Security Operations Center (SOC)
GUJARAT UNIVERSITY
Program - Master of Science (Sem-3)
Branch/Spec. - Cyber Security & Forensics
Prepared By – Himani Parmar

Unit 1: Introduction to Security Operations Center
- Overview of SOC
- SOC Roles and Responsibilities
- SOC Architecture
- Introduction to Cyber Threats

Overview of SOC

What is a security operations center (SOC)?
- A security operations center (SOC) improves an organization's threat detection, response and prevention capabilities by unifying and coordinating all cybersecurity technologies and operations.
- Its mission is to detect, analyze and respond to security incidents in real time.
- The SOC also selects, operates and maintains the organization's cybersecurity technologies and continually analyzes threat data to find ways to improve the organization's security posture.

What does a security operations center (SOC) do?
- SOC activities and responsibilities fall into three general categories.

Preparation, planning and prevention

Asset inventory:
- A SOC needs to maintain an exhaustive inventory of everything that needs to be protected, inside or outside the data center (for example applications, databases, servers, cloud services, endpoints, etc.) and all the tools used to protect them (firewalls, antivirus/anti-malware/anti-ransomware tools, monitoring software, etc.).
- Many SOCs will use an asset discovery solution for this task.

Routine maintenance and preparation:
- To maximize the effectiveness of the security tools and measures in place, the SOC performs preventive maintenance such as applying software patches and upgrades, and continually updating firewalls, allow lists and blocklists, and security policies and procedures.
- The SOC can also create system backups, or assist in creating backup policies or procedures, to ensure business continuity in the event of a data breach, ransomware attack or other cybersecurity incident.
Overview of SOC  Incident response planning:  The SOC is responsible for developing the organization's incident response plan, which defines activities, roles and responsibilities in the event of a threat or incident, and the metrics by which the success of any incident response will be measured. Overview of SOC  Regular testing:  The SOC team performs vulnerability assessments—comprehensive assessments that identify each resource's vulnerability to potential or emerging threats and the associate costs.  It also conducts penetration test that simulate specific attacks on one or more systems.  The team remediates or fine-tunes applications, security policies, best practices and incident response plans based on the results of these tests. Overview of SOC  Staying current:  The SOC stays up to date on the latest security solutions and technologies, and on the latest threat intelligence — news and information about cyberattacks and the hackers who perpetrate them, gathered from social media, industry sources and the dark web. Overview of SOC  Monitoring, detection and response  Continuous, around-the-clock security monitoring:  The SOC monitors the entire extended IT infrastructure— applications, servers, system software, computing devices, cloud workloads, the network—24/7/365 for signs of known exploits and for any suspicious activity. Overview of SOC  Log management:  Log management—the collection and analysis of log data generated by every network event —is an important subset of monitoring.  While most IT departments collect log data, it's the analysis that establishes normal or baseline activity and reveals anomalies that indicate suspicious activity.  In fact, many hackers count on the fact that companies don't always analyze log data, which can allow their viruses and malware to run undetected for weeks or even months on the victim's systems.  Most SIEM(Security information and event management) solutions include log management capability. 
Overview of SOC  Threat detection:  The SOC team sorts the signals from the noise—the indications of actual cyberthreats and hacker uses from the false positives—and then triages the threats by severity.  Modern SIEM solutions include artificial intelligence (AI) that automates these processes and which 'learns' from the data to get better at spotting suspicious activity over time. Overview of SOC  Incident response: In response to a threat or actual incident, the SOC moves to limit the damage. Actions can include:  Root cause investigation, to determine the technical vulnerabilities that gave hackers access to the system, as well as other factors (such as bad password hygiene or poor enforcement of policies) that contributed to the incident.  Shutting down compromised endpoints or disconnecting them from the network.  Isolating compromised areas of the network or re-routing network traffic. Overview of SOC  Pausing or stopping compromised applications or processes.  Deleting damaged or infected files.  Running antivirus or anti-malware software.  Decommissioning passwords for internal and external users. Overview of SOC  Recovery, refinement and compliance  Recovery and remediation:  Once an incident is contained, the SOC eradicates the threat, then works to recover the impacted assets to their state before the incident  (for example wiping, restoring and reconnecting disks, user devices and other endpoints; restoring network traffic; restarting applications and processes).  In the event of a data breach or ransomware attack, recovery might also involve cutting over to backup systems, and resetting passwords and authentication credentials. Overview of SOC  Post-mortem and refinement:  To prevent a recurrence, the SOC uses any new intelligence gained from the incident to better address vulnerabilities, update processes and policies, choose new cybersecurity tools or revise the incident response plan. 
- At a higher level, the SOC team might also try to determine whether the incident reveals a new or changing cybersecurity trend for which the team needs to prepare.

Compliance management:
- It's the SOC's job to ensure all applications, systems and security tools and processes comply with data privacy regulations such as GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act).
- Following an incident, the SOC makes sure that users, regulators, law enforcement and other parties are notified in accordance with regulations and that the required incident data is retained for evidence and auditing.

