Application events provide the most valuable insights for the SOC, covering Authentication, Authorization, and Accounting (AAA, or "Triple A") along with application performance and user actions. However, interpreting application events often requires SOC teams to configure the SIEM, because the log formats of many proprietary applications are not natively understood by it and need custom parsing and field mapping before they can be correlated with other sources.
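The following Python example illustrates the parsing-and-mapping work described above. It is an added example, not code from the original page or from any SIEM vendor: the application name (`acmeportal`), its key=value log format and the sample log lines are all constructed for this illustration. It normalizes the proprietary lines into a common schema with an AAA category per event, then runs a simple detection over the normalized events (repeated authentication failures from one user and source within a short window, with a flag for a subsequent success).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical in-house application ("acmeportal").
# The format is invented for this example; a real application needs its own parser.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z acmeportal evt=LOGIN user=alice src=10.0.0.5 result=FAIL reason=bad_password
2024-03-01T10:00:04Z acmeportal evt=LOGIN user=alice src=10.0.0.5 result=FAIL reason=bad_password
2024-03-01T10:00:09Z acmeportal evt=LOGIN user=alice src=10.0.0.5 result=FAIL reason=bad_password
2024-03-01T10:00:15Z acmeportal evt=LOGIN user=alice src=10.0.0.5 result=FAIL reason=bad_password
2024-03-01T10:00:20Z acmeportal evt=LOGIN user=alice src=10.0.0.5 result=FAIL reason=bad_password
2024-03-01T10:00:30Z acmeportal evt=LOGIN user=alice src=10.0.0.5 result=OK
2024-03-01T10:01:00Z acmeportal evt=ACCESS user=alice src=10.0.0.5 resource=/admin/users result=DENIED
2024-03-01T10:02:00Z acmeportal evt=LOGOUT user=alice src=10.0.0.5 session_secs=120 bytes=4096
2024-03-01T10:03:00Z acmeportal evt=LOGIN user=bob src=10.0.0.7 result=OK
2024-03-01T10:03:30Z acmeportal this line is malformed and should be skipped
"""

# timestamp, application name, then one or more key=value pairs
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<app>\S+) (?P<kv>(?:\w+=\S+)(?: \w+=\S+)*)$")

# Map the application's own event names onto the AAA categories the SOC reasons in.
AAA_CATEGORY = {"LOGIN": "authentication", "ACCESS": "authorization", "LOGOUT": "accounting"}


def parse_line(line):
    """Normalize one proprietary log line into a common schema; return None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split(" "))
    evt = fields.get("evt")
    if evt not in AAA_CATEGORY:
        return None
    # Accounting events (e.g. LOGOUT) carry no result field; treat "no result" as success.
    result = fields.get("result", "OK")
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "app": m.group("app"),
        "category": AAA_CATEGORY[evt],
        "action": evt,
        "user": fields.get("user"),
        "src_ip": fields.get("src"),
        "outcome": "success" if result == "OK" else "failure",
        "details": {k: v for k, v in fields.items() if k not in ("evt", "user", "src", "result")},
    }


def parse_logs(text):
    """Parse all lines, silently dropping malformed ones (a SIEM would count these as parse errors)."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def detect_auth_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag each (user, src_ip) with at least `threshold` failed authentications inside `window`.
    Also record whether a successful authentication followed the failures, since
    failure-then-success is the pattern an analyst should triage first."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["category"] != "authentication":
            continue
        key = (ev["user"], ev["src_ip"])
        (failures if ev["outcome"] == "failure" else successes)[key].append(ev["timestamp"])

    alerts = []
    for key, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i + threshold - 1
            if j < len(times) and times[j] - times[i] <= window:
                later_success = any(t > times[j] for t in successes.get(key, []))
                alerts.append({"user": key[0], "src_ip": key[1], "failures": len(times),
                               "first": times[i], "last": times[j],
                               "followed_by_success": later_success})
                break  # one alert per (user, src_ip)
    return alerts


if __name__ == "__main__":
    normalized = parse_logs(SAMPLE_LOGS)
    for alert in detect_auth_bruteforce(normalized):
        print(alert)
```

On the constructed sample this yields one alert for `alice` from `10.0.0.5` with `followed_by_success` set, while the malformed line is dropped rather than crashing the parser. The same shape (parser producing a common schema, rules written against the schema rather than the raw text) is what SIEM parsing configuration achieves, and it is the reason the mapping step has to be done before application events become useful for correlation.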
SOC Staffing
The staffing of a SOC varies significantly depending on the organization's needs and structure. This section briefly explores the roles typically involved in operating a SOC, as an overview of the positions one might find rather than a fixed template.
In a well-organized SOC, the following roles contribute to its operation:
- SOC Chief: Leads the department and sets the strategy and tactics to combat organizational threats.
- SOC Architect: Ensures that systems and platforms meet team needs, builds correlation rules, and verifies data compliance with platform requirements.
- Analyst Lead: Develops and maintains processes or playbooks to help analysts effectively assess alerts and incidents.
- Level 1 Analysts: Act as first responders to alerts, resolving issues within their capabilities and escalating unresolved matters to higher-level analysts.
- Level 2 Analysts: Have more experience and technical expertise; they handle alerts escalated from Level 1, feed recurring problems back to the Analyst Lead so that processes and playbooks improve over time, and escalate confirmed incidents to the Incident Response Team (IRT).
- Incident Response Team (IRT): Works to remediate and resolve issues affecting the organization.
- Penetration Testers: Provide insights into attacker methodologies, aiding in root cause analysis and facilitating collaboration between attack and defense teams, known as Purple Teaming, which is considered a best practice.