Security Operations Center: Building, Operating and Maintaining your SOC

Security Operations Center: Building, Operating and Maintaining your SOC

by Joey Muniz, Gary McIntyre, Nadhem AlFardan
Released November 2015
Publisher(s): Cisco Press
ISBN: 9780134052083

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

This is the Rough Cut version of the printed book.

This is the first complete guide to building, operating, managing, and operating Security Operations Centers in any business or organizational environment. Three leading IT security experts review the characteristics, strengths, and weaknesses of each SOC model (including virtual SOCs) -- thereby helping you select the right strategic option for your organization. Next, they walk you through every phase required to establish and operate an effective SOC, including all significant people, process and technology issues. You'll also find complete configuration examples covering the open source, Cisco, and non-Cisco components most likely to be found in modern, fully operational SOCs. Coverage includes:

  • An up-to-date review of modern security operations and challenges, from information assurance and risk management to incident response

  • How SOCs emerged and have evolved: what SOCs can do that other security approaches can't

  • A New SOC Maturity Model: evaluating where you stand and where you need to go

  • Planning your SOC: strategy, mission, functions, services, and more

  • Designing infrastructure, facilities, networks, and physical security

  • Comparing dedicated and virtualized SOC environments

  • Collecting and analyzing security data

  • Integrating vulnerability and risk management

  • Organizing effective incident response teams, and measuring their performance

  • Building out your SOC infrastructure: network, security, systems, storage, and collaboration

  • Developing an SOC handbook your people can use (including a practical example)

  • Best practice operations: maintenance, reviews, metrics, and continuous enhancement

