Rajnish: Okay, all right everyone, this is Rajnish Gupta and this video is a mock interview for SOC analyst. Every day we are going to do a mock interview series, and in this mock interview Jim will be the interviewer and he will be asking me questions about SOC analyst / security analyst. So first of all let me introduce you to Jim Pak. He is a security consultant and he also works with Hex Camp as a security instructor, lead instructor. And let me tell you how exactly the process of this mock interview will work: Jim will ask me a few questions, and he will also ask me some counter questions based on my answers, and at the end of the video I'll give you the elaborated answer about the main question. Okay, so enough talking, let's get into the interview.

Jim: Hi Rajnish, welcome to the interview. Let's get started. So my first question is about SOC: what is SOC and what are they responsible for?

Rajnish: Sure. So SOC is the Security Operation Center. It's a team, it's a facility, it's a department, and as per my understanding their major responsibility is to bring down the security risk, to counter and address all the real-time threats in real time itself. So they work as the first line of defense, and the people, the security professionals who work in the SOC team, are called SOC analysts. Now there are multiple tiers. This works in almost every case: there are three major tiers, SOC tier one, SOC tier two and SOC tier three. SOC tier one basically works like the first line of defense, as I said earlier. They take care of security monitoring, they take care of the initial triage, they make sure whether these alerts are false positives or genuine, and they also do the primary investigation as well. Then second we have SOC tier two, who are responsible for incident response and the further investigation, detailed investigation. They perform the digital forensics, they make sure that the impact on the network is lower, and their job is to make sure that the malware or attack is eradicated from the network, and faster recovery is also their priority. And next we have SOC tier three, who are more focused on threat hunting. When I say threat hunting it means proactive threat hunting, so they have a hypothesis that the organization is already compromised. To be very honest there can be multiple hypotheses; that's their assumption, that the organization is already compromised, and based on that assumption they create multiple hypotheses to find out different threats in the network.

Now this is about the team; there are tools as well. When it comes to security we talk about three important elements: process, people and tools. So we don't just talk about the people. Now when we talk about the tools, the SIEM tool is the heart of the entire SOC. SIEM is security incident and event management; a tool like Splunk is the very popular one. This collects the log data and events from all the devices in the network and gives us the visualization. The second very important tool is the EDR, endpoint detection and response tool, like CrowdStrike or Windows Defender. This tool basically helps you by giving you the data from all the endpoints of the network so you focus on what's really relevant. Then we also have the security orchestration and automation tool, which is basically the SOAR tool, which basically automates all the recurring activity of the network like phishing analysis, email analysis, threat intelligence lookup and all that stuff. The fourth, which is a very important tool, is the ITSM tool, which is the incident management tool like ServiceNow. This completes the tools. And as I said there's a process element as well for the SOC, which is about what are the different processes which are followed. So NIST and SANS are the major frameworks which are followed: from NIST this is called NIST incident response, and SANS incident response. Both are more or less the same, but it's all about how you respond to any incident in the network. So this is about SOC, and they are responsible for bringing down the overall security posture of the network. So yeah, that's all.

Jim: Okay, it was a nice explanation. My next question is then, so tell me about how SOC is different than NOC.

Rajnish: Well, although I haven't got a chance to work in a NOC environment earlier, but as far as I understand, I think you're talking about the Network Operation Center, right?

Jim: Yes, that's correct, Network Operation Center.

Rajnish: Sorry, I just wanted to confirm. So based on my understanding, NOC is all about taking care of network-related incidents, like monitoring or managing network devices like routers, switches, servers, everything that's a part of the network. So for example if the network is slow or the users are facing slowness in the network, or some applications are not working, the router is not reachable or the switch is rebooting very often, this comes under the Network Operation Center. So their main job is to bring down the downtime in the network, and they also take care of upgrading the routers and switches in the maintenance window or cutover duration. SOC, on the other hand, deals with the security incidents, right, as we just talked about. They deal with malware infection, if there's a ransomware attack, if there's a denial of service attack, if there's a brute force attack. So they deal with the security incidents. So that's the difference.

Jim: Yeah, so when you say SOC is dealing with cyber security, what is SOC contributing to the overall cyber security program?

