MODULE 2 - CERTIFICATION CYBER OPS ASSOCIATE

Question 1

The Modern Security Operations Center

Elements of a SOC Defending against today’s threats requires a formalized, structured, and disciplined approach.

Organizations typically use the services of professionals in a Security Operations Center (SOC). SOCs provide a broad range of services, from monitoring and management, to comprehensive threat solutions and hosted security that can be customized to meet customer needs.

SOCs can be wholly in-house, owned and operated by a business, or elements of a SOC can be contracted out to security vendors, such as Cisco’s Managed Security Services. As illustrated in the figure, the major elements of a SOC, are people, processes, and technologies.

https://snipboard.io/n9l7Yd.jpg

Answer 1

People in the SOC :

Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.

First tier jobs are more entry level, while third tier jobs require extensive expertise.

– Tier 1 Alert Analyst

– Tier 2 Incident Responder

– Tier 3 Threat Hunter

– SOC Manager

Question 2

People in the SOC : Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.

First tier jobs are more entry level, while third tier jobs require extensive expertise.

– Tier 1 Alert Analyst

– Tier 2 Incident Responder

– Tier 3 Threat Hunter

– SOC Manager

Answer 2

Tier 1 Alert Analyst :

These professionals monitor incoming alerts, verify that a true incident has occurred, and forward tickets to Tier 2, if necessary.

Question 3

People in the SOC :

Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.

First tier jobs are more entry level, while third tier jobs require extensive expertise.

– Tier 1 Alert Analyst

– Tier 2 Incident Responder

– Tier 3 Threat Hunter

– SOC Manager

Answer 3

Tier 2 Incident Responder :

These professionals are responsible for deep investigation of incidents and advise remediation or action to be taken.

Question 4

People in the SOC : Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.

First tier jobs are more entry level, while third tier jobs require extensive expertise.

– Tier 1 Alert Analyst

– Tier 2 Incident Responder

– Tier 3 Threat Hunter

– SOC Manager

Answer 4

Tier 3 Threat Hunter :

These professionals have expert-level skill in network, endpoint, threat intelligence, and malware reverse engineering. They are experts at tracing the processes of the malware to determine its impact and how it can be removed.

They are also deeply involved in hunting for potential threats and implementing threat detection tools.

Threat hunters search for cyber threats that are present in the network but have not yet been detected.

Question 5

People in the SOC : Job roles in a SOC are rapidly evolving.

Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.

First tier jobs are more entry level, while third tier jobs require extensive expertise.

– Tier 1 Alert Analyst

– Tier 2 Incident Responder

– Tier 3 Threat Hunter

– SOC Manager

Answer 5

SOC Manager :

This professional manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.

Question 6

This course offers preparation for a certification suitable for the position of Tier 1 Alert Analyst, also known as Cybersecurity Analyst or CyberOps Associate.

The figure, which is originally from the SANS Institute, graphically represents how these roles interact with each other.

https://snipboard.io/035Sfj.jpg

Answer 6

This course offers preparation for a certification suitable for the position of Tier 1 Alert Analyst, also known as Cybersecurity Analyst or CyberOps Associate.

The figure, which is originally from the SANS Institute, graphically represents how these roles interact with each other.

https://snipboard.io/035Sfj.jpg

Question 7

Process in the SOC The day of a Cybersecurity Analyst typically begins with monitoring security alert queues.

A ticketing system is frequently used to assign alerts to a queue for an analyst to investigate.

Because the software that generates alerts can trigger false alarms, one job of the Cybersecurity Analyst might be to verify that an alert represents a true security incident.

When verification is established, the incident can be forwarded to investigators or other security personnel to be acted upon. Otherwise, the alert may be dismissed as a false alarm.

Answer 7

If a ticket cannot be resolved, the Cybersecurity Analyst will forward the ticket to a Tier 2 Incident Responder for deeper investigation and remediation.

If the Incident Responder cannot resolve the ticket, it will be forwarded it to Tier 3 personnel with in-depth knowledge and threat hunting skills.

https://snipboard.io/6MpfRx.jpg

Question 8

Technologies in the SOC: SIEM As shown in the figure, a SOC needs a security information and event management system (SIEM), or its equivalent.

SIEM makes sense of all the data that firewalls, network appliances, intrusion detection systems, and other devices generate.

SIEM systems are used for collecting and filtering data, detecting and classifying threats, and analyzing and investigating threats.

SIEM systems may also and manage resources to implement preventive measures and address future threats.

Answer 8

SOC technologies include one or more of the following:

Event collection,

correlation, and analysis

Security monitoring

Security control

Log management

Vulnerability assessment

Vulnerability tracking

Threat intelligence

https://snipboard.io/q0mNOV.jpg

Question 9

Technologies in the SOC: SOAR SIEM and security orchestration, automation and response (SOAR) are often paired together as they have capabilities that complement each other.

