LDR551_Book1 Flashcards

1
Q

What are common goals of attackers?

A

Intellectual property theft, extortion, destruction

2
Q

How might an attacker exploit key IT assets?

A

To damage or hijack value creation.

3
Q

What are the main categories to break down a SOC?

A

Business Alignment, Technology, People, Process.

4
Q

What is crucial for SOCs to avoid reliance on ‘tribal knowledge’?

A

Solid foundation of processes and procedures.

5
Q

What has driven increased understanding of cyber risk by businesses?

A

Heightened awareness and impact of breaches.

6
Q

What do most organizations focus on in their cyber defense programs?

A

Technology solutions and tools.

7
Q

What functions are consolidated in security operations?

A

Hunt, threat intelligence, IR functions.

8
Q

What has brought increased visibility to the cyber security function?

A

Better articulated requirements

9
Q

What aspect of the maturity model saw the biggest single-year jump?

A

People

10
Q

What happens to SOCs without solid processes and procedures?

A

Reliant on ‘tribal knowledge’

11
Q

What cripples the capability of SOCs lacking good processes?

A

Turnover of individuals

12
Q

What stands out in the most capable cyber defense programs?

A

Repeatability, continuous improvement, metrics

13
Q

What is the average measured maturity score for security operations teams?

A

Between 1 and 2

14
Q

What does a score between 1 and 2 indicate about SOCs?

A

Tools not well-integrated, lack of structured process

15
Q

What makes the effectiveness of most cyber defense programs unpredictable?

A

Lack of repeatability, metrics, continuous improvement

16
Q

What is the ideal maturity level for most enterprise SOCs?

A

Level 3

17
Q

What is the ideal maturity level for most managed service provider SOCs?

A

Level 4

18
Q

What is a key characteristic of level 5 maturity?

A

Processes are rigid and less flexible

19
Q

What is a significant downside of rigid processes in SOC management?

A

Significant overhead outweighs benefits.

20
Q

What can rigid processes and overhead lead to in SOCs?

A

They can become counter-productive.

21
Q

How can rigid processes affect SOC workforce engagement?

A

They can create a less engaged workforce.

22
Q

What is a potential consequence of a less engaged SOC workforce?

A

Higher turnover in the SOC.

23
Q

What are the biggest challenges for SOCs according to the SANS SOC Survey?

A

Lack of context, skilled staff, visibility, and automation.

24
Q

What is one of the goals for new SOCs in the course?

A

Building a solid starting foundation.

25
Q

What is a key focus for all SOCs in the course?

A

Move toward “level 3-4” maturity level.

26
Q

What tactics will be used to ensure continuous improvement in SOCs?

A

Continuous improvement tactics and metrics.

27
Q

What is the purpose of automation and orchestration in SOCs?

A

To “do more with less”.

28
Q

What are the three main sections of the class?

A

Creating your SOC, Execution, Continuous Improvement.

29
Q

What is the fictional organization used for scenario-driven problem solving in the class?

A

Ops Outpost.

30
Q

What is the course roadmap for the SOC class?

A

Design and Planning, Telemetry and Analysis, Detection and Triage, Response, Metrics.

31
Q

What is included in SOC Planning Overview?

A

SOC Mission, Requirements, Goals, Standards, Policies, Roles, Staffing.

32
Q

What is the first step in SOC planning?

A

Decide between internal SOC, MSSP, or hybrid model.

33
Q

What should and shouldn’t be considered a SOC?

A

Occasionally, the term “SOC” is used inappropriately.

34
Q

What follows the discussion on SOC models?

A

Defining the mission, constituents, and capabilities.

35
Q

What does defining SOC standards include?

A

Standards, policies, services, roles, staffing, charter, steering committee.

36
Q

What is a common solution for organizations with 0-1,000 users?

A

MSSP + non-dedicated internal security team.

37
Q

What is a common solution for organizations with 1,000-10,000 users?

