Security Operations Center: Building, Operating, and Maintaining your SOC

Author: Joseph Muniz, Gary McIntyre, Nadhem AlFardan
Publisher: Pearson Education (US)
ISBN: 9780134052014
Pages: 448
Publication Date: 19 November 2015
Format: Paperback
Availability: Available To Order
Price: $145.17


Overview

The complete, practical guide to planning, building, and operating an effective Security Operations Center (SOC).

Security Operations Center is the complete guide to building, operating, and managing Security Operations Centers in any environment. Drawing on experience with hundreds of customers ranging from Fortune 500 enterprises to large military organizations, three leading experts thoroughly review each SOC model, including virtual SOCs. You'll learn how to select the right strategic option for your organization, and then plan and execute the strategy you've chosen.

Security Operations Center walks you through every phase required to establish and run an effective SOC, including all significant people, process, and technology capabilities. The authors assess SOC technologies, strategy, infrastructure, governance, planning, implementation, and more. They take a holistic approach, considering the various commercial and open-source tools found in modern SOCs.

This best-practice guide is written for anybody interested in learning how to develop, manage, or improve a SOC. A background in network security, management, and operations will be helpful but is not required. It is also an indispensable resource for anyone preparing for the Cisco SCYBER exam.

- Review high-level issues, such as vulnerability and risk management, threat intelligence, digital investigation, and data collection/analysis
- Understand the technical components of a modern SOC
- Assess the current state of your SOC and identify areas of improvement
- Plan SOC strategy, mission, functions, and services
- Design and build out SOC infrastructure, from facilities and networks to systems, storage, and physical security
- Collect and successfully analyze security data
- Establish an effective vulnerability management practice
- Organize incident response teams and measure their performance
- Define an optimal governance and staffing model
- Develop a practical SOC handbook that people can actually use
- Prepare the SOC to go live, with comprehensive transition plans
- React quickly and collaboratively to security incidents
- Implement best-practice security operations, including continuous enhancement and improvement

Full Product Details

Author: Joseph Muniz, Gary McIntyre, Nadhem AlFardan
Publisher: Pearson Education (US)
Imprint: Cisco Press
Dimensions: Width: 19.00cm, Height: 2.00cm, Length: 23.00cm
Weight: 0.756kg
ISBN: 9780134052014
ISBN 10: 0134052013
Pages: 448
Publication Date: 19 November 2015
Audience: Professional and scholarly, Professional & Vocational
Format: Paperback
Publisher's Status: Active
Availability: Available To Order

Table of Contents

Introduction

Part I: SOC Basics

Chapter 1 Introduction to Security Operations and the SOC
  Cybersecurity Challenges
    Threat Landscape
    Business Challenges
      The Cloud
      Compliance
      Privacy and Data Protection
  Introduction to Information Assurance
  Introduction to Risk Management
  Information Security Incident Response
    Incident Detection
    Incident Triage
      Incident Categories
      Incident Severity
    Incident Resolution
    Incident Closure
    Post-Incident
  SOC Generations
    First-Generation SOC
    Second-Generation SOC
    Third-Generation SOC
    Fourth-Generation SOC
  Characteristics of an Effective SOC
  Introduction to Maturity Models
  Applying Maturity Models to SOC
  Phases of Building a SOC
  Challenges and Obstacles
  Summary
  References

Chapter 2 Overview of SOC Technologies
  Data Collection and Analysis
    Data Sources
    Data Collection
      The Syslog Protocol
      Telemetry Data: Network Flows
      Telemetry Data: Packet Capture
    Parsing and Normalization
    Security Analysis
      Alternatives to Rule-Based Correlation
      Data Enrichment
      Big Data Platforms for Security
  Vulnerability Management
    Vulnerability Announcements
  Threat Intelligence
  Compliance
  Ticketing and Case Management
  Collaboration
  SOC Conceptual Architecture
  Summary
  References

Part II: The Plan Phase

Chapter 3 Assessing Security Operations Capabilities
  Assessment Methodology
    Step 1: Identify Business and IT Goals
    Step 2: Assessing Capabilities
      Assessing IT Processes
    Step 3: Collect Information
    Step 4: Analyze Maturity Levels
    Step 5: Formalize Findings
      The Organization's Vision and Strategy
      The Department's Vision and Strategy
      External and Internal Compliance Requirements
      Organization's Threat Landscape
      History of Previous Information Security Incidents
      SOC Sponsorship
      Allocated Budget
      Presenting Data
      Closing
  Summary
  References

