Continuous Monitoring and Security Operations

This course assesses the current state of security architecture and continuous monitoring, and provides a new approach to security architecture that can be easily understood and defended. When students finish, they have a list of action items in hand for making their organization one of the most effective vehicles for frustrating adversaries. Students are able to assess deficiencies in their own organization’s security architectures and affect meaningful changes that are continuously monitored for deviations from their expected security posture.( Online classes available)

Course Key Learnings:

Analyze modern hybrid enterprises for deficient protection/detection strategies
Apply the principles learned in the course to design a defensible cloud, network, and endpoint security architecture and operations
Understand the importance of detection-dominant security architecture and Security Operations Centers (SOC) for hybrid enterprises
Identify the key components of cloud, network, and endpoint protection and monitoring across hybrid infrastructure
Determine appropriate security monitoring needs for organizations of all sizes

Business Takeaways

This course will help your organization:

Enable effective cloud, network, and endpoint protection and detection strategies
Design defensible security architecture and operations for modern hybrid enterprises
Materially improve your organization’s security operations capabilities
Identify protection and detection gaps across hybrid infrastructure
Maximize the capabilities of current infrastructure and assets
Make sense of data to enable the detection of potential intrusions or unauthorized actions rapidly

Course Content:

Module1: Current State Assessment and Security Architecture

We begin with the end in mind by defining the key techniques and principles that will allow us to get there.
An effective modern Security Operations Center (SOC) or security architecture must enable an organization’s
ability to rapidly find intrusions to facilitate containmentand response. Both significant knowledge and a
commitment to continuous monitoring are required to achieve this goal.

Topics

Current State Assessment, SOCs, and Security
Architecture; Modern Security Architecture Principles;
Frameworks and Enterprise Security Architecture; Security
Architecture – Key Techniques/Practices

Module2: Network Security Architecture

Understanding the problems with the current environment and realizing where we need to get to is far from sufficient; we need a detailed roadmap to bridge the gap between the current and desired state.
Section 2 introduces and details the components of our infrastructure that become part of a defensible network security architecture and SOC. We are long past the days when a perimeter firewall and ubiquitous antivirus were sufficient security. There are many pieces and moving parts that make up a modern
defensible security architecture.

Topics

SOCs/Security Architecture – Key Infrastructure
Devices; Segmented Internal Networks; Defensible
Network Security Architecture Principles Applied

Module 3: Network Security Monitoring

Designing a SOC or security architecture that enhancesvisibility and detection capabilities represents a paradigmshift for most organizations. However, the design is simplythe beginning. The most important element of a modern
security architecture is the emphasis on detection. The network security architecture presented in days one
and two emphasized baking visibility and detection capabilities into the design. Now we must figure out
how to look at the data and continuously monitor the enterprise for evidence of compromise or changes that increase the likelihood of compromise.

TOPICS:

Continuous Monitoring Overview;
Network
Security Monitoring (NSM);
Practical NSM Issues;
Cornerstone NSM

Module4: : Endpoint Security Architecture

One of the hallmarks of modern attacks is an emphasis on client-side exploitation. The days of breaking into networks via direct frontal assaults on unpatched mail, web, or DNS servers are largely behind us. We must
focus on mitigating the risk of compromise of clients. Section four details ways in which endpoint systems
can be both more resilient to attack and also enhance detection capabilities.

TOPICS:

Security Architecture
Endpoint Protection;
Dangerous Endpoin
Applications; Patching

Module5: : Automation and Continuous

Security Monitoring Network Security Monitoring (NSM) is the beginning; we need to not only detect active intrusions and unauthorized actions, but also know when our systems, networks, and applications are at an increased likelihood
for compromise. A strong way to achieve this is through Continuous Security Monitoring (CSM) or Continuous
Diagnostics and Mitigation (CDM). Rather than waiting for the results of a quarterly scan or an annual penetration
test to determine what needs to be addressed, continuous monitoring proactively and repeatedly
assesses and reassesses the current security posture for potential weaknesses that need to be addressed.

TOPICS:

CSM Overview; Industry Best Practices;
Winning CSM Techniques; Maintaining Situational
Awareness; Host, Port and Service Discovery;
Vulnerability Scanning; Monitoring Patching; Monitoring
Applications; Monitoring Service Logs; Monitoring
Change to Devices and Appliances; Leveraging Proxy and Firewall Data; Configuring Centralized Windows
Event Log Collection
Monitotoring Critical Windows
Events; Scripting and Automation

Module6: : Capstone: Design, Detect, Defend

The course culminates in a team-based design, detect, and defend the flag competition that is a full day of
hands-on work applying the principles taught throughout the week.

TOPICS: