LDR551-Book2 Flashcards
What should a user do if they disagree with the CLA terms?
Not access the Courseware, return for refund
What actions are prohibited without SANS Institute’s consent?
Copying, reproducing, distributing, modifying Courseware
What are the consequences of breaching the CLA?
Irreparable harm, enforceable by injunction
What must the user warrant regarding sanction programs?
Not listed on OFAC or BIS denied party lists
What must the user avoid regarding U.S. export control laws?
Not allow access to embargoed countries
What are the key topics in Section 2 of LDR551?
Collection and Monitoring, Cyber Defense Theory, SOC Tools, MITRE ATT&CK
What mindset should modern cyber defense teams adopt?
Presumption of Compromise
What is a key focus of modern cyber defense?
Detection-Oriented Defense
Who should proactively assume compromise in a SOC?
Hunt teams
What should be the priority for hunt teams?
Post-exploitation stage attacks
What should hunt teams do when they find an issue?
Take care of it quickly and thoroughly
What is a risk-informed strategy in SOC?
Align defenses to prevent most damaging scenarios.
What is the Lockheed Martin Cyber Kill Chain designed to model?
Advanced persistent threats (APTs).
What is a common misuse of the Cyber Kill Chain?
Applying it to all alerts.
What is the purpose of the Kill Chain and Mandiant Attack Cycle?
Visualize attack progress and steps.
What happens if the Kill Chain is used beyond its intended purpose?
It leads to confusion.
What is the advantage of Org 2’s defense strategy?
Better “defense in depth” posture.
What does the Pyramid of Pain illustrate?
Different levels of detection difficulty.
What is a drawback of relying on bottom layer items in the Pyramid of Pain?
Easy to bypass detection capability.
Why is a spread of detection capabilities important?
Provides defense in depth across the pyramid.
What are the characteristics of items at the top of the pyramid?
Longer living, broad coverage, lower fidelity
What are the characteristics of indicators at the bottom of the pyramid?
Short-lived, easy to identify attacks
Why do the two types of analytics team up well?
Provide depth of coverage in different scenarios
What should you do if your analytics distribution is lacking?
Make it a priority to build up the missing piece
What does MITRE ATT&CK provide?
Standardized vocabulary of tactics and techniques
What do tactics describe in the MITRE ATT&CK framework?
Goals attackers need to accomplish
What happens when a new attack technique is found by MITRE?
It is added under one or more tactics
What should you do if you can detect relevant items on the MITRE ATT&CK framework?
Give yourself a pat on the back
How does MITRE ATT&CK help newer analysts?
Provides learning opportunity for attacker TTPs
What can you do if you have no threat intel but know APT X attacks your industry?
Prioritize techniques used by APT X
How can MITRE ATT&CK be used to measure defensive team improvement?
Objectively measure defensive team improvement
What indicates Blue Team improvement in MITRE ATT&CK?
Rise in percentage or count of covered techniques
What is the PICERL model based on?
NIST SP 800-61 “Computer Security Incident Handling Guide”
What stage do most analysts drop in during the PICERL model?
Identify stage
What does the DAIR model address compared to PICERL?
Practical application criticisms like least privilege
What does DAIR highlight the need for?
Security monitoring, threat intelligence, vulnerability remediation
How does DAIR conceptualize incident response?
As multiple events occurring across time.
How does DAIR differ from the PICERL model?
DAIR uses waypoints, outcomes, and activities.
Are PICERL and DAIR mutually exclusive?
No, they complement each other.
What is the OODA loop?
Observe, Orient, Decide, Act.
Who designed the OODA loop?
John Boyd, a military strategist.
What does the OODA loop represent for a SOC?
Stages to go head-to-head with adversaries.
What drives the operations tempo in a SOC?
The OODA loop.
What is the key step in the OODA loop?
The “Orient” phase.
What is the main takeaway from the OODA loop model?
Faster, accurate loops win head-to-head situations.
What differentiates a manager from a leader according to Peter Drucker?
Manager does things right; leader does the right things.
What are the two roles required to run a SOC?
Management and leadership.
What must a leader of a SOC be aware of?
Industry news, trends, and available tools.
What is necessary for day-to-day SOC operations?
Balanced workload, following processes, securing the organization.