Large security operations (SecOps) teams use both technologies to optimize their SOC.

It is estimated that 15% of organizations with a security team of larger than five people will utilize SOAR by the end of 2020.

Answer 9

SOAR platforms are similar to SIEMs in that they aggregate, correlate, and analyze alerts.

However, SOAR technology goes a step further by integrating threat intelligence and automating incident investigation and response workflows based on playbooks developed by the security team.

https://snipboard.io/uQ5nCh.jpg

Question 10

SOAR security platforms: Gather alarm data from each component of the system. Provide tools that enable cases to be researched, assessed, and investigated.

Emphasize integration as a means of automating complex incident response workflows that enable more rapid response and adaptive defense strategies.

Include pre-defined playbooks that enable automatic response to specific threats.

Playbooks can be initiated automatically based on predefined rules or may be triggered by security personnel.

Answer 10

SOAR emphasizes integration tools and automation of SOC workflows. It orchestrates many manual processes such as investigation of security alerts only requiring human intervention when necessary.

This frees security personnel to address more pressing matters and high-end investigation and threat remediation. The future adoption of sophisticated SOAR platforms will remake SOC operations and job roles.

Question 11

SOAR emphasizes integration tools and automation of SOC workflows.

It orchestrates many manual processes such as investigation of security alerts only requiring human intervention when necessary.

This frees security personnel to address more pressing matters and high-end investigation and threat remediation.

The future adoption of sophisticated SOAR platforms will remake SOC operations and job roles.

Answer 11

SIEM systems necessarily produce more alerts than most SecOps teams can realistically investigate in order to conservatively capture as many potential exploits as possible.

SOAR will process many of these alerts automatically and will enable security personnel to focus on more complex and potentially damaging exploits.

Question 12

SOC Metrics A SOC is critically important to the security of an organization.

Whether the SOC is internal to an organization, or providing services to multiple organizations, it is important to understand how well the SOC is functioning in order so that improvements can be made to the people, processes, and technologies that comprise the SOC.

Answer 12

Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

Question 13

Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

Answer 13

Dwell Time :

The length of time that threat actors have access to a network before they are detected, and their access is stopped.

Question 14

Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

Answer 14

Mean Time to Detect (MTTD) :

The average time that it takes for the SOC personnel to identify valid security incidents have occurred in the network.

Question 15

Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

Answer 15

Mean Time to Respond (MTTR) :

the average time that it takes to stop and remediate a security incident.

Question 16

Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

Answer 16

Mean Time to Contain (MTTC) :

The time required to stop the incident from causing further damage to systems or data.

Question 17

Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

Answer 17

Time to Control :

The time required to stop the spread of malware in the network.

Question 18

Enterprise and Managed Security

For medium and large networks, the organization will benefit from implementing an enterprise-level SOC.

The SOC can be a complete in-house solution.

However, many larger organizations will outsource at least part of the SOC operations to a security solutions provider.

Answer 18

Cisco has a team of experts who help ensure timely and accurate incident resolution. Cisco offers a wide range of incident response, preparedness, and management capabilities including:

Cisco Smart Net Total Care Service for Rapid Problem Resolution

Cisco Product Security Incident Response Team (PSIRT)

Cisco Computer Security Incident Response Team (CSIRT)

Cisco Managed Services Cisco Tactical Operations (TacOps)

Cisco’s Safety and Physical Security Program

Question 19

Security vs. Availability

Most enterprise networks must be up and running at all times.

Security personnel understand that for the organization to accomplish its priorities, network availability must be preserved.

Answer 19

Each business or industry has a limited tolerance for network downtime. That tolerance is usually based upon a comparison of the cost of the downtime in relation to the cost of ensuring against downtime.

For example, in a small retail business with only one location, it may be tolerable to have a router as a single point of failure.

However, if a large portion of that business’s sales are from online shoppers, then the owner may decide to provide a level of redundancy to ensure that a connection is always available.

Question 20

Each business or industry has a limited tolerance for network downtime. That tolerance is usually based upon a comparison of the cost of the downtime in relation to the cost of ensuring against downtime.

For example, in a small retail business with only one location, it may be tolerable to have a router as a single point of failure.

However, if a large portion of that business’s sales are from online shoppers, then the owner may decide to provide a level of redundancy to ensure that a connection is always available.

Answer 20

Preferred uptime is often measured in the number of down minutes in a year, as shown in the table. For example, a “five nines” uptime means that the network is up 99.999% of the time or down for no more than 5 minutes a year. “Four nines” would be a downtime of 53 minutes a year.

https://snipboard.io/AS642b.jpg

However, security cannot be so strong that it interferes with the needs of employees or business functions.

It is always a tradeoff between strong security and permitting efficient business functioning.

Question 21

Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.

