Security Operations Center
Gary McIntyre, Joey Muniz, Nadhem Alfardan
Security Operations Center
Gary McIntyre, Joey Muniz, Nadhem Alfardan
- Producent: Addison Wesley Publishing Company
- Rok produkcji: 2015
- ISBN: 9780134052014
- Ilość stron: 448
- Oprawa: Miękka
Niedostępna
Opis: Security Operations Center - Gary McIntyre, Joey Muniz, Nadhem Alfardan
Security Operations Center Building, Operating, and Maintaining Your SOC The complete, practical guide to planning, building, and operating an effective Security Operations Center (SOC) Security Operations Center is the complete guide to building, operating, and managing Security Operations Centers in any environment. Drawing on experience with hundreds of customers ranging from Fortune 500 enterprises to large military organizations, three leading experts thoroughly review each SOC model, including virtual SOCs. You'll learn how to select the right strategic option for your organization, and then plan and execute the strategy you've chosen. Security Operations Center walks you through every phase required to establish and run an effective SOC, including all significant people, process, and technology capabilities. The authors assess SOC technologies, strategy, infrastructure, governance, planning, implementation, and more. They take a holistic approach considering various commercial and open-source tools found in modern SOCs. This best-practice guide is written for anybody interested in learning how to develop, manage, or improve a SOC. A background in network security, management, and operations will be helpful but is not required. It is also an indispensable resource for anyone preparing for the Cisco SCYBER exam. * Review high-level issues, such as vulnerability and risk management, threat intelligence, digital investigation, and data collection/analysis * Understand the technical components of a modern SOC * Assess the current state of your SOC and identify areas of improvement * Plan SOC strategy, mission, functions, and services * Design and build out SOC infrastructure, from facilities and networks to systems, storage, and physical security * Collect and successfully analyze security data * Establish an effective vulnerability management practice * Organize incident response teams and measure their performance * Define an optimal governance and staffing model * Develop a practical SOC handbook that people can actually use * Prepare SOC to go live, with comprehensive transition plans * React quickly and collaboratively to security incidents * Implement best practice security operations, including continuous enhancement and improvementIntroduction xx Part I SOC Basics Chapter 1 Introduction to Security Operations and the SOC 1 Cybersecurity Challenges 1 Threat Landscape 4 Business Challenges 7 The Cloud 8 Compliance 9 Privacy and Data Protection 9 Introduction to Information Assurance 10 Introduction to Risk Management 11 Information Security Incident Response 14 Incident Detection 15 Incident Triage 16 Incident Categories 17 Incident Severity 17 Incident Resolution 18 Incident Closure 19 Post-Incident 20 SOC Generations 21 First-Generation SOC 22 Second-Generation SOC 22 Third-Generation SOC 23 Fourth-Generation SOC 24 Characteristics of an Effective SOC 24 Introduction to Maturity Models 27 Applying Maturity Models to SOC 29 Phases of Building a SOC 31 Challenges and Obstacles 32 Summary 32 References 33 Chapter 2 Overview of SOC Technologies 35 Data Collection and Analysis 35 Data Sources 37 Data Collection 38 The Syslog Protocol 39 Telemetry Data: Network Flows 45 Telemetry Data: Packet Capture 48 Parsing and Normalization 49 Security Analysis 52 Alternatives to Rule-Based Correlation 55 Data Enrichment 56 Big Data Platforms for Security 57 Vulnerability Management 58 Vulnerability Announcements 60 Threat Intelligence 62 Compliance 64 Ticketing and Case Management 64 Collaboration 65 SOC Conceptual Architecture 66 Summary 67 References 67 Part II: The Plan Phase Chapter 3 Assessing Security Operations Capabilities 69 Assessment Methodology 69 Step 1: Identify Business and IT Goals 71 Step 2: Assessing Capabilities 73 Assessing IT Processes 75 Step 3: Collect Information 82 Step 4: Analyze Maturity Levels 84 Step 5: Formalize Findings 87 The Organization's Vision and Strategy 87 The Department's Vision and Strategy 87 External and Internal Compliance Requirements 87 Organization's Threat Landscape 88 History of Previous Information Security Incidents 88 SOC Sponsorship 89 Allocated Budget 89 Presenting Data 89 Closing 90 Summary 90 References 90 Chapter 4 SOC Strategy 91 Strategy Elements 91 Who Is Involved? 