Security Operations
https://www.wallarm.com/what/security-operations-center-soc
SOC stands for Security Operations Center. It is a centralized unit that continuously
monitors, detects, analyzes, and responds to cybersecurity threats in an organization. SOC
teams use various security tools, processes, and technologies to protect an organization's IT
infrastructure, data, and users from cyberattacks.
FRAMEWORKS OF SOC:
Here’s how a Security Operations Center (SOC) works based on the key framework
components:
1. Availability
SOC ensures that critical systems, applications, and networks remain operational and
always accessible. To prevent disruptions, it implements measures such as
redundancy, failover mechanisms, and DDoS protection.
2. Security
The SOC safeguards an organization's IT infrastructure against cyber threats by
implementing firewalls, intrusion detection systems (IDS), encryption, and real-time
monitoring. It also responds to security incidents to minimize damage.
3. Confidentiality
Protecting sensitive data is a key responsibility of a SOC. It enforces access controls,
identity management, and encryption techniques to ensure that only authorized
personnel can access confidential information.
4. Processing
SOC oversees the secure processing of data, ensuring that integrity is maintained
throughout data transmission and storage. It implements security policies to prevent
unauthorized alterations or data corruption.
5. Privacy
Ensuring data privacy involves compliance with regulations like GDPR and HIPAA.
SOC teams monitor and control data access, ensuring that personal and sensitive
information is handled securely without unauthorized exposure.
FUNCTIONS OF SOC:
1. Monitoring
o SOC continuously monitors network traffic, system logs, and security events
using SIEM (Security Information and Event Management) tools.
o This helps detect unusual activities and potential security threats in real-time.
2. Detection
o By analyzing behavior patterns and comparing them with known threat
intelligence, SOC identifies anomalies and signs of malicious activity such
as phishing, malware, and unauthorized access.
3. Response
o Once a threat is detected, SOC teams take immediate action to mitigate risks
by isolating affected systems, blocking malicious IPs, and applying security
patches.
4. Analysis
o A thorough post-incident analysis is conducted to determine the root cause of
a security breach.
o SOC evaluates the impact of the attack and develops strategies to prevent
similar incidents in the future.
5. Reporting
o SOC maintains detailed security logs and reports for compliance with
standards such as ISO 27001, GDPR, and HIPAA.
o These reports help improve security measures, support forensic investigations,
and assist in regulatory audits.
SOC models are structured based on the size, security needs, and operational capabilities
of an organization. Below are the key SOC models used across industries:
1. SOC-as-a-Service (SOCaaS)
🔹 Description: A fully outsourced SOC where a third-party provider handles threat
detection, response, and monitoring on behalf of an organization.
🔹 Best For: Small to mid-sized businesses that need cybersecurity without investing in
infrastructure.
🔹 Advantages:
✔️Cost-effective compared to a dedicated SOC
✔️24/7 monitoring and expert security support
✔️Quick deployment without requiring in-house staff
🔹 Challenges:
❌ Limited control over security operations
❌ Dependency on third-party expertise and response times
4. Dedicated SOC
🔹 Description: A fully in-house SOC, built and operated by the organization with its own
cybersecurity team, tools, and infrastructure.
🔹 Best For: Large enterprises and government organizations that require complete
security control.
🔹 Advantages:
✔️Full control over security policies and response plans
✔️Faster incident detection and mitigation
✔️Can be customized to meet organizational needs
🔹 Challenges:
❌ High cost of setup and maintenance
❌ Requires highly skilled security professionals
🔹 Description: A centralized SOC that oversees multiple regional or local SOCs, ensuring
standardized security policies and incident response coordination across an enterprise.
🔹 Best For: Multinational corporations and large enterprises with global security
operations.
🔹 Advantages:
✔️Ensures consistent security across all locations
✔️Facilitates intelligence sharing between regional SOCs
✔️Better coordination during global security incidents
🔹 Challenges:
❌ High cost and complexity in managing multiple locations
❌ Requires advanced security automation and expertise
NOC:
Here’s how a Security Operations Center (SOC) functions based on these key areas:
SOC teams continuously monitor systems, networks, and applications using SIEM
(Security Information and Event Management) and other security tools.
They analyze logs, detect anomalies, and identify potential cyber threats such as
malware infections, unauthorized access, or unusual behavior.
SOC teams isolate affected systems, block malicious IPs, and remove infected files to
prevent further spread. They also patch the affected software, follow the appropriate
response process, and make sure systems are updated and malicious artifacts are removed.
Advanced tools like EDR (Endpoint Detection and Response) help eliminate persistent
threats and restore system integrity.
After containing an attack, forensic experts analyze logs, network traffic, and digital
evidence to determine the origin of the breach and how it occurred.
They use threat intelligence to understand attacker tactics, techniques, and
procedures (TTPs).
https://www.infosectrain.com/blog/role-and-responsibilities-of-a-soc-analyst/
🔹 Primary Focus: Monitor network and system activity for potential security threats using
SIEM (Security Information and Event Management) tools.
🔹 Key Responsibilities:
✔️Alert Handling:
✔️Continuous Monitoring:
https://www.valimail.com/resources/guides/guide-to-phishing/phishing-vs-pharming/
Pharming (a play on the words “phishing” and “farming”) occurs when an attacker alters your
computer or router’s settings to redirect legitimate users to malicious sites. In a pharming
attack, the attacker changes how your computer resolves domain names to IP addresses. To
do so, they must infect your computer or router with malware that modifies the DNS
settings.
Because it doesn’t require the attacker to interact directly with the victim, pharming can be
even more dangerous than conventional phishing. A key difference between pharming vs.
phishing is that pharming requires an attacker to gain unauthorized access to a system, while
phishing only requires successful social engineering.
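Because pharming works by changing how a host resolves names, the defender's check is to compare the resolver configuration and the hosts file against known-good values. The following script is an added example written for these notes (it is not from the Valimail article); the approved resolver list, the pinned domain and all sample file contents are constructed placeholders, and the resolv.conf / hosts formats are parsed in the simplified form shown.

```python
import ipaddress

# Assumption (placeholder values): resolvers the organisation operates or trusts.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Assumption (placeholder values): domains whose addresses the defender pins.
EXPECTED_HOSTS = {"bank.example.com": {"203.0.113.10"}}


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_hosts(text: str) -> dict:
    """Map each hostname in hosts-file-style text to the set of IPs it is pinned to."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)  # skip malformed lines instead of crashing
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), set()).add(ip)
    return mapping


def check_resolvers(resolv_text: str) -> list:
    """Flag any configured resolver that is not on the approved list."""
    return [f"unapproved resolver {s}" for s in parse_resolv_conf(resolv_text)
            if s not in APPROVED_RESOLVERS]


def check_hosts_file(hosts_text: str) -> list:
    """Flag hosts-file overrides that send a pinned domain somewhere unexpected."""
    findings = []
    for name, ips in parse_hosts(hosts_text).items():
        expected = EXPECTED_HOSTS.get(name)
        if expected is None:
            continue  # only pinned domains are checked here
        for ip in sorted(ips - expected):
            findings.append(f"{name} overridden to {ip}, expected {sorted(expected)}")
    return findings


def run_checks(resolv_text: str, hosts_text: str) -> list:
    """Combine both checks; an empty list means nothing suspicious was found."""
    return check_resolvers(resolv_text) + check_hosts_file(hosts_text)


# Constructed sample inputs for a tampered host: a foreign resolver was added and a
# pinned banking domain was redirected in the hosts file.
SAMPLE_RESOLV = """# constructed sample
nameserver 10.0.0.53
nameserver 198.51.100.7
"""
SAMPLE_HOSTS = """127.0.0.1 localhost
198.51.100.7 bank.example.com www.bank.example.com
"""

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_RESOLV, SAMPLE_HOSTS):
        print("ALERT:", finding)
```

On a real endpoint the two strings would be read from the actual resolver and hosts files, and the same comparison could be fed from an EDR agent to the SIEM as a periodic integrity check.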
As a SOC analyst, you have just received a security alert about a phishing attack. The
victim clicked the link in the phishing message, visited the site it led to, and entered
their credentials there. You have to perform the investigation and establish what
happened.
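One concrete way to start that investigation is to pull the web proxy logs for the phishing host and work out who visited it and who actually submitted a form. The script below is an added example for these notes, not part of the original material or any product: the proxy log format (a timestamp followed by key=value fields) and all log lines are constructed, and the phishing hostname is a placeholder.

```python
from urllib.parse import urlsplit


def parse_proxy_line(line: str):
    """Parse one constructed proxy log line: '<timestamp> key=value key=value ...'."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"time": parts[0]}
    for tok in parts[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    if not all(k in rec for k in ("user", "src", "method", "url")):
        return None  # incomplete record, skip it
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def find_victims(lines, phishing_host: str) -> dict:
    """Users who reached the phishing host, and whether they posted a form to it."""
    victims = {}
    for line in lines:
        rec = parse_proxy_line(line)
        if not rec or rec["host"] != phishing_host.lower():
            continue
        entry = victims.setdefault(rec["user"], {
            "src": rec["src"], "first_seen": rec["time"], "submitted": False})
        if rec["method"] == "POST":
            entry["submitted"] = True  # a POST to the phishing page = credentials likely sent
    return victims


def triage(victims: dict) -> list:
    """Order follow-up: users who submitted credentials first (reset + revoke sessions),
    then users who only clicked (awareness follow-up)."""
    ordered = sorted(victims.items(), key=lambda kv: (not kv[1]["submitted"], kv[0]))
    return [(user, "credentials_submitted" if v["submitted"] else "clicked_only")
            for user, v in ordered]


# Constructed sample proxy lines; phish.example.net is a placeholder hostname.
SAMPLE_PROXY = [
    "2025-04-02T14:23:10Z user=jsmith src=10.0.0.15 method=GET url=https://phish.example.net/login status=200",
    "2025-04-02T14:23:40Z user=jsmith src=10.0.0.15 method=POST url=https://phish.example.net/login status=302",
    "2025-04-02T14:25:02Z user=akhan src=10.0.0.22 method=GET url=https://phish.example.net/login status=200",
    "2025-04-02T14:26:00Z user=bli src=10.0.0.30 method=GET url=https://intranet.example.com/home status=200",
]

if __name__ == "__main__":
    for user, verdict in triage(find_victims(SAMPLE_PROXY, "phish.example.net")):
        print(f"{user}: {verdict}")
```

The next investigative step, checking the identity provider's sign-in logs for the affected accounts after the submission time, follows the same pattern of filtering by user and time window.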
SIEM Tools
Security Information and Event Management (SIEM) tools are crucial for monitoring,
detecting, and responding to security incidents in real-time. Below are some of the leading
SIEM tools used in cybersecurity:
1. SPLUNK
Overview:
Splunk is one of the most widely used SIEM tools for data analysis, log management,
and security monitoring.
It allows organizations to collect, index, and analyze machine-generated data from
various sources, including logs, applications, servers, and network devices.
Key Features:
Use Case:
Suitable for organizations that need to collect massive volumes of data and require
advanced log analysis and reporting.
2. IBM QRADAR
Overview:
Key Features:
Use Case:
Overview:
Azure Sentinel is a cloud-native SIEM tool from Microsoft designed to provide
real-time security analytics and monitoring using AI and machine learning.
It integrates seamlessly with Microsoft products and other third-party security
solutions.
Key Features:
Use Case:
Perfect for organizations already using Microsoft services or those with a
cloud-first strategy, especially those operating in multi-cloud environments.
4. Google Chronicle
Overview:
Key Features:
Use Case:
Suitable for large enterprises that need to process massive amounts of security data
with a focus on cloud-based infrastructure and threat intelligence.
Overview:
Key Features:
Use Case:
Overview:
Feature                           SPLUNK   QRADAR   Microsoft Sentinel   Google Chronicle   ArcSight
Real-time monitoring              Yes      Yes      Yes                  Yes                Yes
Cloud-native                      No       No       Yes                  Yes                No
Machine learning                  Yes      Yes      Yes                  Yes                Yes
Integration with 3rd party tools  High     High     High                 High               High
Scalability                       High     High     High                 Very High          High
Automation & SOAR                 Limited  Yes      Yes                  Limited            Yes
Compliance Reporting              Yes      Yes      Yes                  Yes                Yes
Advanced Threat Intelligence      Yes      Yes      Yes                  Yes                Yes
SPLUNK: Ideal for data-heavy organizations needing a powerful search engine and
flexibility in data analysis.
QRADAR: Best for large enterprises that require a comprehensive and automated
incident response.
Microsoft Sentinel: Perfect for cloud-native environments or organizations heavily
invested in Microsoft services.
Google Chronicle: Excellent for organizations processing large amounts of
security data that need advanced analytics in a cloud-first environment.
ArcSight: Great for mature enterprises needing a robust, traditional SIEM
solution with advanced security analytics and compliance reporting.
Threat intelligence (TI) tools provide essential information about potential cyber threats,
helping organizations detect, analyze, and mitigate attacks more effectively. These tools
use data about past attacks, vulnerabilities, and threats to provide actionable intelligence.
Below are some of the popular threat intelligence platforms:
1. VirusTotal
Overview:
VirusTotal is a free online service that scans files, URLs, and IP addresses using a
large number of antivirus engines and tools.
It is widely used to check whether files or URLs are flagged as malicious.
Key Features:
File scanning: Upload and scan files for malicious content (viruses, trojans, etc.).
URL scanning: Check if URLs are associated with phishing or malware.
Malware reports: Provides detailed analysis on files and URLs, including which
antivirus engines flagged them.
Community feedback: VirusTotal’s public report system allows users to see and
contribute to analysis of suspicious files/URLs.
Use Case:
Ideal for analyzing files, URLs, and IP addresses to check if they are part of known
malware or phishing campaigns.
Overview:
Key Features:
IOC sharing: Allows users to share and access IOCs such as IPs, domains, file
hashes, and URLs.
Real-time threat intelligence: The platform gathers real-time threat data from
multiple sources.
API integration: Easily integrates with SIEM tools for automated threat detection.
Threat analysis: Provides insights on malware campaigns, phishing, and other threat
activities.
Use Case:
Excellent for organizations looking for collaborative threat intelligence and to stay
updated on global threat trends.
3. MITRE ATT&CK
Overview:
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a
knowledge base that documents adversary tactics, techniques, and procedures (TTPs)
based on real-world observations.
It’s a framework that helps organizations understand how attackers operate and
map threats to specific techniques.
Key Features:
Use Case:
Overview:
Key Features:
Structured threat data: Supports the sharing of data in formats such as OpenDXL,
STIX, and CybOX.
Collaboration: Enables collaboration between organizations to share and enrich
threat intelligence.
Threat data correlation: Correlates different threat intelligence sources to identify
patterns and relationships.
API and integrations: Integrates with other security tools like SIEMs, firewalls, and
endpoint protection.
Use Case:
Overview:
IBM X-Force Exchange is a cloud-based threat intelligence platform offering access
to a vast database of security incidents, vulnerabilities, and threat data collected by
IBM’s X-Force team.
Key Features:
Use Case:
Ideal for enterprises looking for high-quality threat intelligence to help with
proactive defense and incident response.
Overview:
Key Features:
Use Case:
7. Mandiant (FireEye)
Overview:
Mandiant (acquired by FireEye) is a leading cybersecurity firm providing
advanced threat intelligence services to help organizations detect and respond to
sophisticated attacks such as APTs, ransomware, and nation-state cyber activities.
Key Features:
Use Case:
Best for organizations needing advanced threat intelligence for high-value targets
or those at risk of sophisticated, targeted attacks (e.g., nation-state threats, APT
actors).
1. Carbon Black
Overview:
Carbon Black is an endpoint security solution that uses cloud-native technology to
provide continuous monitoring and incident response capabilities. It focuses on
behavioral analysis to detect and prevent cyber threats in real-time.
Key Features:
Use Case:
2. Windows Defender
Overview:
Key Features:
Real-Time Protection: Actively monitors your system for potential threats and
malware.
Automatic Updates: Receives continuous updates from Microsoft to stay current
with new threats.
Firewall and Network Protection: Provides network-level security and monitors
incoming/outgoing traffic.
Cloud Protection: Uses cloud-powered analysis for faster identification of threats.
Exploit Protection: Protects against common attack techniques like buffer overflow.
Use Case:
Best for individuals or small organizations looking for built-in, free, and basic
endpoint protection in Windows environments.
3. CrowdStrike
Overview:
CrowdStrike is a leading endpoint security solution that offers cloud-delivered
protection for endpoints. It uses AI-driven analysis to provide advanced threat
detection, prevention, and response capabilities.
Key Features:
Use Case:
1. Snort
Overview:
Key Features:
Packet Inspection: Snort analyzes network packets for anomalies and signs of
malicious behavior.
Real-Time Traffic Analysis: It detects and alerts on malicious traffic and attacks in
real-time.
Rule-Based Detection: Snort uses a signature-based rule system to identify threats.
Extensibility: Users can write custom detection rules based on specific network
traffic patterns.
Scalability: Can scale from small environments to large enterprise networks.
Use Case:
Key Features:
Use Case:
Best for large enterprises or organizations that need in-depth network traffic
analysis and network security monitoring.
3. Suricata
Overview:
Key Features:
Use Case:
4. Wazuh
Overview:
Wazuh is an open-source security monitoring platform that provides log analysis, file
integrity monitoring, intrusion detection, and real-time alerting.
Key Features:
Log Data Collection & Analysis: Wazuh collects logs from servers, endpoints, and
network devices and analyzes them for security events.
File Integrity Monitoring: Monitors critical files for changes to detect unauthorized
access.
Intrusion Detection: Offers real-time IDS/IPS capabilities.
Security Monitoring and Incident Response: Supports incident response processes
with automated alerts and detailed logs.
Integration with SIEMs: Easily integrates with SIEM platforms like Elastic Stack
for enhanced data analysis.
Use Case:
1. TheHive
Overview:
Key Features:
Use Case:
Best for teams managing and responding to security incidents with collaborative
and automated workflows.
2. ServiceNow
Overview:
Key Features:
ITIL Framework: Implements the ITIL (Information Technology Infrastructure
Library) framework for managing incidents, problems, and changes.
Security Incident Management: Provides a set of tools for tracking, managing,
and responding to security incidents.
Automation: Integrates automation into workflows for faster incident resolution.
Collaboration: Facilitates collaboration across IT and security teams for incident
response.
Integration with Other Tools: Works with SIEMs, firewalls, and other security
solutions for streamlined management.
Use Case:
Ideal for enterprises that already use ServiceNow for IT service management and
want to integrate security incident management into the same platform.
3. Jira
Overview:
Jira is a popular project management tool used by many teams, including security
teams, for incident tracking and task management.
Key Features:
Incident and Task Tracking: Helps teams track and manage security incidents and
remediation efforts.
Agile Workflows: Supports Agile project management methodologies, which can
be beneficial for security teams managing incidents.
Custom Workflows: Teams can create custom workflows tailored to their specific
incident response process.
Integration with Other Tools: Jira integrates with other incident management
tools, including TheHive and ServiceNow.
Use Case:
Best for organizations already using Jira for project management who want to use
the same platform for security incident tracking.
Summary Comparison:
SOC Analyst Level 2 (L2) plays a critical role in the security operations center (SOC) by
handling more complex incidents that require in-depth analysis, investigation, and response.
Below are the detailed roles and responsibilities for L2 analysts:
1. In-Depth Analysis
Purpose: L2 analysts are responsible for analyzing security incidents that have been
escalated from L1 analysts. They perform a deeper dive into incidents to determine
the scope, severity, and impact of the threat.
Tasks:
o Conduct detailed analysis of potential threats and anomalies.
o Use various security tools, logs, and threat intelligence to evaluate the
incident further.
o Determine whether the threat is genuine or a false alarm.
2. Incident Validation
Purpose: Validate and prioritize incidents to ensure that the most critical threats are
addressed immediately.
Tasks:
o Validate if the incident is legitimate, confirming whether it is a true security
event or a false positive.
o Prioritize incidents based on the threat level (severity and impact).
o Apply risk assessments to decide whether an incident requires immediate
action or can be handled later.
3. Incident Handling
4. Communication
Purpose: L2 analysts coordinate with other internal teams to ensure a rapid and
efficient response to security incidents.
Tasks:
o Coordinate with cross-functional teams, such as network engineers, IT
support, and incident response teams, to ensure the containment and
resolution of the incident.
o Keep stakeholders updated on the status of the incident and any actions taken.
o Document the incident response process and communicate findings to senior
management or clients, as required.
Purpose: L2 analysts often provide guidance and support to lower-level analysts (L1)
to improve team skills and effectiveness.
Tasks:
o Mentor L1 analysts, helping them improve their analysis skills and
incident-handling procedures.
o Provide feedback to junior analysts to enhance their understanding of different
security threats and best practices.
o Conduct knowledge-sharing sessions to help the team stay updated on
emerging threats and security tools.
Purpose: L2 analysts integrate threat intelligence feeds into their analysis to identify
known patterns of attack or indicators of compromise (IOCs).
Tasks:
o Use tools like MISP, Threat Intelligence platforms, or external sources to
enrich incident data with context.
o Correlate current incidents with known attack techniques, tactics, and
procedures (TTPs) using frameworks like MITRE ATT&CK.
o Enhance detection capabilities by sharing internal findings and collaborating
with threat intelligence providers.
SOC Level 3 (L3) analysts are the senior security experts within a Security Operations
Center (SOC). They handle the most complex cybersecurity threats and work on advanced
threat detection, response, and strategic improvements in security posture.
✔️Lead investigations into high-priority security incidents (e.g., APTs, Zero-Day Attacks,
Data Breaches).
✔️Work with forensics teams to identify attack vectors.
✔️Recommend and implement containment strategies to mitigate threats.
✅ Tools Used:
✔️Proactively search for hidden threats that evade traditional security tools.
✔️Conduct behavioral analysis to detect anomalies in network traffic, logs, and endpoint
activity.
✔️Utilize machine learning models and security analytics to identify advanced threats.
✅ Tools Used:
✔️Improve the SOC playbook and define response strategies for emerging threats.
✔️Work with red teams and penetration testers to strengthen defenses.
✔️Analyze past incidents to refine security policies and enhance compliance (ISO 27001,
NIST, GDPR).
✅ Tools Used:
✅ Tools Used:
✅ Tools Used:
2-4-25
Importance of Logging
Types of Logs
Network (logs are generated) -> they are forwarded using the syslog calls
https://rafeeqrehman.com/2018/12/15/scalable-log-collection-as-foundation-of-soc/
Local Logging:
1. Storage: Logs are stored locally on individual devices or systems where events occur.
2. Management: Each system collects and manages its own logs separately.
3. Access: Logs can only be accessed from the specific device they are stored on.
4. Scalability: Not suitable for large-scale deployments, as managing multiple local logs
becomes difficult.
5. Security Risks: Logs may be lost or tampered with if a system is compromised.
6. Use Case: Common in small applications, debugging during development, and
non-distributed environments.
Centralized Logging:
1. Storage: Logs are aggregated and stored in a central repository, such as a log server
or cloud-based system.
2. Management: Data from multiple sources is collected, analyzed, and managed in
one place.
3. Access: Logs can be accessed remotely by administrators, security teams, and
monitoring tools.
4. Scalability: Supports large-scale systems and distributed environments by handling
logs from multiple devices.
5. Security & Reliability: Logs are secured, backed up, and protected from local
system failures.
6. Use Case: Essential for enterprise systems, cloud infrastructure, security
monitoring, and compliance tracking.
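The forwarding step mentioned above (network devices emit logs, syslog carries them to a central collector) hinges on the syslog priority field: PRI = facility * 8 + severity, so a collector can route and alert on severity without understanding every device's message body. The script below is an added example for these notes, not from the linked article; it handles the traditional RFC 3164 message shape, the first sample message is the one the RFC uses, the others are constructed, and the "alert at warning or worse" policy is an assumption.

```python
import re
from typing import Optional

# RFC 3164 facility and severity codes (index = numeric code).
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$")


def encode_pri(facility: int, severity: int) -> int:
    """Priority value as the sender computes it."""
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Split a priority value back into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITY_NAMES):
        raise ValueError(f"invalid PRI {pri}")
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity]


def build_message(facility: int, severity: int, timestamp: str, host: str,
                  tag: str, content: str) -> str:
    """What a device would put on the wire (the sending side of the forwarding step)."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {content}"


def parse_message(raw: str) -> Optional[dict]:
    """What the central collector does on receipt; None for malformed input."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    return {"facility": facility, "severity": severity, "severity_num": pri % 8,
            "timestamp": m["ts"], "host": m["host"], "tag": m["tag"],
            "pid": m["pid"], "message": m["msg"]}


def collect(raw_messages, alert_at: str = "warning") -> dict:
    """Central collection: parse everything, count per host, surface alerts."""
    level = SEVERITY_NAMES.index(alert_at)
    parsed = [p for p in (parse_message(r) for r in raw_messages) if p]
    per_host = {}
    for p in parsed:
        per_host[p["host"]] = per_host.get(p["host"], 0) + 1
    alerts = [p for p in parsed if p["severity_num"] <= level]  # lower number = worse
    return {"total": len(parsed), "malformed": len(raw_messages) - len(parsed),
            "per_host": per_host, "alerts": alerts}


# Constructed feed: the RFC 3164 example message, two built locally, one broken line.
SAMPLE = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    build_message(4, 6, "Oct 11 22:14:20", "mymachine", "sshd[2001]",
                  "Accepted publickey for alice from 10.0.0.5 port 50022 ssh2"),
    build_message(16, 3, "Oct 11 22:15:01", "fw01", "firewall", "link down on eth1"),
    "this line is not syslog at all",
]

if __name__ == "__main__":
    report = collect(SAMPLE)
    print(report["total"], "messages,", report["malformed"], "malformed")
    for a in report["alerts"]:
        print(f"ALERT {a['severity']} {a['host']} {a['tag']}: {a['message']}")
```

Note the malformed counter: on a real collector a rising count of unparseable lines is itself a signal worth watching, since it can mean a device changed format or a log source is being tampered with.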
http://manageengine.com/academy/what-is-log-management.html
Log Management & Log Analysis
Log management is the continuous process of collecting, storing, and analyzing log data
from various sources to a centralized location. It helps organizations improve performance,
security, and compliance while identifying technical issues.
1. Data Collection
o Logs are gathered from multiple sources such as servers, applications,
network devices, security tools, and databases.
o Helps in tracking user activities, system behavior, and error occurrences.
2. Centralized Storage
o Logs are stored in a centralized system to prevent data loss and allow easy
access.
o Supports structured formats like JSON or unstructured formats like raw text.
3. Real-time Monitoring & Alerts
o Enables real-time tracking of security threats, system failures, and
anomalies.
o Alerts can be triggered for unauthorized access, application crashes, or
suspicious activities.
4. Log Analysis & Troubleshooting
o Helps developers and IT teams quickly identify issues, debug errors, and
analyze performance.
o Speeds up incident response and reduces downtime.
5. Compliance & Auditing
o Ensures compliance with regulations like GDPR, HIPAA, SOC 2, and PCI
DSS.
o Maintains logs for audits and forensic investigations.
6. Security & Threat Detection
o Helps in intrusion detection, anomaly detection, and cyber threat
monitoring.
o Protects sensitive data by detecting unauthorized access attempts.
7. Performance Optimization
o Identifies slow queries, server overloads, and system inefficiencies.
o Helps in capacity planning and resource optimization.
https://www.linkedin.com/pulse/importance-log-management-security-aby-s/
Log Analysis
https://spectralops.io/blog/top-9-log-analysis-tools/
Web Server Logs – Categories & Importance
Web server logs record events related to the server’s operations, helping administrators
monitor, troubleshoot, and secure the system. They are broadly categorized into:
1. Access Logs
📌 Breakdown:
192.168.1.1 → Client IP
02/Apr/2025:14:23:10 +0000 → Timestamp
GET /index.html → Request method & resource
200 → HTTP status code (Success)
5123 → Response size (bytes)
2. Error Logs ⚠️
[Wed Apr 02 14:23:10 2025] [error] [client 192.168.1.1] File does not exist: /var/www/html/missing-page.html
📌 Breakdown:
3. Security Logs 🔒
✅ Tracks suspicious activities like failed login attempts, brute-force attacks, and access
violations.
✅ Helps in intrusion detection and forensic analysis.
✅ Logs include unauthorized access attempts, firewall rejections, and security policy
violations.
📌 Breakdown:
HTTP status codes are categorized into different series based on their purpose. Let’s break
them down:
2xx (Success)
Indicates that the request was received, understood, and processed successfully.
200 OK: Request succeeded, and the response contains the requested data.
Example:
HTTP/1.1 200 OK
Content-Type: text/html
3xx (Redirection)
Indicates that further action is needed to complete the request (redirects, multiple choices,
etc.).
300 Multiple Choices: Multiple options for the resource; the client must choose one.
301 Moved Permanently: The resource has been moved permanently to a new URL.
304 Not Modified: The resource hasn't changed; the client should use a cached version.
4xx (Client Error)
Indicates that the request contains bad syntax or cannot be fulfilled by the server.
400 Bad Request: The server cannot process the request due to client error.
403 Forbidden: The request is valid, but the server refuses to fulfill it.
404 Not Found: The requested resource does not exist on the server.
405 Method Not Allowed: The request method (e.g., POST, GET) is not allowed for this resource.
5xx (Server Error)
Indicates that the server encountered an issue while processing the request.
500 Internal Server Error: A generic error indicating something went wrong on the server.
502 Bad Gateway: The server received an invalid response from an upstream server.
504 Gateway Timeout: The server did not receive a response from an upstream server in time.
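Putting the web server log categories and the status code series together: the parser below splits an access log line into the fields listed in the access log breakdown above, parses the error log line in the error log section, buckets status codes into their series, and flags clients that keep receiving 4xx responses (the access-violation pattern the security log category describes). This is an added example for these notes, not from the original material; the access log lines are constructed in Apache common log format, the 4xx threshold is an assumption, and the port-stripping on the error log client field assumes IPv4 addresses.

```python
import re
from collections import Counter, defaultdict
from typing import Optional

# Apache common log format: ip ident user [time] "method path proto" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Apache error log: [time] [level] [client ip] message
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$')


def parse_access_line(line: str) -> Optional[dict]:
    """Fields of one access log line (the breakdown in the notes), or None if unparseable."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    size = 0 if m["size"] == "-" else int(m["size"])  # '-' means no body was sent
    return {"ip": m["ip"], "time": m["time"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]), "size": size}


def parse_error_line(line: str) -> Optional[dict]:
    """Fields of one error log line; newer Apache versions append ':port' to the client."""
    m = ERROR_RE.match(line)
    if not m:
        return None
    return {"time": m["time"], "level": m["level"],
            "ip": m["client"].split(":")[0],  # assumption: IPv4 client address
            "message": m["msg"]}


def status_series(code: int) -> str:
    """Map a status code to its series label: 2xx, 3xx, 4xx or 5xx."""
    return f"{code // 100}xx"


def summarize_status(lines) -> dict:
    """Count responses per status series; a jump in 4xx or 5xx is an early warning sign."""
    counts = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec:
            counts[status_series(rec["status"])] += 1
    return dict(counts)


def flag_clients(lines, threshold: int = 3) -> list:
    """Client IPs with at least `threshold` 4xx responses (forbidden or missing resources)."""
    errors = defaultdict(int)
    for line in lines:
        rec = parse_access_line(line)
        if rec and 400 <= rec["status"] < 500:
            errors[rec["ip"]] += 1
    return sorted(ip for ip, n in errors.items() if n >= threshold)


# Constructed sample access log; the first line matches the breakdown in the notes.
SAMPLE_ACCESS = [
    '192.168.1.1 - - [02/Apr/2025:14:23:10 +0000] "GET /index.html HTTP/1.1" 200 5123',
    '203.0.113.5 - - [02/Apr/2025:14:23:11 +0000] "GET /admin HTTP/1.1" 403 221',
    '203.0.113.5 - - [02/Apr/2025:14:23:11 +0000] "GET /backup HTTP/1.1" 404 196',
    '203.0.113.5 - - [02/Apr/2025:14:23:12 +0000] "GET /config HTTP/1.1" 404 196',
    '203.0.113.5 - - [02/Apr/2025:14:23:12 +0000] "POST /login HTTP/1.1" 403 221',
    '192.168.1.1 - - [02/Apr/2025:14:23:13 +0000] "GET /api/items HTTP/1.1" 500 87',
]
SAMPLE_ERROR = ("[Wed Apr 02 14:23:10 2025] [error] [client 192.168.1.1] "
                "File does not exist: /var/www/html/missing-page.html")

if __name__ == "__main__":
    print(summarize_status(SAMPLE_ACCESS))
    print("clients with repeated 4xx:", flag_clients(SAMPLE_ACCESS))
    print(parse_error_line(SAMPLE_ERROR))
```

In a SIEM the same two signals would be expressed as a scheduled search over the last few minutes of access logs: the per-series count feeds a dashboard, and the per-client 4xx count becomes an alert rule.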
FIREWALL LOGS:
Firewall logs are essential for monitoring network security and diagnosing potential threats.
Here's a more detailed breakdown of their key aspects:
Firewall logs play a crucial role in network security and performance management by
providing detailed records of network activities. Here’s why they are important:
1. Security Monitoring
2. Incident Response
Aids in quickly detecting and responding to cyber threats before they escalate.
Enables real-time alerts when a security breach or anomaly is detected.
Helps administrators take corrective actions, such as blocking malicious IPs or
tightening security rules.
3. Compliance
Many industries (e.g., finance, healthcare, government) must comply with security
regulations like GDPR, HIPAA, PCI-DSS, and ISO 27001.
Firewall logs serve as proof of security measures taken to protect sensitive data.
Ensures organizations follow industry best practices to avoid fines and legal issues.
4. Forensic Analysis
5. Performance Monitoring
Helps track network performance metrics, such as bandwidth usage and latency.
Identifies bottlenecks and slow network connections affecting business operations.
Aids in optimizing firewall rules to reduce unnecessary traffic filtering and improve
overall efficiency.
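The security-monitoring and incident-response uses of firewall logs listed above come down to parsing the dropped/accepted records and looking for patterns across them. The script below is an added example for these notes, not from any firewall vendor: it reads Linux netfilter-style kernel log lines (the KEY=VALUE format iptables/nftables logging produces), counts records per rule label, and flags a source that was dropped while touching many distinct destination ports. The "IPT-DROP" / "IPT-ACCEPT" labels stand in for whatever --log-prefix an administrator configured, and all log lines are constructed.

```python
import re
from collections import defaultdict
from typing import Optional

# syslog header, then "kernel:", optional uptime stamp, the rule's log prefix, KEY=VALUE pairs
KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[[\d. ]+\] )?(?P<prefix>[A-Za-z0-9_-]+): (?P<rest>.*)$")


def parse_firewall_line(line: str) -> Optional[dict]:
    """Turn one netfilter log line into a dict; bare tokens such as DF or SYN become flags."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "action": m["prefix"], "flags": []}
    for token in m["rest"].split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(token)
    return rec


def count_by_action(lines) -> dict:
    """How many records each rule label produced (the performance/tuning view)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_firewall_line(line)
        if rec:
            counts[rec["action"]] += 1
    return dict(counts)


def detect_port_sweeps(lines, min_ports: int = 3) -> dict:
    """Sources whose dropped TCP/UDP packets hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_firewall_line(line)
        if not rec or not rec["action"].endswith("DROP"):
            continue  # assumption: drop rules are logged with a prefix ending in DROP
        if rec.get("PROTO") in ("TCP", "UDP") and "DPT" in rec and "SRC" in rec:
            ports[rec["SRC"]].add(int(rec["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample: one external source dropped on four ports, one internal accept.
SAMPLE_FW = [
    "Apr  2 14:23:10 fw01 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 "
    "LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr  2 14:23:11 fw01 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 "
    "LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr  2 14:23:11 fw01 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 "
    "LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr  2 14:23:12 fw01 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 "
    "LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44324 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr  2 14:23:15 fw01 kernel: IPT-ACCEPT: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.10 "
    "LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=50010 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    print(count_by_action(SAMPLE_FW))
    for src, hit_ports in detect_port_sweeps(SAMPLE_FW).items():
        print(f"possible sweep from {src}: ports {hit_ports}")
```

The per-action counts answer the performance question (which rules fire most, so which ones to tune), while the sweep detector is the kind of correlation an analyst turns into a SIEM rule with a time window added.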
SSH Logs:
SSH (Secure Shell) logs are records of all SSH-related activities on a system. Since SSH is
commonly used for secure remote access, monitoring these logs is critical for security and
system auditing.
SSH logs are typically stored in system log files, such as:
Linux/macOS:
o /var/log/auth.log (Debian-based systems like Ubuntu)
o /var/log/secure (Red Hat-based systems like CentOS)
Windows (OpenSSH Logs):
o Stored in Event Viewer under Applications and Services Logs > OpenSSH
1. Security Monitoring
o Detects unauthorized login attempts and brute-force attacks.
o Identifies compromised accounts or suspicious activities.
2. Incident Response
o Helps in investigating security incidents and responding to intrusions.
o Provides detailed forensic data to understand attack patterns.
3. Compliance & Auditing
o Required for organizations following security standards (ISO 27001,
HIPAA, PCI-DSS, etc.).
o Ensures administrators can track who accessed the system and what they
did.
4. System Performance & Troubleshooting
o Helps diagnose login failures due to authentication issues or network
problems.
o Assists in troubleshooting SSH connection errors.
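The brute-force and compromised-account cases above are the ones an analyst most often has to pull out of /var/log/auth.log or /var/log/secure by hand. The script below is an added example for these notes, not from any product: it parses the standard sshd "Failed password" / "Accepted ..." messages, counts failures per source inside a sliding window, and, more importantly, reports a successful login from a source that had just been failing, which is the signal that a brute-force attempt may have worked. The log lines are constructed, the year is assumed (syslog timestamps omit it), and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

LOG_YEAR = 2025  # assumption: classic syslog timestamps carry no year

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^Failed (?P<method>\w+) for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def parse_sshd_line(line: str) -> Optional[dict]:
    """One auth.log line -> login event, or None for lines that are not login outcomes."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    for outcome, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        mm = rx.match(m["msg"])
        if mm:
            return {"time": when, "host": m["host"], "outcome": outcome,
                    "user": mm["user"], "ip": mm["ip"], "method": mm["method"],
                    "invalid_user": bool(mm.groupdict().get("invalid"))}
    return None  # disconnects, key negotiation and similar messages are ignored here


def find_bruteforce(lines, threshold: int = 3, window_seconds: int = 60) -> dict:
    """Source IPs with at least `threshold` failures inside any window_seconds span."""
    fails = defaultdict(list)
    for line in lines:
        ev = parse_sshd_line(line)
        if ev and ev["outcome"] == "failed":
            fails[ev["ip"]].append(ev["time"])
    hits = {}
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), j - i + 1)
    return hits


def find_success_after_failures(lines) -> list:
    """(ip, user) pairs where a login succeeded from a source that had failed earlier."""
    events = [e for e in (parse_sshd_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["time"])
    failed_ips, results = set(), []
    for ev in events:
        if ev["outcome"] == "failed":
            failed_ips.add(ev["ip"])
        elif ev["ip"] in failed_ips:
            results.append((ev["ip"], ev["user"]))
    return results


# Constructed auth.log excerpt: three failures from one source, a normal key login,
# then a password login for root from the same source that had been failing.
SAMPLE_AUTH = [
    "Apr  2 14:23:10 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Apr  2 14:23:12 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Apr  2 14:23:15 host1 sshd[1240]: Failed password for root from 203.0.113.5 port 51242 ssh2",
    "Apr  2 14:23:20 host1 sshd[1250]: Accepted publickey for alice from 192.168.1.25 port 50022 ssh2",
    "Apr  2 14:24:00 host1 sshd[1260]: Accepted password for root from 203.0.113.5 port 51300 ssh2",
]

if __name__ == "__main__":
    print("brute-force sources:", find_bruteforce(SAMPLE_AUTH))
    print("success after failures:", find_success_after_failures(SAMPLE_AUTH))
```

The second finding is the one to escalate: a root password login from a host that had just been guessing is a probable compromise, not a noisy scanner, and it is exactly the audit question "who accessed the system" that the compliance section above asks of these logs.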