Chapter 4 SOC Strategy
  Strategy Elements
    Who Is Involved?
    SOC Mission
    SOC Scope
    Example 1: A Military Organization
      Mission Statement
      SOC Scope Statement
    Example 2: A Financial Organization
      Mission Statement
      SOC Scope Statement
  SOC Model of Operation
    In-House and Virtual SOC
  SOC Services
  SOC Capabilities Roadmap
  Summary

Part III: The Design Phase

Chapter 5 The SOC Infrastructure
  Design Considerations
  Model of Operation
  Facilities
    SOC Internal Layout
      Lighting
      Acoustics
    Physical Security
    Video Wall
    SOC Analyst Services
  Active Infrastructure
    Network
      Access to Systems
    Security
    Compute
      Dedicated Versus Virtualized Environment
      Choice of Operating Systems
    Storage
      Capacity Planning
    Collaboration
      Ticketing
  Summary
  References

Chapter 6 Security Event Generation and Collection
  Data Collection
    Calculating EPS
      Ubuntu Syslog Server
    Network Time Protocol
      Deploying NTP
    Data-Collection Tools
      Company
      Product Options and Architecture
      Installation and Maintenance
      User Interface and Experience
      Compliance Requirements
    Firewalls
      Stateless/Stateful Firewalls
      Cisco Adaptive Security Appliance ASA
      Application Firewalls
      Cisco FirePOWER Services
  Cloud Security
    Cisco Meraki
      Exporting Logs from Meraki
    Virtual Firewalls
      Cisco Virtual Firewalls
      Host Firewalls
  Intrusion Detection and Prevention Systems
    Cisco FirePOWER IPS
    Meraki IPS
    Snort
    Host-Based Intrusion Prevention
  Routers and Switches
  Host Systems
  Mobile Devices
  Breach Detection
    Cisco Advanced Malware Prevention
    Web Proxies
      Cisco Web Security Appliance
    Cloud Proxies
      Cisco Cloud Web Security
  DNS Servers
    Exporting DNS
  Network Telemetry with Network Flow Monitoring
    NetFlow Tools
      StealthWatch
      Exporting Data from StealthWatch
    NetFlow from Routers and Switches
    NetFlow from Security Products
    NetFlow in the Data Center
  Summary
  References

Chapter 7 Vulnerability Management
  Identifying Vulnerabilities
  Security Services
  Vulnerability Tools
  Handling Vulnerabilities
    OWASP Risk Rating Methodology
      Threat Agent Factors
      Vulnerability Factors
      Technical Impact Factors
      Business Impact Factors
    The Vulnerability Management Lifecycle
  Automating Vulnerability Management
    Inventory Assessment Tools
    Information Management Tools
    Risk-Assessment Tools
    Vulnerability-Assessment Tools
    Report and Remediate Tools
    Responding Tools
  Threat Intelligence
    Attack Signatures
    Threat Feeds
    Other Threat Intelligence Sources
  Summary
  References

Chapter 8 People and Processes
  Key Challenges
    Wanted: Rock Stars, Leaders, and Grunts
    The Weight of Process
    The Upper and Lower Bounds of Technology
  Designing and Building the SOC Team
    Starting with the Mission
    Focusing on Services
      Security Monitoring Service Example
    Determining the Required SOC Roles
      Leadership Roles
      Analyst Roles
      Engineering Roles
      Operations Roles
      Other Support Roles
    Working with HR
      Job Role Analysis
      Market Analysis
      Organizational Structure
      Calculating Team Numbers
    Deciding on Your Resourcing Strategy
      Building Your Own: The Art of Recruiting SOC Personnel
      Working with Contractors and Service Bureaus
      Working with Outsourcing and Managed Service Providers
  Working with Processes and Procedures
    Processes Versus Procedures
    Working with Enterprise Service Management Processes
      Event Management
      Incident Management
      Problem Management
      Vulnerability Management
      Other IT Management Processes
    The Positives and Perils of Process
    Examples of SOC Processes and Procedures
      Security Service Management
      Security Service Engineering
      Security Service Operations
      Security Monitoring
      Security Incident Investigation and Response
      Security Log Management
      Security Vulnerability Management
      Security Intelligence
      Security Analytics and Reporting
      Breach Discovery and Remediation
  Summary

