MODULE 2 - CERTIFICATION CYBER OPS ASSOCIATE Flashcards

1
Q

The Modern Security Operations Center

Elements of a SOC

Defending against today’s threats requires a formalized, structured, and disciplined approach.

Organizations typically use the services of professionals in a Security Operations Center (SOC). SOCs provide a broad range of services, from monitoring and management, to comprehensive threat solutions and hosted security that can be customized to meet customer needs.

SOCs can be wholly in-house, owned and operated by a business, or elements of a SOC can be contracted out to security vendors, such as Cisco’s Managed Security Services. As illustrated in the figure, the major elements of a SOC are people, processes, and technologies.

https://snipboard.io/n9l7Yd.jpg

A

People in the SOC :

Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.

First tier jobs are more entry level, while third tier jobs require extensive expertise.

– Tier 1 Alert Analyst

– Tier 2 Incident Responder

– Tier 3 Threat Hunter

– SOC Manager

2
Q

People in the SOC :

Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.

First tier jobs are more entry level, while third tier jobs require extensive expertise.

– Tier 1 Alert Analyst

– Tier 2 Incident Responder

– Tier 3 Threat Hunter

– SOC Manager

A

Tier 1 Alert Analyst :

These professionals monitor incoming alerts, verify that a true incident has occurred, and forward tickets to Tier 2, if necessary.

3
Q

People in the SOC :

Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.

First tier jobs are more entry level, while third tier jobs require extensive expertise.

– Tier 1 Alert Analyst

– Tier 2 Incident Responder

– Tier 3 Threat Hunter

– SOC Manager

A

Tier 2 Incident Responder :

These professionals are responsible for deep investigation of incidents and advise remediation or action to be taken.

4
Q

People in the SOC :

Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.

First tier jobs are more entry level, while third tier jobs require extensive expertise.

– Tier 1 Alert Analyst

– Tier 2 Incident Responder

– Tier 3 Threat Hunter

– SOC Manager

A

Tier 3 Threat Hunter :

These professionals have expert-level skill in network, endpoint, threat intelligence, and malware reverse engineering. They are experts at tracing the processes of the malware to determine its impact and how it can be removed.

They are also deeply involved in hunting for potential threats and implementing threat detection tools.

Threat hunters search for cyber threats that are present in the network but have not yet been detected.

5
Q

People in the SOC :

Job roles in a SOC are rapidly evolving. Traditionally, SOCs assign job roles by tiers, according to the expertise and responsibilities required for each.

First tier jobs are more entry level, while third tier jobs require extensive expertise.

– Tier 1 Alert Analyst

– Tier 2 Incident Responder

– Tier 3 Threat Hunter

– SOC Manager

A

SOC Manager :

This professional manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.

6
Q

This course offers preparation for a certification suitable for the position of Tier 1 Alert Analyst, also known as Cybersecurity Analyst or CyberOps Associate.

The figure, which is originally from the SANS Institute, graphically represents how these roles interact with each other.

https://snipboard.io/035Sfj.jpg

A

This course offers preparation for a certification suitable for the position of Tier 1 Alert Analyst, also known as Cybersecurity Analyst or CyberOps Associate.

The figure, which is originally from the SANS Institute, graphically represents how these roles interact with each other.

https://snipboard.io/035Sfj.jpg

7
Q

Process in the SOC

The day of a Cybersecurity Analyst typically begins with monitoring security alert queues.

A ticketing system is frequently used to assign alerts to a queue for an analyst to investigate.

Because the software that generates alerts can trigger false alarms, one job of the Cybersecurity Analyst might be to verify that an alert represents a true security incident.

When verification is established, the incident can be forwarded to investigators or other security personnel to be acted upon. Otherwise, the alert may be dismissed as a false alarm.

A

If a ticket cannot be resolved, the Cybersecurity Analyst will forward the ticket to a Tier 2 Incident Responder for deeper investigation and remediation.

If the Incident Responder cannot resolve the ticket, it will be forwarded to Tier 3 personnel with in-depth knowledge and threat hunting skills.

https://snipboard.io/6MpfRx.jpg

8
Q

Technologies in the SOC: SIEM

As shown in the figure, a SOC needs a security information and event management system (SIEM), or its equivalent.

SIEM makes sense of all the data that firewalls, network appliances, intrusion detection systems, and other devices generate.

SIEM systems are used for collecting and filtering data, detecting and classifying threats, and analyzing and investigating threats.

SIEM systems may also manage resources to implement preventive measures and address future threats.

A

SOC technologies include one or more of the following:

– Event collection, correlation, and analysis

– Security monitoring

– Security control

– Log management

– Vulnerability assessment

– Vulnerability tracking

– Threat intelligence

https://snipboard.io/q0mNOV.jpg
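The first item in the list above, event collection, correlation, and analysis, is what a SIEM does in practice: it pulls raw logs from heterogeneous devices, normalizes them into a common schema, and fires an alert when a rule matches across events. The following Python script is an added example of that pipeline; it is not code from the Cisco course or from any SIEM product. The sshd and firewall log lines are constructed sample data (the firewall's key=value layout is an assumed format), and the correlation rule, threshold and five-minute window are illustrative choices.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not real data). The sshd lines assume an ISO 8601
# timestamp prefix; the firewall lines use an assumed key=value layout.
# Addresses are from the RFC 5737 documentation ranges.
AUTH_LOG = """\
2024-03-01T10:00:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
2024-03-01T10:00:03 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51123 ssh2
2024-03-01T10:00:05 host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51124 ssh2
2024-03-01T10:00:06 host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51125 ssh2
2024-03-01T10:00:09 host1 sshd[2202]: Accepted password for admin from 203.0.113.7 port 51130 ssh2
2024-03-01T10:15:00 host1 sshd[2310]: Failed password for bob from 198.51.100.4 port 40001 ssh2
2024-03-01T10:20:00 host1 sshd[2311]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
"""

FW_LOG = """\
2024-03-01T09:59:58 fw1 action=deny src=203.0.113.7 dst=10.0.0.5 dport=23
2024-03-01T10:00:00 fw1 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_sshd(line):
    """Normalize one sshd auth line into the common event schema, or None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "source": "sshd",
        "src_ip": m["src"],
        "user": m["user"],
        "outcome": "failure" if m["result"] == "Failed" else "success",
    }


def parse_firewall(line):
    """Normalize one key=value firewall line into the common event schema, or None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    kv = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "action" not in kv or "src" not in kv:
        return None
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "source": "firewall",
        "src_ip": kv["src"],
        "user": None,
        "outcome": "deny" if kv["action"] == "deny" else "allow",
    }


def collect(auth_log, fw_log):
    """Event collection: parse both sources into one time-ordered event list."""
    events = []
    for line in auth_log.splitlines():
        ev = parse_sshd(line)
        if ev:
            events.append(ev)
    for line in fw_log.splitlines():
        ev = parse_firewall(line)
        if ev:
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Correlation rule: >= threshold failed logins from one source IP within
    `window`, followed by a successful login from that IP, raises one alert.
    Firewall events from the same IP in the window are attached as context."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["source"] != "sshd" or ev["outcome"] != "success":
            continue
        start = ev["ts"] - window
        prior = [e for e in events[:i] if e["src_ip"] == ev["src_ip"] and e["ts"] >= start]
        failures = [e for e in prior if e["outcome"] == "failure"]
        if len(failures) >= threshold:
            alerts.append({
                "rule": "ssh_bruteforce_then_success",
                "severity": "high",
                "ts": ev["ts"].isoformat(),
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "failed_attempts": len(failures),
                "targeted_users": sorted({e["user"] for e in failures}),
                "firewall_denies": sum(1 for e in prior if e["outcome"] == "deny"),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(collect(AUTH_LOG, FW_LOG)):
        print(alert)
```

Only the first source address produces an alert: four failures against two accounts followed by a success, with an earlier firewall deny attached as context. The second address has one failure before its success and stays below the threshold, which is exactly the kind of low-signal event a Tier 1 analyst should not have to look at.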

9
Q

Technologies in the SOC: SOAR

SIEM and security orchestration, automation and response (SOAR) are often paired together as they have capabilities that complement each other.

Large security operations (SecOps) teams use both technologies to optimize their SOC.

It is estimated that 15% of organizations with a security team larger than five people will utilize SOAR by the end of 2020.

A

SOAR platforms are similar to SIEMs in that they aggregate, correlate, and analyze alerts.

However, SOAR technology goes a step further by integrating threat intelligence and automating incident investigation and response workflows based on playbooks developed by the security team.

https://snipboard.io/uQ5nCh.jpg

10
Q

SOAR security platforms:

– Gather alarm data from each component of the system.

– Provide tools that enable cases to be researched, assessed, and investigated.

– Emphasize integration as a means of automating complex incident response workflows that enable more rapid response and adaptive defense strategies.

– Include pre-defined playbooks that enable automatic response to specific threats.

Playbooks can be initiated automatically based on predefined rules or may be triggered by security personnel.

A

SOAR emphasizes integration tools and automation of SOC workflows. It orchestrates many manual processes, such as investigation of security alerts, requiring human intervention only when necessary.

This frees security personnel to address more pressing matters and high-end investigation and threat remediation. The future adoption of sophisticated SOAR platforms will remake SOC operations and job roles.
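The following Python playbook is an added example of the SOAR behaviour described in this card and the previous one (enrichment, automatic response driven by a rule or launched by an analyst, and escalation to Tier 2 only when a human decision is needed). It is not code from the Cisco course or from any SOAR product. The threat-intelligence feed, the allowlist, the alert rule name and the connector functions (block_ip, isolate_host, disable_account) are all assumptions made for the example; a real platform would call the firewall, EDR and identity-provider APIs where these return strings.

```python
from dataclasses import dataclass, field

# Constructed threat-intelligence feed and allowlist (not a real feed):
# indicator -> confidence score (0-100) and tags.
THREAT_INTEL = {
    "203.0.113.7": {"confidence": 95, "tags": ["bruteforce", "scanner"]},
    "198.51.100.77": {"confidence": 60, "tags": ["suspicious-hosting"]},
    "198.51.100.4": {"confidence": 20, "tags": ["residential-isp"]},
}
APPROVED_SCANNERS = {"192.0.2.10"}  # assumed internal vulnerability scanner


@dataclass
class Alert:
    id: str
    rule: str
    src_ip: str
    host: str
    user: str


@dataclass
class CaseResult:
    alert_id: str
    disposition: str                 # "closed", "contained" or "escalated"
    actions: list = field(default_factory=list)
    notes: list = field(default_factory=list)


# Hypothetical connector calls. A real SOAR platform would invoke the firewall,
# EDR and identity-provider APIs; here each just returns a description.
def block_ip(ip):
    return f"firewall.block_source({ip})"


def isolate_host(host):
    return f"edr.isolate_host({host})"


def disable_account(user):
    return f"idp.disable_account({user})"


def enrich(alert):
    """Gather context for the case: threat-intel hit and allowlist status."""
    intel = THREAT_INTEL.get(alert.src_ip, {"confidence": 0, "tags": []})
    return {"intel": intel, "approved_scanner": alert.src_ip in APPROVED_SCANNERS}


def run_playbook(alert, triggered_by="rule", allow_auto_contain=True):
    """Playbook for the assumed 'ssh_bruteforce_then_success' alert.

    triggered_by is "rule" when a detection rule started the playbook
    automatically, or an analyst name when a person launched it manually.
    allow_auto_contain lets a team switch off automatic containment while
    the playbook is still being tuned, so it only blocks and escalates.
    """
    ctx = enrich(alert)
    case = CaseResult(alert_id=alert.id, disposition="escalated")
    case.notes.append(f"playbook started by {triggered_by}")
    case.notes.append(f"intel confidence {ctx['intel']['confidence']}, tags {ctx['intel']['tags']}")

    if ctx["approved_scanner"]:
        # Known benign source: close automatically, no analyst time spent
        case.disposition = "closed"
        case.notes.append("source is an approved internal scanner; closed as expected activity")
        return case

    confidence = ctx["intel"]["confidence"]
    if confidence >= 90 and allow_auto_contain:
        # High-confidence indicator: contain now, then hand the case to Tier 2
        case.actions += [block_ip(alert.src_ip), isolate_host(alert.host), disable_account(alert.user)]
        case.disposition = "contained"
        case.notes.append("auto-contained; ticket assigned to Tier 2 for eradication and root cause")
    elif confidence >= 50:
        # Medium confidence: take the cheap, reversible action and let a human decide the rest
        case.actions.append(block_ip(alert.src_ip))
        case.notes.append("source blocked; host isolation and account action left to analyst")
    else:
        case.notes.append("no corroborating intel; needs Tier 1 verification")
    return case


if __name__ == "__main__":
    alert = Alert("A-1", "ssh_bruteforce_then_success", "203.0.113.7", "host1", "admin")
    print(run_playbook(alert))
    print(run_playbook(alert, triggered_by="analyst", allow_auto_contain=False))
```

The point of the three branches is that the playbook removes the routine decisions (known scanner, known-bad source) from the analyst queue and leaves only the ambiguous middle for a person, which is what the card means by human intervention only when necessary.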

11
Q

SOAR emphasizes integration tools and automation of SOC workflows.

It orchestrates many manual processes, such as investigation of security alerts, requiring human intervention only when necessary.

This frees security personnel to address more pressing matters and high-end investigation and threat remediation.

The future adoption of sophisticated SOAR platforms will remake SOC operations and job roles.

A

To conservatively capture as many potential exploits as possible, SIEM systems necessarily produce more alerts than most SecOps teams can realistically investigate.

SOAR will process many of these alerts automatically and will enable security personnel to focus on more complex and potentially damaging exploits.

12
Q

SOC Metrics

A SOC is critically important to the security of an organization.

Whether the SOC is internal to an organization or providing services to multiple organizations, it is important to understand how well the SOC is functioning so that improvements can be made to the people, processes, and technologies that comprise the SOC.

A

Many metrics, or key performance indicators (KPIs), can be devised to measure specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note, however, that metrics describing blanket performance frequently do not paint an accurate picture of SOC operation, because of the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

13
Q

Many metrics, or key performance indicators (KPIs), can be devised to measure specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note, however, that metrics describing blanket performance frequently do not paint an accurate picture of SOC operation, because of the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

A

Dwell Time :

The length of time that threat actors have access to a network before they are detected, and their access is stopped.

14
Q

Many metrics, or key performance indicators (KPIs), can be devised to measure specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note, however, that metrics describing blanket performance frequently do not paint an accurate picture of SOC operation, because of the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

A

Mean Time to Detect (MTTD) :

The average time that it takes for the SOC personnel to identify that valid security incidents have occurred in the network.

15
Q

Many metrics, or key performance indicators (KPIs), can be devised to measure specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note, however, that metrics describing blanket performance frequently do not paint an accurate picture of SOC operation, because of the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

A

Mean Time to Respond (MTTR) :

The average time that it takes to stop and remediate a security incident.

16
Q

Many metrics, or key performance indicators (KPIs), can be devised to measure specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note, however, that metrics describing blanket performance frequently do not paint an accurate picture of SOC operation, because of the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

A

Mean Time to Contain (MTTC) :

The time required to stop the incident from causing further damage to systems or data.

17
Q

Many metrics, or key performance indicators (KPIs), can be devised to measure specific aspects of SOC performance. However, five metrics are commonly used as SOC metrics.

Note, however, that metrics describing blanket performance frequently do not paint an accurate picture of SOC operation, because of the diversity of cybersecurity threats. Several common metrics compiled by SOC managers are:

– Dwell Time

– Mean Time to Detect (MTTD)

– Mean Time to Respond (MTTR)

– Mean Time to Contain (MTTC)

– Time to Control

A

Time to Control :

The time required to stop the spread of malware in the network.
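The metric definitions in cards 13 to 17 are easiest to pin down by computing them from actual incident records, because each one is a difference between two timestamps a ticketing system already holds. The Python script below is an added example of that computation; it is not from the Cisco course. The incident records are constructed, and the measurement conventions are assumptions stated in the code: dwell time runs from the forensically established intrusion start until access is stopped (containment), MTTD from intrusion start to detection, MTTC from detection to containment, and MTTR from detection to remediation. Time to Control is omitted because it needs per-host malware-spread data the records do not carry. The script also reports the median beside the mean, which is the practical answer to the card's warning that blanket metrics can mislead.

```python
from datetime import datetime
from statistics import mean, median

# Constructed incident records (not real data). Timestamps are UTC ISO 8601.
# intrusion_start comes from forensic analysis; remediated is None for open cases.
INCIDENTS = [
    {"id": "INC-1", "intrusion_start": "2024-03-01T02:00:00", "detected": "2024-03-01T10:00:00",
     "contained": "2024-03-01T11:30:00", "remediated": "2024-03-02T09:00:00"},
    {"id": "INC-2", "intrusion_start": "2024-02-20T00:00:00", "detected": "2024-03-03T00:00:00",
     "contained": "2024-03-03T04:00:00", "remediated": "2024-03-05T00:00:00"},
    {"id": "INC-3", "intrusion_start": "2024-03-04T12:00:00", "detected": "2024-03-04T12:30:00",
     "contained": "2024-03-04T13:00:00", "remediated": None},
    {"id": "INC-4", "intrusion_start": "2024-03-05T08:00:00", "detected": "2024-03-05T09:00:00",
     "contained": "2024-03-05T09:20:00", "remediated": "2024-03-05T12:00:00"},
]


def _minutes(start, end):
    """Elapsed minutes between two ISO timestamps; None if either is missing.
    A negative interval means the record is inconsistent, so refuse it."""
    if start is None or end is None:
        return None
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"timestamp {end} precedes {start}")
    return delta.total_seconds() / 60


def incident_durations(inc):
    """Per-incident values, in minutes, under the conventions assumed above."""
    return {
        "dwell_time": _minutes(inc["intrusion_start"], inc["contained"]),
        "mttd": _minutes(inc["intrusion_start"], inc["detected"]),
        "mttc": _minutes(inc["detected"], inc["contained"]),
        "mttr": _minutes(inc["detected"], inc["remediated"]),
    }


def _summary(values):
    """Mean and median over the incidents that have the value; open cases are skipped."""
    values = [v for v in values if v is not None]
    if not values:
        return {"n": 0, "mean": None, "median": None}
    return {"n": len(values), "mean": mean(values), "median": median(values)}


def soc_metrics(incidents):
    """Roll up the per-incident durations into the SOC-level KPIs."""
    per_incident = [incident_durations(i) for i in incidents]
    report = {k: _summary(d[k] for d in per_incident)
              for k in ("dwell_time", "mttd", "mttc", "mttr")}
    report["open_incidents"] = sum(1 for i in incidents if i["remediated"] is None)
    return report


if __name__ == "__main__":
    for name, stats in soc_metrics(INCIDENTS).items():
        print(name, stats)
```

On this constructed data the mean MTTD is about 74 hours while the median is 4.5 hours: one long-undetected intrusion (INC-2) dominates the mean. A SOC manager reading only the mean would conclude detection is slow across the board, when three of four incidents were detected within hours; that is the distortion the card warns about.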

18
Q

Enterprise and Managed Security

For medium and large networks, the organization will benefit from implementing an enterprise-level SOC.

The SOC can be a complete in-house solution.

However, many larger organizations will outsource at least part of the SOC operations to a security solutions provider.

A

Cisco has a team of experts who help ensure timely and accurate incident resolution. Cisco offers a wide range of incident response, preparedness, and management capabilities including:

– Cisco Smart Net Total Care Service for Rapid Problem Resolution

– Cisco Product Security Incident Response Team (PSIRT)

– Cisco Computer Security Incident Response Team (CSIRT)

– Cisco Managed Services

– Cisco Tactical Operations (TacOps)

– Cisco’s Safety and Physical Security Program

19
Q

Security vs. Availability

Most enterprise networks must be up and running at all times.

Security personnel understand that for the organization to accomplish its priorities, network availability must be preserved.

A

Each business or industry has a limited tolerance for network downtime. That tolerance is usually based upon a comparison of the cost of the downtime in relation to the cost of ensuring against downtime.

For example, in a small retail business with only one location, it may be tolerable to have a router as a single point of failure.

However, if a large portion of that business’s sales are from online shoppers, then the owner may decide to provide a level of redundancy to ensure that a connection is always available.

20
Q

Each business or industry has a limited tolerance for network downtime. That tolerance is usually based upon a comparison of the cost of the downtime in relation to the cost of ensuring against downtime.

For example, in a small retail business with only one location, it may be tolerable to have a router as a single point of failure.

However, if a large portion of that business’s sales are from online shoppers, then the owner may decide to provide a level of redundancy to ensure that a connection is always available.

A

Preferred uptime is often measured in the number of down minutes in a year, as shown in the table. For example, a “five nines” uptime means that the network is up 99.999% of the time, or down for no more than about 5 minutes a year (5.26 minutes). “Four nines” (99.99%) allows a downtime of about 53 minutes a year.

https://snipboard.io/AS642b.jpg

However, security cannot be so strong that it interferes with the needs of employees or business functions.

It is always a tradeoff between strong security and permitting efficient business functioning.

21
Q

Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.

– Cisco Certified CyberOps Associate

– CompTIA Cybersecurity Analyst Certification

– (ISC)² Information Security Certifications

– Global Information Assurance Certification (GIAC)

– Other Security-Related Certifications

A

Cisco Certified CyberOps Associate :

The Cisco Certified CyberOps Associate certification provides a valuable first step in acquiring the knowledge and skills needed to work with a SOC team.

It can be a valuable part of a career in the exciting and growing field of cybersecurity operations.

22
Q

Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.

– Cisco Certified CyberOps Associate

– CompTIA Cybersecurity Analyst Certification

– (ISC)² Information Security Certifications

– Global Information Assurance Certification (GIAC)

– Other Security-Related Certifications

A

CompTIA Cybersecurity Analyst Certification :

The CompTIA Cybersecurity Analyst (CySA+) certification is a vendor-neutral IT professional certification.

It validates the knowledge and skills required to configure and use threat detection tools, perform data analysis, and interpret the results to identify vulnerabilities, threats, and risks to an organization.

The end goal is the ability to secure and protect applications and systems within an organization.

23
Q

Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.

– Cisco Certified CyberOps Associate

– CompTIA Cybersecurity Analyst Certification

– (ISC)² Information Security Certifications

– Global Information Assurance Certification (GIAC)

– Other Security-Related Certifications

A

(ISC)² Information Security Certifications :

(ISC)² is an international non-profit organization that offers the highly-acclaimed CISSP certification.

They offer a range of other certifications for various specialties in cybersecurity.

24
Q

Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.

– Cisco Certified CyberOps Associate

– CompTIA Cybersecurity Analyst Certification

– (ISC)² Information Security Certifications

– Global Information Assurance Certification (GIAC)

– Other Security-Related Certifications

A

Global Information Assurance Certification (GIAC) :

GIAC, which was founded in 1999, is one of the oldest security certification organizations.

It offers a wide range of certifications in seven categories.

25
Q

Certifications : A variety of cybersecurity certifications that are relevant to careers in SOCs are available from several different organizations.

– Cisco Certified CyberOps Associate

– CompTIA Cybersecurity Analyst Certification

– (ISC)² Information Security Certifications

– Global Information Assurance Certification (GIAC)

– Other Security-Related Certifications

A

Other Security-Related Certifications :

Search for “cybersecurity certifications” on the internet to find information about other vendor and vendor-neutral certifications.

26
Q

Further Education

Degrees

Anyone considering a career in the cybersecurity field should seriously consider pursuing a technical degree or bachelor’s degree in computer science, electrical engineering, information technology, or information security.

Many educational institutions offer security-related specialized tracks and certifications.

Python Programming

Computer programming is an essential skill for anyone who wishes to pursue a career in cybersecurity.

If you have never learned how to program, then Python might be the first language to learn. Python is an open-source, object-oriented language that is routinely used by cybersecurity analysts. It is also a popular programming language for Linux-based systems and software-defined networking (SDN).

A

Linux Skills

Linux is widely used in SOCs and other networking and security environments.

Linux skills are a valuable addition to your skillset as you work to develop a career in cybersecurity.

27
Q

Sources of Career Information :

A variety of websites and mobile applications advertise information technology jobs. Each site targets a variety of job applicants and provides different tools for candidates to research their ideal job position. Many sites are job site aggregators. Job site aggregators gather listings from other job boards and company career sites and display them in a single location.

Indeed.com

Advertised as the world’s #1 job site, Indeed.com attracts over 180 million unique visitors every month from over 50 different countries. Indeed.com is truly a worldwide job site. It helps companies of all sizes hire the best talent and offers the best opportunity for job seekers.

A

CareerBuilder.com

CareerBuilder serves many large and prestigious companies. As a result, this site attracts specific candidates that typically have more education and higher credentials.

The employers posting on CareerBuilder commonly get more candidates with college degrees, advanced credentials, and industry certifications.

USAJobs.gov

The United States federal government posts any openings on the USAJobs website.

28
Q

Glassdoor

The website glassdoor.com provides salary information for different job types, companies, and locations. Search for “cyber security analyst” to see salaries and requirements for current job openings.

LinkedIn

LinkedIn is a professional network of more than 630 million users in more than 150 countries with the mission of helping people be more productive and successful. LinkedIn is also a great source for career information and job opportunities.

A

Getting Experience

Internships

Internships are an excellent method for entering the cybersecurity field. Sometimes, internships turn into an offer of full time employment. However, even a temporary internship allows you the opportunity to gain experience in the inner workings of a cybersecurity organization.

The contacts you make during an internship can also prove to be a valuable resource as you continue your career. Search the internet for the best websites to locate network security internships.

Scholarships and Awards

To help close the security skills gap, organizations like Cisco and INFOSEC have introduced scholarship and awards programs that provide money to students who meet qualification requirements. Search the internet to discover opportunities that are currently offered.