skill set needed to work successfully in a soc

Upload: fuad-khan

Post on 12-Apr-2017

WHAT IS A SECURITY OPERATIONS CENTER?

• An organization for computer network defense, used to defend a computer network against unauthorized activity.

• There are many other names and organizations for this role, such as:

  • Computer Security Incident Response Team (CSIRT)

  • Computer Incident Response Team (CIRT)

  • Computer Incident Response Center (CIRC)

  • Computer Security Incident Response Center (CSIRC)

  • Security Operations Center (SOC)

  • Cybersecurity Operations Center (CSOC)

EXPOSURE TO IT SECURITY STANDARDS

• Extensive IT security and incident response handling experience

• NIST SP 800-61, Computer Security Incident Handling Guide

• SOC SOPs and procedures

• Agency SOC procedures

“Real Knowledge is knowing the extent of one’s ignorance”

UNDERSTAND SOC LIFECYCLE

UNDERSTAND HOW NIST IS INVOLVED

UNDERSTAND THE BIG PICTURE

UNDERSTAND THE LIFESTYLE AND DEMANDS OF SOC

• Daily operational needs

• Always be ready for the next incident

• Live in the present, past is not important

• Not a project based lifestyle, live in the present

• Are you ready and able to do shift work

• Operations oriented

• Waiting for the bad guys to attack

• Fast changing environment

• Constant learning

• Difficult to live with for most people, as it is demanding and high-energy.

UNDERSTAND THE ROLES IN A SOC

WHAT DOES A TIER 1 SOC ANALYST DO?

• Observe SIEM logs and other analytic sensor data points.

• Curious about everything

• First line of defense in the SOC

• Put in the trouble tickets

• Stay awake and have good customer-facing skills

• Sometimes have to go above and beyond in times of need

• Everyone starts in a SOC at tier 1

• Most SOC managers want you to start at tier 1 to learn the ropes and SOC processes

• You will learn security and get a wide range of security experience

WHAT DOES A TIER 2 SOC ANALYST DO?

• More responsibility

• More research

• More visible

• Developing a solution set for tier 1 analysts

• Managing the tier 1 analysts

• More analysis and checking for patterns of malware

• Work on analyzing the intrusion detection patterns

• Automate repetitive tasks via scripting or automation language

• Create shortcuts

• Need to have decent programming skills, security knowledge and curiosity

WHAT DOES A TIER 3 SOC ANALYST DO?

• Master of a particular security area

• In-depth knowledge and experience in multiple areas of security

• Usually have advanced security certifications like OSCP and SANS training

• Work as hunters, hunting for the malware path and removal

• Forensic analysis of memory, hard drive and session traffic

• Most elite role in the SOC

• Highly sought after security experts

WHAT DOES EVERYONE NEED TO DO?

• Teamwork

• Teamwork

• Teamwork

NEED MORE INFORMATION?

Read Carson Zimmerman's excellent book, Ten Strategies of a World-Class Cybersecurity Operations Center.