Librería Portfolio

SECURITY OPERATIONS CENTER. BUILDING, OPERATING, AND MAINTAINING YOUR SOC
Title:
SECURITY OPERATIONS CENTER. BUILDING, OPERATING, AND MAINTAINING YOUR SOC
Subtitle:
Author:
MUNIZ, J
Publisher:
PEARSON
Year of publication:
2015
Subject:
SECURITY AND CRYPTOGRAPHY
ISBN:
978-0-13-405201-4
Pages:
448
49,95 €

Synopsis

Security Operations Center

Building, Operating, and Maintaining Your SOC

The complete, practical guide to planning, building, and operating an effective Security Operations Center (SOC)

Security Operations Center is the complete guide to building, operating, and managing Security Operations Centers in any environment. Drawing on experience with hundreds of customers ranging from Fortune 500 enterprises to large military organizations, three leading experts thoroughly review each SOC model, including virtual SOCs. You'll learn how to select the right strategic option for your organization, and then plan and execute the strategy you've chosen.

Security Operations Center walks you through every phase required to establish and run an effective SOC, including all significant people, process, and technology capabilities. The authors assess SOC technologies, strategy, infrastructure, governance, planning, implementation, and more. They take a holistic approach considering various commercial and open-source tools found in modern SOCs.

This best-practice guide is written for anybody interested in learning how to develop, manage, or improve a SOC. A background in network security, management, and operations will be helpful but is not required. It is also an indispensable resource for anyone preparing for the Cisco SCYBER exam.

· Review high-level issues, such as vulnerability and risk management, threat intelligence, digital investigation, and data collection/analysis

· Understand the technical components of a modern SOC

· Assess the current state of your SOC and identify areas of improvement

· Plan SOC strategy, mission, functions, and services

· Design and build out SOC infrastructure, from facilities and networks to systems, storage, and physical security

· Collect and successfully analyze security data

· Establish an effective vulnerability management practice

· Organize incident response teams and measure their performance

· Define an optimal governance and staffing model

· Develop a practical SOC handbook that people can actually use

· Prepare the SOC to go live, with comprehensive transition plans

· React quickly and collaboratively to security incidents

· Implement best-practice security operations, including continuous enhancement and improvement

Introduction xx

Part I: SOC Basics

Chapter 1 Introduction to Security Operations and the SOC 1

Cybersecurity Challenges 1

Threat Landscape 4

Business Challenges 7

The Cloud 8

Compliance 9

Privacy and Data Protection 9

Introduction to Information Assurance 10

Introduction to Risk Management 11

Information Security Incident Response 14

Incident Detection 15

Incident Triage 16

Incident Categories 17

Incident Severity 17

Incident Resolution 18

Incident Closure 19

Post-Incident 20

SOC Generations 21

First-Generation SOC 22

Second-Generation SOC 22

Third-Generation SOC 23

Fourth-Generation SOC 24

Characteristics of an Effective SOC 24

Introduction to Maturity Models 27

Applying Maturity Models to SOC 29

Phases of Building a SOC 31

Challenges and Obstacles 32

Summary 32

References 33

Chapter 2 Overview of SOC Technologies 35

Data Collection and Analysis 35

Data Sources 37

Data Collection 38

The Syslog Protocol 39

Telemetry Data: Network Flows 45

Telemetry Data: Packet Capture 48

Parsing and Normalization 49

Security Analysis 52

Alternatives to Rule-Based Correlation 55

Data Enrichment 56

Big Data Platforms for Security 57

Vulnerability Management 58

Vulnerability Announcements 60

Threat Intelligence 62

Compliance 64

Ticketing and Case Management 64

Collaboration 65

SOC Conceptual Architecture 66

Summary 67

References 67

Part II: The Plan Phase

Chapter 3 Assessing Security Operations Capabilities 69

Assessment Methodology 69

Step 1: Identify Business and IT Goals 71

Step 2: Assessing Capabilities 73

Assessing IT Processes 75

Step 3: Collect Information 82

Step 4: Analyze Maturity Levels 84

Step 5: Formalize Findings 87

The Organization's Vision and Strategy 87

The Department's Vision and Strategy 87

External and Internal Compliance Requirements 87

Organization's Threat Landscape 88

History of Previous Information Security Incidents 88

SOC Sponsorship 89

Allocated Budget 89

Presenting Data 89

Closing 90

Summary 90

References 90

Chapter 4 SOC Strategy 91

Strategy Elements 91

Who Is Involved? 92

SOC Mission 92

SOC Scope 93

Example 1: A Military Organization 94

Mission Statement 94

SOC Scope Statement 95

Example 2: A Financial Organization 95

Mission Statement 95

SOC Scope Statement 95

SOC Model of Operation 95

In-House and Virtual SOC 96

SOC Services 98

SOC Capabilities Roadmap 99

Summary 101

Part III: The Design Phase

Chapter 5 The SOC Infrastructure 103

Design Considerations 103

Model of Operation 104

Facilities 105

SOC Internal Layout 106

Lighting 107

Acoustics 107

Physical Security 108

Video Wall 108

SOC Analyst Services 109

Active Infrastructure 110

Network 111

Access to Systems 112

Security 112

Compute 115

Dedicated Versus Virtualized Environment 116

Choice of Operating Systems 118

Storage 118

Capacity Planning 119

Collaboration 119

Ticketing 120

Summary 120

References 120

Chapter 6 Security Event Generation and Collection 123

Data Collection 123

Calculating EPS 124

Ubuntu Syslog Server 124

Network Time Protocol 129

Deploying NTP 130

Data-Collection Tools 134

Company 135

Product Options and Architecture 136

Installation and Maintenance 136

User Interface and Experience 136

Compliance Requirements 137

Firewalls 137

Stateless/Stateful Firewalls 137

Cisco Adaptive Security Appliance ASA 138

Application Firewalls 142

Cisco FirePOWER Services 142

Cloud Security 152

Cisco Meraki 153

Exporting Logs from Meraki 154

Virtual Firewalls 155

Cisco Virtual Firewalls 156

Host Firewalls 157

Intrusion Detection and Prevention Systems 157

Cisco FirePOWER IPS 160

Meraki IPS 161

Snort 162

Host-Based Intrusion Prevention 162

Routers and Switches 163

Host Systems 166

Mobile Devices 167

Breach Detection 168

Cisco Advanced Malware Prevention 168

Web Proxies 169

Cisco Web Security Appliance 170

Cloud Proxies 172

Cisco Cloud Web Security 172

DNS Servers 173

Exporting DNS 174

Network Telemetry with Network Flow Monitoring 174

NetFlow Tools 175

StealthWatch 177

Exporting Data from StealthWatch 179

NetFlow from Routers and Switches 182

NetFlow from Security Products 184

NetFlow in the Data Center 186

Summary 187

References 188

Chapter 7 Vulnerability Management 189

Identifying Vulnerabilities 190

Security Services 19