ZSCALER SOC TECHNICAL WHITEPAPER
©2021 Zscaler, Inc. All rights reserved.
Overview
As security threats continue to advance, security operations have become a necessary function for protecting our digital way of life. Security teams require continuous improvement in operations to identify and respond to fast-evolving threats, including high-fidelity intelligence, contextual data, and automated prevention workflows. They must leverage automation to reduce strain on their analysts and execute the mission of the Security Operations Center (SOC): to identify, investigate, and mitigate threats.
In this guide, we’ll help you establish the key processes and best practices to enable your security operations to detect emerging threats and respond effectively and quickly. At every step along the way, we’ll show you how you can integrate Zscaler’s security analytics and logging capabilities to optimize your policies to power your SOC, including processes for preventing, logging, detecting, investigating, and mitigating threats.
This first installment of a three-part series focuses on leveraging Zscaler logs for analytics and incident investigation using the Zscaler dashboard, and on dissecting security logs exported via the Nanolog Streaming Service (NSS) to a Security Information and Event Management (SIEM) system. Subsequent documents will detail the Zscaler technology partnership and API integrations with SOC tools such as SIEM, SOAR, CASB, TIP, etc., for automated response, remediation, and threat hunting.
SOC Goals and Key Processes
Security operations can be defined more broadly as a function that identifies, investigates, and mitigates threats. The four main functions of security operations are:
• Real-time event monitoring, classification, and triage
• Threat assessment, prioritization, and analysis
• Incident response, remediation, and recovery
• Vulnerability assessment, audit, and compliance management
In this section, we’ll outline the key Zscaler capabilities for each of these processes. Later, we’ll go into much further depth with detailed tips on settings, policies, and approaches for using Zscaler throughout the incident response lifecycle.
Real-Time Event Monitoring, Classification, and Triage
The initial triage is an important step to collect, correlate, and analyze log data to find a “signal in the noise.” Key indicators of compromise (IoCs) can be found within user activity, security events, and firewall allow/block records, among others. In addition, specific sequences and combinations of these events in specific patterns can signal an event that requires your attention.
As threats and anomalous activities are detected in your environment, Zscaler Internet Access™ (ZIA™) security engines generate logs which are sent to Nanolog clusters in real time. These logs can be viewed and analyzed within the Zscaler dashboards, insights, and logs, and can also be exported to your SIEM through the Nanolog Streaming Service (NSS).
Zscaler Nanolog is a verbose record in a compressed format that includes rich threat context and other useful information for event classification and threat hunting.
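As an added illustration of the triage step described above (this is example code written for this guide, not Zscaler’s own tooling, and not a statement of the real NSS feed layout), the Python below parses a few constructed key=value web log lines and applies one correlation rule of the kind the text alludes to: a user whose threat download was blocked and who then reaches the same host with an allowed request within a short window is escalated for review. The field names (`time`, `login`, `action`, `url`, `threatname`) and the sample lines are assumptions chosen for the example; a real SIEM feed would be mapped to whatever fields your NSS configuration exports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value layout (not Zscaler's actual
# NSS output; field names are illustrative). Hosts and threat names are made up.
SAMPLE_LOGS = """\
time="2021-03-01 10:00:01" login=alice@example.com action=Allowed url=example.com/ threatname=None
time="2021-03-01 10:00:05" login=bob@example.com action=Blocked url=bad.example.net/payload.exe threatname=Test.Malware
time="2021-03-01 10:00:09" login=bob@example.com action=Blocked url=bad.example.net/p2.exe threatname=Test.Malware
time="2021-03-01 10:00:12" login=bob@example.com action=Allowed url=bad.example.net/beacon threatname=None
time="2021-03-01 10:02:30" login=carol@example.com action=Blocked url=phish.example.org/login threatname=Test.Phish
time="2021-03-01 10:40:00" login=carol@example.com action=Allowed url=news.example.com/ threatname=None
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes and parsing time."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    """Parse all non-empty lines of a log export into event dicts."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def host_of(url):
    """Host portion of a scheme-less URL as logged here (everything before '/')."""
    return url.split("/", 1)[0]


def blocked_counts(events):
    """Count Blocked events per threat name; a quick prioritization view."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "Blocked":
            counts[e["threatname"]] += 1
    return dict(counts)


def triage(events, window=timedelta(minutes=5)):
    """Correlate per-user event sequences.

    Rule: a Blocked event followed within `window` by an Allowed request to the
    same host from the same user is escalated, because the blocked download may
    have been followed by a connection that did get through. Returns a list of
    (login, host, threatname) findings, one per user/host pair.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["login"]].append(e)

    findings, seen = [], set()
    for login, evs in by_user.items():
        for i, blocked in enumerate(evs):
            if blocked["action"] != "Blocked":
                continue
            host = host_of(blocked["url"])
            if (login, host) in seen:
                continue
            for later in evs[i + 1:]:
                if later["time"] - blocked["time"] > window:
                    break  # events are time-sorted; nothing later fits the window
                if later["action"] == "Allowed" and host_of(later["url"]) == host:
                    findings.append((login, host, blocked["threatname"]))
                    seen.add((login, host))
                    break
    return findings


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("blocked by threat:", blocked_counts(evs))
    for login, host, threat in triage(evs):
        print(f"ESCALATE {login}: blocked {threat} then allowed traffic to {host}")
```

Carol’s blocked phishing request is not escalated because her next allowed request is to a different host and falls outside the five-minute window; Bob’s pair of blocked downloads followed by an allowed request to the same host is reported once rather than once per blocked event.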