What is the main goal in infinite games?
Stay in the game as long as possible
What are examples of finite games?
Sports, board games
What are examples of infinite games?
Business, marriage, education, life
What is the primary difference between finite and infinite games?
How you win
What happens in infinite games by definition?
They have no end
What is the goal of finite games?
To beat out your opponent
What do finite games have that infinite games lack?
A clear outcome at the ending time
What do infinite games require for long-term success?
Infinite strategies
What mindset is doomed for sub-optimal results in infinite games?
Finite game mindset
What do finite-minded players tend to overlook?
Second order effects
What does Sinek say about finite-minded businesses?
They may rely too heavily on a single product
What does human nature drive us to focus on in finite games?
Personal rewards
What is necessary to succeed in an infinite game?
Focus on the long term
What is the focus of a short-term SOC strategy?
Ticket numbers closed, time-based goals
What should a SOC optimize for in an infinite game strategy?
Job satisfaction, retention, engagement
What is a key aspect of playing with an infinite strategy in SOC?
Sustainability of workload
What does Sinek’s infinite game strategy emphasize for SOCs?
Continuous improvement, team building
What should a human-focused SOC prioritize?
Challenging, growing, and creative employees
What is the benefit of cybersecurity mental models?
Help analysts understand complex events
What is the goal of SOC Theory and Models?
Avoid misapplying models, help operations
What are the main tools used daily by SOC analysts?
EDR/XDR, SIEM, TIP, IMS
What does SOAR stand for?
Security Orchestration, Automation, & Response
What is the role of EDR/XDR in a SOC?
Central interface for querying, detection, analysis
What is the function of a SIEM?
Nexus of all log data
What does a Threat Intelligence Platform provide?
Context around matched IOCs
What is the purpose of an Incident Management System?
Ticketing system for working incidents
What does SOAR focus on in a SOC?
Automation tools for efficiency
What do Use Case Databases/Playbooks/SOPs inform analysts about?
Actions to take when an alert triggers
What is stored in an Unstructured Information Knowledgebase?
Additional reference data for analysts
What is a common use for systems like OneNote or SharePoint in a SOC?
Collaboratively adding and editing data
What is the main job of a SIEM?
Receive and parse all logs correctly
Why is high-quality data important for a SIEM?
Better chances for successful detection
What is the role of a Threat Intelligence Platform in a SOC?
Stores tactical, operational, strategic threat intel
What must be exported periodically to a SIEM or IDS?
All atomic indicators
What should a TIP ideally contain?
Info on how, when, and why each atomic item was marked as an IOC.
What does an analyst need to do when an alert goes off?
Find why the IP was marked bad.
What is the main source of incoming data for the IMS?
Alerts sent from the environment.
What should analysts do once incidents are investigated and closed?
Close the associated ticket.
What is a key item to note when closing an incident ticket?
Categorization of the incident.
Why should metrics be noted in a structured way?
To help SOC managers allocate budget.
What should be done before selecting or changing an IMS?
Thoroughly test contenders with real-world scenarios.
Who should drive the testing of IMS contenders?
Analysts.
What should a SOC knowledgebase include?
Unstructured documents, reference info, and general storage.
What is essential for a knowledgebase to be useful?
Usability and ease of maintenance.
What is the first step in selecting the right technology?
Identify the opportunity.
What is the second step in selecting the right technology?
Define analysis criteria.
What is the third step in selecting the right technology?
Identify alternatives.
What is the fourth step in selecting the right technology?
Compare features & functionality.
What is a major element of security operations?
Technology
Why is it important to maintain governance over SOC technologies?
To manage changes and improvements
What must you quantify when investing in SOC technology?
Return on investment
What is MITRE’s formal analysis process called?
Analysis of Alternatives (AoA)
What does AoA provide a framework for?
Evaluating and comparing solutions
What can help keep your decision data-driven and objective?
Using the AoA process as a reference
What did the US Government Accountability Office report about the Department of Defense?
Caused budget overruns by not evaluating alternatives
What can conducting a proper evaluation when selecting new tools help reduce?
Cost and operational risks
What are the five phases of the AoA process?
Identify opportunity, define criteria, identify alternatives, compare, report
What should strategic priorities inform?
