Chapter 2: Building a SOC: Processes and Best Practices

One of the most valuable tools an airline pilot has at his disposal is the simplest one. A checklist. The checklist enumerates every single thing that must be done in order to maintain safety, avoid risk, and protect valuable lives. This ensures that you can get to your final destination without spilling any peanuts.

The cyber security world isn’t all that different, yet the stakes are even higher.

There is a long list of things that the SOC team needs to do—and do properly—so that your organization’s assets are protected and high priority threats are detected quickly and with minimal impact.

In this chapter, we’ll help you establish the key processes and best practices that your SOC team will need to perform to detect emerging threats; determine their scope and impact; and respond effectively and quickly. At every step along the way, we’ll show you how you can use AlienVault® Unified Security Management® (USM), AlienVault Open Threat Exchange® (OTX™), and AlienVault Labs Threat Intelligence to power your SOC process.

Key Takeaways

Establish the key processes you’ll need for building a SOC. These include Event Classification & Triage; Prioritization & Analysis; Remediation & Recovery; and Assessment & Audit. Measure progress based on pragmatic SOC metrics. Examine how AlienVault USM supports these critical processes.

Answering the Big Questions for Each SOC Stage

Stage One: Event Classification & Triage

Why Is This Important?

The true value of collecting, correlating, and analyzing log data is that it gives you the ability to find the “signal in the noise.” Key indicators of compromise can be found within user activity, system events, firewall accept/denies, etc. In addition, specific sequences and combinations of these events in specific patterns can also signal an event that requires your attention. The key to success in this stage is having a way to classify each event quickly, so that you can prioritize and escalate critical events that require additional investigation.

What Do SOC Analysts Do at This Stage?

Tier 1 SOC Analysts review the latest events that have the highest criticality or severity. Once they’ve verified that these events require further investigation, they’ll escalate the issue to a Tier 2 Security Analyst (please note: for smaller teams, it may be that the same analyst will investigate issues as they escalate into a deeper investigation). The key to success in this stage is to document all activity (e.g. notation, trouble ticket, etc.).

How Do I Do It with AlienVault?

AlienVault USM collects, parses, and analyzes your log data against the latest threat intelligence, which is delivered to the platform automatically and continuously from the AlienVault Labs Security Research Team and the Open Threat Exchange® (OTX™). As threats and anomalous activities are detected in your environment, AlienVault USM generates alarms, which are automatically prioritized by intent according to the Lockheed Martin Cyber Kill Chain. This “chain” is a sequence of actions an attacker needs to take in order to infiltrate an environment and exfiltrate data from it. This event categorization helps to highlight the most serious threats facing your assets. This alarm prioritization allows you to focus your attention on the most severe threats first, rather than having to manually review all alarms to know where to start.

The critical key to success is identifying attacker activity in the early stages of an attack, before sensitive data and systems are affected. As an attacker moves up these kill chain stages, it becomes more likely they’ll be successful in their attacks. By looking at environmental behavior and infrastructure activity from an attacker’s perspective, you’ll be able to determine which events require your attention now.

How to Staff Your Team

Alarm Types                 | Description                                                                                             | Priority Level | Tier 1 Analyst Tasks
----------------------------|---------------------------------------------------------------------------------------------------------|----------------|---------------------------------------------
Reconnaissance & Probing    | Behavior indicating an actor attempting to discover information about the organization                  |                | Review activity from OTX (on a weekly basis)
Delivery & Attack           | Behavior indicating an attempted delivery of an exploit                                                 |                | Review activity from OTX (on a weekly basis)
Exploitation & Installation | Behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on a system |                | Verify and investigate (escalate to Tier 2)
System Compromise           | Behavior indicating a compromised system                                                                |                | Verify and investigate (escalate to Tier 2)

Document All the Things

As a SOC analyst, it’s essential to document every stage of an investigation: which assets you’ve examined, which ones have “special” configuration or are owned by VIPs (aka execs), and which events are false positives. AlienVault USM makes this part of the process super easy. From any alarm, event, or vulnerability that AlienVault USM detects within your environments, you can easily open and track tickets with third-party productivity tools like ServiceNow and Jira, without leaving the USM platform. You can also use labels within AlienVault USM to classify, track, and search vulnerabilities and alarms. Documenting the investigation provides an audit trail in case the asset is targeted again or is involved in future suspicious activity. Even if your company is not subject to an audit now, having this valuable information may prove useful in the future.

Stage Two: Prioritization & Analysis

Why Is This Important?

Prioritization is the key to success in any endeavor, and it’s even more critical in cyber security. The stakes are high and the pace of attacks continues to escalate and shows no sign of stopping. Meanwhile, the resources you have to protect assets against this onslaught are highly limited. Focus on those events that could be most impactful to business operations, which requires knowing which assets are the most critical. At the end of the day, maintaining business continuity is the most important responsibility entrusted to the SOC team.

What Do SOC Analysts Do at This Stage?

Review and respond to any activity that indicates an adversary has infiltrated your environment. This can range from the installation of a rootkit/RAT or backdoor taking advantage of an existing vulnerability to network communications between an internal host and a known bad IP address associated with a cyber adversary’s C2 infrastructure.

