SOC Management

مهدی میرسلطانی

• پیشرفته
• مسیر آبی
• ۵ درس

درباره‌ی این دوره

این دوره به چه افرادی توصیه می‌شود؟

• مدیران مراکز عملیات امنیت
• راهبران امنیت
• اعضای جدید تیم‌های مرکز عملیات امنیت
• راهبران و کارشناسان ارشد تحلیل
• مدیران ارشد امنیت اطلاعات سازمان‌ها

برای حضور در این دوره چه دانش‌هایی باید داشته باشم؟

• آشنایی با مفاهیم، تعاریف امنیت و حمله‌های سایبری
• آشنایی با مفاهیم شبکه
• آشنایی با مفاهیم و تعاریف تحلیل وقایع و لاگ
• حداقل دو سال تجربه‌ی کار در زمینه‌ی امنیت سایبری
• آشنایی با حمله‌ها در سطح APT

• SOC Design and Operational Planning
  • Introduction
    • What we are up against/industry surveys
    • The average SOC
    • What top-performing SOCs have in common
    • SOC trends
    • Class goals
  • SOC Functions
    • High-level SOC diagram
    • SOC functions
    • Core activities
    • Auxiliary functions
  • SOC Planning
    • Do you need a dedicated internal SOC?
    • What is and what is not a SOC?
    • Mission and purpose
    • Requirements
    • Standards and frameworks
    • Policies
    • Roles
    • Staffing levels
    • Constituency
    • Steering committee
    • Services/Capabilities
    • Charter
  • Team Creation, Hiring, and Training
    • Organizational charts
    • Choosing a tiered vs. tierless SOC
    • Building a dream team
    • Interviewing tips and techniques
    • Interviewing mistakes and avoiding bias
    • Training plans
  • Building the SOC
    • Physical space
    • Analyst/SOC IT considerations
    • Protecting SOC data
  • SOC Tools and Technology
    • Foundational network and endpoint collection and detection technologies
    • “Next-gen” must-have capabilities
    • Advanced detection technologies
    • Analyst core toolset
    • Live response tools
    • Playbooks and SOAR
    • Planning tools and frameworks
  • SOC Enclave and Networking
    • Requirements for SOC connectivity
    • Protecting SOC Data
    • SOC networking
    • SOC data flow
• SOC Telemetry and Analysis
  • Cyber Defense Theory and Mental Models
    • Ops Tempo and the OODA Loop
    • Threat modeling
    • MITRE ATT&CK/Kill Chain
    • Threat Intel – F3EAD
    • Pyramid of pain and analytic types
    • The SOC as an “infinite game”
  • Prevention and the Future of Security
    • Defensible network architecture
    • Hardening at the network and host level
    • Zero trust best practices
    • Identity security
    • Balancing productivity and security
  • SOC Data Collection
    • The SOC data collection system
    • Open-source NSM and host-data tools
    • Collection issues
    • Tactical log collection
    • Audit policy flexibility
    • Most important data sources
    • How to collect data
    • Parsing, filtering, enrichment, and storage
    • Secure protocols and encrypted traffic analysis
  • Other Monitoring Use Cases
    • DevOps telemetry
    • Chaos engineering and security monitoring
    • Supply chain security
    • Business e-mail compromise
    • Insider threat
    • Major breach case studies
  • Using MITRE ATT&CK to Plan Collection
    • Key data sources
    • Defense mapping
    • Assessing your capabilities using DETT&CT
  • Cyber Threat Intelligence
    • Threat intelligence types and sources
    • Consuming and producing intelligence
    • Mental models for threat intel
    • Intel transport and use
    • Threat intelligence platforms and integration
  • Practical Collection Concerns
    • Security data collection
    • Parsing, filtering, categorization, and normalization
    • Data enrichment
    • Storage and indexing
• Attack Detection, Hunting, and Triage
  • Efficient Alert Triage
    • Triage approach in various SOC staffing models
    • Where to triage alerts
    • What analysis must know
    • Prioritizing sensitive and high-risk accounts
    • Data classification
  • Capacity Planning
    • Basic and complicating factors in triage capacity planning
    • Estimating workload
    • Factors contributing to alert count
    • Determining the “right” number of alerts
    • Approaches for handling excessive alerts