Tool deployment and data collection
What can attack tree diagrams help with?
Brainstorming damaging attacks and planning defenses
What is a vital step in devising a threat-informed defense?
Using threat modeling output for planning
What tools are commonly used in SOCs?
EDR & XDR, SIEM, Threat Intelligence Platform, Incident Management System
What should be the goal when purchasing SOC tools?
Improve analyst workflow and organize detection data
What is the goal of the initial course section?
Understand what to purchase now and what can wait.
What is the first step in the core SOC process?
Data collection.
What will be reviewed in the systems-level model of the collection function?
Most important sources of log data.
What complicates data collection according to the text?
New encryption protocols.
What is crucial in the SOC process for effective detection and triage?
Appropriate data collection.
What does the collection system include?
Environment, Auditing, Collection Policy.
What is the first core function discussed in the text?
Data collection capability.
What happens between events being generated and collected?
Events are logged/recorded and centralized.
What influences whether events are recorded locally or centrally?
Auditing policy and collection policy.
What is the ideal collection system for security data?
Perfect Auditing Policy, Complete Collection.
What should be centralized in an ideal collection system?
Events of security value.
What major input influences the ability to detect attacks?
Threat intelligence.
What characterizes the realistic collection system in average organizations?
Imperfect Auditing Policy, Best effort Collection Policy.
Why might some important events not be recorded centrally?
Gaps in knowledge, affordability, visibility.
What drives the best effort solution in realistic collection systems?
Volume, access, threat intel.
What is a consequence of not having a proper auditing policy?
Inadequate attack detection capability.
What is the first step in setting up an effective system for attack detection?
Setting up an auditing policy and network infrastructure
What must thorough collection be matched with?
A solid centralization and collection strategy
Why is starting off with a good auditing and collection policy important?
It gives the best chance of attack detection downstream
What are the two components of complete collection?
Network Security Monitoring (NSM) and Continuous Security Monitoring (CSM)
What does Network Security Monitoring (NSM) include?
Full packet capture and network metadata
What does Continuous Security Monitoring (CSM) include?
Endpoint/device-generated data and application/SaaS logs
What are the two major types of data in the collection function?
Network data and endpoint data
What does network data tell us?
Who is talking to whom, protocols used, and conversation content
What does endpoint and application data provide?
Details about processes and access nature
Why is it important to have both network and endpoint data?
Attackers may subvert endpoint data collection
What is a key aspect of audit policy in a SOC?
Flexibility, as collection needs may change
What drives log volume in a collection policy?
Collection policy
What should you consider when deciding what to collect?
Specific goals for collection
What are some goals for log collection?
IOC-based matching, advanced attack detection, audit, compliance
What is a common misconception about compliance and log collection?
That it means full collection of everything possible
What are the three common strategies for log centralization?
Input-driven, output-driven, and a balanced approach
What is the most cost-effective and high-performing way of collecting logs?
Output-driven collection
What is the hybrid collection approach?
Start input-driven, then reduce noise
What should be done with high-volume, likely not useful items?
Turn them off
What should be done with low-volume, potentially useful logs?
Leave them on
Which approach does the SANS Blue Team Operations curriculum recommend?
Hybrid approach
What is a key feature of the hybrid approach?
Emphasizes tactical collection
Why should your auditing and collection strategy be in constant flux?
To adapt to changing threats
What course is recommended for SIEM engineers and SOC analysts?
SEC555: SIEM with Tactical Analytics
What is a key to success in audit policy flexibility?
Fast approval process for changes
Why must your collection policy be nimble?
To keep up with attackers
What should be centrally managed in a nimble collection policy?
Audit policies
What should be fast-tracked in emergency situations?
Pushing changes
What is a benefit of having control over audit policy changes?
Maintain OODA loop pace
What is the goal of tactical collection?
Balance centralization and local storage
Why are PowerShell logs often not recorded?
They can be very high volume
What does FireEye recommend for logging PowerShell?
Centrally log specific events
What is an alternative if you can’t centralize all logs?
Store them locally
What is the easiest method for log collection?
SIEM agent
What is the most customizable log collection method?
SIEM agent/Third-party agent
What is the built-in OS forwarding method for Windows?
Windows Event Forwarding
What is the built-in OS forwarding method for Linux?