    •

    Table of contents

    1. About This E-Book
    2. Title Page
    3. Copyright Page
    4. About the Authors
    5. About the Technical Reviewers
    6. Dedications
    7. Acknowledgments
    8. Contents at a Glance
    9. Contents
    10. Command Syntax Conventions
    11. Introduction
      1. Who Should Read This Book?
      2. How This Book Is Organized
    12. Part I: SOC Basics
      1. Chapter 1. Introduction to Security Operations and the SOC
        1. Cybersecurity Challenges
          1. Threat Landscape
          2. Business Challenges
        2. Introduction to Information Assurance
        3. Introduction to Risk Management
        4. Information Security Incident Response
          1. Incident Detection
          2. Incident Triage
          3. Incident Resolution
          4. Incident Closure
          5. Post-Incident
        5. SOC Generations
          1. First-Generation SOC
          2. Second-Generation SOC
          3. Third-Generation SOC
          4. Fourth-Generation SOC
        6. Characteristics of an Effective SOC
        7. Introduction to Maturity Models
        8. Applying Maturity Models to SOC
        9. Phases of Building a SOC
        10. Challenges and Obstacles
        11. Summary
        12. References
      2. Chapter 2. Overview of SOC Technologies
        1. Data Collection and Analysis
          1. Data Sources
          2. Data Collection
          3. Parsing and Normalization
          4. Security Analysis
        2. Vulnerability Management
          1. Vulnerability Announcements
        3. Threat Intelligence
        4. Compliance
        5. Ticketing and Case Management
        6. Collaboration
        7. SOC Conceptual Architecture
        8. Summary
        9. References
    13. Part II: The Plan Phase
      1. Chapter 3. Assessing Security Operations Capabilities
        1. Assessment Methodology
          1. Step 1: Identify Business and IT Goals
          2. Step 2: Assessing Capabilities
          3. Step 3: Collect Information
          4. Step 4: Analyze Maturity Levels
          5. Step 5: Formalize Findings
        2. Summary
        3. References
      2. Chapter 4. SOC Strategy
        1. Strategy Elements
          1. Who Is Involved?
          2. SOC Mission
          3. SOC Scope
          4. Example 1: A Military Organization
          5. Example 2: A Financial Organization
        2. SOC Model of Operation
          1. In-House and Virtual SOC
        3. SOC Services
        4. SOC Capabilities Roadmap
        5. Summary
    14. Part III: The Design Phase
      1. Chapter 5. The SOC Infrastructure
        1. Design Considerations
        2. Model of Operation
        3. Facilities
          1. SOC Internal Layout
          2. Physical Security
          3. Video Wall
          4. SOC Analyst Services
        4. Active Infrastructure
          1. Network
          2. Security
          3. Compute
          4. Storage
          5. Collaboration
        5. Summary
        6. References
      2. Chapter 6. Security Event Generation and Collection
        1. Data Collection
          1. Calculating EPS
          2. Network Time Protocol
          3. Data-Collection Tools
          4. Firewalls
        2. Cloud Security
          1. Cisco Meraki
          2. Virtual Firewalls
        3. Intrusion Detection and Prevention Systems
          1. Cisco FirePOWER IPS
          2. Meraki IPS
          3. Snort
          4. Host-Based Intrusion Prevention
        4. Routers and Switches
        5. Host Systems
        6. Mobile Devices
        7. Breach Detection
          1. Cisco Advanced Malware Prevention
          2. Web Proxies
          3. Cloud Proxies
        8. DNS Servers
          1. Exporting DNS
        9. Network Telemetry with Network Flow Monitoring
          1. NetFlow Tools
          2. NetFlow from Routers and Switches
          3. NetFlow from Security Products
          4. NetFlow in the Data Center
        10. Summary
        11. References
      3. Chapter 7. Vulnerability Management
        1. Identifying Vulnerabilities
        2. Security Services
        3. Vulnerability Tools
        4. Handling Vulnerabilities
          1. OWASP Risk Rating Methodology
          2. The Vulnerability Management Lifecycle
        5. Automating Vulnerability Management
          1. Inventory Assessment Tools
          2. Information Management Tools
          3. Risk-Assessment Tools
          4. Vulnerability-Assessment Tools
          5. Report and Remediate Tools
          6. Responding Tools
        6. Threat Intelligence
          1. Attack Signatures
          2. Threat Feeds
          3. Other Threat Intelligence Sources
        7. Summary
        8. References
      4. Chapter 8. People and Processes
        1. Key Challenges
          1. Wanted: Rock Stars, Leaders, and Grunts
          2. The Weight of Process
          3. The Upper and Lower Bounds of Technology
        2. Designing and Building the SOC Team
          1. Starting with the Mission
          2. Focusing on Services
          3. Determining the Required SOC Roles
          4. Working with HR
          5. Deciding on Your Resourcing Strategy
        3. Working with Processes and Procedures
          1. Processes Versus Procedures
          2. Working with Enterprise Service Management Processes
          3. The Positives and Perils of Process
          4. Examples of SOC Processes and Procedures
        4. Summary
    15. Part IV: The Build Phase
      1. Chapter 9. The Technology
        1. In-House Versus Virtual SOC
        2. Network
          1. Segmentation
          2. VPN
          3. High Availability
          4. Support Contracts
        3. Security
          1. Network Access Control
          2. Authentication
          3. On-Network Security
          4. Encryption
        4. Systems
          1. Operating Systems
          2. Hardening Endpoints
          3. Endpoint Breach Detection
          4. Mobile Devices
          5. Servers
        5. Storage
          1. Data-Loss Protection
          2. Cloud Storage
        6. Collaboration
          1. Collaboration for Pandemic Events
        7. Technologies to Consider During SOC Design
          1. Firewalls
          2. Routers and Switches
          3. Network Access Control
          4. Web Proxies
          5. Intrusion Detection/Prevention
        8. Breach Detection
          1. Honeypots
          2. Sandboxes
          3. Endpoint Breach Detection
          4. Network Telemetry
          5. Network Forensics
        9. Final SOC Architecture
        10. Summary
        11. References
      2. Chapter 10. Preparing to Operate
        1. Key Challenges
          1. People Challenges
          2. Process Challenges
          3. Technology Challenges
        2. Managing Challenges Through a Well-Managed Transition
          1. Elements of an Effective Service Transition Plan
          2. Determining Success Criteria and Managing to Success
          3. Managing Project Resources Effectively
          4. Marching to Clear and Attainable Requirements
          5. Using Simple Checks to Verify That the SOC Is Ready
        3. Summary
    16. Part V: The Operate Phase
      1. Chapter 11. Reacting to Events and Incidents
        1. A Word About Events
        2. Event Intake, Enrichment, Monitoring, and Handling
          1. Events in the SIEM
          2. Events in the Security Log Management Solution
          3. Events in Their Original Habitats
          4. Events Through Communications and Collaboration Platforms
          5. Working with Events: The Malware Scenario
          6. Handling and Investigating the Incident Report
          7. Creating and Managing Cases
        3. Closing and Reporting on the Case
        4. Summary
      2. Chapter 12. Maintain, Review, and Improve
        1. Reviewing and Assessing the SOC
          1. Determining Scope
          2. Scheduled and Ad Hoc Reviews
          3. Internal Versus External Assessments
          4. Assessment Methodologies
        2. Maintaining and Improving the SOC
          1. Maintaining and Improving Services
          2. Maintain and Improving Your Team
          3. Maintaining and Improving the SOC Technology Stack
        3. Conclusions
    17. Index
    18. Code Snippets

    Product information

    • Title: Security Operations Center: Building, Operating and Maintaining your SOC
    • Author(s): Joey Muniz, Gary McIntyre, Nadhem AlFardan
    • Release date: November 2015
    • Publisher(s): Cisco Press
    • ISBN: 9780134052083