Unit 2 Modern Security Operations Center Flashcards
Tier 1 Alert Analyst
These professionals monitor incoming alerts, verify that a true incident has occurred, and forward tickets to Tier 2, if necessary.
Tier 2 Incident Responder
- These professionals are responsible for deep investigation of incidents and advise remediation or action to be taken.
Tier 3 Threat Hunter
– These professionals have expert-level skill in network, endpoint, threat intelligence, and malware reverse engineering. They are experts at tracing the processes of the malware to determine its impact and how it can be removed. They are also deeply involved in hunting for potential threats and implementing threat detection tools. Threat hunters search for cyber threats that are present in the network but have not yet been detected.
SOC Manager
– This professional manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.
How can SOC be implemented?
SOCs provide a broad range of services, from monitoring and management, to comprehensive threat solutions and hosted security that can be customized to meet customer needs. SOCs can be wholly in-house, owned and operated by a business, or elements of a SOC can be contracted out to security vendors, such as Cisco’s Managed Security Services.
What is SIEM?
A SOC needs a security information and event management system (SIEM), or its equivalent. SIEM makes sense of all the data that firewalls, network appliances, intrusion detection systems, and other devices generate.
SIEM systems are used for collecting and filtering data, detecting and classifying threats, and analyzing and investigating threats
SIEM systems may also manage resources to implement preventive measures and address future threats. SOC technologies include what processes (7)?
Event collection, correlation, and analysis Security monitoring Security control Log management Vulnerability assessment Vulnerability tracking Threat intelligence
What are some of the processes/events that the SOC Monitoring System filters/evaluates?
Network traffic Network Flows System Logs Endpoint Data Intel Threat Feeds Security Events Identify Asset Context
Filtered through SIEM - Security information and event management.
What does SOAR stand for?
SOAR - Security orchestration, automation and response.
T/F
It is estimated that 15% of organizations with a security team of larger than five people will utilize SOAR by the end of 2020.
SOAR platforms are similar to SIEMs in that they aggregate, correlate, and analyze alerts.
True.
SOAR Orchestration
Creates a customized platform that integrates and coordinates numerous security tools and resources.
SOAR - Automation
Executes security processes with a minimum amount of human intervention. Helps address the shortage in cybersecurity analyst talent and increases efficiency.
SOAR - Response
Prescribes and executes security procedures to be followed in response to security events. Can be in the form of a security runbooks that consist of rule-based automated responses that were created to address specific types of events.
T/F
SOAR emphasizes integration tools and automation of SOC workflows
True.
SOAR emphasizes integration tools and automation of SOC workflows. It orchestrates many manual processes such as investigation of security alerts only requiring human intervention when necessary. This frees security personnel to address more pressing matters and high-end investigation and threat remediation. The future adoption of sophisticated SOAR platforms will remake SOC operations and job roles.
SOAR security platforms performs or provides/includes?
1- Gather alarm data from each component of the system.
2- Provide tools that enable cases to be researched, assessed, and investigated.
3- Emphasize integration as a means of automating complex incident response workflows that enable more rapid response and adaptive defense strategies.
4- Include pre-defined playbooks that enable automatic response to specific threats. Playbooks can be initiated automatically based on predefined rules or may be triggered by security personnel.
T/F
SecOps teams can easily investigate threats/alerts because SIEM produce a minimal amount of alerts.
False
SIEM systems produce more alerts than most SecOps teams can realistically investigate in order to conservatively capture as many potential exploits as possible. SOAR will process many of these alerts automatically and will enable security personnel to focus on more complex and potentially damaging exploits.
Differences and similarities between SIEM and SOAR?
SOAR platforms are similar to SIEMs in that they aggregate, correlate, and analyze alerts. However, SOAR technology goes a step further by integrating threat intelligence and automating incident investigation and response workflows based on playbooks developed by the security team.
What is KPI and what does it stand for?
Many metrics, or key performance indicators (KPI) can be devised to measure different specific aspects of SOC performance.
Five common measured KPI’s
- Dwell Time – the length of time that threat actors have access to a network before they are detected, and their access is stopped.
- Mean Time to Detect (MTTD) – the average time that it takes for the SOC personnel to identify valid security incidents have occurred in the network.
- Mean Time to Respond (MTTR) – the average time that it takes to stop and remediate a security incident.
- Mean Time to Contain (MTTC) – the time required to stop the incident from causing further damage to systems or data.
- Time to Control – the time required to stop the spread of malware in the network.
What is the tolerance of network downtime?
