February 28, 2022 HAWKEYE

CSOC Analysts Cybersecurity Toolkit Arsenal

It is safe to say that organizations worldwide have different infrastructure setups, technology, software, and different network architecture types. No matter how diverse these organizations are, they have one thing in common, a CSOC analyst who is watching over their infrastructure.

A Cyber Security Operations Center (CSOC) is made up of a team of cyber security analysts whose responsibilities are fully dedicated to hunting for vulnerabilities and indicators of compromise, and to investigating incidents and alarms generated by SIEM, XDR and other security monitoring platforms and tools.

Incidents vary in format, severity, and criticality, which creates the need for a skilled CSOC analyst who can properly identify and respond to each of these types. Besides incident response activities, CSOC analysts are also involved in threat hunting efforts, actively investigating the environment for malicious indicators or advanced threats.

Cybersecurity Software Tools – a Perfect CSOC Analyst Toolkit

There are thousands of security tools out there making it difficult to choose the right ones, especially because the software solutions need to complement each other.

Nonetheless, each security tool can be categorized based on the types of events it detects and, in some cases, prevents. A perfect toolkit doesn’t exist, since the right choice for each tool will heavily depend on the type of computer systems that need protection and on the level of expertise of the CSOC analyst who has to investigate and drill down into the details.

Taking all of this into consideration, below is a list of the most efficient and useful tools that should be part of any CSOC analyst’s cybersecurity toolkit.

SIEM – Security Information and Event Management is the crown jewel for any CSOC analyst. The platform is used for the collection and correlation of logs generated by all other endpoint, network, server, infrastructure, application, database, cloud, SaaS and security tools in the environment.

In other words, SIEM provides its own intelligence, along with a set of rules created to give additional insight into all other security and non-security related logs. It is thus important to collect logs from every log source deemed to have significant security interest or events of interest. A CSOC analyst can detect, respond to, and classify potential incidents much faster since most of the information is available in a single platform and dashboard, eliminating the need to navigate between many different tools. Incidents and alerts from SIEM can also be mapped to the MITRE ATT&CK model.

EDR (Endpoint Detection and Response) solutions – EDR is advanced endpoint protection software used for various advanced malware and anomaly-based detections. Unlike traditional anti-virus platforms, which detected malware by relying on a set of file signatures, EDR security software relies on machine learning and anomaly-based detections where the context of file execution is also taken into consideration. Modern EDR solutions also give the CSOC the ability to apply threat hunting techniques and hunt for adversaries and indicators of compromise (IoC). Incidents and alerts from EDR can also be mapped to the MITRE ATT&CK model.

XDR – eXtended Detection and Response tools build on top of EDR, NDR and SIEM and allow for quicker correlation and root cause analysis across the IT operating environment. XDR is still new in terms of maturity, and XDR solutions differ from vendor to vendor based on their capabilities and vision. Incidents and alerts from XDR can also be mapped to the MITRE ATT&CK model.

OSINT and DARKINT – Open-Source and Dark Web Intelligence tools provide great benefit to CSOC analysts, as they give access to vast amounts of public and dark web information. It is hard to list all of them, but the most popular tools worth mentioning are Shodan, Maltego, Sherlock, DarkSearch, DarkOwl and Sixgill. Maltego can assist in uncovering relationships between companies and people, Shodan can provide up-to-date scanning information on publicly exposed devices, Sherlock can be used to find usernames across many social networking platforms, and DarkSearch can be used as a dark web search engine.

Threat Intelligence – Usually publicly available, threat intelligence tools provide a centralized place for threat intel lookup and for the analysis of IPs, domain reputation, file hashes, and more. CSOC analysts frequently use threat intel tools such as sandboxes for file analysis and emulation, malware analyzers such as YARA for malware identification and classification, and IP address and domain analyzers such as AlienVault OTX, IBM X-Force, FortiGuard, Palo Alto Unit 42, CrowdStrike Falcon and other popular commercial platforms.

Secure Web Gateway (SWG) / Web Proxy / DNS Firewall – with a large amount of internet traffic being generated every second, the ability to analyze and act on malicious DNS traffic is necessary; a DNS firewall, or a firewall with DNS inspection capabilities, provides this. DNS can also be used to siphon data out of the organization through DNS tunneling mechanisms. Browsing the internet, whether in the office or at home, can be problematic if not all Internet access passes through an SWG or web proxy with advanced features such as browser isolation and explicit forward proxy capabilities. With the increase in work-from-home scenarios, organizations should adopt a cloud SWG/web proxy to ensure all Internet access is unified. CSOC analysts can combine SWG/web proxy logs with EDR-related events to reach a conclusion about the root cause of an event.
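The DNS tunneling detection mentioned above, as an added example (not code from the original article or from any product): a small triage routine that runs over DNS query logs and flags client/zone pairs that repeatedly send long, high-entropy subdomain labels, the usual shape of encoded exfiltration. The log format, thresholds and sample lines are assumptions constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample lines in a simplified "timestamp client qname qtype" form;
# not the output of any particular DNS firewall or SWG product.
SAMPLE_LOG = """\
2022-02-28T09:00:01 10.0.0.15 www.example.com A
2022-02-28T09:00:02 10.0.0.15 mail.example.com MX
2022-02-28T09:00:03 10.0.0.42 ZGF0YTAx.dGhpc2lzYXRlc3Q.a2V5MTIz.tun.example.net TXT
2022-02-28T09:00:04 10.0.0.42 ZGF0YTAy.dGhpc2lzYXRlc3Q.a2V5NDU2.tun.example.net TXT
2022-02-28T09:00:05 10.0.0.42 ZGF0YTAz.dGhpc2lzYXRlc3Q.a2V5Nzg5.tun.example.net TXT
2022-02-28T09:00:06 10.0.0.42 ZGF0YTA0.dGhpc2lzYXRlc3Q.a2V5MDEy.tun.example.net TXT
2022-02-28T09:00:07 10.0.0.15 cdn.example.com A
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits of entropy per character; base64/hex-encoded payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parent_zone(qname, labels=2):
    """Crude registrable domain: the last `labels` labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])

def triage(lines, min_queries=4, min_subdomain_len=20, min_entropy=3.5):
    """Map (client, zone) -> reason for pairs whose queries look like a tunnel:
    repeated long, high-entropy subdomain labels, often carried in TXT/NULL."""
    stats = defaultdict(lambda: {"n": 0, "long_high_entropy": 0, "txt": 0})
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole triage
        _, client, qname, qtype = m.groups()
        zone = parent_zone(qname)
        sub = qname[: -len(zone) - 1] if qname != zone and qname.endswith(zone) else ""
        st = stats[(client, zone)]
        st["n"] += 1
        st["txt"] += qtype in ("TXT", "NULL")
        if len(sub) >= min_subdomain_len and shannon_entropy(sub) >= min_entropy:
            st["long_high_entropy"] += 1
    return {
        key: f"{st['long_high_entropy']} long high-entropy subdomains, {st['txt']} TXT/NULL queries"
        for key, st in stats.items()
        if st["n"] >= min_queries and st["long_high_entropy"] >= min_queries
    }
```

On the sample log only the 10.0.0.42 / example.net pair is flagged; the ordinary browsing queries from 10.0.0.15 stay below both the length and entropy thresholds, which is the false-positive check a DNS firewall rule of this kind needs before it blocks anything.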

Email Security Gateway – Phishing attacks represent the largest percentage of cybersecurity attacks and the primary method of delivering malicious payloads. Defending against these attacks would be impossible without a robust email security protection platform. CSOC analysts can create whitelists and blacklists for email senders, IP addresses, and much more; configure SPF, DKIM and DMARC for domain-level security; introduce attachment scanning and sandboxing, URL rewriting and file-extension analysis; and apply advanced machine-learning-based anti-phishing techniques. Configuring email protection policies and investigating suspicious emails is part of the daily work of a CSOC analyst.

Vulnerability Management and Application Scanning – The ever-increasing number of vulnerabilities in the applications and software in use within an organization carries hidden risks: vulnerable open-source libraries, vulnerable web components, vulnerable API endpoints, fileless attack surfaces, and so on.

Many of the software packages and applications used in an organization are vulnerable to cyber-attacks. Vulnerability and application scanners perform periodic checks of the environment, detecting outdated software, insecure software, vulnerable libraries, security misconfigurations, and vulnerable programs. A CSOC analyst will conduct vulnerability and application scanning on a regular basis and interpret the results.

NGFW and WAF – CSOC analysts work in organizations of different types, sizes and industry verticals. The larger the infrastructure, the more network traffic is generated. Additionally, almost every organization has an online presence that needs to be protected. All Internet exit points need to be monitored in real time, and the attack surface needs to be controlled and managed for all published services, whether they are on-premises or in the cloud.

This is where NGFW and WAF solutions allow CSOC analysts to identify network and web-based threats. Usually located at the boundaries of the environment (Internet, perimeter, DMZ, WAN, extranet, server farm, user segment), NGFWs provide a necessary layer of protection against every type of cyber-attack imaginable. The architecture and security zoning definitions play a key role in how easily traffic flows can be detected, so it is equally important for CSOC analysts to have a sound grasp of the network architecture, the security zoning and the policy IDs configured on the firewalls.

A WAF should be deployed to protect all public-facing sites; advanced web application attacks can be prevented using RASP (Runtime Application Self-Protection). An API security gateway should be deployed to protect against API-borne threats, and APIs should only be published through a centralized gateway.

CSOC analysts also use network packet analyzers to dive deeper into specific sets of network traffic and hunt for threats, which can also be achieved using NDR (Network Detection and Response) or ETA (Encrypted Traffic Analysis) platforms.

Better SOC Analyst Cybersecurity Toolkit – Better Incident Response

Having more tools at a CSOC analyst’s disposal allows the analyst to classify an incident faster and respond to a potential incident in a more comprehensive way. However, it must be noted that tools are only as good as how they are configured, managed, and operated. Various other tools exist to assist the CSOC analyst in finding advanced threats and classifying them accordingly based on MITRE ATT&CK.

New and innovative cybersecurity tools are being developed every year by more than 1,000 cybersecurity vendors, increasing detection and response capabilities and trying to keep up with the latest and most sophisticated cybersecurity attacks.

The trend doesn’t seem to be slowing down and we will see great progress in the future with the adoption of AI across the ecosystem for self-immune and self-defending networks and systems.

The ever-changing landscape will push for more innovation in cybersecurity tools, along with the need for experienced CSOC analysts. Therefore, it is safe to say that a good security analyst will continuously research and build their own toolkit to stay up to date with the latest threats.

A comprehensive cybersecurity toolkit is crucial for CSOC analysts to be able to do their jobs effectively and ensure organizations remain vigilant and protected from cyber-threats.



We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.