Description

Book Synopsis

Joseph Muniz is a consultant at Cisco Systems and security researcher. Joseph started his career in software development and later managed networks as a contracted technical resource. Joseph moved into consulting and found a passion for security while meeting with a variety of customers. He has been involved with the design and implementation of multiple projects, ranging from Fortune 500 corporations to large federal networks. Joseph is the author of and contributor to several books and is a speaker for popular security conferences. Check out his blog, http://www.thesecurityblogger.com, which showcases the latest security events, research, and technologies.

 

Gary McIntyre is a seasoned information security professional focusing on the development and operation of large-scale information security programs. As an architect, manager, and consultant, he has worked with a wide range of public and pr

Table of Contents

Introduction xx

Part I: SOC Basics

Chapter 1 Introduction to Security Operations and the SOC 1

Cybersecurity Challenges 1

Threat Landscape 4

Business Challenges 7

The Cloud 8

Compliance 9

Privacy and Data Protection 9

Introduction to Information Assurance 10

Introduction to Risk Management 11

Information Security Incident Response 14

Incident Detection 15

Incident Triage 16

Incident Categories 17

Incident Severity 17

Incident Resolution 18

Incident Closure 19

Post-Incident 20

SOC Generations 21

First-Generation SOC 22

Second-Generation SOC 22

Third-Generation SOC 23

Fourth-Generation SOC 24

Characteristics of an Effective SOC 24

Introduction to Maturity Models 27

Applying Maturity Models to SOC 29

Phases of Building a SOC 31

Challenges and Obstacles 32

Summary 32

References 33

Chapter 2 Overview of SOC Technologies 35

Data Collection and Analysis 35

Data Sources 37

Data Collection 38

The Syslog Protocol 39

Telemetry Data: Network Flows 45

Telemetry Data: Packet Capture 48

Parsing and Normalization 49

Security Analysis 52

Alternatives to Rule-Based Correlation 55

Data Enrichment 56

Big Data Platforms for Security 57

Vulnerability Management 58

Vulnerability Announcements 60

Threat Intelligence 62

Compliance 64

Ticketing and Case Management 64

Collaboration 65

SOC Conceptual Architecture 66

Summary 67

References 67

Part II: The Plan Phase

Chapter 3 Assessing Security Operations Capabilities 69

Assessment Methodology 69

Step 1: Identify Business and IT Goals 71

Step 2: Assessing Capabilities 73

Assessing IT Processes 75

Step 3: Collect Information 82

Step 4: Analyze Maturity Levels 84

Step 5: Formalize Findings 87

The Organization’s Vision and Strategy 87

The Department’s Vision and Strategy 87

External and Internal Compliance Requirements 87

Organization’s Threat Landscape 88

History of Previous Information Security Incidents 88

SOC Sponsorship 89

Allocated Budget 89

Presenting Data 89

Closing 90

Summary 90

References 90

Chapter 4 SOC Strategy 91

Strategy Elements 91

Who Is Involved? 92

SOC Mission 92

SOC Scope 93

Example 1: A Military Organization 94

Mission Statement 94

SOC Scope Statement 95

Example 2: A Financial Organization 95

Mission Statement 95

SOC Scope Statement 95

SOC Model of Operation 95

In-House and Virtual SOC 96

SOC Services 98

SOC Capabilities Roadmap 99

Summary 101

Part III: The Design Phase

Chapter 5 The SOC Infrastructure 103

Design Considerations 103

Model of Operation 104

Facilities 105

SOC Internal Layout 106

Lighting 107

Acoustics 107

Physical Security 108

Video Wall 108

SOC Analyst Services 109

Active Infrastructure 110

Network 111

Access to Systems 112

Security 112

Compute 115

Dedicated Versus Virtualized Environment 116

Choice of Operating Systems 118

Storage 118

Capacity Planning 119

