Table of Contents

Preface

Chapter 1: Introducing Security Operations and the SOC

Introducing the SOC

Factors Leading to a Dysfunctional SOC

Cyberthreats

Investing in Security

The Impact of a Breach

Establishing a Baseline

The Impact of Change

Fundamental Security Capabilities

Signature Detection

Behavior Detection

Anomaly Detection

Best of Breed vs. Defense in Depth

Standards, Guidelines, and Frameworks

NIST Cybersecurity Framework

ISO 31000:2018

FIRST Service Frameworks

Applying Frameworks

Industry Threat Models

The Cyber Kill Chain Model

The Diamond Model

MITRE ATT&CK Model

Choosing a Threat Model

Vulnerabilities and Risk

Endless Vulnerabilities

Business Challenges

In-House vs. Outsourcing

Services Advantages

Services Disadvantages

Hybrid Services

SOC Services

SOC Maturity Models

SOC Maturity Assessment

SOC Program Maturity

SOC Goals Assessment

Defining Goals

SOC Goals Ranking

Threats Ranking

SOC Goals Assessment Summarized

SOC Capabilities Assessment

Capability Maps

SOC Capabilities Gaps Analysis

Capability Map Next Steps

SOC Development Milestones

Summary

References

Chapter 2: Developing a Security Operations Center

Mission Statement and Scope Statement

Developing Mission and Scope Statements

SOC Scope Statement

Developing a SOC

SOC Procedures

Designing Procedures

Security Tools

Evaluating Vulnerabilities

Preventive Technologies

Detection Technologies

Mobile Device Security Concerns

Planning a SOC

Capacity Planning

Developing a Capacity Plan

Designing a SOC Facility

Physical SOC vs. Virtual SOC

SOC Location

SOC Interior

SOC Rooms

SOC Computer Rooms

SOC Layouts

Network Considerations

Segmentation

Logical Segmentation

Choosing Segmentation

Client/Server Segmentation

Active Directory Segmentation

Throughput

Connectivity and Redundancy

Disaster Recovery

Security Considerations

Policy and Compliance

Network Access Control

Encryption

Internal Security Tools

Intrusion Detection and Prevention

Network Flow and Capturing Packets

Change Management

Host Systems

Guidelines and Recommendations for Securing Your SOC Network

Tool Collaboration

SOC Tools

Reporting and Dashboards

Throughput and Storage

Centralized Data Management

Summary

References

Chapter 3: SOC Services

Fundamental SOC Services

SOC Challenges

The Three Pillars of Foundational SOC Support Services

Pillar 1: Work Environment

Pillar 2: People

Pillar 3: Technology

Evaluating the Three Pillars of Foundational SOC Support Services

SOC Service Areas

FIRST’s CSIRT

Developing SOC Service Areas

In-House Services vs. External Services

Contracted vs. Employee Job Roles

SOC Service Job Goals

Resource Planning

Service Maturity: If You Build It, They Will Come

SOC Service 1: Risk Management

Four Responses to Risk

Reducing Risk

Addressing Risk

SOC Service 2: Vulnerability Management

Vulnerability Management Best Practice

Vulnerability Scanning Tools

Penetration Testing

SOC Service 3: Compliance

Meeting Compliance with Audits

SOC Service 4: Incident Management

NIST Special Publication 800-61 Revision 2

Incident Response Planning

Incident Impact

Playbooks

SOC Service 5: Analysis

Static Analysis

Dynamic Analysis

SOC Service 6: Digital Forensics

SOC Service 7: Situational and Security Awareness

User Training

SOC Service 8: Research and Development

Summary

References

Chapter 4: People and Process

Career vs. Job

Developing Job Roles

General Schedule Pay Scale

IT Industry Job Roles

Common IT Job Roles

SOC Job Roles

Security Analyst

Penetration Tester

Assessment Officer

Incident Responder

Systems Analyst

Security Administrator

Security Engineer

Security Trainer

Security Architect

Cryptographer/Cryptologist

Forensic Engineer

Chief Information Security Officer