A

MSSP Hybrid with some functions in-house.

38
Q

What is a common solution for organizations with 10,000-100,000 users?

A

Full internal SOC with possible outsourcing.

39
Q

What is a common solution for organizations with 100,000+ users?

A

Full-fledged internal SOC with auxiliary services.

40
Q

What determines if a dedicated internal SOC is right for an organization?

A

Number of employees and assets to protect.

41
Q

Why might a small organization not need a dedicated security group?

A

Cost-prohibitive due to headcount and hardware requirements.

42
Q

When might a small organization need a dedicated security team?

A

If dealing with regulatory compliance, health, or payment data.

43
Q

What is a common practice for companies with fewer than 1,000 people?

A

Utilize managed security service providers (MSSPs).

44
Q

What is a hybrid SOC model?

A

MSSP handles monitoring, in-house specialists handle incidents.

45
Q

What is a key consideration for organizations with over 10,000 people?

A

Full-fledged SOC with most roles covered in-house.

46
Q

What should you define when planning a SOC?

A

Mission, goals, threats, requirements, constituency, capabilities.

47
Q

What are common high-level goals of a SOC?

A

Situational awareness, monitoring, preventing/minimizing impact.

48
Q

What is the mission of the average security-focused SOC?

A

Maintain situational awareness, monitor events, prevent damage.

49
Q

What should SOCs maintain awareness of?

A

Situational awareness of the threat landscape.

50
Q

What is the key goal of any SOC?

A

Situational awareness of internal and external security environments.

51
Q

What is the “detection” piece of the SOC process?

A

Monitoring network and endpoint events for suspicious activity.

52
Q

What is the ideal role of a SOC in cyber incidents?

A

Preventing or minimizing damage and disruption.

53
Q

What should a SOC do when bad things happen?

A

Run down the ground truth, clean up, and restore order.

54
Q

What is a “mission statement” for a SOC?

A

Output of the phase defining SOC’s goals.

55
Q

What are key questions in threat modeling?

A

What to protect, from whom, likelihood, consequences, and effort.

56
Q

What is the essence of Sun Tzu’s quote in threat modeling?

A

Preparation, understanding the enemy, and resource optimization.

57
Q

What is required for effective defense?

A

Starting with the best possible threat model.

58
Q

What should everyone in a SOC think about daily?

A

Who the enemy is, what they want, and how they’ll get it.

59
Q

What is the entire point of threat intelligence?

A

Developing a strategic and tactical advantage over adversaries.

60
Q

What must SOCs consider in their operations?

A

Compliance frameworks, standards, company policies, service levels.

61
Q

What are common compliance frameworks affecting infosec?

A

GDPR, PCI-DSS, HIPAA, NIST SP 800-171, SOX, GLBA.

62
Q

What does GDPR require?

A

Businesses must protect EU citizen personal data.

63
Q

What is PCI-DSS designed to protect?

A

Credit cardholder data.

64
Q

What does HIPAA regulate?

A

Privacy and security rules for health care information.

65
Q

What does NIST 800-171 recommend?

A

Security requirements for protecting Controlled Unclassified Information (CUI).

66
Q

What are examples of control frameworks?

A

CIS Critical Security Controls, NIST SP 800-53.

67
Q

What are examples of program frameworks?

A

NIST Cyber Security Framework (CSF), ISO/IEC 27001.

68
Q

What are examples of risk frameworks?

A

NIST SP 800-30, SP 800-37, SP 800-39, ISO/IEC 27005.

69
Q

What are the three main types of cybersecurity frameworks?

A

Controls frameworks, program frameworks, and risk assessment frameworks.

70
Q

What is the purpose of controls frameworks?

A

To provide baseline controls to mitigate cyber intrusions.

71
Q

How do controls frameworks help established SOCs?

A

They assess technical capability and prioritize budget use.

72
Q

Name two examples of controls frameworks.

