Index

Numbers

3D printing, 638

A

Abuse.ch Feodo Tracker, 412

access

ACL, segmentation, 117

computer rooms, access control, 113

datacenters, 661–662

NAC

automated NAC, 501

manual NAC, 501

profiling, 128

SOC development, 92, 128–130

values, 129–130

privileges, 265

RBAC, 140

accreditation policies, 331–332

ACL, segmentation, 117

acoustics, facility design, 104

actionable intelligence, 378, 392

flowcharts, 414

processing data, 414

active vulnerability scanning, 86–87, 515–516

activity-attack graphs, 34–35

activity threads, 33

actors, threat, 5

cyberterrorists, 7

hacktivists, 5–6

insider threats, 7

motivations of, 7

state-sponsored actors, 6–7

AD, segmentation, 119–120

addressing risk, 172–173

business contingency planning, 173

risk heat mapping, 173–174

advanced static analysis, 448–451

adware, 456

aesthetics, SOC interior design, 105

AI (Artificial Intelligence), 315

airflow, computer rooms, 108–109

aisles, hot/cold design, 108–109

alerting levels in Cisco products, 142–143

AlienVault OTX (Open Threat Exchange), 412–413

AM (Account Managers), 214

Amazon DevOps, 612–613

analysis services, 45, 151

dynamic analysis, 200

hidden extensions diagrams, 197

job roles, 240

static analysis, 197–200

TrIDNET, 197

analytic pivoting, 30–31

anomaly detection, 15–16

Ansible

automated DevOps, 596

DevOps labs, 596–598

hosts files, 597–598

installing, 597

playbooks, 598–600

setting up, 597–598

antivirus data assessment example, 267–269

API (Application Programming Interfaces), 303–304

architectures, 304–305

examples of, 305–307

event-driven/streams, 305

IBM QRadar dashboard, 303–306

leveraging, 303–304

network programmability, NetDevOps, 605

Rapid7 Nexpose, 303–307

REST, 304

RPC, 305

applications

event logs, 273

firewalls, 534

NBAR and SOC development, 93

architectures, API, 304–305

artifacts, incident response

analyzing, 442–443

file identification tools, 445

identifying artifact types, 443–444

file identification tools, 445

magic numbers, 443–444

magic numbers, 443–444

ASHRAE, temperature/humidity in computer rooms, 108–109

assessment officers, 220–221

assessments, 355

capabilities assessments, 60–65

data, 267

antivirus data assessment example, 267–269

SOC services, 270–272

executive summaries, 357–360

FedRAMP security assessment reports, 356

future of, 667–668

goal assessments, 53

defining goals, 54–55

ranking goals, 56–58

summary of, 60

impact assessments, 356

results of, 357

risk assessment phase, vulnerability management, 504

risk assessments, 356

templates, 357–360

threat assessments, 355

types of, 355–356

vulnerabilities

assessments, 355–356, 505

scanning, 360–361

weaknesses of, 361

asset inventory phase, vulnerability management, 500–502

assets, 265

vulnerability evaluation

asset collection, 529–532

prioritizing assets, 536

vulnerability management, 522, 527

assigning tasks to incident response playbooks, 427–430

assurance of information, 9

Atomic Red Team, penetration testing, 182–185

ATT&CK Model, 35

chaining together attack behaviors, 36–38

PRE-ATT&CK research, 36–37

using, 38

attack graphs

activity-attack graphs, 34–35

Diamond Model attack graphs, 34–35

attack vectors, tactical threat intelligence, 394–395

audits, 351

compliance services, 188–189

example of, 351–352

external auditors, 353–354

firewall audit example, 351–352

future of, 667–668

internal audits, 352–353

PDCA cycle, 188–189

tools, 354–355

authenticated scanning, 86

automation

DevOps, 595–596

ML, 651

NAC, 501

playbooks, 575–578

upgrades, SASE, 630

avoiding risk, 542

B

backdoors, 456

baseline security, establishing, 11, 94, 133–135

behavior detection, 15

best-of-breed capabilities, 17

big data, centralized data management, 307–308

Hadoop, 308

challenges, 309–311

securing, 311–312

threat feeds, 312

black-box testing, 181

block pages, reputation security, 89–90

Blocklist.de, 412

blueprinting, 600–601

blue teaming. See threat hunting

boolean data type, 265

botnets, 457

branch networks, capability maps, 64–65

breaches

defense tools, 439–440

impact of, 9–10

Verizon 2020 Data Breach Investigations Report, 189–190

business challenges, SOC, 40–41

business contingency planning, 173

bytes, 264

C

capability assessments, 60

capability maps, 61, 68–69

branch networks, 64–65

endpoint security, 61–63

gap analysis, 66–68

network security, 63–64

gap analysis, 66–68

NIST CSF, 344–345

capacity planning, SOC development, 95–96, 99

careers vs. jobs, 210–211

case management, Phantom, 562–563

CEF format, logs, 278

centralized data management, 144–146, 260–261, 263

API, 303–307

architectures, 304–305

leveraging, 303–304

big data, 307–308

Hadoop, 308–312

threat feeds, 312

data assessments, 267

antivirus data assessment example, 267–269

SOC services, 270–272

data context, 265–267

access privileges, 265

asset information, 265

identity context, 265

network maps and geolocation, 266

nontechnical feeds, 266

process and operational context, 266

social and online context, 266

vulnerability context, 266

data types

booleans, 265

bytes, 264

chars, 265

doubles, 264

floats, 264

int, 264

longs, 264

primitive data types, 263–265

shorts, 264

logs, 272, 279

application event logs, 273

CEF format, 278

common log format, 278

directory service logs, 273

DNS server logs, 273

ELF, 278

endpoint logs, 272

formats of, 274–279

IoT logs, 273

JSON, 276

network device logs, 273

replication logs, 273

security tool logs, 273

syslog, 275

types of, 272–274

Windows event logs, 277

ML, 313

AI, 315

cross-validation models, 316–317

cybersecurity, 314

hold-out models, 316

models of, 315–317

semi-structured data, 263

SIEM, 279

dat digest flows, 283

data correlation, 281–282

data enrichment, 283

data processing, 280–281

IBM QRadar dashboard, 299–302

solution planning, 284–285

Splunk dashboard, 291–300, 311–312

troubleshooting, 287–301

tuning, 285–287

strategic data, 262

structured data, 263

tactical data, 262

threat mapping, 270

unstructured data, 263

Certero dashboard, vulnerability management, 522

certifications, 255–256, 331–332

chain of custody, digital forensics, 470–474

chaining together attack behaviors, ATT&CK Model, 36–37

challenges for services, 152

lack of experience, 154

limited tools, 153

low maturity, 153

people, 152

change

as cyberthreat, 8

impact of, 11–13

management, SOC development, 135–136

char data type, 265

chatbots, 657

ChatOps tools, 594–595

checklists

content quality, 390–391

threat intelligence, 389–390

Chef, automated DevOps, 596

choosing

segmentation, 117–118

threat models, 38–39

CINS Score, 412

CIS Controls, 347–349

Cisco products, alerting levels, 142–143

Cisco Webex Teams, ChatOps, 595

CISO (Chief Information Security Officers), 231–233

clean rooms, facility design, 106

client/server segmentation, 118–119

cloning Gmail, 203–204

cloud programmability

DevOps, 609–612

IT services, 639

orchestration in, 611–612

cloud/database engineers, 215

COBIT (Control Objects for Information and Related Technology)

