SOC Analyst
Security Operations Center (SOC). SOC analysts are the cybersecurity professionals who work as the organization's first line of defence. They are responsible for monitoring, detecting, analyzing, and responding to security incidents within the organization's IT environment.
They work as part of the SOC team and are critical for ensuring that the organization's systems and data are protected from cyber threats.
A SOC is used for:-
i. Threat Monitoring
ii. Investigating Alerts
iii. Responding to Incidents
Tasks for an L1 SOC Analyst:-
i. Monitoring
ii. Incident Triage
iii. Initial Analysis
iv. Escalation
v. Communication
Tasks for an L2 SOC Analyst:-
i. Monitoring Alerts
ii. Threat Hunting
iii. Resource Monitoring
iv. Creating and Approving Whitelists (allow-lists that suppress alerts on known-benign activity, such as an approved internal scanner)
v. Handling Escalated Investigations
Tasks for an L3 SOC Analyst:-
i. Client On-Boarding
ii. Incident Management
iii. Reporting and Documentation
iv. Stakeholder Communication (Technical)
Technologies used in a SOC:-
i. SIEM
ii. EDR
iii. SOAR
iv. Ticketing System
v. Threat Intelligence Platform(TIP)
vi. Managed Detection & Response(MDR)
SIM:- Security Information Management
SEM:- Security Event Management
SIM + SEM = SIEM:- Security Information and Event Management
SIEM is a comprehensive solution for managing security within an organization by collecting, analyzing, and responding to security data from many sources. A SIEM provides real-time insight, threat detection, and compliance reporting by aggregating data from applications, devices, networks, and systems.
SIEM is used for:-
i. Log Collection
ii. Parsing (normalizing raw log lines into structured fields)
iii. Log Aggregation and Correlation (across hosts and sources, ordered by time)
iv. Rule-Based Alerts (thresholds, sequences, matches against known-bad indicators)
v. Analytics, including AI/ML-assisted anomaly detection
vi. Response (alert routing, ticket creation, hand-off to SOAR)
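The pipeline above (collection, parsing, aggregation, rule-based alerting) is easiest to understand as code. The following is an added example written for this page, not part of the original post or of any SIEM product: it parses constructed sshd log lines (invented here, using documentation IP ranges), normalizes them into events, aggregates failures per source address across hosts, and raises an alert when a threshold is crossed inside a sliding window, with a higher-severity alert if that same source later logs in successfully. The log format, threshold and window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog style), invented for this example.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "2024-05-01T10:00:02 host1 sshd[1201]: Received disconnect from 192.0.2.9 port 1234:11: Bye Bye",
    "2024-05-01T10:00:03 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "2024-05-01T10:00:04 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "2024-05-01T10:00:06 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51125 ssh2",
    "2024-05-01T10:00:08 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51126 ssh2",
    "2024-05-01T10:00:09 host1 sshd[1201]: Accepted password for root from 203.0.113.7 port 51127 ssh2",
    "2024-05-01T10:00:30 host2 sshd[2345]: Failed password for alice from 198.51.100.5 port 40000 ssh2",
    "2024-05-01T10:05:00 host2 sshd[2345]: Failed password for alice from 198.51.100.5 port 40001 ssh2",
]

# Stage 1, parsing: split the syslog envelope from the message body.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Stage 2, normalization: pull out the fields an authentication rule needs.
AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")


def parse(line):
    """Return a normalized event dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
          "proc": m["proc"], "msg": m["msg"], "event": "other"}
    a = AUTH_RE.match(m["msg"])
    if a:
        ev["event"] = "auth_failure" if a["outcome"] == "Failed" else "auth_success"
        ev["user"], ev["src"] = a["user"], a["src"]
    return ev


def detect_bruteforce(lines, threshold=4, window=timedelta(seconds=60)):
    """Rule-based alerting: `threshold` failures from one source inside a sliding
    window, plus a high-severity alert if that source then authenticates successfully."""
    events = [e for e in map(parse, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])            # aggregation across hosts, in time order
    failures = defaultdict(list)                  # src IP -> failure timestamps still in window
    alerted, alerts = set(), []
    for e in events:
        if e["event"] == "auth_failure":
            q = failures[e["src"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # expire failures older than the window
                q.pop(0)
            if len(q) >= threshold and e["src"] not in alerted:
                alerted.add(e["src"])
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src": e["src"], "host": e["host"], "count": len(q)})
        elif e["event"] == "auth_success" and e["src"] in alerted:
            alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                           "src": e["src"], "host": e["host"], "user": e["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
```

On the constructed input, 203.0.113.7 trips the rule at its fourth failure and then escalates to a high-severity alert on the successful root login, while 198.51.100.5 (two failures five minutes apart) stays below the window threshold, which is the difference between a correlation rule and a plain keyword match.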
Endpoint Detection & Response (EDR):-
EDR collects telemetry from a single source type, the agent on each endpoint, whereas a SIEM aggregates logs from many different sources.
EDR is used for:-
i. Real-Time Continuous Monitoring (online and offline; the agent keeps recording while the endpoint is disconnected)
ii. Endpoint Data Collection
iii. Signature-less (Behavioural) Detection
iv. Rule-Based Automated Response (e.g. kill a process, isolate a host)
EDR collects:-
i. Network Connections
ii. Process Execution (parent/child relationships, command lines)
iii. Registry Modifications
iv. Currently Running Processes
v. Cross-Process Events (one process opening a handle to, or injecting into, another)
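The telemetry listed above is what makes signature-less detection possible: the rule looks at behaviour (who spawned whom, what the command line contains, where the child then connects) rather than a file hash. The following is an added example written for this page, not code from the original post or from any EDR vendor. It runs over constructed process and network telemetry (invented here; the -enc blob is just the base64/UTF-16LE encoding of the harmless command Get-Date), rebuilds the process tree, flags a shell spawned under an Office application, decodes encoded PowerShell, and correlates an outbound connection back to the flagged process. The field names and the list of "shell" images are assumptions for the example.

```python
import base64
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str       # executable file name
    cmdline: str
    user: str


@dataclass
class NetworkEvent:
    pid: int
    dest_ip: str
    dest_port: int


# Constructed sample telemetry, invented for this example.
PROCS = [
    ProcessEvent(400, 1, "explorer.exe", "explorer.exe", "CORP\\alice"),
    ProcessEvent(1200, 400, "WINWORD.EXE",
                 '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" invoice.docm', "CORP\\alice"),
    ProcessEvent(1340, 1200, "cmd.exe",
                 "cmd.exe /c powershell -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA==", "CORP\\alice"),
    ProcessEvent(1355, 1340, "powershell.exe",
                 "powershell -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA==", "CORP\\alice"),
    ProcessEvent(2100, 400, "powershell.exe", "powershell.exe -Command Get-Date", "CORP\\alice"),
]
NETS = [
    NetworkEvent(1355, "198.51.100.23", 443),   # from the flagged PowerShell
    NetworkEvent(2100, "10.0.0.5", 443),        # from the user-launched, unflagged one
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe"}


def process_chain(by_pid, pid):
    """Walk ppid links to build the ancestry root->leaf, stopping at missing parents or loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() in ("-enc", "-encodedcommand", "-ec"):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def detect(procs, nets):
    """Behavioural rules over process-tree, command-line and network telemetry."""
    by_pid = {p.pid: p for p in procs}
    alerts, flagged = [], set()
    for p in procs:
        names = [c.image.lower() for c in process_chain(by_pid, p.pid)]
        # Rule 1: a shell/script host anywhere under an Office application.
        if p.image.lower() in SHELLS and any(n in OFFICE_APPS for n in names[:-1]):
            flagged.add(p.pid)
            alerts.append({"rule": "office_spawns_shell", "pid": p.pid, "chain": names})
        # Rule 2: encoded PowerShell; decode it so the analyst sees the real command.
        if p.image.lower() in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(p.cmdline)
            if decoded is not None:
                flagged.add(p.pid)
                alerts.append({"rule": "encoded_powershell", "pid": p.pid, "decoded": decoded})
    # Rule 3: cross-event correlation, a network connection from an already-flagged process.
    for n in nets:
        if n.pid in flagged:
            alerts.append({"rule": "suspicious_outbound", "pid": n.pid,
                           "dest": f"{n.dest_ip}:{n.dest_port}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(PROCS, NETS):
        print(alert)
```

Note that pid 2100, PowerShell launched directly from explorer.exe with a plain command line, produces nothing: the same binary is benign or suspicious depending on its ancestry and arguments, which is exactly what a hash-based signature cannot express.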
Security Orchestration, Automation and Response (SOAR):-
It is a cybersecurity solution that integrates disparate security tools to centralize alerts and automate investigation and response, streamlining incident management.
Security technologies integrated by SOAR:-
i. Ticketing
ii. DLP
iii. SIEM
iv. EDR
v. CTI (TIP)
vi. Email & Web Gateway
vii. Network Security
viii. Vulnerability Management
ix. Cloud Tools
x. IAM/PAM
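What SOAR adds on top of those tools is the playbook: the decision logic that takes an alert, enriches it from the TIP and asset inventory, applies the L2 allow-list, opens a ticket, and decides whether to contain or escalate. The following is an added example written for this page, not part of the original post or of any SOAR product. The threat-intel feed, asset inventory, allow-list, ticketing system and EDR connector are all in-memory stand-ins (constructed here, using documentation IP ranges); in a real deployment each would be a connector to the corresponding tool from the list above, and the severity and containment rules are assumptions for the example.

```python
# Constructed enrichment sources, invented for this example. In a real SOAR these
# are connector calls to the TIP, CMDB, ticketing system and EDR API.
TI_FEED = {
    "203.0.113.7": {"tags": ["bruteforce"], "confidence": 80},
    "198.51.100.23": {"tags": ["c2"], "confidence": 95},
}
ASSETS = {
    "host1": {"owner": "finance", "criticality": "high"},
    "host2": {"owner": "lab", "criticality": "low"},
}
ALLOWLIST = {"192.0.2.50"}   # e.g. the internal vulnerability scanner, approved by L2
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}
# Rules whose firing implies the host is already compromised, not merely targeted.
CONTAINMENT_RULES = {"ssh_bruteforce_success", "suspicious_outbound"}


class TicketSystem:
    """In-memory stand-in for the ticketing connector."""
    def __init__(self):
        self.tickets = []

    def create(self, summary, severity, details):
        tid = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets.append({"id": tid, "summary": summary,
                             "severity": severity, "details": details})
        return tid


class EdrConnector:
    """In-memory stand-in for the EDR host-isolation action."""
    def __init__(self):
        self.isolated = set()

    def isolate_host(self, host):
        self.isolated.add(host)
        return True


class Playbook:
    def __init__(self, tickets, edr):
        self.tickets, self.edr = tickets, edr
        self.audit = []   # every decision is recorded for the analyst and for post-incident review

    def run(self, alert):
        src = alert.get("src")
        host = alert.get("host")

        # Step 1: allow-list. Approved sources are suppressed before any ticket exists.
        if src in ALLOWLIST:
            self.audit.append((alert["rule"], "suppressed", src))
            return {"action": "suppressed", "ticket": None}

        # Step 2: enrichment from TIP and asset inventory, then severity adjustment.
        ti = TI_FEED.get(src)
        asset = ASSETS.get(host, {"criticality": "unknown"})
        severity = alert.get("severity", "low")
        if ti and (ti["confidence"] >= 90 or asset["criticality"] == "high"):
            severity = "high"
        elif ti and SEVERITY_RANK[severity] < SEVERITY_RANK["medium"]:
            severity = "medium"

        # Step 3: always open a ticket so the case is tracked.
        details = {"alert": alert, "threat_intel": ti, "asset": asset}
        tid = self.tickets.create(f"{alert['rule']} from {src} on {host}", severity, details)

        # Step 4: response decision, automated containment only where compromise is implied.
        if severity == "high" and alert["rule"] in CONTAINMENT_RULES:
            self.edr.isolate_host(host)
            action = "isolated_host"
        elif severity == "high":
            action = "escalate_L3"
        else:
            action = "escalate_L2"
        self.audit.append((alert["rule"], action, tid))
        return {"action": action, "ticket": tid, "severity": severity}


if __name__ == "__main__":
    pb = Playbook(TicketSystem(), EdrConnector())
    print(pb.run({"rule": "ssh_bruteforce", "src": "203.0.113.7", "host": "host2", "severity": "medium"}))
    print(pb.run({"rule": "suspicious_outbound", "src": "198.51.100.23", "host": "host1", "severity": "high"}))
    print(pb.run({"rule": "ssh_bruteforce", "src": "192.0.2.50", "host": "host1", "severity": "medium"}))
```

The point of the audit list is that automation never removes the analyst from the loop: every suppression, escalation and isolation is logged with the ticket it belongs to, and containment is limited to rules that indicate actual compromise so that a noisy brute-force attempt on a low-value host is escalated to L2 rather than isolating the box.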