A

CIS Controls and NIST SP 800-53.

73
Q

What are the three implementation groups in the CIS Controls list?

A

Basic cyber hygiene, implementation group one.

74
Q

What is the NIST Cyber Security Framework?

A

A program framework for structuring and operating security programs.

75
Q

What is the purpose of risk frameworks?

A

To provide a standard way of assessing risk.

76
Q

Name one example of a risk framework.

A

NIST SP 800-30 Guide for Conducting Risk Assessments.

77
Q

What is SOC-CMM?

A

A tool for assessing SOC capabilities.

78
Q

What should you do if creating new cybersecurity policies?

A

Leverage pre-made IT policy templates.

79
Q

What is the SOC’s constituency?

A

The set of users, assets, networks, or organizations secured by the SOC.

80
Q

What should be well defined for the SOC?

A

Group scope of protection

81
Q

What should you consider when selecting SOC services?

A

Size and capacity of your team

82
Q

What are small organizations’ SOC services focused on?

A

Monitoring and detection

83
Q

What might large organizations’ SOC services include?

A

Core SOC functions and auxiliary capabilities

84
Q

What is encouraged when choosing SOC services?

A

Not to boil the ocean from the start

85
Q

What is a smart plan for SOC service offerings?

A

Break into phases for rollout

86
Q

What should a SOC charter include?

A

Goals, mission statement, scope, authority

87
Q

Why is the SOC charter important?

A

Authorizes SOC build and operation

88
Q

Who should sign off the SOC charter?

A

Management

89
Q

What is the purpose of the SOC steering committee?

A

Ensure business alignment and correct activities

90
Q

What is the role of the steering committee in SOC planning?

A

Provides two-way communication with business

91
Q

When should steering committee meetings be held?

A

Regularly or with significant changes

92
Q

What is the goal regarding security in new initiatives?

A

Ensure security has a seat at the table

93
Q

What does “shift left” in DevSecOps mean?

A

Add security from the start

94
Q

What is a better approach to cloud security?

A

Notify security before usage

95
Q

What is a good way to ensure security stays aware and represented in initiatives?

A

Constant engagement with IT, Legal, and Finance

96
Q

What is the “10 tight/25 right/100 light” rule for tracking key relationships?

A

10 close, 25 regular, 100 occasional contacts

97
Q

What should you create to list SOC services and major organization/business units?

A

An alignment matrix

98
Q

Why is it important to show up for discussions outside of your immediate responsibilities?

A

To build key relationships

99
Q

What should you do to prepare for meetings and interactions?

A

Prepare for both major meetings and 1-on-1 interactions

100
Q

How can you stay informed about your company’s mission or business?

A

Read 10-K, annual reports, analyst reports, and strategy documents

101
Q

What is the first step in SOC Planning according to the SOC Planning Summary?

A

Define your mission and specific goals

102
Q

What is the purpose of creating an SOC Charter and Mission?

A

To build an organizationally-aligned security team

103
Q

What is the first step in SOC functions?

A

Collection

104
Q

What follows detection in SOC functions?

A

Triage

105
Q

What is the final step in SOC functions?

A

Incident Response

106
Q

What must be done to identified activity?

A

Triage for closer analysis

107
Q

What happens to confirmed malicious activity?

A

Passed to incident response

108
Q

What is required for all SOC steps?

A

Continuous improvement

109
Q

What does “garbage in, garbage out” imply in SOC?

A

Good data is essential

110
Q

What does the SOC take as its main input?

A

Environment data

111
Q

What is considered the second input in SOC?

A

Threat intelligence

112
Q

What is the output of the SOC?

A

Identified, minimized, remediated incidents

113
Q

What does threat intelligence help identify?

A

Potential attacks

114
Q

What must be done to understand SOC in detail?

A

Zoom in on SOC workings

115
Q

What does SOC collect from the environment?

A

Network transactions, file downloads, etc.

