LDR551_Book1 Flashcards
What are common goals of attackers?
Intellectual property theft, extortion, destruction
How might an attacker exploit key IT assets?
To damage or hijack value creation.
What are the main categories to break down a SOC?
Business Alignment, Technology, People, Process.
What is crucial for SOCs to avoid reliance on ‘tribal knowledge’?
Solid foundation of processes and procedures.
What has driven increased understanding of cyber risk by businesses?
Heightened awareness and impact of breaches.
What do most organizations focus on in their cyber defense programs?
Technology solutions and tools.
What functions are consolidated in security operations?
Hunt, threat intelligence, IR functions.
What has brought increased visibility to the cyber security function?
Better articulated requirements
What aspect of the maturity model saw the biggest single-year jump?
People
What happens to SOCs without solid processes and procedures?
Reliant on ‘tribal knowledge’
What cripples the capability of SOCs lacking good processes?
Turnover of individuals
What stands out in the most capable cyber defense programs?
Repeatability, continuous improvement, metrics
What is the average measured maturity score for security operations teams?
Between 1 and 2
What does a score between 1 and 2 indicate about SOCs?
Tools not well-integrated, lack of structured process
What makes the effectiveness of most cyber defense programs unpredictable?
Lack of repeatability, metrics, continuous improvement
What is the ideal maturity level for most enterprise SOCs?
Level 3
What is the ideal maturity level for most managed service provider SOCs?
Level 4
What is a key characteristic of level 5 maturity?
Processes are rigid and less flexible
What is a significant downside of rigid processes in SOC management?
Significant overhead outweighs benefits.
What can rigid processes and overhead lead to in SOCs?
They can become counter-productive.
How can rigid processes affect SOC workforce engagement?
They can create a less engaged workforce.
What is a potential consequence of a less engaged SOC workforce?
Higher turnover in the SOC.
What are the biggest challenges for SOCs according to the SANS SOC Survey?
Lack of context, skilled staff, visibility, and automation.
What is one of the goals for new SOCs in the course?
Building a solid starting foundation.
What is a key focus for all SOCs in the course?
Move toward “level 3-4” maturity level.
What tactics will be used to ensure continuous improvement in SOCs?
Continuous improvement tactics and metrics.
What is the purpose of automation and orchestration in SOCs?
To “do more with less”.
What are the three main sections of the class?
Creating your SOC, Execution, Continuous Improvement.
What is the fictional organization used for scenario-driven problem solving in the class?
Ops Outpost.
What is the course roadmap for the SOC class?
Design and Planning, Telemetry and Analysis, Detection and Triage, Response, Metrics.
What is included in SOC Planning Overview?
SOC Mission, Requirements, Goals, Standards, Policies, Roles, Staffing.
What is the first step in SOC planning?
Decide between internal SOC, MSSP, or hybrid model.
What should and shouldn’t be considered a SOC?
Occasionally, the term “SOC” is used inappropriately.
What follows the discussion on SOC models?
Defining the mission, constituents, and capabilities.
What does defining SOC standards include?
Standards, policies, services, roles, staffing, charter, steering committee.
What is a common solution for organizations with 0-1,000 users?
MSSP + non-dedicated internal security team.
What is a common solution for organizations with 1,000-10,000 users?
MSSP Hybrid with some functions in-house.
What is a common solution for organizations with 10,000-100,000 users?
Full internal SOC with possible outsourcing.
What is a common solution for organizations with 100,000+ users?
Full-fledged internal SOC with auxiliary services.
What determines if a dedicated internal SOC is right for an organization?
Number of employees and assets to protect.
Why might a small organization not need a dedicated security group?
Cost-prohibitive due to headcount and hardware requirements.
When might a small organization need a dedicated security team?
If dealing with regulatory compliance, health, or payment data.
What is a common practice for companies with fewer than 1,000 people?
Utilize managed security service providers (MSSPs).
What is a hybrid SOC model?
MSSP handles monitoring, in-house specialists handle incidents.
What is a key consideration for organizations with over 10,000 people?
Full-fledged SOC with most roles covered in-house.
What should you define when planning a SOC?
Mission, goals, threats, requirements, constituency, capabilities.
