411 kr
Special order. Ships within 7-10 business days. Free shipping on orders over 249 kr.
Description
The Industry Standard, Vendor-Neutral Guide to Managing SOCs and Delivering SOC Services
This completely new, vendor-neutral guide brings together all the knowledge you need to build, maintain, and operate a modern Security Operations Center (SOC) and deliver security services as efficiently and cost-effectively as possible.
Leading security architect Joseph Muniz helps you assess current capabilities, align your SOC to your business, and plan a new SOC or evolve an existing one. He covers people, process, and technology; explores each key service handled by mature SOCs; and offers expert guidance for managing risk, vulnerabilities, and compliance. Throughout, hands-on examples show how advanced red and blue teams execute and defend against real-world exploits using tools like Kali Linux and Ansible. Muniz concludes by previewing the future of SOCs, including Secure Access Service Edge (SASE) cloud technologies and increasingly sophisticated automation.
This guide will be indispensable for everyone responsible for delivering security services—managers and cybersecurity professionals alike.
- Address core business and operational requirements, including sponsorship, management, policies, procedures, workspaces, staffing, and technology
- Identify, recruit, interview, onboard, and grow an outstanding SOC team
- Thoughtfully decide what to outsource and what to insource
- Collect, centralize, and use both internal data and external threat intelligence
- Quickly and efficiently hunt threats, respond to incidents, and investigate artifacts
- Reduce future risk by improving incident recovery and vulnerability management
- Apply orchestration and automation effectively, without just throwing money at them
- Position yourself today for emerging SOC technologies
Product information
- Publication date: 2021-07-27
- Dimensions: 179 x 232 x 42 mm
- Weight: 1,310 g
- Format: Paperback
- Language: English
- Number of pages: 752
- Edition: 1
- Publisher: Pearson Education
- ISBN: 9780135619858
About the author
Joseph Muniz is an architect and security researcher in the Cisco Security Sales and Engineering Organization. He is driven by making the world a safer place through education and adversary research. Joseph has extensive experience in designing security solutions and architectures as a trusted advisor for top Fortune 500 corporations and the U.S. government.
Joseph is a researcher and industry thought leader. He speaks regularly at international conferences, writes for technical magazines, and is involved with developing training for various industry certifications. He invented the fictitious character of Emily Williams to create awareness around social engineering. Joseph runs The Security Blogger website, a popular resource for security and product implementation. He is the author of and contributor to several publications, with titles ranging from security best practices to exploitation tactics.
When Joseph is not using technology, you can find him on the fútbol (soccer) field or raising the next generation of hackers, also known as his children. Follow Joseph at https://www.thesecurityblogger.com and @SecureBlogger.
Table of contents
- Preface
- Chapter 1: Introducing Security Operations and the SOC
  - Introducing the SOC; Factors Leading to a Dysfunctional SOC; Cyberthreats; Investing in Security; The Impact of a Breach; Establishing a Baseline; The Impact of Change; Fundamental Security Capabilities; Signature Detection; Behavior Detection; Anomaly Detection; Best of Breed vs. Defense in Depth; Standards, Guidelines, and Frameworks; NIST Cybersecurity Framework; ISO 3100:2018; FIRST Service Frameworks; Applying Frameworks; Industry Threat Models; The Cyber Kill Chain Model; The Diamond Model; MITRE ATT&CK Model; Choosing a Threat Model; Vulnerabilities and Risk; Endless Vulnerabilities; Business Challenges; In-House vs. Outsourcing; Services Advantages; Services Disadvantages; Hybrid Services; SOC Services; SOC Maturity Models; SOC Maturity Assessment; SOC Program Maturity; SOC Goals Assessment; Defining Goals; SOC Goals Ranking; Threats Ranking; SOC Goals Assessment Summarized; SOC Capabilities Assessment; Capability Maps; SOC Capabilities Gaps Analysis; Capability Map Next Steps; SOC Development Milestones; Summary; References
- Chapter 2: Developing a Security Operations Center
