How Security Operations is a Journey, Not a Destination: An Analyst’s Perspective

Security operations are those practices and teams that are devoted to preventing, detecting, assessing, monitoring, and responding to cybersecurity threats and incidents.

Because pre-configured Antivirus, Firewalls and Intrusion Detection System (IDS) are not enough to ensure your company’s security. Threats on the internet are anything but static. Therefore static defense mechanisms are merely a walk in the park for APTs (Advanced Persistent Threat).

The main purpose of an SOC (Security Operations Center) is to ensure the proper monitoring of infrastructure in the cyber park. Firms need a reliable team who can keep their security perimeter regularly updated against new and evolving threats around the clock. Through a well-configured SOC, the company can ensure business continuity and anticipate potential risks and incidents. Information security is a process that moves through phases building and strengthening itself along the way. The point is, security is a journey, not a destination.

Fundamentally, it boils down to two things: defend the organization and find the anomaly. Different teams work together to figure out the evil and once the investigation is completed, a report is prepared and the necessary actions are initiated. Analysts work in shifts 24*7*365 in SOC environment to support the clients and their infrastructure.

Generally, an analyst will be monitoring the client infrastructure for malicious activity. In simple terms, an analyst will be sitting around having a cup of coffee waiting for alerts on the dashboard. Once an alert is triggered, the analyst triages it and starts the investigation process.

This process may or may not have a time limit called the SLA (Service Level Agreement) which is predefined by the client based on the engagement. After completing the investigation, the analyst would create a ticket and resolve the alert. In some cases, the incident might be highly critical and would need escalations. The Tier-I analyst would escalate to the Tier-II which might be an internal Tier or outside the SOC. The response and remediation would depend upon the severity of alert and the level of visibility the team has on the client environment.

A typical SOC waits for alerts to come in and doesn’t have much to do (apart from IOC hunts) during the 24*7 monitoring period.

The job requires great attention to detail and general awareness for all things cyber. Analysts are expected to be updated on changing cyber trends. A piece of basic knowledge in areas like networking, malware analysis, incident response, and cyber etiquette is the bare minimum required out of a SOC Analyst. Efficient management of SOC is a key factor for its success. Analysts, Hardware, and Software are also key elements, but the ultimate success of SOC is based on the skills of its manager. Weak or inefficient management can have disastrous consequences in terms of performance, neglected incidents, or improperly followed processes.

One of the key success factors of a SOC is the implementation of a good monitoring strategy. To ensure decent management it is obligatory to define the perimeter, technical architecture, processes of monitoring and maintenance, rules of the SOCs, points of contacts, all based on observation and the type of engagement.

A SOC is not as simple as installing a SIEM (Security Information and Event Management) and lay back hoping the tools will defend the organization.

One of the primary directives of a SOC team is to identify and defend the perimeter. To do so the analysts need to look into the logs. Now the question is, what and where to look for them?

The SOC team should consider looking into Network traffic (HTTP, SSL, DNS, DHCP, SNMP, FTP, SSH etc), Web proxy, VPN, External-facing firewall, AD, IDS, IPS. Also logs from the Host machine, AV, File hashes, Registry Modifications, Process Tree, Executing Directory, Outbound DNS queries and other Syslogs. Threat Intelligence feeds, Vulnerability information and disclosures will simplify the needle in haystack process.

The reference model for infosec is preserving the CIA triad (protecting Confidentiality, ensuring Integrity, maintaining Availability). But when it comes to blue teaming foundations, I prefer going forward with PDR (Prevention, Detection, and Response).

Proper planning before an incident will greatly reduce the risks of an attack and greatly increase the capabilities of timely and effective detection and response if an attack occurs.

Reducing the amount of incoming data negatively impacts analysts’ ability to detect incidents and minimize false positives. Furthermore, more sophisticated attacks usually require more context to successfully pinpoint and co-relate events.

Configuration management and maintenance of appliances are crucial because if not properly optimized, data sources might induce management difficulties. Using fewer sources can simplify the management of this data but also reduces the SOC’s detection capabilities. The security leaders overseeing the SOC must also have a thorough understanding of the working of SOC.

Being a SOC Analyst gives me the feeling of a samurai defending their clan. Ready to take secret missions, finding and resolving issues before it affects the client. Naruto fans would understand better; anyhow it is vital to focus on teamwork and collaboration. Witnessing the trends and attacks first-hand helps me grow and move ahead in my career. But at times the amount of information we are supposed to ingest gets overwhelmingly huge giving panic attacks. What are you doing in cyber if you aren’t overwhelmed with data? It is one of the reasons why cyber is dynamic and continuously evolving.

One of the most important things in cyber is Asking Questions. It’s vital that you ask questions and I believe there are no stupid questions whatsoever in cyber. The ability to weave a hypothesis and the confidence to make decisions based on what’s good and bad will be the deciding factor in your cyber career.

SOC is a decent place to start a Cybersecurity career. You can move up or keep the regime of the SOC. It just depends on whether you want to be a specialist or a generalist. There are many roles to choose from like Security Analyst, Security Engineer, SOC Manager, Security Researcher, Threat Hunter to CISO (Chief Information Security Officer).

Many folks getting into infosec are thrilled at the idea of things like threat-hunting and incident response (pinnacle of the pyramid). Adversary simulation and threat-hunting sound a whole lot cooler than excel creation and alert triage. The essence of blue teaming can be understood only if you start from the bottom and slowly move up. What use is spending your time hunting for APTs when you have vulnerable endpoints and unpatched systems waiting to be hacked?

It’s easy to get excited about jumping into the user-behaviour analytics tool or SOAR (Security Orchestration, Automation, and Response), but remember that the most important thing is establishing the basics. Always remember that infosec is a process, not a product. The people and processes on your blue team are as equally important as the technologies you put in place.

Security Information Event Management (SIEM), are essential solutions for the successful implementation of a SOC. SIEM allow collection, aggregation, standardization, correlation, reporting, archiving, and replay events. SIEM with EDR and NDR solutions are part of a defense mechanism and not a pro-active offensive solution.

I am a big fan of GIFs and I believe visuals convey more than words. Here’s one of my favourite GIFs that absolutely relates to SOC.

The best part of being a SOC Analyst is getting to see a variety of events and having fun investigating them. Put simply, struggling day in and out while banging heads against the monitor.