This is the definitive, vendor-neutral guide to building, maintaining, and operating a modern Security Operations Center (SOC). Written by three leading security and networking experts, it brings together all the technical knowledge professionals need to deliver the right mix of security services to their organizations. The authors introduce the SOC as a service provider, and show how to use your SOC to integrate and transform existing security practices, making them far more effective. Writing for security and network professionals, managers, and other stakeholders, the authors cover:

- How SOCs have evolved, and today's key considerations in deploying them
- Key services SOCs can deliver, including organizational risk management, threat modeling, vulnerability assessment, incident response, investigation, forensics, and compliance
- People and process issues, including training, career development, job rotation, and hiring
- Centralizing and managing security data more effectively
- Threat intelligence and threat hunting
- Incident response, recovery, and vulnerability management
- Using data orchestration and playbooks to automate and control the response to any situation
- Advanced tools, including SIEM 2.0
- The future of SOCs, including AI-assisted SOCs, machine learning, and training models

Note: This book's lead author, Joseph Muñiz, was also lead author of Security Operations Center: Building, Operating, and Maintaining your SOC (Cisco Press). The Modern Security Operations Center is an entirely new and fully vendor-neutral book.
Joseph Muniz is an architect and security researcher in the Cisco Security Sales and Engineering Organization. He is driven by making the world a safer place through education and adversary research. Joseph has extensive experience in designing security solutions and architectures as a trusted advisor for top Fortune 500 corporations and the U.S. government. Joseph is a researcher and industry thought leader. He speaks regularly at international conferences, writes for technical magazines, and is involved in developing training for various industry certifications. He invented the fictitious character Emily Williams to raise awareness of social engineering. Joseph runs The Security Blogger website, a popular resource for security and product implementation. He is the author of, and a contributor to, several publications, with titles ranging from security best practices to exploitation tactics. When Joseph is not using technology, you can find him on the fútbol (soccer) field or raising the next generation of hackers, also known as his children. Follow Joseph at https://www.thesecurityblogger.com and @SecureBlogger.
Preface

Chapter 1: Introducing Security Operations and the SOC
Introducing the SOC; Factors Leading to a Dysfunctional SOC; Cyberthreats; Investing in Security; The Impact of a Breach; Establishing a Baseline; The Impact of Change; Fundamental Security Capabilities; Signature Detection; Behavior Detection; Anomaly Detection; Best of Breed vs. Defense in Depth; Standards, Guidelines, and Frameworks; NIST Cybersecurity Framework; ISO 3100:2018; FIRST Service Frameworks; Applying Frameworks; Industry Threat Models; The Cyber Kill Chain Model; The Diamond Model; MITRE ATT&CK Model; Choosing a Threat Model; Vulnerabilities and Risk; Endless Vulnerabilities; Business Challenges; In-House vs. Outsourcing; Services Advantages; Services Disadvantages; Hybrid Services; SOC Services; SOC Maturity Models; SOC Maturity Assessment; SOC Program Maturity; SOC Goals Assessment; Defining Goals; SOC Goals; Ranking Threats; Ranking SOC Goals; Assessment Summarized; SOC Capabilities Assessment; Capability Maps; SOC Capabilities Gaps Analysis; Capability Map Next Steps; SOC Development Milestones; Summary; References

Chapter 2: Developing a Security Operations Center
Mission Statement and Scope Statement; Developing Mission and Scope Statements; SOC Scope Statement; Developing a SOC; SOC Procedures; Designing Procedures; Security Tools; Evaluating Vulnerabilities; Preventive Technologies; Detection Technologies; Mobile Device Security Concerns; Planning a SOC; Capacity Planning; Developing a Capacity Plan; Designing a SOC Facility; Physical SOC vs. Virtual SOC; SOC Location; SOC Interior; SOC Rooms; SOC Computer Rooms; SOC Layouts; Network Considerations; Segmentation; Logical Segmentation; Choosing Segmentation; Client/Server Segmentation; Active Directory Segmentation; Throughput; Connectivity and Redundancy; Disaster Recovery; Security Considerations; Policy and Compliance; Network Access Control; Encryption; Internal Security Tools; Intrusion Detection and Prevention; Network Flow and Capturing Packets; Change Management; Host Systems; Guidelines and Recommendations for Securing Your SOC Network; Tool Collaboration; SOC Tools; Reporting and Dashboards; Throughput and Storage; Centralized Data Management; Summary; References

Chapter 3: SOC Services
Fundamental SOC Services; SOC Challenges; The Three Pillars of Foundational SOC Support Services; Pillar 1: Work Environment; Pillar 2: People; Pillar 3: Technology; Evaluating the Three Pillars of Foundational SOC Support Services; SOC Service Areas; FIRST's CSIRT; Developing SOC Service Areas; In-House Services vs. External Services; Contracted vs. Employee Job Roles; SOC Service Job Goals; Resource Planning; Service Maturity: If You Build It, They Will Come; SOC Service 1: Risk Management; Four Responses to Risk; Reducing Risk; Addressing Risk; SOC Service 2: Vulnerability Management; Vulnerability Management Best Practice; Vulnerability Scanning Tools; Penetration Testing; SOC Service 3: Compliance; Meeting Compliance with Audits; SOC Service 4: Incident Management; NIST Special Publication 800-61 Revision 2; Incident Response Planning; Incident Impact; Playbooks; SOC Service 5: Analysis; Static Analysis; Dynamic Analysis; SOC Service 6: Digital Forensics; SOC Service 7: Situational and Security Awareness; User Training; SOC Service 8: Research and Development; Summary; References

Chapter 4: People and Process
Career vs. Job; Developing Job Roles; General Schedule Pay Scale; IT Industry Job Roles; Common IT Job Roles; SOC Job Roles; Security Analyst; Penetration Tester; Assessment Officer; Incident Responder; Systems Analyst; Security Administrator; Security Engineer; Security Trainer; Security Architect; Cryptographer/Cryptologist; Forensic Engineer; Chief Information Security Officer; NICE Cybersecurity Workforce Framework; NICE Framework Components; Role Tiers; SOC Services and Associated Job Roles; Risk Management Service; Vulnerability Management Service; Incident Management Service; Analysis Service; Compliance Service; Digital Forensics Service; Situational and Security Awareness Service; Research and Development Service; Soft Skills; Evaluating Soft Skills; SOC Soft Skills; Security Clearance Requirements; Pre-Interviewing; Interviewing; Interview Prompter; Post Interview; Onboarding Employees; Onboarding Requirements; Managing People; Job Retention; Training; Training Methods; Certifications; Company Culture; Summary; References

Chapter 5: Centralizing Data
Data in the SOC; Strategic and Tactical Data; Data Structure; Data Types; Data Context; Data-Focused Assessment; Data Assessment Example: Antivirus; Threat Mapping Data; Applying Data Assessments to SOC Services; Logs; Log Types; Log Formats; Security Information and Event Management; SIEM Data Processing; Data Correlation; Data Enrichment; SIEM Solution Planning; SIEM Tuning; Troubleshooting SIEM Logging; SIEM Troubleshooting Part 1: Data Input; SIEM Troubleshooting Part 2: Data Processing and Validation; SIEM Troubleshooting Examples; Additional SIEM Features; APIs; Leveraging APIs; API Architectures; API Examples; Big Data; Hadoop; Big Data Threat Feeds; Machine Learning; Machine Learning in Cybersecurity; Artificial Intelligence; Machine Learning Models; Summary; References

Chapter 6: Reducing Risk and Exceeding Compliance
Why Exceeding Compliance; Policies; Policy Overview; Policy Purpose; Policy Scope; Policy Statement; Policy Compliance; Related Standards, Policies, Guidelines, and Processes; Definitions and Terms; History; Launching a New Policy; Steps for Launching a New Policy; Policy Enforcement; Certification and Accreditation; Procedures; Procedure Document; Tabletop Exercise; Tabletop Exercise Options; Tabletop Exercise Execution; Tabletop Exercise Format; Tabletop Exercise Template Example; Standards, Guidelines, and Frameworks; NIST Cybersecurity Framework; ISO/IEC 27005; CIS Controls; ISACA COBIT 2019; FIRST CSIRT Services Framework; Exceeding Compliance; Audits; Audit Example; Internal Audits; External Auditors; Audit Tools; Assessments; Assessment Types; Assessment Results; Assessment Template; Vulnerability Scanners; Assessment Program Weaknesses; Penetration Test; NIST Special Publication 800-115; Additional NIST SP 800-115 Guidance; Penetration Testing Types; Penetration Testing Planning; Industry Compliance; Compliance Requirements; Summary; References

Chapter 7: Threat Intelligence
Threat Intelligence Overview; Threat Data; Threat Intelligence Categories; Strategic Threat Intelligence; Tactical Threat Intelligence; Operational Threat Intelligence; Technical Threat Intelligence; Threat Intelligence Context; Threat Context; Evaluating Threat Intelligence; Threat Intelligence Checklist; Content Quality; Testing Threat Intelligence; Planning a Threat Intelligence Project; Data Expectations for Strategic Threat Intelligence; Data Expectations for Tactical Threat Intelligence; Data Expectations for Operational Threat Intelligence; Data Expectations for Technical Threat Intelligence; Collecting and Processing Intelligence; Processing Nontechnical Data; Operational Data and Web Processing; Technical Processing; Technical Threat Intelligence Resources; Actionable Intelligence; Security Tools and Threat Intelligence; Feedback; Summary; References

Chapter 8: Threat Hunting and Incident Response
Security Incidents; Incident Response Lifecycle; Phase 1: Preparation; Assigning Tasks with Playbooks; Communication; Third-Party Interaction; Law Enforcement; Law Enforcement Risk; Ticketing Systems; Other Incident Response Planning Templates; Phase 1: Preparation Summary; Phase 2: Detection and Analysis; Incident Detection; Core Security Capabilities; Threat Analysis; Detecting Malware Behavior; Infected Systems; Analyzing Artifacts; Identifying Artifact Types; Packing Files; Basic Static Analysis; Advanced Static Analysis; Dynamic Analysis; Phase 2: Detection and Analysis Summary; Phase 3: Containment, Eradication, and Recovery; Containment; Responding to Malware; Threat Hunting Techniques; Eradicate; Recovery; Digital Forensics; Digital Forensic Process; First Responder; Chain of Custody; Working with Evidence; Duplicating Evidence; Hashes; Forensic Static Analysis; Recovering Data; Forensic Dynamic Analysis; Digital Forensics Summary; Phase 3: Containment, Eradication, and Recovery Summary; Phase 4: Post-Incident Activity; Post-Incident Response Process; Phase 4: Post-Incident Response Summary; Incident Response Guidelines; FIRST Services Frameworks; Summary; References

Chapter 9: Vulnerability Management
Vulnerability Management; Phase 1: Asset Inventory; Phase 2: Information Management; Phase 3: Risk Assessment; Phase 4: Vulnerability Assessment; Phase 5: Report and Remediate; Phase 6: Respond and Repeat; Measuring Vulnerabilities; Common Vulnerabilities and Exposures; Common Vulnerability Scoring System; CVSS Standards; Vulnerability Technology; Vulnerability Scanners; Currency and Coverage; Tuning Vulnerability Scanners; Exploitation Tools; Asset Management and Compliance Tools; Network Scanners and Network Access Control; Threat Detection Tools; Vulnerability Management Service; Scanning Services; Vulnerability Management Service Roles; Vulnerability Evaluation Procedures; Vulnerability Response; Vulnerability Accuracy; Responding to Vulnerabilities; Cyber Insurance; Patching Systems; Residual Risk; Remediation Approval; Reporting Exceptions; Vulnerability Management Process Summarized; Summary; References

Chapter 10: Data Orchestration
Introduction to Data Orchestration; Comparing SIEM and SOAR; The Rise of XDR; Security Orchestration, Automation, and Response; SOAR Example: Phantom; Endpoint Detection and Response; EDR Example: CrowdStrike; Playbooks; Playbook Components; Constructing Playbooks; Incident Response Consortium; Playbook Examples: Malware Outbreak; Automation; Automating Playbooks; Common Targets for Automation; Automation Pitfalls; Playbook Workflow; DevOps; Programming; Data Management; Text-File Formats; Common Data Formats; Data Modeling; DevOps Tools; DevOps Targets; Manual DevOps; Automated DevOps; DevOps Lab; Using Ansible; Ansible Playbooks; Blueprinting with Osquery; Running Osquery; Network Programmability; Learning NetDevOps; APIs; NetDevOps Example; Cloud Programmability; Orchestration in the Cloud; Amazon DevOps; SaaS DevOps; Summary; References

Chapter 11: Future of the SOC
All Eyes on SD-WAN and SASE; VoIP Adoption As Prologue to SD-WAN Adoption; Introduction of SD-WAN; Challenges with the Traditional WAN; SD-WAN to the Rescue; SASE Solves SD-WAN Problems; SASE Defined; Future of SASE; IT Services Provided by the SOC; IT Operations Defined; Hacking IT Services; IT Services Evolving; Future of IT Services; Future of Training; Training Challenges; Training Today; Case Study: Training I Use Today; Free Training; Gamifying Learning; On-Demand and Personalized Learning; Future of Training; Full Automation with Machine Learning; Machine Learning; Machine Learning Hurdles; Machine Learning Applied; Training Machine Learning; Future of Machine Learning; Future of Your SOC: Bringing It All Together; Your Future Facilities and Capabilities; Group Tags; Your Future SOC Staff; Audits, Assessments, and Penetration Testing; Future Impact to Your Services; Hunting for Tomorrow's Threats; Summary; References

ISBN 9780135619858, table of contents dated 3/24/2021