Security Operations Center escalation

In this organizational model, the Security Operations Center (SOC) is responsible for the initial detection and investigation of incidents. In general, the SOC manages the security tools that monitor the network infrastructure and has direct access to the security information and event management (SIEM), intrusion prevention and detection, and antivirus systems. From these, it is able to view events, receive and review alerts, and process other security-related data.

SOC escalation is a common model among organizations that have a dedicated SOC, staffed either by in-house personnel or by a third-party Managed Security Service Provider (MSSP). In this model, there are clearly defined steps from the initial notification to the escalation, as follows:

  1. An alert is received by the SOC Tier 1 analyst.
  2. The Tier 1 analyst determines whether the alert meets the organization's predefined criteria for a security incident, or is a false positive or a routine event that can be closed.
  3. When a potential incident has been identified, the analyst performs an initial investigation and records what was observed and when.
  4. If warranted, the analyst escalates the incident to the SOC manager.
  5. After review by the SOC manager, the incident is escalated to the CSIRT manager, who takes ownership of addressing it.

The following diagram shows the flow of incident escalation from the SOC manager to the CSIRT manager:

In this model, there are several issues of concern that need to be addressed by the CSIRT and SOC personnel, as follows:

Another variation of this model, common in organizations without a dedicated SOC, is one where the initial report of a security incident is received by either a helpdesk or a network operations center (NOC). This adds further complexity in terms of engaging the CSIRT in a timely manner, as such personnel are often not trained to recognize or handle incidents of this nature, and a report that is misclassified as a routine ticket can sit unaddressed.

The best practice in this case is to train several members of these teams in cyber security analysis so that they can perform initial triage and escalate properly to the CSIRT.