Rajnish: Sure. Well, from my understanding SOC is very important. It's not because I've been working with it or I'm in that career path; it's mainly because the purpose of SOC is very difficult to quantify or measure, but yeah. Let's say if we don't have a SOC and we just have antivirus software installed in the network, we just have firewalls in the network, we just have an email security spam filter in the network, right? If you look at the current threat landscape, the threat actors or the malware are able to bypass the security solutions, right? So if we install this antivirus software and these preventive tools and we have to completely believe them, and we might relax keeping in mind that they will do their job, it's a wrong approach, because this malware can actually bypass them and we will never know about it. On the other hand, if we have a SOC, which is a mix of the tools and the people, of course, even if someone tries to do any advanced attack or tries to bypass any of the security controls, there are people behind who can monitor those activities. So that's where the accountability will be taken out from the tools and will be given to the people again, right? So this way we actually work a lot on the security element and we actually bring down the risk exposure to the network, and that's how it is helpful in the security program as well. So yeah.

Jim: Great, great Rajnish, it was a nice explanation by you, it's awesome. So thank you.

Rajnish: Thank you. All right, so thank you so much Jim for having me here. Now it's time I should give you the detailed explanation about what SOC is. Get ready guys, let me share my screen. Okay, here we go.

So basically, as I said, SOC has three tiers, right? Depending on the organization, and in the managed security service or in the consulting businesses it can be different, but this is similar in most organizations. SOC tier one takes care of the security monitoring or threat management; they take care of the security monitoring activity, and they take care of the primary investigation in the network for every alert that they get. They also deal with the false positives; they remove the false positives, they perform the initial triage, and they keep their eye on the Splunk tool, I mean the SIEM tool basically, or the EDR tool. So that's their job. Now if something is really important, something that really needs further investigation, SOC tier one will create an incident on the ITSM tool, I hope you remember. They will create an incident on the ITSM tool like ServiceNow and assign it to SOC tier two. SOC tier two is the one I told you about who is responsible for the advanced investigation. They are also called the DFIR team, digital forensics and incident response team. They take care of getting the artifacts first, looking at the artifacts, performing the Windows digital forensics; they also perform the malware analysis as well, and then their job is to make sure they remediate the network: they actually isolate the malware or maybe mitigate the attack in the network. So that's their first job, and then once it is done they perform the recovery of the network as well, or they probably assign it to the ITSM. They can also do the threat intelligence lookup or advanced threat intelligence lookup. It's not that the tier one team cannot do that, they can also do the threat intelligence lookup, but the DFIR team does it in much more detail.

Now the SOC tier three team is very different. They are responsible for threat hunting, and when I say threat hunting they do the proactive threat hunting with an assumption that the organization is already compromised. So they use multiple hypotheses; one of the very popular hypotheses is by using the MITRE ATT&CK framework. It's a very, very popular framework. If you want to know in much more detail about the MITRE framework then I'll mention the link in the description; you should definitely watch that video. They make use of a lot of tools; one of the popular open source tools is osquery, or Velociraptor. Well, both of these tools are also used by the DFIR team or the SOC tier two team as well, but threat hunting is a very, very advanced activity, so multiple tools are already available. But as I told you earlier, EDR is common everywhere: whether you talk about SOC tier one, two or three, everywhere the EDR tools are used. This is the most common thing. Tools like CrowdStrike, Windows Defender, SentinelOne, these are the EDR tools; they take care of everything that's helpful for everyone from tier one to tier three. And another common thing is the reporting. Whether it is the tier one team, tier two team or tier three team, all have to deal with the reporting. What's there in the reports? Basically it consists of the data from what happened, basically the timeline of when it happened, and what the artifacts are: what's the malware hash, what's the source IP address, what's the victim IP address, how that happened, what was the attack vector, everything. So everything is there in it, and that's how the entire system really works. So that's the process, that's how the SOC system really works.

I hope this was useful for you. Let me know in the comment section how you liked this video, and if you have any questions do let us know in the comment section, and if you have any of your interview questions we'll try to answer them, we'll take them in the mock interview series as well. This is me, Rajnish Gupta, and Jim Pak. Of course you know me, I'm a security consultant; Jim is also a security consultant. If you have any questions, if you need any help, you can always reach out to us on LinkedIn, I'll mention our LinkedIn accounts as well. Thank you so much for watching, we'll catch you in the next video. Thank you.