CHAPTER-3: SIEM & SOAR - Better Together

Understand the integrated functional requirements for both SIEM and SOAR, so that the majority of event correlation is done and presented to you before you take the next step.

Managing security operations can be daunting and burns out analysts even faster, as security teams must deal with a large volume of alerts, a shortage of skilled analysts, and a lack of integration and automation across tools and processes. This chapter covers the SIEM capabilities that provide the primary correlation of raw data into events, from which the analysts take over each case.

Fortunately, two technologies available on the market right now can help security teams overcome these challenges and improve their security posture: SIEM and SOAR.

What is SIEM?

SIEM stands for Security Information and Event Management. It is a technology that collects, analyzes, and correlates security data from various sources, such as network devices, systems, and applications. SIEM provides real-time visibility into the security status of an organization by detecting anomalies, generating alerts, and supporting compliance and incident management.

SIEM is essential for security monitoring and threat detection, as it provides a centralized view of the security events and incidents across the organization. SIEM can also provide threat intelligence by identifying patterns and trends in security data, and it creates dashboards and reports for easy reference.

What is SOAR?

SOAR stands for Security Orchestration, Automation, and Response. It is a technology that streamlines and automates security operations by integrating data and tools, prioritizing and responding to alerts, and orchestrating workflows and actions. SOAR aims to improve the efficiency and effectiveness of security operations by reducing manual tasks, human errors, and response times.

SOAR is essential for security response and remediation, as it helps security teams manage and resolve security incidents faster and more accurately. SOAR can also provide security automation and orchestration by executing predefined actions and workflows based on triggers and conditions, and by coordinating tasks and resources across different teams and tools.

How SIEM and SOAR Work Better Together

While both SIEM and SOAR are valuable technologies for security operations, they are not mutually exclusive. In fact, they work better together, as they complement each other’s capabilities and functions.

By integrating SIEM and SOAR, security teams can leverage the best of both worlds: SIEM’s powerful data collection and analysis capabilities, and SOAR’s advanced automation and orchestration capabilities.

Some of the benefits of integrating SIEM and SOAR are:

· Faster and more accurate threat detection: SIEM can provide SOAR with rich and relevant security data, which SOAR can use to prioritize and respond to alerts more effectively. SOAR can also enrich SIEM data with additional threat intelligence from external sources and provide feedback to SIEM to improve its detection accuracy and reduce false positives.

· Faster and more effective threat response: SOAR can automate and orchestrate the response actions and workflows based on the alerts generated by SIEM and execute them in a timely and consistent manner. SOAR can also coordinate the response activities across different teams and tools and provide SIEM with the status and outcome of the response actions.

· Improved security performance and productivity: By integrating SIEM and SOAR, security teams can reduce the workload and complexity of security operations and focus on the most critical and strategic tasks. SIEM and SOAR can also provide security teams with comprehensive and actionable insights into security performance and metrics, and help them optimize and improve their security processes and practices.

[Figure: screenshot of a SIEM, IBM Security QRadar SIEM]

SIEM and SOAR - Operational Architecture

The picture below illustrates the operational architecture of SIEM and SOAR as an integrated function (the Visio file is provided in the Job Aids, named “SIEM & SOAR Architecture”).

This is where the big picture comes in, from ingress to egress. As you can see in the picture, the data collectors need to be configured on each device, either by agent or agentless; by default the OS or firmware has its data plane, management plane and console plane pre-configured. If you have an ERP or a similar solution in place, it most likely exposes some kind of API or identifiable services that can be automatically scanned and configured to generate actionable logs, which can then be fed into the combined SIEM and SOAR.

Now that you have configured your data or log shipping to a central repository, you should have a data retention plan: how many days you need to keep the logs, and whether to append to them on a given day or not, because retention will prove to be a serious burden over the longer term. When the SIEM gets its hands on the logs, it starts correlating them, and types of events are grouped together to give a more meaningful insight. As the SIEM starts you will get a burst of events populated; don’t worry, apply the visibility rules for data correlation. Ingestion rules minimize the volume of log correlation; enable or disable particular rules only when required. Do remember to get all documents approved: the moment you have raised something for approval, it is known to the SOC manager and the SOC director, and from that moment on you will no longer be questioned or held accountable for it.

SIEM & SOAR Operational Architecture
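As an added example (not from the book and not any vendor's SIEM code), the Python script below shows the three steps described above over a handful of constructed, already-normalized login events: a retention window applied at ingestion, a set of ingestion/visibility rules that can be enabled or disabled individually, and a correlation pass that groups repeated failed logins per source and user into one higher-level event. The event fields, rule names, the 30-day retention and the 5-failures-in-60-seconds threshold are all assumptions made for the example.

```python
"""Added example: a minimal SIEM-style ingestion and correlation pass.

Stages shown: retention plan -> ingestion/visibility rules -> correlation.
All events, rule names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RETENTION_DAYS = 30  # assumed retention plan, not a vendor default

# Constructed sample events, already normalized by the collectors.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": "2024-05-01T10:00:05", "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": "2024-05-01T10:00:09", "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": "2024-05-01T10:00:12", "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": "2024-05-01T10:00:20", "src": "10.0.0.5", "user": "alice", "action": "login", "result": "fail"},
    {"ts": "2024-05-01T10:00:25", "src": "10.0.0.5", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-05-01T10:01:00", "src": "10.0.0.9", "user": "bob", "action": "login", "result": "success"},
    {"ts": "2024-01-01T08:00:00", "src": "10.0.0.7", "user": "carol", "action": "login", "result": "fail"},  # stale
    {"ts": "2024-05-01T10:02:00", "src": "10.0.0.9", "user": "bob", "action": "heartbeat", "result": "ok"},
]

# Ingestion (visibility) rules: each "keep" predicate retains an event when True.
# Disabling a noisy rule is just flipping "enabled"; detection logic is untouched.
INGESTION_RULES = {
    "drop_heartbeats": {"enabled": True, "keep": lambda e: e["action"] != "heartbeat"},
    "drop_successful_logins": {"enabled": False,
                               "keep": lambda e: not (e["action"] == "login" and e["result"] == "success")},
}


def within_retention(event, now, days=RETENTION_DAYS):
    """True if the event is younger than the retention window."""
    return now - datetime.fromisoformat(event["ts"]) <= timedelta(days=days)


def apply_ingestion_rules(events, rules=INGESTION_RULES):
    """Keep only events that pass every enabled rule."""
    active = [r["keep"] for r in rules.values() if r["enabled"]]
    return [e for e in events if all(keep(e) for keep in active)]


def correlate_failed_logins(events, threshold=5, window_seconds=60):
    """Group login events per (src, user) and emit one correlated event when
    `threshold` failures fall inside `window_seconds`; the name records whether
    a success from the same source followed the failures."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "login":
            by_key[(e["src"], e["user"])].append(e)
    correlated = []
    for (src, user), seq in by_key.items():
        fails = [datetime.fromisoformat(e["ts"]) for e in seq if e["result"] == "fail"]
        successes = [datetime.fromisoformat(e["ts"]) for e in seq if e["result"] == "success"]
        if len(fails) >= threshold and (fails[-1] - fails[0]).total_seconds() <= window_seconds:
            later_success = any(s > fails[-1] for s in successes)
            correlated.append({
                "name": "brute_force_then_success" if later_success else "brute_force",
                "src": src, "user": user, "failures": len(fails),
                "first": fails[0].isoformat(), "last": fails[-1].isoformat(),
            })
    return correlated


def run_pipeline(events=SAMPLE_EVENTS, now=datetime(2024, 5, 1, 12, 0, 0)):
    """Retention -> ingestion rules -> correlation; returns per-stage results
    so the effect of each step stays visible."""
    retained = [e for e in events if within_retention(e, now)]
    ingested = apply_ingestion_rules(retained)
    return {"retained": len(retained), "ingested": len(ingested),
            "correlated": correlate_failed_logins(ingested)}


if __name__ == "__main__":
    print(run_pipeline())
```

Run it directly to see the stage counts and the single correlated event. Keeping ingestion rules separate from the correlation rule is the point: toggling `drop_heartbeats` changes what is stored, not what is detected.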

Afterwards, SIEM and SOAR continuously check the rules for flow analysis and gather information for review, and detection engineering takes place for the notifications. Real-time alerts may fire, or the event goes through alert analysis and policy filtering, depending on whether it is of a known or an unknown kind. Data analysis is finalized by deep investigation, and a managed orchestration takes place within the integrated SIEM and SOAR to produce actionable results: a case is generated with all of the OSINT data, correlations, attack-type mapping, and compliance mapping against the kill chain, with actionable content put together for the analysts to take on a deeper investigation. Playbooks are then initiated for a manual case investigation, and the rollout takes place by type. The identified source and its data can be quarantined in this phase, should it be required. A ticket is generated with a severity class, hash data is reviewed and remediated, and the action API executes KB generation; if a tune-up of the data aggregation is required, it flags the rules for revisiting by the defensive, offensive, forensic and deception automation services.
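The case-generation flow just described, as an added example that is not part of the book: a small SOAR-style workflow in Python that takes a correlated SIEM alert, applies a known/unknown policy filter, enriches it from a constructed OSINT table, maps it to a kill-chain phase and a compliance tag, picks a playbook, decides whether quarantine is warranted, and opens a ticket with a KB entry. The alert types, OSINT entries, playbook names, severity rules and tags are all constructed for illustration; a real SOAR would call its integrations where this code reads dictionaries.

```python
"""Added example: a SOAR-style case workflow for one correlated SIEM alert.
Everything in the lookup tables is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed "known" alert types with their kill-chain phase and compliance tag.
KNOWN_ALERT_TYPES = {
    "brute_force_then_success": {"kill_chain": "Exploitation", "attack": "Credential Access",
                                 "compliance": "access-control-policy"},
    "malware_hash_match": {"kill_chain": "Installation", "attack": "Execution",
                           "compliance": "malware-protection-policy"},
}

# Constructed threat-intel / OSINT lookup, keyed by indicator value.
OSINT = {"10.0.0.5": {"reputation": "malicious", "first_seen": "2024-04-28"}}

# Which playbook handles which alert type (constructed names).
PLAYBOOKS = {
    "brute_force_then_success": "PB-ACCOUNT-COMPROMISE",
    "malware_hash_match": "PB-MALWARE-CONTAINMENT",
    "unknown": "PB-MANUAL-TRIAGE",
}


@dataclass
class Case:
    alert_type: str
    indicator: str
    known: bool
    severity: str
    kill_chain: str
    attack: str
    compliance: str
    osint: dict
    playbook: str
    quarantine: bool
    ticket_id: str
    kb_entry: str
    revisit_rules: bool
    actions: list = field(default_factory=list)


def classify_severity(alert, osint):
    """Severity class from the alert itself plus enrichment (assumed rules)."""
    if alert.get("name") == "malware_hash_match":
        return "critical"
    if osint.get("reputation") == "malicious":
        return "high"
    if alert.get("failures", 0) >= 5:
        return "medium"
    return "low"


def build_case(alert, seq=1):
    """Alert -> policy filter (known/unknown) -> enrichment -> mapping -> playbook -> ticket."""
    name = alert["name"]
    known = name in KNOWN_ALERT_TYPES
    mapping = KNOWN_ALERT_TYPES.get(name, {"kill_chain": "Unmapped", "attack": "Unmapped", "compliance": "n/a"})
    osint = OSINT.get(alert["src"], {"reputation": "unknown"})
    severity = classify_severity(alert, osint)
    playbook = PLAYBOOKS[name] if known else PLAYBOOKS["unknown"]
    # Quarantine only when the source is known-bad and the case is at least high;
    # anything else stays with the analyst's manual playbook steps.
    quarantine = severity in ("high", "critical") and osint.get("reputation") == "malicious"
    actions = ["create_ticket", f"run:{playbook}"]
    if quarantine:
        actions.append(f"isolate_host:{alert['src']}")
    return Case(
        alert_type=name, indicator=alert["src"], known=known, severity=severity,
        kill_chain=mapping["kill_chain"], attack=mapping["attack"], compliance=mapping["compliance"],
        osint=osint, playbook=playbook, quarantine=quarantine,
        ticket_id=f"INC-{seq:05d}",
        kb_entry=f"KB: {name} from {alert['src']} handled by {playbook}",
        revisit_rules=not known,  # unknown alert types flag the rules for a tune-up
        actions=actions,
    )


# Constructed correlated alerts, in the shape a SIEM would hand over.
SAMPLE_ALERTS = [
    {"name": "brute_force_then_success", "src": "10.0.0.5", "user": "alice", "failures": 5},
    {"name": "odd_dns_pattern", "src": "10.0.0.9", "user": "bob"},
]


def process_alerts(alerts=SAMPLE_ALERTS):
    """Build one case per alert; ticket numbers are sequential for the run."""
    return [build_case(a, seq=i + 1) for i, a in enumerate(alerts)]


if __name__ == "__main__":
    for case in process_alerts():
        print(case)
```

The unknown alert deliberately ends up in the manual-triage playbook with `revisit_rules` set, which is the feedback loop from the analyst back to detection engineering.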

Any thoughts on disaster recovery on your SOC?

Since you are going to deploy a SOC, how would you deploy these SOC servers? In standalone mode? You should at least have multiple servers in HA mode, in either OS cluster or service cluster mode. I would recommend the OS cluster mode, with a separate DB cluster as well for faster indexing and R/W requirements. The primary requirement should be that if one of the servers or VMs goes down, it is automatically re-routed to another server as a replica VM, with zero operational effect.

Importance of Required Applications in a Disaster Recovery Plan

A disaster recovery plan is a strategy that helps organizations recover their IT systems and data after a disruptive event, such as a natural disaster, a cyberattack, or a human error. A disaster recovery plan is important because it ensures business continuity, resilience, and compliance. It also reduces the impact of data loss, downtime, and operational disruption, which are core concerns of ERM, BCP & DRP.

This is not the end of the story; there are many design considerations that arise across your requirements, which also define:

1. how data travels to multiple sites

2. network availability and lambda providers for a ring circuit

3. what types of operating systems need data replication

4. whether the software is aware of the replication stages, so that integration and replication movement is smooth, steady and synchronous, with witness servers in place to ensure a steady heartbeat

5. live data, data at rest, and geo-located data replication and restoral services

6. SDN capabilities that can prioritize policy-based data transmission requirements

7. lastly, security considerations

These points need to be understood thoroughly and laid out within your infrastructure and readiness.

Some of the benefits of having a disaster recovery plan are:

· Faster recovery time: A disaster recovery plan outlines the steps and procedures to restore critical systems, applications, and data as quickly as possible after a disaster. This minimizes the duration and severity of business interruption and customer dissatisfaction.

· Reduced data loss: A disaster recovery plan includes backup and restore solutions that protect data from being corrupted, deleted, or stolen during a disaster. This prevents data breaches, legal liabilities, and reputational damage.

· Enhanced resilience: A disaster recovery plan prepares organizations for various types of disasters and scenarios, enabling them to adapt and respond effectively. This improves the ability to cope with uncertainty and change, and reduces the risk of failure.

· Improved compliance: A disaster recovery plan helps organizations meet the regulatory and industry standards for data protection and security. This avoids penalties, fines, and audits, and demonstrates the commitment to operational reliability and customer service.

Some of the applications that are associated with a disaster recovery plan are:

· Backup and restore solutions: These are tools that create copies of data and store them in a secure location, such as the cloud, a remote server, or a physical device. They allow organizations to retrieve and recover data in case of data loss or corruption.

· Replication and synchronization solutions: These are tools that create duplicates of data and systems and keep them updated across different locations, such as the primary and secondary sites. They allow organizations to switch to the backup site in case of a disaster or outage at the primary site.

· Monitoring and testing solutions: These are tools that track the performance and availability of systems and data, and alert organizations of any issues or anomalies. They also allow organizations to test and validate their disaster recovery plan regularly and ensure its effectiveness and readiness.

Hot, Cold and Warm Sites

Disaster recovery sites are locations where a business can resume its operations after a disaster. There are three types of disaster recovery sites:

· Hot site: A location where the target environment is already up and running and can be immediately activated by a failover. This is the most expensive and reliable option.

· Cold site: A location where the target environment needs to be activated once a recovery process is initiated. This is the cheapest and least reliable option.

· Warm site: A location where the target environment has some components installed and configured, but not fully operational. This is a middle ground between hot and cold sites.

Consider your desired Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs):

· RTO: Time from disaster occurrence to system functionality.

· RPO: How far back in time data can be restored without affecting business continuity.

Assess your budget, criticality of data, and acceptable downtime to make an informed decision.
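As an added example (not from the book), the Python below measures an actual recovery exercise against the RTO and RPO you set, and maps an RTO budget to the site types above. The backup timestamps, the disaster time, the objective values and the hour thresholds in `site_type_for` are assumptions for the example, not a standard.

```python
"""Added example: checking a recovery exercise against RTO and RPO.
Timestamps, objectives and the site-type thresholds are constructed."""
from datetime import datetime


def evaluate_recovery(backups, disaster_at, restored_at, rto_hours, rpo_hours):
    """backups: ISO timestamps of completed backups.
    Achieved RPO = age of the newest backup completed before the disaster
    (the data you can lose). Achieved RTO = disaster -> service functional."""
    d = datetime.fromisoformat(disaster_at)
    r = datetime.fromisoformat(restored_at)
    usable = [b for b in map(datetime.fromisoformat, backups) if b <= d]
    if not usable:
        # Edge case: nothing to restore from; say so instead of reporting a number.
        raise ValueError("no backup completed before the disaster; data loss is unbounded")
    loss_h = (d - max(usable)).total_seconds() / 3600
    down_h = (r - d).total_seconds() / 3600
    return {"rpo_hours_achieved": round(loss_h, 2), "rpo_met": loss_h <= rpo_hours,
            "rto_hours_achieved": round(down_h, 2), "rto_met": down_h <= rto_hours}


def site_type_for(rto_hours):
    """Assumed mapping from an RTO budget to the site types described above."""
    if rto_hours <= 1:
        return "hot"
    if rto_hours <= 24:
        return "warm"
    return "cold"


# Constructed exercise: 6-hourly backups, disaster at 15:30, service back at 19:00.
SAMPLE_BACKUPS = ["2024-05-01T00:00:00", "2024-05-01T06:00:00",
                  "2024-05-01T12:00:00", "2024-05-01T18:00:00"]


def sample_exercise(rto_hours=4, rpo_hours=4):
    """Evaluate the constructed exercise against the given objectives."""
    return evaluate_recovery(SAMPLE_BACKUPS, "2024-05-01T15:30:00",
                             "2024-05-01T19:00:00", rto_hours, rpo_hours)


if __name__ == "__main__":
    print(sample_exercise())          # both objectives met at 4h/4h
    print(sample_exercise(rpo_hours=2))  # 6-hourly backups cannot meet a 2h RPO
    print(site_type_for(4))
```

The second call is the useful one for budgeting: a backup cadence of 6 hours can never satisfy a 2-hour RPO, whatever the site type, so the RPO drives the replication design before the site choice does.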

Benefits of a Functional Security Operations Center (SOC)

A SOC provides numerous benefits to an organization; some of them are listed below:

Source: Typical SOC Workflow and How DSM Fits in (Author's Diagram) | Download Scientific Diagram (researchgate.net)

Security Information and Event Management (SIEM) is a security solution that helps organizations recognize and address potential security threats and vulnerabilities before they have a chance to disrupt business operations. SIEM systems help enterprise security teams detect user behavior anomalies and use artificial intelligence (AI) to automate many of the manual processes associated with threat detection and incident response (not every SIEM has this yet, but within a year they will have automated services as well). The primary functions of a SIEM solution are to aggregate, normalize, and correlate security events to provide a holistic view of all the activities that happen in an IT infrastructure. It ingests event data from a wide range of sources (firewalls, routers, switches, endpoints, printers (a printer has an HDD in it and does not wipe its contents automatically, as it saves the files being printed!), servers, applications, other Internet of Things (IoT) sensors, etc.) across an organization’s entire IT infrastructure, including on-premises and cloud environments.

SIEM systems also integrate with third-party threat intelligence feeds to correlate their internal security data against previously recognized threat signatures and profiles. This integration enables teams to block or detect new types of attack signatures. SIEM systems categorize events and map them to a standard, then generate or invoke an incident ticket for the analyst to investigate the severity and take appropriate measures to remedy the event.
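An added example of the aggregate-normalize-correlate step and the threat-intelligence matching described in the two paragraphs above; this is not the book's code nor any product's. It parses three constructed log formats (a BSD-style firewall syslog line, an endpoint JSON event, and a key=value proxy line) onto one schema, assigns each event a category, and matches IPs and file hashes against a constructed feed, opening a ticket for each hit. Hosts, IPs, the hash and the feed labels are made up; the syslog timestamp carries no year, so the script assumes one, which is a real pitfall of that format.

```python
"""Added example: normalize three constructed log formats onto one schema,
categorize each event, and match indicators against a constructed TI feed."""
import json
import re
from datetime import datetime

ASSUMED_YEAR = 2024  # BSD-style syslog timestamps carry no year; assumed here

# Constructed raw lines (not real device output): firewall syslog, endpoint JSON, proxy key=value.
RAW_LINES = [
    "May  1 10:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445",
    '{"timestamp":"2024-05-01T10:00:03","host":"wks-17","user":"alice",'
    '"process":"update.exe","sha256":"' + "a1" * 32 + '","event":"process_start"}',
    "ts=2024-05-01T10:00:05 user=bob dst=198.51.100.9 url=http://example.invalid/login action=allow",
]

# Constructed threat-intelligence feed keyed by indicator type.
TI_FEED = {
    "ip": {"203.0.113.7": "scanner"},
    "sha256": {"a1" * 32: "known_malware"},
}

FW_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) kernel: "
                   r"(?P<verdict>\w+) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+).*DPT=(?P<dpt>\d+)")


def empty_event(source_type):
    """The common schema every source is mapped onto."""
    return {"ts": None, "source_type": source_type, "host": None, "src_ip": None,
            "dst_ip": None, "user": None, "action": None, "sha256": None, "category": None}


def normalize(line):
    """Detect the format and map the line onto the common schema."""
    if line.startswith("{"):
        d = json.loads(line)
        e = empty_event("endpoint")
        e.update(ts=d["timestamp"], host=d["host"], user=d["user"], action=d["event"],
                 sha256=d.get("sha256"), category="endpoint.process")
        return e
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        e = empty_event("firewall")
        e.update(ts=ts.isoformat(), host=m["host"], src_ip=m["src"], dst_ip=m["dst"],
                 action=m["verdict"].lower(),
                 category="network.blocked" if m["verdict"] == "DROP" else "network.allowed")
        return e
    if "=" in line:
        kv = dict(tok.split("=", 1) for tok in line.split())
        e = empty_event("proxy")
        e.update(ts=kv.get("ts"), user=kv.get("user"), dst_ip=kv.get("dst"),
                 action=kv.get("action"), category="web.access")
        return e
    raise ValueError(f"unrecognized log format: {line[:40]!r}")


def normalize_all(lines=RAW_LINES):
    return [normalize(line) for line in lines]


def enrich(events, feed=TI_FEED):
    """Attach a `ti_match` label when an IP or hash in the event is in the feed."""
    out = []
    for e in events:
        match = None
        for ip in (e["src_ip"], e["dst_ip"]):
            if ip in feed["ip"]:
                match = feed["ip"][ip]
        if e["sha256"] in feed["sha256"]:
            match = feed["sha256"][e["sha256"]]
        out.append(dict(e, ti_match=match))
    return out


def tickets(events):
    """One ticket per TI-matched event, for the analyst queue."""
    return [{"category": e["category"], "indicator": e["src_ip"] or e["sha256"],
             "label": e["ti_match"], "ts": e["ts"]} for e in events if e["ti_match"]]


if __name__ == "__main__":
    for t in tickets(enrich(normalize_all())):
        print(t)
```

The proxy event is normalized but not ticketed, which is the intended outcome: normalization puts every source on one schema so that a later rule can correlate it, while only the feed hits reach the analyst.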

As a company expands, so do its infrastructure and capacity. This includes routers, switches, physical servers, applications, gateways, and payment processing systems, which grow exponentially. As a result, you should expect numerous exposed ports, IP addresses, and access systems that require fine-tuning. In most cases, you will want to minimize the attack surface to mitigate risk. SOC analysts are there to inform you of any visible attack scopes so you can take appropriate measures; some of the benefits are:

1. Continuous Network Monitoring: Cybercriminals operate round the clock, often performing their attacks after hours or on weekends to maximize their probability of success. A SOC provides 24/7 monitoring of the organization’s IT infrastructure and data, ensuring that security analysts and incident responders are always available.

2. Centralized Visibility: With the growth of digital transformation initiatives, enterprise networks are becoming more complex. A SOC provides centralized visibility into the network infrastructure and potential attack vectors, enabling an organization to effectively secure a diverse network.

3. Reduced Cybersecurity Costs: Maintaining strong corporate cybersecurity can be expensive due to the need for multiple platforms and licenses and, obviously, the cost of skilled manpower. A centralized SOC enables an organization to reduce these costs by sharing them across the entire organization.

4. Better Collaboration: A SOC fosters better collaboration among security professionals, enabling a more coordinated and efficient incident response process.

5. Faster Threat Detection and Response: By using a combination of manual and automated tools, a SOC can more quickly detect and respond to security threats.

6. Proactive Defense: A SOC provides proactive defense against incidents and intrusions, improving security incident detection and reducing incident response times.

24/7 Staffing Requirements for the CSOC Monitoring

A 24/7 Cybersecurity Operations Center (CSOC) requires a well-structured team of security professionals to ensure continuous monitoring and response to security threats. Here are the key roles typically required:

· CSOC Manager/Director: This is the person in charge of the entire operation. They oversee the SOC’s activities, manage the team, and make critical decisions.

· Security Analysts: These are the frontline workers in a CSOC. They monitor security events, analyze alerts, and investigate security incidents. Security analysts are often divided into tiers (Tier 1, Tier 2, etc.) based on their expertise and responsibilities.

· Incident Responders: They are responsible for managing and responding to security incidents.

· Threat Intelligence Analysts: These analysts gather and analyze information about emerging threats to help the organization stay ahead of potential attacks.

· Security Engineers: They are responsible for maintaining and improving the SOC’s security infrastructure.

The exact staffing requirements vary depending on the size and needs of your organization. It is also important to note that staffing a CSOC is not just about the number of personnel, but also about their skills, training, and the tools they have at their disposal; you should have at least n+1 on the critical roles. You should have rotating personnel, on-call status, and load balancing with a minimal set of analysts, scaling that based on log ingestion.

So, You Want to be a CISO?

So, you should, and let me tell you why. If you are learning your trade in the developing discipline of computing environments, you should know the path: what to do, where to go, and which job aids will provide you the necessary tools and learning to reach your goal, so plan early as well. As you can understand, this is not going to happen overnight, and your “Want” and your “Need” for this will fuel your journey according to how badly you want it. Do remember, if you are not doing it, someone else will, and each step you take today becomes the knowledge base and experience that supports you tomorrow. Do spend more than a dollar on yourself and make a monthly plan according to your ability; later on, you will find that this hard-earned knowledge is invaluable and pays off throughout your life.

Here is some domain knowledge a CISO should have, even if you started out as a PC builder, gradually began integrating networks across the region, and then BAM! You are now in the ocean of information that needs protection services to protect the data. In the future, you should also be able to derive server specifications and develop a BoQ accordingly, along with the network devices.

This picture is derived from Rafeeq Rehman’s CISO mind map, as represented by Cobalt.io:

1. Rafeeq Rehman’s CISO MindMap: CISO MindMap 2023: What do InfoSec Professionals Really do? (Rafeeq Rehman | Cyber | Automation | Digital)

2. Cobalt.io: ciso mindmap - Search Images (bing.com)

3. SANS CISO Mindmap: download (sans.org)

The above illustration clearly defines the responsibilities of a CISO, but somehow he/she reports to the CIO. Maybe I am wrong, but my understanding is that all of the roles of a CIO (network architect, infrastructure background) and CTO (software architect, comes from a developer background) also fall into the CISO role.

In most cases, the technology team is seen as a cost center, whether or not the team is developing or producing sellable products, while developing, implementing, and supporting the whole infrastructure; the historical journey is taught that way, and to this day the management team’s and CEO’s perceived understanding is still smirking in their brains.

My thought: other than the technology personnel, sales & marketing, finance, and distribution channels are all cost centers, as you are paying them a hefty salary (a lesser salary for the tech guys, from whom you are asking to deliver a world for the company, and whom you lay off whenever the financial calculation says it’s better to have one senior guy and lay off four, and there will be a salary saving for the organization!), plus incentives to sell your product (that was created by the technical folks)… that’s how things are, but these perspectives are changing. And yes, we are poor by nature, and our extreme capabilities are not intentionally heard by the management at all.

Source: unknown

As we are going to dig deep into how the SOC is formulated and how effectively it is going to help us secure the organizational aspects of data, access and assets, one thing that tops all aspects is the mindset of the personnel who will be engaged in SOC operations. Do follow these tips:

1. Ethics rules the game.

2. Document, document and document; lastly, document everything that needs a lineup: layout, processes, functions, roles, activities, tasks. Reminder: skill requirements and daily activities are two different things, which never line up and are not mentioned in the JD that you accepted; now things are changing, but slowly, so ask for your daily activity list from HR or from your line manager.

3. Do not take in any rockstar; they tend to deviate from the goal and affect all the surrounding personnel and their activities, even causing a mind shift. Look for an activated brain instead: juniors are the best, so mix different types of blood who can be taught without any reservation, but do remember that the seniors are the ones playing the mentor role.

4. Rules, processes, functions and activities apply to everyone, no exceptions. If the CxOs think that these rules don’t apply to them, then make them accountable for such workarounds.

5. Every level of activity needs to be precise; a workflow must be in place for L1, L2, L3. Tabletop exercises go a long way: engrave these processes into the engineers, always fine-tune your activities, lower the engagement per event, known or unknown, and reduce analyst burnout.

People will grow to become L2 and L3; let them grow. They are human beings, and they have all the problems of life just like you. Feed them knowledge of how they can become their best selves. Give them ways to grow, and do remember: salary is never equal to your effort; your knowledge is.

Dunning-Kruger Effect – The Imposter Syndrome

The Dunning-Kruger effect is a type of cognitive bias in which people believe they are smarter and more capable than they are. Essentially, low-ability people do not possess the skills needed to recognize their own incompetence. The combination of poor self-awareness and low cognitive ability leads them to overestimate their capabilities. Incompetent people, the researchers suggested, were not only poor performers but were also unable to accurately assess and recognize the quality of their work. This effect can have a profound impact on what people believe, the decisions they make, and the actions they take.

Another contributing factor is that sometimes a tiny bit of knowledge on a subject can lead people to mistakenly believe that they know all there is to know about it. As the old saying goes, a little bit of knowledge can be a dangerous thing.

Some effects:

· Overestimate their skill levels.

· Fail to recognize the genuine skill and expertise of other people.

· Fail to recognize their own mistakes and lack of skill.

Dunning-Kruger Effect vs. Imposter Syndrome: So, if the incompetent tends to think they are experts, what do genuine experts think of their own abilities? Dunning and Kruger found that those at the high end of the competence spectrum did hold more realistic views of their own knowledge and capabilities. However, these experts tended to underestimate their own abilities relative to how others did.

I really hope that these kinds of personalities are absent in the security industry, as learning from them will prove to be hazardous. The best action is to stay away from them. I have observed some individuals who are somehow attached to the technical team, learned some scenarios and some acronyms, and started lecturing about things they are unaware of! Do stay away from such characters, and if you are in a position to hire someone, do skip them; identify them early, and you should be a better judge of character when selecting your teammates.

Attack Surface Management (ASM)

As business requirements expand, and wherever your solution resides, either in a colocated datacenter or in the cloud, the ever-growing need for security is endless. The application platform and its portals for different OUs, access to those portals, networked devices, endpoints, servers, firewalls, routers, switches, load balancers etc. all need benchmarked configurations in place, which in turn need regular assessment to check for vulnerabilities. Patches keep landing, and undoubtedly every patch calls for a recalibration of configurations, as it enables more features; a re-assessment is required to know whether the patch is enabling something unwanted or unaccounted for. A separate ASM team regularly performs these operations to gain visibility on the mentioned devices, since it is critical for the detection team to mitigate the increasing risks, and this function also reduces SIEM notifications in the first place, which are otherwise a burden for the SOC analysts. The ASM team’s primary function is to identify vulnerabilities and notify the security operations team, so they can work with either enterprise affiliates to decommission servers or security affiliates to retire legacy systems that expose increased vulnerabilities and are simply unpatchable. Decommissioning of those devices is undertaken by a different team, the owner or the custodian. Use cases of the ASM team (Source: SANS Webcast “Evaluating Attack Surface Management”, 116765, by Pierre Lidome):

· Identifying external gaps in visibility.

· Discovering unknown assets and shadow IT.

· Attack surface risk management.

· Risk-based vulnerability prioritization.

· Assessing M&A and subsidiary risk.

Operational workflow of the ASM Team

Source: SANS
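An added example (not from the book or the SANS webcast) of the ASM team's reconciliation step: the Python below compares externally discovered assets against a CMDB to surface unknown assets (shadow IT), end-of-life systems that are still exposed, services that were never approved, and CMDB entries that discovery did not see (a visibility gap), and routes each finding to the party that has to act. Hosts, IPs, ports and CMDB records are constructed; the `route_to` strings are illustrative labels, not a ticketing integration.

```python
"""Added example: reconcile externally discovered assets against the CMDB,
the way an ASM team surfaces shadow IT, exposed EoL systems and unapproved
services for the owning team to act on. All data is constructed."""

# Constructed external discovery results (what a scan of your own ranges returned).
DISCOVERED = [
    {"host": "www.example.invalid", "ip": "203.0.113.10", "ports": [443]},
    {"host": "old-vpn.example.invalid", "ip": "203.0.113.11", "ports": [443, 22]},
    {"host": "dev-test.example.invalid", "ip": "203.0.113.55", "ports": [8080, 3389]},
]

# Constructed CMDB: what the organization believes it owns and has approved.
CMDB = {
    "203.0.113.10": {"owner": "web-team", "eol": False, "approved_ports": [443]},
    "203.0.113.11": {"owner": "net-team", "eol": True, "approved_ports": [443]},
    "203.0.113.12": {"owner": "mail-team", "eol": False, "approved_ports": [25, 443]},
}

# Assumed severity ranking used only to order the findings.
SEVERITY = {"shadow_it": 3, "eol_exposed": 3, "unapproved_port": 2, "visibility_gap": 1}


def finding(asset_ip, host, ftype, route_to, detail):
    return {"ip": asset_ip, "host": host, "type": ftype, "route_to": route_to, "detail": detail}


def reconcile(discovered=DISCOVERED, cmdb=CMDB):
    """Compare discovered assets with the inventory; return findings routed
    to whoever must act (custodian, owner, or the ASM team itself)."""
    findings = []
    for asset in discovered:
        record = cmdb.get(asset["ip"])
        if record is None:
            findings.append(finding(asset["ip"], asset["host"], "shadow_it",
                                    "enterprise-affiliates: identify custodian",
                                    f"not in CMDB, ports {asset['ports']}"))
            continue
        if record["eol"]:
            findings.append(finding(asset["ip"], asset["host"], "eol_exposed",
                                    f"{record['owner']}: retire/decommission (unpatchable)",
                                    "end-of-life system exposed externally"))
        extra = sorted(set(asset["ports"]) - set(record["approved_ports"]))
        if extra:
            findings.append(finding(asset["ip"], asset["host"], "unapproved_port",
                                    f"{record['owner']}: close or approve",
                                    f"unapproved ports {extra}"))
    # CMDB entries that discovery never saw are a visibility gap, not a clean bill of health.
    for ip in sorted(set(cmdb) - {a["ip"] for a in discovered}):
        findings.append(finding(ip, None, "visibility_gap",
                                "asm-team: confirm asset is down or scan scope is wrong",
                                "in CMDB but not discovered"))
    return sorted(findings, key=lambda f: -SEVERITY[f["type"]])


def summary(findings):
    """Count findings per type, for the weekly ASM report."""
    counts = {}
    for f in findings:
        counts[f["type"]] = counts.get(f["type"], 0) + 1
    return counts


if __name__ == "__main__":
    result = reconcile()
    for f in result:
        print(f["type"], f["ip"], "->", f["route_to"])
    print(summary(result))
```

The host that is in the CMDB but absent from discovery is listed on purpose: a reconciliation that only reports extra assets tells you nothing about scan coverage, and the first use case in the list above is exactly that gap.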

Implement Risk Based Vulnerability Management

Vulnerability management is not just about fixing systems and applications. It involves a comprehensive process that covers patching, alternative controls, network design, isolation, and enhanced security monitoring.

Technology is constantly evolving, and so are the vulnerabilities; it is a never-ending journey. Trying to eliminate them all will take up all of your department’s time and resources, and your efforts will soon become outdated as new vulnerabilities emerge. What’s more, some systems are simply unpatchable (old systems that simply do not have the latest firmware or the capability within the hardware and the OS, as they have gone EoL).

The key is to assess the vulnerabilities and the risks they pose to your organization, to prioritize wisely, and to look for other solutions besides patching. A risk-based approach to vulnerability management will help you focus on the most important issues and safeguard the business, minimizing the potential risk exposure. The following outline can help you formulate the requirements:

Initiate and describe the project by creating a vulnerability management team, and determine how vulnerabilities will be identified: through scanners, penetration tests, third-party sources, incidents that have already taken place or that you know of, or the potential exposure of assets. It may sound simple to address, but the insights can be:

a. Develop an SOP for vulnerability assessment & penetration testing.

   i. Vulnerability tracking.

   ii. Vulnerability risk assessment.

   iii. Vulnerability workflow.

   iv. Vulnerability management policy.

b. Identify vulnerability sources.

c. Triage vulnerabilities and assign priorities.

d. Remediate vulnerabilities.

e. Measure and formalize.

In a landscape where cyber threats have become very common, traditional vulnerability management may fall short of addressing the most critical risks in the organization. Adopting a risk-based approach allows us to prioritize vulnerabilities based on their potential impact, enabling us to allocate resources efficiently and effectively.

Key Components of Risk-based Vulnerability Management

  1. Risk Assessment: Conduct thorough risk assessments to evaluate vulnerabilities in the context of your specific environment, business processes, and critical assets.
  2. Prioritization: Prioritize vulnerabilities based on the risk they pose, considering factors like exploitability, potential impact on operations, and the value of the affected devices.
  3. Continuous Monitoring: Establish a continuous monitoring system to keep track of emerging threats and promptly respond to new vulnerabilities that may arise.
  4. Mitigation Strategies: Implement effective mitigation strategies that address identified vulnerabilities, whether through patches or other proactive measures.

By embracing risk-based vulnerability management, you can enhance your cybersecurity and minimize the impact of security threats.
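As an added example (not from the book), the Python below carries the risk-based approach through for a few constructed findings: a risk score that combines technical severity (a CVSS-style base score), business context (asset criticality and exposure) and threat context (whether a public exploit exists), a priority band with an SLA, and an action that patches where possible and falls back to compensating controls for unpatchable systems. The weights, thresholds, SLAs and findings are assumptions; the scores are illustrative and refer to no real CVE.

```python
"""Added example: risk-based prioritization of vulnerability findings.
Weights, thresholds, SLAs and the findings themselves are constructed."""

# Constructed findings from scanners / pentests / incidents, on one schema.
FINDINGS = [
    {"id": "F-1", "asset": "payment-api", "cvss": 9.8, "exploit_public": True,
     "exposure": "internet", "criticality": 5, "patchable": True},
    {"id": "F-2", "asset": "hr-portal", "cvss": 7.5, "exploit_public": False,
     "exposure": "internal", "criticality": 3, "patchable": True},
    {"id": "F-3", "asset": "plc-gateway", "cvss": 8.1, "exploit_public": True,
     "exposure": "internal", "criticality": 5, "patchable": False},
    {"id": "F-4", "asset": "intranet-wiki", "cvss": 5.3, "exploit_public": False,
     "exposure": "internal", "criticality": 1, "patchable": True},
]

EXPOSURE_WEIGHT = {"internet": 1.0, "dmz": 0.8, "internal": 0.5}  # assumed
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}                # assumed


def risk_score(f):
    """Risk = technical severity x business context x threat context, scaled 0-100."""
    base = f["cvss"] / 10.0                                      # technical severity
    context = f["criticality"] / 5.0 * EXPOSURE_WEIGHT[f["exposure"]]  # business context
    threat = 1.0 if f["exploit_public"] else 0.6                 # threat context
    return round(100 * base * context * threat, 1)


def priority(score):
    """Priority band from the score (assumed cut-offs)."""
    if score >= 60:
        return "P1"
    if score >= 30:
        return "P2"
    if score >= 10:
        return "P3"
    return "P4"


def plan_action(f, prio):
    """Patch when possible; otherwise compensating controls with a review date,
    so an unpatchable system is never silently 'accepted'."""
    if f["patchable"]:
        return f"patch within {SLA_DAYS[prio]} days"
    controls = ["network isolation", "enhanced monitoring rule"]
    if f["exposure"] == "internet":
        controls.insert(0, "remove from internet exposure")
    return "compensating controls: " + ", ".join(controls) + f" (review in {SLA_DAYS[prio]} days)"


def triage(findings=FINDINGS):
    """Score, band and plan every finding; highest risk first."""
    rows = []
    for f in findings:
        s = risk_score(f)
        p = priority(s)
        rows.append({"id": f["id"], "asset": f["asset"], "score": s,
                     "priority": p, "action": plan_action(f, p)})
    return sorted(rows, key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in triage():
        print(f"{row['priority']} {row['score']:5.1f} {row['id']} {row['asset']}: {row['action']}")
```

Note how the unpatchable PLC gateway (F-3) outranks the patchable HR portal (F-2) despite a lower CVSS-style score: the public exploit and the asset's criticality carry it into P2, and the plan for it is isolation plus monitoring rather than a patch that cannot happen.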

Cybersecurity Reference Architecture by Microsoft

Reference architectures are crucial since they form the foundation for all systems and integrations. As the saying goes, ‘If you think good architecture is expensive, try bad architecture.’ We want to avoid bad architecture since it can lead to significant costs over time and cause the organization to suffer. It’s important to correct and avoid deploying unconventional methods that may be hazardous.

Source: Microsoft Cybersecurity Reference Architectures (MCRA) - Security documentation | Microsoft Learn

A reference architecture provides a detailed description of a company’s mission, vision, and strategy. It helps to establish a shared understanding across multiple products, organizations, and disciplines about the current architecture and the future direction. Reference architectures are important because they standardize language and organizational context, making it easier to solve problems by implementing clear guidelines. They also provide resources for designing IT architecture, teams, and solution requirements.

If you have built out a SOC where the infrastructure architecture is out of balance, fix those problems first, please. You will go nowhere with those problems attached to your SOC like a dog’s tail. Some infrastructure assessment job aids are shared; you can find the link at the bottom of the book.

______________________________________________________________________________________

FREE eBook - 476 Pages

Complete Guide to Cyber Security Operation Center

I’ve recently completed a book on SOC, a project close to my heart, that delves into the exciting realm of Security Automation, Orchestration, and Hyper-automation platforms in the SOC. If you’ve ever found yourself overwhelmed by the multitude of cybersecurity solutions, this post is designed to be your personal guide to developing a fully functional SOC. This eBook comes with plenty of examples and illustrations to help you understand complex concepts, from data collection requirements to incident response, automations, playbooks, and integration requirements under the scope of IT, IS and Cybersecurity.

A big shout out to Brad Voris for his review of the book, his insights made this book even richer.

Knowledge Areas Covered

· Enterprise architecture strategy to better formulate your SOC.

· Visibility & data ingress requirements for your SOC.

· SOC functions, KPI’s, processes, frameworks, and automation requirements.

· Derive your Analyst-JD aligned to international frameworks.

· SOC organogram with Red, Blue, Purple team’s maturity, tactics, functions, activities.

· SIEM & SOAR architecture design guidelines to achieve more from these integrations.

· Detection engineering with OSINT, CTEM.

· Incident response with CSIRT, DFIR.

· Tabletop exercises explained and operationalized.

· Artificial Intelligence & Data Science in SOC.

· How to develop your Open-source based SOC; full hardware BoQ and Network Design are provided.

· Bonus Chapters: IT Project Management, VA/PT Plan, ITIL Strategy Frameworks, Jurisdiction Assignment Matrix etc.

Download the eBook

Download this eBook (pdf): https://lnkd.in/gTRnhmPp

DM me for the DOCX version of the book.

Join Discord: Please DM me on LinkedIn, I will send you the link to join.

1000+ Job aids – download extra documentation.

60 Body of Knowledge (BoK) links.

1500+ curated list of VA/PT tools as job aids.

200+ References to support your SOC operations even further.

Download all the available documents from here: https://lnkd.in/eNNUm9XW

Download Job Aids: https://lnkd.in/gCKq6R-D

If you find it useful and informative, please share/repost the book with your network.

#infosec #cyber #cybersec #cybersecurity #informationsecurity #enterprisearchitect #cybersecurityarchitect #csoc #soc #security #securityoperationcenter #securityoperations #blueteam #redteam #purpleteam #siem #soar #c2 #noc #threatintelligence #stride #iso27001 #cref #mitre #securityanalyst #eql #sigmarules #securitytriage #threathunting #detection #detectionengineering #cti #incidentresponse #ttp #ioc #playbook #runbook #osint #soc #csoc #csirt #dfir #ctem #cspm #tabletop #cognitivebias #opensourcesoc #vulnerabilityassessment #penetrationtesting #forensic #blackbox #greybox #whitebox #datascience #technology #siem #soar #bgdegovcirt #independentuniversity #artificialintelligence #governance #strategy

Emeric Marc

I help companies resuscitate dead leads and sell using AI #copywriting #emailmarketing #coldemail #content #databasereactivation

7 months

Great insights on the synergy between SIEM and SOAR. Looking forward to learning more.

Shajel Shah Qureshi

Head Carrier Relations & Telecom Infrastructure procurement EMEA Region and South East Asia, Colt Technology Services

7 months

I’m waiting to have a copy
