soc_basics.md

File metadata and controls

107 lines (62 loc) · 5.78 KB

SOC/CSIRT Basic and fundamental concepts

What is a SOC?

SOC definition:

As per the MITRE paper (SOC strategies, see below):

image

Typical SOC:

Data, tools, and capabilities:

image

Evolution of SOC in time

Some consider that the SOC has evolved over time, as the following drawing shows (from this article):

image

I do believe it mostly depends on the context (the environment to be monitored) and on the cyber maturity. And on top of that, AI (meaning Artificial Intelligence) still does not exist per se....

SOC activities vs. CSIRT activities

SOC activities:

As per ENISA's whitepaper, a minimal set of services for SOCs usually includes those in bold below in accordance with the FIRST services framework:

image

CSIRT activities:

As per ENISA's whitepaper, a minimal set of services for CSIRTs usually includes those in bold below in accordance with the FIRST services framework:

image

What is a SIEM? What for?

As per Gartner's glossary:

Security information and event management (SIEM) technology supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. The core capabilities are a broad scope of log event collection and management, the ability to analyze log events and other data across disparate sources, and operational capabilities (such as incident management, dashboards and reporting).
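To make that definition concrete, here is an added example (not from the page, nor from Gartner) of the three core capabilities in miniature: collection from two disparate sources (an sshd log and a netfilter-style firewall log), normalisation into one event schema, then both a near-real-time correlation rule (several failed logins from one IP followed by a success) and a historical query over the stored events. All log lines, host names and IP addresses are constructed; the parsers only understand these two formats, and the syslog timestamp's missing year is supplied by the caller as an assumption.

```python
"""Toy SIEM pipeline: collect, normalise, correlate and search events.

Added example; everything below (log lines, hosts, IPs) is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input from two disparate sources (not real logs).
SSHD_LINES = [
    "2024-03-01T10:00:01Z bastion sshd[812]: Failed password for root from 203.0.113.7 port 4711 ssh2",
    "2024-03-01T10:00:03Z bastion sshd[812]: Failed password for root from 203.0.113.7 port 4712 ssh2",
    "2024-03-01T10:00:05Z bastion sshd[812]: Failed password for root from 203.0.113.7 port 4713 ssh2",
    "2024-03-01T10:00:09Z bastion sshd[812]: Accepted password for root from 203.0.113.7 port 4714 ssh2",
    "2024-03-01T10:05:00Z bastion sshd[812]: Failed password for alice from 198.51.100.4 port 5000 ssh2",
]
FIREWALL_LINES = [
    "Mar  1 10:00:00 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22 ACTION=ACCEPT",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src_ip>[\d.]+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: .*SRC=(?P<src_ip>[\d.]+) "
    r"DST=(?P<dst_ip>[\d.]+) PROTO=\w+ DPT=(?P<dst_port>\d+) ACTION=(?P<action>\w+)"
)


def parse_sshd(line):
    """Normalise one sshd line into the common event schema (None if unparsable)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "source": "sshd",
        "host": m["host"],
        "src_ip": m["src_ip"],
        "user": m["user"],
        "outcome": "success" if m["outcome"] == "Accepted" else "failure",
    }


def parse_firewall(line, year=2024):
    """Normalise one firewall line; syslog timestamps carry no year, so the
    caller supplies it (assumption for this example)."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "source": "firewall",
        "host": m["host"],
        "src_ip": m["src_ip"],
        "dst_ip": m["dst_ip"],
        "dst_port": int(m["dst_port"]),
        "outcome": m["action"].lower(),
    }


def collect(sshd_lines, firewall_lines):
    """Collection: ingest both sources and keep one time-ordered event store."""
    events = [e for e in map(parse_sshd, sshd_lines) if e]
    events += [e for e in map(parse_firewall, firewall_lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Near-real-time rule: >= threshold failed logins from one IP inside the
    window, followed by a success from that IP, raises one alert."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    for e in events:
        if e["source"] != "sshd":
            continue
        recent = failures[e["src_ip"]]
        while recent and e["ts"] - recent[0] > window:  # expire old failures
            recent.popleft()
        if e["outcome"] == "failure":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "src_ip": e["src_ip"],
                "user": e["user"],
                "failures": len(recent),
                "ts": e["ts"],
            })
            recent.clear()
    return alerts


def search(events, src_ip, start, end):
    """Historical query: every normalised event for one IP in a time range,
    whatever source it came from."""
    return [e for e in events if e["src_ip"] == src_ip and start <= e["ts"] <= end]


if __name__ == "__main__":
    store = collect(SSHD_LINES, FIREWALL_LINES)
    for alert in correlate(store):
        print(alert)
    window_start = datetime(2024, 3, 1, 10, 0, 0)
    print(len(search(store, "203.0.113.7", window_start, window_start + timedelta(minutes=1))), "events")
```

The point the definition makes is visible in the code: neither source on its own tells the analyst much, but once both are in one schema the firewall ACCEPT on port 22 and the sshd failures/success become a single story about one source IP, which is what a real SIEM's correlation and search layers are for.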

And as per this article (in French):

image

SOC mission and context

SOC operating context:

As per the MITRE paper (SOC strategies, see below):

image

SOC/CERT processes and workflows

Incident response lifecycle (detection // incident response):

As per the NIST SP800-61 rev2 paper (see below):

image

As an IT security teacher used to tell his students, like a SOC motto: "Without response, detection is useless" (freely inspired by Bruce Schneier's book Secrets and Lies: Digital Security in a Networked World).

Typical incident handling workflow:

As per the ENISA paper (see below):

image

SOC/CERT procedures:

  • Write, and maintain over time, alert/incident handling procedures.
    • My recommendation: take those from CERT-SG (IRM) as an example.

What is purple/red/blue team?

Quoting Lutessa (article in French):

image

Attack lifecycle

As per Mandiant article:

image

Most common infection vectors

Based on experience, and on numerous malware statistics, the following ones should be treated as priorities:

  • emails;
  • web browsing;
  • USB sticks / removable storage;
  • exposed (internet-facing) services/apps and equipment (e.g. appliances).

End