  - Mission Statement and Scope Statement; Developing Mission and Scope Statements; SOC Scope Statement; Developing a SOC; SOC Procedures; Designing Procedures; Security Tools; Evaluating Vulnerabilities; Preventive Technologies; Detection Technologies; Mobile Device Security Concerns; Planning a SOC; Capacity Planning; Developing a Capacity Plan; Designing a SOC Facility; Physical SOC vs. Virtual SOC; SOC Location; SOC Interior; SOC Rooms; SOC Computer Rooms; SOC Layouts; Network Considerations; Segmentation; Logical Segmentation; Choosing Segmentation; Client/Server Segmentation; Active Directory Segmentation; Throughput; Connectivity and Redundancy; Disaster Recovery; Security Considerations; Policy and Compliance; Network Access Control; Encryption; Internal Security Tools; Intrusion Detection and Prevention; Network Flow and Capturing Packets; Change Management; Host Systems; Guidelines and Recommendations for Securing Your SOC Network; Tool Collaboration; SOC Tools; Reporting and Dashboards; Throughput and Storage; Centralized Data Management; Summary; References
- Chapter 3: SOC Services
  - Fundamental SOC Services; SOC Challenges; The Three Pillars of Foundational SOC Support Services; Pillar 1: Work Environment; Pillar 2: People; Pillar 3: Technology; Evaluating the Three Pillars of Foundational SOC Support Services; SOC Service Areas; FIRST's CSIRT; Developing SOC Service Areas; In-House Services vs. External Services; Contracted vs. Employee Job Roles; SOC Service Job Goals; Resource Planning; Service Maturity: If You Build It, They Will Come; SOC Service 1: Risk Management; Four Responses to Risk; Reducing Risk; Addressing Risk; SOC Service 2: Vulnerability Management; Vulnerability Management Best Practice; Vulnerability Scanning Tools; Penetration Testing; SOC Service 3: Compliance; Meeting Compliance with Audits; SOC Service 4: Incident Management; NIST Special Publication 800-61 Revision 2; Incident Response Planning; Incident Impact; Playbooks; SOC Service 5: Analysis; Static Analysis; Dynamic Analysis; SOC Service 6: Digital Forensics; SOC Service 7: Situational and Security Awareness; User Training; SOC Service 8: Research and Development; Summary; References
- Chapter 4: People and Process
  - Career vs. Job; Developing Job Roles; General Schedule Pay Scale; IT Industry Job Roles; Common IT Job Roles; SOC Job Roles; Security Analyst; Penetration Tester; Assessment Officer; Incident Responder; Systems Analyst; Security Administrator; Security Engineer; Security Trainer; Security Architect; Cryptographer/Cryptologist; Forensic Engineer; Chief Information Security Officer; NICE Cybersecurity Workforce Framework; NICE Framework Components; Role Tiers; SOC Services and Associated Job Roles; Risk Management Service; Vulnerability Management Service; Incident Management Service; Analysis Service; Compliance Service; Digital Forensics Service; Situational and Security Awareness Service; Research and Development Service; Soft Skills; Evaluating Soft Skills; SOC Soft Skills; Security Clearance Requirements; Pre-Interviewing; Interviewing; Interview Prompter; Post Interview; Onboarding Employees; Onboarding Requirements; Managing People; Job Retention; Training; Training Methods; Certifications; Company Culture; Summary; References
- Chapter 5: Centralizing Data
  - Data in the SOC; Strategic and Tactical Data; Data Structure; Data Types; Data Context; Data-Focused Assessment; Data Assessment Example: Antivirus; Threat Mapping Data; Applying Data Assessments to SOC Services; Logs; Log Types; Log Formats; Security Information and Event Management; SIEM Data Processing; Data Correlation; Data Enrichment; SIEM Solution Planning; SIEM Tuning; Troubleshooting SIEM Logging; SIEM Troubleshooting Part 1: Data Input; SIEM Troubleshooting Part 2: Data Processing and Validation; SIEM Troubleshooting Examples; Additional SIEM Features; APIs; Leveraging APIs; API Architectures; API Examples; Big Data; Hadoop; Big Data Threat Feeds; Machine Learning; Machine Learning in Cybersecurity; Artificial Intelligence; Machine Learning Models; Summary; References
- Chapter 6: Reducing Risk and Exceeding Compliance
  - Why Exceeding Compliance; Policies; Policy Overview; Policy Purpose; Policy Scope; Policy Statement; Policy Compliance; Related Standards, Policies, Guidelines, and Processes; Definitions and Terms; History; Launching a New Policy; Steps for Launching a New Policy; Policy Enforcement; Certification and Accreditation; Procedures; Procedure Document; Tabletop Exercise; Tabletop Exercise Options; Tabletop Exercise Execution; Tabletop Exercise Format; Tabletop Exercise Template Example; Standards, Guidelines, and Frameworks; NIST Cybersecurity Framework; ISO/IEC 27005; CIS Controls; ISACA COBIT 2019; FIRST CSIRT Services Framework; Exceeding Compliance; Audits; Audit Example; Internal Audits; External Auditors; Audit Tools; Assessments; Assessment Types; Assessment Results; Assessment Template; Vulnerability Scanners; Assessment Program Weaknesses; Penetration Test; NIST Special Publication 800-115; Additional NIST SP 800-115 Guidance; Penetration Testing Types; Penetration Testing Planning; Industry Compliance; Compliance Requirements; Summary; References
- Chapter 7: Threat Intelligence
