Introduction to Security Operations Centre (SOC):
A Security Operations Centre (SOC) - - improves an organisation's ability to detect, respond and recover from cyber security threats by orchestrating defensive cybersecurity technologies and functions.
A SOC is an in-house or outsourced team of IT security professionals dedicated to monitoring an organisation’s entire IT infrastructure 24x7 and its remit is to detect, analyse and respond to security incidents in real-time. Often a SOC is associated with managing a SIEM or Security Information and Event Management platform or tool. A SIEM aggregates log data, security alerts, and events into a centralised repository to provide real-time analysis for security analysts monitoring within a SOC.
An effective SOC requires the right blend of people & skills, technologies and processes. A high level of technical and non-technical skills and experience is required to staff a modern SOC, given the complex range of threats facing organisations in 2024. With a global cyber security skills crisis, many organisations are turning to Managed Security Service Providers (MSSPs) to provide what are termed Managed SOC, Managed Detection and Response (MDR), Extended Detection and Response (XDR), Managed SIEM, or SOC-as-a-Service (SOCaaS) to name but a few of the industry buzz words. Not to mention Endpoint and Network Detection and Response (EDR/NDR) but let’s leave them aside for another time.
Not all SOC/MDR services are created equal!
There are good and not so good SOCs. The selection of the incorrect SOC solution can do more harm than good to an organisation, because it provides a "false sense of security", which is the worst thing anyone can have - when you assume a security control is effective, whereas it is not.
Ineffective SOC monitoring occurs when the SOC fails to adequately detect, analyse, and respond to security incidents and threats in a timely and efficient manner. A SOC serves as the frontline defence against cyber threats. However, the effectiveness of a SOC heavily relies on its monitoring capabilities. A SOC who’s monitoring is subpar can leave organisations vulnerable to sophisticated attacks, data breaches, and significant financial losses.
How to Know if Your SOC is Performing?
You’ve chosen to build or buy your organisations SOC, but how do you know if it’s performing?
The easiest way to test their performance is to conduct a Penetration Test, Red or Purple teaming exercise and validate if the SOC provider can detect attack behaviours. Many organisations with outsourced SOC/MDR providers choose not to notify the SOC of the exercise in order to test their efficiency.
Case Study
During a recent internal Pen Test, a Spartans Security consultant employed various tools and techniques aimed at compromising the customer’s domain controller. Among these tools was CrackMapExec (a.k.a CME) is a post-exploitation tool that helps attackers automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of “Living off the Land”: abusing built-in Active Directory features/protocols to achieve it’s functionality and allowing it to evade most detection and response solutions.
Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios. Despite this the use of CME is not a normal user behaviour, so we were expecting that these activities would trigger alerts by the SOC team. We found that the activity triggered a single security alert to the customer's managed SOC team. However, the SOC team marked the ticket as "False Positive". It became apparent that the SOC analyst assigned to the ticket lacked the requisite knowledge about offensive tools commonly utilised by threat actors. This action allowed our team to persist with the attack chain, compromising the domain controller and establishing a backdoor by adding a user to the domain admin group.
As a result, the organisation decided to terminate the contract with the SOC provider.
Let's delve into the key aspects and consequences of inadequate SOC monitoring.
Lack of Real-Time Visibility
One of the primary drawbacks of ineffective SOC monitoring is the lack of real-time visibility into network activities. Without continuous monitoring and analysis of security events, malicious activities can go undetected for extended periods, allowing threat actors to infiltrate systems and exfiltrate sensitive data unnoticed.
The volume and velocity of cyber-attacks has increased exponentially in recent years due to the widespread use of cloud and automation technologies (AI, ML etc.) by criminal groups. What used to take days, weeks or months for threat actors to perform has been distilled to minutes and sometimes seconds. So speed is key for attackers and defenders alike.
