Week 4 Day 3

Week 4 Day 2

Cyber Security Bootcamp


Security Operations

We are making time to answer questions! Please don’t worry!
Today . . .
Part 1 Lecture: Understanding Working Relationships and Workflows in SOC
Part 2 Exercise: Writing Introduction Emails & Asking for Help in SOC
Part 3 Exercise: Review of Relationships, Workflows and Communication in SOC
Part 4 Lecture Review: Build your SOC - Understanding Job Roles, Hierarchy and
Making Connections
Part 5 Exercise: Group Work - Take a Role
Understanding Working Relationships and Workflows in SOC
It's important to note that the specific teams, workflows, and documentation may
vary based on the organization's size, industry, and specific security requirements.
Customization is essential to align with the organization's unique needs and
compliance obligations.

There is no one standard to follow!


Workflows
A typical SOC workflow would start with data collection, where data from various
sources within the organization is collected for analysis. This includes log data,
threat intelligence feeds, and other security-related information.

The next step would be data processing, where this collected data is normalized
and aggregated for analysis.

After processing, the data is analyzed for potential security events. This analysis
can be performed by security analysts or using automated tools.
If a potential security event is detected, the incident response process begins. This
involves triaging the incident to understand its nature and potential impact, followed by
containment, eradication, and recovery measures.

After the incident is handled, a post-incident analysis is usually performed. This helps the
SOC to learn from the incident and improve their processes.

Understanding and improving the working relationships and workflows in a SOC is crucial
to increasing efficiency and effectiveness. It ensures that the SOC team works
harmoniously and that incidents are detected and responded to in a timely manner.
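The collect, process, analyse sequence above is easier to picture as code. The following is an added example, not material from the bootcamp slides: two constructed log sources (an sshd authentication log and a firewall log) are normalised into one event schema, aggregated per source address, and then run through two simple analysis rules, a failure-count threshold and a match against a threat-intelligence feed. The log formats, field names, threshold and the feed contents are all assumptions made for the demo.

```python
"""Added example (not part of the bootcamp slides): a miniature SOC
workflow pipeline -- collect, normalise, aggregate, analyse.

All log lines and the threat-intel feed below are constructed sample
data; the source formats and field names are assumptions for the demo.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# --- Data collection: raw events from two different sources (constructed) ---
SSHD_LOG = """\
Jan 12 08:01:02 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 12 08:01:04 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 12 08:01:06 bastion sshd[2211]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Jan 12 08:01:09 bastion sshd[2211]: Accepted password for deploy from 198.51.100.20 port 40100 ssh2
"""

FIREWALL_LOG = """\
2024-01-12T08:00:55Z action=deny src=203.0.113.7 dst=10.0.0.5 dport=22
2024-01-12T08:00:57Z action=deny src=203.0.113.7 dst=10.0.0.6 dport=22
2024-01-12T08:01:30Z action=allow src=198.51.100.20 dst=10.0.0.5 dport=22
"""

# Threat intelligence feed: known-bad addresses (constructed sample value)
THREAT_INTEL = {"203.0.113.7"}


@dataclass(frozen=True)
class Event:
    """Normalised event shared by every source."""
    source: str
    src_ip: str
    outcome: str  # "failure" or "success"
    detail: str


SSHD_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\d+\.\d+\.\d+\.\d+)")
FW_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")


def normalise_sshd(text):
    """Data processing: map sshd lines onto the common Event schema."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            outcome = "failure" if m.group(1) == "Failed" else "success"
            events.append(Event("sshd", m.group(3), outcome, f"user={m.group(2)}"))
    return events


def normalise_firewall(text):
    """Data processing: map firewall key=value lines onto the same schema."""
    events = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            outcome = "failure" if m.group(1) == "deny" else "success"
            events.append(Event("firewall", m.group(2), outcome, f"dst={m.group(3)}:{m.group(4)}"))
    return events


def aggregate(events):
    """Aggregate by source IP: count failures and note which sources saw it."""
    agg = defaultdict(lambda: {"failures": 0, "sources": set()})
    for e in events:
        agg[e.src_ip]["sources"].add(e.source)
        if e.outcome == "failure":
            agg[e.src_ip]["failures"] += 1
    return agg


def analyse(agg, threshold=3):
    """Analysis step: one alert per source IP that trips at least one rule."""
    alerts = []
    for ip, stats in agg.items():
        reasons = []
        if stats["failures"] >= threshold:
            reasons.append(f"{stats['failures']} failures across {sorted(stats['sources'])}")
        if ip in THREAT_INTEL:
            reasons.append("matches threat-intel feed")
        if reasons:
            alerts.append({"src_ip": ip, "reasons": reasons})
    return alerts


def run_pipeline():
    """Collect -> normalise -> aggregate -> analyse, returning the alerts."""
    events = normalise_sshd(SSHD_LOG) + normalise_firewall(FIREWALL_LOG)
    return analyse(aggregate(events))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Only the address that fails repeatedly across both sources and appears on the feed produces an alert; the deploy user's successful logins never reach the analysis rules. Aggregating across sources before analysing is the point: neither log on its own shows the full five failures.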
SOP Workflows
A Standard Operating Procedure (SOP) for a Security Operations Center (SOC) is
a set of step-by-step instructions compiled by an organization to help its SOC staff
carry out complex routine operations. SOPs aim to achieve efficiency, quality
output, and uniformity of performance, while reducing miscommunication and
potential for human error.

The SOP is always the start and the end of the process, but very often it calls
other processes, workflows or playbooks into play as needed.
Common SOP Procedures
Detection and Reporting:

Monitor security tools and dashboards for any alerts or anomalies. These may include IDS/IPS, firewall
logs, system logs, antivirus software, etc.

If an alert is identified, document the details of the alert in the incident response management system.

Escalate to a senior SOC analyst for initial incident triage.

Initial Triage:

The senior SOC analyst investigates the alert to confirm if it is a genuine incident. False positives are
documented and resolved.

If a genuine incident is confirmed, the analyst assigns it an initial severity level based on factors such as
the potential impact and the type of data or systems affected.
Incident Analysis:

The incident handler begins detailed analysis to understand the nature of the incident and potential threat
actors or malware involved.

Gather additional data as needed. This may involve running additional tools, querying databases, or
checking threat intelligence feeds.

Containment, Eradication, and Recovery:

Once the incident has been analyzed, decide on a containment strategy to prevent further damage.

After containment, eradicate the threat. This may involve removing malware, patching software, or
changing compromised passwords.

Following eradication, recover affected systems or data. This may involve restoring from backups,
reinstalling software, etc.
Post-Incident Analysis and Reporting:
After the incident is resolved, perform a post-incident analysis. Identify lessons learned
and how to prevent similar incidents in the future.
Document all actions taken during the incident in a formal report. Include an overview of
the incident, its impact, the response actions taken, and recommendations for future
prevention.
The report should be submitted to the SOC manager and other relevant stakeholders.
This is a general SOP and may be customized according to an organization's specific
needs, systems, and tools. Please note that it is critical for organizations to regularly
review and update their SOPs to ensure that they remain effective and relevant.
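The SOP stages above (detection and reporting, triage with a false-positive branch, analysis, containment, eradication, recovery, post-incident reporting) form a fixed sequence, and an incident response management system typically enforces it. The following is an added example, not the bootcamp's own material: an incident record that only allows the stage transitions the SOP describes, refuses undocumented stage changes, records escalation to a senior analyst, and assigns a severity from potential impact and the sensitivity of what was affected. The severity matrix, stage names and role names are assumptions chosen for the demo.

```python
"""Added example (not the bootcamp's own material): an incident record
that enforces the SOP stage order and records who did what.

Severity matrix, stage names and role names are assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import Optional

# Allowed transitions between SOP stages. The false-positive branch closes
# the incident straight from triage, with the decision documented.
TRANSITIONS = {
    "detected": {"triage"},
    "triage": {"analysis", "closed_false_positive"},
    "analysis": {"containment"},
    "containment": {"eradication"},
    "eradication": {"recovery"},
    "recovery": {"post_incident"},
    "post_incident": {"closed"},
}


def assign_severity(impact, data_sensitivity):
    """Assumed severity matrix: potential impact x sensitivity of affected assets."""
    score = {"low": 1, "medium": 2, "high": 3}
    total = score[impact] + score[data_sensitivity]
    if total == 6:
        return "critical"
    if total == 5:
        return "high"
    if total == 4:
        return "medium"
    return "low"


@dataclass
class Incident:
    alert_id: str
    stage: str = "detected"
    severity: Optional[str] = None
    assignee: str = "soc_analyst"
    log: list = field(default_factory=list)

    def record(self, actor, note):
        """Every action is logged against the stage it happened in."""
        self.log.append((self.stage, actor, note))

    def escalate(self, to_role, actor, reason):
        """Hand the incident to another role and document why."""
        self.assignee = to_role
        self.record(actor, f"escalated to {to_role}: {reason}")

    def advance(self, to_stage, actor, note):
        """Move to the next SOP stage only if the transition is allowed and
        the step is documented; returns False (and changes nothing) otherwise."""
        if to_stage not in TRANSITIONS.get(self.stage, set()):
            return False
        if not note.strip():
            return False
        self.record(actor, note)
        self.stage = to_stage
        return True


def run_genuine_incident():
    """Walk a confirmed incident through every SOP stage (constructed notes)."""
    inc = Incident("ALERT-0001")
    inc.record("soc_analyst", "IDS alert: many failed SSH logins from one source")
    inc.escalate("senior_analyst", "soc_analyst", "initial triage per SOP")
    inc.advance("triage", "senior_analyst", "confirmed genuine: source on threat-intel feed")
    inc.severity = assign_severity(impact="high", data_sensitivity="medium")
    inc.advance("analysis", "incident_handler", "host artifacts and threat intel gathered")
    inc.advance("containment", "incident_handler", "source blocked at the firewall")
    inc.advance("eradication", "incident_handler", "compromised credential reset")
    inc.advance("recovery", "incident_handler", "host restored from known-good backup")
    inc.advance("post_incident", "incident_handler", "lessons learned drafted")
    inc.advance("closed", "soc_manager", "final report accepted")
    return inc


def run_false_positive():
    """Triage finds nothing malicious: document it and close (constructed notes)."""
    inc = Incident("ALERT-0002")
    inc.advance("triage", "senior_analyst", "reviewing alert")
    inc.advance("closed_false_positive", "senior_analyst", "authorised scanner, documented")
    return inc


if __name__ == "__main__":
    for stage, actor, note in run_genuine_incident().log:
        print(f"{stage:14} {actor:17} {note}")
```

Because `advance` rejects both out-of-order stages and empty notes, the log that results is exactly the record the post-incident report needs: every stage, who acted, and what they did.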
Writing Introduction Emails & Asking for Help in SOC
Introduction Email:
Start with a professional greeting and introduction. Briefly introduce yourself,
including your name, position, and any relevant background or experience.
Mention your role in the SOC and your objectives within the team. Highlight your
enthusiasm for joining the SOC and your commitment to contributing to its
success.
Request an opportunity to connect or schedule a meeting to introduce yourself
further and learn more about the team. Provide your availability or ask for a
suitable time to discuss further.
Asking for Help
Clearly state the purpose of your email and the specific assistance you require. Be
specific about the problem or challenge you are facing.

Provide relevant details, such as any error messages, logs, or supporting
information that can help the recipient understand the issue more effectively.

Express gratitude and acknowledge their expertise and willingness to assist.
Assure them that their support is highly valued.

Request a suitable time or method for further discussion or ask if they prefer any
specific format or information for a prompt resolution.
Review of Relationships, Workflows and Communication in SOC
Example Workflows:

Incident Response Workflow: This workflow outlines the steps involved in detecting, analyzing, and responding to
security incidents, including incident triage, containment, evidence collection, and remediation.

Vulnerability Management Workflow: This workflow covers the process of identifying, assessing, and mitigating
vulnerabilities in systems, including vulnerability scanning, prioritization, patching, and verification.

Access Management Workflow: This workflow describes the procedures for granting and revoking access rights to
systems and applications, including user provisioning, access reviews, and privileged access management.

Change Management Workflow: This workflow outlines the process for evaluating and implementing changes to the
organization's IT infrastructure and applications while ensuring security and minimizing risks.
Build your SOC - Understanding Job Roles, Hierarchy and Making Connections
Security Manager/Director: Responsible for overseeing the entire security function
within the organization, setting strategic objectives, and managing the team.

Security Analysts/Engineers: Conduct security assessments, monitor systems for
vulnerabilities, and respond to security incidents.

Incident Response Team: Dedicated team that handles and coordinates the
response to security incidents, including containment, investigation, and recovery.
Threat Hunter: They proactively and iteratively search through networks to detect
and isolate advanced threats that evade existing security solutions.

Forensic Analyst: This team member is responsible for investigating cybersecurity
incidents or crimes related to information technology. This includes gathering and
analyzing evidence and helping to mitigate future risks.
Threat Intelligence Analysts: Research and analyze emerging threats, track threat
actors, and provide proactive guidance on security measures.

Security Operations Center (SOC) Analysts: Monitor systems, detect and
investigate security events, and provide real-time incident response.

Security Architects: Design and implement security solutions, develop security
policies and standards, and provide guidance on security best practices.

Compliance Officers: Ensure compliance with relevant regulations and industry
standards, conduct audits, and maintain documentation.
Role Hierarchy

[Image: role hierarchy diagram; image source not given in the slides]
Group Work - Take a Role
In this exercise, you will be re-examining the emails that were written in the lecture
exercise Writing Welcome-Introduction Email and Asking for Help.

Each group is to respond to an email addressed to its assigned role.

Assign roles to groups; the roles you assign will be either that of a client, an
analyst of the same level as the one that wrote the email, or an analyst one step
higher than the one that wrote the email.
Thoughts, Comments . . .

?
Today’s To Do . . .
Complete W4D2 and D3 scheduled activities as needed

Make sure you are all caught up!
