Module 2 Flashcards
Purpose and Mission of the SOC
Formalized structure for defending against cyber threats. Three core elements: People, Process and Technology
Element 1: People (3 tiers plus a manager)
Tier 1: Threat Analyst; Tier 2: Threat Responder; Tier 3: Threat Hunter; and lastly the SOC Manager
Tier 1 - notes
Monitors incoming alerts, verifies whether an alert is a true incident and forwards it to Tier 2 if necessary
Tier 2
Deep investigation of incidents and advice on remediation.
Tier 3
Experts in network security, endpoint security, threat intelligence and malware reverse engineering: tracing how malware executes, determining its impact and defining a removal strategy. Also deeply involved in threat hunting and in implementing threat detection tools. They search for threats that are present in the network but have not yet been detected.
SOC Manager
Manages the resources of the SOC
Element 2: The process
Think of how tickets are utilized in your organization.
Explain the Process in the SOC
The analyst monitors security alert queues and investigates assigned alerts. Be aware of false positives: confirm that it is a true incident before escalating. Escalate to the Tier 2 responders for deeper investigation, and to Tier 3 if the ticket needs further help.
Element 3: Technologies
Technologies in the SOC: SIEM and SOAR
What is SIEM
Security Information and Event Management system
How does SIEM work?
It collects and filters data, classifies it, and then analyzes and investigates threats. It takes data from a wide range of systems, such as network appliances, firewalls, etc.
What is SOAR
Security Orchestration, Automation and Response
How does SOAR work?
Similar to SIEM, it aggregates, correlates and analyzes alerts. It integrates threat intelligence and automates incident investigation and response workflows based on playbooks developed by the security team.
SOC Metrics
(5)
Dwell Time
The length of time that threat actors have access to a network before they are detected and their access is stopped.