A Day in the Life of a SOC Team

This piece was originally published on Fortra’s Alert Logic blog.

Managed detection and response (MDR) would be nothing without a SOC (security operations center). They’re on the frontline of our clients’ defenses — a living, breathing layer of intelligence and protection to complement our automated cybersecurity features. These are the people who make our MDR services best in class so dependable. It’s time you met them.

With our new webinar series, Inside Alert Logic’s SOC, we’ve begun to pull back the curtain on how a SOC operates, how we work and what those methods mean for your organization’s stake in cyberspace. The first episode of the SOC series is ready to watch on demand. But, in case you’d like a primer or want to spend a few minutes learning about our SOC experts, here are some highlights from the discussion. They’ll give a much deeper understanding of the support you can expect from Fortra’s Alert Logic MDR.

Meet the SOC Team

Among our hundreds of cybersecurity experts located across the world, Josh Davies, our Principal Product Marketing Manager, hosted two key members of our global SOC team: Security Operations Lead Ian Ashworth and Senior Security Analyst Jamal Heard. They’ve been working together for years in Alert Logic’s SOC.

Image

Sorting Real Security Incidents from the Rest

Incident triage and response is about two things: Determining whether an attack or data compromise is taking place and doing everything possible to guide the best response. Therefore, our SOC team must make critical distinctions and deal with one question first — what constitutes a security incident?

Basically, an incident is created when suspected malicious activity is observed or anomalous activity exceeds a threshold. This might be signs of intrusion, suspicious commands, accounts being created in the middle of the night or repeated failed login attempts; anything that suggests something within your network is behaving strangely. Log and network IDS data (event) is collected from our customers and analyzed by our analytics engine, which is maintained by our internal threat intelligence teams. Alert Logic’s threat researchers curate a combination of third party, open source, and proprietary threat intelligence to ensure our automated detections keep pace with the ever-evolving threat landscape. They work closely with the SOC, educating on what the incident is intended to catch and how to investigate effectively, while the SOC relays successes and shortcomings in the detections, creating a continuous feedback loop of incident and analysis improvement. The result is an ever-growing library of known dangers that necessitate alerts. This relationship between threat researchers and SOC analysts has driven significant improvements. As Josh remembers, we used to manually review certain log reports daily, for potential incidents, what analysts found then informed our researchers and the machine learning engine on what to look out for, it was a gradual process “but these days, it’s almost entirely automated, after undergoing a supervised machine learning process.”

When a log or network IDS event matches with an analytic, it creates an incident. Alert Logic’s network IDS technology allows us to inspect the data packets themselves, creating events to provide additional visibility into network traffic. Some SOCs rely on flow logs for network monitoring, but this has limitations, as Josh explains, “Think of a flow log like an envelope. It has an address. You know where it’s going, what it weighs, but have no idea what’s inside. A network IDS rips the envelope open and scrutinizes it.” This reveals far more information than firewalls or IP address monitoring and is essential for verifying success of certain attacks.

As soon as an incident is triggered, it appears on the console board, ready for analysis. That also kicks our 15-minute SLA into motion.

Jamal says rapid assessment is critical to preventing an attack or limiting its impact. “We need to acknowledge the incident as soon as it hits the board, essentially. It’s already ticking. We have to do the analysis there and then.” Once the incident is defined, it’s triaged.

Launching an Investigation

If there’s a genuine threat to our customers’ network, the SOC launches a thorough investigation, which maps out the context surrounding the incident and what past, present, and future implications it may hold. This demands as much data as we can gather.

“It can be something we’ve seen a thousand times,” Jamal says, “and we’ll know what the attack vector is, where the threat actor is going. So, even if they’re doing certain things to compromise other customers, we’re able to hunt through the data and use the indicators of compromise (IOCs) to see the likely end objective.” Tracing the potential threat’s full history while accounting for factors that may have raised a false alarm, such as a scheduled penetration test, is part of the SOC team’s pre- and post-event strategy. Automated incidents draw our SOC’s attention to data that may deserve further investigation; the following manual investigation fills in the gaps to ensure we have the entire scope so we can advise on the right response strategy.

The SOC deploys an advanced triaging console, IRIS, for a three-tier investigation:

• Overview
• Evidence
• Disposition

The initial stage looks at open tickets and incidents logged over the previous 30 days. The second breaks down whatever has “tripped the wire,” using filters such as an attack associated with IP addresses to enrich the alert. At that point, we know exactly what’s in front of us, and the team begins moving to disposition, which relays that data to the customer. Ian considers this stage one of the key challenges for a SOC engineer because “it’s where the analyst needs to be clear and concise, so a client can make a decision.”

Templates and custom notes explain whether a threat is a low, medium, high, or critical priority. While Alert Logic’s automated security features buy time with containment actions (isolate host, disable user and block at perimeter) allowing human responders to focus on the more complex and nuanced response actions. The SOC team immediately call the affected organization to provide guided remediation advice, presenting information in a way that makes sense to them and supporting throughout.

Learning and Adapting with Drip-down Expertise

Both members of the SOC team taking part in episode one come from wildly diverse backgrounds. Ian became a SOC analyst after 24 years in the British Army, describing his role at Alert Logic as “his dream job.” Jamal, on the other hand, was swept up after completing a master’s degree in cybersecurity. Their rapid rise in our SOC reflects the opportunities we like to offer those who have a mind and passion for fighting threats in cyberspace. Since the COVID-19 outbreak, we’ve focused on being even more collaborative.

“It never feels like a hierarchy,” Jamal says. “If you need someone else to take a look at something, you just need to ask. In the office, I often used to see people crowding around each other’s computers.” More experienced SOC analysts feed their advice and suggestions to newer teammates, helping our analysts find their own specialties.

Ian agrees: “You’re not just being told ‘Go and learn this.’ It’s rather, ‘Go and learn.’” He mentioned the six-week training period we take fresh recruits through, getting them involved in incidents from the start, providing feedback on analysis and refining their customer communications. The analytics content team also holds weekly meetings with SOC, looping them into the latest incident triggers and working with them to determine how to evaluate true positives and tune out any false positives.

“We want quality incidents,” Ian concludes, “to give the customer the information they require, that’s good for them to see, and whatever they need to take the next steps.” To strengthen our approach even further, we use “community immunity” — all the insights we glean from over 4,000 customers — to ensure every incident and investigation we’ve already worked through informs what’s ahead of us.