The document is an internship report by Juluru Avinash, submitted for a Bachelor of Technology in Artificial Intelligence & Machine Learning, focusing on a Cybersecurity Virtual Internship offered by AICTE-EDUSKILLS-PALO ALTO NETWORKS. It covers the fundamentals of cybersecurity, network security, and cloud security, detailing various cyber threats, attack techniques, and the importance of protective measures. The report also highlights the increasing demand for cybersecurity professionals across various industries.


CYBER SECURITY VIRTUAL INTERNSHIP

An Internship Report submitted in

partial fulfillment of the

requirements for the award of the

degree of

Bachelor of Technology

In

Artificial Intelligence & Machine Learning


By

JULURU AVINASH
Reg.No: 21H71A6102

OFFERED BY

AICTE-EDUSKILLS-PALO ALTO NETWORKS

Department of Artificial Intelligence

DVR & Dr. HS

MIC College of Technology


Autonomous
Kanchikacherla –521180, NTR Dist., Andhra Pradesh

SEPTEMBER-2024
CERTIFICATE

This is to certify that the Internship Report entitled “Cybersecurity Virtual Internship”
submitted by Juluru Avinash (21H71A6102), to the DVR & Dr. HS MIC College of
Technology in partial fulfilment of the requirements for the award of the Degree of Bachelor
of Technology in Artificial Intelligence & Machine Learning is a bonafide record of work.

Internship Coordinator Head of the Department

Examiner 1 Examiner 2

Principal
Acknowledgment

The satisfaction that accompanies the successful completion of any task would be incomplete
without the mention of the people who made it possible and whose constant guidance and
engagement crown all the efforts with success. I thank our college management and

respected Sri D. PANDURANGA RAO, CEO, for providing us with the necessary infrastructure
to carry out the Internship.

I express my sincere thanks to Dr. T. Vamsee Kiran, Director of Academics and Principal
who has been a great source of inspiration and motivation for the internship program.

I profoundly thank Dr. G Sai Chaitanya kumar, Head of Department of AI for permitting
me to carry out the internship.

I am thankful to the AICTE and EduSkills for giving me the opportunity to carry out the
internship in such a prestigious organization.

I am thankful to our Internship Coordinator Mr. A Kalyan Kumar, Assistant Professor,
Department of AI, for their internal support and professionalism, which helped us complete
the internship on time.

I take this opportunity to express our thanks to one and all who directly or indirectly helped
me in bringing this effort to present form.

Finally, my special thanks go to my family for their continuous support and help throughout
and for their continued support and encouragement for the completion of the Internship on
time.
Abstract

This report describes cybersecurity and how it is applied in our daily lives. Cybersecurity, also
known as computer security, is the practice of protecting systems, networks, and programs from
digital attacks. In daily life we see many incidents such as banks being hacked and confidential
data being stolen and sold; such data is then misused, including on the black market.
Considering that there are around 2200 cyberattacks per day, this could equal more than
800,000 people being hacked per year. In this cybersecurity course we learn how an attacker
compromises and steals data, and also how to protect data from the attacker by using firewalls
and cryptographic protocols to encrypt emails, files, and other critical data.

Organization Information:

Palo Alto Networks offers an enterprise cybersecurity platform that provides network security,
cloud security, endpoint protection, and various cloud-delivered security services. It is one
such vendor that offers a comprehensive and easy-to-use set of firewalls and also provides
next-generation firewalls (NGFW) giving the security teams complete visibility and control
over all networks using powerful traffic identification, malware prevention, and threat
intelligence technologies.
The three pillars of the Palo Alto Networks strategy are:
• Visibility and access control
• Data loss protection
• Threat prevention

Opportunities

As organizations across a wide range of different industries such as banks, government, retail,
and BFSI sectors actively recruit cybersecurity professionals, the job demand will only go up.
INDEX

S.NO CONTENTS PAGE NO

1 Introduction To Cybersecurity 2
1.1 Cybersecurity Landscape
1.2 Cyberattack Types
1.3 Cyberattack Techniques
1.4 APTs and Wi-Fi Vulnerabilities
1.5 Security Models
2 Network Security Fundamentals 8
2.1 The Connected Globe
2.2 Networking And Addressing
2.3 End Point Security
2.4 Network Security
3 Cybersecurity Fundamentals 13
3.1 Malware & Anti-Malware
3.2 Secure the enterprise
3.3 App Id
3.4 User Id
4 Cloud Security Fundamentals 15
4.1 Cloud Computing
4.2 Cloud Native Technologies
4.3 Cloud Native Security
4.4 Hybrid Data Centre Security
4.5 Prisma Access SASE Security
4.6 Prisma SaaS
4.7 Prisma Cloud Security

6 Conclusion 23

Introduction
Palo Alto Networks offers an enterprise cybersecurity platform that provides network security,
cloud security, endpoint protection, and various cloud-delivered security services. Palo
Alto Networks is one such vendor that offers a comprehensive and easy-to-use set of
firewalls, including NGFWs and Web Application and API Security platform, which includes a
built-in WAF. Palo Alto has a dedicated management interface, which makes it easy to
manage the device and handle the initial configuration. It has fantastic throughput, and its
connection speed is pretty fair, even when dealing with a high-traffic load. With Palo Alto, I can
configure and manage with REST API integration. Palo Alto Networks Next-Generation
Firewalls (NGFW) give security teams complete visibility and control over all networks using
powerful traffic identification, malware prevention, and threat intelligence technologies.

Cybersecurity
Cybersecurity is the protection of internet-connected systems such as hardware, software,
and data from cyber threats. The practice is used by individuals and enterprises to protect
against unauthorized access to data centres and other computerized systems. Cybersecurity is
crucial because it safeguards all types of data against theft and loss. This includes sensitive
data, protected health information (PHI), personally identifiable information (PII), intellectual
property, personal information, and government and business information systems.
An intrusion detection system (IDS) is a security system that monitors computer systems and
network traffic. It analyses that traffic for possible hostile attacks originating from outsiders
and for system misuse or attacks originating from insiders.

Cybersecurity Networks

• Introduction to Cybersecurity

• Fundamentals of Network Security

• Fundamentals of Cloud Security

• The Fundamentals of SOC (Security Operations Centre)

Introduction to Cybersecurity
It introduces the fundamentals of cybersecurity, including the concepts needed to recognize
and potentially mitigate attacks against home networks and mission-critical infrastructure.

The Introduction to Cybersecurity module covers five topics:

• Cybersecurity Landscape
• Cyberattack Types
• Cyberattack Techniques
• APTs and Wi-Fi Vulnerabilities
• Security Models

Cybersecurity Landscape
The modern cybersecurity landscape is a rapidly evolving hostile environment with advanced
threats and increasingly sophisticated threat actors. This lesson describes the current
cybersecurity landscape, explains SaaS application challenges, describes various security and
data protection regulations and standards, identifies cybersecurity threats and attacker profiles,
and explains the steps in the cyberattack lifecycle.

Modern Computing Trends

The nature of enterprise computing has changed dramatically over the past decade, moving
from Web 2.0 to Web 3.0. The vision of Web 3.0 is to return the power of the internet to
individual users, in much the same way that the original Web 1.0 was envisioned. To some
extent, Web 2.0 has become shaped and characterized, if not controlled, by governments and
large corporations dictating the content that is made available to individuals and raising many
concerns about individual security, privacy, and liberty. In web 3.0, we have AI and Machine
Learning, Blockchain, Data Mining, Mixed Reality, and Natural Language Search.

Introduction to SaaS
Data is located everywhere in today’s enterprise networks, including in many locations that are
not under the organization’s control. New data security challenges emerge for organizations that
permit SaaS use in their networks. With SaaS applications, data is often stored where the
application resides – in the cloud. Thus, the data is no longer under the organization’s control,
and visibility is often lost. SaaS vendors do their best to protect the data in their applications,
but it is ultimately not their responsibility. Just as in any other part of the network, the IT team
is responsible for protecting and controlling the data, regardless of its location.

SaaS Application Risks

The average employee uses at least eight applications. As employees add and use more SaaS
apps that connect to the corporate network, the risk of sensitive data being stolen, exposed or
compromised increases. It is important to consider the security of the apps, what data they have
access to, and how employees are using them. Because of the nature of SaaS applications, their
use is very difficult to control – or have visibility into – after the data leaves the network
perimeter. This lack of control presents a significant security challenge: End users are now
acting as their own “shadow” IT department, with control over the SaaS applications they use
and how they use them. The inherent data exposure and threat insertion risks of SaaS include
malicious outsiders, malicious insiders, accidental data exposure, accidental share, promiscuous
share, and ghost share.

Attacker Profiles

News outlets are usually quick to showcase high-profile attacks, but the sources of these attacks
are not always easy to identify. Each of the different attacker types or profiles generally has a
specific motivation for the attacks they generate. Here are some traditional attacker profile types.
Because these different attacker profiles have different motivations, information security
professionals must design cybersecurity defences that can identify the different attacker
motivations and apply appropriate deterrents.

Cyberattack Types
Attackers use a variety of techniques and attack types to achieve their objectives. Malware and
exploits are integral to the modern cyberattack strategy. This lesson describes the different
malware types and properties, the relationship between vulnerabilities and exploits, and how
modern malware plays a central role in a coordinated attack against a target. This lesson also
explains the timeline for eliminating a vulnerability.

Malware
Malware usually has one or more of the following objectives: to provide a remote control for an
attacker to use an infected machine, to send spam from the infected machine to unsuspecting
targets, to investigate the infected user’s local network, and to steal sensitive data. Malware is
varied in type and capabilities. Several malware types are logic bombs, rootkits, backdoors,
and anti-AV malware, among others.

Advanced or modern malware leverages networks to gain power and resilience. Modern
malware can be updated—just like any other software application—so that an attacker can
change course and dig deeper into the network or make changes and enact countermeasures.

Ransomware
Ransomware is malware that locks a computer or device (locker ransomware) or encrypts data
(crypto-ransomware) on an infected endpoint with an encryption key that only the attacker
knows, thereby making the data unusable until the victim pays a ransom (usually in
cryptocurrency such as Bitcoin). Reveton and Locker are two examples of locker ransomware,
while Locky, TeslaCrypt/Encrypt, CryptoLocker, and CryptoWall are examples of crypto
ransomware.

Cyberattack Techniques
Attackers use a variety of techniques and attack types to achieve their objectives. Spamming
and phishing are commonly employed techniques to deliver malware and exploits to an endpoint
via an email executable or a web link to a malicious website. Once an endpoint is compromised,
an attacker typically installs back doors, remote access Trojans (RATs), and other malware to
ensure persistence. This lesson describes spamming and phishing techniques, how bots and
botnets function, and the different types of botnets.

Phishing Attacks

We often think of spamming and phishing as the same thing, but they are separate processes,
and they each require mitigations and defences. Phishing attacks, in contrast to spam, are
becoming more sophisticated and difficult to identify. Types of phishing attack include spear
phishing, whaling, watering hole, and pharming.

Advanced Persistent Threats and Wi-Fi vulnerabilities


With the explosive growth in fixed and mobile devices over the past decade, wireless (Wi-Fi)
networks are growing exponentially, and so is the attack surface for advanced persistent threats
(APTs). This lesson describes Wi-Fi vulnerabilities and attacks, and APTs.

Wi-Fi Attacks
There are different types of Wi-Fi attacks that hackers use to eavesdrop on wireless network
connections to obtain credentials and spread malware; two examples are Doppelgangers and
Cookie Guzzler. To protect Wi-Fi, the Wi-Fi Protected Access (WPA) security standard was published
as an interim standard in 2004, quickly followed by WPA2. WPA/WPA2 contains improvements
to protect against the inherent flaws in the Wired Equivalent Privacy (WEP), including changes to
the encryption.

Evil Twin
Perhaps the easiest way for an attacker to find a victim to exploit is to set up a wireless access
point that serves as a bridge to a real network. An attacker can inevitably bait a few victims with
“free Wi-Fi access.”

Baiting a victim with free Wi-Fi access requires a potential victim to stumble on the access point
and connect. The attacker can’t easily target a specific victim, because the attack depends on the
victim initiating the connection. Attackers now try to use a specific name that mimics a real access
point.
Security Models
The goal of a security model is to provide measurable threat prevention through trusted and
untrusted entities. This can be a complicated process, as every security model will have its
customizations, and many variables need to be identified. This lesson describes the core
concepts of a security model and why the model is important, the functions of a perimeter-based
security model, the Zero Trust security model design principles, and how the principle of least
privilege applies to the Zero Trust security model.

Zero Trust Security Model


The Zero Trust security model addresses some of the limitations of perimeter-based network
security strategies by removing the assumption of trust from the equation. With a Zero Trust
model, essential security capabilities are deployed in a way that provides policy enforcement
and protection for all users, devices, applications, and data resources, as well as the
communications traffic between them, regardless of location. Its core concepts are No
Default Trust, Monitor and Inspect, and Compartmentalize.

Fundamentals of Network Security


This training introduces someone with no prior knowledge to the fundamentals of network
security, including concepts they must understand to recognize and potentially defend home
networks and mission-critical infrastructure. Fundamentals of Network Security covers five
topics:

• The Connected Globe
• Addressing and Encapsulation
• Network Security Technologies
• Endpoint Security and Protection
• Secure the Enterprise
The Connected Globe
In this, we will discuss how hundreds of millions of routers deliver Transmission Control
Protocol/Internet Protocol (TCP/IP) packets using various routing protocols across local-area
networks and wide-area networks. We also will discuss how the Domain Name System (DNS)
enables internet addresses, such as www.facebook.com, to be translated into routable IP
addresses.

The Net
In the 1960s, the U.S. Defense Advanced Research Projects Agency (DARPA) created
ARPANET, the precursor to the modern internet. ARPANET was the first packet-switched
network. A packet-switched network breaks data into small blocks (packets), transmits each
packet from node to node toward its destination, and then reassembles the individual packets in
the correct order at the destination. The ARPANET evolved into the internet (often referred to as the
network of networks) because the internet connects multiple local area networks (LAN) to a worldwide
wide area network (WAN) backbone. Today billions of devices worldwide are connected to the internet
and use the Transmission Control Protocol/Internet Protocol (TCP/IP) to communicate with each
other over a packet-switched network. Specialized devices and technologies such as routers, routing
protocols, SD-WAN, the domain name system (DNS), and the world wide web (WWW) facilitate
communications between connected devices.

Internet of Things (IoT)


With almost five billion internet users worldwide in 2022, which represents well over half the
world’s population, the internet connects businesses, governments, and people across the globe.
Our reliance on the internet will continue to grow, with nearly 30 billion “things” –
including autonomous vehicles, household appliances, wearable technology, and more –
connecting to the internet of things (IoT), and nearly nine billion worldwide smartphone
subscriptions that will use a total of 160 EB of monthly data by 2025. IoT connectivity
technologies are broadly categorized into five areas: cellular, satellite, short-range wireless, low-
power WAN and other wireless WAN, and Identity of Things (IDoT).

Addressing and Encapsulation


It describes the functions of physical, logical, and virtual addressing in networking, IP
addressing basics, subnetting fundamentals, OSI and the TCP/IP models, and the packet
lifecycle.

TCP/IP Overview
In cybersecurity, you must understand that applications sending data from one host computer to
another host computer will first segment the data into blocks and will then forward these data
blocks to the TCP/IP stack for transmission. The TCP stack places the block of data into an
output buffer on the server and determines the maximum segment size of individual TCP blocks
permitted by the server operating system. The TCP stack then divides the data blocks into
appropriately sized segments, adds a TCP header, and sends the segment to the IP stack on the
server. The IP stack adds source and destination IP addresses to the TCP segment and notifies
the server operating system that it has an outgoing message that is ready to be sent across the
network. When the server operating system is ready, the IP packet is sent to the network adapter,
which converts the IP packet to bits and sends the message across the network.

Numbering Systems

You must understand how network systems are addressed before following the path data takes
across internetworks. Physical, logical, and virtual addressing in computer networks requires a
basic understanding of decimal (base 10), hexadecimal (base 16), and binary (base 2)
numbering.

Network Security Technologies


In this, we will discuss the basics of network security technologies such as firewalls, intrusion
detection systems (IDSs) and intrusion prevention systems (IPSs), web content filters, virtual
private networks (VPNs), data loss prevention (DLP), and unified threat management (UTM),
which are deployed across the industry.

Legacy Firewalls
Firewalls have been central to network security since the early days of the internet. A firewall is
a hardware platform, a software platform, or both, that controls the flow of traffic between a
trusted network (such as a corporate LAN) and an untrusted network (such as the internet).

Stateful Packet Inspection Firewalls

Stateful packet inspection firewalls operate up to Layer 4 (Transport layer) of the OSI model
and maintain state information about the communication sessions that have been established
between hosts on two different networks. These firewalls inspect individual packet headers to
determine the source and destination IP address, protocol (TCP, UDP, and ICMP), and port
number (during session establishment only). The firewalls compare header information to
firewall rules to determine if each session should be allowed, blocked, or dropped. After a
permitted connection is established between two hosts, the firewall allows traffic to flow
between the two hosts without further inspection of individual packets during the session.
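The behaviour described above (rules consulted only when a session is established, later packets matched against a state table) can be modelled in a few dozen lines. The following is an added example written for this summary, not Palo Alto Networks code: a toy Layer 3/4 stateful filter with a top-down rule table, a session state table, and a small constructed packet sequence showing an allowed session, a stray mid-session packet with no state, and a denied session.

```python
"""Added model of a stateful packet inspection firewall (example code, not a
vendor implementation). Rules, addresses and packets are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "TCP", "UDP" or "ICMP"
    src_port: int
    dst_port: int
    syn: bool = False     # TCP SYN without ACK marks a new session
    ack: bool = False


@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    proto: str = "any"
    src_net: str = "any"           # simple prefix match, e.g. "10.0.0."
    dst_port: Optional[int] = None


@dataclass
class StatefulFirewall:
    rules: list
    default_action: str = "deny"
    state: set = field(default_factory=set)   # 5-tuples of permitted sessions
    log: list = field(default_factory=list)

    def _key(self, p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def _reverse_key(self, p):
        # The reply direction of an established session
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _match_rules(self, p) -> str:
        """Top-down rule evaluation, first match wins."""
        for r in self.rules:
            if r.proto != "any" and r.proto != p.proto:
                continue
            if r.src_net != "any" and not p.src_ip.startswith(r.src_net):
                continue
            if r.dst_port is not None and r.dst_port != p.dst_port:
                continue
            return r.action
        return self.default_action

    def process(self, p: Packet) -> str:
        # Packets of an established session pass without a rule lookup
        if self._key(p) in self.state or self._reverse_key(p) in self.state:
            self.log.append(("established", p))
            return "allow"
        # Only a session-opening packet may create state
        opens = (p.proto == "TCP" and p.syn and not p.ack) or p.proto in ("UDP", "ICMP")
        if not opens:
            # e.g. a TCP ACK that belongs to no known session
            self.log.append(("no-state", p))
            return "drop"
        action = self._match_rules(p)
        if action == "allow":
            self.state.add(self._key(p))
        self.log.append(("rule-" + action, p))
        return action


def demo_session() -> list:
    """Constructed packet sequence: returns the firewall's verdict for each packet."""
    fw = StatefulFirewall(rules=[
        Rule("allow", proto="TCP", src_net="10.0.0.", dst_port=443),
        Rule("deny"),
    ])
    syn = Packet("10.0.0.5", "203.0.113.10", "TCP", 51000, 443, syn=True)
    reply = Packet("203.0.113.10", "10.0.0.5", "TCP", 443, 51000, syn=True, ack=True)
    data = Packet("10.0.0.5", "203.0.113.10", "TCP", 51000, 443, ack=True)
    stray = Packet("203.0.113.10", "10.0.0.5", "TCP", 443, 51001, ack=True)
    telnet = Packet("10.0.0.5", "203.0.113.10", "TCP", 51002, 23, syn=True)
    return [fw.process(p) for p in (syn, reply, data, stray, telnet)]


if __name__ == "__main__":
    print(demo_session())   # ['allow', 'allow', 'allow', 'drop', 'deny']
```

Note what the model does not do: after the SYN is permitted, the `data` packet is forwarded on the strength of the state entry alone, with no look at its contents. That is exactly the gap the application-layer and next-generation firewalls discussed later on this page are designed to close.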

Application Firewalls

Third-generation application firewalls are also known as application-layer gateways,
proxy-based firewalls, and reverse-proxy firewalls. Application firewalls operate up to Layer 7
(the application layer) of the OSI model and control access to specific applications and services
on the network. These firewalls proxy network traffic rather than permit direct communication
between hosts. Requests are sent from the originating host to a proxy server, which analyses the
contents of the data packets and, if the request is permitted, sends a copy of the original data
packets to the destination host.

Virtual Private Networks


A VPN creates a secure, encrypted connection (or tunnel) across the internet between two
endpoints. A client VPN establishes a secure connection between a user and an organization's
network. A site-to-site VPN establishes a secure connection between two organizations'
networks, usually geographically separated. VPN client software is typically installed on mobile
endpoints, such as laptop computers and smartphones, to extend a network beyond the physical
boundaries of the organization. The VPN client connects to a VPN server, such as a firewall,
router, or VPN appliance (or concentrator). After a VPN tunnel is established, a remote user can
access network resources, such as file servers, printers, and Voice over IP (VoIP) phones, as if
they were physically in the office.

Secure Sockets Layer (SSL)


SSL is an asymmetric/symmetric encryption protocol that secures communication sessions. SSL
has been superseded by TLS, although SSL is still the more commonly used terminology. An
SSL VPN can be deployed as an agent-based or agentless browser-based connection. An
agentless SSL VPN requires only that users launch a web browser, use HTTPS to open a VPN
portal or webpage and log in to the network with their user credentials. An agent-based SSL
VPN connection creates a secure tunnel between an SSL VPN client installed on a host
computer/laptop and a VPN concentrator device in an organization's network. Agent-based SSL
VPNs are often used to securely connect remote users to an organization's network. SSL VPN
technology is the standard method of connecting remote endpoint devices back to the enterprise
network. IPsec is most commonly used in site-to-site or device-to-device VPN connections,
such as connecting a branch office network to a headquarters network or data center.

Endpoint Security and Protection


In this lesson, we will explore endpoint security challenges and solutions, including malware
protection, anti-malware software, personal firewalls, host-based intrusion prevention systems
(HIPSs), and mobile device management (MDM) software. We will also introduce network
operations concepts, including server and systems administration, directory services, and
structured host and network troubleshooting.

Malware and Anti-Malware
Malware protection using antivirus (or anti-malware) software has been one of the first and most
basic tenets of information security since the early 1980s. Antivirus software uses file signatures
to discover and mitigate malware on an endpoint. These antivirus software signatures must be
constantly updated to match new or evolving malware-attacking endpoints. Malspam is the most
popular delivery method for malware. Malspam consists of unsolicited emails that direct users to
malicious websites or prompt users to open attached files with hidden malware. Many Palo Alto
Networks products are powered by high-fidelity threat intelligence algorithms that help keep our
products up to date on threats "in the wild."

Structured Host and Network Troubleshooting


Network administrators should use a systematic process to troubleshoot network problems when
they occur to restore the network to full production as quickly as possible without causing new
issues or introducing new security vulnerabilities. Resolving network problems quickly and
efficiently is a skill that is highly sought after in IT.

Logical Troubleshooting Using the OSI Model

The OSI model provides a logical model for troubleshooting complex host and network issues.
Depending on the situation, you might use the bottom-up, top-down, or divide-and-conquer
approach when you use the OSI model to guide your troubleshooting efforts. In other situations,
you might make an educated guess about the source of the issue and begin investigating the
corresponding layer of the OSI model. You could also use the substitution method (replacing a
bad component with a known good component) to quickly identify and isolate the cause of the
issue.

Secure the Enterprise


The networking infrastructure of an enterprise can be extraordinarily complex. The Palo Alto
Networks’ prevention-first security architecture secures enterprises' perimeter networks, data
centres, cloud-native applications, SaaS applications, branch offices, and remote users with a
fully integrated and automated platform that simplifies security.

App-ID
App-ID, or application identification, accurately identifies applications regardless of port,
protocol, evasive techniques, or encryption. It provides application visibility and granular,
policy-based control. Port-based stateful packet inspection technology was created more than
25 years ago to control applications using ports and IP addresses. Using port-based stateful
inspection to identify applications depends on an application strictly adhering to its assigned
port(s). This presents a problem because applications can easily be configured to use any port.

As a result, many of today’s applications cannot be identified, much less controlled, by the port-
based firewall, and no amount of “after the fact” traffic classification by firewall “helpers” can
solve the problems associated with port-based application identification.

User-ID
The next-generation firewall accurately identifies users for policy control. A key component of
security policies based on application use is identifying the users who should be able to use
those applications. IP addresses are ineffective identifiers of users or server roles within the
network. With the User-ID and Dynamic Address Group (DAG) features, you can dynamically
associate an IP address with a user or server role in the data center. You can then define user-
and role-based security policies that adapt dynamically to changing environments.

URL Filtering Service


To complement the next-generation firewall's threat prevention and application control
capabilities, a fully integrated, on-box URL Filtering database enables security teams to control
end-user web surfing activities and combine URL context with application and user rules. The
URL Filtering service complements App-ID by enabling you to configure the next-generation
firewall to identify and control access to websites and to protect your organization from websites
hosting malware and phishing pages. You can use the URL category as a match criterion in
policies, which permits exception-based behaviour and granular policy enforcement. For
example, you can deny access to malware and hacking sites for all users, but allow access to
users who belong to the IT Security group.
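The three preceding sections (App-ID, User-ID, and the URL Filtering service) describe three match criteria that a policy can combine. The following is an added example written for this summary, not the Palo Alto Networks implementation: a toy policy engine that classifies a flow from its payload rather than its port, maps the source IP to a user and group, looks up the URL category of the requested host, and evaluates rules top-down, including the "deny malware and hacking sites except for the IT Security group" case from the text. The signatures, the IP-to-user mapping, the category table and the sample flows are all constructed.

```python
"""Added toy policy engine combining application, user and URL-category
matching (example code, not a vendor implementation; all data constructed)."""
import re

# Legacy port-based classification: trusts the destination port.
PORT_TABLE = {80: "web-browsing", 443: "ssl", 22: "ssh", 3389: "rdp"}


def identify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown-tcp")


# App-ID style: classify from the first bytes of the payload, regardless of
# port. These are simplified constructed signatures, not a real signature set.
APP_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),                  # TLS record
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("rdp", re.compile(rb"^\x03\x00")),                               # TPKT header
]


def identify_by_payload(payload: bytes) -> str:
    for app, pattern in APP_SIGNATURES:
        if pattern.search(payload):
            return app
    return "unknown-tcp"


# User-ID style mapping: source IP -> (user, groups). Constructed sample data.
USER_MAP = {
    "10.1.1.20": ("alice", {"it-security"}),
    "10.1.1.21": ("bob", {"sales"}),
}


def lookup_user(ip: str):
    return USER_MAP.get(ip, ("unknown-user", set()))


# URL Filtering: category of the requested host. Constructed sample data.
URL_CATEGORIES = {
    "intranet.example": "business",
    "malware-sample.example": "malware",
    "tools.example": "hacking",
}


def url_category(host: str) -> str:
    return URL_CATEGORIES.get(host, "unknown")


def extract_host(payload: bytes):
    m = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
    return m.group(1).decode() if m else None


# Rules are evaluated top-down; first match wins. None means "any".
POLICY = [
    {"name": "it-sec-research", "app": "web-browsing", "group": "it-security",
     "categories": {"malware", "hacking"}, "action": "allow"},
    {"name": "block-risky-urls", "app": "web-browsing", "group": None,
     "categories": {"malware", "hacking"}, "action": "deny"},
    {"name": "allow-web", "app": "web-browsing", "group": None,
     "categories": None, "action": "allow"},
    {"name": "allow-ssl", "app": "ssl", "group": None,
     "categories": None, "action": "allow"},
    {"name": "ssh-from-it", "app": "ssh", "group": "it-security",
     "categories": None, "action": "allow"},
]


def evaluate_flow(src_ip: str, dst_port: int, payload: bytes) -> dict:
    """Classify a flow and return the first matching rule's verdict."""
    app = identify_by_payload(payload)
    user, groups = lookup_user(src_ip)
    host = extract_host(payload) if app == "web-browsing" else None
    category = url_category(host) if host else None
    result = {"app": app, "port_guess": identify_by_port(dst_port),
              "user": user, "category": category}
    for rule in POLICY:
        if rule["app"] != app:
            continue
        if rule["group"] is not None and rule["group"] not in groups:
            continue
        if rule["categories"] is not None and category not in rule["categories"]:
            continue
        return dict(result, rule=rule["name"], action=rule["action"])
    return dict(result, rule="default", action="deny")


if __name__ == "__main__":
    http = b"GET / HTTP/1.1\r\nHost: malware-sample.example\r\n\r\n"
    print(evaluate_flow("10.1.1.21", 80, http))                       # sales user: deny
    print(evaluate_flow("10.1.1.20", 80, http))                       # IT Security: allow
    print(evaluate_flow("10.1.1.21", 443, b"SSH-2.0-OpenSSH_9.0\r\n"))  # ssh on 443: deny
```

The third sample flow is the point of App-ID in the text: SSH carried over port 443 is reported as "ssl" by the port table but as "ssh" by the payload signature, so the SSH rule (restricted to the IT Security group) is the one that decides, and the port-based guess never gets a vote.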

Fundamentals of cloud security
This training introduces someone with no prior knowledge to the fundamentals of cloud security,
including concepts they must understand to recognize threats and potentially defend data centers,
enterprise networks, and small office/home office (SOHO) networks from cloud-based attacks.

Fundamentals of Cloud Security covers the following topics:

• Cloud Computing
• Cloud Native Technologies
• Cloud Native Security
• Hybrid Data Centre Security
• Prisma Access SASE Security
• Prisma SaaS
• Prisma Cloud Security

Cloud Computing
The move toward cloud computing not only brings cost and operational benefits but also
technology benefits. Data and applications are easily accessed by users no matter where they
reside, projects can scale easily, and consumption can be tracked effectively.

Cloud Security

In general terms, the cloud provider is responsible for the security of the cloud, including the
physical security of the cloud data centres, and foundational networking, storage, computing,
and virtualization services. The cloud customer is responsible for security in the cloud, which is further
delineated by the cloud service model.

Network Security vs. Cloud Security

With the use of cloud computing technologies, your data centre environment can evolve
from a fixed environment where applications run on dedicated servers toward an
environment that is dynamic and automated.

Network Security:

• Isolation and Segmentation
• Incompatible with Serverless Applications
• Process-Oriented

Cloud Security:

• Shared Resources
• Multi-Tenancy is Important
• Dynamic Computing

Cloud Native Technologies
A useful way to think of cloud-native technologies is as a continuum spanning from virtual
machines (VMs) to containers to serverless. On one end are traditional VMs operated as stateful
entities, as we’ve done for over a decade now. On the other are completely stateless, serverless
apps that are effectively just bundles of app code without any packaged accompanying operating
system (OS) dependencies.

Micro-VMs
Micro-VMs are scaled-down, lightweight virtual machines that run on hypervisor software.
Micro-VMs contain only the Linux operating system kernel features necessary to run a
container. Micro-VMs seek to provide virtual machines that are not known or managed by the
users. Instead, users execute typical container commands such as “docker run,” and the
underlying platform automatically and invisibly creates a new VM, starts a container runtime
within it, and executes the command. The result is that the user has started a container in a
separate operating system instance, isolated from all others by a hypervisor. These VM
Integrated containers typically run a single container within a single VM.

Cloud Native Security


The speed and flexibility that are so desirable in today’s business world have led companies to
adopt cloud technologies that require not just more security but new security approaches. In the
cloud, you can have hundreds or even thousands of instances of an application, presenting
exponentially greater opportunities for attack and data theft.

The Four Cs of Cloud Native Security


The CNCF defines a container security model for Kubernetes in the context of cloud-native
security. Each layer provides a secure foundation for the next layer. The four Cs of cloud-native
security are Cloud, Clusters, Containers, and Code.

Hybrid Data Centre Security
Data centres are rapidly evolving from a traditional, closed environment with static, hardware
based computing resources to an environment in which traditional and cloud computing
technologies are mixed.

Traditional Data Centre vs. Hybrid Cloud


The "ports first" traditional data centre security solution limits the ability to see all traffic on all
ports. The move toward a cloud computing model (private, public, or hybrid) improves
operational efficiencies.

Traditional Data Centre Weaknesses:
• Limited Visibility and Control
• No Concept of Unknown Traffic
• No Policy Reconciliation Tool
• Cumbersome Security Policy Update Process

Hybrid Cloud Strengths:
• Optimizes Resources
• Reduces Costs
• Increases Operational Flexibility
• Maximizes Efficiency

The Fundamentals of SOC (Security Operations Centre)
The Fundamentals of Security Operations Centre training is a high-level introduction to the
general concepts of SOC and SecOps. It will introduce the Security Operations framework,
people, processes, and technology aspects required to support the business, the visibility that is
required to defend the business, and the interfaces needed with other organizations outside of
the SOC.

• The Life of a SOC Analyst
• Business
• People
• Processes
• Interfaces
• Visibility
• Technology
• SOAR
• SOAR Solution

The Life of a SOC Analyst


Erik is a SOC analyst on the Security Operations team, and it is his job to triage alerts to
determine if there is a security threat. Before Erik starts his job, he will need to understand the
general concepts of SOC and SecOps and the business goals. Erik will need training and support
from the people he interacts with daily. While mitigating threats, Erik will need to know the
processes to follow, the teams he will be interacting with, and the technology he will be using
to gain visibility into the network.

Business
Both Erik and the SOC team are responsible for protecting the business. The reason for Security
Operations, for all of the equipment, for everything the SOC does, is ultimately to serve one main
goal: protect the business. Without the Business pillar, there would be no need for Erik or the
SOC team. The elements of the Business pillar are grouped in three: first, Mission, Governance
and Planning; second, Budget, Staffing and Facility; and third, Metrics, Reporting and
Collaboration.

People
The People pillar defines who will be accomplishing the goals of the Security Operations team
and how they will be managed. As a part of the People pillar, Erik received the training necessary
for him to be able to triage the alerts in addition to the other processes and functions within the
SOC. This training provides Erik with the skills necessary to become efficient at detecting and
prioritizing alerts. As Erik’s knowledge increases, he will have opportunities to grow on the
SOC team. He will also have the skills to advance in his career to other areas. The elements of
the Security Operations People pillar define the roles for accomplishing the Security Operations
team goals and how those roles will be managed; they are Employee Utilization, Training,
Career Path Progression, and Tabletop Exercises.

Processes
While monitoring the ticketing queue, Erik notices a new set of alerts that has been sent to the
SOC team by one of the network devices. Based on the alert messages, Erik needs to determine
whether the alert message is a security incident, so he opens an incident ticket. Erik starts by
doing his initial research in the log files on the network device to determine if the threat is real.

After reviewing the log files, Erik determines that the alert is a real threat. Based on the Severity
Triangle, Erik has determined that the severity level for this alert is currently High.
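The triage workflow described above (alert arrives, analyst checks the device logs, opens a ticket only for confirmed threats and assigns a severity) as an added Python example, not code from the course or from Palo Alto Networks. The alerts and log lines are constructed, and the severity thresholds are an assumption for illustration, not the course's Severity Triangle.

```python
import re

# Constructed alerts as a network device might send them to the SOC queue.
ALERTS = [
    {"id": "A-1", "src": "10.0.0.5", "signature": "malware-c2-beacon"},
    {"id": "A-2", "src": "10.0.0.7", "signature": "port-scan"},
    {"id": "A-3", "src": "10.0.0.9", "signature": "malware-c2-beacon"},
]

# Constructed device log lines the analyst reviews to confirm each alert.
LOGS = [
    "10.0.0.5 outbound 203.0.113.10:443 blocked signature=malware-c2-beacon count=42",
    "10.0.0.7 outbound 198.51.100.3:22 allowed signature=port-scan count=3",
]

LOG_RE = re.compile(
    r"^(?P<src>\S+) outbound (?P<dst>\S+) (?P<action>\w+) "
    r"signature=(?P<sig>\S+) count=(?P<count>\d+)$"
)

def parse_log(line):
    """Parse one device log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def corroborate(alert, logs):
    """Return parsed log records that back the alert (same source and signature)."""
    return [r for r in map(parse_log, logs)
            if r and r["src"] == alert["src"] and r["sig"] == alert["signature"]]

def assign_severity(evidence):
    """Assumed rule (not the course's): High for repeated events, Medium for a few, None if unconfirmed."""
    total = sum(r["count"] for r in evidence)
    if total == 0:
        return None
    return "High" if total >= 10 else "Medium"

def triage(alerts, logs):
    """Open an incident ticket for each alert the logs confirm; drop unconfirmed ones."""
    tickets = []
    for alert in alerts:
        evidence = corroborate(alert, logs)
        sev = assign_severity(evidence)
        if sev is None:
            continue  # no supporting log evidence: treated as a false positive
        tickets.append({"alert": alert["id"], "severity": sev, "evidence": len(evidence)})
    # Highest severity first so the analyst works the most urgent ticket
    tickets.sort(key=lambda t: ("High", "Medium").index(t["severity"]))
    return tickets
```

Running `triage(ALERTS, LOGS)` opens a High ticket for A-1 and a Medium ticket for A-2, while A-3, which no log line supports, is dropped.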

Interfaces
As Erik is investigating the alert generated by the network device, he partners with the Threat
Intelligence Team to identify the potential risks this threat may pose to the organization. Erik
also interfaces with the Help Desk, Network Security Team, and Endpoint Security Teams to
determine the extent of the threat that has infiltrated the network. Interfaces should be clearly
defined so that expectations between the different teams are known. Each team will have
different goals and motivations that can help with team interactions. Identifying the scope of
each team’s responsibility and separations of duties helps to reduce friction within an
organization. The interfaces are how processes connect to external functions or departments to
help achieve security operation goals. These are the Help Desk, Information Technology
Operations, DevOps, Operational Technology Team, Enterprise Architecture, SOC Engineering,
Endpoint Security Team, Network Security Team, Cloud Security Team, Threat Hunting,
Content Engineering, Security Automation, Forensics and Telemetry, Threat Intelligence Team,
Red & Purple Team, Vulnerability Management Team, Business Liaison, Governance, Risk and
Compliance.

Visibility
The Visibility pillar enables the SOC team to use tools and technology to capture network traffic,
limit access to certain URLs, determine which applications are being used by end users, and
detect and prevent the accidental or malicious release of proprietary or sensitive information.
The Visibility pillar comprises Network Traffic Capture, Endpoint Data Capture, Cloud Computing,
Application Monitoring, URL Filtering, SSL Decryption, Threat Intelligence Platform,
Vulnerability Management Tools, Analysis Tools, Asset Management, Knowledge
Management, Case Management, and Data Loss Prevention.

Technology
The Technology pillar includes tools and technology that increase our capabilities to prevent or
greatly minimize attempts to infiltrate the network. In the context of IT Security Operations,
technology increases our capabilities to securely handle, transport, present, and process
information beyond what we can do manually. By using technology, you amplify and extend
your abilities to work with information securely. The Technology pillar comprises Firewall, Intrusion
Prevention/Detection System, Malware Sandbox, Endpoint Security, Behavioural Analytics,
Email Security, Network Access Control, Identity & Access Management, Honeypots &
Deception, Web Application Firewall, Virtual Private Networks, Mobile Device Management,
Security Information & Event Management, and Security Orchestration Automation Response.

SOAR
The only reasonable long-term solution is to empower existing resources with a combination of
innovative orchestration, artificial intelligence, and machine learning technologies to automate
many of the manual processes that a SOC team faces each day. By automating processes, the
SOC team can focus its attention on what is truly critical: identifying, investigating, and
mitigating emerging cyber threats.
SOAR Solution
SOAR solutions improve SOC efficiency. Cortex XDR and Cortex XSOAR allow SOC
analysts like Erik to do in minutes what would otherwise take them hours to resolve. Tools
such as these are what will allow SOCs to scale into the future. Cortex is an artificial intelligence
based, continuous security platform. Cortex allows organizations to create, deliver, and consume
innovative new security products from any provider without additional complexity or
infrastructure.

Conclusion

I have gained knowledge of cybersecurity, fundamentals of network security, cloud security and
SOC. These courses helped me to understand the overview of the threat landscape and use various
tools and technology to defend against today's cyberattacks.

I could identify different malware types and understand cyberattack techniques, spamming and
how phishing attacks are performed. I identified the capabilities of the Palo Alto Networks
prevention-first architecture. Various security models helped me understand how all these
security attacks can be avoided.

All four courses helped me gain knowledge in cybersecurity operations, cloud computing
models, and the potential to defend home networks and mission-critical infrastructure. It was delightful
as it helped me develop skills in rapidly changing technologies. This raised my interest in
cybersecurity and in pursuing a career in cybersecurity.
