INFOASEC - Module 2
Cybersecurity Analyst
SOC job role that processes security alerts and forwards tickets to Tier 2 if necessary.
Incident Responder
SOC job role responsible for deep investigation of incidents
SIEM (acronym)
Security Information and Event Management
SOC Acronym
Security operations center
Event collection, correlation, and analysis; security monitoring; security control; log management; vulnerability assessment; vulnerability tracking; threat intelligence
Technologies in a SOC should include the following:
Tier 3 Threat Hunter
These professionals have expert-level skill in network, endpoint, threat intelligence, and malware reverse engineering.
Tier 1 Alert Analyst
These professionals monitor incoming alerts, verify that a true incident has occurred, and forward tickets to Tier 2, if necessary.
SOC services
These services include monitoring threats to network security and managing comprehensive solutions to fight against threats. Ensuring secure routing exchanges and providing secure Internet connections are tasks typically performed by a network operations center (NOC). Responding to facility break-ins is typically the function and responsibility of the local police department.
Tier 3 Threat Hunter
They are also deeply involved in hunting for potential threats and implementing threat detection tools.
Tier 3 Threat Hunter
They are experts at tracing the processes of the malware to determine its impact and how it can be removed.
SOC Manager
This professional manages all the resources of the SOC and serves as the point of contact for the larger organization or customer.
to include predefined playbooks that enable automatic response to specific threats
What is a characteristic of the SOAR security platform?
to analyze all the data that firewalls, network appliances, intrusion detection systems, and other devices generate and institute preventive measures
What is the role of SIEM?
Dwell Time
Which KPI metric does SOAR use to measure the length of time that threat actors have access to a network before they are detected and their access is stopped?
MTTD
Which metric is used in SOCs to evaluate the average time that it takes to identify that valid security incidents have occurred in the network?
CompTIA
Which organization offers the vendor-neutral CySA+ certification?
threat intelligence, security monitoring, vulnerability tracking
Which three technologies should be included in a security information and event management system in a SOC?
1. Monitoring network security threats 2. Managing comprehensive threat solutions
Which two services are provided by security operations centers?
KPI
are devised to measure different aspects of SOC performance
SIEM and security orchestration, automation and response (SOAR)
are often paired together as they have capabilities that complement each other.
SIEM systems
are used for collecting and filtering data, detecting and classifying threats, and analyzing and investigating threats.
SIEM (as device)
device that integrates security information and event management into a single platform
ticketing system
frequently used to assign alerts to a queue for an analyst to investigate.
Tier 2 Incident Responder
involved in deep investigation of incidents
Tier 1 personnel
SOC personnel who are assigned the task of verifying whether an alert triggered by monitoring software represents a true security incident
SOAR (acronym)
security orchestration, automation and response
Mean Time to Detect (MTTD)
the average time that it takes for the SOC personnel to identify that valid security incidents have occurred in the network.
Mean Time to Respond (MTTR)
the average time that it takes to stop and remediate a security incident.
dwell time
the length of time that threat actors have access to a network before they are detected, and their access is stopped.
Mean Time to Contain (MTTC)
the time required to stop the incident from causing further damage to systems or data.
Time to Control
the time required to stop the spread of malware in the network.
further investigating security incidents
A network security professional has applied for a Tier 2 position in a SOC. What is a typical job function that would be assigned to a new employee?
an SME for further investigation
After a security incident is verified in a SOC, an incident responder reviews the incident but cannot identify the source of the incident and form an effective mitigation procedure. To whom should the incident ticket be escalated?
SOAR Orchestration
Creates a customized platform that integrates and coordinates numerous security tools and resources.
SOC technologies include one or more of the following:
Event collection, correlation, and analysis; security monitoring; security control; log management; vulnerability assessment; vulnerability tracking; threat intelligence
SOAR Automation
Executes security processes with a minimum amount of human intervention. Helps address the shortage of cybersecurity analyst talent and increases efficiency.
by collecting and filtering data
How can a security information and event management system in a SOC be used to help personnel fight against security threats?
52.56
If a SOC has a goal of 99.99% uptime, how many minutes of downtime a year would be considered within its goal?
ticketing system
In the operation of a SOC, which system is frequently used to let an analyst select alerts from a pool to investigate?
KPI (acronym)
Key Performance Indicator
SOAR Response
Prescribes and executes security procedures to be followed in response to security events. Can take the form of security runbooks that consist of rule-based automated responses created to address specific types of events.