How Do I Do It with AlienVault?

Powered by threat intelligence from the AlienVault Labs Security Research Team, AlienVault USM can detect the specific indicators that signal activity of specific adversary tools, methods, and infrastructure. The Security Research Team's continuous threat intelligence updates include correlation rules that are applied against the raw event log data that AlienVault USM collects. Once applied, these rules identify and categorize these events and activity in ways that help you prioritize SOC tasks.

By prioritizing alarms in the exploitation & installation and system compromise categories, SOC analysts zero in on the threats that have already advanced beyond primary security defenses. With AlienVault USM, analysts can determine the best way to address these attacks using response templates from the Security Research Team’s threat intelligence updates. Because the Security Research Team draws insights from the community-powered threat data in AlienVault OTX, the threat intelligence within AlienVault USM reflects the collective experiences of tens of thousands of security researchers from around the world and incorporates lessons from in-the-wild attacks at organizations of all sizes.

Relying on the latest threat intelligence to understand as much as possible about an attack will inform how you prioritize and respond to it, as well as how you bolster your defenses against a similar attack in the future. Better still, when you share key information about an adversary’s TTPs with the larger threat intelligence community within OTX, you make that adversary’s job much more difficult and costly. Everybody wins.

Know All Your Environments and Assets

Asset discovery and inventory is one of the most important and yet most overlooked cybersecurity capabilities. When you’re on the SOC team, having access to an updated and automated asset inventory is invaluable. AlienVault USM continuously scans your cloud and on-premises environments to discover assets to monitor. On-premises, you can discover all the IP-enabled devices on your network, as well as identify what software and services are running on them, and whether they include potential vulnerabilities. For your AWS and Azure cloud infrastructure, AlienVault USM provides visibility into the assets in your dynamically changing environments.

  • What systems are critical to the ongoing function of your company?
  • Which systems are critical to the day-to-day tasks?
  • What other systems, devices, or networks do those critical assets and services rely on?
  • Which systems manage and store sensitive information?


Stage Three: Remediation & Recovery

Why Is This Important?

The faster you can detect and respond to an incident, the more likely you’ll be able to contain the damage and prevent a similar attack from happening in the future. Please note: There are a number of decisions to make when investigating an incident, particularly whether your organization is more interested in recovering from the damage vs. investigating it as a crime. Make sure that you work closely with your management team. Be sure to communicate clearly and often—and document everything.

What Do SOC Analysts Do at This Stage?

Each attack will differ in terms of the appropriate remediation steps to take on the affected systems, but it will often involve one or more of the following steps:

  • Re-image systems (and restore backups)
  • Patch or update systems (e.g. apps and OS updates)
  • Re-configure system access (e.g. account removals, password resets)
  • Re-configure network access (e.g. ACL and firewall rules, VPN access, etc.)
  • Review monitoring capabilities on servers and other assets (e.g. enabling HIDS)
  • Validate patching procedures and other security controls by running vulnerability scans

By the way, some SOC teams hand off remediation and recovery procedures to other groups within IT. In this case, the SOC analyst would create a ticket and/or change control request and delegate it to those responsible for desktop and system operations.

How Do I Do It with AlienVault?

AlienVault USM simplifies remediation and recovery by helping you detect events quickly so you can respond in time to prevent further damage. Additionally, AlienVault USM’s asset discovery and vulnerability assessment capabilities deliver updated and detailed information about your assets—what vulnerabilities exist, what processes are running, and more—to confirm that remediation steps have been implemented correctly.

To keep track of incident response activities across a team, you can also open tickets within Jira or ServiceNow directly from alarms, events, or vulnerabilities within the USM platform. AlienVault USM also enables automatic notification through multiple channels, including Amazon SNS, Slack, PagerDuty, and Datadog, making it fast and simple to notify stakeholders when incidents occur.


Stage Four: Assessment & Audit

Why Is This Important?

It’s always optimal to find and fix vulnerabilities before an attacker exploits them in order to gain access to your environments. The best way to do that is to run periodic vulnerability assessments and review those report findings in detail. Keep in mind that these assessments will identify technical vulnerabilities rather than procedural ones, so make sure your team is also addressing gaps in your SOC processes that could expose you to risk as well.

What Do SOC Analysts Do at This Stage?

Running network vulnerability scans and generating compliance reports are some of the most common audit activities for SOC team members. Additionally, SOC team members may also review their SOC processes with audit teams (internal and external) to verify policy compliance as well as determine how to improve SOC team performance and efficiency.

How Do I Do It with AlienVault?

With AlienVault USM, you can run regular vulnerability scans against all of your assets to detect any system changes that may signal an exposure. These vulnerability reports, which automatically rank vulnerabilities by severity, can be shared with auditors, executive management, and others to demonstrate your compliance against a variety of regulatory standards.

In addition, AlienVault USM includes multiple out-of-the-box compliance reports for PCI DSS, HIPAA, and NIST CSF, so that you can more readily demonstrate your compliance during an audit.
