Let’s talk modern SOC tools. The analogy I’d like to use is that of a “Nuclear Triad” – a key cold war concept. The triad consisted of strategic bombers, ICBMs and missile submarines (strictly speaking, submarine missiles – SLBMs) and sought to “significantly reduce the possibility that an enemy could destroy all of a nation’s nuclear forces in a first-strike attack.”
Your SOC should have its own nuclear triad of visibility:
- SIEM – if I need to explains this, please read something else instead 🙂
- Network Forensics (NFT) – tools that can capture all network traffic (full packet capture), extract metadata (including application layer, L7 metadata such as HTTP user-agent, DNS query response, FTP username, email subject, etc) and payloads, retain some raw traffic and metadata, enable searching and analysis. There are several commercial tools, and then there are moloch and OpenSOC; Bro sort of fits in as well. [See more details here and in this GTP document]
- Endpoint Detection and Response (EDR, formerly ETDR) – typically agent-based tools to capture execution, local connections, system changes, memory activities, etc. There are a lot (A LOT!) of commercial tools, and then there are GRR, MIG (update: not really MozDef, as I mentioned in the previous version) as osquery, sort of. [See more details here and in this GTP document]
Similar to the above, your “SOC triad” seeks to significantly reduce the chance that the attacker will operate on your network long enough to accomplish their goals.
Of course, your SOC will make use of other tools and capabilities, such as threat intelligence (TI) data, malware sandboxes and reversing tools [to push the above analogy a tad too far, maybe this is like a suitcase nuke? Very much an auxiliary weapon, but also very cool? :-)] as well as some workflow system to organize all your work [strategic forces undeground command center?]. However, I always think of SIEM + NFT + EDR as “SOC nuclear triad” of visibility!
There you have it! Enjoy!