  • Detection Engineering
    • SOC threat detection systems
    • Analytic outcomes and tuning
    • Writing high-fidelity rules
    • Use case tracking and storage
    • Risk-based scoring and alert aggregation
  • Analytic and Analysis Frameworks and Tools
    • Blue team knowledge standardization and upcoming tools
    • ATT&CK Navigator
    • Yara
    • Sigma
    • Jupyter notebooks
    • Detection testing labs
  • Threat Hunting
    • What is threat hunting and why is it needed?
    • Scheduling
    • Data quality
    • Hunting process and techniques
    • Hunting maturity model
    • Showing the value of threat hunting
  • Active Defense
    • What is active defense/deception?
    • Active defense techniques and goals
    • Active defense tooling
• Incident Response
  • Investigation
    • Investigation mindset
    • Avoiding bias
    • Analysis of Competing Hypothesis
    • Useful investigative techniques
  • Incident Response (IR) Planning
    • IR policy, plans, and procedures
    • Staffing for IR
    • Communication guidelines and methods
    • Incident response procedure overview
  • Preparation
    • Defensible network architecture
    • The Center for Internet Security (CIS) Controls
    • Securing high-value assets
    • Incident response procedures
    • Developing IR playbooks using RE&CT
    • Incident response communications
  • Identification, Containment, and Eradication
    • When to call incident
    • Triggering the incident response process and assembling the team
    • Incident categorization
    • Data acquisition
    • Containment procedures
    • Incident documentation
    • Preparing your IR “go bag”
    • Threat eradication
    • Preserving evidence and engaging law enforcement
  • Recovery and Post-Incident
    • Writing the incident report
    • Collecting intelligence
    • Additional logging during and after incidents
    • IR plan improvement
  • Incident Response in the Cloud
    • Preparing your cloud environment for detection and response
    • Containment in the cloud
  • Dealing With a Breach
    • Crisis management process and key functions
    • Crisis communications
    • Breach case studies
  • IR Tools
    • EDR, NDR, and XDR
    • Windows Management Instrumentation and command line incident response
    • Live response tools
    • Forensic analysis tools
    • Malware analysis tools
  • Continuous Improvement
    • Collaborative problem solving
    • Improving shared knowledge
    • Designing tabletop exercises
• Metrics, Automation, and Continuous Improvement
  • Staff Retention and Mitigation of Burnout
    • Cultivating intrinsic motivation in your team
    • SOC human capital model
    • Burnout mitigation tactics for new and experienced analysts
    • Optimizing tasks for analyst growth
    • Performance management
  • Metrics, Goals, and Effective Execution
    • Daily Ops vs. initiatives
    • Metrics vs. KPIs. vs. OKRs
    • Selecting Metrics
    • Selecting KPIs
    • Creating OKRs
    • Successful execution
  • Measurement and Prioritization Issues
    • Levels and types of measurement
    • The downside of risk matrices and CVSS scoring
    • The right kinds of measurements
    • Quantitative and qualitative measurement with examples
  • Strategic Planning and Communications
    • Building a strategic SOC plan
    • Executing your strategic plan
    • Maintaining direction, alignment, and commitment
    • Measuring SOC maturity with SOC-CMM
    • Storytelling and visualization in security
  • Analytic Testing and Adversary Emulation
    • Analytic testing
    • Penetration testing, red teaming, and adversary emulation
    • Purple team vs. red team execution and benefits
    • Purple teaming
  • Automation and Analyst Engagement
    • Types of automation
    • A 5-step approach to applying automation in the SOC
    • Automating SOC workflows with SOAR
    • Six sigma concepts
    • Gamification of SOC tasks and workflows
    • Optimizing for continuous engagement

گواهینامه‌ی دوره