Unit 2 Modern Security Operations Center Flashcards

1
Q

Tier 1 Alert Analyst

A

These professionals monitor incoming alerts, verify that a true incident has occurred, and forward tickets to Tier 2, if necessary.

2
Q

Tier 2 Incident Responder

A
These professionals are responsible for deep investigation of incidents and advise on the remediation or action to be taken.

3
Q

Tier 3 Threat Hunter

A

These professionals have expert-level skill in network, endpoint, threat intelligence, and malware reverse engineering. They are experts at tracing the processes of the malware to determine its impact and how it can be removed. They are also deeply involved in hunting for potential threats and implementing threat detection tools. Threat hunters search for cyber threats that are present in the network but have not yet been detected.

4
Q

SOC Manager

A

This professional manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.

5
Q

How can SOC be implemented?

A

SOCs provide a broad range of services, from monitoring and management, to comprehensive threat solutions and hosted security that can be customized to meet customer needs. SOCs can be wholly in-house, owned and operated by a business, or elements of a SOC can be contracted out to security vendors, such as Cisco’s Managed Security Services.

6
Q

What is SIEM?

A

A SOC needs a security information and event management system (SIEM), or its equivalent. SIEM makes sense of all the data that firewalls, network appliances, intrusion detection systems, and other devices generate.

SIEM systems are used for collecting and filtering data, detecting and classifying threats, and analyzing and investigating threats.

7
Q

SIEM systems may also manage resources to implement preventive measures and address future threats. SOC technologies include what processes (7)?

A
Event collection, correlation, and analysis
Security monitoring
Security control
Log management
Vulnerability assessment
Vulnerability tracking
Threat intelligence
8
Q

What are some of the processes/events that the SOC Monitoring System filters/evaluates?

A
Network traffic
Network Flows
System Logs
Endpoint Data
Intel Threat Feeds
Security Events
Identify Asset Context

Filtered through SIEM - Security information and event management.

9
Q

What does SOAR stand for?

A

SOAR - Security orchestration, automation and response.

10
Q

T/F

It is estimated that 15% of organizations with a security team larger than five people will utilize SOAR by the end of 2020.

SOAR platforms are similar to SIEMs in that they aggregate, correlate, and analyze alerts.

A

True.

11
Q

SOAR Orchestration

A

Creates a customized platform that integrates and coordinates numerous security tools and resources.

12
Q

SOAR - Automation

A

Executes security processes with a minimum amount of human intervention. Helps address the shortage in cybersecurity analyst talent and increases efficiency.

13
Q

SOAR - Response

A

Prescribes and executes security procedures to be followed in response to security events. These can take the form of security runbooks consisting of rule-based automated responses created to address specific types of events.

14
Q

T/F

SOAR emphasizes integration tools and automation of SOC workflows

A

True.

SOAR emphasizes integration tools and automation of SOC workflows. It orchestrates many manual processes, such as the investigation of security alerts, requiring human intervention only when necessary. This frees security personnel to address more pressing matters, high-end investigation, and threat remediation. The future adoption of sophisticated SOAR platforms will remake SOC operations and job roles.

15
Q

What do SOAR security platforms perform, provide, or include?

A

1- Gather alarm data from each component of the system.
2- Provide tools that enable cases to be researched, assessed, and investigated.
3- Emphasize integration as a means of automating complex incident response workflows that enable more rapid response and adaptive defense strategies.
4- Include pre-defined playbooks that enable automatic response to specific threats. Playbooks can be initiated automatically based on predefined rules or may be triggered by security personnel.

16
Q

T/F

SecOps teams can easily investigate threats/alerts because SIEMs produce a minimal number of alerts.

A

False

SIEM systems produce more alerts than most SecOps teams can realistically investigate in order to conservatively capture as many potential exploits as possible. SOAR will process many of these alerts automatically and will enable security personnel to focus on more complex and potentially damaging exploits.

17
Q

Differences and similarities between SIEM and SOAR?

A

SOAR platforms are similar to SIEMs in that they aggregate, correlate, and analyze alerts. However, SOAR technology goes a step further by integrating threat intelligence and automating incident investigation and response workflows based on playbooks developed by the security team.

18
Q

What is a KPI, and what does it stand for?

A

Many metrics, or key performance indicators (KPIs), can be devised to measure different specific aspects of SOC performance.

19
Q

Five commonly measured KPIs

A
  • Dwell Time – the length of time that threat actors have access to a network before they are detected and their access is stopped.
  • Mean Time to Detect (MTTD) – the average time that it takes for the SOC personnel to identify that valid security incidents have occurred in the network.
  • Mean Time to Respond (MTTR) – the average time that it takes to stop and remediate a security incident.
  • Mean Time to Contain (MTTC) – the time required to stop the incident from causing further damage to systems or data.
  • Time to Control – the time required to stop the spread of malware in the network.

20
Q

What is the tolerance of network downtime?

