What are the tools used in SOC?

blog + SOC Z. Oualid todayJuly 15, 2021

Background
share close

Security operation centers are becoming more and more important in the life of a company. As security experts said once, there are two types of companies, those who have been hacked and those who don’t know yet they get hacked.

Building a SOC is based on 3 main pillars, which are People, Processes, and Technology. Therefore, in this blog post, we will discuss the technology. We will mainly discuss what are the tools used in SOC?

Here is a list of 8 necessary tools to run a SOC:

  • SIEM
  • EDR/XDR
  • IDS/IPS
  • Firewalls
  • Vulnerability scanners
  • Investigation tools
  • Vulnerabilities Feeds and DB
  • Ticketing solutions

If you are reading this blog post now, then you have at least thought about building or managing a SOC or you are in the implementation phase. So I highly encourage you to take the time to read this blog post to get an idea about what kind of solutions you will need in your SOC.

Security information and event management (SIEM)

I think the first idea that anyone could get once he thought about building a SOC is to have a SIEM. Unfortunately, that’s not really the best approach to deal with SOC technologies as there is a lot more important devices and solution that you need to have in your network before thinking about a SIEM. However, I would like to start this blog post by talking about this solution as it is the most representative of the SOC.

A security information and event management system (SIEM) is a real-time event-based analyzer system. Depending on the way it was implemented, this system could be able to:

  1. Detect potential attacks based on a signature or a set of rules
  2. Detect potential attacks and perform quick actions like creating tickets
  3. Acting like an alert forwarder that collect those alerts from security solution like IDS/IPS and display them in a centralized interface.

Moreover, some SIEMs take advantage of free and commercial data sources to facilitate the analysis of some events for the SOC analyst. For example, IP reputations or domain reputation, or even known SPAM Emails.

Here is a list of the most popular SIEM solution in the market with an estimation of their price:

ToolPrice
Qradarstarting at $10700/year
AlienvaultAlienVault USM Appliance is sold as a perpetual license, with pricing starting at $5,595
SplunkPricing is available as a perpetual or annual term license, is based on maximum daily data ingestion, and starts at $2,000/year for 1 GB/day.
Securonix$25,000 for 800 users/year

I have personally tested two of the previous SIEM, which are Qradar and Alienvault. I know that Alienvault does not exist in Gartner’s ranking of 2021 but, it has a nice functionality that I personally didn’t see in the other SIEMs. For example, developing plugins for each solution you want. Moreover, it is partially open-source, which means high flexibility and scalability.

QRadar is one of the best SIEMs out there, I mean it has a very friendly interface and functionalities that dramatically reduce the time while investigating alerts. In addition, Qradar has a very detailed documentation supported by a very big community, which leaves no one stuck in some problem.

EDR/XDR

An Endpoint Detection and Response (EDR) is a tool that gets installed into each endpoint to collect information about its behavior. Here is a list of some behavioral information that an EDR can get from an endpoint:

  • ARP
  • DNS
  • Sockets
  • Registry
  • Memory dumps
  • System calls
  • IP addresses
  • Hardware types

In addition, an EDR can also analyze locally this data to detect pattern-based treats and stop them. EDR is seen as a complementary element to a SIEM. Many SIEM vendors start to integrate it by default in their SIEM solutions.

One of the most recurrent questions I get from my clients is, what is the difference between a SIEM and an EDR?

The main difference between the SIEM and the EDR is that unlike an EDR a SIEM has a large view of the network. This capacity gives it the ability to correlate events and logs to detect more complex attacks that happens in the network.

Most of the time the EDR is used as another source of logs to perform a deeper investigation in case of a breach. The level of details that can an EDR give is very high compared to the SIEM and this is due to the way it is implemented.

In past years, the EDR system has evolved to what we call now an XDR. To be honest, and in my personal point of view, there is almost no difference between an EDR and XDR in terms of functionalities. The only difference I can see between them is the fact that the XDR is the use of the latest technologies and systems, and that’s all. All the functionalities that an XDR offer, an EDR offer them by default.

Here is a list of the best EDR solutions in the market:

ToolPrice
Microsoft Defender for Endpoint$10 per user per month
CrowdStrike$8.99/month for each endpoint
SentinelOnestarts at $45.00 per feature, per year
Mcafee EDR$47.78 per endpoint, per year

Firewalls

Firewalls are one of the most important components of the security chain, it is the first line of security in the network. The main job of a firewall is to protect the network from external and internal networks attacks by monitoring incoming and outgoing packets to whether allow or block the traffic.

The next-generation firewalls, perform much more actions to protect the network, like going deeper in analyzing the packets it receives by monitoring the traffic at the level of applications. In addition, they also include intrusion detection and prevention systems, Antivirus, URL filtering system, and a Sandbox to analyze unknown suspicious files.

I think there is no need to keep detailing firewalls as they are the older and known devices of the network.

Analyzing the logs generated by the Firewalls at the SIEM level is very critical especially to avoid and prepare for future attacks. For example, a treat actor that scans the network from outside, represents a potential possible future attack that is in preparation. Therefore, this alert should be treated and reported by the SOC analyst.

