•  Visibility
                •  Alert effectiveness
                •  Investigative prowess
                •  Threat intelligence
                •  Incident response








































            Visibility

            At the core of any SOC is monitoring,  and effective monitoring hinges on visibility. Gaps in visibility can
            result in unmanaged risks and present real danger in the event of a cyber incident. Still, not every event
            holds the same level of security value. While every security professional  desires abundant data, we all
            struggle to prioritize data based on its potential impact for an investigation.

            An investigation is only as good as the data it is based on; as such we must first take steps to ensure the
            integrity of events. As a baseline, ensure that all devices are reliably receiving their network time protocol
            sync  from  the same  sources,  that  the events  in the  SIEM  have  the needed  information,  and that  the
            ingestion uptime is reliable.

            Since the vast majority of incidents will involve either a user, a device, or multiples of both; use the rule
            of non-repudiation  to find gaps within monitoring. Every event should correlate to the account or device
            it originated from. Performing  exercises to practice non-repudiation  within logged events will ensure we
            are prepared for any investigation and speed up the root cause analysis process during an incident. The
            operational and investigative teams should be challenged to answer simple investigative questions: who,




            Cyber Defense eMagazine – August 2024 Edition                                                                                                                                                                                                          96
            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.