92 SOC Mission 92 SOC Scope 93 Example 1: A Military Organization 94 Mission Statement 94 SOC Scope Statement 95 Example 2: A Financial Organization 95 Mission Statement 95 SOC Scope Statement 95 SOC Model of Operation 95 In-House and Virtual SOC 96 SOC Services 98 SOC Capabilities Roadmap 99 Summary 101 Part III: The Design Phase Chapter 5 The SOC Infrastructure 103 Design Considerations 103 Model of Operation 104 Facilities 105 SOC Internal Layout 106 Lighting 107 Acoustics 107 Physical Security 108 Video Wall 108 SOC Analyst Services 109 Active Infrastructure 110 Network 111 Access to Systems 112 Security 112 Compute 115 Dedicated Versus Virtualized Environment 116 Choice of Operating Systems 118 Storage 118 Capacity Planning 119 Collaboration 119 Ticketing 120 Summary 120 References 120 Chapter 6 Security Event Generation and Collection 123 Data Collection 123 Calculating EPS 124 Ubuntu Syslog Server 124 Network Time Protocol 129 Deploying NTP 130 Data-Collection Tools 134 Company 135 Product Options and Architecture 136 Installation and Maintenance 136 User Interface and Experience 136 Compliance Requirements 137 Firewalls 137 Stateless/Stateful Firewalls 137 Cisco Adaptive Security Appliance ASA 138 Application Firewalls 142 Cisco FirePOWER Services 142 Cloud Security 152 Cisco Meraki 153 Exporting Logs from Meraki 154 Virtual Firewalls 155 Cisco Virtual Firewalls 156 Host Firewalls 157 Intrusion Detection and Prevention Systems 157 Cisco FirePOWER IPS 160 Meraki IPS 161 Snort 162 Host-Based Intrusion Prevention 162 Routers and Switches 163 Host Systems 166 Mobile Devices 167 Breach Detection 168 Cisco Advanced Malware Prevention 168 Web Proxies 169 Cisco Web Security Appliance 170 Cloud Proxies 172 Cisco Cloud Web Security 172 DNS Servers 173 Exporting DNS 174 Network Telemetry with Network Flow Monitoring 174 NetFlow Tools 175 StealthWatch 177 Exporting Data from StealthWatch 179 NetFlow from Routers and Switches 182 NetFlow from Security Products 184 NetFlow in the Data Center 186 Summary 187 References 188 Chapter 7 Vulnerability Management 189 Identifying Vulnerabilities 190 Security Services 191 Vulnerability Tools 193 Handling Vulnerabilities 195 OWASP Risk Rating Methodology 197 Threat Agent Factors 198 Vulnerability Factors 198 Technical Impact Factors 200 Business Impact Factors 200 The Vulnerability Management Lifecycle 202 Automating Vulnerability Management 205 Inventory Assessment Tools 205 Information Management Tools 206 Risk-Assessment Tools 206 Vulnerability-Assessment Tools 206 Report and Remediate Tools 206 Responding Tools 207 Threat Intelligence 208 Attack Signatures 209 Threat Feeds 210 Other Threat Intelligence Sources 211 Summary 213 References 214 Chapter 8 People and Processes 215 Key Challenges 215 Wanted: Rock Stars, Leaders, and Grunts 216 The Weight of Process 216 The Upper and Lower Bounds of Technology 217 Designing and Building the SOC Team 218 Starting with the Mission 218 Focusing on Services 219 Security Monitoring Service Example 220 Determining the Required SOC Roles 223 Leadership Roles 224 Analyst Roles 224 Engineering Roles 224 Operations Roles 224 Other Support Roles 224 Working with HR 225 Job Role Analysis 225 Market Analysis 225 Organizational Structure 226 Calculating Team Numbers 227 Deciding on Your Resourcing Strategy 228 Building Your Own: The Art of Recruiting SOC Personnel 229 Working with Contractors and Service Bureaus 229 Working with Outsourcing and Managed Service Providers 230 Working with Processes and Procedures 231 Processes Versus Procedures 231 Working with Enterprise Service Management Processes 232 Event Management 232 Incident Management 233 Problem Management 233 Vulnerability Management 233 Other IT Management Processes 233 The Positives and Perils of Process 234 Examples of SOC Processes and Procedures 236 Security Service Management 236 