McVey’s 37 Questions for a SOC

The Basics: Do you have…
1. Authority to operate, a defined scope of operation, authority to act
2. Enough staff to meet the desired scope of operation
3. Accurate inventory of endpoints (hosts and serves)
4. Accurate inventory of networks, their design and use
5. Accurate inventory of egress points, VPNs, DMZs, externally accessible servers, and externally hosted resources (“the cloud”)
6. Contact lists for groups of users (departments, offices, etc.), system owners, other IT teams, service providers, and external response organizations
7.  A list of high value assets and the data they hold (PII, financial data, HIPPA, etc.)
Visibility: What is your access to… 
8. Logs (Active Directory, DHCP, DNS, firewall, proxy, servers, VPN, etc.)
9. Flow data (source, destination, ports, session time, volume, etc.)
10. Endpoints (disk, memory, and processes)
11. Network shares and home drives
12. Full packet capture (consider SSL interception as well)
13. Email metadata
Monitoring: What are your…
14. Sources of endpoint and network alerts (security appliances, Endpoint Detection and Response (EDR) solutions, HIPS, Next Generation Firewalls (NGFW), SEIM
alerts, Snort, external sources, etc.)
15. Enterprise specific threats (risks) (application versions, hardware types, externally accessible services, active directory trusts, etc.)
16. Threat feed and Open Source Intelligence (OSINT) monitoring processes
17. Automated blocking and block list processes
Response Actions: Can you…
18. Quarantine systems (via HIPS, MAC address, or other means)
19. Request drive pulls and system refreshes
20. Freeze/reset accounts (Active Directory, VPN, etc.)
21. Perform remote remediation
22. Perform active defense
23. Hunt and pivot off of collected event data
Operations: How does the SOC…
24. Communicate during incidents
25. Track open cases, requests, IOCs, and incidents (ticketing system, MISP, etc.)
26. Report findings, after action reports (AARs), and inform stakeholders about risks, and activities
27. Track collected media and devices
28. Document processes (Standard Operating Procedures (SOPs), templates, etc.)
29. Automate response processes
30. Communicate resource needs, process gaps, weaknesses, and risks
Information Technology Processes: How effectively does your organization…
31. Manage patching and end of life software
32. Manage server and desktop builds (Security Technical Implementation Guides (STIGs), Group Policy Object settings, etc.)
33. Network filtering and blocking (website category, autonomous systems, email attachment types, etc.)
34. Enforce an acceptable use policy
35. Train users on IT risks and use
36. Test user awareness and compliance (phishing tests, etc.)
37. Encourage user reporting of suspicious emails, pop-ups, and other abnormal events

Popular posts from this blog

OS X Location Information: Where Has That MacBook Been?

SDR and Unitrunker

Malware Fingerprinting