NIST CSF Practitioner Chapter 8 - Security Operations Center (SOC)

This document discusses security operations centers (SOCs) and continuous security monitoring. It focuses on the goals and objectives of continuous security monitoring, the technology and tools used, and the people, processes, and services involved. The document outlines learning objectives around understanding information security continuous monitoring (ISCM) programs, SIEM solutions, SOC functions, technologies, personnel roles and responsibilities, incident management, best practices, use cases, and SOC alternatives.


NIST CSF Practitioner

Chapter 8 – Security Operations Center (SOC)


Slide 1

Security Operations Center (SOC)


Continuous monitoring gives information security professionals and others a continuous
stream of near real-time snapshots of the state of risk to their security controls, data, network,
endpoints, and even cloud devices and applications. It improves situational awareness of the
elements in the monitored environment by providing full network visibility. Continuous
monitoring, when implemented through a log manager or SIEM, helps organizations separate real
events from non-impact events, and locate and contain the real ones.

This chapter focuses on three key areas:


(1) Goals and objectives of continuous security monitoring
(2) Technology and tools used for continuous security monitoring
(3) People, process and services involved in providing a continuous security monitoring
program

At the end of the chapter, we will discuss SOC alternatives and key decision criteria that an
organization should consider when selecting their best option for continuous security monitoring.

Slide 2

Learning Objectives
• Understand
• What it will take to answer the question "Are we secure?"
• Information Security Continuous Monitoring (ISCM) definition, goals
and objectives
• The key steps in an ISCM program, SIEM solution, and SOC functions
• SOC technology solutions and how they map to cyber attacks
• SOC personnel, resources, roles, responsibilities, skills and duties
• Threat hunting approach for uncovering a threat actor's TTPs
• Incident management requirements
• SOC best practices including log sources, incident categories, threat
analysis
• Common SOC use cases, IOCs, and common log sources
• SOC alternatives (build, buy, outsource, etc.)
• Summarize the key benefits of an ISCM and include why
organizations fail to implement continuous monitoring programs
• In a given scenario, analyze and explain your rationale for the
implementation of an ISCM program

Slide 3

The NCSF Controls Factory™

[Figure: the Controls Factory model. Input is the Current Profile (before the Factory): untrusted identities and unmanaged assets. Output is the Target Profile (after the Factory): trusted identities and managed assets. Three centers sit in between:
• E – The Engineering Center: Threats & Vulnerabilities; Cybersecurity Framework; Assets & Identities (Design + Build)
• T – The Technology Center: Technology Program; Cybersecurity Operations; Testing & Assurance (Design + Build)
• B – The Business Center: Business Risk Mgmt. Program; Workforce Skills Program (Design + Build)]

Slide 4

Lesson: Security Operations Overview

• Are We Secure?
• Information Security Continuous Monitoring (ISCM)
• ISCM Technical Solutions, aka a SIEM
• ISCM Operations, aka a SOC

Slide 5

Security Operations - Purpose, Goals & Objectives


• Purpose
• Provides continuous security monitoring
• Enables awareness of information security & supports
informed risk management decisions

• Goals
• Provide Security Information & Event Management (SIEM)
capability
• Support threat detection
• Incident response
• Real-time collection & historical analysis of security events
• Enable Compliance reporting & incident investigation

• Objectives
• Deploy a Security Operations Center (SOC)
• Continuously monitor & improve organizational security posture
• Prevent, detect, analyze and respond to cybersecurity incidents
• Use technology & well defined process & procedures

Slide 6

Are We Secure?

Most IT security teams struggle to establish and maintain ongoing awareness of the state of information security in their
company. Security professionals, when asked “Are we secure?" by executives, are unable to articulate the answer in a
manner that resonates with management.

Why can't we answer this question? The chief reason is the lack of continuous monitoring and real-time visibility into
the overall security picture that plagues many organizations.

Slide 7

Information Security Continuous Monitoring (ISCM)

What is Information Security Continuous Monitoring (ISCM)?

• NIST defines continuous monitoring as, "Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions."
• Given the dynamic nature of threats, security teams are at a strategic disadvantage if they are unable to gauge their security posture in real time.
• Setting the course for an organization's ISCM strategy is needed to enable data-driven control of the security information that is floating in different silos throughout the organization's security architecture.
• Continuous security monitoring is an essential part of the risk management process.
• An organization's security architecture and security program require continuous monitoring to ensure operations stay within an acceptable level of risk, despite any changes that occur.

Slide 8

ISCM Program Steps


NIST SP 800-137 defines the process for an ISCM strategy and an ISCM program:

1. Define an ISCM strategy. Base it on risk tolerance, maintaining clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.

2. Establish an ISCM program. Determine metrics, status monitoring, control assessment frequencies, and the ISCM technical architecture.

3. Implement the ISCM program. Collect the security-related information required for metrics, assessments, and reporting. Automate the collection, analysis, and reporting of data wherever possible.

4. Analyze the data collected and report findings. Determine the appropriate response.

5. Respond to findings. Use technical, management, or operational mitigating activities, or accept, transfer/share, or avoid/reject the risk.

6. Review and update the monitoring program. Adjust the ISCM strategy and measurement capabilities to increase visibility into assets and awareness of vulnerabilities.
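The six steps above carried through in code, as an added example that is not part of the course material: steps 3 to 5 (collect, analyze and report, respond) run against a constructed asset inventory and a constructed set of scan findings. The thresholds in POLICY, the asset and finding records, and the finding identifiers (tracker references, not real CVEs) are all assumed for illustration.

```python
"""ISCM steps 3 to 5 as a small metrics loop: collect, analyse, decide the response.

Added example, not part of the course material. Asset inventory, findings and
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

TODAY = date(2024, 6, 30)  # fixed "now" so the results are deterministic

# Steps 1 and 2: risk tolerance written down as measurable thresholds (assumed values).
POLICY = {
    "max_scan_age_days": 7,        # every managed asset is scanned at least weekly
    "min_scan_coverage": 0.95,     # share of assets scanned inside that window
    "max_critical_age_days": 15,   # CVSS >= 9.0 must be fixed within 15 days
    "max_high_age_days": 30,       # CVSS 7.0-8.9 must be fixed within 30 days
}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    owner: str
    last_scan: Optional[date]      # None: never scanned (unmanaged or unknown)


@dataclass(frozen=True)
class Finding:
    finding_id: str                # internal tracker reference, not a real CVE id
    asset_id: str
    cvss: float
    first_seen: date
    accepted: bool = False         # risk formally accepted by the asset owner


# Step 3: the collected data (constructed sample).
ASSETS = [
    Asset("web-01", "app-team", date(2024, 6, 28)),
    Asset("db-01", "dba-team", date(2024, 6, 25)),
    Asset("hr-app", "hr-it", date(2024, 6, 10)),     # scan is 20 days old
    Asset("lab-07", "unknown", None),                # never scanned
]
FINDINGS = [
    Finding("F-101", "web-01", 9.8, date(2024, 6, 5)),     # critical, 25 days old
    Finding("F-102", "web-01", 5.3, date(2024, 5, 1)),     # medium, no SLA in this policy
    Finding("F-103", "db-01", 7.5, date(2024, 6, 10)),     # high, 20 days old
    Finding("F-104", "hr-app", 7.2, date(2024, 5, 15)),    # high, 46 days old
    Finding("F-105", "hr-app", 9.1, date(2024, 6, 20), accepted=True),
]


def scan_coverage(assets: List[Asset], today: date = TODAY) -> float:
    """Metric: fraction of assets scanned within the policy window."""
    fresh = [a for a in assets
             if a.last_scan is not None
             and (today - a.last_scan).days <= POLICY["max_scan_age_days"]]
    return len(fresh) / len(assets)


def overdue_findings(findings: List[Finding], today: date = TODAY) -> List[Finding]:
    """Metric: open (not accepted) findings older than the SLA for their severity band."""
    overdue = []
    for f in findings:
        if f.accepted:
            continue
        age = (today - f.first_seen).days
        if f.cvss >= 9.0 and age > POLICY["max_critical_age_days"]:
            overdue.append(f)
        elif 7.0 <= f.cvss < 9.0 and age > POLICY["max_high_age_days"]:
            overdue.append(f)
    return overdue


def iscm_report(assets: List[Asset], findings: List[Finding],
                today: date = TODAY) -> Dict:
    """Steps 4 and 5: analyse the metrics and attach a response decision to each finding.

    Only two of the SP 800-137 response categories are automated here (mitigate, accept);
    transfer/share and avoid/reject are management decisions recorded outside this script.
    """
    coverage = scan_coverage(assets, today)
    actions = []
    if coverage < POLICY["min_scan_coverage"]:
        stale = [a.asset_id for a in assets
                 if a.last_scan is None
                 or (today - a.last_scan).days > POLICY["max_scan_age_days"]]
        actions.append({"subject": "scan-coverage", "response": "mitigate",
                        "detail": f"{coverage:.0%} coverage; stale or missing: {stale}"})
    for f in overdue_findings(findings, today):
        actions.append({"subject": f"{f.asset_id}/{f.finding_id}", "response": "mitigate",
                        "detail": f"CVSS {f.cvss} open {(today - f.first_seen).days} days"})
    for f in findings:
        if f.accepted:
            actions.append({"subject": f"{f.asset_id}/{f.finding_id}", "response": "accept",
                            "detail": "risk accepted by owner; re-review at next cycle"})
    return {"as_of": today.isoformat(), "scan_coverage": coverage, "actions": actions}


if __name__ == "__main__":
    for a in iscm_report(ASSETS, FINDINGS)["actions"]:
        print(f"{a['response']:8} {a['subject']:16} {a['detail']}")
```

Step 6 is the part no script does for you: when the report keeps flagging the same asset class, the thresholds or the scan architecture need adjusting, not just the ticket queue. Note also that an accepted risk still appears in the report; silently dropping it is how accepted risks become forgotten risks.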

Slide 9

ISCM Technical Solutions

What is a Security Information & Event Management (SIEM)?

[Figure: SIEM architecture. Data sources on the left (Security Devices; Servers & Mainframes; Network & Virtual Activity; Data Activity; Application Activity; Configuration Info; Vulnerability & Threat; User Activity) feed two engines: Event Correlation (logs, flows, IP location, geo location) and Activity Baselining & Anomaly Detection (user activity, network activity, application activity). Offense Identification rates the results by credibility, severity and performance, and the output is a prioritized list of offenses, each marked true or suspected. Caption: Extensive Data Sources + Deep Intelligence = Exceptionally Accurate & Actionable Insight.]

Data security does not take care of itself. SIEM solutions take the edge off these concerns by acting as a constant watchdog
that performs several services: logging information, correlating data, alerting security administrators as soon as a breach is
detected, and providing a dashboard of what is happening in the environment at any given time. Simply put, SIEM solutions
give organizations visibility into their security posture by providing usable and actionable information.

Slide 10

SIEM Basics

Situation
• Security threats continue to be more sophisticated and advanced with each day, with the majority often going completely undetected.
• Organizations are usually scrambling to keep up and implement new security controls to protect themselves, which adds a new layer of complexity.
• With the rise of Advanced Persistent Threats (APTs) and insider attacks, it becomes extremely difficult for security staff to detect all the risks.
• Many IT and IT Security staff are already stretched thin by keeping track of the many different security technologies that already exist.

Resolution
• A SIEM can provide a great deal of visibility into an organization's networks and identify extremely sophisticated threats that may otherwise have been hidden.
• By integrating with other security technologies, the SIEM solution can act as a single window into the threats and possible breaches that your organization is facing.
• SIEM technology is also becoming more advanced, with the capability to use advanced correlation engines as well as big data analytics to provide insightful analysis and forensics across the overall data.

Slide 11

SIEM Capabilities
1. Data aggregation: Log management aggregates data from many sources, including
network, security, servers, databases, applications, providing the ability to consolidate
monitored data to help avoid missing crucial events.

2. Correlation: Looks for common attributes, and links events together into meaningful
bundles. This technology provides a variety of correlation techniques to integrate different
sources, in order to turn data into useful information.

3. Alerting: The automated analysis of correlated events and production of alerts, to notify
recipients of immediate issues. Alerting can be to a dashboard, or sent via third party
channels such as email.

4. Dashboards: Tools can take event data and turn it into informational charts to assist in
seeing patterns, or identifying activity that is not forming a standard pattern.

5. Compliance: Applications can be employed to automate the gathering of compliance data,
producing reports that adapt to existing security, governance and auditing processes.

6. Retention: Employing long-term storage of historical data to facilitate correlation of data
over time, and to provide the retention necessary for compliance requirements.

7. Forensic analysis: The ability to search across logs on different nodes and time periods
based on specific criteria. This mitigates manual aggregation of log information or
searching through thousands and thousands of logs.
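Capabilities 1 to 3 above (aggregation, correlation, alerting) as a small added example, not part of the course material and not any vendor's SIEM: two constructed log sources, a firewall and a Linux sshd auth log, are normalized into one time-ordered event stream, then three correlation rules run over it. The hostnames, the addresses (taken from the RFC 5737 documentation ranges), the log formats and the thresholds are all assumptions; a production rule set would also de-duplicate, suppress known scanners and attach asset context before raising an offense.

```python
"""Aggregate two log sources, normalize them, correlate across them, raise offenses.

Added example, not course material. Both log extracts are constructed.
Rules:
  R1 port_scan               one source hits >= 10 distinct ports within 60 s (firewall)
  R2 ssh_brute_force_success >= 5 failed logins then a success from one source within 5 min
  R3 escalation              a source that trips both R1 and R2 is raised to critical
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# --- constructed sample logs (hosts, addresses and formats are assumptions) -------------
FW_LOGS = """\
2024-06-30T10:00:01Z fw1 action=deny src=203.0.113.7 dst=198.51.100.10 dport=21
2024-06-30T10:00:02Z fw1 action=deny src=203.0.113.7 dst=198.51.100.10 dport=23
2024-06-30T10:00:02Z fw1 action=allow src=203.0.113.7 dst=198.51.100.10 dport=22
2024-06-30T10:00:03Z fw1 action=deny src=203.0.113.7 dst=198.51.100.10 dport=25
2024-06-30T10:00:03Z fw1 action=allow src=203.0.113.7 dst=198.51.100.10 dport=80
2024-06-30T10:00:04Z fw1 action=deny src=203.0.113.7 dst=198.51.100.10 dport=110
2024-06-30T10:00:04Z fw1 action=deny src=203.0.113.7 dst=198.51.100.10 dport=143
2024-06-30T10:00:05Z fw1 action=allow src=203.0.113.7 dst=198.51.100.10 dport=443
2024-06-30T10:00:05Z fw1 action=deny src=203.0.113.7 dst=198.51.100.10 dport=445
2024-06-30T10:00:06Z fw1 action=deny src=203.0.113.7 dst=198.51.100.10 dport=3389
2024-06-30T10:00:07Z fw1 action=deny src=203.0.113.7 dst=198.51.100.10 dport=8080
2024-06-30T10:01:10Z fw1 action=allow src=192.0.2.5 dst=198.51.100.10 dport=443
2024-06-30T10:01:11Z fw1 action=allow src=192.0.2.5 dst=198.51.100.10 dport=443
"""
AUTH_LOGS = """\
2024-06-30T10:03:01Z web-01 sshd[4120]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-06-30T10:03:04Z web-01 sshd[4121]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-06-30T10:03:08Z web-01 sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
2024-06-30T10:03:12Z web-01 sshd[4123]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
2024-06-30T10:03:15Z web-01 sshd[4124]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
2024-06-30T10:03:19Z web-01 sshd[4125]: Accepted password for deploy from 203.0.113.7 port 51027 ssh2
2024-06-30T10:05:40Z web-01 sshd[4130]: Accepted publickey for alice from 192.0.2.50 port 60012 ssh2
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
                   r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")

SCAN_PORTS, SCAN_WINDOW = 10, timedelta(seconds=60)
BRUTE_FAILS, BRUTE_WINDOW = 5, timedelta(minutes=5)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(fw_text: str, auth_text: str) -> List[Dict]:
    """Aggregation: parse both sources into one common schema, ordered by time."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "source": "firewall", "host": m["host"],
                           "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                           "action": m["action"]})
    for line in auth_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "source": "sshd", "host": m["host"],
                           "src": m["src"], "user": m["user"], "result": m["result"].lower()})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_port_scans(events: List[Dict]) -> List[Dict]:
    """R1: sliding 60 s window per source address over firewall events."""
    by_src = defaultdict(list)
    for e in events:
        if e["source"] == "firewall":
            by_src[e["src"]].append(e)
    offenses = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                offenses.append({"rule": "port_scan", "src": src, "severity": "medium",
                                 "evidence": len(ports)})
                break  # one offense per source, not one per window position
    return offenses


def detect_brute_force(events: List[Dict]) -> List[Dict]:
    """R2: a success preceded by >= 5 failures from the same source inside 5 min."""
    fails = defaultdict(list)
    offenses = []
    for e in events:
        if e["source"] != "sshd":
            continue
        if e["result"] == "failed":
            fails[e["src"]].append(e["ts"])
        else:
            recent = [t for t in fails[e["src"]] if e["ts"] - t <= BRUTE_WINDOW]
            if len(recent) >= BRUTE_FAILS:
                offenses.append({"rule": "ssh_brute_force_success", "src": e["src"],
                                 "user": e["user"], "severity": "high", "evidence": len(recent)})
    return offenses


def correlate(events: List[Dict]) -> List[Dict]:
    """Run the rules, then R3: cross-source escalation on the shared attribute (src)."""
    offenses = detect_port_scans(events) + detect_brute_force(events)
    rules_by_src = defaultdict(set)
    for o in offenses:
        rules_by_src[o["src"]].add(o["rule"])
    for o in offenses:
        if {"port_scan", "ssh_brute_force_success"} <= rules_by_src[o["src"]]:
            o["severity"] = "critical"  # recon followed by a successful login, same source
    return offenses


if __name__ == "__main__":
    for o in correlate(normalize(FW_LOGS, AUTH_LOGS)):
        print(f"[{o['severity'].upper():8}] {o['rule']:24} src={o['src']} evidence={o['evidence']}")
```

The escalation in R3 is the step that turns two medium/high alerts into one incident-grade offense: neither rule alone tells the analyst that the host which was scanned at 10:00 was logged into by the scanner at 10:03. Thresholds like 10 ports or 5 failures are tuning knobs, and the right values depend on the environment's baseline, which is why the "Activity Baselining" box sits next to the correlation engine in the diagram above.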

Slide 12

ISCM Operations
Attackers target every layer of the IT infrastructure

[Figure: attack types by infrastructure layer (Network, Server, Application):
• Large-volume network flood attacks
• Network scan, intrusion, port scan
• SYN flood attack
• "Low and slow" network DoS attack
• "High and slow" application DoS attacks
• Application vulnerability, malware
• Web attacks (XSS, brute force)
• Web attacks (SQL injection)
Business impacts shown: web defacement, shut down, data breach.]

A cyber security operations center (or "SOC") is a location where enterprise information systems (web
sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are
continuously monitored, assessed, and defended.

Slide 13

SOC Inputs and Outputs

[Figure: the SOC as a pipeline. Input → Identify, Assess, Remediate → Output.
Inputs:
• Reported security issues
• Help desk, assessment findings
• Managed & unmanaged assets
• Scan, monitor, filter technology
• Cyber-intelligence services
• Advisories, incidents, data breaches
• Zero-day threats & vulnerabilities
Security Operations Center (SOC): SOC technologies & tools; SOC people & process
Outputs:
• Management team
• Metrics & reports
• Incident response team
• CSIRT]

Slide 14

Security Events, Attacks, Incidents

Events pass through two filters: SOC technology filtering turns security events into security attacks, and SOC analyst filtering turns security attacks into security incidents.

            Security Events     Security Attacks              Security Incidents
                                (after SOC technology         (after SOC analyst
                                 filtering)                    filtering)
Annual      100 M               20 K                          100
Monthly     10 M                2 K                           10
Weekly      1 M                 300                           2

Of 100 M security events a year, SOC technologies drop 99.98 M and pass 20 K on as security attacks; SOC people and process drop 19.90 K of those and confirm 100 security incidents. The monthly and weekly rows are rounded for illustration, not exact divisions of the annual figures.

Slide 15

SOC Core Functions

• Security Monitoring
  • Intrusion Detection / Prevention Systems
  • Anti-virus Scanning
  • Data Loss Prevention
  • Vulnerability Scanning
  • Incident Tracking
• Vulnerability Management
  • Vulnerability Mitigation
• Incident Management
• Communications and Reporting
• Penetration Testing
• Event and Incident Investigations
• Incident Handling
  • Incident Analysis
  • Incident Response
• Vulnerability Handling
  • Vulnerability Analysis
  • Vulnerability Response
• Forensic Analysis
  • Evidence Handling
  • Evidence Analysis

"A SOC is related to the people, processes and technologies involved in providing situational awareness
through the detection, containment, and remediation of IT threats. A SOC manages incidents for the
enterprise, ensuring they are properly identified, analyzed, communicated, actioned/defended, investigated
and reported. The SOC also monitors applications to identify a possible cyber-attack or intrusion (event) and
determines if it is a real, malicious threat (incident), and if it could have a business impact."
- Wikipedia

Slide 16

SOC Building Blocks

SOC Technology SOC People

SOC Process SOC Services

Slide 17

Lesson: SOC Technology

• SOC Technology: Solutions
• SOC Technology: Map to Cyber-Attacks
• SOC Technology: Map to Assets

Slide 18

SOC Technology - Purpose, Goals & Objectives

• Purpose
• Introduces intelligence & automation to the collection, correlation & analysis of log & alert data
• Enables security analysts to focus on the most important cybersecurity events

• Goals
• A SOC inclusive of trained staff, processes & procedures, and enabling technology
• Early detection of cybersecurity events
• A comprehensive reporting system
• Demonstrable reduction of noncompliance

• Objectives
• Deployment of SIEM technology
• Development of a cybersecurity reporting system
• Development & deployment of cross-functional teams

Slide 19

SOC Technology: Monitoring Security Devices

Security devices monitored:
• Firewalls
• IDS / IPS
• Anti-Malware
• Email Gateway Security
• Web Gateway

[Figure: the SIEM architecture diagram from Slide 9, with Security Devices as the highlighted data source. Feed from these devices: attacks, audits, status events and vulnerabilities from SIEM & IPS.]

• Helps find threats by combining Network Protection's Protocol Analysis Module signature analysis and anomaly detection capabilities
• Enables real-time threat awareness and offense prioritization to establish definitive attack evidence and visibility into attacker communications
• Integrates security content such as threat intelligence and vulnerability awareness
• Coverage available within the full SIEM solution or a targeted Network Anomaly Detection offering

Slide 20

SOC Technology: Monitoring Servers & Mainframes

[Figure: SIEM data-flow diagram. Highlighted source category: Servers & Mainframes (Windows OS, Linux OS, RACF, AIX, z/OS), feeding alerts, unauthorized log-ins, policy violations, configuration changes, etc.
Other source categories shown: Security Devices, Network & Virtual Activity, Data Activity, Application Activity, Configuration Info, Vulnerability & Threat, User Activity.
Analysis stages: Event Correlation (Logs, Flows, IP Location, Geo Location); Offense Identification (Credibility, Severity); Activity Baselining & Anomaly Detection (Performance, User Activity, Network Activity, Application Activity).
Caption: Exceptionally Accurate & Extensive Data Sources + Deep Intelligence = Actionable Insight]

• Centralizes enterprise security view allowing identification and remediation of excess mainframe access, threats and concerns
• Strengthens mainframe security operations and helps improve protection for critical mainframe environment
• Triggers complex correlation of threats, insider fraud and business risk as easy to understand “offenses” for further investigation and follow-ups
• Stores event data in forensically secure database to address regulation mandates
• Improves compliance reporting by simplifying audit and management efforts

Slide 21

SOC Technology: Monitoring Networks & Virtual Activity

[Figure: SIEM data-flow diagram. Highlighted source category: Network & Virtual Activity (Switches, Routers, Firewalls, Access Points, NetFlow), feeding alerts, unauthorized log-ins, policy violations, configuration changes, etc.
Other source categories shown: Security Devices, Servers & Mainframes, Data Activity, Application Activity, Configuration Info, Vulnerability & Threat, User Activity.
Analysis stages: Event Correlation (Logs, Flows, IP Location, Geo Location); Offense Identification (Credibility, Severity); Activity Baselining & Anomaly Detection (Performance, User Activity, Network Activity, Application Activity).
Caption: Exceptionally Accurate & Extensive Data Sources + Deep Intelligence = Actionable Insight]

• Centralizes enterprise security view allowing identification and remediation of network device access, threats and concerns
• Strengthens network security operations and helps improve protection for critical switches, routers, firewalls
• Triggers complex correlation of threats, insider fraud and business risk as easy to understand “offenses” for investigation and follow-ups
• Stores event data in forensically secure database to address regulation mandates
• Improves compliance reporting by simplifying audit and management efforts

Slide 22

SOC Technology: Monitoring Data Activity

[Figure: SIEM data-flow diagram. Highlighted source category: Data Activity (Databases, Data Warehouses, Hadoop based systems, File shares), feeding in-depth data activity monitoring and security insights.
Other source categories shown: Security Devices, Servers & Mainframes, Network & Virtual Activity, Application Activity, Configuration Info, Vulnerability & Threat, User Activity.
Analysis stages: Event Correlation (Logs, Flows, IP Location, Geo Location); Offense Identification (Credibility, Severity); Activity Baselining & Anomaly Detection (Performance, User Activity, Network Activity, Application Activity).
Caption: Exceptionally Accurate & Extensive Data Sources + Deep Intelligence = Actionable Insight]

• Detects anomalous behavior and malicious access to sensitive data
• Focuses customers on key data access events while saving operational costs by not transmitting and storing insignificant events
• Provides broader, enterprise network security context for alerts and events, helping identify advanced threats
• Improves compliance reporting with automated data access reports

Slide 23

SOC Technology: Monitoring Application Activity

[Figure: SIEM data-flow diagram. Highlighted source category: Application Activity (Web applications, Mobile applications, Web services, Desktop applications), feeding application vulnerability assessments.
Other source categories shown: Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity, Configuration Info, Vulnerability & Threat, User Activity.
Analysis stages: Event Correlation (Logs, Flows, IP Location, Geo Location); Offense Identification (Credibility, Severity); Activity Baselining & Anomaly Detection (Performance, User Activity, Network Activity, Application Activity).
Caption: Exceptionally Accurate & Extensive Data Sources + Deep Intelligence = Actionable Insight]

• Strengthens threat detection and offense scoring capabilities
• Correlates known application vulnerabilities with other real-time events and alerts to elevate meaningful offenses
• Enhances proactive risk management assessments by prioritizing critical application vulnerabilities

Slide 24

SOC Technology: Monitoring Configuration Information

[Figure: SIEM data-flow diagram. Highlighted source category: Configuration Info (Servers, Clients, Mobile devices, POS, ATM, Kiosks), feeding endpoint intelligence data from Endpoint Manager.
Other source categories shown: Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity, Application Activity, Vulnerability & Threat, User Activity.
Analysis stages: Event Correlation (Logs, Flows, IP Location, Geo Location); Offense Identification (Credibility, Severity); Activity Baselining & Anomaly Detection (Performance, User Activity, Network Activity, Application Activity).
Caption: Exceptionally Accurate & Extensive Data Sources + Deep Intelligence = Actionable Insight]

• Increases vulnerability database accuracy improving offense and risk analytics to limit potential offenses
• Establishes baseline for endpoint states and improves alerting on variations to detect threats other SIEMs might miss
• Speeds remediation of discovered offenses using Endpoint Manager automation
• Represents AV/DLP alerts within consolidated enterprise security view helping correlate advanced threat activities
• Improves compliance reporting with deep endpoint state data

Slide 25

SOC Technology: Monitoring Vulnerabilities and Threats

[Figure: SIEM data-flow diagram. Highlighted source category: Vulnerability & Threat (Server Vulnerability, Endpoint Vulnerability, Web App Vulnerability, Network Vulnerability, IOCs), feeding vulnerability & threat information.
Other source categories shown: Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity, Application Activity, Configuration Info, User Activity.
Analysis stages: Event Correlation (Logs, Flows, IP Location, Geo Location); Offense Identification (Credibility, Severity); Activity Baselining & Anomaly Detection (Performance, User Activity, Network Activity, Application Activity).
Caption: Exceptionally Accurate & Extensive Data Sources + Deep Intelligence = Actionable Insight]

• Real-time vulnerability information for servers, endpoints, applications, networks
• Identifies common threat vectors and common Indicators of Compromise (IOCs)
• Enables threat intelligence sharing via industry standards STIX, TAXII, CybOX
• Integrates with network-based and system-based anti-malware solutions
• Improves compliance reporting with deep endpoint state data

Slide 26

SOC Technology: Monitoring User Activity

[Figure: SIEM data-flow diagram. Highlighted source category: User Activity (User log-ins, Access rights, Group memberships), feeding identity information and user activity from IAM products.
Other source categories shown: Security Devices, Servers & Mainframes, Network & Virtual Activity, Data Activity, Application Activity, Configuration Info, Vulnerability & Threat.
Analysis stages: Event Correlation (Logs, Flows, IP Location, Geo Location); Offense Identification (Credibility, Severity); Activity Baselining & Anomaly Detection (Performance, User Activity, Network Activity, Application Activity).
Caption: Exceptionally Accurate & Extensive Data Sources + Deep Intelligence = Actionable Insight]

• Provides ability to insert user names into reference sets used for writing searches, reports, and rules
• Improves ability to defend against insider threats involving privilege escalations or inappropriate data access
• Facilitates compliance reporting by pairing user identities with access to sensitive data
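The diagram repeated on Slides 19 through 26 describes one pipeline: events from many source categories are correlated, raised as offenses scored by credibility and severity, enriched with identity data, and checked against an activity baseline. The following is an added miniature of that pipeline written for this chapter; it is not code from the slides or from any SIEM vendor, and every IP address, user, asset, group name and access count in it is a constructed sample value.

```python
"""Miniature SIEM pipeline modelled on the slide diagram (Slides 19-26).

Events are correlated by source IP, scored into offenses (credibility x
severity), enriched with IAM group data, and per-user activity is compared
against a baseline.  All data values below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
import statistics

# Reference sets (Slides 25 and 26): threat-intel IOCs and IAM group membership.
# Constructed values; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
IOC_IPS = {"203.0.113.45"}
SENSITIVE_GROUPS = {"finance-admins"}
USER_GROUPS = {"alice": {"finance-admins"}, "bob": {"staff"}}
ASSET_SEVERITY = {"db-fin-01": 9, "ws-bob-17": 3}   # 1-10: how critical the asset is


@dataclass
class Event:
    source: str            # source category, e.g. "security_device", "data_activity"
    src_ip: str
    user: Optional[str]
    asset: str
    action: str            # e.g. "ids_alert", "login_failed", "table_read"
    detail: str = ""


def correlate(events: List[Event]) -> Dict[str, List[Event]]:
    """Event correlation: group events from independent sources by source IP."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev.src_ip].append(ev)
    return by_ip


def credibility(group: List[Event]) -> int:
    """Credibility (1-10) rises with the number of distinct source categories
    reporting the same IP, plus a bonus when the IP matches a threat-intel IOC."""
    score = min(3 * len({ev.source for ev in group}), 9)
    if any(ev.src_ip in IOC_IPS for ev in group):
        score = min(score + 3, 10)
    return score


def severity(group: List[Event]) -> int:
    """Severity (1-10) is the criticality of the most important asset touched."""
    return max(ASSET_SEVERITY.get(ev.asset, 1) for ev in group)


def privileged_users(group: List[Event]) -> List[str]:
    """Identity enrichment: users in the group who hold a sensitive IAM group."""
    return sorted({ev.user for ev in group
                   if ev.user and USER_GROUPS.get(ev.user, set()) & SENSITIVE_GROUPS})


def identify_offenses(events: List[Event], threshold: int = 30) -> List[dict]:
    """Offense identification: magnitude = credibility x severity; only groups at
    or above the threshold are raised to an analyst, highest magnitude first."""
    offenses = []
    for ip, group in correlate(events).items():
        cred, sev = credibility(group), severity(group)
        if cred * sev >= threshold:
            offenses.append({"src_ip": ip, "credibility": cred, "severity": sev,
                             "magnitude": cred * sev, "events": len(group),
                             "privileged_users": privileged_users(group)})
    return sorted(offenses, key=lambda o: -o["magnitude"])


def baseline_anomalies(history: Dict[str, List[int]], today: Dict[str, int],
                       z_threshold: float = 3.0) -> List[str]:
    """Activity baselining & anomaly detection: flag users whose data-access count
    today is more than z_threshold standard deviations above their historical
    daily mean (an insider-threat / inappropriate-data-access signal)."""
    flagged = []
    for user, counts in history.items():
        mean = statistics.mean(counts)
        sd = statistics.pstdev(counts) or 1.0       # avoid dividing by zero
        if (today.get(user, 0) - mean) / sd > z_threshold:
            flagged.append(user)
    return sorted(flagged)


# Constructed sample input: one IP seen by an IDS, a server auth log and a
# database activity monitor; a second IP seen only by the firewall.
SAMPLE_EVENTS = [
    Event("security_device", "203.0.113.45", None, "db-fin-01", "ids_alert", "SQLi signature"),
    Event("server", "203.0.113.45", "alice", "db-fin-01", "login_failed"),
    Event("server", "203.0.113.45", "alice", "db-fin-01", "login_success"),
    Event("data_activity", "203.0.113.45", "alice", "db-fin-01", "table_read", "payroll"),
    Event("security_device", "198.51.100.7", None, "ws-bob-17", "firewall_deny"),
]
HISTORY = {"alice": [2, 3, 2, 3, 2], "bob": [10, 12, 11, 9, 10]}   # past daily reads
TODAY = {"alice": 20, "bob": 11}

if __name__ == "__main__":
    for off in identify_offenses(SAMPLE_EVENTS):
        print("OFFENSE", off)
    print("baseline anomalies:", baseline_anomalies(HISTORY, TODAY))
```

Run as written, the single firewall deny never becomes an offense, while the IP confirmed by three independent sources and an IOC match is raised with a privileged user attached, and alice's jump in data access is flagged by the baseline.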

Slide 27

Lesson: SOC People

SOC Resources
SOC Roles / Responsibilities / Skills
SOC Analyst Levels, Functions, Schedule

Slide 28

SOC People - Purpose, Goals & Objectives


• Purpose
  • SOC staffed with
    • Deep technical knowledge
    • Broad range of capabilities
    • Diverse experience
  • SOC staff efficiently analyzes large volume of data & identifies events requiring further investigation

• Goals
  • Staff with qualified analysts, security engineers and SOC Manager

• Objectives
  • Seek individuals with an
    • Understanding of basic computer science:
    • Understanding of IT operations:
    • Ability to communicate:
    • Understanding of adversary motivations:
    • Understanding of security operations concepts:

Slide 29

SOC Roles & Resources


• Roles and duties of a typical SOC staff:
  • Tier 1: Security Analyst – Continuous monitoring of systems and alerts in place, from all sensors and endpoints.
  • Tier 2: Security Specialist – In-depth analysis of incidents based on correlated data, impact analysis, and remediation recommendations.
  • Tier 3: Subject Matter Expert – In-depth knowledge of network events with forensics and malware reverse engineering skills. Closely involved in threat detection analytics.
  • SOC Manager/Director – Responsible for the technology strategy to meet Service-Level Agreements (SLAs), with a deep understanding of incidents. Acts as the organizational coordinator for business-critical incidents while providing input to the overall security strategy.

• Each role is equally important, and an effective SOC requires good cooperation between the roles while also following the Standard Operating Procedures (SOP) in place.

• SOC resources cover all shifts (24 x 7), including one-hour shift transfers, considering time off, sick days and holidays.

• The SOC Manager actively directs the SOC strategy by prioritizing tasks and making appropriate decisions for mitigating incidents, ensuring minimal impact to the business as new attacks and threats emerge.

Source: “Building a World Class Security Operations Center: A Roadmap”, May, 2015, Alissa Torres

Slide 30

SOC Roles / Responsibilities / Skills


Job Title / Duties / Required Skills / Training

Tier 1 – Alert Analyst
Duties: Continuously monitors the alert queue; triages security alerts; monitors health of security sensors and endpoints; collects data and context necessary to initiate Tier 2 work.
Required Skills / Training: Alert triage procedures; intrusion detection; network, Security Information and Event Management (SIEM) and host-based investigative training; and other tool-specific training.

Tier 2 – Incident Responder
Duties: Performs deep dive incident analysis by correlating data from various sources; determines if a critical system or data set has been impacted; advises on remediation; provides support for new analytic methods for detecting threats.
Required Skills / Training: Advanced network forensics, host-based forensics, incident response procedures, log reviews, basic malware assessment, network forensics and threat intelligence.

Tier 3 – Subject Matter Expert / Hunter
Duties: Possesses in-depth knowledge on network, endpoint, threat intelligence, forensics and malware reverse engineering, as well as the functioning of specific applications or underlying IT infrastructure; acts as an incident “hunter”, not waiting for escalated incidents; closely involved in developing, tuning and implementing threat detection analytics.
Required Skills / Training: Advanced training on anomaly detection; tool-specific training for data aggregation and analysis and threat intelligence.

Tier 4 – SOC Manager
Duties: Manages resources to include personnel, budget, shift scheduling and technology strategy to meet SLAs; communicates with management; serves as organizational point person for business-critical incidents; provides overall direction for the SOC and input to the overall security strategy.
Required Skills / Training: Project management, incident response management training; general people management skills.
Source: “Building a World Class Security Operations Center: A Roadmap”, May, 2015, Alissa Torres

Slide 31

Sample SOC Analyst Levels


Skill / Skill Level 1 / Skill Level 2

Anomaly Detection
Level 1: Basic understanding of baseline data sets and identification of non-conforming data.
Level 2: Able to apply anomaly detection concepts utilizing thresholds and statistics derived by more advanced analysis.

Data Loss Prevention (DLP)
Level 1: Familiar with basic DLP concepts and popular products. Able to recognize priority alerts and escalate.
Level 2: Understanding of DLP engine, rule sets, and operations. Can perform basic DLP tuning procedures based on findings.

Data Integrity / File Integrity / Host Intrusion Prevention Service (HIPS)
Level 1: Knowledge of system security and data integrity concepts used to monitor and alert on data, file, and system changes.
Level 2: Experience configuring OS-specific host policies to identify, monitor, and alert on data, file, and system changes.

Digital Forensics
Level 1: Basic understanding of forensics concepts as they apply to digital attacks and evidence handling.
Level 2: Demonstrates knowledge and experience conducting forensic investigations and solid understanding of evidence, chain of custody, and its application to security operations.

Source: “Building a World Class Security Operations Center: A Roadmap”, May, 2015, Alissa Torres

Slide 32

Sample SOC Analyst Functions

[Figure: Sample SOC analyst functions. Front lines: Tier 1 Alert Analysts monitoring Networks, Applications and Servers. Escalation path: Tier 1 Alert Analyst -> Tier 2 Incident Responder -> SME / Hunter, with SME / Hunters also working Threats directly. The SOC Manager coordinates all tiers.]

SOC Manager
In addition to SOC analysts, a security operations center requires a ringmaster for its many moving parts. The SOC manager often fights fires, within and outside of the SOC. The SOC manager prioritizes work and organizes resources with the ultimate goal of detecting, investigating and mitigating incidents that could impact the business. The SOC manager develops a workflow model and implements standard operating procedures (SOPs) for the incident-handling process that guide analysts through triage and response procedures.

Source: “Building a World Class Security Operations Center: A Roadmap”, May, 2015, Alissa Torres

Slide 33

Sample SOC Analyst Schedule


Level 1 Security Analysts Level 2 Security Analysts
Time Analyst 1 Analyst 2 Analyst 3 Analyst 4
6:00 On Console Escalation / OOB Daily Operations Meeting
7:00 On Console Unstructured Analysis Escalation / OOB
8:00 QA & AAR On Console Escalation / OOB
9:00 Escalation / OOB On Console Break
10:00 Break On Console Escalation / OOB
11:00 On Console Break Escalation / OOB
12:00 On Console Escalation / OOB Meetings Unstructured Analysis
13:00 On Console Escalation / OOB Meetings Meetings
14:00 Break On Console Meetings Escalation / OOB
15:00 Escalation / OOB On Console Meetings
16:00 On Console Escalation / OOB Unstructured Analysis
17:00 On Console Break Escalation / OOB
18:00 Unstructured Analysis On Console Break
19:00 Escalation / OOB On Console Escalation / OOB
20:00 Break On Console QA & AAR
21:00 On Console Break Escalation / OOB
22:00 On Console Escalation / OOB
23:00 On Console Unstructured Analysis
0:00 QA & AAR On Console

Source: “Building a World Class Security Operations Center: A Roadmap”, May, 2015, Alissa Torres

Slide 34

Lesson: SOC Process / Procedures

Cyber Threat Hunting Process
Threat Hunting Maturity Model
Threat Hunting Loop & Matrix
Incident Management Process
NIST 800-61 Incident Response Lifecycle

Slide 35

SOC Processes - Purpose, Goals & Objectives


• What are the key SOC processes?
• Cyber threat hunting is a focused and iterative approach to searching out,
identifying and understanding adversaries internal to the defender’s networks.
• Incident Response is an organized approach to addressing and managing the
aftermath of a security breach or attack

• Cyber Threat Hunting Goals and Objectives


• Threat hunting is not a single state but a progression based on what data is
available to search and how to sort through it
• A threat hunting approach should be tailored to the organization and its threat
landscape
• Waiting until the attack cycle is complete is costly and the damage has been
done

• Incident Response Goals and Objectives


• Handle the situation in a way that limits damage and reduces recovery time
and costs
• An incident response plan includes a policy that defines an incident and a step-
by-step process that is followed when an incident occurs

Slide 36

SOC Processes - Purpose, Goals & Objectives


• Purpose
• Search out, identify & understand adversaries internal to the defender’s
networks
• Enables a proactive threat search tailored to the organization’s threat
landscape

• Goal
• A cyber threat hunting capability to iteratively search out and identify
• Threats
• Understanding of the adversary
• Cybersecurity incident response process

• Objectives
• Handle cyber events in a way that
• Limits damage
• Reduces recovery time & costs
• An incident response plan that includes a policy that defines
• An incident
• A step-by-step process that is followed when an incident occurs

Slide 37

Cyber Threat Hunting Process


Cyber Threat Hunting is the process of proactively and iteratively searching through
networks to detect and isolate advanced threats that evade existing security
solutions. Threat hunters use various techniques to find the adversary, and no
single one of them is always “right”.

Hunting consists of manual or machine-assisted techniques, as opposed to relying
only on automated systems like SIEMs. Alerting is important, but cannot be the only
focus of a detection program.

One of the chief goals of hunting should be to improve automated detection by
prototyping new ways to detect malicious activity and then turning those
prototypes into effective new automations.

Factors to consider when judging an organization’s hunting ability:

• The quantity and quality of the data collected;
• The ways to visualize and analyze various types of data;
• The kinds of automated analytics applied to the data to enhance analyst insights.

The quality and quantity of the data that an organization collects from its IT
environment is a strong factor in determining its level of Hunting Maturity.

Slide 38

Threat Hunting Maturity Model (HMM)


Threat hunting can be a manual process, in which a security analyst sifts
through various data using their own knowledge and familiarity with the
network to create hypotheses about potential threats, such as, but not
limited to, Lateral Movement by Threat Actors. To be even more effective and
efficient, however, threat hunting can be partially automated, or
machine-assisted, as well. In this case, the analyst utilizes software that
leverages machine learning and user and entity behavior analytics (UEBA) to
inform the analyst of potential risks. The analyst then investigates these
potential risks, tracking suspicious behavior in the network. Thus hunting is
an iterative process, meaning that it must be continuously carried out in a
loop, beginning with a hypothesis.

Hunting Maturity Model levels (used with permission from SQRRL):

HM4: Automates the majority of successful data analysis procedures. High or very high level of routine data collection.
HM3: Creates new data analysis procedures. High or very high level of routine data collection.
HM2: Follows data analysis procedures created by others. High or very high level of routine data collection.
HM1: Incorporates threat intelligence indicator searches. Moderate or high level of routine data collection.
HM0: Relies primarily on automated alerting. Little or no routine data collection.

There are three types of hypotheses:

1. Analytics-Driven: Machine-learning and UEBA, used to develop aggregated risk scores that can
also serve as hunting hypotheses
2. Situational-Awareness Driven: Crown Jewel analysis, enterprise risk assessments, company- or
employee-level trends
3. Intelligence-Driven: Threat intelligence reports, threat intelligence feeds, malware analysis,
vulnerability scans

Slide 39

Hunting Maturity Level 0 - 2

HM0 (Initial)

HM0 organizations are not considered to be capable of hunting. Organizations rely primarily on
automated alerting tools such as IDS, SIEM or antivirus to detect malicious activity across the
enterprise. They incorporate signature updates or threat intelligence indicators, and create their
own signatures or indicators, but these are fed directly into the monitoring systems. The human
effort at HM0 is directed primarily toward alert resolution. HM0 organizations also do not collect
much information from their IT systems so their ability to proactively find threats is limited.

HM1 (Minimal)

HM1 is the first level in which any type of hunting occurs, even though it is minimal.
Organizations rely primarily on automated alerting to drive their incident response process, but
they supplement with some routine collection of IT data. These organizations are intel-driven:
they base their detection in large part on available threat intelligence. They track the latest
threat reports from a combination of open and closed sources. HM1 organizations routinely collect
at least a few types of data from their enterprise into a central location such as a SIEM or log
management product. Some may actually collect a lot of information. When new threats come to
their attention, analysts are able to extract the key indicators from these reports and search
historical data to find out if they have been seen in at least the recent past.

HM2 (Procedural)

HM2 is the most common level among organizations that have hunting programs. Organizations learn
and apply procedures developed by others on a somewhat regular basis. They may make minor changes,
but are not yet capable of creating new procedures themselves. HM2 organizations usually collect a
large amount of data from across their enterprise.

Used with permission from SQRRL

Slide 40

Hunting Maturity Level 3 - 4

HM3 (Innovative)

HM3 organizations can be quite effective at finding and combating threat actor activity.
Organizations have at least a few hunters who understand a variety of different types of data
analysis techniques and are able to apply them to identify malicious activity. Instead of relying
on procedures developed by others, these organizations are usually the ones who are creating and
publishing the procedures. Analytic skills may be as simple as basic statistics or involve more
advanced topics such as linked data analysis, data visualization or machine learning. Data
collection is typically more advanced. The key at this stage is for analysts to apply these
techniques to create repeatable procedures, which are documented and performed on a frequent
basis. As the number of hunting processes they develop increases over time, they may face
scalability problems trying to perform them all on a reasonable schedule unless they increase the
number of available analysts to match.

HM4 (Leading)

HM4 organizations are extremely effective at resisting adversary actions. The organization is
essentially the same as one at HM3, with one important difference: automation. Any successful
hunting process will be operationalized and turned into automated detection. This frees the
analysts from the burden of running the same processes over and over, and allows them instead to
concentrate on improving existing processes or creating new ones. The high level of automation
allows them to focus their efforts on creating a stream of new hunting processes, which results
in constant improvement to the detection program as a whole.

Used with permission from SQRRL
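The hypothesis-driven hunting loop (Slide 38) and the HM3-to-HM4 step of turning a proven hunt into an automated detection (above), as an added example that is not part of the course material: a constructed set of logon events, a lateral-movement hypothesis run over them as a hunt, an HM1-style indicator search, and the hunt registered so it runs on every batch without an analyst repeating it. The CSV layout, host names, window and threshold are all assumptions.

```python
"""Added example: a threat-hunting hypothesis run over constructed logon events, then
packaged as an automated detection (the HM3 -> HM4 step). Not course material."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Constructed sample logon events (assumed CSV layout, not a real product's format):
# timestamp,user,source_host,destination_host,logon_type,result
SAMPLE_LOG = """\
2024-03-01T09:00:00,alice,WS-ALICE,FS01,network,success
2024-03-01T09:05:00,alice,WS-ALICE,MAIL01,network,success
2024-03-01T10:00:00,bob,WS-BOB,FS01,network,success
2024-03-01T22:10:00,svc-backup,WS-BOB,FS01,network,success
2024-03-01T22:11:00,svc-backup,WS-BOB,FS02,network,success
2024-03-01T22:12:00,svc-backup,WS-BOB,HR-DB,network,success
2024-03-01T22:13:00,svc-backup,WS-BOB,DC01,network,success
2024-03-01T22:14:00,svc-backup,WS-BOB,FIN-APP,network,success
2024-03-01T22:20:00,carol,WS-CAROL,BAD-HOST-01,network,success
"""


@dataclass
class LogonEvent:
    ts: datetime
    user: str
    src: str
    dst: str
    logon_type: str
    result: str


def parse_log(text: str) -> List[LogonEvent]:
    """Parse the constructed CSV layout into events; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(",")
        if len(parts) != 6:
            continue
        ts, user, src, dst, logon_type, result = parts
        events.append(LogonEvent(datetime.fromisoformat(ts), user, src, dst,
                                 logon_type, result))
    return events


def hunt_fan_out(events: List[LogonEvent], window: timedelta = timedelta(minutes=15),
                 threshold: int = 4) -> List[dict]:
    """Hypothesis: an account moving laterally reaches many distinct hosts from one
    source in a short window. Window and threshold are assumed tuning values."""
    by_key: Dict[tuple, List[LogonEvent]] = defaultdict(list)
    for e in events:
        if e.logon_type == "network" and e.result == "success":
            by_key[(e.user, e.src)].append(e)
    findings = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda ev: ev.ts)
        for i, start in enumerate(evs):
            # distinct destinations reached within `window` of this event
            dsts = {x.dst for x in evs[i:] if x.ts - start.ts <= window}
            if len(dsts) >= threshold:
                findings.append({"user": user, "src": src, "hosts": sorted(dsts),
                                 "first_seen": start.ts.isoformat()})
                break  # one finding per (user, source) is enough for triage
    return findings


def search_indicators(events: List[LogonEvent], indicators: set) -> List[LogonEvent]:
    """HM1-style hunt: sweep historical events for host names lifted from a threat report."""
    return [e for e in events if e.src in indicators or e.dst in indicators]


@dataclass
class Detection:
    name: str
    hypothesis: str
    run: Callable[[List[LogonEvent]], List[dict]]


# Once a hunt proves useful it is registered here and runs on every batch of events
# without an analyst re-running it by hand (the HM4 "operationalized" step).
DETECTIONS = [
    Detection("lateral-movement-fan-out",
              "one account reaching many hosts from one source in a short window",
              hunt_fan_out),
]


def run_detections(events: List[LogonEvent], detections=None) -> List[dict]:
    alerts = []
    for d in (detections or DETECTIONS):
        for finding in d.run(events):
            alerts.append({"detection": d.name, **finding})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in run_detections(evs):
        print(alert)
    for hit in search_indicators(evs, {"BAD-HOST-01"}):
        print("indicator match:", hit.user, "->", hit.dst)
```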

Slide 41

NIST 800-61 Incident Response Lifecycle

IT Administrators monitor systems and networks for events, or observable occurrences, which may evolve into an incident. The major
phases of the incident response process include preparation, detection and analysis, containment, eradication and recovery, and post-
incident activity.

Slide 42

Incident Management – Step 1


Step 1: Preparing to Handle Incidents

Step 1: Organizations establish Incident Management capability consisting of policies and procedures, system documentation, Incident
Response Team (IRT), and monitoring, communication, and mitigation tools. Network and security monitoring tools are used to evaluate
traffic across the network against policies and configurations that have been defined to implement effective security controls.

Slide 43

Incident Management – Step 2

Step 2: Detecting and Analyzing Incidents

Step 2: Detecting potential security incidents may be difficult since many initially evade recognition by the sole use of monitoring tools.
Knowing how a system usually behaves and learning which symptoms can indicate potential incidents is a way to recognize when you
should investigate. Correlation and analysis of events may help to identify potential incidents that may have been overlooked, which could
become a more serious problem. Early awareness of potential incidents can stop damage, disclosure, and other harmful effects before they
happen. Incident detection and analysis may take several individuals reviewing activity before it is realized that an incident has occurred.

Slide 44

Incident Management – Step 3a

Step 3: Incident Containment, Eradication and Recovery

Step 3a: There is a delicate balance between protecting evidence from an incident and containing an incident to prevent further impact. If
evidence is destroyed, it may be difficult to determine the root cause and prosecute the attacker. Containment strategies vary based on the
type of incident. Criteria for determining the appropriate strategy include the potential damage to and theft of resources, need for evidence
preservation, service availability (e.g., network connectivity, services provided to external parties), time and resources needed to implement
the strategy, effectiveness of the strategy (e.g., partially contains the incident, fully contains the incident), and duration of the solution
(emergency workaround vs. temporary workaround vs. permanent solution).

Slide 45

Incident Management – Step 3b


Step 3: Incident Containment, Eradication and Recovery

Step 3b: After an incident has been contained and evidence preserved, as appropriate, eradication may be necessary to eliminate
components of the incident. Deleting malicious code and disabling breached user accounts are examples of eradication. For some
incidents, eradication is either not necessary or is performed during recovery. During recovery, IT Administrators restore systems to
normal operation and, as necessary, harden systems to prevent similar incidents. Recovery may involve such actions as restoring systems
from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing
passwords, and adding or strengthening other security controls.

Slide 46

Incident Management – Step 4

Step 4: Post Incident Activity

Step 4: As an IT Administrator, you may be asked to participate in “lessons learned” exercises to discuss: Exactly what happened,
and at what times? How well did staff and management perform in dealing with the incident? Were the documented procedures followed?
Were they adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery? What
would the staff and management do differently the next time a similar incident occurs? What corrective actions can prevent similar
incidents in the future? What additional tools or resources are needed to detect, analyze, and mitigate future incidents?

Slide 47

Lesson
SOC Services

SOC Services Purpose, Goals and Objectives


Managed Security Services
Security Consulting and Testing Services
Managed Network Security Services
Managed Monitoring and Operations
Incident Response and Forensics Services

Slide 48

SOC Services – Purpose, Goals & Objectives


• Purpose
• Manage security threats & attacks on an organization’s digital perimeter & applications
• Provide ongoing security expertise to keep pace with
• Changing compliance requirements
• Emerging threats
• Changing business demands

• Goals
• Improved ROI: Reduce costs by outsourcing security operations and leveraging
investments in technology and trained resources
• Enhanced security posture: Manage risks through skilled resources, defined processes,
and leading edge technologies
• Regulatory & policy compliance: Security policy and regulations relating to log
retention, data protection, data privacy, etc.
• Business aligned reporting: Integrated view of threats, vulnerabilities, performance and
compliance dashboard for effective decision making relating to security

• Objectives
• Deploy capabilities for 24 x 7
• Monitoring & managing security infrastructure
• Operational security issues
• Deploy IT security tools to solve security issues

Slide 49

Managed Security Services

• Security Consulting & Testing Services
• Managed Network Security Services
• Managed Monitoring & Operations Services
• Incident Response (IR) & Forensics Services

Slide 50

Security Consulting & Testing Services


• Cyber Risk Assessment: Review internal and external security controls against a broad number
of cyber threats. Produce a quarterly risk-assessment score against key security controls.
Include risk-reducing recommendations and implementation roadmap. Calculate and compare
the organization’s controls against key control frameworks and industry peers.

• Penetration Testing: Pen testing helps organizations identify how a malicious user can gain
unauthorized access to assets and affect the security of systems, files, logs and/or information
assets. Pen testers attempt to access the organization’s sensitive information by exploiting
vulnerabilities in applications, systems and / or information. The tester will analyze the
collected data and create a report with recommendations to mitigate vulnerabilities that were
discovered.

• Vulnerability Management: Vulnerability management is the cyclical practice of identifying,
classifying, remediating, and mitigating vulnerabilities. Vulnerability management includes
four steps:
• Step 1: Identify the organization’s assets and assign a criticality value to each asset.
• Step 2: Identify the system owner(s) for each system.
• Step 3: Establish a vulnerability scanning program and determine the frequency of scanning.
• Step 4: Establish and document timelines and thresholds for remediation.

• Web Application Testing: Application analysis is an important part of enterprise security. Web
application testing can find and fix security flaws in software and prevent the damage that
unforeseen vulnerabilities can cause to a business.

• Compliance Audit: A compliance audit is a comprehensive review of an organization's
adherence to regulatory guidelines. Independent accounting, security or IT consultants
evaluate the strength and thoroughness of compliance preparations.
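The four vulnerability management steps above as an added worked example (not the course’s material): assets carry a criticality value and an owner, the scan interval follows criticality, and the remediation deadline follows criticality tier and finding severity, with an overdue report per owner and a flag for findings on assets missing from the inventory. The interval and deadline values, asset names, owners and vulnerability ids are all constructed assumptions.

```python
"""Added example of the four vulnerability management steps (not course material):
asset criticality and owners, scan cadence, and remediation deadlines.
All policy values and sample data are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int   # Step 1: 1 (low) .. 5 (critical), assigned by the organization
    owner: str         # Step 2: accountable system owner


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str       # constructed ids; a real program would carry CVE or scanner ids
    severity: str      # "critical" | "high" | "medium" | "low"
    first_seen: date


# Step 3: scan interval in days by asset criticality (assumed policy values).
SCAN_INTERVAL_DAYS = {5: 7, 4: 14, 3: 30, 2: 30, 1: 90}

# Step 4: remediation timeline in days by asset tier and finding severity (assumed).
REMEDIATION_DAYS = {
    "high":     {"critical": 7,  "high": 14, "medium": 30, "low": 90},
    "standard": {"critical": 14, "high": 30, "medium": 60, "low": 180},
}


def tier(asset: Asset) -> str:
    """Assets with criticality 4 or 5 get the tighter remediation timelines."""
    return "high" if asset.criticality >= 4 else "standard"


def next_scan_due(asset: Asset, last_scan: date) -> date:
    return last_scan + timedelta(days=SCAN_INTERVAL_DAYS[asset.criticality])


def remediation_due(asset: Asset, finding: Finding) -> date:
    days = REMEDIATION_DAYS[tier(asset)][finding.severity]
    return finding.first_seen + timedelta(days=days)


def overdue_findings(assets: List[Asset], findings: List[Finding], today: date) -> List[dict]:
    """Findings past their remediation deadline, with the owner to chase (Step 2).
    A finding on an asset that is not in the inventory is reported as a Step 1 gap."""
    by_name = {a.name: a for a in assets}
    overdue = []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            overdue.append({"asset": f.asset, "vuln_id": f.vuln_id, "owner": None,
                            "due": None, "days_overdue": None,
                            "note": "asset not inventoried"})
            continue
        due = remediation_due(asset, f)
        if today > due:
            overdue.append({"asset": asset.name, "vuln_id": f.vuln_id,
                            "owner": asset.owner, "due": due,
                            "days_overdue": (today - due).days, "note": ""})
    return overdue


def owner_report(overdue: List[dict]) -> Dict[str, int]:
    """Overdue findings per owner; uninventoried assets are charged to 'UNASSIGNED'."""
    counts: Dict[str, int] = defaultdict(int)
    for item in overdue:
        counts[item["owner"] or "UNASSIGNED"] += 1
    return dict(counts)


# Constructed inventory and scan results.
ASSETS = [
    Asset("HR-DB", 5, "hr-platform"),
    Asset("WIKI", 2, "intranet-team"),
]
FINDINGS = [
    Finding("HR-DB", "VULN-A", "critical", date(2024, 3, 1)),
    Finding("HR-DB", "VULN-B", "low", date(2024, 3, 10)),
    Finding("WIKI", "VULN-C", "medium", date(2024, 2, 1)),
    Finding("OLD-PRINTER", "VULN-D", "high", date(2024, 1, 1)),
]

if __name__ == "__main__":
    today = date(2024, 3, 15)
    for item in overdue_findings(ASSETS, FINDINGS, today):
        print(item)
    print(owner_report(overdue_findings(ASSETS, FINDINGS, today)))
```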

Slide 51

Managed Network Security Services


• Managed Firewalls: Operational management of the firewall environment, including
installation, configuration, monitoring, incident, change, patching, and reporting.

• Managed IDS / IPS: Operational management of intrusion detection and prevention
systems, including installation, configuration, monitoring, incident, change, policy
tuning, patching, and reporting.

• Managed Malware: Operational management of malware tools that alert on network-based
zero-day exploit attempts and advanced malware.

• Managed Proxy: Operational management of the proxy, including installation,
configuration, monitoring, incident, change, patching, and reporting.

• Managed Authentication: Management and monitoring of a two-factor authentication
solution to secure remote access by authorized parties.

• DDoS Protection: DDoS mitigation is a set of techniques or tools for resisting or
mitigating the impact of distributed denial-of-service (DDoS) attacks on networks
attached to the Internet by protecting the target and relay networks.

• Threat Monitoring and Analysis: Continuous analysis, assessment, and review of
security-related data collected from all sources for detecting any attempted or
successful breach of the security of a facility, operation, or system.

Slide 52

Managed Monitoring and Operations Services


• Log Management: Collect, store, and search raw logs for systems, networks, applications, security devices,
etc. Typical services include the storage of logs for one year and indexed logs for up to 90 days. The log
management capability includes filtering, along with raw log searches and downloads.

• Managed SIEM: Security devices generate threat data in the form of logs or events. The data is collected
in near-real time and sent to the managed SIEM, which performs correlation and classification of events.
The SIEM filters out benign security events and escalates the identified incidents most likely to pose a threat.
Each incident is assigned a risk rating with reference to the specific threat-detection use case.

• Threat Detection: Threat categories are based on a near-real-time, behavior-based, multifactor correlation
capability. The SIEM evaluates and correlates reputational and behavioral patterns and characteristics, as
well as signature-based detection methods. The solution includes research and threat analyses conducted
by the security intelligence team, composed of use cases, event correlation, watch lists, findings, threat
intelligence, threat actor tactics, techniques and procedures and known indicators of compromise.

• Device Health Monitoring and Management: Device availability and health monitoring platform uses IP
blacklists to help protect against known threats. Applications are kept up to date with the latest software
patches, configuration and policy management, and backup and restore capabilities.

Slide 53

Incident Response (IR) and Forensics Services


• IR Services Based on the NIST 800-61 Process:
• Step 1 - Preparation: This phase includes all the initial planning such as the definition of an
ongoing incident management program life cycle and the creation of a cross-functional team.
• Step 2 - Detection and analysis: Provide a clear identification and escalation process for
incidents and tightly integrate with existing incident management processes in the NOC and
SOC.
• Step 3 - Containment, eradication, recovery: Ensure the incident is truly contained or
remediated.
• Step 4 - Post-incident activity: Incorporate lessons learned into future incident response
plans.
• Step 5 - Testing and Training: At least once a year conduct an incident response test that goes
beyond the confines of IT or the information security staff. Train the staff to understand what
an incident is, how to respond, and how to put incident response into the greater context of
information security.

• Computer Forensics Services:
• The practice of collecting, analyzing and reporting on digital data in a way that is legally
admissible. A typical forensics process includes:
• Protect the evidence so it isn’t damaged, destroyed or otherwise compromised during the
investigation
• Establish and maintain a continuing chain of evidentiary custody, and perform due diligence to confirm
evidence and processes comply with Federal Rules of Evidence
• Acquire and examine devices known or suspected to be infected with malware, without putting other
systems at risk
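The evidence-protection and chain-of-custody practice above as an added example (not from the course): each evidence item is hashed at acquisition, every custody event is appended as a hash-chained log entry that re-hashes the evidence, and two checks detect evidence that changed or a custody log that was edited, truncated or had an entry removed. Custodian names, timestamps and the evidence bytes are constructed.

```python
"""Added example (not course material): a hash-chained chain-of-custody log for one
evidence item, plus checks that detect altered evidence or an altered log.
Custodian names, timestamps and the evidence bytes are constructed."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # previous-entry hash used by the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    when: str             # ISO 8601 timestamp, UTC
    custodian: str        # who held the item after this action
    action: str           # acquired / transferred / examined / returned ...
    evidence_hash: str    # hash of the evidence as observed at this step
    prev_entry_hash: str  # links to the previous entry (hash chain)
    entry_hash: str = ""  # hash over all fields above, filled in on append

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    acquired_hash: str                 # reference hash taken at acquisition
    entries: List[CustodyEntry] = field(default_factory=list)

    def add_entry(self, custodian: str, action: str, evidence: bytes,
                  when: Optional[str] = None) -> CustodyEntry:
        """Append a custody event; the evidence is re-hashed at every hand-over."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(when, custodian, action, sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry


def acquire(item_id: str, description: str, evidence: bytes, custodian: str,
            when: Optional[str] = None) -> EvidenceRecord:
    """Open the record: take the reference hash and log the acquisition itself."""
    record = EvidenceRecord(item_id, description, sha256_hex(evidence))
    record.add_entry(custodian, "acquired", evidence, when)
    return record


def verify_evidence(record: EvidenceRecord, evidence: bytes) -> bool:
    """Is the item still byte-for-byte what was acquired?"""
    return sha256_hex(evidence) == record.acquired_hash


def verify_chain(record: EvidenceRecord) -> bool:
    """Every entry must recompute to its stored hash, link to its predecessor and
    report the acquisition hash; an edited, removed or inserted entry, or evidence
    that changed while in someone's custody, makes this return False."""
    prev = GENESIS
    for entry in record.entries:
        if (entry.prev_entry_hash != prev
                or entry.entry_hash != entry.compute_hash()
                or entry.evidence_hash != record.acquired_hash):
            return False
        prev = entry.entry_hash
    return True


# Constructed evidence item standing in for a disk image.
EVIDENCE = b"constructed disk image contents"


def demo_record() -> EvidenceRecord:
    """Three custody events over the constructed item, with fixed timestamps."""
    record = acquire("ITEM-001", "laptop disk image (constructed)", EVIDENCE,
                     "analyst-1", "2024-03-01T10:00:00+00:00")
    record.add_entry("analyst-2", "transferred to lab", EVIDENCE,
                     "2024-03-01T12:00:00+00:00")
    record.add_entry("analyst-2", "examined (read-only)", EVIDENCE,
                     "2024-03-02T09:30:00+00:00")
    return record


if __name__ == "__main__":
    rec = demo_record()
    print("evidence intact:", verify_evidence(rec, EVIDENCE))
    print("custody log intact:", verify_chain(rec))
```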

Slide 54

Lesson
SOC Options

SOC Alternatives
SOC Decision Criteria
Closing Thoughts on SOCs

Slide 55

SOC Alternatives

Do It Yourself (DIY):
• Central Log Management
• Security Information and Event Management (SIEM)

OR

With a service provider:
• Managed Security Services (MSS)
• Co-Managed SIEM

Slide 56

Central Log Management


• Purpose: The primary drivers for log management implementations are concerns about security, system
and network operations and regulatory compliance.

• Event Log Sources: Operating systems, devices and applications all generate logs that contain system-
specific events and notifications.

• Log Collection and Storage: Organizations deploy centralized syslog servers or use commercial products to
address the log acquisition, transport and storage issues.

• Log Management Challenges: Analyzing large volumes of diverse logs:

• Volume: log data can reach hundreds of gigabytes per day for a large organization. Simply
collecting, centralizing and storing data at this volume can be challenging.
• Normalization: logs are produced in multiple formats. Normalization maps events from diverse
sources onto a common schema so they can be analyzed together.
• Velocity: the speed at which devices produce logs can make collection and aggregation
difficult; a collector that cannot keep up drops events (UDP syslog, in particular, gives no indication
that it did).
• Veracity: log events may not be accurate. This is especially problematic for systems that perform
detection, such as intrusion detection systems, whose alerts include false positives.

• Benefits and Weaknesses
• Generally the lowest cost alternative
• Requires investment for implementation and ongoing management
• Threat detection is not as strong as SIEM based options
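Normalization in practice, as an added Python example that is not code from the slides: three constructed log lines in three formats (BSD syslog from sshd, key=value from a firewall, JSON from a web application) are mapped onto one common schema, and a line no parser understands is reported rather than silently dropped. The schema field names, the regular expressions and the sample lines are my own assumptions for the demonstration.

```python
"""Log normalization into a common event schema.

Added example, not code from the NIST CSF Practitioner slides. Three
constructed log lines in three formats plus one unparseable line are mapped
onto one common record so a single query or rule can run across sources.
The common field names (ts, host, source, event, user, src_ip, outcome) and
the sample lines are assumptions made for the demo.
"""
import json
import re
from datetime import datetime
from typing import List, Optional, Tuple

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSHD_AUTH_RE = re.compile(
    r"(?P<outcome>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog(line: str, year: int = 2024) -> Optional[dict]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # BSD syslog timestamps carry no year; the collector has to supply it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ev = {"ts": ts.strftime("%Y-%m-%dT%H:%M:%S"), "host": m["host"], "source": m["app"],
          "event": "auth", "user": None, "src_ip": None, "outcome": "unknown"}
    a = SSHD_AUTH_RE.search(m["msg"])
    if a:
        ev.update(user=a["user"], src_ip=a["ip"],
                  outcome="success" if a["outcome"] == "Accepted" else "failure")
    return ev


def parse_kv(line: str) -> Optional[dict]:
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "action" not in kv or "srcip" not in kv:
        return None
    return {"ts": kv.get("time"), "host": kv.get("devname"), "source": "firewall",
            "event": "connection", "user": kv.get("user"), "src_ip": kv["srcip"],
            "outcome": "success" if kv["action"] == "allow" else "failure"}


def parse_json(line: str) -> Optional[dict]:
    try:
        j = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(j, dict):
        return None
    return {"ts": j.get("timestamp"), "host": j.get("server"), "source": "webapp",
            "event": j.get("type", "unknown"), "user": j.get("username"),
            "src_ip": j.get("client_ip"),
            "outcome": "success" if j.get("status") == "ok" else "failure"}


def normalize(line: str) -> Optional[dict]:
    """Try each parser in turn; an unrecognised format yields None, not a half-filled record."""
    for parser in (parse_json, parse_syslog, parse_kv):
        ev = parser(line)
        if ev is not None:
            return ev
    return None


def normalize_all(lines: List[str]) -> Tuple[List[dict], List[str]]:
    """Returns (normalized events, lines no parser understood). Unparsed lines are
    kept and counted: silently dropping them would hide a coverage gap."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


# Constructed sample input (not real logs).
SAMPLE_LINES = [
    "Jan  5 10:00:01 bastion sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2",
    'time=2024-01-05T10:00:02Z devname=fw1 srcip=203.0.113.5 dstip=10.0.0.5 dstport=22 action=deny user="N/A"',
    '{"timestamp": "2024-01-05T10:00:03Z", "server": "web1", "type": "login", "username": "jdoe", "client_ip": "198.51.100.7", "status": "ok"}',
    "### corrupted line from a bad collector buffer ###",
]

if __name__ == "__main__":
    events, unparsed = normalize_all(SAMPLE_LINES)
    for ev in events:
        print(ev)
    print(f"{len(events)} normalized, {len(unparsed)} unparsed")
```

Once the three sources share one `src_ip` and `outcome` field, a single question ("what did 203.0.113.5 do?") is answerable across sshd, the firewall and the web application, which is the whole point of normalization. The unparsed count is the veracity check on the pipeline itself: if it climbs, a source changed its format and the analysis is running on a partial picture.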

Slide 57

DIY Security Information and Event Management (SIEM)


• Purpose: SIEM products typically provide most of the features required for log management and add event
reduction, alerting and real-time analysis. Most organizations find that once log collection is
addressed, the need for analysis and monitoring becomes immediately apparent.

• SIEM Operations: A SIEM is an in-house technology that supports threat detection and security incident
response through collection and analysis of security events from a variety of event and data sources.
• Once you have the logs, to get real value, you need a solution that will find problems and sort through
the massive amounts of data quickly.
• SIEMs provide the layer of technology that allows one to say with confidence that not only are logs being
gathered but they are also being reviewed.
• SIEM also allows for the importation of data that isn't necessarily event-driven (such as vulnerability
scanning reports) - hence the "Information" portion of SIEM.

• SIEM Challenges: Some of the key challenges include:

• Collecting the right type of data. Not collecting enough data can result in gaps, while collecting too much
may overwhelm the system and exceed the product’s license (SIEMs are commonly licensed by event rate or
daily volume).
• Analysts can be inundated with security alerts.
• Security operations tools failing to be smoothly integrated into an organization’s security operations. When
disparate security tools are cobbled together, crucial threats can slip through the cracks.

• SIEM Benefits and Weaknesses


• Provides additional intelligence vs. central log management
• Requires significant investment in technology and people to implement
• Requires additional cost for 24 x 7 operation
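The event reduction and correlation that a SIEM adds over central log management, as an added Python example that is not code from the slides or from any SIEM product: a constructed batch of already-normalized authentication events is aggregated into counted records, and a correlation rule fires only when a burst of failures from one source IP is followed by a success from the same IP inside a time window, while a user's two mistyped passwords stay below threshold. The threshold, the window and the field names are assumptions for the demonstration.

```python
"""Event reduction and correlation over normalized events.

Added example, not code from the NIST CSF Practitioner slides. The input is
a constructed batch of already-normalized authentication events (the
common-schema records a SIEM holds after parsing). It shows the two
capabilities that distinguish a SIEM from plain log storage: event reduction
(collapsing repeated identical events into one aggregated record with a
count) and correlation (a rule that fires only when a burst of failures from
one source is followed by a success from that same source inside a time
window). The threshold, window and field names are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAIL_THRESHOLD = 5              # failures needed before a later success is suspicious
WINDOW = timedelta(minutes=10)  # failures older than this no longer count


def reduce_events(events: List[dict]) -> List[dict]:
    """Aggregate events with the same (src_ip, user, outcome) into one record
    carrying first/last timestamps and a count."""
    groups: Dict[tuple, dict] = {}
    for ev in events:
        key = (ev["src_ip"], ev["user"], ev["outcome"])
        g = groups.setdefault(key, {"src_ip": ev["src_ip"], "user": ev["user"],
                                    "outcome": ev["outcome"], "first": ev["ts"],
                                    "last": ev["ts"], "count": 0})
        g["count"] += 1
        g["first"] = min(g["first"], ev["ts"])
        g["last"] = max(g["last"], ev["ts"])
    return list(groups.values())


def correlate(events: List[dict]) -> List[dict]:
    """Rule: >= FAIL_THRESHOLD failures from one src_ip within WINDOW, then a
    success from that src_ip. A few failures followed by success (a mistyped
    password) stays below threshold and does not alert."""
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        ip = ev["src_ip"]
        # Forget failures that have aged out of the window.
        recent_failures[ip] = [f for f in recent_failures[ip] if t - f <= WINDOW]
        if ev["outcome"] == "failure":
            recent_failures[ip].append(t)
        elif ev["outcome"] == "success" and len(recent_failures[ip]) >= FAIL_THRESHOLD:
            alerts.append({"rule": "brute_force_then_success", "src_ip": ip,
                           "user": ev["user"], "failures": len(recent_failures[ip]),
                           "at": ev["ts"]})
            recent_failures[ip] = []  # one alert per burst, not one per later success
    return alerts


def _auth(ts: str, ip: str, user: str, outcome: str) -> dict:
    return {"ts": ts, "source": "sshd", "event": "auth",
            "src_ip": ip, "user": user, "outcome": outcome}


def build_sample_events() -> List[dict]:
    """Constructed batch: one real brute force, one slow scatter of failures that
    never fills the window, and one user who mistyped a password twice."""
    ev = []
    # 203.0.113.5: six failures in 2.5 minutes, then success -> should alert
    ev += [_auth(f"2024-01-05T10:{i // 2:02d}:{(i % 2) * 30:02d}", "203.0.113.5", "admin", "failure")
           for i in range(6)]
    ev.append(_auth("2024-01-05T10:04:00", "203.0.113.5", "admin", "success"))
    # 198.51.100.7: six failures 8 minutes apart, then success -> never five
    # inside one 10-minute window, so no alert
    ev += [_auth(f"2024-01-05T09:{8 * i:02d}:00", "198.51.100.7", "root", "failure")
           for i in range(6)]
    ev.append(_auth("2024-01-05T09:45:00", "198.51.100.7", "root", "success"))
    # 192.0.2.9: two typos then success -> below threshold, no alert
    ev += [_auth("2024-01-05T11:00:00", "192.0.2.9", "jdoe", "failure"),
           _auth("2024-01-05T11:00:20", "192.0.2.9", "jdoe", "failure"),
           _auth("2024-01-05T11:00:40", "192.0.2.9", "jdoe", "success")]
    return ev


if __name__ == "__main__":
    events = build_sample_events()
    reduced = reduce_events(events)
    print(f"{len(events)} events reduced to {len(reduced)} records")
    for a in correlate(events):
        print("ALERT", a)
```

Run it directly to see 17 events reduced to 6 records and exactly one alert. `FAIL_THRESHOLD` and `WINDOW` are the tuning knobs the "analysts inundated with alerts" challenge above refers to: set the threshold to 2 and the typo case fires too, and at scale that is the alert flood that buries the real brute force.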

Slide 58

Managed Security Service Providers (MSSPs)


• Purpose: Provide outsourced monitoring and management of security devices and systems

• MSSP Services: MSSPs use high-availability security operation centers (either from their own
facilities or from other data center providers) to provide 24/7 services designed to reduce the
number of operational security personnel an enterprise needs to hire, train and retain to
maintain an acceptable security posture. With an MSSP, log monitoring and management is
a service, so organizations are able to rely on MSSP experts to monitor and manage event
logs instead of doing it themselves.

• MSSP Advantages:
• Extension of the security team
• Expertise without staff turnover
• Specialized duties and defined processes
• Advanced threat detection and global threat intelligence
• Knowledge of incidents and events
• Less time that organizations need to spend reviewing logs

• MSSP Weaknesses:
• Lack of detailed knowledge and understanding of the organization’s IT and business environment
• Alerts may be basic and require the customer to perform triage and forensics
• Any deviation from the MSSP’s standard services comes at additional cost

Slide 59

Co-Managed SIEM
• Purpose: Co-management uses a role-based security model to define rules of engagement
inside the customer’s environment: the service provider is logged in to the customer’s SIEM and
monitors in real time, without customer data being sent to a third party.

• Co-Management Services: Provides guidance, support and expertise for SIEM and other
security solutions, while the organization maintains full control of its data and
technologies. The service provider acts as an extension of the organization’s security team,
ensuring the technologies are running efficiently.

• Traditional MSSP Challenges: Challenges with outsourced services include:


• Service provider’s lack of knowledge of the client’s environment,
• Service provider’s standardization of services into a “one-size-fits-all” offering
• Client’s lack of visibility into the service provider’s environment
• Lack of clearly defined role-based security between the client and the service provider.

• Co-Management Benefits:
• Customers work directly with the service provider to understand the environment while tuning and
optimizing the technology specific to customer’s needs.
• Removes the “black box” issues created by an MSSP trying to make judgments from afar, instead of
working directly in the customer’s environment

• Co-Management Challenges
• Co-managed security services must clearly divide the security tasks the in-house team performs
from those the outside party performs.
• Boundary lines between client and provider need to mesh properly to avoid duplication and to
prevent gaps in coverage at the boundaries.

Slide 60

SOC Decision Analysis

Ten criteria (shown on the slide as a decision wheel):
1. Size of Organization
2. Industry Regulations
3. Geographic Footprint
4. Timeline
5. Growth Rate
6. Current Expertise
7. Budget
8. Vendor Relationship
9. Business Need
10. Risk Tolerance

Slide 61

SOC Decision Considerations


• Size of operation - No organization is too small for a security operations capability. However, a
smaller company may not have an adequate budget to build its own SOC.
• Compliance Obligations - If the purpose of the security operations program is compliance and
audit readiness, then an MSS provider is usually the best option.
• Geographic Footprint - Multiple geographies come with complexities (time zones, data residency,
local staffing) that need to be included in the analysis.
• Implementation Timeline - If you have experienced a public breach you may need a SOC
yesterday. There are services available that will set up a staffed security operations capability in
24–72 hours.
• Organizational / Security Growth - In a rapidly growing environment it may not be
feasible for an in-house SOC to keep up with the increasing event flows.
• Organizational / Security Expertise - If you do not have security management and security
operations expertise in your organization, you have three choices: acquire or hire the
expertise, look to your partners for in-house staffing of your SOC, or outsource to an MSS provider.
• Size of Budget - Based on the requirements of the security operations capability, identify
the solution that addresses those requirements, and then ascertain the budget needed
for that solution.
• Existing Vendor Relationships - Where such relationships are established (and healthy), it is
worth checking whether the vendor also provides managed security services.
• Vendor Bias - A strategy for a successful outcome includes due diligence on the available options;
if there is no strong bias one way or the other, go with the group preference.
• Risk Tolerance - Every organization is different and should carefully consider its business needs,
risk tolerance, and ability to sustain each security operations implementation.

Slide 62

Summary
Security Operations Center (SOC)

• ISCM is not going away
• Situational awareness is here to stay
• Doing nothing is not a viable option

(Chapter map shown on the slide: Background & Introduction; Business; Technology; Engineering; Deliverables)

Slide 63

Security Operations Center


A security operations center (SOC) is a dedicated site where enterprise information systems (web sites,
applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored,
assessed, and defended. The purpose of a SOC is to identify, investigate, prioritize, and resolve issues that
could affect the security of an organization’s critical infrastructure and data.

A well-developed and well-run SOC can perform real-time threat detection and incident response, with SOC
analysts who deliver rapid security intelligence to stakeholders and senior management: when
an attack started, who is attacking, how the attack is being conducted, and what data or systems are being
compromised. A SOC is an essential component of a continuous monitoring security capability.

Because the network is constantly being evaluated, continuous monitoring greatly improves the level of
situational awareness for IT managers. Situational awareness is the awareness of current elements in the
monitored environment that are relevant because they may potentially impact that environment today or in
the future.

Situational awareness through full network visibility is a key means for mitigating risk. Effective command and
control requires a fundamental awareness of what's occurring across the affected domain. With this
awareness, negative situations can be recognized and managed as they occur.

Review Questions:

1. Which of the following is a primary reason IT security teams struggle to maintain
an ongoing awareness of the state of IT security in their company?
A. Lack of a security policy
B. Lack of a firewall solution
C. Lack of continuous monitoring
D. Lack of vulnerability scanning

2. Which of the following offers the best definition of Information Security
Continuous Monitoring (ISCM)?
A. ISCM is maintaining ongoing awareness of information security,
vulnerabilities, and threats to support organizational risk management
decisions.
B. ISCM is a set of related programs, located at a network gateway server
that protects the resources of a private network from users from other
networks.
C. ISCM is computer software used to prevent, detect and remove malicious
software.
D. ISCM is a security management system for computers and networks that
analyzes information from various areas within a computer or a network to
identify possible security breaches, intrusions and misuse.

3. Which of the following devices are typical data sources for a Security Information
and Event Management (SIEM) solution?
A. Servers and mainframes
B. Application activity
C. Vulnerabilities and threats
D. All of the above

4. Which of the following capabilities are typically provided by a SIEM solution?
A. Network access control, event monitoring, anomaly detection
B. Correlation, data aggregation, alerting
C. Vulnerability scanning, event monitoring, network segmentation
D. Threat modeling, user access control, vulnerability scanning
5. Which of the following best describes the purpose of a Security
Operations Center (SOC)?
A. The purpose of a SOC is to troubleshoot problems or provide guidance
about products such as computers, electronic equipment, food, apparel, or
software.
B. The purpose of a SOC is to monitor networking equipment and servers for
availability, performance and capacity.
C. The purpose of a SOC is to monitor threat, vulnerability, security event
logs of applications, databases, servers, networks, desktops for detecting
and responding to security events.
D. The purpose of a SOC is for a group of cyber security practitioners from
organizations that have chosen to work together in good faith to share
threat information.

6. Which of the following is typically NOT included as a Security Consulting and
Testing Service?
A. Cyber Risk Assessment: Review internal and external security controls
against a broad number of cyber threats. Produce a quarterly risk-
assessment score against key security controls.
B. Managed Firewalls: Operational management of the firewall environment,
including installation, configuration, monitoring, incident, change, patching,
and reporting.
C. Penetration Testing: Help organizations identify how a malicious user can
gain unauthorized access to assets and affect the security of systems,
files, logs and/or information assets.
D. Vulnerability Management: The cyclical practice of identifying, classifying,
remediating, and mitigating vulnerabilities.

7. Which of the following best describes the duties of a Tier 2 Incident Responder?
A. Continuously monitors the alert queue; triages security alerts; monitors
health of security sensors and endpoints
B. Performs deep dive incident analysis by correlating data from various
sources; determines if a critical system or data set is impacted
C. Possesses in-depth knowledge of network, endpoint, threat intelligence,
forensics and malware reverse engineering, as well as the functioning of
specific applications or underlying IT infrastructure.
D. Manages resources to include personnel, budget, shift scheduling and
technology strategy to meet SLA.
8. Which of the following describes cyber threat hunting?
A. Cyber Threat Hunting is a strategy for managing patches or upgrades for
software applications and technologies
B. Cyber Threat Hunting is the process of proactively and iteratively
searching through networks to detect and isolate advanced threats that
evade existing security solutions
C. Cyber Threat Hunting is a systems engineering process for establishing
and maintaining consistency of a product's performance, functional and
physical attributes with its requirements, design and operational
information throughout its life.
D. Cyber Threat Hunting is maintaining ongoing awareness of information
security, vulnerabilities, and threats to support organizational risk
management decisions.

9. Which of the following are the four steps of incident response as defined by NIST
Publication 800-61?
A. Identify; Protect; Detect; Respond and Recover
B. Plan; Do; Check; Act
C. Preparation; Detection & Analysis; Containment, Eradication & Recovery;
Post-incident Activity
D. Preparation; Detection; Analysis; Action on Objectives

10. Which of the following is not a consideration in building a Security Operations
Center vs. outsourcing to a Managed Security Services Provider (MSSP)?
A. Size of Budget
B. Timeline for Implementing a Solution
C. Current Expertise in the Organization
D. Average salary of workforce
Answer Key:
1. C
The chief reason is lack of continuous monitoring: the absence of real-time visibility into
the overall security picture plagues many organizations. A security policy, a firewall
solution and vulnerability scanning are examples of security controls, but
they do not by themselves provide ongoing awareness of the state of security.

2. A
ISCM is maintaining ongoing awareness of information security, vulnerabilities,
and threats to support organizational risk management decisions. Answer B
describes a firewall. Answer C describes anti-virus software. Answer D describes
an Intrusion Detection System.

3. D
All of the above are data sources for a SIEM

4. B
SIEM solutions typically provide correlation of logs and events, data aggregation and
alerting, along with activity baselining, anomaly detection and IP reputation. Choices A, C
and D are incorrect because each includes at least one capability a SIEM does not
provide: network access control, vulnerability scanning, network segmentation, threat
modeling, or user access control.

5. C
The purpose of a SOC is to monitor threat, vulnerability, security event logs of
applications, databases, servers, networks, desktops for detecting and
responding to security events. Answer A describes a Help Desk. Answer B
describes a Network Operations Center (NOC). Answer D describes Threat
Sharing.

6. B
Managed Firewalls is a Managed Network Security Service. All other answers, A,
C, D, are Security Consulting and Testing Services.

7. B
A Tier 2 Incident Responder performs deep dive incident analysis by correlating
data from various sources; determines if a critical system or data set is impacted.
Answer A describes a Tier 1 Analyst. Answer C describes a Tier 3 Subject Matter
Expert / Hunter. Answer D describes a SOC manager.
8. B
Cyber Threat Hunting is the process of proactively and iteratively searching
through networks to detect and isolate advanced threats that evade existing
security solutions. Answer A is patch management. Answer C is configuration
management. Answer D describes Information Security Continuous Monitoring
(ISCM).

9. C
The four steps of incident response as defined by NIST Publication 800-61 are:
Preparation; Detection & Analysis; Containment, Eradication and Recovery;
Post-incident Activity.

10. D
Average workforce salary is not typically a consideration when deciding whether
to build a SOC vs. Outsourcing to an MSSP. All other answers A, B, C are
considerations.
