SOC processes and best practices

The true value of collecting, correlating, and analyzing log data is that it gives you the ability to find the “signal in the noise.” Key indicators of compromise can be found within user activity, system events, firewall accept/denies, etc. In addition, specific sequences and combinations of these events in specific patterns can also signal an event that requires your attention. The key to success in this stage is having a way to classify each event quickly, so that you can prioritize and escalate critical events that require additional investigation.

Tier 1 SOC Analysts review the latest events that have the highest criticality or severity. Once they’ve verified that these events require further investigation, they’ll escalate the issue to a Tier 2 Security Analyst (please note: for smaller teams, it may be that the same analyst will investigate issues as they escalate into a deeper investigation). The key to success in this stage is to document all activity (e.g. notation, trouble ticket, etc).

AlienVault USM collects, parses, and analyzes your log data against the latest threat intelligence, which is delivered to the platform automatically and continuously from the AlienVault Labs Security Research Team and the Open Threat Exchange® (OTX™). As threats and anomalous activities are detected in your environment, AlienVault USM generates alarms, which are automatically prioritized by intent according to the Lockheed Martin Cyber Kill Chain. This “chain” is a sequence of actions an attacker needs to take in order to infiltrate an environment and exfiltrate data from it. This event categorization helps to highlight the most serious threats facing your assets. This alarm prioritization allows you to focus your attention on the most severe threats first, rather than having to manually review all alarms to know where to start.

Prioritization is the key to success in any endeavor, and it’s even more critical in cyber security. The stakes are high and the pace of attacks continues to escalate and shows no sign of stopping. Meanwhile, the resources you have to protect assets against this onslaught are highly limited. Focus on those events that could be most impactful to business operations, which requires knowing which assets are the most critical. At the end of the day, maintaining business continuity is the most important responsibility entrusted to the SOC team.

Review and respond to any activity that indicates an adversary has infiltrated your environment. This can range from the installation of a rootkit/RAT or backdoor taking advantage of an existing vulnerability to network communications between an internal host and a known bad IP address associated with a cyber adversary’s C2 infrastructure.

Powered by threat intelligence from the AlienVault Labs Security Research Team, AlienVault USM can detect the specific indicators that signal activity of specific adversary tools, methods, and infrastructure. The Security Research Team's continuous threat intelligence updates include correlation rules that are applied against the raw event log data that AlienVault USM collects. Once applied, these rules identify and categorize these events and activity in ways that help you prioritize SOC tasks.

By prioritizing alarms in the exploitation & installation and system compromise categories, SOC analysts zero in on the threats that have already advanced beyond primary security defenses. With AlienVault USM, analysts can determine the best way to address these attacks using response templates from the Security Research Team’s threat intelligence updates. Because the Security Research Team draws insights from the community-powered threat data in AlienVault OTX,  the threat intelligence within AlienVault USM reflects the collective experiences of tens of thousands of security researchers from around the world and incorporates lessons from in-the-wild attacks at organizations of all sizes.

Relying on the latest threat intelligence to understand as much as possible about an attack will inform how you prioritize and respond to it, as well as how you bolster your defenses against a similar attack in the future. Better still, when you share key information about an adversary’s TTPs with the larger threat intelligence community within OTX, you make that adversary’s job much more difficult and costly. Everybody wins.

The faster you can detect and respond to an incident, the more likely you’ll be able to contain the damage and prevent a similar attack from happening in the future. Please note: There are a number of decisions to make when investigating an incident, particularly whether your organization is more interested in recovering from the damage vs. investigating it as a crime. Make sure that you work closely with your management team. Be sure to communicate clearly and often—and document everything.

Each attack will differ in terms of the appropriate remediation steps to take on the affected systems, but it will often involve one or more of the following steps:

• Re-image systems (and restore backups)
• Patch or update systems (e.g. apps and OS updates)
• Re-configure system access (e.g. account removals, password resets)
• Re-configure network access (e.g. ACL and firewall rules, VPN access, etc.)
• Review monitoring capabilities on servers and other assets (e.g. enabling HIDS)
• Validate patching procedures and other security controls by running vulnerability scans

By the way, some SOC teams hand off remediation and recovery procedures to other groups within IT. In this case, the SOC analyst would create a ticket and/or change control request and delegate it to those responsible for desktop and system operations.

AlienVault USM simplifies remediation and recovery by helping you detect events quickly so you can respond in time to prevent further damage. Additionally, AlienVault USM’s asset discovery and vulnerability assessment capabilities deliver updated and detailed information about your assets—what vulnerabilities exist, what processes are running, and more—to confirm that remediation steps have been implemented correctly.

To keep track of incident response activities across a team, you can also open tickets within Jira or ServiceNow directly from alarms, events, or vulnerabilities within the USM platform. AlienVault USM also enables automatic notification through multiple channels, including Amazon SNS, Slack, PagerDuty, and Datadog, making it fast and simple to notify stakeholders when incidents occur.

Learn more about AlienVault USM vulnerability assessment capabilities ›

It’s always optimal to find and fix vulnerabilities before an attacker exploits them in order to gain access to your environments. The best way to do that is to run periodic vulnerability assessments and review those report findings in detail. Keep in mind that these assessments will identify technical vulnerabilities rather than procedural ones, so make sure your team is also addressing gaps in your SOC processes that could expose you to risk as well.

Running network vulnerability scans and generating compliance reports are some of the most common audit activities for SOC team members. Additionally, SOC team members may also review their SOC processes with audit teams (internal and external) to verify policy compliance as well as determine how to improve SOC team performance and efficiency.

With AlienVault USM, you can run regular vulnerability scans against all of your assets to detect any system changes that may signal an exposure. These vulnerability reports, which automatically rank vulnerabilities by severity, can be shared with auditors, executive management, and others to demonstrate your compliance against a variety of regulatory standards.

In addition, AlienVault USM includes multiple out-of-the-box compliance reports for PCI DSS, HIPAA, and NIST CSF, so that you can more readily demonstrate your compliance during an audit.