MODULE 2 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards
The Modern Security Operations Center
Elements of a SOC Defending against today’s threats requires a formalized, structured, and disciplined approach.
Organizations typically use the services of professionals in a Security Operations Center (SOC). SOCs provide a broad range of services, from monitoring and management, to comprehensive threat solutions and hosted security that can be customized to meet customer needs.
SOCs can be wholly in-house, owned and operated by a business, or elements of a SOC can be contracted out to security vendors, such as Cisco’s Managed Security Services. As illustrated in the figure, the major elements of a SOC, are people, processes, and technologies.
https://snipboard.io/n9l7Yd.jpg
People in the SOC :
Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
First tier jobs are more entry level, while third tier jobs require extensive expertise.
– Tier 1 Alert Analyst
– Tier 2 Incident Responder
– Tier 3 Threat Hunter
– SOC Manager
People in the SOC : Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
First tier jobs are more entry level, while third tier jobs require extensive expertise.
– Tier 1 Alert Analyst
– Tier 2 Incident Responder
– Tier 3 Threat Hunter
– SOC Manager
Tier 1 Alert Analyst :
These professionals monitor incoming alerts, verify that a true incident has occurred, and forward tickets to Tier 2, if necessary.
People in the SOC :
Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
First tier jobs are more entry level, while third tier jobs require extensive expertise.
– Tier 1 Alert Analyst
– Tier 2 Incident Responder
– Tier 3 Threat Hunter
– SOC Manager
Tier 2 Incident Responder :
These professionals are responsible for deep investigation of incidents and advise remediation or action to be taken.
People in the SOC : Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
First tier jobs are more entry level, while third tier jobs require extensive expertise.
– Tier 1 Alert Analyst
– Tier 2 Incident Responder
– Tier 3 Threat Hunter
– SOC Manager
Tier 3 Threat Hunter :
These professionals have expert-level skill in network, endpoint, threat intelligence, and malware reverse engineering. They are experts at tracing the processes of the malware to determine its impact and how it can be removed.
They are also deeply involved in hunting for potential threats and implementing threat detection tools.
Threat hunters search for cyber threats that are present in the network but have not yet been detected.
People in the SOC : Job roles in a SOC are rapidly evolving.
Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
First tier jobs are more entry level, while third tier jobs require extensive expertise.
– Tier 1 Alert Analyst
– Tier 2 Incident Responder
– Tier 3 Threat Hunter
– SOC Manager
SOC Manager :
This professional manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.
This course offers preparation for a certification suitable for the position of Tier 1 Alert Analyst, also known as Cybersecurity Analyst or CyberOps Associate.
The figure, which is originally from the SANS Institute, graphically represents how these roles interact with each other.
https://snipboard.io/035Sfj.jpg
This course offers preparation for a certification suitable for the position of Tier 1 Alert Analyst, also known as Cybersecurity Analyst or CyberOps Associate.
The figure, which is originally from the SANS Institute, graphically represents how these roles interact with each other.
https://snipboard.io/035Sfj.jpg
Process in the SOC The day of a Cybersecurity Analyst typically begins with monitoring security alert queues.
A ticketing system is frequently used to assign alerts to a queue for an analyst to investigate.
Because the software that generates alerts can trigger false alarms, one job of the Cybersecurity Analyst might be to verify that an alert represents a true security incident.
When verification is established, the incident can be forwarded to investigators or other security personnel to be acted upon. Otherwise, the alert may be dismissed as a false alarm.
If a ticket cannot be resolved, the Cybersecurity Analyst will forward the ticket to a Tier 2 Incident Responder for deeper investigation and remediation.
If the Incident Responder cannot resolve the ticket, it will be forwarded it to Tier 3 personnel with in-depth knowledge and threat hunting skills.
https://snipboard.io/6MpfRx.jpg
Technologies in the SOC: SIEM As shown in the figure, a SOC needs a security information and event management system (SIEM), or its equivalent.
