Exam (solutions)

Security Operations Center (SOC) Exam Questions And Answers

Pages
10
Grade
A+
Uploaded on
16-07-2025
Written in
2024/2025

Why do we need a Security Operations Center (SOC) - It helps identify:
- Who or what was targeted
- Was the adversary successful
- Who is the adversary and what is their motivation
- How do we continue with the business mission

SOC Mission - A team that detects, analyzes, and responds to incidents to minimize damage from security issues
- Known by a variety of alternative names and terms
-- Cybersecurity Operations Center (CSOC)
-- Computer Incident Response Team (CIRT)
-- Computer Security Incident Response Team (CSIRT)
-- Computer Emergency Response Team (CERT)
-- Network Operations and Security Center (NOSC)

What does a SOC do - Detects, analyzes and responds to security incidents

Functional Components of a SOC -
- Understand what it's supposed to do
- How it works, and what components are available to support the desired function
- Roles people play, and define the procedures for those people to follow
- Permutations on how to arrange and staff the functions

Steering Committee -
- Provides a vehicle for discovery and planning; its focus shifts to high-level implementation decisions, without involving itself in the details of the actual build
- Provides ongoing operational oversight
-- Helps SOC adapt to changing business and technology drivers
-- Supplies SOC with:
--- Situational awareness of the business
--- Legal requirements
--- Cultural drivers

SOC Charter -
- Written policy that describes SOC scope, constituency, and services; in reality, it is a service level agreement or objective (SLA/SLO)
- Provides a high-level mission statement
- Signed off by senior management

Which of the following should be included in a SOC Charter? - A mission statement

SOC Command Center -
- Is the command center for all cyber-security related activities
- Maintains situational awareness of systems and threat environments
- Manages threats and proactively protects systems

SOC Command Center Key Activities -
- Command and control for all activity related to security operations
- Single point of entry for security-related requests
- Has authority to direct response and notify constituents
- Defines and manages communications

SOC Command Center Process - Receives requests and provides direction to the functional areas of the SOC to protect the organization:
1. Receives request from: business units, law enforcement, third parties, or SOC functional areas
2. Determines if reports are duplicate or ongoing
3. If an incident, then appropriate notifications, ticket creation, and reporting are performed
4. Leverages functional capabilities to determine the scope of the incident
5. SOC functional areas receive appropriate tasks from the command center to advance the handling of the incident

Network System Monitoring (NSM) Function -
- Cornerstone capability of SOC
- Watching data in motion
- Data aggregates into a single resource (SIEM)
- Network instrumentation is required
- Incorporates data from many resources
- Uses all data sources to attempt to understand what occurred and determine if the reported issue is a security incident
- Correlation is the process used to look at other related items of the reported incident
-- The intent of the correlation process is to understand what occurred

A firewall log shows a connection from an internal host to an internal IP address that has been determined to be malicious. The analyst looked at logs on the internal host, IDS alerts and DNS requests. What process has the analyst used? - Correlation process

Threat Intelligence Function - The process of investigating and collecting information about emerging threats and threat sources.
- Collects open source info and internal adversary info
- Correlates events to threat actors
- Learns adversary activities:
-- Retain adversary characteristics
-- Attribution info and characteristics

Incident Response Function - Contain incidents, eradicate incidents, perform coordination among various teams, and provide reporting on status as well as final disposition:
- Interrupt normal operations in an appropriate manner
- Leaving systems compromised
- Contain assets:
-- Logically and physically
-- Containment strategies are terrible
--- Don't detect adversaries in a timely manner to contain attacks
- Eradicate issues and return to service (recovery)
- Ongoing status dissemination to other SOC functions is important during incidents

Institution
Beacon
Course
Beacon

Preview of the content

Security Operations Center (SOC)
Exam Questions And Answers
Why do we need a Security Operations Center (SOC) - It helps identify:
- Who or what was targeted
- Was the adversary successful
- Who is the adversary and what is their motivation
- How do we continue with the business mission
SOC Mission - A team that detects, analyzes, and responds to
incidents to minimize damage from security issues
- Known by a variety of alternative names and terms
-- Cybersecurity Operations Center (CSOC)
-- Computer Incident Response Team (CIRT)
-- Computer Security Incident Response Team
(CSIRT)
-- Computer Emergency Response Team (CERT)
-- Network Operations and Security Center (NOSC)

What does a SOC do - Detects, analyzes and responds to security incidents

Functional Components of a SOC -
- Understand what it's supposed to do
- How it works, and what components are available to support the desired function
- Roles people play and define the procedures for
those people to follow
- Permutations on how to arrange and staff the functions

Steering Committee -
- Provides a vehicle for discovery and planning; its focus shifts to high-level implementation decisions, without involving itself in the details of the actual build

- Provides ongoing operational oversight
-- Helps SOC adapt to changing business and
technology drivers
-- Supplies SOC with:
--- Situational awareness of the business
--- Legal requirements
--- Cultural drivers


Document information

Uploaded on
16 July 2025
Number of pages
10
Written in
2024/2025
Type
Exam (solutions)
Contains
Questions and answers
