This curriculum outlines a multi-workshop SOC readiness program covering infrastructure setup, detection engineering, and incident response execution, comparable in scope to an internal capability build-out for a mid-sized enterprise security operations team.
Module 1: Establishing SOC Infrastructure and Operational Baselines
- Selecting between on-premises, cloud-native, or hybrid SIEM deployments based on data residency, latency, and compliance requirements.
- Defining normal network and user behavior baselines using historical logs to reduce false positives in detection rules.
- Implementing centralized log collection from firewalls, endpoints, and cloud workloads with appropriate log retention policies.
- Configuring time synchronization across all SOC systems to ensure accurate event correlation and forensic timelines.
- Designing role-based access controls (RBAC) for SOC analysts to prevent privilege escalation and ensure auditability.
- Documenting standard operating procedures (SOPs) for incident intake, triage, and escalation paths within the SOC.
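The behavior-baseline item above is the one step in this module that reduces to code. The following is an added example, not material from the program itself: it builds a per-user baseline of logon hours and source hosts from a constructed history of successful logons, then scores new logons against it. The log format, account names, and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed historical logon records (not real telemetry):
# "timestamp user src_host", one line per successful logon.
HISTORY = """
2024-04-01T08:55:00 jdoe WS01
2024-04-01T13:10:00 jdoe WS01
2024-04-02T09:02:00 jdoe WS01
2024-04-02T17:45:00 jdoe WS01
2024-04-03T08:40:00 jdoe WS01
2024-04-01T22:15:00 svc_backup BK01
2024-04-02T22:16:00 svc_backup BK01
2024-04-03T22:14:00 svc_backup BK01
""".strip().splitlines()

def parse(line):
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user, host

def build_baseline(lines):
    """Per-user hours-of-day and source hosts seen in the history window, plus
    the set of distinct days observed (used as a confidence measure)."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "days": set()})
    for line in lines:
        ts, user, host = parse(line)
        base[user]["hours"].add(ts.hour)
        base[user]["hosts"].add(host)
        base[user]["days"].add(ts.date())
    return base

def score_event(baseline, line, min_days=3, hour_slack=1):
    """Return the list of deviations for one new logon; an empty list means the
    logon is within baseline. Users with too little history are reported as such
    rather than silently treated as normal."""
    ts, user, host = parse(line)
    b = baseline.get(user)  # .get() does not create a default entry
    if b is None:
        return ["new_user"]
    if len(b["days"]) < min_days:
        return ["insufficient_history"]
    findings = []
    # Allow +/- hour_slack around every hour previously seen, wrapping at midnight.
    near = {(h + d) % 24 for h in b["hours"] for d in range(-hour_slack, hour_slack + 1)}
    if ts.hour not in near:
        findings.append("unusual_hour")
    if host not in b["hosts"]:
        findings.append("new_source_host")
    return findings

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for new in ("2024-04-10T09:30:00 jdoe WS01",
                "2024-04-10T03:12:00 jdoe WS07",
                "2024-04-10T14:00:00 svc_backup BK01",
                "2024-04-10T10:00:00 bob WS02"):
        print(new, "->", score_event(base, new) or "baseline")
```

Two caveats the code makes visible: a user with fewer than `min_days` days of history is never scored as normal, and the baseline is only as clean as the window it was built from. If the history window already contains an intrusion, the attacker's hours and hosts become "normal", so baselines should be built from a period that has been reviewed, and rebuilt after an incident.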
Module 2: Threat Detection Engineering and Rule Development
- Writing and tuning Sigma rules to detect suspicious PowerShell usage across Windows endpoints without triggering on legitimate automation.
- Developing correlation rules in the SIEM to identify lateral movement via RDP or SMB after initial compromise indicators.
- Integrating threat intelligence feeds (e.g., STIX/TAXII) and filtering for relevance to the organization’s threat model.
- Validating detection logic using purple teaming exercises to confirm detection coverage and reduce blind spots.
- Managing rule lifecycle by deprecating outdated signatures and documenting false positive rates per detection.
- Implementing automated suppression of known benign events to reduce analyst alert fatigue.
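The three items on suspicious PowerShell, lateral-movement correlation, and suppression of known benign events can be shown together in one piece of detection logic. The following is an added example and not code from the program: it encodes a Sigma-style `selection and not filter` rule for PowerShell process creation, suppresses an assumed allowlist of service-account automation, and then correlates each surviving alert with a later RDP or network logon sourced from the alerting host. The event schema, account names, script paths, and the 30-minute window are assumptions; the sample events are constructed, not real telemetry.

```python
import re
from datetime import datetime, timedelta

# Sigma-style "selection": argument fragments that rarely appear in legitimate
# interactive PowerShell use (example list; tune it from your own telemetry).
SUSPICIOUS_ARGS = (
    "-enc", "-encodedcommand", "-nop", "-noprofile", "-w hidden",
    "-windowstyle hidden", "-executionpolicy bypass", "iex",
    "invoke-expression", "downloadstring", "frombase64string",
)

# Sigma-style "filter": assumed allowlist of service accounts and the scripts
# they are permitted to run. Accounts and paths are hypothetical.
BENIGN_AUTOMATION = {
    "svc_backup": re.compile(r"-file c:\\scripts\\nightly_backup\.ps1$"),
    "svc_sccm": re.compile(r"\\ccmcache\\"),
}

def is_powershell(image):
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))

def match_suspicious_powershell(event):
    """`condition: selection and not filter` for one process-creation (4688) event."""
    if event.get("event_id") != 4688 or not is_powershell(event.get("image", "")):
        return False
    cmd = event.get("cmdline", "").lower()
    if not any(arg in cmd for arg in SUSPICIOUS_ARGS):
        return False
    allowed = BENIGN_AUTOMATION.get(event.get("user", ""))
    if allowed and allowed.search(cmd):
        return False  # known automation: suppressed rather than alerted
    return True

def detect_suspicious_powershell(events):
    return [e for e in events if match_suspicious_powershell(e)]

def correlate_lateral_movement(events, ps_alerts, window=timedelta(minutes=30)):
    """Pair each suspicious-PowerShell alert with a later RDP (logon type 10) or
    network/SMB (logon type 3) logon onto a different host whose source is the
    alerting host, inside the correlation window. The account is deliberately
    not required to match: a dumped credential may belong to someone else."""
    logons = [e for e in events
              if e.get("event_id") == 4624 and e.get("logon_type") in (3, 10)]
    hits = []
    for alert in ps_alerts:
        t0 = datetime.fromisoformat(alert["ts"])
        for logon in logons:
            t1 = datetime.fromisoformat(logon["ts"])
            if (logon["src_host"] == alert["host"] and logon["host"] != alert["host"]
                    and t0 <= t1 <= t0 + window):
                hits.append({
                    "user": logon["user"], "from": alert["host"], "to": logon["host"],
                    "logon_type": logon["logon_type"],
                    "delta_min": int((t1 - t0).total_seconds() // 60),
                })
    return hits

# Constructed sample telemetry (not real logs), normalized from Windows Security
# events 4688 (process creation) and 4624 (logon).
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "event_id": 4688, "user": "svc_backup",
     "image": PS, "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly_backup.ps1"},
    {"ts": "2024-05-01T09:05:00", "host": "WS01", "event_id": 4688, "user": "jdoe",
     "image": PS, "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": "2024-05-01T09:06:00", "host": "WS01", "event_id": 4688, "user": "jdoe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-05-01T09:12:00", "host": "SRV02", "event_id": 4624, "user": "jdoe",
     "logon_type": 10, "src_host": "WS01"},
    {"ts": "2024-05-01T09:13:00", "host": "SRV02", "event_id": 4624, "user": "asmith",
     "logon_type": 3, "src_host": "WS07"},
    {"ts": "2024-05-01T11:00:00", "host": "SRV03", "event_id": 4624, "user": "jdoe",
     "logon_type": 10, "src_host": "WS01"},
]

if __name__ == "__main__":
    alerts = detect_suspicious_powershell(EVENTS)
    for a in alerts:
        print("suspicious powershell:", a["host"], a["user"], a["cmdline"][:40])
    for h in correlate_lateral_movement(EVENTS, alerts):
        print("lateral movement:", h)
```

The backup job matches the selection (it passes `-ExecutionPolicy Bypass`) but is suppressed by the filter because both the account and the script path are on the allowlist; an allowlist keyed on the account alone would also suppress that account running an encoded command, which is exactly the case an attacker who steals the service credential creates. The 11:00 logon from the same workstation falls outside the window and is not paired, which is the trade-off every correlation window makes between noise and missed slow movement.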
Module 3: Endpoint Monitoring and Response Integration
- Deploying EDR agents with tamper protection and memory scanning enabled while assessing performance impact on critical servers.
- Configuring real-time alerting on process injection, suspicious registry modifications, and execution of unsigned binaries.
- Establishing containment workflows to isolate compromised endpoints without disrupting business operations.
- Conducting live memory forensics on suspect machines using EDR tools to identify rootkit presence.
- Enforcing application allow-listing policies on high-risk systems and managing exception requests.
- Coordinating endpoint data collection with legal and HR during insider threat investigations.
Module 4: Log Management and Data Integrity Controls
- Classifying log sources by criticality and setting different retention periods for firewall vs. workstation logs.
- Implementing log integrity checks using cryptographic hash chains or keyed MACs (a hash stored beside the record it protects can simply be recomputed by whoever rewrites the record) to detect tampering in syslog streams.
- Normalizing log formats from diverse vendors into a common schema for consistent querying.
- Allocating storage resources for high-volume data sources like DNS and proxy logs with compression strategies.
- Restricting write-access to log repositories to prevent unauthorized modification or deletion.
- Validating log source authenticity using mutual TLS or syslog signing to prevent spoofed entries.
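The integrity and authenticity items in this module share one mechanism, shown here as an added example rather than code from the program: each syslog record carries an HMAC-SHA256 tag computed over the previous tag and the record, so that modifying, deleting, reordering or inserting a record breaks every tag after it, and a record from a sender without the key cannot be forged. The shared key, the syslog lines and the checkpoint handling are assumptions for illustration.

```python
import hashlib
import hmac

# Assumed shared secret provisioned to the forwarder and the collector; a
# placeholder, not a real key.
KEY = b"example-forwarder-secret-rotate-me"
GENESIS = b"\x00" * 32  # tag "before" the first record

def chain_records(lines, key=KEY):
    """Attach to each syslog line an HMAC-SHA256 over (previous tag || line).
    Returns a list of (line, hex_tag); the last tag is the chain head."""
    prev = GENESIS
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        records.append((line, tag.hex()))
        prev = tag
    return records

def verify_chain(records, key=KEY, checkpoint=None):
    """Recompute the chain. Returns (True, None) if intact, otherwise (False, i)
    for the first record i that breaks it. `checkpoint` is the chain head the
    collector stored out of band; without it, truncation of the tail is invisible
    because a shorter chain is still internally consistent."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return False, i
        prev = expected
    if checkpoint is not None and not hmac.compare_digest(prev.hex(), checkpoint):
        return False, len(records)
    return True, None

# Constructed syslog lines (not real traffic).
LINES = [
    "<34>1 2024-05-01T10:00:01Z fw01 kernel - - - DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 DPT=22",
    "<86>1 2024-05-01T10:00:03Z srv02 sshd 4210 - - Accepted publickey for deploy from 10.0.1.15 port 51234",
    "<86>1 2024-05-01T10:00:04Z srv02 sudo - - - deploy : COMMAND=/usr/bin/systemctl restart app",
    "<86>1 2024-05-01T10:00:09Z srv02 sshd 4210 - - Disconnected from user deploy 10.0.1.15 port 51234",
]

def tamper_demo():
    """Run the verifier against an intact chain and four tampered copies."""
    good = chain_records(LINES)
    head = good[-1][1]
    edited = list(good)
    edited[2] = (edited[2][0].replace("restart app", "status app"), edited[2][1])
    deleted = good[:1] + good[2:]   # record 1 removed
    truncated = good[:3]            # tail cut off
    return {
        "intact": verify_chain(good, checkpoint=head),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_no_checkpoint": verify_chain(truncated),
        "truncated_with_checkpoint": verify_chain(truncated, checkpoint=head),
    }

if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:28s} -> {result}")
```

The truncation case is the one to note: the chain alone reports a three-record copy as intact, so the collector must periodically write the current chain head somewhere the log store's writers cannot reach (the same write-restricted repository the previous item calls for). The key must also be assumed compromised along with the forwarder; the chain protects against tampering in transit and in the store, not against a sender that was already malicious when it emitted the record.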
Module 5: Incident Response Playbook Execution
- Activating predefined playbooks for ransomware incidents, including network segmentation and backup verification steps.
- Coordinating with IT operations to preserve disk images before reimaging infected systems.
- Documenting chain of custody for forensic evidence collected during incident investigations.
- Executing domain-wide password resets following credential dumping detection, including a double reset of the krbtgt account where domain controller credentials may have been exposed, while balancing security and usability.
- Initiating communication protocols with legal and PR teams when data exfiltration is confirmed.
- Conducting post-incident timeline reconstruction using correlated logs from multiple sources.
Module 6: Vulnerability Management Integration with SOC
- Prioritizing vulnerability remediation based on exploit availability and asset criticality from SIEM context.
- Automating alerts when unpatched systems are the target of scanning or exploitation attempts visible in network logs.
- Correlating vulnerability scan results with active threats to justify emergency change requests.
- Coordinating patching windows with operations teams to minimize exposure without causing downtime.
- Tracking the CISA Known Exploited Vulnerabilities (KEV) catalog and adjusting detection rules accordingly.
- Validating patch effectiveness by monitoring for recurrence of exploit-related indicators.
Module 7: Continuous Monitoring and Threat Hunting
- Scheduling proactive hunts for abuse of living-off-the-land binaries (LOLBins), including PowerShell- and WMI-based execution.
- Developing custom queries to identify anomalous outbound DNS queries indicative of data exfiltration.
- Using MITRE ATT&CK mapping to assess coverage gaps in detection capabilities.
- Rotating hunting hypotheses based on recent industry breaches and threat actor TTPs.
- Documenting hunting findings and converting successful techniques into automated detection rules.
- Measuring hunt efficacy through metrics such as mean time to detect (MTTD) and the number of threats found by hunting that existing detections had missed.
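The anomalous-outbound-DNS item describes a hunt that is easiest to judge in code. The following is an added example, not part of the program: it profiles every registered domain seen in a constructed resolver log by the number of distinct subdomains, their average length, the character entropy of those labels, and the share of TXT/NULL queries, then flags domains whose shape matches tunnelling. The log format, domains, thresholds and the naive last-two-labels domain split are assumptions for illustration; the six hexadecimal labels were constructed by hand to have an even character distribution.

```python
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_domain(qname):
    """Split into (subdomain, registered_domain), treating the last two labels as
    the registered domain. Production hunts should use the Public Suffix List so
    that e.g. co.uk is not mistaken for a registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def parse_dns_log(lines):
    """Parse constructed 'timestamp client qtype qname' resolver records."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        yield {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname}

def profile_domains(records):
    subs, total, txt = defaultdict(set), defaultdict(int), defaultdict(int)
    for r in records:
        sub, dom = split_domain(r["qname"])
        total[dom] += 1
        if r["qtype"] in ("TXT", "NULL"):
            txt[dom] += 1
        if sub:
            subs[dom].add(sub)
    profiles = {}
    for dom, n in total.items():
        uniq = sorted(subs[dom])
        blob = "".join(s.replace(".", "") for s in uniq)  # entropy over distinct labels only
        profiles[dom] = {
            "queries": n,
            "unique_subdomains": len(uniq),
            "avg_sub_len": sum(len(s) for s in uniq) / len(uniq) if uniq else 0.0,
            "entropy": shannon_entropy(blob),
            "txt_ratio": txt[dom] / n,
        }
    return profiles

def hunt_dns_exfil(lines, min_unique=5, min_entropy=3.5, min_avg_len=20):
    """Flag registered domains receiving many distinct, long, high-entropy
    subdomain labels: the shape of DNS tunnelling or exfiltration."""
    profiles = profile_domains(parse_dns_log(lines))
    flagged = sorted(
        dom for dom, p in profiles.items()
        if p["unique_subdomains"] >= min_unique
        and p["entropy"] >= min_entropy
        and p["avg_sub_len"] >= min_avg_len
    )
    return flagged, profiles

# Constructed resolver log (not real traffic). example.net receives six distinct
# 32-hex-character labels; example.com is ordinary browsing; example.org has
# many distinct but short, low-entropy host names.
DNS_LOG = """
2024-05-01T10:00:01 10.0.1.15 A www.example.com
2024-05-01T10:00:02 10.0.1.15 A mail.example.com
2024-05-01T10:00:02 10.0.1.15 A cdn.example.com
2024-05-01T10:00:03 10.0.1.15 A api.example.com
2024-05-01T10:00:04 10.0.1.15 A api.example.com
2024-05-01T10:00:05 10.0.1.15 A api.example.com
2024-05-01T10:01:00 10.0.1.15 TXT 3f9a1c7e0b24d865a0e3c95b7d1f8264.example.net
2024-05-01T10:01:01 10.0.1.15 TXT 7b2e8d0f4a6c1935e5d9a3b1c7f02846.example.net
2024-05-01T10:01:02 10.0.1.15 TXT c4a81f3d9e07b5626f1e0a9c2b4d7358.example.net
2024-05-01T10:01:03 10.0.1.15 TXT 9d5b0c7a3e1f62843a7c1e9d5f0b4826.example.net
2024-05-01T10:01:04 10.0.1.15 TXT e18f4b2d6c0a9375d2f7b3e8a1c49605.example.net
2024-05-01T10:01:05 10.0.1.15 TXT 5c3e7a9f1b0d28641f6b9e3d7a0c5284.example.net
2024-05-01T10:02:00 10.0.1.22 A host01.example.org
2024-05-01T10:02:01 10.0.1.22 A host02.example.org
2024-05-01T10:02:02 10.0.1.22 A host03.example.org
2024-05-01T10:02:03 10.0.1.22 A host04.example.org
2024-05-01T10:02:04 10.0.1.22 A host05.example.org
2024-05-01T10:02:05 10.0.1.22 A host06.example.org
""".strip().splitlines()

if __name__ == "__main__":
    flagged, profiles = hunt_dns_exfil(DNS_LOG)
    for dom, p in profiles.items():
        print(f"{dom:14s} uniq={p['unique_subdomains']:2d} avglen={p['avg_sub_len']:5.1f} "
              f"H={p['entropy']:.2f} txt={p['txt_ratio']:.2f}")
    print("flagged:", flagged)
```

No single feature separates the three domains: example.org has as many distinct subdomains as example.net but short, repetitive names, and the short browsing labels of example.com score an entropy close to 3 because there are so few characters to repeat. Requiring all three conditions is what keeps the hunt query from paging on every CDN. In a real hunt the same profile should be computed per client as well as per domain, and large legitimate users of long random labels (CDNs, anti-virus lookups, some SaaS telemetry) go into an allowlist once reviewed, which is the conversion into an automated rule that the last item of this module describes.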
Module 8: Governance, Compliance, and SOC Maturity Assessment
- Aligning SOC operations with NIST CSF and ISO 27001 controls for audit readiness.
- Conducting quarterly access reviews to remove inactive or overprivileged analyst accounts.
- Performing tabletop exercises to validate incident response coordination with external partners.
- Measuring detection coverage against MITRE ATT&CK to identify under-defended tactics.
- Reporting key SOC metrics (e.g., mean time to acknowledge, false positive rate) to executive leadership.
- Updating policies to reflect changes in regulatory requirements such as SEC disclosure rules or GDPR.