The SOC works by establishing a baseline of normal behaviour, such as which accounts typically log into which machines. From there, the SOC flags any behaviour that falls outside of the baseline - such as an admin account logging in to a machine it has never logged into before.
The SOC then triages behaviours and escalates things to the DCA team as needed. It’s similar to systems that banks use to monitor credit cards. If a banking customer goes on holiday and swipes their card in a foreign country, they are likely to get a confirmation phone call from their bank to make sure it’s a legitimate transaction. The SOC follows a similar protocol: identifying the baseline, then investigating behaviour outside of that baseline.
“There were lots of false positives in the beginning,” Steve said, “but this showed how powerful the service was - it was reassuring.”
Over time, the number of false positives fell as the SOC learned the baseline behaviour.
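As an added illustration of the baseline-then-flag approach described above (example code, not the SOC provider's or the case study's own), the following Python learns which hosts each account logs into during an initial window, then flags any later logon whose account/host pair was never seen, adding each flagged pair to the baseline so a repeat does not alert again, which is the mechanism by which false positives fall over time. The account names, host names, the 14-day window and the `admin-` prefix for privileged accounts are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (timestamp, account, host), sorted by time.
# Hypothetical names only; not real data from the page or any environment.
SAMPLE_EVENTS = [
    ("2024-03-01T08:02:11", "alice", "WS-0142"),
    ("2024-03-01T08:05:40", "bob", "WS-0207"),
    ("2024-03-02T09:10:03", "alice", "WS-0142"),
    ("2024-03-03T07:55:19", "svc-backup", "FS-01"),
    ("2024-03-08T22:41:09", "admin-ops", "DC-01"),
    ("2024-03-18T23:17:44", "admin-ops", "WS-0142"),   # admin on a workstation it never used
    ("2024-03-19T08:03:12", "alice", "WS-0142"),       # already in baseline: no alert
    ("2024-03-20T03:30:58", "svc-backup", "WS-0207"),  # service account on a new host
    ("2024-03-21T03:31:02", "svc-backup", "WS-0207"),  # repeat of a learned pair: no alert
]

ADMIN_PREFIXES = ("admin-",)  # assumed naming convention for privileged accounts


def build_baseline(events, baseline_days=14):
    """Learn {account: set(hosts)} from the first `baseline_days` of events."""
    first = datetime.fromisoformat(events[0][0])
    cutoff = first + timedelta(days=baseline_days)
    baseline = defaultdict(set)
    for ts, account, host in events:
        if datetime.fromisoformat(ts) < cutoff:
            baseline[account].add(host)
    return baseline, cutoff


def detect_first_seen(events, baseline_days=14):
    """Flag post-baseline logons whose (account, host) pair was never seen before.

    Each flagged pair is added to the baseline, so the same pair alerts only once;
    a never-seen account logging in anywhere is also flagged. Returns a list of alerts.
    """
    baseline, cutoff = build_baseline(events, baseline_days)
    alerts = []
    for ts, account, host in events:
        if datetime.fromisoformat(ts) < cutoff:
            continue  # inside the learning window, nothing to compare against yet
        if host not in baseline[account]:
            severity = "high" if account.startswith(ADMIN_PREFIXES) else "medium"
            alerts.append({"time": ts, "account": account, "host": host, "severity": severity})
            baseline[account].add(host)  # learn it so the next occurrence is not re-flagged
    return alerts


if __name__ == "__main__":
    for alert in detect_first_seen(SAMPLE_EVENTS):
        print(alert)  # two alerts: admin-ops on WS-0142 (high), svc-backup on WS-0207 (medium)
```

In practice the flagged pairs would go to a triage queue rather than straight into the baseline, so an analyst confirms each one before it is treated as normal.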