The Security Operations Center (SOC) Team: Operations & Responsibilities
WHAT IS A SOC TEAM?
Just like people, every security organization is different. In some companies, the executive team recognizes the importance of cybersecurity to the business bottom line. In these cases, the security operations center (or SOC) team is in a great position, with enough budget for good tools, enough staff to manage them, and the “human” capital of executive visibility and support. Unfortunately, that’s not the reality in most cases.
Most SOC teams are fighting fires with never enough staff, never enough time, and never enough visibility or certainty about what's going on. That's why it's essential to consolidate your toolset and organize your team effectively.
A SOC team that has the right skills and uses the least amount of resources, while gaining visibility into active and emerging threats—that’s our goal.
SO HOW DO WE GET THERE?
Let’s talk about the key security operations center roles and responsibilities you need to support a SOC.
Setting up the SOC Foundation: The Quick Basics
THERE ARE TWO CRITICAL FUNCTIONS IN BUILDING UP YOUR SOC OPERATIONS
The first is setting up your security monitoring tools to receive raw security-relevant data (e.g. login/logoff events, persistent outbound data transfers, firewall allows/denies). This means making sure your critical cloud and on-premises infrastructure (firewalls, database servers, file servers, domain controllers and Active Directory, DNS, email, web servers, etc.) all send their logs to your log management, log analytics, or SIEM tool. (The next chapter covers how AlienVault® Unified Security Management® (USM) provides this critical capability, along with others such as IDS.)
The second is using those tools to find suspicious or malicious activity: analyzing alerts; investigating indicators of compromise (IOCs such as file hashes, IP addresses, and domains); reviewing and editing event correlation rules; triaging alerts by determining their criticality and scope of impact; evaluating attribution and adversary details; and sharing your findings with the threat intelligence community.
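To make the second function concrete, here is an added example (not code from this page or from AlienVault USM) that runs two simple correlation rules over constructed log lines: an IOC match against a hypothetical threat-intel feed, and a brute-force-then-success login sequence. It then triages the resulting alerts by the criticality of the assets in scope. Every host name, IP address, hash, rule weight and log line is made up for the demonstration.

```python
"""Added example, not from the page or AlienVault USM: a minimal IOC-matching
and correlation pass over constructed log lines, followed by triage scoring
by asset criticality.  All hosts, IPs, hashes and weights are hypothetical."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: the kind of raw data the SIEM receives from
# a domain controller (dc01), a firewall (fw01) and a workstation (ws17).
SAMPLE_LOGS = """\
2024-03-04T09:01:02Z dc01 auth: FAILED LOGIN user=jdoe src=203.0.113.44
2024-03-04T09:01:05Z dc01 auth: FAILED LOGIN user=jdoe src=203.0.113.44
2024-03-04T09:01:09Z dc01 auth: FAILED LOGIN user=jdoe src=203.0.113.44
2024-03-04T09:01:15Z dc01 auth: LOGIN OK user=jdoe src=203.0.113.44
2024-03-04T09:03:40Z fw01 fw: ALLOW src=10.0.5.23 dst=198.51.100.7 dport=443 bytes=52428800
2024-03-04T09:04:01Z ws17 edr: PROCESS name=update.exe sha256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
2024-03-04T09:05:00Z fw01 fw: DENY src=10.0.9.9 dst=192.0.2.10 dport=4444
"""

# Constructed threat-intel feed (hypothetical IOCs, not a real feed).
IOC_IPS = {"198.51.100.7", "192.0.2.10"}
IOC_HASHES = {"deadbeef" * 8}

# Hypothetical asset inventory: domain controller > firewall > workstation.
ASSET_CRITICALITY = {"dc01": 3, "fw01": 2, "ws17": 1}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>\w+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    ts: datetime
    host: str
    msg: str
    fields: dict


@dataclass
class Alert:
    rule: str
    ts: datetime
    hosts: tuple
    score: int
    detail: str


def parse_line(line: str):
    """Parse one 'ts host source: MESSAGE k=v k=v' line; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return Event(ts, m["host"], m["msg"], dict(KV_RE.findall(m["msg"])))


def rule_ioc_match(events):
    """Correlation rule 1: any event touching a known-bad IP or file hash.
    A hit the firewall already denied is kept but weighted lower."""
    for ev in events:
        for key in ("src", "dst"):
            if ev.fields.get(key) in IOC_IPS:
                blocked = ev.msg.startswith("DENY")
                yield Alert("ioc-ip", ev.ts, (ev.host,), 5 - (2 if blocked else 0),
                            f"{key}={ev.fields[key]}" + (" (blocked)" if blocked else ""))
        if ev.fields.get("sha256") in IOC_HASHES:
            yield Alert("ioc-hash", ev.ts, (ev.host,), 7, f"sha256={ev.fields['sha256']}")


def rule_bruteforce_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule 2: at least `threshold` failed logins for one (user, src)
    inside `window`, followed by a successful login for the same pair."""
    failures = defaultdict(list)          # (user, src) -> failure timestamps
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.fields.get("user"), ev.fields.get("src"))
        if ev.msg.startswith("FAILED LOGIN"):
            failures[key].append(ev.ts)
        elif ev.msg.startswith("LOGIN OK"):
            recent = [t for t in failures[key] if ev.ts - t <= window]
            if len(recent) >= threshold:
                yield Alert("brute-force-then-success", ev.ts, (ev.host,), 6,
                            f"user={key[0]} src={key[1]} failures={len(recent)}")
            failures[key].clear()


def triage(alerts):
    """Weight each alert by the most critical asset in scope; highest score first."""
    for a in alerts:
        a.score += 2 * max(ASSET_CRITICALITY.get(h, 0) for h in a.hosts)
    return sorted(alerts, key=lambda a: (-a.score, a.ts))


def analyze(log_text: str):
    """Parse, run every correlation rule, and return the triaged alert queue."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = list(rule_ioc_match(events)) + list(rule_bruteforce_then_success(events))
    return triage(alerts)


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"[{a.score:2d}] {a.rule:<26} {','.join(a.hosts):<5} {a.detail}")
```

The scoring mirrors the triage step described above: the same IOC hit scores higher on the domain controller than on a workstation, and a hit the firewall already blocked is lowered because the connection never completed. In a real SIEM these rules live in the correlation engine; what carries over is what each rule needs to work (parsed fields, a time window, and an asset inventory), not this particular code.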
Knowing what it will take to build a SOC will help you determine how to staff your team. For security operations teams of four to five people, the table below summarizes our recommendations.
How to Staff Your Team
Role | Description | Skills | Responsibilities |
---|---|---|---|
Tier 1 Security Analyst | Triage Specialist (separating the wheat from the chaff) | Sysadmin skills (Linux/Mac/Windows); programming skills (Python, Ruby, PHP, C, C#, Java, Perl, and more); security certifications such as CISSP, GCIA, GCIH, GCFA, and GCFE | Reviews the latest alerts to determine relevancy and urgency. Creates new trouble tickets for alerts that signal an incident and require Tier 2 / Incident Response review. Runs vulnerability scans and reviews vulnerability assessment reports. Manages and configures security monitoring tools. |
Tier 2 Security Analyst | Incident Responder (IT's version of the first responder) | All of the above, plus natural ability, dogged curiosity to get to the root cause, and the ability to remain calm under pressure. Being a former white-hat hacker is also a big plus. | Reviews trouble tickets generated by Tier 1 analysts. Leverages emerging threat intelligence (IOCs, updated rules, etc.) to identify affected systems and the scope of the attack. Reviews and collects asset data (configs, running processes, etc.) on these systems for further investigation. Determines and directs remediation and recovery efforts. |
Tier 3 Expert Security Analyst | Threat Hunter (hunts rather than waits to defend) | All of the above, plus familiarity with data visualization tools and penetration testing tools. | Reviews asset discovery and vulnerability assessment data. Explores ways to identify stealthy threats that may already be inside the network undetected, using the latest threat intelligence. Conducts penetration tests on production systems to validate resiliency and identify weaknesses to fix. Recommends how to optimize security monitoring tools based on threat hunting discoveries. |
Tier 4 SOC Manager | Operations & Management (Chief Operating Officer for the SOC) | All of the above, plus strong leadership and communication skills | Supervises the activity of the SOC team. Recruits, hires, trains, and assesses the staff. Manages the escalation process and reviews incident reports. Develops and executes the crisis communication plan to the CISO and other stakeholders. Runs compliance reports and supports the audit process. Measures SOC performance metrics and communicates the value of security operations to business leaders. |
Do I Need a Threat Intelligence Team Too?
Some SOC teams (especially those with more resources) have developed a dedicated threat intelligence function. This role, which could be staffed by one or more analysts, involves managing multiple sources of threat intelligence data, verifying its relevance, and collaborating with the larger threat intelligence community on indicators, artifacts, attribution, and other details surrounding an adversary's TTPs (tactics, techniques, and procedures). For smaller teams (fewer than five members), we recommend looking for ways to automate the consumption of threat intelligence from a reliable threat intelligence service provider (for more detail, see Chapter 4 on Threat Intelligence).
How Do I Know If I Need an MSSP?
We wish there were a hard and fast rule for knowing precisely if and when you need to outsource your SOC to a service provider. Staff size and skillset are certainly factors. At the same time, some of the largest enterprises rely on MSSPs instead of building their own SOCs. The choice really comes down to one question: how confident are you that your team has the resources and skilled staff to detect, contain, and respond to a data breach? If your team's resources are concentrated on other priorities, it may be wise to have an MSSP manage your SOC. In that case, we'd recommend starting with one of the many AlienVault-powered MSSPs.