The Modern Security Operations Center
About the Book

The Industry Standard, Vendor-Neutral Guide to Managing SOCs and Delivering SOC Services

This completely new, vendor-neutral guide brings together all the knowledge you need to build, maintain, and operate a modern Security Operations Center (SOC) and deliver security services as efficiently and cost-effectively as possible. Leading security architect Joseph Muniz helps you assess current capabilities, align your SOC to your business, and plan a new SOC or evolve an existing one. He covers people, process, and technology; explores each key service handled by mature SOCs; and offers expert guidance for managing risk, vulnerabilities, and compliance. Throughout, hands-on examples show how advanced red and blue teams execute and defend against real-world exploits using tools like Kali Linux and Ansible. Muniz concludes by previewing the future of SOCs, including Secure Access Service Edge (SASE) cloud technologies and increasingly sophisticated automation. This guide will be indispensable for everyone responsible for delivering security services—managers and cybersecurity professionals alike.

  • Address core business and operational requirements, including sponsorship, management, policies, procedures, workspaces, staffing, and technology
  • Identify, recruit, interview, onboard, and grow an outstanding SOC team
  • Thoughtfully decide what to outsource and what to insource
  • Collect, centralize, and use both internal data and external threat intelligence
  • Quickly and efficiently hunt threats, respond to incidents, and investigate artifacts
  • Reduce future risk by improving incident recovery and vulnerability management
  • Apply orchestration and automation effectively, without just throwing money at them
  • Position yourself today for emerging SOC technologies

Table of Contents:

Preface

Chapter 1: Introducing Security Operations and the SOC
  • Introducing the SOC
  • Factors Leading to a Dysfunctional SOC
  • Cyberthreats
  • Investing in Security
  • The Impact of a Breach
  • Establishing a Baseline
      • The Impact of Change
  • Fundamental Security Capabilities
      • Signature Detection
      • Behavior Detection
      • Anomaly Detection
      • Best of Breed vs. Defense in Depth
  • Standards, Guidelines, and Frameworks
      • NIST Cybersecurity Framework
      • ISO 3100:2018
      • FIRST Service Frameworks
      • Applying Frameworks
  • Industry Threat Models
      • The Cyber Kill Chain Model
      • The Diamond Model
      • MITRE ATT&CK Model
      • Choosing a Threat Model
  • Vulnerabilities and Risk
      • Endless Vulnerabilities
  • Business Challenges
  • In-House vs. Outsourcing
      • Services Advantages
      • Services Disadvantages
      • Hybrid Services
  • SOC Services
  • SOC Maturity Models
      • SOC Maturity Assessment
      • SOC Program Maturity
  • SOC Goals Assessment
      • Defining Goals
      • SOC Goals Ranking
      • Threats Ranking
      • SOC Goals Assessment Summarized
  • SOC Capabilities Assessment
      • Capability Maps
      • SOC Capabilities Gaps Analysis
      • Capability Map Next Steps
  • SOC Development Milestones
  • Summary
  • References

Chapter 2: Developing a Security Operations Center
  • Mission Statement and Scope Statement
      • Developing Mission and Scope Statements
      • SOC Scope Statement
  • Developing a SOC
  • SOC Procedures
      • Designing Procedures
  • Security Tools
      • Evaluating Vulnerabilities
      • Preventive Technologies
      • Detection Technologies
      • Mobile Device Security Concerns
  • Planning a SOC
      • Capacity Planning
      • Developing a Capacity Plan
  • Designing a SOC Facility
      • Physical SOC vs. Virtual SOC
      • SOC Location
      • SOC Interior
      • SOC Rooms
      • SOC Computer Rooms
      • SOC Layouts
  • Network Considerations
      • Segmentation
      • Logical Segmentation
      • Choosing Segmentation
      • Client/Server Segmentation
      • Active Directory Segmentation
      • Throughput
      • Connectivity and Redundancy
  • Disaster Recovery
  • Security Considerations
      • Policy and Compliance
      • Network Access Control
      • Encryption
  • Internal Security Tools
      • Intrusion Detection and Prevention
      • Network Flow and Capturing Packets
      • Change Management
      • Host Systems
  • Guidelines and Recommendations for Securing Your SOC Network
      • Tool Collaboration
  • SOC Tools
      • Reporting and Dashboards
      • Throughput and Storage
      • Centralized Data Management
  • Summary
  • References