NICE Cybersecurity Workforce Framework

NICE Framework Components

Role Tiers

SOC Services and Associated Job Roles

Risk Management Service

Vulnerability Management Service

Incident Management Service

Analysis Service

Compliance Service

Digital Forensics Service

Situational and Security Awareness Service

Research and Development Service

Soft Skills

Evaluating Soft Skills

SOC Soft Skills

Security Clearance Requirements

Pre-Interviewing

Interviewing

Interview Prompter

Post Interview

Onboarding Employees

Onboarding Requirements

Managing People

Job Retention

Training

Training Methods

Certifications

Company Culture

Summary

References

Chapter 5: Centralizing Data

Data in the SOC

Strategic and Tactical Data

Data Structure

Data Types

Data Context

Data-Focused Assessment

Data Assessment Example: Antivirus

Threat Mapping Data

Applying Data Assessments to SOC Services

Logs

Log Types

Log Formats

Security Information and Event Management

SIEM Data Processing

Data Correlation

Data Enrichment

SIEM Solution Planning

SIEM Tuning

Troubleshooting SIEM Logging

SIEM Troubleshooting Part 1: Data Input

SIEM Troubleshooting Part 2: Data Processing and Validation

SIEM Troubleshooting Examples

Additional SIEM Features

APIs

Leveraging APIs

API Architectures

API Examples

Big Data

Hadoop

Big Data Threat Feeds

Machine Learning

Machine Learning in Cybersecurity

Artificial Intelligence

Machine Learning Models

Summary

References

Chapter 6: Reducing Risk and Exceeding Compliance

Why Exceeding Compliance

Policies

Policy Overview

Policy Purpose

Policy Scope

Policy Statement

Policy Compliance

Related Standards, Policies, Guidelines, and Processes

Definitions and Terms

History

Launching a New Policy

Steps for Launching a New Policy

Policy Enforcement

Certification and Accreditation

Procedures

Procedure Document

Tabletop Exercise

Tabletop Exercise Options

Tabletop Exercise Execution

Tabletop Exercise Format

Tabletop Exercise Template Example

Standards, Guidelines, and Frameworks

NIST Cybersecurity Framework

ISO/IEC 27005

CIS Controls

ISACA COBIT 2019

FIRST CSIRT Services Framework

Exceeding Compliance

Audits

Audit Example

Internal Audits

External Auditors

Audit Tools

Assessments

Assessment Types

Assessment Results

Assessment Template

Vulnerability Scanners

Assessment Program Weaknesses

Penetration Test

NIST Special Publication 800-115

Additional NIST SP 800-115 Guidance

Penetration Testing Types

Penetration Testing Planning

Industry Compliance

Compliance Requirements

Summary

References

Chapter 7: Threat Intelligence

Threat Intelligence Overview

Threat Data

Threat Intelligence Categories

Strategic Threat Intelligence

Tactical Threat Intelligence

Operational Threat Intelligence

Technical Threat Intelligence

Threat Intelligence Context

Threat Context

Evaluating Threat Intelligence

Threat Intelligence Checklist

Content Quality

Testing Threat Intelligence

Planning a Threat Intelligence Project

Data Expectations for Strategic Threat Intelligence

Data Expectations for Tactical Threat Intelligence

Data Expectations for Operational Threat Intelligence

Data Expectations for Technical Threat Intelligence

Collecting and Processing Intelligence

Processing Nontechnical Data

Operational Data and Web Processing

Technical Processing

Technical Threat Intelligence Resources

Actionable Intelligence

Security Tools and Threat Intelligence

Feedback

Summary

References

Chapter 8: Threat Hunting and Incident Response

Security Incidents

Incident Response Lifecycle

Phase 1: Preparation

Assigning Tasks with Playbooks

Communication

Third-Party Interaction

Law Enforcement

Law Enforcement Risk

Ticketing Systems

