Mapping the SOC architecture
To implement a cohesive technical solution for your SOC platform, review each of the following components and implement it thoroughly. This is best done on a routine basis, and should include regular testing of the strength of each capability by penetration testing specialists, who will provide feedback and guidance on any weaknesses found.
Log management and data sources
The first component of a SOC platform is the gathering and storing of log data from a diverse range of systems and services across your IT environment. This is where you need careful planning to ensure that you are collecting and retaining the most appropriate data. Some key considerations we can borrow from well-documented big data guidance are listed here:
- Variety: You need to ensure you have data feeds from multiple sources to gain visibility across the spectrum of hardware and software solutions across your organization.
- Volume: Too large a volume and you could face hefty ingestion and storage fees; too small and you could miss important events that you would need to fully analyze a breach.
- Velocity: Collecting real-time data is critical to reducing response times, but the data must also be processed and analyzed in real time for that to matter.
- Value/veracity: The quality of the data determines whether its meaning can be understood; too much noise hampers investigations.
- Validity: The accuracy and integrity of the data must be verified so that decisions are based on trustworthy input.
- Volatility: How long is the data useful for? Not all data needs to be retained long term; once analyzed, some data can be dropped quickly.
- Vulnerability: Some data is more sensitive than other data, and once collected and correlated in one place it becomes an extremely valuable target for a would-be attacker, so the log platform itself must be protected as carefully as the systems it monitors.
- Visualization: Human interpretation of data requires some level of visualization. Understanding how you will show this information to the relevant audience is a key requirement for reporting.
Microsoft Sentinel provides a range of data connectors to ensure that all types of data can be ingested and analyzed. Securing Azure Monitor will be covered in Chapter 2, Azure Monitor – Introduction to Log Analytics, and connector details will be available in Chapter 3, Managing and Collecting Data.
Operations platforms
Traditionally, a SIEM was used to look at all log data and reason over it, looking for potential threats across a diverse range of technologies. Today, multiple platforms are available that provide their own monitoring and alerting functionality, much as a SIEM does, except that each is designed with a specific focus on a particular area of expertise. Each platform may carry out its own log collection and analysis, provide specific threat intelligence and vulnerability scanning, and use machine learning to detect changes in user and system behavior patterns. The more advanced systems also provide a level of automated response to the threats they detect.
The following solutions each have a range of capabilities built in to collect and analyze logs, carry out immediate remediations, and report their findings to the SIEM solution for further investigation and cross-analysis:
- Identity and Access Management (IAM): The IAM solution may be made up of multiple products, combined to ensure full life cycle management of identities from creation to destruction. It should include governance actions such as approvals, attestation, and the automated cleanup of group memberships and permissions. IAM also covers multi-factor authentication: challenging the sign-in process with more than a simple combination of user ID and password. All administrator actions and user-driven activities should be recorded and reported to the SIEM for context and user behavior analytics.
Modern IAM solutions also include built-in user behavior analytics to detect deviations from baseline patterns, suspicious activities, and potential insider-threat risks. They should be integrated with a Cloud Access Security Broker (CASB) to provide session-based access controls: the ability to apply further restrictions during a session when the observed intent changes or access to higher-sensitivity actions is requested. Finally, every organization should implement a privileged access management solution to control access to sensitive systems and services.
- Endpoint Detection and Response (EDR): Going beyond anti-virus and anti-malware, a modern endpoint protection solution will include the ability to detect and respond to advanced threats as they occur. Detection will be based not only on signature-based known threats but also on patterns of behavior and integrated threat intelligence. Detection expands from a single machine to complete visibility across all endpoints in the organization, both on the network and roaming across the internet.
Response capabilities will include the ability to isolate the machine from the network, to prevent the further spread of malicious activities, while retaining evidence for forensic analysis and providing remote access for investigators. The response may also trigger other actions across integrated systems, such as mailbox actions to remove threats that are executed via email or removing access to specific files on the network to prevent further execution of malicious code.
Many companies have already invested in an EDR solution because of its effectiveness in reducing the risk of intrusion via advanced attacks. The trend now is to mature this implementation and move to an Extended Detection and Response (XDR) platform: an XDR solution integrates EDR, IAM, CASB, and several other solutions to provide detection and response across the complete attack chain.
- Cloud Access Security Broker (CASB): A CASB is now a critical component in any cloud-based security architecture. With the ability to ingest logs from network firewalls and proxy servers, as well as to connect to multiple cloud services via their APIs, the CASB has become the first point of collation for many user activities, both on-premises and when users connect directly to the internet. This also removes the need to ingest these logs directly into the SIEM (saving on costs), unless you need to query them directly rather than pivoting from the SIEM to the CASB portal to carry out an investigation.
A CASB comes with many connectors for deep integration into cloud services, as well as a connection to the IAM system to help govern access to other cloud services (via Single Sign-On (SSO)), acting as a reverse proxy and enforcing session-based controls. The CASB also provides many detection rule templates that can be deployed immediately, together with the ability to define custom rules for use cases unique to your organization. Its response capabilities depend on your specific integrations with the relevant cloud services; they can include restricting or revoking access to a cloud service, preventing the upload or download of documents, or hiding specific documents from the view of others.
- Cloud Workload Protection Platform (CWPP): The CWPP is often delivered alongside, or bundled with, a Cloud Security Posture Management (CSPM) solution. The two are distinct capabilities: CSPM scans and continuously monitors the configuration of cloud resources against compliance and governance requirements, while CWPP protects the workloads themselves (virtual machines, containers, and serverless functions). Together they provide a centralized method for vulnerability scanning and continuous audit across multiple cloud services (such as Amazon Web Services (AWS) and Microsoft Azure), while also centralizing policies and remediation actions. Resources within these services can be further protected with controls such as Just In Time (JIT) access and Attack Surface Reduction (ASR) rules.
When these solutions are deployed, it is one less capability that we need the SIEM to provide; instead, it can take a feed from the service to understand the potential risk and provide an integration point for remediation actions.
- Next-Generation Firewall (NGFW): Firewalls have been the backbone of network security since the 1980s and remain a core component of the segmentation and isolation of internal networks, as well as acting as the front door for many internet-facing services. With an NGFW, you keep all the benefits of earlier firewall technologies and add deep packet inspection for application-layer security, together with integrated intrusion detection and prevention (IDS/IPS). Deploying NGFW solutions also assists with the detection and containment of malware and advanced threats on the network, preventing their spread to more hosts and network-based systems.
As these examples show, the days of deploying a SIEM to do all the work of centrally collecting and analyzing logs are in the past. With each of these advanced solutions managing its own area of expertise, the focus of the SIEM shifts to looking for common patterns across the solutions and to monitoring the systems that none of them covers. With Microsoft Sentinel as the SIEM, it also acts as the Security Orchestration, Automation, and Response (SOAR) platform, enabling a coordinated response to threats across each of these individual solutions and removing the need to re-engineer them all each time the requirements for alerting, reporting, and responding change.
Threat intelligence and threat hunting
Threat intelligence adds context to the log data collected. Knowing what to look for in the logs and how to identify serious events requires a combination of threat hunting skills and an ongoing intelligence feed from experts working deep in cybercrime research. Much of this work is augmented by Artificial Intelligence (AI) platforms; however, a human touch is always required to add the gut feeling that many detectives will tell you comes from working their own investigations.
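The two ideas in this part of the chapter, the SIEM looking for common patterns across the specialist platforms and threat intelligence adding context to what is collected, can be shown together in a small added example. This is illustrative code written for this edit, not code from the chapter or from Microsoft Sentinel. It correlates constructed IAM, EDR, and CASB alerts by user inside a time window, enriches them against a constructed threat-intel list, and raises an incident only when a chain spans more than one platform or matches an indicator. The alert fields, the alert contents, and the documentation-range IP indicators are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Alert:
    """One alert raised by a specialist platform (assumed schema for this example)."""
    source: str        # platform that raised it: "iam", "edr" or "casb"
    time: datetime
    user: str
    host: str
    src_ip: str
    title: str
    severity: int      # 1 (low) .. 4 (critical)


@dataclass
class Incident:
    entity: str                          # the entity the chain was built around
    alerts: list[Alert]
    sources: set[str]                    # distinct platforms that contributed
    severity: int
    ti_matches: list[tuple[str, str]]    # (indicator seen, TI description)


# Constructed threat-intel feed (CIDR -> description). A real SOC refreshes this
# continuously from its TI platform; these are documentation ranges, not real
# infrastructure.
THREAT_INTEL = {
    ip_network("198.51.100.0/24"): "known C2 range (constructed)",
    ip_network("203.0.113.0/24"): "scanner range (constructed)",
}


def ti_lookup(ip: str) -> Optional[str]:
    """Return the TI description if ip falls inside an indicator range, else None."""
    addr = ip_address(ip)
    for net, description in THREAT_INTEL.items():
        if addr in net:
            return description
    return None


def _close_chain(entity: str, chain: list[Alert], min_sources: int) -> Optional[Incident]:
    """Decide whether a time-bounded chain of alerts is worth raising as an incident."""
    if not chain:
        return None
    sources = {a.source for a in chain}
    ti_matches = [(a.src_ip, hit) for a in chain if (hit := ti_lookup(a.src_ip))]
    # A single-platform chain is treated as noise unless threat intel adds context.
    if len(sources) < min_sources and not ti_matches:
        return None
    severity = max(a.severity for a in chain)
    if ti_matches:
        severity = min(4, severity + 1)   # TI corroboration raises confidence
    return Incident(entity, list(chain), sources, severity, ti_matches)


def correlate(alerts: Iterable[Alert],
              window: timedelta = timedelta(minutes=60),
              entity_key: Callable[[Alert], str] = lambda a: a.user,
              min_sources: int = 2) -> list[Incident]:
    """Group alerts by entity, split each group into chains whose first and last
    alert are at most `window` apart, and keep the chains that cross platforms
    or match threat intel."""
    by_entity: dict[str, list[Alert]] = {}
    for alert in sorted(alerts, key=lambda a: a.time):
        by_entity.setdefault(entity_key(alert), []).append(alert)

    incidents: list[Incident] = []
    for entity, items in by_entity.items():
        chain: list[Alert] = []
        for alert in items:
            if chain and alert.time - chain[0].time > window:
                incident = _close_chain(entity, chain, min_sources)
                if incident:
                    incidents.append(incident)
                chain = []
            chain.append(alert)
        incident = _close_chain(entity, chain, min_sources)
        if incident:
            incidents.append(incident)
    return incidents


# Constructed sample alerts: one user trips IAM, EDR and CASB in sequence;
# two others trip a single platform each.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_ALERTS = [
    Alert("iam", T0, "alice", "LAPTOP-7", "198.51.100.23", "Sign-in after repeated MFA failures", 2),
    Alert("edr", T0 + timedelta(minutes=12), "alice", "LAPTOP-7", "10.0.0.7", "Office app spawned PowerShell", 3),
    Alert("casb", T0 + timedelta(minutes=20), "alice", "LAPTOP-7", "10.0.0.7", "Mass download from SharePoint", 3),
    Alert("iam", T0 + timedelta(hours=2), "carol", "LAPTOP-2", "203.0.113.5", "Single failed sign-in", 1),
    Alert("edr", T0 + timedelta(hours=5), "bob", "DESK-3", "10.0.0.12", "Unsigned script executed", 2),
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc.entity}: severity {inc.severity}, sources {sorted(inc.sources)}, "
              f"{len(inc.alerts)} alerts, TI {inc.ti_matches}")
```

Two design points carry over to a real SIEM. First, the entity you key on decides what you can see: keying on the user finds alice's chain but would miss a host reused by several accounts, so the same pass is normally run again with `entity_key=lambda a: a.host`. Second, the window is a trade-off: too narrow and a slow-moving chain splits into single-platform fragments that only survive if threat intel happens to match, too wide and unrelated activity is stitched together into noise.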
SOC mapping summary
The following diagram provides a summary of the multiple components that come together to help to make up the SOC architecture, with some additional thoughts when implementing each one:
This solution works best when there is a rich source of log data streaming into the log management solution, tied in with data feeds from threat intelligence and from vulnerability scans and databases. This information is used for discovery and threat hunting and may also reveal configuration drift. The core solutions of SOC operations include the SIEM, CASB, and EDR, among others, each with its own User and Entity Behavior Analytics (UEBA) and SOAR capabilities. Integrating these solutions is a critical step in minimizing noise and improving the speed of response. The outcome should be the ability to report accurately on the current risk profile and compliance status, and to communicate clearly, with accurate data, in situations that require an immediate response.