– Cisco Certified CyberOps Associate

– CompTIA Cybersecurity Analyst Certification

– (ISC)² Information Security Certifications

– Global Information Assurance Certification (GIAC)

– Other Security-Related Certifications

Answer 21

Cisco Certified CyberOps Associate :

The Cisco Certified CyberOps Associate certification provides a valuable first step in acquiring the knowledge and skills needed to work with a SOC team.

It can be a valuable part of a career in the exciting and growing field of cybersecurity operations.

Question 22

Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.

– Cisco Certified CyberOps Associate

– CompTIA Cybersecurity Analyst Certification

– (ISC)² Information Security Certifications

– Global Information Assurance Certification (GIAC)

– Other Security-Related Certifications

Answer 22

CompTIA Cybersecurity Analyst Certification :

The CompTIA Cybersecurity Analyst (CySA+) certification is a vendor-neutral IT professional certification.

It validates knowledge and skills required to configure and use threat detection tools, perform data analysis, interpret the results to identify vulnerabilities, threats and risks to an organization.

The end goal is the ability to secure and protect applications and systems within an organization.

Question 23

Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.

– Cisco Certified CyberOps Associate

– CompTIA Cybersecurity Analyst Certification

– (ISC)² Information Security Certifications

– Global Information Assurance Certification (GIAC)

– Other Security-Related Certifications

Answer 23

(ISC)² Information Security Certifications :

(ISC)² is an international non-profit organization that offers the highly-acclaimed CISSP certification.

They offer a range of other certifications for various specialties in cybersecurity.

Question 24

Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.

– Cisco Certified CyberOps Associate

– CompTIA Cybersecurity Analyst Certification

– (ISC)² Information Security Certifications

– Global Information Assurance Certification (GIAC)

– Other Security-Related Certifications

Answer 24

Global Information Assurance Certification (GIAC) :

GIAC, which was founded in 1999, is one of the oldest security certification organizations.

It offers a wide range of certifications in seven categories.

Question 25

Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.

– Cisco Certified CyberOps Associate

– CompTIA Cybersecurity Analyst Certification

– (ISC)² Information Security Certifications

– Global Information Assurance Certification (GIAC)

– Other Security-Related Certifications

Answer 25

Other Security-

Related Certifications Search for “cybersecurity certifications” on the internet to find information about other vendor and vendor-neutral certifications.

Question 26

Further Education Degrees Anyone considering a career in the cybersecurity field, should seriously consider pursuing a technical degree or bachelor’s degree in computer science, electrical engineering, information technology, or information security.

Many educational institutions offer security-related specialized tracks and certifications. Python Programming Computer programming is an essential skill for anyone who wishes to pursue a career in cybersecurity.

If you have never learned how to program, then Python might be the first language to learn. Python is an open-source, object-oriented language that is routinely used by cybersecurity analysts. It is also a popular programming language for Linux-based systems and software-defined networking (SDN).

Answer 26

Linux Skills Linux is widely used in SOCs and other networking and security environments.

Linux skills are a valuable addition to your skillset as you work to develop a career in cybersecurity.

Question 27

Sources of Career Information : A variety of websites and mobile applications advertise information technology jobs. Each site targets a variety of job applicants and provides different tools for candidates to research their ideal job position. Many sites are job site aggregators. Job site aggregators gather listings from other job boards and company career sites and display them in a single location.

Indeed.com Advertised as the world’s #1 job site, Indeed.com attracts over 180 million unique visitors every month from over 50 different countries. Indeed.com is truly a worldwide job site. It helps companies of all sizes hire the best talent and offers the best opportunity for job seekers.

Answer 27

CareerBuilder.com CareerBuilder serves many large and prestigious companies. As a result, this site attracts specific candidates that typically have more education and higher credentials.

The employers posting on CareerBuilder commonly get more candidates with college degrees, advanced credentials, and industry certifications. USAJobs.gov The United States federal government posts any openings on the USAJobs website.

Question 28

Glassdoor The website glassdoor.com provides salary information for different job types, companies, and locations. Search for “cyber security analyst” to see salaries and requirements for current job openings.

LinkedIn

LinkedIn is a professional network of more the 630 million users in more than 150 countries with the mission of helping people be more productive and successful. LinkedIn is also a great source for career information and job opportunities.

Answer 28

Getting Experience Internships Internships are an excellent method for entering the cybersecurity field. Sometimes, internships turn into an offer of full time employment. However, even a temporary internship allows you the opportunity to gain experience in the inner workings of a cybersecurity organization.

The contacts you make during an internship can also prove to be a valuable resource as you continue your career. Search the internet for the best websites to locate network security internships. Scholarships and Awards To help close the security skills gap, organizations like Cisco and INFOSEC have introduced scholarship and awards programs that provide money to students who meet qualification requirements. Search the internet to discover opportunities that are currently offered.