FAQs

Security alerts are ingested into SOC.OS via either the on-premise SOC.OS agent or from one of the cloud based sources. The alerts are enriched with further information from 3rd party sources (e.g. Whois information) and the MITRE ATT&CK® threat associated with the alert is identified. The alerts are then correlated into groups or “clusters” based on a number of rules. This ensures that, for example, alerts targeting the same part of your network with similar threat types would appear in the same cluster and can be easily examined in one go.

These clusters are then ranked so that the ones deemed to require urgent investigation can be found easily on the SOC.OS workbench. Users also have the ability to specify high-importance assets in their network, with clusters containing these assets being moved further up the priority ranking. These clusters can then be investigated from the SOC.OS workbench using a bespoke data visualisation tool that illustrates the time evolution of the cyber event.

The SOC.OS dashboard provides a number of graphs and tables to give you a clear overview of your entire network and to aid in the compilation of high-level reports.

We’re all too familiar with the pain associated with setting up a new tool such as a SIEM, and how integration efforts can last many days, weeks and sometimes months. We’ve worked extremely hard and constantly seek to optimise the SOC.OS on-boarding process to ensure it is as simple as possible.

For on-premise tooling, security alerts are forwarded over syslog from the alerting systems to the SOC.OS agent; which is a lightweight executable that can run on almost any operating system. The installation of the agent takes a matter of minutes, and once configured can be left indefinitely to forward alerts up to the SOC.OS cloud platform.

Cloud-based security tools are even simpler – provide SOC.OS with the API keys to read security alerts from that system, and it will automatically poll for new alerts.

Once you’ve provided a few key details about your network – internal domains, IP Address ranges, etc. – SOC.OS will get to work correlating alerts into prioritised incidents. You can then log into the SOC.OS portal to start viewing these incidents – no more swivel chairing across your multiple security portals.

The objective of intrusion detection and prevention systems, endpoint protection, Web Application Firewalls, SIEMs etc. is to produce alerts when they detect a set of conditions which might indicate malicious and/or anomalous activity. Once organisations install these tools, it’s very easy for small, stretched security teams to become overwhelmed by the number of alerts produced, particularly when the vast majority of these alerts are false positives. It’s easy for the alerts which indicate a real attack to slip through the cracks.

SOC.OS is a lightweight, cloud-based, easy to install, zero-maintenance, affordable security solution to help your existing team filter through the deluge of alerts to find the ones that really matter. Affordable does not mean low-quality, however – we’ve worked with enterprise and nation-grade Security Operation Centres to boil down their techniques into cloud-based technologies, making it available to everyone. Think of SOC.OS as an extra teammate – one with top-tier security training, an ever-increasing understanding of your entire network, and one with a superhuman memory, having the ability to remember every interconnected relationship between every single alert (and meta-data within this alert) produced from every single security tool deployed on your network. This teammate then sits there 24/7 analysing, triaging and prioritising the most important incidents, before passing it onto a human teammate for further review.