Joseph Muniz
Pearson Education
e druk, 2021
9780135619902
The Modern Security Operations Center
Specificaties
E-book, blz.
|
Engels
Pearson Education |
e druk, 2021
ISBN13: 9780135619902
Rubricering
Verwachte levertijd ongeveer 9 werkdagen
Samenvatting
The Industry Standard, Vendor-Neutral Guide to Managing SOCs and Delivering SOC Services
This completely new, vendor-neutral guide brings together all the knowledge you need to build, maintain, and operate a modern Security Operations Center (SOC) and deliver security services as efficiently and cost-effectively as possible.
Leading security architect Joseph Muniz helps you assess current capabilities, align your SOC to your business, and plan a new SOC or evolve an existing one. He covers people, process, and technology; explores each key service handled by mature SOCs; and offers expert guidance for managing risk, vulnerabilities, and compliance. Throughout, hands-on examples show how advanced red and blue teams execute and defend against real-world exploits using tools like Kali Linux and Ansible. Muniz concludes by previewing the future of SOCs, including Secure Access Service Edge (SASE) cloud technologies and increasingly sophisticated automation.
This guide will be indispensable for everyone responsible for delivering security services—managers and cybersecurity professionals alike.
* Address core business and operational requirements, including sponsorship, management, policies, procedures, workspaces, staffing, and technology
* Identify, recruit, interview, onboard, and grow an outstanding SOC team
* Thoughtfully decide what to outsource and what to insource
* Collect, centralize, and use both internal data and external threat intelligence
* Quickly and efficiently hunt threats, respond to incidents, and investigate artifacts
* Reduce future risk by improving incident recovery and vulnerability management
* Apply orchestration and automation effectively, without just throwing money at them
* Position yourself today for emerging SOC technologies
Specificaties
Inhoudsopgave
Preface <br> Chapter 1: Introducing Security Operations and the SOC <br>Introducing the SOC <br>Factors Leading to a Dysfunctional SOC <br>Cyberthreats <br>Investing in Security <br>The Impact of a Breach <br>Establishing a Baseline <br> The Impact of Change <br>Fundamental Security Capabilities <br> Signature Detection <br> Behavior Detection <br> Anomaly Detection <br> Best of Breed vs. Defense in Depth <br>Standards, Guidelines, and Frameworks <br> NIST Cybersecurity Framework <br> ISO 3100:2018 <br> FIRST Service Frameworks <br> Applying Frameworks <br>Industry Threat Models <br> The Cyber Kill Chain Model <br> The Diamond Model <br> MITRE ATT&CK Model <br> Choosing a Threat Model <br>Vulnerabilities and Risk <br> Endless Vulnerabilities <br>Business Challenges <br>In-House vs. Outsourcing <br> Services Advantages <br> Services Disadvantages <br> Hybrid Services <br>SOC Services <br>SOC Maturity Models <br> SOC Maturity Assessment <br> SOC Program Maturity <br>SOC Goals Assessment <br> Defining Goals <br> SOC Goals Ranking <br> Threats Ranking <br> SOC Goals Assessment Summarized <br>SOC Capabilities Assessment <br> Capability Maps <br> SOC Capabilities Gaps Analysis <br> Capability Map Next Steps <br>SOC Development Milestones <br>Summary <br>References <br> Chapter 2: Developing a Security Operations Center <br>Mission Statement and Scope Statement <br> Developing Mission and Scope Statements <br> SOC Scope Statement <br>Developing a SOC <br>SOC Procedures <br> Designing Procedures <br>Security Tools <br> Evaluating Vulnerabilities <br> Preventive Technologies <br> Detection Technologies <br> Mobile Device Security Concerns <br>Planning a SOC <br> Capacity Planning <br> Developing a Capacity Plan <br>Designing a SOC Facility <br> Physical SOC vs. Virtual SOC <br> SOC Location <br> SOC Interior <br> SOC Rooms <br> SOC Computer Rooms <br> SOC Layouts <br>Network Considerations <br> Segmentation <br> Logical Segmentation <br> Choosing Segmentation <br> Client/Server Segmentation <br> Active Directory Segmentation <br> Throughput <br> Connectivity and Redundancy <br>Disaster Recovery <br>Security Considerations <br> Policy and Compliance <br> Network Access Control <br> Encryption <br>Internal Security Tools <br> Intrusion Detection and Prevention <br> Network Flow and Capturing Packets <br> Change Management <br> Host Systems <br>Guidelines and Recommendations for Securing Your SOC Network <br> Tool Collaboration <br>SOC Tools <br> Reporting and Dashboards <br> Throughput and Storage <br> Centralized Data Management <br>Summary <br>References <br> Chapter 3: SOC Services <br>Fundamental SOC Services <br> SOC Challenges <br>The Three Pillars of Foundational SOC Support Services <br> Pillar 1: Work Environment <br> Pillar 2: People <br> Pillar 3: Technology <br> Evaluating the Three Pillars of Foundational SOC Support Services <br>SOC Service Areas <br> FIRST’s CSIRT <br> Developing SOC Service Areas <br> In-House Services vs. External Services <br> Contracted vs. Employee Job Roles <br>SOC Service Job Goals <br> Resource Planning <br>Service Maturity: If You Build It, They Will Come <br>SOC Service 1: Risk Management <br> Four Responses to Risk <br> Reducing Risk <br> Addressing Risk <br>SOC Service 2: Vulnerability Management <br> Vulnerability Management Best Practice <br> Vulnerability Scanning Tools <br> Penetration Testing <br>SOC Service 3: Compliance <br> Meeting Compliance with Audits <br>SOC Service 4: Incident Management <br> NIST Special Publication 800-61 Revision 2 <br> Incident Response Planning <br> Incident Impact <br> Playbooks <br>SOC Service 5: Analysis <br> Static Analysis <br> Dynamic Analysis <br>SOC Service 6: Digital Forensics <br>SOC Service 7: Situational and Security Awareness <br> User Training <br>SOC Service 8: Research and Development <br>Summary <br>References <br> Chapter 4: People and Process <br>Career vs. Job <br>Developing Job Roles <br> General Schedule Pay Scale <br> IT Industry Job Roles <br> Common IT Job Roles <br>SOC Job Roles <br> Security Analyst <br> Penetration Tester <br> Assessment Officer <br> Incident Responder <br> Systems Analyst <br> Security Administrator <br> Security Engineer <br> Security Trainer <br> Security Architect <br> Cryptographer/Cryptologist <br> Forensic Engineer <br> Chief Information Security Officer <br>NICE Cybersecurity Workforce Framework <br> Nice Framework Components <br>Role Tiers <br>SOC Services and Associated Job Roles <br> Risk Management Service <br> Vulnerability Management Service <br> Incident Management Service <br> Analysis Service <br> Compliance Service <br> Digital Forensics Service <br> Situational and Security Awareness Service <br> Research and Development Service <br>Soft Skills <br> Evaluating Soft Skills <br> SOC Soft Skills <br>Security Clearance Requirements <br>Pre-Interviewing <br>Interviewing <br> Interview Prompter <br> Post Interview <br>Onboarding Employees <br> Onboarding Requirements <br>Managing People <br>Job Retention <br>Training <br> Training Methods <br>Certifications <br>Company Culture <br>Summary <br>References <br> Chapter 5: Centralizing Data <br>Data in the SOC <br> Strategic and Tactical Data <br> Data Structure <br> Data Types <br> Data Context <br>Data-Focused Assessment <br> Data Assessment Example: Antivirus <br> Threat Mapping Data <br> Applying Data Assessments to SOC Services <br>Logs <br> Log Types <br> Log Formats <br>Security Information and Event Management <br> SIEM Data Processing <br> Data Correlation <br> Data Enrichment <br> SIEM Solution Planning <br> SIEM Tuning <br>Troubleshooting SIEM Logging <br> SIEM Troubleshooting Part 1: Data Input <br> SIEM Troubleshooting Part 2: Data Processing and Validation <br> SIEM Troubleshooting Examples <br> Additional SIEM Features <br>APIs <br> Leveraging APIs <br> API Architectures <br> API Examples <br>Big Data <br> Hadoop <br> Big Data Threat Feeds <br>Machine Learning <br> Machine Learning in Cybersecurity <br> Artificial Intelligence <br> Machine Learning Models <br>Summary <br>References <br> Chapter 6: Reducing Risk and Exceeding Compliance <br>Why Exceeding Compliance <br>Policies <br> Policy Overview <br> Policy Purpose <br> Policy Scope <br> Policy Statement <br> Policy Compliance <br> Related Standards, Policies, Guidelines, and Processes <br> Definitions and Terms <br> History <br>Launching a New Policy <br> Steps for Launching a New Policy <br>Policy Enforcement <br> Certification and Accreditation <br>Procedures <br> Procedure Document <br>Tabletop Exercise <br> Tabletop Exercise Options <br> Tabletop Exercise Execution <br> Tabletop Exercise Format <br> Tabletop Exercise Template Example <br>Standards, Guidelines, and Frameworks <br> NIST Cybersecurity Framework <br> ISO/IEC 27005 <br> CIS Controls <br> ISACA COBIT 2019 <br> FIRST CSIRT Services Framework <br> Exceeding Compliance <br>Audits <br> Audit Example <br> Internal Audits <br> External Auditors <br> Audit Tools <br>Assessments <br> Assessment Types <br> Assessment Results <br> Assessment Template <br> Vulnerability Scanners <br> Assessment Program Weaknesses <br>Penetration Test <br> NIST Special Publication 800-115 <br> Additional NIST SP 800-115 Guidance <br> Penetration Testing Types <br> Penetration Testing Planning <br>Industry Compliance <br> Compliance Requirements <br>Summary <br>References <br> Chapter 7: Threat Intelligence <br>Threat Intelligence Overview <br> Threat Data <br>Threat Intelligence Categories <br> Strategic Threat Intelligence <br> Tactical Threat Intelligence <br> Operational Threat Intelligence <br> Technical Threat Intelligence <br>Threat Intelligence Context <br> Threat Context <br>Evaluating Threat Intelligence <br> Threat Intelligence Checklist <br> Content Quality <br> Testing Threat Intelligence <br>Planning a Threat Intelligence Project <br> Data Expectations for Strategic Threat Intelligence <br> Data Expectations for Tactical Threat Intelligence <br> Data Expectations for Operational Threat Intelligence <br> Data Expectations for Technical Threat Intelligence <br>Collecting and Processing Intelligence <br> Processing Nontechnical Data <br> Operational Data and Web Processing <br> Technical Processing <br> Technical Threat Intelligence Resources <br>Actionable Intelligence <br> Security Tools and Threat Intelligence <br>Feedback <br>Summary <br>References <br> Chapter 8: Threat Hunting and Incident Response <br>Security Incidents <br>Incident Response Lifecycle <br>Phase 1: Preparation <br> Assigning Tasks with Playbooks <br> Communication <br> Third-Party Interaction <br> Law Enforcement <br> Law Enforcement Risk <br> Ticketing Systems <br> Other Incident Response Planning Templates <br> Phase 1: Preparation Summary <br>Phase 2: Detection and Analysis <br> Incident Detection <br> Core Security Capabilities <br> Threat Analysis <br> Detecting Malware Behavior <br> Infected Systems <br> Analyzing Artifacts <br> Identifying Artifact Types <br> Packing Files <br> Basic Static Analysis <br> Advanced Static Analysis <br> Dynamic Analysis <br> Phase 2: Detection and Analysis Summary <br>Phase 3: Containment, Eradication, and Recovery <br> Containment <br> Responding to Malware <br> Threat Hunting Techniques <br> Eradicate <br> Recovery <br>Digital Forensics <br> Digital Forensic