Security Operations has rightfully gained a lot of corporate attention over the years. From writing SIEM rule logic, through building out a Threat Intelligence capability, to managing a CSIRT and designing and running a SOC operational framework, I have extensive experience with all of these roles and their content. I understand how they relate to each other, where the difficulties typically sit, and how security operations can be implemented optimally within different types of organizations.
What is security operations?
Historically, the IT department was responsible for the ins and outs of a company's IT infrastructure; its primary goal was to ensure that "it" worked and that IT systems were always available. Over the years, the need arose for a holistic approach to securing this infrastructure. The objective of the cybersecurity team, however, did not match that of the IT department: beyond availability, it also had to maintain the confidentiality and integrity of the systems and their data. Security Operations seeks to bridge the gap between these two parties and reconcile both visions, focusing on increasing the operational security of the infrastructure.
What does security operations do?
When many people think of a SOC, they picture a room with big screens and flashy graphics on the wall, filled with diligently typing nerds defending the organization's network from hackers and ransomware. While that may be how a SOC is physically set up in some companies, underneath that facade is a well-oiled machine in which different functions complement each other, not only to repel attacks but also to give the organization the intelligence, based on real, tangible data, to defend itself better.
What roles do we find in a SOC?
Event / Alert Investigator
When security alerts are produced that cannot be remediated or mitigated automatically, somebody who knows the infrastructure, systems and applications has to investigate the context, purpose and potential impact of the alert. When the investigation confirms malicious intent or a policy breach with impact to operations, the security alert becomes a security incident.
Incident Responder
Although in some companies the CSIRT is a separate team, it has a lot of affinity with the SOC and is often found within or closely affiliated with it. Its job is to respond to cyberattacks that have an impact on the environment: contain the threat, remove it from the environment and restore normal operations as soon as possible.
Detection Engineer
A detection engineer starts from known, common adversary attack techniques and determines which systems and sensors can provide the right data to detect that unwanted behavior. They build logic on events from all layers of the infrastructure to identify suspicious or unauthorized behavior in the environment. These rules, together with user-reported alerts, produce the alerts that the SOC analysts investigate.
Threat Hunter
In this role, we look either for events that fall outside the ordinary, normal behavior of the environment and analyze them for potential negative impact, or for a specific attack technique or indicators of a breach that are not yet covered by detection engineering's rule logic. Hunt findings that turn out to recur are typically handed back to detection engineering to be turned into rules.
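To make the difference between the two roles above concrete, the following is an added example (not code from the original page): a detection rule that fires on a known technique (a burst of failed logins followed by a success from the same source) and a hunt that instead flags a deviation from baseline (a successful login from a source never seen before for that user). The log format, field names, thresholds and the baseline cut-off date are assumptions chosen for illustration, and the log lines are constructed sample data, not output from any real system.

```python
"""Detection rule vs. baseline hunt over constructed authentication log lines.

Added illustration; the log format, thresholds and cut-off are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, outcome, user, source IP.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T08:02:15Z LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T08:02:19Z LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T08:02:23Z LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T08:02:27Z LOGIN_FAILED user=alice src=10.0.0.5
2024-03-01T08:02:40Z LOGIN_OK user=alice src=10.0.0.5
2024-03-01T09:15:00Z LOGIN_OK user=bob src=10.0.0.9
2024-03-01T09:30:00Z LOGIN_FAILED user=bob src=10.0.0.9
2024-03-01T09:30:30Z LOGIN_OK user=bob src=10.0.0.9
2024-03-02T03:12:00Z LOGIN_OK user=bob src=203.0.113.7
"""

# Assumed baseline boundary: logins before this date define "normal".
CUTOFF = datetime(2024, 3, 2)


def parse(line):
    """Parse one constructed log line into a dict."""
    ts, outcome, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": outcome,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def parse_log(text):
    return [parse(l) for l in text.splitlines() if l.strip()]


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """Detection rule for a known technique: at least `threshold` failed logins
    for the same (user, src) inside `window`, followed by a success.
    Returns one alert per qualifying success."""
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "LOGIN_FAILED":
            failures[key].append(ev["ts"])
            # Slide the window: forget failures older than `window`.
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        elif ev["outcome"] == "LOGIN_OK":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures": len(recent),
                    "ts": ev["ts"],
                })
            failures[key] = []  # a success resets the counter for this pair
    return alerts


def hunt_new_source(events, cutoff=CUTOFF):
    """Hunt for deviation from baseline, not for a specific technique:
    successful logins at or after `cutoff` from a source IP that the user
    never logged in from before `cutoff`. Findings are leads for an analyst,
    not confirmed incidents."""
    baseline = defaultdict(set)  # user -> source IPs seen before the cut-off
    for ev in events:
        if ev["outcome"] == "LOGIN_OK" and ev["ts"] < cutoff:
            baseline[ev["user"]].add(ev["src"])
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (ev["outcome"] == "LOGIN_OK" and ev["ts"] >= cutoff
                and ev["src"] not in baseline[ev["user"]]):
            findings.append({"user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_bruteforce_success(evs):
        print("ALERT", a)
    for f in hunt_new_source(evs):
        print("HUNT LEAD", f)
```

On the sample data the rule fires once (alice: five failures, then a success within the window) and stays silent for bob's single failure, while the hunt surfaces bob's login from 203.0.113.7, which no rule would have caught because nothing about it matches a known attack pattern. The rule's output is an alert for an analyst to triage; the hunt's output is a lead that, if it keeps recurring, is worth turning into a rule of its own.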
Vulnerability Manager
They manage the "attack surface" of the environment and ensure that weaknesses in systems, appliances or software are detected and fixed within a reasonable timeframe, so that the window of opportunity to abuse them is minimized. If a vulnerability itself cannot be eliminated, they assist in mitigating the risk in other ways and make sure the weakness is known to the relevant defensive roles within the organization.
Threat Intelligence Officer
The purpose of this role is to provide all other roles in the SOC with outside information that makes their work more efficient: gather and disseminate indicators of compromise, inform the team of new tactics and techniques, relay which vulnerabilities are being exploited, how and by whom, and monitor trends in the infosec world and project them onto the organization's own environment in order to advise on which security improvements to prioritize.
Threat Researcher
Not every SOC has this capability. These researchers examine malware, infected websites and other malicious artefacts by detonating them in a controlled (sandbox) environment, to learn how they are built and what impact they have, so that the environment can be shielded even better.
Roles supporting Security Operations:
The roles above are classically the core of SOC operations, although other arrangements are possible. To reach their full potential, they need a well-functioning IT security environment around them, which ideally includes the following supporting functions:
Security Architect
They provide the security foundations when new processes and applications are designed. They are typically responsible for creating the threat model that lists and prioritizes potential threats, laying the groundwork for their prevention or mitigation. Their output is paramount to the SOC analysts' understanding of each component in the environment and its perils and weaknesses.
Security Engineer
These are the IT specialists in charge of the security side of configuring the environment: system and application hardening, but also the configuration of security products such as firewalls, API gateways, intrusion detection systems and the like. These profiles are often spread across the traditional IT teams according to their responsibilities and areas of expertise.
Asset Manager
Essential for any defense is knowing what needs to be defended, who works with it and is responsible for it, where it sits and how it was configured. Asset management is responsible for an inventory of all devices and systems, with the necessary links to people, applications, configuration items and other assets.
Log & Event Manager
This team lays the foundation for logging: which events are stored, how they are formatted and saved, at what level of detail, and in a uniform manner across the organization so that correlation is possible. Close collaboration with the SOC, as the consumer of this information, is essential.
Governance Manager
A governance manager lays the groundwork for how policy decisions and the direction an organization takes translate from the top down to the operational IT layer.
Risk Manager
Risk managers try to quantify risk so that the technical reality of threats can be understood by senior management, who can then adjust strategy and policies accordingly. Risk managers are also responsible for maintaining the risk register and often supervise the entire risk treatment process (avoidance, mitigation, acceptance, transfer).
Compliance Manager
Compliance managers outline ways to monitor that policies, acceptable use and rules are followed by all levels of the organization.
Security Manager
This term covers a wide range, from SOC manager to CISO, but a SOC needs the support and backing of management to realize its value within the organization and to fit its security operations correctly into the bigger picture.