Collaboration 119

Ticketing 120

Summary 120

References 120

Chapter 6 Security Event Generation and Collection 123

Data Collection 123

Calculating EPS 124

Ubuntu Syslog Server 124

Network Time Protocol 129

Deploying NTP 130

Data-Collection Tools 134

Company 135

Product Options and Architecture 136

Installation and Maintenance 136

User Interface and Experience 136

Compliance Requirements 137

Firewalls 137

Stateless/Stateful Firewalls 137

Cisco Adaptive Security Appliance ASA 138

Application Firewalls 142

Cisco FirePOWER Services 142

Cloud Security 152

Cisco Meraki 153

Exporting Logs from Meraki 154

Virtual Firewalls 155

Cisco Virtual Firewalls 156

Host Firewalls 157

Intrusion Detection and Prevention Systems 157

Cisco FirePOWER IPS 160

Meraki IPS 161

Snort 162

Host-Based Intrusion Prevention 162

Routers and Switches 163

Host Systems 166

Mobile Devices 167

Breach Detection 168

Cisco Advanced Malware Prevention 168

Web Proxies 169

Cisco Web Security Appliance 170

Cloud Proxies 172

Cisco Cloud Web Security 172

DNS Servers 173

Exporting DNS 174

Network Telemetry with Network Flow Monitoring 174

NetFlow Tools 175

StealthWatch 177

Exporting Data from StealthWatch 179

NetFlow from Routers and Switches 182

NetFlow from Security Products 184

NetFlow in the Data Center 186

Summary 187

References 188

Chapter 7 Vulnerability Management 189

Identifying Vulnerabilities 190

Security Services 191

Vulnerability Tools 193

Handling Vulnerabilities 195

OWASP Risk Rating Methodology 197

Threat Agent Factors 198

Vulnerability Factors 198

Technical Impact Factors 200

Business Impact Factors 200

The Vulnerability Management Lifecycle 202

Automating Vulnerability Management 205

Inventory Assessment Tools 205

Information Management Tools 206

Risk-Assessment Tools 206

Vulnerability-Assessment Tools 206

Report and Remediate Tools 206

Responding Tools 207

Threat Intelligence 208

Attack Signatures 209

Threat Feeds 210

Other Threat Intelligence Sources 211

Summary 213

References 214

Chapter 8 People and Processes 215

Key Challenges 215

Wanted: Rock Stars, Leaders, and Grunts 216

The Weight of Process 216

The Upper and Lower Bounds of Technology 217

Designing and Building the SOC Team 218

Starting with the Mission 218

Focusing on Services 219

Security Monitoring Service Example 220

Determining the Required SOC Roles 223

Leadership Roles 224

Analyst Roles 224

Engineering Roles 224

Operations Roles 224

Other Support Roles 224

Working with HR 225

Job Role Analysis 225

Market Analysis 225

Organizational Structure 226

Calculating Team Numbers 227

Deciding on Your Resourcing Strategy 228

Building Your Own: The Art of Recruiting SOC Personnel 229

Working with Contractors and Service Bureaus 229

Working with Outsourcing and Managed Service Providers 230

Working with Processes and Procedures 231

Processes Versus Procedures 231

Working with Enterprise Service Management Processes 232

Event Management 232

Incident Management 233

Problem Management 233

Vulnerability Management 233

Other IT Management Processes 233

The Positives and Perils of Process 234

Examples of SOC Processes and Procedures 236

Security Service Management 236

Security Service Engineering 237

Security Service Operations 238

Security Monitoring 239

Security Incident Investigation and Response 239

Security Log Management 240

Security Vulnerability Management 241

Security Intelligence 241

Security Analytics and Reporting 242

Breach Discovery and Remediation 242

Summary 243

Part IV: The Build Phase

Chapter 9 The Technology 245

In-House Versus Virtual SOC 245

Network 246

Segmentation 247

VPN 251

High Availability 253

Support Contracts 254

Security 255

Network Access Control 255

Authentication 257

On-Network Security 258

