This curriculum covers the technical and operational work of a multi-phase SOC build and optimization program, comparable to advisory engagements that integrate detection engineering, threat intelligence, and response orchestration across the network, endpoint, and identity domains.
Module 1: Establishing Security Operations Center (SOC) Architecture
- Selecting between centralized, decentralized, or hybrid SOC models based on organizational footprint and threat exposure.
- Designing network segmentation to isolate SOC infrastructure from corporate networks while enabling data ingestion.
- Integrating SIEM with existing logging sources such as firewalls, endpoints, and cloud workloads without overloading collectors.
- Implementing high-availability and failover mechanisms for critical SOC components like log servers and correlation engines.
- Choosing between on-premises, cloud-hosted, or managed SIEM solutions based on data sovereignty and latency requirements.
- Defining data retention policies for raw logs and enriched events in alignment with compliance and forensic readiness.
Module 2: Threat Detection Engineering and Rule Development
- Developing custom detection rules in Sigma (converted to the SIEM's native query language) or YARA-L to identify lateral movement via PowerShell remoting and encoded command patterns.
- Tuning correlation rules to reduce false positives from legitimate administrative activity in privileged access workflows.
- Integrating threat intelligence feeds (e.g., STIX/TAXII) and mapping IOCs to detection logic with automated enrichment.
- Creating behavioral baselines for user and entity activity to detect anomalies in authentication and data access.
- Validating detection logic using historical log data through controlled playback in the SIEM environment.
- Implementing version control and peer review processes for detection rule changes in a SOC change management framework.
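The rule development, tuning, and historical playback steps above, as an added example that is not part of the original curriculum: a Sigma-style detection for PowerShell remoting with an encoded command, a narrowly scoped filter for a documented admin workflow, and a replay harness that runs the rule over labelled historical events and reports true/false positives with and without the tuning filter. The rule mirrors Sigma's selection/filter/condition layout, but the evaluator is a deliberately small stand-in for pySigma (modifiers contains, endswith, startswith, re; conditions of the form "a and b and not c"). Hosts, accounts and command lines are constructed.

```python
"""Sigma-style rule, tuning filter and replay harness (added example, constructed data)."""
import re
from collections import Counter

RULE = {
    "title": "PowerShell remoting with encoded command",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-EncodedCommand", "-enc ", "-ec "],
        },
        "selection_remote": {
            "CommandLine|contains": ["Invoke-Command", "Enter-PSSession",
                                     "New-PSSession", "-ComputerName"],
        },
        # Tuning: the deployment service account on the jump host does this
        # legitimately. Scope the exception to host AND account, never to
        # "any encoded command is fine".
        "filter_admin": {
            "Computer": "JUMP01.corp.example",
            "User|endswith": "\\svc-deploy",
        },
        "condition": "selection and selection_remote and not filter_admin",
    },
    "tags": ["attack.lateral_movement", "attack.t1021.006", "attack.t1059.001"],
}


def _field_matches(record, spec, values):
    """Sigma semantics: listed values are OR-ed; string matching is case-insensitive."""
    field, _, modifier = spec.partition("|")
    actual = str(record.get(field, ""))
    low = actual.lower()
    for value in values if isinstance(values, list) else [values]:
        v = str(value).lower()
        if modifier == "" and low == v:
            return True
        if modifier == "contains" and v in low:
            return True
        if modifier == "endswith" and low.endswith(v):
            return True
        if modifier == "startswith" and low.startswith(v):
            return True
        if modifier == "re" and re.search(str(value), actual):
            return True
    return False


def evaluate(rule, record, ignore_filters=False):
    """Fields inside one selection are AND-ed; the condition combines selections."""
    detection = rule["detection"]
    hits = {name: all(_field_matches(record, spec, vals) for spec, vals in sel.items())
            for name, sel in detection.items() if name != "condition"}
    for term in detection["condition"].split(" and "):
        term = term.strip()
        negated = term.startswith("not ")
        name = term[4:] if negated else term
        if negated and ignore_filters and name.startswith("filter"):
            continue  # "before tuning" view: evaluate as if the exemption did not exist
        if hits[name] == negated:  # a negated hit, or a plain miss, fails the rule
            return False
    return True


def replay(rule, records, ignore_filters=False):
    """Run the rule over labelled historical records and tally tp/fp/fn/tn."""
    tally = Counter()
    for rec in records:
        fired = evaluate(rule, rec, ignore_filters)
        malicious = rec["label"] == "malicious"
        tally["tp" if fired and malicious else "fp" if fired else "fn" if malicious else "tn"] += 1
    return dict(tally)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"
HISTORICAL = [  # constructed process-creation events, labelled from past investigations
    {"Computer": "WS042.corp.example", "User": r"CORP\jdoe", "Image": PS,
     "CommandLine": "powershell.exe -NoP -W Hidden Invoke-Command -ComputerName FS01 "
                    "-ScriptBlock { powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA }",
     "label": "malicious"},
    {"Computer": "JUMP01.corp.example", "User": r"CORP\svc-deploy", "Image": PWSH,
     "CommandLine": "pwsh.exe -enc UwB0AGEAcgB0AC0ARABlAHAAbABvAHkA Invoke-Command -ComputerName APP07",
     "label": "benign"},
    {"Computer": "WS017.corp.example", "User": r"CORP\bkim", "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
     "label": "benign"},
    {"Computer": "WS017.corp.example", "User": r"CORP\jdoe", "Image": PWSH,
     "CommandLine": "pwsh.exe -enc SQBFAFgAIAAoAE4A Enter-PSSession -ComputerName DC01",
     "label": "malicious"},
    {"Computer": "WS088.corp.example", "User": r"CORP\akhan",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "label": "benign"},
    # Coverage gap the replay exposes: encoded payload staged over SMB, no WinRM cmdlets.
    {"Computer": "WS042.corp.example", "User": r"CORP\jdoe", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4A",
     "label": "malicious"},
]

if __name__ == "__main__":
    print("with tuning filter:   ", replay(RULE, HISTORICAL))
    print("without tuning filter:", replay(RULE, HISTORICAL, ignore_filters=True))
```

The replay shows both what tuning buys (the jump-host deployment job stops firing) and what the rule still misses (the encoded payload that never touches WinRM), which is the evidence a peer reviewer should see attached to the rule change.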
Module 3: Incident Triage and Response Orchestration
- Classifying incoming alerts using a standardized severity matrix based on MITRE ATT&CK techniques and business impact.
- Automating initial enrichment tasks such as DNS lookups, user session checks, and endpoint process queries via SOAR playbooks.
- Escalating incidents to IR teams with standardized packages including timeline, affected assets, and IOC summary.
- Coordinating containment actions such as user account disablement or host isolation with identity and endpoint management teams.
- Documenting response actions in a centralized case management system with audit trails for regulatory review.
- Conducting post-escalation reviews to refine triage criteria and reduce mean time to acknowledge (MTTA).
Module 4: Endpoint Detection and Response (EDR) Integration
- Deploying EDR agents across heterogeneous endpoints while minimizing performance impact on critical systems.
- Configuring EDR policies to enable real-time monitoring without blocking legitimate software deployment processes.
- Correlating EDR alerts with network-based detections to validate compromise across multiple vectors.
- Executing live forensic collection from endpoints during active investigations using EDR query capabilities.
- Negotiating access to endpoint telemetry with business units that manage specialized or legacy systems.
- Handling TLS inspection for EDR-to-cloud agent communication (agent channels are commonly certificate-pinned and must be exempted from interception proxies or they silently stop reporting) in compliance with privacy policies.
Module 5: Network Traffic Analysis and Forensics
- Deploying network TAPs and SPAN ports to capture full packet data for critical network segments without affecting production traffic (TAPs are passive; SPAN ports can drop packets under load, so verify capture completeness).
- Configuring packet brokers to filter and forward relevant traffic to IDS and full packet capture systems.
- Using Zeek (formerly Bro) logs to reconstruct command-and-control communication from DNS tunneling behavior.
- Integrating netflow data with SIEM to detect data exfiltration via unusual volume or destination patterns.
- Detecting malicious encrypted traffic by combining JA3/JA3S fingerprints of the TLS client and server hellos with behavioral analysis of the connections (beaconing periodicity, byte ratios, certificate and SNI anomalies), since payloads cannot be inspected.
- Preserving packet captures for legal hold during ongoing investigations with chain-of-custody documentation.
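The Zeek-based reconstruction of DNS tunneling described above, as an added example that is not part of the original curriculum: the code parses a Zeek dns.log, scores each (client, registered domain) pair for tunneling using subdomain count, label length and entropy, and reassembles the tunnel uplink from the encoded labels in time order. The log is constructed with Zeek's real #fields column names but carries only a subset of the dns.log columns; the tunnel encoding (base32 chunks, one label per query, TXT lookups) is an assumption about one hypothetical implant, not a universal C2 format, and the "last two labels" shortcut for the registered domain should be replaced by a public suffix list lookup in production.

```python
"""Zeek dns.log parsing, tunneling score and uplink reconstruction (added example, constructed log)."""
import base64
import math
from collections import Counter, defaultdict

C2_DOMAIN = "update-cdn.example"  # constructed; .example is reserved for documentation
UPLINK = (b"cmd:whoami /all\n"
          b'cmd:net group "Domain Admins" /domain\n'
          b"cmd:dir C:\\Users\\Admin\\Documents\n"
          b"exfil:C:\\Users\\Admin\\Documents\\q3-forecast.xlsx\n")


def _tunnel_queries(payload, label_len=32):
    """What the hypothetical implant sends: base32, padding stripped, one chunk per query."""
    enc = base64.b32encode(payload).decode().rstrip("=").lower()
    return [f"{enc[i:i + label_len]}.{C2_DOMAIN}" for i in range(0, len(enc), label_len)]


def build_sample_log():
    """Constructed dns.log text: two clients, benign lookups plus one tunnel session."""
    lines = ["#separator \\x09", "#path\tdns",
             "#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype_name\trcode_name",
             "#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring"]
    rows = [("10.20.30.40", "www.example.com", "A"), ("10.20.30.40", "mail.example.com", "A"),
            ("10.20.30.41", "login.microsoftonline.com", "A"),
            ("10.20.30.40", "cdn.static-assets.example.net", "A"),
            ("10.20.30.41", "api.example.org", "AAAA"), ("10.20.30.40", "www.example.com", "A")]
    rows += [("10.20.30.40", q, "TXT") for q in _tunnel_queries(UPLINK)]
    ts = 1700000000.0
    for i, (client, query, qtype) in enumerate(rows):
        lines.append("\t".join([f"{ts + 0.7 * i:.6f}", f"CZ{i:04d}", client, "10.20.0.2",
                                query, qtype, "NOERROR"]))
    return "\n".join(lines) + "\n"


def parse_zeek_log(text):
    """Return one dict per record, keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def split_query(query):
    """(subdomain, registered domain). Naive: last two labels; use the PSL in production."""
    labels = query.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_tunneling(records, min_queries=5, min_len=20.0, min_entropy=2.5):
    """Flag (client, domain) pairs with many long, high-entropy, unique subdomains."""
    groups = defaultdict(list)
    for r in records:
        sub, dom = split_query(r["query"])
        groups[(r["id.orig_h"], dom)].append((float(r["ts"]), sub, r["qtype_name"]))
    findings = []
    for (client, dom), qs in groups.items():
        subs = {s for _, s, _ in qs if s}
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        txt_ratio = sum(1 for _, _, t in qs if t in ("TXT", "NULL", "CNAME", "MX")) / len(qs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            findings.append({"client": client, "domain": dom, "queries": len(qs),
                             "unique_subdomains": len(subs), "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2), "txt_ratio": round(txt_ratio, 2)})
    return findings


def reconstruct_uplink(records, client, domain):
    """Concatenate the encoded labels in timestamp order and base32-decode them."""
    chunks = sorted((float(r["ts"]), split_query(r["query"])[0]) for r in records
                    if r["id.orig_h"] == client and split_query(r["query"])[1] == domain)
    data = "".join(sub.replace(".", "") for _, sub in chunks)
    data += "=" * (-len(data) % 8)  # restore the padding the implant stripped
    return base64.b32decode(data, casefold=True)


if __name__ == "__main__":
    recs = parse_zeek_log(build_sample_log())
    for f in score_tunneling(recs):
        print(f)
        print(reconstruct_uplink(recs, f["client"], f["domain"]).decode())
```

Retransmitted queries would duplicate chunks and corrupt the reassembly; a real pipeline should de-duplicate on the tunnel's sequence field once the encoding has been identified from a sample.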
Module 6: Identity and Access Monitoring in the SOC
- Monitoring authentication logs for signs of pass-the-hash or Kerberos ticket abuse in Active Directory environments.
- Correlating failed login spikes with geolocation anomalies to detect credential stuffing attacks.
- Integrating cloud identity providers (e.g., Azure AD, now Microsoft Entra ID; Okta) into SOC monitoring for real-time anomaly detection.
- Responding to privileged account compromise by coordinating immediate password resets and session invalidation.
- Defining which MFA bypass events are acceptable (documented break-glass and emergency access procedures) and alerting on every bypass that occurs outside them.
- Mapping user entitlements to detection rules to identify privilege escalation via group membership changes.
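The failed-login spike and geolocation correlation above, as an added example that is not part of the original curriculum: detect_stuffing() finds the largest five-minute failure burst per source IP, flags it when it spans many distinct accounts, enriches the source with a constructed GeoIP table, and lists accounts that then signed in successfully from the same source; detect_impossible_travel() flags consecutive successful sign-ins for one user whose locations imply an implausible speed. The GEOIP table stands in for a real lookup such as a MaxMind database, the event schema and thresholds are assumptions to be tuned against your own baseline, and all addresses are documentation prefixes.

```python
"""Credential stuffing burst and impossible travel detections (added example, constructed events)."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

GEOIP = {  # constructed: ip -> (country, lat, lon)
    "192.0.2.10": ("US", 40.71, -74.01),    # New York office egress
    "198.51.100.7": ("NL", 52.37, 4.90),    # hosting provider in Amsterdam
    "203.0.113.44": ("BR", -23.55, -46.63),
}
EXPECTED_COUNTRIES = {"US"}  # where this workforce normally signs in from


def build_sample_events():
    """Constructed sign-in log: normal activity plus one stuffing burst that finally succeeds."""
    t0 = datetime(2024, 3, 4, 9, 0, 0)
    events = [
        {"ts": t0 - timedelta(minutes=30), "user": "m.ortiz", "src_ip": "192.0.2.10", "result": "success"},
        {"ts": t0 - timedelta(minutes=20), "user": "j.chen", "src_ip": "192.0.2.10", "result": "failure"},
        {"ts": t0 - timedelta(minutes=19), "user": "j.chen", "src_ip": "192.0.2.10", "result": "failure"},
        {"ts": t0 - timedelta(minutes=18), "user": "j.chen", "src_ip": "192.0.2.10", "result": "success"},
    ]
    targets = [f"emp{i:03d}" for i in range(17)] + ["m.ortiz"]
    for i, user in enumerate(targets):  # one failure every 10 s, each against a different account
        events.append({"ts": t0 + timedelta(seconds=10 * i), "user": user,
                       "src_ip": "198.51.100.7", "result": "failure"})
    events.append({"ts": t0 + timedelta(seconds=200), "user": "m.ortiz",
                   "src_ip": "198.51.100.7", "result": "success"})
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_stuffing(events, window=timedelta(minutes=5), min_failures=15, min_users=8):
    """Largest failure burst per source IP; flag it when spread across many accounts."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["result"] == "failure" else successes)[e["src_ip"]].append(e)
    findings = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = (0, set(), None), 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) > best[0]:
                best = (len(win), {w["user"] for w in win}, win[0]["ts"])
        count, users, since = best
        if count < min_failures or len(users) < min_users:
            continue
        country = GEOIP.get(ip, ("unknown", 0.0, 0.0))[0]
        taken_over = sorted({s["user"] for s in successes.get(ip, [])
                             if s["ts"] >= since and s["user"] in users})
        findings.append({"src_ip": ip, "failures": count, "distinct_users": len(users),
                         "country": country, "geo_anomaly": country not in EXPECTED_COUNTRIES,
                         "successes_after_burst": taken_over})
    return findings


def detect_impossible_travel(events, max_kmh=900.0):
    """Consecutive successes for one user that would require an airliner-beating speed."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["src_ip"] in GEOIP:
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["src_ip"] == b["src_ip"]:
                continue
            _, la1, lo1 = GEOIP[a["src_ip"]]
            _, la2, lo2 = GEOIP[b["src_ip"]]
            km = haversine_km(la1, lo1, la2, lo2)
            hours = max((b["ts"] - a["ts"]).total_seconds() / 3600.0, 1 / 3600.0)
            if km / hours > max_kmh:
                findings.append({"user": user, "from": a["src_ip"], "to": b["src_ip"],
                                 "distance_km": round(km), "speed_kmh": round(km / hours)})
    return findings


if __name__ == "__main__":
    evs = build_sample_events()
    print(detect_stuffing(evs))
    print(detect_impossible_travel(evs))
```

The two signals reinforce each other on the constructed data: the burst from the Amsterdam address is already a geo anomaly for a US-only workforce, and the account that then succeeds from it also trips impossible travel against its earlier office sign-in, which is the combination that should drive an immediate password reset and session invalidation.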
Module 7: Threat Intelligence Program Integration
- Curating internal threat intelligence from past incidents and enriching it with external CTI feeds.
- Automating IOC ingestion from ISACs and commercial providers into firewall and EDR blocklists, with confidence thresholds and expiry so stale or low-quality indicators age out instead of accumulating.
- Assessing the relevance and reliability of threat actor TTPs before incorporating them into detection logic.
- Sharing anonymized IOCs with industry partners while adhering to data privacy and legal constraints.
- Conducting red team emulation exercises based on current threat intelligence to validate detection coverage.
- Measuring the operational impact of intelligence-driven detections through reduction in dwell time.
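The STIX/TAXII integration in Module 2 and the automated IOC ingestion above, as one added example that is not part of the original curriculum: the code turns a STIX 2.1 bundle of indicators into blocklist entries that carry their expiry, honors the revoked flag, valid_from/valid_until and confidence, and refuses internal or allowlisted addresses so a bad feed cannot blackhole the organization's own infrastructure. The bundle, its UUIDs, its IOC values and the ORG_ALLOWLIST range are constructed. The pattern parser handles only simple equality comparisons joined by OR, which covers atomic IOCs but is not the full STIX patterning grammar; that restriction is an assumption of the example.

```python
"""STIX 2.1 indicators to expiring blocklist entries (added example, constructed bundle)."""
import ipaddress
import json
import re
from datetime import datetime, timezone

_COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'\-]+)\s*=\s*'([^']*)'")
_OBJECT_TYPES = {
    "ipv4-addr:value": "ip", "ipv6-addr:value": "ip",
    "domain-name:value": "domain", "url:value": "url",
    "file:hashes.'sha-256'": "sha256", "file:hashes.sha-256": "sha256",
}
# Never push these into a blocklist: RFC 1918, loopback, link-local, plus the
# organization's own egress range (constructed here as 192.0.2.0/24).
ORG_ALLOWLIST = ["192.0.2.0/24"]
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10", *ORG_ALLOWLIST)]


def _ts(value):
    """STIX timestamps are RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _is_allowlisted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable: refuse rather than push garbage to a firewall
    return any(ip in net for net in _NEVER_BLOCK)


def parse_pattern(pattern):
    """Yield (kind, value) for each simple comparison in a STIX pattern."""
    for path, value in _COMPARISON.findall(pattern):
        kind = _OBJECT_TYPES.get(path.lower())
        if kind:
            yield kind, value


def build_blocklist(bundle_json, now=None, min_confidence=50):
    """Return ({kind: {value: valid_until_iso_or_None}}, [skipped indicators with reason])."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    blocklist = {"ip": {}, "domain": {}, "url": {}, "sha256": {}}
    skipped = []
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        until = obj.get("valid_until")
        reason = None
        if obj.get("revoked"):
            reason = "revoked"
        elif until and _ts(until) <= now:
            reason = "expired"
        elif _ts(obj["valid_from"]) > now:
            reason = "not yet valid"
        elif obj.get("confidence", 0) < min_confidence:
            reason = "low confidence"
        if reason:
            skipped.append({"id": obj["id"], "reason": reason})
            continue
        for kind, value in parse_pattern(obj["pattern"]):
            if kind == "ip" and _is_allowlisted(value):
                skipped.append({"id": obj["id"], "reason": "allowlisted address"})
                continue
            key = value if kind == "url" else value.lower()
            blocklist[kind][key] = _ts(until).isoformat() if until else None
    return blocklist, skipped


def _indicator(n, pattern, confidence, valid_from, valid_until=None, revoked=False):
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--00000000-0000-4000-8000-{n:012d}",
           "created": valid_from, "modified": valid_from, "pattern_type": "stix",
           "pattern": pattern, "confidence": confidence, "valid_from": valid_from}
    if valid_until:
        obj["valid_until"] = valid_until
    if revoked:
        obj["revoked"] = True
    return obj


BUNDLE_JSON = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
                          "objects": [
    _indicator(1, "[ipv4-addr:value = '203.0.113.5']", 85, "2024-03-01T00:00:00Z", "2024-04-01T00:00:00Z"),
    _indicator(2, "[domain-name:value = 'bad-update.example' OR url:value = 'http://bad-update.example/dl']",
               60, "2024-03-01T00:00:00Z"),
    _indicator(3, "[file:hashes.'SHA-256' = '" + "deadbeef" * 8 + "']", 90, "2024-03-10T00:00:00Z"),
    _indicator(4, "[ipv4-addr:value = '198.51.100.77']", 80, "2024-01-01T00:00:00Z", "2024-02-01T00:00:00Z"),
    _indicator(5, "[ipv4-addr:value = '10.0.0.1']", 80, "2024-03-01T00:00:00Z"),
    _indicator(6, "[domain-name:value = 'maybe-bad.example']", 20, "2024-03-01T00:00:00Z"),
    _indicator(7, "[ipv4-addr:value = '198.51.100.200']", 90, "2024-03-01T00:00:00Z", revoked=True),
    _indicator(8, "[ipv4-addr:value = '192.0.2.99']", 90, "2024-03-01T00:00:00Z"),
]})

if __name__ == "__main__":
    entries, dropped = build_blocklist(BUNDLE_JSON, "2024-03-15T00:00:00Z")
    print(json.dumps(entries, indent=2))
    print(dropped)
```

Indicators without valid_until never expire on their own, so the consumer should still apply a default maximum age, and the skipped list belongs in the ingestion log: a feed that repeatedly ships internal addresses or revoked objects is itself a reliability signal for the relevance assessment above.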
Module 8: SOC Governance, Metrics, and Continuous Improvement
- Defining KPIs such as mean time to detect (MTTD) and mean time to respond (MTTR) with stakeholder agreement.
- Conducting quarterly detection coverage assessments against MITRE ATT&CK to identify visibility gaps.
- Performing tabletop exercises with executive leadership to validate incident communication protocols.
- Managing access controls to SOC tools using role-based permissions and just-in-time elevation.
- Conducting peer reviews of escalated cases to ensure consistency in analysis and documentation.
- Updating runbooks and response playbooks based on lessons learned from actual incidents and red team findings.