
So, from a summary of what I have found on the internet, a SOC collects information and the CSIRT makes conclusions based on that info.

However, from what I see on lab/challenge websites like BlueTeam Labs Online, those lines aren't that well defined, since different challenges from both fields (Operations Center example: Log Analysis - Sysmon; IR example: Log Analysis - Compromised Wordpress) can ask you to do the same thing (the two examples above both ask you to do some research from the logs), and their questions are a lot like "what files..." or "what did the attacker use to....".

Can anyone out there sharpen the line between SOC and CSIRT (at least from the perspective of these challenges)?

Gilles 'SO- stop being evil'

1 Answer

More generally:

  • a SOC analyses the data to determine if there is an event to respond to
  • a CSIRT responds to security events

There is, necessarily, a lot of cross-over in terms of skills and activities. A SOC will even perform a lot of CSIRT tasks, especially if the issues are straightforward and easy to contain given established procedures and resources. But generally, a CSIRT is responding to a known security-impacting event, so their activities are focused on containment and recovery.

In reference to the log analysis activities you highlighted:

  • a SOC needs to analyse logs to determine if there is an event that needs to be followed up on
  • a CSIRT needs to follow up on those logs, and perform their own analysis to determine the extent of the security issue, and if there are other issues that need to be investigated

schroeder