This curriculum covers the technical and operational rigor of a multi-phase security operations rollout, comparable to establishing an enterprise-scale monitoring program across hybrid environments with ongoing tuning, compliance alignment, and cross-team coordination.
Module 1: Defining Monitoring Scope and Asset Inventory
- Select which network segments require full packet capture versus flow-based monitoring based on regulatory exposure and data sensitivity.
- Integrate asset discovery tools with CMDB systems to maintain accurate records of authorized and shadow IT devices.
- Decide whether to include cloud-hosted workloads in the monitoring perimeter and determine data egress points for telemetry collection.
- Establish criteria for classifying assets by criticality to prioritize monitoring intensity and alerting thresholds.
- Implement automated tagging of devices by function (e.g., POS, SCADA, executive endpoints) to enable context-aware alerting.
- Resolve conflicts between network teams and security teams over access to switch port mirroring and NetFlow data.
Module 2: Sensor Placement and Data Collection Architecture
- Deploy passive taps at core aggregation points to ensure full visibility without introducing single points of failure.
- Configure SPAN ports on key switches while managing bandwidth limitations and potential packet drops during traffic spikes.
- Choose between inline and out-of-band IDS/IPS deployment based on tolerance for latency and operational risk.
- Design a hierarchical data collection model using forwarders to route logs from remote offices to central SIEM systems.
- Implement encrypted log forwarding over TLS, with mutual authentication where forwarders support it, to prevent eavesdropping and tampering in transit.
- Balance the need for full packet capture against storage costs and privacy regulations by applying selective capture rules.
Module 3: Log Aggregation and Normalization
- Select a log ingestion schema that accommodates vendor-specific extensions while preserving standard fields for correlation.
- Configure parsers to handle inconsistent timestamp formats from firewalls, proxies, and endpoint agents.
- Map disparate user identifiers (e.g., UPN, SID, email) across systems to enable unified user behavior tracking.
- Implement log retention policies that satisfy audit requirements while managing tiered storage (hot/warm/cold).
- Address gaps in logging coverage by enforcing syslog or API-based collection from legacy systems.
- Validate log integrity using checksums or chained (blockchain-style) hashing to detect post-event tampering.
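Added worked example for the parser item above (not part of the curriculum itself): three constructed log lines in the timestamp styles named there, BSD syslog without year or zone, squid-style epoch with milliseconds, and ISO 8601 with a numeric offset, normalized to one UTC representation so events from different sources can be correlated. The source time zone and year for the syslog line are assumptions the caller must supply.

```python
"""Normalize inconsistent leading timestamps into UTC ISO 8601 strings."""
from datetime import datetime, timezone, timedelta
import re

# Constructed sample lines (not real device output), one per timestamp style.
SAMPLE_LINES = [
    "Mar  5 14:02:11 fw01 kernel: ACCEPT src=10.0.0.5 dst=10.0.1.9",
    "1709647331.123 200 10.0.0.7 TCP_MISS/200 GET http://example.test/",
    "2024-03-05T09:02:11-05:00 agent01 process_start cmd=notepad.exe",
]

_SYSLOG = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
_EPOCH = re.compile(r"^(\d{9,10})(?:\.(\d{1,3}))? ")
_ISO = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)(Z|[+-]\d{2}:\d{2})\s")


def parse_timestamp(line, assume_year=2024, source_tz=timezone.utc):
    """Return an aware UTC datetime for the line's leading timestamp, or None."""
    m = _SYSLOG.match(line)
    if m:
        # BSD syslog carries no year and no zone; both are assumptions supplied
        # by the caller (e.g. from the collector's knowledge of the device).
        mon, day, hh, mm, ss = m.groups()
        naive = datetime.strptime(f"{assume_year} {mon} {day} {hh}:{mm}:{ss}",
                                  "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=source_tz).astimezone(timezone.utc)
    m = _EPOCH.match(line)
    if m:
        # Epoch seconds are already UTC; keep the fractional part as milliseconds.
        secs, frac = m.groups()
        ms = int((frac or "0").ljust(3, "0"))
        return datetime.fromtimestamp(int(secs), tz=timezone.utc) + timedelta(milliseconds=ms)
    m = _ISO.match(line)
    if m:
        ts, zone = m.groups()
        if zone == "Z":          # older Python versions reject a bare 'Z'
            zone = "+00:00"
        return datetime.fromisoformat(ts + zone).astimezone(timezone.utc)
    return None


def normalize(lines, **kwargs):
    """Map each line to a canonical UTC string; unparsed lines yield None."""
    out = []
    for line in lines:
        ts = parse_timestamp(line, **kwargs)
        out.append(ts.isoformat(timespec="milliseconds") if ts else None)
    return out
```

All three sample lines describe the same instant once the offsets are applied, which is exactly the property a correlation engine needs.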
Module 4: Threat Detection Rule Development
- Write Sigma rules to detect lateral movement via SMB beaconing across internal subnets.
- Adjust threshold-based alerts for DNS tunneling to reduce false positives in environments with high legitimate DNS volume.
- Develop correlation rules that link failed authentication bursts on domain controllers with subsequent successful logins.
- Implement behavioral baselines for protocol usage (e.g., FTP, RDP) to flag deviations without blocking business operations.
- Integrate threat intelligence feeds to enrich alerts with known malicious IPs while managing feed update frequency and accuracy.
- Test detection logic in staging using red team emulation data to measure detection time and precision.
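Added worked example for the correlation-rule item above (illustrative code, not from the curriculum): a streaming rule that links a burst of Windows logon failures (event ID 4625) from one source to a subsequent success (event ID 4624) from the same source. The events, thresholds and window sizes are constructed assumptions to be tuned per environment.

```python
"""Correlate a burst of failed logons with a later successful logon from one source."""
from collections import defaultdict, deque

FAIL, SUCCESS = 4625, 4624   # Windows Security log: logon failure / logon success

# Constructed events: (epoch seconds, event_id, account, source_ip)
SAMPLE_EVENTS = [
    (1000, FAIL, "jdoe", "10.0.0.5"),
    (1003, FAIL, "asmith", "10.0.0.5"),
    (1006, FAIL, "svc_backup", "10.0.0.5"),
    (1009, FAIL, "admin", "10.0.0.5"),
    (1012, FAIL, "jdoe", "10.0.0.5"),
    (1040, SUCCESS, "asmith", "10.0.0.5"),  # success shortly after the burst
    (1100, FAIL, "mlee", "10.0.0.9"),
    (1105, SUCCESS, "mlee", "10.0.0.9"),    # one typo then success: benign
]


def correlate(events, threshold=5, fail_window=60, success_within=120):
    """Return one alert per source that meets the burst-then-success pattern.

    A source qualifies when it accumulates `threshold` failures inside
    `fail_window` seconds and then logs on successfully within
    `success_within` seconds of the failure that completed the burst.
    """
    failures = defaultdict(deque)   # source_ip -> timestamps of recent 4625s
    burst_end = {}                  # source_ip -> time the burst threshold was met
    alerts = []
    for ts, event_id, account, src in sorted(events):
        if event_id == FAIL:
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > fail_window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                burst_end[src] = ts
        elif event_id == SUCCESS and src in burst_end:
            if ts - burst_end[src] <= success_within:
                alerts.append({
                    "source_ip": src,
                    "account": account,
                    "failed_attempts": len(failures[src]),
                    "seconds_after_burst": ts - burst_end[src],
                })
                # Clear state so a continuing burst yields a fresh alert, not duplicates.
                del burst_end[src]
                failures[src].clear()
    return alerts
```

Keying the burst on source address rather than account is what lets the rule catch many-accounts-one-source patterns that a per-account lockout counter misses.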
Module 5: Real-Time Alerting and Triage Workflows
- Configure alert deduplication to prevent analyst fatigue during widespread scanning events.
- Assign severity levels based on asset criticality, attacker context, and exploit confidence, not just rule type.
- Integrate SOAR playbooks to automatically enrich alerts with AD group membership and recent user activity.
- Define escalation paths for high-severity alerts that bypass ticketing systems during active incidents.
- Implement time-based alert suppression for scheduled maintenance windows without creating detection gaps.
- Conduct weekly alert tuning reviews to disable or refine rules generating chronic false positives.
Module 6: Network Forensics and Packet Analysis
- Use Wireshark display filters to isolate C2 traffic by reconstructing HTTP headers from PCAPs after an intrusion.
- Reassemble exfiltrated files from fragmented TCP streams when full content inspection was not enabled.
- Correlate session IDs from firewall logs with packet timestamps to reconstruct attack timelines.
- Identify encrypted tunneling tools by analyzing packet size distributions and connection timing patterns.
- Preserve chain of custody for packet captures by hashing files and logging access during forensic investigations.
- Respond to legal requests for network data by producing filtered PCAPs that exclude unrelated user traffic.
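Added worked example for the tunneling-identification item above (not code from the curriculum): it computes how regular a flow's inter-packet gaps and payload sizes are and flags flows whose regularity resembles a beaconing tunnel rather than human-driven traffic. The two flows are constructed, and the thresholds are assumptions to be calibrated against a real baseline.

```python
"""Score flows for beacon-like regularity in packet size and timing."""
from statistics import mean, pstdev

# Constructed flows: lists of (epoch seconds, payload bytes), keyed by a flow label.
FLOWS = {
    # Steady ~30 s cadence with sub-second jitter and only two payload sizes.
    "10.0.0.5->203.0.113.7:443": [(30 * i + (i % 3) * 0.2, 312 + (i % 2) * 4)
                                   for i in range(20)],
    # Bursty browsing-like traffic: irregular gaps and many distinct sizes.
    "10.0.0.8->198.51.100.2:443": [(0, 517), (0.4, 1380), (0.5, 1380), (9.7, 220),
                                    (12.1, 960), (40.3, 1380), (40.9, 64), (95.2, 733)],
}


def _cv(values):
    """Coefficient of variation (stdev / mean); 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def flow_features(samples):
    """Return (interval_cv, size_cv, distinct_size_ratio) for one flow."""
    times = sorted(t for t, _ in samples)
    sizes = [s for _, s in samples]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return _cv(gaps), _cv(sizes), len(set(sizes)) / len(sizes)


def score_flows(flows, min_packets=8, interval_cv_max=0.15, size_cv_max=0.15):
    """Return labels of flows regular enough to warrant analyst review.

    Short flows are skipped because regularity measured over a handful of
    packets is noise, not signal.
    """
    flagged = []
    for label, samples in flows.items():
        if len(samples) < min_packets:
            continue
        interval_cv, size_cv, _ = flow_features(samples)
        if interval_cv <= interval_cv_max and size_cv <= size_cv_max:
            flagged.append(label)
    return flagged
```

Because the features use only sizes and timing, the check works on TLS-wrapped traffic where payload inspection is unavailable.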
Module 7: Compliance, Auditing, and Reporting
- Generate quarterly reports demonstrating coverage of PCI DSS Requirement 11.4 for internal network monitoring.
- Configure audit trails for SIEM administrative actions to meet SOX requirements for change tracking.
- Validate that monitoring systems capture all required event types per NIST SP 800-92 log management guidelines.
- Prepare for external audits by producing evidence of log retention, access controls, and alert response times.
- Redact personally identifiable information from dashboards shared with non-security stakeholders.
- Document exceptions for systems excluded from monitoring due to technical or operational constraints.
Module 8: Performance Optimization and System Maintenance
- Monitor indexer performance in the SIEM and rebalance data loads across nodes during peak ingestion periods.
- Rotate and archive old indices using ILM policies to maintain query performance without data loss.
- Update parser configurations after firmware upgrades on network devices that change log formats.
- Schedule maintenance windows for sensor software updates to avoid gaps in coverage.
- Conduct capacity planning exercises based on projected growth in endpoints and cloud workloads.
- Validate backup integrity of configuration files for monitoring tools to enable rapid recovery after outages.