Operations Center
Thomas M. Mitchell
There must also be additional escalation procedures in place. The SOC must have clearly defined procedures for the escalation tier that address, at a minimum:

■■ Resources to assist with resolution of incidents
■■ Review of open incident records
■■ Status updates
■■ No response from the customer (again, "customer" is defined as part of the SOC services and in many cases may be the end user or system administrator)

Use Cases: What Advanced Analytics Can Add to the CSOC Mission

Achieving the balance of proactive, dynamic, and forensic cybersecurity encompasses the following use case actions.

Use Case Examples

Advanced analytics comes in two flavors. One is the automated analyst and the other is the human analyst; both perform similar functions, and both can dive into the aggregated data to analyze use cases such as incident monitoring, malware detection, data breach detection, advanced persistent threat detection, insider threat detection, threat intel analysis, and incident response. The automated CSOC will then execute its mission efficiently when it is given the authority to do its job through effective organizational placement and appropriate, transparent policies and procedures for cyber-situational awareness.

The advanced analytics-driven CSOC will take massive amounts of data and bring them together into dashboard graphs and data-driven behavioral diagrams defined by the use cases. The use cases will allow for cybersecurity investigations. The vast amounts of data will provide the context for a comprehensive view of the network that enables the defenders to be successful. To be next generation, a CSOC should be aware of both existing and new technologies. This proactive vigilance will enable CSOCs to become technologically sophisticated. Consuming advanced analytics together with threat intelligence creates a CSOC that advances by using these technologies to grow into the automated CSOC of the future. The future is now.

Primary Components of a CSOC with Advanced Analytics

■■ The mission of the SOC—situational awareness of the managed enclave.
■■ Determine the processes, procedures, technology—identify and document the critical templates, methods, and processes required to support the CSOC.
■■ Understand the cyber-enclave's environment to determine the "use cases" and the type of data that is received by the CSOC.
■■ Identify the interaction with the CSOC.
■■ Staff the CSOC—define the operational hours and the necessary personnel per shift.
■■ Manage the events with advanced analytics—categorize, assign, and prioritize activities received by the CSOC.
■■ Leverage the appropriate framework, that is, CSF, NIST 800-53, and ITIL—understand the core framework to regulate the components and run an efficient CSOC.

Upon the definition of the service functions, there will be a runbook, playbook, or SOPs. This documentation must be developed and consistently updated to ensure that the information it contains is accurate. These documents are considered "living" documents and need to be updated as events happen or whenever there is a major update to the network topology. This documentation will guide the daily processes and procedures for the SOC staff. Each tier within the CSOC is assigned a series of responsibilities based on the position description at that tier level. Utilizing advanced analytics within the CSOC will drive efficiencies and automation of processes and procedures. The automation will initially take place in the Tier 1 responses to initial receipt of incidents. The first goal of analytics within the confines of the CSOC is to establish the actual fingerprint of the network. Once this baseline or footprint is established, anomalies can be detected against it. Tier 1 incidents will auto-generate a ticket and automatically be escalated or closed based on the historical data and on the information from threat intelligence feeds.

Programming the analytics engine leads to automatic escalation of true incidents, while false positives are handled automatically. Initially, there will still need to be human interaction to verify the accuracy of automated ticket closure.
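The Tier 1 automation described above (learn the network's fingerprint, auto-generate a ticket per incident, then escalate or close it from historical data and the threat-intel feed, with human QA on closures during the initial rollout) as an added example; it is not code from the original chapter or from any product the chapter describes. Everything in it is constructed: the seven-day history, the two-entry threat-intel feed (RFC 5737 documentation addresses) and today's events are fictional, and the 3-sigma threshold, the per-host ticket model and the `initial_rollout` flag are assumptions chosen for illustration.

```python
"""Tier 1 auto-triage against a network baseline and a threat-intel feed.

Added example (not from the chapter). Every dataset below is constructed:
the history, the intel feed and today's events are fictional.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed baseline: failed-login count per host for the last seven days.
# This is the "fingerprint" of the network the analytics engine learns first.
HISTORY = {
    "web01": [3, 4, 2, 5, 3, 4, 3],
    "db01": [0, 1, 0, 0, 1, 0, 0],
    "jump01": [10, 12, 9, 11, 10, 13, 11],
}

# Constructed threat-intel feed (RFC 5737 documentation addresses).
THREAT_INTEL = {"203.0.113.7", "198.51.100.23"}

# Constructed events received today: (host, event_type, source_ip).
EVENTS = (
    [("web01", "failed_login", "192.0.2.10")] * 30      # burst far above baseline
    + [("db01", "failed_login", "203.0.113.7")]         # one attempt, known-bad source
    + [("jump01", "failed_login", "192.0.2.55")] * 11   # normal day for a jump host
    + [("lab07", "failed_login", "192.0.2.99")] * 2     # host with no baseline yet
)


@dataclass
class Ticket:
    ticket_id: int
    host: str
    count: int
    reason: str
    disposition: str            # "escalate" (to Tier 2) or "close"
    human_review: bool = False  # closure queued for analyst QA


def baseline(history):
    """Per-host (mean, population stdev) of the historical daily counts."""
    return {host: (mean(v), pstdev(v)) for host, v in history.items()}


def is_anomalous(count, mu, sigma, k=3.0):
    """Flag counts beyond mean + k*stdev. The band is floored at 1 so that
    a flat all-zero baseline does not fire on a single stray event."""
    return count > mu + max(k * sigma, 1.0)


def triage(events, history, intel, initial_rollout=True):
    """Open one ticket per host seen today and decide it automatically.

    Order of checks mirrors the text: threat-intel match first, then
    deviation from the learned baseline, otherwise close. While
    initial_rollout is True every automatic closure is also queued for a
    human to confirm the closure was correct.
    """
    counts = Counter(host for host, _, _ in events)
    sources = defaultdict(set)
    for host, _, src in events:
        sources[host].add(src)
    stats = baseline(history)

    tickets = []
    for ticket_id, host in enumerate(sorted(counts), start=1):
        n = counts[host]
        hits = sources[host] & intel
        if hits:
            t = Ticket(ticket_id, host, n,
                       f"threat intel match: {', '.join(sorted(hits))}", "escalate")
        elif host not in stats:
            # Unknown host: nothing to compare against, so a human must look.
            t = Ticket(ticket_id, host, n, "no baseline for host", "escalate")
        elif is_anomalous(n, *stats[host]):
            mu, sigma = stats[host]
            t = Ticket(ticket_id, host, n,
                       f"{n} events vs baseline {mu:.1f} +/- {sigma:.1f}", "escalate")
        else:
            t = Ticket(ticket_id, host, n, "within baseline, no intel match",
                       "close", human_review=initial_rollout)
        tickets.append(t)
    return tickets


if __name__ == "__main__":
    for t in triage(EVENTS, HISTORY, THREAT_INTEL):
        print(f"#{t.ticket_id} {t.host:7} {t.disposition:8} "
              f"review={str(t.human_review):5} {t.reason}")
```

Note the ordering of the checks: a threat-intel hit escalates even when the volume is unremarkable (db01 sees a single attempt), and a host with no learned baseline is escalated rather than closed, because the engine has no footprint to compare against. Once the automated closures have been confirmed accurate, `initial_rollout=False` stops queuing them for review.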
Traditional Structure of a CSOC
Roles and Responsibilities

The following individuals are responsible for maintaining and managing system events and incidents for the enterprise or organization:

■■ Tier 1 CSOC engineer. If he/she can resolve the incident record, he/she:
   Defines the incident in specific terms and also gathers additional facts necessary for troubleshooting and resolving the issue(s).