Security Operations Center (SOC) Its Evolution

From Logs to IDS

We have always known that the audit logs generated by systems are a key source of information for cybersecurity. The first challenge was to generate these logs, but the second, and more difficult one, was to review them. That's why in 1980, at the NSA, a preliminary concept of what we now know as IDS was born.

In the 1980s, James P. Anderson developed a set of tools to assist administrators in verifying audit logs. These included user access logs, file access logs, system event logs, and others.

The concept rapidly evolved, eventually leading to the commercial IDS systems we became familiar with in the late 1990s. These detection systems relied on signatures because anomaly-based systems generated a lot of noise and false positives.

From SIEM to Security Analysis

With the late 1990s Internet BOOM, there was a rapid expansion of cybersecurity controls for organizations. Cybersecurity architecture projects were critical for establishing organizations on the World Wide Web and mitigating the risks of hacking and malware on the network.

Users implemented various controls, including firewalls, IDS, and antivirus, among others. Each day brought more elements, making the review of audit logs increasingly complex. The first control to correlate logs from cybersecurity tools emerged, focusing on viewing firewall and IDS logs to reduce false positives from intrusion detectors.

This opened the minds of many and led them to focus on the ability to correlate any type of information source from cybersecurity controls to be more effective in incident detection.

In 2003, Gartner introduced its Magic Quadrant for SIEM. It was then that the development of this new control in the evolution of SIEM was opened up in the market, transforming cybersecurity operations into a data-driven function.

But technology evolves, and the vast amounts of data and analytics transform the control into a platform that maximizes telemetry. It also enriches it with other sources of information for decision-making and timely responses. This evolution is elaborated in great detail in the analysis conducted by Forrester, that is found in this article.

From Anomaly Detection to Human Augmented with AI

It is clear that IDS was the beginning of detection engineering. Two types of technology emerged: one that was more widespread, based on detection rules, and one that established a baseline through network traffic analysis.

This baseline generated thresholds used to alert on events that were outside the norm. However, this technology did not gain as much market traction at the time due to the high number of false positives it generated, primarily due to its immaturity.

Currently, we incorporate various machine learning algorithms into cybersecurity analytics systems, yielding highly effective results. These algorithms need to be continually fed with triage and investigative processes, creating substantial value through the fusion of technology and team skills.

With the advent of ChatGPT and other artificial intelligence tools, one of the most tested use cases emerged, leveraging these services to provide context and a better understanding of threats. Defensive and offensive teams have been using these services to improve the accuracy of their tasks and analyses. This is what we refer to as 'human augmentation.' This article explores the benefits and risks of AI.

From SOC to Security Operations

Several years ago, it was clear the services we needed to acquire to address requirements such as:

Log collection and retention.
Log correlation, event management, and cybersecurity alerts.
Compliance reporting.
Triage and investigation services.

These were the services provided by the Security Operations Center. Organizations realized that outsourcing these services offered benefits beyond just cost savings. The following graphic illustrates some relevant aspects.

The way of delivering services goes beyond infrastructure; it is necessary to:

Understand the client's environment: We need to comprehend the cybersecurity controls the organization currently has in place to establish service visibility.
Establish operational processes and align them with the client's structure and the implemented security governance guidelines.
Continuously manage the service to evolve and measure customer expectations.

At present, the market is inundating us with numerous acronyms and options for addressing the needs of prevention, detection, and incident response. Below, we will attempt to describe each of the options found in the market.

SIEMaaS

For some years now, the provision of event collection and correlation tools as a service has become prevalent. Companies with their own cybersecurity operations have decided to move away from on-premises SIEM solutions to gain elasticity and scalability, and to relieve themselves of platform management and infrastructure maintenance. Given its data-centric nature, the advantages of the cloud were evident.

SOCaaS

SOC as a Service can be defined as 24/7 advanced threat detection monitoring. The service is backed by event collection, correlation, and remote intervention tools.

The SIEM is the core of the service and it’s staffed with top-tier personnel for event analysis, as well as other teams for investigation. Its processes focus on cybersecurity incident management, with ticket and case management supporting this process.

MDR

MDR service begins with the management and operation of EDR solutions. The concept was formed by understanding that the triage, investigation, and maintenance process of Endpoint Detection & Response solutions required specific capabilities.

Customers who replaced antivirus with EDR solutions began to hire these services. Currently, MDR has expanded with the same concept of XDR (which we will discuss next), promoted by EDR manufacturers.

Its goal is to extend to other sources of information because having visibility of the Endpoint alone is not sufficient to address today's threats adequately.

