| Title | Author | Created | Published | Tags |
| --- | --- | --- | --- | --- |
| SOC Fundamentals | Jon Marien | September 08, 2025 | September 08, 2025 | [[#soc\|#soc]], [[#arcticwolf\|#arcticwolf]] |

# SOC Fundamentals

A vulnerability is a weakness in a system's software (or its configuration) that an attacker can use to do things they are not supposed to do. These weaknesses can exist in applications or operating systems on servers, workstations and other devices. For example, the Security Operations Center (SOC) might find that several Windows computers are missing the update that fixes a specific known vulnerability. The SOC is not always the team that applies the fix, but leaving vulnerabilities unpatched makes the entire company less safe, so the SOC tracks them and pushes for remediation.

The SOC also watches for people doing things they should not, such as using stolen employee credentials to log into the company's systems. It is very important to notice this activity quickly, before it causes damage. Clues such as a login from an unusual location can help reveal it.

Another thing the SOC looks for is violations of the company's security rules. These rules, called security policies, help protect the company and keep it within legal limits. What counts as a violation varies from company to company, but common examples are downloading pirated files or sending confidential company information over an insecure channel.

Intrusions are when someone gets into company systems or networks without permission. For instance, an attacker could find a way into a company website, or an employee's workstation could be infected with malware after visiting a malicious website.

When the SOC finds a problem, it helps with the response: it takes steps to contain the situation and tries to find out what caused it. The SOC works closely with the incident response team throughout this process.

A strong SOC relies on three important areas: **People, Process, and Technology**.
When all three are in place, the SOC can effectively spot and deal with security problems.

---

## **People**

The **People** are the **SOC team**. The team has the following roles and responsibilities.

![[image-931.png]]

- **SOC Analyst (Level 1):** These analysts are the first to see incoming security alerts. They triage each alert to decide whether anything dangerous is happening and report what they find using the agreed process.
- **SOC Analyst (Level 2):** When an alert needs a closer look, these analysts take over. They investigate the alerts escalated by Level 1, pulling in data from multiple sources (endpoint, network, identity logs) to understand what is really going on.
- **SOC Analyst (Level 3):** These are the most experienced analysts. They proactively hunt for signs of threats before any alarm goes off, and they lead the response during serious incidents: containing the threat, eradicating it, and helping systems get back to normal.
- **Security Engineer:** This person deploys and configures the tools the analysts use. Their main job is to make sure all the security systems are working properly and receiving the data they need.
- **Detection Engineer:** This role designs and tunes the rules that tell the security tools what to look for. Often Level 2 and 3 analysts take on this work, but it can also be a dedicated specialist on the team.
- **SOC Manager:** The manager oversees how the team works and supports everyone. They also keep in regular contact with the company's security executive (the CISO) to report on the SOC team's activity and the overall security situation.

---

## **Process**

### **Alert Triaging**

Alert triage is the foundation of the SOC team's work. When any alert comes in, the first thing the team does is triage it: analyze the alert to determine how serious it is and how quickly it needs attention.
The main goal during triage is to answer the **5 Ws**:

![[image-932.png]]

***

**Example Alert:** Malware detected on Host: GEORGE PC

| **5 Ws** | **Answers** |
| --- | --- |
| **What?** | A malicious file was found on a computer inside the company's network. |
| **When?** | The file was discovered at 1:20 PM on June 5, 2024. |
| **Where?** | The file was located in a folder on the computer named "GEORGE PC". |
| **Who?** | The file was associated with the user George. |
| **Why?** | After investigation, it turned out that George downloaded the file from a website that sells pirated software; he wanted to use the software without paying for it. |

***

The first four Ws can usually be read straight from the alert and the logs around it. The Why normally requires investigation (talking to the user, checking browser and download history) and is often only answered after escalation.

### **Reporting**

Any alert confirmed as malicious must be escalated quickly to higher-level analysts so that the right people can respond. These alerts are raised as tickets and assigned to the correct team members. A good report covers all 5 Ws, gives a detailed analysis, and includes screenshots as evidence of what happened. The outcome of triage should be recorded even when the alert turns out to be a false positive, because that feedback is what lets the detection rule be tuned.

### **Incident Response and Forensics**

Sometimes an alert points to a very serious security problem. In these cases, a dedicated team starts the incident response process. (This is covered in more detail in the "Incident Response" section.) They may also carry out a deep forensic investigation to work out exactly how the incident happened by carefully examining evidence from the systems or network involved.

---

## **Technology**

Having the right **people and processes** is not enough on its own; security technology is also essential for detecting and responding to threats. The technology pillar refers to these security solutions, which reduce the amount of manual work the SOC team needs to do to spot and deal with security issues.

A company's network usually has a large number of devices and applications.
Trying to monitor and handle threats on each one separately would take far too much time and effort. Security solutions make this easier by bringing together information from all devices and applications in one place, and by automating much of the detection and response work.

Here is a simple look at some key security solutions used in SOCs:

- **SIEM (Security Information and Event Management):** This is the tool most SOCs are built around. It collects logs (records of activity) from the different devices and applications on the network. The SIEM looks for suspicious activity by applying the detection rules you set up; when an event matches a rule, it raises an alert for the team. Modern SIEMs go further: they can model how users normally behave (user behaviour analytics), pull in external threat information (threat intelligence), and use machine learning to improve detection. A SIEM is only as good as the logs it receives and the rules written for it, so log coverage and rule tuning are ongoing work. ***Note: SIEMs are mainly used for detection, not for responding to threats directly.***
- **EDR (Endpoint Detection and Response):** EDR tools watch individual computers and devices. They provide real-time and historical activity details (processes, file changes, network connections), so the SOC can see exactly what is happening on the "endpoint" (a laptop, desktop or server). EDR can also take automated response actions, such as isolating a host or killing a process, which lets analysts investigate and stop problems quickly.
- **Firewall:** A firewall protects the company's network by acting as a gate between the internal network and the outside world (such as the internet). It inspects traffic going in and out and blocks anything that violates its policy or looks suspicious. Many firewalls also apply detection rules (signatures) to catch and block known threats before they can cause harm.

There are plenty of other security tools as well, such as Antivirus, EPP (Endpoint Protection Platform), IDS/IPS (Intrusion Detection/Prevention Systems), XDR (Extended Detection and Response), SOAR (Security Orchestration, Automation, and Response), and more.
Deciding which technology to use in the SOC depends on what kinds of threats the business faces and how many resources are available.
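To make the SIEM loop concrete (collect logs, match detection rules, raise an alert) and to show how an alert maps onto the 5 Ws used in triage, here is a small rule engine in Python. It is an added example, not code from the original note or from any SOC product: it parses a handful of constructed JSON-lines login events, runs an "unusual login location" rule (the clue mentioned at the start of the note) and a "failed login burst" rule, and pre-fills the What/When/Where/Who of a ticket, leaving the Why for the analyst. The field names, the per-user country baseline and the thresholds are assumptions for illustration, not any vendor's schema.

```python
"""Toy SIEM-style detection over constructed login logs (added example)."""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs, one JSON event per line. Field names are assumed.
# The last line is deliberately malformed to show the parser must not crash.
SAMPLE_LOGS = """\
{"ts": "2024-06-05T08:02:11Z", "user": "george", "host": "GEORGE-PC", "src_country": "CA", "outcome": "success"}
{"ts": "2024-06-05T08:40:53Z", "user": "alice", "host": "ALICE-PC", "src_country": "CA", "outcome": "success"}
{"ts": "2024-06-05T11:00:01Z", "user": "alice", "host": "VPN-GW", "src_country": "CA", "outcome": "failure"}
{"ts": "2024-06-05T11:00:04Z", "user": "alice", "host": "VPN-GW", "src_country": "CA", "outcome": "failure"}
{"ts": "2024-06-05T11:00:07Z", "user": "alice", "host": "VPN-GW", "src_country": "CA", "outcome": "failure"}
{"ts": "2024-06-05T11:00:10Z", "user": "alice", "host": "VPN-GW", "src_country": "CA", "outcome": "failure"}
{"ts": "2024-06-05T11:00:13Z", "user": "alice", "host": "VPN-GW", "src_country": "CA", "outcome": "failure"}
{"ts": "2024-06-05T13:20:00Z", "user": "george", "host": "VPN-GW", "src_country": "RO", "outcome": "success"}
this line is not JSON and must be skipped rather than crash the pipeline
"""

# Assumed baseline of countries each user normally signs in from. A real SIEM
# learns this from history (user behaviour analytics); here it is hard-coded.
BASELINE_COUNTRIES = {"george": {"CA"}, "alice": {"CA"}}

FAILED_LOGIN_THRESHOLD = 5  # assumed rule parameters
FAILED_LOGIN_WINDOW_S = 60


@dataclass
class Alert:
    """The part of a triage ticket the SIEM can fill in on its own."""
    rule: str
    what: str
    when: str
    where: str
    who: str
    why: str = "to be established by the analyst"


def parse_events(raw: str) -> list[dict]:
    """Parse JSON-lines logs; malformed or incomplete lines are skipped."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # a bad log line is dropped, not fatal
    return events


def rule_unusual_location(events: list[dict]) -> list[Alert]:
    """Successful login from a country outside the user's baseline."""
    alerts = []
    for ev in events:
        allowed = BASELINE_COUNTRIES.get(ev.get("user"))
        if ev.get("outcome") != "success" or allowed is None:
            continue
        if ev.get("src_country") not in allowed:
            alerts.append(Alert(
                rule="unusual_login_location",
                what=f"successful login from {ev['src_country']}, "
                     f"outside baseline {sorted(allowed)}",
                when=ev["ts"].isoformat(),
                where=ev.get("host", "unknown"),
                who=ev["user"],
            ))
    return alerts


def rule_failed_login_burst(events: list[dict]) -> list[Alert]:
    """THRESHOLD or more failed logins by one user inside a sliding window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("outcome") == "failure" and "user" in ev:
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, fails in by_user.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans <= WINDOW_S seconds
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > FAILED_LOGIN_WINDOW_S:
                start += 1
            if end - start + 1 >= FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert(
                    rule="failed_login_burst",
                    what=f"{end - start + 1} failed logins within {FAILED_LOGIN_WINDOW_S}s",
                    when=fails[start]["ts"].isoformat(),
                    where=fails[end].get("host", "unknown"),
                    who=user,
                ))
                break  # one ticket per user per batch, not one per event
    return alerts


def run_detections(raw_logs: str) -> list[Alert]:
    """Collect, match rules, raise alerts: the SIEM loop in miniature."""
    events = parse_events(raw_logs)
    alerts: list[Alert] = []
    for rule in (rule_unusual_location, rule_failed_login_burst):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOGS):
        print(a)
```

Run against the sample logs this produces two tickets: George's successful login from RO (outside his CA baseline) and Alice's five failed VPN logins inside 12 seconds. Note what the engine cannot do: the `why` field is left for the analyst, the failed-login rule emits one ticket per user rather than flooding the queue, and the malformed log line is dropped rather than taking the whole pipeline down, which is the practical difference between a rule that works on a slide and one that survives production logs.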