Ir Soc

The document outlines the importance of incident response and the role of Security Operations Centers (SOC) in managing cybersecurity threats. It details the components of an effective incident response plan, common security incidents, and various technologies such as SIEM, SOAR, and XDR that enhance threat detection and response. Additionally, it emphasizes the need for continuous monitoring, vulnerability management, and advanced security strategies like Zero Trust Segmentation to protect organizational assets.


Incident response and Security Operations Center (SOC)


Incident response
Incident response (sometimes called cybersecurity incident response) refers to an organization’s processes and technologies for detecting and responding to cyberthreats, security breaches or cyberattacks. A formal incident response plan enables cybersecurity teams to limit or prevent damage.

Ideally, an organization defines incident response processes and technologies in a formal incident response plan (IRP) that specifies how different types of cyberattacks should be identified, contained and resolved.

An effective incident response plan can help cyber incident response teams detect and contain cyberthreats, restore affected systems and reduce lost revenue, regulatory fines and other costs.
What are security incidents?
A security incident, or security event, is any digital or physical breach that threatens the confidentiality, integrity or availability of an organization’s information systems or sensitive data. Security incidents can range from intentional cyberattacks by hackers or unauthorized users to unintentional violations of IT security policy by legitimate, authorized users.
Some of the most common security incidents include:

• Ransomware
• Insider threats
• Phishing and social engineering
• Privilege escalation attacks
• DDoS attacks
• Man-in-the-middle attacks
• Supply chain attacks
An incident response plan usually includes:
• An incident response playbook including the roles and responsibilities of each member of the CSIRT throughout the incident response lifecycle.
• The security solutions—software, hardware and other technologies—installed across the enterprise.
• A business continuity plan outlining procedures for restoring critical systems and data as quickly as possible if there’s an outage.
• An incident response methodology that details the specific steps to be taken at each phase of the incident response process, and by whom.
• A communications plan for informing company leaders, employees, customers and law enforcement about incidents.
• Instructions for collecting and documenting information about incidents for postmortem review and (if necessary) legal proceedings.
How incident response works
Most incident response plans follow the same general incident response
framework based on models developed by the National Institute of
Standards and Technology (NIST) and SANS Institute. Common incident
response steps include:
The evolving threat landscape

• Increasing threats against organizations of any size and vertical
• Attack campaigns more targeted and long-lasting
• Data leakage more than ever linked to external factors
• Increasing sophistication of cyber attacks
How should we face this scenario?

Traditional Approach
• IT Operations
• Focus and budget on preventive technologies
• Reactive approach

New Approach
• Incident Response & Intelligence
• Focus on Detection
• Proactive role

• SOC as a control center aimed to detect, investigate and address cyber-security incidents
Pursue the right route towards a SOC model

• Assess your own journey within a Capability Maturity Model
• Consider and evaluate People, Processes and Technologies to:
– Enhance the overall governance
– Improve the standing and the role of IT Security in the organization
– Provide accurate measurements to management
The fundamentals of our maturity model

Technologies
• Visibility
• Response time, efficiency, efficacy
• Integration with the IT and business context
• Automation
• Effectiveness measurement
• Intelligence sharing

Processes
• Best practice driven
• Repeatable procedures
• Tight integration with the business

People
• Specialization
• Center of Excellence
• Focus on intelligence
• Well-defined roles and responsibilities
Implementing a SOC model
.. bringing theory into practice

• The successful implementation of a SOC model could be slowed down by a number of factors:
– Undefined roles and responsibilities
– Conflicting goals
– Budgets spread between departments
– Vague metrics
– Processes not fully automated
– Technologies not appropriate

[Diagram: SOC operating model. Roles: L1 SOC Analyst, L2 Analyst, Threat Intelligence Analyst, SOC Manager, Breach Coordinator, Manager 1, Manager 2, CISO, HR, Legal, IT, Finance, eFraud. Activities: SIEM, Centralize Alerts, Incident Analysis, Network Visibility, Host Visibility, Shift Handoff, Report, Breach, KPIs, Measure Efficacy, Process, Handoff, DLP.]
SOC model: Roles and Responsibilities

[Diagram: SOC Management (SOC Manager, CISO/CSO), Analysts (L1 Analyst, L2 Analyst, Threat Intel Analyst) and cross-functional teams (CIO, Business Mgr., Privacy Officer, Compliance, Legal, HR) orchestrate and manage the processes: Incident Management, Breach Management, IT Security Management, SOC Program Management and Risk Management.]

Bring to each role the information required to effectively support the incident response process.
Standard SoC Room Layout

[Floor plan: L1, L2 and L3 analyst areas, SoC Mgr office, Inc Mgr office, TI Team, SandBox, Evidence Cabinet, Network RACK (2U units) and Conference Room.]
Are we ready to accept the challenge?

[Diagram: a structured model to face the new threats (advanced threats, organized cybercrime) that combines Technologies, Processes and People with Threat Intelligence, Visibility, Big data and Analytics, quick and effective decisions and continuous improvement.]
What Do Clients Need?
Building the next generation SOC
SOC Components
• User and Entity Behavior Analytics (UEBA)
• Log Monitoring Solution (SIEM)
• Network Traffic (Packet) Monitoring
• System and Network Data Monitoring
• Applications and Servers Monitoring
• AD and Exchange Monitoring
• Privileged Access Management
• Identity and Access Management
• Assets & Helpdesk Management
• Database Activity Monitoring
• Endpoint Security (AV, EDR / XDR, APT, Full Disk Encryption)
• MFA / Two Factor Authentication
• Data Protection Solutions (DLP & Data Backup)
• Network Gateway Protection (NGFW, NGIPS)
• Secure Email & Web Communication (SEGW, Web Security Gateway)
• Web Application Firewall (WAF)
• DNS Security
• Vulnerability Management
• Anti-DDoS Solution
• Security Orchestration, Automation, and Response (SOAR)
• Governance, Risk, and Compliance (GRC)
SIEM (Security Information and Event Management)
SIEM stands for Security Information and Event Management, a cybersecurity solution that provides real-time analysis of security alerts, centralized log management, and threat detection capabilities by aggregating data from multiple systems, applications, and devices within an organization.
1. Centralized Monitoring: consolidates logs and events into a single platform for better visibility.
2. Improved Threat Detection: identifies potential security incidents in real time.
3. Faster Incident Response: helps security teams detect and investigate incidents quickly.
4. Regulatory Compliance: simplifies compliance with industry regulations through detailed logging and reporting.
5. Scalability: handles large volumes of data, making it suitable for organizations of all sizes.
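The two SIEM jobs named above, aggregation and real-time detection, come down to normalizing logs from unrelated sources into one schema and then running correlation rules over the merged stream. The following is an added example written for this page, not code from the original deck or from any SIEM product: it parses constructed sshd syslog lines and JSON web-portal audit records (hosts, users and IP addresses are made up), merges them in time order, and applies one rule, many failed logins followed by a success from the same source IP within a minute.

```python
"""Minimal SIEM-style pipeline: normalize heterogeneous logs into one event
schema, then run a correlation rule over the merged, time-ordered stream."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two sources: sshd syslog and a JSON audit log
# of a web portal. Hosts, users and IP addresses are made up.
SYSLOG_LINES = [
    "2024-05-01T09:00:01Z host1 sshd[410]: Failed password for alice from 203.0.113.7 port 5001 ssh2",
    "2024-05-01T09:00:04Z host1 sshd[410]: Failed password for alice from 203.0.113.7 port 5002 ssh2",
    "2024-05-01T09:00:09Z host1 sshd[410]: Failed password for bob from 203.0.113.7 port 5003 ssh2",
    "2024-05-01T09:00:15Z host1 sshd[410]: Accepted password for bob from 203.0.113.7 port 5004 ssh2",
    "2024-05-01T09:30:00Z host2 sshd[777]: Failed password for carol from 198.51.100.9 port 6001 ssh2",
]
JSON_LINES = [
    '{"ts":"2024-05-01T09:00:06Z","app":"portal","event":"login_failed","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T09:00:12Z","app":"portal","event":"login_failed","user":"alice","src_ip":"203.0.113.7"}',
    '{"ts":"2024-05-01T10:00:00Z","app":"portal","event":"login_ok","user":"dave","src_ip":"192.0.2.44"}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)"
)


def _parse_ts(text):
    """ISO-8601 with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def normalize_syslog(line):
    """One sshd syslog line -> common event schema, or None if not an auth line."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": _parse_ts(m["ts"]), "source": "sshd", "host": m["host"], "user": m["user"],
            "src_ip": m["ip"], "outcome": "success" if m["result"] == "Accepted" else "fail"}


def normalize_json(line):
    """One JSON audit record -> common event schema, or None for other event types."""
    rec = json.loads(line)
    outcome = {"login_failed": "fail", "login_ok": "success"}.get(rec.get("event"))
    if outcome is None:
        return None
    return {"ts": _parse_ts(rec["ts"]), "source": rec["app"], "host": rec["app"], "user": rec["user"],
            "src_ip": rec["src_ip"], "outcome": outcome}


def normalize_all(syslog_lines, json_lines):
    """Aggregate both sources into a single time-ordered event list."""
    events = [normalize_syslog(l) for l in syslog_lines] + [normalize_json(l) for l in json_lines]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def correlate(events, threshold=4, window=timedelta(seconds=60)):
    """Rule: >= threshold failed logins from one source IP within `window`
    (counted across all sources), followed by a success from that IP -> alert."""
    failures = defaultdict(list)  # src_ip -> [(ts, source)]
    alerts = []
    for e in events:  # events must be time-ordered
        if e["outcome"] == "fail":
            failures[e["src_ip"]].append((e["ts"], e["source"]))
            continue
        recent = [(t, s) for t, s in failures[e["src_ip"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": e["src_ip"],
                           "user": e["user"], "failures": len(recent),
                           "sources": sorted({s for _, s in recent}), "ts": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize_all(SYSLOG_LINES, JSON_LINES)):
        print(alert)
```

The point the single-source view misses is visible in the result: neither sshd nor the portal alone sees four failures, but the merged stream does, which is exactly the "centralized monitoring" benefit the list above describes.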
Examples of SIEM Solutions
SOAR (Security Orchestration, Automation, and Response)
SOAR stands for Security Orchestration, Automation, and Response. It is a cybersecurity solution
that enhances an organization's ability to manage, analyze, and respond to security threats efficiently.
SOAR combines automation, workflow orchestration, and case management to streamline and
accelerate incident response, reduce manual effort, and improve overall security operations.
• Orchestration:
• Integrates various security tools (e.g., SIEM, firewalls, endpoint security, threat intelligence) into a
unified workflow.
• Coordinates actions across different systems to ensure a seamless response.
• Automation:
• Automates repetitive and manual tasks, such as triaging alerts, gathering threat intelligence, and
implementing remediation steps.
• Reduces reliance on human intervention for routine operations.
• Response:
• Provides predefined playbooks for consistent and efficient incident response.
• Facilitates real-time responses, such as isolating compromised systems or blocking malicious IPs.
• Case Management:
• Tracks, documents, and manages security incidents throughout their lifecycle.
• Improves collaboration among security teams by centralizing information.
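To make the four SOAR capabilities concrete, here is an added example (written for this page, not code from the original deck or any SOAR product) of a playbook run: the alert is enriched from a threat-intel feed and an asset inventory, scored into a severity, mapped to an ordered list of response actions, and everything is written to a case with a timeline. The integrations are stand-ins backed by constructed local data, and actions are recorded rather than executed, so the script runs offline; the rule names, hosts and IP addresses are assumptions.

```python
"""SOAR-style playbook: enrich an alert, score it, choose response actions
and keep a case record. Integrations are simulated with local data and the
actions are recorded rather than executed, so it runs offline."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-ins for the threat-intel feed and the asset inventory
# a SOAR would normally query through its integrations.
THREAT_INTEL = {"203.0.113.7": {"tags": ["bruteforce"], "confidence": 80}}
ASSETS = {"host1": {"owner": "it-ops", "criticality": "high"},
          "host2": {"owner": "dev-team", "criticality": "low"}}

# Constructed alerts, in the shape a SIEM might hand over.
ALERT = {"rule": "brute_force_then_success", "host": "host1", "user": "bob", "src_ip": "203.0.113.7"}
LOW_ALERT = {"rule": "port_scan", "host": "host2", "user": "-", "src_ip": "198.51.100.9"}

PLAYBOOK = {  # severity -> ordered response actions
    "critical": ["isolate_host", "block_ip", "disable_user", "page_oncall"],
    "high": ["block_ip", "disable_user", "notify_owner"],
    "medium": ["notify_owner"],
    "low": [],
}
DISRUPTIVE = {"isolate_host", "disable_user"}  # need analyst approval unless auto mode
TARGET_FIELD = {"isolate_host": "host", "notify_owner": "host", "block_ip": "src_ip", "disable_user": "user"}


@dataclass
class Case:
    """Case management record: severity, enrichment, actions and an audit timeline."""
    case_id: str
    severity: str = "low"
    enrichment: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    timeline: list = field(default_factory=list)

    def log(self, message):
        self.timeline.append((datetime.now(timezone.utc).isoformat(), message))


def enrich(alert):
    """Orchestration step: pull context from the (simulated) integrations."""
    return {"threat_intel": THREAT_INTEL.get(alert["src_ip"], {"tags": [], "confidence": 0}),
            "asset": ASSETS.get(alert["host"], {"owner": "unknown", "criticality": "unknown"})}


def score(alert, enrichment):
    """Severity from the rule's base points plus TI confidence and asset criticality."""
    points = {"brute_force_then_success": 50}.get(alert["rule"], 20)
    points += enrichment["threat_intel"]["confidence"] // 2
    points += {"high": 30, "medium": 15}.get(enrichment["asset"]["criticality"], 0)
    for level, floor in (("critical", 90), ("high", 60), ("medium", 30)):
        if points >= floor:
            return level
    return "low"


def run_playbook(alert, case_id, auto_approve=False):
    """Automation step: triage, then queue the playbook's actions for the severity."""
    case = Case(case_id)
    case.log(f"alert received: {alert['rule']} from {alert['src_ip']}")
    case.enrichment = enrich(alert)
    case.severity = score(alert, case.enrichment)
    case.log(f"severity {case.severity} after enrichment")
    for action in PLAYBOOK[case.severity]:
        field_name = TARGET_FIELD.get(action)
        target = alert[field_name] if field_name else "oncall"
        status = "needs_approval" if action in DISRUPTIVE and not auto_approve else "queued"
        case.actions.append({"action": action, "target": target, "status": status})
        case.log(f"{action} -> {target}: {status}")
    return case


if __name__ == "__main__":
    case = run_playbook(ALERT, "CASE-1")
    print(case.severity, case.actions)
```

The `DISRUPTIVE` set is the design choice worth copying: blocking an external IP is cheap to reverse, while isolating a production host or disabling an account can cause an outage, so those actions stay queued for a human unless the playbook was explicitly run in automatic mode.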
XDR (Extended Detection and Response)
XDR stands for Extended Detection and Response, a comprehensive security solution designed to detect, investigate, and respond to threats across multiple security layers, such as endpoints, networks, servers, email, cloud environments, and more. It provides a unified platform that consolidates data from various security tools and applies advanced analytics and automation to enhance threat detection, improve incident response, and simplify security operations.

• Cross-Layered Threat Detection: correlates data from multiple sources to identify sophisticated attack patterns and breaks down silos between endpoint, network, and cloud security.
• Unified Visibility: provides a single dashboard for monitoring and managing threats across all integrated systems.
• Threat Correlation: links security events across layers (e.g., an endpoint alert correlated with network activity) to detect complex threats.
• Automated Response: automates containment and remediation actions, such as isolating compromised endpoints or blocking malicious IPs.
• AI and Machine Learning: uses advanced analytics to detect threats with higher accuracy and reduce false positives.
Difference Between SIEM, SOAR and XDR

Aspect  | SIEM                                 | SOAR                                | XDR
Purpose | Aggregates and analyzes event data   | Automates and orchestrates response | Correlates and responds to threats
Focus   | Alert detection and event management | Response and workflow automation    | Threat detection across layers
Output  | Alerts and event insights            | Incident resolution                 | Cross-layer threat insights
User and Entity Behavior Analytics (UEBA)

UEBA stands for User and Entity Behavior Analytics, a cybersecurity technology that uses machine learning, statistical analysis, and behavior analytics to detect anomalous activities and potential threats by monitoring the behavior of users, devices, and entities within an organization.

Key Features of UEBA

• Behavior Baselines: Establishes normal behavior patterns for users and entities.
• Anomaly Detection: Identifies deviations from established baselines that may indicate malicious activity.
• Risk Scoring: Assigns risk scores to activities based on their level of anomaly and potential threat.
• Entity Focus: Goes beyond user activity to monitor systems, devices, applications, and other entities.
• Advanced Analytics: Utilizes machine learning and AI for deeper insights into behavioral patterns.
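The first three features above (baselines, anomaly detection, risk scoring) fit in a few dozen lines using plain statistics, which is the simplest form of the "statistical analysis" the definition mentions. The following is an added example for this page, not code from the original deck or from a UEBA product: it builds a per-user baseline of login hour and data volume from a constructed 14-day history, measures each new event as a z-score per feature, and folds the capped deviations into a 0-100 risk score. The users, history and weights are assumptions.

```python
"""UEBA basics: per-entity behaviour baselines, z-score anomaly detection
and a 0-100 risk score. All data below is constructed."""
import statistics
from collections import defaultdict

# Constructed 14-day history: (user, login_hour, megabytes_downloaded) per day.
# alice works office hours; bob is a night-shift operator with small transfers.
HISTORY = (
    [("alice", h, mb) for h, mb in [(8, 95), (9, 110), (9, 100), (8, 90), (10, 105), (9, 98), (8, 102),
                                     (9, 97), (9, 101), (8, 99), (10, 103), (9, 96), (9, 104), (8, 100)]]
    + [("bob", h, mb) for h, mb in [(22, 10), (23, 12), (22, 9), (23, 11), (22, 10), (23, 13), (22, 10),
                                    (23, 12), (22, 11), (23, 10), (22, 9), (23, 12), (22, 10), (23, 11)]]
)

# Feature weights (sum to 100) and a floor on the standard deviation so a
# perfectly regular user does not make every tiny change look extreme.
FEATURES = {"hour": {"weight": 40, "sd_floor": 0.5}, "mb": {"weight": 60, "sd_floor": 5.0}}
Z_CAP = 5.0  # |z| beyond this saturates the feature's contribution


def build_baselines(history):
    """Per user and feature: (mean, standard deviation) of the observed values."""
    samples = defaultdict(lambda: {"hour": [], "mb": []})
    for user, hour, mb in history:
        samples[user]["hour"].append(hour)
        samples[user]["mb"].append(mb)
    return {
        user: {name: (statistics.mean(vals), max(statistics.pstdev(vals), FEATURES[name]["sd_floor"]))
               for name, vals in feats.items()}
        for user, feats in samples.items()
    }


def zscore(value, mean, sd):
    """How many standard deviations `value` sits from the entity's own mean."""
    return (value - mean) / sd


def risk_score(user, event, baselines):
    """Score one event against the user's baseline.
    Returns {"score": 0-100 or None, "deviations": {feature: z}, "reason": ...};
    entities with no baseline are flagged rather than silently scored."""
    base = baselines.get(user)
    if base is None:
        return {"score": None, "deviations": {}, "reason": "no baseline for entity"}
    score = 0.0
    deviations = {}
    for name, cfg in FEATURES.items():
        z = zscore(event[name], *base[name])
        deviations[name] = round(z, 2)
        score += min(abs(z), Z_CAP) / Z_CAP * cfg["weight"]  # capped, weighted contribution
    return {"score": round(score, 1), "deviations": deviations, "reason": "scored against baseline"}


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    print(risk_score("alice", {"hour": 3, "mb": 5000}, baselines))
    print(risk_score("bob", {"hour": 22, "mb": 11}, baselines))
```

Note that the same event (a 22:00 login) scores high for alice and low for bob: the baseline belongs to the entity, not to the organization, which is what separates UEBA from a static "no logins after hours" rule.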
Vulnerability Management

Vulnerability management is a continuous, proactive, and often automated process that keeps your computer systems, networks, and enterprise applications safe from cyberattacks and data breaches.

Get a risk-based view of your IT, security and compliance posture so you can quickly identify, investigate and prioritize your most critical assets and vulnerabilities.
Patch Management

Patch management is the practice of deploying firmware, driver, operating system (OS), and application updates to your computing endpoints. Patch management is critical to keeping systems updated, reducing attack surfaces, and ensuring employee productivity.
- Patch management provides an automated, simplified patching process that is administered from a single console.
- This solution / software gives you unified, near real-time visibility and enforcement to deploy and manage patches to all distributed endpoints.
- This software can help you reduce business risk, control costs and enhance security.
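The "risk-based view" in the vulnerability management section and the patch deployment in this one meet in a prioritization step: which findings get patched first, and by when. The following is an added example for this page, not code from the original deck or any scanner: it scales CVSS by asset criticality, internet exposure and known exploitation, assigns a remediation tier with an SLA, and lists what is overdue. The assets, the VULN-* identifiers, the multipliers and the SLA days are all constructed placeholders.

```python
"""Risk-based vulnerability prioritization with patch SLAs. Assets,
findings, the VULN-* ids and the SLA values are constructed placeholders."""
from datetime import date, timedelta

ASSETS = {
    "web-01":   {"criticality": 3, "internet_facing": True},
    "db-01":    {"criticality": 3, "internet_facing": False},
    "kiosk-07": {"criticality": 1, "internet_facing": False},
}
FINDINGS = [
    {"id": "VULN-A", "asset": "web-01",   "cvss": 9.8, "exploited_in_wild": True,  "found": date(2024, 5, 1)},
    {"id": "VULN-B", "asset": "db-01",    "cvss": 7.5, "exploited_in_wild": False, "found": date(2024, 4, 1)},
    {"id": "VULN-C", "asset": "kiosk-07", "cvss": 9.1, "exploited_in_wild": False, "found": date(2024, 5, 10)},
]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # remediation deadline per tier
AS_OF = date(2024, 5, 15)  # constructed "today" for the overdue check


def risk(finding, assets):
    """CVSS scaled by asset criticality (1-3), internet exposure and known exploitation."""
    asset = assets[finding["asset"]]
    score = finding["cvss"] * asset["criticality"]
    if asset["internet_facing"]:
        score *= 1.5
    if finding["exploited_in_wild"]:
        score *= 2
    return round(score, 1)


def tier(score):
    """Map the risk score to a remediation tier."""
    if score >= 40:
        return "critical"
    if score >= 20:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(findings, assets):
    """Annotate each finding with risk, tier and due date; highest risk first."""
    ranked = []
    for f in findings:
        r = risk(f, assets)
        t = tier(r)
        ranked.append({**f, "risk": r, "tier": t, "due": f["found"] + timedelta(days=SLA_DAYS[t])})
    return sorted(ranked, key=lambda x: x["risk"], reverse=True)


def overdue(ranked, today):
    """Ids of findings whose SLA deadline has already passed."""
    return [f["id"] for f in ranked if f["due"] < today]


if __name__ == "__main__":
    ranked = prioritize(FINDINGS, ASSETS)
    for f in ranked:
        print(f["id"], f["tier"], f["risk"], "due", f["due"])
    print("overdue:", overdue(ranked, AS_OF))
```

Sorting by CVSS alone would put VULN-C (9.1) ahead of VULN-B (7.5); weighting by asset criticality reverses that, which is the difference between a scanner report and a risk-based view.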
Zero Trust Segmentation for Endpoint

Zero Trust Segmentation (ZTS) is a cybersecurity strategy designed to limit and control access to resources by creating micro-perimeters around endpoints, applications, users, and data. In the context of endpoints, ZTS enforces the principle of "never trust, always verify" by dynamically restricting access and reducing the attack surface, even if an attacker gains a foothold in the network.

Key Principles of Zero Trust Segmentation for Endpoints

Least Privilege Access:
• Only grant endpoints access to the resources they need to perform specific functions.
• Limit access based on roles, users, or device posture.

Micro-Segmentation:
• Divide the network into small, isolated zones and enforce strict access controls at the endpoint level.
• Prevent lateral movement by attackers within the network.

Continuous Verification:
• Continuously validate the trustworthiness of endpoints through factors like device health, user behavior, and location.

Dynamic Policies:
• Apply policies that adapt to changing conditions, such as endpoint vulnerabilities or suspicious activities.

Context-Aware Access:
• Incorporate context such as the endpoint's compliance state, geolocation, and time of access before granting permissions.
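The five principles above are what a per-resource policy decision looks like once written down. The following is an added example for this page, not code from the original deck or from a ZTS product: a default-deny policy engine that checks role entitlement (least privilege), a device-posture score derived from endpoint health facts, MFA, country and time of day (context-aware access), and a `reverify` step that re-runs the decision on a live session's latest facts (continuous verification). The resources, posture weights, policies and requests are constructed assumptions.

```python
"""Zero Trust Segmentation policy check for endpoints: default deny, least
privilege by role, device-posture scoring, context (country, time) and
continuous re-verification. Policies and requests are constructed."""
from datetime import time

# Constructed per-resource policies (the micro-perimeters).
POLICIES = {
    "hr-db": {"roles": {"hr"}, "min_posture": 80, "countries": {"DE"}, "hours": (time(7), time(19)), "mfa": True},
    "wiki":  {"roles": {"hr", "dev", "it"}, "min_posture": 50, "countries": None, "hours": None, "mfa": False},
}


def posture_score(device):
    """Device health 0-100 from posture facts reported by the endpoint agent."""
    score = 100
    if not device["disk_encrypted"]:
        score -= 40
    if not device["edr_running"]:
        score -= 40
    if device["patch_age_days"] > 30:
        score -= 20
    return max(score, 0)


def evaluate(request, policies=POLICIES):
    """Return ("allow"|"deny", reasons). Every check must pass; unknown resources are denied."""
    policy = policies.get(request["resource"])
    if policy is None:
        return "deny", ["no policy for resource (default deny)"]
    reasons = []
    if not set(request["user"]["roles"]) & policy["roles"]:
        reasons.append("role not entitled to resource")
    if policy["mfa"] and not request["user"]["mfa"]:
        reasons.append("mfa required")
    score = posture_score(request["device"])
    if score < policy["min_posture"]:
        reasons.append(f"device posture {score} below required {policy['min_posture']}")
    if policy["countries"] and request["context"]["country"] not in policy["countries"]:
        reasons.append("access from non-approved country")
    if policy["hours"]:
        start, end = policy["hours"]
        if not start <= request["context"]["time"] <= end:
            reasons.append("outside permitted access hours")
    return ("allow", []) if not reasons else ("deny", reasons)


def reverify(session, policies=POLICIES):
    """Continuous verification: re-run the decision on the session's latest
    facts; a session that was granted earlier is revoked if any check now fails."""
    decision, reasons = evaluate(session, policies)
    return ("keep", []) if decision == "allow" else ("revoke", reasons)


# Constructed requests used for the demonstration.
OK_DEVICE = {"disk_encrypted": True, "edr_running": True, "patch_age_days": 5}
REQUEST = {"resource": "hr-db", "user": {"name": "alice", "roles": ["hr"], "mfa": True},
           "device": dict(OK_DEVICE), "context": {"country": "DE", "time": time(10, 30)}}
WIKI_REQUEST = {"resource": "wiki", "user": {"name": "dan", "roles": ["dev"], "mfa": False},
                "device": {"disk_encrypted": True, "edr_running": False, "patch_age_days": 5},
                "context": {"country": "US", "time": time(23, 0)}}
DEGRADED_SESSION = {**REQUEST, "device": {"disk_encrypted": True, "edr_running": False, "patch_age_days": 5}}


if __name__ == "__main__":
    print("initial:", evaluate(REQUEST))
    print("after EDR stopped:", reverify(DEGRADED_SESSION))
```

`reverify` is the piece that distinguishes zero trust from a one-time login check: the same user on the same device is cut off from hr-db the moment the endpoint agent reports EDR stopped, while the lower-value wiki stays reachable under its looser policy.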
Active Directory Security

Effective Active Directory management helps protect your business's credentials, applications and confidential data from unauthorized access. It's important to have strong security to prevent malicious users from breaching your network and causing damage.

- Find and Fix Active Directory Weaknesses Before Attacks Happen.
- Detect and Respond to Active Directory Attacks in Real Time.
- Discover the underlying issues affecting your Active Directory.
- Identify dangerous trust relationships.
- Explore MITRE ATT&CK descriptions directly from incident details.
Identity and Access Management

Identity and Access Management (IAM) is a security and business discipline that includes multiple technologies and business processes to help the right people or machines to access the right assets at the right time for the right reasons, while keeping unauthorized access and fraud at bay.

IAM systems are designed to perform three key tasks:
- Identify
- Authenticate
- Authorize
Database Activity Monitoring

Database activity monitoring (DAM) refers to a suite of tools that can be used to support the ability to identify and report on fraudulent, illegal or other undesirable behavior, with minimal impact on user operations and productivity.

Activities covered: discover sensitive data, identify vulnerabilities, monitor database user and privileged account activity, protect against data breach, and gain a clear, actionable picture of compliance and security status.
Compromise Assessment Platform

A compromise assessment is just one of the many cybersecurity assessments that can be performed by IT/SOC teams. While traditionally reserved as one of the later assessments to be implemented, advances in machine learning and automation technology have made compromise assessments faster, more accurate, more thorough and more affordable.
Deception Technology

Deception technology is a category of cybersecurity solutions that detect threats early with low rates of false positives. The technology deploys realistic decoys (e.g., domains, databases, directories, servers, apps, files, credentials, breadcrumbs) in a network alongside real assets to act as lures.

The aim of deception technology is to prevent a cybercriminal that has managed to infiltrate a network from doing any significant damage. The technology works by generating traps or deception decoys that mimic legitimate technology assets throughout the infrastructure.
Malware Analysis

Malware Analysis is the practice of determining and analyzing suspicious files on endpoints and within networks using dynamic analysis, static analysis, or full reverse engineering.

Some of the techniques used in this type of malware analysis are virus scanning, packer detection, file fingerprinting, debugging, and memory dumping. Dynamic analysis involves a sandbox environment so that analyzing the behavior of malware while running the program won't affect other systems.
Network Detection & Response (NDR) / Network Security

Network detection and response (NDR) products detect abnormal system behaviors by applying behavioral analytics to network traffic data. They continuously analyze raw network packets or traffic metadata between internal networks (east-west) and public networks (north-south).
- Real-time detection of all suspicious network activity
- Comprehensive and real-time attack surface visibility
- Ability to track lateral movement of an attacker
- Complete retrospective analysis of incidents
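Working from traffic metadata rather than packets, the east-west/north-south distinction, lateral-movement tracking and retrospective analysis in the list above can all be shown on flow records. The following is an added example for this page, not code from the original deck or an NDR product: it classifies each flow by whether both endpoints are in private address space, flags an internal host that reaches many distinct internal peers on administrative ports within a short window (the fan-out pattern of lateral movement), and rebuilds a host's timeline for retrospective review. The flow records, address ranges in use and thresholds are constructed.

```python
"""NDR-style flow analysis: classify flows east-west vs north-south, detect
lateral-movement fan-out, and rebuild a host's timeline. Flows are constructed."""
import ipaddress
from collections import defaultdict

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985}  # SSH, SMB, RDP, WinRM: protocols commonly used host-to-host


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def direction(src, dst):
    """east-west = internal to internal; anything touching a public address is north-south."""
    return "east-west" if is_internal(src) and is_internal(dst) else "north-south"


# Constructed flow metadata: (epoch_seconds, src, dst, dst_port, bytes).
FLOWS = [
    (900, "10.0.1.20", "203.0.113.50", 443, 12000),   # ordinary web traffic
    (950, "10.0.1.21", "10.0.2.5", 445, 4000),        # a single file-share access
] + [(1000 + 10 * i, "10.0.1.20", f"10.0.2.{5 + i}", 445, 1500) for i in range(8)]  # fan-out burst


def detect_fanout(flows, ports=ADMIN_PORTS, min_peers=5, window=300):
    """One internal host reaching >= min_peers distinct internal hosts on admin
    ports within `window` seconds -> one lateral-movement finding per source."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _ in sorted(flows):
        if port in ports and direction(src, dst) == "east-west":
            by_src[src].append((ts, dst))
    findings = []
    for src, events in by_src.items():
        best = None
        for ts, _ in events:  # slide the window to its end at each event
            in_window = [(t, d) for t, d in events if ts - window <= t <= ts]
            peers = {d for _, d in in_window}
            if len(peers) >= min_peers and (best is None or len(peers) > len(best["peers"])):
                best = {"src": src, "peers": sorted(peers), "first_seen": in_window[0][0], "last_seen": ts}
        if best:
            findings.append(best)
    return findings


def host_timeline(flows, ip):
    """Every flow touching `ip`, time-ordered, for retrospective analysis."""
    return [{"ts": ts, "direction": direction(s, d), "peer": d if s == ip else s, "port": p, "bytes": b}
            for ts, s, d, p, b in sorted(flows) if ip in (s, d)]


if __name__ == "__main__":
    for f in detect_fanout(FLOWS):
        print("lateral movement candidate:", f)
    for row in host_timeline(FLOWS, "10.0.1.20"):
        print(row)
```

The single SMB flow from 10.0.1.21 is the reminder that one admin connection is normal; it is the breadth within a short window that marks lateral movement, which is why the detector counts distinct peers rather than connections.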
Continuous Security Validation

Continuous security/control validation is a method of repeatedly testing security controls within an organization to validate they work as intended, and then proactively address any vulnerabilities.

Continuous monitoring is an approach where an organization constantly monitors its IT systems and networks to detect security threats, performance issues, or non-compliance problems in an automated manner. The goal is to identify potential problems and threats in real time to address them quickly.
Attack Surface Management

Attack Surface Management (ASM) is the continuous monitoring, discovery, inventory, classification and prioritization of sensitive external assets within an IT organization's infrastructure.

An effective attack surface management approach requires information such as IP address, device type, whether it is in current use, its purpose, its owner, its connections to other assets, and possible vulnerabilities contained within it.
Digital Threat Monitoring

Digital Risk Monitoring (DRM) is the practice of monitoring digital channels to identify, understand, and remediate risks to enterprise brands, people, assets, and data across the public attack surface.

Digital Risk Monitoring has become increasingly challenging and time-consuming for enterprises with large digital footprints. To meet this challenge, organizations are turning to AI-driven DRM software solutions that leverage both automation and human expertise to comprehensively and persistently monitor the public attack surface at scale for digital risk indicators.
Governance, Risk, and Compliance (GRC)

Governance, Risk, and Compliance (GRC) is a structured way to align IT with business goals while managing risks and meeting all industry and government regulations.

Governance, Risk, and Compliance (GRC) is a risk management solution that provides solutions in sectors such as business resiliency, operational and enterprise risk management, audit management, public sector, security and IT risk management, third-party governance and regulatory compliance management.
IT Infrastructure Provisioning

• Servers: High-performance servers to support SOC operations.
• Storage: Scalable storage solutions for retaining log data and backups.
• Network Devices: Firewalls, routers, switches, and other networking equipment.
• Security Appliances: Hardware for SIEM, SOAR, and other security functions.
• Power and Cooling: Uninterruptible power supplies (UPS) and cooling systems to ensure continuous operation.
Reliable IT infrastructure is critical to the success of your SOC, providing the foundation for all security activities.
Implementation Plan

Project Phases
• Phase 1: Planning – xx weeks
• Phase 2: SOC Room Design and Construction – xx weeks
• Phase 3: SOC Components Implementation – xx weeks
• Phase 4: Testing and Optimization – xx weeks
• Phase 5: Go-Live and Handover – xx weeks

Resources
• Personnel: Project Manager, Security Engineers, System Integrators, Construction Team.
• Tools & Technologies: SIEM, SOAR, Monitoring Tools, Security Appliances, Construction Materials.
• Support: Ongoing support from Veridos’s dedicated team.

Milestones
• Completion of SOC Room Construction: End of Week xx
• SOC Components Setup: End of Week xx
• Testing and Optimization: End of Week xx
• Final Deployment and Handover: End of Week xx
Training and Support
Training
We will provide comprehensive training sessions for your security team to ensure they are
proficient in using and managing the SOC. Training will cover all key components and
include hands-on exercises. Additionally, we will offer training on maintaining the SOC
room and IT infrastructure.
Ongoing Support
Our support services include 24/7 monitoring, regular updates, and incident response
assistance. We will ensure that your SOC remains effective and up-to-date with the latest
security technologies. Additionally, we offer maintenance support for the SOC room and IT
infrastructure.
Cost Estimate

Detailed Cost Breakdown
• SIEM Implementation: $[Cost]
• SOAR Integration: $[Cost]
• Network Monitoring: $[Cost]
• SOC Room Construction: $[Cost]
• IT Infrastructure Provisioning: $[Cost]
• SOC Room Layout: $[Cost]
• Training and Support: $[Cost]

Total Investment: $[Total Cost]

Payment Terms
