Blue Team Fundamentals: Roles and Tools in a Security Operations Center
by Jenny Hofbauer and Kevin Mayer (CARISSMA Institute for Electric, Connected, and Secure Mobility, Technical University Ingolstadt, Germany).
Abstract
The evolution from low-impact malicious code in the mid-70s to current Denial-of-Service (DoS) attacks, widespread malware campaigns, and Advanced Persistent Threats (APTs) shaped the furtherance of Information Technology (IT) security services that Security Operations Centers (SOCs) provide to protect against cyberattacks. Despite the ever-growing importance of SOCs, there is little academic and fundamental research. Terminology and the associated definitions are highly influenced by companies developing proprietary software and training and are mostly not standardized. This paper closes part of the gap and provides a suitable research base regarding people and technologies. For this purpose, literature research was conducted using academic literature and industry data, such as advertising material, company white papers, and employment advertisements. A survey with 24 experts in various areas of IT security was conducted to validate and expand the identified roles and tools, allowing the creation of an overview of roles and tools currently utilized in the industry. These can be seen as building blocks, where the company's individual needs determine their presence, capabilities, and association within SOCs. The percentage of participants who classified the defined roles and tools as part of SOCs is detailed. The survey furthermore captured the affiliation of roles between SOCs and Computer Emergency Response Teams (CERT) or Computer Security Incident Response Teams (CSIRT), which are often seen as specialized sub-capabilities that work on data SOCs provide. The common terminology creates a uniform basis for further research and more efficient communication and defines roles and technologies in SOCs that can be used to identify possible gaps.