Security Operations Center: Building, Operating, and Maintaining your SOC

Series
Cisco Press
Author
Joseph Muniz / Gary McIntyre / Nadhem AlFardan  
Publisher
Pearson
Cover
Softcover
Edition
1
Language
English
Total pages
448
Pub.-date
October 2015
ISBN13
9780134052014
ISBN
0134052013

Product detail

ISBN13: 9780134052014
Product: Security Operations Center: Building, Operating, and Maintaining your SOC
Price (CHF): 60.50
Available: approx. 7-9 days

Description

This is the first complete guide to building, operating, and managing Security Operations Centers in any business or organizational environment. Two leading IT security experts review the characteristics, strengths, and weaknesses of each SOC model (including virtual SOCs). Next, they walk students through every phase required to establish and operate an effective SOC, including all significant people, process, and technology issues.

Features

  • How to organize IT security for an era of unprecedented, fast-changing, and increasingly complex threats
  • Thoroughly introduces SOC roles, technologies, and use cases
  • Helps students systematically assess the maturity of existing security operation environments, and then improve them
  • Guides students through developing their own SOC "playbook"

Table of Contents

Introduction xx

Part I: SOC Basics

Chapter 1 Introduction to Security Operations and the SOC 1

Cybersecurity Challenges 1

Threat Landscape 4

Business Challenges 7

 The Cloud 8

 Compliance 9

 Privacy and Data Protection 9

Introduction to Information Assurance 10

Introduction to Risk Management 11

Information Security Incident Response 14

Incident Detection 15

Incident Triage 16

 Incident Categories 17

 Incident Severity 17

Incident Resolution 18

Incident Closure 19

Post-Incident 20

SOC Generations 21

First-Generation SOC 22

Second-Generation SOC 22

Third-Generation SOC 23

Fourth-Generation SOC 24

Characteristics of an Effective SOC 24

Introduction to Maturity Models 27

Applying Maturity Models to SOC 29

Phases of Building a SOC 31

Challenges and Obstacles 32

Summary 32

References 33

Chapter 2 Overview of SOC Technologies 35

Data Collection and Analysis 35

Data Sources 37

Data Collection 38

 The Syslog Protocol 39

 Telemetry Data: Network Flows 45

 Telemetry Data: Packet Capture 48

Parsing and Normalization 49

Security Analysis 52

 Alternatives to Rule-Based Correlation 55

 Data Enrichment 56

 Big Data Platforms for Security 57

Vulnerability Management 58

Vulnerability Announcements 60

Threat Intelligence 62

Compliance 64

Ticketing and Case Management 64

Collaboration 65

SOC Conceptual Architecture 66

Summary 67

References 67

Part II: The Plan Phase

Chapter 3 Assessing Security Operations Capabilities 69

Assessment Methodology 69

Step 1: Identify Business and IT Goals 71

Step 2: Assessing Capabilities 73

 Assessing IT Processes 75

Step 3: Collect Information 82

Step 4: Analyze Maturity Levels 84

Step 5: Formalize Findings 87

 The Organization’s Vision and Strategy 87

 The Department’s Vision and Strategy 87

 External and Internal Compliance Requirements 87

 Organization’s Threat Landscape 88

 History of Previous Information Security Incidents 88

 SOC Sponsorship 89

 Allocated Budget 89

 Presenting Data 89

 Closing 90

Summary 90

References 90

Chapter 4 SOC Strategy 91

Strategy Elements 91

Who Is Involved? 92

SOC Mission 92

SOC Scope 93

Example 1: A Military Organization 94

 Mission Statement 94

 SOC Scope Statement 95

Example 2: A Financial Organization 95

 Mission Statement 95

 SOC Scope Statement 95

SOC Model of Operation 95

In-House and Virtual SOC 96

SOC Services 98

SOC Capabilities Roadmap 99

Summary 101

Part III: The Design Phase

Chapter 5 The SOC Infrastructure 103

Design Considerations 103

Model of Operation 104

Facilities 105

SOC Internal Layout 106

 Lighting 107

 Acoustics 107

Physical Security 108

Video Wall 108

SOC Analyst Services 109

Active Infrastructure 110

Network 111

 Access to Systems 112

Security 112

Compute 115

 Dedicated Versus Virtualized Environment 116

 Choice of Operating Systems 118

Storage 118

 Capacity Planning 119

Collaboration 119

 Ticketing 120

Summary 120

References 120

Chapter 6 Security Event Generation and Collection 123

Data Collection 123

Calculating EPS 124

 Ubuntu Syslog Server 124

Network Time Protocol 129

 Deploying NTP 130

Data-Collection Tools 134

 Company 135

 Product Options and Architecture 136

 Installation and Maintenance 136

