3D printing, 638
Abuse.ch Feodo Tracker, 412
access
ACL, segmentation, 117
computer rooms, access control, 113
NAC
automated NAC, 501
manual NAC, 501
profiling, 128
privileges, 265
RBAC, 140
accreditation policies, 331–332
ACL, segmentation, 117
acoustics, facility design, 104
actionable intelligence, 378, 392
flowcharts, 414
processing data, 414
active vulnerability scanning, 86–87, 515–516
activity threads, 33
actors, threat, 5
cyberterrorists, 7
insider threats, 7
motivations of, 7
business contingency planning, 173
advanced static analysis, 448–451
adware, 456
aesthetics, SOC interior design, 105
AI (Artificial Intelligence), 315
airflow, computer rooms, 108–109
aisles, hot/cold design, 108–109
alerting levels in Cisco products, 142–143
AlienVault OTX (Open Threat Exchange), 412–413
AM (Account Managers), 214
dynamic analysis, 200
hidden extensions diagrams, 197
job roles, 240
TrIDNET, 197
Ansible
automated DevOps, 596
installing, 597
antivirus data assessment example, 267–269
API (Application Programming Interfaces), 303–304
event-driven/streams, 305
network programmability, NetDevOps, 605
REST, 304
RPC, 305
applications
event logs, 273
firewalls, 534
NBAR and SOC development, 93
artifacts, incident response
file identification tools, 445
identifying artifact types, 443–444
file identification tools, 445
ASHRAE, temperature/humidity in computer rooms, 108–109
assessments, 355
capabilities assessments, 60–65
data, 267
antivirus data assessment example, 267–269
FedRAMP security assessment reports, 356
goal assessments, 53
summary of, 60
impact assessments, 356
results of, 357
risk assessment phase, vulnerability management, 504
risk assessments, 356
threat assessments, 355
vulnerabilities
weaknesses of, 361
asset inventory phase, vulnerability management, 500–502
assets, 265
vulnerability evaluation
prioritizing assets, 536
vulnerability management, 522, 527
assigning tasks to incident response playbooks, 427–430
assurance of information, 9
Atomic Red Team, penetration testing, 182–185
ATT&CK Model, 35
chaining together attack behaviors, 36–38
using, 38
attack graphs
Diamond Model attack graphs, 34–35
attack vectors, tactical threat intelligence, 394–395
audits, 351
firewall audit example, 351–352
authenticated scanning, 86
automation
ML, 651
NAC, 501
upgrades, SASE, 630
avoiding risk, 542
backdoors, 456
baseline security, establishing, 11, 94, 133–135
behavior detection, 15
best-of-breed capabilities, 17
big data, centralized data management, 307–308
Hadoop, 308
threat feeds, 312
black-box testing, 181
block pages, reputation security, 89–90
Blocklist.de, 412
blue teaming. See threat hunting
boolean data type, 265
botnets, 457
branch networks, capability maps, 64–65
breaches
Verizon 2020 Data Breach Investigations Report, 189–190
business challenges, SOC, 40–41
business contingency planning, 173
bytes, 264
capability assessments, 60
capacity planning, SOC development, 95–96, 99
case management, Phantom, 562–563
CEF format, logs, 278
centralized data management, 144–146, 260–261, 263
threat feeds, 312
data assessments, 267
antivirus data assessment example, 267–269
access privileges, 265
asset information, 265
identity context, 265
network maps and geolocation, 266
nontechnical feeds, 266
process and operational context, 266
social and online context, 266
vulnerability context, 266
data types
booleans, 265
bytes, 264
chars, 265
doubles, 264
floats, 264
int, 264
longs, 264
shorts, 264
application event logs, 273
CEF format, 278
common log format, 278
directory service logs, 273
DNS server logs, 273
ELF, 278
endpoint logs, 272
IoT logs, 273
JSON, 276
network device logs, 273
replication logs, 273
security tool logs, 273
syslog, 275
Windows event logs, 277
ML, 313
AI, 315
cross-validation models, 316–317
cybersecurity, 314
hold-out models, 316
semi-structured data, 263
SIEM, 279
data digest flows, 283
data enrichment, 283
Splunk dashboard, 291–300, 311–312
strategic data, 262
structured data, 263
tactical data, 262
threat mapping, 270
unstructured data, 263
Certero dashboard, vulnerability management, 522
certifications, 255–256, 331–332
chain of custody, digital forensics, 470–474
chaining together attack behaviors, ATT&CK Model, 36–37
challenges for services, 152
lack of experience, 154
limited tools, 153
low maturity, 153
people, 152
change
as cyberthreat, 8
management, SOC development, 135–136
char data type, 265
chatbots, 657
checklists
Chef, automated DevOps, 596
choosing
CINS Score, 412
Cisco products, alerting levels, 142–143
Cisco Webex Teams, ChatOps, 595
CISO (Chief Information Security Officers), 231–233
clean rooms, facility design, 106
client/server segmentation, 118–119
cloud programmability
IT services, 639
cloud/database engineers, 215
COBIT (Control Objects for Information and Related Technology)
ISACA COBIT 5 Process Assessment Model, 49–51
ISACA COBIT 2019, 349
severity model, impact of incidents, 195
collaboration tools, SOC development, 138–140
collecting/processing threat intelligence, 399–400
actionable intelligence, 414
operational threat intelligence data, 402
strategic threat intelligence data, 400–402
technical threat intelligence data, 407
Abuse.ch Feodo Tracker, 412
Blocklist.de, 412
CINS Score, 412
CSV, 411
Cyber Threat System from FortiGuard Labs, 413
Dan.me.uk, 412
Emerging Threats Rule Server, 412
FBI InfraGard, 412
IBM X-Force Exchange, 413
OpenIOC, 408
Regex, 411
XML, 407
common log format, 278
company cultures, 257
competitive workplaces, 252
assessments, 355
FedRAMP security assessment reports, 356
impact assessments, 356
results of, 357
risk assessments, 356
threat assessments, 355
vulnerability assessments, 355–356
vulnerability scanning, 360–361
weaknesses of, 361
audits, 351
firewall audit example, 351–352
exceeding compliance, 321, 350–351
FIRST CSIRT services framework, 350
ISACA COBIT 2019, 349
NIST CSF, 342
capability assessments, 344–345
mapping Cisco security products to CSF, 354
officers, 214
known environments, 367