116
Q

What is the goal of understanding SOC functions?

A

Clear model of SOC functions

117
Q

What helps understand data flow in SOC?

A

Zooming in on SOC functions

118
Q

What does breaking down SOC help achieve?

A

Common terminology

119
Q

What is necessary for each function in attack identification?

A

Constant stream of feedback

120
Q

What does deconstructing security operations help with?

A

Shows factors required for success

121
Q

What are the core SOC activities?

A

Data Collection, Detection, Triage, Incident Response

122
Q

What are the specialty/auxiliary functions?

A

Threat Intelligence, Forensics, Self-Assessment

123
Q

Who typically performs core SOC activities?

A

SOC engineers, analysts, incident responders

124
Q

What is the role of threat intelligence in SOC?

A

Improves attack detection

125
Q

What does forensics support in SOC?

A

Incident Response (IR)

126
Q

What is the purpose of self-assessment in SOC?

A

Feedback on SOC performance

127
Q

What does the self-assessment function include?

A

Vulnerability assessments, penetration testing, Red Teaming

128
Q

What drives the detection capability in SOC?

A

Threat intelligence

129
Q

What happens to detected items in SOC?

A

Passed to triage and investigation

130
Q

What assists incident response in SOC?

A

Specialty forensics

131
Q

What is the output of incident response?

A

Remediated or prevented issues

132
Q

What is the first step in the SOC process?

A

Collection

133
Q

What is the output of the collection step in SOC?

A

Events (logs, network traffic, metadata)

134
Q

Where is data turned into events typically generated?

A

On an endpoint device or from network traffic.

135
Q

How is data centrally collected for SIEM indexing?

A

Via an endpoint agent or sensor.

136
Q

What is analyzed against detection rules in SIEM?

A

Output events (logs and traffic metadata).

137
Q

What is the goal of the data collection stage?

A

Thorough collection of all security relevant data.

138
Q

Who determines the type of data you can record?

A

Data, infrastructure, or endpoint engineers.

139
Q

What determines the Windows logs that are generated?

A

Audit policy set in Windows Group Policy Objects.

140
Q

What requires cooperation with the network operations team?

A

Network taps.

141
Q

What informs the specific data to be collected?

A

Threat intelligence function.

142
Q

What is required for a thorough collection strategy in most SOCs?

A

Cooperation across multiple teams and budget.

143
Q

What are the inputs and outputs of the detection stage?

A

Input: Events + threat intel, Output: Alerts.

144
Q

Who is responsible for detection in SOCs?

A

Detection/Content Engineering, SOC Analysts, Threat Hunters.

145
Q

How are potential attacks identified from collected data?

A

Automated analytics engines or manual threat hunting.

146
Q

Who typically creates analytics or correlation rules in larger organizations?

A

A dedicated detection engineering team.

147
Q

What is the goal of the detection stage?

A

Find malicious activity and alert with minimal false positives.

148
Q

What correlates with SOC effectiveness in detection?

A

Quality of tools and threat hunting capabilities.

149
Q

What does successful detection rely on?

A

Data availability from the collection stage.

150
Q

What are the inputs and outputs of the triage stage?

A

Input: Alerts, Output: Ranked alerts.

151
Q

What is the goal of the triage stage?

A

Identify and manage the most important alerts.

152
Q

What factors influence triage decisions?

A

Attack progression, system criticality, account privilege.

153
Q

What knowledge helps analysts in triage?

A

Lockheed Martin Cyber Kill Chain, MITRE ATT&CK framework.

154
Q

What is the goal of the investigation stage?

A

Accurate verification of alerts as true or false positives.

155
Q

What should analysts do when false positives occur?

A

Feed information back to the detection engineering team.

156
Q

How should analysts perform the investigation stage?

A

In a rigorous way, free of cognitive bias.

157
Q

What is the main trap new analysts fall into?

A

Confirmation bias

158
Q

What mistake do many analysts make when matching alerts?