capability scoring, 49–51

ISACA COBIT 5 Process Assessment Model, 49–51

ISACA COBIT 2019, 349

severity model, impact of incidents, 195

collaboration tools, SOC development, 138–140

collecting/processing threat intelligence, 399–400

actionable intelligence, 414

operational threat intelligence data, 402

Google Alerts, 402–403

scrapers, 403–404

social media, 404–407

strategic threat intelligence data, 400–402

technical threat intelligence data, 407

Abuse.ch Feodo Tracker, 412

AlienVault OTX, 412–413

Blocklist.de, 412

CINS Score, 412

CSV, 411

Cyber Threat System from FortiGuard Labs, 413

Dan.me.uk, 412

Emerging Threats Rule Server, 412

FBI InfraGard, 412

IBM X-Force Exchange, 413

JSON, 407–408

OpenIOC, 408

Regex, 411

SSH Bruteforce logs, 412–413

STIX, 408–409

TAXII, 409–411

XML, 407

common log format, 278

company cultures, 257

competitive workplaces, 252

compliance, 316–317

assessments, 355

executive summaries, 357–360

FedRAMP security assessment reports, 356

impact assessments, 356

results of, 357

risk assessments, 356

templates, 357–360

threat assessments, 355

types of, 355–356

vulnerability assessments, 355–356

vulnerability scanning, 360–361

weaknesses of, 361

audits, 351

example of, 351–352

external auditors, 353–354

firewall audit example, 351–352

internal audits, 352–353

tools, 354–355

CIS Controls, 347–349

exceeding compliance, 321, 350–351

FIRST CSIRT services framework, 350

frameworks, 340–350

guidelines, 340–350

industry compliance, 371–375

ISACA COBIT 2019, 349

ISO/IEC 27005, 345–347

NIST CSF, 342

capability assessments, 344–345

mapping Cisco security products to CSF, 354

tiers, 343–344

officers, 214

penetration testing, 361–362

known environments, 367

NIST Special Publication 800-115, 362–367

partially known environments, 367

planning, 368–371

scope statements, 369–371

types of, 367

unknown environments, 367

policies, 322, 327

accreditation, 331–332

certifications, 331–332

definitions and terms, 327

enforcing, 330–331

history of, 328

launching, 328–329

overview, 322–324

procedures, 332–333

purpose of, 324

scope of, 325

statements, 325–327

tabletop exercises, 334–340

services, 45, 151, 187–188

audits, 188–189

job roles, 240

SOC design considerations, 127–128

standards, 340–350

tools, vulnerability management, 522

Compromise (IOC), Indicators of, 382

computer rooms, 107

access control, 113

airflow, 108–109

equipment racks, 109

fire safety, 112

flood protection, 112

grounding, 111

hot/cold aisle design, 108–109

humidity/temperature, 108–109

lighting, 110

locks, 113

monitoring, 112

power requirements, 107–108

power-dense equipment, 109

raised floors, 111

redundancy planning, 110–111

temperature/humidity, 108–109

video surveillance, 113

connectivity (inline), network considerations, 123

containment

eradication and recovery phase, 455–483

incident response, threat hunting, 455–456

example of, 460–462

grouping, 455–456

maturity models, 460–462

performing, 459–460

stack counting, 459

techniques, 458–459

content quality, threat intelligence, 390

checklists, 390–391

key factors, 390

context

data, 265, 266–267

access privileges, 265

asset information, 265

identity context, 265

network maps and geolocation, 266

nontechnical feeds, 266

process and operational context, 266

social and online context, 266

vulnerability context, 266

threat intelligence, 379, 385–388

contingency planning, business, 173

contracted job roles, services, 165

corrective actions, vulnerability management, 539

correlating data, SIEM, 281–282

cross-validation models, ML, 316–317

CrowdStrike Falcon dashboard, EDR, 566–569

cryptographers/cryptologists, 229–230

CSF (NIST Cybersecurity Framework), 20–21, 342

capability assessments, 344–345

Framework Core, 21–22

mapping Cisco security products to CSF, 354

tiers, 343–344

CSIRT (Computer Security Incident Response Teams), 23, 350, 493–494

CSV, processing technical threat intelligence data, 411

Cuckoo sandboxes, dynamic analysis, 454

cultures of companies, 257

custody (digital forensics), chain of, 470–474

CVSS (Common Vulnerabilities Scoring System), 86, 507–508

CVSS v2, 508–512

CVSS v3, 512–514

cyber insurance, 544–547

Cyber Kill Chains, 25–29, 132

Cyber Threat System from FortiGuard Labs, 413

cybercriminals, 5

cybersecurity, ML, 314

cyberterrorists, 7

cyberthreats, 4–8

change as cyberthreat, 8

hacktivists, 5–6

insider threats, 7

motivations of, 7

D

Dan.me.uk, 412

dashboards

Certero dashboard, vulnerability management, 522

CrowdStrike Falcon dashboard, EDR, 566–569

IBM QRadar dashboard

API, 303–306

SIEM troubleshooting, 299–302

Khan Academy, 647–648

QRadar dashboard, centralized data management, 144–145

SD-WAN, 622–623

SOC development, 140–141

Splunk dashboard

centralized data management, 144–145

Hadoop, 311–312

SIEM troubleshooting, 291–300

data

assessments, 267

antivirus data assessment example, 267–269

SOC services, 270–272

at rest/in motion, SOC development, 92–93

breaches

impact of, 9–10

Verizon 2020 Data Breach Investigations Report, 189–190

context of, 265, 266–267

access privileges, 265

asset information, 265

identity context, 265

network maps and geolocation, 266

nontechnical feeds, 266

process and operational context, 266

social and online context, 266

vulnerability context, 266

correlating, SIEM, 281–282

digest flows, SIEM, 283

logs, 272, 279

application event logs, 273

CEF format, 278

common log format, 278

directory service logs, 273

DNS server logs, 273

ELF, 278

endpoint logs, 272

formats of, 274–279

IoT logs, 273

JSON, 276

network device logs, 273

replication logs, 273

security tool logs, 273

syslog, 275

types of, 272–274

Windows event logs, 277

modeling, DevOps, 589–590

processing, SIEM, 280–281

SIEM, 279

data digest flows, 283

data correlation, 281–282

data enrichment, 283

data processing, 280–281

IBM QRadar dashboard, 299–302

solution planning, 284–285

Splunk dashboard, 291–300, 311–312

troubleshooting, 287

tuning, 285–287

structures of

semi-structured data, 263

structured data, 263

unstructured data, 263

threat mapping, 270

types of

booleans, 265

bytes, 264

chars, 265

doubles, 264

floats, 264

int, 264

longs, 264

primitive data types, 263–265

shorts, 264

data management (centralized), 144–146, 260–261, 263

API, 303–307

architectures, 304–305

leveraging, 303–304

big data, 307–308

Hadoop, 308–312

threat feeds, 312

data assessments, 267

antivirus data assessment example, 267–269

SOC services, 270–272

data context, 265–267

access privileges, 265

asset information, 265

identity context, 265

network maps and geolocation, 266

nontechnical feeds, 266

process and operational context, 266

social and online context, 266

vulnerability context, 266

data types

booleans, 265

bytes, 264

chars, 265

doubles, 264

floats, 264

int, 264

longs, 264

primitive data types, 263–265

shorts, 264

logs, 272, 279

application event logs, 273

CEF format, 278

common log format, 278

directory service logs, 273

DNS server logs, 273

ELF, 278

endpoint logs, 272

formats of, 274–279

IoT logs, 273

JSON, 276

network device logs, 273

replication logs, 273

security tool logs, 273

syslog, 275

types of, 272–274

Windows event logs, 277

ML, 313

AI, 315

cross-validation models, 316–317

cybersecurity, 314

hold-out models, 316

models of, 315–317

recovery, digital forensics, 479–480

semi-structured data, 263

SIEM, 279

dat digest flows, 283

data correlation, 281–282

data enrichment, 283

data processing, 280–281

IBM QRadar dashboard, 299–302

solution planning, 284–285

Splunk dashboard, 291–300, 311–312

troubleshooting, 287–301

tuning, 285–287

sovereignty laws, 374

stealing software/keyloggers, 457

strategic data, 262

structured data, 263

tactical data, 262

threat mapping, 270

unstructured data, 263

data orchestration

blueprinting, 600–601

DevOps, 582

Amazon DevOps, 612–613

Ansible and DevOps labs, 596–598

automated DevOps, 595–596

cloud programmability, 609–612

common data formats, 585–589

data management, 583–584

data modeling, 589–590

