Key topics covered:

  • Practical approaches to building, running and assessing a Security Operations Center (SOC)
  • Overview of essential SOC services, including SOC Management, Log Management, Incident Monitoring, Incident Response, SOC Architecture & Engineering, Threat Intelligence, Threat Hunting, Vulnerability Management, Self-Assessment, and Digital Forensics
  • A deep dive into the people, processes, and technologies behind SOCs

Skills acquired:

After this course, participants will be able to:

  • Understand the different types of SOC as well as their architectures and operating modes
  • Define key SOC services and how they relate to people, processes, and technologies
  • Understand the main roles and responsibilities of SOCs
  • Set up liaisons between different SOC services
  • Identify and gather critical logs for SOC detection capabilities
  • Create and support a diverse and capable team
  • Develop playbooks and manage detection use cases
  • Differentiate between a broad set of SOC tools and technologies
  • Design essential SOC documentation to support day-to-day operations
  • Leverage threat intelligence to enhance every service in the SOC
  • Build a comprehensive Threat Intelligence Program
  • Proactively seek out and respond to threats through threat hunting
  • Address vulnerabilities in infrastructure by building a robust vulnerability management program
  • Plan and execute effective incident response
  • Establish metrics and long-term strategies to improve SOC performance
  • Provide team members with career paths, training, and support, and prevent burnout
  • Conduct SOC assessments through penetration testing, red teaming, attack surface management, security controls gaps assessment, SOC-CMM, and MITRE Assessment
  • Run commercial SOC (MSSP) and CSIRT
  • Put to use the hands-on experience gained in several SOC services (practical tasks)

Target participants:

  • SOC Manager
  • Lead Analyst, Tier 3 Analyst
  • CISO and Security Manager

Course program

Day 1

Theory

On the first day of the course, we will cover the definition of SOC, its major types, architecture, and modes of operation. We will discuss major SOC frameworks, the structure of the Group-IB SOC framework, comparisons of in-house versus outsourced services, recent trends, and surveys related to SOC structure.

Next, attendees will be introduced to SOC capacity planning, identifying critical assets in your infrastructure, and defining impact and incident categories.

We will then take a look at hiring and onboarding, career paths for SOC staff, retention strategies, and approaches to combat burnout.

We will cover budget justification, selecting security tools for your SOC, internal and external SOC metrics, communication and reporting methods, and current SOC challenges and solutions.

Finally, we will provide an overview of the SOC roadmap and share insights on how to create it.

Day 2

Theory
Practice

On the second day, we will take a deep dive into three critical SOC services: Log Management, Incident Monitoring, and Incident Response.

We will discuss the key roles and responsibilities of the people involved, the skills required, the related tools and technologies, and the processes and interrelationships between each SOC service.

The Log Management service will guide you through the necessary log sources, why they are important and how to prioritize them, how to maintain logs, and the free and commercial tools that can be used for log management.

In the Incident Monitoring section, we will introduce you to the Enhanced Pyramid of Pain and explore how to construct different types of detection use cases based on it, including technique-based, IOC-based, and anomaly-based use cases.

We will also discuss containment, eradication, and recovery during incident response, as well as lessons-learned activities. Finally, we will look at examples of supporting operational documentation and the metrics used to measure the effectiveness of each service, and discuss playbooks.

During the lab, participants will be tasked with performing various activities related to each of the SOC services discussed. This will allow them to become familiar with the roles of the SOC Manager, Tier 1/Tier 2 Analyst, and SOC Architect.

Day 3

Theory
Practice

The third day is dedicated to three more SOC services: Threat Intelligence, Threat Hunting, and Vulnerability Management.

Attendees will learn the cornerstones of threat intelligence: priority intelligence requirements, the threat landscape, threat intelligence platforms, threat intelligence feeds, and how to build a threat intelligence program in your organization.

We will introduce you to the key concepts of threat hunting and why it is important, the hypothesis generation approach, and strategies for successful threat hunting.

In the Vulnerability Management section, we will define the overall process of managing vulnerabilities, how to measure the effectiveness of the vulnerability management service, and what tools can be used in this service.

To practice and reinforce the skills learned, participants will design a simple threat landscape, practice hypothesis generation, and practice some vulnerability management tasks.

Day 4

Theory

The final day begins with an overview of digital forensics services and a broad range of self-assessment services, including penetration testing, red teaming, tabletop exercises, and security controls gap assessment. This is followed by a detailed explanation of the SOC Capability & Maturity Assessment (SOC-CMM) and the SOC MITRE ATT&CK® Assessment. We also provide recommendations on the frequency and purpose of the different types of assessments.

Attendees will also be introduced to the concept of operating a SOC for commercial needs (MSSP), as well as tips for operating a national or industry CSIRT. Finally, we will discuss SOC best practices and summarize what we have covered so far.