RSA Intelligence-Driven Event Analysis

Overview

Participants learn about intelligence-driven SOC processes, standard operating procedures (SOPs), and monitoring tools. They learn to recognize the formats associated with the various sources of information available in a network environment. The program follows the end-to-end workflow of a Security Analyst, including all appropriate steps that are needed to handle each type of identified security incident.

Duration:

02 days (16 hours)

Course Objectives

Upon completing the program, participants should be able to:

  • Identify the roles and responsibilities in a SOC.
  • Interpret sources of information in a SOC.
  • Describe how Security Analysts interact with information and data in the SOC environment.
  • Monitor incoming event queues for potential security events and/or incidents using various security
  • tools per operational procedures.
  • Perform initial investigation and triage of potential incidents.
  • Investigate/analyze an incident.
  • Escalate an incident for further analysis aligned to SOPs.
  • Document and communicate investigative results aligned to escalation and/or handoff SOPs.
  • Walk through an incident from alert to escalation to closure.
  • Apply concepts that are learned in the classroom setting to their specific working environment
Who should attend

IT professionals with 2 to 3 years of experience in a troubleshooting role, such as a systems/network engineer, a system administrator, network operations analyst, or a newly-hired security analyst. Knowledge of security fundamentals is required.

Course outline

    1.     Roles and Responsibilities in a Security Operations Center

    • Describe the purpose of a Security Operations Center (SOC) and its basic structure.
    • Define an event and an incident and describe the difference between the two terms.
    •  Identify the roles and responsibilities in a SOC.
    • Name some of the tools that are commonly used to monitor events in the SOC.
    • Outline some of the key components in the incident processing workflow

    2.     Interpreting Sources of Information

    • Diagram the components and tools of technical environment you are working in
    • Categorize sources of information available to a security analyst
    • Recognize information formats
    • Establish the context of the observed information/data
    • Assimilate external threat data and threat intelligence
    • Apply internal and external sources of intelligence to an incident

    3.     Interacting with Information (Identifying Events)

    • Become the ‘eyes on glass’
    • Analyze logs from distributed system and network security devices
    • Monitor all alerting systems
    • Inspect network packet data
    • View information using a console

    4.     Correlating Events

    • Define event correlation o Use several correlation engines
    • Assist in the identification of potential computer and communications security issues
    • Correlate events and incidents with knowledge base of historical events and incidents

    5.     Triaging Events

    • Follow the triage process
    • Prioritize incidents
    • Apply standard operating procedures

    6.     Analyzing incidents using sources of information

    • Explain the incident – is your system infected?
    • Demonstrate fundamental understanding of all standard information sources
    • Determine whether an incident occurred and handle appropriately

    7.     Escalation and Handoff

    • Escalate an event for further analysis to the incident handler
    • Follow the SLA to resolution or escalation
    • Standard operating procedures and analysis

    8.     Documenting and Communicating Issues

    • Update the internal knowledge base and wiki
    • Perform maintenance activities on security related databases
    •  Assimilate external threat data and threat intelligence
    • Học tại Hồ Chí Minh

    • Học tại Hà Nội

    • Học trực tuyến


    Các khóa học khác