Translated by
2020/05/15 12:34:38

Check sheet: check whether everything "is able to do" your SOC?

What problems should SOC solve? It is reasonable to begin the project of creation of situational command center with the answer to this question with information security (Security Operation Center, SOC). Rinat Sagirov, the leading consultant of Information Security Center of Jet Infosystems company, helped to understand that modern SOC should "be able to do" and make the list on this subject for the check sheet – a new format of TAdviser in which experts are divided useful applied information, tips and instructions by application of different technologies.


What can do your SOC

SOC solves not only problems of monitoring and response to incidents of information security, but also in principle any other operational tasks in the field of cybersecurity (secops).

Example of opportunities of SOC according to NIST Cybersecurity Framework

Many companies at the SOC organization are mistakenly focused on its hardware and only then start building of processes and determination of necessary personnel. Meanwhile, it is reasonable to begin with the answer to questions: for what the company needs SOC and what problems it should solve. It will help to create target model of the planned SOC, proceeding from a target set of its functions or services (if in the company the service-oriented model is implemented). For example, MITRE selects about 40 SOC functions.

The list of the SOC functions according to MITRE

"Personnel-processes-technology" are principal components of SOC

After the choice of target feature set of SOC experts recommend to pass to development of the target model defining its principal components by a classical triad of "personnel-processes-technology".

The target SOC model helps to solve: what processes are necessary; what technologies are required for process automation; what personnel are necessary for implementation of processes and support of technologies.

The correct formula of structure of SOC does not exist. Each company has the way and the "obligatory" SOC set. The structure very strongly depends on target feature set of SOC and volume of the tasks solved by it.

The most often implementable SOC functions in Russia, according to Jet Infosystems company

To the companies with small area of a covering of monitoring will collect on a centralized basis enough, to filter and normalize events from infrastructure with the help of management systems for logs (Log Management System) and to build a cybersecurity incident management process that the team of 2–3 people could solve assigned tasks effectively.

The companies with a various stack of technologies, the distributed IT infrastructure and the big park of IT means for solving of tasks of monitoring and reaction need the big SOC command which is capable to use processes together with technologies, to perform their support and development.

Let's stop in detail on separate components of SOC, proceeding from the basic functionality including detection and the analysis of violations of cybersecurity in real time, response to incidents and informing all concerned parties in the companies about the current level of security.

"Personnel": what command is necessary for ensuring work of SOC

The organization structure of SOC depends on its functions therefore accurate criteria which would determine exact number of staff, no. For implementation of basic functionality it is necessary to include in the SOC command specialists who will solve the following problems: monitoring of events of cybersecurity; registration and classification of suspicions for a cybersecurity incident; collecting of necessary data for the analysis of suspicion on a cybersecurity incident; the analysis of suspicions on a cybersecurity incident for the purpose of its identification; coordination of response to cybersecurity incidents; administration of the technical SOC tools; development of infrastructure of SOC.

Example of a role model of SOC

The main team's line-up should be created as soon as possible that he participated in implementation of systems and debugging of processes. A good background for the employee of SOC is experience of administration of IT systems and network infrastructure, implementation and administration of the information security facility and also skills on conducting testing for penetration.

the Optimal variant of the solution of staff deficit can become transfer of a part of the SOC functions on outsourcing on hybrid model. At such approach the company implements a technology core at itself and gradually forms a team. With development of own competences it will be possible to refuse outsourcing services, having left to service provider only the most expert tasks: investigation of non-standard incidents of cybersecurity, forenzika, pro-active search of threats of cybersecurity. For example, having constructed zero SOC c in the company of the HSC sphere, we took its infrastructure on support, provided monitoring and reaction. It helped the company to start SOC services and to gather for it an expert team in the quiet mode.


"Processes": what processes are necessary for effective implementation of the SOC functions

Widespread error during creation of SOC is the wrong building of processes: documentation which is quite often regulating them is impractical and "goes to a table". As a result the specialists armed with technical means are left without a clear understanding of the tasks facing them and without detailed instructions for their accomplishment. In such conditions to organize productive interaction in SOC and with adjacent divisions extremely difficult.

For efficiency of SOC it is recommended to model processes of level of management and the operational level. The first will help to provide its development and the quality objective of implementation of the main functionality. The second mean building of the main (i.e. directly connected with implementation of target functionality) and auxiliary processes. The last serve for determination of approaches to connection of sources of events, to development of correlation logic, solving of tasks of a trablshuting and updating of the list of data assets in the field of monitoring and data on these assets.

Standard process map SOC

How to avoid errors when building processes of SOC

Connect all interested divisions to modeling of processes; Fix areas of responsibility of specialists and define the most convenient communication channels between them; Hold pilot testing according to the results of modeling; Provide training of all who will be involved in implementation of processes, with analysis of real cases; Develop a set of metrics to estimate correct functioning of process.

At development of SOC in systemically significant bank we solved a problem of inefficiency of an incident management process of cybersecurity. Within upgrade of this process our command developed its detailed technology scheme, having included in it all steps on processing of an incident and all possible options of escalation. Also together with credit institution we defined all roles and developed communication matrixes at response to certain types of incidents, having enshrined them in plans of reaction (playbook).
Rinat Sagirov, leading consultant of Information Security Center of Jet Infosystems company

"Technologies": using what solutions to automate processes of SOC

It is desirable to equip large SOC with tools for automation of the built processes.