Security operations center (SOC) importance:
- A SOC provides numerous benefits to organizations, including:
- Asset protection: The proactive monitoring and rapid response capabilities of SOCs help prevent unauthorized access and minimize the risk of data breaches. This safeguards critical systems, sensitive data and intellectual property from security breaches and theft.
- Business continuity: By reducing security incidents and minimizing their impact, SOCs ensure uninterrupted business operations. This helps maintain productivity, revenue streams and customer satisfaction.
- Regulatory compliance: SOCs help organizations meet regulatory requirements and industry standards for cybersecurity by implementing effective security measures and maintaining detailed records of incidents and responses.
- Cost savings: Investing in proactive security measures through a SOC can result in significant savings by preventing costly data breaches and cyberattacks. The upfront investment is often far less than the financial damages and risks to reputation caused by a security incident, and, if outsourced, replaces the need for staffing security professionals in-house.
Overview of SOC  Customer trust: Demonstrating a commitment to cybersecurity through the operation of a SOC enhances trust and confidence among customers and stakeholders.  Enhanced incident response: The rapid response capabilities of SOCs reduce downtime and financial losses by containing threats and quickly restoring normal operations to minimize disruptions.  Improved risk management: By analysing security events and trends, SOC teams can identify an organization’s potential vulnerabilities. They can then take proactive measures to mitigate them before they are exploited. SOC Roles and Responsibilities  Key security operations centre (SOC) team members  SOC manager: The SOC manager runs the team, oversees all security operations, and reports to the organization's CISO (Chief Information Security Officer).  Security engineers: These individuals build out and manage the organization's security architecture.  Much of this work involves evaluating, testing, recommending, implementing and maintaining security tools and technologies. SOC Roles and Responsibilities  Security analysts: Also called security investigators or incident responders, security analysts are essentially the first responders to cybersecurity threats or incidents.  Analysts detect, investigate, and triage (prioritize) threats; then identify the impacted hosts, endpoints and users.  They then take appropriate actions to mitigate and contain the impact or the threat or incident. )  In some organizations, investigators and incident responders are separate roles classified as Tier 1 and Tier 2 analysts, respectively.) SOC Roles and Responsibilities  Threat hunters: Also called expert security analysts or SOC analysts, threat hunters specialize in detecting and containing advanced threats—threat hunting for new threats or threat variants that manage to slip past automated defenses. 
SOC Architecture

Introduction to Cyber Threats

Cyber Threats
- Cyber threats are malicious activities aimed at compromising the integrity, confidentiality, or availability of information systems. These threats can come from various sources, including individuals, groups, or even nation-states.

Types of Cyber Threats
- Malware: Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems. Examples include viruses, worms, Trojans, and ransomware.
- Phishing: Fraudulent attempts to obtain sensitive information by disguising as a trustworthy entity, often through email or messaging.
- Denial of Service (DoS): Attacks that overwhelm a system, making it unavailable to users. Distributed Denial of Service (DDoS) attacks involve multiple systems targeting a single system.
- Man-in-the-Middle (MitM): Attacks where the attacker intercepts and possibly alters the communication between two parties without their knowledge.
- SQL Injection: Exploiting vulnerabilities in an application's software by inserting malicious SQL code into a query.
- Zero-Day Exploit: Attacks that occur on the same day a vulnerability is discovered, before a fix is available.
- Advanced Persistent Threats (APTs): Prolonged and targeted cyberattacks where an intruder gains access to a network and remains undetected for an extended period.

Attack Vectors
- Attack vectors are the methods or pathways used by cybercriminals to infiltrate a system. Here are some common attack vectors:
- Social Engineering: Manipulating individuals into divulging confidential information. This includes phishing, pretexting, baiting, and tailgating.
- Credential Theft: Stealing usernames and passwords to gain unauthorized access to systems.
- Vulnerability Exploits: Taking advantage of weaknesses in software or hardware to gain access or cause damage.
Introduction to Cyber Threats  Malicious Email Attachments and Links: Sending harmful files or links that, when opened, execute malicious  Insider Threats: Attacks from within the organization, often by disgruntled employees or contractors.  Drive-by Downloads: Unintended download of malicious software when visiting a compromised website.  Insider Threats: Attacks from within the organization, often by disgruntled employees or contractors. Assignment -1 1.What are its primary purposes and why is it important for organizations to have a SOC? 2.How does it improve an organization’s cybersecurity posture? 3.Identify and describe the key roles within a SOC. What are the main responsibilities of SOC analysts, incident responders, and SOC managers? 4.Explain the role of a SOC analyst. What skills and knowledge are essential for this position? 5.Describe the typical components and layout of a SOC. How do these components work together to ensure effective security operations? 6.Discuss the importance of SOC architecture. How does it contribute to the overall effectiveness of the SOC? 7.List and explain the different types of cyber threats. Provide examples for each type. 8.What are attack vectors? Describe at least three common attack vectors used by cybercriminals. 9.Compare and contrast malware and phishing. How do these threats differ in terms of their methods and impacts? 10. Discuss the concept of Advanced Persistent Threats (APTs). Why are they particularly challenging for SOCs to handle?
