Correlation strategies at a SOC: how do they work?
Phishing, ransomware… cyber-attacks against businesses have surged this year. To protect against them, more and more businesses are choosing to set up a SOC (Security Operations Centre). This security unit monitors the whole of a company’s infrastructure and data from a single department. This single security headquarters automatically identifies events that could present a danger to your network. Here is how it works.
Security Operations Centre (SOC): your IT infrastructure watchtower
Your IT network has several levels of security: firewall, IDS/IPS, DDoS protection, endpoint detection and response (EDR), etc. These are like the outer walls of a castle, intended to ward off intrusion. However, it is also essential to monitor and record attempts at breaking into your network. For this you need a watchtower that gives full visibility over your various perimeter walls. That’s the role of a SOC. It supervises your IT infrastructure’s comings and goings, from the network layer to the software installed on workstations.
How does a SOC work?
Each component of your network generates a large volume of logs, or events: VPN connections, entries to and departures from a building, viewing of shared documents, etc. The centre aims to collect all of this network information and normalise it into a single format as part of a huge data lake.
This data can then be analysed to spot anything unusual. What is meant by “unusual”? That depends on the company. It may be connecting to the VPN after midnight and then reading dozens of files shared on the network, or downloading data from the server to a PC. These events are all listed in a SIEM (Security Information and Event Management) report and can then be checked by your teams. In other words, you can ask your colleague if it really was them who logged in after midnight.
Above all, though, a well-configured SOC can send alerts to administrators when a series of potentially dangerous events suggests that a cyberattack is under way. This is where correlation rules come in. Let’s see how they work.
What is a correlation rule?
A correlation rule tells your system the different series of events that are considered to be unusual and could lead to a security breach or cyberattack. Basically, a correlation means deciding that when events X and Y, or X and Y plus Z occur, your administrators need to be informed.
Let’s take the example of a phishing attempt:
The hacker sends an email with a Word document attached. The user opens the attachment, which contains a macro (a series of instructions to be executed), giving the hacker complete access to the user’s computer.
To protect against this risk, SOC teams identify a correlation between these different events:
- the user receives an email
- the email contains an attachment
- the user opens the document, which contains a macro
- the macro starts a connection to the internet
These four events together represent the key stages of a cyberattack. An alert is therefore sent to your network administrators, who must urgently check whether or not you are under attack.
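The rule above, written out as detection logic, as an added example that is not the article's own code or any SIEM product's rule language. It assumes a normalised event schema (`ts`, `user`, `type` plus type-specific fields), constructed log lines from three sources (mail gateway, endpoint agent, network sensor), and a 30-minute window in which all four stages must occur for the same user. It goes slightly beyond the text in that `correlate` runs any ordered list of stage predicates, not only the phishing one.

```python
"""Ordered-sequence correlation rule for the phishing-with-macro scenario.

Added example, not the article's own code or any SIEM's rule language.
The event schema (ts, user, type and type-specific fields) and the log
lines below are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed events from a mail gateway, an endpoint agent and a network
# sensor, already normalised to one schema (the data-lake step in the text).
EVENTS = [
    {"ts": "2024-05-06T09:01:00", "user": "alice", "type": "email_received", "attachment": "invoice.docm"},
    {"ts": "2024-05-06T09:03:10", "user": "alice", "type": "document_opened", "file": "invoice.docm", "macro": True},
    {"ts": "2024-05-06T09:03:12", "user": "alice", "type": "network_connect", "process": "winword.exe", "dst": "203.0.113.7"},
    {"ts": "2024-05-06T09:05:00", "user": "bob", "type": "email_received", "attachment": None},
    {"ts": "2024-05-06T09:06:00", "user": "bob", "type": "document_opened", "file": "notes.docx", "macro": False},
    {"ts": "2024-05-06T11:00:00", "user": "carol", "type": "email_received", "attachment": "report.docm"},
    {"ts": "2024-05-06T15:00:00", "user": "carol", "type": "document_opened", "file": "report.docm", "macro": True},
    {"ts": "2024-05-06T15:00:05", "user": "carol", "type": "network_connect", "process": "winword.exe", "dst": "198.51.100.9"},
]

# The rule: the article's four stages, in order, each as a predicate on one event.
PHISHING_MACRO_RULE = [
    ("email received", lambda e: e["type"] == "email_received"),
    ("email has attachment", lambda e: e["type"] == "email_received" and bool(e.get("attachment"))),
    ("document with macro opened", lambda e: e["type"] == "document_opened" and e.get("macro") is True),
    ("office process connects out", lambda e: e["type"] == "network_connect" and e.get("process") == "winword.exe"),
]


def correlate(events, rule, window_minutes=30):
    """Return one alert per user who completes every stage of `rule`, in order,
    within `window_minutes` of the first matching event. Stale partial chains
    are discarded, which is what stops the rule firing on an attachment received
    in the morning and an unrelated macro document opened hours later."""
    window = timedelta(minutes=window_minutes)
    progress = {}  # user -> (next stage index, chain start time, matched stage names)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        idx, start, trail = progress.get(e["user"], (0, None, []))
        if start is not None and ts - start > window:
            idx, start, trail = 0, None, []  # stale partial chain: start over
        # One event may satisfy several consecutive stages: "received" and
        # "has attachment" are a single mail-gateway log line.
        while idx < len(rule) and rule[idx][1](e):
            start = start or ts
            trail = trail + [rule[idx][0]]
            idx += 1
        if idx == len(rule):
            alerts.append({"user": e["user"], "first": start.isoformat(), "last": e["ts"], "stages": trail})
            progress.pop(e["user"], None)  # chain complete; a new one may begin
        else:
            progress[e["user"]] = (idx, start, trail)
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS, PHISHING_MACRO_RULE):
        print(f"ALERT {a['user']}: {' -> '.join(a['stages'])} ({a['first']} .. {a['last']})")
```

With the constructed data only `alice` raises an alert: `bob` receives no attachment and opens a macro-free file, and `carol` completes all four stages but with four hours between the email and the macro, so her chain goes stale. Widening the window to 300 minutes makes `carol` alert too, which is the false-positive versus missed-attack trade-off the next paragraph describes, expressed as a single rule parameter.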
It is important to bear in mind that there is no magic log guaranteed to show that an attack is under way. This is why establishing correlation rules is a crucial stage in your security strategy. It’s about finding the right balance between too many false positives wasting your teams’ valuable time, and the risk of missing a series of events that could foreshadow an attack.
Attributing weighting to tighten the net
We can even go further with this correlation exercise by attributing a weighting to each action or use case (according to its likelihood and consequences). The higher the risk, the heavier the weighting. So, not only are the actions of a user (or an IP address) all remembered, but a weighted score is assigned to them. This leads to an overall score for each network user. If an average user carries out a huge number of “normal” actions that have a low individual weighting, then the weighted score assigned to this user will allow the system to create an alert.
This means that while it is still possible to ignore an isolated event, the benefit of a SOC and the correlation strategy is that they can identify enough suspicious actions to be sure of spotting any attack.
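The weighted-score idea from the two paragraphs above, as an added example that is not the article's own code or any SIEM product's scoring engine. The event types, their weights, the threshold of 25 and the 60-minute sliding window are all assumptions, and the three users' activity is constructed: one user whose many low-weight "normal" actions add up to an alert, one who stays below the threshold, and one whose identical number of actions is spread out enough that the window never holds many at once.

```python
"""Weighted risk scoring per user over a sliding window.

Added example, not the article's own code or any SIEM product's scoring
engine. The event types, weights, threshold and window are assumptions, and
the events are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Per-action weights: higher means more likely to matter and costlier if it does.
WEIGHTS = {
    "file_read": 1,           # routine; negligible on its own
    "file_download": 4,
    "admin_share_access": 10,
}
THRESHOLD = 25       # weighted score at which an alert is raised
WINDOW_MINUTES = 60  # only actions inside this window count toward the score


def score_events(events, weights=WEIGHTS, threshold=THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Return (alerts, final_scores). An alert is raised each time a user's
    windowed score crosses the threshold from below, so a score that decays
    and climbs again can alert again rather than only once per user."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> (ts, weight) pairs still inside the window
    score = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        w = weights.get(e["type"], 0)  # unknown action types carry no weight
        q = recent[user]
        while q and ts - q[0][0] > window:  # expire actions that left the window
            score[user] -= q.popleft()[1]
        q.append((ts, w))
        before = score[user]
        score[user] += w
        if before < threshold <= score[user]:
            alerts.append({"user": user, "at": e["ts"], "score": score[user]})
    return alerts, dict(score)


def make_events():
    """Constructed activity for three users on one morning."""
    base = datetime(2024, 5, 6, 9, 0, 0)
    ev = []
    # dave: 30 routine reads in under 20 minutes; each is harmless, the burst is not
    for i in range(30):
        ev.append({"ts": (base + timedelta(seconds=40 * i)).isoformat(), "user": "dave", "type": "file_read"})
    # erin: a few reads plus one high-weight action, still below the threshold
    for i in range(1, 6):
        ev.append({"ts": (base + timedelta(minutes=i)).isoformat(), "user": "erin", "type": "file_read"})
    ev.append({"ts": (base + timedelta(minutes=10)).isoformat(), "user": "erin", "type": "admin_share_access"})
    # frank: the same 30 reads as dave, spread over three hours, so the window
    # never holds more than nine of them at once
    for i in range(30):
        ev.append({"ts": (base + timedelta(minutes=7 * i)).isoformat(), "user": "frank", "type": "file_read"})
    return ev


if __name__ == "__main__":
    alerts, scores = score_events(make_events())
    for a in alerts:
        print(f"ALERT {a['user']} at {a['at']}: weighted score {a['score']}")
    print("final windowed scores:", scores)
```

Only `dave` alerts, on his 25th read at 09:16, even though no single action of his would trigger a rule on its own; `erin` finishes at 15 and `frank` at 9 because his reads age out of the window as fast as new ones arrive. Tuning happens in three places, the weights, the threshold and the window, and each one moves the same balance between false positives and missed chains of events.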
Interested in your company’s IT security? Read other articles from our experts on the importance of adopting the right security framework and the human factor in a cybersecurity strategy.
I have more than 10 years of experience in IT operations, 6 of them in cybersecurity. I hold a Master 2 in Information Systems Security. Before joining Post as SOC Manager, I worked for a long time in Paris in infrastructure and networking, then ventured outside the French capital to move into cybersecurity. I first worked on security audits and penetration testing, then pivoted to IT security event monitoring, which I have been doing for 5 years now within the Post CyberForce SOC.