IaaS DevOps, 610

JSON, 586

manual DevOps, 592–595

NETCONF, 590–591

NetDevOps, 604–609

PaaS DevOps, 610

RESTCONF, 591

SaaS DevOps, 610, 613–614

targets, 592

text-file formats, 584–585

tools, 591

XML, 585–586

YAML, 586–589

YANG serializers, 589–590

EDR

CrowdStrike Falcon dashboard, 566–569

NISTIR 8011 Attack Methodologies, 566

network programmability, NetDevOps, 604–605

API, 605

examples of, 606–609

OODA loop diagrams, 557–558

playbooks, 569

automation, 575–578

components of, 569–570

IRC, 571–572

malware outbreak playbooks, 196, 572–575

workflows, 570–571

workflows, examples, 579–582

SIEM, SOAR comparisons, 558

SOAR, 556–558, 560–561

Phantom, case management, 562–563

Phantom, DevOps usage example, 564–566

Phantom, example of, 561–562

Phantom, playbooks, 563–564

SIEM comparisons, 558

XDR, 559–560

database/cloud engineers, 215

datacenters, accessing, 661–662

defense-in-depth strategies, 9, 17, 136–137

defining goals, SOC goal assessments, 54–55

designing

interior design of SOC, 103–105

procedures, 83–84

SOC facilities

computer rooms, 107–113

in-house services vs. outsourcing, 102–103

interior design, 103–105

layouts, 113–114

locating, 103

physical vs. virtual SOC, 102–103

rooms, 106–113

WBDG, 101–102

desktop support, IT job roles, 215

detecting/preventing

detection and analysis phase, incident response lifecycle, 438–454

detection, 13–14

anomaly detection, 15–16

baselines, 94

behavior detection, 15

best-of-breed capabilities, 17

defense-in-depth strategies, 17

evaluating security technologies, 17–18

honeypots, 94

intrusions, 133

NBAR, 93

NetFlow, 93, 133–134

researching security technologies, 18–19

signature detection, 14

SOC development, 93–94

developing SOC

baseline tools, 133–135

centralized data management, 144–146

change management, 135–136

compliance, 127–128

dashboards, 140–141

data retention and, 143–144

detection technologies, 93

baselines, 94

honeypots, 94

NBAR, 93

NetFlow, 93, 133–134

encryption, 130–131

evaluating vulnerabilities

active vulnerability scanning, 86–87

CVSS, 86

passive vulnerability scanning, 87–88

facility design

computer rooms, 107–113

in-house services vs. outsourcing, 102–103

interior design, 103–105

layouts, 113–114

locating, 103

physical vs. virtual SOC, 102–103

rooms, 106–113

WBDG, 101–102

host systems, 136–137

internal security tools, 132

intrusion detection/prevention, 133

mobile device security concerns, 94–95

NAC, 128–130

NetFlow, 133–134

network considerations, 114–115

disaster recovery, 125–126

inline connectivity, 123

redundancy, risks reduction, 124–125

segmentation, 115–120

throughput, 120–121

network security guidelines, 137–138

packet capturing, 133–134

phases of development, 80–82

planning, 95

capacity planning, 95–96, 99

goal alignment, 96

growth planning, 96–97

redundancy planning, 98

resource planning, 98

technology planning, 97–98

preventive technologies, 88–89

data at rest/in motion, 92–93

firewalls, 89

NAC, 92, 128–130

reputation security, 89–91

VPN, 91–92

procedures, 83–85

reporting, 140–141

security

considerations, 126–127

tools, 85

storage

data retention and, 143–144

throughput and, 141–144

throughput, 141–144

tool collaboration, 138–140

development milestones, SOC, 69–70

device fingerprints, SASE, 628

DevOps, 582

Amazon DevOps, 612–613

Ansible and DevOps labs, 596–598

automated DevOps, 595–596

cloud programmability, 609–612

common data formats, 585–589

data management, 583–584

data modeling, 589–590

IaaS DevOps, 610

JSON, 586

learning, 670–671

manual DevOps, 592–593

ChatOps tools, 594–595

wikis, 593–594

NETCONF, 590–591

NetDevOps, 604–609

PaaS DevOps, 610

Phantom usage example, 564–566

RESTCONF, 591

SaaS DevOps, 610, 613–614

targets, 592

text-file formats, 584–585

tools, 591

training, future of, 650

XML, 585–586

YAML, 586–589

YANG serializers, 589–590

Diamond Model, 30–31

attack graphs, 34–35

Diamond Model for Incident Management, 32–33

Extended Diamond Model, 31

digital forensics

incident response, 467–468, 482–483

chain of custody, 470–474

data recovery, 479–480

dynamic analysis, 480–482

evidence, 474–476

first responders, 470

hashing, 476–478

process of, 468–469

static analysis, 478–479

volatile data, 480–482

labs, facility design, 106

services, 46, 151, 200–202, 240–241

directory service logs, 273

disaster recovery, network considerations, 125–126

disposal (secure), facility design, 104

disassemblers, static analysis, 199–200

distance, networks, 534–535

DLP, SASE, 629

DMZ, IDS/IPS, 534–535

DNS server logs, 273

documentation, risk documentation, 171–172

double data type, 264

downloaders, 456

DRP (Disaster Recovery Planning), 125–126

duplicating evidence, digital forensics, 474–476

dynamic analysis

analysis services, 200, 452

isolated systems, 453

sandboxes, 453–454

forensic dynamic analysis, 480–482

dynamic users/device fingerprints, SASE, 628

dysfunctional SOC, factors of, 3–4

E

EDR (Endpoint Detection and Response)

CrowdStrike Falcon dashboard, 566–569

NISTIR 8011 Attack Methodologies, 566

ELF (Extended Log Format), 278

email

ESA, 420–421

threat intelligence security, 420

deploying email security, 421

ESA, 420–421

Emerging Threats Rule Server, 412

Emily Williams hacking example, IT services, 633–636

employees

certifications, 255–256

company cultures, 247

job roles, 165

managing, 250–252

onboarding, 249–250

training, 253–255

EMV (Expected Monetary Value), 170–171

encoding files, malware, 14

encryption

LAN, 131

SOC development, 130–131

endpoint logs, 272

endpoint security

capability maps, 61–63

defense in depth strategy, 136–137

enforcing policies, 330–331

enriching data, SIEM, 283

EPS (Events Per Second)

digesting by a monitoring system, 141–142

reducing, 142–143

equipment racks, computer rooms, 109

eradication phase, incident response, 462

eradication playbooks, 464–465

system order, 463

ESA (Email Security Appliance), 420–421

evaluating

security technologies, 17–18

soft skills, 242–243

threat intelligence, 388–389

Three Pillars of Foundational SOC Support Services, The, 159

vulnerabilities, SOC development

active vulnerability scanning, 86–87

CVSS, 86

passive vulnerability scanning, 87–88

evaluation procedures, vulnerability management, 528–539

asset collection, 529–532

choosing corrective actions, 539

launch scanning, 537–539

event-driven/streams, API, 305

evidence, digital forensics, 474–476

exceeding compliance, 321, 350–351

exceptions, vulnerability management, 552–553

executive summaries, assessment template, 357–360

experience (lack of), challenges for services, 154

exploitation tools, vulnerability management, 520–521

Extended Diamond Model, 31

extensions diagrams, hidden, 197

external auditors, 353–354

external SOC services, 164

external threat intelligence, 385–386

F

Facebook, Emily Williams social engineering attack example, 634–635

facility design

computer rooms, 107–113

future of, 659–661

in-house services vs. outsourcing, 102–103

interior design, 103–105

layouts, 113–114

locating, 103

physical vs. virtual SOC, 102–103

rooms, 106–113

WBDG, 101–102

Falcon dashboard (CrowdStrike), EDR, 566–569

false positives, anomaly detection, 16

FBI InfraGard, 412

FedRAMP (Federal Risk and Authorization Management Program)

industry compliance, 374

security assessment reports, 356

feedback, threat intelligence, 421–422

file identification tools, artifact identification, 445

finding people for services, 152, 157

fingerprints

device fingerprints, SASE, 628

Nmap, 503

fire safety, computer rooms, 112

Firepower passive vulnerability scanning, 87–88, 306–307

firewalls

application-layer firewalls, 534

audit example, 351–352

SOC development, 89

first-generation SOC, 51

first responders, digital forensics, 470

FIRST service frameworks, 493

CSIRT, 23, 160–161, 350, 493–494

PSIRT, 23–24, 493

FISMA (Federal Information Security Modernization Act), 373–374

float data type, 264

flood protection, computer rooms, 112

floor layouts, facility design, 113–114

Foremost data recovery, 479–480

forensics (digital)