Part IV: The Build Phase

Chapter 9 The Technology
  In-House Versus Virtual SOC
  Network
    Segmentation
    VPN
    High Availability
    Support Contracts
  Security
    Network Access Control
    Authentication
    On-Network Security
    Encryption
  Systems
    Operating Systems
    Hardening Endpoints
    Endpoint Breach Detection
    Mobile Devices
    Servers
  Storage
    Data-Loss Protection
    Cloud Storage
  Collaboration
    Collaboration for Pandemic Events
  Technologies to Consider During SOC Design
    Firewalls
      Firewall Modes
      Firewall Clustering
      Firewall High Availability
      Firewall Architecture
    Routers and Switches
      Securing Network Devices
      Hardening Network Devices
    Network Access Control
      Deploying NAC
      NAC Posture
      Architecting NAC
    Web Proxies
      Reputation Security
      Proxy Architecture
    Intrusion Detection/Prevention
      IDS/IPS Architecture
      Evaluating IDS/IPS Technology
      Tuning IDS/IPS
  Breach Detection
    Honeypots
    Sandboxes
    Endpoint Breach Detection
    Network Telemetry
      Enabling NetFlow
      Architecting Network Telemetry Solutions
    Network Forensics
      Digital Forensics Tools
  Final SOC Architecture
  Summary
  References

Chapter 10 Preparing to Operate
  Key Challenges
    People Challenges
    Process Challenges
    Technology Challenges
  Managing Challenges Through a Well-Managed Transition
    Elements of an Effective Service Transition Plan
    Determining Success Criteria and Managing to Success
      Deploying Against Attainable Service Levels
      Focusing on Defined Use Cases
    Managing Project Resources Effectively
    Marching to Clear and Attainable Requirements
      Staffing Requirements for Go-Live
      Process Requirements for Go-Live
      Technology Requirements for Go-Live
    Using Simple Checks to Verify That the SOC Is Ready
      People Checks
      Process Checks
      Technology Checks
  Summary

Part V: The Operate Phase

Chapter 11 Reacting to Events and Incidents
  A Word About Events
  Event Intake, Enrichment, Monitoring, and Handling
    Events in the SIEM
    Events in the Security Log Management Solution
    Events in Their Original Habitats
    Events Through Communications and Collaboration Platforms
    Working with Events: The Malware Scenario
    Handling and Investigating the Incident Report
    Creating and Managing Cases
      Working as a Team
      Working with Other Parts of the Organization
      Working with Third Parties
  Closing and Reporting on the Case
  Summary

Chapter 12 Maintain, Review, and Improve
  Reviewing and Assessing the SOC
    Determining Scope
      Examining the Services
      Personnel/Staffing
      Processes, Procedures, and Other Operational Documentation
      Technology
    Scheduled and Ad Hoc Reviews
    Internal Versus External Assessments
      Internal Assessments
      External Assessments
    Assessment Methodologies
      Maturity Model Approaches
      Services-Oriented Approaches
      Post-Incident Reviews
  Maintaining and Improving the SOC
    Maintaining and Improving Services
    Maintaining and Improving Your Team
      Improving Staff Recruitment
      Improving Team Training and Development
      Improving Team Retention
    Maintaining and Improving the SOC Technology Stack
      Improving Threat, Anomaly, and Breach-Detection Systems
      Improving Case and Investigation Management Systems
      Improving Analytics and Reporting
      Improving Technology Integration
      Improving Security Testing and Simulation Systems
      Improving Automated Remediation
  Conclusions

Author Information

Joseph Muniz is a consultant at Cisco Systems and a security researcher. Joseph started his career in software development and later managed networks as a contracted technical resource. He moved into consulting and found a passion for security while meeting with a variety of customers. He has been involved with the design and implementation of multiple projects, ranging from Fortune 500 corporations to large federal networks. Joseph is the author of and contributor to several books and is a speaker at popular security conferences. His blog, http://www.thesecurityblogger.com, showcases the latest security events, research, and technologies.

Gary McIntyre is a seasoned information security professional focusing on the development and operation of large-scale information security programs. As an architect, manager, and consultant, he has worked with a wide range of public and private sector organizations around the world to design, build, and maintain small to large security operations teams. He holds a Master's degree from the University of Toronto and has been a long-time (ISC)2 instructor.

Dr. Nadhem AlFardan has more than 15 years of experience in the area of information security and holds a Ph.D. in Information Security from Royal Holloway, University of London. Nadhem is a senior security solution architect working for Cisco Systems. Before joining Cisco, he worked for Schlumberger and HSBC. Nadhem is CISSP certified and is an ISO 27001 lead auditor. He is also CCIE Security certified. In his Ph.D. research, Nadhem published a number of papers at prestigious conferences, such as IEEE S&P and USENIX Security, mainly on cryptanalysis topics. His work involved working with organizations such as Google, Microsoft, Cisco, Mozilla, OpenSSL, and many others, mainly to help them assess and fix major findings in the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol. His work is referenced in a number of IETF standards.