A SIEM system helps to automate identification of incidents of cybersecurity due to collecting, correlation and the analysis of events of cybersecurity from elements of IT infrastructure and information security tools.

IRP/SOAR system (Incident Response Platform/Resilient Security Orchestration, Automation and Response) increase the speed of reaction to incidents due to automation of routine tasks of their processing. For example, with their help it will be possible to save time for registration, classifications (determination of category and level of criticality), filling of a card of an incident, enrichment with events for the analysis, check on injuriousness of indicators of a compromise and accomplishment of actions for reaction. In solutions of this class it is possible to configure scenarios of reaction under each category of incidents that will help to automate all lifecycle of management of them.

SOC can apply the IRP/SOAR systems not only to incident management of cybersecurity, but also to the solution of additional tasks.

Inventory and control of IT infrastructure
In the presence in the system of the module of asset management it is possible to implement control of relevance of structure of IT infrastructure and to solve a problem of shadow IT (Shadow IT). All this is performed in close interaction with other infrastructure systems: CMDB, corporate domain, management systems for IT infrastructure.
Management of vulnerabilities in infrastructure
Using a system it is possible not only to reveal and register, but also to prioritize vulnerabilities on levels of criticality of data assets, to appoint automatically responsible and terms of elimination.

Threat Intelligence Platform help to automate the tasks connected with use of data of cyberinvestigation (Threat Intelligence). It is possible to refer collecting and processing of indicators of a compromise with the subsequent retrospective analysis of events of cybersecurity on existence of the received compromise indicators to such tasks.

What SOC should reveal

At construction of SOC often there are difficulties with understanding of what incidents it should reveal. This problem is solved by its technology core — a SIEM system — by correlation of the events of cybersecurity raised from elements of IT infrastructure and means of protecting. Vendors deliver SIEM with a large number of the developed rules of correlation which need only to be adapted for realities of specific IT infrastructure. Or it is possible to write the rules, being guided by a popular framework of MITRE ATT&CK with practicians of identification known the technician of the attacks.

You should not expect that the rule of correlation will be able to detect a complete vector of implementation of threat of cybersecurity. Probability that and the technician the malefactor will select delivered on monitoring from all variety of tactics it is insignificant it is small. Therefore it is better to develop the rules of correlation directed to identification of atomic events of implementation specific the technician of relevant threats.

How to develop scenario base Define relevant threats of cybersecurity for the connected IT infrastructure; Set scenarios of actions (tactics) for implementation of each threat of cybersecurity; Reveal vulnerabilities which can be used within specific tactics; Designate methods (technicians) of implementation of vulnerabilities; Define methods of identification of sale of the equipment — a set of events of cybersecurity which indicates attempts of execution or implementation of the specific equipment, such as:
- events of detection of indicators of a compromise (IP address, URL, hashes of files, etc.);
- events of detection of software allowing to implement the equipment;
- events of detection of actions taken within implementation the technician.
Hold testing for penetration to be convinced that selected technology of implementation of threats of cybersecurity are really relevant for the company.

We applied such approach on the project on construction of SOC from scratch in the large metallurgical company. It helped us not only to understand what data assets were required to be connected and what threats of cybersecurity to deliver on monitoring, but also to reveal threats of cybersecurity which implementation the current system of protection did not allow to detect.
Rinat Sagirov, leading consultant of Information Security Center of Jet Infosystems company


The arising cybersecurity events in infrastrukturev the first stage of SOC should analyze cybersecurity events in elements of IT infrastructure and information security tools for identification of incidents of cybersecurity. It needs to be done not only in real time, but also in a retrospective for the set period. So you will be able to detect the missed cybersecurity incidents.

Post-incidental analysis That an incident did not repeat, it is important to analyze results of reaction. It is necessary to understand why an incident occurred and how effective were the taken measures for its elimination. After that it is possible to start development of recommendations: correct settings of means of protecting, make changes to rules of identification of incidents, change plans for reaction, etc.

Control of metrics of SOC Tracking of values of metrics allows to reveal and fix in time problems which can be detected both in the organization of process, and in the personnel implementing it. The following metrics can be useful to SOC, for example: share of incidents with a reaction adherence to deadlines; average time of identification of incidents of cybersecurity; the average time of response to an incident (on criticality levels).

Visualization of the reporting The analytics on activity of SOC is displayed on dashborda in the form of widgets — the various tables and charts grouped in sense on one screen. Systems entering a technology core of SOC (SIEM, IRP/SOAR) are capable to create a set of types of widgets of any structure and a configuration. Dashborda of operational and tactical levels are most often developed. The first show a cut on the current picture of a status of cybersecurity: new and open incidents, their priorities, loading of personnel, adherence to deadlines, etc. The second provide statistics on activity for the last month: distribution by categories of incidents and subjects to the attacks, average time of identification and response to incident, efficiency metrics.