Inadequate Alerting Mechanisms
Inefficient alerting mechanisms within a SOC can lead to alert fatigue among analysts. False positives, poorly configured alerts, or an overwhelming volume of alerts can distract analysts from identifying genuine threats, resulting in critical security incidents being overlooked or delayed in response.
Limited Threat Intelligence Integration
Effective SOC monitoring heavily relies on threat intelligence to proactively identify and mitigate potential threats. Poor integration of threat intelligence feeds into monitoring tools can hinder the SOC's ability to detect emerging threats and trends, leaving organisations open to evolving attack vectors.
Insufficient Incident Response Capabilities
Inadequate SOC monitoring can disrupt incident response capabilities, leading to delays in identifying and containing security incidents. Without timely detection and response, cyberattacks can escalate quickly, causing widespread damage to an organisation's infrastructure and reputation.
Impact on Compliance and Regulatory Requirements
Failure to maintain effective SOC monitoring practices can result in non-compliance with industry regulations and data protection laws. Organisations may face legal repercussions, fines, or reputational damage due to inadequate security measures and lack of proper monitoring controls.
Lifecycle of the Security Operation Center (SOC)
The following process chart outlines the steps for handling, validating, filtering, and responding to alerts in an efficient and systematic manner. Each stage involves specific actions to ensure thorough investigation and appropriate response to security incidents. Effective SOC monitoring practices rely on rigorous processes to ensure SLAs such as time to detect, time to respond or time to resolve incidents are achieved consistently.
Recommendations for Improving SOC Monitoring
Implement a robust SIEM solution for centralised log management and real-time analysis.
Develop playbooks within the SIEM platform to speed up the investigation of alerts.
Regularly review and fine-tune alerting rules to reduce false positives and enhance detection accuracy.
Ensure critical data sources and assets are updated as required and look to best practices such as ASD’s Essential 8 to ensure key event types are captured and acted upon.
Invest in threat intelligence platforms to enrich monitoring data with up-to-date threat feeds.
Conduct regular training for SOC analysts to enhance their skills in incident detection, analysis, and response.
Perform periodic assessments and audits of SOC monitoring processes to identify gaps and areas for improvement.
Consider the use of Security Orchestration, Automation and Response (SOAR) technologies to reduce the load on the SOC by incorporating automated responses to a variety of events.
If outsourcing the SOC, consider whether there is evidence of the elements above and demand SLAs to enforce performance.
Modern SOCs should also be capable of advanced threat-hunting techniques, such as proactive hunting for indicators of compromise (IOCs), behavioural analytics, and anomaly detection, as well as the ability to identify emerging threats and uncover previously unknown threats.
Consider red or purple teaming exercises to assess the effectiveness of your SOC under simulated adversary attacks using frameworks such as MITRE ATT&CK.
Plan and run incident response tabletop exercises to simulate how the SOC and organisation as a whole would respond to a genuine cyber-attack.
How Spartans Security Can Help
Spartans Security is dedicated to comprehensively understanding the unique needs of your organisation and stay up to date with emerging security threats. Our approach involves tailoring recommendations to provide the best-suited solutions for your specific requirements. We not only identify the most fitting security solutions but also offer practical advice on successful implementation. Our commitment lies in ensuring that your organisation not only achieves its security goals but does so with a seamlessly implemented and practical strategy for success.
Conclusion
Understanding the effectiveness of your SOC is important in ensuring your investment in security yields a solid return and is critical in safeguarding the organisation against evolving cyber threats.
By addressing the pitfalls of ineffective SOC practices and implementing proactive measures to enhance visibility, alerting mechanisms, threat intelligence integration, and incident response capabilities, organisations can enhance their cybersecurity posture and mitigate risks effectively. Spartans Security offers tailored security solutions and implementation guidance to address organisation-specific needs effectively.
Looking for SOC, Penetration Testing, Incident Response or other cyber security solutions for your organisation? Then feel free to reach out to us at info@spartanssec.com. Our dedicated experts are looking forward to assisting with robust solutions according to your organisation's needs.
Comments