M-XDR

eXtended Detection & Response (XDR) is an acronym that has sparked many debates over its definition, with the most common interpretations being:

- XDR is the Next Generation SIEM

- XDR is an EDR on steroids

- XDR = EDR + NDR + CDR

These discussions can be intense, but what is clear is that XDR was established to broaden the sources of information and enhance analytical capabilities and visibility.

So which definition of XDR do you think will win? @forrester with XDR as EDR++ or @Gartner_inc with XDR as EDR + NDR?
— Richard Bejtlich 💾 🇺🇦 (@taosecurity) November 17, 2021

The M included in XDR stands for the management and operation of this extension of information sources. There are services that include a SIEM or DataLake, while others have developed their own triage and investigation playbooks, which customers can view on a platform.

ITDR

Lately, the acronym Identity Threat Detection & Response (ITDR) has started to gain traction, focusing on specific use cases such as:

- Compromised systems

- Exposed identities

- Situations involving exposed identities

- Processes for revoking privileges, rotating credentials, and implementing other cybersecurity controls to contain threats

To address this need, information sources such as Active Directory, PAM, IdM, among others, are necessary.

Unified Cybersecurity Operation by A3Sec

This is a concept that is taking shape, encompassing continuous attack surface management and cybersecurity posture services, in addition to detection and response services.

This service integrates teams, processes, and technology to achieve the objectives of reducing Incident Dwell Time. Below, we describe what constitutes this concept.

Tribes

This type of service includes highly specialized teams that focus on carrying out specific activities in the delivery of the service. Below, are some of the tribes that make up the Unified Cybersecurity Operation service at A3Sec.

DevSecOps & ML-Ops

The DevSecOps team, composed of our architects, focuses on:

Maintaining the infrastructure supporting our services and operations
Infrastructure deployment as code
Process automation
Integrations

Offensive

The offensive team focuses on understanding the artifacts and techniques used by attackers to validate the effectiveness of existing controls in our clients' operations. Their mission is to support continuous improvement of the cybersecurity posture. Their approach is oriented as follows:

Continuous analysis of published vulnerabilities
Analysis of artifacts and tools used by threat actors
Prioritization of actions to effectively mitigate detected risks

IT, TH

The threat intelligence and threat hunting team, along with the data scientists, aim to create intelligence that aids in more effective detection of techniques, tactics, and procedures. Their focus is as follows:

Generating IoCs (Indicators of Compromise) and IoAs (Indicators of Attack)
Developing detection models
Reducing alert fatigue

The incident response team focuses on executing activities related to alarm and incident management, including prioritization, investigation, escalation, containment, and recovery in response to risk-generating events for our clients. Their focus includes the following tasks:

Client knowledge generation: asset inventory, access, authorized apps.
Alarm triage.
Prioritization and escalation.
Investigation.
Containment processes and crisis management.

Consulting

Our consulting and client success team is responsible for managing client expectations, handling the backlog, and coordinating resources to exceed expectations. Their focus is based on the following activities:

Gathering client needs
Managing the client's requirement backlog
Guiding the cybersecurity strategy by prioritizing requirements from multiple clients
Translating the technical concepts of our services into business language
Supporting the organization's risk management in accordance with the cybersecurity operation of our services.

Key Processes and Tools

Each tribe is responsible for specific processes and tools with the mission of evolving these processes and finding new, more efficient ways to do them. Below is the table that shows the tribes, their processes, and the required tools to carry out their tasks efficiently:

Tribu	Processes and Responsibilities	Tools
DevSepOps & ML-Ops	CD/CI Application Lifecycle: Implementation, operation, maintenance, automation, integrations, support, ML Ops	Ansible, Terraform, WOCU, TensorFlow, Serveress, Microservicios, Phyton
Offensive	Continuous inventory of digital assets. Ongoing management of control effectiveness. Effective attack vector management strategy. Mitre Attack and Mitre Defend.	Atomic RedTeam, ASV,
IT, TH	Detection Engineering Threat hunting methodology Mitre Attack	TIP, SIEM, EDR, NDR, Sandbox
IR	Security Event Management Security Incident Management Crisis Management	SIEM, TIP, Ticketing Tool, SOAR, EDR, NDR.
Consulting	Agile Project Management Cybersecurity Risk and Uncertainty Management Mitre Defend	Project Management Tool.

What are the new requirements that our customers want to address with our Unified Security Operations services?

We have compiled a list of requirements for both LATAM and European customers who have expressed interest in Unified Cybersecurity Operations services. We believe that this list can be of great value when drafting a specification or implementing these types of services within our organizations.