NIST Special Publication 800-115, 362–367
partially known environments, 367
types of, 367
unknown environments, 367
definitions and terms, 327
history of, 328
purpose of, 324
scope of, 325
job roles, 240
SOC design considerations, 127–128
tools, vulnerability management, 522
Compromise (IOC), Indicators of, 382
computer rooms, 107
access control, 113
equipment racks, 109
fire safety, 112
flood protection, 112
grounding, 111
hot/cold aisle design, 108–109
lighting, 110
locks, 113
monitoring, 112
power-dense equipment, 109
raised floors, 111
video surveillance, 113
connectivity (inline), network considerations, 123
containment
eradication and recovery phase, 455–483
incident response, threat hunting, 455–456
stack counting, 459
content quality, threat intelligence, 390
key factors, 390
context
access privileges, 265
asset information, 265
identity context, 265
network maps and geolocation, 266
nontechnical feeds, 266
process and operational context, 266
social and online context, 266
vulnerability context, 266
threat intelligence, 379, 385–388
contingency planning, business, 173
contracted job roles, services, 165
corrective actions, vulnerability management, 539
correlating data, SIEM, 281–282
cross-validation models, ML, 316–317
CrowdStrike Falcon dashboard, EDR, 566–569
cryptographers/cryptologists, 229–230
CSF (NIST Cybersecurity Framework), 20–21, 342
capability assessments, 344–345
mapping Cisco security products to CSF, 354
CSIRT (Computer Security Incident Response Teams), 23, 350, 493–494
CSV, processing technical threat intelligence data, 411
Cuckoo sandboxes, dynamic analysis, 454
cultures of companies, 257
custody (digital forensics), chain of, 470–474
CVSS (Common Vulnerabilities Scoring System), 86, 507–508
Cyber Threat System from FortiGuard Labs, 413
cybercriminals, 5
cybersecurity, ML, 314
cyberterrorists, 7
change as cyberthreat, 8
insider threats, 7
motivations of, 7
Dan.me.uk, 412
dashboards
Certero dashboard, vulnerability management, 522
CrowdStrike Falcon dashboard, EDR, 566–569
IBM QRadar dashboard
QRadar dashboard, centralized data management, 144–145
Splunk dashboard
centralized data management, 144–145
data
assessments, 267
antivirus data assessment example, 267–269
at rest/in motion, SOC development, 92–93
breaches
Verizon 2020 Data Breach Investigations Report, 189–190
access privileges, 265
asset information, 265
identity context, 265
network maps and geolocation, 266
nontechnical feeds, 266
process and operational context, 266
social and online context, 266
vulnerability context, 266
digest flows, SIEM, 283
application event logs, 273
CEF format, 278
common log format, 278
directory service logs, 273
DNS server logs, 273
ELF, 278
endpoint logs, 272
IoT logs, 273
JSON, 276
network device logs, 273
replication logs, 273
security tool logs, 273
syslog, 275
Windows event logs, 277
SIEM, 279
data digest flows, 283
data enrichment, 283
Splunk dashboard, 291–300, 311–312
troubleshooting, 287
structures of
semi-structured data, 263
structured data, 263
unstructured data, 263
threat mapping, 270
types of
booleans, 265
bytes, 264
chars, 265
doubles, 264
floats, 264
int, 264
longs, 264
shorts, 264
data management (centralized), 144–146, 260–261, 263
threat feeds, 312
data assessments, 267
antivirus data assessment example, 267–269
access privileges, 265
asset information, 265
identity context, 265
network maps and geolocation, 266
nontechnical feeds, 266
process and operational context, 266
social and online context, 266
vulnerability context, 266
data types
booleans, 265
bytes, 264
chars, 265
doubles, 264
floats, 264
int, 264
longs, 264
shorts, 264
application event logs, 273
CEF format, 278
common log format, 278
directory service logs, 273
DNS server logs, 273
ELF, 278
endpoint logs, 272
IoT logs, 273
JSON, 276
network device logs, 273
replication logs, 273
security tool logs, 273
syslog, 275
Windows event logs, 277
ML, 313
AI, 315
cross-validation models, 316–317
cybersecurity, 314
hold-out models, 316
recovery, digital forensics, 479–480
semi-structured data, 263
SIEM, 279
data digest flows, 283
data enrichment, 283
Splunk dashboard, 291–300, 311–312
sovereignty laws, 374
stealing software/keyloggers, 457
strategic data, 262
structured data, 263
tactical data, 262
threat mapping, 270
unstructured data, 263
data orchestration
DevOps, 582
Ansible and DevOps labs, 596–598
cloud programmability, 609–612
IaaS DevOps, 610
JSON, 586
PaaS DevOps, 610
RESTCONF, 591
targets, 592
tools, 591
EDR
CrowdStrike Falcon dashboard, 566–569
NISTIR 8011 Attack Methodologies, 566
network programmability, NetDevOps, 604–605
API, 605
playbooks, 569
malware outbreak playbooks, 196, 572–575
SIEM, SOAR comparisons, 558
Phantom, case management, 562–563
Phantom, DevOps usage example, 564–566
SIEM comparisons, 558
database/cloud engineers, 215
datacenters, accessing, 661–662
defense-in-depth strategies, 9, 17, 136–137
defining goals, SOC goal assessments, 54–55
designing
interior design of SOC, 103–105
SOC facilities
in-house services vs. outsourcing, 102–103
locating, 103
physical vs. virtual SOC, 102–103
desktop support, IT job roles, 215
detecting/preventing
detection and analysis phase, incident response lifecycle, 438–454
baselines, 94
behavior detection, 15
best-of-breed capabilities, 17
defense-in-depth strategies, 17
evaluating security technologies, 17–18
honeypots, 94
intrusions, 133
NBAR, 93
researching security technologies, 18–19
signature detection, 14
developing SOC
centralized data management, 144–146
detection technologies, 93
baselines, 94
honeypots, 94
NBAR, 93
evaluating vulnerabilities
active vulnerability scanning, 86–87
CVSS, 86
passive vulnerability scanning, 87–88
facility design
in-house services vs. outsourcing, 102–103
locating, 103
physical vs. virtual SOC, 102–103
internal security tools, 132
intrusion detection/prevention, 133
mobile device security concerns, 94–95
network considerations, 114–115
inline connectivity, 123
redundancy, risks reduction, 124–125
