A-SOC Technical Capabilities: 1- Data collection capabilities and compliance benefits of log management, 2- The correlation, normalization and analysis capabilities of SIEM (security information and event management) 3- The network visibility and advanced threat detection of NBAD (network behavior anomaly detection), and user behavior anomaly detection by machine learning - User Behavior Analytics 4- The ability to reduce breaches and ensure compliance provided by Risk Management,

1. Advanced SOC
1. Advanced SOC – Technology, Components, Processes and Organization
2. Threat Hunting
3. Threat Detection using Analytics & Machine Learning
4. Deception Technology: Use Cases (Active Defense & Implementation
Approaches
5. Incident Management

2. 2
Advanced SOC - Features
Threat Assessment and Hunting
– Knowing Threats and Adversaries
– Their tools and methods
– Critical assets as targets
– Existing Controls and Weakness
– Monitoring presence , IOC Management
and Hunting
Threat Intelligence
– Internal threat intelligence
– External threat intelligence
– Application of threat intelligence
– Automated consumption of threat
intelligence (updated SIEM rules/
runbook)
Situational Awareness
– Context and enrichment
(Post correlation, joining the dots to see the
attack chain)
– Visibility
(Visualization to the state of security)
Security Analytics
– Behavioral profiling for users and
systems
– Database searches and statistical
modeling, reporting and visualization
– Forensics capability (Netflow/ replay)

3. Log Sources
Correlation
Analysis &
Reporting
Collection &
Aggregation
Connector Event Processor/ Logger
ESM Console
Storage Array
Online Logs and Reports
Portal Ticketing
Network Devices
Servers / Systems
Authentication/DNS/Apps
Reporting
Monitor everything
Logs, network traffic,
user activity
Correlate
intelligently
Connect the dots of
disparate activity
Detect anomalies
Alerts, Violation,
Unusual yet hidden
behavior
Single, Unified & Integrated
Mgt Console
Incident Management
Automation
Big Data Set - Machine Learning –
Analytics
3
A-SOC Architecture
NetFlow
Threat Intelligence
• Logs
• Contextual Data
• Vulnerability Asset
Inventories
• Reports and Analytics
Internal
• XFORCE
• CrowdStrike
• SecureWorks
• Deepsight
External
Threat Ingestion - Structured Threat Information
eXpression (STIX™)
Threat
Hunting
End Points /
Mobile / Cloud
UBA

4. • Data collection capabilities and compliance benefits of log management,
• The correlation, normalization and analysis capabilities of SIEM (security information and event
management)
• The network visibility and advanced threat detection of NBAD (network behavior anomaly detection), and
user behavior anomaly detection by machine learning - User Behavior Analytics
• The ability to reduce breaches and ensure compliance provided by Risk Management,
• The network traffic and application content insight afforded by Network Forensics.
• The automation of Incident Response by Artificial Intelligence / Run Books
• IOC / VM Management by Threat Intelligence
• Reporting and Visualization provided by Presentation Layer
SIEM as a platform should be a truly integrated solution built on a common codebase, with a single data
management architecture and a single user interface.
4
A-SOC Technical Capabilities