incident response, 467–468, 482–483

chain of custody, 470–474

data recovery, 479–480

dynamic analysis, 480–482

evidence, 474–476

first responders, 470

hashing, 476–478

process of, 468–469

static analysis, 478–479

volatile data, 480–482

labs, facility design, 106

services, 46, 151, 200–202, 240–241

forensic dynamic analysis, 480–482

forensic engineers, 230–231

forensic static analysis, 478–479

formalizing pay scales, 212–213

Foundational SOC Support Services, 154–155

evaluating, 159

people, 156–157

technology, 158–159

fourth-generation SOC, 52

Framework Core, CSF, 21–22

frameworks

compliance/risk reduction, 340–350

NIST CSF, 342–344

security, 19–20

applying, 24–25

CSF, 11, 20–22

FIRST service frameworks, 23–24, 350

free training, 644

fundamental security capabilities, 13

anomaly detection, 15–16

behavior detection, 15

best-of-breed capabilities, 17

defense-in-depth strategies, 17

evaluating security technologies, 17–18

researching security technologies, 18–19

signature detection, 14

fundamental SOC services, 150–152

G

gamifying learning, 644–645

gaps in SOC capabilities, analyzing, 66–68

geolocation and network maps, 266

Gmail, cloning, 203–204

goals

alignment, SOC development, 96

assessments, SOC, 53

defining goals, 54–55

ranking goals, 56–58

ranking threats, 58–59

summary of, 60

service job roles, 165–166

Google

Google Alerts, operational threat intelligence data, 402–403

reputation warning banners, 90–91

governance references, SOC scope statements, 80

gray-box testing, 181

grounding, computer rooms, 111

group tags, 664–665

grouping, threat hunting, 459

growth planning, SOC development, 96–97

GS pay scales, 211–213

guidelines

compliance/risk reduction, 340–350

security, 19–20

ISO 3100:2018, 22–23

NIST, 22

SOC network security, 137–138

H

hacktivists, 5–6

Hadoop, 308

challenges, 309–311

securing, 311–312

hash matches, 458

hashing, digital forensics, 476–478

heat mapping, risk, 173–174

helpdesks, IT job roles, 215

hidden extensions diagrams, 197

HIPAA (Health Insurance Portability and Accountability Act), 373

HipChat, ChatOps, 595

hold-out models, ML, 316

honeypots, 29, 94

host scanning, 516, 534

host systems, SOC development, 136–137

hot/cold aisle design, computer rooms, 108–109

humidity/temperature, computer rooms, 108–109

hunting threats, incident response, 424, 455–456

consortium playbooks, 196

example of, 460–462

grouping, 455–456

incidents, defining, 425

lifecycle of, 425–426

containment, eradication and recovery phase, 426–438

detection and analysis phase, 438–454

post-incident activity phase, 484–492

preparation phase, 426–438

maturity models, 460–462

performing, 459–460

planning, 194

SOC job roles, 221–222

stack counting, 459

techniques, 458–459

hybrid services, 44

I

IaaS, DevOps, 610

IBM QRadar dashboard

API, 303–306

SIEM troubleshooting, 299–302

IBM X-Force Exchange, 413

identity context, 265

IDS/IPS (Intrusion Detection/Prevention Systems), 534

impact assessments, 356

impact of incidents, incident management services, 194–195

incident management

Diamond Model for Incident Management, 32–33

services, 45, 151

COBIT severity model, 195

impact of incidents, 194–195

incident response planning, 194

job roles, 239–240

NIST Special Publication 800–61 Revision 2, 190–193

playbooks, 195

Verizon 2020 Data Breach Investigations Report, 189–190

incident response, 424

artifacts

analyzing, 442–443

identifying artifact types, 443–445

breach defense tools, 439–440

communication, 430–431

containment phase, threat hunting

example of, 460–462

grouping, 455–456

maturity models, 460–462

performing, 459–460

stack counting, 459

techniques, 458–459

core security capabilities, 439–440

detecting malware behavior, 441

digital forensics, 467–468, 482–483

chain of custody, 470–474

data recovery, 479–480

dynamic analysis, 480–482

evidence, 474–476

first responders, 470

hashing, 476–478

process of, 468–469

static analysis, 478–479

volatile data, 480–482

dynamic analysis, 452

isolated systems, 453

sandboxes, 453–454

eradication phase, 462

eradication playbooks, 464–465

system order, 463

FIRST service frameworks, 493

CSIRT, 493–494

PSIRT, 493

guidelines, 492–494

incident detection, 438–439

incidents, defining, 425

infected systems, 441–442

law enforcement, 432–435

Lessons Learned reports, 489–492

lifecycle of, 425–426

containment, eradication and recovery phase, 426–438

detection and analysis phase, 438–454

post-incident activity phase, 484–492

preparation phase, 426–438

malware

categories of, 456–457

threat hunting, 455–456, 458–462

packing files, 445–447

planning, 194

planning templates, 437

playbooks

consortium playbooks, 196

eradication playbooks, 464–465

recovery playbooks, 466

task assignments, 427–430

recovery phase, 466

SOC job roles, 221–222

static analysis, 446–447

advanced static analysis, 448–451

Pframe, 448

WannaCry kill switch malware analysis, 451–452

third-party interactions, 431–432

threat analysis, 440

threat hunting, 455–456

example of, 460–462

grouping, 455–456

maturity models, 460–462

performing, 459–460

stack counting, 459

techniques, 458–459

ticketing systems, 435–436

industry compliance, 371–372

data sovereignty laws, 374

FedRAMP, 374

FISMA, 373–374

HIPAA, 373

SOX, 373

industry threat models, 25

ATT&CK Model, 35–38

chaining together attack behaviors, 38

PRE-ATT&CK research, 36–37

using, 38

choosing, 38–39

Cyber Kill Chain model, 25–29

Diamond Model, 30–31

attack graphs, 34–35

Diamond Model for Incident Management, 32–33

Extended Diamond Model, 31

social-political meta-features, 31

technology meta-features, 31

infected systems, incident response, 441–442

information assurance, 9

information management phase, vulnerability management, 502–503

ingesting log data from security devices, service areas, 162–163

in-house SOC services, 42, 102–103, 164

advantages of, 42–43

disadvantages of, 43–44

inline connectivity, network considerations, 123

insider threats, 7

installation/post-sales engineers, 214

int data type, 264

interior design of SOC, 103–105

internal audits, 352–353

internal security tools

Cyber Kill Chains, 132

SOC development, 132

internal threat intelligence, 385–386

interviewing, job roles, 247

interview prompters, 247–248

post interview process, 249

intrusion detection/prevention, SOC development, 133

investing in security

defense-in-depth strategies, 9

information assurance, 9

NSA Information Assurance and Defense-in-Depth Strategy, 8–9

Investment (ROI), Return on, 421–422

IOC (Indicators of Compromise), 382, 408

IoT logs, 273

IRC playbooks, 571–572

ISACA COBIT 5 Process Assessment Model, 49–51

ISACA COBIT 2019, 349

ISO (International Organization for Standardization)

