This curriculum spans the design and operational challenges of an enterprise-wide threat management program, comparable in scope to a multi-phase security transformation engagement involving threat intelligence, identity, endpoint, network, cloud, and governance teams.
Module 1: Threat Landscape Analysis and Intelligence Integration
- Selecting and integrating commercial threat intelligence feeds based on industry-specific relevance and false positive rates.
- Mapping adversary tactics, techniques, and procedures (TTPs) to MITRE ATT&CK for internal detection rule development.
- Establishing thresholds for automated ingestion of Indicators of Compromise (IOCs) into SIEM and firewall systems.
- Deciding whether to participate in ISACs and determining data-sharing boundaries under legal and compliance constraints.
- Validating the credibility of open-source intelligence (OSINT) reports before operationalizing findings.
- Designing a process for quarterly threat landscape reassessment aligned with business expansion or M&A activity.
Module 2: Identity and Access Management in Hostile Environments
- Implementing step-up authentication workflows for privileged access during suspected credential compromise.
- Enforcing time-bound just-in-time (JIT) access for third-party vendors with automated deprovisioning.
- Choosing between on-premises and cloud-based identity providers based on regulatory and resilience requirements.
- Responding to password spray attacks by adjusting lockout policies without increasing helpdesk burden.
- Integrating identity telemetry into UEBA systems to detect anomalous login behavior across hybrid environments.
- Managing the risk of dormant service accounts through automated discovery and attestation cycles.
Module 3: Endpoint Detection and Response (EDR) Operations
- Configuring EDR agents to balance telemetry volume with endpoint performance impact on critical workstations.
- Developing custom detection rules for living-off-the-land binaries (LOLBins) based on observed attacker behavior.
- Responding to EDR console alerts with predefined runbooks while avoiding over-reliance on automated containment.
- Coordinating EDR data collection with legal teams during incident investigations to preserve chain of custody.
- Negotiating EDR vendor SLAs for threat-hunting support during active breaches.
- Managing agent updates across global endpoints without disrupting production systems or patching windows.
Module 4: Network Security and Segmentation Strategies
- Designing micro-segmentation policies for data center workloads without introducing latency or management overhead.
- Deploying network detection and response (NDR) sensors at choke points while minimizing bandwidth consumption.
- Responding to lateral movement detection by dynamically isolating compromised subnets via firewall APIs.
- Deciding whether to decrypt TLS traffic at inspection points based on privacy regulations and key management complexity.
- Integrating NetFlow data from cloud and on-prem environments into a centralized analytics platform.
- Updating firewall rulebases following application modernization projects while maintaining least privilege.
Module 5: Cloud Security Posture and Workload Protection
- Configuring CSPM tools to prioritize misconfigurations based on exploitability and data sensitivity.
- Implementing runtime protection for serverless functions with minimal code instrumentation.
- Managing shared responsibility model gaps in IaaS environments, particularly around guest OS hardening.
- Enforcing container image signing and scanning in CI/CD pipelines without delaying deployments.
- Responding to unauthorized S3 bucket exposure by automating remediation and access logging.
- Aligning cloud security policies across multi-cloud environments with divergent native controls and APIs.
Module 6: Incident Response and Threat Containment
- Activating predefined incident response playbooks based on attack classification while allowing for tactical deviation.
- Coordinating cross-functional response efforts between legal, PR, IT, and executive leadership during ransomware events.
- Preserving forensic evidence from cloud workloads where ephemeral storage complicates data retention.
- Deciding whether to engage law enforcement based on data exfiltration scope and jurisdictional implications.
- Conducting tabletop exercises with updated scenarios reflecting current ransomware TTPs and double extortion.
- Managing communication channels during incidents to prevent information leakage or insider coordination with attackers.
Module 7: Security Automation and SOAR Implementation
- Mapping repetitive SOC tasks to SOAR playbooks while maintaining human oversight for high-risk actions.
- Integrating threat intelligence platforms with SOAR for automated enrichment of phishing alerts.
- Testing SOAR playbook logic in staging environments to avoid unintended system outages or data corruption.
- Establishing approval workflows for automated actions that impact production systems or user access.
- Measuring SOAR effectiveness through metrics such as mean time to acknowledge (MTTA) and containment rate.
- Managing API rate limits and authentication across integrated tools to ensure reliable automation execution.
Module 8: Governance, Risk, and Compliance in Threat Management
- Aligning cyber threat mitigation efforts with internal audit findings and regulatory requirements such as GDPR or HIPAA.
- Reporting threat exposure metrics to board members using business-aligned KPIs, not technical jargon.
- Conducting risk acceptance reviews for vulnerabilities where remediation would disrupt critical operations.
- Updating business impact analyses (BIAs) following changes in threat actor targeting patterns.
- Managing third-party risk by assessing vendor security controls against threat-specific benchmarks.
- Documenting control exceptions for compensating measures implemented during extended remediation timelines.