این دوره به چه افرادی توصیه می‌شود؟

• مدیران مراکز عملیات امنیت
• راهبران امنیت
• اعضای جدید تیم‌های مرکز عملیات امنیت
• راهبران و کارشناسان ارشد تحلیل
• مدیران ارشد امنیت اطلاعات سازمان‌ها

برای حضور در این دوره چه دانش‌هایی باید داشته باشم؟

• آشنایی با مفاهیم و تعاریف امنیت و حملات سایبری
• آشنایی با مفاهیم شبکه
• آشنایی با مفاهیم و تعاریف تحلیل وقایع و لاگ
• حداقل ۲ سال تجربه‌ی کار در زمینه‌ی امنیت سایبری
• آشنایی با حملات در سطح APT

سرفصل‌های دوره

Chapter 1: SOC Design and Operational Planning

1.1 Introduction

1.1.1 What we are up against/industry surveys

1.1.2 The average SOC

1.1.3 What top-performing SOCs have in common

1.1.4 SOC trends

1.1.5 Class goals

1.2 SOC Functions

1.2.1 High-level SOC diagram

1.2.2 SOC functions

1.2.3 Core activities

1.2.4 Auxiliary functions

1.3 SOC Planning

1.3.1 Do you need a dedicated internal SOC?

1.3.2 What is and what is not a SOC?

1.3.3 Mission and purpose

1.3.4 Requirements

1.3.5 Standards and frameworks

1.3.6 Policies

1.3.7 Roles

1.3.8 Staffing levels

1.3.9 Constituency

1.3.10 Steering committee

1.3.11 Services/Capabilities

1.3.12 Charter

1.4 Team Creation, Hiring, and Training

1.4.1 Organizational charts

1.4.2 Choosing a tiered vs. tierless SOC

1.4.3 Building a dream team

1.4.4 Interviewing tips and techniques

1.4.5 Interviewing mistakes and avoiding bias

1.4.6 Training plans

1.5 Building the SOC

1.5.1 Physical space

1.5.2 Analyst/SOC IT considerations

1.5.3 Protecting SOC data

1.6 SOC Tools and Technology

1.6.1 Foundational network and endpoint collection and detection technologies

1.6.2 “Next-gen” must-have capabilities

1.6.3 Advanced detection technologies

1.6.4 Analyst core toolset

1.6.5 Live response tools

1.6.6 Playbooks and SOAR

1.6.7 Planning tools and frameworks

1.7 SOC Enclave and Networking

1.7.1 Requirements for SOC connectivity

1.7.2 Protecting SOC Data

1.7.3 SOC networking

1.7.4 SOC data flow

Chapter 2: SOC Telemetry and Analysis

2.1 Cyber Defense Theory and Mental Models

2.1.1 Ops Tempo and the OODA Loop

2.1.2 Threat modeling

2.1.3 MITRE ATT&CK/Kill Chain

2.1.4 Threat Intel – F3EAD

2.1.5 Pyramid of pain and analytic types

2.1.6 The SOC as an “infinite game”

2.2 Prevention and the Future of Security

2.2.1 Defensible network architecture

2.2.2 Hardening at the network and host level

2.2.3 Zero trust best practices

2.2.4 Identity security

2.2.5 Balancing productivity and security

2.3 SOC Data Collection

2.3.1 The SOC data collection system

2.3.2 Open-source NSM and host-data tools

2.3.3 Collection issues

2.3.4 Tactical log collection

2.3.5 Audit policy flexibility

2.3.6 Most important data sources

2.3.7 How to collect data

2.3.8 Parsing, filtering, enrichment, and storage

2.3.9 Secure protocols and encrypted traffic analysis

2.4 Other Monitoring Use Cases

2.4.1 DevOps telemetry

2.4.2 Chaos engineering and security monitoring

2.4.3 Supply chain security

2.4.4 Business e-mail compromise

2.4.5 Insider threat

2.4.6 Major breach case studies

2.5 Using MITRE ATT&CK to Plan Collection

2.5.1 Key data sources

2.5.2 Defense mapping

2.5.3 Assessing your capabilities using DETT&CT

2.6 Cyber Threat Intelligence

2.6.1 Threat intelligence types and sources

2.6.2 Consuming and producing intelligence

2.6.3 Mental models for threat intel

2.6.4 Intel transport and use

2.6.5 Threat intelligence platforms and integration

2.7 Practical Collection Concerns

2.7.1 Security data collection

2.7.2 Parsing, filtering, categorization, and normalization

2.7.3 Data enrichment

2.7.4 Storage and indexing

Chapter 3: Attack Detection, Hunting, and Triage

3.1 Efficient Alert Triage

3.1.1 Triage approach in various SOC staffing models

3.1.2 Where to triage alerts

3.1.3 What analysis must know

3.1.4 Prioritizing sensitive and high-risk accounts

3.1.5 Data classification

3.2 Capacity Planning

3.2.1 Basic and complicating factors in triage capacity planning

3.2.2 Estimating workload

3.2.3 Factors contributing to alert count

3.2.4 Determining the “right” number of alerts

3.2.5 Approaches for handling excessive alerts

3.3 Detection Engineering

3.3.1 SOC threat detection systems

3.3.2 Analytic outcomes and tuning

3.3.3 Writing high-fidelity rules

3.3.4 Use case tracking and storage

3.3.5 Risk-based scoring and alert aggregation

3.4 Analytic and Analysis Frameworks and Tools

