Discussing the purpose of a Security Operations Center (SOC) from a personal thought standpoint. No other references were used for this, it is all opinion based.
I attempt to cover what I believe to be the purpose of a SOC, what the analysts do, the pros and cons to the job, brief comparisons to internal and MSSP SOC’s, courses and certifications to pursue, tools and skills, incident response. For reference, an MSSP is a Managed Security Service Provider, an advancement on the more commonly known, MSP – Managed Service Provider.
So first and foremost, what is a Security Operations Center (SOC)? A SOC is that top secret, access restricted, siloed room where you only see the humans when they need a coffee, or a toilet break. No, not really. That’s just the stereotype. In fact, the room is secure by design and only authorised personnel should have access – people should not be allowed to walk in willy nilly due to the sensitive nature of the job. Anyway, the purpose of a SOC is to proactively monitor and respond to security threats using a Security Information and Events Management (SIEM) tool, 24/7 365. The threat actors will not go away and will continue to target organisations or individuals around the clock, especially around or on Christmas and New Years when they know staffing is short, hence the need for 24/7 365. SOC’s can be part of an MSSP whereby you look after other organisations’ security, or you can be an internal SOC to your organisation. A common one is an MSSP with an internal SOC and then offering their service to other organisations. Both have their advantages and disadvantages which I will discuss later on.
SIEM tools have different capabilities, strengths and weaknesses as do most softwares. From experience, I have only used a few. One of the biggest things for a SIEM tool, which I feel should be a given, is to provide the ability of being able to be proactive and do custom searching as the analyst. For me, I want to be able to tune the searches, write custom searches and then create rules/alarms off the back of it. Not only does this benefit the analyst, it allows the SOC to provide more value to their customer or organisation. From the tools I have used, Microsoft’s Azure Sentinel is the only that has provided this. Splunk is a good option too for data manipulation and rules/alarms/alerting, but it is not really a “SIEM” as such.
Following on from the tool conversation, these are what I feel should be there as a bare minimum (tools and access):
– SIEM tool,
– Ticketing system.
– Appropriate access to the network;
– NIDS
– Firewall
– Domain controllers with containment permissions
– Audit logs
– Anti-virus access including logs
– Azure/O365 subscriptions
Most SOC’s have some form of Incident Response activities going on so you will get exposure there should you undertake any employment in one, however, the niche area for SOC is offering that extra capability of Incident Response.
Phishing Scenario
As a very simple Incident Response process, let’s imagine a phishing incident – the most common cyber attack seen, and one of the easiest to conduct. As quoted from Imperva, ”Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information”.
The email comes in, whether it be whaling, spear-phishing or general phishing, and the user clicks on the email. It takes them to a landing page that looks just like an email sign in page, Outlook for example. The user thinks nothing of it and enters their username and password as it looks legitimate. This then authenticates the entered details against the actual email provider and sends a log of this to the hacker so they can then use it to operate your account. From this, the email account is breached, and malware could be downloaded to the machine and cause further compromise.
The 6 steps that would typically be seen in an Incident Response process are:
From a SOC perspective responding to the phishing incident, this is how it would look.
1. Preparation
To have runbooks/processes in place for all types of incidents/alarms so analysts know how and what to do, and who to engage and at what stage. A flow chart would simplify this best (ensure you have sign off from customers/stakeholders/internal members!)
2. Identification
Reported by the user and raised to the relevant security teams, or it was spotted by a tool set or alarm etc.
3. Containment
Remove the computer from the network to stop the spread, and purge emails from the network (check if others have received it too via your tools). Disable user sign-ins and reset the password to kill any active sessions. Revert any other actions if identified such as a new account has been created unauthorised.
4. Eradication
Put blocks in place for any indicators of compromise (IoC’s) you may have to ensure they are mitigated against in the future. Wildcards can come in handy but be careful!
5. Recovery
Rebuild the PC is the primary go to.
6. Review/Lessons learned
Post Incident Review (PIR) form. This covers many aspects and provides an overview of the incident, what happened, timeline of events and so on.
With regards to a react and respond approach within the SOC, which is one of the main purposes if not the main purpose, I have a list of pointers that are going to be included on the next blog post so stay tuned for this.
Advantages and Disadvantages of working in a SOC (Internal and MSSP)
These are not final by any means and are only from my initial thoughts – if you do have any others please do reach out as I’m sure someone will benefit from this. I will reference you on any suggestions.
Let’s get the worst bits out of the way first so it ends on a happier note.
