Transcript for:
Overview of SOC Analyst Responsibilities

[Music] Hello team, welcome to my session on Coffee with Prabh. Today we are going to discuss the SOC analyst. SOC stands for security operation center, and the person who works in that center is called an analyst. This profile has been getting attention for the last two years, so I thought I would make some videos on it, and I am coming up with some seasons of videos. In the first season we are going to discuss SOC responsibilities, the purpose of the SOC, and governance; from the second series we are going to start with the interview questions. If you are new to my YouTube channel, do subscribe and click on the bell icon to make sure you do not miss my future videos on the SOC. My name is Prabh Nayar; for more information you can refer to my LinkedIn profile. Thank you.

So the question always arises: what is a SOC? When we are talking about SOC, SOC stands for security operation center. It is a sum of people, process and technology that monitors enterprise IT infrastructure 24x7, detects cyber security events and incidents in real time, and addresses them as quickly and as effectively as possible. So you can imagine the SOC is just like the police, it is a cop: they discover the threats, they discover the issues in the city, in the state, in the place, and according to that they try to react. The way we have police whose goal is to ensure that they protect our life, in the same way these professionals, the SOC team professionals, are responsible for protecting my organization, or our organization, from all kinds of external or internal attacks. So they have a team of professionals who follow the process, and according to that they manage the technology which is used to protect the organization. They use tools which scan the network 24x7 to flag any abnormalities or suspicious activity. In some cases they refer to the SOC as the blue team. The goal is basically to protect from all kinds of attacks, and we also have one more team which is called the red team; the red team is the one who does the testing on a regular basis to ensure that they are protecting the resources or assets more effectively.

Let us see one example. There is a virus which attacks your system; just imagine a virus tries to attack your organization. We have a SOC team which monitors all these kinds of attacks on all the systems, and if they find that there is a virus they have to react, so they will react according to the virus and make sure they reduce the impact. Their primary goal is to prevent the incident; their primary objective is to prevent the incident or reduce the impact of the incident. So that is the goal we have, that is the primary role of the SOC. Here you can see they use a tool which scans the network, assets and technologies to flag all the abnormal behaviors, whatever is not normal is abnormal and suspicious activity, and according to that they react.

We use one term on a regular basis which is called event and incident. An event is basically any series of activity which is used to meet the business objective. Like, I want to start the session at 9 a.m. in the morning, and I am able to start the session by 9 a.m. by just opening the browser and launching GoToMeeting, so that is an event. But if I fail to start the session by 9 a.m., my customer will ask me for the penalty amount, which is something against the agreed organization objective, so that is flagged as an incident. So any activity which impacts the organization objective, which impacts the confidentiality, integrity and availability of assets, is basically called an incident.

So let us discuss what SOC team members do in the company, and then we will discuss the SOC team members. There is always a question: what does this team do, why do we need a SOC in the organization? Just saying a statement, it monitors the enterprise from all kinds of external threats, but the question is what the other things are apart from monitoring. The first thing it always does is monitoring. Monitoring basically provides visibility at the organization level of what digital activities are happening in the organization. In this case, for example, we have a system A, a system B, a system C and a system D. Any kind of suspicious activity that happens on system A, or on all of these, we have a dedicated console by which we manage it. So here the team of professionals does log file analysis, because logs can come from the endpoints like notebook computers, mobile phones, IoT devices, routers, firewalls, IDS and all that. These logs, this information, we collect, and from there we try to identify whether any suspicious activity is happening or not. SOC team members work with various resources, which can include your IT workers like help desk technicians as well as other professionals, to make sure things are working effectively. That is basically the first function, which is called monitoring.

The second part is called prevention techniques. In prevention techniques, what happens is they implement rules, they implement some kind of countermeasures, by which we are able to block a wide range of known and unknown risks. So first is monitoring: look for the normal and abnormal behavior, and if they find that a system was infected with a virus, they have prevention techniques by which they isolate the system from the network and make sure that further impact does not occur.

The third and most important function they have is proactive incident response and remediation; if you notice the keyword, proactive incident response and remediation. Proactive incident response and remediation is supported by automatic tools and human intervention. Nowadays we have many automation tools, XDR and all that, by which we are able to proactively detect and respond to the incident. So here the SOC coordinates an organization's ability to take the necessary steps to mitigate the damage and communicate properly to keep the organization running after an incident. It is not enough to just view the logs and issue the alert; the major part of incident response is to help the organization recover from the incident. That is why that is one of the key functions of the SOC we have, and by this they are able to protect the organization from any kind of compliance breach. For example, you are operating your service in Europe, and you are very well aware that as a company operating the service in the EU you need to comply with one of the regulations, laws, restrictions and all that, which is called GDPR. In layman terms it means if I am running a company in any country, I need to respect the laws and regulations of that particular country. According to that, one other requirement of the law is to protect the customer data and all that, so this team will apply the necessary controls to ensure that they as a company comply with GDPR, they comply with ISO 27001. When you comply with such regulations and standards, that is how you build trust in the market, right? So that is a key feature we have: they do the monitoring, they apply the necessary techniques to block if they detect something, they proactively respond to it to reduce the impact, and moreover by applying all these controls they ensure compliance with legal and regulatory requirements. It is like the police scope: they try to protect us and all that, by which they need to maintain law and order. The same way, the SOC team is there, which monitors all these attempts to ensure that they comply with the legal and regulatory requirements.

Now we are going to discuss the types of SOC. What types of SOC do we have? We have different types of SOC. The first is called an internal SOC, in which we have more governance, more visibility, and most important, more control; that is the primary advantage of having an internal SOC. It means within your organization you have a physical room, and from that physical room you are managing everything, end to end. So you can imagine from the logical to the physical level, when you have complete visibility you have complete control. But one disadvantage of the internal SOC we have is cost and liability, because upfront we need to invest in all the resources and everything. So that is basically one disadvantage we have. But when we have a concern about governance, as a CSO, as an information security manager, if you think from that point of view you need to see the cost, liability, governance, risk and everything, and from that perspective an internal SOC is a great advantage, but cost is a major thing, liability is a major thing, a lot of CapEx, capital expenditure, is involved. So that is called an internal SOC, where you build everything internally, end to end, everything hosted locally.

The second is called a virtual SOC. Virtual SOCs are not on-prem, and they are made up of part-time or contracted workers who work together in a coordinated manner to resolve issues as needed. The SOC and the organization set parameters and guidelines for how the relationship will work, and how much support a SOC offers can vary depending upon the needs of the organization. So some SOC services are on-prem and some are controlled remotely; that is called a virtual SOC. We do not have end-to-end our own people, process and technology; we have a balance.

The third is called outsourced. Most companies, because of cost and liability, go for this one which is called an outsourced SOC. They outsource the entire SOC operation to a third party, so the third party can remotely manage the whole organization. Suppose this is the company which provides the SOC service; they deploy the agents on all the systems and they start pulling all the logs of different companies, and from here they manage things. It is like, you know, we have contracted a company to provide me physical security. So an outsourced SOC is one in which some or all functions are managed by an external managed security service provider, which we call an MSSP. They are primarily into providing SOC services, and they specialize in security analysis and response. Sometimes these companies provide specific services to support an internal SOC, and sometimes they handle everything, so they will say, boss, you need to pay me this much every month and the rest I will take care of. They will deploy the solution, but they remotely manage the solution; they collect the logs directly from the systems remotely and manage everything. That is called an outsourced SOC. From an information security manager's and from a CSO's point of view, an outsourced SOC is a blend of managing cost, capital investment, and governance, risk and compliance. If you have a good contract with the MSSP you can have better visibility of what kind of logs you are collecting and everything. But if you do not want to take any kind of risk and you want more and more visibility, you can go for the internal SOC.

Now we are going to discuss the different types of SOC team. When we are talking about the SOC, in the SOC we categorize the team into three sections: L1, L2 and L3. L1 is the one who monitors, prioritizes and investigates; they do the triage activity, and this is where the security analyst typically spends most of the time. Tier one or L1 analysts are typically the least experienced analysts, like beginners and all that, and their primary function is to monitor the event logs for suspicious activity. When they feel something needs investigation, they gather as much information as possible, and then they can escalate that information to level two. Let me explain in layman terms. For example, we have a system A, a system B and a system C. Now what happens is we discover some virus in the system; we got a notification through the logs and all that, that okay, there is a virus. The L1, which is the analyst, reviews all the logs, reviews all the issues, reviews all the data, and checks whether it is an actual incident or something else, which is called a false positive. False positive means they have alerted it as an incident but it is not; a false positive is basically inappropriate information. The first step is to confirm, because sometimes what happens is the user also reports there is a virus, but in reality it is not a virus. So L1 will confirm that incident by asking some questions, reviewing the records and everything. Once you confirm, then they need to go through triage. Triage is all about prioritizing the incident, because we receive 100 tickets in a day and it is not possible that we can give attention to every ticket, so we try to triage the activity. In the triage we follow one formula; the formula is severity plus impact. Severity plus impact equals priority; I repeat again, severity plus impact equals priority. So we will check the severity of the virus, and then we will check how this virus is impacting my system A. If they find that the impact is very high, we will prioritize, and then the analyst initiates the investigation based on the priority criteria which are set by the organization. So L1 sets the priority and forwards that to L2.

Now it goes to L2. As I said, the system was infected with the virus, and L1 confirmed it is a virus. Now what is the role of L2 here? L2 digs deeper into the suspicious activity to determine the nature of the threat, and also checks the extent to which it has penetrated the infrastructure, and these analysts coordinate the response for remediating the issue. Their role is that if a system was infected with the virus, boss, reduce the impact, like removing the system from the network, reinstalling Windows and removing the virus; that is the responsibility of layer 2, or you can say L2. So L1 is responsible for confirming the incident and prioritizing, and L2 is basically removing the virus, like implementing an ACL, installing an antivirus, updating signatures, to make sure the impact can be reduced. So L1's and L2's work is over, thank God; according to the SLA and everything we are able to achieve the thing, because the customer was also creating some issues: customer one, why is the server down? So L2 will ensure, by removing the virus, that the system is restored back to production, by which we define the SLA.

Now the third is called L3. L3 are basically like experts; they are like the threat hunting people and all that. They are the most experienced analysts, who support complex incident response and spend any remaining time looking through forensic and other data for threats that the software detects, or sometimes does not. So you can say in layman terms: L1 is responsible for confirming the incident, L2 is reducing the impact by installing the antivirus or implementing the ACL, and L3 does the root cause. They do the root cause because now, as per the SLA, we have closed the ticket, but the question is how that virus attacked the system, what the reason is. So identifying the root cause, root cause analysis, and finding a solution to make sure a similar activity does not happen again. Average companies spend the least time on the threat hunting activity, as tier one and tier two consume so many analyst resources; so they are primarily looking for the reasoning for this attack and making sure this does not happen again. So this is the entire case study of the SOC team.

I have one website from where I got this information, and thanks to AJ and Rupain from whom I got more information about this; I would like to thank them also. Along with that I explored some websites which gave me the idea about this one, which is called the responsibility part. So let me show you that, just give me a second. There is a website called Exabeam. On this website, if you notice, they are giving you the same thing. See, we have tier one, which is called analyst; they are the front liners, they receive the ticket. Then tier two is responsible for reducing the impact, removing the virus, installing the ACL, and then further we have SMEs for the network, SMEs for threat intel, SMEs for the endpoint, SMEs for malware, to understand how this attack happened, so that they are able to mitigate it from a future perspective and this does not happen again. If you see the responsibility part for tier one, the tier one responsibility is that they monitor SIEM alerts, manage and configure things, prioritize; they triage the alerts, which is identifying, sorting and everything. Then we have tier two; tier two receives the incidents, performs deep analysis, and defines and executes the strategy for containment and remediation. Along with that, the skills and qualifications required are similar to everyone but with more experience in incident response. So whenever you are making your career in a SOC and all that, you always start with tier one only, so we have L1 only. So far we have certifications like CySA+ from CompTIA, very good; then EC-Council has the CSA; then I work for InfosecTrain, and InfosecTrain has a SOC analyst expert course in which we deal with multiple tools, which will prepare you for both L1 and L2, that is the best thing about us, and we also have our own exam. So these are the things which you can use to upgrade your skills. But if you notice, we have a tier 3, which is called L3; they do the day-to-day, conduct vulnerability assessment and PT on a further level, and try to identify why this attack happened, so they try to patch those areas. That is called tier three, and then L3, L1, L2 report to the SOC manager, who is responsible for overseeing the entire thing. So this is called L1, L2 and L3.

Now the question is what technology is required for building a SOC. One thing we need is a SIEM, because the SIEM basically provides the SOC foundation; it gives the ability to correlate rules against a massive amount of data to find the threats. For example, we have a system A, a system B, a system C, a system D, and this is the SIEM we have. Any activity that happens on systems A, B, C, D, all this information goes to the SIEM; the SIEM aggregates the data from all the systems. After aggregating, it correlates. For example, there is a firewall, and we have an IP which is called, just give me a second, 1.1.1.1; it is an attacker IP, just imagine. So we have our attacker IP. The attacker IP was able to bypass the firewall, then it attacks system A, then it attacks system B, attacks system C, attacks system D. The firewall will send the log to the SIEM, A sends a log to the SIEM, B sends a log to the SIEM, C sends a log to the SIEM, D sends a log to the SIEM. So all the logs have been aggregated here, correlated here, and from there we can get meaningful information. That is where the SIEM is the foundation for everything; otherwise, if you are talking about only log management, it only collects the logs, and we need to correlate, review and everything manually, which is a time-taking task. The SIEM basically automates the entire response process. So this tool provides the SOC foundation, given its ability to correlate rules against a massive amount of disparate data to find the threats. That is the activity which is happening here.

Now the second thing is called behavioral monitoring. We have tools like UEBA, user and entity behavior analytics. In the case of UEBA, they typically add on top of the SIEM platform, which helps the security team to create a baseline by applying behavioral modeling and machine learning to surface security risks, because when we are collecting data it needs to be collected based on some benchmark and all that, right, abnormal activities and all that. So we use some UEBA tools with the SIEM to collect and correlate the information. For example, receiving 70 packets in a minute, which is against the normal baseline: behavior monitoring will detect that, and with behavior monitoring, with the help of UEBA, we collect that, and the SIEM helps us to aggregate the data.

Another important thing required in the SOC is asset discovery. Asset discovery, or an asset directory, helps you to better understand what systems and tools are running in your environment, and it enables you to determine what the organization's critical systems are and how to prioritize the security controls. Without asset discovery it is difficult to have visibility about the SOC. Along with that we also need to perform vulnerability assessment. Vulnerability assessment is all about identifying the gaps in the system, identifying the weaknesses in the system. The security team will search the system for vulnerabilities to spot these cracks and act accordingly, and some certifications and regulations also require periodic vulnerability assessment to prove compliance. Like, on a regular basis we identify vulnerabilities at an advanced stage so we are able to block or patch those areas in advance, instead of this occurring again. For example, we have a system in the organization, and we discover that the system has some vulnerabilities; we have a system which already has a vulnerability, so we patch it. But if we have not discovered it, it is still there, so it is a soft target for any attacker. In the SOC we also ensure on a regular basis that we identify vulnerabilities in the assets so we are able to block them.

The next thing is called intrusion detection. We also install some kind of monitoring tool, sorry, we also install some kind of detective tools, which are a fundamental tool for the SOC to detect the attack at the initial stage, and they typically work by identifying known patterns of attack using intrusion signatures. If you ask me the sequence: suppose this is my NIDS that I installed; my previous video has covered IDS, you can check that. NIDS logs go to the SIEM, then we have UEBA here, which collects the data and sends it to the SIEM, and the SIEM is collecting, aggregating and correlating the data which is used by the SOC professionals to respond to things and everything. So this is how it works. This team, this SOC, is a sum of people, process and technology by which they alert and detect things.

So the question is what skills are required. See, as a SOC tier 1, tier 2, tier 3 you need to have an understanding of Windows and Linux, because definitely that is something you are trying to protect. If you know logs, you want to understand the logs and elements and everything; unless you have visibility about the OS you cannot do anything in that. So understanding of Windows, Linux, Mac is required. In some cases you need to know good Python and PowerShell; that is a great language we have, because sometimes we need to run scripts. Definitely tools on a level, and SIEM, so QRadar SIEM. In my InfosecTrain SOC course we cover both QRadar and Splunk, that is the best thing about our course; other companies cover only Splunk, but we cover Splunk, QRadar and other tools, because these are used for aggregating the logs and everything. In some cases you need to know the OSI model; it is a very important thing in the SOC, the foundation is the OSI model. You should know in which layer what happens, what kind of attack we have, so OSI model understanding is very, very important. In some cases you need to know the protocols; for example you need to know how DNS works, how DHCP works, you should know how HTTP works, and accordingly HTTP errors and so on, and without understanding the protocols it is difficult to drive these things. Vulnerability assessment we have already discussed, and sometimes when you are working on the reporting parts and all that you must have good writing skills and all that, because you need to convey the reports to the management, you need to articulate the details in such a manner that it is easy for people to understand. So that is the thing we have; these are the skills which are required by people to enter into the SOC.

But the question is what the success factors are. We understood technology is required, we understood skill is required, but along with that what is the holistic approach for the success factors for building a SOC? That is the keyword. The first important success factor is management sponsorship. By the end of the day, paisa, which is called money, is given by the management, so the SOC program must have executive sponsorship. Make sure your SOC program is not the hi-fi security solution, because you also need to understand your solution should be mapped with the business objective, understood? So there is no point in directly buying Check Point or Splunk and all that, and later on the company does not have a budget; there is a probability the management will reject your proposal. So as a SOC manager or as a CSO, when you are convincing the management for the SOC, your solution should be mapped with the business objective, it should be mapped with the regulatory requirements. So management sponsorship is a very important thing. In some cases what happens is the CIO, or in some cases the CEO, becomes the internal executive sponsor for the SOC program, so your business case should have clarity about why we need a SOC.

Second is effective governance. For the SOC you convince, you introduce people, process, technology, but the problem is that you do not have metrics to monitor the SOC, so governance is required. Now what is governance? Governance is all about organization structure, policy, procedure. So you need to have proper oversight of what is happening, and how you do that: you introduce the RACI chart, responsible, accountable, consulted, informed; you introduce some kind of KPI and KRI by which you can measure the SOC, like before the SOC we had 70 incidents in a day, after the SOC we are able to close 30 incidents; we have a RACI chart for each and every professional, this is the SLA. So this is called effective governance. Like we do governance at home, right? Parents set the rules, like in the morning you have to wake up by eight o'clock, you have to complete your breakfast by 8:30, you have to rush for school at nine o'clock, in the evening at two o'clock you will come back, five o'clock is the fixed time for your lunch, evening, whatever. So these are rules and regulations which have been created by our parents so that they can give us a better life. In the same way we need to create policies, procedures and a responsibility matrix by which we are able to manage the SOC. So you can say the first two are the most important pillars we have for the SOC. The second thing: whatever monitoring we have, we need to have proper visibility; unless we have visibility and access to data it does not make sense. Then skill set: another important thing, definitely we need the right people for the right thing, and if you do not have that it does not make sense, right? So skill set and experience are required in some cases, and we also need to create processes and procedures. Like today we have 10 people, and tomorrow they leave and again new people have joined, so again we need to train them end to end. If you have clear processes and procedures, which is called KT, knowledge transfer, by that we are able to build an effective SOC.

If you find this video useful, do share it in your network and do let me know what other videos you want me to create on the SOC, and make sure you watch my other two interview question videos which I am making on the SOC, which will help you with your interview preparation. Thank you for watching my video. If you are new to my channel, do subscribe to my YouTube channel, it motivates me, and do share your inputs in the comment box, and do let me know what the best tool you can use for the SOC is, like what is the best tool for the SIEM and what is the best tool for the UEBA. Thank you for watching my video, bye.
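The SIEM aggregation and correlation scenario (attacker IP 1.1.1.1 bypassing the firewall and touching systems A to D) and the L1 triage formula (severity + impact = priority) from the transcript, as an added Python example that is not part of the video. The log line format, host names, score values, escalation threshold and the critical-asset inventory are assumptions made up for illustration.

```python
"""Added example: toy SIEM-style aggregation, correlation and L1 triage."""
from collections import defaultdict

# Constructed sample logs from the firewall and hosts A-D, modelled on the
# video's scenario; 1.1.1.1 is the imagined attacker IP from the transcript.
SAMPLE_LOGS = [
    "2024-01-01T09:00:01 firewall src=1.1.1.1 dst=10.0.0.1 action=ALLOW port=445",
    "2024-01-01T09:00:05 hostA src=1.1.1.1 event=login_failed user=admin",
    "2024-01-01T09:00:09 hostA src=1.1.1.1 event=malware_detected file=dropper.exe",
    "2024-01-01T09:00:12 hostB src=1.1.1.1 event=login_failed user=admin",
    "2024-01-01T09:00:20 hostC src=1.1.1.1 event=login_failed user=admin",
    "2024-01-01T09:00:31 hostD src=1.1.1.1 event=login_failed user=admin",
    # Benign noise: one user mistyping a password once, then logging in.
    "2024-01-01T09:01:00 hostB src=10.0.0.50 event=login_failed user=bob",
    "2024-01-01T09:01:30 hostB src=10.0.0.50 event=login_ok user=bob",
]

# Assumed asset inventory (the "asset discovery" input): hostA is critical.
CRITICAL_ASSETS = {"hostA"}


def parse_line(line):
    """Parse 'timestamp source key=value ...' (constructed format) into a dict."""
    ts, source, *fields = line.split()
    rec = {"ts": ts, "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def aggregate(lines):
    """Aggregation step: group every record by its src IP, as a SIEM does first."""
    by_src = defaultdict(list)
    for rec in map(parse_line, lines):
        if "src" in rec:
            by_src[rec["src"]].append(rec)
    return by_src


def correlate(by_src, min_hosts=3):
    """Correlation rule: raise an alert when one src IP is seen on at least
    min_hosts distinct hosts, or when any host reports malware from it."""
    alerts = []
    for src, recs in by_src.items():
        hosts = {r["source"] for r in recs if r["source"] != "firewall"}
        malware = any(r.get("event") == "malware_detected" for r in recs)
        passed_fw = any(r["source"] == "firewall" and r.get("action") == "ALLOW"
                        for r in recs)
        if len(hosts) >= min_hosts or malware:
            alerts.append({"src": src, "hosts": sorted(hosts),
                           "malware": malware, "bypassed_firewall": passed_fw})
    return alerts


# Triage scores are an assumption for illustration; a real SOC takes them from
# the organisation's own priority criteria.
def severity(alert):
    score = 1                      # baseline for any correlated alert
    if alert["malware"]:
        score += 2                 # confirmed malicious file on a host
    if alert["bypassed_firewall"]:
        score += 1                 # perimeter control did not stop it
    return score


def impact(alert):
    # Impact grows with the number of hosts touched and whether a critical asset is among them.
    return len(alert["hosts"]) + (2 if CRITICAL_ASSETS & set(alert["hosts"]) else 0)


def triage(alerts, escalate_at=5):
    """L1 step: priority = severity + impact; escalate to L2 above a threshold."""
    out = []
    for a in alerts:
        sev, imp = severity(a), impact(a)
        out.append({**a, "severity": sev, "impact": imp, "priority": sev + imp,
                    "escalate_to_l2": sev + imp >= escalate_at})
    return sorted(out, key=lambda x: -x["priority"])


def run(lines=SAMPLE_LOGS):
    """Full pipeline: aggregate -> correlate -> triage."""
    return triage(correlate(aggregate(lines)))


if __name__ == "__main__":
    for ticket in run():
        print(ticket)
```

The single-host login failure from 10.0.0.50 never becomes an alert, which is the false-positive class the L1 analyst filters out before triage.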