What are common high-level goals of a SOC?
Situational awareness, monitoring, preventing/minimizing impact.
What is the mission of the average security-focused SOC?
Maintain situational awareness, monitor events, prevent damage.
What should SOCs maintain awareness of?
Situational awareness of the threat landscape.
What is the key goal of any SOC?
Situational awareness of internal and external security environments.
What is the “detection” piece of the SOC process?
Monitoring network and endpoint events for suspicious activity.
What is the ideal role of a SOC in cyber incidents?
Preventing or minimizing damage and disruption.
What should a SOC do when bad things happen?
Run down the ground truth, clean up, and restore order.
What is a “mission statement” for a SOC?
Output of the phase defining SOC’s goals.
What are key questions in threat modeling?
What to protect, from whom, likelihood, consequences, and effort.
What is the essence of Sun Tzu’s quote in threat modeling?
Preparation, understanding the enemy, and resource optimization.
What is required for effective defense?
Starting with the best possible threat model.
What should everyone in a SOC think about daily?
Who the enemy is, what they want, and how they’ll get it.
What is the entire point of threat intelligence?
Developing a strategic and tactical advantage over adversaries.
What must SOCs consider in their operations?
Compliance frameworks, standards, company policies, service levels.
What are common compliance frameworks affecting infosec?
GDPR, PCI-DSS, HIPAA, NIST SP 800-171, SOX, GLBA.
What does GDPR require?
Businesses must protect EU citizen personal data.
What is PCI-DSS designed to protect?
Credit cardholder data.
What does HIPAA regulate?
Privacy and security rules for health care information.
What does NIST 800-171 recommend?
Security requirements for protecting Controlled Unclassified Information (CUI).
What are examples of control frameworks?
CIS Critical Security Controls, NIST SP 800-53.
What are examples of program frameworks?
NIST Cyber Security Framework (CSF), ISO/IEC 27001.
What are examples of risk frameworks?
NIST SP 800-30, SP 800-37, SP 800-39, ISO/IEC 27005.
What are the three main types of cybersecurity frameworks?
Controls frameworks, program frameworks, and risk assessment frameworks.
What is the purpose of controls frameworks?
To provide baseline controls to mitigate cyber intrusions.
How do controls frameworks help established SOCs?
They assess technical capability and prioritize budget use.
Name two examples of controls frameworks.
CIS Controls and NIST SP 800-53.
What are the three implementation groups in the CIS Controls list?
Basic cyber hygiene, implementation group one.
What is the NIST Cyber Security Framework?
A program framework for structuring and operating security programs.
What is the purpose of risk frameworks?
To provide a standard way of assessing risk.
Name one example of a risk framework.
NIST SP 800-30 Guide for Conducting Risk Assessments.
What is SOC-CMM?
A tool for assessing SOC capabilities.
What should you do if creating new cybersecurity policies?
Leverage pre-made IT policy templates.
What is the SOC’s constituency?
The set of users, assets, networks, or organizations secured by the SOC.
What should be well defined for the SOC?
Group scope of protection
What should you consider when selecting SOC services?
Size and capacity of your team
What are small organizations’ SOC services focused on?
Monitoring and detection
What might large organizations’ SOC services include?
Core SOC functions and auxiliary capabilities
What is encouraged when choosing SOC services?
Not to boil the ocean from the start
What is a smart plan for SOC service offerings?
Break into phases for rollout
What should a SOC charter include?
Goals, mission statement, scope, authority
Why is the SOC charter important?
Authorizes SOC build and operation
Who should sign off the SOC charter?
Management
What is the purpose of the SOC steering committee?
Ensure business alignment and correct activities
What is the role of the steering committee in SOC planning?
Provides two-way communication with business
When should steering committee meetings be held?
Regularly or with significant changes
What is the goal regarding security in new initiatives?
Ensure security has a seat at the table
What does “shift left” in DevSecOps mean?
Add security from the start
What is a better approach to cloud security?
Notify security before usage
What is a good way to ensure security stays aware and represented in initiatives?
Constant engagement with IT, Legal, and Finance
What is the “10 tight/25 right/100 light” rule for tracking key relationships?
10 close, 25 regular, 100 occasional contacts