SOC Mission, Roles, and Tools
Key Points
- The SOC’s core mission is to detect and respond to security incidents, complementing broader cybersecurity efforts focused on prevention.
- A modern SOC is staffed with four main roles: a manager who oversees operations, engineers who build and configure the environment, analysts (often tiered from 1‑3) who investigate alerts, and threat hunters who proactively seek hidden risks.
- Analysts rely on a SIEM to ingest telemetry—such as logs from a web server under a denial‑of‑service attack—and provide the data needed for rapid investigation and mitigation.
- Tiered analyst structures allow basic alerts to be triaged by Tier 1, with deeper forensic work escalated to Tier 2 or Tier 3, which can be handled in‑house or via managed security services.
- Threat hunters generate hypotheses and conduct proactive searches across the SOC’s tooling to uncover latent threats before they manifest as active incidents.
Sections
- Inside a Modern Security SOC (00:00:00, https://www.youtube.com/watch?v=OHkWXFheSKM&t=0s) - An overview of a SOC’s mission of detection and response, outlining its core roles—manager, engineer, and tiered analysts—and illustrating how various tools operate in real‑world cybersecurity scenarios.
- Detecting Exfiltration and Malware with UBA and XDR (00:03:02, https://www.youtube.com/watch?v=OHkWXFheSKM&t=182s) - The speaker outlines using a UBA‑enhanced SIEM to flag abnormal data access/exfiltration and employing an XDR platform’s federated search for threat hunting across infected workstations.
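As an added example (not code from the video or from IBM), the baseline-and-deviation logic a UBA-style detector applies in the second scenario, run over constructed database audit lines; the log format, user names and row counts are assumptions made for the example:

```python
import re
import statistics
from collections import namedtuple

# Constructed database audit lines (not from the video). The baseline holds
# normal activity; "today" adds a night-time read by bob far outside his own
# history, while alice's somewhat larger read stays within hers.
BASELINE_LOG = """\
2024-05-01T09:10:00 user=alice action=SELECT table=customers rows=100
2024-05-02T09:40:00 user=alice action=SELECT table=customers rows=120
2024-05-03T10:05:00 user=alice action=SELECT table=orders rows=140
2024-05-01T09:12:00 user=bob action=SELECT table=customers rows=40
2024-05-02T09:15:00 user=bob action=SELECT table=customers rows=50
2024-05-03T09:20:00 user=bob action=SELECT table=customers rows=60
"""
TODAY_LOG = """\
2024-05-06T09:11:00 user=alice action=SELECT table=customers rows=150
2024-05-06T02:47:00 user=bob action=SELECT table=customers rows=250000
2024-05-06T09:30:00 user=bob action=SELECT table=customers rows=48
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=\S+ "
                     r"table=\S+ rows=(?P<rows>\d+)$")
Alert = namedtuple("Alert", "user timestamp rows baseline_mean zscore")

def parse(log):
    """Yield (timestamp, user, rows) for each well-formed audit line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped; a real pipeline would count them
            yield m["ts"], m["user"], int(m["rows"])

def build_baseline(log):
    """Per-user mean and population std-dev of rows read per query."""
    per_user = {}
    for _, user, rows in parse(log):
        per_user.setdefault(user, []).append(rows)
    return {u: (statistics.mean(v), statistics.pstdev(v)) for u, v in per_user.items()}

def detect(baseline, log, z_threshold=3.0):
    """Flag queries whose row count sits z_threshold std-devs above the user's norm."""
    alerts = []
    for ts, user, rows in parse(log):
        if user not in baseline:
            continue  # no history to compare against; first-seen users need their own rule
        mean, std = baseline[user]
        z = (rows - mean) / max(std, 1.0)  # floor std so a flat history can't divide by ~0
        if z >= z_threshold:
            alerts.append(Alert(user, ts, rows, mean, round(z, 1)))
    return alerts
```

The point is that the alert is relative to each user's own history: bob's 250,000-row read is flagged while alice's 150 rows, larger than anything in her baseline, is not, because it is only about 1.8 standard deviations above her mean.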
Source: https://www.youtube.com/watch?v=OHkWXFheSKM
Duration: 00:05:41
Full Transcript
"Houston, we have a problem." Those are the famous words from the Apollo 13 moon mission.
Well, what if you have a problem in cybersecurity?
Who is mission control?
Well, it's the SOC-- the security operations center.
And you're looking at a picture of IBM's cyber range in the Boston, Massachusetts area where you can see what a modern SOC would look like.
Lots of technology.
Well, what is the mission of the SOC?
What are the roles and organization of a SOC?
What are the tools?
And in particular, I'm going to go through three different scenarios as to how those tools might run in a modern SOC.
First of all, the mission.
So, in security, we're always focused on prevention, detection, and response.
That's what everything in cybersecurity is about.
And the SOC is particularly focused on those last two things where it's about finding the problems and resolving those problems.
Now, a little bit about the roles.
There's at least four distinct roles I'm going to talk about here.
One is the manager of the SOC who organizes the operations.
There is an engineer.
Engineers are the people who are building the SOC itself, as in installing the software, picking the tools, configuring the tools and things of that sort.
Then we have an analyst.
A SOC analyst is going to be the one who is actually going through the scenarios, fielding the incidents and trying to discover what was the root cause of those.
Oftentimes, we have SOC analysts that are organized in different tiers, depending on the level of complexity of the problem that they're dealing with.
So a tier 1, tier 2, tier 3, where the tier 1 does the initial fielding of the issues, and then if it needs deeper investigation, tier 2 and tier 3.
Very often these could be done in-house or could be done as part of a managed security service.
Or maybe you just have the tier 1 as the managed security service and then your organization does the deeper investigations.
The fourth role that I'm going to mention here is a threat hunter.
And a threat hunter is someone who is going to come up with a hypothesis and then they're going to go out proactively trying to find where the problem areas might be.
Okay, let's talk about the tools. In the tools area, let's take a scenario where we've got a web server and that web server now suddenly starts getting tons and tons of traffic and it's not good traffic.
In fact, we're in a denial of service situation, so we're under attack.
What could happen in that case is, I'm going to take the information from that web server and feed it into something that we call a SIEM-- a security information and event management system.
And I'm going to have the cybersecurity analyst here looking into the SIEM and seeing what's happening.
They're going to get all of that telemetry, they're going to have the information they need to go off and do an investigation and find out what's going on.
So that's our first scenario.
Our second scenario, let's say we have a database-- with critical information in it --and someone is exfiltrating that data.
That is, they're taking data out of that system and sending it out into the network.
Maybe they're selling it, who knows what they're doing.
But anyway, we would like to be able to detect that there's an anomalous level of activity, either of accessing data or sending data out.
And I could use a technology called a user behavior analytics (UBA) system that runs along with the SIEM in order to figure that out.
And it would send an alarm up and then this SOC analyst might be able to use that system in order to do further investigations.
So that's what an analyst might do in those two cases.
How about let's look at a third case where we have a workstation here and this workstation has been infected by malware.
And in fact, it's not one, but it's a lot of these workstations that are out here, and maybe many of them have been infected and some of them haven't.
So what would we do?
Well, in this case, the threat hunter that I just mentioned would be using a platform, and they might use a platform that we call an XDR, an extended detection and response platform.
And what that tool does is it allows us to query information in what we call a federated search-- pull this information just when I need it.
So I leave the information in place until I need it. Where the SIEM is bringing all the information up, fetching that in advance and acting as an alarm system, this is more of a go out and look through the information and figure out what I want to do.
So our threat hunter uses the XDR system to do that.
Now, we would also have the ability to have linkages between these systems that would also be very important.
And then ultimately leverage a system called a SOAR-- a security orchestration, automation and response system --that either of these people could use in order to go out and guide their activities, orchestrate the response, use a dynamic playbook, open a case, and do the incident response and resolution that's necessary in order to solve the problem.
So now you have an idea of what goes into a modern SOC.
And it all boils down to this: people, process, and technology.
With all of those things working together, a modern SOC can give us the solution we need.
And now, Houston, we have a solution.
Thanks for watching.
If you found this video interesting and would like to learn more about cybersecurity, please remember to hit like and subscribe to this channel.