Agile Security Operations

Book description

Get to grips with security operations through incident response, the ATT&CK framework, active defense, and agile threat intelligence

Key Features

  • Explore robust and predictable security operations based on measurable service performance
  • Learn how to improve the security posture and work on security audits
  • Discover ways to integrate agile security operations into development and operations

Book Description

Agile security operations allow organizations to survive cybersecurity incidents, deliver key insights into the security posture of an organization, and operate security as an integral part of development and operations. It is, deep down, how security has always operated at its best.

Agile Security Operations will teach you how to implement and operate an agile security operations model in your organization. The book focuses on the culture, staffing, technology, strategy, and tactical aspects of security operations. You'll learn how to establish and build a team and transform your existing team into one that can execute agile security operations. As you progress through the chapters, you'll be able to improve your understanding of some of the key concepts of security, align operations with the rest of the business, streamline your operations, learn how to report to senior levels in the organization, and acquire funding.

By the end of this Agile book, you'll be ready to start implementing agile security operations, using the book as a handy reference.

What you will learn

  • Get acquainted with the changing landscape of security operations
  • Understand how to sense an attacker's motives and capabilities
  • Grasp key concepts of the kill chain, the ATT&CK framework, and the Cynefin framework
  • Get to grips with designing and developing a defensible security architecture
  • Explore detection and response engineering
  • Overcome challenges in measuring the security posture
  • Derive and communicate business values through security operations
  • Discover ways to implement security as part of development and business operations

Who this book is for

This book is for new and established CSOC managers as well as CISO, CDO, and CIO-level decision-makers. If you work as a cybersecurity engineer or analyst, you'll find this book useful. Intermediate-level knowledge of incident response, cybersecurity, and threat intelligence is necessary to get started with the book.