ISO 3100:2018, 22–23

ISO/IEC 27005, 345–347

isolated systems, dynamic analysis, 453

IT job roles, 213–214, 216

AM, 214

compliance officers, 214

database/cloud engineers, 215

desktop support, 215

helpdesks, 215

installation/post-sales engineers, 214

managers, 215

marketing engineers, 214

network engineers, 215

SE, 214

software engineers, 215

IT services, 631, 639–640

3D printing, 638

cloud programmability, 639

hacking, Emily Williams example, 633–636

IT operations, defined, 631–633

IT services, IT operations defined, 631–633

SASE, 637

training, 640–651

virtualized computers, 638–639

IT teams, vulnerability management, 527

J

Jenkins, automated DevOps, 596

job retention, 252–253

job roles, 206, 210–211

analysis services, 240

careers vs. jobs, 210–211

certifications, 255–256

company cultures, 247

competitive workplaces, 252

compliance services, 240

developing, 211–213

digital forensics services, 240–241

incident management services, 239–240

interviewing, 247

interview prompters, 247–248

post interview process, 249

IT job roles, 213–214, 216

AM, 214

compliance officers, 214

database/cloud engineers, 215

desktop support, 215

helpdesks, 215

installation/post-sales engineers, 214

managers, 215

marketing engineers, 214

network engineers, 215

SE, 214

software engineers, 215

managing employees, 250–252

NICE Framework, 233–237

onboarding employees, 249–250

pay scales

formalizing, 212–213

GS pay scales, 211–213

pre-interviewing, 246–247

research and development services, 241

retaining jobs, 252–253

risk management services, 239

security clearances, 244–245

services

contracted vs. employee job roles, 165

goals, 165–166

resource planning, 166–167

situational and security awareness services, 241

SOC job roles, 216–217, 231–233

assessment officers, 220–221

cryptographers/cryptologists, 229–230

forensic engineers, 230–231

incident responders, 221–222

penetration testers, 218–219

security administrators, 224–225

security analysts, 217–218

security architects, 227–229

security engineers, 225–226

security trainers, 227

systems analysts, 222–224

SOC services and associated job roles, 238–241

soft skills, 241–242

evaluating, 242–243

SOC soft skills, 243–244

tiers, 237–238

training employees, 253–255

vulnerability management services, 239

Joe sandbox, dynamic analysis, 453–454

JSON (JavaScript Object Notation), 276

DevOps, 586

processing technical threat intelligence data, 407–408

K

Kali Linux, penetration testing, 186

keyloggers/data stealing software, 457

Khan Academy, on-demand/personalized learning, 647–648

known environment penetration testing, 367

L

lack of experience, challenges for services, 154

LAN, encryption, 131

launchers, 456

launching policies, 328–329

law enforcement, incident response, 432–435

layouts, facility design, 113–114

learning

DevOps, 670–671

gamifying, 644–645

LMS, 645

on-demand learning, 646–648

personalized learning, 646–648

Lessons Learned reports, 489–492

lighting

computer rooms, 110

facility design, 104

limited tools, challenges for services, 153

LinkedIn, Emily Williams hacking example, 634

Linux (Kali), penetration testing, 186

LMS (Learning Management Systems), 645

locating SOC facilities, 103

lockers, facility design, 105

locks, computer rooms, 113

logical segmentation, 116–118

logs, 272, 279

application event logs, 273

CEF format, 278

common log format, 278

data (security devices), ingesting for service areas, 162–163

directory service logs, 273

DNS server logs, 273

ELF, 278

endpoint logs, 272

formats of, 274–279

IoT logs, 273

JSON, 276

network device logs, 273

replication logs, 273

security tool logs, 273

SSH Bruteforce logs, 412–413

syslog, 275

types of, 272–274

Windows event logs, 277

long data type, 264

low maturity, services, 153

M

magic numbers, 443–444

malware

adware, 456

backdoors, 456

botnets, 457

categories of, 456–457

detecting behavior, 441

downloaders, 456

encoding files, 14

keyloggers/data stealing software, 457

launchers, 456

matching hashes, 458

outbreak playbooks, 196, 572–575

packing files, analysis services, 445–447

phoning home, 457

port scanning, 457–458

ransomware, 457

rootkits, 456

scareware, 457

signature detection, 14

spam, 457

threat hunting, 455–456

example of, 460–462

grouping, 455–456

maturity models, 460–462

performing, 459–460

stack counting, 459

techniques, 458–459

viruses, 457

WannaCry kill switch malware analysis, 451–452

worms, 457

managers, IT job roles, 215

manager’s office, facility design, 106

managing

analysis services, job roles, 240

asset management, vulnerabilities, 522

change, SOC development, 135–136

compliance services, job roles, 240

data management (centralized), 144–146, 260–261

API, 303–307

big data, 307–313

data assessments, 267–272

data context, 265–267

data structures, 263

data types, 263–265

Hadoop, 308–312

logs, 272–279

ML, 314–317

semi-structured data, 263

SIEM, 279–302

strategic data, 262

structured data, 263

tactical data, 262

threat mapping data, 270

unstructured data, 263

digital forensics services, job roles, 240–241

incident management services, 45, 151

COBIT severity model, 195

impact of incidents, 194–195

incident response planning, 194

job roles, 239–240

NIST Special Publication 800–61 Revision 2, 190–193

playbooks, 195

Verizon 2020 Data Breach Investigations Report, 189–190

information management phase, vulnerability management, 502–503

MDM, 94–95

Nmap scanning, 501–502

people, 250–252

power

power-dense equipment, computer rooms, 109

UPS, computer rooms, 110–111

research and development services, job roles, 241

risk management services, 45, 150, 169

addressing risk, 172–174

four responses to risk, 169–170

job roles, 239

reducing risk, 169–172

situational and security awareness services, job roles, 241

vulnerability management, 498–499, 501

accuracy, 540–541

asset access, 535

asset inventory phase, 500–502

asset management, 522

best practices, 499–500

Certero dashboard, 522

CVSS, 507–514

cyber insurance, 544–547

deployment example, 535

evaluation procedures, 528–539

exceptions, 552–553

exploitation tools, 520–521

host scanning, 516

information management phase, 502–503

measuring vulnerabilities, 506

NAC, 501, 522–524

network scanners, 501–502, 515

patching systems, 547–549

process summary, 554–555

program diagrams, 527–528

remediation approval, 550–551

report and remediate phase, 505

reporting, 552

respond and repeat phase, 506

responses, 540, 542–544

risk assessment phase, 504

shorthand, 511–512

Struts vulnerability example, 507, 512–514

temporal/environmental metrics, 511

threat detection tools, 524–525

vulnerability assessments, 505

vulnerability scanning, 515–520

vulnerability management services, 45, 150, 175, 525

best practices, 175–176

job roles, 239

OpenVAS, 178

penetration testing, 179–187

roles, 527–528

scannng services, 525–527

Tenable.sc vulnerability tracking, 177

vulnerability tracking, 179

manual DevOps, 592–593

ChatOps tools, 594–595

wikis, 593–594

manual NAC (Network Access Control), 501

maps

capability maps, 61, 68–69

branch networks, 64–65

endpoint security, 61–63

gap analysis, 66–68

network security, 63–64

data, threats, 270

risk heat maps, 173–174

marketing engineers, 214

matching hashes, 458

maturity (low), services, 153

maturity models, 47

assessments, 47–48

ISACA COBIT 5 Process Assessment Model, 49–51

program maturity, 51–53

services, 167–168

SOC-CMM Model, 49

threat hunting, incident response, 460–462

MDM (Mobile Device Management), 94–95

measuring vulnerabilities, 506

Metasploit, penetration testing, 14, 186–187

Microsoft Teams, ChatOps, 595

mission statements, 74–75

developing, 75–76

sample statements, 76–77

MITRE ATT&CK Model, 35–38

chaining together attack behaviors, 36–37

penetration testing, 182

PRE-ATT&CK research, 36–37

using, 38

ML (Machine Learning), 313, 651–652

AI, 315

applied, 653–654

automation, 651

chatbots, 657

cross-validation models, 316–317

cybersecurity, 314

future of, 656–659

hold-out models, 316

hurdles of, 652–653

models of, 315–317

training, 655

mobile devices

MDM, 94–95

security concerns, SOC development, 94–95

modified waterfall model, processing threat intelligence, 400–402

monitoring, computer rooms, 112

monitoring systems, EPS, digesting, 141–142

Moodle, LMS, 645

motivations of threat actors, 7

N

NAC (Network Access Control), 12

automated NAC, 501

profiling, 128

SOC development, 92, 128–130

values, 129–130

vulnerability management, 522–524

name servers, rogue, 282

NAT (Network Address Translation), 534

NBAR (Network-Based Application Recognition), 93

NERC CIP (North American Electric Reliability Corporation, Critical Infrastructure Protection), 375

NETCONF, 590–591

NetDevOps, 604–605

API, 605

examples of, 606–609

NetFlow, 93, 133–134

network scanners, 501–502

application-layer firewalls, 534

distance, networks, 534–535

IDS/IPS, 534

NAC, 522–524

network scanners, 515

perimeter networks (DMZ), 535

segmentation, 534–535

templates, 534, 536

VPN, 534

networks

branch networks, capability maps, 64–65

connectivity, inline connectivity, 123

device logs, 273

disaster recovery, 125–126

distance, 534–535

engineers, 215

LAN, encryption, 131

maps and geolocation, 266

perimeter networks (DMZ), 535

programmability, NetDevOps, 601–604

API, 605

examples of, 606–609

redundancy, risks reduction, 124–125

SD-WAN, 618–622

benefits of, 622–623

dashboard example, 622–623

DLP, 629

tier one support, 629–630

security, capability maps, 63–64

segmentation, 115–116

ACL, 117

AD segmentation, 119–120

choosing, 117–118

client/server segmentation, 118–119

logical segmentation, 116–118

server segmentation, 118–119

SOC design considerations, 114–115

network security guidelines, 137–138

segmentation, 115–120

throughput, 120–121

throughput, 120–121

requirements, 121–123

VPN, 534

SASE, 628–629

SOC development, 91–92

WAN, 618–620

Nexpose vulnerability scanner, 86–87

NICE Framework, 233–237

NIST (National Institute of Standards and Technology)

