SOC

[rainit2006]

EDR, MDR, XDR, SIEM, SOAR

EDR

• Endpoint Detection and Response. At least with the EDR agent we are using, EDR gets us monitoring of things like Windows Event Logs, persistence events, processes, dns queries, etc.. That info would be used to make behavioral-type detections such as the TTPs associated with various ransomware gangs and APTs.

MDR

• A combination of EDR and 24/7 monitoring/response by a SOC team.

XDR

• I've heard this described as a SIEM for EDR vendors. Behavioral data from EDR along with Windows event logging, logging from services like 365, and logs from network devices are all sent to XDR. "AI" is then used to correlate all of those data points together and provide alerts on potentially malicious activity.
• XDR: eXtended Detection and Response, this is the newest and most poorly defined term. I don't remember the actual origin story, but my web search reads like the xdr category was invented by an analyst and now everyone marketing department are rushing to justify why the same thing they had last year is now XDR. So what is it.. it's indeed to be a "replacement" or improvement over a SIEM. In short XDR should aggregate events from EDR, spam filter, firewall, possibly auth logs from your cloud services etc etc so you can corelate across multiple platforms and see the full stack from first email phish to credential compromise and on to malware on an endpoint. There are lots of variables here, some "open XDR" offerings that should allow integrations with third party tools, it closed platforms that only integrate one vendors set of tools.

SIEM, SOAR

Xdr - generates logs Siem - correlates logs and generates alerts Soar - automates generated alerts.. Edit: We are now @ SOAR + AI - automates generated alerts & response with tier 1 AI workforce. Soar: allows triggering automated response when certain conditions apply. Like if a finance dept user attempts to log in from Russia at 3am on a Saturday, lock the account, open a case, and email someone who cares

SIEM is a product that takes in data (log data, event data) and correlates it and let's you search/report/alert on it. SOAR merges the management and response parts of security into a single tool. Often, SOAR is built on top SIEM. So... want to see your web proxy logs showing malicious download merged with your endpoint AV logs showing that download executing = SIEM. Want to automatically block the site that download came from when your endpoint AV detects it = SOAR.

CSIRT(Computer Security Incident Response Team)

• https://www.rapid7.com/blog/post/2017/04/19/difference-between-a-soc-and-a-csirt/
• When to Create a CSIRT: The CSIRT may be a formal or informal organization, depending on your company’s unique needs. If you’re not faced with threats on a regular basis, the CSIRT may come together only on an as-needed basis. But if you’re in a high-risk industry (e.g. government, healthcare, finance) where responding to threats is a regular and vital part of your business strategy, a formal and full-time CSIRT may be necessary.

[rainit2006]

SOC team building

Look at the SC-200 documentation. Microsoft lays a good foundation of a typical SOC team with different tiers and specialized teams. In terms of shifts, i like 12 hour shifts because you get 3-4 days off per week depending on the week.

If you haven't already, check out Mitre's SOC strategies publication: https://www.mitre.org/news-insights/publication/11-strategies-world-class-cybersecurity-operations-center Pages 86 - 89 cover some considerations for a 24x7 SOC implementation you may find helpful.

Most teams here are on 10 hour shifts, 4 days a week, 2 nights, 2 day shifts. Works pretty well, haven't heard anyone complaining too much about it. You always have out of office days after the night shifts. 4x10’s (Sun-Wed) and (Wed-Sat) same shift, using Wednesday as meeting day to sync up with and discuss changes and that since everyone is on. e.g. 4-3, Ten Hour, Rotating Shift Schedule | 24/7 Shift Coverage

[rainit2006]

SOC team

In this book, the constructs of “tier 1” and “tier 2+” are sometimes used to describe analysts who are primarily responsible for front-line alert triage and in-depth investigation/analysis/ response, respectively. However, not all SOCs are arranged in this manner.

https://www.mitre.org/news-insights/publication/11-strategies-world-class-cybersecurity-operations-center