A

Gather data to confirm their belief

159
Q

Why is matching alerts to beliefs the wrong approach?

A

Ignores other possible scenarios

160
Q

How should analysts verify a theory?

A

Attempt to disprove it

161
Q

What improves with thorough training and experience?

A

Verification of theories

162
Q

What should analysts do after completing an investigation?

A

Spin up incident response

163
Q

Who handles incident response in large organizations?

A

Separate team

164
Q

Who handles incident response in smaller organizations?

A

Analysts

165
Q

What is the goal of incident response?

A

Fast, complete remediation and recovery

166
Q

What tools help analysts quickly query events?

A

EDR and centralized SIEM logging

167
Q

What are the outputs of incident response?

A

Remediation and lessons learned

168
Q

Why is feedback crucial in incident response?

A

Prevents similar incidents

169
Q

What does tracking details over the long term provide?

A

Tactical and strategic advantage

170
Q

What is the final piece of the SOC process puzzle?

A

Continuous improvement

171
Q

What does conceptual feedback do?

A

Modifies input based on output

172
Q

What helps understand the health of the SOC process?

A

Metrics

173
Q

How should SOC functions be thought of?

A

Like steps in a manufacturing line

174
Q

What is the goal of useful metrics collection?

A

Optimize each function individually

175
Q

What are the core SOC activities?

A

Collection, detection, triage, investigation, incident response

176
Q

What do metrics provide in the SOC process?

A

Feedback for continuous improvement

177
Q

What is the importance of high-quality inputs in SOC operations?

A

High-quality inputs optimize SOC process outputs.

178
Q

What will be discussed in detail through the rest of the course?

A

Components of SOC functions and their KPIs.

179
Q

What are the key focuses of team creation in SOC?

A

Org charts, tiered vs. tierless, hiring, training.

180
Q

What should you consider when creating a SOC org chart?

A

Quick communication, manageable team size, mission effectiveness.

181
Q

What are the core functions of a SOC?

A

Detection, Incident Response, Support.

182
Q

What is the role of the IR group in organizations?

A

Clean separation of duties.

183
Q

What does the IR group typically include?

A

Analysts, forensics capacity.

184
Q

What functions support the SOC?

A

Architects, system administrators, engineers.

185
Q

Who may handle new analytic writing in some SOCs?

A

Analysts.

186
Q

What is the mission of the assessment team?

A

Ensure company is secured from cyber attacks.

187
Q

What is the goal of the threat intel team?

A

Support SOC activities.

188
Q

Why should the incident response and threat intel teams be under shared management?

A

Maximize communication and collaboration.

189
Q

What are the core SOC activities?

A

Detection, triage, analysis, IR.

190
Q

What might organizations need as they grow?

A

More subgroups or layers of management.

191
Q

Why might forensics be separate from the SOC?

A

Specialized knowledge different from analysts.

192
Q

What other groups might utilize forensic experts?

A

Internal corporate investigations, insider threats.

193
Q

Why keep lines of communication open between SOC and other teams?

A

Compensate for management separation.

194
Q

What is the traditional tiered analyst model?

A

Tier 1 triages alerts, escalates complex issues.

195
Q

What happens to alerts that analysts cannot determine or require complex solutions?

A

Get escalated to Tier 2

196
Q

Who handles alerts that Tier 2 cannot resolve?

A

Tier 3

197
Q

What is the job breakdown of Tier 1-3 dependent on?

A

The organization

198
Q

What do SOCs with dedicated incident response teams use tiers for?

A

Increasing difficulty of triage and investigation

199
Q

What tasks are typically assigned to Tier 1 in SOCs without incident response groups?

A

Triage and alert investigation/validation

200
Q

What tasks are typically assigned to Tier 2 in SOCs without incident response groups?

A

Incident response

201
Q

What tasks are typically assigned to Tier 3 in SOCs without incident response groups?