SIEM makes sense of all the data that firewalls, network appliances, intrusion detection systems, and other devices generate.
SIEM systems are used for collecting and filtering data, detecting and classifying threats, and analyzing and investigating threats.
SIEM systems may also and manage resources to implement preventive measures and address future threats.
SOC technologies include one or more of the following:
Event collection,
correlation, and analysis
Security monitoring
Security control
Log management
Vulnerability assessment
Vulnerability tracking
Threat intelligence
https://snipboard.io/q0mNOV.jpg
Technologies in the SOC: SOAR SIEM and security orchestration, automation and response (SOAR) are often paired together as they have capabilities that complement each other.
Large security operations (SecOps) teams use both technologies to optimize their SOC.
It is estimated that 15% of organizations with a security team of larger than five people will utilize SOAR by the end of 2020.
SOAR platforms are similar to SIEMs in that they aggregate, correlate, and analyze alerts.
However, SOAR technology goes a step further by integrating threat intelligence and automating incident investigation and response workflows based on playbooks developed by the security team.
https://snipboard.io/uQ5nCh.jpg
SOAR security platforms: Gather alarm data from each component of the system. Provide tools that enable cases to be researched, assessed, and investigated.
Emphasize integration as a means of automating complex incident response workflows that enable more rapid response and adaptive defense strategies.
Include pre-defined playbooks that enable automatic response to specific threats.
Playbooks can be initiated automatically based on predefined rules or may be triggered by security personnel.
SOAR emphasizes integration tools and automation of SOC workflows. It orchestrates many manual processes such as investigation of security alerts only requiring human intervention when necessary.
This frees security personnel to address more pressing matters and high-end investigation and threat remediation. The future adoption of sophisticated SOAR platforms will remake SOC operations and job roles.
SOAR emphasizes integration tools and automation of SOC workflows.
It orchestrates many manual processes such as investigation of security alerts only requiring human intervention when necessary.
This frees security personnel to address more pressing matters and high-end investigation and threat remediation.
The future adoption of sophisticated SOAR platforms will remake SOC operations and job roles.
SIEM systems necessarily produce more alerts than most SecOps teams can realistically investigate in order to conservatively capture as many potential exploits as possible.
SOAR will process many of these alerts automatically and will enable security personnel to focus on more complex and potentially damaging exploits.
SOC Metrics A SOC is critically important to the security of an organization.
Whether the SOC is internal to an organization, or providing services to multiple organizations, it is important to understand how well the SOC is functioning in order so that improvements can be made to the people, processes, and technologies that comprise the SOC.
Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.
Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:
– Dwell Time
– Mean Time to Detect (MTTD)
– Mean Time to Respond (MTTR)
– Mean Time to Contain (MTTC)
– Time to Control
Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.
Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:
– Dwell Time
– Mean Time to Detect (MTTD)
– Mean Time to Respond (MTTR)
– Mean Time to Contain (MTTC)
– Time to Control
Dwell Time :
The length of time that threat actors have access to a network before they are detected, and their access is stopped.
Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.
Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:
– Dwell Time
– Mean Time to Detect (MTTD)
– Mean Time to Respond (MTTR)
– Mean Time to Contain (MTTC)
– Time to Control
Mean Time to Detect (MTTD) :
The average time that it takes for the SOC personnel to identify valid security incidents have occurred in the network.
Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.
Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:
– Dwell Time
– Mean Time to Detect (MTTD)
– Mean Time to Respond (MTTR)
– Mean Time to Contain (MTTC)
– Time to Control
Mean Time to Respond (MTTR) :
the average time that it takes to stop and remediate a security incident.
Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.
Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:
– Dwell Time
– Mean Time to Detect (MTTD)
– Mean Time to Respond (MTTR)
– Mean Time to Contain (MTTC)
– Time to Control
Mean Time to Contain (MTTC) :
The time required to stop the incident from causing further damage to systems or data.
Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.
Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:
– Dwell Time
– Mean Time to Detect (MTTD)
– Mean Time to Respond (MTTR)
– Mean Time to Contain (MTTC)
– Time to Control
Time to Control :
The time required to stop the spread of malware in the network.
