We all hear about big corporations and their security teams, usually under less than ideal circumstances, but what do these teams really look like? What do they actually do?
The answers to these questions can vary greatly, depending on the size of the company and what they are trying to protect, but it generally boils down to a single security team or department. Their mission? Collect relevant cyber security data and analyze it to detect and respond to incidents in a timely fashion.
Starting with larger companies, this mission is generally split between two efforts: the security operations center (SOC) and the security architecture team (tech or tools team). Keep in mind that physical security is generally handled by a separate team altogether.
Cool, two teams. So, what is the SOC?

Much like the name “security operations center” implies, this is the team that analyzes security events and resolves incidents on a daily basis. It generally operates under a centralized command structure with analysts that carry out the investigations.
The analyst team lives out of a system called the Security Information and Event Management platform (the SIEM). This (in theory) is the single pane of glass in which all of the SOC analysts are able to view relevant logs from across the network to correlate into security events and assist in the various types of investigations. This is also the team, under most circumstances, that performs any forensic level of investigation whether for legal, compliance, or breach-related purposes.
All of this is dependent on the data that feeds the SIEM. That is, data from system security, network security, and everything in between.
What is this “data” and where does it come from?

That brings us to the architecture team. None of what the SOC does can happen without the most important aspect of cyber security as a whole: data. Analysts need data. It is the architecture team’s responsibility to get that data to centralized locations for easier analysis, but also to deploy all of the architecture into strategic locations within the network in order to best protect the firm.
What does this consist of? Quite a bit. Keeping this at a high level, below is a list of the major categories. However, something like Data Loss Prevention can consist of a software install on every system in the company AND appliances in the network designed to intercept and analyze data traffic in flight. Simply put, this is by no means a comprehensive list.
- Antivirus (Standard protection against known threats)
- Advanced Malware Agents (Advanced exploit detection and prevention capabilities assisting in the fight against unknown threats)
- Endpoint Interrogation (Hey computer, give me certain files or attributes so I can better figure out what’s going on)
- Data Loss Prevention (Prevents sensitive data from leaving the network, sometimes managed by the privacy team)
- Intrusion Prevention and/or Detection (Stops attacks on the perimeter of the network based on various aspects of the network traffic)
- Vulnerability Scanning (Detects what is currently vulnerable and to what so the company can prioritize fixes)
- Packet Capture (Think of this like a DVR for the network. Analysts get to turn back time to see exactly what traversed the network. This can also get super expensive.)
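The SIEM paragraph above and this list of feeds describe correlation only in the abstract. The Python below is an added illustration, not code from the original article, of a minimal correlation rule run over a few constructed log lines in an assumed, simplified `feed|timestamp|host|message` shape: alerts from two distinct feeds (antivirus and IDS) on the same host within five minutes become one security event, and proxy lines from the same span are attached as context rather than counted as alerts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data), already normalized to one
# assumed "feed|ISO timestamp|host|message" shape as a SIEM would do.
SAMPLE_LOGS = [
    "av|2024-01-05T09:00:10|ws-17|Detected Trojan.Generic in C:\\Users\\a\\dl\\inv.exe",
    "proxy|2024-01-05T09:00:25|ws-17|GET http://example.invalid/gate.php",
    "ids|2024-01-05T09:00:40|ws-17|Known C2 beacon pattern from 10.1.2.17",
    "av|2024-01-05T09:30:00|ws-42|Detected Adware.Sample in C:\\temp\\x.exe",
    "proxy|2024-01-05T10:30:00|ws-42|GET http://example.org/",
    "av|2024-01-05T11:00:00|ws-42|Scheduled scan completed, 0 threats",
]

CONTEXT_FEEDS = {"proxy"}  # enrich an event, never trigger one on their own

def parse(line):
    feed, ts, host, msg = line.split("|", 3)
    return {"feed": feed, "ts": datetime.fromisoformat(ts), "host": host, "msg": msg}

def is_alert(ev):
    """AV detections and IDS hits drive the rule; AV housekeeping lines do not."""
    if ev["feed"] == "ids":
        return True
    return ev["feed"] == "av" and ev["msg"].startswith("Detected")

def correlate(lines, window=timedelta(minutes=5), min_feeds=2):
    """Emit one security event per host when alerts from at least `min_feeds`
    distinct feeds land within `window`, with context lines from the same span."""
    by_host = defaultdict(list)
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    events = []
    for host, evs in by_host.items():
        alerts = [e for e in evs if is_alert(e)]
        for first in alerts:
            span = [a for a in alerts if timedelta(0) <= a["ts"] - first["ts"] <= window]
            feeds = {a["feed"] for a in span}
            if len(feeds) < min_feeds:
                continue
            end = max(a["ts"] for a in span)
            context = [e["msg"] for e in evs
                       if e["feed"] in CONTEXT_FEEDS and first["ts"] <= e["ts"] <= end]
            events.append({"host": host, "start": first["ts"].isoformat(),
                           "feeds": sorted(feeds), "alerts": [a["msg"] for a in span],
                           "context": context})
            break  # one event per host here; a real rule would keep extending it
    return events
```

Running `correlate(SAMPLE_LOGS)` yields a single event for ws-17 (AV plus IDS inside the window, proxy request attached); ws-42 stays quiet because its only alert comes from one feed.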
What else?
This is just the beginning. Standards, processes and procedures, and bureaucracy all play their important parts in this realm. I do want to give an honorable mention to the client relations teams, however. These are the associates that respond to requests such as “what are you doing to protect against this threat that I saw on CNN 20 minutes ago?” or “this vulnerability was released to the public an hour ago and has no fix, have you fixed it yet?”
While the answers to these questions are usually something more politically correct than “yes, we’re doing what every other company on the planet is doing and minimizing our threat landscape,” it is important that this time isn’t taken away from the analysts trying to keep the company and its data safe.
Images courtesy of Wikimedia and Pixabay
Great article Alex. For us, not so seamless or single pane of glass. Cost always trumps functionality, whether it be bodies to man the stations and do the investigations, or cost of the platforms themselves to plug all the holes. Someday though, we will get there, I just keep chipping away at it. We are not that bad off, but still have a ways to go. IDS/IPS, endpoint advanced Malware, and AV are in effect for us. Throw in URL filtering, with OpenDNS and we are somewhat proactive vs. reactive.
Proxy and DNS logs are my absolute favorite data points as a hunter. I always get a kick out of watching people’s reactions when I explain to them why our proxy filtering is the main reason we don’t see ransomware infections on a weekly basis rather than malware controls (yay threat intelligence).
Alex-Nice job with this article. Where I work it takes me at minimum 15 minutes and four separate passwords to be logged in. Many parts of the internet are blocked. If I tried to log in to theFreq at work I would be blocked. Security actually sends out fake phishing emails and they expect us to report it with a button on the system that automatically forwards it to them. Information security training is mandatory twice per year as well. If I leave a secure document on a copier or go to the bathroom without locking my computer, I could…
First, LP good to see you man! Hope Christmas was good, and have a great New Years. I am the firewall and Internet rules guy and guess what (@Alex)??? The Freq is blocked by our firewall also. I haven’t taken the time to review the logs and see which rule it is hitting. Not a common one like a porn category or something, because I would get a warning. So it must be triggering some type of malware/phishing or other boogeyman. Will let you know when I get off my lazy butt and track it.
Hey Mason. Nice to be here and Happy New Year to you and other readers as well. If I get on a blocked site, I can call my buddies in IT and they remotely take over my station and open up the site temporarily because they trust me. But alas, the next time I go to the site it’s blocked again. The simple fix is to carry my personal iPad. The other stuff is too frustrating. I once went to go to our corporate website and it got blocked as being “potentially dangerous”. The IT guys loved that one.
If they trust you, they should just whitelist it by your user ID, since your IP probably changes. You tell them I said to do that. If they can only do it by IP, I just furrowed my brow in disapproval. lol.
Thank you! Those are good examples of where security becomes a bit too overbearing. With a proper setup, there is no reason that it should take fifteen minutes and four passwords. Multi-factor authentication for sure, but when there are that many separate walls, it just adds unnecessary complexity. I would have to say that’s a rather harsh punishment for leaving a secure document or not locking the computer. I won’t demean the importance of those offenses, but much more can be done to prevent those potential issues in the first place (“followme” printing, inactivity lockouts, etc). Internal phishing campaigns is…
Alex-I work in a bank environment. One password to open the system and into corporate email (which is monitored by compliance dept). Next password gets me into the bank DNA system which gives me all personal financial information including passwords to get into their bank accounts. Password three gets me into their investment account information at an outside brokerage firm which also includes personal Social security, DOB, etc. Finally, I type in a work station number to turn on my phone. I get the security necessity. And we are pretty anal about INFOSEC. For obvious reasons. Apparently more so than…
Alex-Somehow I got into another commenting account. So the above homanj1 comment came from me.
Thanks for clarifying! Yeah, when you have different categories of sensitive information, it makes sense to have them a bit more separated out. Still not user friendly, however. But yes, I would have to agree that many of the large commercial firms follow cyber security practices a lot more closely, which probably shouldn’t be the case.
When I was contracted to the DOE I worked in a program called Counter Terrorism Operations Support (CTOS). We researched terrorism and taught related subjects. Imagine how hard it was to try and research for course development when every page you try to get to trips a rule at the firewall. It’s those rat bastards like Mason who were to blame!! (ha ha ha).
Thanks for posting, Alex.
geo sends
Just for you Geo, I would whitelist all the stuff you wanted to get to, but it would cost something. Beer, more than likely.
Haha, always a problem! My penetration testers complain on a daily basis how their tools and tool sites are deleted or blocked by our security stack. Granted, we have non-standard equipment for full testing exercises, but the tools that keep us safe definitely live under the love-hate umbrella for the technical minds among us.
Alex, I really do like reading the cyber security articles. I have always taken as much caution as I can when it comes to my home computer. Even disconnect from the internet at night. My work on the other hand has a lot at risk. They only load our computers with the free version of AGV Antivirus, nothing else. Nothing to check malware or anything else. A few days ago, someone did get some type of threat so they had to shut everyone down (Massachusetts and Florida locations) and disconnect all from the network. Then one by one set up…
Gaaack! that is turrible! So many better ways to do that, but this is Alex’s show, he can detail.
Glad to hear it! Your example is.. well.. terrifying. Antivirus is extremely limited in detecting today’s threats. As I mentioned above, it’s designed to detect KNOWN threats, which amounts to having signatures for each of these documented pieces of malware. If the bad guy takes a known threat, changes a few pieces of the code (variable names, maybe even just comments in the code), it changes that signature. Suddenly, it’s an unknown threat that will bypass antivirus until the malware investigators find it, and add it to the list. That’s simplifying it a bit, but businesses really need to decide…
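The comment above describes signature-based antivirus matching in the abstract. The Python below is an added illustration, not code from the article or its commenters, of why an exact-hash signature is brittle and how a normalized signature (a simplified stand-in for the fuzzy and structural hashing real products add on top) still matches a copy whose comments and variable names were changed. Both sample texts are constructed, harmless placeholders.

```python
import hashlib
import re

# Constructed, harmless placeholder text standing in for a known sample.
KNOWN_SAMPLE = """# downloader v1
host = "example.invalid"
def fetch(path):
    return host + path
"""

# The same logic after a comment rewrite and variable renames.
VARIANT = """# totally different tool, honest
srv = "example.invalid"
def grab(p):
    return srv + p
"""

def exact_signature(text: str) -> str:
    """Exact-match style signature: hash of the bytes as they are."""
    return hashlib.sha256(text.encode()).hexdigest()

# Minimal keyword set for the samples; a real implementation would use a
# proper tokenizer and the language's full keyword list.
_KEYWORDS = {"def", "return"}
_TOKEN = re.compile(r'[A-Za-z_]\w*|"[^"]*"|\S')

def normalized_signature(text: str) -> str:
    """Drop comments and whitespace and replace each identifier with a
    positional placeholder (ID0, ID1, ...) before hashing, so renames and
    re-commenting leave the signature unchanged. Assumes '#' never appears
    inside a string literal, which holds for the constructed samples."""
    names = {}
    tokens = []
    for line in text.splitlines():
        code = line.split("#", 1)[0]
        for tok in _TOKEN.findall(code):
            if tok not in _KEYWORDS and re.fullmatch(r"[A-Za-z_]\w*", tok):
                tok = names.setdefault(tok, f"ID{len(names)}")
            tokens.append(tok)
    return hashlib.sha256(" ".join(tokens).encode()).hexdigest()

def matches_known(text: str) -> dict:
    """What each signature style concludes about `text`."""
    return {
        "exact": exact_signature(text) == exact_signature(KNOWN_SAMPLE),
        "normalized": normalized_signature(text) == normalized_signature(KNOWN_SAMPLE),
    }
```

`matches_known(VARIANT)` reports the exact signature missing and the normalized one matching, which is the gap the comment describes and the reason a SOC layers behavioural and network controls on top of antivirus.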
McMac-I got a death threat email the other night from a hit man. Supposedly I needed to pay him more than the person that hired him. And he would rat on the person that wanted me dead. I thought it was kind of funny. It scared my wife to death. A simple search on the web found the exact email was going around all over.
LPD, I got that Hitman one also mid December. It did shock me for a few minutes. Then I googled it and found that it was circulating for a few weeks. I have since received another in Chinese. I didn’t tell my daughters because they would be needlessly concerned, or my husband as I didn’t want to give him ideas (haha) just kidding. I made the mistake of telling another relative and they asked me to never send them another email or text! They think I’m contagious now.
Mic-I’m in trouble with the IRS and Social Security. They both leave me messages. My warranty has expired on several cars I no longer own. I have car dealers calling to buy back those cars at a premium. Charities with very low ratings, mostly veterans and Police groups call. My Nigerian Uncle that has willed me millions hasn’t emailed me lately. I’m concerned for his health. Sadly, all the BS phone calls and emails we get make it harder for legitimate charities.
LOL… seems those are circulating all around… tho I did get a c.c. hacked a couple of years ago by Russians… everything was in the Russian language lol….