Cyber Security-1

The document discusses the importance of cybersecurity, detailing its evolution, key concepts, and the role of human factors in cyber threats. It provides an overview of Palo Alto Networks, its cybersecurity solutions, and the significance of various security models and attack types. Additionally, it outlines the structure of a cybersecurity internship program, including objectives and contributions made during the internship.


ABSTRACT

Cyber Security is often used interchangeably with the terms Information Security
and Computer Security. This work gives an introduction to Cyber Security and also
discusses its history. It also covers how Cyber Security goes beyond the limits of
traditional information security to involve not only the security of information
tools but also other assets, including a person's own confidential information.

In computer security or information security, the human factor mostly concerns
people's duties in the security process. In Cyber Security, the human factor has an
added dimension: humans are the targets of cyber-attacks, or may even become part
of a cyber-attack unknowingly. This work also covers cybercriminals and cyber
risks, and goes on to classify cybercrimes as those against individuals, property,
organizations and society.

Impacts of security breaches are also discussed. Countermeasures for computer security
are discussed along with Cyber Security standards, services, products, consultancy
services, governance and strategies. Risk management together with the security
architecture has also been discussed. Other sections cover regulation and certification
controls, recovery and continuity plans, and Cyber Security skills.

We also provide a company overview, followed by the internship description and
core objectives. Then we state my contribution during the internship period and to
the report.

Moreover, we have discussed the importance of cyber security, cyber risk, coupled
with the approach of computer and information security.

Organization Information:

Palo Alto Networks, Inc. is an American multinational cybersecurity company with
headquarters in Santa Clara, California. The core product is a platform that includes
advanced firewalls and cloud-based offerings that extend those firewalls to cover other
aspects of security. The company serves over 70,000 organizations in over 150 countries,
including 85 of the Fortune 100. It is home to the Unit 42 threat research team and hosts the
Ignite cybersecurity conference. It is a partner organization of the World Economic Forum.
In 2018, Palo Alto Networks was listed 8th in the Forbes Digital 100. In June 2018,
former Google and SoftBank executive Nikesh Arora joined the company
as Chairman and CEO.

Palo Alto Networks is a well-known cybersecurity organization that specializes in advanced
security solutions for various IT environments, including network, cloud, and endpoint
security. Founded in 2005 by Nir Zuk and headquartered in Santa Clara, California, the
company has become a prominent player in the cybersecurity industry.

The three pillars of Palo Alto Networks' strategy are

• Visibility and access control
• Data loss protection
• Threat Prevention

Programs and opportunities:

The Institute combines pioneering research with top-class education. An innovative
curriculum allows the student flexibility in selecting courses and projects. Students, even at
the undergraduate level, get to participate in ongoing research and technology
development, an opportunity unprecedented in India. As a result, a vibrant
undergraduate programme co-exists with a strong postgraduate programme.

INDEX

S.NO CONTENTS

1. Introduction
2. Cyber Security Networks

2.1 Introduction to Cyber Security


2.2 Fundamentals of Network Security
2.3 Fundamentals of Cloud Security
2.4 Fundamentals of SOC (security operation center)

3. Certificates
3.1 Introduction to Cybersecurity
3.2 Fundamentals of Network Security
3.3 Fundamentals of Cloud Security
3.4 The Fundamentals of SOC (Security Operations Centre)

4. Conclusion

Introduction Palo Alto Networks

Palo Alto Networks offers an enterprise cybersecurity platform that provides network
security, cloud security, endpoint protection, and various cloud-delivered security services.
Palo Alto Networks is one such vendor that offers a comprehensive and easy-to-use set of
firewalls, including NGFWs and a Web Application and API Security platform, which includes
a built-in WAF. Palo Alto has a dedicated management interface, which makes it easy to
manage the device and handle the initial configuration. It has fantastic throughput, and its
connection speed is pretty fair, even when dealing with a high-traffic load. With Palo Alto, I
can configure and manage the firewall with REST API integration. Palo Alto Networks
Next-Generation Firewalls (NGFW) give security teams complete visibility and control over
all networks using powerful traffic identification, malware prevention, and threat
intelligence technologies.

Cybersecurity

Cybersecurity is the protection of internet-connected systems such as hardware,
software, and data from cyber threats. The practice is used by individuals and enterprises to
protect against unauthorized access to data centers and other computerized systems.
Cybersecurity is crucial because it safeguards all types of data against theft and loss.
This includes sensitive data such as protected health information (PHI), personally
identifiable information (PII), intellectual property, personal information, and government
and business information systems. An intrusion detection system (IDS) is a security system
that monitors computer systems and network traffic. It analyses that traffic for possible
hostile attacks originating from outsiders and for system misuse or attacks originating
from insiders.

Cybersecurity Networks
• Introduction to Cybersecurity
• Fundamentals of Network Security
• Fundamentals of Cloud Security
• The Fundamentals of SOC (Security Operations Centre)

Introduction to Cybersecurity

It introduces the fundamentals of cybersecurity, including the concepts needed to
recognize and potentially mitigate attacks against home networks and mission-critical
infrastructure.

The introduction to cybersecurity covers five topics:
• Cybersecurity Landscape
• Cyberattack Types
• Cyberattack Techniques
• APTs and Wi-Fi Vulnerabilities
• Security Models

Cybersecurity Landscape
The modern cybersecurity landscape is a rapidly evolving hostile environment
with advanced threats and increasingly sophisticated threat actors. This lesson
describes the current cybersecurity landscape, explains SaaS application
challenges, describes various security and data protection regulations and
standards, identifies cybersecurity threats and attacker profiles, and explains
the steps in the cyberattack lifecycle.

Modern Computing Trends

The nature of enterprise computing has changed dramatically over the past
decade, moving from Web 2.0 toward Web 3.0. The vision of Web 3.0 is to return
the power of the internet to individual users, in much the same way that the
original Web 1.0 was envisioned. To some extent, Web 2.0 has become shaped
and characterized, if not controlled, by governments and large corporations
dictating the content that is made available to individuals and raising many
concerns about individual security, privacy, and liberty. Web 3.0 brings AI
and Machine Learning, Blockchain, Data Mining, Mixed Reality, and Natural
Language Search.

Introduction to SaaS
Data is located everywhere in today’s enterprise networks, including in many
locations that are not under the organization’s control. New data security
challenges emerge for organizations that permit SaaS use in their networks. With
SaaS applications, data is often stored where the application resides – in the
cloud. Thus, the data is no longer under the organization’s control, and visibility
is often lost. SaaS vendors do their best to protect the data in their applications,
but it is ultimately not their responsibility. Just as in any other part of the
network, the IT team is responsible for protecting and controlling the data,
regardless of its location.

SaaS Application Risks

The average employee uses at least eight applications. As employees add and use
more SaaS apps that connect to the corporate network, the risk of sensitive data
being stolen, exposed or compromised increases. It is important to consider the
security of the apps, what data they have access to, and how employees are using
them. Because of the nature of SaaS applications, their use is very difficult to
control – or have visibility into – after the data leaves the network perimeter.
This lack of control presents a significant security challenge: end users are now
acting as their own “shadow” IT department, with control over the SaaS
applications they use and how they use them. The inherent data exposure and
threat insertion risks of SaaS include malicious outsiders, malicious insiders,
accidental data exposure, accidental share, promiscuous share, and ghost share.

Attacker Profiles
News outlets are usually quick to showcase high-profile attacks, but the sources
of these attacks are not always easy to identify. Each of the different attacker
types or profiles generally has a specific motivation for the attacks they generate.
Because these different attacker profiles have different motivations, information
security professionals must design cybersecurity defenses that can identify the
different attacker motivations and apply appropriate deterrents.

Cyberattack Types
Attackers use a variety of techniques and attack types to achieve their
objectives. Malware and exploits are integral to the modern cyberattack strategy.
This lesson describes the different malware types and properties, the relationship
between vulnerabilities and exploits, and how modern malware plays a central
role in a coordinated attack against a target. This lesson also explains the
timeline for eliminating a vulnerability.

Malware
Malware usually has one or more of the following objectives: to provide remote
control for an attacker to use an infected machine, to send spam from the infected
machine to unsuspecting targets, to investigate the infected user’s local network,
and to steal sensitive data. Malware is varied in type and capabilities. Several
malware types are logic bombs, rootkits, backdoors, anti-AV, and others.

Advanced or modern malware leverages networks to gain power and resilience.
Modern malware can be updated—just like any other software application—so
that an attacker can change course and dig deeper into the network or make
changes and enact countermeasures.

Ransomware
Ransomware is malware that locks a computer or device (locker ransomware) or
encrypts data (crypto-ransomware) on an infected endpoint with an encryption
key that only the attacker knows, thereby making the data unusable until the
victim pays a ransom (usually in cryptocurrency such as Bitcoin). Reveton and
Locker are two examples of locker ransomware, while Locky, TeslaCrypt/Encrypt,
CryptoLocker, and CryptoWall are examples of crypto-ransomware.

Cyberattack Techniques

Attackers use a variety of techniques and attack types to achieve their objectives.
Spamming and phishing are commonly employed techniques to deliver malware
and exploits to an endpoint via an email executable or a web link to a malicious
website. Once an endpoint is compromised, an attacker typically installs
backdoors, remote access Trojans (RATs), and other malware to ensure persistence.
This lesson describes spamming and phishing techniques, how bots and botnets
function, and the different types of botnets.

Phishing Attacks
We often think of spamming and phishing as the same thing, but they are
separate processes, and they each require mitigations and defenses. Phishing
attacks, in contrast to spam, are becoming more sophisticated and difficult to
identify. Types of phishing attacks include spear phishing, whaling, watering
hole, and pharming.

Advanced Persistent Threats and Wi-Fi Vulnerabilities

With the explosive growth in fixed and mobile devices over the past decade,
wireless (Wi-Fi) networks are growing exponentially—and so is the attack
surface for advanced persistent threats (APTs). This lesson describes Wi-Fi
vulnerabilities and attacks and APTs.

Wi-Fi Attacks

There are different types of Wi-Fi attacks that hackers use to eavesdrop on
wireless network connections to obtain credentials and spread malware. Two
such attacks are Doppelgangers and Cookie Guzzler. To protect Wi-Fi, the Wi-Fi
Protected Access (WPA) security standard was published as an interim standard
in 2004, quickly followed by WPA2. WPA/WPA2 contains improvements to
protect against the inherent flaws in Wired Equivalent Privacy (WEP),
including changes to the encryption.

Evil Twin
Perhaps the easiest way for an attacker to find a victim to exploit is to set up a
wireless access point that serves as a bridge to a real network. An attacker can
inevitably bait a few victims with “free Wi-Fi access.”

Baiting a victim with free Wi-Fi access requires a potential victim to stumble on
the access point and connect. The attacker can’t easily target a specific victim,
because the attack depends on the victim initiating the connection. Attackers now
try to use a specific name that mimics a real access point.

Security Models
The goal of a security model is to provide measurable threat prevention through
trusted and untrusted entities. This can be a complicated process, as every
security model will have its customizations, and many variables need to be
identified. This lesson describes the core concepts of a security model and why
the model is important, the functions of a perimeter-based security model, the
Zero Trust security model design principles, and how the principle of least
privilege applies to the Zero Trust security model.

Zero Trust Security Model

The Zero Trust security model addresses some of the limitations of perimeter-
based network security strategies by removing the assumption of trust from the
equation. With a Zero Trust model, essential security capabilities are deployed
in a way that provides policy enforcement and protection for all users, devices,
applications, and data resources, as well as the communications traffic between
them, regardless of location. Its design principles are No Default Trust,
Monitor and Inspect, and Compartmentalize.

Fundamentals of Network Security

This training introduces someone with no prior knowledge to the fundamentals
of network security, including concepts they must understand to recognize and
potentially defend home networks and mission-critical infrastructure.
Fundamentals of Network Security has five topics:

• The Connected Globe
• Addressing and Encapsulation
• Network Security Technologies
• Endpoint Security and Protection
• Secure the Enterprise

The Connected Globe

In this, we will discuss how hundreds of millions of routers deliver Transmission
Control Protocol/Internet Protocol (TCP/IP) packets using various routing
protocols across local-area networks and wide-area networks. We also will
discuss how the Domain Name System (DNS) enables internet addresses, such
as www.facebook.com, to be translated into routable IP addresses.

The Net
In the 1960s, the U.S. Defense Advanced Research Projects Agency (DARPA)
created ARPANET, the precursor to the modern internet. ARPANET was the
first packet-switched network. A packet-switched network breaks data into small
blocks (packets), transmits each packet from node to node toward its destination,
and then reassembles the individual packets in the correct order at the
destination. The ARPANET evolved into the internet (often referred to as the network
of networks) because the internet connects multiple local area networks (LANs) to a
worldwide wide area network (WAN) backbone. Today billions of devices worldwide
are connected to the internet and use the Transmission Control Protocol/Internet
Protocol (TCP/IP) to communicate with each other over a packet-switched network.
Specialized devices and technologies such as routers, routing protocols, SD-WAN, the
Domain Name System (DNS), and the World Wide Web (WWW) facilitate communications
between connected devices.

Internet of Things (IoT)
With almost five billion internet users worldwide in 2022, which represents well
over half the world’s population, the internet connects businesses, governments,
and people across the globe. Our reliance on the internet will continue to grow,
with nearly 30 billion devices (“things”) – including autonomous vehicles,
household appliances, wearable technology, and more – connecting to the
internet of things (IoT), and nearly nine billion worldwide smartphone
subscriptions that will use a total of 160 EB of monthly data by 2025. IoT
connectivity technologies are broadly categorized into five areas: cellular,
satellite, short-range wireless, low-power WAN and other wireless WAN, and
Identity of Things (IDOT).

Addressing and Encapsulation

This lesson describes the functions of physical, logical, and virtual addressing in
networking, IP addressing basics, subnetting fundamentals, the OSI and TCP/IP
models, and the packet lifecycle.

TCP/IP Overview
In cybersecurity, you must understand that applications sending data from one
host computer to another host computer will first segment the data into blocks
and will then forward these data blocks to the TCP/IP stack for transmission.
The TCP stack places the block of data into an output buffer on the server and
determines the maximum segment size of individual TCP blocks permitted by
the server operating system. The TCP stack then divides the data blocks into
appropriately sized segments, adds a TCP header, and sends the segment to the
IP stack on the server. The IP stack adds source and destination IP addresses to
the TCP segment and notifies the server operating system that it has an outgoing
message that is ready to be sent across the network. When the server operating
system is ready, the IP packet is sent to the network adapter, which converts the
IP packet to bits and sends the message across the network.

Numbering Systems

You must understand how network systems are addressed before following the
path data takes across internetworks. Physical, logical, and virtual addressing in
computer networks requires a basic understanding of decimal (base 10),
hexadecimal (base 16), and binary (base 2) numbering.

Network Security Technologies

In this, we will discuss the basics of network security technologies such as
firewalls, intrusion detection systems (IDSs) and intrusion prevention systems
(IPSs), web content filters, virtual private networks (VPNs), data loss prevention
(DLP), and unified threat management (UTM), which are deployed across the
industry.

Legacy Firewalls
Firewalls have been central to network security since the early days of the
internet. A firewall is a hardware platform or software platform or both that
controls the flow of traffic between a trusted network (such as a corporate LAN)
and an untrusted network (such as the internet).

Stateful Packet Inspection Firewalls

Stateful packet inspection firewalls operate up to Layer 4 (the Transport layer) of the
OSI model and maintain state information about the communication sessions that
have been established between hosts on two different networks. These firewalls
inspect individual packet headers to determine the source and destination IP
address, protocol (TCP, UDP, and ICMP), and port number (during session
establishment only). The firewalls compare header information to firewall rules
to determine if each session should be allowed, blocked, or dropped. After a
permitted connection is established between two hosts, the firewall allows traffic
to flow between the two hosts without further inspection of individual packets
during the session.
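As an added illustration (not code from this report or from any vendor product), the following Python sketch models the behaviour just described: rules are consulted only when a session is being set up, and later packets of a permitted session pass on a session-table lookup without further rule evaluation. The names Packet, Rule and StatefulFirewall, the CIDR prefixes and the sample traffic are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed example: a minimal stateful packet inspection firewall.
# Rules are evaluated only when a session is established (TCP SYN, or the
# first UDP/ICMP packet); packets of an already permitted session are forwarded
# from the session table without re-checking their headers against the rules.

FiveTuple = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "TCP", "UDP" or "ICMP"
    src_port: int = 0   # 0 for ICMP, which has no ports
    dst_port: int = 0
    syn: bool = False   # TCP SYN flag: a request to open a new session


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    src_net: str = "0.0.0.0/0"        # CIDR prefix; the default matches any source
    proto: str = "any"
    dst_port: Optional[int] = None    # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.proto != "any" and pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


class StatefulFirewall:
    """First-match rule evaluation at session setup, session-table lookup afterwards."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.sessions: Set[FiveTuple] = set()   # 5-tuples of permitted sessions

    @staticmethod
    def _key(pkt: Packet) -> FiveTuple:
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    @staticmethod
    def _reply_key(pkt: Packet) -> FiveTuple:
        # The 5-tuple of the session this packet would be a reply to.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)

    def process(self, pkt: Packet) -> str:
        # 1. Established session (either direction): forward without a rule lookup.
        if self._key(pkt) in self.sessions or self._reply_key(pkt) in self.sessions:
            return "allow"
        # 2. A TCP packet without SYN that belongs to no session is out of state
        #    and is dropped before the rules are even consulted.
        if pkt.proto == "TCP" and not pkt.syn:
            return "drop"
        # 3. Session establishment: the first matching rule decides; implicit deny.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.sessions.add(self._key(pkt))
                return rule.action
        return "deny"


def demo() -> List[str]:
    """Constructed traffic against a policy that lets the LAN reach HTTPS and DNS only."""
    fw = StatefulFirewall([
        Rule("allow", src_net="10.0.0.0/24", proto="TCP", dst_port=443),
        Rule("allow", src_net="10.0.0.0/24", proto="UDP", dst_port=53),
        Rule("deny"),
    ])
    traffic = [
        Packet("10.0.0.5", "203.0.113.10", "TCP", 51000, 443, syn=True),  # LAN opens HTTPS
        Packet("203.0.113.10", "10.0.0.5", "TCP", 443, 51000),            # server reply
        Packet("10.0.0.5", "203.0.113.10", "TCP", 51000, 443),            # data in session
        Packet("203.0.113.10", "10.0.0.5", "TCP", 443, 51001),            # no session, no SYN
        Packet("203.0.113.10", "10.0.0.5", "TCP", 4444, 22, syn=True),    # inbound SSH attempt
        Packet("10.0.0.5", "10.0.0.53", "UDP", 40000, 53),                # LAN DNS query
        Packet("10.0.0.53", "10.0.0.5", "UDP", 53, 40000),                # DNS reply
    ]
    return [fw.process(p) for p in traffic]


if __name__ == "__main__":
    print(demo())
```

The fourth packet shows the limit of the approach the text describes: once a session is established, later packets of that session are never re-inspected, so the only protection against out-of-state packets is the session table itself.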

Application Firewalls
Third-generation application firewalls are also known as application-layer
gateways, proxy-based firewalls, and reverse-proxy firewalls. Application
firewalls operate up to Layer 7 (the application layer) of the OSI model and
control access to specific applications and services on the network. These
firewalls proxy network traffic rather than permit direct communication between
hosts. Requests are sent from the originating host to a proxy server, which
analyses the contents of the data packets and, if the request is permitted, sends a
copy of the original data packets to the destination host.

Virtual Private Networks
A VPN creates a secure, encrypted connection (or tunnel) across the internet
between two endpoints. A client VPN establishes a secure connection between
a user and an organization's network. A site-to-site VPN establishes a secure
connection between two organizations' networks, usually geographically
separated. VPN client software is typically installed on mobile endpoints, such
as laptop computers and smartphones, to extend a network beyond the physical
boundaries of the organization. The VPN client connects to a VPN server, such
as a firewall, router, or VPN appliance (or concentrator). After a VPN tunnel is
established, a remote user can access network resources, such as file servers,
printers, and Voice over IP (VoIP) phones, as if they were physically in the
office.

Secure Sockets Layer (SSL)
SSL is an asymmetric/symmetric encryption protocol that secures
communication sessions. SSL has been superseded by TLS, although SSL is still
the more commonly used terminology. An SSL VPN can be deployed as an
agent-based or agentless browser-based connection. An agentless SSL VPN
requires only that users launch a web browser, use HTTPS to open a VPN portal
or webpage and log in to the network with their user credentials. An agent-based
SSL VPN connection creates a secure tunnel between an SSL VPN client
installed on a host computer/laptop and a VPN concentrator device in an
organization's network. Agent-based SSL VPNs are often used to securely
connect remote users to an organization's network. SSL VPN technology is the
standard method of connecting remote endpoint devices back to the enterprise
network. IPsec is most commonly used in site-to-site or device-to-device VPN
connections, such as connecting a branch office network to a headquarters
network or data center.

Endpoint Security and Protection

In this lesson, we will explore endpoint security challenges and solutions,
including malware protection, anti-malware software, personal firewalls, host-
based intrusion prevention systems (HIPSs), and mobile device management
(MDM) software. We will also introduce network operations concepts,
including server and systems administration, directory services, and structured
host and network troubleshooting.

Malware and Anti-Malware

Malware protection using antivirus (or anti-malware) software has been one of
the first and most basic tenets of information security since the early 1980s.
Antivirus software uses file signatures to discover and mitigate malware on an
endpoint. These antivirus software signatures must be constantly updated to
match new or evolving malware attacking endpoints. Malspam is the most
popular delivery method for malware. Malspam consists of unsolicited emails
that direct users to malicious websites or prompt users to open attached files with
hidden malware. Many Palo Alto Networks products are powered by high-
fidelity threat intelligence algorithms that help keep our products up to date on
threats "in the wild."

Structured Host and Network Troubleshooting

Network administrators should use a systematic process to troubleshoot network
problems when they occur, to restore the network to full production as quickly as
possible without causing new issues or introducing new security vulnerabilities.
Resolving network problems quickly and efficiently is a skill that is highly sought
after in IT.

Logical Troubleshooting Using the OSI Model

The OSI model provides a logical model for troubleshooting complex host and
network issues. Depending on the situation, you might use the bottom-up, top-
down, or divide-and-conquer approach when you use the OSI model to guide
your troubleshooting efforts. In other situations, you might make an educated
guess about the source of the issue and begin investigating the corresponding
layer of the OSI model. You could also use the substitution method (replacing a
bad component with a known good component) to quickly identify and isolate
the cause of the issue.

Secure the Enterprise

The networking infrastructure of an enterprise can be extraordinarily complex.
The Palo Alto Networks prevention-first security architecture secures enterprises'
perimeter networks, data centers, cloud-native applications, SaaS applications, branch
offices, and remote users with a fully integrated and automated platform that
simplifies security.

App-ID

App-ID, or application identification, accurately identifies applications
regardless of port, protocol, evasive techniques, or encryption. It provides
application visibility and granular, policy-based control. Port-based stateful
packet inspection technology was created more than 25 years ago to control
applications using ports and IP addresses. Using port-based stateful inspection
to identify applications depends on an application strictly adhering to its
assigned port(s). This presents a problem because applications can easily be
configured to use any port.

As a result, many of today’s applications cannot be identified, much less
controlled, by the port-based firewall, and no amount of “after the fact” traffic
classification by firewall “helpers” can solve the problems associated with port-
based application identification.
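The port-versus-content distinction can be made concrete. The following Python sketch is an added example (not Palo Alto Networks' App-ID code): it classifies a few constructed flows first by destination port and then by the first bytes the client sends, showing where the port-based answer is misleading. The port table and the signature list are assumptions for the example; a real product uses full protocol decoders and heuristics.

```python
import re
from typing import Dict, List, Tuple

# Constructed example contrasting port-based classification with identification
# from the first payload bytes of a flow. The tables below are assumed for the
# example and cover only a handful of protocols.

# Assumed well-known port table used by the port-based classifier.
PORT_TABLE: Dict[int, str] = {22: "ssh", 53: "dns", 80: "web-browsing",
                              443: "ssl", 3389: "rdp"}

# Assumed payload signatures, matched against the start of the client's first bytes.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("ssh", rb"^SSH-2\.0-"),
    ("web-browsing", rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    ("ssl", rb"^\x16\x03[\x00-\x03]"),   # TLS record header: handshake, version 3.x
    ("rdp", rb"^\x03\x00"),              # TPKT header carrying RDP's X.224 request
]


def classify_by_port(dst_port: int) -> str:
    """What a port-based stateful inspection firewall would call this flow."""
    return PORT_TABLE.get(dst_port, "unknown")


def classify_by_payload(payload: bytes) -> str:
    """Identify the application from its first bytes, ignoring the port entirely.

    Note: traffic inside TLS is only ever seen as "ssl" here; identifying the
    application carried inside it would require decryption first.
    """
    for app, pattern in SIGNATURES:
        if re.match(pattern, payload):
            return app
    return "unknown"


def classify_flow(dst_port: int, payload: bytes) -> Tuple[str, str, bool]:
    """Return (port-based app, content-based app, port_misleading).

    port_misleading is True when the content identifies an application and the
    port-based answer disagrees with it (including "unknown" on a non-standard port).
    """
    port_app = classify_by_port(dst_port)
    content_app = classify_by_payload(payload)
    misleading = content_app != "unknown" and port_app != content_app
    return port_app, content_app, misleading


def demo() -> List[Tuple[str, str, bool]]:
    """Constructed flows: the first bytes a client sends on each connection."""
    flows = [
        (443, b"SSH-2.0-OpenSSH_9.3\r\n"),                                # SSH on 443
        (8080, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),     # HTTP on 8080
        (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),           # TLS ClientHello on 443
        (80, b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08"),  # RDP on 80
    ]
    return [classify_flow(port, payload) for port, payload in flows]


if __name__ == "__main__":
    for port_app, content_app, misleading in demo():
        print(f"port says {port_app:<13} content says {content_app:<13} "
              f"misleading={misleading}")
```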

User-ID
The next-generation firewall accurately identifies users for policy control. A key
component of security policies based on application use is identifying the users
who should be able to use those applications. IP addresses are ineffective
identifiers of users or server roles within the network. With the User-ID and
Dynamic Address Group (DAG) features, you can dynamically associate an IP
address with a user or server role in the data center. You can then define user-
and role-based security policies that adapt dynamically to changing
environments.

URL Filtering Service

To complement the next-generation firewall's threat prevention and application
control capabilities, a fully integrated, on-box URL Filtering database enables
security teams to control end-user web surfing activities and combine URL
context with application and user rules. The URL Filtering service complements
App-ID by enabling you to configure the next-generation firewall to identify and
control access to websites and to protect your organization from websites hosting
malware and phishing pages. You can use the URL category as a match criterion
in policies, which permits exception-based behavior and granular policy
enforcement. For example, you can deny access to malware and hacking sites
for all users, but allow access to users who belong to the IT Security group.
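The IT Security exception above depends on two things working together: a User-ID style mapping from source IP to user and group, and the order of the rules in the policy. The following Python sketch is an added example (not the firewall's own code or configuration syntax); the IP-to-user map, the group membership, the URL category table and the rule names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed example of user- and URL-category-based policy evaluation.
# Every mapping, category and rule name below is made up for the example.

# IP-to-user mapping of the kind a User-ID agent learns from login events.
IP_USER_MAP: Dict[str, str] = {"10.1.1.20": "alice", "10.1.1.31": "bob"}
# Directory group membership.
USER_GROUPS: Dict[str, Set[str]] = {"alice": {"it-security", "staff"},
                                    "bob": {"staff"}}
# URL category table (a real URL filtering service resolves categories by lookup).
URL_CATEGORIES: Dict[str, str] = {
    "exploit-kit.example": "malware",
    "tools.hacking.example": "hacking",
    "intranet.example": "business",
}


@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    categories: Optional[Set[str]] = None    # None matches any URL category
    groups: Optional[Set[str]] = None        # None matches any user, known or not

    def matches(self, category: str, user_groups: Set[str]) -> bool:
        if self.categories is not None and category not in self.categories:
            return False
        if self.groups is not None and not (self.groups & user_groups):
            return False
        return True


# Ordered rulebase: the narrow exception must come before the broad deny.
RULEBASE: List[Rule] = [
    Rule("it-security-research", "allow", {"malware", "hacking"}, {"it-security"}),
    Rule("block-risky-categories", "deny", {"malware", "hacking"}),
    Rule("default-web", "allow"),
]


def resolve_groups(src_ip: str) -> Set[str]:
    """Source IP -> user -> groups; an unmapped IP yields no group membership."""
    user = IP_USER_MAP.get(src_ip, "unknown")
    return USER_GROUPS.get(user, set())


def categorize(hostname: str) -> str:
    return URL_CATEGORIES.get(hostname, "unknown")


def evaluate(src_ip: str, hostname: str,
             rulebase: List[Rule] = RULEBASE) -> Tuple[str, str]:
    """Return (matching rule name, action); first match wins, implicit deny last."""
    groups = resolve_groups(src_ip)
    category = categorize(hostname)
    for rule in rulebase:
        if rule.matches(category, groups):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def shadowed_rulebase() -> List[Rule]:
    """The same rules with the deny placed first: the exception can never match."""
    return [RULEBASE[1], RULEBASE[0], RULEBASE[2]]


if __name__ == "__main__":
    print(evaluate("10.1.1.20", "tools.hacking.example"))   # IT Security member: allowed
    print(evaluate("10.1.1.31", "tools.hacking.example"))   # ordinary staff: denied
    print(evaluate("192.0.2.9", "exploit-kit.example"))     # unmapped IP: denied
    print(evaluate("10.1.1.20", "tools.hacking.example", shadowed_rulebase()))
```

The last call shows the usual mistake with exception-based policies: with the broad deny ordered first, the IT Security rule is shadowed and never matches, which is worth checking whenever such an exception is added.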

Fundamentals of Cloud Security

This training introduces someone with no prior knowledge to the fundamentals of
cloud security, including concepts they must understand to recognize threats and
potentially defend data centers, enterprise networks, and small office/home
office (SOHO) networks from cloud-based attacks.

Fundamentals of Cloud Security covers these topics:

• Cloud Computing
• Cloud Native Technologies
• Cloud Native Security
• Hybrid Data Centre Security
• Prisma Access SASE Security
• Prisma SaaS
• Prisma Cloud Security

Cloud Computing

The move toward cloud computing not only brings cost and operational benefits
but also technology benefits. Data and applications are easily accessed by users
no matter where they reside, projects can scale easily, and consumption can be
tracked effectively.

Cloud Security

In general terms, the cloud provider is responsible for the security of the cloud,
including the physical security of the cloud data centers, and foundational
networking, storage, computing, and virtualization services. The cloud customer
is responsible for security in the cloud, which is further delineated by the cloud service
model.

Network Security vs. Cloud Security

With the use of cloud computing technologies, your data center
environment can evolve from a fixed environment where applications run
on dedicated servers toward an environment that is dynamic and automated.

Network Security:
• Isolation and Segmentation
• Incompatible with Serverless Applications
• Process-Oriented

Cloud Security:
• Shared Resources
• Multi-Tenancy is Important
• Dynamic Computing

Cloud Native Technologies
A useful way to think of cloud-native technologies is as a continuum spanning
from virtual machines (VMs) to containers to serverless. On one end are
traditional VMs operated as stateful entities, as we’ve done for over a decade
now. On the other are completely stateless, serverless apps that are effectively
just bundles of app code without any packaged accompanying operating system
(OS) dependencies.

Micro-VMs

Micro-VMs are scaled-down, lightweight virtual machines that run on
hypervisor software. Micro-VMs contain only the Linux operating system
kernel features necessary to run a container. Micro-VMs seek to provide virtual
machines that are not known or managed by the users. Instead, users execute
typical container commands such as “docker run,” and the underlying platform
automatically and invisibly creates a new VM, starts a container runtime within
it, and executes the command. The result is that the user has started a container
in a separate operating system instance, isolated from all others by a hypervisor.
These VM-integrated containers typically run a single container within a single
VM.

Cloud Native Security
The speed and flexibility that are so desirable in today’s business world have led
companies to adopt cloud technologies that require not just more security but
new security approaches. In the cloud, you can have hundreds or even thousands
of instances of an application, presenting exponentially greater opportunities for
attack and data theft.

The Four Cs of Cloud Native Security


The CNCF describes a layered security model for Kubernetes in the context of cloud-native security: each layer provides a secure foundation for the next. The four Cs of cloud-native security are Cloud, Clusters, Containers and Code.
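The Containers layer is where most pod-level hardening decisions are made. The following Python function is an added example, not part of the original report or of any CNCF or Kubernetes tooling: it applies a small baseline of checks to a Pod manifest held as a plain dict. The field names are the real Kubernetes securityContext and PodSpec fields; the two manifests and the baseline itself (which checks to run, and how to treat an untagged image) are constructed for illustration.

```python
"""Check a Kubernetes Pod manifest for common container-hardening gaps.

Added example for the Containers layer of the four Cs. The manifests below are
constructed for illustration and the check list is an assumed minimal baseline,
not a CNCF or Kubernetes specification.
"""
from __future__ import annotations
from typing import Any


def check_pod(pod: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})

    # Pod level: sharing host namespaces collapses the Container -> Cluster boundary.
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod: {ns} is enabled")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        # Container-level securityContext overrides pod-level for shared fields
        # such as runAsNonRoot; merging the two gives the effective settings.
        ctx = {**pod_ctx, **c.get("securityContext", {})}
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not ctx.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        if ctx.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        drops = {d.upper() for d in ctx.get("capabilities", {}).get("drop", [])}
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] expected)")
        image = c.get("image", "")
        # Last path component without ':' means no tag and no digest; ':latest' is mutable.
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"{name}: image {image!r} is untagged or :latest")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: no resource limits")
    return findings


# Constructed manifests: a typical "it works" pod and the same pod hardened.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "nginx",
                        "securityContext": {"privileged": True}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web",
            "image": "nginx:1.25.4",
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], check_pod(pod) or ["OK"])
```

The same checks are what an admission controller or a CI policy step would enforce before a manifest reaches a cluster; running them in CI keeps the Code and Containers layers aligned.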

Hybrid Data Centre Security


Data centers are rapidly evolving from a traditional, closed environment with static, hardware-based computing resources to an environment in which traditional and cloud computing technologies are mixed.

Traditional Data Centre Vs Hybrid Cloud

The "ports first" traditional data center security solution limits the ability to see all traffic on all ports. The move toward a cloud computing model, whether private, public or hybrid, improves operational efficiencies.

Traditional Data Centre Weaknesses:
• Limited Visibility and Control
• No Concept of Unknown Traffic
• No Policy Reconciliation Tool
• Cumbersome Security Policy Update Process

Hybrid Cloud Strengths:
• Optimizes Resources
• Reduces Costs
• Increases Operational Flexibility
• Maximizes Efficiency

The Fundamentals of SOC (Security Operations Centre)


The Fundamentals of Security Operations Centre training is a high-level
introduction to the general concepts of SOC and SecOps. It will introduce the
Security Operations framework, people, processes, and technology aspects
required to support the business, the visibility that is required to defend the
business, and the interfaces needed with other organizations outside of the SOC.

• The Life of a SOC Analyst
• Business
• People
• Processes
• Interfaces
• Visibility
• Technology
• SOAR
• SOAR Solution

The Life of a SOC Analyst


Erik is a SOC analyst on the Security Operations team, and it is his job to triage
alerts to determine if there is a security threat. Before Erik starts his job, he will
need to understand the general concepts of SOC and SecOps and the business
goals. Erik will need training and support from the people he interacts with daily.
While mitigating threats, Erik will need to know the processes to follow, the
teams he will be interacting with, and the technology he will be using to gain
visibility into the network.

Business
Both Erik and the SOC team are responsible for protecting the business. The reason for Security Operations, for all of the equipment, for everything the SOC does, is ultimately to serve one main goal: protect the business. Without the Business pillar, there would be no need for Erik or the SOC team. The elements of the Business pillar are Mission, Governance and Planning; Budget, Staffing and Facility; and Metrics, Reporting and Collaboration.

People
The People pillar defines who will accomplish the goals of the Security Operations team and how they will be managed. As part of the People pillar, Erik received the training necessary to triage alerts and to perform the other processes and functions within the SOC. This training gives Erik the skills to become efficient at detecting and prioritizing alerts. As Erik's knowledge increases, he will have opportunities to grow on the SOC team, and the skills to advance his career into other areas. The elements of the People pillar, which define the roles for accomplishing the Security Operations team's goals and how those roles are managed, are Employee Utilization, Training, Career Path Progression, and Tabletop Exercises.

Processes
While monitoring the ticketing queue, Erik notices a new set of alerts that have been sent to the SOC team by one of the network devices. Based on the alert messages, Erik needs to determine whether they represent a security incident, so he opens an incident ticket. Erik starts his initial research in the log files on the network device to determine whether the threat is real.

After reviewing the log files, Erik determines that the alert is a real threat. Based
on the Severity Triangle, Erik has determined that the severity level for this alert
is currently High.
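The triage Erik performs by hand (reading device logs, deciding whether repeated alerts are one incident, assigning a severity) can be expressed as code. The following Python is an added example and not part of the original report or of any Palo Alto Networks course material: it parses constructed firewall threat-log lines, groups repeats of the same signature between the same hosts into one ticket, and ranks tickets with an assumed three-factor score (vendor severity, criticality of the internal asset involved, and whether the device blocked the attempt). The log format, the asset inventory and the scoring thresholds are all constructed; they are not the course's Severity Triangle definition.

```python
"""Triage firewall threat-log lines into ranked incident tickets.

Added example for the Processes pillar. The log format, asset inventory and
three-factor severity scoring are constructed/assumed for illustration; they
are not the "Severity Triangle" from the course.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of a firewall log: syslog prefix, record type, key=value fields.
SAMPLE_LOG = """\
Mar 03 09:12:01 fw01 THREAT type=vulnerability sev=high src=203.0.113.7 dst=10.0.1.10 action=alert sig="SQL injection attempt"
Mar 03 09:12:05 fw01 THREAT type=vulnerability sev=high src=203.0.113.7 dst=10.0.1.10 action=alert sig="SQL injection attempt"
Mar 03 09:13:44 fw01 THREAT type=spyware sev=critical src=10.0.2.55 dst=198.51.100.9 action=block sig="C2 beacon"
Mar 03 09:15:10 fw01 THREAT type=scan sev=low src=192.0.2.44 dst=10.0.1.10 action=alert sig="TCP port scan"
Mar 03 09:16:00 fw01 TRAFFIC src=10.0.2.55 dst=10.0.1.10 action=allow bytes=4096
"""

# Assumed asset inventory: 3 = crown-jewel server, 2 = sensitive workstation, 1 = other.
ASSET_CRITICALITY = {"10.0.1.10": 3, "10.0.2.55": 2}

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<kind>\w+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # quoted values may contain spaces

SEV_CONFIDENCE = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    ts: str
    kind: str
    fields: dict[str, str]


def parse(log: str) -> list[Alert]:
    """Parse each well-formed line into an Alert; malformed lines are skipped."""
    alerts: list[Alert] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
        alerts.append(Alert(m["ts"], m["kind"], fields))
    return alerts


def score(alert: Alert) -> int:
    """Assumed score: vendor severity + criticality of the internal asset + exposure."""
    f = alert.fields
    confidence = SEV_CONFIDENCE.get(f.get("sev", ""), 0)
    # Whichever side of the flow is an inventoried internal asset sets the weight.
    asset = max(ASSET_CRITICALITY.get(f.get("src", ""), 0),
                ASSET_CRITICALITY.get(f.get("dst", ""), 0)) or 1
    # A blocked attempt still shows intent (or an infected host), so it keeps some weight.
    exposure = 1 if f.get("action") == "block" else 2
    return confidence + asset + exposure


def level(s: int) -> str:
    """Map the numeric score to the ticket severity an analyst would set."""
    if s >= 7:
        return "High"
    if s >= 4:
        return "Medium"
    return "Low"


def triage(log: str) -> list[dict]:
    """One ticket per (signature, src, dst) for THREAT records, highest score first."""
    tickets: dict[tuple, dict] = {}
    for a in parse(log):
        if a.kind != "THREAT":
            continue          # TRAFFIC records are context for the investigation, not alerts
        key = (a.fields.get("sig"), a.fields.get("src"), a.fields.get("dst"))
        t = tickets.setdefault(key, {"sig": key[0], "src": key[1], "dst": key[2],
                                     "first_seen": a.ts, "count": 0, "score": score(a)})
        t["count"] += 1
    for t in tickets.values():
        t["level"] = level(t["score"])
    return sorted(tickets.values(), key=lambda t: (-t["score"], t["first_seen"]))


if __name__ == "__main__":
    for t in triage(SAMPLE_LOG):
        print(f'{t["level"]:6} x{t["count"]} {t["sig"]} {t["src"]} -> {t["dst"]}')
```

Grouping by signature and host pair is what keeps two identical SQL injection alerts from becoming two tickets, and weighting the internal asset is why a blocked C2 beacon from a finance workstation still lands at High rather than being dismissed because the firewall stopped it.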

Interfaces
As Erik investigates the alert generated by the network device, he partners with the Threat Intelligence Team to identify the potential risks this threat may pose to the organization. Erik also interfaces with the Help Desk, Network Security Team and Endpoint Security Team to determine how far the threat has infiltrated the network. Interfaces should be clearly defined so that expectations between the different teams are known. Each team has its own goals and motivations, and understanding them helps with team interactions. Identifying the scope of each team's responsibility and the separation of duties helps to reduce friction within an organization. Interfaces are how processes connect to external functions or departments to help achieve Security Operations goals. These are the Help Desk, Information Technology Operations, DevOps, Operational Technology Team, Enterprise Architecture, SOC Engineering, Endpoint Security Team, Network Security Team, Cloud Security Team, Threat Hunting, Content Engineering, Security Automation, Forensics and Telemetry, Threat Intelligence Team, Red & Purple Team, Vulnerability Management Team, Business Liaison, and Governance, Risk and Compliance.

Visibility
The Visibility pillar enables the SOC team to use tools and technology to capture network traffic, limit access to certain URLs, determine which applications are being used by end users, and detect and prevent the accidental or malicious release of proprietary or sensitive information. The elements of the Visibility pillar are Network Traffic Capture, Endpoint Data Capture, Cloud Computing, Application Monitoring, URL Filtering, SSL Decryption, Threat Intelligence Platform, Vulnerability Management Tools, Analysis Tools, Asset Management, Knowledge Management, Case Management, and Data Loss Prevention.

Technology
The Technology pillar includes the tools and technology that increase the SOC's ability to prevent, or greatly minimize, attempts to infiltrate the network. In the context of IT Security Operations, technology increases the capability to securely handle, transport, present and process information beyond what can be done manually; it amplifies and extends the team's ability to work with information securely. The elements of the Technology pillar are Firewall, Intrusion Prevention/Detection System, Malware Sandbox, Endpoint Security, Behavioral Analytics, Email Security, Network Access Control, Identity & Access Management, Honeypots & Deception, Web Application Firewall, Virtual Private Networks, Mobile Device Management, Security Information & Event Management, and Security Orchestration, Automation and Response.

SOAR
The only reasonable long-term solution is to empower existing resources with a combination of orchestration, artificial intelligence and machine learning technologies to automate many of the manual processes that a SOC team faces each day. By automating these processes, the SOC team can focus its attention on what is truly critical: identifying, investigating and mitigating emerging cyber threats.
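What "automating the manual processes" looks like in practice is a playbook: an ordered set of actions, some run unconditionally and some gated on evidence or on analyst approval, executed against the firewall, endpoint and ticketing systems. The following Python is an added example and not part of the original report, nor is it Cortex XSOAR or any vendor API: the integrations are in-memory stand-ins, and the playbook's rules (automate reversible containment on strong evidence, require both signals or explicit approval before isolating a host, stay idempotent on re-runs) are assumptions chosen for illustration.

```python
"""Run a small SOAR-style playbook against simulated integrations.

Added example for the SOAR section. The playbook steps, the in-memory
firewall/EDR/ticketing stand-ins and the approval rule are constructed for
illustration; this is not Cortex XSOAR or any vendor API.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Incident:
    id: str
    indicator: str          # e.g. the external IP or domain from the alert
    host: str               # internal endpoint involved
    severity: str           # "Low" | "Medium" | "High", as set during triage
    approved: bool = False  # analyst approval for disruptive actions


@dataclass
class Integrations:
    """Simulated systems a playbook would normally reach over vendor APIs."""
    threat_intel: dict[str, int] = field(default_factory=dict)   # indicator -> reputation 0..100
    fw_blocklist: set[str] = field(default_factory=set)
    isolated_hosts: set[str] = field(default_factory=set)
    ticket_notes: dict[str, list[str]] = field(default_factory=dict)


def run_playbook(inc: Incident, integ: Integrations) -> list[str]:
    """Execute the playbook for one incident and return the actions taken, in order."""
    actions: list[str] = []
    notes = integ.ticket_notes.setdefault(inc.id, [])

    # 1. Enrichment is read-only, so it always runs. Unknown indicators score 0.
    rep = integ.threat_intel.get(inc.indicator, 0)
    notes.append(f"enrich {inc.indicator}: reputation={rep}")
    actions.append("enrich")

    # 2. Blocking at the firewall is reversible, so automate it on strong evidence.
    #    Re-running the playbook must not create duplicate rules.
    if rep >= 80 or inc.severity == "High":
        if inc.indicator in integ.fw_blocklist:
            actions.append("block:noop")
        else:
            integ.fw_blocklist.add(inc.indicator)
            actions.append("block")
        notes.append(f"firewall block {inc.indicator}")

    # 3. Isolating a host is disruptive: fully automatic only when threat intel and
    #    triage severity agree, otherwise park the step until an analyst approves.
    if (rep >= 80 and inc.severity == "High") or inc.approved:
        if inc.host in integ.isolated_hosts:
            actions.append("isolate:noop")
        else:
            integ.isolated_hosts.add(inc.host)
            actions.append("isolate")
        notes.append(f"isolate host {inc.host}")
    else:
        notes.append("isolation pending analyst approval")
        actions.append("await_approval")

    return actions


if __name__ == "__main__":
    integ = Integrations(threat_intel={"198.51.100.9": 95})   # constructed feed
    inc = Incident("INC-1", "198.51.100.9", "ws-finance-07", "High")
    print(run_playbook(inc, integ))          # ['enrich', 'block', 'isolate']
    print(run_playbook(inc, integ))          # idempotent: noop on the second run
    print(integ.ticket_notes["INC-1"])
```

The approval gate is the part worth keeping when scaling this up: automation saves the analyst's hours on enrichment and blocking, while the decision that can take a user offline still has a human in the loop unless the evidence is unambiguous.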
SOAR Solution
SOAR solutions improve SOC efficiency. Palo Alto Networks' Cortex XSOAR (orchestration and automation) and Cortex XDR (detection and response) allow SOC analysts like Erik to do in minutes what would otherwise take hours. It is tools such as these that will allow SOCs to scale into the future. Cortex is an artificial-intelligence-based, continuous security platform that allows organizations to create, deliver and consume new security products from any provider without additional complexity or infrastructure.

Cyber Security Job Role


• Security Specialist
• Incident Responder
• Security Administrator
• Vulnerability Assessor

Conclusion
I have gained knowledge of cybersecurity, fundamentals of network security, cloud security and SOC. These courses helped me to understand the overview of the threat landscape and to use various tools and technologies to defend against today's cyberattacks.

I could identify different malware types and understand cyberattack techniques, spamming and how phishing attacks are performed. I identified the capabilities of Palo Alto Networks' prevention-first architecture. Various security models helped me understand how all these security attacks can be avoided.

All four courses helped me gain knowledge in cybersecurity operations, cloud computing models, and the potential to defend home networks and mission-critical infrastructure. It was delightful as it helped me develop skills in rapidly changing technologies. This raised my interest in cybersecurity and in pursuing a career in cybersecurity.