A

Hunting, malware reversing, specialty tasks

202
Q

What should you consider when going with a tiered model for your SOC?

A

What’s most important to you and SOC structure

203
Q

How do analysts in tierless SOCs handle alerts?

A

All levels triage and investigate alerts

204
Q

What is a key characteristic of the analysis function in tierless SOCs?

A

Much flatter

205
Q

What is a downside of tiered SOCs for analysts?

A

Limits analyst growth

206
Q

What is a pro of tierless SOCs for analysts?

A

Uncapped analyst talent growth

207
Q

What is a con of tierless SOCs?

A

Less defined process

208
Q

What can cause analysts in tiered SOCs to lose enthusiasm?

A

Narrow track of repetitive tasks

209
Q

What might analysts do if they can’t quickly move to the next tier?

A

Look for another job

210
Q

Why might MSSPs prefer tiered SOCs?

A

Customers expect best practice

211
Q

What are some benefits of a tierless model for internal SOCs?

A

Long-term retention, analyst growth

212
Q

What should you consider when choosing between tiered and tierless models?

A

Defined process importance, analyst number, budget

213
Q

How many people are needed for a single 24x7x365 seat?

A

Five people

214
Q

What is a benefit of a 9x5 SOC with on-call positions?

A

Lower costs, less disruption

215
Q

What can MSSPs provide for off-hours coverage?

A

If budget allows

216
Q

What is the minimum number of people needed for a 24/7 shift configuration?

A

10-12 people

217
Q

Why are 12-hour shifts not recommended?

A

Burnout, efficiency drop, personal life balance

218
Q

What are common shift durations for continuous coverage?

A

12-hour, 10-hour, 8-hour shifts

219
Q

What is a “follow-the-sun” coverage model?

A

Teams in multiple time zones cover 24/7

220
Q

What percentage of SOCs operate 24/7 according to the survey?

A

80%

221
Q

What are some alternative shift configurations mentioned?

A

9/80, 10/40, 12-hour shifts

222
Q

What should be included in an MSSP service contract?

A

Scope, alert validation, escalation plans

223
Q

What are three key questions for MSSP SLAs?

A

Value measurement, breach response, service continuity

224
Q

What is a critical part of MSSP onboarding?

A

Technology deployment, credential sharing, knowledge transfer

225
Q

What should technology deployment be treated as?

A

Its own major project or basic installation

226
Q

How should vendor-provided hardware and software be treated?

A

Subject to vulnerability assessment and updates

227
Q

What does credential sharing involve?

A

Creating domain accounts or establishing VPN connections

228
Q

What increases your attack surface in supply chain risk management?

A

Establishing trust relationships with vendors

229
Q

What has been a common initial access point for data breaches?

A

Trusted connections

230
Q

What should an analyst consider to validate alerts and investigate anomalies?

A

Network diagrams, asset lists, IP ranges

231
Q

What should you develop with your MSS for better incident management?

A

A communications plan

232
Q

How long does an escalation plan usually need to work out bugs?

A

Thirty to sixty days

233
Q

What do MSS relationships require for success?

A

Active engagement and ongoing management

234
Q

Why might SOC teams be unhappy with their MSSPs?

A

Little to no value from the service

235
Q

What is crucial for hiring the best candidates?

A

A solid recruiting effort

236
Q

What can steer interviews in the wrong direction?

A

Poorly performed interviews

237
Q

Where should you not only advertise your SOC jobs?

A

On your organization’s website

238
Q

Where can you meet potential infosec recruits in person?

A

Infosec conferences and local groups

239
Q

What type of attitude are you looking for in recruits?

A

Willing to learn more about infosec

240
Q

What can you do with ungraduated candidates from college clubs?

A

Pre-select them as interns

241
Q

Where do infosec enthusiasts commonly hang out online?

A

Forums, email lists, Slack, Discord

242
Q

Where can you find potential recruits during online CTFs?

A

RPG video game style boards