CSF, 11, 20–21, 342

capability assessments, 344–345

Framework Core, 21–22

mapping Cisco security products to CSF, 354

tiers, 343–344

guidelines, 22

SP 800–61 Rev. 2 Incident Response Lifecycle, 425–426

containment, eradication and recovery phase, 426–438

incident management, 190–193

preparation phase, 426–454, 484–492

SP 800-84, future of SOC staff, 666–667

SP 800-86, digital forensics services, 201–202

SP 800-115, penetration testing, 180–182, 362–367

NISTIR 8011 Attack Methodologies, 566

Nmap

fingerprinting, 503

scanning, 501–502

nontechnical feeds, 266

nontechnical intelligence. See strategic threat intelligence

NSA Information Assurance and Defense-in-Depth Strategy, 8–9

O

onboarding employees, 249–250

on-demand experts, future of training, 649

on-demand learning, 646–648

online and social data context, 266

OODA loop diagrams, 557–558

OpenIOC, processing technical threat intelligence data, 408

OpenVAS, vulnerability scanning, 178

operational threat intelligence, 205, 382, 384–385

data expectations, 396–397

processing data, 402

Google Alerts, 403–404

scrapers, 403–404

social media, 404–407

operations rooms, facility design, 106

OPEX (Operating Expenses), 628

orchestrating data

blueprinting, 600–601

DevOps, 582

Amazon DevOps, 612–613

Ansible and DevOps labs, 596–598

automated DevOps, 595–596

cloud programmability, 609–612

common data formats, 585–589

data management, 583–584

data modeling, 589–590

IaaS DevOps, 610

JSON, 586

manual DevOps, 592–595

NETCONF, 590–591

NetDevOps, 604–609

PaaS DevOps, 610

RESTCONF, 591

SaaS DevOps, 610, 613–614

targets, 592

text-file formats, 584–585

tools, 591

XML, 585–586

YAML, 586–589

YANG serializers, 589–590

EDR

CrowdStrike Falcon dashboard, 566–569

NISTIR 8011 Attack Methodologies, 566

network programmability, NetDevOps, 604–605

API, 605

examples of, 606–609

OODA loop diagrams, 557–558

playbooks, 569

automation, 575–578

components of, 569–570

IRC, 571–572

malware outbreak playbooks, 196, 572–575

workflows, 570–571, 579–582

SIEM, SOAR comparisons, 558

SOAR, 556–558, 560–561

Phantom, case management, 562–563

Phantom, DevOps usage example, 564–566

Phantom, example of, 561–562

Phantom, playbooks, 563–564

SIEM comparisons, 558

XDR, 559–560

Osquery

blueprinting, 600–601

running, 601–604

outsourcing services, 42, 102–103

P

PaaS, DevOps, 610

packed files

Peframe, 198–199

static analysis, 197–199

packet capturing, SOC development, 135

packing files, analysis services, 445–447

partially known environment penetration testing, 367

passive vulnerability scanning, 87–88, 516–517

patching systems, vulnerability management, 547–549

pay scales

formalizing, 212–213

GS pay scales, 211–213

PDCA cycle, audits, 188–189

Peframe packed file analysis, 198–199

penetration testing, 179, 361–362

Atomic Red Team, 182–185

black-box testing, 181

Emily Williams example, hacking IT services, 635–636

future of, 667–668

gray-box testing, 181

Kali Linux, 186

known environments, 367

Metasploit, 14, 186–187

MITRE ATT&CK Model, 182

NIST SP 800–115, 180–182, 362–367

partially known environments, 367

planning, 368–371

scope statements, 369–371

SOC job roles, 218–219

Surveyor, 185

types of, 367

unknown environments, 367

people

finding for services, 152, 157

managing, 250–252

Three Pillars of Foundational SOC Support Services, The, 156–157

perimeter networks (DMZ), 535

personalized learning, 646–648

Pframe, static analysis, 448

Phantom

case management, 562–563

DevOps usage example, 564–566

playbooks, 563–564

SOAR example, 561–562

phases of SOC development, 80–82

phoning home, malware, 457

physical SOC, facility design, 102–103

pivoting, analytic, 30–31

planning

business contingency planning, 173

DRP, 125–126

incident response planning, 194

incident response planning templates, 437

penetration testing, 368–371

redundancy planning, computer rooms, 110–111

resource planning, service job roles, 166–167

SOC, 95

capacity planning, 95–96, 99

goal alignment, 96

growth planning, 96–97

redundancy planning, 98

resource planning, 98

technology planning, 97–98

solution planning, SIEM, 284–285

threat intelligence, 393–398

vulnerability evaluation procedures, planning, 532–537

work environments, 155–156

playbooks, 569

Ansible, 598–600

automation, 575–578

components of, 569–570

eradication playbooks, 464–465

incident management services, 195

incident response

consortium playbooks, 196

eradication playbooks, 464–465

IRC, 571–572

malware outbreak playbooks, 196, 572–575

Phantom usage example, 563–564

recovery playbooks, 466

workflows

examples, 579–582

sample workflow, 570–571

symbols, 570

policies, 322

accreditation, 331–332

certifications, 331–332

compliance, 327

definitions and terms, 327

enforcing, 330–331

history of, 328

launching, 328–329

overview, 322–324

procedures, 332–333

purpose of, 324

scope of, 325

statements, 325–327

tabletop exercises, 334–335

example of, 337–340

executing, 336–337

format of, 337–338

options, 334–335

port scanning, 457–458

post interview process, 249

post-incident activity phase, incident response lifecycle, 484–492

post-sales/installation engineers, 214

power management

power-dense equipment, computer rooms, 109

UPS, computer rooms, 110–111

power requirements, computer rooms, 107–108

power-dense equipment, computer rooms, 109

PRE-ATT&CK research, 36–37

pre-interviewing, job roles, 246–247

preparation phase, incident response lifecycle, 426–438

prevalence, threat intelligence, 387

preventing intrusions, SOC development, 133

preventive technologies

data at rest/in motion, SOC development, 2–93

firewalls, SOC development, 89

NAC

profiling, 128

SOC development, 92, 128–130

values, 129–130

reputation security, SOC development, 89–91

SOC development, 88–93

VPN, SOC development, 91–92

primitive data types, 263–265

prioritizing assets, vulnerability evaluation, 536

procedures, 82

designing, 83–84

examples of, 84–85

policies, 332–333

process and operational context, 266

processing data, SIEM, 280–281

processing threat intelligence, 399–400

actionable intelligence, 414

operational threat intelligence data, 402

Google Alerts, 402–403

scrapers, 403–404

social media, 404–407

strategic threat intelligence data, 400–402

technical threat intelligence data, 407

Abuse.ch Feodo Tracker, 412

AlienVault OTX, 412–413

Blocklist.de, 412

CINS Score, 412

CSV, 411

Cyber Threat System from FortiGuard Labs, 413

Dan.me.uk, 412

Emerging Threats Rule Server, 412

FBI InfraGard, 412

IBM X-Force Exchange, 413

JSON, 407–408

OpenIOC, 408

Regex, 411

SSH Bruteforce logs, 412–413

STIX, 408–409

TAXII, 409–411

XML, 407

profiling NAC, 128

proxy servers, rogue, 282

PSIRT (Product Incident Response Teams), 23–24, 493

Puppet, automated DevOps, 596

Q

QRadar dashboard, centralized data management, 144–145

quality of content, threat intelligence, 390

checklists, 390–391

key factors, 390

R

raised floors, computer rooms, 111

ranking

SOC goals, 56–58

threats, 58–59

ransomware, 457

Rapid7 Nexpose

API, 303–304, 305–307

Struts vulnerability example, 514

RBAC (Role-Based Access Control), 140

recovering data, digital forensics, 479–480

recovery phase, incident response, 466

reducing EPS, 142–143

reducing risk, 169, 316–317

assessments, 355

executive summaries, 357–360

FedRAMP security assessment reports, 356

impact assessments, 356

results of, 357

risk assessments, 356

templates, 357–360

threat assessments, 355

types of, 355–356

vulnerability assessments, 355–356

vulnerability scanning, 360–361

weaknesses of, 361

audits, 351

example of, 351–352

external auditors, 353–354

firewall audit example, 351–352

internal audits, 352–353

tools, 354–355

CIS Controls, 347–349

EMV approach, 170–171

FIRST CSIRT services framework, 350

frameworks, 340–350

guidelines, 340–350

industry compliance, 371–375

ISACA COBIT 2019, 349

ISO/IEC 27005, 345–347

NIST CSF, 342

capability assessments, 344–345

mapping Cisco security products to CSF, 354

tiers, 343–344

penetration testing, 361–362

known environments, 367

NIST Special Publication 800–115, 362–367

partially known environments, 367

planning, 368–371

scope statements, 369–371

types of, 367

unknown environments, 367

policies, 322

accreditation, 331–332

certifications, 331–332

compliance, 327

definitions and terms, 327

enforcing, 330–331

history of, 328

launching, 328–329

overview, 322–324

procedures, 332–333

purpose of, 324

scope of, 325

statements, 325–327

tabletop exercises, 334–340

redundancy, 124–125

risk documentation, 171–172

risk register systems, 172

standards, 340–350

redundancy

planning

computer rooms, 110–111

SOC development, 98

reducing risk, 124–125

Regex (Regular Expressions), 411

remediation approval, vulnerability management, 550–551

remote users, 661

replication logs, 273

report and remediate phase, vulnerability management, 505

reporting

SOC development, 140–141

vulnerability management, 552

reputation security

block pages, 89–90

Google reputation warning banners, 90–91

SOC development, 89–91

reputation warning banners, Google, 90–91

research and development services, 46, 151, 205–206, 241

researching security technologies, 18–19

residual risk, 550

resource planning

service job roles, 166–167

SOC development, 98

respond and repeat phase, vulnerability management, 506

REST (Representational State Transfer), 304

RESTCONF, 591

retaining jobs, 252–253

reverse engineering files, static analysis, 199–200

risk, 39–40

assessment phase, vulnerability management,

assessments, 356, 504

avoidance, 542

contingency, 171

flowcharts, 542–543

heat mapping, 173–174

modifying, 542

reducing, redundancy, 124–125

register systems, 172

retention, 542

scope statements, managing risk, 80

transfer/sharing, 542

risk management services, 45, 150, 169

addressing risk, 172–173

business contingency planning, 173

risk heat mapping, 173–174

four responses to risk, 169–170

job roles, 239

reducing risk, 169

EMV approach, 170–171

risk documentation, 171–172

risk register systems, 172

risk reduction, 316–317

assessments, 355

executive summaries, 357–360

FedRAMP security assessment reports, 356

impact assessments, 356

results of, 357

risk assessments, 356

templates, 357–360

threat assessments, 355

types of, 355–356

vulnerability assessments, 355–356

vulnerability scanning, 360–361

weaknesses of, 361

audits, 351

example of, 351–352

external auditors, 353–354

firewall audit example, 351–352

internal audits, 352–353

tools, 354–355

CIS Controls, 347–349

FIRST CSIRT services framework, 350

frameworks, 340–350

guidelines, 340–350

industry compliance, 371–375

ISACA COBIT 2019, 349

ISO/IEC 27005, 345–347

NIST CSF, 342

capability assessments, 344–345

mapping Cisco security products to CSF, 354

tiers, 343–344

penetration testing, 361–362

known environments, 367

NIST Special Publication 800–115, 362–367

partially known environments, 367

planning, 368–371

scope statements, 369–371

types of, 367

unknown environments, 367

policies, 322

accreditation, 331–332

certifications, 331–332

compliance, 327

definitions and terms, 327

enforcing, 330–331

history of, 328

launching, 328–329

overview, 322–324

procedures, 332–333

purpose of, 324

scope of, 325

statements, 325–327

tabletop exercises, 334–340

standards, 340–350

rogue name servers, 282

rogue proxy servers, 282

ROI, threat intelligence feedback, 421–422

rootkits, 456

RPC (Remote Procedure Calls), 305

S

SaaS (Software as a Service)

