SANS MGT551 Course

SANS MGT551 Course - Building and Leading a SOC

Information technology is so woven into the fabric of modern business that cyber risk has become business risk. To help manage these risks, SOC teams are under more pressure than ever to detect and respond to threats across a set of infrastructure, business processes, and users. In addition, SOC managers are in the unique position of having to bridge the gap between business processes and the highly technical work carried out in the SOC. Participants in the SANS MGT551 course will learn how to design their defenses based on their organization's unique requirements and risk profile. The course gives you the tools to design and implement an information-protection-based defense and to develop more advanced processes such as threat hunting, active defense, and continuous SOC assessment.

Managing a security operations center requires a unique combination of technical knowledge, management skills, and leadership ability. The SANS MGT551 course fills the gaps by providing the technical tools to build an effective defense and the management tools to build an effective team. Whether you want to build a new SOC or take your current team to the next level, MGT551 strengthens your people, tools, and processes.

SANS MGT551 Course Outline

The SANS MGT551 course outline is designed and delivered based on the outline provided by SANS. While the course focuses on managing and leading the SOC team, it is by no means limited to theory; through hands-on exercises it aims to create a realistic environment for a deep understanding of the material. Note also that, since Lian Academy's main goal is to prepare students for the job market, the outline may change at the instructor's discretion.

Overview

MGT551 starts with the critical elements necessary to build your Security Operations Center: understanding your enemies, planning your requirements, making a physical space, building your team, and deploying a core toolset. Throughout this course section, students will learn how to build a strong foundation upon which a SOC can operate, focusing first on the most important users and data, and tailoring defense plans to the threats most likely to impact your organization. Through workflow optimization, information organization, and data collection, you will learn how to ensure that your security operations hit the ground running as efficiently as possible while protecting privileged SOC users and data. Exercises show how to implement these concepts through threat group and asset profiling, mapping likely attack paths into your environment, and implementing use cases and repeatable playbooks to identify the threats and attack vectors you have identified.

Exercises

  • Threat actor assessment
  • Attack path development
  • Developing and implementing SOC playbooks

Topics

Introduction

  • What we are up against/industry surveys
  • The average SOC
  • What top-performing SOCs have in common
  • SOC trends
  • Class goals

SOC Functions

  • High-level SOC diagram
  • SOC functions
  • Core activities
  • Auxiliary functions

SOC Planning

  • Do you need a dedicated internal SOC?
  • What is and what is not a SOC?
  • Mission and purpose
  • Requirements
  • Standards and frameworks
  • Policies
  • Roles
  • Staffing levels
  • Constituency
  • Steering committee
  • Services/Capabilities
  • Charter

Team Creation, Hiring, and Training

  • Organizational charts
  • Choosing a tiered vs. tierless SOC
  • Building a dream team
  • Interviewing tips and techniques
  • Interviewing mistakes and avoiding bias
  • Training plans

Building the SOC

  • Physical space
  • Analyst/SOC IT considerations
  • Protecting SOC data

SOC Tools and Technology

  • Foundational network and endpoint collection and detection technologies
  • "Next-gen" must-have capabilities
  • Advanced detection technologies
  • Analyst core toolset
  • Live response tools
  • Playbooks and SOAR
  • Planning tools and frameworks

SOC Enclave and Networking

  • Requirements for SOC connectivity
  • Protecting SOC Data
  • SOC networking
  • SOC data flow

Overview

Section 2 of MGT551 focuses on expanding our understanding of attacker tactics, techniques, and procedures and how we might identify them in our environment. We will discuss defensive theory and mental models that can guide our assessment and planning efforts, data collection and monitoring priorities, and cyber threat intelligence collection. We will also cover more specialized security monitoring use cases like DevOps, supply chain, insider threat, and business e-mail compromise. Exercises include using the MITRE ATT&CK framework to plan security data collection and writing solid threat intelligence requirements for relevant, timely information that answers your most pressing defensive questions.

