Security Operations Center: Building, Operating, and Maintaining your SOC, 1st edition
Published by Cisco Press (October 29, 2015) © 2016
- Joseph Muniz
- Gary McIntyre
- Nadhem AlFardan
Price Reduced From: $54.99
Details
- A print text
- Free shipping
- Also available for purchase as an ebook from all major ebook resellers, including InformIT.com
This product is expected to ship within 3-6 business days for US and 5-10 business days for Canadian customers.
This is the first complete guide to building, operating, managing, and maintaining Security Operations Centers in any business or organizational environment. The authors, all practicing IT security experts, review the characteristics, strengths, and weaknesses of each SOC model (including virtual SOCs). Next, they walk readers through every phase required to establish and operate an effective SOC, including all significant people, process, and technology issues.
Introduction xx
Part I: SOC Basics
Chapter 1 Introduction to Security Operations and the SOC 1
Cybersecurity Challenges 1
   Threat Landscape 4
   Business Challenges 7
       The Cloud 8
       Compliance 9
       Privacy and Data Protection 9
Introduction to Information Assurance 10
Introduction to Risk Management 11
Information Security Incident Response 14
   Incident Detection 15
   Incident Triage 16
       Incident Categories 17
       Incident Severity 17
   Incident Resolution 18
   Incident Closure 19
   Post-Incident 20
SOC Generations 21
   First-Generation SOC 22
   Second-Generation SOC 22
   Third-Generation SOC 23
   Fourth-Generation SOC 24
Characteristics of an Effective SOC 24
Introduction to Maturity Models 27
Applying Maturity Models to SOC 29
Phases of Building a SOC 31
Challenges and Obstacles 32
Summary 32
References 33
Chapter 2 Overview of SOC Technologies 35
Data Collection and Analysis 35
   Data Sources 37
   Data Collection 38
       The Syslog Protocol 39
       Telemetry Data: Network Flows 45
       Telemetry Data: Packet Capture 48
   Parsing and Normalization 49
   Security Analysis 52
       Alternatives to Rule-Based Correlation 55
       Data Enrichment 56
       Big Data Platforms for Security 57
Vulnerability Management 58
   Vulnerability Announcements 60
Threat Intelligence 62
Compliance 64
Ticketing and Case Management 64
Collaboration 65
SOC Conceptual Architecture 66
Summary 67
References 67
Part II: The Plan Phase
Chapter 3 Assessing Security Operations Capabilities 69
Assessment Methodology 69
   Step 1: Identify Business and IT Goals 71
   Step 2: Assessing Capabilities 73
       Assessing IT Processes 75
   Step 3: Collect Information 82
   Step 4: Analyze Maturity Levels 84
   Step 5: Formalize Findings 87
       The Organization’s Vision and Strategy 87
       The Department’s Vision and Strategy 87
       External and Internal Compliance Requirements 87
       Organization’s Threat Landscape 88
       History of Previous Information Security Incidents 88
       SOC Sponsorship 89
       Allocated Budget 89
       Presenting Data 89
       Closing 90
Summary 90
References 90
Chapter 4 SOC Strategy 91
Strategy Elements 91
   Who Is Involved? 92
   SOC Mission 92
   SOC Scope 93
   Example 1: A Military Organization 94
       Mission Statement 94
       SOC Scope Statement 95
   Example 2: A Financial Organization 95
       Mission Statement 95
       SOC Scope Statement 95
SOC Model of Operation 95
   In-House and Virtual SOC 96
SOC Services 98
SOC Capabilities Roadmap 99
Summary 101
Part III: The Design Phase
Chapter 5 The SOC Infrastructure 103
Design Considerations 103
Model of Operation 104
Facilities 105
   SOC Internal Layout 106
       Lighting 107
       Acoustics 107
   Physical Security 108
   Video Wall 108
   SOC Analyst Services 109
Active Infrastructure 110
   Network 111
       Access to Systems 112
   Security 112
   Compute 115
       Dedicated Versus Virtualized Environment 116
       Choice of Operating Systems 118
   Storage 118
       Capacity Planning 119
   Collaboration 119
       Ticketing 120
Summary 120
References 120
Chapter 6 Security Event Generation and Collection 123
Data Collection 123
   Calculating EPS 124
       Ubuntu Syslog Server 124
   Network Time Protocol 129
       Deploying NTP 130
   Data-Collection Tools 134
       Company 135
       Product Options and Architecture 136
       Installation and Maintenance 136
       User Interface and Experience 136
       Compliance Requirements 137
   Firewalls 137
       Stateless/Stateful Firewalls 137
        Cisco Adaptive Security Appliance (ASA) 138
       Application Firewalls 142
       Cisco FirePOWER Services 142
Cloud Security 152
   Cisco Meraki 153
       Exporting Logs from Meraki 154
   Virtual Firewalls 155
       Cisco Virtual Firewalls 156
       Host Firewalls 157
Intrusion Detection and Prevention Systems 157
   Cisco FirePOWER IPS 160
   Meraki IPS 161
   Snort 162
   Host-Based Intrusion Prevention 162
Routers and Switches 163
Host Systems 166
Mobile Devices 167
Breach Detection 168
    Cisco Advanced Malware Protection 168
   Web Proxies 169
       Cisco Web Security Appliance 170
   Cloud Proxies 172
       Cisco Cloud Web Security 172
DNS Servers 173
   Exporting DNS 174
Network Telemetry with Network Flow Monitoring 174
   NetFlow Tools 175
       StealthWatch 177
       Exporting Data from StealthWatch 179
   NetFlow from Routers and Switches 182
   NetFlow from Security Products 184
   NetFlow in the Data Center 186
Summary 187
References 188
Chapter 7 Vulnerability Management 189
Identifying Vulnerabilities 190
Security Services 191
Vulnerability Tools 193
Handling Vulnerabilities 195
   OWASP Risk Rating Methodology 197
       Threat Agent Factors 198
       Vulnerability Factors 198
       Technical Impact Factors 200
       Business Impact Factors 200
   The Vulnerability Management Lifecycle 202
Automating Vulnerability Management 205
   Inventory Assessment Tools 205
   Information Management Tools 206
   Risk-Assessment Tools 206
   Vulnerability-Assessment Tools 206
   Report and Remediate Tools 206
   Responding Tools 207
Threat Intelligence 208
   Attack Signatures 209
   Threat Feeds 210
   Other Threat Intelligence Sources 211
Summary 213
References 214
Chapter 8 People and Processes 215
Key Challenges 215
   Wanted: Rock Stars, Leaders, and Grunts 216
   The Weight of Process 216
   The Upper and Lower Bounds of Technology 217
Designing and Building the SOC Team 218
   Starting with the Mission 218
   Focusing on Services 219
       Security Monitoring Service Example 220
   Determining the Required SOC Roles 223
       Leadership Roles 224
       Analyst Roles 224
       Engineering Roles 224
       Operations Roles 224
       Other Support Roles 224
   Working with HR 225
       Job Role Analysis 225
       Market Analysis 225
       Organizational Structure 226
       Calculating Team Numbers 227
   Deciding on Your Resourcing Strategy 228
       Building Your Own: The Art of Recruiting SOC Personnel 229
       Working with Contractors and Service Bureaus 229
       Working with Outsourcing and Managed Service Providers 230
Working with Processes and Procedures 231
   Processes Versus Procedures 231
   Working with Enterprise Service Management Processes 232
       Event Management 232
       Incident Management 233
       Problem Management 233
       Vulnerability Management 233
       Other IT Management Processes 233
   The Positives and Perils of Process 234
   Examples of SOC Processes and Procedures 236
       Security Service Management 236
       Security Service Engineering 237
       Security Service Operations 238
       Security Monitoring 239
       Security Incident Investigation and Response 239
       Security Log Management 240
       Security Vulnerability Management 241
       Security Intelligence 241
       Security Analytics and Reporting 242
       Breach Discovery and Remediation 242
Summary 243
Part IV: The Build Phase
Chapter 9 The Technology 245
In-House Versus Virtual SOC 245
Network 246
   Segmentation 247
   VPN 251
   High Availability 253
   Support Contracts 254
Security 255
   Network Access Control 255
   Authentication 257
   On-Network Security 258
   Encryption 259
Systems 260
   Operating Systems 261
   Hardening Endpoints 262
   Endpoint Breach Detection 263
   Mobile Devices 264
   Servers 264
Storage 265
   Data-Loss Protection 266
   Cloud Storage 270
Collaboration 271
   Collaboration for Pandemic Events 272
Technologies to Consider During SOC Design 273
   Firewalls 273
       Firewall Modes 273
       Firewall Clustering 276
       Firewall High Availability 276
       Firewall Architecture 277
   Routers and Switches 279
       Securing Network Devices 280
       Hardening Network Devices 280
   Network Access Control 281
       Deploying NAC 282
       NAC Posture 284
       Architecting NAC 285
   Web Proxies 290
       Reputation Security 290
       Proxy Architecture 292
   Intrusion Detection/Prevention 295
        IDS/IPS Architecture 295
        Evaluating IDS/IPS Technology 296
       Tuning IDS/IPS 298
Breach Detection 300
   Honeypots 301
   Sandboxes 302
   Endpoint Breach Detection 303
   Network Telemetry 306
       Enabling NetFlow 308
       Architecting Network Telemetry Solutions 310
   Network Forensics 312
       Digital Forensics Tools 313
Final SOC Architecture 314
Summary 317
References 318
Chapter 10 Preparing to Operate 319
Key Challenges 319
   People Challenges 319
   Process Challenges 320
   Technology Challenges 321
Managing Challenges Through a Well-Managed Transition 321
   Elements of an Effective Service Transition Plan 322
   Determining Success Criteria and Managing to Success 322
       Deploying Against Attainable Service Levels 323
       Focusing on Defined Use Cases 325
   Managing Project Resources Effectively 328
   Marching to Clear and Attainable Requirements 329
       Staffing Requirements for Go-Live 329
       Process Requirements for Go-Live 330
       Technology Requirements for Go-Live 331
   Using Simple Checks to Verify That the SOC Is Ready 332
       People Checks 332
       Process Checks 336
       Technology Checks 340
Summary 346
Part V: The Operate Phase
Chapter 11 Reacting to Events and Incidents 347
A Word About Events 348
Event Intake, Enrichment, Monitoring, and Handling 348
   Events in the SIEM 349
   Events in the Security Log Management Solution 350
   Events in Their Original Habitats 350
   Events Through Communications and Collaboration Platforms 350
   Working with Events: The Malware Scenario 351
   Handling and Investigating the Incident Report 353
   Creating and Managing Cases 354
       Working as a Team 355
       Working with Other Parts of the Organization 357
       Working with Third Parties 359
Closing and Reporting on the Case 362
Summary 363
Chapter 12 Maintain, Review, and Improve 365
Reviewing and Assessing the SOC 366
   Determining Scope 366
       Examining the Services 367
       Personnel/Staffing 369
       Processes, Procedures, and Other Operational Documentation 371
       Technology 372
   Scheduled and Ad Hoc Reviews 373
   Internal Versus External Assessments 374
       Internal Assessments 374
       External Assessments 374
   Assessment Methodologies 375
       Maturity Model Approaches 375
       Services-Oriented Approaches 376
       Post-Incident Reviews 378
Maintaining and Improving the SOC 381
   Maintaining and Improving Services 381
    Maintaining and Improving Your Team 383
       Improving Staff Recruitment 383
       Improving Team Training and Development 384
       Improving Team Retention 386
   Maintaining and Improving the SOC Technology Stack 387
       Improving Threat, Anomaly, and Breach-Detection Systems 388
       Improving Case and Investigation Management Systems 391
       Improving Analytics and Reporting 392
       Improving Technology Integration 392
       Improving Security Testing and Simulation Systems 393
       Improving Automated Remediation 394
Conclusions 395
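The sections "The Syslog Protocol" and "Parsing and Normalization" (Chapter 2) and "Calculating EPS" (Chapter 6) cover the collector-side groundwork every SOC needs. As an added example that is not code from the book or its authors, the Python script below parses both syslog line formats a collector sees in practice (RFC 3164 BSD-style and RFC 5424), decodes the PRI header into facility and severity, normalizes both into one record shape, and buckets events by second to derive peak and average EPS for collector sizing. The log lines are constructed for the example; the year assumed for RFC 3164 timestamps (which carry none) and the UTC assumption for zone-less timestamps are the script's own, not anything the book states.

```python
"""Syslog parsing, normalization and events-per-second (EPS) sizing.

Added example, not code from the book: handles the two syslog line
formats a collector sees in practice, normalizes them into one record
shape and derives peak/average EPS from the timestamps.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# RFC 5424: <PRI>VERSION TIMESTAMP HOST APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample input: mixed formats plus one line a collector must not choke on.
SAMPLE_LOG = """\
<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for root from 203.0.113.5 port 41234 ssh2
<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for root from 203.0.113.5 port 41236 ssh2
<134>1 2015-10-11T22:14:15.003Z web01 nginx 5678 - - 198.51.100.7 GET /login 200
<34>Oct 11 22:14:16 fw01 sshd[1234]: Failed password for admin from 203.0.113.5 port 41240 ssh2
<134>1 2015-10-11T22:14:17.120Z web01 nginx 5678 - - 198.51.100.7 POST /login 401
garbage line without a PRI header
"""


def parse_syslog(line, assume_year=2015):
    """Return a normalized record for one syslog line, or None if it does not parse.

    RFC 3164 timestamps carry no year or zone; assume_year and UTC are assumptions
    of this example (a real collector stamps receive time and zone itself).
    """
    m = RFC5424_RE.match(line)
    if m:
        fmt = "rfc5424"
        ts_text = m["ts"]
        ts = None if ts_text == "-" else datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
        pid = None if m["pid"] == "-" else m["pid"]
        msg = m["msg"] or ""
    else:
        m = RFC3164_RE.match(line)
        if not m:
            return None
        fmt = "rfc3164"
        ts = datetime.strptime(f"{assume_year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pid = m["pid"]
        msg = m["msg"]
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility * 8 + severity; 23 * 8 + 7 is the maximum
        return None
    if ts is not None and ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: zone-less timestamps are UTC
    return {
        "format": fmt,
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": ts,
        "host": m["host"],
        "app": m["app"],
        "pid": pid,
        "msg": msg,
    }


def compute_eps(records):
    """Bucket records by whole second; report total, span, peak and average EPS."""
    per_second = Counter(
        r["timestamp"].replace(microsecond=0) for r in records if r["timestamp"] is not None
    )
    if not per_second:
        return {"total": 0, "span_seconds": 0, "peak_eps": 0, "avg_eps": 0.0}
    span = int((max(per_second) - min(per_second)).total_seconds()) + 1
    total = sum(per_second.values())
    return {"total": total, "span_seconds": span,
            "peak_eps": max(per_second.values()), "avg_eps": total / span}


def analyze_log(text):
    """Parse every line; return (records, unparsed_count, eps_stats)."""
    records, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_syslog(line)
        if rec is None:
            unparsed += 1  # count, never drop silently: unparsed lines are an EPS blind spot
        else:
            records.append(rec)
    return records, unparsed, compute_eps(records)


if __name__ == "__main__":
    recs, bad, stats = analyze_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['timestamp'].isoformat()} {r['host']} {r['app']} "
              f"{r['facility']}.{r['severity']} {r['msg']}")
    print(f"unparsed={bad} {stats}")
```

Size a collector on peak EPS rather than the average: the sample shows three events landing in the same second even though the average over the window is under two per second, and it is the burst that overflows UDP receive buffers and drops events. The unparsed count matters for the same reason; lines that fail to parse are still load on the collector and, if they are silently discarded, a gap in monitoring coverage.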
9780134052014 TOC 10/12/2015