That tolerance is usually based upon a comparison of the cost of the downtime in relation to the cost of ensuring against downtime. For example, in a small retail business with only one location, it may be tolerable to have a router as a single point of failure. However, if a large portion of that business’s sales are from online shoppers, then the owner may decide to provide a level of redundancy to ensure that a connection is always available.
Availability vs 9’s downtime explained.
Preferred uptime is often measured in the number of down minutes in a year, as shown in the table.
- 8% - 17.52 hours
- 9% (“three nines”) - 8.76 hours
- 99% (“ four nines” ) - 52.56 minutes
- 999% (“five nines”) - 5.256 minutes
- 9999% (“six nines“ ) - 31.56 seconds
- 99999% (“seven nines“ ) - 3.16 seconds
Which SOC job role manages all the resources of the SOC and serves as a point of contact for the larger organization or customer?
A. SME Threat hunter
B. SOC Manager
C. Cyber Security Analyst
D. Incident responder
B. SOC Manager
Which SOC job role processes security alerts and forwards tickets to Tier 2 if necessary?
A. SME Threat hunter
B. SOC Manager
C. Cyber Security Analyst
D. Incident responder
C. Cyber Security Analyst
Which SOC job role is responsible for deep investigation of incidents?
A. SME Threat hunter
B. SOC Manager
C. Cyber Security Analyst
D. Incident responder
D. Incident responder
Which device integrates security information and event management into a single platform?
A. SIEM
B. SOAR
C. Threat Hunter
A. SIEM
Which device integrates orchestration tools and resources to automatically respond to security events?
A. SIEM
B. SOAR
C. Threat Hunter
B. SOAR
Major elements of the SOC include people, processes, and technologies. Job roles are rapidly evolving and include tiers based on expertise and experience. What are these tiers?
These roles include a Tier 1 Alert Analyst, a Tier 2 Incident Responder, a Tier 3 Threat hunter, and an SOC Manager. A Tier 1 Analyst will monitor incidents, open tickets, and perform basic threat mitigation.
(MTTD)
Mean Time to Detect – the average time that it takes for the SOC personnel to identify valid security incidents have occurred in the network. key performance indicators (KPI)
(MTTR)
Mean Time to Respond – the average time that it takes to stop and remediate a security incident. key performance indicators (KPI)
(MTTC)
Mean Time to Contain - the time required to stop the incident from causing further damage to systems or data. key performance indicators (KPI)
Dwell Time
The length of time that threat actors have access to a network before they are detected, and their access is stopped. key performance indicators (KPI)
Time to Control
Time to Control – the time required to stop the spread of malware in the network. key performance indicators (KPI)
Types of Cyber Security Certifications.
A variety of cybersecurity certifications that are relevant to careers in SOCs are available from different organizations. They include Cisco Certified CyberOps Associate, CompTIA Cybersecurity Analyst Certification, (ISC)2 Information Security Certifications, Global Information Assurance Certification (GIAC)
Which personnel in a SOC is assigned the task of verifying whether an alert triggered by monitoring software represents a true security incident?
Tier 1 personnel
After a security incident is verified in a SOC, an incident responder reviews the incident but cannot identify the source of the incident and form an effective mitigation procedure. To whom should the incident ticket be escalated?
An SME for further investigation
Which two services are provided by security operations centers?
Managing comprehensive threat solutions.
Monitoring networking security threats.
Which metric is used in SOCs to evaluate the average time that it takes to identify that valid security incidents have occurred in the network?
MTTD
Which KPI metric does SOAR use to measure the length of time that threat actors have access to a network before they are detected and the access of the threat actors stopped?
Dwell Time
What is the role of SIEM?
Analyze data that firewalls, network appliances, intrusion detection systems, and other devices generate and institute preventative measures.
What is a characteristic of the SOAR security platform?
To include predefined playbooks that enable automatic responses to specific threats.
A network security professional has applied for a Tier 2 position in a SOC. What is a typical job function that would be assigned to a new employee?
Further investigating security incidents.
If a SOC has a goal of 99.99% uptime, how many minutes of downtime a year would be considered within its goal?
52.26
Which organization offers the vendor-neutral CySA+ certification?
CompTIA
In the operation of a SOC, which system is frequently used to let an analyst select alerts from a pool to investigate?
Ticketing System
In the operation of a SOC, which system is frequently used to let an analyst select alerts from a pool to investigate?
Collecting and filtering data
Which three technologies should be included in a security information and event management system in a SOC? (Choose three.)
Vulnerability tracking
Security monitoring
Threat intelligence