Syslog Daemon (Rsyslog, Syslog-ng)
What should you consider when choosing a log collection method?
What you are optimizing for
What is a downside of packaged SIEM agents?
May lack advanced features
What is a suggested third-party log agent with a free edition?
NXLog
What is the built-in logging method for Linux/Unix?
syslog daemon
What is the built-in logging method for Windows?
Windows Event Forwarding
What is a benefit of using the OS’s built-in logging method?
Path of least resistance
What can you set up if built-in logging methods are not an option?
Agentless pickup via remote system
What are the separable functions inside a SIEM?
Parsing, Filtering, Enrichment, Indexing, Storage
What does parsing in SIEM involve?
Breaking logs into constituent fields
What is the purpose of filtering in SIEM?
Decide if log is stored or discarded
What does enrichment in SIEM do?
Correlates logs with external data
What is the role of indexing in SIEM?
Index log entries for quick retrieval
Why is data quality important in SIEM?
Determines the usefulness of logs
What happens if data is not parsed correctly in SIEM?
SIEM can’t understand it
What is categorization in SIEM?
Labeling events with tags
What is normalization in SIEM?
Standardizing field names across sources
What does data enrichment involve in SIEM?
Supplementing logs with additional context
What does enrichment help with in threat hunting?
Turns event logs into detailed threat hunting data
What are some highest-value host-based data sources?
Authentication events, process creation, IOC matches
Why do we need the output of security tools like antivirus?
They match known IOCs and provide high-fidelity detections
What makes a great starting point for detecting malicious activity?
Authentication events
What should SOCs look deeper into beyond brute force attempts?
Context of logins and their origins
What is a fast-acting detection for privileged accounts?
Identifying use outside expected locations
What information do host process creation events provide?
What ran, when, where, hash, signature, arguments
What are high-value items to monitor for malware persistence?
Autorun keys, installed services, scheduled tasks
Why is it important to compare autorun programs across an enterprise?
To find malicious items by ranking common autoruns
What are some highest-value network-based data sources?
Network service logs, proxy/web logs, DNS, DHCP
What do network service logs help with?
Identify anomalies during threat hunting
What do proxy and web logs, DNS, and DHCP help us find?
What is on the network and where devices are going
What protocols help catch potential lateral movement?
SSH, SMB, PowerShell Remoting, VNC, RDP
What are some new challenges for network-based data collection?
TLS 1.3, DoH/DoT, HTTP/2 & 3, QUIC
What does TLS 1.3 enforce that affects traffic decryption?
Perfect forward secrecy
What is the impact of encrypted certificate details in TLS 1.3?
Cannot passively record certificate info
What does Encrypted Client Hello (ECH) hide?
Domain name, leaving only IP address visible
What is TLS 1.3?
A new TLS encryption standard released in 2018.
When was TLS 1.2 released?
2008
What does TLS 1.3 fix compared to TLS 1.2?
Many security issues present in TLS 1.2
What type of cipher suites does TLS 1.3 allow?
Only those providing “perfect forward secrecy” (PFS)
What is required to decrypt a TLS 1.3 connection?
Unique information from every TLS connection
How could traffic be decrypted in older standards?
With the server’s private key
What must be present for the entire conversation in TLS 1.3?
The interception proxy
What certificate details are no longer visible in TLS 1.3?
Details for the site the user is connecting to
What field can still be used to detect the domain name in TLS 1.3?
The “SNI” field
What does Encrypted Client Hello (ECH) encrypt?
The entire “Client Hello” portion of a TLS handshake
What will be the only details left without decryption with ECH?
IP address and port
Who originally developed TLS fingerprinting?
Salesforce’s security team
What is JA4 in TLS fingerprinting?
Client fingerprint
What is JA4S in TLS fingerprinting?
Server fingerprint
What does JA4 concatenate and hash?
Fields from “ClientHello” TLS packet
What can JA4 fingerprints help identify?
Good and bad connections without decryption
What can network security monitoring tools like Zeek create?
JA4 and JA4S hashes
What does JARM do differently from JA4?
Actively probes a server and fingerprints responses
How can JARM be used to identify malicious servers?
By creating a JARM fingerprint of the server
What is a potential risk of using endpoint telemetry over network layer visibility?
