SOC Duties

Hi everyone,

I want to ensure I am not "bugging out" with my train of thought on what a SOC responsibilities are.

What do you think a SOC should be doing? This is a SOC which should be monitoring web applications and the servers these applications reside on.

Any feedback would be greatly appreciated.

Cheers

-Josh

Find more posts tagged with

Comments

LonerVamp

That somewhat depends on what your business needs the SOC to do.

I'd imagine you're looking at web logs collecting in a SEIM somewhere for attacks and/or other naughties. Same with authentication logs, WAF logs if you have any. You may have firewall and IDS/IPS logs as well, and not just from the external border, but also your internal borders into this traditional DMZ. And not just inbound, but weirdness going outbound as well.

For servers, you probably get logs out of them (various) and have eventing based on things you want to know or alarm on. Things like who is logging in, what they do. You may have visibility into the security tools on those servers such as AV/EDM,

You may even have vulnerability scan results being brought into the SOC. You might even have visibility into changes (change request tickets, actual code promotion/changes).

In some environments, you may even have control and visibility into availability tools and manage the uptime/downtime issues with servers and applications, or their health.

There are more....

CyberJosh95

LonerVamp said:

That somewhat depends on what your business needs the SOC to do.

I'd imagine you're looking at web logs collecting in a SEIM somewhere for attacks and/or other naughties. Same with authentication logs, WAF logs if you have any. You may have firewall and IDS/IPS logs as well, and not just from the external border, but also your internal borders into this traditional DMZ. And not just inbound, but weirdness going outbound as well.

For servers, you probably get logs out of them (various) and have eventing based on things you want to know or alarm on. Things like who is logging in, what they do. You may have visibility into the security tools on those servers such as AV/EDM,

You may even have vulnerability scan results being brought into the SOC. You might even have visibility into changes (change request tickets, actual code promotion/changes).

In some environments, you may even have control and visibility into availability tools and manage the uptime/downtime issues with servers and applications, or their health.

There are more....

Thanks!! This is what I know as well.

What do you think a SOC full of threat hunters should be doing? I know these questions may seem weird. However, im just trying to make sure I am not going crazy. LOL.

yoba222

Reasonable expectations of services provided by a SOC -- let's see . . . If I browse a SOC website or speak to one of their salespeople on the phone, I'm sure they'll attest that they're fully capable of doing anything and everything I want. As for what will actually get done once payment has been received, well that should be spelled out in the SLA and/or incident response plan. If it's not, I probably shouldn't expect them to provide that service.

If it's in there and they're not doing it, well then you're certainly not bugging out.

JDMurray

What a SOC does depends on the business goals of the organization that the SOC is protecting and what are the threats and vulnerabilities that put that org at risk.

LonerVamp

CyberJosh95 said:

What do you think a SOC full of threat hunters should be doing? I know these questions may seem weird. However, im just trying to make sure I am not going crazy. LOL.

What do you mean by threat hunters? To me, threat hunting itself is a step along the maturity path of a full SOC. Typically, you wouldn't get these until a bit later as you can't hunt if you don't have visibility. And part of their duty is not just finding existing compromises you don't know about, but also identifying gaps in visibility and detection coverage.

I admit, I have not worked in an environment that would have had threat hunting more than just another function of SOC analysts.

TechGromit

CyberJosh95 said:

Hi everyone,

I want to ensure I am not "bugging out" with my train of thought on what a SOC responsibilities are.
What do you think a SOC should be doing? This is a SOC which should be monitoring web applications and the servers these applications reside on.

Really depends on what tier / level of the SOC your referring to. First Tier / Level of the SOC is a pretty thankless job. Shift work, 24/7, monitoring systems for alerts. at our ITOC (IT Operations Center) they also monitor the networks as well. So what happens when an alert is generated, open a ticket, which then sends an email/ SMS the responsible parties. They may do some lower level trouble shooting of issues, but for the most part they are a glorified help desk job. No thanks.

2nd and + tiers / levels do actual threat assessments, Incident response, Malware investigations, etc. That's where you want to be.

chrisone

Id like to hear what it is you are bugging out on, within the SOC you are working at. I have my own little gripes at my current employer and certain tasks I feel are stretching the terminology of what a security engineer should be doing. But as JD mentioned, it really depends on the business, culture, and your boss. Hence, why many engineers change jobs. Sometimes its just the culture, employeer, or your boss who expect XYZ from you daily. Its up to you to suck it up, get paid what your worth, or leave.