Encryption 259

Systems 260

Operating Systems 261

Hardening Endpoints 262

Endpoint Breach Detection 263

Mobile Devices 264

Servers 264

Storage 265

Data-Loss Protection 266

Cloud Storage 270

Collaboration 271

Collaboration for Pandemic Events 272

Technologies to Consider During SOC Design 273

Firewalls 273

Firewall Modes 273

Firewall Clustering 276

Firewall High Availability 276

Firewall Architecture 277

Routers and Switches 279

Securing Network Devices 280

Hardening Network Devices 280

Network Access Control 281

Deploying NAC 282

NAC Posture 284

Architecting NAC 285

Web Proxies 290

Reputation Security 290

Proxy Architecture 292

Intrusion Detection/Prevention 295

IDS IPS Architecture 295

Evaluating IDS IPS Technology 296

Tuning IDS/IPS 298

Breach Detection 300

Honeypots 301

Sandboxes 302

Endpoint Breach Detection 303

Network Telemetry 306

Enabling NetFlow 308

Architecting Network Telemetry Solutions 310

Network Forensics 312

Digital Forensics Tools 313

Final SOC Architecture 314

Summary 317

References 318

Chapter 10 Preparing to Operate 319

Key Challenges 319

People Challenges 319

Process Challenges 320

Technology Challenges 321

Managing Challenges Through a Well-Managed Transition 321

Elements of an Effective Service Transition Plan 322

Determining Success Criteria and Managing to Success 322

Deploying Against Attainable Service Levels 323

Focusing on Defined Use Cases 325

Managing Project Resources Effectively 328

Marching to Clear and Attainable Requirements 329

Staffing Requirements for Go-Live 329

Process Requirements for Go-Live 330

Technology Requirements for Go-Live 331

Using Simple Checks to Verify That the SOC Is Ready 332

People Checks 332

Process Checks 336

Technology Checks 340

Summary 346

Part V: The Operate Phase

Chapter 11 Reacting to Events and Incidents 347

A Word About Events 348

Event Intake, Enrichment, Monitoring, and Handling 348

Events in the SIEM 349

Events in the Security Log Management Solution 350

Events in Their Original Habitats 350

Events Through Communications and Collaboration Platforms 350

Working with Events: The Malware Scenario 351

Handling and Investigating the Incident Report 353

Creating and Managing Cases 354

Working as a Team 355

Working with Other Parts of the Organization 357

Working with Third Parties 359

Closing and Reporting on the Case 362

Summary 363

Chapter 12 Maintain, Review, and Improve 365

Reviewing and Assessing the SOC 366

Determining Scope 366

Examining the Services 367

Personnel/Staffing 369

Processes, Procedures, and Other Operational Documentation 371

Technology 372

Scheduled and Ad Hoc Reviews 373

Internal Versus External Assessments 374

Internal Assessments 374

External Assessments 374

Assessment Methodologies 375

Maturity Model Approaches 375

Services-Oriented Approaches 376

Post-Incident Reviews 378

Maintaining and Improving the SOC 381

Maintaining and Improving Services 381

Maintaining and Improving Your Team 383

Improving Staff Recruitment 383

Improving Team Training and Development 384

Improving Team Retention 386

Maintaining and Improving the SOC Technology Stack 387

Improving Threat, Anomaly, and Breach-Detection Systems 388

Improving Case and Investigation Management Systems 391

Improving Analytics and Reporting 392

Improving Technology Integration 392

Improving Security Testing and Simulation Systems 393

Improving Automated Remediation 394

Conclusions 395

9780134052014 TOC 10/12/2015

Security Operations Center

£38.47

RRP £40.49 – you save £2.02 (4%)

A Paperback / softback by Joseph Muniz, Gary McIntyre, Nadhem AlFardan

    Publisher: Pearson Education (US)
    Publication Date: 19/11/2015
    ISBN13: 9780134052014, 978-0134052014
    ISBN10: 0134052013


© 2025 Book Curl