network security guidelines, 137–138
planning, 95
goal alignment, 96
redundancy planning, 98
resource planning, 98
preventive technologies, 88–89
firewalls, 89
security
tools, 85
storage
development milestones, SOC, 69–70
device fingerprints, SASE, 628
DevOps, 582
Ansible and DevOps labs, 596–598
cloud programmability, 609–612
IaaS DevOps, 610
JSON, 586
PaaS DevOps, 610
Phantom usage example, 564–566
RESTCONF, 591
targets, 592
tools, 591
training, future of, 650
Diamond Model for Incident Management, 32–33
Extended Diamond Model, 31
digital forensics
incident response, 467–468, 482–483
first responders, 470
labs, facility design, 106
services, 46, 151, 200–202, 240–241
directory service logs, 273
disaster recovery, network considerations, 125–126
disposal (secure), facility design, 104
disassemblers, static analysis, 199–200
DLP, SASE, 629
DNS server logs, 273
documentation, risk documentation, 171–172
double data type, 264
downloaders, 456
DRP (Disaster Recovery Planning), 125–126
duplicating evidence, digital forensics, 474–476
dynamic analysis
isolated systems, 453
forensic dynamic analysis, 480–482
dynamic users/device fingerprints, SASE, 628
dysfunctional SOC, factors of, 3–4
EDR (Endpoint Detection and Response)
CrowdStrike Falcon dashboard, 566–569
NISTIR 8011 Attack Methodologies, 566
ELF (Extended Log Format), 278
threat intelligence security, 420
deploying email security, 421
Emerging Threats Rule Server, 412
Emily Williams hacking example, IT services, 633–636
employees
company cultures, 247
job roles, 165
EMV (Expected Monetary Value), 170–171
encoding files, malware, 14
encryption
LAN, 131
endpoint logs, 272
endpoint security
defense in depth strategy, 136–137
enriching data, SIEM, 283
EPS (Events Per Second)
digesting by a monitoring system, 141–142
equipment racks, computer rooms, 109
eradication phase, incident response, 462
eradication playbooks, 464–465
system order, 463
ESA (Email Security Appliance), 420–421
evaluating
Three Pillars of Foundational SOC Support Services, The, 159
vulnerabilities, SOC development
active vulnerability scanning, 86–87
CVSS, 86
passive vulnerability scanning, 87–88
evaluation procedures, vulnerability management, 528–539
choosing corrective actions, 539
event-driven/streams, API, 305
evidence, digital forensics, 474–476
exceeding compliance, 321, 350–351
exceptions, vulnerability management, 552–553
executive summaries, assessment template, 357–360
experience (lack of), challenges for services, 154
exploitation tools, vulnerability management, 520–521
Extended Diamond Model, 31
extensions diagrams, hidden, 197
external SOC services, 164
external threat intelligence, 385–386
Facebook, Emily Williams social engineering attack example, 634–635
facility design
in-house services vs. outsourcing, 102–103
locating, 103
physical vs. virtual SOC, 102–103
Falcon dashboard (CrowdStrike), EDR, 566–569
false positives, anomaly detection, 16
FBI InfraGard, 412
FedRAMP (Federal Risk and Authorization Management Program)
industry compliance, 374
security assessment reports, 356
feedback, threat intelligence, 421–422
file identification tools, artifact identification, 445
finding people for services, 152, 157
fingerprints
device fingerprints, SASE, 628
Nmap, 503
fire safety, computer rooms, 112
Firepower passive vulnerability scanning, 87–88, 306–307
firewalls
application-layer firewalls, 534
SOC development, 89
first-generation SOC, 51
first responders, digital forensics, 470
FIRST service frameworks, 493
CSIRT, 23, 160–161, 350, 493–494
FISMA (Federal Information Security Modernization Act), 373–374
float data type, 264
flood protection, computer rooms, 112
floor layouts, facility design, 113–114
Foremost data recovery, 479–480
forensics (digital)
incident response, 467–468, 482–483
first responders, 470
labs, facility design, 106
services, 46, 151, 200–202, 240–241
forensic dynamic analysis, 480–482
forensic static analysis, 478–479
formalizing pay scales, 212–213
Foundational SOC Support Services, 154–155
evaluating, 159
fourth-generation SOC, 52
frameworks
compliance/risk reduction, 340–350
FIRST service frameworks, 23–24, 350
free training, 644
fundamental security capabilities, 13
behavior detection, 15
best-of-breed capabilities, 17
defense-in-depth strategies, 17
evaluating security technologies, 17–18
researching security technologies, 18–19
signature detection, 14
fundamental SOC services, 150–152
gaps in SOC capabilities, analyzing, 66–68
geolocation and network maps, 266
goals
alignment, SOC development, 96
assessments, SOC, 53
summary of, 60
Google Alerts, operational threat intelligence data, 402–403
reputation warning banners, 90–91
governance references, SOC scope statements, 80
gray-box testing, 181
grounding, computer rooms, 111
grouping, threat hunting, 459
growth planning, SOC development, 96–97
guidelines
compliance/risk reduction, 340–350
NIST, 22
Hadoop, 308
hash matches, 458
hashing, digital forensics, 476–478
helpdesks, IT job roles, 215
hidden extensions diagrams, 197
HIPAA (Health Insurance Portability and Accountability Act), 373
HipChat, ChatOps, 595
hold-out models, ML, 316
host systems, SOC development, 136–137
hot/cold aisle design, computer rooms, 108–109
humidity/temperature, computer rooms, 108–109
hunting threats, incident response, 424, 455–456
consortium playbooks, 196
incidents, defining, 425
containment, eradication and recovery phase, 426–438
detection and analysis phase, 438–454
post-incident activity phase, 484–492
planning, 194
stack counting, 459
hybrid services, 44
IaaS, DevOps, 610
IBM QRadar dashboard
IBM X-Force Exchange, 413
identity context, 265
IDS/IPS (Intrusion Detection/Prevention Systems), 534
impact assessments, 356
impact of incidents, incident management services, 194–195
incident management
Diamond Model for Incident Management, 32–33
COBIT severity model, 195
incident response planning, 194
NIST Special Publication 800-61 Revision 2, 190–193
playbooks, 195
Verizon 2020 Data Breach Investigations Report, 189–190
