The Story
So there I was… watching a new cyber security analyst who was sitting in front of his computer clicking on buttons and menus on his screen. He didn’t seem to be getting anywhere, so after about 10 minutes I asked, “Hey, what are you looking for?” “I have no idea,” he said. Maybe that was too broad a question, so I tried again: “What question are you asking the data?” Same response. That sparked an idea in the back of my skull that has been rolling around ever since. What questions are we asking our data?
What’s the Question?
As cyber security analysts, what questions are we asking our data? Let that sink in for a moment… We can have all the logs we want: Windows event logs, Sysmon, antivirus, firewall, EDR, web proxy server, DNS, and the list goes on ad infinitum. If we don’t have a question to ask, then the data can’t help us!
I realize that every SOC is different: every network is different, and data sources, sensor placement, workflows, playbooks, politics, and policies vary from place to place. Nevertheless, there are some basic questions that every cyber security analyst should answer when looking at data.
Let’s assume that the scenario we are stepping into is a daily hunt on your network. There has been no indication of anything out of the ordinary, but your job is to make sure everything is good to go.
My initial review covers logons, DNS, accounts, and services.
Moving Forward
These are just a starting point. Your SOC may require something different. Add, edit, and adjust this list until you have what you need to be Master of Your SOC!