SOC & IR Experts

A Security Operations Center (SOC) is a facility where security analysts use forensic tools and threat intelligence to hunt for, investigate and respond to cyber threats in real time.

Equipped with advanced tools and expertise, a SOC protects an organization from known and unknown threats that can bypass traditional security technologies.

So, in short: yes, you need a SOC or an MSSP to detect and respond to the threats that slip past your preventive controls.

Our experts have hands-on experience implementing information security and cyber solutions in the SOC world. We implement cross-organizational methodologies and processes in some of the largest and most complex organizations in the world.

Incident Response Phases

Framework

Preparation

Phase 1

Getting ready for incident response, creating documentation, building tools, etc. Strategic preparation includes deployment of sensors, development of processes, system & network hardening, etc.

Detection

Phase 2

This is the first moment the victim becomes aware that an attack has occurred, ideally through an internal process or alert rather than a notification from an outside party.

Identification

Phase 3

This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many different areas.

 Questions to address 

  • When did the event happen?
  • How was it discovered?
  • Who discovered it?
  • Have any other areas been impacted?
  • What is the scope of the compromise?
  • Does it affect operations?
  • Has the source (point of entry) of the event been discovered?
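Several of the questions above (when did it start, where did the attacker enter, which other areas are affected, what is the scope) can be answered mechanically once the relevant logs are in one place. The Python script below is an added example, not code from this page or from the SOC & IR Experts team. It walks constructed SSH/auth log lines in time order, starts from one indicator (the external IP an alert fired on), and follows successful logins from host to host to find the entry point, the hosts the attacker reached and what was done on them. The log format, host names, IP addresses, asset inventory and the indicator are all assumptions made for the example.

```python
"""Scope an incident from login logs (added example; log format and hosts are assumed)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log. Assumed format: <UTC timestamp> <host> <event> key=value ...
# Text after '#' is an annotation for the reader and is stripped before parsing.
SAMPLE_LOGS = """\
2024-03-11T01:30:00Z web-01   ssh_login user=deploy src=10.0.0.5       # routine hop from bastion, pre-incident
2024-03-11T01:58:40Z bastion  ssh_fail  user=root   src=203.0.113.45   # probing from the indicator IP
2024-03-11T02:14:07Z bastion  ssh_login user=deploy src=203.0.113.45   # entry: first successful login
2024-03-11T02:16:02Z web-01   ssh_login user=deploy src=10.0.0.5       # lateral: bastion -> web-01
2024-03-11T02:31:45Z db-01    ssh_login user=deploy src=10.0.1.10      # lateral: web-01 -> db-01
2024-03-11T02:40:12Z db-01    sudo      user=deploy cmd=/usr/bin/mysqldump
2024-03-11T03:05:00Z app-02   ssh_login user=alice  src=10.0.1.10      # lateral: web-01 -> app-02, other user
2024-03-11T08:30:00Z build-01 ssh_login user=bob    src=10.0.2.99      # unrelated workstation login
"""

INDICATOR_IP = "203.0.113.45"   # what the alert fired on (assumed)
HOST_IPS = {                    # asset inventory, host -> IP (assumed)
    "bastion": "10.0.0.5",
    "web-01": "10.0.1.10",
    "db-01": "10.0.1.20",
    "app-02": "10.0.1.30",
    "build-01": "10.0.2.7",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>\S+)(?P<rest>.*)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str
    fields: dict


def parse_logs(text: str) -> list[Event]:
    """Parse log text into Events sorted by timestamp; ordering is what makes scoping work."""
    events = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {raw!r}")
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["host"], m["kind"], fields))
    return sorted(events, key=lambda e: e.ts)


def scope_incident(events: list[Event], indicator_ip: str, host_ips: dict[str, str]) -> dict:
    """Follow successful logins outward from the indicator.

    A host counts as compromised from its first login that originates either at the
    indicator IP or at an already-compromised host *after* that host's own compromise
    time. Earlier logins from the same source (the 01:30 hop above) stay benign.
    """
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    compromised: dict[str, datetime] = {}   # host -> time it was first reached
    first_activity = None
    movement, activity = [], []
    for ev in events:
        # Anything on a host after it was reached is in scope for containment/eradication.
        if ev.kind != "ssh_login" and ev.host in compromised and ev.ts >= compromised[ev.host]:
            activity.append((ev.ts.strftime(TS_FMT), ev.host, ev.kind, ev.fields))
        src = ev.fields.get("src")
        if src is None:
            continue
        if src == indicator_ip:
            first_activity = first_activity or ev.ts    # failed attempts date the probing
            origin = indicator_ip
        else:
            origin = ip_to_host.get(src)
            if origin not in compromised or ev.ts < compromised[origin]:
                continue
        if ev.kind != "ssh_login":
            continue    # a failure from a bad source widens nothing
        movement.append((ev.ts.strftime(TS_FMT), origin, ev.host, ev.fields.get("user")))
        compromised.setdefault(ev.host, ev.ts)
    return {
        "first_activity": first_activity.strftime(TS_FMT) if first_activity else None,
        "entry_point": movement[0] if movement else None,
        "affected_hosts": list(compromised),    # insertion order = order reached
        "lateral_movement": [m for m in movement if m[1] != indicator_ip],
        "post_compromise_activity": activity,
    }


def investigate(text: str = SAMPLE_LOGS) -> dict:
    return scope_incident(parse_logs(text), INDICATOR_IP, HOST_IPS)


if __name__ == "__main__":
    result = investigate()
    print("first activity from indicator:", result["first_activity"])
    print("entry point:", result["entry_point"])
    print("affected hosts (in order reached):", result["affected_hosts"])
    for ts, src, dst, user in result["lateral_movement"]:
        print(f"  {ts} {src} -> {dst} as {user}")
    for ts, host, kind, fields in result["post_compromise_activity"]:
        print(f"  {ts} {host} {kind} {fields}")
```

Run against the sample, the scoping reports probing from 01:58:40, entry on bastion at 02:14:07 as deploy, four affected hosts in the order reached, and the mysqldump on db-01 as post-compromise activity, while the pre-incident hop to web-01 and the unrelated build-01 login stay out of scope. The same walk generalises to any log source that records a timestamp, a destination and a source address (VPN, RDP, Kerberos), which is why the asset inventory mapping IPs back to host names matters: without it, lateral movement is invisible.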
Containment

Phase 4

Resist the urge to wipe affected systems straight away; that destroys the evidence you will need later. Instead, contain the breach so it doesn't spread and cause further damage to your business. If you can, disconnect affected devices from the Internet and from the internal network, but keep them powered on so volatile evidence survives. Have short-term and long-term containment strategies ready.

Ask yourself

What is the risk to the business of taking drastic measures to contain the threat? Does it outweigh the impact of the incident? Is it necessary to collect evidence for possible prosecution? All of this must be considered and documented for each use case.

Eradication & Recovery

Phase 5

The eradication phase includes a more permanent fix for infected systems. Here are some checklist items to run through during this phase in the incident response process.

  • Have infected systems been hardened with new patches?
  • Do any systems or applications need to be reconfigured?
  • Have all possible entry points been reviewed and closed up?
  • Have all processes to eradicate the threat(s) been covered?
  • Are any additional defenses needed to support the eradication of the threat(s)?
  • Has all malicious activity been eradicated from affected systems?
  • Where will responders pull recovery and backups from?
  • How will infected systems be deployed back into production?
  • When will infected systems be deployed back into production?
  • What operations will be restored during the recovery phase?
  • What testing and verification should be done on infected systems?
  • Have responders included documentation on how the recovery was completed?

Lessons Learned

Phase 6

Documentation is key during the lessons learned phase of incident response. A detailed report should cover all aspects of the IR process, the threat(s) that were remediated, and any future actions that need to take place to prevent future infection. Consider these questions when entering the lessons learned phase.

  • Has all necessary documentation been recorded throughout the IR phases?
  • Has the responder prepared an incident response report for the lessons learned meeting?
  • Does the report cover every aspect of the incident remediation process?
  • When can the IR team hold the lessons learned meeting?
  • Who will deliver the lessons learned meeting?
  • Are there areas for improvement in the incident response process?