It may ruin your OPSEC.
What is a recommended action if you can’t get approval for TLS decryption?
Deploy tools to check JA4 hashes.
What is DNS over HTTPS (DoH)?
DNS traffic over port 443 using TLS/HTTPS.
What does DoH mean for DNS traffic?
DNS traffic becomes indistinguishable from web traffic.
What is a security concern with DoH?
Blocking non-controlled DNS servers becomes harder.
What must you do to log DNS requests with DoH?
Intercept TLS or provide your own DoH server.
Which applications use DoH by default, bypassing system DNS settings?
Firefox.
How can you identify DoH traffic without decryption?
Check destination IP addresses of well-known DoH providers.
What should you search for to test normal uses of DoH on your network?
Port 443 traffic to known DNS server IPs.
What is a challenge with HTTP/2 and HTTP/3 for SOCs?
Interception is required to view the protocol.
Why is interception required for protocol analysis?
To even view the protocol.
What is a major challenge with HTTP/2 and HTTP/3 for SOCs?
They complicate data analysis.
How has data representation changed in HTTP/2 and HTTP/3?
It has drastically changed for performance.
What is a limitation of Wireshark with HTTP/2?
Cannot carve files out automatically.
What makes analysis of malicious activity over HTTP/2 and HTTP/3 difficult?
Guaranteed usage of encryption.
What did James Kettle’s research at DEF CON 2021 reveal?
Issues with HTTP/2 in some applications.
What problem did James Kettle demonstrate with a SaaS vendor’s application?
Users logged in as random others.
What is a challenge with NSM in the cloud?
Cloud collection options are less developed.
What level of visibility do most SOCs consider adequate for cloud assets?
Flow log-level visibility.
Which cloud platform has the most feature complete offerings for visibility?
AWS.
What is a key consideration for SOC data collection?
Clear goals and careful planning.
What must SOC managers be good stewards of?
Organization’s data and investments.
What does the MITRE ATT&CK framework help with in SOCs?
Data source prioritization.
What can threat groups be translated into?
Tactics and techniques
What is the numeric identification scheme for mitigations in ATT&CK?
M####
What do group pages in the ATT&CK knowledge base list?
Techniques and software used
What are groups in the ATT&CK framework?
Sets of related attack campaigns
Give examples of named threat groups.
APT1, DarkHotel, Turla
What does the software category in ATT&CK enumerate?
Tools and open-source software used by attackers
What is the numeric identification scheme for software in ATT&CK?
S####
What do data sources in ATT&CK list?
Sources of information for detecting techniques
What new addition was made in ATT&CK v12?
Tracking individual campaigns
Which data source covers the most ATT&CK techniques?
Command execution
How many techniques does Command Execution cover?
155 techniques
What is the second most relevant data component after Command Execution?
Process Creation
What is the purpose of ATT&CK Navigator?
Identify priority attack techniques and detection gaps
What is the first step in using ATT&CK Navigator for assessments?
Make a layer for each threat group
What should be done after creating layers in ATT&CK Navigator?
Sum the layers to find highest numbers
What is the first step in using the ATT&CK Navigator application?
Make separate layers for each threat group
How does MITRE ATT&CK fill in techniques for threat groups?
Using its built-in knowledge
What does each technique receive in the ATT&CK Navigator?
A “score” to differentiate it
What is the result of adding all individual threat group layers together?
A super-layer of all threat group activities
What can you enter to take the analysis further in ATT&CK Navigator?
Data sources and mitigations
What emerges after combining threat layers with mitigation and data source layers?
A quick way to assess gaps in coverage
What is the difficult piece of the puzzle in detection?
Detection logic itself
What does MITRE’s Cyber Analytics Repository provide?
Pre-made detection rules
What question does a SOC detection capability answer?
Can you detect technique x?
What complicates detection capabilities?
Nuance and different environments
What is the goal of tracking detection capabilities?
Track meaningful metrics
What should you consider when tracking detection capabilities?
Balance between details and simplicity
What is the DeTT&CT project?
Tools to label and visualize capabilities
What does the DeTT&CT script generate?