Process <br> First Responder <br> Chain of Custody <br> Working with Evidence <br> Duplicating Evidence <br> Hashes <br> Forensic Static Analysis <br> Recovering Data <br> Forensic Dynamic Analysis <br> Digital Forensics Summary <br> Phase 3: Containment, Eradication, and Recovery Summary <br>Phase 4: Post-Incident Activity <br> Post-Incident Response Process <br> Phase 4: Post-Incident Response Summary <br>Incident Response Guidelines <br> FIRST Services Frameworks <br>Summary <br>References <br> Chapter 9: Vulnerability Management <br>Vulnerability Management <br> Phase 1: Asset Inventory <br> Phase 2: Information Management <br> Phase 3: Risk Assessment <br> Phase 4: Vulnerability Assessment <br> Phase 5: Report and Remediate <br> Phase 6: Respond and Repeat <br>Measuring Vulnerabilities <br> Common Vulnerabilities and Exposures <br> Common Vulnerability Scoring System <br> CVSS Standards <br>Vulnerability Technology <br> Vulnerability Scanners <br> Currency and Coverage <br> Tuning Vulnerability Scanners <br> Exploitation Tools <br> Asset Management and Compliance Tools <br> Network Scanners and Network Access Control <br> Threat Detection Tools <br>Vulnerability Management Service <br> Scanning Services <br> Vulnerability Management Service Roles <br> Vulnerability Evaluation Procedures <br>Vulnerability Response <br> Vulnerability Accuracy <br> Responding to Vulnerabilities <br> Cyber Insurance <br> Patching Systems <br> Residual Risk <br> Remediation Approval <br> Reporting <br> Exceptions <br>Vulnerability Management Process Summarized <br>Summary <br>References <br> Chapter 10: Data Orchestration <br>Introduction to Data Orchestration <br> Comparing SIEM and SOAR <br> The Rise of XDR <br>Security Orchestration, Automation, and Response <br> SOAR Example: Phantom <br>Endpoint Detection and Response <br> EDR Example: CrowdStrike <br>Playbooks <br> Playbook Components <br> Constructing Playbooks <br> Incident Response Consortium <br> Playbook Examples: Malware Outbreak <br>Automation <br> Automating Playbooks <br> Common Targets for Automation <br> Automation Pitfalls <br> Playbook Workflow <br>DevOps Programming <br> Data Management <br> Text-File Formats <br> Common Data Formats <br> Data Modeling <br>DevOps Tools <br> DevOps Targets <br> Manual DevOps <br> Automated DevOps <br> DevOps Lab Using Ansible <br> Ansible Playbooks <br>Blueprinting with Osquery <br> Running Osquery <br>Network Programmability <br> Learning NetDevOps <br> APIs <br> NetDevOps Example <br>Cloud Programmability <br> Orchestration in the Cloud <br> Amazon DevOps <br> SaaS DevOps <br>Summary <br>References <br> Chapter 11: Future of the SOC <br>All Eyes on SD-WAN and SASE <br> VoIP Adoption As Prologue to SD-WAN Adoption <br> Introduction of SD-WAN <br> Challenges with the Traditional WAN <br> SD-WAN to the Rescue <br> SASE Solves SD-WAN Problems <br> SASE Defined <br> Future of SASE <br>IT Services Provided by the SOC <br> IT Operations Defined <br> Hacking IT Services <br> IT Services Evolving <br> Future of IT Services <br>Future of Training <br> Training Challenges <br> Training Today <br> Case Study: Training I Use Today <br> Free Training <br> Gamifying Learning <br> On-Demand and Personalized Learning <br> Future of Training <br>Full Automation with Machine Learning <br> Machine Learning <br> Machine Learning Hurdles <br> Machine Learning Applied <br> Training Machine Learning <br> Future of Machine Learning <br>Future of Your SOC: Bringing It All Together <br> Your Future Facilities and Capabilities <br> Group Tags <br> Your Future SOC Staff <br> Audits, Assessments, and Penetration Testing <br> Future Impact to Your Services <br> Hunting for Tomorrow’s Threats <br>Summary <br>References <br> <br> <br>9780135619858 TOC 3/24/2021 <br> <br> <br>
