The higher-level functions of a SOC can be divided into "Core Functions" and "Specialty Fields". Small teams may perform all of these functions themselves. Core functions are mostly performed by SOC analysts, while the specialty fields require a significantly different skill set, so they are usually staffed by dedicated people. Large organizations have dedicated forensics, penetration testing and threat intelligence staff; small organizations often outsource these capabilities for cost efficiency.
- Data Collection: This function tells us what is occurring on both the network and the endpoints. It can be broken down into Network Security Monitoring and Continuous Security Monitoring.
- Detection: The goal of this function is to watch the data collected from the network and endpoints and find potential compromises. This is what network and host IDS, anti-virus, SIEM analytics and similar tools do: they watch everyday events and output alerts of possible compromise.
- Triage and Investigation: This is where identified alerts are prioritized and verified. In nearly every SOC there are far more alerts flagged as potentially malicious than can be investigated at once, so the primary job of the SOC analyst is to sort them by criticality and verify whether an attack has indeed occurred.
- Incident Response: This area is responsible for reacting to verified problems and ensuring the impact is minimized. In smaller SOCs this is done by the SOC analysts, whereas larger SOCs may have a dedicated team, often named the CIRT or CSIRT. It is considered a core part of the blue team.
- Threat Intelligence: The mission of the threat intelligence group is to collect detailed low-level and high-level information about the attack groups interested in the organization. The goal is to give the blue team a tactical and strategic advantage over attackers: if we can predict the adversary's goals, moves and even infrastructure ahead of time, the advantage shifts from the adversary to us.
- Forensics: A specialized function focused on determining exactly what occurred during a breach. This may be traditional hard drive forensics, or something more specific such as memory analysis, malware reverse engineering, or even eDiscovery.
- Self-Assessment: This is an umbrella term for multiple functions that may or may not be considered directly within the SOC. It includes configuration monitoring, vulnerability assessment, penetration testing, red teaming and asset inventory. These activities are all similar in that they help the blue team do its job effectively, either by watching for potential issues (vulnerability management) or by testing the blue team's reaction to simulated threats (penetration testing and red teaming). It is a critical piece of the security puzzle.
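To make the Detection and Triage bullets above concrete, here is a small SIEM-style pipeline, added as an example for this page and not code from the original notes. It parses constructed sshd log lines, applies one detection rule (a brute-force rule: five failed logins from the same source within a two-minute window, escalated when a later login from that source succeeds), and then triages the resulting alerts by a criticality score so an analyst sees the verified compromise first. The log lines, hostnames, IP addresses, thresholds and asset-criticality weights are all assumptions chosen for illustration, not values from the page.

```python
"""Toy SIEM detection + triage over constructed sshd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (syslog-style sshd events; hosts and IPs are made up).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web01 sshd[101]: Failed password for root from 203.0.113.7 port 50001 ssh2
2024-03-01T10:00:03 web01 sshd[101]: Failed password for root from 203.0.113.7 port 50002 ssh2
2024-03-01T10:00:05 web01 sshd[101]: Failed password for root from 203.0.113.7 port 50003 ssh2
2024-03-01T10:00:07 web01 sshd[101]: Failed password for root from 203.0.113.7 port 50004 ssh2
2024-03-01T10:00:09 web01 sshd[101]: Failed password for root from 203.0.113.7 port 50005 ssh2
2024-03-01T10:00:12 web01 sshd[101]: Accepted password for root from 203.0.113.7 port 50006 ssh2
2024-03-01T10:05:00 db01 sshd[202]: Failed password for alice from 198.51.100.9 port 40001 ssh2
2024-03-01T10:05:30 db01 sshd[202]: Failed password for alice from 198.51.100.9 port 40002 ssh2
2024-03-01T10:06:00 db01 sshd[202]: Failed password for alice from 198.51.100.9 port 40003 ssh2
2024-03-01T10:06:30 db01 sshd[202]: Failed password for alice from 198.51.100.9 port 40004 ssh2
2024-03-01T10:07:00 db01 sshd[202]: Failed password for alice from 198.51.100.9 port 40005 ssh2
2024-03-01T10:20:00 web01 sshd[303]: Accepted publickey for deploy from 192.0.2.5 port 30001 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5     # assumed rule tuning: failures that count as brute force
WINDOW_SECONDS = 120   # assumed sliding window for those failures
ASSET_CRITICALITY = {"db01": 20, "web01": 10}  # assumed inventory weights


def parse(lines):
    """Data collection stage: normalise raw log lines into timestamped events."""
    events = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines that do not fit the schema are ignored
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "host": m["host"], "user": m["user"], "src": m["src"],
                "ok": m["result"] == "Accepted",
            })
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Detection stage: one alert per (src, host, user) that hits the brute-force rule."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["host"], e["user"])].append(e)
    alerts = []
    for (src, host, user), evs in by_key.items():
        fails = [e["ts"] for e in evs if not e["ok"]]
        for i in range(len(fails)):
            j = i + FAIL_THRESHOLD - 1
            # Sliding window: failures i..j must all land within WINDOW_SECONDS.
            if j < len(fails) and (fails[j] - fails[i]).total_seconds() <= WINDOW_SECONDS:
                last_fail = fails[j]
                # A later successful login from the same source is the escalation signal.
                success = any(e["ok"] and e["ts"] > last_fail for e in evs)
                alerts.append({"rule": "ssh_brute_force", "src": src, "host": host,
                               "user": user, "first_fail": fails[i],
                               "last_fail": last_fail, "success": success})
                break  # one alert per key, not one per window position
    return alerts


def triage(alerts):
    """Triage stage: score by criticality and mark whether the attack is verified."""
    for a in alerts:
        score = 40                                 # base score for the rule itself
        if a["success"]:
            score += 50                            # credential actually worked
        if a["user"] == "root":
            score += 10                            # privileged target account
        score += ASSET_CRITICALITY.get(a["host"], 0)
        a["score"] = score
        # A success after the failures verifies the compromise; otherwise an
        # analyst still has to confirm whether anything beyond noise happened.
        a["status"] = "verified" if a["success"] else "needs_investigation"
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def run(lines=SAMPLE_LOGS):
    """Full pipeline: collection -> detection -> prioritised analyst queue."""
    return triage(detect(parse(lines)))


if __name__ == "__main__":
    for a in run():
        print(a["score"], a["status"], a["host"], a["user"], a["src"])
```

Running it puts the web01/root alert at the top of the queue as a verified compromise (the brute force was followed by a successful login), while the db01/alice alert stays lower as an unverified burst of failures that still needs an analyst to look at; the deploy user's normal key-based login produces no alert at all. In a real SOC the scoring weights would come from the asset inventory and the rule from a tuned detection library, but the shape of the work (collect, detect, then rank and verify) is the same.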