Exercises

  • Attack Tree Assessment
  • Visualizing Attack Techniques and Security Controls
  • Writing Priority Intelligence Requirements

Topics

Cyber Defense Theory and Mental Models

  • Ops Tempo and the OODA Loop
  • Threat modeling
  • MITRE ATT&CK/Kill Chain
  • Threat Intel - F3EAD
  • Pyramid of pain and analytic types
  • The SOC as an "infinite game"

Prevention and the Future of Security

  • Defensible network architecture
  • Hardening at the network and host level
  • Zero trust best practices
  • Identity security
  • Balancing productivity and security

SOC Data Collection

  • The SOC data collection system
  • Open-source NSM and host-data tools
  • Collection issues
    • Tactical log collection
    • Audit policy flexibility
    • Most important data sources
    • How to collect data
    • Parsing, filtering, enrichment, and storage
  • Secure protocols and encrypted traffic analysis

Other Monitoring Use Cases

  • DevOps telemetry
  • Chaos engineering and security monitoring
  • Supply chain security
  • Business e-mail compromise
  • Insider threat
  • Major breach case studies

Using MITRE ATT&CK to Plan Collection

  • Key data sources
  • Defense mapping
  • Assessing your capabilities using DETT&CT

Cyber Threat Intelligence

  • Threat intelligence types and sources
  • Consuming and producing intelligence
  • Mental models for threat intel
  • Intel transport and use
  • Threat intelligence platforms and integration

Practical Collection Concerns

  • Security data collection
  • Parsing, filtering, categorization, and normalization
  • Data enrichment
  • Storage and indexing

Overview

Section 3 of MGT551 is all about improving detections. We begin with effective triage and analysis and then move to more effective alerting mechanisms, starting with the fundamentals of analytic design. We will discuss detection engineering as a core SOC discipline to be planned, tracked, and measured. You will learn a repeatable, data-driven approach to SOC capacity planning and apply that process in a hands-on exercise using custom tools that you can take back to your own environment. We will also cover the different types of proactive threat hunting, see a structured approach that results in measurable improvements to your detection capability, and apply that approach in a hands-on threat hunting lab. Finally, we will look at active defense concepts and their role in a mature security operations capability. Taking the tools, processes, and concepts from section 3 of MGT551 back to your SOC will ensure that no (virtual) stone in your environment remains unturned.

Exercises

  • SOC Capacity Planning
  • Structuring, Documenting, and Organizing Use Cases
  • Planning a Threat Hunt

Topics

Efficient Alert Triage

  • Triage approach in various SOC staffing models
  • Where to triage alerts
  • What analysts must know
  • Prioritizing sensitive and high-risk accounts
  • Data classification

Capacity Planning

  • Basic and complicating factors in triage capacity planning
  • Estimating workload
  • Factors contributing to alert count
  • Determining the "right" number of alerts
  • Approaches for handling excessive alerts

Detection Engineering

  • SOC threat detection systems
  • Analytic outcomes and tuning
  • Writing high-fidelity rules
  • Use case tracking and storage
  • Risk-based scoring and alert aggregation

Analytic and Analysis Frameworks and Tools

  • Blue team knowledge standardization and upcoming tools
  • ATT&CK Navigator
  • Yara
  • Sigma
  • Jupyter notebooks
  • Detection testing labs

Threat Hunting

  • What is threat hunting and why is it needed?
  • Scheduling
  • Data quality
  • Hunting process and techniques
  • Hunting maturity model
  • Showing the value of threat hunting

Active Defense

  • What is active defense/deception?
  • Active defense techniques and goals
  • Active defense tooling

Overview

From toolsets to proven frameworks to tips and tricks learned in countless real-world scenarios, section four covers the full response cycle, from preparation to identification to containment, eradication, and recovery, for operations managers. The fourth section of MGT551 begins with the fundamentals of investigation: effective triage, investigative mindset, and tools for avoiding bias. Then the focus turns to preparing your environment to be defended by deploying security controls, identifying high-value assets and users, and designing playbooks to guide your response efforts. Finally, we will review best of breed incident response tools and free frameworks to guide your planning. Lab exercises in section four include incident response playbook design using the free RE&CT framework, investigation review and quality control, and tabletop exercise development.

Exercises

  • Designing Tabletop Exercises
  • Planning Incident Response Using RE&CT
  • Investigation Quality Control

Topics

Investigation

  • Investigation mindset
  • Avoiding bias
  • Analysis of Competing Hypotheses
  • Useful investigative techniques

Incident Response (IR) Planning

  • IR policy, plans, and procedures
  • Staffing for IR
  • Communication guidelines and methods
  • Incident response procedure overview

Preparation

  • Defensible network architecture
  • The Center for Internet Security (CIS) Controls
  • Securing high-value assets
  • Incident response procedures
  • Developing IR playbooks using RE&CT
  • Incident response communications