Enterprise and Managed Security
For medium and large networks, the organization will benefit from implementing an enterprise-level SOC.
The SOC can be a complete in-house solution.
However, many larger organizations will outsource at least part of the SOC operations to a security solutions provider.
Cisco has a team of experts who help ensure timely and accurate incident resolution. Cisco offers a wide range of incident response, preparedness, and management capabilities including:
Cisco Smart Net Total Care Service for Rapid Problem Resolution
Cisco Product Security Incident Response Team (PSIRT)
Cisco Computer Security Incident Response Team (CSIRT)
Cisco Managed Services Cisco Tactical Operations (TacOps)
Cisco’s Safety and Physical Security Program
Security vs. Availability
Most enterprise networks must be up and running at all times.
Security personnel understand that for the organization to accomplish its priorities, network availability must be preserved.
Each business or industry has a limited tolerance for network downtime. That tolerance is usually based upon a comparison of the cost of the downtime in relation to the cost of ensuring against downtime.
For example, in a small retail business with only one location, it may be tolerable to have a router as a single point of failure.
However, if a large portion of that business’s sales are from online shoppers, then the owner may decide to provide a level of redundancy to ensure that a connection is always available.
Each business or industry has a limited tolerance for network downtime. That tolerance is usually based upon a comparison of the cost of the downtime in relation to the cost of ensuring against downtime.
For example, in a small retail business with only one location, it may be tolerable to have a router as a single point of failure.
However, if a large portion of that business’s sales are from online shoppers, then the owner may decide to provide a level of redundancy to ensure that a connection is always available.
Preferred uptime is often measured in the number of down minutes in a year, as shown in the table. For example, a “five nines” uptime means that the network is up 99.999% of the time or down for no more than 5 minutes a year. “Four nines” would be a downtime of 53 minutes a year.
https://snipboard.io/AS642b.jpg
However, security cannot be so strong that it interferes with the needs of employees or business functions.
It is always a tradeoff between strong security and permitting efficient business functioning.
Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.
– Cisco Certified CyberOps Associate
– CompTIA Cybersecurity Analyst Certification
– (ISC)² Information Security Certifications
– Global Information Assurance Certification (GIAC)
– Other Security-Related Certifications
Cisco Certified CyberOps Associate :
The Cisco Certified CyberOps Associate certification provides a valuable first step in acquiring the knowledge and skills needed to work with a SOC team.
It can be a valuable part of a career in the exciting and growing field of cybersecurity operations.
Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.
– Cisco Certified CyberOps Associate
– CompTIA Cybersecurity Analyst Certification
– (ISC)² Information Security Certifications
– Global Information Assurance Certification (GIAC)
– Other Security-Related Certifications
CompTIA Cybersecurity Analyst Certification :
The CompTIA Cybersecurity Analyst (CySA+) certification is a vendor-neutral IT professional certification.
It validates knowledge and skills required to configure and use threat detection tools, perform data analysis, interpret the results to identify vulnerabilities, threats and risks to an organization.
The end goal is the ability to secure and protect applications and systems within an organization.
Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.
– Cisco Certified CyberOps Associate
– CompTIA Cybersecurity Analyst Certification
– (ISC)² Information Security Certifications
– Global Information Assurance Certification (GIAC)
– Other Security-Related Certifications
(ISC)² Information Security Certifications :
(ISC)² is an international non-profit organization that offers the highly-acclaimed CISSP certification.
They offer a range of other certifications for various specialties in cybersecurity.
Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.
– Cisco Certified CyberOps Associate
– CompTIA Cybersecurity Analyst Certification
– (ISC)² Information Security Certifications
– Global Information Assurance Certification (GIAC)
– Other Security-Related Certifications
Global Information Assurance Certification (GIAC) :
GIAC, which was founded in 1999, is one of the oldest security certification organizations.
It offers a wide range of certifications in seven categories.
