Understanding Security Operations Center (SOC)
The SOC team is responsible for the day-to-day monitoring, detection, and response to security incidents. They work in shifts to ensure 24/7 coverage and act as the first line of defense against cyber threats.
SOC teams typically use a variety of tools and techniques to monitor network traffic, identify suspicious activity, and investigate incidents.
The size and composition of a SOC team will vary depending on the size and complexity of the organization it supports. However, most SOC teams will include a mix of security analysts, incident responders, and shift leads/managers.
SOC Team Roles
Security Analysts: They are responsible for monitoring and analyzing the security alerts and events generated by security tools. These events are collected and monitored in a Security Information and Event Management (SIEM) tool. Analysts investigate (triage) the alerts, separate potential security incidents from false positives, determine their severity and impact, and either remediate them or pass them to the appropriate team. Security Analysts typically work in a 24/7 model and can be 1st party (employed by and working for the company), 3rd party (working for a client), or a mix of both.
Incident Responders: The Security Incident Response Team (SIRT) is responsible for investigating and responding to security incidents in a timely and effective manner. They work closely with other teams within the SOC and with external stakeholders to contain and mitigate the impact of security incidents. They are usually responsible for handling any security incident affecting the company, regardless of whether it is reported from within the company or externally. SIRT works during business hours but is always on standby and available on-call to respond to an incident 24/7. They can be internal to the company (1st party) or a 3rd party that is kept on standby and contractually bound to respond within X hours.
Threat Intelligence Analysts: The Threat Intelligence Team is responsible for gathering, analyzing, and sharing information about potential or emerging cyber threats, attack techniques, and vulnerabilities. They provide actionable intelligence to other teams within the SOC to help improve the organization's security posture. The team is responsible for enriching the information and data that flow into the SIEM with more context (such as a relation to a known threat actor), making it more meaningful for Security Analysts and Incident Responders. This team generally works during business hours and is often outsourced to a third-party company that serves one or more clients.
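To make the hand-off between the Security Analysts and the Threat Intelligence Team concrete, here is an added example (not code from the original article) of a minimal triage pipeline: SIEM-style alerts are enriched with threat-intel context and then given a severity and a disposition. The rule names, base severities, thresholds, threat-actor labels and indicator values are all constructed assumptions for illustration, not real IoCs.

```python
"""Alert triage with threat-intel enrichment (added example, constructed data)."""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> context the TI team supplies.
# The addresses and names are documentation/example values, not real IoCs.
THREAT_INTEL = {
    "203.0.113.45": {"actor": "EXAMPLE-ACTOR-1", "confidence": "high"},
    "files.example.invalid": {"actor": "EXAMPLE-ACTOR-2", "confidence": "medium"},
}

# Assumed base severity per SIEM rule, before any enrichment (1 = low, 3 = high).
BASE_SEVERITY = {
    "outbound_connection": 2,
    "failed_login_burst": 2,
    "new_admin_user": 3,
    "dns_query": 1,
}

# Assumed routing thresholds on the post-enrichment severity score.
ESCALATE_AT = 4        # hand to SIRT
INVESTIGATE_AT = 2     # analyst works the alert


@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    indicators: list                   # IPs/domains the SIEM rule extracted
    severity: int = 0
    context: dict = field(default_factory=dict)   # filled by enrichment
    disposition: str = "pending"


def enrich(alert: Alert, intel=THREAT_INTEL) -> Alert:
    """Attach TI context for every indicator in the alert that the feed knows."""
    for ioc in alert.indicators:
        if ioc in intel:
            alert.context[ioc] = intel[ioc]
    return alert


def triage(alert: Alert) -> Alert:
    """Score the alert and decide where it goes next."""
    alert.severity = BASE_SEVERITY.get(alert.rule, 1)
    if alert.context:
        # Any TI match raises severity; a high-confidence match raises it more.
        high = any(c["confidence"] == "high" for c in alert.context.values())
        alert.severity += 2 if high else 1
    if alert.severity >= ESCALATE_AT:
        alert.disposition = "escalate_to_sirt"
    elif alert.severity >= INVESTIGATE_AT:
        alert.disposition = "analyst_investigation"
    else:
        alert.disposition = "close_benign"
    return alert


def triage_queue(alerts):
    """Enrich and triage every alert; return the queue ordered by severity."""
    return sorted((triage(enrich(a)) for a in alerts),
                  key=lambda a: a.severity, reverse=True)


# Constructed sample alerts standing in for a SIEM export.
SAMPLE_ALERTS = [
    Alert("A1", "outbound_connection", "ws-01", ["203.0.113.45"]),
    Alert("A2", "failed_login_burst", "srv-02", ["198.51.100.7"]),
    Alert("A3", "dns_query", "ws-05", ["cdn.example.com"]),
    Alert("A4", "new_admin_user", "dc-01", []),
]

if __name__ == "__main__":
    for a in triage_queue(SAMPLE_ALERTS):
        actors = [c["actor"] for c in a.context.values()]
        print(a.alert_id, a.rule, a.severity, a.disposition, actors)
```

The design point is that enrichment changes the outcome: an outbound connection on its own is a medium alert for an analyst to look at, but the same alert with a high-confidence actor match crosses the escalation threshold and goes straight to SIRT, while an alert with no intel match and a low base severity can be closed without consuming analyst time.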
Threat Hunt Team: This team proactively searches for threats and vulnerabilities that may have been missed by automated security tools. It works on an assumed-compromise basis, with a defined hypothesis and scope, on the premise that attackers are already in the network or that a vulnerability in the environment has already been exploited. The team analyzes large data sets, commonly over a 90-day window, looking for threats and outliers. Suspicious activity is then escalated to SIRT for deeper investigation. The outcomes of a Threat Hunt exercise are visibility gaps, new detections, and security incidents that the security tools did not pick up. This team works during business hours and comprises senior members drawn from the Security Analysts and/or SIRT.
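As an added example of the kind of outlier analysis the paragraph describes (this is illustrative code, not the article's or any particular SOC's tooling), the block below runs two common hunting techniques over a constructed 90-day window of endpoint telemetry: "stacking" (frequency analysis) to surface process names that appear on only a handful of hosts, and a per-host volumetric baseline using median and median absolute deviation (MAD) to flag days whose outbound volume deviates sharply from that host's own norm. The dataset, host names, process names, the `k` multiplier and the planted anomalies are all assumptions.

```python
"""Threat-hunt outlier analysis over a 90-day window (added example, constructed data)."""
from collections import defaultdict
from statistics import median
import random

WINDOW_DAYS = 90


def build_sample_window(seed=7):
    """Constructed telemetry: rows of (day, host, process, outbound_bytes).

    Twenty workstations run the same five common processes every day with
    unremarkable outbound volume. Two anomalous rows are planted on ws-13:
    a process no other host runs, and on day 71 a large outbound transfer.
    """
    rng = random.Random(seed)
    hosts = [f"ws-{i:02d}" for i in range(1, 21)]
    common = ["explorer.exe", "chrome.exe", "outlook.exe", "teams.exe", "svchost.exe"]
    rows = []
    for day in range(WINDOW_DAYS):
        for host in hosts:
            for proc in common:
                rows.append((day, host, proc, rng.randint(80_000, 120_000)))
    rows.append((70, "ws-13", "oddtool.exe", 5_000))       # rare process, small traffic
    rows.append((71, "ws-13", "oddtool.exe", 9_500_000))   # same process, large transfer
    return rows


def stack_rare_processes(rows, max_hosts=1):
    """Stacking: return process names seen on at most `max_hosts` distinct hosts.

    Hypothesis: tooling an attacker brings in is rare across the fleet, so the
    long tail of the process-name distribution is where to look.
    """
    hosts_per_proc = defaultdict(set)
    for _, host, proc, _ in rows:
        hosts_per_proc[proc].add(host)
    return sorted(p for p, h in hosts_per_proc.items() if len(h) <= max_hosts)


def volumetric_outliers(rows, k=8.0):
    """Flag (host, day, bytes) where a host's daily outbound volume exceeds
    its own median + k * MAD across the window. Median/MAD are used instead of
    mean/stddev because a single huge day would otherwise inflate the baseline
    and hide itself.
    """
    daily = defaultdict(lambda: defaultdict(int))
    for day, host, _, nbytes in rows:
        daily[host][day] += nbytes
    findings = []
    for host, per_day in daily.items():
        values = [per_day[d] for d in range(WINDOW_DAYS)]
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1   # guard a zero MAD
        for day, v in enumerate(values):
            if v > med + k * mad:
                findings.append((host, day, v))
    return findings


def run_hunt(rows):
    """Combine both techniques into the leads a hunter would hand to SIRT."""
    return {
        "rare_processes": stack_rare_processes(rows),
        "volumetric": volumetric_outliers(rows),
    }


if __name__ == "__main__":
    leads = run_hunt(build_sample_window())
    print("rare processes:", leads["rare_processes"])
    for host, day, nbytes in leads["volumetric"]:
        print(f"{host} day {day}: {nbytes:,} bytes outbound")
```

Both techniques surface the same host from different directions, which is exactly the corroboration a hunter wants before escalating: the rare-process lead on its own could be a one-off admin tool, and the volume spike on its own could be a backup job, but together they justify a SIRT ticket. In a real hunt the baseline would also be checked against known maintenance windows and the flagged process would be pulled for the malware team.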
Digital Forensics Team: This team is responsible for investigating security incidents by collecting and analyzing digital evidence. They use highly specialized forensic tools and techniques to determine the root cause of security incidents and provide recommendations for remediation. They work closely with the legal team, comply with local laws and regulations, and handle digital investigations in accordance with them. Members of this team are highly specialized and have deep knowledge of operating system internals. This team generally works in a third-party model and bills its clients on an hourly basis when involved in an investigation.
Malware Analysis and Reverse Engineering Team: This team is responsible for analyzing and reverse-engineering malware. They use a variety of tools and techniques to disassemble, decompile, and debug malware in order to understand how it works and what it is designed to do. They also develop and maintain tools and techniques for malware analysis, and they provide recommendations for mitigating the impact of malware infections and preventing future attacks. The Malware Analyst (or Researcher) role is most common in companies that sell anti-virus or other security products, where it is responsible for identifying new malware threats and developing new methods for analyzing malware. Some SOC teams also have 1–2 people with basic malware analysis skills. These individuals use that knowledge to extract next-stage indicators of compromise (IOCs) from malware samples, for containment and for hunting infected machines in the network.