A

That tolerance is usually based upon a comparison of the cost of the downtime in relation to the cost of ensuring against downtime. For example, in a small retail business with only one location, it may be tolerable to have a router as a single point of failure. However, if a large portion of that business’s sales are from online shoppers, then the owner may decide to provide a level of redundancy to ensure that a connection is always available.

21
Q

Availability ("nines") vs. downtime explained.

A

Preferred uptime is often measured in the amount of downtime per year, as shown in the table.

| Availability | Downtime per year |
|---|---|
| 99.8% | 17.52 hours |
| 99.9% ("three nines") | 8.76 hours |
| 99.99% ("four nines") | 52.56 minutes |
| 99.999% ("five nines") | 5.256 minutes |
| 99.9999% ("six nines") | 31.56 seconds |
| 99.99999% ("seven nines") | 3.16 seconds |

22
Q

Which SOC job role manages all the resources of the SOC and serves as a point of contact for the larger organization or customer?

A. SME Threat hunter
B. SOC Manager
C. Cyber Security Analyst
D. Incident responder

A

B. SOC Manager

23
Q

Which SOC job role processes security alerts and forwards tickets to Tier 2 if necessary?

A. SME Threat hunter
B. SOC Manager
C. Cyber Security Analyst
D. Incident responder

A

C. Cyber Security Analyst

24
Q

Which SOC job role is responsible for deep investigation of incidents?

A. SME Threat hunter
B. SOC Manager
C. Cyber Security Analyst
D. Incident responder

A

D. Incident responder

25
Q

Which device integrates security information and event management into a single platform?

A. SIEM
B. SOAR
C. Threat Hunter

A

A. SIEM

26
Q

Which device integrates orchestration tools and resources to automatically respond to security events?

A. SIEM
B. SOAR
C. Threat Hunter

A

B. SOAR

27
Q

Major elements of the SOC include people, processes, and technologies. Job roles are rapidly evolving and include tiers based on expertise and experience. What are these tiers?

A

These roles include a Tier 1 Alert Analyst, a Tier 2 Incident Responder, a Tier 3 Threat Hunter, and a SOC Manager. A Tier 1 Analyst will monitor incidents, open tickets, and perform basic threat mitigation.

28
Q

(MTTD)

A

Mean Time to Detect – the average time that it takes for the SOC personnel to identify that valid security incidents have occurred in the network. One of the SOC key performance indicators (KPIs).

29
Q

(MTTR)

A

Mean Time to Respond – the average time that it takes to stop and remediate a security incident. One of the SOC key performance indicators (KPIs).

30
Q

(MTTC)

A

Mean Time to Contain – the time required to stop the incident from causing further damage to systems or data. One of the SOC key performance indicators (KPIs).

31
Q

Dwell Time

A

The length of time that threat actors have access to a network before they are detected and their access is stopped. One of the SOC key performance indicators (KPIs).

32
Q

Time to Control

A

Time to Control – the time required to stop the spread of malware in the network. One of the SOC key performance indicators (KPIs).

33
Q

Types of Cyber Security Certifications.

A

A variety of cybersecurity certifications that are relevant to careers in SOCs are available from different organizations. They include Cisco Certified CyberOps Associate, CompTIA Cybersecurity Analyst Certification, (ISC)2 Information Security Certifications, and Global Information Assurance Certification (GIAC).

34
Q

Which personnel in a SOC is assigned the task of verifying whether an alert triggered by monitoring software represents a true security incident?

A

Tier 1 personnel

35
Q

After a security incident is verified in a SOC, an incident responder reviews the incident but cannot identify the source of the incident or form an effective mitigation procedure. To whom should the incident ticket be escalated?

A

An SME for further investigation

36
Q

Which two services are provided by security operations centers?

A

Managing comprehensive threat solutions.

Monitoring network security threats.

37
Q

Which metric is used in SOCs to evaluate the average time that it takes to identify that valid security incidents have occurred in the network?

A

MTTD

38
Q

Which KPI metric does SOAR use to measure the length of time that threat actors have access to a network before they are detected and their access is stopped?

A

Dwell Time

39
Q

What is the role of SIEM?

A

Analyze data that firewalls, network appliances, intrusion detection systems, and other devices generate and institute preventative measures.

40
Q

What is a characteristic of the SOAR security platform?

A

To include predefined playbooks that enable automatic responses to specific threats.

41
Q

A network security professional has applied for a Tier 2 position in a SOC. What is a typical job function that would be assigned to a new employee?

A

Further investigating security incidents.

42
Q

If a SOC has a goal of 99.99% uptime, how many minutes of downtime a year would be considered within its goal?

A

52.26

43
Q

Which organization offers the vendor-neutral CySA+ certification?

A

CompTIA

44
Q

In the operation of a SOC, which system is frequently used to let an analyst select alerts from a pool to investigate?

A

Ticketing System

45
Q

In the operation of a SOC, which system is frequently used to let an analyst select alerts from a pool to investigate?

A

Collecting and filtering data

46
Q

Which three technologies should be included in a security information and event management system in a SOC? (Choose three.)

A

Vulnerability tracking
Security monitoring
Threat intelligence