Description

This curriculum spans the design and operationalization of host security within a SOC, comparable in scope to a multi-workshop program that integrates telemetry management, detection engineering, and response orchestration across diverse enterprise environments.

Module 1: Defining Host Security Scope and Integration with SOC Operations

Selecting which host types (servers, workstations, cloud instances) are in scope based on data sensitivity and regulatory requirements.
Establishing ownership boundaries between SOC analysts, endpoint security teams, and system administrators for host monitoring.
Integrating host telemetry into the SIEM while managing data ingestion costs and retention policies.
Defining escalation paths for host-based alerts that require immediate containment versus those requiring deeper investigation.
Aligning host security monitoring with existing SOC runbooks and incident classification frameworks.
Implementing tagging standards for hosts to enable automated alert routing based on environment (production, staging, DMZ).

Module 2: Host-Based Data Collection and Telemetry Normalization

Choosing between agent-based and agentless collection for different host platforms based on performance and coverage needs.
Configuring logging levels on endpoint detection and response (EDR) agents to balance visibility and system impact.
Normalizing process execution, file modification, and registry events across Windows, Linux, and macOS hosts.
Mapping host logs to MITRE ATT&CK techniques during ingestion to support threat-centric analysis.
Validating log source reliability by monitoring agent heartbeat and detecting silent failures.
Handling encrypted or obfuscated telemetry from hosts in high-risk environments without degrading detection fidelity.

Module 3: Detection Engineering for Host-Centric Threats

Developing correlation rules that identify lateral movement via PowerShell or SSH command patterns across multiple hosts.
Building behavioral baselines for normal host activity to detect anomalous outbound connections or privilege escalation.
Creating detection logic for living-off-the-land binaries (LOLBins) such as certutil, bitsadmin, or wget.
Implementing thresholds for repetitive failed login attempts across hosts to distinguish brute force attacks from misconfigurations.
Writing Sigma rules that translate across different EDR platforms for consistent detection deployment.
Managing false positives by excluding known software deployment tools from suspicious execution alerts.

Module 4: Host Containment and Response Orchestration

Defining automated isolation policies for hosts exhibiting ransomware-like behavior based on file encryption patterns.
Coordinating with network teams to enforce host quarantine via VLAN reassignment or firewall rule updates.
Validating that remote response actions (process kill, file quarantine) do not disrupt critical business services.
Staging response playbooks for hosts in air-gapped or offline environments where real-time commands fail.
Logging all containment actions in the ticketing system to maintain audit trails for compliance reviews.
Requiring dual approval for mass host isolation events to prevent accidental denial-of-service during incident response.

Module 5: Vulnerability and Configuration Management Integration

Prioritizing patch deployment based on exploit availability and host exposure level (internet-facing vs internal).
Correlating unpatched vulnerabilities with active threats observed in the threat intelligence feed.
Automating host re-scanning after patch application to confirm remediation and update asset risk scores.
Enforcing configuration baselines (e.g., disabled SMBv1, restricted RDP access) through group policy or configuration management tools.
Handling exceptions for legacy applications that require insecure configurations with compensating controls.
Integrating vulnerability scanner outputs into the SOC dashboard to contextualize host risk during triage.

Module 6: Host Forensics and Evidence Preservation

Preserving volatile memory from compromised hosts before powering down for forensic analysis.
Using write-blockers or forensic imaging tools to create bit-for-bit copies of host storage for legal admissibility.
Documenting chain of custody for forensic images when transferring between SOC, legal, and external investigators.
Extracting prefetch, shimcache, and event logs to reconstruct attacker activity timelines.
Handling encrypted drives by coordinating with key management systems to enable decryption during analysis.
Storing forensic data in isolated, access-controlled repositories to prevent tampering or unauthorized access.

Module 7: Threat Hunting on Hosts Using EDR and Logs

Designing hunts to detect credential dumping by searching for lsass memory access across endpoint telemetry.
Querying EDR databases for unusual parent-child process relationships indicative of process injection.
Using host file integrity monitoring (FIM) data to identify unauthorized changes to system binaries.
Scheduling recurring hunts for persistence mechanisms such as scheduled tasks, services, or startup folders.
Validating hunt results by cross-referencing with network flows and authentication logs.
Documenting and sharing new host-based indicators of compromise (IOCs) with the broader SOC team.

Module 8: Governance, Compliance, and Continuous Improvement

Aligning host monitoring practices with regulatory frameworks such as PCI DSS, HIPAA, or NIST 800-53.
Conducting periodic access reviews for SOC personnel with elevated privileges to host systems.
Measuring detection coverage gaps by performing purple team exercises focused on host attack paths.
Updating host security policies based on post-incident reviews and lessons learned from real breaches.
Benchmarking EDR tool efficacy using metrics like mean time to detect (MTTD) and mean time to respond (MTTR) on hosts.
Rotating encryption keys and API tokens used for host agent communication to limit long-term exposure.