DevOps, 610, 613–614

future of, 627

SaltStack, automated DevOps, 596

sandboxes, dynamic analysis, 453–454

SANS, vulnerability management best practices, 12

SASE (Secure Access Service Edge), 616–617, 623–625

automated upgrades, 630

defined, 625–626

dynamic users/device fingerprints, 628

future of, 627–631

IT services, 637

OPEX, 628

SaaS, 627

VPN, 628–629

scanning for vulnerabilities, 12, 176–177

active vulnerability scanning, 86–87

assessments, 360–361

authenticated scanning, 86

Firepower, 87–88, 306–307

Nexpose vulnerability scanner, 86–87

passive vulnerability scanning, 87–88

unauthenticated scanning, 86

scanning services, vulnerability management, 525–527

scareware, 457

SCIF (Sensitive Compartmented Information Facilities), 106

scope of policies, 325

scope statements, 74–75

challenges of, 79–80

developing, 77–78

governance references, 80

penetration testing, 369–371

risk management references, 80

sample statements, 78–79

scrapers, operational threat intelligence data, 403–404

SD-WAN (Software-Defined Wide-Area Networks), 618–622

benefits of, 622–623

dashboard example, 622–623

DLP, 629

tier one support, 629–630

SE (Sales Engineers), 214

second-generation SOC, 51

secure disposal, facility design, 104

security

administrators, 224–225

analysts, 217–218

architects, 227–229

baselines, establishing, 11, 94

breaches, impact of, 9–10

change, impact of, 11–13

clearances, job roles, 244–245

detection capabilities, 13–14

anomaly detection, 15–16

behavior detection, 15

best-of-breed capabilities, 17

defense-in-depth strategies, 17

evaluating security technologies, 17–18

researching security technologies, 18–19

signature detection, 14

email, threat intelligence security, 420

deploying email security, 421

ESA, 420–421

endpoint security, defense in depth strategy, 136–137

engineers, 225–226, 527

evaluating security technologies, 17–18

facility design, 104

frameworks, 19–20

applying, 24–25

CSF, 11, 20–22

CSIRT, 23

FIRST service frameworks, 23–24

PSIRT, 23–24

fundamental security capabilities, 13

anomaly detection, 15–16

behavior detection, 15

best-of-breed capabilities, 17

defense-in-depth strategies, 17

evaluating security technologies, 17–18

researching security technologies, 18–19

signature detection, 14

guidelines, 19–20

ISO 3100:2018, 22–23

NIST, 22

incident response, 424

artifact analysis, 442–443

breach defense tools, 439–440

communication, 430–431

consortium playbooks, 196

core security capabilities, 439–440

detecting malware behavior, 441

identifying artifact types, 443–445

incidents, defining, 425

incidents, detecting, 438–439

infected systems, 441–442

law enforcement, 432–435

lifecycle of, 425–426

lifecycle of, containment, eradication and recovery phase, 426–438

lifecycle of, detection and analysis phase, 438–454

lifecycle of, post-incident activity phase, 484–492

lifecycle of, preparation phase, 426–438

packing files, 445–447

planning, 194

planning templates, 437

playbooks, 196, 427–430

SOC job roles, 221–222

static analysis, 446–448

third-party interactions, 431–432

threat analysis, 440

ticketing systems, 435–436

internal security tools

Cyber Kill Chains, 132

SOC development, 132

investing in

defense-in-depth strategies, 9

information assurance, 9

NSA Information Assurance and Defense-in-Depth Strategy, 8–9

log data from security devices, ingesting for service areas, 162–163

mobile devices, SOC development, 94–95

officers, vulnerability management, 527

reputation security, 89–91

block pages, 89–90

Google reputation warning banners, 90–91

researching security technologies, 18–19

SOC design considerations, 126–127

SOC technology, 158–159

standards, 19–20

threat intelligence security tools, 414–416

email security, 420–421

SIEM, 416–419

tools

logs, 273

SOC development, 85

trainers, 227

segmentation, 115–116, 534

ACL, 117

AD segmentation, 119–120

choosing, 117–118

client/server segmentation, 118–119

group tags, 664–665

logical segmentation, 116–118

server segmentation, 118–119

semi-structured data, 263

servers

compromise, 282

rogue name servers, 282

rogue proxy servers, 282

segmentation, 118–119

service areas, 160

developing, 161–163

FIRST CSIRT services/service areas, 160–161

log data from security devices, ingesting, 162–163

services, 46, 150

analysis services, 45, 151

dynamic analysis, 200

hidden extensions diagrams, 197

job roles, 240

static analysis, 197–200

TrIDNET, 197

challenges, 152

lack of experience, 154

limited tools, 153

low maturity, 153

people, 152

compliance services, 45, 151, 187–188

audits, 188–189

job roles, 240

SOC design considerations, 127–128

data assessments, 270–272

digital forensics services, 46, 151, 200–202, 240–241

external SOC services, 164

FIRST CSIRT services/service areas, 160–161

fundamental services, 150–152

future impact of, 669–671

in-house services, 42, 102–103, 164

advantages of, 42–43

disadvantages of, 43–44

incident management services, 45, 151

COBIT severity model, 195

impact of incidents, 194–195

incident response planning, 194

job roles, 239–240

NIST Special Publication 800–61 Revision 2, 190–193

playbooks, 195

Verizon 2020 Data Breach Investigations Report, 189–190

IT services, 631, 639–640

3D printing, 638

cloud programmability, 639

hacking, Emily Williams example, 633–636

SASE, 637

training, 640–651

virtualized computers, 638–639

job roles

contracted vs. employee job roles, 165

goals, 165–166

resource planning, 166–167

SOC services and associated job roles, 238–241

tiers, 237–238

maturity models, 167–168

outsourcing services, 42, 102–103

research and development services, 46, 151, 205–206, 241

risk management services, 45, 150, 169

addressing risk, 172–174

four responses to risk, 169–170

job roles, 239

reducing risk, 169, 170–172

scanning services, vulnerability management, 525–527

situational and security awareness services, 46, 151, 202–203

cloning Gmail, SET, 203–205

job roles, 241

user training, 203–205

Three Pillars of Foundational SOC Support Services, The, 154–155

evaluating, 159

people, 156–157

technology, 158–159

vulnerability management services, 45, 150, 175, 525

best practices, 175–176

job roles, 239

OpenVAS, 178

penetration testing, 179–187

roles, 527–528

Tenable.sc vulnerability tracking, 177

vulnerability tracking, 179

SET, cloning Gmail, 203–204

short data type, 264

SIEM (Security Information and Event Management), 279

dat digest flows, 283

data correlation, 281–282

data enrichment, 283

data processing, 280–281

IBM QRadar dashboard, 299–306

SOAR comparisons, 558

solution planning, 284–285

Splunk dashboard, 291–300, 311–312

threat intelligence security, 416–419

troubleshooting, 287, 291

actionable intelligence, 300–301

data input, 288, 293–299

data processing, 289–291

data storage, 291–293

IBM QRadar dashboard, 299–302

Splunk dashboard, 291–300, 311–312

validating results, 299–300

tuning, 285–287

signature detection, 14

situation rooms, facility design, 106

situational and security awareness services, 46, 151, 202–203

cloning Gmail, SET, 203–205

job roles, 241

user training, 203–205

Slack, ChatOps, 595

SOAR (Security Orchestration, Automation and Response), 557–558, 560–561

Phantom

case management, 562–563

DevOps usage example, 564–566

example of, 561–562

playbooks, 563–564

SIEM comparisons, 558

SOC (Security Operations Center), 2–3

business challenges, 40–41

capabilities assessments, 60

capability maps, 61–65

gap analysis, 68–69

developing

baseline tools, 133–135

centralized data management, 144–146

change management, 135–136

compliance, 127–128

dashboards, 140–141

data retention and, 143–144

detection technologies, 93–94

encryption, 130–131

evaluating vulnerabilities, 86–88

facility design, 101–114

host systems, 136–137

internal security tools, 132

intrusion detection/prevention, 133

mobile device security concerns, 94–95

NAC, 128–130

NetFlow, 133–134

network considerations, 114–125

network security guidelines, 137–138

packet capturing, 133–134

phases of development, 80–82

planning SOC, 95–99

preventive technologies, 88–93

procedures, 83–85

reporting, 140–141

security tools, 85

throughput, 141–144

tool collaboration, 138–140

development milestones, 69–70

dysfunctional SOC, factors of, 3–4

facility design

computer rooms, 107–113

future of, 659–661

in-house services vs. outsourcing, 102–103

interior design, 103–105

layouts, 113–114

locating, 103

physical vs. virtual SOC, 102–103

rooms, 106–113

WBDG, 101–102

first-generation SOC, 51

fourth-generation SOC, 52

future of, 659

goal assessments, 53

defining goals, 54–55

ranking goals, 56–58

ranking threats, 58–59

summary of, 60

job roles, 216–217, 231–233

analysis services, 240

assessment officers, 220–221

certifications, 255–256

company cultures, 247

competitive workplaces, 252

compliance services, 240

cryptographers/cryptologists, 229–230

digital forensics services, 240–241

forensic engineers, 230–231

incident management services, 239–240

incident responders, 221–222

interviewing, 247–249

managing employees, 250–252

onboarding employees, 249–250

penetration testers, 218–219

pre-interviewing, 246–247

research and development services, 241

retaining jobs, 252–253

risk management services, 239

security administrators, 224–225

security analysts, 217–218

security architects, 227–229

security clearances, 244–245

security engineers, 225–226

