Basic Operational Procedures and Incident Response Processes of a Security Operations Center (SOC)
Certification: Cisco CCNA Cyber Ops - Cisco Certified Network Associate Cyber Ops
By Sherry G. Holland
In the corporate structure, security is becoming more established, and it is no longer acceptable to treat security as a secondary function. Organizations are investing in the development of a Security Operations Center (SOC) so they can provide an increased security presence and rapid response to events throughout the network. Building a SOC is a monumental task, but like a network it is specific to the organization, and it has several major components that all organizations should include: people, processes and technology. These three components are critical and should be considered in all aspects of security.
Proper planning is critical in the development and implementation phases. As with many security programs, an iterative process is effective in developing a refined set of procedures. An organization that takes this approach will quickly recognize benefits from its investments, positioning it to take advantage of lessons learned and knowledge gained through the operation of the SOC. Set appropriate timelines and expectations for the deployment of the SOC so that the initial operational period is viewed as the refinement period.
The primary components of a SOC are:
- During the define-the-SOC phase, establish the mission, responsibility and scope of the SOC.
- During the determine-the-process phase, clearly identify and document the key templates, procedures and processes required to support the SOC.
- During the understand-the-environment phase, the business defines the technical domain to be monitored, the "use cases" and the types of data that the SOC will receive.
- During the identify-the-customer phase, the business determines the classes of customers and their interaction with the SOC.
- During the staff-the-SOC phase, the operational hours and the required staff per shift are identified.
- During the manage-the-events phase, the business categorizes, assigns and prioritizes the events received by the SOC.
- During the leveraging-ITIL phase, the business identifies the core ITIL components needed to continually run an effective SOC.
Define the Security Operations Center
When implementing a SOC, the first and most important component is to define its mission, charter, objectives and responsibilities. This ensures its longevity and helps avoid conflict with other company-wide functions. Create a formal document that contains these components: the mission, charter, objectives, responsibilities and operational hours. Creating this manual at the beginning gives the SOC staff a reference guide from the start.
Another important component is defining the service functions of the SOC. Once defined, the service functions serve as a daily guide to the processes and procedures followed by the staff. Based on their expertise, staff can be assigned additional responsibilities for critical tasks. SMEs, or subject matter experts, are assigned some of the more intensive tasks based on tier levels. Documents should be developed to ensure the appropriate information is gathered in the event of an incident and to ensure consistency across all staff members.
Determine the Processes
The scope determines the number of processes and procedures the SOC will offer, the number of different technologies in use, and the number of customers supported. Even if the SOC environment consists of tens or even hundreds of thousands of procedures as part of a global environment, it must at a minimum meet the following basic requirements:
- Procedures for monitoring
- Procedure for notification – whether through mobile, email, chat or home
- A notification and escalation process
- A transition of the daily SOC services
- Procedure for shift logging
- Procedure for incident logging
- Procedure for compliance monitoring
- Procedure for report development
- Procedure for dashboard creation
- Procedure for incident investigation (malware, virus, etc.)
Developing Use Cases
For an effective SOC, a series of use cases should be defined. These use cases are events that may require SOC intervention and/or monitoring, and each might be backed by a rule, an alarm or a dashboard that meets its requirements. They are developed from the procedures, by looking at the company from the perspective of an attacker, or from the perspective of the regulations against which the organization would be evaluated as non-compliant. Examples of use cases are a repeat attack from a single source or an anomaly in a DoS baseline.
After the use cases are developed, a staffing schedule should be created to ensure 24x7 coverage. Holiday coverage should be considered as well. Shift logs, incident logs and shift turnover should also be managed. Incident logs and shift logs should be maintained in a safe and controlled manner and should contain the time, the incident record number, the staff name and a description of the event.
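The two use cases named above, as an added example that is not part of the original article: a correlation rule for a repeat attack from a single source (repeated failures from one source inside a sliding window) and a DoS baseline anomaly check. The log line format, the sample events, the thresholds and the baseline numbers are all assumptions constructed for the example.

```python
"""Two SOC detection use cases over constructed log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events, one per line: "<ISO timestamp> <source_ip> <outcome>"
SAMPLE_LOG = """\
2024-05-01T10:00:05 203.0.113.7 LOGIN_FAIL
2024-05-01T10:00:40 203.0.113.7 LOGIN_FAIL
2024-05-01T10:01:10 198.51.100.2 LOGIN_OK
2024-05-01T10:02:30 203.0.113.7 LOGIN_FAIL
2024-05-01T10:03:15 203.0.113.7 LOGIN_FAIL
2024-05-01T10:14:00 203.0.113.7 LOGIN_FAIL
"""


def parse(log_text):
    """Turn the assumed log format into (timestamp, source, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, outcome))
    return events


def repeat_attack_sources(events, threshold=4, window=timedelta(minutes=5)):
    """Use case 1: flag sources with >= threshold failures inside any sliding window."""
    by_src = defaultdict(list)
    for ts, src, outcome in events:
        if outcome == "LOGIN_FAIL":
            by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0  # left edge of the sliding window over this source's failures
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def dos_anomaly(baseline_rpm, observed_rpm, k=3.0):
    """Use case 2: observed requests/minute exceed baseline mean + k * stdev."""
    mu, sigma = mean(baseline_rpm), pstdev(baseline_rpm)
    return observed_rpm > mu + k * sigma
```

With the sample log, the first rule flags 203.0.113.7 (four failures within 3 minutes 10 seconds) while the single lone failure at 10:14 does not count on its own; the second rule flags 140 requests/minute against a baseline of 90 to 110 but not 115.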
Some log procedures that should be adhered to are:
- A shift log is mandatory for every shift.
- If there is no activity or open problem to turn over, note that in the log.
Shift log entries use a defined format that will include:
- Details of the event
- Impact of the threat to the asset or organization
- Descriptions of the items found while the event is investigated
- Any recommendations for the next analyst that will take over the incident
Event and Incident Categorization
There are standards available for categorizing events and incidents. The categories can be defined in the Governance, Risk and Compliance (GRC) system, and metrics can then be tracked by category. Examples of these categories include:
- Training and exercises
- Root level intrusion (incident)
- User level intrusion (incident)
- Denial of service (incident)
- Malicious logic (incident)
- Unsuccessful activity attempt (event)
- Non-compliance activity (event)
- Reconnaissance (event)
- Investigating (event)
- Explained anomaly (event)
Incident Resolution and Escalation Procedures
During the resolution of an incident, the SOC might tie into an existing incident response practice, or resolution might be included in the incident ticket record escalation process that documents the steps required of the SOC staff. Resolving an incident involves many tasks, including:
- Documenting incident resolution and description
- Referencing any other incident record IDs or trouble tickets
- Closing the incident record, including the communication method used to notify end users or tier-level contacts
- Documenting the underlying root cause of the problem
Escalation procedures should also be in place, and the SOC should have clearly defined procedures for each escalation tier that address, at a minimum, the following:
- Resources to assist with incident resolution
- Review of open incident records
- Status updates
- No response from customer
- Adding notes to the incident record
- Additional escalations
- Incident record closure
- High priority / high severity handling
- Lack of resolution
Third-party resolution and escalation procedures are also needed, for example when a software patch or antivirus needs to be developed quickly. This could require a third-party forensic investigation and analysis. The SOC should therefore have a defined procedure for escalating these cases and the appropriate contact information to support the escalation process.
Incident Escalation Guidelines
It is good practice to maintain a detailed contact list with internal contacts, distribution lists, third-party contacts and phone numbers. When it comes time to correct an incident, there should be a defined process that applies the detection, isolation and resolution disciplines that have already been established and practiced by all levels of the SOC. This process should be documented in the incident response plan where applicable and should list subject matter experts for each area in case assistance is needed to resolve the incident.
Functional responsibilities for each operator are also important. Documenting the SOC functions and assigning them to each level is needed to ensure that tasks are handled and escalated properly. Some of these functions include creating shift logs, taking inbound requests and performing forensic investigations.
In conclusion, larger corporations are now establishing security operations centers, or SOCs, to maintain their information security services. Well-designed centers not only protect the company; they can also warn of impending incidents. A well-designed SOC has the proper procedures in place to assist with incidents and a structured, defined process that minimizes the amount of danger that could possibly occur. The SOC's mission, charter, objectives and responsibilities are its most important component and will ensure the longevity of the SOC.