incident response, 424
artifacts
identifying artifact types, 443–445
containment phase, threat hunting
stack counting, 459
core security capabilities, 439–440
detecting malware behavior, 441
digital forensics, 467–468, 482–483
first responders, 470
dynamic analysis, 452
isolated systems, 453
eradication phase, 462
eradication playbooks, 464–465
system order, 463
FIRST service frameworks, 493
PSIRT, 493
incidents, defining, 425
Lessons Learned reports, 489–492
containment, eradication and recovery phase, 426–438
detection and analysis phase, 438–454
post-incident activity phase, 484–492
malware
threat hunting, 455–456, 458–462
planning, 194
planning templates, 437
playbooks
consortium playbooks, 196
eradication playbooks, 464–465
recovery playbooks, 466
recovery phase, 466
advanced static analysis, 448–451
Pframe, 448
WannaCry kill switch malware analysis, 451–452
third-party interactions, 431–432
threat analysis, 440
stack counting, 459
data sovereignty laws, 374
FedRAMP, 374
HIPAA, 373
SOX, 373
industry threat models, 25
chaining together attack behaviors, 38
using, 38
Diamond Model for Incident Management, 32–33
Extended Diamond Model, 31
social-political meta-features, 31
technology meta-features, 31
infected systems, incident response, 441–442
information assurance, 9
information management phase, vulnerability management, 502–503
ingesting log data from security devices, service areas, 162–163
in-house SOC services, 42, 102–103, 164
inline connectivity, network considerations, 123
insider threats, 7
installation/post-sales engineers, 214
int data type, 264
interior design of SOC, 103–105
internal security tools
Cyber Kill Chains, 132
SOC development, 132
internal threat intelligence, 385–386
interviewing, job roles, 247
post interview process, 249
intrusion detection/prevention, SOC development, 133
investing in security
defense-in-depth strategies, 9
information assurance, 9
NSA Information Assurance and Defense-in-Depth Strategy, 8–9
Investment (ROI), Return on, 421–422
IOC (Indicators of Compromise), 382, 408
IoT logs, 273
ISACA COBIT 5 Process Assessment Model, 49–51
ISACA COBIT 2019, 349
ISO (International Organization for Standardization)
isolated systems, dynamic analysis, 453
AM, 214
compliance officers, 214
database/cloud engineers, 215
desktop support, 215
helpdesks, 215
installation/post-sales engineers, 214
managers, 215
marketing engineers, 214
network engineers, 215
SE, 214
software engineers, 215
3D printing, 638
cloud programmability, 639
hacking, Emily Williams example, 633–636
IT operations, defined, 631–633
IT services, IT operations defined, 631–633
SASE, 637
virtualized computers, 638–639
IT teams, vulnerability management, 527
Jenkins, automated DevOps, 596
analysis services, 240
company cultures, 247
competitive workplaces, 252
compliance services, 240
digital forensics services, 240–241
incident management services, 239–240
interviewing, 247
post interview process, 249
AM, 214
compliance officers, 214
database/cloud engineers, 215
desktop support, 215
helpdesks, 215
installation/post-sales engineers, 214
managers, 215
marketing engineers, 214
network engineers, 215
SE, 214
software engineers, 215
pay scales
research and development services, 241
risk management services, 239
services
contracted vs. employee job roles, 165
situational and security awareness services, 241
SOC job roles, 216–217, 231–233
cryptographers/cryptologists, 229–230
security administrators, 224–225
security trainers, 227
SOC services and associated job roles, 238–241
vulnerability management services, 239
Joe sandbox, dynamic analysis, 453–454
JSON (JavaScript Object Notation), 276
DevOps, 586
processing technical threat intelligence data, 407–408
Kali Linux, penetration testing, 186
keyloggers/data stealing software, 457
Khan Academy, on-demand/personalized learning, 647–648
known environment penetration testing, 367
lack of experience, challenges for services, 154
LAN, encryption, 131
launchers, 456
law enforcement, incident response, 432–435
layouts, facility design, 113–114
learning
LMS, 645
personalized learning, 646–648
Lessons Learned reports, 489–492
lighting
computer rooms, 110
facility design, 104
limited tools, challenges for services, 153
LinkedIn, Emily Williams hacking example, 634
Linux (Kali), penetration testing, 186
LMS (Learning Management Systems), 645
locating SOC facilities, 103
lockers, facility design, 105
locks, computer rooms, 113
application event logs, 273
CEF format, 278
common log format, 278
data (security devices), ingesting for service areas, 162–163
directory service logs, 273
DNS server logs, 273
ELF, 278
endpoint logs, 272
IoT logs, 273
JSON, 276
network device logs, 273
replication logs, 273
security tool logs, 273
syslog, 275
Windows event logs, 277
long data type, 264
low maturity, services, 153
malware
adware, 456
backdoors, 456
botnets, 457
detecting behavior, 441
downloaders, 456
encoding files, 14
keyloggers/data stealing software, 457
launchers, 456
matching hashes, 458
outbreak playbooks, 196, 572–575
packing files, analysis services, 445–447
phoning home, 457
ransomware, 457
rootkits, 456
scareware, 457
signature detection, 14
spam, 457
stack counting, 459
viruses, 457
WannaCry kill switch malware analysis, 451–452
worms, 457
managers, IT job roles, 215
manager’s office, facility design, 106
managing
analysis services, job roles, 240
asset management, vulnerabilities, 522
change, SOC development, 135–136
compliance services, job roles, 240
data management (centralized), 144–146, 260–261
data structures, 263
semi-structured data, 263
strategic data, 262
structured data, 263
tactical data, 262
threat mapping data, 270
unstructured data, 263
digital forensics services, job roles, 240–241
incident management services, 45, 151
COBIT severity model, 195
incident response planning, 194
NIST Special Publication 800-61 Revision 2, 190–193
playbooks, 195
Verizon 2020 Data Breach Investigations Report, 189–190
