Description

This curriculum spans the design and operation of a full-scale security operations center, comparable in scope to a multi-workshop technical advisory program for establishing and maturing SOC capabilities across architecture, detection, response, and compliance functions.

Module 1: SOC Architecture and Operational Design

Selecting between centralized, decentralized, and hybrid SOC models based on organizational footprint and threat landscape.
Designing network segmentation to ensure SOC tools have necessary visibility without introducing lateral movement risks.
Integrating SIEM with existing logging infrastructure while managing data ingestion costs and retention policies.
Establishing secure remote access protocols for SOC analysts working from untrusted networks.
Defining escalation paths and handoff procedures between Tier 1, Tier 2, and Tier 3 analysts.
Implementing high-availability configurations for critical SOC components like log collectors and correlation engines.
Aligning SOC workflow tools (ticketing, case management) with incident response lifecycle stages.
Configuring data parsing rules to normalize logs from heterogeneous sources without losing forensic fidelity.

Module 2: Threat Intelligence Integration and Management

Evaluating commercial, open-source, and ISAC-provided threat feeds based on timeliness and relevance to industry vertical.
Automating IOC ingestion into SIEM and EDR platforms while filtering out false positives from noisy sources.
Mapping threat actor TTPs to MITRE ATT&CK and aligning detection rules accordingly.
Establishing processes for validating and enriching raw intelligence with internal telemetry.
Managing access controls to sensitive threat intelligence data across analyst tiers.
Developing playbooks that incorporate threat context into alert triage and investigation workflows.
Assessing the operational impact of sharing internal threat data with external partners.
Rotating and retiring outdated IOCs from detection systems to prevent performance degradation.

Module 3: SIEM Configuration and Tuning

Designing correlation rules that balance detection sensitivity with analyst workload.
Implementing rule versioning and change control to track detection logic modifications.
Tuning false positive rates by adjusting time windows, thresholds, and exclusion lists.
Creating custom parsers for proprietary application logs not supported by default.
Allocating storage quotas per data source to prevent high-volume systems from overwhelming retention.
Validating parser accuracy through sample log injection and output verification.
Configuring role-based dashboards to provide relevant context for different analyst roles.
Establishing performance baselines for search query response times under peak load.

Module 4: Endpoint Detection and Response (EDR) Operations

Defining containment policies for EDR that minimize business disruption during active investigations.
Configuring real-time monitoring rules to detect suspicious process injection and lateral movement.
Managing EDR agent update cycles to ensure coverage without introducing endpoint instability.
Conducting live memory analysis from EDR console during active incident response.
Integrating EDR telemetry with SIEM for centralized correlation and alerting.
Setting up automated isolation triggers based on confirmed malware execution.
Reviewing EDR console access logs to detect potential misuse or unauthorized queries.
Developing forensic collection scripts to extract artifacts from quarantined endpoints.

Module 5: Network Detection and Traffic Analysis

Deploying network TAPs and SPAN ports to capture full packet data without impacting production traffic.
Configuring NetFlow collectors to aggregate and store metadata for long-term anomaly analysis.
Using packet capture (PCAP) data to reconstruct command-and-control communications.
Integrating IDS signatures with threat intelligence to detect known malicious domains.
Implementing SSL/TLS decryption at strategic network chokepoints with proper legal oversight.
Monitoring DNS query patterns to identify data exfiltration or beaconing behavior.
Establishing baselines for normal network behavior to detect deviations indicative of compromise.
Coordinating with network operations to validate alerts against legitimate changes like patching or migrations.

Module 6: Incident Response and Case Management

Documenting chain of custody for digital evidence collected during live response.
Assigning severity levels to incidents using standardized frameworks like CVSS or DREAD.
Initiating cross-functional response teams involving legal, PR, and IT operations.
Preserving volatile data from affected systems before containment actions.
Generating executive summaries that communicate impact without disclosing technical vulnerabilities.
Tracking incident resolution timelines to meet regulatory reporting requirements.
Conducting post-incident reviews to update detection rules and response playbooks.
Managing communication channels to prevent information leakage during active incidents.

Module 7: SOC Automation and Orchestration (SOAR)

Identifying repetitive tasks suitable for automation, such as IOC lookups and user lockouts.
Developing playbooks that integrate API calls across SIEM, EDR, email security, and firewall platforms.
Testing automated responses in isolated environments before production deployment.
Implementing approval workflows for high-risk actions like system isolation or account disablement.
Monitoring SOAR execution logs to detect failed automations or unintended consequences.
Version-controlling playbooks to support auditability and rollback capabilities.
Integrating SOAR with ticketing systems to ensure human oversight of automated actions.
Measuring time saved per alert through automation while tracking false positive escalations.

Module 8: Compliance, Auditing, and Governance

Mapping SOC controls to regulatory requirements such as GDPR, HIPAA, or NIST CSF.
Generating audit-ready reports that demonstrate detection coverage and response effectiveness.
Implementing least-privilege access for SOC tools and ensuring segregation of duties.
Conducting regular access reviews for analyst accounts and privileged toolsets.
Documenting retention policies for logs, alerts, and investigation records per legal mandates.
Preparing for third-party audits by maintaining evidence of control implementation.
Establishing data handling procedures for PII and other regulated data within SOC systems.
Reviewing alert disposition accuracy to demonstrate operational diligence during compliance reviews.

Module 9: Threat Hunting and Proactive Defense

Scheduling regular hunting campaigns based on emerging threats and internal risk assessments.
Developing hypotheses using threat intelligence, anomalous logs, or red team findings.
Querying endpoint and network data at scale to validate or refute compromise indicators.
Using statistical analysis to detect outliers in user behavior or system activity.
Documenting hunting methodology and findings for peer review and knowledge sharing.
Converting successful hunt techniques into automated detection rules.
Coordinating with system owners to investigate suspicious artifacts without disrupting operations.
Measuring hunting efficacy through metrics like dwell time reduction and detection rate improvement.