reading-notes

Dedicated to my thoughts while learning cybersec

View the Project on GitHub jakeoverall/reading-notes

ISCM with Nagios

What is the difference between SOC and a CSIRT?
The SOC protects the company from security breaches by identifying, analyzing and reacting to cybersecurity threats. The core function of a CSIRT is to minimize and manage the damage caused by an incident; the CSIRT also communicates with stakeholders. The SOC often oversees the CSIRT.
  • SOC: DETECTION - Security Operations Center
  • CSIRT: RESPONSE - Computer Security Incident Response Team

What are the first 5 Steps to establish a SOC?
  • The SOC != IT

    The SOC protects an entire organization from security breaches. It is not a help desk for internal employees or external customers. It creates the VPN / doesn't help you connect to it.

  • Provide Tooling and Training

    Without the appropriate tools and training a SOC is only an illusion of safety.

  • Vet and Hire

    Security analysts and security engineers are supervised by a SOC manager. The SOC manager needs strong security expertise, management skills, and battle-tested crisis management experience.

  • Have an incident response plan ready

    It is not a question of if you will be attacked but rather when. Have a plan in place and ready to be executed.

  • Defend

    Every point of entry or communication between machines is a potential vulnerability. Never trust the client and assume every request is malicious.


Name 3 best practices for a SOC?
  1. Detect threats through all stages of an attack

     All attacks have three stages: Pre-Attack, Attack, Post-Attack. All stages are equally important, but only one can be addressed before an issue exists.

  2. Investigate all alerts to ensure nothing is overlooked

     "It always does that" is not a good excuse to allow a problem to persist.

  3. Gather forensic evidence for investigation and remediation

     AAA (Arrange-Act-Assert), then Red, Green, Refactor.


What is SIEM?
Security information and event management

What is GRC?
Governance, risk and compliance

What is IDS/IPS/WIP?
  • Intrusion Detection Systems
  • Intrusion Prevention Systems
  • Wireless Intrusion Prevention

What is Nagios?
A tool to monitor systems, infrastructure, and networks to identify performance bottlenecks and send alerts.