The first is setting up your security monitoring tools to receive raw security-relevant data (e.g. login/logoff events, persistent outbound data transfers, firewall allows/denies, etc.). This includes making sure your critical cloud and on-premises infrastructure (firewall, database server, file server, domain controller, DNS, email, web, active directory, etc.) are all sending their logs to your log management, log analytics, or SIEM tool. (We’ll go into more detail about how AlienVault® Unified Security Management® (USM) provides this critical capability as well as others like IDS in the next chapter).
The second function is to use these tools to find suspicious or malicious activity by analyzing alerts; investigating indicators of compromise (IOCs like file hashes, IP addresses, domains, etc.); reviewing and editing event correlation rules; performing triage on these alerts by determining their criticality and scope of impact; evaluating attribution and adversary details; sharing your findings with the threat intelligence community; etc.
Knowing what it will take to build a SOC will help you determine how to staff your team. In most cases, for security operations teams of four to five people, the chart below will relay our recommendations.
(Separating the wheat from the chaff)
SkillsSysadmin skills (Linux/Mac/Windows); programming skills (Python, Ruby, PHP, C, C#, Java, Perl, and more); security skills (CISSP, GCIA GCIH, GCFA, GCFE, etc.)
ResponsibilitiesReviews the latest alerts to determine relevancy and urgency. Creates new trouble tickets for alerts that signal an incident and require Tier 2 / Incident Response review. Runs vulnerability scans and reviews vulnerability assessment reports. Manages and configures security monitoring tools.
(IT’s version of the first responder)
SkillsAll of the above + natural ability, dogged curiosity to get to the root cause, and the ability to remain calm under pressure. Being a former white hat hacker is also a big plus.
ResponsibilitiesReviews trouble tickets generated by Tier 1 Analyst(s). Leverages emerging threat intelligence (IOCs, updated rules, etc.) to identify affected systems and the scope of the attack. Reviews and collects asset data (configs, running processes, etc.) on these systems for further investigation. Determines and directs remediation and recovery efforts.
Expert Security Analyst
(Hunts vs. defends)
SkillsAll of the above + be familiar with using data visualization tools and penetration testing tools.
ResponsibilitiesReviews asset discovery and vulnerability assessment data. Explores ways to identify stealthy threats that may have found their way inside your network, without your detection, using the latest threat intelligence. Conducts penetration tests on production systems to validate resiliency and identify areas of weakness to fix. Recommends how to optimize security monitoring tools based on threat hunting discoveries.
DescriptionOperations & Management
(Chief Operating Officer for the SOC)
SkillsAll of the above + strong leadership and communication skills
ResponsibilitiesSupervises the activity of the SOC team. Recruits, hires, trains, and assesses the staff. Manages the escalation process and reviews incident reports. Develops and executes crisis communication plan to CISO and other stakeholders. Runs compliance reports and supports the audit process. Measures SOC performance metrics and communicates the value of security operations to business leaders.
Some SOC teams (especially those with more resources) have developed a dedicated threat intelligence function. This role—which could be staffed by one or more analysts—would involve managing multiple sources of threat intelligence data, verifying its relevance, and collaborating with the larger threat intelligence community on indicators, artifacts, attribution, and other details surrounding an adversary’s TTPs (tools, tactics, and procedures). For smaller teams (fewer than 5 members), we recommend looking for ways to automate the consumption of threat intelligence from a reliable threat intelligence service provider (for more detail, see Chapter 4 on Threat Intelligence).
We wish that there was a hard and fast rule to knowing precisely if/when you’d need to outsource your SOC to a service provider. Staff size and skillset is certainly a factor. At the same time, some of the largest enterprises rely on MSSPs instead of building their own SOCs. The choice really comes down to answering one question: How confident are you that your team has the resources and skilled staff to detect, contain, and respond to a data breach? If your team's resources are concentrated on other priorites, it may be wise to leverage an MSSP to manage your SOC. In fact, we’d recommend starting with one of many AlienVault-powered MSSPs. You can find one here.