5. 5
A-SOC Framework
Strategy
Program vision, objectives, approach, initiatives, roadmap
SIEM Admin Operation
• Tool / Log Integration
• Reporting and Dashboards
• Rule Administration
• Device Administration
Threat Monitoring & Response
• Monitoring and Notification
• Validation and Triage
• Analysis and Escalation
Threat Hunting & Intelligence
• Internal Threat Intelligence (Assets/
Vulnerabilities/ Alerts
• External Threat Intelligence (Feeds,
analysis, actionable)
Governance
SOC Organization, Reporting, Service Level Management, Policy Approvals, Recommendations, Escalation.
NBAD and Forensics
• Network flow monitoring and anomaly
detection
• Full packet capture for forensics
Strategy &
Governance
Operations
SIEM Technology
• Log collection, processing and
correlation
• Data sources – structure, referential
and unstructured
Incident Management Tool
• Ticketing, run book automation, incident
response and collaboration and KPI
monitoring
Technology Analytics
• Big data – User Behavior Analytics
• End System Analytics
• Historical log and network and
application data correlation
Integration
• CMDB - Asset Modeling
• VM – Vulnerability Mapping
• Incident Mgt – Ticketing / Workflow
• Threat Intelligence Feeds
Business Intelligence
• Security Dashboard
• Visualization – Integrated Security
Posture
• Risk and Analysis Report
BUSINESS FUNCTION
• Requirement Analysis
• Risk Management
• Audit and Compliance Management
• Legal and Fraud Management
OPERATION FUNCTION
• Active Threat Hunting
• Run Book / Response Management
• IOC Management
• Use Case Management
• Intelligence Analysis
TECHNOLOGY FUNCTION
• Architecture and Integration
• Development
• Server Management
• Application, User and Data
monitoring
CSIRT
• Incident Response / Emergency
Response
• Forensics
A-SOC framework allow organizations to setup a cohesive and comprehensive cyber
defense SOC with a strong foundation
Advanced SOC
FRAMEWORK

6. Other Internal Teams
Systems
Applications
Network
Database
Vulnerability / Patch
Business
Risk / Compliance
Information
Technology
Information
Security and Risk
Management
CISO
CEO , COO, CRO
Board / Shareholders
Incident Responder
L2/L3 SOC Analysts
Service Desk
L-1 Monitoring Team
SOC Manager
SIEM Admins Forensics
Threat Hunter
Country CERT
Regulatory Bodies
CIO
SOC Team
Internal SOC organization associated roles
and responsibilities should be clearly
defined. The following is a sample
organization structure.
Threat Intelligence
6
A-SOC Organization Structure and Functions

7. Event Management
• Event monitoring, analysis and
correlation
• Triage and Escalation
• Containment
• Proactive intelligence and situational
awareness
• Response collaboration
Vulnerability & Patch Mgmt
• Vulnerability research
• Identification
• Patch management
• Dissemination
• Compliance monitoring
• Configuration / Control baselines
• Antivirus signature management
• Microsoft updates
Incident Response
• IM Charter, CSIRT and TIG Reporting Structure, R&R
• Incident Handling Process and Procedures for:
• Identification, validation, declaration, escalation,
containment, investigation, forensics, eradication,
recovery, post incident
• Cross functional RACI and co-ordination for response
• Forms and Templates
Threat Specific Response Procedures
• Phishhing / Spear Phishing
• Malware (virus, worms, trojans, spyware)
• NetFlow Abnormal Behavior Incident
• Network Behavior Analysis Incident
• (Distributed) Denial of Service
• Domain hijack or DNS cache poisoning
• Website defacement
• Web application incident
• Unauthorized access
• User account compromise
• Host compromise
SOC
• Charter
• Organization
• Roles and responsibilities
• Business requirements, scope
and architecture
• Service Catalogue
• SOC operations and
management procedures
• SOC metrics and KPIs
• SOC process and procedure
manual (all processes and
procedures including
tool/solution specific)
• SOC security policy
• SOC business continuity and
disaster recovery
Threat Hunting
• Threat Intelligence
• Threat Hunting
• Crown Jewel Mapping / TTPs
7
A-SOC Processes

8. 8
Incident Lifecycle Management
Threat Management – Our defence in Cyber Kill Chain
Know your
adversaries
and their
methods; IOC,
Hunt Mission
Detect threat
activity in kill
chain
Disrupt the kill
chain and stop
the attack
Eradicate
threat agent
and remove
the threat
 Our Best Defence against advanced cyber threats lie in Advanced detection, hunting, analysis
intelligence and incident response working in cordial manner defined by our processes
Threat Intelligence & Hunting
Security Operation
Incident Response
Response StrategyDetection and Deception - Threat Indicators