SECOPS 1: Defining the SOC Flashcards
Three SOC types
Threat-centric SOCs
Compliance-based SOCs
Operational-based SOCs
threat-centric SOC
proactively hunts for malicious threats on networks
Before an attack…
Comprehensive contextual awareness
in-depth analysis of network traffic.
During an attack
Ability to continuously detect the presence of threats
After an attack
Identify the point of entry, determine the scope, contain the threat, remediate the host, minimize the risk of reinfection
Key to a successful compliance-based SOC
Linking an organization's risk management and incident response (IR) practices to an automated system compliance process
Compliance-based SOC is focused on…
comparing the compliance posture of network systems to reference configuration templates and standard system builds
Operational-based SOC
internally focused organization that is tasked with monitoring the security posture of the organization's internal network
CSIRT
Example of an operational-based SOC
Operational-based SOC is focused on
maintaining the operational integrity of the organization's network and systems
SOC tools do these things:
Network mapping, network monitoring, vulnerability detection, penetration testing, data collection, threat and anomaly detection, data aggregation and correlation
NSM
network security monitoring
SOC automation tasks
Ticket generation
False positive alert handling
Report generation
Data analytics
Science of examining raw data or data sets with the purpose of drawing conclusions.
Data Set
Collection of related, discrete items of data organized in a structure
Database contains or can be a…
Data Set
Dynamic analysis is
evaluation of a program by executing it and observing its behavior in real time to find errors (as opposed to static analysis, which examines the code without running it)
Sequencing
Reconstructing network traffic flow
Path analysis
Interpretation of a chain of consecutive events that occur within a short period of time.
Path analysis purpose
Understand an attacker's behavior in order to gain actionable insights
Log clustering
Mine large amounts of log data to identify anomalous behavior.
Incidents are
Alerts or events that could pose a serious threat to the organization
Alarm prioritization
Relieves analysts from sorting through low-level and irrelevant alerts
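The log clustering, false-positive handling and alarm prioritization cards above describe SOC automation in one sentence each. The following script, added here as a worked example (it is not from the original flashcards or from any SOC product), shows the three together on a handful of constructed syslog lines: lines are masked into templates and clustered, a template seen only once and a repeated template from one source IP become alerts, a tuned-out known-benign pattern (the assumed bastion host 10.0.1.5) is suppressed as a false positive, and what remains is scored by severity and asset criticality. The host names, IPs, criticality values and suppression list are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the original page): routine SSH
# logins from the assumed bastion 10.0.1.5, a password-guessing burst from
# one external IP, and a single sudo read of /etc/shadow.
SAMPLE_LOGS = [
    "Jan 10 10:01:02 web01 sshd[1201]: Accepted publickey for deploy from 10.0.1.5 port 51022",
    "Jan 10 10:02:11 web01 sshd[1210]: Accepted publickey for deploy from 10.0.1.5 port 51030",
    "Jan 10 10:03:45 web02 sshd[2201]: Accepted publickey for deploy from 10.0.1.5 port 51044",
    "Jan 10 10:05:00 web01 sshd[1222]: Failed password for invalid user admin from 203.0.113.9 port 40001",
    "Jan 10 10:05:01 web01 sshd[1223]: Failed password for invalid user admin from 203.0.113.9 port 40002",
    "Jan 10 10:05:02 web01 sshd[1224]: Failed password for invalid user root from 203.0.113.9 port 40003",
    "Jan 10 10:06:30 web01 sudo[1300]: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Jan 10 10:07:12 web02 sshd[2210]: Accepted publickey for deploy from 10.0.1.5 port 51050",
]

# Assumed asset criticality (1 = low, 3 = crown jewel) and severity weights.
ASSET_CRITICALITY = {"web01": 3, "web02": 1}
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}
# Known-benign (template substring, source IP) pairs an analyst has tuned out.
SUPPRESSIONS = [("Accepted publickey", "10.0.1.5")]

_SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w\-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
_IP = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Variable fields are masked so lines with the same shape share one template.
# Order matters: IPs before generic numbers, numbers before paths.
_TOKEN_RULES = [
    (_IP, "<IP>"),
    (re.compile(r"\buser \S+"), "user <USER>"),
    (re.compile(r"\b\d+\b"), "<NUM>"),
    (re.compile(r"(?:/[\w.\-]+)+"), "<PATH>"),
]


def parse_line(line):
    """Split one syslog line into fields; None if it does not match."""
    m = _SYSLOG.match(line)
    return m.groupdict() if m else None


def template_of(proc, msg):
    """Reduce a message to its template by masking variable tokens."""
    for pattern, placeholder in _TOKEN_RULES:
        msg = pattern.sub(placeholder, msg)
    return f"{proc}: {msg}"


def cluster_logs(lines):
    """Log clustering: group parsed records by template -> {template: [records]}."""
    clusters = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are left out rather than guessed at
        rec["template"] = template_of(rec["proc"], rec["msg"])
        clusters[rec["template"]].append(rec)
    return clusters


def rare_templates(clusters, max_count=1):
    """Templates seen at most max_count times: the 'never seen this before' signal."""
    return sorted(t for t, recs in clusters.items() if len(recs) <= max_count)


def source_bursts(clusters, min_count=3):
    """Same template repeated at least min_count times from one source IP."""
    found = []
    for template, recs in clusters.items():
        by_ip, hosts = Counter(), defaultdict(set)
        for r in recs:
            ip = _IP.search(r["msg"])
            if ip:
                by_ip[ip.group()] += 1
                hosts[ip.group()].add(r["host"])
        for ip, n in by_ip.items():
            if n >= min_count:
                found.append({"template": template, "source": ip, "count": n,
                              "hosts": sorted(hosts[ip])})
    return found


def build_alerts(clusters):
    """Turn anomalies into alert records with a coarse severity."""
    alerts = []
    for t in rare_templates(clusters):
        alerts.append({"rule": "rare-template", "template": t, "source": None,
                       "hosts": [clusters[t][0]["host"]], "count": 1, "severity": "medium"})
    for b in source_bursts(clusters):
        b.update(rule="source-burst", severity="high" if "Failed" in b["template"] else "low")
        alerts.append(b)
    return alerts


def is_suppressed(alert):
    """False-positive handling: drop alerts matching a tuned-out benign pattern."""
    return any(sub in alert["template"] and alert["source"] == src for sub, src in SUPPRESSIONS)


def score(alert):
    """Alarm prioritization: severity weight times the most critical affected asset."""
    return SEVERITY_WEIGHT[alert["severity"]] * max(ASSET_CRITICALITY.get(h, 1) for h in alert["hosts"])


def prioritize(alerts):
    kept = [dict(a, score=score(a)) for a in alerts if not is_suppressed(a)]
    return sorted(kept, key=lambda a: a["score"], reverse=True)


def triage(lines):
    return prioritize(build_alerts(cluster_logs(lines)))


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(a["score"], a["rule"], a["severity"], a["hosts"], a["source"], a["template"])
```

On the sample input the script produces two alerts: the failed-password burst from 203.0.113.9 against web01 first (high severity on the most critical asset), then the one-off sudo read of /etc/shadow; the four accepted logins from the bastion also form a burst but are discarded by the suppression list, which is what relieves the analyst of the low-level noise. Real deployments replace the hand-written masking rules with a log-parsing engine and the criticality table with an asset inventory, but the pipeline shape (parse, cluster, detect, suppress, score, sort) is the same.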
NIST SP 800-181
Cybersecurity workforce framework (the NICE Framework)