Building SOC 101:
SOC Tools: Review of the essential security monitoring tools you’ll need for building a Successful SOC.
In this thread, we’ll learn the details of these SOC tools & technologies 🧵
#infosec #cybersecurity #Pentesting #informationsecurity #hacking #CISSP
SOC Tools: Review of the essential security monitoring tools you’ll need for building a Successful SOC.
In this thread, we’ll learn the details of these SOC tools & technologies 🧵
#infosec #cybersecurity #Pentesting #informationsecurity #hacking #CISSP
The essential SOC capabilities include
1.Asset discovery
2.Vulnerability assessment
3.Behavioral monitoring
4.#Intrusion_detection
5.#SIEM
1.Asset discovery
2.Vulnerability assessment
3.Behavioral monitoring
4.#Intrusion_detection
5.#SIEM
1.Asset Discovery:
- Knowing what’s on your network is the 1st step in protecting what’s on your network.
- You need to know what systems exist –
a.laptops and servers - as well as what’s been installed and running on those systems e.g. apps, services, and active ports.
- Knowing what’s on your network is the 1st step in protecting what’s on your network.
- You need to know what systems exist –
a.laptops and servers - as well as what’s been installed and running on those systems e.g. apps, services, and active ports.
2.Vulnerability Assessment
- Vulnerabilities represent the tiny cracks that an attacker uses to infiltrate your networks, apps, devices, and systems referred to as the “attack surface”.
- Vulnerabilities represent the tiny cracks that an attacker uses to infiltrate your networks, apps, devices, and systems referred to as the “attack surface”.
These vulnerabilities can open up when you least expect them - that’s why it’s essential to continually
- - assess your entire network for vulnerabilities.
Additionally, you may be subject to a variety of contractual and regulatory mandates (e.g. PCI DSS, SOX, etc.)
- - assess your entire network for vulnerabilities.
Additionally, you may be subject to a variety of contractual and regulatory mandates (e.g. PCI DSS, SOX, etc.)
3. Behavioral monitoring
- At its basic level, effective cyber security monitoring comes down to exception management.
- Creating a baseline of system and network behavior provides the essential foundation with which to spot anomalies.
- At its basic level, effective cyber security monitoring comes down to exception management.
- Creating a baseline of system and network behavior provides the essential foundation with which to spot anomalies.
- What activities represent exceptions to the norm?
- e.g. policy violations, error messages, spikes in the outbound network activity, unexpected reboots, etc.
- e.g. policy violations, error messages, spikes in the outbound network activity, unexpected reboots, etc.
- Technologies used for behavioral Monitoring are
1.Active service monitoring
2.#Netflow analysis
3.#Network_traffic_capture
4.Host-based intrusion detection (#HIDS).
1.Active service monitoring
2.#Netflow analysis
3.#Network_traffic_capture
4.Host-based intrusion detection (#HIDS).
4.Intrusion Detection System
- Detecting an intruder at the point of entry can have
the greatest impact on reducing system compromise and data leakage.
- Detecting an intruder at the point of entry can have
the greatest impact on reducing system compromise and data leakage.
Intrusion Detection Systems (#IDS )
-One of the “must-have” SOC tools for identifying
“known” attacks and “known” attacker activity by
using rule & signature-based detection.
-One of the “must-have” SOC tools for identifying
“known” attacks and “known” attacker activity by
using rule & signature-based detection.
An intrusion detection system (#IDS ) combines NIDS & HIDS
- Network Intrusion Detection System (#NIDS):
To detect known attack patterns that indicate
malicious activity e.g. malware infections, policy
violations, port scans, etc.
- Network Intrusion Detection System (#NIDS):
To detect known attack patterns that indicate
malicious activity e.g. malware infections, policy
violations, port scans, etc.
Host-based Intrusion Detection System (#HIDS)
analyzes system behavior and configuration that could indicate system compromise.
This includes the ability to recognize common #rootkits, detect rogue processes, and detect modifications to critical configuration files.
analyzes system behavior and configuration that could indicate system compromise.
This includes the ability to recognize common #rootkits, detect rogue processes, and detect modifications to critical configuration files.
5.SIEM – Security Information & Event Management
SIEM tools is a core foundation for building a SOC
because of their ability to apply dynamic correlation
rules (i.e. Correlation Directives) against a mountain of disparate and varied event log data -
SIEM tools is a core foundation for building a SOC
because of their ability to apply dynamic correlation
rules (i.e. Correlation Directives) against a mountain of disparate and varied event log data -
- When an alarm is triggered by a correlation directive, details about the event and activity are classified according to an event taxonomy based on a simplified version of Lockheed Martin’s cyber kill chain (an industry standard).
This event classification enables SOC analysts to prioritize which events to focus on, in order to quickly respond and investigate.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