Other method of visualization of the reporting — data view on a cybersecurity incident in the form of graphs or interactive schemes and cards of networks. Such method shows: cybersecurity incident source; data assets in corporate network, subject to the attack; the compromised accounts; the possible connectivity of some incidents of cybersecurity with others for identification of a chain of the attack.

New trends

Search of premises to carrying out atakv lately focus of cybersecurity is displaced from identification of already perfect negative actions in infrastructure towards detection of premises to carrying out the attacks. In other words, specialists aim to reveal the attacks at earlier stages according to a chain of Kill Chain describing the universal scenario of actions of the malefactor.

Cybersecurity focus shift at identification of cyberincidents

For implementation of such concept of SOC tools which not only reveal signature activity are necessary, but also fix and analyze aberrant behavior, thereby allowing to detect the purposeful attacks using an unknown malicious code, the compromised accounts, besfaylovy methods, legitimate applications and actions which are not bearing under themselves anything suspicious. The Gartner company positions a linking of NTA (Network Traffic Analysis), EDR (Endpoint Detection and Response) and SIEM as a set of necessary technical means for the organization of the most complete monitoring of infrastructure and identification of the threats aimed at a bypass of traditional means of protecting.

Edrrabochiye of the place remain the key purpose of malefactors and the most widespread points of entry in infrastructure of the company. Endpoints connect to SIEM as events for monitoring of incidents seldom or partially — only the most critical. It is caused first of all by the high cost of collecting and processing of magazines from all terminal stations and also generation of a huge number of events for analysis that often leads to an overload of personnel of SOC. For detecting of events on final nodes in infrastructure it is possible to use the solution of the class EDR which will help to reveal aberrant behavior on final hosts.

Ntasetevoy traffic — one of important sources of events for identification of incidents of cybersecurity. Often instead of its full analysis are limited to collecting of logs from standard network means of protecting and network equipment. It is possible automate collecting and the analysis of events in traffic using solutions of the class NTA. Unlike standard instruments of identification of network attacks, they operate with large volumes of traffic that gives the chance to reveal an attack chain entirely, but not to be content with operation of a single signature. The system of the class NTA can be useful in identification of unknown threats at the expense of the behavioural analysis of traffic.

Deception Toolissledovateli Gartner call Deception of one of the most important new technologies in cybersecurity. Solutions of this class reveal in IT infrastructure the harmful actions made at the APT attack which often remain imperceptible for standard cybersecurity means. The Deception systems create the active traps and fake resources fully imitating full-time employment of real users, program and the software and hardware complexes functioning in IT infrastructure. Such traps give to the malefactor the chance successfully them to attack and to achieve imaginary results of attack, thereby winning time for reaction for the SOC command.

Breach and Attack Simulation (BAS) Actively develop also the systems of the class BAS which allow to automate functionality of testing for penetration partially. Also they can be useful when holding cyberexercises when it is necessary to fulfill practical skills of personnel of SOC on operational identification and response to the attacks.

What it is still important not to forget about

"Sandbox" The malware which broke loose which the analyst decided to analyze by the main machine can be serious threat. For the analysis of a malicious code it is necessary not to forget to put completely isolated "sandbox" in the SOC project.

Cyberpolygon Cyberexercises are required — to reflect a cyberpolygon the simulator using which specialists will be able to study of the attack and to investigate incidents in the fighting mode. Besides, it is useful also for testing of new means of protecting. In fact, it is test infrastructure which does not interact with the main IT landscape of the company in any way. In it it is necessary to provide a possibility of simulation of different scenarios of cyber attacks (DDoS, attacks on OS, Web, the telecom equipment and Wi-Fi) and to unroll the system of protection allowing to reveal and counteract them.

Protection of SOC For SOC it is necessary to develop separate, more strict, standards of providing Information Security, than for all other company. Infrastructure of SOC should be most separated from corporate, the network segment is separated by firewalls and constructed on separate network equipment. In other words, it is worth recognizing that all IT infrastructure of the company is already compromised. At creation of SOC it is necessary to remember that his eyes and ears are network sensors, different information security tools scattered on all company. Secure access to them and their protection should be worked carefully out.

Instead of the conclusion

Construction of SOC is a long and resource-intensive project. Classical approach to such projects can be formulated so: "Eat an elephant in parts".

Before start of the project, when forming target model, we recommend to develop the road map of transition to it with indication of intermediate status models of SOC and necessary projects for their achievement. It is better to begin to build SOC for implementation of basic functionality: monitoring, identification, reaction and analytics of incidents. So to begin with building of an incident management process of cybersecurity and implementation of a SIEM system. The next stage of improvement of SOC is an increase in level of a maturity of an incident management process due to development of correlation logic and implementation of procedures of automation using IRP/SOAR and also building of more expert processes, for example, such as a forenzika, pro-active search of threats of cybersecurity, cyberinvestigation data management. Further development is possible in case of decision-making of building of full-fledged service-oriented SOC for implementation of operational tasks in the field of cybersecurity.
Rinat Sagirov, leading consultant of Information Security Center of Jet Infosystems company

In more detail about nuances of the SOC organization can [be recognized from experts of Jet Infosystems company.]