• Goa 2022
  • CXO Synopsis

Securing India the CERT-In Way

A security operations center (SOC) includes the people, processes and technologies responsible for monitoring, analyzing and maintaining an organization's information security (Source: https://www.crowdstrike.com/cybersecurity-101/security-operations-center-soc/). It is important to consider the relevant business use cases while developing the analytical rules and reporting guidelines for your SOC tools. Detection rules should examine an event from the user, geography, technical and business perspectives; how well the rule set covers those perspectives is also a useful metric for evaluating a SOC tool.

It is also important to note that if a business unit runs its own security defences, e.g. its own firewall, then that firewall and any other endpoint security devices must report into the centralized SOC console where attack patterns are being monitored. In most cases the SOC operates as a reactive function built on static condition rules, defined with reference to a security framework such as MITRE ATT&CK.

Organizations therefore need to define the scope of their security implementation and load only the rules they actually require into their SOC system. The MITRE ATT&CK framework helps in visualizing attack scenarios and implementing rules to identify them. When reviewing the performance of a SOC, it is essential that the SOC team understands the detection rules, which combine internal and external parameters.

A SIEM (security information and event management) tool coupled with UEBA (user and entity behavior analytics) will help capture both internal events (insider threat) and external attack behavior (outsider threat). Questions for the panel revolved around incorporating ML/AI-driven rules. The panel noted that current vendors already define SOC rules using machine learning models, which can complement and aid the SOC analysts.
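The two ideas above, static ATT&CK-referenced rules that combine technical, geographic and business context, and a UEBA-style rule that judges a user against their own history, can be shown in a few lines of Python. The block below is an added example, not code from the Nullcon panel or from any SIEM vendor: every event, user, IP address, geography, threshold and ATT&CK mapping in it is a constructed assumption for illustration, and the three rule functions are a toy engine, not a product's API.

```python
"""
Added example (not from the Nullcon panel or any vendor product): a small
rule engine that runs two static, ATT&CK-tagged rules and one UEBA-style
baseline rule over constructed firewall and endpoint events that have been
consolidated into one stream, as a centralized SOC console would see them.
Users, IPs, geographies, thresholds and technique IDs are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events from a business unit's firewall and from endpoint
# agents. Timestamps are seconds; counts are per-day file reads.
EVENTS = (
    [{"src": "firewall", "ts": t, "user": "bob", "ip": "198.51.100.7", "geo": "IN",
      "action": "login", "result": "fail"} for t in range(0, 60, 10)]      # 6 failures
    + [{"src": "firewall", "ts": 65, "user": "bob", "ip": "198.51.100.7", "geo": "IN",
        "action": "login", "result": "success"}]                            # then success
    + [{"src": "endpoint", "ts": 100, "user": "alice", "ip": "203.0.113.9", "geo": "DE",
        "action": "login", "result": "success"}]                            # unusual geo
    + [{"src": "endpoint", "ts": 200 + d, "user": "alice", "action": "file_read",
        "day": d, "count": c} for d, c in enumerate([40, 45, 38, 42, 41, 900])]  # spike on day 5
)

# Business context consulted by the rules (assumed): role and the
# geographies each user's business unit operates from.
USERS = {"alice": {"role": "finance", "allowed_geo": {"IN"}},
         "bob": {"role": "it_admin", "allowed_geo": {"IN", "SG"}}}
PRIVILEGED_ROLES = {"it_admin", "finance"}
BRUTE_FORCE_THRESHOLD = 5     # failed logins before a success is suspicious
BRUTE_FORCE_WINDOW = 120      # seconds
UEBA_SIGMA = 3.0              # how far above the user's own baseline counts as anomalous


def rule_brute_force(events):
    """Static rule tagged T1110 (Brute Force): N+ failed logins from one
    source IP inside the window, followed by a success from that IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            fails = [f for f in evs[:i]
                     if f["result"] == "fail" and e["ts"] - f["ts"] <= BRUTE_FORCE_WINDOW]
            if len(fails) >= BRUTE_FORCE_THRESHOLD:
                alerts.append({"technique": "T1110", "user": e["user"], "ip": ip,
                               "failures": len(fails), "severity": "high"})
    return alerts


def rule_unusual_geo(events):
    """Static rule tagged T1078 (Valid Accounts): a successful login from a
    geography the user's business unit does not operate from. The business
    perspective (role) raises severity for privileged accounts."""
    alerts = []
    for e in events:
        if e["action"] != "login" or e["result"] != "success":
            continue
        profile = USERS.get(e["user"])
        if profile and e["geo"] not in profile["allowed_geo"]:
            sev = "high" if profile["role"] in PRIVILEGED_ROLES else "medium"
            alerts.append({"technique": "T1078", "user": e["user"],
                           "geo": e["geo"], "severity": sev})
    return alerts


def rule_ueba_file_access(events):
    """UEBA-style insider rule: the latest day's file_read count is compared
    against the same user's own history (mean + k * stddev), so there is no
    fixed threshold and a user with no history produces no alert."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "file_read":
            per_user[e["user"]].append((e["day"], e["count"]))
    alerts = []
    for user, series in per_user.items():
        series.sort()
        history = [c for _, c in series[:-1]]
        latest_day, latest = series[-1]
        if len(history) < 3:
            continue  # insufficient baseline; a behavioral rule must not guess
        mu, sigma = mean(history), pstdev(history)
        if latest > mu + UEBA_SIGMA * max(sigma, 1.0):
            alerts.append({"technique": "UEBA-baseline", "user": user, "day": latest_day,
                           "count": latest, "baseline_mean": round(mu, 1),
                           "severity": "medium"})
    return alerts


RULES = [rule_brute_force, rule_unusual_geo, rule_ueba_file_access]


def run_rules(events, rules=RULES):
    """Run every rule over the consolidated stream and return all alerts."""
    return [alert for rule in rules for alert in rule(events)]


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

Run as-is, the engine raises one alert per rule on the constructed stream: a T1110 alert for bob's six failures followed by a success, a high-severity T1078 alert for alice's login from DE (finance is a privileged role here), and a UEBA alert for alice's 900 file reads against a baseline mean of 41.2. The first two rules are the static conditions the panel describes; the third shows why UEBA needs history before it can judge, and why the firewall and endpoint feeds must land in one console for the geo rule to see both the login and the business context.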


Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved