Security Operations Center: Building, Operating, and Maintaining your SOC

Book Description

This is the Rough Cut version of the printed book.

Security Operations Center

Building, Operating, and Maintaining Your SOC

The complete, practical guide to planning, building, and operating an effective Security Operations Center (SOC)


Security Operations Center is the complete guide to building, operating, and managing Security Operations Centers in any environment. Drawing on experience with hundreds of customers ranging from Fortune 500 enterprises to large military organizations, three leading experts thoroughly review each SOC model, including virtual SOCs. You’ll learn how to select the right strategic option for your organization, and then plan and execute the strategy you’ve chosen.


Security Operations Center walks you through every phase required to establish and run an effective SOC, including all significant people, process, and technology capabilities. The authors assess SOC technologies, strategy, infrastructure, governance, planning, implementation, and more. They take a holistic approach considering various commercial and open-source tools found in modern SOCs.

This best-practice guide is written for anybody interested in learning how to develop, manage, or improve a SOC. A background in network security, management, and operations will be helpful but is not required. It is also an indispensable resource for anyone preparing for the Cisco SCYBER exam.

· Review high-level issues, such as vulnerability and risk management, threat intelligence, digital investigation, and data collection/analysis
· Understand the technical components of a modern SOC
· Assess the current state of your SOC and identify areas of improvement
· Plan SOC strategy, mission, functions, and services
· Design and build out SOC infrastructure, from facilities and networks to systems, storage, and physical security
· Collect and successfully analyze security data
· Establish an effective vulnerability management practice
· Organize incident response teams and measure their performance
· Define an optimal governance and staffing model
· Develop a practical SOC handbook that people can actually use
· Prepare the SOC to go live, with comprehensive transition plans
· React quickly and collaboratively to security incidents
· Implement best-practice security operations, including continuous enhancement and improvement


