MODULE 2 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards
The Modern Security Operations Center
Elements of a SOC Defending against today’s threats requires a formalized, structured, and disciplined approach.
Organizations typically use the services of professionals in a Security Operations Center (SOC). SOCs provide a broad range of services, from monitoring and management, to comprehensive threat solutions and hosted security that can be customized to meet customer needs.
SOCs can be wholly in-house, owned and operated by a business, or elements of a SOC can be contracted out to security vendors, such as Cisco’s Managed Security Services. As illustrated in the figure, the major elements of a SOC, are people, processes, and technologies.
https://snipboard.io/n9l7Yd.jpg
People in the SOC :
Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
First tier jobs are more entry level, while third tier jobs require extensive expertise.
– Tier 1 Alert Analyst
– Tier 2 Incident Responder
– Tier 3 Threat Hunter
– SOC Manager
People in the SOC : Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
First tier jobs are more entry level, while third tier jobs require extensive expertise.
– Tier 1 Alert Analyst
– Tier 2 Incident Responder
– Tier 3 Threat Hunter
– SOC Manager
Tier 1 Alert Analyst :
These professionals monitor incoming alerts, verify that a true incident has occurred, and forward tickets to Tier 2, if necessary.
People in the SOC :
Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
First tier jobs are more entry level, while third tier jobs require extensive expertise.
– Tier 1 Alert Analyst
– Tier 2 Incident Responder
– Tier 3 Threat Hunter
– SOC Manager
Tier 2 Incident Responder :
These professionals are responsible for deep investigation of incidents and advise remediation or action to be taken.
People in the SOC : Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
First tier jobs are more entry level, while third tier jobs require extensive expertise.
– Tier 1 Alert Analyst
– Tier 2 Incident Responder
– Tier 3 Threat Hunter
– SOC Manager
Tier 3 Threat Hunter :
These professionals have expert-level skill in network, endpoint, threat intelligence, and malware reverse engineering. They are experts at tracing the processes of the malware to determine its impact and how it can be removed.
They are also deeply involved in hunting for potential threats and implementing threat detection tools.
Threat hunters search for cyber threats that are present in the network but have not yet been detected.
People in the SOC : Job roles in a SOC are rapidly evolving.
Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.
First tier jobs are more entry level, while third tier jobs require extensive expertise.
– Tier 1 Alert Analyst
– Tier 2 Incident Responder
– Tier 3 Threat Hunter
– SOC Manager
SOC Manager :
This professional manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.
This course offers preparation for a certification suitable for the position of Tier 1 Alert Analyst, also known as Cybersecurity Analyst or CyberOps Associate.
The figure, which is originally from the SANS Institute, graphically represents how these roles interact with each other.
https://snipboard.io/035Sfj.jpg
This course offers preparation for a certification suitable for the position of Tier 1 Alert Analyst, also known as Cybersecurity Analyst or CyberOps Associate.
The figure, which is originally from the SANS Institute, graphically represents how these roles interact with each other.
https://snipboard.io/035Sfj.jpg
Process in the SOC The day of a Cybersecurity Analyst typically begins with monitoring security alert queues.
A ticketing system is frequently used to assign alerts to a queue for an analyst to investigate.
Because the software that generates alerts can trigger false alarms, one job of the Cybersecurity Analyst might be to verify that an alert represents a true security incident.
When verification is established, the incident can be forwarded to investigators or other security personnel to be acted upon. Otherwise, the alert may be dismissed as a false alarm.
If a ticket cannot be resolved, the Cybersecurity Analyst will forward the ticket to a Tier 2 Incident Responder for deeper investigation and remediation.
If the Incident Responder cannot resolve the ticket, it will be forwarded it to Tier 3 personnel with in-depth knowledge and threat hunting skills.
https://snipboard.io/6MpfRx.jpg
Technologies in the SOC: SIEM As shown in the figure, a SOC needs a security information and event management system (SIEM), or its equivalent.
SIEM makes sense of all the data that firewalls, network appliances, intrusion detection systems, and other devices generate.
SIEM systems are used for collecting and filtering data, detecting and classifying threats, and analyzing and investigating threats.
SIEM systems may also and manage resources to implement preventive measures and address future threats.
SOC technologies include one or more of the following:
Event collection,
correlation, and analysis
Security monitoring
Security control
Log management
Vulnerability assessment
Vulnerability tracking
Threat intelligence
https://snipboard.io/q0mNOV.jpg
Technologies in the SOC: SOAR SIEM and security orchestration, automation and response (SOAR) are often paired together as they have capabilities that complement each other.
Large security operations (SecOps) teams use both technologies to optimize their SOC.
It is estimated that 15% of organizations with a security team of larger than five people will utilize SOAR by the end of 2020.
SOAR platforms are similar to SIEMs in that they aggregate, correlate, and analyze alerts.
However, SOAR technology goes a step further by integrating threat intelligence and automating incident investigation and response workflows based on playbooks developed by the security team.
https://snipboard.io/uQ5nCh.jpg
SOAR security platforms: Gather alarm data from each component of the system. Provide tools that enable cases to be researched, assessed, and investigated.
Emphasize integration as a means of automating complex incident response workflows that enable more rapid response and adaptive defense strategies.
Include pre-defined playbooks that enable automatic response to specific threats.
Playbooks can be initiated automatically based on predefined rules or may be triggered by security personnel.
SOAR emphasizes integration tools and automation of SOC workflows. It orchestrates many manual processes such as investigation of security alerts only requiring human intervention when necessary.
This frees security personnel to address more pressing matters and high-end investigation and threat remediation. The future adoption of sophisticated SOAR platforms will remake SOC operations and job roles.
SOAR emphasizes integration tools and automation of SOC workflows.
It orchestrates many manual processes such as investigation of security alerts only requiring human intervention when necessary.
This frees security personnel to address more pressing matters and high-end investigation and threat remediation.
The future adoption of sophisticated SOAR platforms will remake SOC operations and job roles.
SIEM systems necessarily produce more alerts than most SecOps teams can realistically investigate in order to conservatively capture as many potential exploits as possible.
SOAR will process many of these alerts automatically and will enable security personnel to focus on more complex and potentially damaging exploits.
SOC Metrics A SOC is critically important to the security of an organization.
Whether the SOC is internal to an organization, or providing services to multiple organizations, it is important to understand how well the SOC is functioning in order so that improvements can be made to the people, processes, and technologies that comprise the SOC.
Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.
Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:
– Dwell Time
– Mean Time to Detect (MTTD)
– Mean Time to Respond (MTTR)
– Mean Time to Contain (MTTC)
– Time to Control
Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.
Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:
– Dwell Time
– Mean Time to Detect (MTTD)
– Mean Time to Respond (MTTR)
– Mean Time to Contain (MTTC)
– Time to Control
Dwell Time :
The length of time that threat actors have access to a network before they are detected, and their access is stopped.
Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.
Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:
– Dwell Time
– Mean Time to Detect (MTTD)
– Mean Time to Respond (MTTR)
– Mean Time to Contain (MTTC)
– Time to Control
Mean Time to Detect (MTTD) :
The average time that it takes for the SOC personnel to identify valid security incidents have occurred in the network.
Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.
Note however, that metrics that describe blanket performance frequently do not paint an accurate picture of SOC operation due to the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:
– Dwell Time
– Mean Time to Detect (MTTD)
– Mean Time to Respond (MTTR)
– Mean Time to Contain (MTTC)
– Time to Control
Mean Time to Respond (MTTR) :
the average time that it takes to stop and remediate a security incident.