information management phase, vulnerability management, 502–503
power
power-dense equipment, computer rooms, 109
research and development services, job roles, 241
risk management services, 45, 150, 169
four responses to risk, 169–170
job roles, 239
situational and security awareness services, job roles, 241
vulnerability management, 498–499, 501
asset access, 535
asset inventory phase, 500–502
asset management, 522
Certero dashboard, 522
deployment example, 535
evaluation procedures, 528–539
host scanning, 516
information management phase, 502–503
measuring vulnerabilities, 506
network scanners, 501–502, 515
report and remediate phase, 505
reporting, 552
respond and repeat phase, 506
risk assessment phase, 504
Struts vulnerability example, 507, 512–514
temporal/environmental metrics, 511
threat detection tools, 524–525
vulnerability assessments, 505
vulnerability scanning, 515–520
vulnerability management services, 45, 150, 175, 525
job roles, 239
OpenVAS, 178
Tenable.sc vulnerability tracking, 177
vulnerability tracking, 179
manual NAC (Network Access Control), 501
maps
data, threats, 270
marketing engineers, 214
matching hashes, 458
maturity (low), services, 153
maturity models, 47
ISACA COBIT 5 Process Assessment Model, 49–51
SOC-CMM Model, 49
threat hunting, incident response, 460–462
MDM (Mobile Device Management), 94–95
measuring vulnerabilities, 506
Metasploit, penetration testing, 14, 186–187
Microsoft Teams, ChatOps, 595
chaining together attack behaviors, 36–37
penetration testing, 182
using, 38
ML (Machine Learning), 313, 651–652
AI, 315
automation, 651
chatbots, 657
cross-validation models, 316–317
cybersecurity, 314
hold-out models, 316
training, 655
mobile devices
security concerns, SOC development, 94–95
modified waterfall model, processing threat intelligence, 400–402
monitoring, computer rooms, 112
monitoring systems, EPS, digesting, 141–142
Moodle, LMS, 645
motivations of threat actors, 7
NAC (Network Access Control), 12
automated NAC, 501
profiling, 128
vulnerability management, 522–524
name servers, rogue, 282
NAT (Network Address Translation), 534
NBAR (Network-Based Application Recognition), 93
NERC CIP (North American Electric Reliability Corporation, Critical Infrastructure Protection), 375
API, 605
application-layer firewalls, 534
IDS/IPS, 534
network scanners, 515
perimeter networks (DMZ), 535
VPN, 534
networks
branch networks, capability maps, 64–65
connectivity, inline connectivity, 123
device logs, 273
engineers, 215
LAN, encryption, 131
maps and geolocation, 266
perimeter networks (DMZ), 535
programmability, NetDevOps, 601–604
API, 605
redundancy, risks reduction, 124–125
DLP, 629
security, capability maps, 63–64
ACL, 117
client/server segmentation, 118–119
SOC design considerations, 114–115
network security guidelines, 137–138
VPN, 534
Nexpose vulnerability scanner, 86–87
NIST (National Institute of Standards and Technology)
capability assessments, 344–345
mapping Cisco security products to CSF, 354
guidelines, 22
SP 800-61 Rev. 2 Incident Response Lifecycle, 425–426
containment, eradication and recovery phase, 426–438
preparation phase, 426–454, 484–492
SP 800-84, future of SOC staff, 666–667
SP 800-86, digital forensics services, 201–202
SP 800-115, penetration testing, 180–182, 362–367
NISTIR 8011 Attack Methodologies, 566
Nmap
fingerprinting, 503
nontechnical feeds, 266
nontechnical intelligence. See strategic threat intelligence
NSA Information Assurance and Defense-in-Depth Strategy, 8–9
on-demand experts, future of training, 649
online and social data context, 266
OpenIOC, processing technical threat intelligence data, 408
OpenVAS, vulnerability scanning, 178
operational threat intelligence, 205, 382, 384–385
processing data, 402
operations rooms, facility design, 106
OPEX (Operating Expenses), 628
orchestrating data
DevOps, 582
Ansible and DevOps labs, 596–598
cloud programmability, 609–612
IaaS DevOps, 610
JSON, 586
PaaS DevOps, 610
RESTCONF, 591
targets, 592
tools, 591
EDR
CrowdStrike Falcon dashboard, 566–569
NISTIR 8011 Attack Methodologies, 566
network programmability, NetDevOps, 604–605
API, 605
playbooks, 569
malware outbreak playbooks, 196, 572–575
SIEM, SOAR comparisons, 558
Phantom, case management, 562–563
Phantom, DevOps usage example, 564–566
SIEM comparisons, 558
Osquery
outsourcing services, 42, 102–103
PaaS, DevOps, 610
packed files
packet capturing, SOC development, 135
packing files, analysis services, 445–447
partially known environment penetration testing, 367
passive vulnerability scanning, 87–88, 516–517
patching systems, vulnerability management, 547–549
pay scales
Peframe packed file analysis, 198–199
penetration testing, 179, 361–362
black-box testing, 181
Emily Williams example, hacking IT services, 635–636
gray-box testing, 181
Kali Linux, 186
known environments, 367
MITRE ATT&CK Model, 182
NIST SP 800-115, 180–182, 362–367
partially known environments, 367
Surveyor, 185
types of, 367
unknown environments, 367
people
finding for services, 152, 157
Three Pillars of Foundational SOC Support Services, The, 156–157
perimeter networks (DMZ), 535
personalized learning, 646–648
Pframe, static analysis, 448
Phantom
phases of SOC development, 80–82
phoning home, malware, 457
physical SOC, facility design, 102–103
planning
business contingency planning, 173
incident response planning, 194
incident response planning templates, 437
redundancy planning, computer rooms, 110–111
resource planning, service job roles, 166–167
SOC, 95
goal alignment, 96
redundancy planning, 98
resource planning, 98
solution planning, SIEM, 284–285
vulnerability evaluation procedures, planning, 532–537
playbooks, 569
eradication playbooks, 464–465
incident management services, 195
incident response
consortium playbooks, 196
eradication playbooks, 464–465
malware outbreak playbooks, 196, 572–575
Phantom usage example, 563–564
recovery playbooks, 466
workflows
symbols, 570
policies, 322
compliance, 327
definitions and terms, 327
history of, 328
purpose of, 324