 User Interface and Experience 136

 Compliance Requirements 137

Firewalls 137

 Stateless/Stateful Firewalls 137

 Cisco Adaptive Security Appliance ASA 138

 Application Firewalls 142

 Cisco FirePOWER Services 142

Cloud Security 152

Cisco Meraki 153

 Exporting Logs from Meraki 154

Virtual Firewalls 155

 Cisco Virtual Firewalls 156

 Host Firewalls 157

Intrusion Detection and Prevention Systems 157

Cisco FirePOWER IPS 160

Meraki IPS 161

Snort 162

Host-Based Intrusion Prevention 162

Routers and Switches 163

Host Systems 166

Mobile Devices 167

Breach Detection 168

Cisco Advanced Malware Prevention 168

Web Proxies 169

 Cisco Web Security Appliance 170

Cloud Proxies 172

 Cisco Cloud Web Security 172

DNS Servers 173

Exporting DNS 174

Network Telemetry with Network Flow Monitoring 174

NetFlow Tools 175

 StealthWatch 177

 Exporting Data from StealthWatch 179

NetFlow from Routers and Switches 182

NetFlow from Security Products 184

NetFlow in the Data Center 186

Summary 187

References 188

Chapter 7 Vulnerability Management 189

Identifying Vulnerabilities 190

Security Services 191

Vulnerability Tools 193

Handling Vulnerabilities 195

OWASP Risk Rating Methodology 197

 Threat Agent Factors 198

 Vulnerability Factors 198

 Technical Impact Factors 200

 Business Impact Factors 200

The Vulnerability Management Lifecycle 202

Automating Vulnerability Management 205

Inventory Assessment Tools 205

Information Management Tools 206

Risk-Assessment Tools 206

Vulnerability-Assessment Tools 206

Report and Remediate Tools 206

Responding Tools 207

Threat Intelligence 208

Attack Signatures 209

Threat Feeds 210

Other Threat Intelligence Sources 211

Summary 213

References 214

Chapter 8 People and Processes 215

Key Challenges 215

Wanted: Rock Stars, Leaders, and Grunts 216

The Weight of Process 216

The Upper and Lower Bounds of Technology 217

Designing and Building the SOC Team 218

Starting with the Mission 218

Focusing on Services 219

 Security Monitoring Service Example 220

Determining the Required SOC Roles 223

 Leadership Roles 224

 Analyst Roles 224

 Engineering Roles 224

 Operations Roles 224

 Other Support Roles 224

Working with HR 225

 Job Role Analysis 225

 Market Analysis 225

 Organizational Structure 226

 Calculating Team Numbers 227

Deciding on Your Resourcing Strategy 228

 Building Your Own: The Art of Recruiting SOC Personnel 229

 Working with Contractors and Service Bureaus 229

 Working with Outsourcing and Managed Service Providers 230

Working with Processes and Procedures 231

Processes Versus Procedures 231

Working with Enterprise Service Management Processes 232

 Event Management 232

 Incident Management 233

 Problem Management 233

 Vulnerability Management 233

 Other IT Management Processes 233

The Positives and Perils of Process 234

Examples of SOC Processes and Procedures 236

 Security Service Management 236

 Security Service Engineering 237

 Security Service Operations 238

 Security Monitoring 239

 Security Incident Investigation and Response 239

 Security Log Management 240

 Security Vulnerability Management 241

 Security Intelligence 241

 Security Analytics and Reporting 242

 Breach Discovery and Remediation 242

Summary 243

Part IV: The Build Phase

Chapter 9 The Technology 245

In-House Versus Virtual SOC 245

Network 246

Segmentation 247

VPN 251

High Availability 253

Support Contracts 254

Security 255

Network Access Control 255

Authentication 257

On-Network Security 258

Encryption 259

Systems 260

Operating Systems 261

Hardening Endpoints 262

Endpoint Breach Detection 263

Mobile Devices 264

Servers 264

Storage 265

Data-Loss Protection 266

Cloud Storage 270

Collaboration 271

Collaboration for Pandemic Events 272

Technologies to Consider During SOC Design 273

Firewalls 273

 Firewall Modes 273

 Firewall Clustering 276

 Firewall High Availability 276

 Firewall Architecture 277

Routers and Switches 279

 Securing Network Devices 280

 Hardening Network Devices 280

Network Access Control 281

 Deploying NAC 282

 NAC Posture 284

 Architecting NAC 285

Web Proxies 290

 Reputation Security 290

 Proxy Architecture 292

Intrusion Detection/Prevention 295

 IDS IPS Architecture 295

 Evaluating IDS IPS Technology 296

 Tuning IDS/IPS 298

Breach Detection 300

Honeypots 301

Sandboxes 302

Endpoint Breach Detection 303

Network Telemetry 306

 Enabling NetFlow 308

 Architecting Network Telemetry Solutions 310

Network Forensics 312

 Digital Forensics Tools 313

