Overview

Participants learn about intelligence-driven SOC processes, standard operating procedures (SOPs), and monitoring tools. They learn to recognize the formats associated with the various sources of information available in a network environment. The program follows the end-to-end workflow of a Security Analyst, including all appropriate steps that are needed to handle each type of identified security incident.

Duration:

02 days (16 hours)

Course Objectives

Upon completing the program, participants should be able to:

• Identify the roles and responsibilities in a SOC.
• Interpret sources of information in a SOC.
• Describe how Security Analysts interact with information and data in the SOC environment.
• Monitor incoming event queues for potential security events and/or incidents using various security
• tools per operational procedures.
• Perform initial investigation and triage of potential incidents.
• Investigate/analyze an incident.
• Escalate an incident for further analysis aligned to SOPs.
• Document and communicate investigative results aligned to escalation and/or handoff SOPs.
• Walk through an incident from alert to escalation to closure.
• Apply concepts that are learned in the classroom setting to their specific working environment

Who should attend

IT professionals with 2 to 3 years of experience in a troubleshooting role, such as a systems/network engineer, a system administrator, network operations analyst, or a newly-hired security analyst. Knowledge of security fundamentals is required.

Course outline

1.     Roles and Responsibilities in a Security Operations Center

• Describe the purpose of a Security Operations Center (SOC) and its basic structure.
• Define an event and an incident and describe the difference between the two terms.
•  Identify the roles and responsibilities in a SOC.
• Name some of the tools that are commonly used to monitor events in the SOC.
• Outline some of the key components in the incident processing workflow

2.     Interpreting Sources of Information

• Diagram the components and tools of technical environment you are working in
• Categorize sources of information available to a security analyst
• Recognize information formats
• Establish the context of the observed information/data
• Assimilate external threat data and threat intelligence
• Apply internal and external sources of intelligence to an incident

3.     Interacting with Information (Identifying Events)

• Become the ‘eyes on glass’
• Analyze logs from distributed system and network security devices
• Monitor all alerting systems
• Inspect network packet data
• View information using a console

4.     Correlating Events

• Define event correlation o Use several correlation engines
• Assist in the identification of potential computer and communications security issues
• Correlate events and incidents with knowledge base of historical events and incidents

5.     Triaging Events

• Follow the triage process
• Prioritize incidents
• Apply standard operating procedures

6.     Analyzing incidents using sources of information

• Explain the incident – is your system infected?
• Demonstrate fundamental understanding of all standard information sources
• Determine whether an incident occurred and handle appropriately

7.     Escalation and Handoff

• Escalate an event for further analysis to the incident handler
• Follow the SLA to resolution or escalation
• Standard operating procedures and analysis

8.     Documenting and Communicating Issues

• Update the internal knowledge base and wiki
• Perform maintenance activities on security related databases
•  Assimilate external threat data and threat intelligence