
I am making a conceptual workflow of a SOC, so suppose that a SIEM solution is integrated inside an organization's in-house SOC, and that the SOC team is the one managing the SIEM solution.

My question is: when we face a log format that does not match any of the parsing rules already stored in the SIEM parser, we will move to a generic format and manually add a new parsing rule for this entry. So which analyst level should be in charge of this task? Knowing that I have:

  • Level 1 (Triage): responsible for ordinary alerts and closing false-positives

  • Level 2 (Analyze): basically, this is where non-ordinary alerts that need further investigation are escalated from L1 to L2 for qualification.

  • Level 3 (Investigation): for deep investigations where we will need to identify attack vectors and actors, and also apply some data enrichment...

  • Remediation Team: where we will contain, eradicate and recover from the incident...

  • SOC management: handles administration, supervision and service management of the SOC.

Hilo21

4 Answers

It really depends on the SOC and how it structures its team. In the real world, Level 1, 2 and 3 analysts may be expected to build parsers/connectors to normalise logs for the SIEM.

Given the descriptions in your question, however, I would say that none of these roles are right.

The role I would expect to handle this task would be a Technical Lead: someone whose job it is to administer and maintain the SOC tools.

TheJulyPlot

Although FIRST, SANS, and many other sources claim that Tiers of Analyst (L1/Alert, L2/Triage, L3/Investigation, et al) are a good way to structure SOCs in order to get to reasonable outcomes, there is heavy evidence that this is a poorly-constructed concept that does not lead to desired outcomes -- and it does not allow for repeatable outcomes, increases in mid-term or long-term efficiencies, and has many other repercussions including inability to retain talent for reasonable time periods.

There are a few other concepts, including the NIST SP 800-181 and the CLUSIF Cybersecurity Incident and Crisis Management frameworks. NICE NCWF appears to prefer your more-detailed structures, while CLUSIF has another recommended approach that is more-flat and less-heavy.

An important piece of managing cybersecurity events and incidents, especially from alerts, is a proper formula for classifying and prioritizing them -- in addition to a platform to work them. Recommend TheHive (and subcomponents) as the platform, and either the DoD CJCSM 6510.01B or DHS Event Categories (provided as a comparative in CJCSM 6510.01B). TheHive has 3 roles: read, write, or admin. I suggest implementing it and making everyone in your SOC an admin.

atdre

I would probably go with Level 2. Level 2 will most likely be the ones dealing with false positives (the interesting ones) and analyzing the brunt of the data, so they will be most versed in what they need flagged. That being said, if Level 3 are the more qualified team, you may want them to approve the rules, because if the rules miss something, it may take a long time and possibly a breach, before you notice the rules were not finding something important. For the same reasons, you may want to review the existing rules periodically.

Peter Harmann
  • So you suggest that L2 parse and then L3 approve, and I think (if you can agree with me) that I will add to this: SOC management "Apply", since they're the ones who have the access to tune the SIEM solution! – Hilo21 Apr 23 '18 at 10:46
  • @Hilo21 of course if you have access rights this granular (which is a good thing), management will have to apply the rules. In that case, you may even want a signature from one or more of the L3 staff who approved it, so it could be traceable in case of problems. Possibly also the L2 who designed it. – Peter Harmann Apr 23 '18 at 10:52
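Putting the question's fallback-to-generic step and the design/approve/apply chain discussed in the comments above into code, as an added Python example that is not from the question or from any answer; the rule names, the role field names and the sample log lines are constructed (documentation IP ranges), not taken from any real SIEM:

```python
import re
from dataclasses import dataclass, replace
from typing import List

@dataclass
class ParseRule:
    """A SIEM parsing rule carrying the sign-off chain from the comments: L2 designs, L3 approves, management applies."""
    name: str
    pattern: re.Pattern
    designed_by: str          # L2 analyst who wrote the rule (assumed role name)
    approved_by: str = ""     # L3 analyst who signed off on it
    applied_by: str = ""      # SOC management, who hold the SIEM change access

    def is_active(self) -> bool:
        # A rule is only used once all three signatures are present, so every parser change is traceable.
        return bool(self.designed_by and self.approved_by and self.applied_by)

def activate(rule: ParseRule, approved_by: str, applied_by: str) -> ParseRule:
    """Return a copy of a draft rule carrying the L3 approval and the management sign-off."""
    return replace(rule, approved_by=approved_by, applied_by=applied_by)

def parse_event(line: str, rules: List[ParseRule]) -> dict:
    """Try every active rule; a log that matches none falls back to a generic record flagged 'unparsed'."""
    for rule in rules:
        if not rule.is_active():
            continue
        m = rule.pattern.match(line)
        if m:
            return {"parser": rule.name, "unparsed": False, **m.groupdict()}
    # Generic fallback: keep the raw line so an L2 analyst can design a new rule from it.
    return {"parser": "generic", "unparsed": True, "raw": line}

def parser_gaps(lines: List[str], rules: List[ParseRule]) -> List[str]:
    """Raw lines that hit the generic fallback: the queue of log formats that still need a rule."""
    return [e["raw"] for e in (parse_event(l, rules) for l in lines) if e["unparsed"]]

# Constructed sample rules and log lines; not real SIEM content.
SSHD_RULE = ParseRule(
    name="sshd_failed_password",
    pattern=re.compile(r"(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
                       r"Failed password for (?P<user>\S+) from (?P<src_ip>[\d.]+)"),
    designed_by="l2.analyst", approved_by="l3.analyst", applied_by="soc.manager")
FW_DRAFT = ParseRule(name="vendor_fw_deny",
                     pattern=re.compile(r"FW DENY src=(?P<src_ip>[\d.]+) dst=(?P<dst_ip>[\d.]+)"),
                     designed_by="l2.analyst")  # designed by L2, not yet approved or applied
SAMPLE_LOGS = [
    "Apr 23 10:46:01 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "FW DENY src=198.51.100.9 dst=10.0.0.5 proto=tcp",
]
```

Running `parser_gaps(SAMPLE_LOGS, [SSHD_RULE, FW_DRAFT])` lists the firewall line as still unparsed; once the draft is passed through `activate(...)` with the L3 and management sign-offs, the same call returns an empty list.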

I would place this responsibility with the team deploying the product. They are most familiar with it, and should be expected to go through the documentation or source code and provide the list of security relevant events.

John Deters
  • It’s not always the case that the team who deploy the services are the same as the people that will support it. They could set up all the connectors and parsers that are required at the time of deployment, but there may be cases where a log file will be so ‘weird’ that a custom connector will need to be written on the fly by the SOC team. – TheJulyPlot Apr 23 '18 at 12:47
  • @TheJulyPlot , yes, I’m familiar with those org structures. Unfortunately they often contribute more to the problems than to the solutions. – John Deters Apr 23 '18 at 17:09