Identification, Containment, and Eradication

  • When to call an incident
  • Triggering the incident response process and assembling the team
  • Incident categorization
  • Data acquisition
  • Containment procedures
  • Incident documentation
  • Preparing your IR "go bag"
  • Threat eradication
  • Preserving evidence and engaging law enforcement

Recovery and Post-Incident

  • Writing the incident report
  • Collecting intelligence
  • Additional logging during and after incidents
  • IR plan improvement

Incident Response in the Cloud

  • Preparing your cloud environment for detection and response
  • Containment in the cloud

Dealing with a Breach

  • Crisis management process and key functions
  • Crisis communications
  • Breach case studies

IR Tools

  • EDR, NDR, and XDR
  • Windows Management Instrumentation and command line incident response
  • Live response tools
  • Forensic analysis tools
  • Malware analysis tools

Continuous Improvement

  • Collaborative problem solving
  • Improving shared knowledge
  • Designing tabletop exercises

Overview

The fifth and final section of MGT551 is all about measuring and improving security operations. We focus on three areas: developing and improving people, measuring SOC performance, and continuous validation through assessment and adversary emulation. We will also cover some of the more challenging elements of managing people in a dynamic and often high-pressure environment: building the right culture, addressing damaging behaviors, and handling common pitfalls of daily operations. By demonstrating value through structured testing and fostering a culture of learning, collaboration, and continuous improvement, we can ensure long term growth and success. In section five, you'll receive the tools, techniques, and insights to do just that. Hands-on exercises will include building skills self-assessments and training plans for your analysts, designing SOC metrics, and continuous assessment and validation.

Exercises

  • Building a Skills Self-Assessment and Training Plan
  • Creating, Classifying, and Communicating Your Metrics
  • Purple Team Assessment

Topics

Staff Retention and Mitigation of Burnout

  • Cultivating intrinsic motivation in your team
  • SOC human capital model
    • Growth, skills, empowerment, and creativity
    • Automation, Ops efficiency, management/metrics
  • Burnout mitigation tactics for new and experienced analysts
  • Optimizing tasks for analyst growth
  • Performance management

Metrics, Goals, and Effective Execution

  • Daily Ops vs. initiatives
  • Metrics vs. KPIs vs. OKRs

Selecting Metrics

  • Metrics sampling rates

Selecting KPIs

  • Organizing operational measures
  • Creating OKRs
  • Successful execution
    • Metrics types
    • Goal setting
    • Acting on the right metrics
    • Scoreboards
    • Keeping a cadence of accountability

Measurement and Prioritization Issues

  • Levels and types of measurement
  • The downside of risk matrices and CVSS scoring
  • The right kinds of measurements
  • Quantitative and qualitative measurement with examples

Strategic Planning and Communications

  • Building a strategic SOC plan
  • Executing your strategic plan
  • Maintaining direction, alignment, and commitment
  • Measuring SOC maturity with SOC-CMM
  • Storytelling and visualization in security

Analytic Testing and Adversary Emulation

  • Analytic testing
    • Analytic testing tools
    • Automated assessments
  • Penetration testing, red teaming, and adversary emulation
  • Purple team vs. red team execution and benefits
  • Purple teaming
    • Benefits
    • Methodology and execution
    • Reporting and tracking tools

Automation and Analyst Engagement

  • Types of automation
  • A 5-step approach to applying automation in the SOC
  • Automating SOC workflows with SOAR
  • Six sigma concepts
  • Gamification of SOC tasks and workflows
  • Optimizing for continuous engagement

As noted above, the goal of this course is the effective management and leadership of a SOC team, so entering it requires at least 2 years of experience working in a security operations center. It is also recommended that you complete the SANS SEC450 course, which covers blue team concepts, before taking this one. Note that this course is not recommended for those who have only recently entered the SOC field; if you are interested in SOC work, you can start your learning path with the comprehensive SOC Tier 1 course.

  • Collecting the most important logs and network data
  • Building, training, and empowering a SOC team
  • Using threat intelligence to focus threat detection
  • Threat hunting and active defense strategies
  • Effective incident response planning and execution
  • Choosing metrics and a long-term strategy for improving the SOC

This course is intended for those who want to build a security operations center or improve their existing one. Ideal job roles for this course are:

  • Security operations center managers or leaders
  • Information security managers
  • SOC team members, especially Tier 2 and Tier 3
  • Senior SOC analysts
  • Chief Information Security Officers (CISOs)