
Standard Operating Procedure of the Security Operations Center


Overview of SOC
A Security Operations Center (SOC) is a centralized team responsible for monitoring and responding to
security incidents across an organization's IT infrastructure. The SOC's primary objective is to detect and
respond to potential security incidents as quickly and effectively as possible.
The SOC uses various tools and technologies, including IDS, SIEM, and EDR tools, to monitor the network
for suspicious activity and potential security threats. The SOC follows a structured incident response
process, which typically involves detection, analysis, containment, eradication, recovery, and lessons
learned.
In addition to incident response, the SOC is responsible for ongoing security monitoring, vulnerability
management, threat intelligence gathering, and employee security awareness training. Security
monitoring involves continuous monitoring of the network for potential threats, vulnerabilities, and
security risks. Vulnerability management involves identifying and addressing weaknesses in the network
before they can be exploited by attackers. Threat intelligence gathering involves collecting and analyzing
data about potential security threats to identify emerging trends and potential risks to the organization.
Employee security awareness training involves educating employees about security best practices to
reduce the risk of security incidents caused by human error.
The SOC is a critical component of an organization's cybersecurity strategy. The SOC team works to
protect the organization's assets, reputation, and customers by detecting and responding to security
incidents in a timely and effective manner. The SOC's responsibilities go beyond incident response and
include ongoing security monitoring, vulnerability management, threat intelligence gathering, and
employee security awareness training.

Mission

A SOC is a team primarily composed of security analysts organized to detect, analyze, respond to, report
on, and prevent cyber-security incidents. A SOC provides services to a set of customers referred to as
a constituency—a bounded set of users, sites, IT assets, networks, and organizations. Combining
definitions from and, a constituency can be established according to organizational, geographical,
political, technical, or contractual demarcations. In order for an organization to be considered a SOC, it
must:

1. Provide a means for constituents to report suspected cyber-security incidents

2. Provide incident handling assistance to constituents

3. Disseminate incident-related information to constituents and external parties.

A SOC's mission statement typically includes the following elements:

1. Prevention of cyber-security incidents through proactive:

a. Continuous threat analysis

b. Network and host scanning for vulnerabilities

c. Countermeasure deployment coordination

d. Security policy and architecture consulting.

2. Monitoring, detection, and analysis of potential intrusions in real time and through historical trending
on security-relevant data sources

3. Response to confirmed incidents, by coordinating resources and directing use of timely and
appropriate countermeasures

4. Providing situational awareness and reporting on cybersecurity status, incidents, and trends in
adversary behavior to appropriate organizations

5. Engineering and operating

Vision

1. Proactive approach to cybersecurity: The SOC aims to take a proactive approach to cybersecurity by
staying ahead of potential threats and vulnerabilities before they can be exploited.
2. Dynamic capabilities: The SOC aims to continuously evolve its capabilities to detect and respond
to emerging security threats, including the development of advanced technologies and
techniques.
3. Secure operating environment: The SOC's ultimate goal is to create a secure environment
where the organization can operate effectively, without the fear of security breaches or attacks.
4. Minimize the impact of security incidents: The SOC aims to continuously improve its incident
response process to minimize the impact of security incidents and prevent them from
reoccurring in the future.
5. Foster a culture of security: The SOC aims to foster a culture of security within the organization
by providing employee training and awareness programs to educate staff on best security
practices.
6. Meet cybersecurity challenges: By achieving its vision, the SOC aims to ensure that the
organization is well-positioned to meet the growing cybersecurity challenges of today and the
future.
Objectives

- Threat detection and response: The primary objective of the SOC is to detect and respond to potential
security threats in a timely and effective manner using various tools and technologies, such as IDS,
SIEM, and EDR.
- Incident management: The SOC is responsible for managing security incidents, following a
structured incident response process to contain, eradicate, and recover from the incident.
- Vulnerability management: The SOC aims to identify and manage vulnerabilities within the
organization's IT infrastructure, including patch management and other security updates.
- Compliance and regulatory requirements: The SOC aims to ensure that the organization is in
compliance with relevant regulations and requirements, such as GDPR and HIPAA.
- Threat intelligence: The SOC aims to gather and analyze threat intelligence to identify emerging
trends and potential risks to the organization.
- Employee training and awareness: The SOC aims to provide employee training and awareness
programs to educate staff on best security practices and foster a culture of security within the
organization.
- Continuous improvement: The SOC aims to continuously improve its capabilities by evaluating
its processes, procedures, and technologies to ensure they are effective and efficient.

Overall, the objectives of the SOC are to protect the organization's IT infrastructure from
potential security threats, minimize the impact of security incidents, and ensure the
organization is compliant with relevant regulations and requirements.
Organizational Structure and Hierarchy of SOC Team

Fig: SOC Team (organization chart; roles shown: Security analyst, Security engineer, SOC manager, Chief
information security officer, Director of incident response)


Operational Overview
SOC analysts are organized in four tiers:

Tier 1: Event Classification and Triage
Tier 2: Prioritization and Analysis
Tier 3: Remediation and Recovery
Tier 4: Assessment and Audit

Tier 1 : Event Classification and Triage

Event classification and triage are critical components of a Security Operations Center (SOC) team's
incident response process. Here's an overview of how SOC teams classify and triage events:

Event Classification: SOC analysts (Tier 1) use a classification scheme to determine the severity of each
event or alert. This allows them to prioritize their response efforts based on the potential impact to the
organization.

At present, the analysis in our SOC focuses on our hosts. Tier 1 classifies hosts into four categories
according to their risk level:

1. Critical user (risk points 100): A user whose risk score is 100 is categorized as a critical user. We
review their installed software and also their files.
2. High risk level user (risk points 70-99): These events represent a critical threat to the
organization and require immediate attention, such as a data breach or ransomware attack.
3. Medium risk level user (risk points 30-69): These events are significant but not as critical as high-
severity events. Examples might include a phishing attempt or an attempted exploit of a known
vulnerability.
4. Low risk level user (risk points 0-29): These events represent a potential threat to the
organization, but are not as urgent as high- or medium-severity events. Examples might include a
failed login attempt or a low-level network scan.
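The risk bands above, implemented as a small Tier 1 triage helper. This is an added example, not part of the SOP or any SOC tool; the host names and scores are constructed sample data, and the band boundaries (0-29, 30-69, 70-99, 100) are taken from the text. It goes slightly beyond the list by rejecting out-of-range or non-numeric scores instead of silently bucketing them, and by ordering the review queue highest risk first.

```python
# Added example (not part of the original SOP): Tier 1 host triage by risk
# points. Host names and scores below are constructed sample data; the band
# boundaries are the ones given in the SOP.

# Risk bands from the SOP: low 0-29, medium 30-69, high 70-99, critical 100.
# Each band is (lowest score, highest score, label), highest band first.
RISK_BANDS = (
    (100, 100, "Critical"),
    (70, 99, "High"),
    (30, 69, "Medium"),
    (0, 29, "Low"),
)


def classify(risk_points):
    """Return the SOP risk label for a score; reject anything outside 0..100.

    Bands are inclusive at both ends, so 29 is Low and 30 is Medium.
    """
    if not isinstance(risk_points, int) or isinstance(risk_points, bool):
        raise TypeError(f"risk_points must be int, got {type(risk_points).__name__}")
    for low, high, label in RISK_BANDS:
        if low <= risk_points <= high:
            return label
    raise ValueError(f"risk_points {risk_points} outside the 0-100 scale")


def triage_queue(hosts):
    """Order (hostname, risk_points) pairs for Tier 1 review, highest risk first.

    Returns (queue, rejected): queue holds (hostname, points, label) tuples;
    rejected holds (hostname, reason) so a bad feed value is surfaced, not lost.
    """
    queue, rejected = [], []
    for hostname, points in hosts:
        try:
            queue.append((hostname, points, classify(points)))
        except (TypeError, ValueError) as exc:
            rejected.append((hostname, str(exc)))
    queue.sort(key=lambda row: (-row[1], row[0]))  # score desc, then name
    return queue, rejected


# Constructed sample feed covering each band boundary plus two invalid entries.
SAMPLE_HOSTS = [
    ("ws-finance-02", 100), ("ws-hr-11", 70), ("srv-file-01", 69),
    ("ws-dev-08", 30), ("ws-dev-07", 29), ("ws-guest-01", 0),
    ("ws-broken-feed", 150), ("ws-bad-type", "high"),
]
```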

Tier 2 : Prioritization and Analysis

- Reviews trouble tickets generated by Tier 1 analysts.
- Utilizes emerging threat intelligence (IOCs, rule updates, etc.) to identify affected systems and
the scope of the attack.
- Reviews and collects asset data (configs, running processes, etc.) on these systems for further
investigation.
- Determines and directs remediation and recovery efforts.

Overall, the SOC prioritization and analysis stage is critical in ensuring that the security team can
effectively manage and respond to potential threats. By prioritizing incidents based on their severity and
impact, the team can focus their resources on the most critical issues and respond in a timely and
effective manner.

Tier 3 : Remediation and Recovery

- Re-image systems (and restore backups)
- Patch or update systems (e.g. apps and OS updates)
- Re-configure system access (e.g. account removals, password resets)
- Re-configure network access (e.g. ACL and firewall rules, VPN access, etc.)
- Review monitoring capabilities on servers and other assets.
- Validate patching procedures and other security controls by running network vulnerability
scans

Tier 4 : Assessment and Audit

Running network vulnerability assessments and generating compliance reports are some of the most
common audit activities for SOC team members. Additionally, SOC team members may also review their
SOC processes with audit teams (internal and external) to verify policy compliance as well as determine
how to improve SOC team performance and efficiency.
Tools and Technologies used by SOC Team

1. SIEM
2. EDR/XDR
3. IDS/IPS
4. Firewalls
5. Vulnerability scanners
6. Investigation tools
7. Vulnerabilities Feeds and DB
8. Ticketing solutions

Security information and event management (SIEM)

A security information and event management (SIEM) system is a real-time, event-based analysis
system. Depending on how it is implemented, it may be able to:

1. Detect potential attacks based on a signature or a set of rules
2. Detect potential attacks and perform quick actions, such as creating tickets
3. Act as an alert forwarder that collects alerts from security solutions such as IDS/IPS and
displays them in a centralized interface.
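A minimal illustration of points 1 and 2: a rule-based correlation run over log lines that emits one alert record per detected burst, the kind of record a ticket would be raised from. This is an added example, not the SOP's or any SIEM product's code; the log line format, the source addresses, the 5-failures-in-60-seconds threshold and the alert fields are all assumptions constructed for illustration.

```python
# Added example (not part of the original SOP): a minimal rule-based
# correlation of the kind the SIEM section describes, run over constructed
# sample auth log lines. The log format, rule threshold and alert fields are
# assumptions for illustration, not the SOP's or any product's.
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed lines: "<ISO timestamp> <host> sshd: <outcome> password for <user> from <ip>"
SAMPLE_LOG = """\
2024-05-01T08:00:01 srv-file-01 sshd: Failed password for bob from 203.0.113.9
2024-05-01T08:00:05 srv-file-01 sshd: Failed password for root from 203.0.113.9
2024-05-01T08:00:09 srv-file-01 sshd: Failed password for admin from 203.0.113.9
2024-05-01T08:00:12 srv-file-01 sshd: Failed password for alice from 203.0.113.9
2024-05-01T08:00:15 srv-file-01 sshd: Failed password for test from 203.0.113.9
2024-05-01T08:03:00 srv-file-01 sshd: Failed password for carol from 198.51.100.4
2024-05-01T08:10:00 srv-file-01 sshd: Failed password for carol from 198.51.100.4
2024-05-01T08:10:30 srv-file-01 sshd: Accepted password for carol from 198.51.100.4
"""
LINE_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
THRESHOLD, WINDOW_SECONDS = 5, 60  # rule: 5 failures from one source within 60 s


def parse(line):
    """Return (timestamp, host, outcome, user, src_ip), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, outcome, user, ip = m.groups()
    return datetime.fromisoformat(ts), host, outcome, user, ip


def detect_bruteforce(log_text):
    """Sliding-window failure count per source IP; one alert per burst, not per line."""
    recent = defaultdict(deque)  # src_ip -> deque of (timestamp, user) inside the window
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev[2] != "Failed":
            continue  # unparsable lines and successful logins do not feed this rule
        ts, host, _, user, ip = ev
        window = recent[ip]
        window.append((ts, user))
        while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()  # drop failures that fell out of the window
        if len(window) >= THRESHOLD:
            alerts.append({"rule": "ssh-bruteforce", "src_ip": ip, "host": host,
                           "count": len(window), "users": sorted({u for _, u in window}),
                           "first_seen": window[0][0].isoformat(), "last_seen": ts.isoformat()})
            window.clear()  # reset so a sustained burst yields a single ticket
    return alerts
```

On the sample data only the 203.0.113.9 burst fires; the two carol failures are 7 minutes apart, so the window expires between them and no alert is raised.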

Most popular SIEM solutions in the market:

a) QRadar
b) AlienVault
c) Splunk

EDR/XDR
An Endpoint Detection and Response (EDR) tool is installed on each endpoint to collect information
about its behavior. Here is a list of some of the behavioral information that an EDR can collect from an
endpoint:

- ARP
- DNS
- Sockets
- Registry
- Memory dumps
- System calls
- IP addresses
- Hardware types

Here is a list of the best EDR solutions:

a) Microsoft Defender for Endpoint
b) McAfee EDR

Firewalls
Firewalls are one of the most important components of the security chain; they are the first line of
security in the network. The main job of a firewall is to protect the network from external and internal
attacks by inspecting incoming and outgoing packets and deciding whether to allow or block the traffic.

Next-generation firewalls perform many more actions to protect the network, such as analyzing the
packets they receive more deeply by monitoring the traffic at the application level. In addition, they
also include intrusion detection and prevention systems, antivirus, URL filtering, and a sandbox
to analyze unknown suspicious files.

In our organization we use Palo Alto as the next-generation firewall.

Vulnerability scanners

For vulnerability scanning we use:

a) Nmap
b) Zenmap
c) OpenVAS
d) Burp Suite
e) Nessus

Investigation tools

As an investigation tool we use Wireshark.

Vulnerability Feeds

For vulnerability feeds we use VirusTotal.
