Security alerts are ingested into SOC.OS via either the on-premise SOC.OS agent or from one of the cloud-based sources. The alerts are enriched with further information from third-party sources (e.g. Whois information) and the MITRE ATT&CK® threat associated with the alert is identified. The alerts are then correlated into groups or “clusters” based on a number of rules. This ensures that, for example, alerts targeting the same part of your network with similar threat types would appear in the same cluster and can be easily examined in one go.
These clusters are then ranked so that the ones deemed to require urgent investigation can be found easily on the SOC.OS workbench. Users also have the ability to specify high-importance assets in their network, with clusters containing these assets being moved further up the priority ranking. These clusters can then be investigated from the SOC.OS workbench using a bespoke data visualisation tool that illustrates the time evolution of the cyber event.
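To make the ingest, enrich, cluster and rank pipeline described above concrete, here is an added illustration in Python. It is not SOC.OS code and does not reflect SOC.OS's actual rules: the alerts, the Whois table, the signature-to-ATT&CK mapping, the severities, the clustering rule (same threat category and same destination /24 within a 60-minute window) and the scoring (sum of severities, doubled when a high-importance asset is involved) are all constructed for the example. Only the ATT&CK technique IDs are real.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample alerts, in the normalised shape a syslog or API
# collector might produce. All values are invented for this example.
RAW_ALERTS = [
    {"id": 1, "source": "ids", "ts": "2020-06-01T10:00:00", "src": "203.0.113.5", "dst": "10.0.1.10", "sig": "SSH brute force"},
    {"id": 2, "source": "waf", "ts": "2020-06-01T10:02:00", "src": "203.0.113.5", "dst": "10.0.1.12", "sig": "SQL injection attempt"},
    {"id": 3, "source": "ids", "ts": "2020-06-01T10:05:00", "src": "198.51.100.7", "dst": "10.0.1.11", "sig": "SSH brute force"},
    {"id": 4, "source": "edr", "ts": "2020-06-01T10:30:00", "src": "10.0.2.20", "dst": "10.0.2.20", "sig": "Credential dumping"},
    {"id": 5, "source": "ids", "ts": "2020-06-01T14:00:00", "src": "203.0.113.5", "dst": "10.0.1.10", "sig": "SSH brute force"},
]

# Constructed enrichment tables: a stand-in for a Whois lookup and a
# hypothetical signature -> (category, ATT&CK technique, severity) mapping.
# The technique IDs are real ATT&CK IDs; the rest is invented.
WHOIS = {"203.0.113.5": "ExampleNet Hosting", "198.51.100.7": "Example ISP"}
THREAT_MAP = {
    "SSH brute force": ("brute-force", "T1110", 3),
    "SQL injection attempt": ("web-exploit", "T1190", 5),
    "Credential dumping": ("credential-access", "T1003", 8),
}
INTERNAL_RANGES = [ip_network("10.0.0.0/8")]


def enrich(alert):
    """Attach source ownership, ATT&CK technique, severity and destination /24."""
    src = ip_address(alert["src"])
    category, technique, severity = THREAT_MAP.get(alert["sig"], ("unknown", None, 1))
    is_internal = any(src in net for net in INTERNAL_RANGES)
    return {
        **alert,
        "ts": datetime.fromisoformat(alert["ts"]),
        "src_org": "internal" if is_internal else WHOIS.get(alert["src"], "unknown"),
        "category": category,
        "technique": technique,
        "severity": severity,
        # strict=False lets us derive the /24 from a host address.
        "dst_subnet": str(ip_network(f"{alert['dst']}/24", strict=False)),
    }


def cluster_alerts(alerts, window=timedelta(minutes=60)):
    """Hypothetical rule: same category + same destination /24, and each alert
    lands within `window` of the previous alert in that cluster."""
    clusters, open_by_key = [], {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["category"], a["dst_subnet"])
        current = open_by_key.get(key)
        if current is None or a["ts"] - current["last_ts"] > window:
            current = {"key": key, "alerts": [], "last_ts": a["ts"]}
            clusters.append(current)
            open_by_key[key] = current
        current["alerts"].append(a)
        current["last_ts"] = a["ts"]
    return clusters


def score_cluster(cluster, important_assets):
    """Hypothetical scoring: total severity, doubled if a flagged asset is hit."""
    score = sum(a["severity"] for a in cluster["alerts"])
    if any(a["dst"] in important_assets for a in cluster["alerts"]):
        score *= 2
    return score


def rank_clusters(clusters, important_assets):
    """Return (score, [alert ids]) pairs, most urgent first."""
    ranked = sorted(clusters, key=lambda c: score_cluster(c, important_assets), reverse=True)
    return [(score_cluster(c, important_assets), [a["id"] for a in c["alerts"]]) for c in ranked]


def triage(raw_alerts=RAW_ALERTS, important_assets=frozenset({"10.0.1.12"})):
    """Run the whole pipeline: enrich -> cluster -> rank."""
    enriched = [enrich(a) for a in raw_alerts]
    return rank_clusters(cluster_alerts(enriched), important_assets)


if __name__ == "__main__":
    for score, ids in triage():
        print(f"score={score:>3}  alerts={ids}")
```

Running it produces four clusters rather than five alerts: the two SSH brute-force alerts against the 10.0.1.0/24 subnet at 10:00 and 10:05 merge, while the identical alert at 14:00 starts a fresh cluster because it falls outside the window. The single WAF alert ranks first despite its lower raw severity because 10.0.1.12 is on the constructed high-importance list, which is the effect the asset-flagging feature above is meant to have.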
The SOC.OS dashboard provides a number of graphs and tables to give you a clear overview of your entire network and to aid in the compilation of high-level reports.
We’re all too familiar with the pain associated with setting up a new tool such as a SIEM, and how integration efforts can last many days, weeks and sometimes months. We’ve worked extremely hard and constantly seek to optimise the SOC.OS on-boarding process to ensure it is as simple as possible.
For on-premise tooling, security alerts are forwarded over syslog from the alerting systems to the SOC.OS agent, which is a lightweight executable that can run on almost any operating system. The installation of the agent takes a matter of minutes, and once configured it can be left indefinitely to forward alerts up to the SOC.OS cloud platform.
Cloud-based security tools are even simpler – provide SOC.OS with the API keys to read security alerts from that system, and it will automatically poll for new alerts.
Once you’ve provided a few key details about your network – internal domains, IP address ranges, etc. – SOC.OS will get to work correlating alerts into prioritised incidents. You can then log into the SOC.OS portal to start viewing these incidents – no more swivel chairing across your multiple security portals.
The objective of intrusion detection and prevention systems, endpoint protection, Web Application Firewalls, SIEMs etc. is to produce alerts when they detect a set of conditions which might indicate malicious and/or anomalous activity. Once organisations install these tools, it’s very easy for small, stretched security teams to become overwhelmed by the number of alerts produced, particularly when the vast majority of these alerts are false positives. It’s easy for the alerts which indicate a real attack to slip through the cracks.
SOC.OS is a lightweight, cloud-based, easy to install, zero-maintenance, affordable security solution to help your existing team filter through the deluge of alerts to find the ones that really matter. Affordable does not mean low-quality, however – we’ve worked with enterprise and nation-grade Security Operation Centres to boil down their techniques into cloud-based technologies, making them available to everyone.
Think of SOC.OS as an extra teammate – one with top-tier security training, an ever-increasing understanding of your entire network, and a superhuman memory. It has the ability to remember every interconnected relationship between every single alert (and the metadata within that alert) produced from every single security tool deployed on your network. This teammate then sits there 24/7 analysing, triaging and prioritising the most important incidents, before passing them on to a human teammate for further review.
In the early days of SOC.OS, before any effort went into designing or developing a technical solution, we spent months speaking to customers and infosec professionals exploring the age-old problem of alert fatigue, which still plagues and burdens information security teams worldwide today. Listening and collecting feedback about the problems our peers and colleagues faced day to day fuelled our determination to challenge the notion that “security-alert-whack-a-mole” was here to stay.
And thus the SOC.OS mission was born: to fundamentally re-write the playbook that dictates how security operations are conducted today.
After understanding the problem at length, and building an Alpha product, our first successful proofs of concept were completed in Q1 2018. Since then, the SOC.OS team has been focussed on further enhancing and maturing our product with the help of an early-adopting and innovative customer community, who are influencing our roadmap via feedback.
SOC.OS was born within the internal incubator of BAE Systems Applied Intelligence. If you’re interested in learning more about corporate incubation and about the unique problem-centric approach that led to the creation of SOC.OS, check out this blogpost.
The SOC.OS team and product spun out from BAE Systems in June 2020 with the help of new VC partners, enabling the founding team to develop and scale the SOC.OS service at speed, accelerating the value that the product delivers to our present and future customer community.