scope of, 325
post interview process, 249
post-incident activity phase, incident response lifecycle, 484–492
post-sales/installation engineers, 214
power management
power-dense equipment, computer rooms, 109
power requirements, computer rooms, 107–108
power-dense equipment, computer rooms, 109
pre-interviewing, job roles, 246–247
preparation phase, incident response lifecycle, 426–438
prevalence, threat intelligence, 387
preventing intrusions, SOC development, 133
preventive technologies
data at rest/in motion, SOC development, 92–93
firewalls, SOC development, 89
NAC
profiling, 128
reputation security, SOC development, 89–91
prioritizing assets, vulnerability evaluation, 536
procedures, 82
process and operational context, 266
processing data, SIEM, 280–281
processing threat intelligence, 399–400
actionable intelligence, 414
operational threat intelligence data, 402
strategic threat intelligence data, 400–402
technical threat intelligence data, 407
Abuse.ch Feodo Tracker, 412
Blocklist.de, 412
CINS Score, 412
CSV, 411
Cyber Threat System from FortiGuard Labs, 413
Dan.me.uk, 412
Emerging Threats Rule Server, 412
FBI InfraGard, 412
IBM X-Force Exchange, 413
OpenIOC, 408
Regex, 411
XML, 407
profiling NAC, 128
proxy servers, rogue, 282
PSIRT (Product Incident Response Teams), 23–24, 493
Puppet, automated DevOps, 596
QRadar dashboard, centralized data management, 144–145
quality of content, threat intelligence, 390
key factors, 390
raised floors, computer rooms, 111
ranking
ransomware, 457
Rapid7 Nexpose
Struts vulnerability example, 514
RBAC (Role-Based Access Control), 140
recovering data, digital forensics, 479–480
recovery phase, incident response, 466
assessments, 355
FedRAMP security assessment reports, 356
impact assessments, 356
results of, 357
risk assessments, 356
threat assessments, 355
vulnerability assessments, 355–356
vulnerability scanning, 360–361
weaknesses of, 361
audits, 351
firewall audit example, 351–352
FIRST CSIRT services framework, 350
ISACA COBIT 2019, 349
NIST CSF, 342
capability assessments, 344–345
mapping Cisco security products to CSF, 354
known environments, 367
NIST Special Publication 800-115, 362–367
partially known environments, 367
types of, 367
unknown environments, 367
policies, 322
compliance, 327
definitions and terms, 327
history of, 328
purpose of, 324
scope of, 325
risk register systems, 172
redundancy
planning
SOC development, 98
Regex (Regular Expressions), 411
remediation approval, vulnerability management, 550–551
remote users, 661
replication logs, 273
report and remediate phase, vulnerability management, 505
reporting
vulnerability management, 552
reputation security
Google reputation warning banners, 90–91
reputation warning banners, Google, 90–91
research and development services, 46, 151, 205–206, 241
researching security technologies, 18–19
residual risk, 550
resource planning
SOC development, 98
respond and repeat phase, vulnerability management, 506
REST (Representational State Transfer), 304
RESTCONF, 591
reverse engineering files, static analysis, 199–200
assessment phase, vulnerability management,
avoidance, 542
contingency, 171
modifying, 542
register systems, 172
retention, 542
scope statements, managing risk, 80
transfer/sharing, 542
risk management services, 45, 150, 169
business contingency planning, 173
four responses to risk, 169–170
job roles, 239
reducing risk, 169
risk register systems, 172
assessments, 355
FedRAMP security assessment reports, 356
impact assessments, 356
results of, 357
risk assessments, 356
threat assessments, 355
vulnerability assessments, 355–356
vulnerability scanning, 360–361
weaknesses of, 361
audits, 351
firewall audit example, 351–352
FIRST CSIRT services framework, 350
ISACA COBIT 2019, 349
NIST CSF, 342
capability assessments, 344–345
mapping Cisco security products to CSF, 354
known environments, 367
NIST Special Publication 800-115, 362–367
partially known environments, 367
types of, 367
unknown environments, 367
policies, 322
compliance, 327
definitions and terms, 327
history of, 328
purpose of, 324
scope of, 325
rogue name servers, 282
rogue proxy servers, 282
ROI, threat intelligence feedback, 421–422
rootkits, 456
RPC (Remote Procedure Calls), 305
SaaS (Software as a Service)
future of, 627
SaltStack, automated DevOps, 596
sandboxes, dynamic analysis, 453–454
SANS, vulnerability management best practices, 12
SASE (Secure Access Service Edge), 616–617, 623–625
automated upgrades, 630
dynamic users/device fingerprints, 628
IT services, 637
OPEX, 628
SaaS, 627
scanning for vulnerabilities, 12, 176–177
active vulnerability scanning, 86–87
authenticated scanning, 86
Nexpose vulnerability scanner, 86–87
passive vulnerability scanning, 87–88
unauthenticated scanning, 86
scanning services, vulnerability management, 525–527
scareware, 457
SCIF (Sensitive Compartmented Information Facilities), 106
scope of policies, 325
governance references, 80
risk management references, 80
scrapers, operational threat intelligence data, 403–404
SD-WAN (Software-Defined Wide-Area Networks), 618–622
DLP, 629
SE (Sales Engineers), 214
second-generation SOC, 51
secure disposal, facility design, 104
security
baselines, establishing, 11, 94
clearances, job roles, 244–245
behavior detection, 15
best-of-breed capabilities, 17
defense-in-depth strategies, 17
evaluating security technologies, 17–18
researching security technologies, 18–19
signature detection, 14
email, threat intelligence security, 420
deploying email security, 421
endpoint security, defense in depth strategy, 136–137
evaluating security technologies, 17–18
facility design, 104
CSIRT, 23
FIRST service frameworks, 23–24
fundamental security capabilities, 13
behavior detection, 15
best-of-breed capabilities, 17
defense-in-depth strategies, 17
evaluating security technologies, 17–18
researching security technologies, 18–19
signature detection, 14
NIST, 22
incident response, 424
consortium playbooks, 196
core security capabilities, 439–440
detecting malware behavior, 441