Here is a list of the best Next Generation firewalls for 2021:

ToolPrice
Palo Alto Networksstart at $2,900
Fortinetstart at $1,756
Checkpoint software technologystart at $499

The NextGen firewall prices presented here are only for buying the appliance. Therefore, a yearly license will be needed to run the firewall and to maintain it.

IDS/IPS

An intrusion detection system (IDS) or an intrusion prevention system (IPS) are both old concepts in the field of cybersecurity. Both technologies monitor the network and analyze the traffic looking for attacks patterns and possible intrusion.

The main difference between these two solutions is that an IDS systems compare the current network activity to a known threat database to detect several kinds of behaviors like security policy violations, malware, and port scanners and that’s all. Contrarily to an IDS, an IPS actively stops network attacks when they get detected.

In the new generation of firewalls also known as Next Generation firewalls, these solutions are included by default, and all you need to do is to enable them by buying their license.

However, those solutions still exist in sort of appliance or virtual machines and you can buy them separately if you want and here is a list of the most powerful ones in the market:

ToolPrice
Ciscostart at $8,000
Mcafeestart at $10,995
Trend micro?

Vulnerability scanners

One of the most important tools to have in your security arsenal is the vulnerability scanners. A vulnerability scanner is an automated tool that actively scans the network to detect vulnerable hosts and applications.

You should understand the difference between a vulnerability scanner and a penetration test. Most people confuse these two concept which by the way are complementary. The main difference between this two is that a vulnerability scanner cannot find logical, business, or configuration vulnerabilities and it is fully automated.

However, in the case of a penetration test, a big part of the job is performed manually or semi-manually. Moreover, in the SOC context, the goal of performing a penetration test is to calculate the time to detect and the time to respond to security events.

Having a vulnerability scanner in your network is very important to keep your network updated and clean from known vulnerabilities.

It is better to schedule scans when your employee or you have very low traffic to avoid disturbing them. You should keep in mind that a vulnerability scanner could never replace the work performed by a skilled penetration test, as many checks still need human thinking and understanding to be found.

Here is a list of the best vulnerability scanners in the market:

All of these three vulnerability scanners tools do give you the possibility to schedule your scanners the way you want. Some open-source and free tools exist that also offer the same functionalities. However, the difference between all the vulnerability scanners is on how big their database of vulnerabilities is. Unfortunately, open-source projects still have a very slow database knowledge update process.

Investigation tools

Most starting SOCs do not care too much about Investigation tools and usually, they allocate a very low budget for that. Investigating an event or a security incident is the daily life of the SOC team, it’s true that most of the time these investigations are performed using the SIEM solution, however in some cases semi-manual investigations need to be performed on local machines. Therefore, having some powerful investigations tools is necessary to deal with this kind of situation.

To be honest, most of the investigations tools are very expensive and I fully understand that at the beginning of the SOC project, the budget might be limited. Therefore, you can start it without those tools and wait till the SOC start to be mature.

Here are some of the functionalities that you may need in those tools:

  • Identifying and recovering file fragments and hidden and deleted files and directories from any location
  • Examining file structures, headers, and other characteristics to determine what type of data each file contains, instead of relying on file extensions
  • Performing complex searches
  • Extracting evidence and protecting it from alteration
  • Memory analysis
  • Generating reports

Unfortunately, and to be honest with you I don’t have deep experience in the forensics field and I don’t know too many tools that perform a really good job to recommend to you. However, here is a list of some forensic tools, that some of my friends used before and that they were satisfied with their work:

Vulnerabilities Feeds and DB

Vulnerability discovery is a very fast-growing field and each day thousands of vulnerabilities are discovered in different apps and OS. Therefore, one of the most important tasks of a SOC is to keep updated about all the new vulnerabilities discovered in the world. To do that manually, I can tell you that it’s really hard work and a time-consuming task, I mean it is not easy to wake up every day and start searching for the last discovered vulnerabilities in the world and still do Incident and response tasks.

Therefore, having multiple data sources that let you know about the last discovered vulnerabilities in the world, is a must. It might look like it is useless but trust me, it is very important and it can save your company from one-day vulnerabilities.

You should also keep in mind that you have to diversify your data sources as those sources might be different and some might be faster than others.

Having a person dedicated to follow these streams and alert about every new vulnerability then tracking their fixing in the network is also important in your SOC. You should know that alerting about vulnerabilities will not always result in a quick response from the IT team and they might ignore it, as the most important part of their job is to keep the system working regardless of being vulnerable or not. Therefore, tracking those teams to see if they have fixed the issue is necessary as daily work.

Here are some tools that you can use to keep your SOC updated about these issues:

Ticketing solutions

Ticketing solutions are tools that help your SOC team to create, track and manage the demands sent by your company employees. They are very important in the SOC process, as they help organize the process of incident response.

Most of the time, these tools are already used by the IT teams and are very flexible and easy to customize for your process. Therefore, you don’t need to buy one for your SOC, you can simply adapt it for yourself. However, if for any reason this solution does not already exist then here is a list of solutions you can use:

Written by: Z. Oualid

Rate it

About the author
Avatar

Z. Oualid

I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).


Previous post

Similar posts

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *