Always Learning

Advanced Search

Security Operations Center

Security Operations Center

Building, Operating, and Maintaining your SOC

Joseph Muniz, Gary McIntyre, Nadhem AlFardan

Nov 2015, Paperback, 448 pages
ISBN13: 9780134052014
ISBN10: 0134052013
Special online offer - Save 30%
Was 40.49, Now 28.34Save: 12.15
  • Print pagePrint page
  • Email this pageEmail page
  • Share

Security Operations Center

Building, Operating, and Maintaining Your SOC

The complete, practical guide to planning, building, and operating an effective Security Operations Center (SOC)


Security Operations Center is the complete guide to building, operating, and managing Security Operations Centers in any environment. Drawing on experience with hundreds of customers ranging from Fortune 500 enterprises to large military organizations, three leading experts thoroughly review each SOC model, including virtual SOCs. You’ll learn how to select the right strategic option for your organization, and then plan and execute the strategy you’ve chosen.


Security Operations Center walks you through every phase required to establish and run an effective SOC, including all significant people, process, and technology capabilities. The authors assess SOC technologies, strategy, infrastructure, governance, planning, implementation, and more. They take a holistic approach considering various commercial and open-source tools found in modern SOCs.


This best-practice guide is written for anybody interested in learning how to develop, manage, or improve a SOC. A background in network security, management, and operations will be helpful but is not required. It is also an indispensable resource for anyone preparing for the Cisco SCYBER exam.

· Review high-level issues, such as vulnerability and risk management, threat intelligence, digital investigation, and data collection/analysis

· Understand the technical components of a modern SOC

· Assess the current state of your SOC and identify areas of improvement

· Plan SOC strategy, mission, functions, and services

· Design and build out SOC infrastructure, from facilities and networks to systems, storage, and physical security

· Collect and successfully analyze security data

· Establish an effective vulnerability management practice

· Organize incident response teams and measure their performance

· Define an optimal governance and staffing model

· Develop a practical SOC handbook that people can actually use

· Prepare SOC to go live, with comprehensive transition plans

· React quickly and collaboratively to security incidents

· Implement best practice security operations, including continuous enhancement and improvement

Introduction xx

Part I SOC Basics

Chapter 1 Introduction to Security Operations and the SOC 1

Cybersecurity Challenges 1

Threat Landscape 4

Business Challenges 7

The Cloud 8

Compliance 9

Privacy and Data Protection 9

Introduction to Information Assurance 10

Introduction to Risk Management 11

Information Security Incident Response 14

Incident Detection 15

Incident Triage 16

Incident Categories 17

Incident Severity 17

Incident Resolution 18

Incident Closure 19

Post-Incident 20

SOC Generations 21

First-Generation SOC 22

Second-Generation SOC 22

Third-Generation SOC 23

Fourth-Generation SOC 24

Characteristics of an Effective SOC 24

Introduction to Maturity Models 27

Applying Maturity Models to SOC 29

Phases of Building a SOC 31

Challenges and Obstacles 32

Summary 32

References 33

Chapter 2 Overview of SOC Technologies 35

Data Collection and Analysis 35

Data Sources 37

Data Collection 38

The Syslog Protocol 39

Telemetry Data: Network Flows 45

Telemetry Data: Packet Capture 48

Parsing and Normalization 49

Security Analysis 52

Alternatives to Rule-Based Correlation 55

Data Enrichment 56

Big Data Platforms for Security 57

Vulnerability Management 58

Vulnerability Announcements 60

Threat Intelligence 62

Compliance 64

Ticketing and Case Management 64

Collaboration 65

SOC Conceptual Architecture 66

Summary 67

References 67

Part II: The Plan Phase

Chapter 3 Assessing Security Operations Capabilities 69

Assessment Methodology 69

Step 1: Identify Business and IT Goals 71

Step 2: Assessing Capabilities 73

Assessing IT Processes 75

Step 3: Collect Information 82

Step 4: Analyze Maturity Levels 84

Step 5: Formalize Findings 87

The Organization’s Vision and Strategy 87

The Department’s Vision and Strategy 87

External and Internal Compliance Requirements 87

Organization’s Threat Landscape 88

History of Previous Information Security Incidents 88

SOC Sponsorship 89

Allocated Budget 89

Presenting Data 89

Closing 90

Summary 90

References 90

Chapter 4 SOC Strategy 91

Strategy Elements 91

Who Is Involved? 92

SOC Mission 92

SOC Scope 93

Example 1: A Military Organization 94

Mission Statement 94

SOC Scope Statement 95

Example 2: A Financial Organization 95

Mission Statement 95

SOC Scope Statement 95

SOC Model of Operation 95

In-House and Virtual SOC 96

SOC Services 98

SOC Capabilities Roadmap 99

Summary 101

Part III: The Design Phase

Chapter 5 The SOC Infrastructure 103

Design Considerations 103

Model of Operation 104

Facilities 105

SOC Internal Layout 106

Lighting 107

Acoustics 107

Physical Security 108

Video Wall 108

SOC Analyst Services 109

Active Infrastructure 110

Network 111

Access to Systems 112

Security 112

Compute 115

Dedicated Versus Virtualized Environment 116

Choice of Operating Systems 118

Storage 118

Capacity Planning 119

Collaboration 119

Ticketing 120

Summary 120

References 120

Chapter 6 Security Event Generation and Collection 123

Data Collection 123

Calculating EPS 124

Ubuntu Syslog Server 124

Network Time Protocol 129

Deploying NTP 130

Data-Collection Tools 134

Company 135

Product Options and Architecture 136

Installation and Maintenance 136

User Interface and Experience 136

Compliance Requirements 137

Firewalls 137

Stateless/Stateful Firewalls 137

Cisco Adaptive Security Appliance ASA 138

Application Firewalls 142

Cisco FirePOWER Services 142

Cloud Security 152

Cisco Meraki 153

Exporting Logs from Meraki 154

Virtual Firewalls 155

Cisco Virtual Firewalls 156

Host Firewalls 157

Intrusion Detection and Prevention Systems 157

Cisco FirePOWER IPS 160

Meraki IPS 161

Snort 162

Host-Based Intrusion Prevention 162

Routers and Switches 163

Host Systems 166

Mobile Devices 167

Breach Detection 168

Cisco Advanced Malware Prevention 168

Web Proxies 169

Cisco Web Security Appliance 170

Cloud Proxies 172

Cisco Cloud Web Security 172

DNS Servers 173

Exporting DNS 174

Network Telemetry with Network Flow Monitoring 174

NetFlow Tools 175

StealthWatch 177

Exporting Data from StealthWatch 179

NetFlow from Routers and Switches 182

NetFlow from Security Products 184

NetFlow in the Data Center 186

Summary 187

References 188

Chapter 7 Vulnerability Management 189

Identifying Vulnerabilities 190

Security Services 191

Vulnerability Tools 193

Handling Vulnerabilities 195

OWASP Risk Rating Methodology 197

Threat Agent Factors 198

Vulnerability Factors 198

Technical Impact Factors 200

Business Impact Factors 200

The Vulnerability Management Lifecycle 202

Automating Vulnerability Management 205

Inventory Assessment Tools 205

Information Management Tools 206

Risk-Assessment Tools 206

Vulnerability-Assessment Tools 206

Report and Remediate Tools 206

Responding Tools 207

Threat Intelligence 208

Attack Signatures 209

Threat Feeds 210

Other Threat Intelligence Sources 211

Summary 213

References 214

Chapter 8 People and Processes 215

Key Challenges 215

Wanted: Rock Stars, Leaders, and Grunts 216

The Weight of Process 216

The Upper and Lower Bounds of Technology 217

Designing and Building the SOC Team 218

Starting with the Mission 218

Focusing on Services 219

Security Monitoring Service Example 220

Determining the Required SOC Roles 223

Leadership Roles 224

Analyst Roles 224

Engineering Roles 224

Operations Roles 224

Other Support Roles 224

Working with HR 225

Job Role Analysis 225

Market Analysis 225

Organizational Structure 226

Calculating Team Numbers 227

Deciding on Your Resourcing Strategy 228

Building Your Own: The Art of Recruiting SOC Personnel 229

Working with Contractors and Service Bureaus 229

Working with Outsourcing and Managed Service Providers 230

Working with Processes and Procedures 231

Processes Versus Procedures 231

Working with Enterprise Service Management Processes 232

Event Management 232

Incident Management 233

Problem Management 233

Vulnerability Management 233

Other IT Management Processes 233

The Positives and Perils of Process 234

Examples of SOC Processes and Procedures 236

Security Service Management 236

Security Service Engineering 237

Security Service Operations 238

Security Monitoring 239

Security Incident Investigation and Response 239

Security Log Management 240

Security Vulnerability Management 241

Security Intelligence 241

Security Analytics and Reporting 242

Breach Discovery and Remediation 242

Summary 243

Part IV: The Build Phase

Chapter 9 The Technology 245

In-House Versus Virtual SOC 245

Network 246

Segmentation 247

VPN 251

High Availability 253

Support Contracts 254

Security 255

Network Access Control 255

Authentication 257

On-Network Security 258

Encryption 259

Systems 260

Operating Systems 261

Hardening Endpoints 262

Endpoint Breach Detection 263

Mobile Devices 264

Servers 264

Storage 265

Data-Loss Protection 266

Cloud Storage 270

Collaboration 271

Collaboration for Pandemic Events 272

Technologies to Consider During SOC Design 273

Firewalls 273

Firewall Modes 273

Firewall Clustering 276

Firewall High Availability 276

Firewall Architecture 277

Routers and Switches 279

Securing Network Devices 280

Hardening Network Devices 280

Network Access Control 281

Deploying NAC 282

NAC Posture 284

Architecting NAC 285

Web Proxies 290

Reputation Security 290

Proxy Architecture 292

Intrusion Detection/Prevention 295

IDS IPS Architecture 295

Evaluating IDS IPS Technology 296

Tuning IDS/IPS 298

Breach Detection 300

Honeypots 301

Sandboxes 302

Endpoint Breach Detection 303

Network Telemetry 306

Enabling NetFlow 308

Architecting Network Telemetry Solutions 310

Network Forensics 312

Digital Forensics Tools 313

Final SOC Architecture 314

Summary 317

References 318

Chapter 10 Preparing to Operate 319

Key Challenges 319

People Challenges 319

Process Challenges 320

Technology Challenges 321

Managing Challenges Through a Well-Managed Transition 321

Elements of an Effective Service Transition Plan 322

Determining Success Criteria and Managing to Success 322

Deploying Against Attainable Service Levels 323

Focusing on Defined Use Cases 325

Managing Project Resources Effectively 328

Marching to Clear and Attainable Requirements 329

Staffing Requirements for Go-Live 329

Process Requirements for Go-Live 330

Technology Requirements for Go-Live 331

Using Simple Checks to Verify That the SOC Is Ready 332

People Checks 332

Process Checks 336

Technology Checks 340

Summary 346

Part V: The Operate Phase

Chapter 11 Reacting to Events and Incidents 347

A Word About Events 348

Event Intake, Enrichment, Monitoring, and Handling 348

Events in the SIEM 349

Events in the Security Log Management Solution 350

Events in Their Original Habitats 350

Events Through Communications and Collaboration Platforms 350

Working with Events: The Malware Scenario 351

Handling and Investigating the Incident Report 353

Creating and Managing Cases 354

Working as a Team 355

Working with Other Parts of the Organization 357

Working with Third Parties 359

Closing and Reporting on the Case 362

Summary 363

Chapter 12 Maintain, Review, and Improve 365

Reviewing and Assessing the SOC 366

Determining Scope 366

Examining the Services 367

Personnel/Staffing 369

Processes, Procedures, and Other Operational Documentation 371

Technology 372

Scheduled and Ad Hoc Reviews 373

Internal Versus External Assessments 374

Internal Assessments 374

External Assessments 374

Assessment Methodologies 375

Maturity Model Approaches 375

Services-Oriented Approaches 376

Post-Incident Reviews 378

Maintaining and Improving the SOC 381

Maintaining and Improving Services 381

Maintain and Improving Your Team 383

Improving Staff Recruitment 383

Improving Team Training and Development 384

Improving Team Retention 386

Maintaining and Improving the SOC Technology Stack 387

Improving Threat, Anomaly, and Breach-Detection Systems 388

Improving Case and Investigation Management Systems 391

Improving Analytics and Reporting 392

Improving Technology Integration 392

Improving Security Testing and Simulation Systems 393

Improving Automated Remediation 394

Conclusions 395

9780134052014 TOC 10/12/2015

  • How to organize IT security for an era of unprecedented, fast-changing, and increasingly complex threats
  • Thoroughly introduces SOC roles, technologies, and use cases
  • Helps students systematically assess the maturity of existing security operation environments, and then improve them
  • Guides students through developing their own SOC "playbook"

Joseph Muniz is a consultant at Cisco Systems and security researcher. Joseph started his career in software development and later managed networks as a contracted technical resource. Joseph moved into consulting and found a passion for security while meeting with a variety of customers. He has been involved with the design and implementation of multiple projects, ranging from Fortune 500 corporations to large federal networks. Joseph is the author of and contributor to several books and is a speaker for popular security conferences. Check out his blog, http://www.thesecurityblogger.com, which showcases the latest security events, research, and technologies.

Gary McIntyre is a seasoned information security professional focusing on the development and operation of large-scale information security programs. As an architect, manager, and consultant, he has worked with a wide range of public and private sector organizations around the world to design, build, and maintain small to large security operations teams. He currently holds a Masters degree from the University of Toronto and has also been a long-time (ISC)2 instructor.

Dr. Nadhem AlFardan has more than 15 years of experience in the area of information security and holds a Ph.D. in Information Security from Royal Holloway, University of London. Nadhem is a senior security solution architect working for Cisco Systems. Before joining Cisco, he worked for Schlumbeger and HSBC. Nadhem is CISSP certified and is an ISO 27001 lead auditor. He is also CCIE Security certified. In his Ph.D. research, Nadhem published a number of papers in prestige conferences, such as IEEE S&P and USENIX Security, mainly around cryptoanalysis topics. His work involved him working with organizations such as Google, Microsoft, Cisco, Mozilla, OpenSSL, and many others, mainly to help them assess and fix major findings in the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol. His work is referenced in a number of IETF standards.