Processes and procedures

The key component of an effectively run SOC is well-thought-out processes and procedures. An SOC must be able to carry out identification and remediation activities the same way every time, and effective processes and procedures ensure that this work is done in a repeatable and reliable fashion.

The key process and procedure categories needed for an effectively managed and operating SOC mirror the incident response life cycle and include:

  • Identification:
    • Detection
    • Analysis
  • Remediation:
    • Containment
    • Eradication
    • Recovery

The following is a sample process that identifies the parties and their duties when a cross-site scripting (XSS) vulnerability is identified on an organizational web application:

Process steps and the role responsible for each:

  1. SOC analyst: identifies or receives a report of an XSS vulnerability
  2. SOC analyst: documents the identification/report as an incident:
    • XSS vulnerability identified, including the following information in the tracking form:
      • Vulnerable site/script (URL)
      • Source of the report/identification
  3. SOC analyst: notifies the SOC manager of the incident through email
  4. SOC manager: identifies the owner of the website and the responsible manager
  5. SOC analyst: opens a help desk ticket with the following standard recommendations:
    • Website owner to perform the following:
      • Analyze/validate the reported XSS vulnerability
      • Correct/remove any exploitable pages/scripts from the site
  6. Website owner: remediates the vulnerability
  7. SOC analyst: validates that the vulnerability has been closed
  8. SOC analyst: closes the incident when notified by the website owner/developer
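As an added illustration (not part of the book's text), the eight steps and their role assignments above can be encoded as a small workflow so that the tracking system itself enforces the order and the separation of duties, for example that the website owner remediates but only the SOC analyst validates and closes. The class and function names, and the sample incident values, are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum, auto

class Stage(Enum):
    REPORTED = auto()          # step 1: report received or identified
    DOCUMENTED = auto()        # step 2: tracking form completed
    MANAGER_NOTIFIED = auto()  # step 3
    OWNER_IDENTIFIED = auto()  # step 4
    TICKET_OPENED = auto()     # step 5
    REMEDIATED = auto()        # step 6
    VALIDATED = auto()         # step 7
    CLOSED = auto()            # step 8

# (stage, role allowed to act) -> next stage, taken from the role assignments
# above, so a step done out of order or by the wrong role is rejected.
WORKFLOW = {
    (Stage.REPORTED, "SOC analyst"): Stage.DOCUMENTED,
    (Stage.DOCUMENTED, "SOC analyst"): Stage.MANAGER_NOTIFIED,
    (Stage.MANAGER_NOTIFIED, "SOC manager"): Stage.OWNER_IDENTIFIED,
    (Stage.OWNER_IDENTIFIED, "SOC analyst"): Stage.TICKET_OPENED,
    (Stage.TICKET_OPENED, "Website owner"): Stage.REMEDIATED,
    (Stage.REMEDIATED, "SOC analyst"): Stage.VALIDATED,
    (Stage.VALIDATED, "SOC analyst"): Stage.CLOSED,
}

@dataclass
class XssIncident:
    url: str     # vulnerable site/script (URL), required by the tracking form
    source: str  # source of the report/identification, also required
    stage: Stage = Stage.REPORTED
    # audit trail of (role, stage reached); step 1 is recorded at creation
    log: list = field(default_factory=lambda: [("SOC analyst", Stage.REPORTED)])

    def __post_init__(self):
        if not self.url or not self.source:
            raise ValueError("tracking form requires both URL and report source")

    def advance(self, role: str) -> Stage:
        # Perform the next step as `role`; reject a wrong role or wrong order.
        nxt = WORKFLOW.get((self.stage, role))
        if nxt is None:
            raise PermissionError(f"{role} may not act at stage {self.stage.name}")
        self.stage = nxt
        self.log.append((role, nxt))
        return nxt

def run_to_closure(url: str, source: str) -> XssIncident:
    # Drive one incident through steps 2-8 in the prescribed order.
    inc = XssIncident(url, source)
    for role in ("SOC analyst", "SOC analyst", "SOC manager", "SOC analyst",
                 "Website owner", "SOC analyst", "SOC analyst"):
        inc.advance(role)
    return inc
```

The audit log produced by `run_to_closure` is the record that each step was performed by the intended role, which is what makes the process auditable as well as repeatable.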
