Video Activity

SOC Case Management 101 Part I

Video Transcript

Hi, my name's John Gomez and I am the chief executive officer and founder of Sensato, a cybersecurity firm located in New Jersey in the United States. And this is an introduction to security operation centers, case and incident management. This program is an abbreviated version of the full program that we provide to our security analysts and those clients that we work with when we're helping them understand how to respond to incidents and manage cases within their security operation centers or organizations. So although this is an abbreviated program, I do firmly believe that it will provide you with a good foundation

to kind of help you drive and build your career when it comes to understanding how to manage cases and potentially incidents. With that, let's talk a little bit more about this program. Overall, there are four modules. The first one is this module, which, as I said, will help you establish a foundation. Modules two and three will get into issue and incident management, respectively, and I'll talk more about the differences of those in this module. And then lastly, in module four, we're gonna be doing some high-level tabletop simulations where we present real-world cases to you, and you'll have the chance to apply what you've learned in this program to think about how you would manage those cases.

So I think that should be a fun thing to do. But for now, let's go ahead and get into the actual meat and potatoes, if you will, the core of this module. The first thing I want to cover is really the kind of skills that you need in order to effectively manage cases and to really be an effective, professional and strong security analyst working in a security operation center. You need to be able to lead. Remember, even if you're a junior analyst just starting out or a team lead, people are going to be looking at you during some very hectic times. And if you can't lead, if you can't make clear decisions and provide information effectively, you're not going to really be able to do this position. You have to be able to multitask. You've got to keep in mind that alarms are going to be coming in all the time, and so you can't sit there and go, "I'm overwhelmed, I can't do this," or "I'm already working on 10 things."

You have to be really good at multitasking. And that means that you know one thing's happening and you're able to keep track of six or seven other things. You have to be able to zoom in, to be very focused on a piece of information, and then zoom out and look at the bigger picture. You have to have an analytical mindset. You have to have extreme attention to detail. You have to remember what you see, what you say, what you record, how you analyze information. If you make a mistake, if something falls through the cracks, well, that could be a huge, huge risk to the organization. So attention to detail is critical.

You have to have clarity in your communication. You have to be able to communicate very well. You have to be able to present to others. Remember, this is a job that really requires you to be able to interact with other people. It's not you alone, isolated. You have to be able to help others so they can understand what they should or shouldn't be doing, especially if it's an incident response situation. You have to remain calm when things are going crazy and hectic and people are getting freaked out. Now, attacks are very scary. You know, we all think this is kind of cool, what we see in the movies. But when you're under attack and a cyber attacker is after you or your organization, you really need to be very calm, very professional,

and keep your mind about you, so that you can have that attention to detail, you can lead, and you can understand what's going on. You have to have an ongoing thirst for knowledge. Attackers get better all the time; you have to get better all the time. You've gotta love doing research. 90% of what you're going to be doing is researching. And then you've gotta have strong verbal and writing skills. If you can't communicate, like I said, if you can't write professionally, go find a program to help you do that. And obviously you have to have very strong technical skills. So let's talk a little about that. The terms alert and alarm:

they basically mean the same thing. So you have to validate in your environment how they're used. In this program, though, we're going to basically say that alarm and alert are the same thing, and all that is, really, is when you become aware, however you become aware, of a situation that's occurring in your organization that poses a security risk to the organization, systems, people and facilities. Okay, and typically we're thinking of a cybersecurity risk. But cybersecurity risks, cybersecurity attacks, can affect people, places and things: computers, networks. Now, the other thing is to understand that you need to be able to triage very quickly and accurately.

I'm gonna talk to you more about what triage is, but what I want you to take away from here is that slow is smooth and smooth is fast. This little saying, I want you to keep that in your mind, because it's really important that you slow down and get things right rather than speed through them and make mistakes. So let the skill come to you. Don't get so concerned about being super, super fast and then making mistakes, right? Slow down, get it right, be accurate, and then increase your skill set, and that will help you get faster and faster as you go.

All right, so just a little bit of free advice. So let's talk about triage. Triage is simply an idea that comes from the health care industry, right? Hospitals and emergency rooms and emergency departments, or A&E in the European and Asian parts of the world. And triage just basically says, hey, we have multiple patients who are injured and we have to figure out which one of those patients needs our attention, needs medical attention, first and which patients can wait. Well, the same thing applies to cybersecurity and operation centers. We have alarms coming in. We need to be able to triage the priority of the alarm, right? We need to say, is this a critical alarm, or is it a moderate or not-so-critical alarm? And we base that on the severity, right? The severity of the alarm. We'll talk more about that in a moment. But regardless of what you're doing, how your systems work, you must perform triage, and there's never a time you don't do triage. Regardless of what is happening, you're always doing triage. Even if you're working on a current case, you're still gonna keep triaging that case and trying to stay aware of: is there another alarm coming in that needs your attention more importantly than the case that you're working on?

Hopefully that makes sense. You triage the moment the alarm comes in. But then you keep triaging the things you're working on as new things are coming in, to make sure that you're always focusing on the most critical things, the most severe things, immediately. So how do we triage? Well, there's this concept of rapid triage. We could get really deep into triage; we don't have time to do that. So I'm gonna give you this technique called rapid triage. Rapid triage says, hey, I'm gonna look at the type of the alarm or the alert that has come in. I'm gonna look at what's in front of me and I'm gonna decide: does it fit into one of three buckets? The first one is, I'm gonna say, is this an attack? Is this alarm telling me there's an attack?

And if there is an attack, is it occurring right now, an active attack? Or is it a past attack, one that occurred in the past and has stopped? And so based on that, I'm gonna take different actions, right? The second thing, if it's not an attack, then I'm gonna determine: is this thing a configuration issue? Does it mean that there's something wrong with the servers? Is there some type of infrastructure issue that's posing a security risk to the organization? And if it's not a configuration or infrastructure issue, then it's categorized as something other. But here's the thing. I want you to just get really good at this. When you see an alarm, the first thing you're gonna ask is, is it an attack? Yes? Okay. Is it an active attack happening right now, or did it happen in the past? If it's not an attack, what is it? Is it a configuration or infrastructure issue?

If it's not, okay, categorize it as something other. But having that skill, this ability, gives you the ability to rapidly triage things. So no matter how many alarms are coming in, you're gonna have the ability to sort out which ones need your immediate attention. Obviously, the ones that are under attack, then the ones that are security risks from configuration or infrastructure, and then everything else. Okay, good. Let's keep going. Okay, cases. Well, a case is just a term for a mechanism to track not only alarms but other activities related to the security operation center, right? So basically a case is just kind of an umbrella term that we use, right? We're managing cases. Regardless of what type of security operations center you're in, you're gonna have some way to manage those, whether it's simple, like using an Excel spreadsheet, or a really complex case management system. No matter what, you're going to have cases.

And one type of case is the alarm that we've been talking about, your alarm or alert that's come in. But there are other types of cases. You could have cases that are exceptions, right? You're gonna have a case opened for an exception to the policy, or change management: you're making changes to the system or changes to policy. And then there's intelligence that you're getting, or other details. The point is, cases could be different types. They could be managed simply, or very complex or advanced. But they're going to be kind of the structure that we work with. So when we talk about cases, cases have data, and the data we have to have in a case, which in our situation right now, talking about alarms and alerts, is: we need to know what's involved, right? If it's a system, we want to know,

well, what IP addresses, what ports are involved here? What's the destination and source IP address and port? We need to know, you know, is this a wireless access point? The point is: is it an application or software that's involved? Are people involved? Are locations or facilities? So we need to narrow down what is involved. Remember, zoom in, zoom out. You look really specifically, and then take a look at the big picture. If it's an IP address: what systems? What software? What people? What location? What facilities? Got it. Second thing: what are we actually seeing? What are we observing? Is this an attack? You know, is it a system failure? Is it a configuration issue? Now, I think if you think back to the triage stuff, that rapid triage model I gave you just a couple of slides ago, you should be going, yeah, now I get it. I get it. Okay. So an alarm comes in.

I'm trying to figure out what's being observed, what's involved. Is it under attack? Is it a configuration issue? Is it another? So hopefully this is starting to make sense, how you apply these tools that I'm giving you. What's the timeline? When did this start? How long has it been going on? It's really important as we start to investigate this down the road. Are there any other assets involved? As new alarms come in, are they related to this case, or are they a new case? Is this stuff all kind of related? Is the situation spreading, right? Is it affecting more than one thing, more than one person,

more than one facility? We need to understand what assets are related. Is there any intelligence we're getting from this? You know, is there any basic information that we could derive? Then, what's the severity and the criticality? Severity, criticality: we usually think of a point system of 1 to 5, 1 being the lowest, 5 being the highest value. So a severity of five would mean that it is a really serious severity; a severity one would be a low severity situation. Assets: same thing, 1 to 5. 1 could be a training system or a printer.

Five would be something that's extremely mission critical: you lose this, you've got a big problem. In the world of Sensato, my organization, we work on critical infrastructure. So five for us would be something that impacts someone's life, like a medical device. Now, all of this is going on during triage. This is what you're doing during triage. You're determining what you're seeing, and then you're trying to narrow down what's involved, the criticality, the assets, the timeline and those types of situations.

Okay, so it makes sense to you: while you're doing triage, you do the rapid triage, and then you dive down and ask these questions. Hopefully that's clear to you. So let's talk a little bit about issues versus incidents. Real simple. An issue is anything that you're dealing with. An alarm comes in, you do your triage, and if it's not an attack, it's an issue. If it's an incident, that means you have an attack underway, and you need to contact the incident response team for your organization or invoke an incident response plan.

So either way, we want to divide the alarms. We're gonna take the alarm or the alert and then decide, is that an issue or is it an incident? And we do that by performing the triage I explained to you earlier, then figuring out the answers to those questions I just gave you on the last slide, and then categorizing this as an issue or incident. Hopefully all that makes sense. Here's a little chart in case it doesn't. Basically, if you have to activate the incident response team or plan, then it's an incident. If you don't, it's an issue, and there's basically no other way to think about it. So a couple of pro tips and tricks for you to make you look like you've been doing this for a while. One is continuity of care.

You've gotta make sure that when you're working cases, they're continually managed, right? That you are continuing to assure that they're being updated, that they don't just sit there, regardless of whether it's an issue or incident, or a configuration issue, whatever it is. If it's a case, you have to continually deal with it. In our organization, all cases have to be dealt with every eight hours. We don't let them lag, regardless of severity. And obviously, if there are attacks going on, those are gonna want the most important pieces of your attention.

But the point here is to make sure that with all cases, nothing falls through the cracks. Second thing: know your audience. It's a real important one as a skill set. Make sure you're able to communicate using the right level with whoever you're talking to. If you're talking to a CEO, chief marketing officer, a public relations person, which you might be if you have an attack and there needs to be a press release done, people may ask, "Will you explain to us what happened?" You have to be able to do that in non-technical terms. Now, if you're speaking to somebody who is technical, then, yeah, use technical terms.

But don't alienate people during case management because all you can do is speak technically, and then you think that if they can't keep up with you, there's something wrong with them. Not everybody's a technologist. If you want to go far in this industry, in this position, you need to learn how to relate to people who are not technical, because incident response requires many people who have no idea what an IP address or a MAC address is. You've got to get really good at knowing the audience.

Okay, so quick things to take away. Triage is a critical skill. Cases help us organize and track information. The minimum data required to perform triage and manage a case is: what's involved, what's happening right now, when it occurred, and what's the severity and criticality. Issues do not require an incident response activation; incidents require an incident response activation. And that's the core difference. If something in here, in these takeaways, did not make sense to you, then go back, rewatch the video and get these things under your belt. Okay. In module two, we're gonna talk about issue management, and so that will cover some basics of how to investigate issues, and we'll talk a little bit about some resources you can use. So I'll see you in module two.
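As an added example (not code from the video or from Sensato), the ideas from this module written up as a small Python case model: the rapid triage buckets (active attack, past attack, configuration/infrastructure, other), the 1-to-5 severity and asset criticality scales, the issue-versus-incident rule (incident exactly when incident response is activated), and the eight-hour continuity-of-care check. Every alarm, address and timestamp is constructed, and the default that an active attack activates incident response is a simplification of the chart the speaker describes; a real SOC would make that decision explicitly.

```python
"""Rapid triage and case tracking model (constructed example, not Sensato's tooling)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class TriageBucket(Enum):
    """Rapid-triage buckets; lower value means it needs attention sooner."""
    ACTIVE_ATTACK = 0     # attack underway right now
    PAST_ATTACK = 1       # attack happened and has stopped
    CONFIG_OR_INFRA = 2   # configuration or infrastructure issue posing a risk
    OTHER = 3             # everything else


@dataclass
class Alarm:
    """Minimum case data: what is involved, what is observed, and when it started."""
    name: str
    source_ip: str
    dest_ip: str
    dest_port: int
    observed: str
    first_seen: datetime
    is_attack: bool = False
    attack_ongoing: bool = False
    is_config_issue: bool = False


def rapid_triage(alarm: Alarm) -> TriageBucket:
    """Ask the three questions in order: attack? still active? configuration/infrastructure?"""
    if alarm.is_attack:
        return TriageBucket.ACTIVE_ATTACK if alarm.attack_ongoing else TriageBucket.PAST_ATTACK
    if alarm.is_config_issue:
        return TriageBucket.CONFIG_OR_INFRA
    return TriageBucket.OTHER


def check_scale(value: int, label: str) -> int:
    """Severity and asset criticality are scored 1 (lowest) to 5 (highest)."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
    return value


@dataclass
class Case:
    alarm: Alarm
    bucket: TriageBucket
    severity: int
    criticality: int
    last_updated: datetime
    ir_activated: bool = False
    related_assets: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        check_scale(self.severity, "severity")
        check_scale(self.criticality, "criticality")

    @property
    def kind(self) -> str:
        """Issue vs incident: it is an incident exactly when incident response was activated."""
        return "incident" if self.ir_activated else "issue"


def open_case(alarm: Alarm, severity: int, criticality: int, now: datetime,
              ir_activated: Optional[bool] = None) -> Case:
    """Triage the alarm and open a case. Simplification: an active attack activates IR by default."""
    bucket = rapid_triage(alarm)
    if ir_activated is None:
        ir_activated = bucket is TriageBucket.ACTIVE_ATTACK
    return Case(alarm, bucket, severity, criticality, now, ir_activated)


def prioritize(cases: List[Case]) -> List[Case]:
    """Worklist order: triage bucket first, then severity, then asset criticality."""
    return sorted(cases, key=lambda c: (c.bucket.value, -c.severity, -c.criticality))


def stale_cases(cases: List[Case], now: datetime,
                max_age: timedelta = timedelta(hours=8)) -> List[Case]:
    """Continuity of care: any case not updated within max_age needs attention."""
    return [c for c in cases if now - c.last_updated > max_age]


DEMO_NOW = datetime(2024, 3, 1, 9, 0)  # constructed reference time


def demo_cases() -> List[Case]:
    """Constructed alarms (documentation-range addresses, no real traffic), one per bucket."""
    brute_force = Alarm("VPN brute force", "203.0.113.5", "10.0.0.10", 443,
                        "thousands of failed logins in the last 5 minutes",
                        DEMO_NOW - timedelta(minutes=5), is_attack=True, attack_ongoing=True)
    cert = Alarm("Expired TLS certificate", "10.0.0.20", "10.0.0.20", 443,
                 "certificate expired; clients cannot validate",
                 DEMO_NOW - timedelta(hours=12), is_config_issue=True)
    old_scan = Alarm("Port scan (ended)", "198.51.100.7", "10.0.0.0", 0,
                     "SYN sweep observed yesterday, no follow-up traffic",
                     DEMO_NOW - timedelta(days=1), is_attack=True, attack_ongoing=False)
    noise = Alarm("Printer offline", "10.0.0.99", "10.0.0.99", 9100,
                  "device unreachable", DEMO_NOW - timedelta(hours=1))
    return [
        open_case(noise, 1, 1, DEMO_NOW - timedelta(hours=1)),
        open_case(cert, 3, 4, DEMO_NOW - timedelta(hours=10)),   # last touched 10h ago: stale
        open_case(old_scan, 2, 3, DEMO_NOW - timedelta(hours=2)),
        open_case(brute_force, 5, 5, DEMO_NOW),
    ]


if __name__ == "__main__":
    worklist = prioritize(demo_cases())
    for c in worklist:
        print(f"{c.bucket.name:16} sev={c.severity} crit={c.criticality} {c.kind:8} {c.alarm.name}")
    for c in stale_cases(worklist, DEMO_NOW):
        print(f"needs update (>8h): {c.alarm.name}")
```

Running the block prints the worklist with the active attack first and flags the certificate case as overdue; feeding your own alarms through `open_case` and `prioritize` is the intended use.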

Intermediate
Course link:
Incident Response by Sensato
This course is an introduction to Security Operation Center case and incident management. It is an abbreviated course that we are providing to those who are looking to become a SOC analyst. You will see how you should respond to incidents and manage cases within Security Operation Centers or organizations.
Instructed by
Sensato

Sensato is a tactical, cybersecurity company focused on testing and detection for organizations.