4 credit/unit hours – Four hours of lecture weekly; one term

This course is designed as an introduction to Security Operation Centers (SOCs) and the work analysts do in them. The course material and hands-on lab exercises prepare students for work as a Tier 1 Analyst in a SOC, performing various duties (e.g., mapping networks; scanning systems for vulnerabilities; monitoring networks and hosts; Security Information and Event Management (SIEM) administration).

Learning Objectives

Upon completion of this course the learner will be able to:

  • Monitor, detect, and analyze potential intrusions in real time and through historical trending on security-relevant data sources;
  • Scan systems for vulnerabilities;
  • Operate Computer Network Defense (CND) technologies (e.g., Intrusion Detection Systems (IDSes), data collection/analysis systems);
  • Describe countermeasure deployment coordination measures;
  • Provide situational awareness and reporting on cybersecurity status, incidents, and trends in adversary behavior to appropriate personnel;
  • Leverage information from a variety of external sources that provide insight into threats, vulnerabilities, and adversary Tactics, Techniques, and Procedures (TTPs); and
  • Operate as part of an Incident Response (IR) team.

Main Topics

1.0 Introduction to a Security Operations Center (SOC)

  • What is it?
  • Mission and operations tempo
  • Characteristics
  • Capabilities
  • Situational Awareness
  • Incident tip-offs
  • Tools and data quality
  • Agility

2.0 Building a SOC

  • People
  • Processes
  • Tools
  • Threat Intelligence
  • Written authorities
  • Other enabling policies

3.0 Staffing

  • Capabilities
  • Capability maturation
  • Mind-set
  • Background
  • Skillset
  • Work roles
  • Retention

4.0 Technologies

  • Asset inventory
  • Network mapping
  • Vulnerability scanning
  • Network monitoring
  • Host monitoring and defense
  • Security Information and Event Management (SIEM)

5.0 Data Gathering

  • Sensor placement
  • Cost
  • Selecting and instrumenting data sources

6.0 Securing the SOC

  • Isolating network sensors
  • Designing the SOC enclave
  • Sources and methods

7.0 Cybersecurity Threat Intelligence

  • Cybersecurity Threat Analysis Cell (CTAC)
  • Where to get it, what to do with it

8.0 Incident Response (IR)

  • IR preparation
  • Incident identification
  • Containment, eradication, recovery
  • Impact analysis
  • Communication during IR process