Table of contents

  1. Agile Security Operations
  2. Contributors
  3. About the author
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share Your Thoughts
  6. Section 1: Incident Response: The Heart of Security
  7. Chapter 1: How Security Operations Are Changing
    1. Why security is hard
      1. Security operations
      2. Cybersecurity, threats, and risk
      3. Five types of cyber defense
    2. Security incidents
    3. Security solutions in search of a problem
    4. The scope of security operations
    5. Where security operations turn agile
      1. Agile incident response
      2. Agile security operations
    6. Summary
  8. Chapter 2: Incident Response – A Key Capability in Security Operations
    1. Facing up to breaches
      1. The incident response cycle
    2. Knowing an incident – detection and analysis
      1. Detection engineering
      2. Repurposing
      3. Analyzing threats
    3. Branches and pivots – how incidents change
      1. The kill chain model
      2. Expanding the options for defense
      3. Lateral movement
    4. Agile incident response
      1. Compromise is eternal
      2. Incidents and compromises
      3. Why incident response needs to be agile
      4. Team structure for incident response
    5. Learning from incidents – from resolution to tactics to strategy
    6. Summary
  9. Chapter 3: Engineering for Incident Response
    1. From incident response to agile security operations engineering
      1. Mapping the incident loop
      2. Feedback – closing the incident loop
    2. The businesslike weaknesses of attackers
    3. A brief discussion of agile frameworks
      1. Lean
      2. Kanban
      3. Scrum
    4. Agile security operations
    5. Key activities in agile security operations
      1. Breach
      2. Detect
      3. Analyze
      4. Contain
      5. Eradicate
      6. Recover
      7. Develop context and TTPs
      8. Updating the architecture, strategy, and risk
      9. Detection engineering
      10. Improvements – prevention, discovery, and prediction
    6. Tooling – defend to respond
      1. Passive defense
      2. Active defense – Mitre ATT&CK and Shield
    7. Summary
  10. Section 2: Defensible Organizations
  11. Chapter 4: Key Concepts in Cyber Defense
    1. What is cyber defense?
      1. Enduring failure
      2. The fit of security operations
    2. Coordination and discoordination
      1. Coordination games
      2. Discoordination games
    3. A framework for uncertainty
      1. A brief overview of the Cynefin framework
      2. Constraints
      3. Resolving crises
    4. Structured analytic techniques
    5. Is this part of the security skillset?
    6. Summary
  12. Chapter 5: Defensible Architecture
    1. The definition of defensible architecture
      1. Pareto optimizable attacks
      2. Understanding the kill chain
    2. Requirements of defensible architecture
    3. Defense in depth
      1. Implied trust in network segments
      2. Trust in the endpoints of the architecture
      3. Defense in depth as an evolution
    4. The new security boundaries
      1. Principles of the defensible architecture
    5. Roots of trust
      1. Identity as a root of trust
      2. Data controls as a root of trust
      3. Algorithmic integrity as a root of trust
      4. Roots of trust and verifiability
    6. Elements of the defensible architecture
      1. Prevention
      2. Visibility and forensic readiness
      3. Threat modeling
      4. Attack path modeling
    7. Defensible architecture tradeoffs
      1. On-premises infrastructure
      2. Cloud
      3. Industrial
    8. Summary
  13. Chapter 6: Active Defense
    1. The role of active defense
      1. Active defense as one of the five types of cyber defense
      2. Compromise is eternal
      3. Agile incident response
      4. An approach to active defense
    2. The agile active defense process
    3. Understanding the adversary
      1. People and processes
      2. Technology
    4. Active defense during a crisis
    5. Active defense for eternal compromise
      1. Assess
      2. Adapt
      3. The pivot or [<>]
      4. Exapt
      5. Transcend
    6. Summary
  14. Chapter 7: How Secure Are You? – Measuring Security Posture
    1. Security as risk reduction
    2. Measuring risk reduction
      1. Description
      2. Financial aspects of risks
      3. Controls
      4. Risk management versus enabling the business
    3. Strategy maps – security as business value
      1. Constructing strategy maps
      2. Strategy map layers
      3. Security strategy maps
      4. Starting a security strategy
    4. Working with the security strategy map
      1. Financial metrics
      2. Customer metrics
      3. Operations metrics
      4. Metrics for capabilities
    5. Summary
  15. Section 3: Advanced Agile Security Operations
  16. Chapter 8: Red, Blue, and Purple Teaming
    1. Red teaming and blue teaming
      1. Why red team?
      2. What is a red team?
      3. What is a blue team?
    2. Threat hunting
      1. Hunt leads
      2. Analytic queries
      3. Alternative hunt leads – alert streams and detections
      4. Implementing a threat hunting practice
    3. Purple teaming concepts
      1. Purple team activities
      2. Characteristics of blue and red teams
    4. Agile approaches to purple teaming
    5. Purple teaming operations
      1. Planning – sources of attack data
      2. Planning – cadence and process
      3. Executing the red side of purple teaming
      4. Feedback – moving to an agile approach
    6. Closing into threat-informed defense
      1. Business value from purple teaming
      2. Security baselining
      3. Security posture improvement
      4. Threat-informed defense
    7. Summary
  17. Chapter 9: Running and Operating Security Services
    1. The essential security services
      1. What is a service?
      2. Service worksheets
      3. Strategy service
      4. Policies
      5. Architecture
      6. Deployment
      7. Monitoring and alerting
      8. Incident response
      9. Other services
    2. Service maturity
      1. Maturity management
      2. Practices – components of a service
      3. Measuring effectiveness
      4. Maturity models
      5. Defining capability
      6. Maturity does not stand alone
      7. Drawbacks of maturity
    3. Agile approaches to the six security services
      1. Agile
      2. DevOps cycle
    4. Summary
  18. Chapter 10: Implementing Agile Threat Intelligence
    1. What threat intelligence is and isn't
    2. A threat intelligence program
      1. Acquiring threat intelligence
      2. Running your own function
      3. Using threat intelligence
    3. Direction
      1. Understanding risk reduction
      2. Using past attacks as a guide
      3. Scoping prospective groups
      4. Business capabilities and operational context
      5. The influence on direction
    4. Collection and collation
      1. The data funnel
      2. External feeds
      3. Feeds meeting internal logs
    5. Interpretation
      1. Using structured analytic techniques
      2. Threat groups
    6. Dissemination
      1. Risk analysis
      2. Alerting, hunting, and detection
      3. Infrastructure hardening
    7. Summary
  19. Appendix
    1. Principles of cybersecurity operations
  20. Further reading
    1. Background
      1. Cynefin framework
      2. Cynefin field guide
      3. Structured analytic techniques
      4. Architecture
      5. Threat modeling
      6. Organizations
    2. Operations
      1. Principles for operations
      2. SOC operations
    3. People to follow
    4. Why subscribe?
  21. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts

Product information

  • Title: Agile Security Operations
  • Author(s): Hinne Hettema
  • Release date: February 2022
  • Publisher(s): Packt Publishing
  • ISBN: 9781801815512