My first job in security right out of college was with a Fortune 500 company that had a well-established SOC. On this team, we had a separate subnet with virtually no firewall/proxy rules. We used TOR to investigate potentially malicious websites and were encouraged to find malware, pull it down, and examine it with Linux tools. We were given freedom to operate and innovate, and management trusted us. We did not spend a lot of time on false alarms/blocked events.
Unfortunately, as a contractor, after two years, the only way I could make more $ was to leave. The contracting agency was taking well over 50% of what the company was paying for me (that's another post for another time).
Since leaving, I've worked for two SOCs where the "analysis" consists of putting the URL or hash in VirusTotal, taking a screenshot of the output, cutting and pasting from the alert email (yes, it seems the SIEM is Outlook), and making sure the formatting is right. All of this for an alert that was generated by the security appliance as it was blocking the traffic. And I just had an interview with a third place that seems to do much of the same thing.
I guess I know why this is happening. InfoSec is the hot topic in the boardroom, so the solution is to throw money at it. Those who build SOCs get hold of the money and then have to justify the expense, so reporting is the deliverable. A negative can't be proven, so it is hard to quantify what could have happened were the SOC not there, so the focus is on reporting and not on catching bad guys.
So I think I've identified a few telltale signs that the SOC does not do real analysis:
- Shifts are 10-12 hours long. Any real analyst would be fatigued by then and might miss something. But if you're just cutting and pasting from alert to report and taking screenshots, so what if you're tired?
- The SOC is a Windows only environment. Real analysis exposes the analyst to infection. This is mitigated by using virtual machines and Linux (yes I know Linux has vulnerabilities but consider the probabilities here).
- The SOC is not on a segregated network. As above, the analyst takes risks and should be separate from the rest of the organization.
- It's an MSSP. Two issues here: the analyst can only see what he or she is allowed to see, and as stated above, the deliverables are the reports.
- It's a bank or government contract. OK, this one is tongue in cheek. But did I miss the regulation that requires an in-depth investigation for every alert, no matter that it's not an incident?
I'm sure you can think of others. I'd love to hear your experiences.