  - Threat Intelligence Overview; Threat Data; Threat Intelligence Categories; Strategic Threat Intelligence; Tactical Threat Intelligence; Operational Threat Intelligence; Technical Threat Intelligence; Threat Intelligence Context; Threat Context; Evaluating Threat Intelligence; Threat Intelligence Checklist; Content Quality; Testing Threat Intelligence; Planning a Threat Intelligence Project; Data Expectations for Strategic Threat Intelligence; Data Expectations for Tactical Threat Intelligence; Data Expectations for Operational Threat Intelligence; Data Expectations for Technical Threat Intelligence; Collecting and Processing Intelligence; Processing Nontechnical Data; Operational Data and Web Processing; Technical Processing; Technical Threat Intelligence Resources; Actionable Intelligence; Security Tools and Threat Intelligence; Feedback; Summary; References
- Chapter 8: Threat Hunting and Incident Response
  - Security Incidents; Incident Response Lifecycle; Phase 1: Preparation; Assigning Tasks with Playbooks; Communication; Third-Party Interaction; Law Enforcement; Law Enforcement Risk; Ticketing Systems; Other Incident Response Planning Templates; Phase 1: Preparation Summary; Phase 2: Detection and Analysis; Incident Detection; Core Security Capabilities; Threat Analysis; Detecting Malware Behavior; Infected Systems; Analyzing Artifacts; Identifying Artifact Types; Packing Files; Basic Static Analysis; Advanced Static Analysis; Dynamic Analysis; Phase 2: Detection and Analysis Summary; Phase 3: Containment, Eradication, and Recovery; Containment; Responding to Malware; Threat Hunting Techniques; Eradicate; Recovery; Digital Forensics; Digital Forensic Process; First Responder; Chain of Custody; Working with Evidence; Duplicating Evidence; Hashes; Forensic Static Analysis; Recovering Data; Forensic Dynamic Analysis; Digital Forensics Summary; Phase 3: Containment, Eradication, and Recovery Summary; Phase 4: Post-Incident Activity; Post-Incident Response Process; Phase 4: Post-Incident Response Summary; Incident Response Guidelines; FIRST Services Frameworks; Summary; References
- Chapter 9: Vulnerability Management
  - Vulnerability Management; Phase 1: Asset Inventory; Phase 2: Information Management; Phase 3: Risk Assessment; Phase 4: Vulnerability Assessment; Phase 5: Report and Remediate; Phase 6: Respond and Repeat; Measuring Vulnerabilities; Common Vulnerabilities and Exposures; Common Vulnerability Scoring System; CVSS Standards; Vulnerability Technology; Vulnerability Scanners; Currency and Coverage; Tuning Vulnerability Scanners; Exploitation Tools; Asset Management and Compliance Tools; Network Scanners and Network Access Control; Threat Detection Tools; Vulnerability Management Service; Scanning Services; Vulnerability Management Service Roles; Vulnerability Evaluation Procedures; Vulnerability Response; Vulnerability Accuracy; Responding to Vulnerabilities; Cyber Insurance; Patching Systems; Residual Risk; Remediation Approval; Reporting; Exceptions; Vulnerability Management Process Summarized; Summary; References
- Chapter 10: Data Orchestration
  - Introduction to Data Orchestration; Comparing SIEM and SOAR; The Rise of XDR; Security Orchestration, Automation, and Response; SOAR Example: Phantom; Endpoint Detection and Response; EDR Example: CrowdStrike; Playbooks; Playbook Components; Constructing Playbooks; Incident Response Consortium; Playbook Examples: Malware Outbreak; Automation; Automating Playbooks; Common Targets for Automation; Automation Pitfalls; Playbook Workflow; DevOps Programming; Data Management; Text-File Formats; Common Data Formats; Data Modeling; DevOps Tools; DevOps Targets; Manual DevOps; Automated DevOps; DevOps Lab Using Ansible; Ansible Playbooks; Blueprinting with Osquery; Running Osquery; Network Programmability; Learning NetDevOps; APIs; NetDevOps Example; Cloud Programmability; Orchestration in the Cloud; Amazon DevOps; SaaS DevOps; Summary; References
- Chapter 11: Future of the SOC
  - All Eyes on SD-WAN and SASE; VoIP Adoption As Prologue to SD-WAN Adoption; Introduction of SD-WAN; Challenges with the Traditional WAN; SD-WAN to the Rescue; SASE Solves SD-WAN Problems; SASE Defined; Future of SASE; IT Services Provided by the SOC; IT Operations Defined; Hacking IT Services; IT Services Evolving; Future of IT Services; Future of Training; Training Challenges; Training Today; Case Study: Training I Use Today; Free Training; Gamifying Learning; On-Demand and Personalized Learning; Future of Training; Full Automation with Machine Learning; Machine Learning; Machine Learning Hurdles; Machine Learning Applied; Training Machine Learning; Future of Machine Learning; Future of Your SOC: Bringing It All Together; Your Future Facilities and Capabilities; Group Tags; Your Future SOC Staff; Audits, Assessments, and Penetration Testing; Future Impact to Your Services; Hunting for Tomorrow's Threats; Summary; References