401d8 read12 - carlosjorr/reading-notes GitHub Wiki
Log Analysis with Splunk
What are three tasks which SOCs often perform?
Security Incident Detection and Response: Security Operations Centers (SOCs) are responsible for monitoring network and system activities to detect security incidents or breaches. They use various tools and technologies to identify unusual patterns or behaviors that could indicate a potential threat. Once an incident is detected, the SOC responds by investigating, containing, and mitigating the threat to minimize its impact.
Threat Intelligence Analysis: SOCs continuously gather and analyze threat intelligence data from various sources to stay informed about emerging threats and vulnerabilities. They use this information to enhance their security posture and proactively defend against potential attacks.
Security Awareness and Training: SOCs often conduct security awareness programs for employees, educating them about the latest cybersecurity threats and best practices to protect sensitive information. By promoting a security-conscious culture, SOCs aim to reduce the likelihood of human errors leading to security incidents.
Explain what a SIEM solution is and how the SOC utilizes it in non-technical terms.
A SIEM (Security Information and Event Management) solution is like a powerful security detective that observes everything happening on a computer network. It collects data from various devices and applications, like logs, events, and alerts, and puts them together in one place. It acts like a big brain that can analyze all this data, trying to find any signs of trouble or unusual activities.
When something suspicious is detected, the SIEM solution raises a red flag, like sounding an alarm, to notify the SOC team. Think of it as a watchful guard that keeps an eye on all the activity within a house, and if it sees something strange, it immediately alerts the security team to investigate further. The SOC team can then use the information from the SIEM to figure out what's happening, stop any potential attacks, and make sure everything stays secure.
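As an added illustration of the collect, analyze and alert flow described above (example code, not from the original notes and not Splunk's own logic): a toy correlation rule in Python that normalizes two constructed log sources (an sshd log and a web access log) into one event stream and raises an alert when a single IP accumulates repeated failed logins across both within a short window. The log lines, IP addresses, threshold and window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not real data): an sshd log and a web server access log.
SSH_LOG = """\
2024-01-12T10:00:01Z bastion sshd[812]: Failed password for root from 203.0.113.5 port 4422 ssh2
2024-01-12T10:00:09Z bastion sshd[812]: Failed password for root from 203.0.113.5 port 4431 ssh2
2024-01-12T10:00:15Z bastion sshd[813]: Accepted publickey for deploy from 198.51.100.7 port 5001 ssh2
"""
WEB_LOG = """\
203.0.113.5 - - [12/Jan/2024:10:02:40 +0000] "POST /login HTTP/1.1" 401 231
203.0.113.5 - - [12/Jan/2024:10:02:58 +0000] "POST /login HTTP/1.1" 401 231
198.51.100.7 - - [12/Jan/2024:10:03:10 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

SSH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3})')

def collect(ssh_log=SSH_LOG, web_log=WEB_LOG):
    """Pull failed-login events from both sources into one normalized, time-ordered list."""
    events = []
    for line in ssh_log.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append({"ts": ts, "src_ip": m.group(2), "source": "sshd"})
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if m and m.group(3) == "401":  # only failed authentication responses count
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            events.append({"ts": ts, "src_ip": m.group(1), "source": "web"})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=4, window=timedelta(minutes=5)):
    """Alert when one IP produces >= threshold failed logins across sources within the window."""
    alerts, recent = [], defaultdict(list)
    for ev in events:
        bucket = recent[ev["src_ip"]]
        bucket.append(ev)
        bucket[:] = [e for e in bucket if ev["ts"] - e["ts"] <= window]  # sliding window
        if len(bucket) >= threshold:
            alerts.append({"src_ip": ev["src_ip"], "count": len(bucket),
                           "sources": sorted({e["source"] for e in bucket}),
                           "first": bucket[0]["ts"], "last": ev["ts"]})
            bucket.clear()  # one burst yields one alert for the analyst to triage
    return alerts
```

Calling `correlate(collect())` on the constructed logs yields a single alert for 203.0.113.5 that a Tier 1 analyst would triage, while the legitimate activity from 198.51.100.7 produces nothing.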
How does the typical SOC team structure resemble the structure of an IT Help Desk?
The structure of a typical SOC team and an IT Help Desk can be somewhat similar in terms of tiered support levels.
Tier 1 - Frontline Analysts: Both SOC and IT Help Desk teams have frontline analysts who act as the first point of contact. In the SOC, these analysts handle initial incident triage, assess alerts from security tools, and determine if further investigation is needed. For the IT Help Desk, they receive and address user-reported issues, troubleshoot common problems, and escalate complex cases to higher tiers if required.
Tier 2 - Intermediate Analysts: In both teams, intermediate analysts handle more complex cases that require in-depth analysis. In the SOC, they investigate and respond to confirmed security incidents, performing a detailed analysis of the threat. For the IT Help Desk, they tackle more challenging technical issues that couldn't be resolved at Tier 1.
Tier 3 - Advanced Analysts (Specialists): These are the top-level experts who deal with the most intricate cases. In the SOC, they may have specialized skills, such as threat hunting, malware analysis, or forensics. For the IT Help Desk, they might specialize in specific software or infrastructure areas, providing deep technical expertise.