How do correlation strategies work within an SOC? - DEEP
Phishing, ransomware… cyber-attacks against businesses have surged this year. To protect against them, more and more businesses are choosing to set up an SOC : Security Operations Center. This security unit monitors the whole of a company’s infrastructure and data from a single department. This single-security QG arrangement automatically identifies events that could present a danger to your network. Explanations.
Security Operations Centre (SOC): the watchtower for your IT infrastructure
Your IT network has several levels of security: firewall, IDS/IPS, DDOS protection, endpoint detection and response (EDR), etc. These are like the outer walls of a castle, intended to ward off intrusion. However, it is also essential to monitor and record attempts at breaking in to your network. For this you need a watchtower that gives full visibility over your various perimeter walls. That’s the role of an SOC. It supervises your IT infrastructure’s comings and goings: from the network layer to the software installed on workstations.
How does an SOC work?
Each component of your network generates a large volume of logs, or events: VPN connection, entries to and departures from a building, viewing of shared documents, etc. The centre aims to collect all of this network information, and make it compatible in a single format as part of a huge data lake.
This data can then be analysed to spot anything unusual. What is meant by “unusual”? That depends on the company. It may be connecting to the VPN after midnight and then reading dozens of files shared on the network, or downloading data from the server to a PC. These events are all listed in a SIEM (Security Information and Event Management) report and can then be checked by your teams. In other words, you can ask your colleague if it really was them who logged in after midnight.
Above all, though, a well-configured SOC can send alerts to administrators when a series of potentially dangerous events suggests that a cyberattack is under way. This is where correlation rules come in. Let’s see how they work.
What is a correlation rule?
A correlation rule tells your system the different series of events that are considered to be unusual and could lead to a security breach or cyberattack. Basically, a correlation means deciding that when events X and Y, or X and Y plus Z occur, your administrators need to be informed.
Let’s take the example of a phishing attempt:
The hacker sends an email with a Word document attached. The user opens the attachment, which contains a macro (a series of instructions to be executed), giving the hacker complete access to the user’s computer.
- To protect against this risk, SOC teams identify a correlation between these different events:
- the user receives an email
- the email contains an attachment
- the user opens the document, which contains a macro
- the macro starts a connection to the internet
These four events together represent the key stages of a cyberattack. An alert is therefore sent to your network administrators, who must urgently check whether or not you are under attack.
It is important to bear in mind that there is no magic log guaranteed to show that an attack is under way. This is why establishing correlation rules is a crucial stage in your security strategy. It’s about finding the right balance between too many false positives wasting your teams’ valuable time, and the risk of missing a series of events that could foreshadow an attack.
Attributing weighting to tighten the net
We can even go further with this correlation exercise by attributing a weighting to each action or use case (according to its likelihood and consequences). The higher the risk, the heavier the weighting. So, not only are the actions of a user (or an IP address) all remembered, but a weighted score is assigned to them. This leads to an overall score for each network user. If an average user carries out a huge number of “normal” actions that have a low individual weighting, then the weighted score assigned to this user will allow the system to create an alert.
So while it will still be possible for isolated events to pass under the radar, the added value of an SOC with a correlation strategy is the chance to identify enough suspicious actions to be sure of detecting an attack.
Interested in your company’s IT security? Read other articles from our experts on the importance of adopting the right security framework and the human factor in a cybersecurity strategy.
Written by
Alan OlszewskiContact us
Do you have any questions about an article? Do you need help solving your IT issues?
Contact an expertOur experts answer your questions
Do you have any questions about an article? Do you need help solving your IT issues?
Other articles in the category Cybersecurity
DDoS attacks in Luxembourg in 2024
Discover the statistics of DDoS attacks detected in Luxembourg in 2024 by POST Cyberforce.
Author
Paul FelixPublished on
31 March 2024
DDoS attacks in Luxembourg in 2023
Discover the statistics of DDoS attacks detected in Luxembourg in 2023 by POST Cyberforce.
Author
Paul FelixPublished on
15 February 2023
DDoS attacks in Luxembourg in 2022
Discover the statistics of DDoS attacks detected in Luxembourg in 2022 by POST Cyberforce.
Author
Paul FelixPublished on
11 October 2022