Chapter 3: SOC Services
  • Fundamental SOC Services
      • SOC Challenges
  • The Three Pillars of Foundational SOC Support Services
      • Pillar 1: Work Environment
      • Pillar 2: People
      • Pillar 3: Technology
      • Evaluating the Three Pillars of Foundational SOC Support Services
  • SOC Service Areas
      • FIRST’s CSIRT
      • Developing SOC Service Areas
      • In-House Services vs. External Services
      • Contracted vs. Employee Job Roles
  • SOC Service Job Goals
      • Resource Planning
  • Service Maturity: If You Build It, They Will Come
  • SOC Service 1: Risk Management
      • Four Responses to Risk
      • Reducing Risk
      • Addressing Risk
  • SOC Service 2: Vulnerability Management
      • Vulnerability Management Best Practice
      • Vulnerability Scanning Tools
      • Penetration Testing
  • SOC Service 3: Compliance
      • Meeting Compliance with Audits
  • SOC Service 4: Incident Management
      • NIST Special Publication 800-61 Revision 2
      • Incident Response Planning
      • Incident Impact
      • Playbooks
  • SOC Service 5: Analysis
      • Static Analysis
      • Dynamic Analysis
  • SOC Service 6: Digital Forensics
  • SOC Service 7: Situational and Security Awareness
      • User Training
  • SOC Service 8: Research and Development
  • Summary
  • References

Chapter 4: People and Process
  • Career vs. Job
  • Developing Job Roles
      • General Schedule Pay Scale
      • IT Industry Job Roles
      • Common IT Job Roles
  • SOC Job Roles
      • Security Analyst
      • Penetration Tester
      • Assessment Officer
      • Incident Responder
      • Systems Analyst
      • Security Administrator
      • Security Engineer
      • Security Trainer
      • Security Architect
      • Cryptographer/Cryptologist
      • Forensic Engineer
      • Chief Information Security Officer
  • NICE Cybersecurity Workforce Framework
      • NICE Framework Components
  • Role Tiers
  • SOC Services and Associated Job Roles
      • Risk Management Service
      • Vulnerability Management Service
      • Incident Management Service
      • Analysis Service
      • Compliance Service
      • Digital Forensics Service
      • Situational and Security Awareness Service
      • Research and Development Service
  • Soft Skills
      • Evaluating Soft Skills
      • SOC Soft Skills
  • Security Clearance Requirements
  • Pre-Interviewing
  • Interviewing
      • Interview Prompter
      • Post Interview
  • Onboarding Employees
      • Onboarding Requirements
  • Managing People
  • Job Retention
  • Training
      • Training Methods
  • Certifications
  • Company Culture
  • Summary
  • References

Chapter 5: Centralizing Data
  • Data in the SOC
      • Strategic and Tactical Data
      • Data Structure
      • Data Types
      • Data Context
  • Data-Focused Assessment
      • Data Assessment Example: Antivirus
      • Threat Mapping Data
      • Applying Data Assessments to SOC Services
  • Logs
      • Log Types
      • Log Formats
  • Security Information and Event Management
      • SIEM Data Processing
      • Data Correlation
      • Data Enrichment
      • SIEM Solution Planning
      • SIEM Tuning
  • Troubleshooting SIEM Logging
      • SIEM Troubleshooting Part 1: Data Input
      • SIEM Troubleshooting Part 2: Data Processing and Validation
      • SIEM Troubleshooting Examples
      • Additional SIEM Features
  • APIs
      • Leveraging APIs
      • API Architectures
      • API Examples
  • Big Data
      • Hadoop
      • Big Data Threat Feeds
  • Machine Learning
      • Machine Learning in Cybersecurity
      • Artificial Intelligence
      • Machine Learning Models
  • Summary
  • References