Cons
1. Shifts
Shifts in a SOC can be daunting, don’t get me wrong – I’ve been there, done that, got the t-shirt so to speak. Most SOC’s do operate day and night shifts, the pattern can vary though. The most common is 4 on 4 off. This is 4 days, 4 off, 4 nights, 4 off, 4 days, 4 off and so on. Each shift would be 12 hours, unless there’s enough staff to operate more flexible hours. The upside to this is you get 4 days off after each cycle.
2. Access Issues
This is not specific to internal or MSSP, but a common issue for a SOC analyst is to experience issues with access. Most clients who outsource are often hesitant to give out access to their systems and networks so gaining access and trust can be challenging, but more reason to prove everyone wrong right?
3. Authority
Another issue with being a SOC analyst, especially within an internal organisation is having authority. One of the reasons for building a SOC in the first place is to have constant eyes-on to your network in the event of an attack or incident so you’d think that if something happens, you’d have the authority given your profession to make a suggestion or take action in order to remediate? Nope! I feel organisations should trust the people they employee who have studied, trained and put a lot in to getting to the position they’re in to make such decisions – the decisions follow process internally to the SOC anyway which is why you have the superiors in with you or available quickly.
4. Slow Responses
When you are internal, you will more than likely have the channels you have to go through to get things done. If you need something doing, you’ll probably need to raise a ticket or a change request and then wait for it to be actioned. This is a huge issue especially when there’s an incident ongoing – and from experience, this has genuinely happened. This really needs to change! Now don’t get me wrong, this is not everywhere you go but be aware that the frustration could happen!
When it comes to being in an MSSP, your customers are typically more responsive to you as you are essentially responsible for their security, so when something happens, they need to know.
As mentioned, this is not the case in every role, some organisations do things a lot smoother than others and I can honestly say its advancing towards that, which is great.
5. False Positives
One of the most common things from a SIEM tool is to get inundated with false positives. This is why I mention about being proactive and having the ability to recommend changes and spot trends etc. in order to iron out and tune the SIEM platform. On the other hand, having a fully tuned SIEM is not always possible and operating a mindset of “0 alarms is good”, is definitely not good.
6. Stale SOC
Ok I swear being internal isn’t that bad at all! However, being internal can become stale for many reasons I’m afraid. I did enjoy my time internally by the way, it just came with a few cons.
Sometimes in an internal SOC you can experience a range of things depending on the setup. It really can go either way. You may have access to all log sources, you may only have a fraction on them, you may be lacking in some areas, you may not etc. This applies to most places, including MSSP’s, however, in an internal SOC, because you’re looking for one organisation only and you rely on other departments giving you information, you may find yourself with a lot of time on your hands – especially on those 12 night shifts.
My advice for you here, in both internal and MSSP, is to NOT have this mindset but do bear it in mind. I would highly advise you to work closely with your line manager in order to set achievable objectives, project work and professional development so that you can be working on these in any spare time you get – this could be to develop a new tool, study for a certification, implement a new alarm, define a process with documentation and runbooks, pick up some other work that another member is unable to get on with, etc. etc.
Pros
1. The attacks you see on one customer can be seen in advance on another customer.
The title says it all pretty much. You will gain exposure to numerous attacks and events occurring on a network and being in a proactive position gives great satisfaction and exposure, things that look good on you from all perspectives. Furthermore, the client gets more value from you and the service and is more inclined to give you more. It builds trust and relationships, these things are invaluable in this industry.
2. SOC Accreditation
A SOC can gain accreditation, and working for a SOC that has this can be very exciting. Why? Because clients see this and will be more inclined to choose you over someone else as you are seen as better value for money as well as an extra layer of “security” as such. Having accreditation shows compliance and adds further value to the offering as stated, and thus has an effect on the analyst as you have a great chance to be working on more (as the organisation wins more contracts). It’s a nice waterfall effect really, and if you think about it, the more they win, the more they have to spend, whether it be on your development and investment or for growth of the SOC (which can lead to promotions), or an improvement on tools which means you work with better software and so on.
3. Exposure
Typically, analysts are exposed to a variety of attacks on a daily basis when working in an MSSP, whereas an internal SOC might rarely see attacks to their organisation as they are only monitoring that infrastructure, that’s if you are seeing everything in the first place. On the flip side, working in an internal SOC you may see other things which you would not in an MSSP because of the level of monitoring. For example, in one of my past roles I got to work with some confidential things due to the business, but then in others it can be taken off you because it belongs to someone else and you only need to provide the initial notification to them.
4. Scalability
When working in a SOC you are similar to a helpdesk but in a different sector. Where helpdesk would troubleshoot and be a 1st line contact for near enough everything, you’re similar to that in a SOC but for security issues. You have to react to the notification, troubleshoot/triage the incident, make a judgement on if this is a false positive or not, your actions, your containment and so on. In both internal and MSSP you will get the chance to interact with many areas of a business in order to get things resolved, but the more you get involved in, the more you will learn and the more others will trust in security/SOC and the abilities of the analysts/staff.
