As with any service or solution, an ongoing maintenance routine is a critical process to ensure timely service improvements, maintain operational efficiency and cost control, and —most importantly— ensure the service remains highly effective in detecting and responding to security issues.
In general, Security Operations Center (SOC) operations are performed by two distinct roles: SOC engineers and SOC analysts. In a small organization, this may be a single person carrying out both roles; in larger organizations, these roles will span many teams and will be carried out by dedicated professionals. In this chapter, we will provide details of the daily, weekly, and monthly tasks required for each role, and any ad hoc tasks that should be carried out as required.
The information in this chapter is meant to provide a starting point for your own planning and ongoing improvement, so you can carry out the necessary processes to produce a high-performing team and a well-managed Azure Sentinel solution.
In this chapter, we will cover the following topics:
A well-developed SOC will be made up of multiple roles, to divide responsibilities and ensure that each individual can focus on their specific tasks. Depending on the size of the team, there could be many roles and many layers of management, leadership, and expertise, or it could be a smaller team in which two or three individuals carry out all the roles between them.
At a high level, the operation of an SOC will require experts that know how to install and maintain the technology solutions required to run the SOC (SOC engineers), and another set of experts that are able to use the solutions to hunt for threats and respond to security incidents (SOC analysts). These two roles work together to provide constant feedback on what works well, and where improvements are required.
Let’s review the primary differences between the two main roles, to understand the type of operational tasks they might need to carry out.
SOC engineers are responsible for the initial design and configuration of Azure Sentinel, including the connection of data sources, configuring any threat intelligence (TI) feeds, and securing access to the platform and the data contained within.
Once the service is operational, SOC engineers are then responsible for ongoing improvements, creating analytic rules for threat detection, and fine-tuning to ensure the service remains operationally cost-effective and efficient.
SOC engineers will implement new features made available by Microsoft, and develop automations and other improvements based on feedback from SOC analysts.
SOC analysts focus on using the tools and data available to respond to alerts and hunt for other threats that may not have been automatically detected.
This role relies on the continuous development of new detection methods, the advancement and integration of machine learning algorithms, and the automation of threat responses to ensure SOC analysts can react quickly to new alerts.
To ensure they can focus on threat detection, SOC analysts offload the tooling and rule configuration to SOC engineers. This frees the analysts to create and maintain their playbooks, and to define their standard operating procedures for identifying and responding to suspicious events and behaviors.
In this section, we will provide an initial list of tasks that have been identified as engineering tasks. You can use this list as a starting point, and then add your own tasks based on what works for your specific requirements. Each component that is added to the SOC architecture will have its own task requirements—for example, if you integrate a Cloud Access Security Broker (CASB) solution, you will need to carry out similar tasks within that platform to ensure it is well maintained and sending the appropriate information to Azure Sentinel.
A list of daily tasks is as follows:
A list of weekly tasks is as follows:
Monthly tasks
A list of monthly tasks is as follows:
A list of ad hoc tasks is as follows:
In this section, we will provide an initial list of tasks that have been identified as operational requirements for SOC analysts. These tasks focus on the work required to create, maintain, and organize Azure Sentinel components to ensure operational efficiency.
A list of daily tasks is as follows:
Review TI sources for current activities and new findings; apply findings to your threat-hunting procedures.
A list of weekly tasks is as follows:
A list of monthly tasks is as follows:
A list of ad hoc tasks is as follows:
While this is one of the shorter chapters in this book, it has covered the importance of ongoing maintenance that will ensure SOC teams remain vigilant with respect to ongoing changes in the threat landscape, and will also keep Azure Sentinel tuned for efficient and effective security operations.
In the final chapter of this book, we will introduce some resources you can use to continue gaining the knowledge required to implement and operate Azure Sentinel and related solutions.
Review the following questions to test your knowledge of this subject: