Cybersecurity involves carrying out complete and continuous activities to investigate and eliminate threats. As a recommended solution, a security operations center (SOC) allows an organization to achieve a level of security by monitoring the operation of information systems security, providing the appropriate response to security incidents as well as to detected anomalies. The book The modern security operations center provides all those interested in this topic with a solid knowledge base to address new security issues for any organization, regardless of its size. Whether beginners or security professionals, readers will find in this book vendor-neutral products for designing and implementing a modern SOC, from the perspective of new solutions for processes such as the management of risk, vulnerabilities, and incidents; of cloud-based and software-defined WAN (SD-WAN) technologies; of integration, automation, and orchestration; as well as of specialist training.
The modern security operations center is structured in 11 chapters, each chapter incorporating a summary and reference list and citing several resources, many of them free. It is beneficial for the reader that some topics such as concepts are addressed in the first chapters more concisely, to later be developed in the following chapters dedicated to more detailed discussion.
Chapter 1 is a step-by-step approach to the basic concepts of cybersecurity as well as to those specific to building an organization’s tailored SOC, based on people, processes, and technologies, in the context of cyber threats, risks, and vulnerabilities. Identified as a challenge for any organization, the development of a mature SOC is presented as being program- and model-based, grounded in an assessment of objectives and capabilities. The solutions are carefully analyzed, argued, and exemplified.
Chapter 2 illustrates the key points to consider when developing an organization-specific SOC, beginning with setting its mission and aim and continuing with its planning, design, construction, and operation. The main aspects related to the network and its security are addressed and modeling and implementation solutions are indicated, along with their careful analyses and correct argumentation.
In line with the FIRST computer security incident response team (CSIRT) services framework and the NIST cybersecurity framework (CSF), chapter 3 identifies, explains, and exemplifies eight basic services of modern SOCs. They are recommended to organizations regardless of the solution adopted, either the use of an internal SOC (in-house SOC) or of an external SOC (SOC-as-a-service company), and in relation to the work environment, people, and technology.
Chapter 4 refers to one of the main pillars of the existence of a SOC, namely people. To be effective, modern SOCs need specialized people who hold security clearances, with skills that qualify them for positions specific to the provision of each of the implemented SOC services. Along with a wide range of SOC job roles, the National Initiative for Cybersecurity Education (NICE) framework is recommended as a resource that strengthens the relationship between cybersecurity job requirements and the cybersecurity workforce. Recommendations are provided on the development, planning, training, and education of the workforce recruited for a SOC.
For modern SOCs, centralized security data is recommended, as this supports automated tasks, data reuse, data sharing, and a more productive, uninterrupted workflow. This is the solution covered in chapter 5, which presents some SOC-specific data types, their formats, as well as ways to evaluate and interpret them. A central point of this chapter is the very precise and intuitive explanation of the security information and event management (SIEM) tools used to simultaneously manage security events and information within an organization, allowing it to centralize all security information in a single tool. Examples based on Splunk and IBM QRadar SIEM tools are especially useful for the reader.
Assessing risk, formulating a strategic plan through appropriate policies and procedures, and implementing security risk management and monitoring capabilities to support compliance are fundamental requirements of a SOC. Chapter 6 addresses the need for any organization to develop and evaluate policies and procedures to serve as a basis for its security strategy. Several standards, guidelines, and frameworks are presented and used as beneficial solutions for evaluating a strategic security plan, along with appropriate auditing solutions.
Chapter 7 explains the difference between threat data and threat intelligence, in the context that, at the level of a SOC, faster and more informed security decisions are made based on threat intelligence. Threat intelligence is presented and exemplified by category, along with solutions, including security tools, for its assessment, planning, collection, and processing.
Chapter 8 outlines ways to respond to an incident to enable the rapid resolution of security issues after discovery. Solutions and templates are specified to create an incident response plan to protect a system against new and old attacks, but also to adjust the plan as needed when new information is obtained.
Chapter 9 highlights key aspects of vulnerability management. The six phases of the vulnerability management model allow the reader to benefit from very well-structured material, accompanied by solutions and their analyses, templates, frameworks, and utilities, to which are added a series of recommendations based on the author’s experience. These focus on both proactive solutions, which require identifying and resolving risks before an attack occurs, and reactive solutions, which require a quick response to resume activity following an attack.
Chapter 10 covers two topics of great interest to a SOC: orchestration, which focuses on technologies that coordinate the response to cyber threats, and automation, which covers technologies that enable automated and orchestrated workflows within security operations. The coordination, execution, and automation of tasks between various people and tools, all in a single SOC platform, are presented by the author through the comprehensive security orchestration, automation, and response (SOAR) approach. DevOps, network programmability, and cloud programmability are key points of a modern SOC; this chapter deepens the reader’s understanding of these topics.
Orchestration and automation are also present when we refer to the future of the SOC, of course with new opportunities for services, employee training, and technology. Chapter 11 highlights this aspect and is a guide for the reader to move from what the SOC is today to what it could be by addressing topics of great interest: software-defined wide area networking (SD-WAN), secure access service edge (SASE), which converges WANs and network security services into a single service model delivered in the cloud, artificial intelligence (AI), and machine learning.
With extensive experience in the field of information security, the author offers readers a wide-ranging work. It is an excellent book, very well structured and documented and very well written. The use of clear language, with many practical examples and rich bibliographic references, makes The modern security operations center a particularly accessible work, both for readers unfamiliar with or unsure of the subject and for professionals in the field. Hence, I highly recommend this book to anyone who wants a solid guide to building and maintaining a truly modern, mature SOC, one that is ready for the threats an organization may face.