identifying artifact types, 443–445
incidents, defining, 425
lifecycle of, containment, eradication and recovery phase, 426–438
lifecycle of, detection and analysis phase, 438–454
lifecycle of, post-incident activity phase, 484–492
lifecycle of, preparation phase, 426–438
planning, 194
planning templates, 437
third-party interactions, 431–432
threat analysis, 440
internal security tools
Cyber Kill Chains, 132
SOC development, 132
investing in
defense-in-depth strategies, 9
information assurance, 9
NSA Information Assurance and Defense-in-Depth Strategy, 8–9
log data from security devices, ingesting for service areas, 162–163
mobile devices, SOC development, 94–95
officers, vulnerability management, 527
Google reputation warning banners, 90–91
researching security technologies, 18–19
SOC design considerations, 126–127
threat intelligence security tools, 414–416
tools
logs, 273
SOC development, 85
trainers, 227
ACL, 117
client/server segmentation, 118–119
semi-structured data, 263
servers
compromise, 282
rogue name servers, 282
rogue proxy servers, 282
service areas, 160
FIRST CSIRT services/service areas, 160–161
log data from security devices, ingesting, 162–163
dynamic analysis, 200
hidden extensions diagrams, 197
job roles, 240
TrIDNET, 197
challenges, 152
lack of experience, 154
limited tools, 153
low maturity, 153
people, 152
compliance services, 45, 151, 187–188
job roles, 240
SOC design considerations, 127–128
digital forensics services, 46, 151, 200–202, 240–241
external SOC services, 164
FIRST CSIRT services/service areas, 160–161
in-house services, 42, 102–103, 164
incident management services, 45, 151
COBIT severity model, 195
incident response planning, 194
NIST Special Publication 800-61 Revision 2, 190–193
playbooks, 195
Verizon 2020 Data Breach Investigations Report, 189–190
3D printing, 638
cloud programmability, 639
hacking, Emily Williams example, 633–636
SASE, 637
virtualized computers, 638–639
job roles
contracted vs. employee job roles, 165
SOC services and associated job roles, 238–241
outsourcing services, 42, 102–103
research and development services, 46, 151, 205–206, 241
risk management services, 45, 150, 169
four responses to risk, 169–170
job roles, 239
scanning services, vulnerability management, 525–527
situational and security awareness services, 46, 151, 202–203
job roles, 241
Three Pillars of Foundational SOC Support Services, The, 154–155
evaluating, 159
vulnerability management services, 45, 150, 175, 525
job roles, 239
OpenVAS, 178
Tenable.sc vulnerability tracking, 177
vulnerability tracking, 179
short data type, 264
SIEM (Security Information and Event Management), 279
data digest flows, 283
data enrichment, 283
SOAR comparisons, 558
Splunk dashboard, 291–300, 311–312
threat intelligence security, 416–419
actionable intelligence, 300–301
Splunk dashboard, 291–300, 311–312
signature detection, 14
situation rooms, facility design, 106
situational and security awareness services, 46, 151, 202–203
job roles, 241
Slack, ChatOps, 595
SOAR (Security Orchestration, Automation and Response), 557–558, 560–561
Phantom
SIEM comparisons, 558
SOC (Security Operations Center), 2–3
capabilities assessments, 60
developing
centralized data management, 144–146
evaluating vulnerabilities, 86–88
internal security tools, 132
intrusion detection/prevention, 133
mobile device security concerns, 94–95
network considerations, 114–125
network security guidelines, 137–138
preventive technologies, 88–93
security tools, 85
dysfunctional SOC, factors of, 3–4
facility design
in-house services vs. outsourcing, 102–103
locating, 103
physical vs. virtual SOC, 102–103
first-generation SOC, 51
fourth-generation SOC, 52
future of, 659
goal assessments, 53
summary of, 60
analysis services, 240
company cultures, 247
competitive workplaces, 252
compliance services, 240
cryptographers/cryptologists, 229–230
digital forensics services, 240–241
incident management services, 239–240
research and development services, 241
risk management services, 239
security administrators, 224–225
security trainers, 227
situational and security awareness services, 241
SOC services and associated job roles, 238–241
vulnerability management services, 239
maturity models, 47
ISACA COBIT 5 Process Assessment Model, 49–51
SOC-CMM Model, 49
network considerations, 114–115
inline connectivity, 123
redundancy, risks reduction, 124–125
physical vs. virtual SOC, 102–103
planning, 95
goal alignment, 96
redundancy planning, 98
resource planning, 98
procedures, 82
governance references, 80
risk management references, 80
second-generation SOC, 51
security considerations, 126–127
service areas, 160
FIRST CSIRT services/service areas, 160–161
ingesting log data from security devices, 162–163
services, 46
analysis services, 45, 151, 197–200, 240
compliance services, 45, 151, 187–189, 240
digital forensics services, 46, 151, 200–202, 240–241
external SOC services, 164
FIRST CSIRT services/service areas, 160–161
in-house services, 42–44, 102–103
in-house SOC services, 164
hybrid services, 44
incident management services, 45, 151, 189–195, 239–240
outsourcing services, 42, 102–103
research and development services, 46, 151, 205–206, 241
risk management services, 45, 150, 169–174, 239
situational and security awareness services, 46, 151, 202–205, 241
Three Pillars of Foundational SOC Support Services, The, 154–159
vulnerability management services, 45, 150, 175–187, 239
third-generation SOC, 52
SOC-CMM maturity model, 49
social and online data context, 266
social engineering
attack example, hacking IT services, 634–635
social media, operational threat intelligence data, 404–407
social-political meta-features, 31
soft skills, job roles, 241–242
software
engineers, 215
solution planning, SIEM, 284–285
sovereignty of data, 374
SOX (Sarbanes-Oxley Act), 373
spam bots, 282
spam malware, 457
Splunk
dashboard
centralized data management, 144–145
Phantom
stack counting, threat hunting, 459
standards