Security Service Engineering 237 Security Service Operations 238 Security Monitoring 239 Security Incident Investigation and Response 239 Security Log Management 240 Security Vulnerability Management 241 Security Intelligence 241 Security Analytics and Reporting 242 Breach Discovery and Remediation 242 Summary 243 Part IV: The Build Phase Chapter 9 The Technology 245 In-House Versus Virtual SOC 245 Network 246 Segmentation 247 VPN 251 High Availability 253 Support Contracts 254 Security 255 Network Access Control 255 Authentication 257 On-Network Security 258 Encryption 259 Systems 260 Operating Systems 261 Hardening Endpoints 262 Endpoint Breach Detection 263 Mobile Devices 264 Servers 264 Storage 265 Data-Loss Protection 266 Cloud Storage 270 Collaboration 271 Collaboration for Pandemic Events 272 Technologies to Consider During SOC Design 273 Firewalls 273 Firewall Modes 273 Firewall Clustering 276 Firewall High Availability 276 Firewall Architecture 277 Routers and Switches 279 Securing Network Devices 280 Hardening Network Devices 280 Network Access Control 281 Deploying NAC 282 NAC Posture 284 Architecting NAC 285 Web Proxies 290 Reputation Security 290 Proxy Architecture 292 Intrusion Detection/Prevention 295 IDS IPS Architecture 295 Evaluating IDS IPS Technology 296 Tuning IDS/IPS 298 Breach Detection 300 Honeypots 301 Sandboxes 302 Endpoint Breach Detection 303 Network Telemetry 306 Enabling NetFlow 308 Architecting Network Telemetry Solutions 310 Network Forensics 312 Digital Forensics Tools 313 Final SOC Architecture 314 Summary 317 References 318 Chapter 10 Preparing to Operate 319 Key Challenges 319 People Challenges 319 Process Challenges 320 Technology Challenges 321 Managing Challenges Through a Well-Managed Transition 321 Elements of an Effective Service Transition Plan 322 Determining Success Criteria and Managing to Success 322 Deploying Against Attainable Service Levels 323 Focusing on Defined Use Cases 325 Managing Project Resources Effectively 328 Marching to Clear and Attainable Requirements 329 Staffing Requirements for Go-Live 329 Process Requirements for Go-Live 330 Technology Requirements for Go-Live 331 Using Simple Checks to Verify That the SOC Is Ready 332 People Checks 332 Process Checks 336 Technology Checks 340 Summary 346 Part V: The Operate Phase Chapter 11 Reacting to Events and Incidents 347 A Word About Events 348 Event Intake, Enrichment, Monitoring, and Handling 348 Events in the SIEM 349 Events in the Security Log Management Solution 350 Events in Their Original Habitats 350 Events Through Communications and Collaboration Platforms 350 Working with Events: The Malware Scenario 351 Handling and Investigating the Incident Report 353 Creating and Managing Cases 354 Working as a Team 355 Working with Other Parts of the Organization 357 Working with Third Parties 359 Closing and Reporting on the Case 362 Summary 363 Chapter 12 Maintain, Review, and Improve 365 Reviewing and Assessing the SOC 366 Determining Scope 366 Examining the Services 367 Personnel/Staffing 369 Processes, Procedures, and Other Operational Documentation 371 Technology 372 Scheduled and Ad Hoc Reviews 373 Internal Versus External Assessments 374 Internal Assessments 374 External Assessments 374 Assessment Methodologies 375 Maturity Model Approaches 375 Services-Oriented Approaches 376 Post-Incident Reviews 378 Maintaining and Improving the SOC 381 Maintaining and Improving Services 381 Maintain and Improving Your Team 383 Improving Staff Recruitment 383 Improving Team Training and Development 384 Improving Team Retention 386 Maintaining and Improving the SOC Technology Stack 387 Improving Threat, Anomaly, and Breach-Detection Systems 388 Improving Case and Investigation Management Systems 391 Improving Analytics and Reporting 392 Improving Technology Integration 392 Improving Security Testing and Simulation Systems 393 Improving Automated Remediation 394 Conclusions 395 9780134052014 TOC 10/12/2015
Szczegóły: Security Operations Center - Gary McIntyre, Joey Muniz, Nadhem Alfardan
Tytuł: Security Operations Center
Autor: Gary McIntyre, Joey Muniz, Nadhem Alfardan
Producent: Addison Wesley Publishing Company
ISBN: 9780134052014
Rok produkcji: 2015
Ilość stron: 448
Oprawa: Miękka
Waga: 0.73 kg