Gaining trust in cyber can be challenging to some extent because a lot of SOC is false positives as mentioned above in the cons, so when you have the ability to explain why it is a false positive and recommendations to stop this, or even spot “true positives”, you start to build trust and people start to contact you more and your profile begins to build and build.
5. Variety
Not only will you work with different environments in a SOC, you will get the chance to work with different sectors, departments and or customers. I feel this is worth mentioning because not every role out there gives you that much variety. In IT especially, the chance to work in different environments will develop your skillset and expertise vastly. As mentioned in my first blog, I like to be hybrid as such whereby I want to learn as much as I can about anything. I like to be equipped to do my job and be an escalation where necessary because I take pride in that. I believe that SOC offers this.
As mentioned in the scalability section, you get to work with many different people and areas of an organisation too because you’re the eyes on person, the overseer so you do carry a big responsibility.
6. MSSP Learning
Now, this is only an opinion based on my past experience so you may disagree completely here.
Up to now, I have learnt a lot more since working in an MSSP as opposed to internal. My reasoning for this is near enough all of the above. I have been lucky enough to work with so many amazing people who I have taken plenty of information and notes from. Not only that, an MSSP SOC is expected to do so much more because you are looking after a lot more. You have more than 1 client, you have many deliverables, more service offerings to adhere to, you might be a primary contact for more than 1 client depending on the setup of the SOC, you have more exposure to things, typically more trust as you look after stuff for the customer, better relationships, the list goes on.
When I was internal, I had a lot more time to do other things such as personal development, certification studying, being proactive, but ultimately there was less going on which gave more time for these things – and at that stage of my career, I wanted to gain exposure and really expand my knowledge of cyber and start to carve my career pathway. And this refers back to point 6 in the cons.
7. Communication and Interaction
SOC staff are used to communicating and working with customers on a regular basis. We are able to provide assurance, speak both technical and non-technical, provide recommendations, take action and so on. This does apply for both internal and MSSP, however being internal can be more challenging.
If you’re a shy person, not confident doing these kinds of things, this could be a great stepping stone because coming in as a junior or 1st line, you will be eased into things and your senior/escalation can cover for a lot of things. You will learn from them and start to pick things up and gain confidence, even down to picking the phone up.
Certifications and Career Path
I’m going to end this by giving my view on the career paths and certifications for SOC. Everyone is different by all means so what is “typical” for SOC analysts may not suit you as is seen commonly. Some start in SOC and end up in Pen-testing, sysadmins and so on. The cyber industry as a whole is huge.
Known providers for certifications in Cyber/Information Security: CompTIA, SANS, CREST, ISC2, ISACA, EC-Council. I would advise exploring these options and choosing what suits you best.
So starting out in SOC, one of the very first certifications I would recommend you study and sit is the CompTIA Security+ exam. It’s common, yes, but it provides so much insight in to the industry you’ll be glad you did it. After I passed I found myself noticing a lot more because I’d studied for it. The exam covers a lot so don’t expect to have completed this in a month. You will study a lot of things, so I would refer you to the section, “What Are the CompTIA Security+ Exam Domains, and What Do They Cover?” found here on CompTIA. Some may say do the CompTIA framework whereby you do A+, Network+ and then Security+, but Security+ does incorporate a lot of Network+, so my preference would be to skip and go to Security+.
Secondly, my personal preference was to go down the CompTIA route again and study the CompTIA CyberSecurity Analyst+ Certification, more commonly known as CySA+. This is the advanced certification which requires Network+ or Security+ as a pre-requisite, as far as I know.
Other certifications could include CREST Practitioner Intrusion Analyst (CPIA) or CREST Practitioner Security Analyst (CPSA). I would say CPIA is more security based and CPSA is more pen-test related. You may have another field you wish to pursue and so a different certification would be more suited.
After this, SANS would be my next preference and I would continue to try and get more here unless something else stood out to me.
SANS has the benefit in the Cyber industry in that it is the pinnacle of certification providers. With their instructors undertaking a challenging process to be successful, they really do have the best people for the job, and so, they have a wide range of courses on offer. For me, I wish to pursue Incident Response further and so my next certification is to study the SANS 504 course, GIAC Certified Incident Handler (GCIH). For you, I would recommend looking through the courses offered at SANS here.
I know this has been long-winded but I had a lot on my mind that I wished to share.
As always, all feedback is welcomed and I hope to hear from you. If you have any questions or concerns, please do reach out to me.
Dan.
Steel Cyber Security 