Security Operations Center Architecture (SoC) - DRAFT in progress
Author Rob Campbell
Version 0.02
Last Update 5/5/2020
Information Security
Threat Assessment
Threat Identification
Threat Modelling
Risk Reporting
Security Intelligence and Investigation
Intelligence Gathering
Intelligence Triage
Intelligence Dissemination
Security Engineering
Secure Build Design
Secure by Design - Definition and Service Design
Security Design Assurance
Security Design
IT (IT Security)
Principles
Security function must be coordinated centrally
Defense-in-depth architecture
Centralised Threat intelligence
Maximise Reuse of existing capability
Use best of breed where possible
Use COTS products where possible
Goals
Respond rapidly and effectively to Cyber alerts
Provide effective and relevant threat intelligence
Use breach data for lessons learnt and control improvement
To be proactive in identifying, containing and treating security issues and incidents
To prevent exploitation of vulnerabilities leading to compromise
Share and Consume Intelligence Data
Detect and respond to unusual activity.
Monitor and respond to available intelligence
Reduction of Cyber Security and Privacy risks to tolerable levels
Keep abreast of current threats
Drivers
The business is a high value target for cyber criminals
Regulation
GDPR penalties are high.
The business depends on maintaining a good reputation. A disclosed incident could significantly damage our reputation
Increasing Threat Environment increasing the likelihood of a breach occurring.
Security Team Responsibilities
Security Testing
Penetration Testing - External
Penetration Testing - Internal
Vulnerability Scanning
Design Assessment
Developer Responsibilities
Developers
Secure Coding
Secure Code Testing
Code Signing
Security Operations Team Roles
Cyber Analyst
SIEM Engineer
Security SME
Threat Analyst
SoC Delivery Manager
Senior Security Analyst
SoC Manager
Red Team Analyst
SoC Responsibilities
First Response
Call Centre - first response
Real Time Monitoring and triage
Industry news analysis
Incident Triage
2nd Level
Incident Analysis
Incident Investigation
Forensic Artifact Handling
Malware Analysis
Trend Analytics
Vulnerability Analytics
Trending and Analysis
Threat Hunting
Intelligence Direction
Intelligence Collection
Intelligence Processing
Intelligence Dissemination
Misuse and Abuse Case Development
Cyber Threat Analysis
SoC Engineering
Sensor and SIEM Tuning
Scripting and Automation
Tooling Deployment and Maintenance
SoC Delivery Management
Operational Oversight
Reporting
Incident Management Oversight
Security Operation Service Improvement
Crisis Escalation and Management
Media Management
SoC Manager
Stakeholder Communication
Policy Development
Escalation
Incident Review
Service Improvement
Crisis Communication Planning
Red Team Analyst
Breach Simulation
Security Testing
Reduce the vulnerabilities present within the architecture
Determine the impact and scale of a security breach
Prevent unauthorised changes to configuration
Reduce the attack surface on supported end points
DevOps Vulnerability Detection and Remediation Capability
Code review
Composition Analysis Tool
Static Analysis Testing Tool
Dynamic Application Security Testing Tool
Reduce vulnerabilities in code and deployed applications
Detect poor coding practices
Detect vulnerable software components and monitor
Check running applications for security vulnerabilities
Baseline Build Compliance Checking
Vulnerability Detection and Remediation
Penetration Testing
Secure Build
Code Testing
Vulnerability Scanner
Patch Deployment Tooling
Rebuild Vulnerable Containers
Patching
Security Team
Vulnerability Management Capability
Vulnerability Scanner
Reduce the number of Vulnerabilities present within organisation assets.
Infrastructure Vulnerability Scan
Vulnerability Detection and Remediation
Static Application Security Testing (SAST)
Dynamic Application Security Testing (DAST)
Composition Analysis
Penetration Testing
Patching
Breach and Attack Simulation
Patch Deployment Tooling
Breach and Attack Simulation
Secure Build Testing
Improve SIEM Rules (SIGMA Rule Generation)
Security Monitoring Capability
Windows Event Log
Syslog
SIEM
Logs
Rules
Detect and respond to unusual activity.
Security Monitoring - Gather
Security Monitoring - Analyse
Security Monitoring - Determine
Security Monitoring - Respond
Security Monitoring - Recover
Security Orchestration, Automation and Response (SOAR)
Build and Build Compliance Processes
Build Compliance Reporting
Baseline Build Compliance Checking
Baseline Build Maintenance
Penetration Testing
Baseline Build Remediation
Build Compliance MI Generation and Distribution
Build Standards
Pentest Report
Build Design
Build Compliance Report
Build Compliance Schedule
Build Compliance MI
Secure Baseline Build Design
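The build compliance process above (Build Standards feeding Baseline Build Compliance Checking, Remediation, the Build Compliance Report and Build Compliance MI) can be exercised end to end on a captured configuration. The following is an added example and not part of the original model: the build standard, the two sshd_config captures and the host names are constructed for illustration, and the standard is deliberately small.

```python
"""Baseline build compliance check against a build standard.
Added example, not part of the original model: the build standard, the captured
sshd_config text and the host names are all constructed for illustration."""
import re

# Build Standard (constructed): setting -> (acceptable values, severity when non-compliant)
BUILD_STANDARD = {
    "Protocol": ({"2"}, "high"),
    "PermitRootLogin": ({"no"}, "high"),
    "PasswordAuthentication": ({"no"}, "high"),
    "MaxAuthTries": ({"3", "4"}, "medium"),
    "LogLevel": ({"INFO", "VERBOSE"}, "medium"),
    "X11Forwarding": ({"no"}, "low"),
}

def parse_sshd_config(text):
    """Parse 'Key value' / 'Key=value' lines; comments are dropped and, as sshd
    does, the first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings

def check_build(host, config_text, standard=BUILD_STANDARD):
    """Baseline Build Compliance Checking: one finding per setting in the standard.
    A setting absent from the config is a failure too: the daemon default is then
    in force and the standard cannot be shown to hold."""
    actual = parse_sshd_config(config_text)
    findings = []
    for key, (allowed, severity) in standard.items():
        value = actual.get(key)
        status = "pass" if value in allowed else ("missing" if value is None else "fail")
        findings.append({"host": host, "setting": key, "expected": sorted(allowed),
                         "actual": value, "status": status, "severity": severity})
    return findings

def remediation(findings):
    """Baseline Build Remediation: the config lines that bring the host to standard."""
    return [f'{f["setting"]} {f["expected"][0]}' for f in findings if f["status"] != "pass"]

def build_compliance_report(findings):
    """Build Compliance Report: one line per non-compliant setting, worst severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = sorted((f for f in findings if f["status"] != "pass"), key=lambda f: order[f["severity"]])
    return [f'{f["host"]}: {f["setting"]}={f["actual"]} expected {"/".join(f["expected"])} '
            f'[{f["severity"]}, {f["status"]}]' for f in rows]

def build_compliance_mi(results):
    """Build Compliance MI: per-host compliance percentage and open high-severity count."""
    mi = {}
    for host, findings in results.items():
        passed = sum(f["status"] == "pass" for f in findings)
        highs = sum(f["status"] != "pass" and f["severity"] == "high" for f in findings)
        mi[host] = {"compliance_pct": round(100 * passed / len(findings)), "open_high": highs}
    return mi

# Constructed captures; not real hosts. web01 drifts from the standard, db01 matches it.
WEB01_SSHD = """
# sshd_config captured from web01 (constructed)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
PermitRootLogin no   # ignored: sshd keeps the first PermitRootLogin above
"""
DB01_SSHD = """
Protocol 2
PermitRootLogin no
PasswordAuthentication = no
MaxAuthTries 3
LogLevel VERBOSE
X11Forwarding no
"""

RESULTS = {"web01": check_build("web01", WEB01_SSHD), "db01": check_build("db01", DB01_SSHD)}

if __name__ == "__main__":
    for line in build_compliance_report(RESULTS["web01"]):
        print(line)
    print(remediation(RESULTS["web01"]))
    print(build_compliance_mi(RESULTS))
```

The "missing" status is the check a practitioner wants: a baseline that only fails on explicitly wrong values lets a host drift silently when the setting is never written and the daemon default applies. The duplicate PermitRootLogin line shows why the parser must copy sshd's first-wins rule rather than a generic last-wins parse.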
Vulnerability Scanning Processes
Configuration Maintenance
Vulnerability Signature Updates
Vulnerability Reporting
Vulnerability Scan
Vulnerability Remediation
Identify Targets and Maintain Target Asset Database
CVE Sources
Vulnerability Scanning Schedule
Vulnerability Management Policy
Vulnerability Scanning MI Generation and Distribution
Vulnerability Scanning MI
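The vulnerability scanning process above (target asset database, CVE sources and signature updates, scheduled scan, policy-driven remediation, reporting and MI) as an added example that is not the original model's tooling. The asset inventory, the feed entries (the CVE-0000-* identifiers are placeholders, not real advisories), the policy thresholds, SLA days and dates are all constructed.

```python
"""Vulnerability scanning process: asset database, signature (CVE feed) updates,
scan, policy-driven remediation deadlines and MI. Added example, not the original
model's tooling. Assets, feed entries (CVE-0000-* are placeholder identifiers, not
real advisories), policy thresholds and dates are constructed."""
import re
from datetime import date, timedelta

# Identify Targets and Maintain Target Asset Database (constructed): host -> {product: version}
ASSETS = {
    "web01": {"openssl": "1.1.1f", "nginx": "1.18.0", "openssh": "8.2p1"},
    "db01": {"openssl": "1.1.1k", "postgresql": "12.4"},
}

# CVE Sources: constructed feed entries in the shape a signature update would carry.
CVE_FEED = [
    {"id": "CVE-0000-0001", "product": "openssl", "introduced": "1.1.1", "fixed_in": "1.1.1k", "cvss": 7.5, "modified": "2020-04-01"},
    {"id": "CVE-0000-0002", "product": "nginx", "introduced": "0.6.18", "fixed_in": "1.20.1", "cvss": 9.8, "modified": "2020-04-20"},
    {"id": "CVE-0000-0003", "product": "openssh", "introduced": "1.0", "fixed_in": "8.2p1", "cvss": 5.3, "modified": "2020-03-15"},
    {"id": "CVE-0000-0004", "product": "postgresql", "introduced": "12.0", "fixed_in": "12.5", "cvss": 6.5, "modified": "2020-05-01"},
]

# Vulnerability Management Policy (constructed): CVSS floor -> (severity, remediation SLA in days)
POLICY = [(9.0, "critical", 7), (7.0, "high", 30), (4.0, "medium", 90), (0.0, "low", 180)]

def parse_version(v):
    """Split '1.1.1k' / '8.2p1' into comparable parts; numeric parts sort before letters."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[A-Za-z]+", v)]

def is_affected(version, introduced, fixed_in):
    """Affected when introduced <= version < fixed_in (the fixed version itself is clean)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed_in)

def update_signatures(store, feed):
    """Vulnerability Signature Updates: merge a feed into the store, newest 'modified' wins."""
    for sig in feed:
        current = store.get(sig["id"])
        if current is None or sig["modified"] > current["modified"]:
            store[sig["id"]] = sig
    return store

def classify(cvss):
    """Map a CVSS score onto the policy's severity band and SLA."""
    for floor, severity, sla_days in POLICY:
        if cvss >= floor:
            return severity, sla_days
    return "low", 180

def scan(assets, signatures, scan_date):
    """Vulnerability Scan: match every installed product against the signature store."""
    findings = []
    for host, packages in assets.items():
        for sig in signatures.values():
            version = packages.get(sig["product"])
            if version and is_affected(version, sig["introduced"], sig["fixed_in"]):
                severity, sla_days = classify(sig["cvss"])
                findings.append({"host": host, "cve": sig["id"], "product": sig["product"],
                                 "installed": version, "fixed_in": sig["fixed_in"],
                                 "cvss": sig["cvss"], "severity": severity,
                                 "due": scan_date + timedelta(days=sla_days)})
    return sorted(findings, key=lambda f: -f["cvss"])

def vulnerability_report(findings):
    """Vulnerability Reporting: one remediation line per finding, highest CVSS first."""
    return [f'{f["host"]} {f["product"]} {f["installed"]} -> upgrade to {f["fixed_in"]} '
            f'({f["cve"]}, {f["severity"]}, due {f["due"].isoformat()})' for f in findings]

def vulnerability_mi(findings, today):
    """Vulnerability Scanning MI: totals, split by severity, and findings past their SLA."""
    by_sev = {}
    for f in findings:
        by_sev[f["severity"]] = by_sev.get(f["severity"], 0) + 1
    return {"total": len(findings), "by_severity": by_sev,
            "overdue": sum(f["due"] < today for f in findings)}

SIGNATURES = update_signatures({}, CVE_FEED)
FINDINGS = scan(ASSETS, SIGNATURES, scan_date=date(2020, 5, 5))
TODAY = date(2020, 5, 20)  # constructed MI reporting date
MI_SUMMARY = vulnerability_mi(FINDINGS, TODAY)

if __name__ == "__main__":
    print("\n".join(vulnerability_report(FINDINGS)))
    print(MI_SUMMARY)
```

Two details matter in practice. Version comparison has to treat the fixed version as clean and cope with suffixes such as `1.1.1k` or `8.2p1`; a plain string comparison gets both wrong. And the SLA is attached at scan time from the policy, so the MI can report overdue findings without re-deriving the policy later.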
Security Monitoring Processes
Security Monitoring - Gather
Security Monitoring - Analyse
Security Monitoring - Determine
Security Monitoring - Respond
Security Monitoring - Recover
Log Data
Security Monitoring - MI Generation and Distribution
Protective Monitoring MI
Log Configuration
Business Misuse and Abuse Cases
System Misuse and Abuse Cases
Security Monitoring - Maintain
SIEM Configuration Management
Define and Maintain Correlation Rules
Define and Maintain Analysis Rules
Define and Maintain Misuse and Abuse Cases
Define and Maintain Capture and Alerting Requirements
Define and Maintain Audit Conditions
Define and Maintain Compliance Checks
Define and Maintain Intelligence Queries
Security Monitoring Design
Logging Design
Security Log Collection - Syslog
Security Log Collection - Windows Event Log
Security Log Collection - Other
SIEM
Define and Maintain SOAR workflows.
Incident Management Processes
Incident Identification and Reporting
Incident Logging
Incident Investigation
Incident Resolution and Recovery
Incident Closure
Incident Reporting
Incident Escalation
Incident Management MI Generation and Distribution
Incident Report
Incident Management MI
Incident Record
Crisis Management
Security Incident - Advice and Guidance Guidelines
Incident Management Tooling
Intelligence Management Processes
Produce Intelligence Summary Report
Produce Intelligence Threat Report
Produce Intelligence Thematic Report
Produce Intelligence Report
Strategy Development
External Malware Intelligence
External Threat Summary
Industry News
Intelligence from Partners
Internal Intelligence Sources
Gather Intelligence
Triage Intelligence
Respond
Manage Intelligence Feeds
Developers
Network Team
Maintain WAFs
Maintain IDS/IPS
Server Team
Build Compliance
Define and Maintain Builds
Build Compliance Checking
Operate and Maintain Infrastructure as Code (IAC)
System Hardening
Security Patching
Breach and Attack Simulation
Prevent vulnerabilities from being exploited
Endpoint Protection
Endpoint UEBA Application
Anti Malware
Prevent Web Attacks
Web Application Firewall
Prevent Malware from executing
Intrusion Detection and Prevention (IDS/IPS)
Cloud Access Security Broker (CASB)
Work with external Cyber security communities, regulators and other groups
Crisis Management Processes
Crisis Team Formation
Media Management
Internal Comms
Customer Reporting
Crisis Preparation and Testing
Crisis Simulations
Scenario Planning
Crisis Reporting
Security Monitoring Service - Overarching Process Flow
Security Monitoring - Gather
SIEM Log Database
SIEM - Aggregate Data
SIEM - Normalise data
SIEM - Gather Event Data
Events
SIEM - Enrich Data
SIEM - Capture Event Data
SIEM - Maintain Event Data
Create Logging Configuration
Service Provider
Subject Matter Expert (SME)
Project Team
Define Capture and Alerting Requirements
Log Sources
System A
System B
Device A
Events
Events
Events
SIEM - Define Correlation Rules
SIEM - Define Analysis Rules
SIEM - Define Classification and Priority
Audit Query
Intelligence Query
Define Rules in SIEM
Security Monitoring - Analyse
SIEM - Analyse
SIEM - Correlate
Security Monitoring - Determine
SIEM - Triage
SIEM - Classify
SIEM - Prioritise
Sec Mon - Investigate
Define Compliance Checks
Security Monitoring - Respond
Reports
Risk Assessment
Audit Report
Learning Points
Trend Reports
Threat Reports
Sec Mon - Respond
Raise Incident
Produce Recommendations
Monitor and Report
Incident Management
Initiate Crisis Management
Crisis Management
Initiate Forensics
Digital Forensics
Sec Mon - Continuous Improvement
SIEM
Security Monitoring - Recovery
Recover and Repair
Restore from Backup
Rebuild System
Customer Communications
Legal Response
Media Management
GDPR Reporting
Manage Reputation
Define Threat Hunting Query
SIEM Engineer
Cyber Analyst
Senior Security Analyst
Audit and Investigations Consultant
Threat Analyst
Maintain - Continuous Improvement
Sec Mon - Maintain Data Integrity
Sec Mon - Replay Queries
Sec Mon - Update Log Inventory
Sec Mon - Tune Rules
Sec Mon - Maintain Misuse and Abuse Cases
Governance, Risk and Compliance Consultant
Security Orchestration, Automation and Response (SOAR)
Security Orchestration, Automation and Response
Key
Business Driver
Business Goal
Principles
Business Role
Business Actor
Assessment or Description
Business Process
Business Service (Capability)
Data or Report
Technology Process
Node
Equipment
Device
Artifact
Technology Service
Technology Event
Technology Function
System Software
Application Service
Audit and Investigations Consultant
Security Intelligence Service - Overarching Process Flow
Replay Attack Scenario Development
Obtain Intelligence
MI and Reporting
Internal Intelligence Sources
SIEM Feed
EDR Alerts
Business Strategy
Technology Strategy
Operational Alert
Malware Alert
Evaluate Intelligence
Intelligence Interrogation
Define Intelligence Queries
Maintain Intelligence Queries
Execute Intelligence Queries
Threat Hunting
External Intelligence Sources
Malware Intelligence Feed
Threat Intelligence Feeds
Vulnerability Feeds
Peer Sharing (Industry Intelligence)
Malware Detection and Response
Malware Event
Internal Threat Hunting
Replay Attack Scenario
Intelligence Report
Disseminate Intelligence
Enrich Intelligence
Test Intelligence against SIEM
Social Media Threat Hunting
Intelligence Correlation
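The Security Monitoring Service flow (SIEM - Capture, Normalise, Enrich, Correlate, Triage, Classify, Prioritise) and the Security Intelligence Service step of testing intelligence against the SIEM both come down to one event store built from normalised logs. The following is an added example, not the model author's code, that walks both flows over constructed input: the hosts, the IP addresses (documentation TEST-NET ranges), the syslog and Windows Security event samples, the asset criticality table and the intelligence feed are all constructed, and the correlation rule and priority scoring are illustrative choices rather than anything the model prescribes.

```python
"""Security monitoring flow over constructed events: Gather (capture, normalise,
enrich) -> Analyse (correlate) -> Determine (classify, prioritise), plus an
intelligence query run against the resulting event store. Added example, not the
model author's code. Hosts, IP addresses (TEST-NET ranges), log lines, asset
criticality and the intelligence feed are all constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+)")
WIN_ACTIONS = {4625: "auth_failure", 4624: "auth_success"}  # Windows Security event IDs

# Constructed intelligence feed and asset criticality used for enrichment.
INTEL = {"203.0.113.45": {"confidence": 80, "tag": "ssh-bruteforce-scanner"}}
ASSET_CRITICALITY = {"dc01": 3, "web01": 2}  # 3 = domain controller; 1 is the default

def normalise_syslog(line, year=2020):
    """SIEM - Normalise: map an sshd syslog line onto the common schema, or None if
    it is not an authentication event (syslog carries no year, so one is supplied)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "user": m["user"], "src": m["src"],
            "action": "auth_failure" if m["outcome"] == "Failed" else "auth_success",
            "source": "syslog"}

def normalise_windows(evt):
    """SIEM - Normalise: map a forwarded Windows Security event (dict as a collector
    ships it) onto the same schema; event IDs outside the rule set are dropped."""
    if evt["EventID"] not in WIN_ACTIONS:
        return None
    return {"ts": datetime.fromisoformat(evt["TimeCreated"]), "host": evt["Computer"],
            "user": evt["TargetUserName"], "src": evt["IpAddress"],
            "action": WIN_ACTIONS[evt["EventID"]], "source": "wineventlog"}

def enrich(event):
    """SIEM - Enrich: attach the intelligence match and the asset criticality."""
    return {**event, "intel": INTEL.get(event["src"]),
            "criticality": ASSET_CRITICALITY.get(event["host"], 1)}

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """SIEM - Correlate: at least `threshold` failures from one source IP followed by
    a success from that IP within `window`, on any host. The cross-host view is what
    normalising syslog and Windows events onto one schema buys."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] == "auth_failure":
            failures[e["src"]].append(e["ts"])
        elif e["action"] == "auth_success":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_success", "src": e["src"],
                               "user": e["user"], "host": e["host"],
                               "failures": len(recent), "event": e})
                failures[e["src"]].clear()  # one alert per burst, not one per later success
    return alerts

def classify(alert):
    """SIEM - Classify / Prioritise: rule base severity plus asset criticality, with a
    bump when the source is a confident intelligence match."""
    score = 2 + alert["event"]["criticality"]
    intel = alert["event"]["intel"]
    if intel and intel["confidence"] >= 70:
        score += 2
    priority = "P1" if score >= 6 else "P2" if score >= 4 else "P3"
    return {**alert, "classification": "credential-attack", "score": score, "priority": priority}

def intelligence_query(store, indicators):
    """Test Intelligence against SIEM: every stored event whose source IP is in the
    indicator set, grouped by indicator (an Intelligence Query / hunting run)."""
    hits = defaultdict(list)
    for e in store:
        if e["src"] in indicators:
            hits[e["src"]].append((e["ts"].isoformat(), e["host"], e["action"]))
    return dict(hits)

def run_pipeline(syslog_lines, windows_events):
    """Gather -> Analyse -> Determine; returns the event store and prioritised alerts."""
    normalised = [normalise_syslog(l) for l in syslog_lines] + [normalise_windows(w) for w in windows_events]
    store = [enrich(n) for n in normalised if n]
    return store, [classify(a) for a in correlate(store)]

# Constructed input: one source fails three times on web01 and once on dc01, then succeeds on dc01.
SYSLOG = [
    "May  5 10:00:01 web01 sshd[2112]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2",
    "May  5 10:00:03 web01 sshd[2112]: Failed password for invalid user admin from 203.0.113.45 port 51123 ssh2",
    "May  5 10:00:05 web01 sshd[2112]: Failed password for root from 203.0.113.45 port 51124 ssh2",
    "May  5 10:00:06 web01 sshd[2113]: Accepted password for deploy from 198.51.100.7 port 40022 ssh2",
    "May  5 10:00:07 web01 CRON[2115]: (root) CMD (run-parts /etc/cron.hourly)",
    "May  5 10:01:00 web01 sshd[2114]: Accepted password for backup from 203.0.113.45 port 51130 ssh2",
]
WINDOWS = [
    {"TimeCreated": "2020-05-05T10:00:08", "Computer": "dc01", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
    {"TimeCreated": "2020-05-05T10:00:10", "Computer": "dc01", "EventID": 4624, "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
]
STORE, ALERTS = run_pipeline(SYSLOG, WINDOWS)

if __name__ == "__main__":
    for a in ALERTS:
        print(a["priority"], a["rule"], a["src"], "->", a["host"], a["user"], f"after {a['failures']} failures")
    print(intelligence_query(STORE, set(INTEL)))
```

The point the model's separate Gather and Analyse steps make is visible here: the three ssh failures on web01 and the failed-then-successful logon on dc01 only correlate because both have been reduced to the same `src` / `action` / `ts` schema first. Enrichment is done once at ingest so that prioritisation and the later intelligence query both read the stored event rather than re-querying the feed, which is also where a "Replay Queries" step would pick up when a new indicator arrives after the events were stored.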
Breach and Attack Simulation Service
Breach and Attack Simulation (BAS)
Define Attack Vectors
Produce Control Failure Reports
Produce Breach Status Reports
Network Designs
Organisation's Threat Matrix
Perimeter Defense Designs
Email System Designs
Raise a Change
Create Sigma Rules
Deploy and Maintain BAS Peers
Historical Attack Detection
Update Secure Builds
Prioritise Patch Schedule
IT Support
Intelligence Management
Provide effective and relevant threat intelligence
Work with external Cyber security communities, regulators and other groups
Governance, Risk and Compliance Consultant
Security Operation Centre - Mission Statement
Security Engineer or Designer
Relationships (source -> target)
Threat Assessment -> Threat Identification
Threat Assessment -> Threat Modelling
Threat Assessment -> Risk Reporting
Security Intelligence and Investigation -> Intelligence Gathering
Security Intelligence and Investigation -> Intelligence Triage
Security Intelligence and Investigation -> Intelligence Dissemination
Security Engineering -> Secure Build Design
Security Engineering -> Secure by Design - Definition and Service Design
Security Engineering -> Security Design Assurance
Security Engineering -> Security Design
Respond rapidly and effectively to Cyber alerts -> To be proactive in identifying, containing and treating security issues and incidents
Provide effective and relevant threat intelligence -> Work with external Cyber security communities, regulators and other groups
To be proactive in identifying, containing and treating security issues and incidents -> Reduce the vulnerabilities present within the architecture
To be proactive in identifying, containing and treating security issues and incidents -> Determine the impact and scale of a security breach
To be proactive in identifying, containing and treating security issues and incidents -> Prevent unauthorised changes to configuration
To be proactive in identifying, containing and treating security issues and incidents -> Reduce the attack surface on supported end points
Detect and respond to unusual activity. -> Respond rapidly and effectively to Cyber alerts
Monitor and respond to available intelligence -> To be proactive in identifying, containing and treating security issues and incidents
Monitor and respond to available intelligence -> Share and Consume Intelligence Data
Reduction of Cyber Security and Privacy risks to tolerable levels -> To be proactive in identifying, containing and treating security issues and incidents
Reduction of Cyber Security and Privacy risks to tolerable levels -> Work with external Cyber security communities, regulators and other groups
Keep abreast of current threats -> Reduction of Cyber Security and Privacy risks to tolerable levels
Security Testing -> Penetration Testing - External
Security Testing -> Penetration Testing - Internal
Security Testing -> Vulnerability Scanning
Security Testing -> Design Assessment
Developers -> Secure Coding
Developers -> Secure Code Testing
Developers -> Code Signing
Security Operations Team Roles -> Cyber Analyst
Security Operations Team Roles -> SIEM Engineer
Security Operations Team Roles -> Security SME
Security Operations Team Roles -> Threat Analyst
Security Operations Team Roles -> SoC Delivery Manager
Security Operations Team Roles -> Senior Security Analyst
Security Operations Team Roles -> SoC Manager
Security Operations Team Roles -> Red Team Analyst
Cyber Analyst -> First Response
Cyber Analyst -> 2nd Level
SIEM Engineer -> 2nd Level
SIEM Engineer -> SoC Engineering
Security SME -> 2nd Level
Threat Analyst -> Trending and Analysis
SoC Delivery Manager -> SoC Delivery Management
Senior Security Analyst -> 2nd Level
SoC Manager -> SoC Manager
Red Team Analyst -> Red Team Analyst
First Response -> Call Centre - first response
First Response -> Real Time Monitoring and triage
First Response -> Industry news analysis
First Response -> Incident Triage
2nd Level -> Incident Analysis
2nd Level -> Incident Investigation
2nd Level -> Forensic Artifact Handling
2nd Level -> Malware Analysis
2nd Level -> Trend Analytics
2nd Level -> Vulnerability Analytics
Trending and Analysis -> Threat Hunting
Trending and Analysis -> Intelligence Direction
Trending and Analysis -> Intelligence Collection
Trending and Analysis -> Intelligence Processing
Trending and Analysis -> Intelligence Dissemination
Trending and Analysis -> Misuse and Abuse Case Development
Trending and Analysis -> Cyber Threat Analysis
SoC Engineering -> Sensor and SIEM Tuning
SoC Engineering -> Scripting and Automation
SoC Engineering -> Tooling Deployment and Maintenance
SoC Delivery Management -> Operational Oversight
SoC Delivery Management -> Reporting
SoC Delivery Management -> Incident Management Oversight
SoC Delivery Management -> Security Operation Service Improvement
SoC Delivery Management -> Crisis Escalation and Management
SoC Delivery Management -> Media Management
SoC Manager -> Stakeholder Communication
SoC Manager -> Policy Development
SoC Manager -> Escalation
SoC Manager -> Incident Review
SoC Manager -> Service Improvement
SoC Manager -> Crisis Communication Planning
Red Team Analyst -> Breach Simulation
Red Team Analyst -> Security Testing
DevOps Vulnerability Detection and Remediation Capability -> Code review
DevOps Vulnerability Detection and Remediation Capability -> Reduce vulnerabilities in code and deployed applications
DevOps Vulnerability Detection and Remediation Capability -> Baseline Build Compliance Checking
DevOps Vulnerability Detection and Remediation Capability -> Vulnerability Detection and Remediation
DevOps Vulnerability Detection and Remediation Capability -> Penetration Testing
DevOps Vulnerability Detection and Remediation Capability -> Secure Build
DevOps Vulnerability Detection and Remediation Capability -> Code Testing
DevOps Vulnerability Detection and Remediation Capability -> Rebuild Vulnerable Containers
DevOps Vulnerability Detection and Remediation Capability -> Patching
Code review -> Reduce vulnerabilities in code and deployed applications
Composition Analysis Tool -> Detect vulnerable software components and monitor
Static Analysis Testing Tool -> Detect poor coding practices
Dynamic Application Security Testing Tool -> Check running applications for security vulnerabilities
Detect poor coding practices -> Code Testing
Detect vulnerable software components and monitor -> Secure Build
Check running applications for security vulnerabilities -> Baseline Build Compliance Checking
Check running applications for security vulnerabilities -> Rebuild Vulnerable Containers
Vulnerability Detection and Remediation -> Reduce vulnerabilities in code and deployed applications
Penetration Testing -> Reduce vulnerabilities in code and deployed applications
Secure Build -> Reduce vulnerabilities in code and deployed applications
Code Testing -> Reduce vulnerabilities in code and deployed applications
Vulnerability Scanner -> DevOps Vulnerability Detection and Remediation Capability
Vulnerability Scanner -> Vulnerability Detection and Remediation
Patch Deployment Tooling -> DevOps Vulnerability Detection and Remediation Capability
Patch Deployment Tooling -> Patching
Rebuild Vulnerable Containers -> Reduce vulnerabilities in code and deployed applications
Security Team -> Security Testing
Vulnerability Management Capability -> Reduce the number of Vulnerabilities present within organisation assets.
Vulnerability Management Capability -> Infrastructure Vulnerability Scan
Vulnerability Management Capability -> Vulnerability Detection and Remediation
Vulnerability Management Capability -> Penetration Testing
Vulnerability Management Capability -> Patching
Vulnerability Management Capability -> Breach and Attack Simulation
Vulnerability Management Capability -> Secure Build Testing
Vulnerability Management Capability -> Improve SIEM Rules (SIGMA Rule Generation)
Vulnerability Scanner -> Infrastructure Vulnerability Scan
Infrastructure Vulnerability Scan -> Reduce the number of Vulnerabilities present within organisation assets.
Vulnerability Detection and Remediation -> Reduce the number of Vulnerabilities present within organisation assets.
Static Application Security Testing (SAST) -> Vulnerability Detection and Remediation
Dynamic Application Security Testing (DAST) -> Vulnerability Detection and Remediation
Composition Analysis -> Vulnerability Detection and Remediation
Penetration Testing -> Reduce the number of Vulnerabilities present within organisation assets.
Patching -> Reduce the number of Vulnerabilities present within organisation assets.
Breach and Attack Simulation -> Vulnerability Management Capability
Breach and Attack Simulation -> Breach and Attack Simulation
Breach and Attack Simulation -> Secure Build Testing
Breach and Attack Simulation -> Improve SIEM Rules (SIGMA Rule Generation)
Patch Deployment Tooling -> Vulnerability Management Capability
Patch Deployment Tooling -> Patching
Breach and Attack Simulation -> Reduce the number of Vulnerabilities present within organisation assets.
Secure Build Testing -> Reduce the number of Vulnerabilities present within organisation assets.
Improve SIEM Rules (SIGMA Rule Generation) -> Reduce the number of Vulnerabilities present within organisation assets.
Security Monitoring Capability -> Logs
Security Monitoring Capability -> Rules
Security Monitoring Capability -> Detect and respond to unusual activity.
Security Monitoring Capability -> Security Monitoring - Gather
Security Monitoring Capability -> Security Monitoring - Analyse
Security Monitoring Capability -> Security Monitoring - Determine
Security Monitoring Capability -> Security Monitoring - Respond
Security Monitoring Capability -> Security Monitoring - Recover
Windows Event Log -> SIEM
Syslog -> SIEM
SIEM -> Security Monitoring - Analyse
SIEM -> Security Monitoring - Gather
SIEM -> Security Monitoring - Determine
SIEM -> Security Monitoring - Respond
SIEM -> Security Monitoring - Recover
Logs -> SIEM
Rules -> SIEM
Security Monitoring - Gather -> Detect and respond to unusual activity.
Security Monitoring - Analyse -> Detect and respond to unusual activity.
Security Monitoring - Determine -> Detect and respond to unusual activity.
Security Monitoring - Respond -> Detect and respond to unusual activity.
Security Monitoring - Recover -> Detect and respond to unusual activity.
Security Orchestration, Automation and Response (SOAR) -> SIEM
Build and Build Compliance Processes -> Penetration Testing
Build and Build Compliance Processes -> Build Compliance Reporting
Build and Build Compliance Processes -> Build Compliance MI
Build and Build Compliance Processes -> Baseline Build Remediation
Build and Build Compliance Processes -> Pentest Report
Build and Build Compliance Processes -> Baseline Build Maintenance
Build and Build Compliance Processes -> Baseline Build Compliance Checking
Build and Build Compliance Processes -> Build Compliance Schedule
Build and Build Compliance Processes -> Build Standards
Build and Build Compliance Processes -> Secure Baseline Build Design
Build and Build Compliance Processes -> Build Compliance Report
Build and Build Compliance Processes -> Build Design
Build and Build Compliance Processes -> Build Compliance MI Generation and Distribution
Build Compliance Reporting -> Build Compliance Report
Baseline Build Maintenance -> Build Design
Penetration Testing -> Pentest Report
Build Compliance MI Generation and Distribution -> Build Compliance MI
Build Standards -> Baseline Build Remediation
Build Standards -> Baseline Build Compliance Checking
Build Standards -> Secure Baseline Build Design
Build Standards -> Baseline Build Maintenance
Build Design -> Secure Baseline Build Design
Build Compliance Schedule -> Build Compliance Reporting
Vulnerability Scanning Processes -> Identify Targets and Maintain Target Asset Database
Vulnerability Scanning Processes -> CVE Sources
Vulnerability Scanning Processes -> Vulnerability Scanning Schedule
Vulnerability Scanning Processes -> Vulnerability Signature Updates
Vulnerability Scanning Processes -> Vulnerability Remediation
Vulnerability Scanning Processes -> Vulnerability Scan
Vulnerability Scanning Processes -> Vulnerability Reporting
Vulnerability Scanning Processes -> Vulnerability Scanning MI
Vulnerability Scanning Processes -> Vulnerability Management Policy
Vulnerability Scanning Processes -> Vulnerability Scanning MI Generation and Distribution
Vulnerability Scanning Processes -> Configuration Maintenance
Vulnerability Reporting -> Vulnerability Remediation
Vulnerability Scan -> Vulnerability Reporting
Vulnerability Remediation -> Vulnerability Scanning MI Generation and Distribution
Identify Targets and Maintain Target Asset Database -> Configuration Maintenance
CVE Sources -> Vulnerability Signature Updates
CVE Sources -> Configuration Maintenance
Vulnerability Scanning Schedule -> Vulnerability Scan
Vulnerability Scanning Schedule -> Configuration Maintenance
Vulnerability Management Policy -> Vulnerability Remediation
Vulnerability Management Policy -> Vulnerability Reporting
Vulnerability Management Policy -> Vulnerability Scan
Vulnerability Scanning MI Generation and Distribution -> Vulnerability Scanning MI
Security Monitoring Processes -> Security Monitoring - Recover
Security Monitoring Processes -> Security Monitoring - Analyse
Security Monitoring Processes -> System Misuse and Abuse Cases
Security Monitoring Processes -> Security Monitoring - Maintain
Security Monitoring Processes -> Security Monitoring - Gather
Security Monitoring Processes -> Security Monitoring - Respond
Security Monitoring Processes -> Log Data
Security Monitoring Processes -> Business Misuse and Abuse Cases
Security Monitoring Processes -> Log Configuration
Security Monitoring Processes -> Protective Monitoring MI
Security Monitoring Processes -> Security Monitoring - Determine
Security Monitoring Processes -> Security Monitoring - MI Generation and Distribution
Security Monitoring - Gather -> Log Configuration
Log Data -> Security Monitoring - Gather
Security Monitoring - MI Generation and Distribution -> Protective Monitoring MI
Business Misuse and Abuse Cases -> Security Monitoring - Gather
System Misuse and Abuse Cases -> Security Monitoring - Gather
Security Monitoring - Maintain -> SIEM Configuration Management
Security Monitoring - Maintain -> Define and Maintain Correlation Rules
Security Monitoring - Maintain -> Define and Maintain Analysis Rules
Security Monitoring - Maintain -> Define and Maintain Misuse and Abuse Cases
Security Monitoring - Maintain -> Define and Maintain Capture and Alerting Requirements
Security Monitoring - Maintain -> Define and Maintain Audit Conditions
Security Monitoring - Maintain -> Define and Maintain Compliance Checks
Security Monitoring - Maintain -> Define and Maintain Intelligence Queries
Security Monitoring - Maintain -> Define and Maintain SOAR workflows.
SIEM Configuration Management -> Security Log Collection - Syslog
SIEM Configuration Management -> Security Log Collection - Windows Event Log
SIEM Configuration Management -> Security Log Collection - Other
SIEM Configuration Management -> SIEM
Define and Maintain Correlation Rules -> SIEM
Define and Maintain Misuse and Abuse Cases -> SIEM
Define and Maintain Capture and Alerting Requirements -> SIEM
Define and Maintain Audit Conditions -> SIEM
Define and Maintain Compliance Checks -> SIEM
Define and Maintain Intelligence Queries -> SIEM
Security Monitoring Design -> Security Monitoring - Maintain
Security Monitoring Design -> SIEM Configuration Management
Logging Design -> Security Monitoring - Maintain
Logging Design -> SIEM Configuration Management
Security Log Collection - Syslog -> Security Monitoring - Maintain
Security Log Collection - Windows Event Log -> Security Monitoring - Maintain
Security Log Collection - Other -> Security Monitoring - Maintain
SIEM -> Security Monitoring - Maintain
Define and Maintain SOAR workflows. -> SIEM
Incident Management Processes -> Incident Management MI Generation and Distribution
Incident Management Processes -> Incident Reporting
Incident Management Processes -> Incident Logging
Incident Management Processes -> Incident Escalation
Incident Management Processes -> Incident Identification and Reporting
Incident Management Processes -> Crisis Management
Incident Management Processes -> Incident Record
Incident Management Processes -> Incident Closure
Incident Management Processes -> Incident Report
Incident Management Processes -> Incident Management MI
Incident Management Processes -> Incident Resolution and Recovery
Incident Management Processes -> Incident Investigation
Incident Management Processes -> Security Incident - Advice and Guidance Guidelines
Incident Management Processes -> Incident Management Tooling
Incident Logging -> Incident Record
Incident Investigation -> Incident Record
Incident Resolution and Recovery -> Incident Record
Incident Closure -> Incident Record
Incident Reporting -> Incident Report
Incident Escalation -> Crisis Management
Incident Management MI Generation and Distribution -> Incident Management MI
Incident Record -> Incident Management Tooling
Security Incident - Advice and Guidance Guidelines -> Incident Identification and Reporting
Intelligence Management Processes -> Produce Intelligence Summary Report
Intelligence Management Processes -> Produce Intelligence Threat Report
Intelligence Management Processes -> Produce Intelligence Thematic Report
Intelligence Management Processes -> Produce Intelligence Report
Intelligence Management Processes -> Strategy Development
Intelligence Management Processes -> External Malware Intelligence
Intelligence Management Processes -> External Threat Summary
Intelligence Management Processes -> Industry News
Intelligence Management Processes -> Intelligence from Partners
Intelligence Management Processes -> Internal Intelligence Sources
Intelligence Management Processes -> Gather Intelligence
Intelligence Management Processes -> Triage Intelligence
Intelligence Management Processes -> Respond
Intelligence Management Processes -> Manage Intelligence Feeds
External Malware Intelligence -> Produce Intelligence Summary Report
External Threat Summary -> Produce Intelligence Summary Report
Industry News -> Produce Intelligence Summary Report
Intelligence from Partners -> Produce Intelligence Summary Report
Internal Intelligence Sources -> Produce Intelligence Summary Report
Gather Intelligence -> Triage Intelligence
Triage Intelligence -> Respond
Developers -> Developers
Network Team -> Maintain WAFs
Network Team -> Maintain IDS/IPS
Server Team -> Build Compliance
Server Team -> System Hardening
Server Team -> Security Patching
Build Compliance -> Define and Maintain Builds
Build Compliance -> Build Compliance Checking
Build Compliance -> Operate and Maintain Infrastructure as Code (IAC)
Breach and Attack Simulation -> Prevent vulnerabilities from being exploited
Endpoint Protection -> Endpoint UEBA Application
Endpoint Protection -> Anti Malware
Endpoint Protection -> Prevent Malware from executing
Prevent Web Attacks -> Prevent vulnerabilities from being exploited
Web Application Firewall -> Prevent Web Attacks
Prevent Malware from executing -> Prevent vulnerabilities from being exploited
Intrusion Detection and Prevention (IDS/IPS) -> Prevent Web Attacks
Cloud Access Security Broker (CASB) -> Prevent Web Attacks
Work with external Cyber security communities, regulators and other groups -> Share and Consume Intelligence Data
Work with external Cyber security communities, regulators and other groups -> Use breach data for lessons learnt and control improvement
Crisis Management Processes -> Crisis Team Formation
Crisis Management Processes -> Media Management
Crisis Management Processes -> Internal Comms
Crisis Management Processes -> Customer Reporting
Crisis Management Processes -> Scenario Planning
Crisis Management Processes -> Crisis Reporting
Security Monitoring Service - Overarching Process Flow -> Project Team
Security Monitoring Service - Overarching Process Flow -> Senior Security Analyst
Security Monitoring Service - Overarching Process Flow -> Create Logging Configuration
Security Monitoring Service - Overarching Process Flow -> SIEM Engineer
Security Monitoring Service - Overarching Process Flow -> SIEM
Security Monitoring Service - Overarching Process Flow -> Define Compliance Checks
Security Monitoring Service - Overarching Process Flow -> Audit Query
Security Monitoring Service - Overarching Process Flow -> Define Capture and Alerting Requirements
Security Monitoring Service - Overarching Process Flow -> Threat Analyst
Security Monitoring Service - Overarching Process Flow -> Audit and Investigations Consultant
Security Monitoring Service - Overarching Process Flow -> Cyber Analyst
Security Monitoring Service - Overarching Process Flow -> Define Threat Hunting Query
Security Monitoring Service - Overarching Process Flow -> Security Monitoring - Recovery
Security Monitoring Service - Overarching Process Flow -> Security Monitoring - Respond
Security Monitoring Service - Overarching Process Flow -> Security Monitoring - Determine
Security Monitoring Service - Overarching Process Flow -> Security Monitoring - Analyse
Security Monitoring Service - Overarching Process Flow -> Define Rules in SIEM
Security Monitoring Service - Overarching Process Flow -> Intelligence Query
Security Monitoring Service - Overarching Process Flow -> SIEM - Define Classification and Priority
Security Monitoring Service - Overarching Process Flow -> SIEM - Define Analysis Rules
Security Monitoring Service - Overarching Process Flow -> SIEM - Define Correlation Rules
Security Monitoring Service - Overarching Process Flow -> Log Sources
Security Monitoring Service - Overarching Process Flow -> Subject Matter Expert (SME)
Security Monitoring Service - Overarching Process Flow -> Service Provider
Security Monitoring Service - Overarching Process Flow -> Security Monitoring - Gather
Security Monitoring Service - Overarching Process Flow -> Maintain - Continuous Improvement
Security Monitoring Service - Overarching Process Flow -> Governance, Risk and Compliance Consultant
Security Monitoring Service - Overarching Process Flow -> Security Orchestration, Automation and Response (SOAR)
Security Monitoring Service - Overarching Process Flow -> Security Orchestration, Automation and Response
Security Monitoring - Gather -> SIEM - Maintain Event Data
Security Monitoring - Gather -> SIEM - Capture Event Data
Security Monitoring - Gather -> SIEM - Enrich Data
Security Monitoring - Gather -> Events
Security Monitoring - Gather -> SIEM - Gather Event Data
Security Monitoring - Gather -> SIEM - Normalise data
Security Monitoring - Gather -> SIEM - Aggregate Data
Security Monitoring - Gather -> SIEM Log Database
SIEM - Aggregate Data -> SIEM - Enrich Data
SIEM - Normalise data -> SIEM - Aggregate Data
SIEM - Gather Event Data -> SIEM Log Database
SIEM - Gather Event Data -> SIEM - Normalise data
Events -> SIEM - Capture Event Data
SIEM - Enrich Data -> SIEM - Correlate
SIEM - Capture Event Data -> SIEM - Gather Event Data
SIEM - Maintain Event Data -> SIEM - Enrich Data
SIEM - Maintain Event Data -> SIEM - Normalise data
SIEM - Maintain Event Data -> SIEM - Aggregate Data
Create Logging Configuration -> Log Sources
Service Provider -> Create Logging Configuration
Subject Matter Expert (SME) -> Create Logging Configuration
Project Team -> Create Logging Configuration
Define Capture and Alerting Requirements -> Create Logging Configuration
Log Sources -> Events
Log Sources -> Events
Log Sources -> Events
Log Sources -> Device A
Log Sources -> System B
Log Sources -> System A
Log Sources -> SIEM - Capture Event Data
System A -> Events
Events -> System B
Events -> Device A
SIEM - Define Correlation Rules -> Define Rules in SIEM
SIEM - Define Analysis Rules -> Define Rules in SIEM
SIEM - Define Classification and Priority -> Define Rules in SIEM
Audit Query -> Sec Mon - Investigate
Intelligence Query -> Sec Mon - Investigate
Define Rules in SIEM -> SIEM
Define Rules in SIEM -> Security Monitoring - Determine
Define Rules in SIEM -> Security Monitoring - Analyse
Define Rules in SIEM -> Security Monitoring - Gather
Security Monitoring - Analyse -> SIEM - Correlate
Security Monitoring - Analyse -> SIEM - Analyse
SIEM - Analyse -> SIEM - Triage
SIEM - Correlate -> SIEM - Analyse
Security Monitoring - Determine -> Sec Mon - Investigate
Security Monitoring - Determine -> SIEM - Prioritise
Security Monitoring - Determine -> SIEM - Classify
Security Monitoring - Determine -> SIEM - Triage
SIEM - Triage -> SIEM - Classify
SIEM - Classify -> SIEM - Prioritise
SIEM - Prioritise Sec Mon - Investigate
Sec Mon - Investigate Sec Mon - Respond
Security Monitoring - Respond Sec Mon - Continuous Improvement
Security Monitoring - Respond Digital Forensics
Security Monitoring - Respond Initiate Forensics
Security Monitoring - Respond Crisis Management
Security Monitoring - Respond Initiate Crisis Management
Security Monitoring - Respond Incident Management
Security Monitoring - Respond Monitor and Report
Security Monitoring - Respond Produce Recommendations
Security Monitoring - Respond Raise Incident
Security Monitoring - Respond Sec Mon - Respond
Security Monitoring - Respond Reports
Reports Maintain - Continuous Improvement
Reports Threat Reports
Reports Trend Reports
Reports Learning Points
Reports Audit Report
Reports Risk Assessment
If Recovery Required Sec Mon - Respond Recover and Repair
Sec Mon - Respond Sec Mon - Continuous Improvement
Sec Mon - Respond Initiate Forensics
Sec Mon - Respond Initiate Crisis Management
Sec Mon - Respond Monitor and Report
Sec Mon - Respond Produce Recommendations
Sec Mon - Respond Raise Incident
Reclassify Sec Mon - Respond SIEM - Classify
Raise Incident Incident Management
Produce Recommendations Reports
Monitor and Report Reports
Initiate Crisis Management Crisis Management
Initiate Forensics Digital Forensics
Sec Mon - Continuous Improvement Maintain - Continuous Improvement
Security Monitoring - Recovery Manage Reputation
Security Monitoring - Recovery GDPR Reporting
Security Monitoring - Recovery Media Management
Security Monitoring - Recovery Legal Response
Security Monitoring - Recovery Customer Communications
Security Monitoring - Recovery Rebuild System
Security Monitoring - Recovery Restore from Backup
Security Monitoring - Recovery Recover and Repair
Recover and Repair Manage Reputation
Recover and Repair GDPR Reporting
Recover and Repair Legal Response
Recover and Repair Rebuild System
Recover and Repair Restore from Backup
Manage Reputation Media Management
Manage Reputation Customer Communications
Manage Reputation Legal Response
Define Threat Hunting Query Sec Mon - Investigate
SIEM Engineer SIEM - Define Analysis Rules
SIEM Engineer SIEM - Define Correlation Rules
SIEM Engineer SIEM Define Classification and Priority
SIEM Engineer Define Capture and Alerting Requirements
Cyber Analyst Sec Mon - Investigate
Senior Security Analyst Sec Mon - Investigate
Audit and Investigations Consultant Audit Query
Audit and Investigations Consultant Intelligence Query
Threat Analyst Define Threat Hunting Query
Maintain - Continuous Improvement Sec Mon - Maintain Misuse and Abuse Cases
Maintain - Continuous Improvement Sec Mon - Tune Rules
Maintain - Continuous Improvement Sec Mon - Update Log Inventory
Maintain - Continuous Improvement Sec Mon - Replay Queries
Maintain - Continuous Improvement Sec Mon - Maintain data Integrity
Governance, Risk and Compliance Consultant Define Compliance Checks
Security Orchestration and Response (SOAR) SIEM
Security Orchestration and Response (SOAR) Security Monitoring - Gather
Security Orchestration and Response (SOAR) Security Monitoring - Analyse
Security Orchestration and Response (SOAR) Security Monitoring - Determine
Security Orchestration and Response Security Orchestration and Response (SOAR)
Security Intelligence Service - Overarching Process Flow Replay Attack Scenario Development
Security Intelligence Service - Overarching Process Flow Obtain Intelligence
Security Intelligence Service - Overarching Process Flow MI and Reporting
Security Intelligence Service - Overarching Process Flow Internal Intelligence Sources
Security Intelligence Service - Overarching Process Flow Evaluate Intelligence
Security Intelligence Service - Overarching Process Flow Intelligence Interrogation
Security Intelligence Service - Overarching Process Flow Threat Hunting
Security Intelligence Service - Overarching Process Flow External Intelligence Sources
Security Intelligence Service - Overarching Process Flow Malware Detection and Response
Security Intelligence Service - Overarching Process Flow Malware Event
Security Intelligence Service - Overarching Process Flow Internal Threat Hunting
Security Intelligence Service - Overarching Process Flow Replay Attack Scenario
Security Intelligence Service - Overarching Process Flow Intelligence Report
Security Intelligence Service - Overarching Process Flow Disseminate Intelligence
Security Intelligence Service - Overarching Process Flow Enrich Intelligence
Security Intelligence Service - Overarching Process Flow Test Intelligence against SIEM
Security Intelligence Service - Overarching Process Flow Social Media Threat Hunting
Security Intelligence Service - Overarching Process Flow Intelligence Correlation
Security Intelligence Service - Overarching Process Flow Breach and Attack Simulation Service
Replay Attack Scenario Development Replay Attack Scenario
Obtain Intelligence Social Media Threat Hunting
Obtain Intelligence Intelligence Correlation
Obtain Intelligence Internal Threat Hunting
MI and Reporting Intelligence Report
Internal Intelligence Sources Business Strategy
Internal Intelligence Sources Operational Alert
Internal Intelligence Sources Technology Strategy
Internal Intelligence Sources EDR Alerts
Internal Intelligence Sources SIEM Feed
Internal Intelligence Sources Malware Alert
Internal Intelligence Sources Obtain Intelligence
Internal Intelligence Sources Enrich Intelligence
Internal Intelligence Sources Threat Hunting
Evaluate Intelligence Enrich Intelligence
Intelligence Interrogation Obtain Intelligence
Intelligence Interrogation MI and Reporting
External Intelligence Sources Enrich Intelligence
External Intelligence Sources Peer Sharing (Industry Intelligence)
External Intelligence Sources Vulnerability Feeds
External Intelligence Sources Malware Intelligence Feed
External Intelligence Sources Obtain Intelligence
External Intelligence Sources Threat Intelligence Feeds
External Intelligence Sources Threat Hunting
Malware Detection and Response Obtain Intelligence
Malware Event Malware Detection and Response
Disseminate Intelligence Internal Intelligence Sources
Disseminate Intelligence External Intelligence Sources
Enrich Intelligence Test Intelligence against SIEM
Test Intelligence against SIEM Disseminate Intelligence
Test Intelligence against SIEM Replay Attack Scenario
Intelligence Correlation Evaluate Intelligence
Breach and Attack Simulation Service Threat Hunting
Breach and Attack Simulation (BAS) Define Attack Vectors
Breach and Attack Simulation (BAS) Produce Control Failure Reports
Breach and Attack Simulation (BAS) Produce Breach Status Reports
Breach and Attack Simulation (BAS) Network Designs
Breach and Attack Simulation (BAS) Organisation's Threat Matrix
Breach and Attack Simulation (BAS) Perimeter Defense Designs
Breach and Attack Simulation (BAS) Email System Designs
Breach and Attack Simulation (BAS) Raise a Change
Breach and Attack Simulation (BAS) Create Sigma Rules
Breach and Attack Simulation (BAS) Deploy and Maintain BAS Peers
Breach and Attack Simulation (BAS) Historical Attack Detection
Breach and Attack Simulation (BAS) Update Secure Builds
Breach and Attack Simulation (BAS) Prioritise Patch Schedule
Define Attack Vectors Deploy and Maintain BAS Peers
Produce Control Failure Reports Raise a Change
Produce Control Failure Reports Create Sigma Rules
Produce Control Failure Reports Update Secure Builds
Produce Control Failure Reports Prioritise Patch Schedule
Network Designs Define Attack Vectors
Organisation's Threat Matrix Define Attack Vectors
Perimeter Defense Designs Define Attack Vectors
Email System Designs Define Attack Vectors
IT Support Network Team
IT Support Server Team
Intelligence Management Provide effective and relevant threat intelligence
Intelligence Management Work with external Cyber security communities, regulators and other groups
Provide effective and relevant threat intelligence Work with external Cyber security communities, regulators and other groups
Governance, Risk and Compliance Consultant Threat Assessment
Governance, Risk and Compliance Consultant Security Intelligence and Investigation
Security Engineer or Designer Security Engineering