Chapter 6: Reducing Risk and Exceeding Compliance
  • Why Exceeding Compliance
  • Policies
      • Policy Overview
      • Policy Purpose
      • Policy Scope
      • Policy Statement
      • Policy Compliance
      • Related Standards, Policies, Guidelines, and Processes
      • Definitions and Terms
      • History
  • Launching a New Policy
      • Steps for Launching a New Policy
  • Policy Enforcement
      • Certification and Accreditation
  • Procedures
      • Procedure Document
  • Tabletop Exercise
      • Tabletop Exercise Options
      • Tabletop Exercise Execution
      • Tabletop Exercise Format
      • Tabletop Exercise Template Example
  • Standards, Guidelines, and Frameworks
      • NIST Cybersecurity Framework
      • ISO/IEC 27005
      • CIS Controls
      • ISACA COBIT 2019
      • FIRST CSIRT Services Framework
      • Exceeding Compliance
  • Audits
      • Audit Example
      • Internal Audits
      • External Auditors
      • Audit Tools
  • Assessments
      • Assessment Types
      • Assessment Results
      • Assessment Template
      • Vulnerability Scanners
      • Assessment Program Weaknesses
  • Penetration Test
      • NIST Special Publication 800-115
      • Additional NIST SP 800-115 Guidance
      • Penetration Testing Types
      • Penetration Testing Planning
  • Industry Compliance
      • Compliance Requirements
  • Summary
  • References

Chapter 7: Threat Intelligence
  • Threat Intelligence Overview
      • Threat Data
  • Threat Intelligence Categories
      • Strategic Threat Intelligence
      • Tactical Threat Intelligence
      • Operational Threat Intelligence
      • Technical Threat Intelligence
  • Threat Intelligence Context
      • Threat Context
  • Evaluating Threat Intelligence
      • Threat Intelligence Checklist
      • Content Quality
      • Testing Threat Intelligence
  • Planning a Threat Intelligence Project
      • Data Expectations for Strategic Threat Intelligence
      • Data Expectations for Tactical Threat Intelligence
      • Data Expectations for Operational Threat Intelligence
      • Data Expectations for Technical Threat Intelligence
  • Collecting and Processing Intelligence
      • Processing Nontechnical Data
      • Operational Data and Web Processing
      • Technical Processing
      • Technical Threat Intelligence Resources
  • Actionable Intelligence
      • Security Tools and Threat Intelligence
  • Feedback
  • Summary
  • References

Chapter 8: Threat Hunting and Incident Response
  • Security Incidents
  • Incident Response Lifecycle
  • Phase 1: Preparation
      • Assigning Tasks with Playbooks
      • Communication
      • Third-Party Interaction
      • Law Enforcement
      • Law Enforcement Risk
      • Ticketing Systems
      • Other Incident Response Planning Templates
      • Phase 1: Preparation Summary
  • Phase 2: Detection and Analysis
      • Incident Detection
      • Core Security Capabilities
      • Threat Analysis
      • Detecting Malware Behavior
      • Infected Systems
      • Analyzing Artifacts
      • Identifying Artifact Types
      • Packing Files
      • Basic Static Analysis
      • Advanced Static Analysis
      • Dynamic Analysis
      • Phase 2: Detection and Analysis Summary
  • Phase 3: Containment, Eradication, and Recovery
      • Containment
      • Responding to Malware
      • Threat Hunting Techniques
      • Eradicate
      • Recovery
  • Digital Forensics
      • Digital Forensic Process
      • First Responder
      • Chain of Custody
      • Working with Evidence
      • Duplicating Evidence
      • Hashes
      • Forensic Static Analysis
      • Recovering Data
      • Forensic Dynamic Analysis
      • Digital Forensics Summary
      • Phase 3: Containment, Eradication, and Recovery Summary
  • Phase 4: Post-Incident Activity
      • Post-Incident Response Process
      • Phase 4: Post-Incident Response Summary
  • Incident Response Guidelines
      • FIRST Services Frameworks
  • Summary
  • References