An ATT&CK Navigator layer
What is the GitHub URL for DeTTECT?
https://github.com/rabobank-cdc/DeTTECT
What is the URL for MITRE ATT&CK for Enterprise?
https://attack.mitre.org/
What is the URL for Malware Archaeology Logging Cheat Sheets?
https://www.malwarearchaeology.com/cheat-sheets
What is the URL for Roberto Rodriguez’s OSSEM Project?
https://github.com/OTRF/OSSEM
What is the first section in the Course Roadmap?
SOC Design and Operational Planning
What is the objective of Exercise 2.3?
ATT&CK Navigator for Attack Technique Prioritization
What is the ideal alert count scenario?
All true positives, zero false negatives
What are good causes for more alerts?
New tools, threat hunting
What are bad causes for fewer alerts?
Lack of visibility for attacks
What might increase alert count but be a good thing?
Detecting previously missed attacks
What is the goal of handling alerts in a SOC?
Drive down bad things, catch all true positives
What percentage of SOCs tune alerting features to reduce alert volume?
57%
What are two “bad” ways to handle too many alerts?
Turning off high-volume alerts, ignoring categories
What percentage of respondents hire more analysts to handle alerts?
38%
What is the goal for the alert queue size in a SOC?
Keep it at an average size of zero
What happens if alert generation rate exceeds triage rate?
Alert queue > 0
What is a basic formula for alert workload?
W = N * T
What are the key variables in triage capacity planning?
Average number of items, time per item
What is a method to estimate alert count for established teams?
Historical metrics
What is the best source of information for SOC’s alert count history?
Historical metrics from your own SOC.
What can historical metrics help you understand about alerts?
Average number of alerts and variance.
For which SOCs is the historical metrics approach best suited?
SOCs with months to years of data.
Why is it important to understand the variance in alert counts?
It affects capacity planning.
What do you need to estimate alert counts accurately?
Worst-case, average, and lowest numbers.
What should SOCs without years of data do?
Combine existing data with other approaches.
What can SOCs use if they haven’t started yet?
Survey data from others.
What is a drawback of using survey data for alert counts?
It can be wildly inaccurate.
What will replace survey data once SOC data starts coming in?
Historical averages.
How can you reduce inaccuracy in alert estimation?
Use alerts per person number.
What can probabilistic calculations help with?
Estimating minimum and maximum alert numbers.
What assumptions are key for probabilistic calculations?
Nature of alerts and time to address.
What is a major issue in defining “alert” for time calculation?
Not all alerts require evaluation.
Why are enormous alert numbers not useful for capacity planning?
They don’t reflect reality.
What complicates capacity planning based on alert count?
Duplicates, false positives, simulations.
What is a significant factor in the makeup of alert populations?
Many alerts are not unique or malicious.
Why do alert counts from analysts often not match up?
Analysts deal with aggregated alerts, not single items.
What does the Poisson distribution help estimate in cybersecurity?
Bounds on the number of cyber attacks.
What is a key characteristic of alerts in security operations?
Alerts are not 1:1 with potential issues.
What should be counted to better predict time required for investigations?
Count “potential issues” investigated.
What is the main goal of measuring aggregated issues?
To understand time spent on investigations.
What is a Poisson process?
Events occur randomly at a constant average rate.
Why is the Poisson distribution useful despite not being perfect?
Leads to better conclusions than guessing.
What is the relationship between the Poisson and binomial distributions?
Poisson is a specific case of binomial.
What is the Poisson distribution used for in SOCs?
Estimating expected rate of randomly occurring events.
What can be predicted if cyber attacks are assumed to be a Poisson process?
Average number of issues per day and bounds.
What does the upper left chart show for a SOC averaging two issues per day?
Distribution of alerts per day.
What percentage of days will a SOC with two issues per day see 0 alerts?
17% of days.
What is the probability of seeing 1 alert per day in a SOC with two issues per day?
27% of days.
What is the probability of seeing 2 alerts per day in a SOC with two issues per day?
27% of days.
How often will a SOC with two issues per day see 3 alerts?
18% of days.
How often will a SOC with two issues per day see 4 alerts?
9% of days.
How often will a SOC with two issues per day see 5 alerts?
4% of days.
How often will a SOC with two issues per day see 6 alerts?
1% of days.
How often will a SOC with two issues per day see 7 alerts?
0.3% of days.
