Common SOC Use Cases for Different Security Teams

On February 18, 2020

Use cases help an organization identify and manage common, recurring events and functions more efficiently, and they pinpoint the particular situations in which a product or service can be applied effectively. A typical use case deployment process looks like this:

  • Understand the business objective: The first step in creating a SOC use case is to understand the primary objectives of the business.
  • Document the problem statement: The SOC's problem statement needs to be documented and illustrated properly so that it can be used to formulate specific solutions.
  • Define use cases: Define the use cases so that they can be used in system analysis to identify, clarify and organize system requirements.
  • Generate requirement statements: Create the list of requirement statements that the SOC architecture needs to satisfy.
  • Prioritize objectives: Prioritize the issues that need to be addressed and evaluated.
  • Identify source data: Identify where the incoming data originates and where it goes in the event stream.
  • Create content: Create the relevant detection content.
  • Build real-time event-based data monitors: These data monitors use real-time event triggers for the conditions that are to be monitored.
  • Rules for advanced correlation: Prepare and lay out the rules used for further, more advanced correlation.
  • Build variables and event stream analysis: Finally, prepare the variables and perform the event stream analysis.

Most common use cases for the SOC Blue team:

  • Attempt to stop AV services: This use case covers any active attempt to stop the antivirus services.
  • Virus detected: This use case covers every occasion on which a potential or recognized virus is detected.
  • Data exfiltration: Recognizing and monitoring the unauthorized copying, transfer or retrieval of data from a computer or server.

Data exfiltration is malicious activity that can be carried out through many different techniques.

  • Antivirus failed to clean/quarantine/remove malware: Finding out whether the detected malware was actually cleaned and removed.
  • Multiple failed login attempts to VPN ("Repeated Login Failure"): Detecting repeated authentication failures against the VPN.
  • Audit policy setting change: Identifying if and when the security audit settings are changed or modified.
  • Multiple logins from different locations ("User Logged In From Multiple Countries"): Detecting a single account logging in from more than one country.
  • SEPM: Intrusion Prevention disabled: Pinpointing exactly when SEPM Intrusion Prevention is disabled.
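The "real-time event-based data monitors" and "rules for advanced correlation" steps of the deployment process above, and several of the Blue team use cases in this list, come down to the same mechanism: parse each event, fire single-event monitors immediately, and keep per-entity state for the rules that need correlation across events. The following Python program is an added example written for this post, not code from the original article or from any SIEM product. The key=value log format, the field names, the sample log lines and the thresholds (5 failures in 5 minutes, 2 countries within 1 hour) are all constructed assumptions for the example.

```python
"""Added example: a small event-stream detector for four of the Blue team use
cases above (repeated VPN login failures, one user logging in from multiple
countries, attempts to stop AV services, audit policy changes).
Log format, field names, thresholds and sample data are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <host> key=value key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")

# Thresholds are assumptions for this example, not values from the post.
FAIL_THRESHOLD = 5                 # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window
GEO_WINDOW = timedelta(hours=1)     # window for the multi-country rule

# Constructed sample events (not real data). Timestamps are in UTC.
SAMPLE_LOGS = [
    "2020-02-18T09:00:01Z vpn01 event=login result=fail user=alice src=203.0.113.10 geo=US",
    "2020-02-18T09:00:12Z vpn01 event=login result=fail user=alice src=203.0.113.10 geo=US",
    "2020-02-18T09:00:25Z vpn01 event=login result=fail user=alice src=203.0.113.10 geo=US",
    "2020-02-18T09:00:40Z vpn01 event=login result=fail user=alice src=203.0.113.10 geo=US",
    "2020-02-18T09:00:55Z vpn01 event=login result=fail user=alice src=203.0.113.10 geo=US",
    "2020-02-18T09:01:10Z vpn01 event=login result=fail user=alice src=203.0.113.10 geo=US",
    "2020-02-18T09:05:00Z vpn01 event=login result=success user=bob src=198.51.100.7 geo=DE",
    "2020-02-18T09:20:00Z vpn01 event=login result=success user=bob src=192.0.2.44 geo=BR",
    "2020-02-18T09:30:00Z host17 event=service_stop service=antivirus user=bob",
    "2020-02-18T09:31:00Z dc01 event=audit_policy_change user=bob",
    "2020-02-18T09:40:00Z vpn01 event=login result=fail user=carol src=203.0.113.99 geo=US",
    "garbage line that does not parse",
]


def parse_line(line):
    """Turn one log line into a dict ('ts' as datetime, 'host', plus key=value fields).
    Returns None for lines that do not fit the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts, "host": m.group("host")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def detect(lines):
    """Run every rule over the stream in order; return (use case, host, user) alerts."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    countries = defaultdict(deque)  # user -> (timestamp, country) of recent successes
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev.get("user", "?")
        # Single-event monitors: fire as soon as the triggering event is seen.
        if ev.get("event") == "service_stop" and ev.get("service") == "antivirus":
            alerts.append(("Attempt to stop AV services", ev["host"], user))
        if ev.get("event") == "audit_policy_change":
            alerts.append(("Audit Policy Setting Change", ev["host"], user))
        # Correlation rule: FAIL_THRESHOLD failed logins by one user inside FAIL_WINDOW.
        if ev.get("event") == "login" and ev.get("result") == "fail":
            q = failures[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAIL_WINDOW:  # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append(("Repeated Login Failure", ev["host"], user))
        # Correlation rule: successful logins from 2+ countries inside GEO_WINDOW.
        if ev.get("event") == "login" and ev.get("result") == "success":
            q = countries[user]
            q.append((ev["ts"], ev.get("geo")))
            while q and ev["ts"] - q[0][0] > GEO_WINDOW:
                q.popleft()
            earlier = {geo for _, geo in list(q)[:-1]}
            # Fire only when this login adds a country not already seen in the window.
            if earlier and ev.get("geo") not in earlier:
                alerts.append(("User Logged In From Multiple Countries", ev["host"], user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Run against the constructed sample, the program raises exactly four alerts: one "Repeated Login Failure" for alice (fired on the fifth failure, not again on the sixth), one "User Logged In From Multiple Countries" for bob, one AV stop and one audit policy change. Carol's single failure stays below the threshold and the unparseable line is skipped rather than crashing the detector, which is the behaviour you want from a monitor fed by real, messy log sources.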

Use cases for the SOC Red team:

  • Identifying the security controls: Proper alert conveyance for both low-frequency and high-impact events.
  • Determining the effective range of the software during the proof of concept: Does the alerting depend on a given event alone, or on runtime context (i.e. user, parent/child process attributes, etc.)?
  • Evaluating the security analysis team and the security processes: Determining the signal-to-noise ratio of the detection criteria used to identify the activity.

Use cases for the Pink (Process/Compliance) team:

  • Detailed SOC security design
  • Process framing
  • Project and resource management, competency management
  • Responding to an incident

Use cases for the Purple (Technology Implementation) team:

  • Project planning: Formulating and planning the security architecture.
  • Understanding the organization's SOC architecture needs.
  • Footprinting: A comprehensive technique for gathering information about the hosts, network and people related to the organization, used to learn the security posture, reduce the attack surface, identify vulnerabilities and draw a network map detailing the data server topology.
  • Observation, installation and implementation of the required security assets, such as data servers, SIEM, SOAR and EDR, according to their place in the security architecture layers.
  • Support for the SOC architecture once it is installed.

So there you have it, folks. These are the most common use cases for the various security teams that make up a Security Operations Center.