Dark Reading is part of the Informa Tech Division of Informa PLC

SOC in Translation: 4 Common Phrases & Why They Raise Flags

By keeping an ear out for catchphrases like "Just ask Stu" or "I've got a bad feeling about this," CISOs can overcome the barriers that get between business leaders and their security teams.

Having worked in many different security environments, I've picked up on more than a few phrases that you hear only in the security operations center (SOC). These catchphrases frequently need translation — especially as CISOs and the entire C-suite look to get more involved with their organizations' security practices.

Below are a few to listen for, along with what they mean for the business.

"That's not the true source."
The true source? When you hear this, someone is likely performing an investigation and has hit a confounding barrier. The translation: "I'm analyzing network traffic whose origin is other than what's listed in the Source IP field." The cause is likely one of these conditions:

  • Proxy: A proxy device is masking the origin.
  • DNS recursion: DNS servers use recursive queries to resolve hosts not in their cache. This causes many DNS requests to appear to originate from a DNS server and not the origin client.
  • Unusual protocols/spoofing: Some protocols will actually communicate "backward" during their conversations (e.g., FTP active data transfer). Visibility on the wild Internet will also expose analysts to spoofed communications or the responses to victim networks around the world (e.g., DDoS backscatter).

If you hear "not the true source" a lot in your SOC, you may have visibility blind spots that are inhibiting the investigative process.
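The three conditions above can be checked mechanically. The snippet below is an added example, not code from the article or from JASK: it annotates constructed flow records with why the Source IP field may not be the true origin and, where the log itself allows it, what the origin probably is. The proxy and resolver addresses are assumptions standing in for your own inventory.

```python
from typing import Dict, List, Optional, Tuple

PROXIES = {"10.0.0.5"}      # constructed: egress address of our forward proxy
RESOLVERS = {"10.0.0.53"}   # constructed: our internal recursive DNS resolver


def true_source(rec: Dict) -> Tuple[str, Optional[str]]:
    """Return (reason, best-known origin); origin is None when this log cannot tell."""
    src, sport, dport = rec["src"], rec.get("sport"), rec.get("dport")
    flags = rec.get("flags", "")
    # Proxy: the proxy's own address replaces the client's. If the proxy logged
    # X-Forwarded-For, its first entry is the client (trust it only from your proxy).
    if src in PROXIES:
        xff = rec.get("xff")
        return "proxy", (xff.split(",")[0].strip() if xff else None)
    # DNS recursion: outbound queries carry the resolver's address, not the client's;
    # only the resolver's own query log can name the client that asked.
    if src in RESOLVERS and dport == 53:
        return "dns-recursion", None
    # FTP active mode: the server opens the data channel from port 20 back to the
    # client, so the host that started the session is actually the destination here.
    if sport == 20 and "S" in flags and "A" not in flags:
        return "ftp-active-callback", rec["dst"]
    # DDoS backscatter: SYN/ACK or RST arriving for a connection we never opened is a
    # victim answering spoofed packets, not a host deliberately talking to us.
    if flags in ("SA", "R", "RA") and not rec.get("we_initiated", False):
        return "backscatter", None
    return "as-logged", src


def annotate(records: List[Dict]) -> List[Tuple[str, Optional[str]]]:
    return [true_source(r) for r in records]


SAMPLE = [  # constructed records; RFC 5737 documentation addresses for the Internet side
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51000, "dport": 443,
     "xff": "10.1.2.3, 10.0.0.5"},
    {"src": "10.0.0.53", "dst": "198.51.100.2", "sport": 40000, "dport": 53},
    {"src": "198.51.100.7", "dst": "10.1.2.9", "sport": 20, "dport": 50123, "flags": "S"},
    {"src": "192.0.2.40", "dst": "10.1.2.50", "sport": 80, "dport": 4000, "flags": "SA"},
    {"src": "10.1.2.3", "dst": "192.0.2.40", "sport": 50000, "dport": 80, "flags": "S",
     "we_initiated": True},
]

if __name__ == "__main__":
    for rec, (reason, origin) in zip(SAMPLE, annotate(SAMPLE)):
        print(f'{rec["src"]:>14} -> {rec["dst"]:<14} {reason:<20} origin={origin}')
```

A high count of records landing in the first two buckets is the measurable form of the blind spot the paragraph describes: the proxy and resolver logs that would name the client are missing from the SOC's view.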

"Clear the channel before you start hunting."
OK, full disclosure: This one has been directed at me quite a bit, and I've heard this phrase in every SOC where I've worked. It translates to: "We have more alerts than we know what to do with and not enough analysts to deal with them. Please attend to all the alerts before you explore the data looking for your own outliers."

SOC managers who find they are uttering this phrase often should take a step back and consider:

  • Analysts' morale. Analysts aren't often satisfied with working "the channel." You see, the channel never ends. Perhaps dedicated hunting time allotted per day/week regardless of the alert queue will keep analysts' morale up. Also, you'll be amazed what they'll find. All of the biggest incidents I've ever been a part of did not start with clearing the channel; they all resulted from hunting.
  • Technology gaps. Analysts may not have the tools they need to conquer their alert volume. If it takes 30 minutes or longer to analyze an event, there is something missing.
  • Whether alert volume is too high. Analysts often don't have the agility to "tune" alerts fast enough to keep up with the alert volume. Cumbersome change management results in no changes at all.

Your very best analysts want to hunt. If these analysts move on to different opportunities due to job dissatisfaction, you'll be saying this phrase even more.

"Just ask Stu."
Well, replace Stu with the gold-star guy/girl in your organization who has all the answers. Here's the translation: "Our daily activities and processes are so complicated and have evolved so rapidly, there's only one guy who knows how the whole thing works. His name is Stu — go talk to him." Every place where I've worked had a "Stu," and in fact, Stu is the real name of one of them. (He knows who he is — hi, Stu!) If you're a manager and hear this phrase, you must do two things:

  1. If Stu likes money, give Stu a raise. If money isn't what makes Stu happy, find out what does, and give him that. You can't lose Stu.
  2. Build a process to capture everything Stu knows as artifacts in your system. Your system must become Stu. Capturing knowledge from your workforce is not a "one-time thing" — it's a continuous process, and it's never complete.

If you're a colleague of Stu's, learn everything you can. Shoulder surf him. Steal his bash history. Read the books on his desk while he's not there. Whatever it takes. Study him.

"I've got a bad feeling about this."
Your analysts are developing an intuition! This is great! Translation: "I can't describe it yet, but this (IP address, user-agent string, URI, username, etc.) just looks wrong." When you spend enough time as an analyst slogging through the mundane task of reacting to events that turn into nothingburgers, there will come a time when you see something that makes you sit up in your chair and gives you goosebumps. This is analyst intuition, and it's very hard to code and train for (although some companies are getting there). Here are the best ways to foster it:

  • Make sure analysts have the context and the speed to ask the easy questions and get rapid results. This exposes them to a lot of data and affords them the opportunity to ask questions of the data that might not be asked otherwise.
  • Keep the analysts happy and caffeinated. Analysts with a grin on their face, and whose eyes are focused on the target, will reach the intuitive phase.
  • Training, conferences, communities. Expose the analysts to everything new and possible. New perspectives are often all it takes for an intuitive sense to bubble up.

Ask any SOC team, and members are sure to tell you they've heard these phrases at one point or another. The question is, which ones are they using at your organization? By keeping an eye out for these essential phrases and understanding the true meaning behind them, business leaders can overcome the barriers that get between them and their security teams.


Daniel Smallwood is senior security engineer at JASK, the company modernizing security operations with its Autonomous Security Operations Center (ASOC) platform. Prior to JASK, Daniel spent more than 16 years in security and software development for companies including Alert ... View Full Bio
Comments

Joe Stanganelli, User Rank: Ninja, 3/23/2018 9:57:34 AM
AI can help with a lot of this. Many organizations find themselves ignoring most if not all of their security alerts because they are too much for their human staff to handle, but AI solutions on the market can help manage these alerts -- bringing only the serious and "real" ones to the forefront.

Plus, what with all the language-interpreting technology out there, you could build an Alexa-like AI system in your SOC to be on the lookout for these phrases and send an alert to your CISO. ;)