facet descriptions 127

When a possible intrusion has been detected, the Security Operations Center (SOC) can escalate the event. The security event then becomes an incident: a violation or imminent threat of violation of computer security policies, acceptable use policies or standard security practices, which has to be handled. What is considered a security incident within a specific organization depends on its business processes, but common events that may trigger an incident include unauthorized system access, malware infections and data loss. The goal of incident response is to handle the security breach in a way that limits the damage and reduces both the time to recovery and the costs involved. As soon as a security incident is detected, it has to be analyzed to identify its root cause so that the incident can be resolved and remediated. Not every SOC performs incident response itself, but it remains a core part of security operations within an organization. In cases where the SOC is not itself responsible for incident handling, external parties can be contacted to handle the incident.
Irrespective of which party is responsible for the incident handling process, having access to the right data is an absolute must in incident response. The data is needed to investigate the incident, to find out what happened and which persons or entities were involved, to assess the impact of the incident, to determine how to recover from it, and to actually recover from it. During the incident response process every second counts, so having access to the data, at the right fidelity, is crucial.
When the SOC has access to a centralized data storage infrastructure, this greatly improves the incident response and investigation process. In the case that the SOC does not have direct access to the data, it should be able to obtain the data on short notice. Having remote access to and control over all endpoints can prove invaluable in such a case, because analysts can start their investigation from that point. For example, the SOC (or an automated system) can start a live packet capture, or memory or disk images can be acquired instantly. Methods to reconstruct objects and sessions can provide analysts with an even more complete view of what happened at the time of the incident and can help identify the root cause.
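The session reconstruction mentioned above, as an added example that is not code from the thesis: it takes packet-level metadata of the kind a live capture yields (timestamp, 5-tuple, byte count) and folds both directions of each flow into one session with an initiator, a duration and per-direction byte counts, which is the view an analyst wants on a timeline. The packet records are constructed for the example, and the field layout is an assumption, not a format the thesis specifies.

```python
"""Reconstruct bidirectional sessions from captured packet metadata.

Added example, not code from the thesis. Assumes packet records shaped as
(timestamp, src_ip, src_port, dst_ip, dst_port, proto, byte_count); the
records below are constructed.
"""

# Constructed packet records, as a capture tool might export them.
PACKETS = [
    (1000.0, "10.0.0.5", 51234, "203.0.113.9", 443, "tcp", 120),
    (1000.1, "203.0.113.9", 443, "10.0.0.5", 51234, "tcp", 60),
    (1000.2, "10.0.0.5", 51234, "203.0.113.9", 443, "tcp", 900),
    (1000.3, "10.0.0.7", 40000, "192.0.2.20", 53, "udp", 70),
    (1000.4, "192.0.2.20", 53, "10.0.0.7", 40000, "udp", 250),
    (1005.0, "203.0.113.9", 443, "10.0.0.5", 51234, "tcp", 4000),
]


def session_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: order the two endpoints so that a packet
    from A to B and its reply from B to A map to the same session."""
    a = (src_ip, src_port)
    b = (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def reconstruct_sessions(packets):
    """Group packets into sessions. The first packet seen for a key defines
    the initiator (client) side; bytes are counted per direction."""
    sessions = {}
    for ts, sip, sport, dip, dport, proto, nbytes in sorted(packets):
        key = session_key(sip, sport, dip, dport, proto)
        s = sessions.get(key)
        if s is None:
            s = {
                "proto": proto,
                "client": (sip, sport),
                "server": (dip, dport),
                "start": ts,
                "end": ts,
                "packets": 0,
                "bytes_to_server": 0,
                "bytes_to_client": 0,
            }
            sessions[key] = s
        s["end"] = max(s["end"], ts)
        s["packets"] += 1
        if (sip, sport) == s["client"]:
            s["bytes_to_server"] += nbytes
        else:
            s["bytes_to_client"] += nbytes
    return list(sessions.values())


def timeline(sessions):
    """Chronological order by first packet, the order an analyst reads."""
    return sorted(sessions, key=lambda s: s["start"])


if __name__ == "__main__":
    for s in timeline(reconstruct_sessions(PACKETS)):
        print(
            f"{s['start']:.1f}-{s['end']:.1f} {s['proto']} "
            f"{s['client'][0]}:{s['client'][1]} -> {s['server'][0]}:{s['server'][1]} "
            f"pkts={s['packets']} up={s['bytes_to_server']} down={s['bytes_to_client']}"
        )
```

The key normalization is what makes the reply packets land in the same session as the request; without it, each direction would appear as a separate, half-told story on the timeline.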
Investigation into incidents is mostly initiated only after an incident response process has been started and when deemed necessary: reactive investigation. We propose that its logical counterpart, proactive security investigation (also popularly called hunting), become a core part of the SOC's functions. Proactive investigation should be used to uncover threats in the security data that is already available. This method can be used to extract intelligence and create new detection methods, so that the organization does not fall prey to the same kind of threat in the future. Analysts need an interface to all of the available data that gives them unlimited flexibility during their analysis and that also performs fast. This way they can take advantage of visualization tools they already know and can concentrate on the hunt.
In a mature data driven security strategy, we foresee the emergence of the continuous security response process. The continuous security response process consolidates the prevention of, detection of and response to threats and security events. It is the culmination of the data driven security strategy, in which data is transformed into information, then into intelligence, and eventually applied in practice to improve all of the SOC functions. Examples of the process include the investigation of incidents resulting in new detection methods and in increased visibility in areas where it fell short before the incident.
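The loop described in the two paragraphs above, hunting over data that is already collected and then turning the finding into a new detection method, as an added example that is not code from the thesis. The hunting step frequency-stacks parent/child process pairs across a fleet of hosts and surfaces the rare ones for analyst review; the detection step codifies the reviewed finding as a repeatable rule that runs on the same telemetry from then on. The JSON-lines process-creation events and the field names (host, user, process, parent) are constructed assumptions, not a format the thesis specifies.

```python
"""Hunt over existing endpoint telemetry, then promote the finding to a detection.

Added example, not code from the thesis. Assumes process-creation events as
JSON lines with host/user/process/parent fields; the events are constructed.
"""
import json
from collections import defaultdict

# Constructed process-creation events across four workstations.
SAMPLE_EVENTS = """\
{"host": "ws-01", "user": "alice", "process": "outlook.exe", "parent": "explorer.exe"}
{"host": "ws-01", "user": "alice", "process": "winword.exe", "parent": "outlook.exe"}
{"host": "ws-02", "user": "bob", "process": "outlook.exe", "parent": "explorer.exe"}
{"host": "ws-02", "user": "bob", "process": "chrome.exe", "parent": "explorer.exe"}
{"host": "ws-02", "user": "bob", "process": "winword.exe", "parent": "outlook.exe"}
{"host": "ws-03", "user": "carol", "process": "winword.exe", "parent": "explorer.exe"}
{"host": "ws-03", "user": "carol", "process": "powershell.exe", "parent": "winword.exe"}
{"host": "ws-04", "user": "dave", "process": "chrome.exe", "parent": "explorer.exe"}
{"host": "ws-04", "user": "dave", "process": "winword.exe", "parent": "explorer.exe"}
"""


def parse_events(text):
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stack_parent_child(events):
    """Hunting step: for each (parent, process) pair, the set of hosts it was
    seen on. Pairs common across the fleet are normal; rare ones merit review."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["parent"].lower(), e["process"].lower())].add(e["host"])
    return seen


def rare_pairs(events, max_hosts=1):
    """Pairs observed on at most max_hosts hosts, as candidates for the analyst."""
    stacked = stack_parent_child(events)
    return sorted(pair for pair, hosts in stacked.items() if len(hosts) <= max_hosts)


# Detection step: once the analyst has confirmed the hunt finding, it becomes a
# codified rule so the same behaviour is caught automatically next time.
# Rule contents are constructed for the example.
DETECTION_RULES = [
    {
        "name": "office-app-spawns-shell",
        "parents": {"winword.exe", "excel.exe", "outlook.exe"},
        "children": {"powershell.exe", "cmd.exe"},
    },
]


def apply_rules(events, rules=DETECTION_RULES):
    """Run the codified rules over events; returns (rule, host, user) hits."""
    hits = []
    for e in events:
        parent = e["parent"].lower()
        child = e["process"].lower()
        for rule in rules:
            if parent in rule["parents"] and child in rule["children"]:
                hits.append((rule["name"], e["host"], e["user"]))
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("hunt candidates:", rare_pairs(events))
    print("detection hits: ", apply_rules(events))
```

Stacking by host count rather than raw event count is deliberate: a pair that fires a thousand times on one machine is still rare fleet-wide, which is exactly the kind of outlier a hunt is meant to surface before it becomes a rule.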
The main tenet of the incident response and investigation facet is that the processes for data collection, analysis and incident remediation are well-defined and repeatable. This allows the SOC to become nimble in an ever-evolving threat landscape and complex IT environment.
SOC staff
Hiring the right people for security operations has always been a hard task. A diverse skill set is necessary, including both theoretical and practical knowledge about network devices, network security analysis, network protocols, application security, engineering, and the software and tools used in all of these fields. Depending on which functions the Security Operations Center (SOC) delivers, more specialist knowledge in reverse engineering, malware analysis and digital forensics may also need to be available. Another human aspect important for success is the mindset of people: security monitoring and incident response are fields that will likely never be developed to their full extent. Security operators will have to be passionate and curious about their job and should continuously develop their skills and knowledge to stay relevant.
In addition to the traditional functions within the SOC, several new ones can be introduced in a data driven security strategy. When the SOC wants to improve its activities around Threat Intelligence, security operators may need a deep understanding of Open Source Intelligence (OSINT) or of structured analytic processes for creating real intelligence, depending on which level (strategic, tactical, operational) the SOC wants to improve. If a SOC wants to deploy new types of detection methods, such as statistical models or machine learning based approaches, security operators with skills in these areas are an absolute necessity for a successful implementation. Setting up a specialist hunting team or individual requires them to have practical knowledge in the fields of programming, visualization and data science.
Besides SOC staff having certain skills, the SOC should also invest in the development of its members. Continuously having training and education opportunities available will keep the operators up to date and prevent them from dozing off. This is also supported by having clearly defined career paths available. Another aspect for success is creating a well-oiled team of operators. Having means available for knowledge sharing and collaboration, which can include predefined workflows and supporting technologies, will greatly improve the capabilities of the SOC.