SOC Duties

CyberJosh95 (CISSP, GCIA, CCNA R+S, CASP, Sec+, ITIL Foundations), Posts: 49, Member
edited November 1 in IT Jobs / Degrees
Hi everyone,

I want to ensure I am not "bugging out" with my train of thought on what a SOC's responsibilities are.
What do you think a SOC should be doing? This is a SOC which should be monitoring web applications and the servers these applications reside on. 

Any feedback would be greatly appreciated.
Cheers
-Josh

Comments

  • LonerVamp (OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK), Posts: 393, Member
    That somewhat depends on what your business needs the SOC to do.

    I'd imagine you're looking at web logs collecting in a SIEM somewhere for attacks and/or other naughties. Same with authentication logs, WAF logs if you have any. You may have firewall and IDS/IPS logs as well, and not just from the external border, but also your internal borders into this traditional DMZ. And not just inbound, but weirdness going outbound as well.

    For servers, you probably get logs out of them (various) and have eventing based on things you want to know or alarm on. Things like who is logging in, what they do. You may have visibility into the security tools on those servers such as AV/EDM,

    You may even have vulnerability scan results being brought into the SOC. You might even have visibility into changes (change request tickets, actual code promotion/changes).

    In some environments, you may even have control and visibility into availability tools and manage the uptime/downtime issues with servers and applications, or their health.

    There are more....  :)

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK
    2019 goals: GWAPT, Linux+, (possible: SLAE, CCSK, AWS SA-A)
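    As an added example (not from the thread or any poster), here is a small Python detection pass over constructed log lines for three of the sources the reply above lists: web access logs checked for attack patterns, authentication logs checked for who is failing to log in, and firewall logs checked for unexpected outbound traffic from the DMZ. The sample lines, the two signatures, the failed-login threshold and the outbound allowlist are all assumptions made for the demonstration.

```python
import re
from collections import Counter
# Constructed sample lines (not from the thread) for three of the sources the
# reply names: web access log, SSH auth log, and outbound firewall log.
WEB_LOG = """\
10.0.0.5 - - [01/Nov/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [01/Nov/2019:10:00:02 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 404 120
10.0.0.9 - - [01/Nov/2019:10:00:03 +0000] "GET /item?id=1%20OR%201=1 HTTP/1.1" 500 0
"""
AUTH_LOG = """\
Nov  1 10:00:10 web01 sshd[101]: Failed password for admin from 203.0.113.7 port 5001 ssh2
Nov  1 10:00:11 web01 sshd[101]: Failed password for admin from 203.0.113.7 port 5002 ssh2
Nov  1 10:00:12 web01 sshd[101]: Failed password for admin from 203.0.113.7 port 5003 ssh2
Nov  1 10:00:20 web01 sshd[102]: Accepted password for deploy from 10.0.0.20 port 6000 ssh2
"""
FW_LOG = """\
2019-11-01T10:01:00Z web01 OUT src=10.0.1.4 dst=10.0.2.8 dport=5432 action=allow
2019-11-01T10:01:05Z web01 OUT src=10.0.1.4 dst=198.51.100.23 dport=4444 action=allow
"""

WEB_RE = re.compile(r'^(\S+) .*?"(\S+) (\S+) ')  # client, method, request path
WEB_SIGNATURES = {  # two common "naughties" to look for in request paths
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(%20|\s)or(%20|\s)1=1", re.I),
}
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
EXPECTED_OUTBOUND = {("10.0.2.8", 5432)}  # assumed: the DMZ web host only talks to its DB

def web_alerts(log):
    """Return (signature, client, path) for each request matching an attack signature."""
    alerts = []
    for line in log.splitlines():
        m = WEB_RE.match(line)
        if m:
            client, _method, path = m.groups()
            alerts += [(name, client, path) for name, sig in WEB_SIGNATURES.items() if sig.search(path)]
    return alerts

def auth_alerts(log, threshold=3):
    """Return (alert, source, account, count) where one source fails on one account >= threshold times."""
    fails = Counter((m.group(2), m.group(1)) for m in map(FAILED_RE.search, log.splitlines()) if m)
    return [("failed-login burst", src, user, n) for (src, user), n in fails.items() if n >= threshold]

def outbound_alerts(log, expected=EXPECTED_OUTBOUND):
    """Return (alert, src, dst, port) for outbound connections not on the expected list."""
    hits = [FW_RE.search(line) for line in log.splitlines()]
    return [("unexpected outbound", m.group(1), m.group(2), int(m.group(3)))
            for m in hits if m and (m.group(2), int(m.group(3))) not in expected]
```

    In a real SOC these three checks would run inside the SIEM over the live feeds, but the shape is the same: parse each source, apply a signature, a threshold, or an allowlist, and raise an alert with enough context (source, account, destination) for an analyst to act on.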
  • CyberJosh95 (CISSP, GCIA, CCNA R+S, CASP, Sec+, ITIL Foundations), Posts: 49, Member
    LonerVamp said:
    That somewhat depends on what your business needs the SOC to do.

    I'd imagine you're looking at web logs collecting in a SIEM somewhere for attacks and/or other naughties. Same with authentication logs, WAF logs if you have any. You may have firewall and IDS/IPS logs as well, and not just from the external border, but also your internal borders into this traditional DMZ. And not just inbound, but weirdness going outbound as well.

    For servers, you probably get logs out of them (various) and have eventing based on things you want to know or alarm on. Things like who is logging in, what they do. You may have visibility into the security tools on those servers such as AV/EDM,

    You may even have vulnerability scan results being brought into the SOC. You might even have visibility into changes (change request tickets, actual code promotion/changes).

    In some environments, you may even have control and visibility into availability tools and manage the uptime/downtime issues with servers and applications, or their health.

    There are more....  :)
    Thanks!! This is what I know as well.

    What do you think a SOC full of threat hunters should be doing? I know these questions may seem weird. However, I'm just trying to make sure I am not going crazy. LOL.
  • yoba222, Posts: 1,055, Member
    Reasonable expectations of services provided by a SOC -- let's see . . . If I browse a SOC website or speak to one of their salespeople on the phone, I'm sure they'll attest that they're fully capable of doing anything and everything I want. As for what will actually get done once payment has been received, well that should be spelled out in the SLA and/or incident response plan. If it's not, I probably shouldn't expect them to provide that service.

    If it's in there and they're not doing it, well then you're certainly not bugging out.
    2017: GCIH | LFCS
    2018: CySA+ | PenTest+ |CCNA CyberOps
    2019: VHL 20 boxes
    2020: OSCP | CISSP
  • JDMurray, Certification Invigilator, Surf City, USA, Posts: 11,476, Admin
    edited October 18
    What a SOC does depends on the business goals of the organization that the SOC is protecting and on the threats and vulnerabilities that put that org at risk.
  • LonerVamp (OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK), Posts: 393, Member

    What do you think a SOC full of threat hunters should be doing? I know these questions may seem weird. However, I'm just trying to make sure I am not going crazy. LOL.
    What do you mean by threat hunters? To me, threat hunting itself is a step along the maturity path of a full SOC. Typically, you wouldn't get these until a bit later as you can't hunt if you don't have visibility. And part of their duty is not just finding existing compromises you don't know about, but also identifying gaps in visibility and detection coverage.

    I admit, I have not worked in an environment that would have had threat hunting more than just another function of SOC analysts.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS CCP, CCSK
    2019 goals: GWAPT, Linux+, (possible: SLAE, CCSK, AWS SA-A)