SOC1

Uploaded by

The Anonymous
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
23 views10 pages

SOC1

Uploaded by

The Anonymous
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 10

Cyber talents

What tools and technologies are you using in the SOC?

• Vulnerability management tools
• Cloud services
• Incident management or ticketing tools
What type of SOC model are you working in (In-house / MSSP / Hybrid SOC)?

In-house:
I am part of an in-house SOC, which is dedicated to securing the internal assets
and information of our organization. Our focus is on maintaining the security
posture of the company's networks, systems, and data.

MSSP (Managed Security Service Provider) SOC:

Dedicated MSSP: I work in a dedicated MSSP SOC, where we provide
cybersecurity services to multiple clients. Each client has a dedicated SOC
team, and our responsibilities include monitoring and responding to security
incidents on behalf of our clients. We log in to each client's environment via VPN and
use the security tools and technology deployed there to secure that organization.

Shared MSSP: In the shared MSSP model, tools and technology are hosted within our
environment (the service provider's). Multiple clients send logs to us for
monitoring, threat detection, and analysis. In this model, responsibilities for
security operations are shared between the service provider and the client.
What type of SOC model are you working in (Hybrid SOC)?

I am a member of a hybrid SOC, which combines elements of both the in-house and MSSP models. We manage the
security of our organization's internal assets while also offering security services to external clients.

In a hybrid SOC, we manage all higher-level security operations for our company, while L1 SOC operations are
taken care of by a service provider.

What is your security team size and hierarchy?

The SOC team consists of:

• 'X' SOC L1 analysts
• 'X' SOC L2 analysts
• SOC L3/Lead, SOC Manager and Director

Reporting lines:

• L1 and L2 analysts report to the SOC L3/Lead or SOC Manager
• L3 reports to the SOC Manager/Director
• SIEM/SOAR engineers report to the SOC Lead/SOC Manager
• SOC Managers report to the Director, who in turn reports to the Chief Information Security Officer (CISO). The CISO reports directly to the Chief Executive Officer (CEO).
What different log sources are integrated into your clients' SIEM?

Servers and Hosts:
• Antivirus and endpoint protection logs
• File integrity monitoring logs
• Linux/Unix system logs
• Application logs (e.g., web servers, database servers)
• Windows event logs

Network Devices:
• Intrusion Detection/Prevention Systems (IDS/IPS)
• Proxies
• Routers and switches
• Firewalls
• Load balancers

Security Devices:
• Data Loss Prevention (DLP) logs
• Web Application Firewall (WAF) logs
• Intrusion Detection/Prevention System (IDS/IPS) logs

Endpoint Security:
• Antivirus and endpoint protection logs
• Host-based intrusion detection system logs
• User and system activity logs

Applications and Databases:
• Application-specific logs (e.g., ERP systems, CRM systems)
• Database logs (e.g., MySQL, Oracle, SQL Server)
• Web server logs (e.g., Apache, Nginx, IIS)

DNS and DHCP:
• DNS server logs
• DHCP server logs

Email and Messaging:
• Email server logs
• Instant messaging logs

Authentication and Authorization:
• Authentication server logs (e.g., RADIUS, TACACS+)
• VPN logs
• Remote Desktop logs

Cloud Services:
• Cloud provider logs (e.g., AWS CloudTrail, Azure Monitor)
• Cloud application logs (e.g., AWS S3 access logs, Azure App Service logs)

Third-Party Applications:
• Logs from third-party security solutions (e.g., vulnerability scanners, security analytics tools)
• Logs from custom-built applications
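The value of integrating many source types is that one detection rule can correlate across them. The following is an added example, not part of the original slides or of any SIEM product: it normalises three of the source types listed above (Linux sshd auth log, Windows Security events 4624/4625 exported as key=value text, and an Apache access log) into one event schema, then runs a single failed-login rule across all of them. The log lines, host names and IP addresses are constructed for the example; the key=value form of the Windows events is an assumed export format.

```python
"""Added example (not from the original slides): normalise three log source
types into one schema and run a single failed-login rule across them."""
import re

# Constructed sample lines (sshd syslog, Windows events as key=value text,
# Apache combined-style access log).  Addresses are documentation ranges.
SAMPLE_LOGS = [
    "Mar 10 09:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2",
    "Mar 10 09:01:05 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51830 ssh2",
    "Mar 10 09:01:09 web01 sshd[2215]: Accepted password for deploy from 198.51.100.20 port 40022 ssh2",
    "EventID=4625 Computer=DC01 TargetUserName=admin IpAddress=203.0.113.7 LogonType=3",
    "EventID=4624 Computer=DC01 TargetUserName=svc_backup IpAddress=10.0.0.5 LogonType=3",
    '203.0.113.7 - - [10/Mar/2024:09:01:12 +0000] "POST /login HTTP/1.1" 401 512',
    '198.51.100.20 - - [10/Mar/2024:09:01:15 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w+ +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port"
)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+$"
)


def normalize(line):
    """Map one raw line to the common schema
    {source, host, user, src_ip, outcome}; None if it is not an auth event."""
    m = SSHD_RE.match(line)
    if m:
        return {"source": "sshd", "host": m["host"], "user": m["user"],
                "src_ip": m["ip"],
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    if line.startswith("EventID="):
        kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if kv.get("EventID") not in ("4624", "4625"):  # only logon success/failure
            return None
        return {"source": "windows", "host": kv.get("Computer", ""),
                "user": kv.get("TargetUserName", ""), "src_ip": kv.get("IpAddress", ""),
                "outcome": "success" if kv["EventID"] == "4624" else "failure"}
    m = APACHE_RE.match(line)
    if m:
        if m["path"] != "/login":  # assumed login endpoint; other requests are not auth events
            return None
        return {"source": "apache", "host": "", "user": "", "src_ip": m["ip"],
                "outcome": "failure" if m["status"] in ("401", "403") else "success"}
    return None


def normalize_all(lines):
    return [e for e in (normalize(l) for l in lines) if e]


def detect_failed_login_bursts(events, threshold=3):
    """Cross-source rule: any source IP with >= threshold failures, counted
    over every normalised source together rather than per product."""
    by_ip = {}
    for e in events:
        if e["outcome"] != "failure":
            continue
        rec = by_ip.setdefault(e["src_ip"], {"failures": 0, "sources": set(), "users": set()})
        rec["failures"] += 1
        rec["sources"].add(e["source"])
        if e["user"]:
            rec["users"].add(e["user"])
    return {ip: {"failures": r["failures"], "sources": sorted(r["sources"]),
                 "users": sorted(r["users"])}
            for ip, r in by_ip.items() if r["failures"] >= threshold}


if __name__ == "__main__":
    for ip, hit in detect_failed_login_bursts(normalize_all(SAMPLE_LOGS)).items():
        print(ip, hit)
```

Run stand-alone, the rule fires once, for 203.0.113.7: two sshd failures, one Windows 4625 and one HTTP 401 on the login endpoint add up to four failures against two user names, which no single source would have flagged at a threshold of three.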
How many alerts do you receive per day?

I work 24*7 rotational shifts. The number of alerts received per day varies significantly, depending on the specific client
and the type of SOC in operation. In my current role at a dedicated MSSP, we as a SOC team typically handle around 40-
50 alerts daily. However, in a shared MSSP environment, the volume can increase substantially, ranging from 200-250
alerts daily.

Describe how you categorize and prioritize incidents in your SOC

• We classify incidents according to their type, such as malware infections, phishing attempts, or
unauthorized access.
• The prioritization process considers the potential impact on critical assets and the overall risk posture of the
organization.
• Service Level Agreements (SLAs) are linked to the prioritization, ensuring a timely and effective response
based on the severity of each incident.

Priority Level   Description   Target Response Time
P1               Critical      15 minutes
P2               High          30 minutes
P3               Medium        2 hours
P4               Low           4 hours
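The three bullets above describe a scoring step (incident type plus asset criticality), a priority level, and an SLA clock tied to that level. The following added example, not from the original slides or any ticketing product, shows the whole chain as code: the SLA targets are the ones in the table above, while the type-severity values, the asset criticality values and the alert queue are constructed for the example.

```python
"""Added example (not from the original slides): derive P1-P4 from incident
type and asset criticality, attach the SLA target, and find SLA breaches."""
from datetime import datetime, timedelta

# Target response time per priority, taken from the table above.
SLA = {"P1": timedelta(minutes=15), "P2": timedelta(minutes=30),
       "P3": timedelta(hours=2), "P4": timedelta(hours=4)}

# Assumed baseline severity per incident category (1 = low .. 4 = critical).
TYPE_SEVERITY = {"malware": 3, "phishing": 2, "unauthorized_access": 3, "policy_violation": 1}
# Assumed asset criticality from the CMDB (1 = low .. 3 = critical asset).
ASSET_CRITICALITY = {"dc01": 3, "payroll-db": 3, "web01": 2, "laptop-042": 1}


def priority_for(incident_type, asset):
    """score = type severity + asset criticality (range 2..7);
    6-7 -> P1, 5 -> P2, 4 -> P3, otherwise P4.  Unknown types or assets
    default to the lowest value so that a CMDB gap never silently raises priority."""
    score = TYPE_SEVERITY.get(incident_type, 1) + ASSET_CRITICALITY.get(asset, 1)
    if score >= 6:
        return "P1"
    if score == 5:
        return "P2"
    if score == 4:
        return "P3"
    return "P4"


def triage(alerts, now):
    """Return the alerts enriched with priority, SLA deadline and a breach
    flag, ordered by priority and then by the earliest deadline.  An alert
    that has already been acknowledged is not counted as breached."""
    out = []
    for a in alerts:
        prio = priority_for(a["type"], a["asset"])
        deadline = a["created"] + SLA[prio]
        out.append({**a, "priority": prio, "deadline": deadline,
                    "breached": a.get("acknowledged") is None and now > deadline})
    out.sort(key=lambda x: (x["priority"], x["deadline"]))
    return out


# Constructed alert queue as it might look at 09:30 on a shift.
NOW = datetime(2024, 3, 10, 9, 30)
SAMPLE_ALERTS = [
    {"id": "A1", "type": "phishing", "asset": "laptop-042", "created": NOW - timedelta(hours=5)},
    {"id": "A2", "type": "malware", "asset": "dc01", "created": NOW - timedelta(minutes=20)},
    {"id": "A3", "type": "unauthorized_access", "asset": "web01",
     "created": NOW - timedelta(minutes=10), "acknowledged": NOW - timedelta(minutes=5)},
    {"id": "A4", "type": "policy_violation", "asset": "laptop-042", "created": NOW - timedelta(minutes=1)},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS, NOW):
        print(a["id"], a["priority"], a["deadline"].time(), "BREACHED" if a["breached"] else "")
```

Two things the queue output makes visible that the table alone does not: a P4 phishing alert that has sat for five hours is a breach just as much as the twenty-minute-old P1 on the domain controller, and the acknowledged P2 stays above both in the work order because priority, not age, sorts first.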

At the beginning of your shift as a SOC analyst, what tasks do you
typically perform?

• Review ongoing incidents and alerts from the previous shift using the shift handover documentation.
Understand the current state of the environment and identify any unresolved issues.

• Examine real-time alerts generated by security tools. Investigate incidents from the previous shift,
considering severity levels and understanding the nature of each alert.

• Perform a quick check on the health of critical systems, including SIEM components and essential log
sources. Ensure proper functioning of security tools and smooth log flow, and identify any issues affecting
the overall infrastructure.

• Engage with the outgoing SOC analyst to gather details about current security issues. Work closely with
the team, sharing information and collaborating to respond effectively to any incidents.

• Update incident logs, documentation, and important runbooks at the beginning of the shift. Maintain
accurate and current records to have a clear and complete view of incidents and responses.

• Summarize notable incidents or observations to prepare for the shift briefing. Share this information with
the next shift to ensure a seamless transition and enhance awareness of the current security landscape.
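The log-flow check in the third bullet is the one start-of-shift task that is easy to automate and easy to get wrong: a source that has stopped sending is invisible in the alert queue, because no events means no alerts. The following added example, not from the original slides or any SIEM vendor, runs that check over a constructed snapshot of "last event seen" per source. The source names, the expected maximum gap per source and the timestamps are assumptions for the example; in practice the snapshot would come from the SIEM's ingestion statistics.

```python
"""Added example (not from the original slides): start-of-shift log-flow
check over a constructed per-source 'last event seen' snapshot."""
from datetime import datetime, timedelta

# Assumed expected cadence: a busy edge firewall should never go quiet for
# more than a few minutes, whereas a DHCP server legitimately can.
EXPECTED_GAP = {
    "fw-edge": timedelta(minutes=5),
    "dc01-winevt": timedelta(minutes=10),
    "web01-apache": timedelta(minutes=15),
    "dhcp01": timedelta(hours=2),
    "vpn-gw": timedelta(minutes=30),
    "proxy01": timedelta(minutes=10),
}

SHIFT_START = datetime(2024, 3, 10, 6, 0)

# Constructed snapshot of what the ingestion dashboard reports at shift start.
LAST_SEEN = {
    "fw-edge": SHIFT_START - timedelta(minutes=2),
    "dc01-winevt": SHIFT_START - timedelta(minutes=45),  # quiet far longer than allowed
    "web01-apache": SHIFT_START - timedelta(minutes=3),
    "dhcp01": SHIFT_START - timedelta(hours=1),
    "proxy01": SHIFT_START + timedelta(minutes=20),      # "last seen" in the future: clock skew
    # "vpn-gw" absent: no events at all since the dashboard window started
}

# Worst first: a source we have never heard from, then one whose timestamps
# cannot be trusted, then sources that are merely late.
ORDER = {"missing": 0, "clock_skew": 1, "silent": 2}


def check_log_flow(last_seen, expected_gap, now):
    """Return the sources that need attention, each as
    {source, status, gap}; gap is None for a missing source, negative
    for clock skew, and the time since the last event for a silent one."""
    problems = []
    for source, max_gap in expected_gap.items():
        seen = last_seen.get(source)
        if seen is None:
            problems.append({"source": source, "status": "missing", "gap": None})
            continue
        gap = now - seen
        if gap < timedelta(0):
            problems.append({"source": source, "status": "clock_skew", "gap": gap})
        elif gap > max_gap:
            problems.append({"source": source, "status": "silent", "gap": gap})
    problems.sort(key=lambda p: (ORDER[p["status"]],
                                 -abs(p["gap"]).total_seconds() if p["gap"] else 0))
    return problems


if __name__ == "__main__":
    for p in check_log_flow(LAST_SEEN, EXPECTED_GAP, SHIFT_START):
        print(f"{p['source']:14} {p['status']:10} {p['gap']}")
```

The clock-skew branch is worth keeping: a log source whose clock runs ahead of the SIEM will never look silent by this check, yet every correlation window built on its timestamps is wrong, so it belongs in the handover notes alongside the silent and missing sources.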
In the Security Operations Center (SOC), which teams do you collaborate with?

SIEM Administration and Engineering:
• Work closely with the SIEM administration and engineering teams to optimize performance and configuration.
• Fine-tune rules, create custom dashboards, and address issues related to log ingestion and correlation.

SOAR (Security Orchestration, Automation, and Response):
• Collaborate with the SOAR team to automate and orchestrate incident response processes.
• Create and refine playbooks, automate repetitive tasks, and integrate various security tools for more efficient incident response workflows.

Threat Intelligence:
• Regularly interact with the Threat Intelligence team.
• Integrate threat feeds into the SIEM to enhance event correlation and proactively detect known threats.

Malware Analysis:
• Close coordination with the malware analysis team.
• Collaborate on analyzing suspicious files, understanding malware behavior, and implementing countermeasures for prevention of and response to malware incidents.

Endpoint Security Team:
• Collaborate with the endpoint security team on securing individual devices.
• Share information on endpoint incidents detected by the SIEM and work together on endpoint protection strategies.

Vulnerability Assessment Team

Critical IR Team

Network Security Team:
• Engage regularly with the network security team.
• Exchange insights into network traffic patterns and collectively address anomalies impacting network security.
• Implement proactive measures such as blocking URLs and IP addresses for a unified and responsive approach to safeguarding network infrastructure.
