Security Operations Center - Analyst Guide
eBook - ePub

SIEM Technology, Use Cases and Practices

About this book

Security analytics can be defined as the process of continuously monitoring and analyzing all activity in an enterprise network so that security breaches are kept to a minimum. A security analyst is the individual qualified to perform the functions needed to meet the organization's security monitoring goals. This book is intended to improve the ability of a security analyst to carry out day-to-day work in a more professional manner, which requires deeper knowledge of tools, processes and technology.
A firm understanding of all the domains covered in this book is vital to acquiring the skill set of a professional security analyst. This book attempts to address the problems associated with content development (use cases and correlation rules) for SIEM deployments.

Security Operations Center - Analyst Guide, by Arun Thomas, is available in PDF and ePUB format under Computer Science & Information Technology.

Information

Module 1

Security Operations Center Fundamentals

Why do we need a SOC?

The Security Operations Center plays a significant role in the real-time detection of threats and in post-threat response. Several tools and solutions are in use in SOC environments, and this book takes you through the must-know SOC technologies and tools. The Security Operations Center is the place where all network devices, security solutions, applications and database systems are monitored. The SOC also handles the periodic assessment of threats through vulnerability management tools, network security monitoring solutions and continuous security monitoring products. Endpoint security management, incident response and compliance monitoring are other major functions of the Security Operations Center team.
SOC Challenges
There are several challenges in security monitoring; the following sections describe them in more detail.
Amount of Data
SOC tools must be able to handle very large volumes of data from disparate systems, platforms and applications. Security monitoring solutions act as the collection and aggregation points for logs, so the volume of data collected must not create performance or throughput problems. Performance issues may directly interrupt monitoring services or, for MSSPs, cause SLA violations, and missing raw or indexed logs result in compliance violations. It is therefore extremely important to evaluate the throughput and efficiency of a SOC solution before selecting and deploying it in your SOC.
Log rate limiting is a common practice used to reduce the volume of logs aggregated at SOC collection points, log managers or SIEM collectors. Log rate limiting policies cap the number of logs generated at the event source itself, which keeps consumption of your SIEM's Events Per Second (EPS) based license under control.
However, rate limiting is not always priority driven. Most network security vendors do not offer selective rate limiting, so you may miss highly critical logs as a result of implementing log rate limiting.
Along with rate limiting, organizations may also have control over the type or class of logs generated by their security systems; Cisco IOS, for example, allows logs to be generated selectively. Example 1 shows the log rate limiting policy configuration on a Cisco router.
In that example the logging rate-limit configuration command limits the number of syslog packets sent to the syslog server to 20 events per second. It is a selective rate limiting configuration because the policing does not apply to "warning" category logs.
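The added example below (not the book's Example 1, and not vendor code) simulates a 20 events-per-second limiter over a constructed burst of syslog events, once without and once with a severity exemption, to show how non-selective rate limiting silently drops the one critical event. It assumes that an "except <severity>" style exemption lets events at that severity or more severe bypass the limiter.

```python
"""Simulate per-second syslog rate limiting with and without a severity
exemption. Added example with a constructed event burst; it is not the
book's Example 1 and the exemption semantics are an assumption."""
from collections import defaultdict

# Syslog severity numbers: a lower number means a more severe message.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def rate_limit(events, limit, except_severity=None):
    """Forward at most `limit` events per one-second window.

    events: list of (timestamp_seconds, severity_name, message).
    except_severity: if given, events at this severity or more severe
    bypass the limiter (assumed semantics of an 'except' exemption).
    Returns (forwarded, dropped) lists."""
    exempt_level = SEVERITY[except_severity] if except_severity else -1
    sent_in_window = defaultdict(int)
    forwarded, dropped = [], []
    for ts, sev, msg in events:
        if SEVERITY[sev] <= exempt_level:
            forwarded.append((ts, sev, msg))  # exempt, never policed
            continue
        window = int(ts)
        if sent_in_window[window] < limit:
            sent_in_window[window] += 1
            forwarded.append((ts, sev, msg))
        else:
            dropped.append((ts, sev, msg))  # lost at the event source
    return forwarded, dropped

def build_burst():
    """Constructed burst: 40 informational events inside one second,
    followed by a single critical event late in the same second."""
    events = [(i / 40, "info", f"ICMP echo from host-{i}") for i in range(40)]
    events.append((0.99, "crit", "Login failed for admin from untrusted host"))
    return events

def critical_survives(limit, except_severity=None):
    """True if no critical event is dropped under the given policy."""
    _, dropped = rate_limit(build_burst(), limit, except_severity)
    return not any(sev == "crit" for _, sev, _ in dropped)

if __name__ == "__main__":
    for policy in (None, "warning"):
        fwd, drp = rate_limit(build_burst(), 20, policy)
        print(f"except={policy}: forwarded={len(fwd)} dropped={len(drp)} "
              f"critical kept={critical_survives(20, policy)}")
```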
Numerous End-points and Billions of Logs
Enterprise networks contain many sets of network infrastructure and security devices, all of which generate logs; in addition, thousands of end users connect to the corporate network over wireless or mobile networks. Present security controls do not account for peer-to-peer communication between connected wireless or cellular endpoints. Recent developments in networking such as SDN (Software Defined Networking) are slowly redefining the network infrastructure architecture itself, which creates a need for revised information security policy and logging configuration. Organizations increasingly use cloud-deployed instances and applications; most of these are business critical, and so are the logs they generate.
Sophisticated Attacks
It is quite difficult to detect modern sophisticated attacks at the outset just by monitoring, collecting and correlating the logs generated by different endpoints. Most of the time the characteristics of the threat are identified only by deep post-threat analysis.
For example, detecting the "lateral movement" of an Advanced Persistent Threat (APT) needs cross-correlation of multiple logs from different event sources.
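As an added example of the cross-source correlation just described (not a rule from the book or any SIEM product), the following toy correlation rule normalises constructed Windows network-logon events and Linux sshd login lines into one schema and flags an account whose logons fan out to several distinct hosts inside a short window. The log layouts, hostnames, users and thresholds are all constructed for illustration.

```python
"""Toy SIEM correlation rule: flag an account whose successful network
logons reach several distinct hosts inside a short window, correlating
events from two different log sources. Added example; the log lines and
their formats are constructed, not taken from any product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source 1: Windows Security event 4624 with logon type 3 (network logon).
WIN_RE = re.compile(r"^(\S+) host=(\S+) EventID=4624 LogonType=3 user=(\S+) src=(\S+)$")
# Source 2: a Linux sshd accepted-login line, in the same constructed layout.
SSH_RE = re.compile(r"^(\S+) host=(\S+) sshd: Accepted publickey for (\S+) from (\S+)$")

def parse(line):
    """Normalise either format to (time, user, dest_host, src_ip), else None."""
    for rx in (WIN_RE, SSH_RE):
        m = rx.match(line)
        if m:
            ts, host, user, src = m.groups()
            return datetime.fromisoformat(ts), user.lower(), host, src
    return None

def lateral_movement_alerts(lines, min_hosts=3, window=timedelta(minutes=10)):
    """Return {user: sorted destination hosts} for each user whose logons to
    at least `min_hosts` distinct hosts all fall inside one `window`."""
    per_user = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            per_user[ev[1]].append(ev)
    alerts = {}
    for user, evs in per_user.items():
        evs.sort()  # chronological; the window slides from each event
        for i, (t0, _, _, _) in enumerate(evs):
            hosts = {h for t, _, h, _ in evs[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts[user] = sorted(hosts)
                break
    return alerts

SAMPLE_LOGS = [  # constructed: jdoe fans out to three hosts in six minutes
    "2024-01-10T09:00:05 host=WS01 EventID=4624 LogonType=3 user=jdoe src=10.0.0.5",
    "2024-01-10T09:03:12 host=FS01 EventID=4624 LogonType=3 user=jdoe src=10.0.1.20",
    "2024-01-10T09:05:40 host=build01 sshd: Accepted publickey for jdoe from 10.0.1.20",
    "2024-01-10T09:01:00 host=WS07 EventID=4624 LogonType=3 user=asmith src=10.0.0.9",
    "2024-01-10T13:30:00 host=FS01 EventID=4624 LogonType=3 user=asmith src=10.0.0.9",
]

if __name__ == "__main__":
    print(lateral_movement_alerts(SAMPLE_LOGS))  # {'jdoe': ['FS01', 'WS01', 'build01']}
```

In a real deployment the per-user event lists would be maintained as streaming state and the window and host threshold tuned against the baseline of legitimate administrative activity.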
Regulatory Compliance Requirements
Compliance standards mandate retention of security data. Logs should be archived so that auditors can easily go back to logs from previous years to trace security breaches. The type of security data needed, the penalties for non-compliance and the minimum retention period vary by regulation.
No organization will want to take the risk of not retaining logs as required by compliance. Non-compliance may result in large monetary fines and civil or executive liability; moreover, having the organization's name associated with a security breach damages the trust its customers place in it and threatens the existence of the business itself.
The table below lists the retention requirements of different compliance standards.
SOC Services
The SOC operates 24 hours a day, seven days a week. Typical services offered by a SOC are:
  • Continuous Threat monitoring and Incident Detection
  • Incident Response
  • Threat Mitigation
  • Rule/Signature updates
  • Threat Intelligence Integration
  • Vulnerability Assessment
  • Web Application Scanning
  • Compliance Monitoring
  • Managed Devices
Continuous Threat Monitoring and Incident Detection
This is achieved by monitoring SIM/SIEM consoles, IPS/IDS consoles, AV/AS/UTM consoles and DLP/SIV/endpoint security consoles.
Incident Response
This includes preliminary incident response, isolation of threats and coordination of the different functional teams responsible for threat mitigation. Incident response is one of the major functions of the Security Operations team.
Threat Mitigation
Most of the time SOC team members play a significant role in threat mitigation; they also do ...

Table of contents

  1. Security Operation Center – Analyst Guide
  2. Module 1
  3. Module 2
  4. Module 3
  5. Module 4
  6. Module 5
  7. Answers to Review Questions