MGT551: Building and Leading Security Operations Centers

Overview

MGT551 starts with the critical elements necessary to build your Security Operations Center: understanding your enemies, planning your requirements, making a physical space, building your team, and deploying a core toolset. Throughout this course section, students will learn how to build a strong foundation upon which an SOC can operate, focusing first on the most important users and data, and tailoring defense plans to threats most likely to impact your organization. Through workflow optimization, information organization, and data collection, you will learn how to ensure that your security operations will hit the ground running as efficiently as possible while protecting privileged SOC users and data. Exercises show how to implement these concepts through threat group and asset profiling, mapping likely attack paths into your environment, and implementing use cases repeatable playbooks to identify the threats and attack vectors you have identified.

Exercises

• Threat actor assessment
• Attack path development
• Developing and implementing SOC playbooks

Topics

Introduction

• What we are up against/industry surveys
• The average SOC
• What top-performing SOCs have in common
• SOC trends
• Class goals

SOC Functions

• High-level SOC diagram
• SOC functions
• Core activities
• Auxiliary functions

SOC Planning

• Do you need a dedicated internal SOC?
• What is and what is not a SOC?
• Mission and purpose
• Requirements
• Standards and frameworks
• Policies
• Roles
• Staffing levels
• Constituency
• Steering committee
• Services/Capabilities
• Charter

Team Creation, Hiring, and Training

• Organizational charts
• Choosing a tiered vs. tierless SOC
• Building a dream team
• Interviewing tips and techniques
• Interviewing mistakes and avoiding bias
• Training plans

Building the SOC

• Physical space
• Analyst/SOC IT considerations
• Protecting SOC data

SOC Tools and Technology

• Foundational network and endpoint collection and detection technologies
• "Next-gen" must-have capabilities
• Advanced detection technologies
• Analyst core toolset
• Live response tools
• Playbooks and SOAR
• Planning tools and frameworks

SOC Enclave and Networking

• Requirements for SOC connectivity
• Protecting SOC Data
• SOC networking
• SOC data flow

Overview

Section 2 of MGT551 focuses on expanding our understanding of attacker tactics, techniques, and procedures and how we might identify them in our environment. We will discuss defensive theory and mental models that can guide our assessment and planning efforts, data collection and monitoring priorities, and cyber threat intelligence collection. We will also cover more specialized security monitoring use cases like DevOps, supply chain, insider threat, and business e-mail compromise. Exercises include using the MITRE ATT&CK framework to plan security data collection and writing solid threat intelligence requirements for relevant, timely information that answers your most pressing defensive questions.

Exercises

• Attack Tree Assessment
• Visualizing Attack Techniques and Security Controls
• Writing Priority Intelligence Requirements

Topics

Cyber Defense Theory and Mental Models

• Ops Tempo and the OODA Loop
• Threat modeling
• MITRE ATT&CK/Kill Chain
• Threat Intel - F3EAD
• Pyramid of pain and analytic types
• The SOC as an "infinite game"

Prevention and the Future of Security

• Defensible network architecture
• Hardening at the network and host level
• Zero trust best practices
• Identity security
• Balancing productivity and security

SOC Data Collection

• The SOC data collection system
• Open-source NSM and host-data tools
• Collection issues
• Tactical log collection
• Audit policy flexibility
• Most important data sources
• How to collect data
• Parsing, filtering, enrichment, and storage
• Secure protocols and encrypted traffic analysis

Other Monitoring Use Cases

• DevOps telemetry
• Chaos engineering and security monitoring
• Supply chain security
• Business e-mail compromise
• Insider threat
• Major breach case studies

Using MITRE ATT&CK to Plan Collection

• Key data sources
• Defense mapping
• Assessing your capabilities using DETT&CT

Cyber Threat Intelligence

• Threat intelligence types and sources
• Consuming and producing intelligence
• Mental models for threat intel
• Intel transport and use
• Threat intelligence platforms and integration

Practical Collection Concerns

• Security data collection
• Parsing, filtering, categorization, and normalization
• Data enrichment
• Storage and indexing

Overview

Section 3 of MGT551 is all about improving detections. We begin with effective triage and analysis and then move to more effective alerting mechanisms, starting with the fundamentals of analytic design. We will discuss detection engineering as a core SOC discipline to be planned, tracked, and measured. You will learn a repeatable, data-driven approach to SOC capacity planning and apply that process in a hands-on exercise using custom tools that you can take back to your own environment. We will also cover the different types of proactive threat hunting, see a structured approach that results in measurable improvements to your detection capability, and apply that approach in a hands-on threat hunting lab. Finally, we will look at active defense concepts and their role in a mature security operations capability. Taking the tools, processes, and concepts from section 3 of MGT551 back to your SOC will ensure that no (virtual) stone in your environment remains unturned.

Exercises

• SOC Capacity Planning
• Structuring, Documenting, and Organizing Use Cases
• Planning a Threat Hunt

Topics

Efficient Alert Triage

• Triage approach in various SOC staffing models
• Where to triage alerts
• What analysis must know
• Prioritizing sensitive and high-risk accounts
• Data classification

Capacity Planning

• Basic and complicating factors in triage capacity planning
• Estimating workload
• Factors contributing to alert count
• Determining the "right" number of alerts
• Approaches for handling excessive alerts

Detection Engineering

• SOC threat detection systems
• Analytic outcomes and tuning
• Writing high-fidelity rules
• Use case tracking and storage
• Risk-based scoring and alert aggregation

Analytic and Analysis Frameworks and Tools

• Blue team knowledge standardization and upcoming tools
• ATT&CK Navigator
• Yara
• Sigma
• Jupyter notebooks
• Detection testing labs

Threat Hunting

• What is threat hunting and why is it needed?
• Scheduling
• Data quality
• Hunting process and techniques
• Hunting maturity model
• Showing the value of threat hunting

Active Defense

• What is active defense/deception?
• Active defense techniques and goals
• Active defense tooling

Overview

From toolsets to proven frameworks to tips and tricks learned in countless real-world scenarios, section four covers the full response cycle, from preparation to identification to containment, eradication, and recovery, for operations managers. The fourth section of MGT551 begins with the fundamentals of investigation: effective triage, investigative mindset, and tools for avoiding bias. Then the focus turns to preparing your environment to be defended by deploying security controls, identifying high-value assets and users, and designing playbooks to guide your response efforts. Finally, we will review best of breed incident response tools and free frameworks to guide your planning. Lab exercises in section four include incident response playbook design using the free RE&CT framework, investigation review and quality control, and tabletop exercise development.

Exercises

• Designing Tabletop Exercises
• Planning Incident Response Using RE&CT
• Investigation Quality Control

Topics

Investigation

• Investigation mindset
• Avoiding bias
• Analysis of Competing Hypothesis
• Useful investigative techniques

Incident Response (IR) Planning

• IR policy, plans, and procedures
• Staffing for IR
• Communication guidelines and methods
• Incident response procedure overview

Preparation

• Defensible network architecture
• The Center for Internet Security (CIS) Controls
• Securing high-value assets
• Incident response procedures
• Developing IR playbooks using RE&CT
• Incident response communications

Identification, Containment, and Eradication

• When to call incident
• Triggering the incident response process and assembling the team
• Incident categorization
• Data acquisition
• Containment procedures
• Incident documentation
• Preparing your IR "go bag"
• Threat eradication
• Preserving evidence and engaging law enforcement

Recovery and Post-Incident

• Writing the incident report
• Collecting intelligence
• Additional logging during and after incidents
• IR plan improvement

Incident Response in the Cloud

• Preparing your cloud environment for detection and response
• Containment in the cloud

Dealing with a Breach

• Crisis management process and key functions
• Crisis communications
• Breach case studies

IR Tools

• EDR, NDR, and XDR
• Windows Management Instrumentation and command line incident response
• Live response tools
• Forensic analysis tools
• Malware analysis tools

Continuous Improvement

• Collaborative problem solving
• Improving shared knowledge
• Designing tabletop exercises

Overview

The fifth and final section of MGT551 is all about measuring and improving security operations. We focus on three areas: developing and improving people, measuring SOC performance, and continuous validation through assessment and adversary emulation. We will also cover some of the more challenging elements of managing people in a dynamic and often high-pressure environment: building the right culture, addressing damaging behaviors, and handling common pitfalls of daily operations. By demonstrating value through structured testing and fostering a culture of learning, collaboration, and continuous improvement, we can ensure long term growth and success. In section five, you'll receive the tools, techniques, and insights to do just that. Hands-on exercises will include building skills self-assessments and training plans for your analysts, designing SOC metrics, and continuous assessment and validation.

Exercises

• Building a Skills Self-Assessment and Training Plan
• Creating, Classifying, and Communicating Your Metrics
• Purple Team Assessment

Topics

Staff Retention and Mitigation of Burnout

• Cultivating intrinsic motivation in your team
• SOC human capital model
• Growth, skills, empowerment, and creativity
• Automation, Ops efficiency, management/metrics
• Burnout mitigation tactics for new and experienced analysts
• Optimizing tasks for analyst growth
• Performance management

Metrics, Goals, and Effective Execution

• Daily Ops vs. initiatives
• Metrics vs. KPIs. vs. OKRs

• Selecting Metrics

  • Metrics sampling rates

• Selecting KPIs

  • Organizing operational measures
• Creating OKRs
• Successful execution
• Metrics types
• Goal setting
• Acting on the right metrics
• Scoreboards
• Keeping a cadence of accountability

Measurement and Prioritization Issues

• Levels and types of measurement
• The downside of risk matrices and CVSS scoring
• The right kinds of measurements
• Quantitative and qualitative measurement with examples

Strategic Planning and Communications

• Building a strategic SOC plan
• Executing your strategic plan
• Maintaining direction, alignment, and commitment
• Measuring SOC maturity with SOC-CMM
• Storytelling and visualization in security

Analytic Testing and Adversary Emulation

• Analytic testing
• Analytic testing tools
• Automated assessments
• Penetration testing, red teaming, and adversary emulation
• Purple team vs. red team execution and benefits
• Purple teaming
• Benefits
• Methodology and execution
• Reporting and tracking tools

Automation and Analyst Engagement

• Types of automation
• A 5-step approach to applying automation in the SOC
• Automating SOC workflows with SOAR
• Six sigma concepts
• Gamification of SOC tasks and workflows
• Optimizing for continuous engagement