How can capacity planning be estimated with Poisson distribution?
By estimating issue count.
What is a critical variable in capacity planning using Poisson distribution?
Issue count.
What should a SOC do if staff can handle the worst days predicted?
No problem handling expected volume.
What is a limitation of using Poisson distribution for issue count?
Doesn’t address average time to deal with issues.
Where can you create interactive Poisson distribution charts?
Google or WolframAlpha.
What is the POISSON.DIST function used for in Excel?
Building Poisson distribution models.
What does the “cumulative” variable in POISSON.DIST determine?
Cumulative percentage up to that point.
What does using FALSE for the cumulative variable in POISSON.DIST show?
Probability of specific number of alerts.
What is shown by the cumulative distribution function?
Cumulative probability up to a point.
What should you do if you have data on investigation times?
Group by category, graph, and find distribution.
What should you do if you don’t have data on investigation times?
Use probabilistic modeling and surveys.
What should be estimated to understand alert volume?
Minimum, average, and high-volume alert days
What should be leveraged for estimating alert times?
Existing data
What will be discussed over the next few slides?
Sub-dividing alerts and estimating times
What does grouping triaged items by time show?
Multiple clusters of items
What is not a completely random variable?
Triage time
What tends to have an independent average time?
Items of one nature
What leads to large margins of error in prediction?
Using whole population average
What helps in better understanding alert times?
Breaking data into smaller groups
What emerges from showing types of alerts in a histogram?
Detailed and nuanced picture
What aligns well when further grouped by alert type?
Time taken to deal with alerts
What is better than knowing the overall average alert time?
Average and variance for each type
What allows more accurate workload prediction?
Detailed alert type data
What may lead to diminishing returns?
Getting too fancy with data breakdown
What are some options for estimating time?
Surveys, normal/log-normal, uniform, beta distributions
What is a good starting place for modeling alert times?
Log-normal distribution
What does survey data provide for estimating times?
Base data to start with
What do most analysts self-report about investigation times?
Twenty minutes or less
What might allow probabilistic estimation for investigation timing?
Choosing a good model like Poisson
What stands out as a good distribution for alert times?
Log-normal distribution
What is a log-normal distribution best used for?
Skewed data with no negative values
What does the log-normal distribution prevent?
Negative investigation times
What analysis is used to simulate total time required?
Monte Carlo analysis
What is the starting point for estimating time required for alerts?
Log-normal distribution
What tool can be used to subdivide alert types and categories for detailed estimates?
Excel
What is the easiest method for running capacity planning simulations?
Monte Carlo analysis
What does Monte Carlo analysis simulate for capacity planning?
Simulated distributions for count and time
What does Monte Carlo analysis produce besides an average?
A range of total time needed
What should be defined before running capacity planning calculations?
Exactly what is being calculated
What type of data should be used in capacity planning?
Historical data
What should be looked for in capacity planning besides averages?
Ranges
What distribution is used to understand expected investigation time?
Log-normal distribution
What distribution is used to bound expectations of alert count?
Poisson distribution
What is a key security consideration for SOC members?
Keeping SOC members safe
What should be separated to secure SOC data?
Separate SOC data and accounts
What is a nightmare scenario for SOC managers and security teams?
Attacker leveraging SOC infrastructure
What must be avoided to prevent a compromise of the security team?
Separate SOC data and accounts
What roles must a SOC analyst play?
Normal employee, privileged user, investigator
Why is separation of accounts and assets important?
To safely perform different roles
What tasks might a SOC analyst perform?
Reading email, downloading files, browsing internet
What access might SOC analysts have?
Sensitive data, power to make changes
How can analysts operate safely in different roles?
Separate accounts and assets
Why separate accounts and computers for SOC analysts?
To prevent role-based mistakes
What is one risk of a single machine/account for SOC analysts?
Easy escalation for attackers
What happens if an analyst’s machine is compromised?
All credentials can leak
What is the benefit of separate machines and accounts?
Prevents privilege escalation
What is a drawback of using separate machines and accounts?
Increased complexity and reduced productivity
How can secure workstations be further protected?
Firewalling and hardened configurations
What if authentication systems are compromised?
Leads to access to all security info
What could mitigate domain controller compromise?
Separate authentication systems