SOC operational procedure.

I work for a research-oriented company as a Security Operations Centre analyst. I was asked to define a procedure to be followed by level 1 analysts for monitoring users who are testing rooted Android devices by connecting them to their workstations. Can anyone help me with any suggestions? Please try to explain it to me or point me towards the right sources where I can get more information. Thank you.
jack daniels asked:
btan, Exec Consultant, commented:
For a SOC, typically it should be receiving the security logs, in this case from the org's MDM/MAM systems that govern the lockdown and provisioning of the mobile device. That is straightforward, as your provider can better advise on the violation error codes so that SOC staff can monitor for them. However, this is for managed mobile devices and not really for BYOD, on which you or the SOC probably have no mandate, as they are personal devices.

Regardless, the L1 analyst should minimally be savvy enough to monitor from logs as well as able to surface a breach such as a rooted device using tools or steps, and report the case to L2 if the tools surface nothing or cannot be run as instructed due to a different build or model than the apps support, etc. Otherwise they will record the faulting device and escalate for containment of the root cause (like an infection case, which is unintentional) or fraudulent staff (an intentional breach and unauthorised tampering).

Have this FAQ built up for L1 to reference, as part of the operational SOP, when they are in doubt about steps or terms -

Focus L1 on minimally having a manual means to detect whether the device is rooted, if required, and always reference the model and how they are rooted to check the difference. You may need to read further to tune how best to use them to your needs -

I suggest focusing on a simple two-step process (its details can change):
- Verifying with an app on your device, such that it is as simple as clicking the button "Is my device rooted?"
- For confirmation, also checking for those files and packages installed on the device, which is one way of finding out whether a device is rooted or not.

Lastly, document the case, steps and observations (esp. any special symptoms of the rooting and malware existence). Have an L2/3 approval workflow in place to close the reported cases, so that L1 is on their toes to meet SLA diligence (people see it as a KPI on the number of closed cases, escalated cases and outstanding/aged cases).
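An added illustration of the second, confirmation step above (example code written for this page, not btan's or any vendor's tool): a small Python helper an L1 analyst could run on the workstation the device is attached to. It pulls the build tags, the installed package list and the presence of common su paths over `adb shell`, then turns them into a case-record verdict. The su paths, package names and the adb invocation are assumptions, and the sample evidence is constructed so the assessment runs without a device.

```python
"""Root-indicator check for an Android device attached to an analyst workstation over adb."""
import subprocess
from typing import Dict, List

# ASSUMED illustrative indicators, not an exhaustive or vendor-specific list: common su
# binary locations and well-known root-management package names. Tune per device model.
SU_PATHS = ["/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"]
ROOT_PACKAGES = ["eu.chainfire.supersu", "com.topjohnwu.magisk",
                 "com.koushikdutta.superuser", "com.noshufou.android.su"]

def adb_shell(serial: str, cmd: str) -> str:
    """Run one command on the device via 'adb -s <serial> shell' and return its stdout."""
    proc = subprocess.run(["adb", "-s", serial, "shell", cmd],
                          capture_output=True, text=True, timeout=30)
    return proc.stdout

def collect_facts(serial: str) -> Dict[str, str]:
    """Gather the raw evidence the assessment needs from a connected device."""
    return {
        "build_tags": adb_shell(serial, "getprop ro.build.tags"),
        "packages": adb_shell(serial, "pm list packages"),
        # ls prints only the paths that exist; errors for missing ones are discarded
        "su_ls": adb_shell(serial, "ls " + " ".join(SU_PATHS) + " 2>/dev/null"),
    }

def assess_root(facts: Dict[str, str]) -> List[str]:
    """Return human-readable root indicators found in the facts; an empty list means none seen."""
    findings = []
    if facts.get("build_tags", "").strip() == "test-keys":
        findings.append("build signed with test-keys (non-release firmware)")
    installed = {ln.split(":", 1)[1].strip() for ln in facts.get("packages", "").splitlines()
                 if ln.startswith("package:")}
    findings += [f"root-management package installed: {p}" for p in ROOT_PACKAGES if p in installed]
    present = {ln.strip() for ln in facts.get("su_ls", "").splitlines() if ln.strip()}
    findings += [f"su binary present: {p}" for p in SU_PATHS if p in present]
    return findings

def triage(findings: List[str]) -> str:
    """L1 verdict for the case record: escalate to L2 when any indicator is present."""
    return "ESCALATE_TO_L2" if findings else "NO_ROOT_INDICATORS"

# Constructed sample evidence (not captured from a real device) so the logic runs offline.
SAMPLE_FACTS = {"build_tags": "test-keys\n",
                "packages": "package:com.android.settings\npackage:com.topjohnwu.magisk\n",
                "su_ls": "/system/xbin/su\n"}

if __name__ == "__main__":
    # For a live device: findings = assess_root(collect_facts("<device-serial>"))
    findings = assess_root(SAMPLE_FACTS)
    print(triage(findings), *findings, sep="\n")
```

The printed verdict and indicator lines are what the L1 analyst would paste into the case record before the L2/3 review.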

Jackie Man, IT Manager, commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: btan (https:#a40937271)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer