Hello Readers! Today I am giving you an overview of the SOC (Security Operations Center).
Here I am giving you short notes that are easy to remember. You can easily find longer descriptions on the internet, but here you can make an easy note to remember.
Let me introduce the life cycle of a SOC, the basics behind it:
- Real-Time Monitoring Environment
  - To reduce false positives
- Investigations
  - To investigate incident logs according to severity (Low, Medium, High, Critical)
- Hunt
  - To hunt for unknown threats with deep analytics and machine learning techniques
- IOC (Indicator of Compromise)
  - Intelligence feeds
  - Threat center and others
  - Forensic evidence of potential intrusions on a host system or network
Basically, a SOC collects logs from various components. The most common areas are:
Log Collection From:
- User's systems
- Cloud platforms
- Applications
- Servers and workstations
- Network
- Endpoints
- IoT (Internet of Things)
Here I define the work roles of a SOC by level (Level 1, Level 2, Level 3):
SOC Level 1:
- Alert-queue monitoring
- Incident qualification
- Triage and escalation
SOC Level 2:
- Incident investigations
- Remediation advice
SOC Level 3:
- Detection and use cases
- Optimization
- Hunting
- Threat intelligence investigation and analysis
I have talked a bit about SOC levels and log collection, but the main question is: "where are all the logs stored in a well-organized way?"
SIEM - Security Information and Event Management
SIEM tools come into the picture when we talk about collecting, observing and monitoring logs.
Basically, a SIEM tool is used to identify threats, anomalies and cyberattacks in gigabytes of data, in real time, using correlation rules.
Top vendors that provide SIEM services
Evolution of SIEM
Prior to 2005 there were two major kinds of tools available for monitoring and analysing the events generated by systems: SIM (Security Information Management) and SEM (Security Event Management). Thereafter, Amrit Williams and Mark Nicolett defined a new technology called SIEM, which provides a combination of both: SIM + SEM.
SIM - Security Information Management
- Collection, monitoring and analysis of security-related data from computers
- Log management
- Easy to deploy
- Strong log management capabilities
- e.g. OSSIM (AlienVault)
SEM - Security Event Management
- The practice of network event management, including real-time threat analysis, visualization and incident response
- More complex to deploy
- Real-time monitoring capabilities
- e.g. NetIQ Sentinel
SIEM - Security Information & Event Management
- Combines both SIM + SEM
- More complex to deploy
- Complete functionality
- e.g. SolarWinds Log & Event Manager, Splunk Enterprise Security, IBM QRadar
Now I am giving you the basic architecture of a SIEM tool.
SIEM Architecture
There are three main components of a SIEM:
- Receiver
- Manager
- Logger
Receiver
The first component in a SIEM; it collects the logs from Windows, Linux, applications, routers, switches, firewalls, VPN servers, email servers and IoT devices.
Functionality:
(i) Extract logs
(ii) Log parsing
(iii) Normalization
(iv) Aggregation
(i) Extract logs
- This is the first step performed by the tool after the receiver has collected the logs: the individual log records are pulled out of the received data so that the later stages can work on them one by one.
(ii) Log parsing
- Used so the SIEM can understand the log format
- Thousands of devices generate logs in different formats, so the SIEM has to parse and understand these different logs and map them into the appropriate fields
(iii) Normalization
- Common event format
- Correlation rules are run on the normalized fields
- e.g. firewall logs and IDS logs: both generate similar kinds of events, so both are converted into one common format and can then be correlated
(iv) Aggregation
- Used to reduce repeated similar events by showing an aggregated count
- For example, if it receives 10 or 20 similar logs it aggregates them into one record and shows the count along with the log
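As an added example (not code from the original post or from any SIEM product), here is a small receiver pipeline in Python covering steps (ii) to (iv): it parses two constructed log formats, a firewall line and an IDS line, normalizes both into one common event record, and aggregates identical events into one record with a count. The log formats, regular expressions and field names are my own assumptions, not any real vendor's format.

```python
import re
from collections import Counter
from dataclasses import dataclass, asdict

# Constructed sample lines in two made-up vendor formats (not real product
# output): a firewall and a network IDS describing the same kind of event.
# The last line is deliberately unparseable to show how unknowns are handled.
RAW_LOGS = [
    "2024-03-01T10:00:01Z fw01 action=DENY src=10.0.0.5 dst=203.0.113.9 dport=22 proto=TCP",
    "2024-03-01T10:00:02Z fw01 action=DENY src=10.0.0.5 dst=203.0.113.9 dport=22 proto=TCP",
    "2024-03-01T10:00:02Z fw01 action=DENY src=10.0.0.5 dst=203.0.113.9 dport=22 proto=TCP",
    "Mar  1 10:00:03 ids01 alert: SSH brute-force attempt {TCP} 10.0.0.5:40000 -> 203.0.113.9:22",
    "2024-03-01T10:00:04Z fw01 action=ALLOW src=10.0.0.7 dst=198.51.100.3 dport=443 proto=TCP",
    "this is not a log line",
]

# (ii) Parsing: one regex per assumed source format.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
IDS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) alert: (?P<msg>.+?) "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


# (iii) Normalization: the common event format every source is mapped into.
# Frozen so identical events hash equally and can be counted in (iv).
@dataclass(frozen=True)
class Event:
    source_type: str  # "firewall" or "ids"
    host: str
    action: str       # normalized: "deny", "allow" or "alert"
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    message: str


def parse_line(line: str):
    """Parse one raw line into (timestamp string, Event); None if the format is unknown."""
    m = FW_RE.match(line)
    if m:
        action = m["action"].lower()
        return m["ts"], Event("firewall", m["host"], action, m["src"], m["dst"],
                              int(m["dport"]), m["proto"].upper(),
                              f"{action} {m['proto'].upper()} to port {m['dport']}")
    m = IDS_RE.match(line)
    if m:
        return m["ts"], Event("ids", m["host"], "alert", m["src"], m["dst"],
                              int(m["dport"]), m["proto"].upper(), m["msg"])
    return None


def aggregate(lines):
    """(iv) Normalize every line and collapse identical events into one record with a count.

    Timestamps are kept out of the aggregation key (only the first one is retained),
    otherwise no two events would ever be "the same". Returns (records, unparsed_count).
    """
    counts = Counter()
    first_seen = {}
    unparsed = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1  # a real receiver would route these to a catch-all source
            continue
        ts, ev = parsed
        counts[ev] += 1
        first_seen.setdefault(ev, ts)
    records = [dict(asdict(ev), count=n, first_seen=first_seen[ev]) for ev, n in counts.items()]
    return records, unparsed


if __name__ == "__main__":
    recs, bad = aggregate(RAW_LOGS)
    for r in recs:
        print(f"{r['count']:>3} x {r['source_type']:8} {r['action']:5} {r['src_ip']} -> {r['dst_ip']}:{r['dst_port']}")
    print(f"{bad} line(s) could not be parsed")
```

Running it shows the three identical firewall denies collapsed into one record with `count=3`, while the IDS alert for the same source and destination sits beside it in the same field layout, which is exactly what makes the two correlatable in the next stage.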
Manager
- Heart of the SIEM
- It has functionality like:
  - Correlation engine
  - Alert creation
  - Dashboard creation
  - Report configuration
  - Resource management
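As an added example (not the post's own code), here is a toy correlation engine in Python for the Manager's two first jobs, correlation and alert creation, which also serves the Level 1 triage items earlier on the page (alert-queue monitoring, investigation by severity): two rules, a threshold rule and a sequence rule, run over constructed, already-normalized events and create alerts tagged with the severity levels Low, Medium, High and Critical, and the resulting queue is sorted most-severe-first. Rule names, thresholds, windows and the event field names are assumptions.

```python
from collections import defaultdict, deque

# Severity levels from the SOC triage list, ordered for sorting the alert queue.
SEVERITY_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Constructed, already-normalized events (what the receiver would hand over), not
# a real data set. "ts" is seconds; only the fields the rules need are included.
EVENTS = [
    {"ts": 100, "source_type": "server", "action": "auth_failure", "src_ip": "10.0.0.5"},
    {"ts": 110, "source_type": "server", "action": "auth_failure", "src_ip": "10.0.0.5"},
    {"ts": 120, "source_type": "server", "action": "auth_failure", "src_ip": "10.0.0.5"},
    {"ts": 130, "source_type": "server", "action": "auth_failure", "src_ip": "10.0.0.5"},
    {"ts": 140, "source_type": "server", "action": "auth_failure", "src_ip": "10.0.0.5"},
    {"ts": 200, "source_type": "firewall", "action": "deny", "src_ip": "10.0.0.9"},
    {"ts": 205, "source_type": "firewall", "action": "deny", "src_ip": "10.0.0.9"},
    {"ts": 210, "source_type": "firewall", "action": "deny", "src_ip": "10.0.0.9"},
    {"ts": 230, "source_type": "ids", "action": "alert", "src_ip": "10.0.0.9"},
    {"ts": 300, "source_type": "server", "action": "auth_failure", "src_ip": "10.0.0.7"},
    {"ts": 400, "source_type": "server", "action": "auth_failure", "src_ip": "10.0.0.7"},
    {"ts": 500, "source_type": "firewall", "action": "deny", "src_ip": "10.0.0.11"},
    {"ts": 510, "source_type": "ids", "action": "alert", "src_ip": "10.0.0.11"},
]


def _prune(q, now, window):
    """Drop timestamps older than `window` seconds from the left of a deque."""
    while q and now - q[0] > window:
        q.popleft()


class ThresholdRule:
    """Fire when `threshold` matching events share the same `key` within `window` seconds."""

    def __init__(self, name, match, key, threshold, window, severity):
        self.name, self.match, self.key = name, match, key
        self.threshold, self.window, self.severity = threshold, window, severity
        self.buckets = defaultdict(deque)  # key value -> timestamps in the window

    def feed(self, ev):
        if not self.match(ev):
            return None
        q = self.buckets[ev[self.key]]
        q.append(ev["ts"])
        _prune(q, ev["ts"], self.window)
        if len(q) >= self.threshold:
            q.clear()  # fire once per burst instead of on every further event
            return {"rule": self.name, "severity": self.severity, "key": ev[self.key], "ts": ev["ts"]}
        return None


class SequenceRule:
    """Fire when a `trigger` event arrives for a key that already produced at least
    `threshold` `precursor` events within `window` seconds (cross-source correlation)."""

    def __init__(self, name, precursor, trigger, key, threshold, window, severity):
        self.name, self.precursor, self.trigger, self.key = name, precursor, trigger, key
        self.threshold, self.window, self.severity = threshold, window, severity
        self.history = defaultdict(deque)  # key value -> precursor timestamps

    def feed(self, ev):
        q = self.history[ev[self.key]]
        _prune(q, ev["ts"], self.window)
        if self.precursor(ev):
            q.append(ev["ts"])
            return None
        if self.trigger(ev) and len(q) >= self.threshold:
            q.clear()
            return {"rule": self.name, "severity": self.severity, "key": ev[self.key], "ts": ev["ts"]}
        return None


def make_rules():
    """Fresh rule instances (rules carry sliding-window state, so never share them between runs)."""
    return [
        ThresholdRule("brute_force", match=lambda e: e["action"] == "auth_failure",
                      key="src_ip", threshold=5, window=60, severity="High"),
        SequenceRule("denies_then_ids_alert",
                     precursor=lambda e: e["source_type"] == "firewall" and e["action"] == "deny",
                     trigger=lambda e: e["source_type"] == "ids",
                     key="src_ip", threshold=3, window=120, severity="Critical"),
    ]


def correlate(events, rules=None):
    """Run every rule over the events in time order and return the alert queue
    the way a Level 1 analyst wants it: most severe first, then oldest first."""
    rules = rules if rules is not None else make_rules()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    alerts.sort(key=lambda a: (-SEVERITY_ORDER[a["severity"]], a["ts"]))
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"[{a['severity']:8}] {a['rule']} src={a['key']} at t={a['ts']}")
```

With the constructed events, the five failures from 10.0.0.5 inside 60 seconds raise a High alert, and the three firewall denies from 10.0.0.9 followed by an IDS alert for the same source raise a Critical one; the two failures from 10.0.0.7 are too far apart and the single deny from 10.0.0.11 is below the threshold, so neither creates noise in the queue.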
Logger
- It stores the parsed events
- User data like alerts, dashboards and reports
Thanks for reading, I hope you liked this blog.
Happy Learning!!!