Other Incident Response Planning Templates

Phase 1: Preparation Summary

Phase 2: Detection and Analysis

Incident Detection

Core Security Capabilities

Threat Analysis

Detecting Malware Behavior

Infected Systems

Analyzing Artifacts

Identifying Artifact Types

Packing Files

Basic Static Analysis

Advanced Static Analysis

Dynamic Analysis

Phase 2: Detection and Analysis Summary

Phase 3: Containment, Eradication, and Recovery

Containment

Responding to Malware

Threat Hunting Techniques

Eradicate

Recovery

Digital Forensics

Digital Forensic Process

First Responder

Chain of Custody

Working with Evidence

Duplicating Evidence

Hashes

Forensic Static Analysis

Recovering Data

Forensic Dynamic Analysis

Digital Forensics Summary

Phase 3: Containment, Eradication, and Recovery Summary

Phase 4: Post-Incident Activity

Post-Incident Response Process

Phase 4: Post-Incident Response Summary

Incident Response Guidelines

FIRST Services Frameworks

Summary

References

Chapter 9: Vulnerability Management

Vulnerability Management

Phase 1: Asset Inventory

Phase 2: Information Management

Phase 3: Risk Assessment

Phase 4: Vulnerability Assessment

Phase 5: Report and Remediate

Phase 6: Respond and Repeat

Measuring Vulnerabilities

Common Vulnerabilities and Exposures

Common Vulnerability Scoring System

CVSS Standards

Vulnerability Technology

Vulnerability Scanners

Currency and Coverage

Tuning Vulnerability Scanners

Exploitation Tools

Asset Management and Compliance Tools

Network Scanners and Network Access Control

Threat Detection Tools

Vulnerability Management Service

Scanning Services

Vulnerability Management Service Roles

Vulnerability Evaluation Procedures

Vulnerability Response

Vulnerability Accuracy

Responding to Vulnerabilities

Cyber Insurance

Patching Systems

Residual Risk

Remediation Approval

Reporting

Exceptions

Vulnerability Management Process Summarized

Summary

References

Chapter 10: Data Orchestration

Introduction to Data Orchestration

Comparing SIEM and SOAR

The Rise of XDR

Security Orchestration, Automation, and Response

SOAR Example: Phantom

Endpoint Detection and Response

EDR Example: CrowdStrike

Playbooks

Playbook Components

Constructing Playbooks

Incident Response Consortium

Playbook Examples: Malware Outbreak

Automation

Automating Playbooks

Common Targets for Automation

Automation Pitfalls

Playbook Workflow

DevOps Programming

Data Management

Text-File Formats

Common Data Formats

Data Modeling

DevOps Tools

DevOps Targets

Manual DevOps

Automated DevOps

DevOps Lab Using Ansible

Ansible Playbooks

Blueprinting with Osquery

Running Osquery

Network Programmability

Learning NetDevOps

APIs

NetDevOps Example

Cloud Programmability

Orchestration in the Cloud

Amazon DevOps

SaaS DevOps

Summary

References

Chapter 11: Future of the SOC

All Eyes on SD-WAN and SASE

VoIP Adoption As Prologue to SD-WAN Adoption

Introduction of SD-WAN

Challenges with the Traditional WAN

SD-WAN to the Rescue

SASE Solves SD-WAN Problems

SASE Defined

Future of SASE

IT Services Provided by the SOC

IT Operations Defined

Hacking IT Services

IT Services Evolving

Future of IT Services

Future of Training

Training Challenges

Training Today

Case Study: Training I Use Today

Free Training

Gamifying Learning

On-Demand and Personalized Learning

Future of Training

Full Automation with Machine Learning

Machine Learning

Machine Learning Hurdles

Machine Learning Applied

Training Machine Learning

Future of Machine Learning

Future of Your SOC: Bringing It All Together

Your Future Facilities and Capabilities

Group Tags

Your Future SOC Staff

Audits, Assessments, and Penetration Testing

Future Impact to Your Services

Hunting for Tomorrow’s Threats

Summary

References

Index