Final SOC Architecture 314

Summary 317

References 318

Chapter 10 Preparing to Operate 319

Key Challenges 319

People Challenges 319

Process Challenges 320

Technology Challenges 321

Managing Challenges Through a Well-Managed Transition 321

Elements of an Effective Service Transition Plan 322

Determining Success Criteria and Managing to Success 322

 Deploying Against Attainable Service Levels 323

 Focusing on Defined Use Cases 325

Managing Project Resources Effectively 328

Marching to Clear and Attainable Requirements 329

 Staffing Requirements for Go-Live 329

 Process Requirements for Go-Live 330

 Technology Requirements for Go-Live 331

Using Simple Checks to Verify That the SOC Is Ready 332

 People Checks 332

 Process Checks 336

 Technology Checks 340

Summary 346

Part V: The Operate Phase

Chapter 11 Reacting to Events and Incidents 347

A Word About Events 348

Event Intake, Enrichment, Monitoring, and Handling 348

Events in the SIEM 349

Events in the Security Log Management Solution 350

Events in Their Original Habitats 350

Events Through Communications and Collaboration Platforms 350

Working with Events: The Malware Scenario 351

Handling and Investigating the Incident Report 353

Creating and Managing Cases 354

 Working as a Team 355

 Working with Other Parts of the Organization 357

 Working with Third Parties 359

Closing and Reporting on the Case 362

Summary 363

Chapter 12 Maintain, Review, and Improve 365

Reviewing and Assessing the SOC 366

Determining Scope 366

 Examining the Services 367

 Personnel/Staffing 369

 Processes, Procedures, and Other Operational Documentation 371

 Technology 372

Scheduled and Ad Hoc Reviews 373

Internal Versus External Assessments 374

 Internal Assessments 374

 External Assessments 374

Assessment Methodologies 375

 Maturity Model Approaches 375

 Services-Oriented Approaches 376

 Post-Incident Reviews 378

Maintaining and Improving the SOC 381

Maintaining and Improving Services 381

Maintaining and Improving Your Team 383

 Improving Staff Recruitment 383

 Improving Team Training and Development 384

 Improving Team Retention 386

Maintaining and Improving the SOC Technology Stack 387

 Improving Threat, Anomaly, and Breach-Detection Systems 388

 Improving Case and Investigation Management Systems 391

 Improving Analytics and Reporting 392

 Improving Technology Integration 392

 Improving Security Testing and Simulation Systems 393

 Improving Automated Remediation 394

Conclusions 395

9780134052014 TOC 10/12/2015

Authors

Joseph Muniz is a consultant at Cisco Systems and a security researcher. Joseph started his career in software development and later managed networks as a contracted technical resource. Joseph moved into consulting and found a passion for security while meeting with a variety of customers. He has been involved with the design and implementation of multiple projects, ranging from Fortune 500 corporations to large federal networks. Joseph is the author of and contributor to several books and is a speaker at popular security conferences. Check out his blog, http://www.thesecurityblogger.com, which showcases the latest security events, research, and technologies.

Gary McIntyre is a seasoned information security professional focusing on the development and operation of large-scale information security programs. As an architect, manager, and consultant, he has worked with a wide range of public and private sector organizations around the world to design, build, and maintain small to large security operations teams. He currently holds a Master's degree from the University of Toronto and has also been a long-time (ISC)2 instructor.

Dr. Nadhem AlFardan has more than 15 years of experience in the area of information security and holds a Ph.D. in Information Security from Royal Holloway, University of London. Nadhem is a senior security solution architect working for Cisco Systems. Before joining Cisco, he worked for Schlumberger and HSBC. Nadhem is CISSP certified and is an ISO 27001 lead auditor. He is also CCIE Security certified. In his Ph.D. research, Nadhem published a number of papers in prestigious conferences, such as IEEE S&P and USENIX Security, mainly on cryptanalysis topics. His work involved collaborating with organizations such as Google, Microsoft, Cisco, Mozilla, OpenSSL, and many others, mainly to help them assess and fix major findings in the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol. His work is referenced in a number of IETF standards.