SANS ISC InfoSec Forums
Incident Response within the SOC
Can you advise me please how a SOC and its processes and people/job titles are arranged?
I.e., coming from a Helpdesk and Support background, where you have 1st line, then 2nd line and then 3rd line support:
1st line receives the call/email, logs it and passes it to 2nd line, who troubleshoot and fix it or escalate to 3rd line. ... So how does the SOC typically work with regards to the roles/responsibilities and people involved, and where does Incident Response and/or Incident Handling sit? I appreciate IR and IH are different, with the latter involved in dealing with stakeholders etc.
Thank you in advance.

I'd like to know as well. Please, someone reply.


Here's a worthy read by folks at MITRE: "Ten Strategies of a World-Class Cybersecurity Operations Center"[1]. It has general guidance and specific recommendations.


Different companies handle this in different ways. Commonly you'll have Tier 1 SOC guys handling the low-hanging fruit and alerts that require only basic analysis. Then you have Tier 2 folks who do the more advanced analysis. If they can't handle it or need further analysis, then it gets sent off to the Incident Response team. In some companies Incident Responders sit with the SOC and they're highly integrated (this seems to be the best model from the opinions I've heard), whereas other companies have completely separate IR teams (relationships become more adversarial). There are a number of variations on this model. It really depends on what kind of expertise you have on your team and how concerned you are about getting those Tier 1 guys to become more advanced.
Anonymous