3.4.1 Blue team knowledge standardization and upcoming tools

3.4.2 ATT&CK Navigator

3.4.3 Yara

3.4.4 Sigma

3.4.5 Jupyter notebooks

3.4.6 Detection testing labs

3.5 Threat Hunting

3.5.1 What is threat hunting and why is it needed?

3.5.2 Scheduling

3.5.3 Data quality

3.5.4 Hunting process and techniques

3.5.5 Hunting maturity model

3.5.6 Showing the value of threat hunting

3.6 Active Defense

3.6.1 What is active defense/deception?

3.6.2 Active defense techniques and goals

3.6.3 Active defense tooling

Chapter 4: Incident Response

4.1 Investigation

4.1.1 Investigation mindset

4.1.2 Avoiding bias

4.1.3 Analysis of Competing Hypothesis

4.1.4 Useful investigative techniques

4.2 Incident Response (IR) Planning

4.2.1 IR policy, plans, and procedures

4.2.2 Staffing for IR

4.2.3 Communication guidelines and methods

4.2.4 Incident response procedure overview

4.3 Preparation

4.3.1 Defensible network architecture

4.3.2 The Center for Internet Security (CIS) Controls

4.3.3 Securing high-value assets

4.3.4 Incident response procedures

4.3.5 Developing IR playbooks using RE&CT

4.3.6 Incident response communications

4.4 Identification, Containment, and Eradication

4.4.1 When to call incident

4.4.2 Triggering the incident response process and assembling the team

4.4.3 Incident categorization

4.4.4 Data acquisition

4.4.5 Containment procedures

4.4.6 Incident documentation

4.4.7 Preparing your IR “go bag”

4.4.8 Threat eradication

4.4.9 Preserving evidence and engaging law enforcement

4.5 Recovery and Post-Incident

4.5.1 Writing the incident report

4.5.2 Collecting intelligence

4.5.3 Additional logging during and after incidents

4.5.4 IR plan improvement

4.6 Incident Response in the Cloud

4.6.1 Preparing your cloud environment for detection and response

4.6.2 Containment in the cloud

4.7 Dealing With a Breach

4.7.1 Crisis management process and key functions

4.7.2 Crisis communications

4.7.3 Breach case studies

4.8 IR Tools

4.8.1 EDR, NDR, and XDR

4.8.2 Windows Management Instrumentation and command line incident response

4.8.3 Live response tools

4.8.4 Forensic analysis tools

4.8.5 Malware analysis tools

4.9 Continuous Improvement

4.9.1 Collaborative problem solving

4.9.2 Improving shared knowledge

4.9.3 Designing tabletop exercises

Chapter 5: Metrics, Automation, and Continuous Improvement

5.1 Staff Retention and Mitigation of Burnout

5.1.1 Cultivating intrinsic motivation in your team

5.1.2 SOC human capital model

5.1.2.1 Growth, skills, empowerment, and creativity

5.1.2.2 Automation, Ops efficiency, management/metrics

5.1.3 Burnout mitigation tactics for new and experienced analysts

5.1.4 Optimizing tasks for analyst growth

5.1.5 Performance management

5.2 Metrics, Goals, and Effective Execution

5.2.1 Daily Ops vs. initiatives

5.2.2 Metrics vs. KPIs. vs. OKRs

5.2.3 Selecting Metrics

5.2.3.1 Metrics sampling rates

5.2.4 Selecting KPIs

5.2.4.1 Organizing operational measures

5.2.5 Creating OKRs

5.2.6 Successful execution

5.2.6.1 Metrics types

5.2.6.2 Goal setting

5.2.6.3 Acting on the right metrics

5.2.6.4 Scoreboards

5.2.6.5 Keeping a cadence of accountability

5.3 Measurement and Prioritization Issues

5.3.1 Levels and types of measurement

5.3.2 The downside of risk matrices and CVSS scoring

5.3.3 The right kinds of measurements

5.3.4 Quantitative and qualitative measurement with examples

5.4 Strategic Planning and Communications

5.4.1 Building a strategic SOC plan

5.4.2 Executing your strategic plan

5.4.3 Maintaining direction, alignment, and commitment

5.4.4 Measuring SOC maturity with SOC-CMM

5.4.5 Storytelling and visualization in security

5.5 Analytic Testing and Adversary Emulation

5.5.1 Analytic testing

5.5.1.1 Analytic testing tools

5.5.1.2 Automated assessments

5.5.2 Penetration testing, red teaming, and adversary emulation

5.5.3 Purple team vs. red team execution and benefits

5.5.4 Purple teaming

5.5.4.1 Benefits

5.5.4.2 Methodology and execution

5.5.4.3 Reporting and tracking tools

5.6 Automation and Analyst Engagement

5.6.1 Types of automation

5.6.2 A 5-step approach to applying automation in the SOC

5.6.3 Automating SOC workflows with SOAR

5.6.4 Six sigma concepts

5.6.5 Gamification of SOC tasks and workflows

5.6.6 Optimizing for continuous engagement