
How do correlation strategies work within an SOC?

20 October 2020

Phishing, ransomware… cyber-attacks against businesses have surged this year. To protect against them, more and more businesses are choosing to set up an SOC (Security Operations Centre). This security unit monitors the whole of a company’s infrastructure and data from a single department. This single security headquarters automatically identifies events that could present a danger to your network. Here is how it works.

Security Operations Centre (SOC): the watchtower for your IT infrastructure


Your IT network has several levels of security: firewall, IDS/IPS, DDoS protection, endpoint detection and response (EDR), etc. These are like the outer walls of a castle, intended to ward off intrusion. However, it is also essential to monitor and record attempts to break into your network. For this you need a watchtower that gives full visibility over your various perimeter walls. That’s the role of an SOC. It supervises your IT infrastructure’s comings and goings: from the network layer to the software installed on workstations.

How does an SOC work?

Each component of your network generates a large volume of logs, or events: VPN connections, entries to and departures from a building, viewing of shared documents, etc. The centre aims to collect all of this network information and convert it into a single, compatible format as part of a huge data lake.

This data can then be analysed to spot anything unusual. What is meant by “unusual”? That depends on the company. It may be connecting to the VPN after midnight and then reading dozens of files shared on the network, or downloading data from the server to a PC. These events are all listed in a SIEM (Security Information and Event Management) report and can then be checked by your teams. In other words, you can ask your colleague if it really was them who logged in after midnight.

Above all, though, a well-configured SOC can send alerts to administrators when a series of potentially dangerous events suggests that a cyberattack is under way. This is where correlation rules come in. Let’s see how they work.

What is a correlation rule?

A correlation rule tells your system the different series of events that are considered to be unusual and could lead to a security breach or cyberattack. Basically, a correlation means deciding that when events X and Y, or X and Y plus Z occur, your administrators need to be informed.

Let’s take the example of a phishing attempt:

The hacker sends an email with a Word document attached. The user opens the attachment, which contains a macro (a series of instructions to be executed), giving the hacker complete access to the user’s computer.

To protect against this risk, SOC teams identify a correlation between these different events:

  • the user receives an email
  • the email contains an attachment
  • the user opens the document, which contains a macro
  • the macro starts a connection to the internet

These four events together represent the key stages of a cyberattack. An alert is therefore sent to your network administrators, who must urgently check whether or not you are under attack.
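The four-event rule above can be expressed as an ordered-sequence match per user inside a time window. This is an added example, not code from the original article or from any SIEM product; the event type names, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The four stages of the phishing example, in the order they must occur.
# Event type names are hypothetical; a real SIEM uses its own normalised field values.
CHAIN = ["email_received", "attachment_present", "macro_doc_opened", "outbound_connection"]
WINDOW = timedelta(minutes=30)  # assumed maximum span between first and last stage

def is_subsequence(chain, types):
    """True if every stage of chain appears in types, in order (gaps allowed)."""
    it = iter(types)
    return all(stage in it for stage in chain)

def correlate(events, chain=CHAIN, window=WINDOW):
    """Return (user, time) for each final-stage event that completes the chain."""
    alerts, history = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hist = history[ev["user"]]
        hist.append(ev)
        if ev["type"] != chain[-1]:
            continue  # only the last stage can complete the rule
        recent = [e["type"] for e in hist if ev["ts"] - e["ts"] <= window]
        if is_subsequence(chain, recent):
            alerts.append((ev["user"], ev["ts"]))
    return alerts

# Constructed sample events (not real logs).
T0 = datetime(2020, 10, 20, 9, 0)
def ev(minute, user, type_):
    return {"ts": T0 + timedelta(minutes=minute), "user": user, "type": type_}

SAMPLE = [
    # alice: all four stages, in order, within five minutes -> alert
    ev(0, "alice", "email_received"), ev(0, "alice", "attachment_present"),
    ev(4, "alice", "macro_doc_opened"), ev(5, "alice", "outbound_connection"),
    # bob: attachment received but never opened -> no alert
    ev(1, "bob", "email_received"), ev(1, "bob", "attachment_present"),
    ev(7, "bob", "outbound_connection"),
    # carol: same stages but spread over three hours -> outside the window
    ev(0, "carol", "email_received"), ev(0, "carol", "attachment_present"),
    ev(90, "carol", "macro_doc_opened"), ev(180, "carol", "outbound_connection"),
]

if __name__ == "__main__":
    for user, ts in correlate(SAMPLE):
        print(f"ALERT phishing chain completed by {user} at {ts}")
```

Widening the window catches slower chains such as carol's at the cost of more false positives, which is the balance discussed in the next paragraph.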

It is important to bear in mind that there is no magic log guaranteed to show that an attack is under way. This is why establishing correlation rules is a crucial stage in your security strategy. It’s about finding the right balance between too many false positives wasting your teams’ valuable time, and the risk of missing a series of events that could foreshadow an attack.

Attributing weighting to tighten the net

We can even go further with this correlation exercise by attributing a weighting to each action or use case (according to its likelihood and consequences). The higher the risk, the heavier the weighting. So, not only are the actions of a user (or an IP address) all remembered, but a weighted score is assigned to them. This leads to an overall score for each network user. If an average user carries out a huge number of “normal” actions that have a low individual weighting, then the weighted score assigned to this user will allow the system to create an alert.
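A sketch of the weighted scoring described above, added here as an example and not taken from the original article: each action adds its weight to the user's running score, and an alert fires when the score reaches a threshold. The weights, the threshold, the 60-minute scoring window (an addition the article does not mention) and the sample events are all assumptions.

```python
from collections import defaultdict, deque

# Assumed weights per use case (likelihood and consequences); values are illustrative.
WEIGHTS = {
    "file_read": 1,
    "vpn_login": 2,
    "vpn_login_after_midnight": 15,
    "bulk_download_to_pc": 30,
    "macro_outbound_connection": 60,
}
THRESHOLD = 50  # assumed alerting threshold
WINDOW = 60     # assumed scoring window, in minutes

def rolling_scores(events, weights=WEIGHTS, window=WINDOW, threshold=THRESHOLD):
    """Return {entity: minute at which its windowed score first reached the threshold}.

    events are (minute, entity, action) tuples; entity may be a user or an IP address.
    """
    recent = defaultdict(deque)  # entity -> (minute, weight) pairs still inside the window
    totals = defaultdict(int)    # entity -> current windowed score
    alerts = {}
    for ts, entity, action in sorted(events):
        q = recent[entity]
        while q and ts - q[0][0] > window:  # expire events older than the window
            totals[entity] -= q.popleft()[1]
        w = weights.get(action, 0)          # unknown actions carry no weight
        q.append((ts, w))
        totals[entity] += w
        if totals[entity] >= threshold and entity not in alerts:
            alerts[entity] = ts
    return alerts

# Constructed sample events (not real logs).
SAMPLE = (
    # alice: ordinary login and a few reads -> score 7, no alert
    [(0, "alice", "vpn_login")] + [(m, "alice", "file_read") for m in range(1, 6)]
    # bob: late-night login then dozens of low-weight reads -> crosses the threshold
    + [(5, "bob", "vpn_login_after_midnight")]
    + [(m, "bob", "file_read") for m in range(6, 46)]
    # carol: one high-weight event is enough on its own
    + [(10, "carol", "macro_outbound_connection")]
    # dave: two medium events too far apart to add up
    + [(0, "dave", "bulk_download_to_pc"), (200, "dave", "bulk_download_to_pc")]
)

if __name__ == "__main__":
    for entity, minute in sorted(rolling_scores(SAMPLE).items()):
        print(f"ALERT {entity} reached score {THRESHOLD} at minute {minute}")
```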

So while it will still be possible for isolated events to pass under the radar, the added value of an SOC with a correlation strategy is the chance to identify enough suspicious actions to be sure of detecting an attack.