Table of Contents

  1. About This E-Book
  2. Title Page
  3. Copyright Page
  4. About the Authors
  5. About the Technical Reviewers
  6. Dedications
  7. Acknowledgments
  8. Contents at a Glance
  9. Contents
  10. Command Syntax Conventions
  11. Introduction
    1. Who Should Read This Book?
    2. How This Book Is Organized
  12. Part I: SOC Basics
    1. Chapter 1. Introduction to Security Operations and the SOC
      1. Cybersecurity Challenges
        1. Threat Landscape
        2. Business Challenges
      2. Introduction to Information Assurance
      3. Introduction to Risk Management
      4. Information Security Incident Response
        1. Incident Detection
        2. Incident Triage
        3. Incident Resolution
        4. Incident Closure
        5. Post-Incident
      5. SOC Generations
        1. First-Generation SOC
        2. Second-Generation SOC
        3. Third-Generation SOC
        4. Fourth-Generation SOC
      6. Characteristics of an Effective SOC
      7. Introduction to Maturity Models
      8. Applying Maturity Models to SOC
      9. Phases of Building a SOC
      10. Challenges and Obstacles
      11. Summary
      12. References
    2. Chapter 2. Overview of SOC Technologies
      1. Data Collection and Analysis
        1. Data Sources
        2. Data Collection
        3. Parsing and Normalization
        4. Security Analysis
      2. Vulnerability Management
        1. Vulnerability Announcements
      3. Threat Intelligence
      4. Compliance
      5. Ticketing and Case Management
      6. Collaboration
      7. SOC Conceptual Architecture
      8. Summary
      9. References
  13. Part II: The Plan Phase
    1. Chapter 3. Assessing Security Operations Capabilities
      1. Assessment Methodology
        1. Step 1: Identify Business and IT Goals
        2. Step 2: Assessing Capabilities
        3. Step 3: Collect Information
        4. Step 4: Analyze Maturity Levels
        5. Step 5: Formalize Findings
      2. Summary
      3. References
    2. Chapter 4. SOC Strategy
      1. Strategy Elements
        1. Who Is Involved?
        2. SOC Mission
        3. SOC Scope
        4. Example 1: A Military Organization
        5. Example 2: A Financial Organization
      2. SOC Model of Operation
        1. In-House and Virtual SOC
      3. SOC Services
      4. SOC Capabilities Roadmap
      5. Summary
  14. Part III: The Design Phase
    1. Chapter 5. The SOC Infrastructure
      1. Design Considerations
      2. Model of Operation
      3. Facilities
        1. SOC Internal Layout
        2. Physical Security
        3. Video Wall
        4. SOC Analyst Services
      4. Active Infrastructure
        1. Network
        2. Security
        3. Compute
        4. Storage
        5. Collaboration
      5. Summary
      6. References
    2. Chapter 6. Security Event Generation and Collection
      1. Data Collection
        1. Calculating EPS
        2. Network Time Protocol
        3. Data-Collection Tools
        4. Firewalls
      2. Cloud Security
        1. Cisco Meraki
        2. Virtual Firewalls
      3. Intrusion Detection and Prevention Systems
        1. Cisco FirePOWER IPS
        2. Meraki IPS
        3. Snort
        4. Host-Based Intrusion Prevention
      4. Routers and Switches
      5. Host Systems
      6. Mobile Devices
      7. Breach Detection
        1. Cisco Advanced Malware Prevention
        2. Web Proxies
        3. Cloud Proxies
      8. DNS Servers
        1. Exporting DNS
      9. Network Telemetry with Network Flow Monitoring
        1. NetFlow Tools
        2. NetFlow from Routers and Switches
        3. NetFlow from Security Products
        4. NetFlow in the Data Center
      10. Summary
      11. References
    3. Chapter 7. Vulnerability Management
      1. Identifying Vulnerabilities
      2. Security Services
      3. Vulnerability Tools
      4. Handling Vulnerabilities
        1. OWASP Risk Rating Methodology
        2. The Vulnerability Management Lifecycle
      5. Automating Vulnerability Management
        1. Inventory Assessment Tools
        2. Information Management Tools
        3. Risk-Assessment Tools
        4. Vulnerability-Assessment Tools
        5. Report and Remediate Tools
        6. Responding Tools
      6. Threat Intelligence
        1. Attack Signatures
        2. Threat Feeds
        3. Other Threat Intelligence Sources
      7. Summary
      8. References
    4. Chapter 8. People and Processes
      1. Key Challenges
        1. Wanted: Rock Stars, Leaders, and Grunts
        2. The Weight of Process
        3. The Upper and Lower Bounds of Technology
      2. Designing and Building the SOC Team
        1. Starting with the Mission
        2. Focusing on Services
        3. Determining the Required SOC Roles
        4. Working with HR
        5. Deciding on Your Resourcing Strategy
      3. Working with Processes and Procedures
        1. Processes Versus Procedures
        2. Working with Enterprise Service Management Processes
        3. The Positives and Perils of Process
        4. Examples of SOC Processes and Procedures
      4. Summary
  15. Part IV: The Build Phase
    1. Chapter 9. The Technology
      1. In-House Versus Virtual SOC
      2. Network
        1. Segmentation
        2. VPN
        3. High Availability
        4. Support Contracts
      3. Security
        1. Network Access Control
        2. Authentication
        3. On-Network Security
        4. Encryption
      4. Systems
        1. Operating Systems
        2. Hardening Endpoints
        3. Endpoint Breach Detection
        4. Mobile Devices
        5. Servers
      5. Storage
        1. Data-Loss Protection
        2. Cloud Storage
      6. Collaboration
        1. Collaboration for Pandemic Events
      7. Technologies to Consider During SOC Design
        1. Firewalls
        2. Routers and Switches
        3. Network Access Control
        4. Web Proxies
        5. Intrusion Detection/Prevention
      8. Breach Detection
        1. Honeypots
        2. Sandboxes
        3. Endpoint Breach Detection
        4. Network Telemetry
        5. Network Forensics
      9. Final SOC Architecture
      10. Summary
      11. References
    2. Chapter 10. Preparing to Operate
      1. Key Challenges
        1. People Challenges
        2. Process Challenges
        3. Technology Challenges
      2. Managing Challenges Through a Well-Managed Transition
        1. Elements of an Effective Service Transition Plan
        2. Determining Success Criteria and Managing to Success
        3. Managing Project Resources Effectively
        4. Marching to Clear and Attainable Requirements
        5. Using Simple Checks to Verify That the SOC Is Ready
      3. Summary
  16. Part V: The Operate Phase
    1. Chapter 11. Reacting to Events and Incidents
      1. A Word About Events
      2. Event Intake, Enrichment, Monitoring, and Handling
        1. Events in the SIEM
        2. Events in the Security Log Management Solution
        3. Events in Their Original Habitats
        4. Events Through Communications and Collaboration Platforms
        5. Working with Events: The Malware Scenario
        6. Handling and Investigating the Incident Report
        7. Creating and Managing Cases
      3. Closing and Reporting on the Case
      4. Summary
    2. Chapter 12. Maintain, Review, and Improve
      1. Reviewing and Assessing the SOC
        1. Determining Scope
        2. Scheduled and Ad Hoc Reviews
        3. Internal Versus External Assessments
        4. Assessment Methodologies
      2. Maintaining and Improving the SOC
        1. Maintaining and Improving Services
        2. Maintaining and Improving Your Team
        3. Maintaining and Improving the SOC Technology Stack
      3. Conclusions
  17. Index
  18. Code Snippets