CyberJosh95

TechGromit said:

CyberJosh95 said:

Hi everyone,

I want to ensure I am not "bugging out" with my train of thought on what a SOC responsibilities are.
What do you think a SOC should be doing? This is a SOC which should be monitoring web applications and the servers these applications reside on.

Really depends on what tier / level of the SOC your referring to. First Tier / Level of the SOC is a pretty thankless job. Shift work, 24/7, monitoring systems for alerts. at our ITOC (IT Operations Center) they also monitor the networks as well. So what happens when an alert is generated, open a ticket, which then sends an email/ SMS the responsible parties. They may do some lower level trouble shooting of issues, but for the most part they are a glorified help desk job. No thanks.

2nd and + tiers / levels do actual threat assessments, Incident response, Malware investigations, etc. That's where you want to be.

I agree with this 100%. Once again verifying my thoughts.

CyberJosh95

chrisone said:

Id like to hear what it is you are bugging out on, within the SOC you are working at. I have my own little gripes at my current employer and certain tasks I feel are stretching the terminology of what a security engineer should be doing. But as JD mentioned, it really depends on the business, culture, and your boss. Hence, why many engineers change jobs. Sometimes its just the culture, employeer, or your boss who expect XYZ from you daily. Its up to you to suck it up, get paid what your worth, or leave.

Its just the little things. We're in migration efforts from an on-premise data center into the cloud. I was brought in to help ensure the SOC is stood up properly due to the fact that there was no SOC when the environment was strictly on-prem. (dont ask me why not lol)

With that being said.... People who worked in the on-prem data center had no where else to go. There are no more routers and switches to manage since the on premise infrastructure is gone. So since the SOC was new and "in the need for bodies" (as my leadership would say) they placed the folks who used to do that in the SOC.

Ive tried to explain this was a bad move due to the fact that these folks dont seem to understand IR, Threat Hunting, Vulnerability scanning and about 95% of them have never ran an nmap scan.

I can go on and on...however, its so much to type out. Lol

chrisone

Well from what I am reading, it seems like your employer/executive management did not want to lay people off. Unless I am wrong, but that is admirable from any employer. I was laid off once and it really does suck. From a technical perspective I agree, it will be hard to get up to speed with people who have no security experience. I suppose you may be able to get the training budget to increase dramatically since executive management would know they are placing engineers in positions with little experience. One would assume they would want their staff skilled and up to speed in a short time. Especially since they are saving money with the cloud

bigdogz

If the management didn't want to lay them off I would applaud them on their loyalty. It's now time for the employee to retrain and re tool him / her self to help themselves and the company.
Sometimes it is tough trying to learn something that what can seem to be in a different language, but after time most people pick up the knowledge.

UnixGuy

Interesting situation. Usually companies are demonised when they move to newer technologies and lay off people with outdated skillset. Now you're employer seem to want to keep the people which is admirable, but I'm interested to see how many of said employees are willing to upskill.

CyberJosh95

UnixGuy said:

Interesting situation. Usually companies are demonised when they move to newer technologies and lay off people with outdated skillset. Now you're employer seem to want to keep the people which is admirable, but I'm interested to see how many of said employees are willing to upskill.

Exactly. These folks seem to be stuck in old fashioned ways and dont seem too motivated/excited about the opportunity to take SANS certifications, etc. Its been a real struggle here for me. lol

JDMurray

I work in a tier-less SOC. Everyone works any kind of security event that they are trained for. If someone has a question about triage, analysis, point-of-contacts, documentation, etc. they reach out to the group of assistance. This way everyone learns how to work most every type of event that we monitor for or are reported to us.

bigdogz

SOC and NOC tier 1 folks have to constantly follow a process. At times they will just get lazy and throw it over a fence on a non issue or an issue can be resolved easily.

When folks are comfortable with the same process, work and people can be bored, and lazy. If you create something that makes them think and use the business processes, it could help keep the team sharp.

You have to get the right people who will be motivated all of the time. They will want to move up or out. They will always look for the anomalies and find the smaller incidents that can be closed quickly.

JDMurray

SOC analysts will also tend to work the events that they enjoy the most or at least understand the best. Therefore, to keep every analyst proficient in working all types of events, the events to work should be handed out by the SOC shift lead (supervisor) to the next available analyst. (One might call this round-robin distribution or event-leveling.) If a system like this is not used, you will end up with some analysts who are very proficient in, say, working Active Directory security issues (which they enjoy working) but are poor at working email phishing cases (which they hate working).