security trainers, 227

situational and security awareness services, 241

SOC services and associated job roles, 238–241

soft skills, 241–244

systems analysts, 222–224

tiers, 237–238

training employees, 253–255

vulnerability management services, 239

maturity models, 47

assessments, 47–48

ISACA COBIT 5 Process Assessment Model, 49–51

program maturity, 51–53

SOC-CMM Model, 49

mission statements, 74–75

developing, 75–76

sample statements, 76–77

network considerations, 114–115

disaster recovery, 125–126

inline connectivity, 123

redundancy, risks reduction, 124–125

segmentation, 115–120

throughput, 120–121

phases of development, 80–82

physical vs. virtual SOC, 102–103

planning, 95

capacity planning, 95–96, 99

goal alignment, 96

growth planning, 96–97

redundancy planning, 98

resource planning, 98

technology planning, 97–98

procedures, 82

designing, 83–84

examples of, 84–85

risk, 39–40

scope statements, 74–75

challenges of, 79–80

developing, 77–78

governance references, 80

risk management references, 80

sample statements, 78–79

second-generation SOC, 51

security considerations, 126–127

service areas, 160

developing, 161–163

FIRST CSIRT services/service areas, 160–161

ingesting log data from security devices, 162–163

services, 46

analysis services, 45, 151, 197–200, 240

associated job roles, 238–241

challenges, 152–154

compliance services, 45, 151, 187–189, 240

data assessments, 270–272

digital forensics services, 46, 151, 200–202, 240–241

external SOC services, 164

FIRST CSIRT services/service areas, 160–161

fundamental services, 150–152

in-house services, 42–44, 102–103

in-house SOC services, 164

hybrid services, 44

incident management services, 45, 151, 189–195, 239–240

job roles, tiers, 237–238

maturity models, 167–168

outsourcing services, 42, 102–103

research and development services, 46, 151, 205–206, 241

risk management services, 45, 150, 169–174, 239

situational and security awareness services, 46, 151, 202–205, 241

Three Pillars of Foundational SOC Support Services, The, 154–159

vulnerability management services, 45, 150, 175–187, 239

staff, future of, 666–667

third-generation SOC, 52

vulnerabilities, 39–40

SOC-CMM maturity model, 49

social and online data context, 266

social engineering

attack example, hacking IT services, 634–635

SET, cloning Gmail, 203–204

social media, operational threat intelligence data, 404–407

social-political meta-features, 31

soft skills, job roles, 241–242

evaluating, 242–243

SOC soft skills, 243–244

software

engineers, 215

SaaS, 610, 613–614, 627

solution planning, SIEM, 284–285

sovereignty of data, 374

SOX (Sarbanes-Oxley Act), 373

spam bots, 282

spam malware, 457

Splunk

dashboard

centralized data management, 144–145

Hadoop, 311–312

SIEM troubleshooting, 291–300

Phantom

case management, 562–563

DevOps usage example, 564–566

playbooks, 563–564

SOAR example, 561–562

SSH Bruteforce logs, 412–413

stack counting, threat hunting, 459

standards

compliance/ risk reduction, 340–350

security, 19–20

state-sponsored actors, 6–7

static analysis

analysis services, 446–447

advanced static analysis, 448–451

disassemblers, 199–200

packed files, 197–199

Pframe, 448

reverse engineering files, 199–200

WannaCry kill switch malware analysis, 451–452

forensic dynamic analysis, 480–482

forensic static analysis, 478–479

stealth strategies, tactical threat intelligence, 395

STIX, processing technical threat intelligence data, 408–409

storage

data retention and, 143–144

facility design, 104

SOC development

data retention and, 143–144

throughput and, 141–144

throughput and, 141–144

strategic data, 262

strategic threat intelligence, 205, 382, 383

data expectations, 393

processing data, 400–402

strike packs, 18–19

structures of data, 263

semi-structured data, 263

structured data, 263

unstructured data, 263

surveillance (video), computer rooms, 113

Surveyor, penetration testing, 185

syslog, 275

system order, eradication phase (incident response), 463

systems analysts, 222–224

T

tabletop exercises, policies, 334–335

example of, 337–340

executing, 336–337

format of, 337–338

options, 335

tactical data, 262

tactical threat intelligence, 205, 382–384

attack vectors, 394–395

data expectations, 394–396

infrastructures, 395

stealth strategies, 395

tools, 395

task assignments to incident response playbooks, 427–430

TAXII, processing technical threat intelligence data, 409–411

technical threat intelligence, 206, 382, 385

Abuse.ch Feodo Tracker, 412

AlienVault OTX, 412–413

Blocklist.de, 412

CINS Score, 412

Cyber Threat System from FortiGuard Labs, 413

Dan.me.uk, 412

data expectations, 397–398

Emerging Threats Rule Server, 412

FBI InfraGard, 412

IBM X-Force Exchange, 413

processing data, 407

CSV, 411

JSON, 407–408

OpenIOC, 408

Regex, 411

STIX, 408–409

TAXII, 409–411

XML, 407

SSH Bruteforce logs, 412–413

technology

domains, 35

meta-features, 31

planning, SOC development, 97–98

securing SOC technology, 158–159

Three Pillars of Foundational SOC Support Services, The, 158–159

temperature/humidity, computer rooms, 108–109

Tenable.sc vulnerability tracking, 177

testing, threat intelligence, 392

text-file formats, DevOps, 584–585

third-generation SOC, 52

threat actors, 4–5, 6–7

cyberterrorists, 7

hacktivists, 5–6

insider threats, 7

motivations of, 7

threat hunting, incident response, 424, 455–456

consortium playbooks, 196

example of, 460–462

grouping, 455–456

incidents, defining, 425

lifecycle of, 425–426

containment, eradication and recovery phase, 426–438

detection and analysis phase, 438–454

post-incident activity phase, 484–492

preparation phase, 426–438

maturity models, 460–462

performing, 459–460

planning, 194

SOC job roles, 221–222

stack counting, 459

techniques, 458–459

threat intelligence, 205, 262, 378–379

actionable intelligence, 378, 392

flowcharts, 414

processing data, 414

categories of, 382–385

checklists, 389–390

collecting/processing, 399–400

operational threat intelligence data, 402–407

strategic threat intelligence data, 400–402

content quality, 390

checklists, 390–391

key factors, 390

context, 379, 385–388

evaluating, 388–389

external threat intelligence, 385–386

feedback, 421–422

internal threat intelligence, 385–386

IOC, 382

nontechnical intelligence. See strategic threat intelligence

operational threat intelligence, 205, 382, 384–385

data expectations, 396–397

processing data, 402–407

overview, 379

planning, 393–398

prevalence, 387

ROI, 421–422

security tools, 414–416

email security, 420–421

SIEM, 416–419

strategic threat intelligence, 205, 382–383

data expectations, 393

processing data, 400–402

tactical threat intelligence, 205, 382–384

attack vectors, 394–395

data expectations, 394–396

infrastructures, 395

stealth strategies, 395

tools, 395

technical threat intelligence, 206, 382, 385

data expectations, 397–398

processing data, 407–413

testing, 392

threat data, 380

example of, 380

limitations, 381–382

value of, 380–381

threat models, 25

ATT&CK Model, 35–38

chaining together attack behaviors, 38

PRE-ATT&CK research, 36–37

using, 38

choosing, 38–39

Cyber Kill Chain model, 25–29

Diamond Model, 30–31

attack graphs, 34–35

Diamond Model for Incident Management, 32–33

Extended Diamond Model, 31

social-political meta-features, 31

technology meta-features, 31

threats

assessments, 355

data, 380

example of, 380

limitations, 381–382

value of, 380–381

detection tools, vulnerability, 524–525

feeds, big data, 312

future of, 671–673

mapping data, 270

ranking, 58–59

response to future threats, 673

zero-day threats, 7

Three Pillars of Foundational SOC Support Services, The, 154–155

evaluating, 159

people, 156–157

technology, 158–159

throughput, 120–121

requirements, 121–123

SOC development, 141–144

storage and, 141–144

ticketing systems, incident response, 435–436

tools

collaboration, SOC development, 138–140

limited tools, challenges for services, 153

tracking vulnerabilities, 179

training, 640

case study, 643–644

challenges of, 640–641

DevOps, 650

employees, 253–255

free training, 644

future of

on-demand experts, 649

universal language/language translation, 649

learning

on-demand learning, 646–648

gamifying, 644–645

LMS, 645

personalized learning, 646–648

ML, 655

today's training, 641–643

TrIDNET analysis service, 197

troubleshooting SIEM, 287, 291

actionable intelligence, 300–301

data input, 288, 293–299

data processing, 289–291

data storage, 291–293

validating results, 299–300

tuning SIEM, 285–287

types of data

booleans, 265

bytes, 264

chars, 265

doubles, 264

floats, 264

int, 264

longs, 264

primitive data types, 263–265

shorts, 264

U

unauthenticated scanning, 86

unknown environment penetration testing, 367

unstructured data, 263

upgrades (automated), SASE, 630

UPS, computer rooms, 110–111

V

Verizon 2020 Data Breach Investigations Report, 189–190

video surveillance, computer rooms, 113

video walls, facility design, 104–105

virtualized computers, 638–639

viruses, 457

VirusTotal, 14

VoIP (Voice over IP), 617–618

volatile data, digital forensics, 480–482

VPN (Virtual Private Networks), 534

SASE, 628–629

SOC development, 91–92

vulnerabilities, 39–40

active vulnerability scanning, 86–87

assessments, 355–356, 505

authenticated scanning, 86

context, 266

CVSS, 86

evaluating, SOC development

active vulnerability scanning, 86–87

CVSS, 86