compliance/risk reduction, 340–350
static analysis
advanced static analysis, 448–451
Pframe, 448
reverse engineering files, 199–200
WannaCry kill switch malware analysis, 451–452
forensic dynamic analysis, 480–482
forensic static analysis, 478–479
stealth strategies, tactical threat intelligence, 395
STIX, processing technical threat intelligence data, 408–409
storage
facility design, 104
SOC development
strategic data, 262
strategic threat intelligence, 205, 382, 383
data expectations, 393
structures of data, 263
semi-structured data, 263
structured data, 263
unstructured data, 263
surveillance (video), computer rooms, 113
Surveyor, penetration testing, 185
syslog, 275
system order, eradication phase (incident response), 463
tabletop exercises, policies, 334–335
options, 335
tactical data, 262
tactical threat intelligence, 205, 382–384
infrastructures, 395
stealth strategies, 395
tools, 395
task assignments to incident response playbooks, 427–430
TAXII, processing technical threat intelligence data, 409–411
technical threat intelligence, 206, 382, 385
Abuse.ch Feodo Tracker, 412
Blocklist.de, 412
CINS Score, 412
Cyber Threat System from FortiGuard Labs, 413
Dan.me.uk, 412
Emerging Threats Rule Server, 412
FBI InfraGard, 412
IBM X-Force Exchange, 413
processing data, 407
CSV, 411
OpenIOC, 408
Regex, 411
XML, 407
technology
domains, 35
meta-features, 31
planning, SOC development, 97–98
securing SOC technology, 158–159
Three Pillars of Foundational SOC Support Services, The, 158–159
temperature/humidity, computer rooms, 108–109
Tenable.sc vulnerability tracking, 177
testing, threat intelligence, 392
text-file formats, DevOps, 584–585
third-generation SOC, 52
cyberterrorists, 7
insider threats, 7
motivations of, 7
threat hunting, incident response, 424, 455–456
consortium playbooks, 196
incidents, defining, 425
containment, eradication and recovery phase, 426–438
detection and analysis phase, 438–454
post-incident activity phase, 484–492
planning, 194
stack counting, 459
threat intelligence, 205, 262, 378–379
actionable intelligence, 378, 392
flowcharts, 414
processing data, 414
collecting/processing, 399–400
operational threat intelligence data, 402–407
strategic threat intelligence data, 400–402
content quality, 390
key factors, 390
external threat intelligence, 385–386
internal threat intelligence, 385–386
IOC, 382
nontechnical intelligence. See strategic threat intelligence
operational threat intelligence, 205, 382, 384–385
overview, 379
prevalence, 387
strategic threat intelligence, 205, 382–383
data expectations, 393
tactical threat intelligence, 205, 382–384
infrastructures, 395
stealth strategies, 395
tools, 395
technical threat intelligence, 206, 382, 385
testing, 392
threat data, 380
example of, 380
threat models, 25
chaining together attack behaviors, 38
using, 38
Diamond Model for Incident Management, 32–33
Extended Diamond Model, 31
social-political meta-features, 31
technology meta-features, 31
threats
assessments, 355
data, 380
example of, 380
detection tools, vulnerability, 524–525
feeds, big data, 312
mapping data, 270
response to future threats, 673
zero-day threats, 7
Three Pillars of Foundational SOC Support Services, The, 154–155
evaluating, 159
ticketing systems, incident response, 435–436
tools
collaboration, SOC development, 138–140
limited tools, challenges for services, 153
tracking vulnerabilities, 179
training, 640
DevOps, 650
free training, 644
future of
on-demand experts, 649
universal language/language translation, 649
learning
LMS, 645
personalized learning, 646–648
ML, 655
TrIDNET analysis service, 197
troubleshooting SIEM, 287, 291
actionable intelligence, 300–301
types of data
booleans, 265
bytes, 264
chars, 265
doubles, 264
floats, 264
int, 264
longs, 264
shorts, 264
unauthenticated scanning, 86
unknown environment penetration testing, 367
unstructured data, 263
upgrades (automated), SASE, 630
Verizon 2020 Data Breach Investigations Report, 189–190
video surveillance, computer rooms, 113
video walls, facility design, 104–105
virtualized computers, 638–639
viruses, 457
VirusTotal, 14
volatile data, digital forensics, 480–482
VPN (Virtual Private Networks), 534
active vulnerability scanning, 86–87
authenticated scanning, 86
context, 266
CVSS, 86
evaluating, SOC development
active vulnerability scanning, 86–87
CVSS, 86
passive vulnerability scanning, 87–88
Nexpose vulnerability scanner, 86–87
passive vulnerability scanning, 87–88
SANS vulnerability management, best practices, 12
tracking, 179
unauthenticated scanning, 86
vulnerability management, 498–499
assessments, 505
assets
access, 535
management, 522
Certero dashboard, 522
compliance tools, 522
deployment example, 535
evaluation procedures, 528–529
choosing corrective actions, 539
prioritizing assets, 536
host scanning, 516
information management phase, 502–503
management services, 45, 150, 175
job roles, 239
OpenVAS, 178
Tenable.sc vulnerability tracking, 177
vulnerability tracking, 179, 525
measuring vulnerabilities, 506
automated NAC, 501
manual NAC, 501
network scanners, 501–502, 515
Nmap
fingerprinting, 503
report and remediate phase, 505
reporting, 552
respond and repeat phase, 506
risk assessment phase, 504
Struts vulnerability example, 507
CVSS v2, 512
temporal/environmental metrics, 511
threat detection tools, 524–525
WAN (Wide-Area Networks), 618–620. See also SD-WAN
WannaCry kill switch malware analysis, 451–452
war rooms, facility design, 106
waterfall model (modified), processing threat intelligence, 400–402
WBDG (Whole Building Design Guide), SOC facility design, 101–102
Webex Teams, ChatOps, 595
Windows event logs, 277
work environments
Three Pillars of Foundational SOC Support Services, The, 155–156
workflows, playbooks
symbols, 570
workplaces, competitive, 252
workstations, facility design, 105
worms, 457
XDR (Cross-layered Detection and Response), 559–560
XML (Extensible Markup Language)
processing technical threat intelligence data, 407
YANG serializers, DevOps, 589–590
zero-day threats, 7