Chapter 9: Vulnerability Management
  • Vulnerability Management
      • Phase 1: Asset Inventory
      • Phase 2: Information Management
      • Phase 3: Risk Assessment
      • Phase 4: Vulnerability Assessment
      • Phase 5: Report and Remediate
      • Phase 6: Respond and Repeat
  • Measuring Vulnerabilities
      • Common Vulnerabilities and Exposures
      • Common Vulnerability Scoring System
      • CVSS Standards
  • Vulnerability Technology
      • Vulnerability Scanners
      • Currency and Coverage
      • Tuning Vulnerability Scanners
      • Exploitation Tools
      • Asset Management and Compliance Tools
      • Network Scanners and Network Access Control
      • Threat Detection Tools
  • Vulnerability Management Service
      • Scanning Services
      • Vulnerability Management Service Roles
      • Vulnerability Evaluation Procedures
  • Vulnerability Response
      • Vulnerability Accuracy
      • Responding to Vulnerabilities
      • Cyber Insurance
      • Patching Systems
      • Residual Risk
      • Remediation Approval
      • Reporting
      • Exceptions
  • Vulnerability Management Process Summarized
  • Summary
  • References

Chapter 10: Data Orchestration
  • Introduction to Data Orchestration
      • Comparing SIEM and SOAR
      • The Rise of XDR
  • Security Orchestration, Automation, and Response
      • SOAR Example: Phantom
  • Endpoint Detection and Response
      • EDR Example: CrowdStrike
  • Playbooks
      • Playbook Components
      • Constructing Playbooks
      • Incident Response Consortium
      • Playbook Examples: Malware Outbreak
  • Automation
      • Automating Playbooks
      • Common Targets for Automation
      • Automation Pitfalls
      • Playbook Workflow
  • DevOps Programming
      • Data Management
      • Text-File Formats
      • Common Data Formats
      • Data Modeling
  • DevOps Tools
      • DevOps Targets
      • Manual DevOps
      • Automated DevOps
      • DevOps Lab Using Ansible
      • Ansible Playbooks
  • Blueprinting with Osquery
      • Running Osquery
  • Network Programmability
      • Learning NetDevOps
      • APIs
      • NetDevOps Example
  • Cloud Programmability
      • Orchestration in the Cloud
      • Amazon DevOps
      • SaaS DevOps
  • Summary
  • References

Chapter 11: Future of the SOC
  • All Eyes on SD-WAN and SASE
      • VoIP Adoption As Prologue to SD-WAN Adoption
      • Introduction of SD-WAN
      • Challenges with the Traditional WAN
      • SD-WAN to the Rescue
      • SASE Solves SD-WAN Problems
      • SASE Defined
      • Future of SASE
  • IT Services Provided by the SOC
      • IT Operations Defined
      • Hacking IT Services
      • IT Services Evolving
      • Future of IT Services
  • Future of Training
      • Training Challenges
      • Training Today
      • Case Study: Training I Use Today
      • Free Training
      • Gamifying Learning
      • On-Demand and Personalized Learning
      • Future of Training
  • Full Automation with Machine Learning
      • Machine Learning
      • Machine Learning Hurdles
      • Machine Learning Applied
      • Training Machine Learning
      • Future of Machine Learning
  • Future of Your SOC: Bringing It All Together
      • Your Future Facilities and Capabilities
      • Group Tags
      • Your Future SOC Staff
      • Audits, Assessments, and Penetration Testing
      • Future Impact to Your Services
      • Hunting for Tomorrow’s Threats
  • Summary
  • References

9780135619858   TOC    3/24/2021

About the Author:
Joseph Muniz is an architect and security researcher in the Cisco Security Sales and Engineering Organization. He is driven by making the world a safer place through education and adversary research. Joseph has extensive experience in designing security solutions and architectures as a trusted advisor for top Fortune 500 corporations and the U.S. government. Joseph is a researcher and industry thought leader. He speaks regularly at international conferences, writes for technical magazines, and is involved with developing training for various industry certifications. He invented the fictitious character of Emily Williams to create awareness around social engineering. Joseph runs The Security Blogger website, a popular resource for security and product implementation. He is the author and contributor of several publications including titles ranging from security best practices to exploitation tactics. When Joseph is not using technology, you can find him on the fútbol (soccer) field or raising the next generation of hackers, also known as his children. Follow Joseph at https://www.thesecurityblogger.com and @SecureBlogger

Product Details
  • ISBN-13: 9780135619902
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Addison Wesley
  • Language: English
  • ISBN-10: 0135619904
  • Publisher Date: 02 Jun 2021
  • Binding: Digital download
  • No of Pages: 752
