The most SOC, or how we made an analytical report on information from open sources

Hi all! I am Lydia Vitkova, head of the Gazinformservice Central Design Bureau. Today I have unscheduled but interesting material: a systems analysis of Russian monitoring and response centers. The full document and the cards are available for download via the link.

Buckle up, it's going to be stuffy.

Why did we choose systems analysis?

Typically, information security reports are mostly analytical in the sense of object analysis: they examine types of attacks, types of events in the information security world, and their symptoms. In narrower cases they cover techniques, tactics, implementation methods, and so on. Of course, all of this is topped with statistics.

What if we tried it differently, we thought: take some area, break it down into parts, and see what conclusions a systems analysis supports? Read on to find out what came of it.

How we worked

(1) STEP

We looked at who had published good reports on SOCs and when. At the top of my personal list is the article “Comparison of services of commercial SOC (Security Operations Center)”[1]. As the title indicates, there were two articles, and their goal was to compare SOCs. The comparison was carried out using 179 criteria, which is exactly what we needed. To be honest, I didn’t read the second part, because for me these criteria turned out to be the most valuable thing. However, the monitoring centers themselves took part in that study, and our goal was not to make a comparison. Moreover, for systems analysis we did not need such a large number of criteria. But we were genuinely delighted with the volume and the level of decomposition.

(2) STEP

We collected information from open sources for the period from 2022 to the first quarter of 2024. Ten monitoring centers were selected for the study. The main selection criterion was the presence of marketing activity during that period.

The following companies were included in the report: PTK Solar, Bi.Zone, Informzashita, Angara Security, Jet Infosystems, Innostage, MTS RED, Infosecurity, Perspective Monitoring and Megafon. Of course, other monitoring and response centers also took part in the conferences, but for systems analysis ten were enough for us. We counted the number of conference presentations by all participants and selected the most active ones. In the report, the SOCs are listed on the second page and then repeated in the cards, but the order in which they appear means nothing: this is not a comparison or a rating, just a list.

(3) STEP

We listened to all the reports, read the articles, and also studied posts on social networks and channels. Based on the information collected, we identified the following sections, which we analyze in detail in the report:

  • general information,

  • incident management processes,

  • incident investigation processes,

  • cybersecurity products and solutions,

  • training of SOC specialists at cyber ranges.

Here it is worth noting the enormous work done by Edemskaya, who is listed as a co-author of the report. In fact, she had to be among the authors, because she did most of the work.

What we learned

There were several conclusions. We'll go through them in order, from the most expected to the most interesting.

I. Main business processes typical for commercial SOCs:

1. Setting up SOC.

2. Incident management.

3. Incident investigation.

4. Training of specialists.

Let me note: the technologies and business processes are still in their infancy, and it is noticeable how each SOC categorizes incidents in its own way, chooses its own path for personnel training, and so on. This is immediately evident in the report. It seems to me that we can now move on to the stage of developing best practices or some standards.

II. Typical work patterns:

1. Connect all sources: everything that can provide data must provide data.

2. Digest any event format: structured data is always ingested, and everything else is attempted too.

3. Everyone builds a first line, but the division of responsibilities between the first and second lines is seen differently by each SOC.

The number of sources and event formats currently processed by Russian SOCs is already asking to be captured in an information security knowledge base. Of course, many SOCs can already offer not only information security services but also their team's expertise in working with sources, connectors and SIEM correlation rules.

III. Basic set of cybersecurity products and solutions:

1. SIEM systems (often not one, but several).

2. IRP/SOAR systems.

3. CMDB systems.

4. NTA systems.

5. SandBox.

6. TIP.

Now the fun part

I. EDR

At the moment it was not possible to compile a list of typical EDR systems for SOCs. We assume that in the coming years SOCs will choose from the offerings on the market, test the products, and gradually arrive at a list of typical EDRs. An analysis of the state of the EDR market in Russia shows that such a list for SOCs will appear no earlier than 2026. Judging by the products currently available, this list is likely to be short.

II. TIP

Separate TIP (Threat Intelligence Platform) and TH (Threat Hunting) platforms are being replaced by integrated solutions. Part of this segment may be covered by XDR (Extended Detection and Response) solutions. We expect further announcements, some of which have already been presented. I would like to see these solutions in action.

III. CMDB

We are also seeing a trend in which SOCs are starting to use their own CMDB (Configuration Management Database). Traditionally, a CMDB stores configuration data about all system components and their relationships, which helps track the impact of changes on the system. In large technology corporations (especially foreign ones), the CMDB is complemented by Asset Management, Compliance Management and Hardening Compliance systems. Combining these systems gives SOC teams a complete picture of which assets and configurations are exposed to threats and how those threats may affect related elements, and lets them weigh information security and business risks to manage the pace of response effectively. At the moment, it seems that no Russian information security vendor offers a multifunctional solution of this type.
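To make the CMDB-plus-hardening-compliance idea concrete, here is a small added example (constructed for this article, not code from the report or from any vendor product). A toy CMDB records configuration items and their "depends on" relationships; a hardening-compliance table records which checks each host fails. Walking the dependency graph upward from a failed check shows which business services are exposed, and summing criticality along the way gives an order for response. All asset names, criticality values and check names are invented.

```python
"""Toy CMDB impact analysis (constructed example, not from the report).
Relationships let a failed hardening check on one host be traced to the
business services that would be affected, which drives response priority."""
from collections import deque

# Constructed configuration items (CIs). "depends_on" points from a consumer to what it needs.
CMDB = {
    "web-frontend": {"type": "service", "criticality": 3, "depends_on": ["app-server-1", "app-server-2"]},
    "billing":      {"type": "service", "criticality": 5, "depends_on": ["app-server-2", "db-primary"]},
    "app-server-1": {"type": "host",    "criticality": 2, "depends_on": ["db-primary"]},
    "app-server-2": {"type": "host",    "criticality": 2, "depends_on": ["db-primary"]},
    "db-primary":   {"type": "host",    "criticality": 4, "depends_on": []},
    "jump-host":    {"type": "host",    "criticality": 1, "depends_on": []},
}

# Constructed hardening-compliance results per CI: check id -> passed?
HARDENING = {
    "db-primary":   {"disk-encryption": True,  "remote-admin-restricted": False},
    "app-server-1": {"disk-encryption": True,  "remote-admin-restricted": True},
    "app-server-2": {"disk-encryption": False, "remote-admin-restricted": True},
    "jump-host":    {"disk-encryption": True,  "remote-admin-restricted": False},
}


def reverse_edges(cmdb):
    """Build a 'who depends on me' map so impact can be walked upward to services."""
    rev = {ci: [] for ci in cmdb}
    for ci, rec in cmdb.items():
        for dep in rec["depends_on"]:
            rev[dep].append(ci)
    return rev


def impacted(cmdb, start):
    """All CIs that transitively depend on `start` (breadth-first), excluding `start` itself."""
    rev = reverse_edges(cmdb)
    seen, queue = set(), deque([start])
    while queue:
        ci = queue.popleft()
        for up in rev[ci]:
            if up not in seen:
                seen.add(up)
                queue.append(up)
    return seen


def exposure_score(cmdb, ci):
    """Criticality of the CI plus the criticality of everything reachable through it."""
    return cmdb[ci]["criticality"] + sum(cmdb[x]["criticality"] for x in impacted(cmdb, ci))


def prioritize_findings(cmdb, hardening):
    """Failed hardening checks ordered by business exposure, highest first.
    Each row is (ci, check, score, sorted list of impacted business services)."""
    rows = []
    for ci, checks in hardening.items():
        for check, ok in checks.items():
            if ok:
                continue
            services = sorted(x for x in impacted(cmdb, ci) if cmdb[x]["type"] == "service")
            rows.append((ci, check, exposure_score(cmdb, ci), services))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


if __name__ == "__main__":
    for ci, check, score, services in prioritize_findings(CMDB, HARDENING):
        print(f"{score:3d}  {ci:14s} {check:26s} services: {', '.join(services) or '-'}")
```

The same failed check ("remote-admin-restricted") lands at the top of the list on the database host and at the bottom on the jump host, purely because the CMDB knows what depends on each of them; that is the piece of context an asset list alone cannot supply.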

A few thoughts we didn't include in the report

Systems analysis lets you look at an object as a whole, without taking it apart to the smallest detail, and highlight its key features. For example, we noticed that the level of formalization of the incident management and investigation business processes has already paved the way for automation. We look forward to the development of Security as Code concepts in general, and of Detection as Code (DaC) and Response as Code (RaC) in particular.
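As an added illustration of what Detection as Code and Response as Code look like in practice (my own constructed example, not code from the report, from any of the ten SOCs, or from any product), the block below also picks up the "digest any event format" pattern from the typical work patterns above. Three constructed raw events in different formats (JSON, key=value syslog, CEF) are normalized onto one schema; detection rules are plain data with a selection and an optional threshold, so they can sit in a repository beside their tests; and response is a playbook mapping that returns planned steps for an analyst rather than touching production. The field names, rule ids, playbook steps and the `pipeline` helper are all assumptions made for the example.

```python
"""Detection as Code / Response as Code on normalized events.
Constructed example: not the report's code and not any vendor's rule format."""
import json
import re
from collections import defaultdict

# Constructed raw events in three formats a SOC might receive (JSON, key=value syslog, CEF).
RAW_EVENTS = [
    '{"ts": 100, "product": "edr", "host": "ws-17", "user": "alice", "action": "logon", "result": "fail", "src": "10.0.0.8"}',
    '<86>ts=101 prog=sshd host=srv-1 user=alice src=10.0.0.8 event=auth outcome=failure',
    'CEF:0|Vendor|Gateway|1.0|100|Authentication failed|5|rt=102 suser=alice src=10.0.0.8 dhost=vpn-1',
    '{"ts": 103, "product": "edr", "host": "ws-17", "user": "bob", "action": "logon", "result": "ok", "src": "10.0.0.9"}',
]

KV = re.compile(r"(\w+)=(\S+)")


def normalize(raw):
    """Map each raw format onto one schema: ts, host, user, src_ip, event_type, outcome."""
    if raw.startswith("{"):
        j = json.loads(raw)
        return {"ts": j["ts"], "host": j["host"], "user": j["user"], "src_ip": j["src"],
                "event_type": "auth" if j["action"] == "logon" else j["action"],
                "outcome": "failure" if j["result"] == "fail" else "success"}
    if raw.startswith("CEF:"):
        parts = raw.split("|", 7)            # CEF header has 7 pipe-separated fields, then extensions
        name, kv = parts[5], dict(KV.findall(parts[7]))
        return {"ts": int(kv["rt"]), "host": kv["dhost"], "user": kv["suser"], "src_ip": kv["src"],
                "event_type": "auth" if "Authentication" in name else name,
                "outcome": "failure" if "failed" in name else "success"}
    kv = dict(KV.findall(raw))               # key=value syslog body
    return {"ts": int(kv["ts"]), "host": kv["host"], "user": kv["user"], "src_ip": kv["src"],
            "event_type": kv["event"], "outcome": kv["outcome"]}


# Detection rules as data: a selection (all fields must match) plus an optional threshold.
RULES = [
    {"id": "auth-bruteforce", "severity": "high",
     "selection": {"event_type": "auth", "outcome": "failure"},
     "threshold": {"group_by": "src_ip", "count": 3, "window": 60}},
    {"id": "auth-failure", "severity": "low",
     "selection": {"event_type": "auth", "outcome": "failure"}},
]


def matches(rule, ev):
    return all(ev.get(k) == v for k, v in rule["selection"].items())


def run_rules(rules, events):
    """Return alerts as (rule id, severity, group key, number of triggering events)."""
    alerts = []
    for rule in rules:
        hits = [e for e in events if matches(rule, e)]
        thr = rule.get("threshold")
        if not thr:
            alerts += [(rule["id"], rule["severity"], e["src_ip"], 1) for e in hits]
            continue
        groups = defaultdict(list)
        for e in hits:
            groups[e[thr["group_by"]]].append(e["ts"])
        for key, stamps in groups.items():
            stamps.sort()
            # sliding window: fire once per key if `count` hits fall within `window` seconds
            for i in range(len(stamps) - thr["count"] + 1):
                if stamps[i + thr["count"] - 1] - stamps[i] <= thr["window"]:
                    alerts.append((rule["id"], rule["severity"], key, thr["count"]))
                    break
    return alerts


# Response as code: severity -> playbook. Steps are planned actions handed to an
# analyst or ticketing system, not commands run against production.
PLAYBOOKS = {
    "high": lambda a: [f"ticket:P1:{a[0]}", f"enrich:src_ip={a[2]}", f"review-isolation:{a[2]}"],
    "low":  lambda a: [f"ticket:P4:{a[0]}"],
}


def respond(alerts):
    return {f"{a[0]}:{a[2]}": PLAYBOOKS[a[1]](a) for a in alerts}


def pipeline(raw_events, rules=RULES):
    events = [normalize(r) for r in raw_events]
    alerts = run_rules(rules, events)
    return alerts, respond(alerts)


if __name__ == "__main__":
    for alert in pipeline(RAW_EVENTS)[0]:
        print(alert)
```

The point of keeping rules and playbooks as data is that the tests below the block become the regression suite for the SOC's detection content: a change to the normalizer that silently drops the CEF outcome field, or a rule edit that changes the threshold, fails a test before it reaches the SIEM.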

Colleagues, if you are interested in what we do, check out the full version of our report via the link. If after reading this article you have ideas for research, write to me and we will try to implement them and evaluate the results together. I am very grateful to the company (and the universe) that at ACKB we have the resources and time not only for routine work but also for creative research. We thank Nikolai Nashivochnikov, technical director of Gazinformservice, for his support.


[1] https://www.anti-malware.ru/compare/SOC-Security-Operations-Center
