ELEMENTS OF SECURITY OPERATIONS
2ND EDITION
An essential guide of capabilities, best practices and innovative techniques to power your
modern SOC
Written by John Caimano and Austin Robertson
With Foreword by Niall Browne, CISO, Palo Alto Networks
TABLE OF CONTENTS

Foreword 7

Introduction 10

Security Operations Definition 12

Security Operations Delivery Options 14

An Overview of Elements of Security Operations 15

Processes Pillar Elements 20

Affiliates Pillar Elements 38

People Pillar Elements 64

Business Pillar Elements 74

Visibility Pillar Elements 89

Technology Pillar Elements 107

Appendices 130

About Palo Alto Networks 140

FOREWORD

Modern security threats are evolving at a faster pace than security technologies.
While well-funded threat actors are investing in new tools like machine learning (ML),
automation and artificial intelligence (AI), Security Operations Centers (SOCs) built
around legacy security information and event management (SIEM) fail to provide a flexible
and scalable solution that keeps pace with digital transformation, cloud initiatives and
advanced attack campaigns.

Today’s expanded enterprise attack surface generates much more security data, which
is both more complex and siloed, than only a few years ago. Network, endpoint, identity
and cloud data remain in separate systems. Endpoint telemetry is locked in an endpoint
detection and response (EDR) system, cloud data is in a separate cloud security tool and
more. As a result, SOC analysts must manually analyze data to triage alerts and take
effective action. Alerts overload analysts, so threats are missed, and dwell times remain
long. Security engineers struggle to integrate new data streams and create new detection
rules and playbooks, while security architects integrate the latest new point product.
The results are predictable: alert fatigue, slow investigations and attackers who hide in
networks for months.

The modern way to scale an effective SOC is with automation, leveraging AI and ML as
the foundation and with analysts working on a small set of high-risk incidents. Just as
operating a self-driving vehicle no longer requires constant, hands-on control by the
operator, an automation-led SOC handles the bulk of low-risk, repeated alerts, analysis
tasks and mitigations. This frees the analysts to work on urgent, high-impact incidents
while the underlying platform autopilots the SOC to safe outcomes, learning from each
activity and offering information and effective recommendations to the SOC manager.
This is our vision for the modern SOC.

A recent research report from ESG surveyed 376 IT and cybersecurity professionals in the
U.S. and Canada personally responsible for evaluating, purchasing and utilizing threat
detection and response security products and services. It found the following:

MOST COMMONLY REALIZED BENEFITS FROM SECOPS PROCESS AUTOMATION

• Improved threat detection using playbooks
• Improved mean time to respond
• Improved incident prioritization
• Quicker isolation of infected assets

Source: ESG – SOC Modernization and the Role of XDR, 2022
At Palo Alto Networks, we believe that advanced
detection and response within the SOC requires
six pillars:
Processes
The steps a SOC must take to identify, investigate and mitigate
a suspected security incident

Affiliates
Individuals, teams or organizations that are involved in or provide
support to the SOC’s incident response activities

People
Enhancing a SOC staff with a skill development plan, optimized
utilization and professional growth plans

Business
Stakeholders and their business needs are always a factor in
our goals

Visibility
Real-time awareness to the SOC of activities and events generated
by an attacker within an organization’s IT infrastructure

Technology
The combined sensors and prevention capabilities a SOC needs for
real-time incident response

The information in this book should help any small or large organization with planning
a SOC, either to build it on-premises or plan for outsourcing services as a collaborative
effort. For businesses with an existing SOC, the information in this book will help you to
enhance and evolve into a world-class modern SOC. Planning for a SOC is a long-term
project requiring several moving parts: Process Development, Affiliate Alignment, Staffing,
Visibility and Technology Capabilities. You can use this book to learn the necessary building
blocks to plan for a SOC and reduce your chance of pitfalls from costly mistakes.

Niall Browne, CISO, Palo Alto Networks

Three wishes from every
operations engineer:
1. Fewer alerts in the SOC

2. Effective access to tools for quick investigations

3. Reduced time for threat containment


INTRODUCTION
In today’s ever-evolving digital landscape, SOCs are at the forefront of defending
organizations against cyberthreats. However, these vital security hubs are experiencing a
transformative paradigm shift. By embracing cutting-edge technologies such as security
orchestration, automation and response (SOAR), AI, data analytics and behavioral analysis,
SOC teams are revolutionizing their operations and capabilities. This forward-thinking
approach enables them to expedite incident response activities, enhancing their speed and
agility while simultaneously handling a greater volume of threats without overwhelming
workloads. Enter the 84 elements of security operations, a comprehensive guide for
establishing a modern SOC, ready to face the challenges of expanding attacker capabilities.

Businesses require continuous improvement in operations to face ever-evolving threats.

With the expansion of attacker capabilities, adversaries have begun incorporating their
own ML and AI technologies to enhance their arsenal of attacks. This includes leveraging
ML algorithms for sophisticated phishing campaigns and employing AI-driven techniques
for effective end-user social engineering. As attackers continue to evolve and become
more sophisticated, defenders are compelled to adapt and counter these emerging threats.
In response, the defender’s strategy is shifting toward leveraging generative AI, which
empowers SOCs to proactively detect, analyze and mitigate cyberthreats. By harnessing
the capabilities of generative AI, defenders can stay one step ahead of adversaries and
strengthen their overall cybersecurity posture.

Generative AI is about to revolutionize the SOC, ushering in a new era of cybersecurity
capabilities and transforming the way organizations defend against threats. With its ability
to analyze vast amounts of data, detect patterns and make informed decisions, generative
AI will empower SOC teams to stay one step ahead of cybercriminals and proactively
protect critical assets.

AI algorithms excel at analyzing large volumes of data in real time. By continuously
monitoring network logs, system activities and user behaviors, AI can swiftly identify
suspicious patterns and indicators of potential threats. This enables SOC analysts to
proactively detect and respond to emerging threats, minimizing the risk of security
breaches.

Generative AI will serve as a dedicated assistant to analysts, working together to swiftly
identify, thoroughly investigate and effectively mitigate security threats. With its advanced
capabilities, generative AI provides valuable insights, automates time-consuming tasks
and assists analysts in making informed decisions, bolstering the overall effectiveness and
efficiency of security operations.

Generative AI will innovate the way cyberattack victims are supported by providing
personalized responses that assist them in navigating the remediation process and
gaining valuable lessons for future resilience. Imagine every end user having their own
cybersecurity expert to review suspicious emails and provide a customized response to
their concerns.

SECURITY OPERATIONS DEFINITION
A SOC is a team focused on the identification and remediation of threats to the
organization. The SOC has evolved through the years as malware and threats continue to
emerge. In the dynamic landscape of security operations, AI will work alongside security
analysts in SOCs to alleviate their workload, enhance efficiency and improve the quality of
threat identification and remediation. However, as AI advances, attackers will also leverage
the technology to develop more sophisticated and automated techniques to breach security
defenses, posing new challenges for SOC teams.

Security operations can be defined more broadly as a function that identifies, investigates
and mitigates threats. For example, it includes staff who are responsible for looking at
security logs. Continuous improvement is also a key activity of a security operations
organization.

Therefore, the four main functions of security operations are:

1. Identify – Identify an alert as potentially malicious and open an incident

2. Investigate – Investigate the root cause and impact of the incident

3. Mitigate – Recommend mitigation options to isolate and remove a threat

4. Continuous Improvement – Constantly adapt to process, visibility and
technology to improve in real time as incidents occur

The majority of a security operations analyst’s time is spent in the identify phase due to
false positives and low-fidelity alerts they must sort through. Correctly implemented
prevention-based architecture and automated correlation help reduce analyst exhaustion
and the time needed for this phase. Analyst exhaustion is a phenomenon where an
analyst no longer trusts the system designed to alert them of incidents. This lack of trust
comes from too many false positives or a system that does not properly report incidents
for effective response and investigation. It’s critical that the SOC is equipped with
infrastructure that analysts trust to fully respond to every alert.

Much of an analyst’s time is also spent in the mitigate phase. This is caused by the lack of
automated remediation along with unavailable or slow-to-respond teams outside of the
security operations organization that need to be involved in halting the attack.



Modern security operations will reduce or eliminate repetitive
activities in the SOC and contain:
• ML-curated alerts to identify attackers in the weeds
• Correlation of low-confidence alerts to produce high-confidence alerting
• Documented roles and responsibilities to clearly define who owns each element of
security operations
• Continuous improvement applied to every incident
• Processes designed to ease the adoption of automation while accommodating manual
response activities
• Consistent protection across the network, cloud and endpoints
• Automated threat prevention for updates to security controls in minutes, not days

EXPLANATION OF SOC TERMS

Alert: A notification of a potential risk to the organization.

Threat: A cyberattack that could cause damage to an organization.

Incident: An alert or series of alerts that require an investigation or remediation.

Event: While an incident indicates potential threats, an event is any tracked activity on the
network. An event is not necessarily malicious, but it might be something to consider while
investigating an incident.

Threat prevention: Technology and processes used to mitigate, contain or stop a threat
before it damages systems or compromises infrastructure.

Endpoint: A device or application connecting to the internal environment. It can be a point
of compromise or allow malware to access the corporate environment.

Prioritization: A value assigned typically by a sensor to an alert that helps analysts decide
which alerts should be reviewed first.



SECURITY OPERATIONS DELIVERY OPTIONS

Organizations use various delivery options for SecOps.

Security operations are usually driven by key factors, including the needs of the business,
global presence, access to resources and funding. These factors can influence whether a
business chooses in-house or outsourced security operations.

An in-house, next-generation SOC keeps the knowledge and control of the environment
within the business, provides flexibility in alerting, automates repetitive tasks, utilizes AI
with ML to prioritize and generate high-value alerts, and applies continuous improvement.
It can require a considerable investment upfront and will require all 84 elements of security
to be implemented.

Outsourced security operations, or SOC as a service, provides access to experts, advanced
technology, mature processes and quick implementation. However, they still require
in-house resources to carry out remediation activities and can reduce the number of
custom processes that can be put in place. This option also requires detailed service-level
agreements (SLAs) and consistent monitoring and testing of the SLAs to ensure quality.
This setup may also cause concerns around compliance at different global locations, gaps
in visibility and lack of internal knowledge.

Many organizations choose a hybrid solution with some functions outsourced, such as
using level one analysts to identify priorities. This solution provides access to subject
matter experts that may not be present in-house and can provide both flexibility and
scalability. It requires stringent communication agreements and tight processes around
escalations so that external and internal staff have the flexibility and ability to quickly
respond to incidents.

Regardless of the security operations delivery option, for the purposes of this book, the
security operations function will also be referred to as SecOps.

AN OVERVIEW OF ELEMENTS OF SECURITY OPERATIONS

Security operations can be complex, but by breaking a SOC into its basic elements, it’s
possible to create a foundation for a CISO’s journey to the modern SOC. The element
foundation can be used to evolve security operations to provide better, faster prevention
and remediation. In addition, it will equip the SOC with fundamental pillars to embrace
advanced capabilities like automation and generative AI.

The SOC’s elements of security operations are organized into six pillars, encompassing the
capabilities crucial for meeting the business’s requirements.

All elements in this book work together to build an effective SOC. Removing just one
element will greatly affect the security and efficacy of a SOC, so the whole is greater than
the sum of its parts. The following is a brief overview of each pillar, but later sections will
expand on these definitions and explain each element in more detail.



The six pillars
1. Processes
Tactical steps needed to execute security goals

2. Affiliates
External functions to help achieve security goals

3. People
Who will perform the work

4. Business
Goals and outcomes

5. Visibility
Information needed to accomplish goals

6. Technology
Infrastructure and architecture needed to provide visibility
and enable staff functions
[Figure: The Elements of Security Operations chart, which lays out every element with its
symbol under its pillar (Processes, Affiliates, People, Business, Visibility, Technology) in
two groups, Operationalization and Capabilities.]


SECURITY PILLAR 1:
PROCESSES

The processes pillar defines the procedures executed by the SOC. Process elements are
broken up into four phases: identify, investigate, mitigate and continuous improvement.
These phases provide the foundations for an effective next-generation SOC.

When determining your processes, ask the following questions:

• What processes need to be defined?
• Where will the processes and procedures be documented?
• How will this documentation be accessed and communicated?
• Who will be responsible for updating this documentation?
• How often will the processes need to be reviewed and updated?
• When will affiliates be needed to assist the SOC?

Process elements effectively protect digital assets and business data.

This section explains the strategies necessary to implement SOC functions and facilitate
effective incident response.



Security leaders should have clear
incident response processes in place
when building an autonomous SOC.
This clarity is required to ensure that
automated response is operating
properly and can be clearly analyzed
and measured for improvement
opportunities.

SCOTT COLEMAN
Global Solution Architect,
Cortex XSIAM—Security Operations,
Palo Alto Networks
ALERTING
Having the right alerts is paramount for the SOC to be successful. Alerting defines the
importance of an event and indicates whether or not it becomes an actionable incident.

Before an analyst starts processing alerts, security operations must benchmark standards
to determine when intervention for manual analysis is necessary.

Security operations should leverage alerting strategies to define what alerts analysts
should be looking at. Alerting strategies include the intended purpose of the alert,
prioritization, the types of technology and visibility that present alerts, technical context
provided, true positive validation and use cases for alerting analysts. Palo Alto Networks
uses the Alert Detection Strategy (ADS) framework. The ADS framework maps to the
MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) Framework.
The ATT&CK Framework will categorize an alert so that an engineer can quickly review
and prioritize incidents for review. Creating a well-defined alerting strategy ensures that
analysts can actively monitor meaningful alerts and begin performing initial research on
an incident. Incorporating automation improves accuracy of alerts and reduces the number
of false positives.

Related Elements: Change Control (Cc); Governance, Risk & Compliance (Grc); Case
Management (Cm); Virtual Asset Protection (Va); Machine Learning & Artificial Intelligence
(Ml); Case Documentation (Cd); Network Security (Ns); Correlation (Cr); Vulnerability
Management Tools (Vm); Malware Sandbox (Ms); Investigation (I); Red & Purple Teams (Rp);
Cloud Threat Analysis (Ct); Behavioral Analysis (Ba); Network Access Control (Nac); Initial
Research (In); SOC Infrastructure (Si); Data Capture (Dc); Data Analytics (Da); Secure
Access Service Edge (Sase); Asset Management (Am); Threat Hunting (Th); Encrypted Traffic
Visibility (Et); Deception Techniques (Dt); Security Orchestration Automation Response
(Soar); AppSec (As); Threat Intelligence (Ti); Industrial IoT (Iiot); Email Security (Em);
Virtual Private Network (Vpn); Attack Surface Management (Asm); Employee Utilization (E);
Internet of Things (Iot); Endpoint Security (Epp); Web Application Firewall (Waf); Content
Engineering (Ce); Tabletop Exercises (Tt); Knowledge Management Tools (Km); Firewall (Fw);
Cloud Security (Cs); Reporting (R); Layer 7 Inspection (Li); Identity & Access Management
(Iam); DevSecOps (Ds); Asset Management Tools (At); Operational Technology (Ot); Intrusion
Prevention Systems (Ips); Endpoint Security (Es); Analysis Tools (An); Threat Intelligence
Management (Tm); Log Storage (Ls)


CASE DOCUMENTATION
Case documentation in a SOC is crucial for capturing and recording essential information
related to cybersecurity incidents.

Case documentation serves as a comprehensive record of incident response activities,
enabling SOC teams to leverage past experiences and lessons learned for more effective
incident handling in the future. Additionally, it facilitates collaboration among team
members and stakeholders, promotes transparent communication and supports
continuous improvement by identifying areas for process refinement and enhancing
overall security operations. By maintaining accurate and detailed case documentation, SOC
teams can strengthen their incident response capabilities and better protect organizations
against evolving cyberthreats.

Related Elements: Alerting (A); Escalation Process (Ep); Pre-approved Mitigation Scenarios
(Pa); Content Engineering (Ce); Reporting (R); Breach Response (Br); Interface Agreement
(Ia); Process Improvement (Pi); Governance, Risk & Compliance (Grc); Case Management (Cm);
Change Control (Cc); Incident Distribution (Id); Quality Review (Qr); Red & Purple Teams
(Rp); Knowledge Management Tools (Km); Capability Improvement (Ci); Initial Research (In);
Severity Triage (St); Threat Hunting (Th); Data Analytics (Da); Investigation (I);
Mitigation (Mi); Visibility Tuning (Vt); Tabletop Exercise (Tt); Log Storage (Ls)

If you can document the steps to do an investigation or perform
mitigation, chances are good you can automate it. Find those
opportunities.

STUART SAVAGE
Global Solutions Architect,
Security Operations & Endpoint Security Services,
Palo Alto Networks



INITIAL RESEARCH
Early incident exploration for triage and action as appropriate.

Results from the initial research provide context around an incident to help gather
information to triage, escalate and determine if further investigation is needed or if the
alert is malicious or benign.

When an alert is triggered, the security operations team needs an easy way to gather
the information required to determine its severity and build the foundation for an
investigation. Initial research helps new and experienced analysts align to a set of common
tools to collect artifacts required for severity triage.

In legacy security operations teams, research was manually performed, often taking
the bulk of an analyst’s time to resolve an incident. With the development of SOAR
technologies, analysts now have the ability to document and automate initial research,
significantly reducing the effort required to process an alert. Automation plays a crucial
role in gathering and merging context from different technologies, simplifying access
to information related to an alert so analysts can conduct preliminary research more
conveniently.

Related Elements: Alerting (A); Governance, Risk & Compliance (Grc); Reporting (R);
Vulnerability Management Tools (Vm); Security Orchestration, Automation & Response (Soar);
Case Documentation (Cd); Red & Purple Teams (Rp); Analysis Tools (An); Quality Review;
Severity Triage (St); Threat Intelligence (Ti); Knowledge Management Tools (Km); Log
Storage (Ls); Asset Management (Am); Tabletop Exercise (Tt); Threat Intelligence
Management (Tm); Machine Learning & Artificial Intelligence (Ml)


SEVERITY TRIAGE
Defining an incident’s severity will help with prioritization and determine impact to the
business based on initial research.

Severity triage allows analysts to easily communicate an incident’s risk and ensure
the appropriate response. The alert’s severity will also help guide an analyst’s actions
throughout the incident response lifecycle.

Every organization must determine its own risk tolerance and severity classifications. The
exact descriptions and business impact will vary from business to business. A 1–5 severity
level is recommended. The severity triage labels are critical, high, medium, low and
informational. A critical alert, or severity 1, calls for immediate attention and is indicative
of a breach. Some companies add a severity 0 to indicate an ongoing breach where the
attacker is attempting to exfiltrate, encrypt or corrupt data.

Incident risk and severity should be agreed upon between the business and the security
operations team, ensuring the appropriate responses occur when an incident arises.
Automation can also play a role in assigning severity.
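As an added illustration (not code from the book), the Python sketch below ties together the Alerting element’s idea of ATT&CK-tagged alerts, the correlation of low-confidence alerts into high-confidence alerting, and the 1–5 severity scale with the optional severity 0 for an in-progress breach. The detection names, tactics, confidence values, 60-minute window and sample alert lines are constructed assumptions.

```python
"""Correlate low-confidence, ATT&CK-tagged alerts into a severity-rated incident.

Added illustration, not the book's own code: the detection names, tactics,
confidence values, 60-minute window and sample alert lines are constructed.
Severity follows the book's 1-5 scale (1 = critical ... 5 = informational) plus
the optional severity 0 for an in-progress breach (data exfiltration or impact).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Alerting strategy table: each detection's purpose expressed as its ATT&CK tactic
# and a base confidence. None of these alone is worth an analyst's attention.
STRATEGY: Dict[str, Dict[str, object]] = {
    "phish.attachment.opened":   {"tactic": "initial-access",    "confidence": 0.3},
    "office.spawned.powershell": {"tactic": "execution",         "confidence": 0.4},
    "new.scheduled.task":        {"tactic": "persistence",       "confidence": 0.3},
    "lsass.memory.read":         {"tactic": "credential-access", "confidence": 0.6},
    "large.outbound.transfer":   {"tactic": "exfiltration",      "confidence": 0.5},
    "mass.file.rename":          {"tactic": "impact",            "confidence": 0.5},
}
BREACH_TACTICS = {"exfiltration", "impact"}   # data leaving, or being encrypted/corrupted
WINDOW = timedelta(minutes=60)                # alerts on one host are chained within this


@dataclass
class Alert:
    ts: datetime
    host: str
    name: str


@dataclass
class Incident:
    host: str
    alerts: List[Alert] = field(default_factory=list)
    severity: int = 5

    @property
    def tactics(self) -> set:
        return {STRATEGY[a.name]["tactic"] for a in self.alerts}


def parse_alert(line: str) -> Optional[Alert]:
    """Parse a constructed 'ISO-time host detection-name' line; unknown names are dropped."""
    parts = line.split()
    if len(parts) != 3 or parts[2] not in STRATEGY:
        return None
    return Alert(datetime.fromisoformat(parts[0]), parts[1], parts[2])


def score(inc: Incident) -> int:
    """Place one host's alert chain on the 1-5 scale (0 = breach in progress)."""
    tactics = inc.tactics
    # Combine the individual confidences as if they were independent evidence.
    confidence = 1.0
    for a in inc.alerts:
        confidence *= 1.0 - float(STRATEGY[a.name]["confidence"])
    confidence = 1.0 - confidence
    if len(tactics) >= 3 and tactics & BREACH_TACTICS:
        return 0                    # attack chain has reached exfiltration or impact
    if len(tactics) >= 3 or confidence >= 0.9:
        return 1
    if len(tactics) == 2 or confidence >= 0.7:
        return 2
    if confidence >= 0.5:
        return 3
    if confidence >= 0.3:
        return 4
    return 5


def correlate(lines: List[str]) -> List[Incident]:
    """Chain alerts per host within WINDOW of the chain's first alert, then score."""
    alerts = sorted((a for a in map(parse_alert, lines) if a), key=lambda a: a.ts)
    incidents: List[Incident] = []
    open_by_host: Dict[str, Incident] = {}
    for a in alerts:
        inc = open_by_host.get(a.host)
        if inc is None or a.ts - inc.alerts[0].ts > WINDOW:
            inc = Incident(host=a.host)
            incidents.append(inc)
            open_by_host[a.host] = inc
        inc.alerts.append(a)
    for inc in incidents:
        inc.severity = score(inc)
    return incidents


# Constructed sample feed: one host with a full chain, one host with stray noise.
SAMPLE_LINES = [
    "2024-03-01T09:00:00 ws-17 phish.attachment.opened",
    "2024-03-01T09:02:10 ws-17 office.spawned.powershell",
    "2024-03-01T09:05:44 ws-17 new.scheduled.task",
    "2024-03-01T09:40:00 ws-17 large.outbound.transfer",
    "2024-03-01T10:15:00 ws-42 new.scheduled.task",
    "2024-03-01T12:30:00 ws-42 office.spawned.powershell",   # beyond the window: new chain
    "2024-03-01T12:31:00 ws-42 not.a.known.detection",       # not in the strategy: dropped
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_LINES):
        print(inc.host, "severity", inc.severity, sorted(inc.tactics))
```

Four individually weak alerts on ws-17 become a severity 0 incident because the chain spans several tactics and ends in exfiltration, while the isolated alerts on ws-42 stay at severity 4.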

Related Elements: Alerting (A); Governance, Risk & Compliance (Grc); Collaboration (Co);
Reporting (R); Threat Intelligence Management (Tm); Case Documentation (Cd); Red & Purple
Teams (Rp); Facility (Fa); Risk & Compliance (Rc); Data Analytics (Da); Investigation (I);
Threat Intelligence (Ti); Governance (G); Staffing (S); Log Storage (Ls); Initial Research
(In); Tabletop Exercise (Tt); Mission (M); Asset Management (Am); Budget (B); Metrics (Me);
Analysis Tools (An); Forensics (F); Continuity (C); Planning (P); Knowledge Management
Tools (Km)


ESCALATION PROCESS
The business and security operations teams need a set of guidelines that enable them to
increase an organization’s awareness of a potential issue and receive the necessary support
needed to mitigate. If a lower-severity alert needs escalation, it should be prioritized and
given necessary escalation when needed. Escalation can occur within SecOps staff tiers or
between affiliating teams.

In the case of a critical severity alert, the escalation process ensures the alert receives
immediate attention and acknowledgment from the necessary people.

Inside security operations, escalation may occur within staff tiers when an alert is outside
the scope of something an analyst has the ability to handle. These escalations serve as
learning opportunities for analysts. As organizations continue to automate security
operations, the need to escalate decreases, allowing tier 3 analysts more time to focus on
projects that work toward generating higher-fidelity alerts.

Sometimes an alert may require additional information from an affiliating team.
Interface agreements should be established between affiliating teams and the security
operations team regarding expectations during an escalation. The agreement should
define the severity level at which increased awareness from the business is required,
outline documentation parameters and clearly state the communication expectations
from all stakeholders. Impactful interface, or communication, agreements document an
escalation matrix that showcases specific scenarios and the associated escalation steps.
Interface agreements should be updated and reviewed frequently to reflect changes and
ensure accuracy; including backup contacts and procedures to address unresponsiveness is
strongly recommended.

See the Interface Agreements Element section for more information.
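As an added illustration (not the book’s own procedure), here is an escalation matrix expressed as data in Python, following the points above: the severity at which the business must be made aware, an ordered chain of affiliating teams, a backup contact per step and a procedure for unresponsiveness. Severity thresholds, contact names, roles, timeouts and the simulated acknowledgements are constructed.

```python
"""Escalation matrix derived from an interface agreement.

Added illustration, not the book's own procedure: the severity thresholds, contact
names, roles, acknowledgement timeouts and simulated acknowledgements are all
constructed. Severity follows the book's scale (1 = critical ... 5 = informational,
with an optional 0 for an in-progress breach).
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Set


@dataclass(frozen=True)
class Step:
    """One row of the escalation matrix: the team paged at this step, who is
    paged first, the backup contact, and the minutes the agreement allows for an
    acknowledgement before the backup is paged instead."""
    team: str
    primary: str
    backup: str
    ack_timeout_min: int


# The interface agreement expressed as data. Chains are ordered: the SOC tier is
# engaged first, then affiliating teams, then business stakeholders.
AGREEMENT: Dict[str, Any] = {
    "business_awareness_at": 2,   # severities 0-2 require business notification
    "chains": {
        1: [Step("SOC", "tier2-oncall", "tier3-oncall", 5),
            Step("IT Operations", "it-ops-oncall", "it-ops-manager", 10),
            Step("Business", "ciso", "deputy-ciso", 15)],
        2: [Step("SOC", "tier2-oncall", "tier3-oncall", 15),
            Step("IT Operations", "it-ops-oncall", "it-ops-manager", 30)],
        3: [Step("SOC", "tier2-oncall", "tier3-oncall", 60)],
    },
}


def chain_for(severity: int) -> List[Step]:
    """Severity 0 reuses the critical chain; 4 and 5 stay in the analyst queue."""
    return AGREEMENT["chains"].get(max(severity, 1), [])


def escalate(severity: int, acknowledged: Set[str]) -> Dict[str, Any]:
    """Walk the matrix for one incident.

    `acknowledged` simulates who replied inside their timeout. A primary who did
    not reply hands off to the backup, and the agreed timeout is counted as delay;
    this is the unresponsiveness procedure the agreement should spell out.
    """
    paged: List[str] = []
    handoffs: List[str] = []      # teams where the backup had to take over
    unanswered: List[str] = []    # teams where nobody acknowledged at all
    delay_min = 0
    for step in chain_for(severity):
        paged.append(step.primary)
        if step.primary in acknowledged:
            continue
        delay_min += step.ack_timeout_min
        paged.append(step.backup)
        handoffs.append(step.team)
        if step.backup not in acknowledged:
            unanswered.append(step.team)
    return {
        "severity": severity,
        "paged": paged,
        "handoffs": handoffs,
        "unanswered": unanswered,
        "delay_min": delay_min,
        "business_notified": severity <= AGREEMENT["business_awareness_at"],
    }


if __name__ == "__main__":
    # Constructed scenario: IT Ops primary misses the page, the backup picks it up.
    print(escalate(1, {"tier2-oncall", "it-ops-manager", "ciso"}))
    print(escalate(3, set()))      # nobody answered: an unresponsiveness gap to report
```

The `delay_min` and `unanswered` fields are the figures a quality review would feed back into the agreement when a team repeatedly misses its acknowledgement window.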

Related Elements: Case Documentation (Cd); Governance, Risk & Compliance (Grc); Tabletop
Exercise (Tt); Data Analytics (Da); Security Orchestration, Automation & Response (Soar);
Interface Agreement (Ia); Red & Purple Teams (Rp); Reporting (R); Log Storage (Ls);
Forensics (F); Security Automation (Sa); Knowledge Management Tools (Km); Machine Learning
& Artificial Intelligence (Ml)


INCIDENT DISTRIBUTION
Distributing a broad range of incidents to analysts ensures a diverse incident-handling
experience.

Empowering analysts with the responsibility to address a diverse range of alerts not only
expands their knowledge and expertise but also fosters a comprehensive understanding
of different use cases. By encountering unfamiliar alert types, analysts are constantly
challenged to broaden their skill set and become well-rounded in their field. Distributing
incidents across analysts ensures that they become acquainted with available resources
and mitigates the inclination to solely focus on familiar alerts. This approach cultivates
a proactive mindset, enabling analysts to handle any alert that comes their way with
improved speed, efficiency and effectiveness.

Furthermore, working with diversified alert types helps prepare analysts. By regularly
engaging with a wide range of alerts, analysts develop the capacity to quickly assess the
severity and significance of each situation, then prioritize and allocate resources effectively.
This exposure to diverse alert types hones their ability to identify patterns, recognize
anomalies and discern critical indicators, enabling them to respond promptly and make
informed decisions.

Overall, the intentional allocation of diverse alerts to analysts fosters continuous growth,
allowing them to expand their skill set, stay adaptable and remain agile in the face of
evolving threats. It creates a dynamic environment that encourages constant learning,
enhances problem-solving capabilities and strengthens the overall effectiveness of the
security operations team.

Related Elements: Case Documentation (Cd); Governance, Risk & Compliance (Grc); Security
Automation (Sa); Reporting (R); Data Analytics (Da); Content Engineering (Ce); Red & Purple
Teams (Rp); Tabletop Exercise (Tt); Knowledge Management Tools (Km); Log Storage (Ls)

[Figure: Example of event type distribution to a single analyst (panel: Meddler in the
Middle).]


INVESTIGATION
A comprehensive analysis of an incident is crucial in order to establish its true intent,
ascertain the scale of the attack and effectively document its impact.

While initial research is where analysts gather contextual data, an investigation seeks to
uncover the facts to more clearly understand the incident. An analyst should play the role
of a detective in the investigation phase. It’s a manual process that showcases the who,
what, when, where, why and how of an incident.

During the investigation phase, all relevant information is gathered and any remaining
gaps from the initial research are addressed. This includes identifying the affected IT assets
and business services and evaluating the effectiveness of available containment measures,
which inform the subsequent mitigation procedures. The primary goal is to gain a holistic
understanding of the security incident, including its potential impact, the objectives of the
adversary and the potential effectiveness of various containment measures. Armed with
this critical information, the analysts can make an informed decision on the appropriate
containment and mitigation strategy.

The investigation process plays a crucial role in confirming the validity of an incident,
allowing analysts to confidently distinguish between true incidents and false positives.
In the case of a false positive, providing feedback to content engineers or the security
engineering team becomes essential for fine-tuning alerts or updating controls,
respectively. This feedback loop ensures ongoing improvement and optimization of the
SOC’s detection and response capabilities.

By conducting thorough investigations, the SOC strengthens its ability to effectively
respond to security incidents, minimize the impact of threats and enhance overall incident
management. The SOC can also continuously refine its processes and improve its ability to
detect and respond to future incidents with accuracy and efficiency.

Related Elements: Alerting; Severity Triage; Red & Purple Teams; Analysis Tools; Case Documentation; Visibility Tuning; Threat Intelligence; Threat Intelligence Management; Capability Improvement; Asset Management; Tabletop Exercise; Data Analytics; Process Improvement; Governance, Risk & Compliance; Reporting; Log Storage.



INTERFACE AGREEMENT

Effective incident response relies on clear and collaborative communication through
interface agreements.

These communication agreements outline the teams involved, scope of work, agreed-upon
expectations, communication paths and tools that will be utilized. Change request and
escalation processes must be defined within an interface agreement as a reference point.

It is imperative that the security operations team understands the minimum information
required to remediate an incident. Given the ever-changing nature of business,
agreements need to be reviewed regularly to ensure contacts and information are
accurately updated.

Related Elements: Case Documentation; Cloud Security; Help Desk; SOC Infrastructure; Knowledge Management Tools; Escalation Process; DevSecOps; IT Operations; Server Operations; Data Analytics; Asset Management; Enterprise Architecture; Network Security; Threat Hunting; Log Storage; AppSec; Endpoint Security; Operational Technology Security; Threat Intelligence; Attack Surface Management; Forensics; Red & Purple Team; Tabletop Exercise; Content Engineering; Governance, Risk & Compliance; Security Automation; Reporting.



BREACH RESPONSE

A plan for assessing and mitigating the risk to assets potentially affected by a breach.

A breach is indicative of the attacker’s ability to exploit vulnerabilities, evade detection
mechanisms and carry out malicious actions, such as stealing sensitive data, causing
operational disruptions or deploying ransomware. It serves as a crucial milestone in
incident response because it highlights the attacker’s successful infiltration and
exploitation of the target, necessitating immediate action to mitigate the impact and
restore the integrity of the compromised system.

A successful breach response requires a plan separate from standard mitigation. The
breach response process defines an effective response during a business-disrupting
security incident in which IT infrastructure is adversely impacted. First, the cross-
functional stakeholders, including corporate communications, public relations and legal,
are identified. A timeline is established to identify how each stakeholder will be involved
and how they will be notified. Second, a SecOps lead responsible for providing information
to stakeholders must be identified, and necessary details on collected information need to
be defined. The frequency of updates, methods of updates and communication processes
should be included in the plan.

Predefined plans for disclosing company information and making public announcements
are likely in place. However, policies and proper training may need to be created to
prevent disclosure of breach details beyond the breach response team. There needs to be
an understanding of privileged information and non-disclosure policies. Breach response
plans require periodic testing throughout the year, at least once without the security
operations team’s prior knowledge.

Related Elements: Case Documentation; Business Liaison; Forensics; Red & Purple Teams; Knowledge Management Tools; Severity Triage; Cloud Security; Governance, Risk & Compliance; Tabletop Exercise; Data Analytics; Asset Management; Enterprise Architecture; IT Operations; Reporting; Log Storage; Attack Surface Management; Endpoint Security; Network Security; Governance.



MITIGATION

Once an incident has been validated as malicious, a mitigation strategy must be executed.

When an analyst has a comprehensive understanding of the ongoing activities and
potential impact of an attack on a network, their primary objective is to swiftly halt the
attacker’s current activity and develop a robust solution to secure the environment.
Mitigation plays a vital role in this process because it defines the procedures and actions
necessary to promptly contain the threat, thus minimizing potential damage to the
network. Mitigation involves a meticulous documentation of the recommended actions
that the SOC could undertake, leveraging the knowledge and expertise of the security
operations team. Temporary controls are implemented as part of the mitigation process to
immediately disrupt the attack and mitigate any further harm.

The mitigation process is not an isolated event but a crucial component of the continuous
improvement cycle within security operations. As incidents are addressed and analyzed,
proactive controls are identified based on the lessons learned from past experiences.
These proactive controls aim to enhance the organization’s overall security posture and
prevent similar incidents from occurring in the future. Insights and recommendations
for capabilities improvement are further discussed and incorporated into the continuous
improvement process. By iteratively enhancing its capabilities and refining its mitigation
strategies, the organization can better defend against evolving threats and strengthen its
overall security resilience.

Related Elements: Change Control; Visibility Tuning; Governance, Risk & Compliance; Red & Purple Teams; Data Analytics; Case Documentation; Asset Management; Help Desk; Tabletop Exercise; Log Storage; Capability Improvement; Cloud Security; Network Security; Reporting; Machine Learning & Artificial Intelligence; Process Improvement; Endpoint Security; Operational Technology Security; Knowledge Management Tools; Security Orchestration, Automation & Response.



PRE-APPROVED MITIGATION SCENARIOS

This process bypasses traditional change controls to enable swift remediation of
cyberthreats based on the severity of the incident and the associated risks to the
business.

A pre-approved mitigation scenario involves parameters and guidelines that allow security
analysts to take immediate action without the need for additional approvals. This approach
prioritizes speed and agility in responding to security incidents while still considering the
potential impact on the organization’s overall risk posture. By empowering analysts to
make timely decisions within established parameters, pre-approved mitigation enhances
the organization’s ability to effectively contain and mitigate cyberthreats.

The incident response team should have a documented list of pre-approved scenarios the
analysts can use to mitigate incidents. Examples of pre-approved mitigation scenarios may
include freezing a process, locking a system or quarantining a device. Another example
is a dynamic process to block a specific Indicator of Compromise (IoC), such as a known
bad URL, domain or IP address, without requiring a formal change request for each block.
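A policy check for this decision, added here as an example and not taken from the guide: it decides whether a proposed containment action is covered by a pre-approved scenario (execute now, keeping the audit and rollback record that change control needs) or must wait for a change request. The scenario list, severity scale, asset-criticality limits, internal address ranges and rollback map are constructed assumptions.

```python
"""Decide whether a proposed containment action is covered by a pre-approved
mitigation scenario (execute now, keep the audit and rollback record) or has
to go through a change request first.

Added example, not from the guide. The severity scale (1 low .. 4 critical),
asset-criticality limits, scenario list, internal address ranges and rollback
map are constructed assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Ranges an analyst must never block under the fast path (assumed internal space).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


@dataclass(frozen=True)
class Scenario:
    action: str
    min_severity: int           # pre-approved only at or above this severity
    max_asset_criticality: int  # and only for assets at or below this criticality
    ioc_types: frozenset = frozenset()


# Constructed list; the guide names freezing a process, locking a system,
# quarantining a device and blocking an IoC as typical pre-approved scenarios.
PRE_APPROVED = (
    Scenario("freeze_process", min_severity=2, max_asset_criticality=3),
    Scenario("lock_system", min_severity=3, max_asset_criticality=2),
    Scenario("quarantine_device", min_severity=3, max_asset_criticality=2),
    Scenario("block_ioc", min_severity=1, max_asset_criticality=4,
             ioc_types=frozenset({"ip", "domain", "url"})),
)

# Change control needs a documented rollback for every fast-path action.
ROLLBACK = {"freeze_process": "resume_process", "lock_system": "unlock_system",
            "quarantine_device": "release_device", "block_ioc": "unblock_ioc"}


@dataclass(frozen=True)
class Proposal:
    incident_id: str
    analyst: str
    action: str
    severity: int
    asset_criticality: int
    ioc: Optional[str] = None


def classify_ioc(value: str) -> Optional[str]:
    """Return 'ip', 'domain' or 'url' for a blockable indicator, else None.
    Internal addresses return None so a typo cannot cut off infrastructure."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        if value.lower().startswith(("http://", "https://")):
            return "url"
        return "domain" if DOMAIN_RE.match(value) else None
    return None if any(addr in net for net in INTERNAL_NETS) else "ip"


def decide(p: Proposal, scenarios=PRE_APPROVED) -> dict:
    """Route the proposal and return the record that case documentation keeps."""
    scenario = next((s for s in scenarios if s.action == p.action), None)
    reason = None
    if scenario is None:
        reason = f"{p.action} is not a pre-approved scenario"
    elif p.severity < scenario.min_severity:
        reason = f"severity {p.severity} is below the pre-approved minimum {scenario.min_severity}"
    elif p.asset_criticality > scenario.max_asset_criticality:
        reason = (f"asset criticality {p.asset_criticality} exceeds the limit "
                  f"{scenario.max_asset_criticality}; needs a change request")
    elif scenario.ioc_types and classify_ioc(p.ioc or "") not in scenario.ioc_types:
        reason = f"{p.ioc!r} is not a blockable external IoC"
    return {
        "incident_id": p.incident_id, "analyst": p.analyst, "action": p.action,
        "target": p.ioc, "route": "change_request" if reason else "execute",
        "reason": reason or "matches pre-approved scenario",
        "rollback": ROLLBACK.get(p.action),
    }
```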

Related Elements: Change Control; Visibility Tuning; Governance, Risk & Compliance; Red & Purple Teams; Data Analytics; Case Documentation; Asset Management; Help Desk; Tabletop Exercise; Log Storage; Capability Improvement; Cloud Security; Network Security; Reporting; Process Improvement; Endpoint Security; Operational Technology Security; Knowledge Management Tools.



CHANGE CONTROL

Change control serves as the initial step in the mitigation phase.

Whether mitigation is carried out manually or through automation, a well-defined change
control process is necessary to oversee, document and regulate changes made to the
environment. It is often necessary to collaborate with affiliated teams to establish a specific
time frame during which security personnel are authorized to modify the infrastructure,
ensuring prompt mitigation of critical assets.

Effective change control processes ensure alterations to the environment have minimal
impact on business productivity, and any changes are documented for rollbacks.
Administrators must identify information required for documentation and create a process
with formalized templates to ensure requests for changes are consistent. Timelines are
essential for review and rollback procedures, as these will need to be part of the change
control process. It will also be necessary to document specific details around individuals
authorized to request changes, change request processes, prerequisites and change
windows available for the modification.

Related Elements: Alerting; Pre-approved Mitigation; Tabletop Exercise; Case Management; Data Analytics; Case Documentation; Governance, Risk & Compliance; Reporting; Knowledge Management Tools; Log Storage; Mitigation; Red & Purple Teams.

Many security organizations see change as a threat instead of seeing it as an opportunity
to guide progress in a way that accelerates the business while reducing risk. Change is
continuous. We can’t control everything, so we need to provide the guardrails for changes
so the business can move as fast as required to service customers.

GARETH BARUCH
Global Solution Architect,
Cloud Security,
Palo Alto Networks



VISIBILITY TUNING

After an event and subsequent investigation, security staff will make adjustments to the
alerting system, known as visibility tuning.

This crucial step helps minimize false positives and low-fidelity alerts within the SOC.
During a security incident, an analyst might identify opportunities to enhance incident
detection and increase visibility through centralized log monitoring. In response, the
analyst will optimize the tuning process to improve visibility for future incidents. The
tuning process is guided by metrics collected from SOC systems and involves retiring alerts
that are outdated or ineffective.

The tuning process will identify:

• Who or what triggers visibility
• Thresholds for alert triggers
• A review process for existing alerts

It’s recommended that security staff review alerts quarterly, with a monthly review of
alert metrics.
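An added example (not from the guide) of the metrics-driven side of tuning: per-alert precision is computed from the cases each rule produced during a review window, and every rule in the catalog is marked keep, raise threshold or retire, including rules that never fired. Rule IDs, case records and the thresholds are constructed assumptions.

```python
"""Metrics-driven visibility tuning: score each alert rule by the precision of
the cases it produced during a review window and recommend what to do with it.

Added example, not from the guide. Rule IDs, case records and the thresholds
(10 fires minimum, retire under 5% precision, raise threshold under 30%) are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ClosedCase:
    rule_id: str
    disposition: str   # "true_positive" or "false_positive", set at case close
    closed: date


# Constructed rule catalog; rules that never fire still need a verdict.
RULE_CATALOG = ("R-100", "R-200", "R-300", "R-400", "R-500")
# Quarterly review window (assumed Q1 2024).
REVIEW_WINDOW = (date(2024, 1, 1), date(2024, 3, 31))


def constructed_cases(rule_id, n_tp, n_fp, start=date(2024, 1, 2)):
    """Build closed cases one per day so they fall inside the review window."""
    cases = []
    for i in range(n_tp + n_fp):
        disp = "true_positive" if i < n_tp else "false_positive"
        cases.append(ClosedCase(rule_id, disp, start + timedelta(days=i)))
    return cases


CASES = (constructed_cases("R-100", 12, 8)
         + constructed_cases("R-200", 1, 29)
         + constructed_cases("R-300", 3, 12)
         + constructed_cases("R-500", 0, 4)
         + constructed_cases("R-100", 5, 0, start=date(2023, 6, 1)))  # out of window


def rule_metrics(cases, catalog, window_start, window_end):
    """Per-rule fires, true/false positives and precision inside the window."""
    stats = {r: {"fires": 0, "tp": 0, "fp": 0, "precision": None} for r in catalog}
    for c in cases:
        if c.rule_id not in stats or not (window_start <= c.closed <= window_end):
            continue
        s = stats[c.rule_id]
        s["fires"] += 1
        s["tp" if c.disposition == "true_positive" else "fp"] += 1
    for s in stats.values():
        if s["fires"]:
            s["precision"] = s["tp"] / s["fires"]
    return stats


def recommend(stats, min_fires=10, retire_below=0.05, tune_below=0.30):
    """Map each rule to (action, reason) for the quarterly alert review."""
    verdicts = {}
    for rule, s in stats.items():
        if s["fires"] == 0:
            verdicts[rule] = ("retire", "no fires in window; likely outdated")
        elif s["fires"] < min_fires:
            verdicts[rule] = ("keep", f"only {s['fires']} fires; insufficient data")
        elif s["precision"] < retire_below:
            verdicts[rule] = ("retire", f"precision {s['precision']:.0%} over {s['fires']} fires")
        elif s["precision"] < tune_below:
            verdicts[rule] = ("raise_threshold", f"precision {s['precision']:.0%}; mostly noise")
        else:
            verdicts[rule] = ("keep", f"precision {s['precision']:.0%}")
    return verdicts


def quarterly_review(cases=CASES, catalog=RULE_CATALOG, window=REVIEW_WINDOW):
    return recommend(rule_metrics(cases, catalog, *window))


if __name__ == "__main__":
    for rule, (action, reason) in sorted(quarterly_review().items()):
        print(f"{rule}: {action:16s} {reason}")
```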

Related Elements: Case Documentation; Pre-approved Mitigation; Red & Purple Teams; Case Management; Data Analytics; Investigation; Content Engineering; Tabletop Exercises; Knowledge Management Tools; Log Storage; Mitigation; Governance, Risk & Compliance; Reporting.



PROCESS IMPROVEMENT

Throughout the investigation and incident response processes, security operations staff
continually identify new use cases, tools, techniques and features that strengthen or
enhance the incident response process.

They make adjustments based on the results from previous security incidents and new
threats. When done correctly, process improvement helps security operations receive
better qualified alerts and reduce the number of false positives.

New technologies introduced to SecOps and the business may require incident response
process updates. Process improvement includes information about the individuals
responsible for updating incident response processes, who must have a foundational
knowledge of incident response. Changes are not always made on a daily basis, so process
improvement needs to define how often each process is reviewed. All improvements need
to be reviewed for accuracy and clarity and communicated to affected staff.

Related Elements: Case Documentation; Pre-approved Mitigation; Tabletop Exercises; Case Management; Data Analytics; Investigation; Governance, Risk & Compliance; Reporting; Knowledge Management Tools; Log Storage; Mitigation; Red & Purple Teams.



CAPABILITY IMPROVEMENT

Prior incidents and lessons learned will drive capability improvement to better prevent and
mitigate threats in the future.

The capability improvement process in a SOC focuses on enhancing various capabilities
after mitigation activities. These improvements encompass strengthening preventive
measures, optimizing automation quality and expanding visibility to access contextual
information or logs beyond the scope of visibility tuning.

The objective of capability improvement varies, ranging from proactively preventing
attacks to minimizing breach response time and facilitating expedited investigations.
Although continuous improvement is ideal, it may not be feasible at all times. Thus,
a monthly incident review is crucial to identify potential opportunities for enhancing
capabilities.

Related Elements: Case Documentation; Asset Management; Enterprise Architecture; Red & Purple Teams; Knowledge Management Tools; Investigation; Attack Surface Management; Endpoint Security; Tabletop Exercises; Data Analytics; Mitigation; Content Engineering; Governance, Risk & Compliance; Reporting; Log Storage; Pre-approved Mitigation; Cloud Security; Network Security; Case Management.



QUALITY REVIEW

Quality review is the final phase of incident response and ensures that an analyst followed
the correct procedures and validated their work.

A quality review confirms consistency among the analysts on the SecOps team. During
quality review, the analyst must verify that the appropriate information is documented
at the time the incident is closed so it can be used for future training. Peer reviews are
encouraged during a quality review.

The SOC will need to document who is responsible for reviewing changes and closed cases,
and security operations staff will determine the next time processes will be reviewed.
SecOps staff create processes to define the severity of cases that require review, the
items for review, feedback that will be provided and training opportunities after reviews.
Training must be delivered to the security operations organization and stakeholders to
improve the overall efficiency and efficacy of preventing breaches.

Related Elements: Case Documentation; Red & Purple Teams; Reporting; Data Analytics; Governance, Risk & Compliance; Tabletop Exercises; Case Management; Log Storage.



SECURITY PILLAR 2: AFFILIATES

Security operations are not a silo and require several teams to function properly. The
affiliates pillar defines the people who support a SOC and perform manual functions that
cannot be done with automation. Interactions between teams must be defined so that
expectations are clearly stated. Identifying the scope of responsibility and separation of
duties will also reduce friction within an organization.

Palo Alto Networks has several teams that work directly with customer stakeholders and
operations staff, including global solutions architects, professional services consultants,
extended expertise consultants, customer success managers, service account managers
and designated engineers.

To determine teams and affiliates that are right for your business, ask the following
questions:
• What other functions of the business impact security operations?
• What other functions of the business do security operations impact?
• How will security operations work alongside these other teams?
• Who has ownership of responsibilities and what SLAs need to be documented?
• At what interval will team agreements be reviewed and updated?



There are five affiliate groups: incident response, business, vulnerability, enterprise and
security. The following provides an overview:
• Incident response groups have a direct influence on processes that include
automation, alert generation and improvements on the overall workflows. Incident
response processes would be inefficient or fail without these affiliates.
• Business affiliates communicate the stakeholder requirements and ensure that they
are met.
• Vulnerability affiliates are responsible for scanning the network, highlighting
vulnerability information and challenging SecOps via obfuscation and penetration of
current defenses.
• Enterprise affiliates keep network and user operations running.
• Security affiliates are the various security elements within an environment.



In order to create a successful SOC, simplify your security stack, prioritize capability
improvements, automate processes and measure progress.
• Simplify your security stack by focusing on capabilities that work together to achieve
your goals, rather than trying to implement every available tool in the market.
• Prioritize capability improvements based on the goals of your business to maintain
focus and direction.
• Automate repetitive processes, taking into account the criticality and impact of the
threat, as well as confidence in the data.
• Demonstrate continued improvement of the services provided to the business to build
confidence in the SOC.

TANNER KOOISTRA
Global Solution Architect,
Security Operations,
Palo Alto Networks

SECURITY AUTOMATION

Automation is critical for security success.

The security automation team is responsible for owning and maintaining automation
tools, identifying automation opportunities, and implementing them within the incident
response process. The security automation function should have a good understanding of
the incident response process and the ability to determine where automation can increase
accuracy and reduce time to respond holistically.

It is always necessary to consider the return on investment (ROI) before investing in
automation. When doing an ROI analysis, take special care to consider the ongoing cost of
maintenance and support. During prioritization of automation development, use cases that
can be automated at a greater frequency should be prioritized over others. For example,
if an automation opportunity would reduce ten minutes of an analyst’s time ten times
a day and would take three months to build, it should be prioritized over an automation
opportunity that would reduce an hour of an analyst’s time once a week and take two
months to build.
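The ROI comparison above, worked through in code as an added example that is not part of the guide; it also folds in the ongoing maintenance cost the text says to account for. The working-day, engineering-hour and horizon figures and the maintenance load are assumptions labelled in the code.

```python
"""Rank security-automation candidates by the analyst time they return per
engineering hour invested, following the ROI argument in the text.

Added example; not from the guide. Assumptions: 250 analyst working days
and 52 weeks per year, 160 engineering hours per build month, a three-year
horizon and a flat maintenance cost per automation per month.
"""
from dataclasses import dataclass

WORK_DAYS_PER_YEAR = 250           # assumption
WEEKS_PER_YEAR = 52
ENGINEER_HOURS_PER_MONTH = 160     # assumption
HORIZON_YEARS = 3                  # assumption, matches the three-year goal in the text


@dataclass(frozen=True)
class Candidate:
    name: str
    minutes_saved_per_run: float
    runs_per_year: float
    build_months: float
    maintenance_hours_per_month: float = 0.0


def daily(runs_per_day: float) -> float:
    """Convert an 'N times a day' frequency into runs per year."""
    return runs_per_day * WORK_DAYS_PER_YEAR


def weekly(runs_per_week: float) -> float:
    """Convert an 'N times a week' frequency into runs per year."""
    return runs_per_week * WEEKS_PER_YEAR


def annual_hours_saved(c: Candidate) -> float:
    return c.minutes_saved_per_run * c.runs_per_year / 60.0


def build_hours(c: Candidate) -> float:
    return c.build_months * ENGINEER_HOURS_PER_MONTH


def net_hours(c: Candidate, horizon_years: int = HORIZON_YEARS) -> float:
    """Analyst hours returned over the horizon minus build and maintenance effort."""
    maintenance = c.maintenance_hours_per_month * 12 * horizon_years
    return annual_hours_saved(c) * horizon_years - build_hours(c) - maintenance


def payback_years(c: Candidate) -> float:
    """Years until savings (net of maintenance) repay the build effort."""
    net_per_year = annual_hours_saved(c) - c.maintenance_hours_per_month * 12
    return build_hours(c) / net_per_year if net_per_year > 0 else float("inf")


def prioritize(candidates):
    """Highest net return first; a negative net over the horizon means do not build yet."""
    return sorted(candidates, key=net_hours, reverse=True)


# The two opportunities compared in the text, plus a constructed maintenance load.
FREQUENT = Candidate("enrich-alert-context", 10, daily(10), build_months=3,
                     maintenance_hours_per_month=4)
RARE = Candidate("weekly-report-assembly", 60, weekly(1), build_months=2,
                 maintenance_hours_per_month=4)

if __name__ == "__main__":
    for c in prioritize([RARE, FREQUENT]):
        print(f"{c.name:24s} saves {annual_hours_saved(c):7.1f} h/yr  "
              f"net {net_hours(c):8.1f} h over {HORIZON_YEARS} yrs  "
              f"payback {payback_years(c):.1f} yrs")
```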

The security automation function should work continually with SecOps to receive
feedback on the automations they currently have in place, help fix existing problems
and determine areas for automation improvement. When done correctly, security
automation can result in cost and workforce efficiencies. This is a good three-year goal
for an established organization: automate 50% of SOC work. By year five, most SOC teams
can automate upwards of 75% of activities, freeing up engineers to perform threat
hunting.

Related Elements: Escalation Process; Business Liaison; SOC Infrastructure; Machine Learning & Artificial Intelligence; Interface Agreement; DevSecOps; Tabletop Exercise; Security Orchestration, Automation & Response; Incident Distribution; Red & Purple Teams; Collaboration.



CONTENT ENGINEERING

Security staff use content engineering, also known as detection engineering, to build
alerts and determine which alerts are forwarded for investigation.

A content engineer will analyze available tools, infrastructure capabilities and current
alerts to identify opportunities for new triggers to send to analysts for further review.

At least one content engineer must understand the visibility needed for incident response,
but they also need to be independent from the incident response team to ensure self-
interest does not interfere with a review. Additionally, there must be a standardized rollout
process for each alert created.

An interface agreement between SecOps and the content engineering team needs to define
frequency of updates, the vetting process and feedback. It will identify ways staff members
request new or modified alerts. Properly configured alerts allow for prioritization of events
based on severity.

Related Elements: Alerting; Red & Purple Teams; Cloud Threat Analysis; Virtual Asset Protection; Intrusion Prevention Systems; Case Documentation; Threat Intelligence; Data Capture; Vulnerability Management; Log Storage; Capability Improvement; Employee Utilization; Encrypted Traffic Visibility; Behavioral Analysis; Machine Learning & Artificial Intelligence; Interface Agreement; Tabletop Exercises; Industrial IoT; Data Analytics; Malware Sandbox; Incident Distribution; Collaboration; Internet of Things; Deception Techniques; Network Access Control; Visibility Tuning; Asset Management Tools; Knowledge Management Tools; Email Security; Secure Access Service Edge; Attack Surface Management; Analysis Tools; Layer 7 Inspection; Endpoint Security; Security Orchestration, Automation & Response; Business Liaison; Case Management; Operational Technology; Firewall; Virtual Private Network; DevSecOps; Correlation; Threat Intelligence Management; Identity & Access Management; Web Application Firewall.



FORENSICS

Security operations staff perform forensics encompassing root cause analysis and response
during a data breach.

A forensics analyst investigates incidents and reviews evidence to determine what
happened, why it happened and how to recover from it. If any evidence is found, forensics
would work toward recovering lost data from exfiltration, destruction or ransoming.

Forensics analysts collect and document evidence used for legal purposes. The forensics
process is firmly outside of the incident response team and focused solely on identifying
the root cause of an event. It leverages several strategies, such as malware analysis or
reverse engineering, to retrieve evidence and complete a response. Information gathered
from an analysis is shared with the appropriate affiliates and necessary stakeholders.

Figure: Beginner SOAR (Source: IDC, 2021).

Related Elements: Breach Response; Interface Agreement; Business Liaison; Tabletop Exercises; Analysis Tools; Escalation Process; Severity Triage; Red & Purple Team; Collaboration.



SOC INFRASTRUCTURE

To offer effective detection and mitigation, security operations need the right
infrastructure and tools to support incident response.

The SOC infrastructure team maintains redundancy, availability and visibility within
security infrastructure. The infrastructure team must be prepared for unforeseen
circumstances, such as a rapid rollout of an at-home workforce during a pandemic.

Security operations staff must define an infrastructure team’s job function. Will they
be responsible for licensing, maintaining and updating tools? Will they manage the
underlying architecture (e.g., CPU, RAM, storage, cloud implementation) or will that be
handled by another team? SLAs with the team are defined to cut down on friction between
teams and to establish clear interface agreement. It is important that each member of the
team can identify their job responsibilities to ensure the correct tools and procedures are
always implemented and up-to-date.

Related Elements: Alerting; Business Liaison; DevSecOps; Security Automation; Collaboration; Interface Agreement; Content Engineering; Red & Purple Team; Tabletop Exercise.



THREAT HUNTING

Organizations must prepare for unforeseen events, and threat hunting is a project-based
process ancillary to incident response, responsible for identifying zero-day threats and
emerging attacks.

Threat hunting is a structured, agile sprint with a definitive beginning and end to gather
information for the benefit of the SecOps team. A threat hunt investigates strings known to
deliver malicious payloads. If a string is determined to be benign, it is retired or revisited at
another time.

There are three types of threat hunting: structured, tool and unstructured. Structured
threat hunting happens when analysts actively search for incidents that did not result in
an alert. Tool hunting uses machines to hunt based on algorithms and machine learning
to find anomalies that trigger an alert. Unstructured threat hunting generates data that
analysts can search to identify anomalies and is often replaced by tool hunting.

A threat hunting outcome provides feedback for capability improvements and visibility
tuning to refine alerts and reduce false positives. Analysts use threat hunting to better
detect and mitigate future threats that might not be seen yet in the wild.

Related Elements: Alerting; Red & Purple Team; Metrics; Correlation; Case Documentation; Threat Intelligence; Reporting; Threat Intelligence Management; Interface Agreement; Tabletop Exercise; Analysis Tools; Data Analytics; Business Liaison; Collaboration; Case Management; Log Storage.

Threat hunting is smart people looking for things missed in all other ways.

PETER WLODARCZYK
Senior Consultant,
Endpoint & Security Operations Services,
Palo Alto Networks



THREAT INTELLIGENCE

Like threat hunting, threat intelligence is ancillary to incident response and supports
threat hunting when done right.

A team of threat intelligence staff utilizes real-time information feeds from human and
automated sources for background details, specifics and consequences of present and
future cyber risks, threats, vulnerabilities and attack vectors. They also provide threat
landscape reports to security teams responsible for updating the organization’s security
stack. Threat intelligence notifies threat hunters and security operations teams when new
alerts and IoCs have been identified and validated.

Threat hunters use the information collected by threat intelligence to prioritize and
search for active IoCs. The content engineering team builds new alerts based on new IoCs
provided by threat intelligence. Threat intelligence increases security staff’s ability to
identify and investigate critical alerts, and it also helps reduce console burnout.

Related Elements: Alerting; Initial Research; Content Engineering; Tabletop Exercise; Threat Intelligence Management; Investigation; Severity Triage; Red & Purple Team; Collaboration; Deception Techniques; Interface Agreement; Business Liaison; Threat Hunting; Analysis Tools; Machine Learning & Artificial Intelligence.

If you find something in a hunt, you should never find it in a hunt again. You should
create content to alert or block the threat.

ALEX KREPELKA
Lead Security Engineer,
Palo Alto Networks



BUSINESS LIAISON

While security staff perform their day-to-day job functions, a business liaison supports the
team in communications with stakeholders.

The business liaison understands the business and helps identify and explain the impact
of security. This includes keeping up-to-date with new product launches and development
schedules, onboarding new branch offices and handling mergers and acquisitions where
legacy networks and applications need to be brought into the main security program.

A business liaison can also be responsible for partner, vendor and team communication
management. For example, if an organization were to switch from Google Workspace™ to
Microsoft 365™, new vulnerabilities and access points need monitoring. Additionally, new
use cases for Microsoft 365 must be implemented and other use cases that pertained to
Google Workspace could be retired.

Related Elements: Breach Response; Content Engineering; Forensics; Operational Technology Security; Threat Hunting; Interface Agreement; Cloud Security; Governance, Risk & Compliance; Red & Purple Team; Threat Intelligence; Asset Management; DevSecOps; Help Desk; Security Automation; Tabletop Exercise; AppSec; Enterprise Architecture; IT Operations; SOC Infrastructure; Collaboration; Attack Surface Management; Endpoint Security; Network Security; Server Operations.



GOVERNANCE, RISK & COMPLIANCE

A governance, risk and compliance (GRC) unit, also commonly referred to as InfoSec,
is responsible for assessing risk, ensuring industry standard compliance policies are
followed and creating guidelines to meet business objectives.

Compliance standards governing each organization vary based on industry. However,
common standards include PCI-DSS, HIPAA, CCPA, FINRA and GDPR. These standards
require different levels of protection, encryption and data storage. Organizations need to
communicate policies, such as GDPR, to all employees, while requirements are typically
handled by other groups. Breach disclosure requirements directly involve the security
operations team. As such, the SecOps team must communicate with the GRC team to define
escalation intervals, contacts, documentation and forensic requirements.

The GRC group governs risks and runs audits against the environment to discover non-
compliance. They notify security staff if any assets are found to be non-compliant, so that
adjustments can be made to ensure the organization meets compliance standards.

Related Elements: Alerting; Escalation Process; Process Improvement; Employee Utilization; Cloud Threat Analysis; Breach Response; Interface Agreement; Quality Review; Tabletop Exercise; Virtual Asset Protection; Change Control; Incident Distribution; Severity Triage; Continuity; Vulnerability Management Tools; Case Documentation; Initial Research; Visibility Tuning; Collaboration; Identity Access Management; Capability Improvement; Mitigation; Business Liaison; Governance; Network Access Control; Investigation; Pre-approved Mitigation; Red & Purple Team; Risk & Compliance.



RED & PURPLE TEAMS (Rp)
Aiding threat hunting and threat intelligence, Red and Purple Teams are responsible for actively searching for vulnerabilities within the environment.

The Red Team ethically obfuscates its actions in order to test the security operations team, finding vulnerabilities in their current practices. During this process, the Red Team will perform penetration testing, probe for vulnerabilities that may not have been patched or run exploits on newly found vulnerabilities. Actively attempting to exploit vulnerabilities is one way they help improve incident response.

Blue Teams make up the staff responsible for detecting and mitigating Red Team activity.
The Blue Team determines the efficacy of currently installed security infrastructure.

Composed of members from both the Red and Blue Teams, the Purple Team has a neutral interest in security operations success: if one team is noticeably winning, the Purple Team helps steer both the Red and Blue Teams back on course. For example, if the Red Team is not finding an opportunity to penetrate the network, the Purple Team provides additional guidance on targets to move the exercise forward. Conversely, if the Red Team is gaining a significant foothold, the Purple Team may step in to recommend detection and mitigation measures to the Blue Team, ensuring the engagement results in an active learning experience and helps the security team build necessary skills.

Adversarial emulation is critical for effective Red and Blue teaming. The Purple Team
assists with cyberthreat intelligence, offering tactics, techniques and procedures while
improving overall cyber resilience. Replaying steps of an attacker helps security operations
better prepare and respond to current threats.

PURPLE TEAM
• Facilitates Collaboration Among Red & Blue Team
• Improve Organizational Security Posture
• Test Skills of Both Red and Blue Teams

RED TEAM
• Offensive Security
• Penetration Testing
• Vulnerability Assessment
• Social Engineering

BLUE TEAM
• Defensive Security
• Incident Response
• Threat Hunting
• Operational Security
• Threat Intelligence



Related Elements: Alerting, Incident Distribution, Asset Management, Endpoint Security, SOC Infrastructure, Breach Response, Initial Research, AppSec, Forensics, Server Operations, Change Control, Mitigation, Attack Surface Management, Governance Risk & Compliance, Threat Hunting, Case Documentation, Pre-approved Mitigation, Business Liaison, Help Desk, Threat Intelligence, Capability Improvement, Process Improvement, Content Engineering, IT Operations, Tabletop Exercise, Investigation, Quality Review, Cloud Security, Network Security, Collaboration, Escalation Process, Severity Triage, DevSecOps, Operational Technology Security, Interface Agreement, Visibility Tuning, Enterprise Architecture, Security Automation



ENTERPRISE ARCHITECTURE (Ea)
Building enterprise architecture is critical for protecting the environment and meeting business requirements.

Enterprise architecture includes security components, connected networks, remote sites and disaster recovery plans. Security architecture must be implemented in the design phase of network planning and not added as an afterthought, in order to balance the security needs with the business needs.

Enterprise architecture designs cover the types of workstations and device portals used to connect to the network, along with workstation limitations. They do not necessarily cover network configurations, but do include infrastructure that must offer security and productivity, as well as the processes for creating and maintaining architecture flowcharts and diagrams. As new networks are deployed, the enterprise architecture team notifies the security operations team of the expanded attack surface.

Related Elements: Breach Response, Asset Management Tools, Internet of Things, Data Analytics, Machine Learning & Artificial Intelligence, Capability Improvement, Analysis Tools, Knowledge Management Tools, Deception Techniques, Malware Sandbox, Interface Agreement, Case Management, Layer 7 Inspection, Email Security, Network Access Control, Business Liaison, Correlation, Operational Technology, Endpoint Security, Secure Access Service Edge, Red & Purple Team, Cloud Threat Analysis, Threat Intelligence Management, Firewall, Security Orchestration Automation Response, SOC Infrastructure, Data Capture, Virtual Asset Protection, Identity & Access Management, Virtual Private Network, Tabletop Exercises, Encrypted Traffic Visibility, Vulnerability Management Tools, Intrusion Prevention Systems, Web Application Firewall, Collaboration, Industrial IoT, Behavioral Analysis, Log Storage

The most important question to answer when building out a security architecture is “What are we trying to protect?” The “How?” is secondary.

RAF VAN DER VEKEN
Global Practice Leader,
Advisory Services,
Palo Alto Networks



ATTACK SURFACE MANAGEMENT (Asm)
As the attack surface for the organization expands, attack surface management (ASM) is critical for the detection and mitigation of increasing risks.

ASM scans assets to find public-facing Internet Protocol (IP) addresses, detect unpatched
infrastructure and retire systems no longer in use.

The ASM team notifies the security operations team of any vulnerabilities so they can work
with either enterprise affiliates to decommission servers or security affiliates to retire
legacy systems that expose vulnerabilities.

Related Elements: Alerting, Interface Agreement, Red & Purple Team, Asset Management Tools, Breach Response, Business Liaison, Tabletop Exercise, Operational Technology, Capability Improvement, Content Engineering, Collaboration, Vulnerability Management Tools

Source: Pierre Lidome, “The SANS Guide to Evaluating Attack Surface Management,” SANS Institute, October 26, 2020

Defined by the SANS Institute:

Attack surface management “is an emerging category of solutions that aims to help
organizations address this challenge by providing an external perspective of an
organization’s attack surface. An organization’s attack surface is made up of all internet-
accessible hardware, software, SaaS and cloud assets that are discoverable by an attacker.
In short, your attack surface is any external asset that an adversary could discover, attack
and use to gain a foothold into your environment.”

SANS lists some common use cases for adoption of an ASM solution, including:
• Identification of external gaps in visibility
• Discovery of unknown assets and shadow IT
• Attack surface risk management
• Risk-based vulnerability prioritization
• Assessment of mergers and acquisitions (M&A) and subsidiary risk
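The ASM use cases above (unknown assets and shadow IT, retiring systems no longer in use, and risk-based prioritization of unpatched infrastructure) come down to reconciling what is discoverable from the outside with what the asset management database claims. The script below is an added example written for this guide, not code from the book, from SANS or from any Palo Alto Networks product. Every IP address, hostname, owner and version in it is constructed sample data, and the MIN_VERSION table is an assumed organizational patch floor rather than a vendor baseline.

```python
"""Reconcile an external attack-surface scan against the asset inventory.

Added example; it is not code from the book, from SANS or from any Palo Alto
Networks product. Every IP, hostname, owner and version below is constructed
sample data, and MIN_VERSION is an assumed patch baseline, not a vendor one.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    ip: str
    kind: str      # "unknown_asset", "stale_inventory" or "unpatched"
    detail: str
    priority: int  # 1 = act first


# Constructed asset-management records: what the organization believes exists.
INVENTORY = {
    "203.0.113.10": {"host": "www-1", "owner": "web-team", "status": "active"},
    "203.0.113.11": {"host": "vpn-1", "owner": "netsec", "status": "active"},
    "203.0.113.12": {"host": "old-ftp", "owner": "unknown", "status": "retired"},
}

# Constructed external scan: what is actually discoverable from the internet.
SCAN = [
    {"ip": "203.0.113.10", "port": 443, "service": "nginx", "version": "1.24.0"},
    {"ip": "203.0.113.11", "port": 443, "service": "openvpn", "version": "2.5.1"},
    {"ip": "203.0.113.12", "port": 21, "service": "vsftpd", "version": "2.0.5"},
    {"ip": "203.0.113.44", "port": 8080, "service": "jenkins", "version": "2.401"},
]

# Assumed policy floor: the lowest version the organization still accepts.
MIN_VERSION = {"nginx": "1.24.0", "openvpn": "2.6.0",
               "vsftpd": "3.0.0", "jenkins": "2.414"}


def version_tuple(v: str) -> tuple:
    """'2.5.1' -> (2, 5, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def reconcile(inventory: dict, scan: list, min_version: dict) -> list:
    """Return prioritized findings for the three ASM use cases in the text.

    unknown_asset   : exposed service with no inventory record (shadow IT)
    stale_inventory : inventory says retired, but the host still answers
    unpatched       : exposed service below the assumed policy floor
    """
    findings = []
    for svc in scan:
        ip, name, port = svc["ip"], svc["service"], svc["port"]
        record = inventory.get(ip)
        if record is None:
            findings.append(Finding(ip, "unknown_asset",
                            f"{name} on :{port} has no inventory record", 1))
            continue  # nothing else is known about this host
        if record["status"] == "retired":
            findings.append(Finding(ip, "stale_inventory",
                            f"{record['host']} is retired yet answers on :{port}", 1))
        floor = min_version.get(name)
        if floor and version_tuple(svc["version"]) < version_tuple(floor):
            # Unowned exposed software has nobody to patch it, so it ranks first.
            priority = 1 if record["owner"] == "unknown" else 2
            findings.append(Finding(ip, "unpatched",
                            f"{name} {svc['version']} is below floor {floor}", priority))
    return sorted(findings, key=lambda f: (f.priority, f.ip))


if __name__ == "__main__":
    for f in reconcile(INVENTORY, SCAN, MIN_VERSION):
        print(f"P{f.priority} {f.ip:<14} {f.kind:<16} {f.detail}")
```

On the constructed data this yields four findings: the retired FTP host that still answers (and runs software below the floor with no owner), the Jenkins instance nobody inventoried, and the VPN concentrator below its floor. The web server at exactly the floor version produces nothing, which is the point of comparing version tuples rather than strings.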



APPSEC (As)
To provide application security, vulnerability protection and monitoring must be included in an organization’s cybersecurity strategy.

When new vulnerabilities are found, application security (AppSec) validates that systems
are updated and patched. Otherwise, the security team is notified that changes are
required, and SecOps will need to be notified of vulnerabilities and IoCs in order to monitor
systems.

Application security teams communicate frequently with the content engineering team
to create new alerts, advise threat intelligence of new IoCs and gather feedback from the
threat hunting team about hunts conducted on new use cases.

Related Elements: Alerting, Business Liaison, Red & Purple Team, Collaboration, Layer 7 Inspection, Interface Agreement, DevSecOps, Tabletop Exercise, Analysis Tools, Vulnerability Management Tools



HELP DESK (Hd)
A help desk serves as IT support when users detect issues, either from their own workstations or while using network resources.

The help desk is usually a department within the organization, but it can also be an
outsourced service. Staff for the help desk provide end-user support for corporate IT
assets.

If an end user experiences bugs in applications on their system, there may be malicious
content on their machine. If a review determines that a machine is compromised, it’s
then quarantined. Conversely, when a device is quarantined with automated mitigation or
security teams cannot access it, security operations notify the help desk, which performs
mitigation on the infected device at a limited capacity to alleviate work for security staff.

Security operations frequently open tickets with the help desk to re-image machines,
request system patching or reject unauthorized assets from joining the network. The help
desk organization communicates often with the vulnerability management team about
patches, outdated operating systems, newly authorized operating systems and supported
platforms. Interactions with the help desk provide opportunities for automation, and
having a closed-loop process between the teams ensures IT requests are handled to reduce
noise in the SOC.

Related Elements: Interface Agreement, Pre-approved Mitigation, Information Technology Operations, Server Operations, Collaboration, Mitigation, Business Liaison, Red & Purple Team, Tabletop Exercise



ASSET MANAGEMENT (Am)
Asset management is a set of policies and processes used to account for devices connected to an organization’s network.

If security operations discover an issue with an asset, they work with the asset
management team to understand the asset, the asset responsibility and ownership. An
asset management database stores information, allowing the security operations team to
identify assets.

The asset management team is responsible for recording assets within a corporation,
helping investigate and communicating results to owners once the SecOps team performs
an investigation.

Related Elements: Alerting, Capability Improvement, Initial Research, Severity Triage, Tabletop Exercise, Breach Response, Investigation, Mitigation, Business Liaison, Collaboration, Case Documentation, Interface Agreement, Pre-Approved Mitigation, Red & Purple Team, Vulnerability Management Tools



DEVSECOPS (Ds)
A DevSecOps team is a collaboration of development, security and operations staff. The team is responsible for analyzing applications and adjusting security rules to allow for productivity without vulnerabilities.

Whereas application security is reactive after deployment, DevSecOps is proactive and controls security before deployments. The team is responsible for notifying security operations of any potential false positives and then making the appropriate exceptions so they are not inundated with false positive alerts when the application is launched. DevSecOps also notifies security operations of any data loss prevention (DLP) concerns.

Related Elements: Alerting, Business Liaison, Security Automation, Cloud Threat Analysis, Interface Agreement, Content Engineering, Tabletop Exercise, Vulnerability Management Tools, AppSec, Red & Purple Team, Collaboration

Over the past few years we’ve seen a movement in cloud-native security. Security in the DevOps world is no longer an afterthought but a necessity for organizations. Shifting left means fewer issues and vulnerabilities later in the application lifecycle.

H.S. SONG
Global Solution Architect,
Cloud Security,
Palo Alto Networks



INFORMATION TECHNOLOGY OPERATIONS (It)
Information technology operations (ITOps) oversees network hardware and software used for corporate productivity.

IT manages, monitors and responds to alerts from security systems, which is similar to
security operations but has unique differences. A team overseeing infrastructure manages
servers outside the scope of the help desk, including cloud operations for technologies that
include SaaS, platform as a service (PaaS), and infrastructure as a service (IaaS). ITOps
success is measured in uptime, system availability and performance. Availability will
almost always take precedence over vulnerability patching.

ITOps communicates with security operations during network outages. They also work
with security operations when assets run vulnerable operating systems. ITOps notifies
the security operations team of new software versions and deprecated operating systems.
When a vulnerable operating system is found, notifications are sent to threat hunting
staff and content engineers until IT can decommission the software or patch the codebase.
SecOps must be involved with the timeline between a discovered vulnerability and the
remediation.

Related Elements: Interface Agreement, Help Desk, Server Operations, Collaboration, Business Liaison, Red & Purple Team, Tabletop Exercise, Internet of Things

SERVER OPERATIONS (So)
Development, implementation and maintenance of servers is the responsibility of server operations.

This team works closely with attack surface management to help remediate vulnerabilities.
While the ITOps team looks at an organization’s network, the server operations team
oversees servers both internally and externally.

Related Elements: Interface Agreement, Help Desk, Red & Purple Team, Collaboration, Email Security, Business Liaison, Information Technology Operations, Tabletop Exercise, Deception Techniques, Endpoint Security



OPERATIONAL TECHNOLOGY SECURITY (Ots)
Operational technology locks down ingress and egress traffic when switching between the IT network and the OT network.

The operational technology (OT) security team is responsible for identifying and
understanding OT devices, internet of things (IoT) and industrial internet of things (IIoT)
connected on the network, along with managing and maintaining systems. This team
is much like a combination of an endpoint and network security team because many of
the monitored devices are unable to run an endpoint security application or traditional
firewalls. Identifying normal behavior from OT, IoT and IIoT devices is critical to maintain
security posture. This includes permissions to authorize activity from programmable logic
controllers (PLCs) or supervisory control and data acquisition (SCADA) systems, which can
be destructive to OT, IoT and IIoT processes. For example, data that comes from medical
equipment, such as MRI machines, needs to be securely stored and unreachable by certain
entities on a network.

[Chart: What do you see as the greatest cybersecurity threats to your OT/manufacturing environments today? Survey results not reproduced in text.]
Source: iSMG | Securing Industry 4.0 | Manage Cyber Risk in Smart Manufacturing Operations | 2022



[Chart: To what degree do you consider your enterprise to be a “smart manufacturing” company today? Survey results not reproduced in text.]
Source: iSMG | Securing Industry 4.0 | Manage Cyber Risk in Smart Manufacturing Operations | 2022

Similar to other security affiliates, the OT security team will communicate with asset
management, enterprise architecture, threat hunting and the content engineering teams to
identify active OT threat use cases and notify the security operations team.

It’s important that the security operations team is in contact with the operational
technology team to share discovered devices, operating system vulnerabilities and
necessary security controls for protection. The SecOps team also understands expected
traffic flow for the OT network and ensures that security operations are aware of abnormal
activity.

Related Elements: Interface Agreement, Pre-approved Mitigation, Red & Purple Team, Collaboration, Firewall, Mitigation, Business Liaison, Tabletop Exercise, Operational Technology



NETWORK SECURITY (Ns)
Security of an organization’s environment requires development, implementation and maintenance of the organization’s firewalls, intrusion prevention systems, SASE (Secure Access Service Edge) and any other hardware that physically connects networks together. Working alongside information technology operations and server operations, the network security team improves the organization’s security posture and visibility, with their main purpose being to manage vulnerabilities within hardware.

Communication between teams remains a vital aspect. The network security team will
establish a communication channel with the group implementing the network security
policy, which may or may not be a separate team. Change control processes will include any
specific information required for network security updates and follow the standard change
control steps established for other changes within the business.

Related Elements: Alerting, Business Liaison, Data Capture, Behavioral Analytics, Malware Sandbox, Breach Response, Red & Purple Team, Encrypted Traffic Visibility, Deception Techniques, Network Access Control, Capability Improvement, Server Operations, Internet of Things, Firewall, Secure Access Service Edge, Interface Agreement, Tabletop Exercise, Layer 7 Inspection, Identity & Access Management, Virtual Private Network, Mitigation, Collaboration, Operational Technology, Intrusion Prevention Systems, Web Application Firewall, Pre-approved Mitigation, Cloud Threat Analysis, Vulnerability Management Tools, Log Storage



ENDPOINT SECURITY (Es)
Endpoint security is responsible for the development, implementation and maintenance of the endpoint security policy.

The scope of the endpoint security team involves applying profiles to the various endpoints
throughout the network, including all PCs, Macs, servers, phones, tablets and assets that
are endpoint entities on a network.

All endpoints must be monitored for malicious activity, vulnerabilities, information that can be used for triggers and exceptions, as well as events occurring within an endpoint. The endpoint security team is responsible for collecting behavioral information about various endpoints, benchmarking standard behavior and identifying anomalies that trigger security alerts. For example, if there is a machine uploading a 10 MB file with financial information every Friday to an external server, this is a behavioral anomaly that the endpoint security team needs to review. Even if there is a reasonable explanation for the transfer, investigation is needed.

The endpoint security team works to ensure that behavioral profiles are set up properly
so that an anomaly is identified as abnormal in analyst alerts. If the anomaly is malicious,
security operations are made aware as quickly as possible.
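The benchmarking described above, where each endpoint's normal transfer size is learned and outsized transfers to external destinations are flagged and checked for recurrence (the every-Friday upload in the text), can be expressed as a small detection over egress records. The script below is an added example written for this guide, not code from the book or from any Palo Alto Networks product. Its log format, hosts, addresses, byte counts and timestamps are constructed sample data; the 10x multiplier and the list of internal address ranges are assumptions a real deployment would tune.

```python
"""Flag outsized outbound transfers per endpoint from constructed egress logs.

Added example; it is not code from the book or from any Palo Alto Networks
product. The log format, hosts, addresses, sizes and timestamps are constructed
sample data; MULTIPLIER and the internal-network list are assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed records, one per outbound transfer: timestamp,host,dst_ip,bytes_out
LOG = """\
2024-03-04T09:12:00Z,WS-FIN-07,10.0.5.21,204800
2024-03-05T10:40:00Z,WS-FIN-07,10.0.5.21,153600
2024-03-06T11:02:00Z,WS-FIN-07,172.16.9.4,307200
2024-03-07T14:15:00Z,WS-FIN-07,10.0.5.21,102400
2024-03-08T17:30:00Z,WS-FIN-07,198.51.100.7,10485760
2024-03-11T09:05:00Z,WS-FIN-07,10.0.5.21,204800
2024-03-12T10:22:00Z,WS-FIN-07,172.16.9.4,256000
2024-03-13T13:47:00Z,WS-FIN-07,10.0.5.21,184320
2024-03-14T15:10:00Z,WS-FIN-07,10.0.5.21,122880
2024-03-15T17:31:00Z,WS-FIN-07,198.51.100.7,10485760
2024-03-04T09:00:00Z,WS-ENG-02,10.0.5.21,4194304
2024-03-05T09:30:00Z,WS-ENG-02,198.51.100.9,5242880
2024-03-06T09:45:00Z,WS-ENG-02,10.0.5.21,3145728
2024-03-07T10:00:00Z,WS-ENG-02,198.51.100.9,6291456
"""

MULTIPLIER = 10  # assumed: a transfer over 10x the host's median size is outsized

# Assumed corporate address space; anything else is treated as external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def parse(log: str) -> list:
    """Turn the CSV text into dicts with a parsed timestamp and integer byte count."""
    rows = []
    for line in log.strip().splitlines():
        ts, host, dst, nbytes = line.split(",")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "host": host, "dst": dst, "bytes": int(nbytes)})
    return rows


def baseline(rows: list) -> dict:
    """Median bytes per transfer for each host: its benchmarked 'normal' size."""
    per_host = defaultdict(list)
    for r in rows:
        per_host[r["host"]].append(r["bytes"])
    return {host: statistics.median(sizes) for host, sizes in per_host.items()}


def find_anomalies(rows: list, multiplier: int = MULTIPLIER) -> list:
    """External transfers far above the host's baseline, with a recurrence flag.

    'recurring' is set when the same host sent an outsized transfer to the same
    external destination on the same weekday more than once, which is the
    every-Friday upload pattern the text gives as an example.
    """
    med = baseline(rows)
    hits = [r for r in rows
            if is_external(r["dst"]) and r["bytes"] > multiplier * med[r["host"]]]
    seen = defaultdict(int)
    for r in hits:
        seen[(r["host"], r["dst"], r["ts"].strftime("%A"))] += 1
    return [{"host": r["host"], "dst": r["dst"], "bytes": r["bytes"],
             "date": r["ts"].date().isoformat(),
             "weekday": r["ts"].strftime("%A"),
             "recurring": seen[(r["host"], r["dst"], r["ts"].strftime("%A"))] > 1}
            for r in hits]


if __name__ == "__main__":
    for anomaly in find_anomalies(parse(LOG)):
        print(anomaly)
```

Because the baseline is per host, the engineering workstation's routinely large external pushes stay below its own threshold and produce nothing, while the finance workstation's two 10 MB Friday uploads to the same external address are both flagged and marked recurring. Keeping the baseline per endpoint rather than fleet-wide is what turns a size threshold into a behavioral profile.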

Interface agreements are defined between the endpoint security, endpoint security policy
implementation and infrastructure deployment teams. The change control process
includes any specific information that is required for endpoint security updates but follows
the standard change control steps established for other changes within the business.
The team must communicate with the business to define endpoint technologies and
operating systems that will be authorized and address their security concerns. Regular
contact between the team and the business helps plan for any new systems that will be
incorporated into the business via technology adoption or M&A.

Related Elements: Alerting, Mitigation, Tabletop Exercise, Vulnerability Management Tools, Endpoint Security, Breach Response, Pre-approved Mitigation, Collaboration, Behavioral Analytics, Intrusion Prevention Systems, Capability Improvement, Business Liaison, Data Capture, Deception Techniques, Malware Sandbox, Interface Agreement, Red & Purple Team, Encrypted Traffic Visibility, Email Security



CLOUD SECURITY (Cs)
Cloud security policies are necessary for any business leveraging cloud platforms and infrastructure.

The cloud security team is responsible for the development, implementation and
maintenance of a cloud security policy and notifying SecOps of new assets and networks.
They are expected to implement security controls to various cloud assets as protection
against a compromise.

Security surrounding SASE applications and infrastructure as a security service (IaaSS) also falls under the cloud security team responsibilities. For example, the cloud security team is expected to reduce the likelihood of an attack against a SASE portal from compromised credentials. This includes setting up two-factor authentication (2FA) and security protocols, including virtual asset protection and firewalls to prevent access into infrastructure environments. When cloud infrastructure hosts servers, virtual firewalls must also be in place. Enterprise architecture and cloud security teams work together to design the cloud environment and ensure it’s protected from exploits.

Communication channels are created between the cloud security team and the group that
will implement the cloud security policy, which could be the same team. Although the
change control process overseeing cloud infrastructure documents information required
for the cloud security updates, it still follows the standard change control steps established
for other changes within the business.

Related Elements: Alerting, Mitigation, Tabletop Exercise, Virtual Asset Protection, Breach Response, Pre-approved Mitigation, Collaboration, Vulnerability Management Tools, Capability Improvement, Business Liaison, Cloud Threat Analysis, Deception Techniques, Interface Agreement, Red & Purple Team, Layer 7 Inspection, Malware Sandbox



Organizations don’t work with just one cloud provider. They work with multiple cloud environments, so it is important to provide consistent security across the continuum of environments. This enables the proper forensic data to be captured in ways that are useful and easily accessible to security analysts.

BEN NICHOLSON
Global Practice Leader,
Cloud Security,
Palo Alto Networks

SECURITY PILLAR 3:
PEOPLE

The people pillar defines the individuals that will be managing the SOC, interfacing with
stakeholders, investigating incidents and constantly improving processes. Many enterprise
organizations face challenges hiring and retaining analysts.

A few challenges common in security teams include:

• Keeping analysts challenged and satisfied with their position
• Finding the right talent to fill security roles
• Continuously monitoring and adjusting analyst staffing to align with the SOC’s business objectives and operational efficiency
• Enabling analysts to engage in self-development and growth activities, including dedicated time for threat hunting and intelligence research
• Chasing false positives

The people pillar ties in with automation to reduce analyst workloads and allow them to
focus on threat hunting and incident response on accurate alerts. Organizations must find
people that can handle workloads and fit the corporate culture.

64 People Pillar Elements


Questions that must be answered when choosing staff:
• How will we find staff and train them to fulfill their roles?
• What will we do to retain them?
• How will we manage the workloads of the staff?
• How will we validate the actions of the staff for efficacy?
• How will roles and responsibilities be defined and communicated?

Support for pillars depends on the staff hired to manage infrastructure and the SOC. The
people pillar comprises two categories: enablement and growth. Enablement ensures that
staff has the knowledge, resources and confidence needed to do their work well. Growth
establishes opportunities for people to progress in their skills and defines the roles and
responsibilities of each position. Both categories benefit the organization and help with
detection and mitigation of current and new threats.



Our great people are our most important resource. But adding more people isn’t the answer to achieving exceptional results. You’ve also got to have good processes and the right technology.

MICHAEL GREGG
Chief Information Security Officer,
North Dakota Information Technology

TRAINING (T)
Properly training staff within an organization creates consistency, drives effectiveness and reduces risk.

Training is about enabling personnel in their respective positions and supporting their growth within the industry, and it must never be left stagnant. When training is stagnant, employees limit their understanding of the latest trends, which means they cannot perform incident response and threat protection well.

An organization must understand requirements to onboard and help new staff get up to
speed with the goals and objectives of the security operations team. Onboarding training,
while accessible to all staff members, introduces new employees to formal documentation
around organizational infrastructure, tools, processes and communication. Impactful
onboarding programs include time for analysts to shadow existing analysts and frequently
update content to ensure accuracy. These types of programs help new employees develop
the skills, understanding and confidence needed to begin contributing much sooner than
those without.

Existing employees also require continuous education, which requires organizational support. This training needs to be developed based on a foundational knowledge base. Organizations must be aware of the latest technologies and trends that might affect the security operations process and analysis, including updates to analysis tools, new features, additional context or investigation methods.

Related Elements: Career Path Progression, Continuity, Case Management, Tabletop Exercise, Staffing, Knowledge Management Tools

One key hallmark of a profession (versus simply a trade) is the promotion of not only
training but true scholarship in the area of study. Accompanying that comes research
and theory that drives the profession to new heights and to greater applicability in the
workplace. This is particularly critical in cybersecurity, where practitioners have to be
able to make informed decisions at a faster rate than their opponents.

DR. JIM BORDERS, PhD
Lieutenant Colonel, USAF (RET),
Principal Intelligence Engineer,
MITRE



CONSISTENCY (C)
Consistency is what leads a SecOps team to high-fidelity answers following investigations and entails an unwavering approach.

Analysts also need to understand information they receive about a certain type of ticket and
the information needed to quantify an incident, but analysts can only be consistent when
they have robust processes and procedures in place.

Related Elements: Career Path Progression, Planning, Staffing, Knowledge Management Tools, Facility, Risk & Compliance, Case Management



TABLETOP EXERCISE (Tt)
Tabletop exercises are planned events where the stakeholders for security operations or the entire security organization walk through a simulated security event, testing standard processes and reactions to a type of incident to assess the consistency, enablement and training of the team and its affiliates. Exercises are primarily used to ensure security operations are prepared for a major incident and expose inconsistencies within the incident response processes. They can include simulated network activity or social engineering.

A tabletop should be conducted by someone who is not a stakeholder or involved in an organization’s incident response. Involving stakeholders could result in biased or skewed results that dampen the impact of deficiencies a stakeholder might be aware of but does not want to address. Engaging an outside organization or internal employee is best to ensure tabletop exercises are continually progressive.

[Figure: Palo Alto Networks Tabletop Exercises are custom-built, multi-scenario pen-and-paper exercises that engage affiliating teams and mimic a live environment. Goals shown: Expand Security Awareness Beyond SOC; Enable Organizational Collaboration; leverage the interactive nature of a tabletop for increased organizational awareness.]

Train like you fight—security teams need to have a sparring partner to develop new
defenses and build muscle memory. SOC teams continuously need to engage with Red
Teams (to run Purple Team exercises) and conduct adversary simulations to continuously
remain ahead of the threats.

LUCAS PIPPENGER
Active Defense Team Lead,
State of North Dakota



When developing a tabletop exercise, consider the following:
• What personnel will be involved?
• What is the appropriate degree of difficulty?
• Will this exercise be industry-specific?
• What affiliate teams will be involved?

Well-built tabletop exercises are built progressively with layers of depth, multiple answers
and multiple paths to succeed. Implementing red herrings into tabletops adds a degree
of complexity to an exercise, since it may lead SecOps down a rabbit hole and will allow
them to recognize the context that they missed themselves. Tailoring tabletops to the
organization’s industry and known attack vectors gives SecOps the opportunity to work
through a threat they may not be familiar with but could see in the future. If a tabletop
ventures outside the realm of an industry, it’s not entirely benefiting the stakeholders
involved in a meaningful way.

During execution, participants must be made aware that a tabletop is a role-playing exercise. As such, there are no consequences for getting the wrong answer, and it’s built to challenge participants to think outside of the box. If participants are exceeding the scope, it is recommended that additional elements be added to increase the degree of complexity and observe how the increased difficulty is handled.

Tabletop exercises should be conducted on a quarterly basis, or at the very least, annually.
When these exercises are conducted more regularly, processes will become more innate
to all involved. The results of each tabletop lead to the next tabletop and give a time frame
benchmark that allows participants to grow over time. Tabletops are not meant to become
routine, and thus, a particular scenario should never be repeated two times in a row.
When conducted well, tabletop exercises will keep the SecOps team vigilant and expose
inconsistencies as they arise.

Related Elements: Alerting, Incident Distribution, Asset Management, Endpoint Security, Security Automation, Breach Response, Initial Research, AppSec, Forensics, SOC Infrastructure, Change Control, Mitigation, Attack Surface Management, Governance Risk & Compliance, Server Operations, Case Documentation, Pre-approved Mitigation, Business Liaison, Help Desk, Threat Hunting, Capability Improvement, Process Improvement, Content Engineering, IT Operations, Threat Intelligence, Investigation, Quality Review, Cloud Security, Network Security, Training, Escalation Process, Severity Triage, DevSecOps, Operational Technology Security, Interface Agreement, Visibility Tuning, Enterprise Architecture, Red & Purple Team



EMPLOYEE UTILIZATION
Roles and responsibilities combined with utilization help organizations understand security operations’ capacity to perform incident response activities, while balancing other tasks, to reduce burnout and grow knowledge within the organization. Workload limits for employees help reduce employee burnout and allow organizations to internally grow team capabilities.

Employees need opportunities for challenges to gain experience necessary for career
progression. Providing these opportunities is beneficial for organizations as well, as
employees bring enhanced knowledge to their daily roles, leading to increased productivity.

Before content engineering, it was common to see analysts putting 100% of their time toward monitoring the queue. Once automation took over the first pass of the queue, analysts were given the opportunity to shift their focus to monitoring alerts, enrichment opportunities and investigations. However, this still leads to the age-old problem in the cyber industry of console burnout. It is not uncommon to see analysts staring at the same dashboard and responding to the same events day after day, which leads to higher employee turnover.

To help avoid burnout, analysts need opportunities to dedicate time to projects that
enhance their abilities and provide insight into the processes. Impactful projects provide
a sense of purpose, which leads to satisfaction, alleviates burnout and reduces employee
turnover.

At Palo Alto Networks, we use a 30-30-30 model:

• 30% of time is spent monitoring the queue
• 30% of time is spent doing automation or content engineering work
• 30% of time is spent threat hunting or identifying IoCs (see threat hunting in the Affiliates section)
• 10% of time is spent on administrative work



The 30-30-30 model provides analysts an opportunity for enrichment, content
engineering and threat hunting work, which helps the SecOps team achieve higher-fidelity
alerts and answers. Project work enables analysts to grow within an organization and
develop more experience in areas they are curious about. When there is an opportunity to
move up in the organization, they have had the experience to showcase their abilities to
take the next step and are prepared to move up as desired. Employee turnover is costly,
especially in cybersecurity, and keeping analysts long-term lowers costs of hiring and
training.

Related Elements: Alerting, Governance Risk & Compliance, Metrics, Content Engineering, Mission, Staffing.

There is a fallacy around tribal knowledge in that organizations get comfortable thinking that long-time staffers are more capable of protecting the business. In truth, this presumed “inside advantage” is often wrong. As is often the case, when security teams are polled on which IT assets either represent the organizational crown jewels, fall under the high category within the CIA triad or have compliance considerations, most are unable to provide a timely and accurate response.

JOE BONNELL
Founder & CEO,
Alchemy Security



CAREER PATH PROGRESSION
Career path progression is an area often overlooked in many businesses, not only in security operations centers.

It is important to have well-defined positions within an organization. A position needs to be clearly defined and explain the experience, knowledge and training that is expected. Role definitions allow employees to understand requirements and expectations of the role, identify positions for internal mobility and recognize skills they need to develop to reach that position. Similar to employee utilization, career path progression increases employee retention.

The skills required for career path progression are not limited to technical skills;
employees must also develop soft skills required to advance, such as positively influencing
peers, leading projects well and taking initiative. Soft skills also need to be defined for
positions so employees know where they can practice developing these skills.

When an employee is interested in moving to another role within the organization, the first step is having a conversation with their manager. Managers should make it known they are open to these conversations, and it is their responsibility to give team members opportunities to develop, so when an opportunity arises their team can take advantage of it. It is the employee’s responsibility to initiate the conversation if they want to advance, and to ask for feedback on the areas the manager sees they need to develop further in order to be successful in a new position.

Related Elements: Consistency, Collaboration, Reporting, Training, Metrics, Staffing.

Building great teams may be the most crucial element of a security program. In most
SOCs, it’s perhaps inevitable that attrition will be a problem, as the job can burn
analysts out while the skills they learn enable them to find more engaging work.
Great organizations find ways to automate the transactional security activities, to
free up their analysts to work on the things that excite them and matter more to the
organization.

BRETT WAHLEN
Chief Information Security Officer,
Amazon Prime Video



SECURITY PILLAR 4:
BUSINESS

The business pillar defines the purpose of the SecOps team to the organization. In every organization, a budget is required to fund and maintain its cybersecurity and security operations as well as unique business requirements. The cost of running a SOC should be outweighed by the losses it prevents from a compromise, while also meeting your business requirements for security and data integrity. The organization and SOC leaders must define the SOC functionality objectives to bring benefits to the business.

Business questions that should be answered before building a SOC:

• What’s the strategy to detect, contain, mitigate and remediate threats?
• What’s the tactical plan to implement effective security?
• How will security operations be managed?
• Who is needed to perform security functions?
• Where will security operations be carried out?
• What will it cost to perform security operations?
• How will the business know security is working effectively?
• How will the business track security activity and get updates?
• How will communication of security be handled with the rest of the business?



The business pillar consists of five categories:
mission, financial, executive visibility,
continuity and GRC.

The mission is foundational to the security operations team and critical for driving SecOps
goals and objectives. Financial elements encompass the budget and planning elements
and establish an understanding for SecOps’ requests for funding to meet their mission.
Executive visibility provides a means of conveying success to various stakeholders and
organizational leadership. Continuity ensures security operations run smoothly and stay
consistent with the mission. GRC audits an organization’s risk and establishes boundaries
for security operations around regulatory compliances and policies the business must
adhere to.



Fifty locks on a door makes a really
shi#ty door. If your security keeps the
business from doing what it needs to
do, you wrecked the door.

DAWN-MARIE HUTCHINSON
OnePharma Information Security Officer,
GSK
MISSION
Mission is the foundational element of an entire security operations team. The mission statement serves as the SOC’s objective and defines SecOps team job functions, how they do it and why they do it.

The mission statement also defines the purpose of security operations for the organization
and what the organization can expect from SecOps. The security operations team develops
the mission statement as a long-term driving goal established for security operations. The
statement drives and showcases successes within security operations by demonstrating
how the team is continually working toward or meeting the objectives.

When a security operations team is first established, the mission statement is the first
item defined and serves as the overarching goal that SecOps is looking to progress towards
and achieve. The mission statement drives the goals of the security operations team and
business objectives.

Related Elements: Severity Triage, Employee Utilization, Budget, Facility, Planning.

Palo Alto Networks Security Operations Center Mission Statement:

Defend our information and technology resources, intellectual property and ability to operate by disrupting our adversary’s ability to conduct their operations and achieve their desired outcomes.

A concrete action-oriented mission statement is foundational for a SOC’s culture. It should clearly guide a SOC’s everyday decisions, communicate the purpose of the SOC to stakeholders and serve as a measurable benchmark to showcase success.

STUART SAVAGE
Global Solution Architect,
Endpoint and Security Operations,
Palo Alto Networks



BUDGET
A financial plan for running a SOC begins with an agreement on the SOC’s mission. Then, the technology, staff, facility, training and additional needs to achieve that mission are identified, and a budget is established to meet the minimum requirements of the team.

A critical budgeting mistake is deciding on a budget first, a top-down approach, which results in friction between the capabilities the SOC can deliver and the expectations of the business. A plan that aligns with the mission must first be decided, costed and presented to executive leadership. If the approved budget is less than what was asked for, the security operations team can then show quantifiably which capabilities will be cut.

When a budget is granted, it will be allocated directly back to the plan. If the budget is lower
than proposed, the SecOps team will need to begin compromising to get the best plan with
the budget available.

The budget will need to address capital expenditure (CapEx) versus operating expenditure (OpEx), as well as initial start-up expenses versus continued operations expenses. Outside of staffing, much of the recurring spend is for licensed software and subscriptions rather than tangible assets. A business-savvy budgeting resource can help navigate these expenses and the business expectations.

Related Elements: Severity Triage, Facility, Mission, Planning.



PLANNING
Planning identifies and documents the main business drivers within a SOC’s processes, affiliates, people, business, visibility and technologies.

Proper planning encompasses every element of the security operations team and guides
the security organization towards achieving its goals. A plan includes details of the SOC’s
main business drivers, vision, strategy, service scope, deliverables, responsibilities,
accountability, operational hours, stakeholders and statement of success.

Planning is done with a three-year vision, which ensures continuity of operations and delivery of the expected value to the business even as executives rotate and execution priorities shift. Developing an investment strategy is also part of planning, and includes technology purchases, automation goals and staffing investments. Aligning the investment strategy tightly to the business priorities is important. For example, if there is a large M&A strategy or digital transformation to the cloud, the investment plan will support those initiatives.

Establishing strong plans also equips the security operations team with necessary details
to request budget needed, as they can show how the funds will be allocated. Without a plan,
it is hard to ask for the proper budget and show how the funds will help security operations
align with its mission for the business.

Related Elements: Severity Triage, Budget, Mission, Consistency, Facility, Staffing.

Smaller security operations organizations face the same challenges as large SOCs, at a smaller scale with fewer resources. Focus on priorities and planning is key.

ALEX WOOD
Vice President,
Information Security/Chief Information Security Officer,
Pulte Group, Inc



METRICS
Metrics are the quantifiable measurements used to showcase the efficiency of a security operations center.

Some foundational metrics have fallen out of favor, including events per analyst hour (EPAH) and mean time to resolution (MTTR). Both metrics have merit in providing an overarching understanding of whether there are more events than there are analysts to resolve them. However, neither metric is good at judging the success of security operations or the effectiveness of an analyst because they incentivize the wrong behavior.

Caution must be taken when measuring team member performance. Ranking top
performers by number of incidents handled can skew results and may lead to analysts
“cherry-picking” incidents that they can quickly resolve. Other metrics can showcase the
value of security operations and a drive toward being better.

There are three types of metrics:

• Business
• Operational
• Capability

Business-level metrics are a primary tool to measure against goals outlined by the
organization, showcasing the return on investment (ROI) and where further investment is
required. Operational metrics are used to measure against the SecOps team and supporting
teams, determining the actual effectiveness of team members, processes and procedures
being used. Capability metrics ensure technology is performing as expected, and the
visibility needed is continually implemented through continuous improvements.

Related Elements: Severity Triage, Career Path Progression, Reporting, Threat Hunting, Employee Utilization, Log Storage.

Metrics that matter provide confidence and drive change.

DUSTIN GRAY
Consulting Services Manager,
Endpoint and Security Operations,
Palo Alto Networks



REPORTING
Reporting offers visibility into the effectiveness of the security operations team using metrics.

Additionally, reporting quantifies activity and demonstrates the value the security operations team is providing to the business or client organizations, in the case of a managed security service provider (MSSP). Reports are typically generated daily, weekly and monthly and may vary in detail, depending on the stakeholder reviewing them. They are also generated in the case of a high-severity incident to help gather further context on the incident.

Reports collect data to show how well security operations are performing and where
deficiencies lie. The outcome of reporting will not necessarily drive changes in behavior;
reporting is meant to track current activity. Deficiencies are highlighted to help SecOps
teams identify where additional budget, headcount, technologies or improvements can be
made.

Daily reports include open incidents with details centered on daily activity. Weekly reports identify security trends to initiate threat-hunting activities, and include the number of cases opened and closed and the conclusions of the tickets (e.g., malicious, benign, false positives). The organization’s chosen reporting solution should include information such as the number of security use cases triggered, their severity and how alert volume is distributed across the hours of the day.

Monthly reports focus on the overall effectiveness of the SecOps function. These reports
cover topics such as how long events sit in queue before being triaged, whether staffing
in the SOC is sufficient for quick analysis and mitigation, the efficacy of rules to manage
emergencies and alert accuracy versus false positives.

Related Elements: Alerting, Capability Improvement, Incident Distribution, Process Improvement, Threat Hunting, Breach Response, Investigation, Initial Research, Quality Review, Career Path Progression, Change Control, Escalation Process, Mitigation, Severity Triage, Metrics, Case Documentation, Interface Agreement, Pre-approved Mitigation, Visibility Tuning, Log Storage.



CONTINUITY
Maintaining continuity results in consistency and ensures that no matter what goes wrong, security operations will continue to support organizational productivity.

Organizations have contingency plans in place to ensure continuity moving forward. If a facility is no longer available, a high-achieving analyst is out sick, or a chief information security officer (CISO) goes on vacation, a SOC must know how to continue operations appropriately.

This also relates to facility changes and shift handovers, where the security operations team needs to ensure continuity 24/7/365. If a key component to operating a SOC is lost, such as a log source or alert engine, an organization needs to have a plan to navigate the disaster and continue operating smoothly. Guidelines on surviving unforeseen catastrophes, such as a loss of data center connectivity, are often laid out in a disaster recovery plan. Disaster recovery exercises should be run with key personnel every year to ensure they are aware of what must be done in the event of a disaster.

Related Elements: Severity Triage, Training, Risk & Compliance, Governance Risk & Compliance, Governance, Case Management.



FACILITY
Facilities pertain to an organization’s plans to house their SOC.

A facility plan also refers to the workstations and equipment needed for employees to connect with infrastructure. With the onset of the COVID-19 pandemic, many security operations switched from a fully in-person setting to a fully remote setting.

When deciding on a facility, it is important that the SOC has its own separate space for the SecOps team to view events without outside entities peering over their shoulder and looking at the incidents or vulnerabilities within an organization. Only authorized personnel should be permitted to enter the SOC. Many companies are moving toward cyber-defense centers, or SOC fusion centers, where there is more than just the SecOps team sitting in one room. Fusion centers can help immensely with communication between teams.

If a breach does occur, a SecOps team will need access to a “war room,” which is segregated
from the main rooms, to handle an incident until it has been resolved. The war room is
where critical staff come together to determine the plan for mitigation, containment and
eradication of a threat. It’s important to have an operations plan if a facility becomes
unavailable.

Related Elements: Severity Triage, Budget, Planning, Consistency, Mission, Staffing.

A well-planned space for security operations builds confidence from the business and from customers. Giving tours of your SOC to those you provide services to allows them to gain a greater understanding of your capabilities and creates a forum to answer questions about the SOC’s capabilities.

WIKUS SAAIMAN
Director,
Information Security,
CITEC



STAFFING
With the rapid growth of the global cybersecurity workforce, demand for cybersecurity workers is growing even faster.

Staffing cybersecurity roles remains one of the biggest challenges in the technology
industry, and trying to hire security operations staff introduces additional layers of
complexity. Roles of a SOC can include Tier 1 analysts, Tier 2 analysts, Tier 3 analysts,
threat intelligence and hunting specialists, depending on the size of the organization.
Staffing a SOC includes recruiting, screening and selecting analysts and other personnel.

“The cybersecurity workforce is growing rapidly—with an estimated size of the global cybersecurity workforce close to 5 million people—the highest ever recorded. Demand for cybersecurity workers is growing even faster—with an estimated gap of almost 3.5 million workers.”

Source: ISC2-Cybersecurity-Workforce-Study, 2022

MOST UNDERSTAFFED AREAS OF SECURITY OPERATIONS
[Chart not reproduced in the text extraction.] * Similar to Tier 2 analysts but more experienced and focused on difficult/critical issues.

Source: ESG – SOC Modernization and the Role of XDR, 2022



Our Approach to Establishing a SOC

At Palo Alto Networks, our SOC story is highly optimized in that we actively chose
to break away from the traditional four-tier SOC approach, ranging from Tier 1
analysts who monitor, prioritize and investigate SIEM alerts to Tier 4 SOC managers
responsible for recruitment, security strategy and reporting to management. Taking
more of a hybrid approach, the Palo Alto Networks SOC team follows this general
philosophy:
• Staff the SOC so 80% of staff have previous SOC experience
• Cross-train the SOC team in all domains, including alert triage, incident
response, threat hunting, automation and others
• Provide a well-funded annual training budget for all analysts

Our rationale is that we can:
• Maintain a nimble team that is able to pivot between responsibilities (and tiers)
• Support business continuity
• Provide a more engaging atmosphere and reduce staff burnout
• Promote an environment of continuous learning
• Provide greater coverage with fewer staff by relying on the right technology to get the job done
• Maintain a work/life balance while giving SOC engineers a feeling of positive control of their destinies

Source: Cortex by Palo Alto Networks | Planning the Government SOC | White Paper | 2022

Considerations must be made for the staffing model chosen (e.g., 24x7, 8x5, co-sourcing). On-call staffing requirements must be defined for critical incidents as well as after-hours support requirements, which will drive the number of full-time employees required to meet the objectives of the team. Co-sourcing resources (e.g., analyst as a service) is a staffing option that may alleviate the strain for organizations experiencing hiring difficulties.

Proper staffing of a security organization ensures there are the right people in place to
meet the mission and objectives of the SOC. Using metrics, security operations ensure that
there are enough staff on each shift to cover spikes in events.

Organizations need to have established relationships with contracting companies to address additional short-notice staffing needs so they are able to onboard new staff quickly.

Related Elements: Severity Triage, Career Path Progression, Training, Planning, Consistency, Employee Utilization, Facility.



COLLABORATION
Collaboration refers to how a security operations team communicates internally with each other and externally with units outside of the SOC.

As more SOCs move to remote environments, it is paramount that collaboration is prioritized and collaboration expectations are understood by all stakeholders.

A set of tools is required to facilitate communication and collaboration within and around the security operations organization. This tool set can include features around ticketing, war room collaboration, shift turnover and process documentation, and may contain the entirety of the incident response documentation for every event. It can also include communication features, such as email distribution lists, shared inboxes, instant messaging and video conferencing tools.

Collaboration tools often incorporate other tools and are at high risk of feature duplication.
The SecOps team must define the primary tool(s) to be utilized and the information to
be captured, which will be the single source of truth to avoid duplication of information
and potential inaccuracies. Access typically extends beyond the security operations
organization, especially in the case of war rooms, so access control must be addressed for
the chosen tools.

Related Elements: Severity Triage, Content Engineering, Forensics, Operational Technology Security, Threat Hunting, Asset Management, Cloud Security, Governance Risk & Compliance, Red & Purple Team, Threat Intelligence, AppSec, DevSecOps, Help Desk, Security Automation, Career Path Progression, Attack Surface Management, Enterprise Architecture, IT Operations, SOC Infrastructure, Business Liaison, Endpoint Security, Network Security, Server Operations.



GOVERNANCE
Governance oversees the way information is handled within a security operations team to ensure that the organization stays compliant with various regulatory standards.

The responsibilities, policies and compliance items that affect security operations must
be defined and strictly adhered to; otherwise, the organization could face costly fines for
violations.

Governance measures security operations performance against the mission statement and defines the rules and processes put in place to ensure proper operation of the organization. Governance can include principles, mandates, standards, enforcement criteria and SLAs. Additionally, it will define how the SecOps team will be managed and who is responsible for ensuring the team is meeting the mission of the business.

Related Elements: Breach Response, Governance Risk & Compliance, Risk & Compliance, Knowledge Management Tools, Severity Triage, Continuity, Case Management.

Governance, at its best, enables teams to make decisions effectively and removes bureaucratic red tape. Conversely, poor governance stifles innovation, erodes trust and forces too many decisions to be made by senior leadership, distracting them from the strategic roadmap.

FRED THIELE
Chief Information Security Officer,
Transport for New South Wales



RISK & COMPLIANCE
Mitigating risk requires balancing costs and compliance. Risk and compliance is a process of determining acceptable risks for the business and helping stakeholders understand them.

Compliance sets the foundation for what acceptable risk looks like. It can be measured using data integrity, protected end-user information and adherence to the regional and international standards that apply to the business. Organizations need to ensure they are compliant with all relevant policies and understand the risks associated with being non-compliant. Risk and compliance cannot be successful unless an organization is using auditing standards. Audits check for any gaps in compliance, infrastructure and processes, and help security operations bring their systems into compliance.

Related Elements: Severity Triage, Governance Risk & Compliance, Consistency, Continuity, Governance.

With GDPR and now CCPA, businesses are having to rethink their SOC
strategies. Many data privacy laws include notification requirements
or private rights of action. It’s no longer enough to recognize you
have been breached. Businesses must understand—within the defined
notification periods—the “what” and the “how” required by the GRC
teams in order to work with regulatory bodies, including within any
defined notification periods.

HELMUT REISINGER
CEO for Europe,
Middle East and Africa,
Palo Alto Networks



SECURITY PILLAR 5:
VISIBILITY

The visibility pillar defines access controls and information necessary for the SOC to
monitor threats in the environment. This includes security and systems data, as well
as knowledge management content and communications between infrastructure tools.
Some capabilities are used purely as sensors to identify risks to the environment. The SOC
consumes and processes sensor data to generate alerts and identify incidents for threat
mitigation.

To give a SOC visibility, ask these questions:

• What primary security data is needed?
• What contextual data is needed?
• How often does this data need to be refreshed?
• What knowledge base information needs to be accessed?
• How will the security operations team see activity in the SOC?
• How will external teams see activity in the SOC?
• How will data integrity be monitored?
• How will new sensor data be brought into the SOC’s visibility?

For effective data protection, an organization’s SecOps staff must be aware of all elements
of the environment and receive the right data from various tools and cybersecurity
infrastructure. If an event didn’t log, it didn’t happen.

There are five components to visibility: enrichment, deep packet inspection, cloud traffic
inspection, packet capture and operational technologies. When executed well, each of
these components establishes a foundation for SecOps to have the proper visibility into the
network and organization.
Most SOCs have too many tools due to an “I need one of everything, best of breed” mentality, and the tools they do have are poorly implemented.

It is important to not only choose the right technologies but to fully utilize all of the features available in them. This cuts down the need for a bunch of tools that don’t work together and duplicate functionality.

ROBERT DODSON
Global Solution Architect,
Endpoint and Security Operations,
Palo Alto Networks
CORRELATION
Correlation is simply correlating two or more events together to quantify something malicious. A single event may look benign or normal; however, multiple events within a certain amount of time may indicate an attack. In the industry right now, there is a switch from manual correlation to automated correlation where ML and AI are infused into the process and help detect potentially malicious incidents. A SecOps team should identify what correlations should be in place and create the corresponding alert rules to help security operations identify potential incidents. This work should be conducted in conjunction with the content engineering function to implement them properly.
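The time-windowed correlation described above, as an added example that is not code from the original page or from any product: a rule that fires only when a successful login follows a run of failed logins for the same user and source inside a sliding window. Each line on its own is ordinary; the sequence is what the rule surfaces. The log line format, the field names, the threshold of five failures and the five-minute window are assumptions chosen for illustration, and the log lines are constructed, not captured.

```python
"""Time-windowed correlation of individually benign events.

Added example for this section; not code from the original page or from
any vendor product. The log format, field names and the threshold/window
values are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not captured from a real system).
# Assumed format: <ISO-8601 timestamp> <event> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-01T09:00:01 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T09:00:04 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T09:00:09 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T09:00:15 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T09:00:21 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T09:00:30 LOGIN_OK user=alice src=203.0.113.7
2024-03-01T09:01:00 LOGIN_FAILED user=bob src=198.51.100.2
2024-03-01T09:20:00 LOGIN_FAILED user=bob src=198.51.100.2
2024-03-01T09:40:00 LOGIN_FAILED user=bob src=198.51.100.2
2024-03-01T10:00:00 LOGIN_FAILED user=bob src=198.51.100.2
2024-03-01T10:20:00 LOGIN_FAILED user=bob src=198.51.100.2
2024-03-01T10:21:00 LOGIN_OK user=bob src=198.51.100.2
2024-03-01T11:00:00 LOGIN_OK user=carol src=192.0.2.9
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def correlate_brute_force(events, threshold=5, window_seconds=300):
    """Flag a LOGIN_OK preceded by >= threshold LOGIN_FAILED events for the
    same (user, src) pair within window_seconds.

    Each event on its own is ordinary; only the sequence inside the time
    window is suspicious, which is what the correlation surfaces.
    """
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        q = recent_failures[key]
        # Expire failures that have aged out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["event"] == "LOGIN_FAILED":
            q.append(ev["ts"])
        elif ev["event"] == "LOGIN_OK":
            if len(q) >= threshold:
                alerts.append({
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures": len(q),
                    "first_failure": q[0].isoformat(),
                    "success": ev["ts"].isoformat(),
                })
            q.clear()  # a success ends the sequence for this pair
    return alerts


if __name__ == "__main__":
    for alert in correlate_brute_force(parse_log(SAMPLE_LOG)):
        print(alert)
```

With the default five-minute window only alice's burst fires; bob's attempts, spaced twenty minutes apart, age out of the window before the success and go unnoticed. Widening the window to two hours catches bob as well, which is the tuning trade-off content engineering has to make: a wider window catches slower attackers at the cost of more benign sequences matching.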

Related Elements: Alerting, Case Management, Operational Technology, Endpoint Security, Secure Access Service Edge, Content Engineering, Cloud Threat Analysis, Threat Intelligence Management, Firewall, Security Orchestration Automation Response, Enterprise Architecture, Data Capture, Virtual Asset Protection, Identity & Access Management, Virtual Private Network, Threat Hunting, Encrypted Traffic Visibility, Vulnerability Management Tools, Intrusion Prevention Systems, Web Application Firewall, Metrics, Industrial IoT, Behavioral Analysis, Log Storage, Reporting, Internet of Things, Data Analytics, Machine Learning & Artificial Intelligence, Asset Management Tools, Knowledge Management Tools, Deception Techniques, Malware Sandbox, Analysis Tools, Layer 7 Inspection, Email Security, Network Access Control.

Analysts need all of the relevant information about the incident and
associated context available at their fingertips. Time spent tracking
down this information is time not spent responding to the attack.

MARCEL HOFFMANN
Former SOC Manager,
Hewlett Packard Enterprise



CASE MANAGEMENT
To create visibility into incident workflows, case management entails showing an analyst data, artifacts and notes on procedures and processes. A case management tool provides information on the way an incident was handled and how it occurred.

Case management requires a significant data retention policy. Specific cases are referenced
for future training material as new employees are onboarded. A case management system
tracks users involved in the case, the time spent on a case, the amount of time the case was
idle, and idle time between phases. These metrics provide a security operations manager or
director with visibility statistics.

Security operations teams need a clear protocol for documenting and escalating incidents.
Case management is a collaborative process that involves documenting, monitoring,
tracking and notifying the entire organization of each security incident and its current
status. The minimum set of data points captured in a case, and the tool selected, must be
sufficient for a new analyst to take over the incident with only what is available in case
documentation. Often, organizations will use multiple tools, including ticketing, SOAR
and email for case management. Using more than one tool is ill-advised because data
continuity is severed and incident handling efficiency takes a hit.

Access controls are also necessary in case management to determine who has access to
the data and tools, how cases will be documented in a consistent manner and how teams
will collaborate to close out incidents. A case management system must be encrypted,
with strict access controls enforced due to the highly sensitive data that it will contain.
Case management software will provide visibility into the SecOps process by allowing for
collaboration with peers and including additional analysts on a case if needed.
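The metrics described above (who worked the case, time spent per phase, time the case sat idle, idle time between phases) can be derived from the case timeline that any case management tool records. The following is an added example, not code from the book or from any product it mentions: it assumes a constructed timeline of start/end work blocks per phase and computes those visibility statistics for a SecOps manager.

```python
from datetime import datetime, timedelta

# Constructed case timeline (sample data, not from the book). Each event is
# (timestamp, analyst, phase, action); a "start"/"end" pair brackets one block of
# active work. Gaps between an "end" and the next "start" are idle time.
CASE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "triage", "start"),
    ("2024-05-01T09:25:00", "alice", "triage", "end"),
    ("2024-05-01T11:00:00", "bob", "investigation", "start"),
    ("2024-05-01T12:30:00", "bob", "investigation", "end"),
    ("2024-05-01T12:45:00", "bob", "investigation", "start"),
    ("2024-05-01T13:15:00", "bob", "investigation", "end"),
    ("2024-05-02T08:00:00", "carol", "mitigation", "start"),
    ("2024-05-02T08:40:00", "carol", "mitigation", "end"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def case_metrics(events):
    """Compute the statistics a case management system tracks for a case:
    analysts involved, active time per phase, idle time inside a phase,
    idle time between phases and total wall-clock duration."""
    events = sorted(events, key=lambda e: e[0])
    analysts = sorted({e[1] for e in events})
    active = {}          # phase -> active work time
    idle_within = {}     # phase -> idle time between work blocks of that phase
    idle_between = timedelta(0)
    open_start = last_end = last_phase = None
    for ts, _analyst, phase, action in events:
        t = parse(ts)
        if action == "start":
            if open_start is not None:
                raise ValueError("overlapping work blocks")
            if last_end is not None:
                gap = t - last_end
                if phase == last_phase:
                    idle_within[phase] = idle_within.get(phase, timedelta(0)) + gap
                else:
                    idle_between += gap
            open_start = t
        elif action == "end":
            if open_start is None:
                raise ValueError("end without start")
            active[phase] = active.get(phase, timedelta(0)) + (t - open_start)
            open_start, last_end, last_phase = None, t, phase
        else:
            raise ValueError(f"unknown action {action!r}")
    total = parse(events[-1][0]) - parse(events[0][0])
    idle_total = idle_between + sum(idle_within.values(), timedelta(0))
    minutes = lambda d: d.total_seconds() / 60
    return {
        "analysts": analysts,
        "active_minutes": {p: minutes(d) for p, d in active.items()},
        "idle_within_minutes": {p: minutes(d) for p, d in idle_within.items()},
        "idle_between_phases_minutes": minutes(idle_between),
        "total_minutes": minutes(total),
        "idle_share": idle_total / total,   # fraction of the case's life spent waiting
    }


if __name__ == "__main__":
    for key, value in case_metrics(CASE_EVENTS).items():
        print(f"{key}: {value}")
```

The idle share is the number worth watching: in the sample, most of the case's life is the overnight wait before mitigation started, which is exactly the hand-off delay a manager wants to see rather than the analysts' active minutes.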

Related Elements: Alerting, Quality Review, Training, Correlation, Change Control, Severity Triage, Continuity, Knowledge Management Tools, Case Documentation, Visibility Tuning, Governance, Data Analytics, Capability Improvement, Content Engineering, Metrics, Security Orchestration Automation Response, Incident Distribution, Enterprise Architecture, Reporting, Process Improvement, Threat Hunting.



THREAT INTELLIGENCE MANAGEMENT (Tm)

Every day, new threats are introduced to the cybersecurity landscape. Threat intelligence
is a process, typically supported by a platform, that allows security operations to explore
current trends and potential zero-day knowledge.

Threat intelligence often includes visualization to help analysts better understand the
attack landscape. Threat intelligence management helps identify and quickly attribute a
specific APT (Advanced Persistent Threat), hacker group or attack pattern to the malicious
events security operations have observed.

Threat intelligence usually comes in the form of Indicators of Compromise (IoCs). IoCs are
the specific data points or strings of data that can be attributed to a type of attack.
Quality tactical threat intelligence will always show the IoC and the ways it evolved, giving
SecOps the context to validate the IoC's importance. Analysts should search the network to
see if the IoC is of interest to the security operations team and their organization. IoCs
can also be applied to OT environments: operational threat intelligence assists security
operations and content engineering in identifying new tactics, techniques and procedures
that are aimed at their operational technology. The team or person responsible for
content engineering should tune and create detection rules around every threat intelligence
discovery. Additionally, content engineering can use the IoCs gathered from the threat
intelligence platform to build a use case, or use cases, with the IP addresses, URLs,
DNS entries, known threat actors and correlations between them.
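The use case the paragraph describes (match IP, URL, DNS and hash IoCs from a feed against what the network actually logged, then correlate hits by the actor the feed attributes them to) is illustrated by the following added example. It is not code from the book or from any threat intelligence platform; the feed entries, actor names, log lines and the all-zero hash are constructed placeholders using documentation address ranges.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Constructed tactical threat-intel feed (placeholder values, not real indicators).
# first_seen/last_seen carry the "how it evolved" context an analyst uses to judge relevance.
PLACEHOLDER_SHA256 = "0" * 64
IOC_FEED = [
    {"type": "ip", "value": "203.0.113.45", "actor": "ACTOR-A", "first_seen": "2024-03-01", "last_seen": "2024-05-10"},
    {"type": "cidr", "value": "198.51.100.0/24", "actor": "ACTOR-A", "first_seen": "2024-04-12", "last_seen": "2024-05-10"},
    {"type": "domain", "value": "update-check.example", "actor": "ACTOR-B", "first_seen": "2024-05-01", "last_seen": "2024-05-10"},
    {"type": "url", "value": "http://files.example/payload.bin", "actor": "ACTOR-B", "first_seen": "2024-05-03", "last_seen": "2024-05-10"},
    {"type": "sha256", "value": PLACEHOLDER_SHA256, "actor": "ACTOR-B", "first_seen": "2024-05-03", "last_seen": "2024-05-10"},
]

# Constructed key=value log lines from proxy, DNS, firewall and EDR sources.
LOG_LINES = [
    "2024-05-11T10:02:11 proxy src=10.0.0.5 url=http://files.example/payload.bin status=200",
    "2024-05-11T10:03:40 dns client=10.0.0.7 query=www.update-check.example rtype=A",
    "2024-05-11T10:05:02 fw src=10.0.0.9 dst=198.51.100.77 dport=443 action=allow",
    f"2024-05-11T10:06:15 edr host=ws-12 sha256={PLACEHOLDER_SHA256} path=C:/Users/x/a.exe",
    "2024-05-11T10:07:00 fw src=10.0.0.3 dst=192.0.2.10 dport=443 action=allow",
]


def parse_log(line):
    ts, source, *rest = line.split()
    fields = dict(tok.split("=", 1) for tok in rest if "=" in tok)
    fields["_ts"], fields["_source"] = ts, source
    return fields


def build_index(feed):
    """Exact-match dictionaries per type plus a list of networks for CIDR indicators."""
    idx = {"ip": {}, "domain": {}, "url": {}, "sha256": {}, "cidr": []}
    for ioc in feed:
        if ioc["type"] == "cidr":
            idx["cidr"].append((ipaddress.ip_network(ioc["value"]), ioc))
        else:
            idx[ioc["type"]][ioc["value"].lower()] = ioc
    return idx


def match_ip(idx, ip):
    if ip in idx["ip"]:
        return idx["ip"][ip]
    addr = ipaddress.ip_address(ip)
    return next((ioc for net, ioc in idx["cidr"] if addr in net), None)


def match_domain(idx, name):
    # Walk up the parent labels so a subdomain of an indicator still matches.
    parts = name.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):
        ioc = idx["domain"].get(".".join(parts[i:]))
        if ioc:
            return ioc
    return None


def match_url(idx, url):
    return idx["url"].get(url.lower()) or match_domain(idx, urlparse(url).hostname or "")


def scan(lines, feed):
    """Return one hit per log line that contains an indicator from the feed."""
    idx = build_index(feed)
    hits = []
    for line in lines:
        f = parse_log(line)
        victim = f.get("src") or f.get("client") or f.get("host")
        if "url" in f:
            ioc = match_url(idx, f["url"])
        elif "query" in f:
            ioc = match_domain(idx, f["query"])
        elif "dst" in f:
            ioc = match_ip(idx, f["dst"])
        elif "sha256" in f:
            ioc = idx["sha256"].get(f["sha256"].lower())
        else:
            ioc = None
        if ioc:
            hits.append({"ts": f["_ts"], "source": f["_source"], "victim": victim,
                         "ioc": ioc["value"], "type": ioc["type"], "actor": ioc["actor"],
                         "seen": f"{ioc['first_seen']}..{ioc['last_seen']}"})
    return hits


def correlate_by_actor(hits):
    """Group affected hosts by attributed actor: several hosts touching one actor's
    infrastructure is the correlation a content engineer turns into a use case."""
    by_actor = defaultdict(set)
    for h in hits:
        by_actor[h["actor"]].add(h["victim"])
    return {actor: sorted(hosts) for actor, hosts in by_actor.items()}


if __name__ == "__main__":
    found = scan(LOG_LINES, IOC_FEED)
    for h in found:
        print(h)
    print(correlate_by_actor(found))
```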

Related Elements: Alerting, Severity Triage, Threat Hunting, Reporting, Machine Learning & Artificial Intelligence, Investigation, Content Engineering, Threat Intelligence, Correlation, Initial Research, Enterprise Architecture, Metrics, Data Analytics.

A dedicated team handling threat intelligence is not a requirement,
but the function is critical to the success of a SOC. Without it, you can
only protect against yesterday’s threats.

DARREN LAWLESS
Senior Manager,
Threat Monitoring,
IBM Security



VULNERABILITY MANAGEMENT TOOLS (Vm)

Effective cybersecurity and data protection is proactive, and vulnerability management
tools identify issues before they become critical data breaches. They enhance the incident
response process by enriching data and determining if an attack vector is valid against a
system. Vulnerability scanners identify potential weaknesses throughout systems, networks
and applications that feed into a vulnerability management system.

Attack surface management tools monitor external-facing public IP addresses, servers
and internal operating systems for known vulnerabilities. When threat intelligence feeds
announce new vulnerabilities and attack vectors, operating systems should be scanned
immediately. SecOps teams leverage this information to help direct threat hunting efforts
and create content engineering on vulnerable areas. Vulnerabilities are communicated to
the affiliating teams to aid in vulnerability remediation or patching.

To have effective vulnerability management, it’s critical that security operations have
proper asset management in place.

Related Elements: Alerting, Cloud Security, Metrics, Data Analytics, Initial Research, DevSecOps, Reporting, Machine Learning & Artificial Intelligence, Asset Management, Enterprise Architecture, Asset Management Tools, AppSec, Endpoint Security, Correlation, Attack Surface Management, Governance, Risk & Compliance, Operational Technology, Content Engineering, Network Security.

Source: iSMG | Securing Industry 4.0 | Manage Cyber Risk in Smart Manufacturing Operations | 2022



ASSET MANAGEMENT TOOLS (At)

To ensure every asset is accounted for, a centralized asset management database contains
information about all resources on a particular network for SecOps to reference during
investigations. An asset management system contains information about each asset, asset
responsibilities and asset owners. Asset management gives security operations the
immediate ability to gather critical information about a device. Making asset management
available to analysts during an investigation helps with incident response and mitigation
of events.

Every organization adds and retires network resources throughout the year. Asset
management is a continual lifecycle process and must be kept up-to-date. To ensure
proper asset management, someone within security operations takes responsibility
for maintaining the database. Proper asset management is often missing from SOCs.
Prioritizing asset management will help organizations improve their automation
processes.
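The two preceding elements depend on each other: scanner findings only become actionable once they are joined to an asset database that says what the host is, who owns it and how exposed it is. The following added example (not code from the book or from any scanner or CMDB product) shows that join. It assumes a constructed asset inventory, constructed scanner output with placeholder vulnerability identifiers, and a constructed list of identifiers that a threat intelligence feed reports as actively exploited; the weighting factors are illustrative choices.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Asset:
    hostname: str
    ip: str
    owner: str           # accountable team from the asset database
    criticality: int     # 1 (low) .. 5 (crown jewel), set by asset management
    internet_facing: bool
    os: str


# Constructed asset inventory (sample data, not from the book).
ASSETS = [
    Asset("web01", "10.0.1.10", "web-team", 4, True, "linux"),
    Asset("db01", "10.0.1.11", "dba", 5, False, "linux"),
    Asset("dev02", "10.0.1.12", "dev", 1, False, "windows"),
]

# Constructed scanner output; vulnerability ids are placeholders, not real CVEs.
FINDINGS = [
    {"ip": "10.0.1.10", "vuln": "VULN-PLACEHOLDER-1", "cvss": 9.8},
    {"ip": "10.0.1.11", "vuln": "VULN-PLACEHOLDER-2", "cvss": 7.5},
    {"ip": "10.0.1.12", "vuln": "VULN-PLACEHOLDER-1", "cvss": 9.8},
    {"ip": "10.0.9.99", "vuln": "VULN-PLACEHOLDER-3", "cvss": 5.0},  # host not in inventory
]

# Constructed: ids a threat-intel feed has flagged as exploited in the wild.
ACTIVELY_EXPLOITED = {"VULN-PLACEHOLDER-2"}


def prioritize(assets, findings, exploited):
    """Join findings to the asset database and rank them by business risk,
    not by CVSS alone. Findings on hosts nobody owns are returned separately:
    they are an asset-management gap, not just a vulnerability."""
    by_ip = {a.ip: a for a in assets}
    ranked, unknown = [], []
    for f in findings:
        asset = by_ip.get(f["ip"])
        if asset is None:
            unknown.append(f)
            continue
        score = f["cvss"] * asset.criticality
        if asset.internet_facing:
            score *= 1.5        # illustrative exposure weight
        if f["vuln"] in exploited:
            score *= 2          # illustrative "exploited in the wild" weight
        ranked.append({"hostname": asset.hostname, "owner": asset.owner,
                       "vuln": f["vuln"], "cvss": f["cvss"], "score": round(score, 1)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked, unknown


def work_orders(ranked):
    """Group ranked findings by owner so remediation can be communicated
    to the affiliate team responsible for each asset."""
    orders = defaultdict(list)
    for r in ranked:
        orders[r["owner"]].append((r["hostname"], r["vuln"], r["score"]))
    return dict(orders)


if __name__ == "__main__":
    ranked, unknown = prioritize(ASSETS, FINDINGS, ACTIVELY_EXPLOITED)
    for r in ranked:
        print(r)
    print("unowned hosts with findings:", [u["ip"] for u in unknown])
    print(work_orders(ranked))
```

Note how the ranking changes once asset context is applied: the CVSS 7.5 finding on the database server outranks the CVSS 9.8 finding on the web server because the asset is more critical and the weakness is being exploited, and the same CVSS 9.8 finding on a low-value development box drops to the bottom.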

Related Elements: Alerting, Attack Surface Management, Metrics, Correlation, Data Analytics, Investigation, Content Engineering, Reporting, Vulnerability Management Tools, Endpoint Security Protection, AppSec, Enterprise Architecture.



ANALYSIS TOOLS (An)

Analysis tools provide analysts additional context and support on the system through
the research process. They include advanced techniques, devices and algorithms that
provide the ability to detect evidence of security compromise within large volumes of data.

Because most enterprise networks have thousands of digital assets, analysis tools are built
to consume terabytes of data, which is impossible for personnel to manually parse.

Processes are defined around the ways an analyst will determine whether an alert is
malicious, and the chosen analysis tools assist or automate this process. These tools also
provide access to gather context about the given event. Ownership, budget and support for
the tools need to be defined.

Analysis tools are often based on ML, deep learning and AI that provide either stand-alone,
embedded or add-on functionality to detect evidence of a security compromise. Security
analytics can be performed on data that is either stored at rest or collected in motion, even at
light speed on a massive network. This is a capability that can be obtained by SecOps teams in
a variety of different ways, with most security products and services including some sort of
security analytics function.

Related Elements: Alerting, AppSec, Forensics, Metrics, Correlation, Investigation, Content Engineering, Threat Hunting, Reporting, Data Analytics, Initial Research, Enterprise Architecture, Threat Intelligence, Severity Triage.



KNOWLEDGE MANAGEMENT TOOLS (Km)

Knowledge management is a central database containing documentation on the ways
SecOps operates and communicates with other staff.

The knowledge base can either be elaborate or as simple as a wiki. It contains the
operations, administration and maintenance of the security operations platforms and the
team’s processes. Since information in knowledge management systems ages quickly, the
team must review and update content frequently, especially when zero-day attacks are
released and discovered. A properly kept knowledge management system speeds up new-
hire training and is key to providing consistent security to the organization. The security
operations team must work with IT teams to source the knowledge base tool and identify
ownership for the underlying system (e.g., CPU, RAM, and storage).

Related Elements: Alerting, Interface Agreement, Severity Triage, Training, Correlation, Breach Response, Incident Distribution, Visibility Tuning, Governance, Case Management, Change Control, Initial Research, Content Engineering, Metrics, Data Analytics, Case Documentation, Mitigation, Enterprise Architecture, Reporting, Capability Improvement, Pre-approved Mitigation, Escalation Process, Process Improvement.



ENCRYPTED TRAFFIC VISIBILITY (Et)

Encrypted traffic visibility is critical to reduce security blind spots. Secure sockets
layer (SSL) decryption identifies inbound and outbound threats.

Any traffic that leaves the network and is not protected by an employee privacy act should
be decrypted and investigated. Most firms indicate at least 80% of traffic is encrypted,
so it must be logged.

Security operations review egress network traffic to ensure patterns are normal, check
for secure connections with servers and determine the validity of a packet. (Packets are
a small segment of a full message of data carried over a computer network.) SSL tunnels
that perform deep packet inspection are another popular visibility technology. Otherwise,
traffic should pass through Layer 7 inspection. To help with visibility, virtual private
network (VPN) tunnel traffic is analyzed before it reaches the intended target.

Related Elements: Alerting, Metrics, Behavioral Analytics, Malware Sandbox, Content Engineering, Reporting, Data Analytics, Network Access Control, Cloud Security, Correlation, Firewall, Virtual Private Network, Enterprise Architecture, Data Capture, Intrusion Prevention Systems, Web App Firewall, Network Security.

Decrypting traffic without permission and appropriate policy
can create real risk in many organizations. Because of the strict
international privacy requirements and laws regulating computer
use, decrypting traffic carries special risks of legal claims, like
unlawful interception and computer invasion of privacy.

GERRY STEGMAIER
Attorney,
Reed Smith



LAYER 7 INSPECTION (Li)

Deep packet inspection is done at the application layer, also known as layer 7 of the
OSI model.

Traditional firewalls, routers and switches look at Layers 1–4, but layer 7 inspection looks
at the data within a packet of an application and ensures that the packet is absent of any
malicious content.

Layer 7 inspection includes data loss prevention (DLP), application identification, URL
filtering, DNS security, IPS, antimalware, antispyware and antivirus. DLP ensures that no
sensitive data leaves the network that shouldn’t. For example, strings that look like social
security numbers or credit card numbers should be detected. While this is not the primary
responsibility for SecOps teams, it’s good to be aware of it, since it could be an indicator
of malicious activity on the network. AppID validates malicious intent by mapping against
the application to gather additional context. The context is used to cross-reference and
understand if something is malicious so that action can be taken to control the behavior.

URL filtering helps identify malicious or unknown domains. Some URL filters provide
additional context to explain whether a domain is a high, medium or low risk and
categorize its threat level. DNS security will be signature- or technique-based. Techniques
for DNS security include sinkholing, where edge security plays the meddler-in-the-middle
that protects a network: the resolver answers a query for a known-bad name with a spoofed
(sinkhole) address instead of the real one, and whichever host then connects to that
address is the infected endpoint. Signature-based DNS security looks for known patterns
such as randomly generated DNS names. Antispyware, antimalware and antivirus software
is helpful for inspecting well-known headers and characteristics of packets that indicate
malicious activity, then stopping the traffic at the network layer. This software gives
security operations visibility into activity on the network that has not been detected at
the endpoint.
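Two of the Layer 7 functions above lend themselves to a concrete illustration: the DLP check for strings that look like social security or card numbers, and DNS sinkholing as a way to find infected endpoints. The following is an added example, not code from the book or from any firewall vendor. It assumes constructed payloads, a constructed internal sinkhole address, a constructed block list and constructed DNS and connection logs; the card-number check adds a Luhn validation step, which is a standard way to cut false positives from order or reference numbers.

```python
import re
from collections import defaultdict

# ---- DLP-style content check --------------------------------------------------
# SSN shape with the obviously invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits):
    """Luhn checksum: real card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def dlp_findings(payload):
    """Return (kind, value) for every SSN-shaped or Luhn-valid card-shaped string."""
    found = [("ssn", m.group()) for m in SSN_RE.finditer(payload)]
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(("card", digits))
    return found


# ---- DNS sinkhole ------------------------------------------------------------
SINKHOLE_IP = "10.255.255.1"                               # constructed internal address
BLOCKED_DOMAINS = {"c2.bad.example", "beacon.bad.example"}  # constructed block list


def resolve(query, upstream_answers):
    """Policy-aware resolver: a known-bad name (or any subdomain of one) gets the
    sinkhole address instead of the real answer."""
    name = query.lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS):
        return SINKHOLE_IP, "sinkhole"
    return upstream_answers.get(name), "allow"


def infected_endpoints(dns_log, conn_log):
    """Hosts that connected to the sinkhole address are the infected ones; the DNS
    log says which blocked name each of them asked for."""
    asked = defaultdict(set)
    for client, query in dns_log:
        if resolve(query, {})[1] == "sinkhole":
            asked[client].add(query)
    contacted = {src for src, dst in conn_log if dst == SINKHOLE_IP}
    return {host: sorted(asked[host]) for host in sorted(contacted)}


# Constructed sample input (not from the book).
SAMPLE_PAYLOAD = "invoice 4111 1111 1111 1111 for ssn 123-45-6789, ref 1234567890123"
DNS_LOG = [("10.0.0.5", "www.good.example"), ("10.0.0.7", "c2.bad.example"),
           ("10.0.0.8", "x.beacon.bad.example")]
CONN_LOG = [("10.0.0.5", "192.0.2.1"), ("10.0.0.7", SINKHOLE_IP), ("10.0.0.8", SINKHOLE_IP)]

if __name__ == "__main__":
    print(dlp_findings(SAMPLE_PAYLOAD))
    print(infected_endpoints(DNS_LOG, CONN_LOG))
```

In the sample payload the 13-digit reference number fails the Luhn check and is not reported, while the test card number and the SSN-shaped string are; in the sample logs the two hosts that reached the sinkhole address are named along with the blocked domain each queried.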

Related Elements: Alerting, Metrics, Behavioral Analytics, Intrusion Prevention Systems, AppSec, Reporting, Data Analytics, Network Access Control, Content Engineering, Correlation, Firewall, Web App Firewall, DevSecOps, Operational Technology, Identity Access Management, Enterprise Architecture, Network Security.



[Figure: Layer 7 inspection functions: Data Loss Prevention, AppID, URL Filtering, DNS Security, Antimalware, Antispyware, Antivirus.]

DNS security is an important function in the firewall to detect
command and control activity as a result of a network compromise.
This detection capability and the configurable policy actions, such as
block or sinkhole, allow the SOC team to quickly identify and contain
threats on the network.

JOHN ZAHAROPOULOS
Global Solution Architect,
Palo Alto Networks



VIRTUAL ASSET PROTECTION (Va)

Organization assets can also be virtual (e.g., corporate applications) and require
visibility for preventive protection.

The cloud security team ensures that each virtual asset has the correct protection
implemented once security operations have notified them of compliance issues.

It’s critical that each phase of the build process for virtual assets is monitored. This
includes scanning for vulnerabilities in the code development, infrastructure as code,
development workstation, and code repositories each step of the way. “Shift left security”
is the latest standard for virtual asset protection, where code is proactively scanned for
vulnerabilities before being deployed to production.

Related Elements: Alerting, Cloud Security, Metrics, Correlation, Data Analytics, Initial Research, Enterprise Architecture, Reporting, Cloud Threat Analysis, Firewall, Content Engineering, Governance, Risk & Compliance.



CLOUD THREAT ANALYSIS (Ct)

Cloud threat analysis is a proactive approach that involves continuous scanning and
monitoring of the cloud environment to identify and respond to potential security risks.

It includes the diligent examination of virtual machines and assets within the cloud
infrastructure to detect and mitigate the presence of malware and vulnerabilities. This
analysis extends to popular cloud file spaces like Google Drive, Dropbox, or OneDrive,
where the contents stored within are thoroughly inspected to identify any viruses or
malicious code that may pose a threat. By promptly identifying and remediating these
risks, cloud threat analysis ensures the integrity and security of the cloud environment.

In addition to providing malware analysis, cloud threat analysis encompasses the
evaluation of vulnerabilities. This process involves confirming the presence of
vulnerabilities and conducting in-depth research on the controls that prevent them
from being exploited. By understanding the risks associated with specific vulnerabilities
and prioritizing remediation efforts, organizations can effectively manage and mitigate
potential security threats. This proactive approach to threat analysis helps organizations
stay one step ahead of potential attacks and ensures a more secure and resilient cloud
infrastructure.

Related Elements: Alerting, Enterprise Architecture, Metrics, Correlation, Data Analytics, Content Engineering, Governance, Risk & Compliance, Reporting, Virtual Asset Protection, Malware Sandbox, Cloud Security, Network Security, DevSecOps.

FOR A DEVELOPER, MIGRATING TO THE CLOUD IS AN OPPORTUNITY TO ADOPT
DevOps AND ACCELERATE THE APPLICATION DEVELOPMENT



DATA CAPTURE (Dc)

Visibility into network traffic and associated metadata is used to understand
network-based anomalies.

When traffic anomalies are discovered, it is crucial to comprehend whether and how
they could be a potential sign of a network security compromise within the system.
Understanding these traffic patterns through data capture helps to determine the severity
of a potential incident and to identify any tampering that might have transpired.

Data capture within a SOC generally falls into three predominant categories:
• Packet Capture (PCAP): Although PCAPs are a costly solution, security operations
frequently maintain them for periods of days to a week.
• Intrusion Prevention System/Intrusion Detection System (IPS/IDS) Data/Alerts:
This type of data comes with moderate cost implications. It is usually kept for about
half a year, a duration found to be sufficient in most scenarios for data analysis and
anomaly detection.
• Network Flow Logs/IPFIX: These logs are relatively inexpensive and are often used by
organizations to identify deviations from normal network traffic patterns, providing
crucial insights into network behavior.

Related Elements: Alerting, Metrics, Behavioral Analytics, Firewall, Content Engineering, Reporting, Data Analytics, Intrusion Prevention Systems, Enterprise Architecture, Correlation, Email Security, Web App Firewall, Endpoint Security, Encrypted Traffic Visibility, Endpoint Security Protection, Network Security.



OPERATIONAL TECHNOLOGY (Ot)

Any programmable device that can monitor, control or regulate industrial equipment is a
component in operational technologies.

It’s important to ensure security operations have visibility into all technology devices.
Operational technologies can be found in industrial centers, energy systems and smart
cities, but are most prevalent in the medical industry, mainly as a growing presence in
hospitals. Medical devices with OT include MRI scanners, X-ray machines and insulin
pumps.

With medicine being the biggest industry leveraging OT devices, it's important that security
operations invest in gaining high visibility into them, since attacks targeting these
devices could mean life or death. Security operations must benchmark normal traffic,
conduct behavioral analysis on devices and understand the ways devices are attached and
communicate across the network.

OT threats frequently come from state-sponsored actors targeting government entities, and
they have real-world physical consequences. Operational technologies include industrial
control systems (ICS), programmable logic controllers (PLC), discrete process control
systems (DPC) and supervisory control and data acquisition systems (SCADA). Each of these
technologies can be responsible for monitoring major systems or devices. Examples of
well-known OT attacks are the Iranian centrifuge attack, the Colonial Pipeline attack and
the Ukraine power plant attack.

Related Elements: Alerting, Enterprise Architecture, Metrics, Internet of Things, Data Analytics, Attack Surface Management, Network Security, Reporting, Layer 7 Inspection, Firewall, Content Engineering, Operational Technology Security, Correlation, Vulnerability Management Tools.



INTERNET OF THINGS (Iot)

IoT refers to the network of physical objects (“things”) that are embedded with sensors,
software and other technologies to connect and exchange data with other devices and
systems over the internet.

IoT is often associated with consumer devices, smart homes, wearables and other
applications that leverage data from sensors and devices for improved convenience,
efficiency and control. IoT brings connectivity and intelligence to objects that weren’t
previously connected to the internet. For security operations, it is important to account for
all endpoints on a network that includes IoT, perform behavioral analysis to benchmark
normal activity and continually monitor them to ensure no malicious activity is running
in the background of any device. Once an attacker gains a foothold, they may take their
time to discover the network and identify high-value targets before executing an attack to
ensure they reach their objective.

IoT devices are often easier targets for attackers because many organizations do not have
good visibility or understanding of normal activity. Therefore, an attacker can infiltrate an
organization, complete a discovery and not trigger alerts.
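The Data Capture, Operational Technology and Internet of Things elements all come down to the same practice: collect inexpensive flow records, benchmark what is normal for each device, and alert on deviations and on peers a device has never talked to. The following added example (not code from the book or from any network monitoring product) does that over constructed IPFIX-style daily egress totals and constructed flow records for a few medical and building devices; the median/MAD scoring and the threshold are illustrative choices, and a device with no baseline at all is reported as an asset-visibility gap rather than scored.

```python
from statistics import median

# Constructed seven-day learning window of daily egress bytes per device.
BASELINE = {
    "mri-scanner-01": [1_200_000, 1_150_000, 1_300_000, 1_180_000, 1_250_000, 1_220_000, 1_190_000],
    "ip-camera-07": [40_000_000, 42_000_000, 39_500_000, 41_000_000, 40_500_000, 41_200_000, 39_800_000],
    "insulin-pump-gw": [50_000, 52_000, 48_000, 51_000, 49_500, 50_500, 50_200],
}
# Constructed set of peers each device talked to during the learning window.
KNOWN_PEERS = {
    "mri-scanner-01": {"10.0.5.10", "10.0.5.11"},
    "ip-camera-07": {"10.0.6.20"},
    "insulin-pump-gw": {"10.0.7.5"},
}
# Constructed flow records for today: (device, destination, bytes_out).
TODAY_FLOWS = [
    ("mri-scanner-01", "10.0.5.10", 700_000),
    ("mri-scanner-01", "10.0.5.11", 520_000),
    ("ip-camera-07", "10.0.6.20", 41_000_000),
    ("ip-camera-07", "198.51.100.23", 2_500_000_000),   # new external peer, huge volume
    ("insulin-pump-gw", "10.0.7.5", 49_000),
    ("insulin-pump-gw", "10.0.7.99", 3_000),            # new internal peer, tiny volume
    ("rogue-thing", "10.0.9.9", 1_000),                 # device with no baseline at all
]


def robust_z(value, history):
    """Median/MAD z-score: a single odd day in the learning window does not
    drag the baseline the way a mean and standard deviation would."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return (value - med) / (1.4826 * mad)


def detect(baseline, known_peers, today_flows, z_threshold=5.0):
    """Return a finding per device that is unknown, moved an abnormal volume,
    or talked to a peer it has never talked to before."""
    egress, peers = {}, {}
    for device, dst, nbytes in today_flows:
        egress[device] = egress.get(device, 0) + nbytes
        peers.setdefault(device, set()).add(dst)
    findings = {}
    for device in sorted(egress):
        if device not in baseline:
            findings[device] = {"unknown_device": True, "bytes_out": egress[device],
                                "volume_anomaly": False, "new_peers": sorted(peers[device])}
            continue
        z = robust_z(egress[device], baseline[device])
        new = sorted(peers[device] - known_peers.get(device, set()))
        if z > z_threshold or new:
            findings[device] = {"unknown_device": False, "bytes_out": egress[device],
                                "volume_z": round(z, 1), "volume_anomaly": z > z_threshold,
                                "new_peers": new}
    return findings


if __name__ == "__main__":
    for device, finding in detect(BASELINE, KNOWN_PEERS, TODAY_FLOWS).items():
        print(device, finding)
```

The camera is flagged on both counts (a volume thousands of MADs above its norm, sent to a peer outside its baseline), the pump gateway only for the new peer, and the MRI scanner not at all; the device with no baseline is the case the preceding IoT paragraph warns about, a foothold that never trips an alert because nobody benchmarked it.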

Related Elements: Alerting, Information Technology Operations, Reporting, Data Analytics, Content Engineering, Network Security, Correlation, Firewall, Enterprise Architecture, Metrics, Operational Technology, Intrusion Prevention Systems.

IoT and IIoT systems tend to be deficient in key security protections found in more robust
systems. This includes patch management, process isolation, access control and exploit
mitigation technologies. It is vital for a SOC to help fill in these gaps by monitoring for
abuse and misuse of these systems. This is especially important as IoT and IIoT adoption
continues to grow at a record pace, with billions of devices anticipated to come online
over the next few years.

ANDREW ROTHS
Senior Principal Security Engineer,
Internet of Secure Things (ioXt), Board of Directors,
Amazon



INDUSTRIAL INTERNET OF THINGS (Iiot)

Industrial internet of things (IIoT) is the integration of IoT (internet of things)
devices and technologies with traditional OT infrastructure.

IIoT devices typically constitute a group of technologies that extend from traditional
internet of things into industrial sectors and are responsible for collecting and
transmitting data for machinery. IIoT technologies include robotics, sensors, medical
devices and programmed processes. They are often responsible for supporting nuclear,
power, water or manufacturing systems.

Visibility into IIoT devices identifies programming languages, PLC controllers running
outdated software and the number of devices on a network. Additionally, behavioral
analytics help SecOps understand normal behaviors on an IIoT device to identify malicious
behavior if and when it appears.

In larger organizations using programmed robots to build products, a malicious command
could cost an organization millions of dollars due to downtime and damage. Many PLC
controllers run an older version of Windows, which is highly vulnerable to attacks and
malicious control.

Related Elements: Alerting, Enterprise Architecture, Reporting, Data Analytics, Content Engineering, Metrics, Correlation.



SECURITY PILLAR 6:
TECHNOLOGY

The technology pillar defines infrastructure that provides SOC visibility into operations and
data to monitor for threats. It’s important to note that each infrastructure element should
be thought of as a collection of tools that work together to monitor the environment.
Technologies and capabilities change rapidly, so these are the most fluid elements of a
security operations team.

Numerous security tools are offered individually and act as silos, leading to a variety of
issues, including extensive vendor management, limited features, duplicate functionality
and occasional end-user degradation. The industry is seeing a shift away from siloed tools
and toward platforms that provide capabilities needed in the SOC without installation and
maintenance of individual tools.

When choosing technology for your environment, answer the following questions:
• What security capabilities are required to mitigate risk in the environment?
• What technology will be used to provide security capabilities?
• Who will be responsible for the licensing, implementation and maintenance
of the technology?
• How will technology and content updates be requested and performed?
• What updates will be carried out automatically and at what interval?
• How will data integrity be monitored?
• How will the SOC interact with owners of the technology to secure the environment?



Every enterprise has some version of
technology used to generate revenue
and support productivity.

Technology consists of nine categories: alert identification, endpoint security protection
(ESP), email security, firewall, malware sandbox, deception techniques, identity assurance,
remote access, and security orchestration, automation and response (SOAR). These
technologies are needed for security operations to achieve the visibility necessary to gather
the appropriate information essential for a SecOps team to do its job.



Most customers can tell me every
tool they have in their SOC but cannot
tell me how they use those tools to
achieve better security.

JOHN TELAN
Global Practice Leader,
Endpoint and Security Operations,
Palo Alto Networks

LOG STORAGE (Ls)

An organization’s security operations need a location to store the massive amount of event
data generated from network resources.

Log storage is a centralized repository where logs are collected. Not all logs are created equal.
Some are important to the security operations team process and critical for monitoring the
environment. Others are required by the GRC team for compliance purposes.

Logs provide analysts with the most relevant information for review and incident response.
An effective endpoint detection and response solution helps collect and send over the most
critical logs. These logs are usually stored hot, or short term, for anywhere from one to three
months, depending on compliance needs. During this time, logs are actively searched using
machine learning to put together events and identify actionable events that trigger alerts.

Some logs will be required for compliance and must be stored cold, or long term, in case
a forensic case is ever needed. Guidance on logs that must be stored comes from the GRC
department and may not always be relevant to a SecOps process. These logs may also
contain compliance data, which is often helpful for identifying potential risk and compliance
violations. The GRC team communicates these concerns to content engineering and ensures
logs that do not fit within the compliance structure are not stored. For example, HIPAA or
GDPR may affect log storage duration and information contained in that storage.



Having the right continuity in log storage is critical. The organization must have log
backups in multiple locations so they are not easily lost in the event of a disaster. Many
SOCs put log storage in the cloud, so the cloud vendor is responsible for disaster recovery.
In this case, the SOC must still be aware of the vendor’s disaster recovery plan as it applies
to SecOps.

Related Elements: Alerting, Investigation, Mitigation, Visibility Tuning, Data Analytics, Breach Response, Escalation Process, Pre-approved Mitigation, Threat Hunting, Change Control, Interface Agreement, Process Improvement, Metrics, Case Documentation, Incident Distribution, Quality Review, Reporting, Capability Improvement, Initial Research, Severity Triage, Correlation.



A security analytics environment
requires proper curation. If you
constantly toss events into your data
lake, you end up with a data canyon.
You need to constantly evaluate
which bits of your event stream
should make it into your analytics
environment and how you will
navigate the corpus you’re building.

JEREMY KELLY
Director of Secure Data Engineering,
E*TRADE

SECURITY ORCHESTRATION, AUTOMATION AND RESPONSE (Soar)

A good SOAR tool enables organizations to collect monitoring data from a variety of
sources and serves as a single source of truth for the SecOps team.

SOAR products have the capability of acting as a SecOps dashboard, collaboration medium,
evidence repository, audit and enrichment technology. Because it’s used as a single source
of truth, a SOAR tool helps a SecOps team streamline an analyst’s processes and improve
consistency. Many organizations leverage the automation aspect of SOAR but neglect the
orchestration and response capabilities that make the SOAR product critical to a security
operations team’s success.

SOAR orchestrates security technologies and integrates security tools to enhance the
incident response process. A SOAR product can collect and organize all artifacts needed for
an analyst, reducing the time needed to pivot between technologies.

SecOps teams need a foundational process for identification, investigation, mitigation
and continuous improvement to build into automation and get the most out of their SOAR
product. The goal of any organization is to leverage automation to remediate incidents
faster. Therefore, an organization needs to work toward automating the entirety of the
identification lifecycle, providing enough context and information for the identification
phase and having scripted responses to common mitigation types. What a SOAR product
can accomplish in one minute, it may take an analyst hours to complete manually.
Therefore, utilizing SOAR can significantly increase the quality and efficiency of an
analyst’s investigation.
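The identification, investigation and mitigation process the paragraph says must exist before automation pays off looks, in playbook form, like the following added example. It is not code from the book or from any SOAR product: the asset database, threat intelligence verdicts and pre-approved mitigation limits are constructed stand-ins for the integrations a real platform would orchestrate, and the rule that an endpoint is isolated automatically only below a criticality limit is an illustrative policy, not one the book prescribes. Every step writes to an audit trail, which is the evidence-repository role the section describes.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-ins for orchestrated integrations (sample data, not from the book).
ASSET_DB = {
    "10.0.0.5": {"hostname": "fin-ws-12", "owner": "finance", "criticality": 4},
    "10.0.0.21": {"hostname": "kiosk-03", "owner": "facilities", "criticality": 1},
}
TI_VERDICTS = {"203.0.113.45": "malicious", "192.0.2.10": "benign"}
# Pre-approved mitigations: which actions may run without a human, and up to
# which asset criticality. Anything above the limit waits for analyst approval.
PRE_APPROVED = {"block_destination": {"max_criticality": 5},
                "isolate_endpoint": {"max_criticality": 2}}


@dataclass
class Case:
    alert: dict
    context: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)
    audit: list = field(default_factory=list)
    status: str = "open"


def record(case, step, detail):
    """Append an audit entry so the case doubles as the evidence repository."""
    case.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                       "step": step, "detail": detail})


def enrich_asset(case):
    # An unknown host is treated as critical: automation must not guess low.
    asset = ASSET_DB.get(case.alert["src"],
                         {"hostname": "unknown", "owner": None, "criticality": 5})
    case.context["asset"] = asset
    record(case, "enrich_asset", asset)


def enrich_intel(case):
    verdict = TI_VERDICTS.get(case.alert["dst"], "unknown")
    case.context["verdict"] = verdict
    record(case, "enrich_intel", verdict)


def request_action(case, name):
    """Run a scripted response automatically if pre-approved for this asset,
    otherwise queue it for a human decision."""
    crit = case.context["asset"]["criticality"]
    rule = PRE_APPROVED.get(name)
    mode = "auto" if rule and crit <= rule["max_criticality"] else "pending_approval"
    case.actions.append((name, mode))
    record(case, "action", f"{name}:{mode}")


def respond(case):
    verdict = case.context["verdict"]
    if verdict == "benign":
        case.status = "closed_false_positive"
    elif verdict == "malicious":
        crit = case.context["asset"]["criticality"]
        case.context["severity"] = "high" if crit >= 4 else "medium"
        request_action(case, "block_destination")
        request_action(case, "isolate_endpoint")
        all_auto = all(mode == "auto" for _, mode in case.actions)
        case.status = "mitigated" if all_auto else "awaiting_approval"
    else:
        case.status = "needs_analyst"
    record(case, "status", case.status)


PLAYBOOK = [enrich_asset, enrich_intel, respond]


def run_playbook(alert):
    case = Case(alert=alert)
    for step in PLAYBOOK:
        step(case)
    return case


if __name__ == "__main__":
    for alert in [{"id": "a1", "src": "10.0.0.5", "dst": "203.0.113.45"},
                  {"id": "a2", "src": "10.0.0.21", "dst": "203.0.113.45"},
                  {"id": "a3", "src": "10.0.0.5", "dst": "192.0.2.10"}]:
        c = run_playbook(alert)
        print(alert["id"], c.status, c.actions)
```

Three outcomes from the same playbook: a malicious destination reached from a low-value kiosk is blocked and the kiosk isolated with no human in the loop; the same destination reached from a critical finance workstation is blocked immediately but isolation waits for approval; a benign destination closes as a false positive with the enrichment still on record.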

Related Elements: Alerting, Initial Research, Security Automation, Correlation, Machine Learning & Artificial Intelligence, Escalation Process, Mitigation, Case Management, Data Analytics.

Since inheriting legacy applications from acquisitions can add risk, collaboration
between DevOps and security teams is essential. When these applications cannot be
quickly deprecated, the DevOps teams can implement automation wherever possible to
reduce this risk. These teams will continue to collaborate as they move into a DevOps
mindset in which security is built into the workflow.

CLINT RUOHO
Lead Acquisition Product Security Engineer,
Salesforce



DATA ANALYTICS (Da)

Data analytics assist a SecOps team in understanding the environment.

Data analytics refers to the process of examining and analyzing large sets of data to
uncover meaningful patterns, insights and trends. Data analytics is inclusive rather than
selective and rarely collects the contents of an item. Examples of network analytics are
session and packet headers, rather than packet content. Endpoint analytics include process
execution details, file and memory reads and writes, but not their content. Data analytics
are consistently recorded, making them more useful than a log that collects prescribed
information only when triggered by a specific event. They are also more accessible than
forensics due to the wider coverage area and speed of collection. Data analytics from
network and endpoint activity and cloud configurations provide readily available
information necessary to triage and investigate the majority of alerts and incidents.

Related Elements: Alerting (A), Mitigation (Mi), Cloud Threat Analysis (Ct), Vulnerability
Management Tools (Vm), Machine Learning & Artificial Intelligence (Ml), Breach Response (Br),
Pre-approved Mitigation (Pa), Data Capture (Dc), Behavioral Analysis (Ba), Malware Sandbox (Ms),
Change Control (Cc), Process Improvement (Pi), Encrypted Traffic Visibility (Et), Deception
Techniques (Dt), Network Access Control (Nac), Case Documentation (Cd), Quality Review (Qr),
Industrial IoT (Iiot), Email Security (Em), Secure Access Service Edge (Sase), Capability
Improvement (Ci), Severity Triage (St), Internet of Things (Iot), Endpoint Security (Epp),
Security Orchestration Automation Response (Soar), Investigation (I), Visibility Tuning (Vt),
Knowledge Management Tools (Km), Firewall (Fw), Virtual Private Network (Vpn), Escalation
Process (Ep), Asset Management Tools (At), Layer 7 Inspection (Li), Identity & Access
Management (Iam), Web Application Firewall (Waf), Interface Agreement (Ia), Analysis Tools (An),
Operational Technology (Ot), Intrusion Prevention Systems (Ips), Incident Distribution (Id),
Case Management (Cm), Threat Intelligence Management (Tm), Log Storage (Ls), Initial
Research (In), Correlation (Cr), Virtual Asset Protection (Va)



MACHINE LEARNING & ARTIFICIAL INTELLIGENCE
AI and ML are deeply intertwined, with ML serving as a crucial foundation for AI
advancements.

Ongoing monitoring of this space is paramount, especially as leading companies like Palo
Alto Networks continue to push the boundaries of AI in the cybersecurity domain. These
innovations hold immense potential for generating groundbreaking advancements in
cyber-defense, making it essential to stay abreast of the latest developments and harness
the power of AI to drive innovation and enhance security measures.

Related Elements: Alerting (A), Security Automation (Sa), Threat Intelligence Management (Tm),
Endpoint Security (Epp), Escalation Process (Ep), Threat Intelligence (Ti), Vulnerability
Management Tools (Vm), Malware Sandbox (Ms), Initial Research (In), Case Management (Cm),
Behavioral Analytics (Ba), Security Orchestration, Automation & Response (Soar),
Mitigation (Mi), Correlation (Cr), Data Analytics (Da)

Figure: Reasons AI/ML is important for SD-WAN (figure content not reproduced in this text)



BEHAVIORAL ANALYSIS
Anomalies in user or system behavior may be indicative of an attack. Security operations
use endpoint security, network security, user activity, operational technology and cloud
traffic patterns for behavioral analysis. Known behavioral indicators of compromise will
show when an end user’s behavior has changed. Feeding ML with clean, quality data will
ensure it will detect normal behavioral patterns rather than return a false positive.

Behavioral analytics leverage various methods, including identity-based, traffic-based and
file-based analysis, to identify and flag anomalies from established baselines.

Related Elements: Alerting (A), Data Capture (Dc), Data Analytics (Da), Machine Learning &
Artificial Intelligence (Ml), Endpoint Security (Es), Encrypted Traffic Visibility (Et),
Endpoint Security (Epp), Malware Sandbox (Ms), Correlation (Cr), Layer 7 Inspection (Li),
Identity Access Management (Iam)

Adversaries are very good at staying under the radar once they have
infiltrated an organization. Behavioral analytics helps uncover these
hard-to-detect attacks and lateral movement.

WILLIAM SYKES
Global Enablement Architect,
Palo Alto Networks



ENDPOINT SECURITY
Endpoint security is responsible for the development, implementation and
maintenance of the endpoint security policy.

The scope of endpoint security involves applying profiles to the various endpoints
throughout the network, including all PCs, Macs, servers, phones, tablets and assets.
Endpoint security is responsible for scanning, looking for malicious activity, vulnerabilities
and information that can be used to create profile exceptions that meet the needs of the
organization or restrict malicious activity. The endpoint security team is also responsible
for collecting behavioral information about the various endpoints to determine what is
standard behavior. They can then help security operations understand what abnormal
behavior is and what should constitute an investigable alert. For example, imagine there is
a machine that is uploading a 10 MB file every Friday to a server for financial information.
All of a sudden, it is now downloading all of the information and SVPing it elsewhere.
This would be a behavioral anomaly that the endpoint security team would want to call
out because it deviates from the normal behavior. Even if there is a perfectly reasonable
explanation for the download, this anomaly should still be identified. The endpoint team
should work to ensure these behavioral profiles are set properly to begin with so this
anomaly is identified as abnormal to the security operations team. If the anomaly happens
to be malicious, SecOps should be aware of it as quickly as possible.
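As an added illustration of the Friday-upload scenario above (example code written for this page, not from the book), the script below builds a per-host baseline from constructed endpoint telemetry and then flags later events whose direction, destination or volume deviates from that baseline. Host names, destinations, timestamps and byte counts are all constructed; the cutoff date that separates baseline from evaluation is an assumption.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed endpoint telemetry (not real data): timestamp host direction bytes destination.
# Five weeks of the same ~10 MB Friday upload, then the week in which the host pulls the
# whole data set down and pushes it to a destination it has never talked to before.
TELEMETRY = [
    "2024-03-01T17:02:11 fin-ws-07 upload 10485760 finance-srv",
    "2024-03-08T17:01:45 fin-ws-07 upload 10602496 finance-srv",
    "2024-03-15T17:03:02 fin-ws-07 upload 10381312 finance-srv",
    "2024-03-22T17:00:58 fin-ws-07 upload 10590208 finance-srv",
    "2024-03-29T17:02:37 fin-ws-07 upload 10466304 finance-srv",
    "2024-04-05T17:02:05 fin-ws-07 download 2147483648 finance-srv",
    "2024-04-05T17:09:41 fin-ws-07 upload 2147483648 ext-host-203",
]

# Assumed split: events before this date train the profile, later events are scored.
BASELINE_CUTOFF = datetime(2024, 4, 1)


def parse(line):
    """Turn one telemetry line into a dict with typed fields."""
    ts, host, direction, nbytes, dest = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "direction": direction, "bytes": int(nbytes), "dest": dest}


def build_profile(lines, cutoff=BASELINE_CUTOFF):
    """Per-host baseline: the directions, destinations and byte volumes seen before the cutoff."""
    profile = defaultdict(lambda: {"directions": set(), "dests": set(), "sizes": []})
    for ev in map(parse, lines):
        if ev["ts"] >= cutoff:
            continue
        p = profile[ev["host"]]
        p["directions"].add(ev["direction"])
        p["dests"].add(ev["dest"])
        p["sizes"].append(ev["bytes"])
    return profile


def anomalies(lines, profile, cutoff=BASELINE_CUTOFF, sigma=3.0):
    """Return (event, reasons) for every post-cutoff event that deviates from its host's baseline."""
    flagged = []
    for ev in map(parse, lines):
        if ev["ts"] < cutoff:
            continue
        p = profile.get(ev["host"])
        reasons = []
        if p is None:
            reasons.append("host has no baseline")
        else:
            if ev["direction"] not in p["directions"]:
                reasons.append("new direction: " + ev["direction"])
            if ev["dest"] not in p["dests"]:
                reasons.append("new destination: " + ev["dest"])
            mu, sd = mean(p["sizes"]), pstdev(p["sizes"])
            # A very regular history gives a near-zero stdev; floor the spread at 10% of the
            # mean so a constant baseline still produces a usable volume threshold.
            if ev["bytes"] > mu + sigma * max(sd, 0.1 * mu):
                reasons.append("volume %d far above baseline mean %.0f" % (ev["bytes"], mu))
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, why in anomalies(TELEMETRY, build_profile(TELEMETRY)):
        print(ev["ts"].isoformat(), ev["host"], ev["direction"], ev["dest"], "->", "; ".join(why))
```

Whether the download turns out to be benign or not, both April events surface to the SOC, which is the outcome the paragraph asks the endpoint team to engineer.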

Interface agreements should be defined between the endpoint security team, the team
implementing the endpoint security policy and the infrastructure team deploying the
technology. The change control process should include any specific information that is
required for endpoint security updates but should follow the standard change control
steps established for other changes within the business. The endpoint security team must
communicate with the business to define what endpoint technologies and operating systems
will be allowed in the business and to address security concerns around them. The team
and the organization should be in regular contact to plan for any new systems that will be
incorporated into the business through technology adoption or through M&A activity.

Related Elements: Alerting (A), Correlation (Cr), Behavioral Analytics (Ba), Intrusion
Prevention Systems (Ips), Endpoint Security (Es), Data Capture (Dc), Data Analytics (Da),
Malware Sandbox (Ms), Server Operations (So), Layer 7 Inspection (Li), Identity Access
Management (Iam), Virtual Private Network (Vpn)



INTRUSION PREVENTION SYSTEMS
Other tools used to gain visibility into network activity are intrusion prevention
systems (IPS), intrusion detection systems (IDS) and DNS sinkholing.

These features may be integrated with a firewall or standalone tools. An IDS is considered a
reactive control that generates alerts based on rules configured in the system, whereas an
IPS is focused on prevention and mitigates or blocks malicious behavior. DNS sinkholing is
used to allow or sinkhole known malicious traffic and trigger alerts for analyst review.

Agreements must be established between the group that maintains the IDS/IPS/DNS
sinkholing technologies and the SOC, to define workflows for operating system upgrades,
outages and patching. Protocols for change requests between the business and the SOC
must also be defined. The SOC needs to be aware of basic architecture and configuration
settings, such as coverage if systems are configured to fail open. As with firewalls,
additional logging may need to be turned on to generate the context needed by the SecOps
team to perform investigations.
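An added example (not from the book) of turning DNS sinkhole events into alerts for analyst review. It goes one step past the text: the DNS log names only the internal resolver as the query source, so it is the traffic log of connections to the sinkhole address that identifies the infected client. The sinkhole address, the internal range, host addresses, domain names and both log formats are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed values: the address the resolver hands back for sinkholed names, and the
# internal range whose hosts we care about. Real deployments take both from the firewall config.
SINKHOLE_IP = "198.51.100.1"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed traffic log (not real data): time src dst dport action note
TRAFFIC_LOG = [
    "09:00:01 10.0.5.23 198.51.100.1 443 allow sinkhole-hit",
    "09:00:03 10.0.5.23 10.0.0.53 53 allow dns",
    "09:00:07 10.0.9.140 198.51.100.1 80 allow sinkhole-hit",
    "09:01:11 10.0.5.23 93.184.216.34 443 allow web",
    "09:02:00 10.0.0.53 203.0.113.9 53 allow dns-forward",
]

# Constructed DNS log: time resolver 'query' domain result. Note every source is the
# resolver 10.0.0.53, so this log alone cannot say which client asked for the bad name.
DNS_LOG = [
    "08:59:59 10.0.0.53 query bad-c2.example sinkhole",
    "09:00:05 10.0.0.53 query evil-dl.example sinkhole",
    "09:00:30 10.0.0.53 query www.example.com allow",
]


def _secs(hhmmss):
    """HH:MM:SS -> seconds since midnight, enough for same-day correlation."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def sinkhole_hits(traffic_lines, sinkhole_ip=SINKHOLE_IP):
    """Internal hosts that connected to the sinkhole address, i.e. the actual infected clients."""
    hits = defaultdict(list)
    for line in traffic_lines:
        t, src, dst, dport, _action, _note = line.split()
        if dst == sinkhole_ip and ipaddress.ip_address(src) in INTERNAL_NET:
            hits[src].append((_secs(t), int(dport)))
    return dict(hits)


def sinkholed_queries(dns_lines):
    """(time, domain) for every query the resolver answered with the sinkhole address."""
    out = []
    for line in dns_lines:
        t, _resolver, _kw, domain, result = line.split()
        if result == "sinkhole":
            out.append((_secs(t), domain))
    return out


def build_alerts(dns_lines, traffic_lines, window=30):
    """One analyst-review alert per infected host.

    The DNS log cannot attribute a query to a client, so the sinkholed names resolved in the
    `window` seconds before the host's first hit are listed as candidates, not as certainties.
    """
    queries = sinkholed_queries(dns_lines)
    alerts = []
    for host, hits in sorted(sinkhole_hits(traffic_lines).items()):
        first = min(t for t, _ in hits)
        candidates = sorted({d for t, d in queries if first - window <= t <= first})
        alerts.append({
            "host": host,
            "hits": len(hits),
            "ports": sorted({p for _, p in hits}),
            "candidate_domains": candidates,
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(DNS_LOG, TRAFFIC_LOG):
        print(alert)
```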

Related Elements: Alerting (A), Correlation (Cr), Internet of Things (Iot), Firewall (Fw),
Endpoint Security (Es), Data Capture (Dc), Data Analytics (Da), Web App Firewall (Waf),
Network Security (Ns), Encrypted Traffic Visibility (Et), Endpoint Security (Epp)

Intrusion Detection System (IDS)

An intrusion detection system (IDS) is a network security technology built for
detecting vulnerabilities, malware and misconfigurations.

Intrusion Prevention System (IPS)

An intrusion prevention system (IPS) is a network security technology that
examines network traffic flows to detect and prevent malicious threats.



EMAIL SECURITY
Organizations face significant threats from email vectors, making it crucial to
prioritize email security.

Threats using email, such as phishing, are the most common attack vectors. Without
proper email security measures in place, organizations must rely solely on employees to
detect email-based threats. However, effective email security plays a vital role in detecting
and preventing malicious email content from infecting targeted recipients, providing
protection from phishing scams and other attacks. It uses cryptography to support
confidentiality, digital signatures, sender authentication and integrity control.

Phishing attacks, which are among the most common email attacks, deceive recipients
with fraudulent messages that closely resemble legitimate sources. Attackers use various
strategies to gain unauthorized access via email including phishing, spear-phishing, social
engineering and whaling.

The goal of these attacks is to trick users into disclosing sensitive information or
performing unauthorized actions. Additionally, attackers may exploit attachments and
downloads to compromise endpoints or exploit user access, particularly in encryption-
based attacks. Therefore, implementing robust email security measures is essential to
safeguard organizations from these evolving email threats.

Email security validates hyperlinks and files against hashes to determine if they are
malicious. It also validates email headers along with embedded text to determine whether
the message is a known phishing scam. Information from email security systems is
provided to security operations so that they can investigate credential loss issues.

Email security is an area with a great opportunity for automation of use cases. It’s vital
to implement best practices for email security, which include Sender Policy Framework
(SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication,
Reporting, and Conformance (DMARC). SPF helps verify that incoming emails are sent
from authorized servers, DKIM adds a digital signature to emails to ensure their integrity,
and DMARC enables domain owners to specify email handling policies, such as quarantine
or reject, for suspicious emails.
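The SPF/DKIM/DMARC policy decision described above, as an added example that is not from the book: a simplified DMARC evaluator run against a constructed DMARC record for the placeholder domain example.test. It assumes the receiving mail server has already produced the SPF and DKIM verdicts together with the domains each one authenticated, and it approximates the organizational domain with the last two labels instead of the Public Suffix List.

```python
import re

# Constructed DMARC record for a placeholder domain (not any real domain's record):
# quarantine failures at the organizational domain, reject them at subdomains,
# strict DKIM alignment, relaxed SPF alignment.
DNS_TXT = {
    "_dmarc.example.test": "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; pct=100",
}


def parse_dmarc(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict, applying RFC 7489 alignment defaults."""
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)=([^;]+)", record)}
    tags.setdefault("adkim", "r")  # relaxed alignment unless the record says otherwise
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption; real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed only a shared organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DNS_TXT):
    """Apply DMARC to one message and return (disposition, reason).

    from_domain:  domain of the RFC5322.From header the recipient sees.
    spf_result:   the MTA's SPF verdict for the envelope sender; spf_domain is the domain it checked.
    dkim_result:  the DKIM signature verdict; dkim_domain is the signing domain (d= tag).
    DMARC passes only if at least one of SPF or DKIM passed AND its domain aligns with From.
    """
    from_domain = from_domain.lower()
    record, use_subdomain_policy = dns.get("_dmarc." + from_domain), False
    if record is None and org_domain(from_domain) != from_domain:
        # No record at the subdomain: fall back to the organizational domain and its sp= policy.
        record, use_subdomain_policy = dns.get("_dmarc." + org_domain(from_domain)), True
    if record is None:
        return "none", "no DMARC record published for " + from_domain
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"
    action = policy.get("sp", policy["p"]) if use_subdomain_policy else policy["p"]
    return action, "no aligned SPF or DKIM pass; domain policy is " + action


if __name__ == "__main__":
    # A lookalike sender passing SPF for its own domain does not help it impersonate example.test.
    print(dmarc_disposition("example.test", "pass", "attacker.test", "fail", "attacker.test"))
    print(dmarc_disposition("example.test", "pass", "mail.example.test", "none", None))
```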

Related Elements: Alerting (A), Correlation (Cr), Data Capture (Dc), Data Analytics (Da),
Malware Sandbox (Ms)



FIREWALL
Essential in every network, firewalls separate networks and enforce restrictions for
communications between them.

Firewalls can be physical devices or virtual solutions to protect assets in the cloud. Their
capabilities vary and can include URL filtering, IPS/IDS, antivirus, SSL decryption, VPNs,
DLP and AppID, among other features, to consolidate functionalities into a single tool.
Firewalls can be set up to monitor boundary traffic in addition to lateral traffic and are used
for network segmentation to further lock down an organization’s critical assets. They are a
key tool for the team to gain visibility into network traffic through logs and alerts received
from different points in the environment.

The security operations team defines what information they require from the firewall,
including additional context for investigation of alerts. Many firewalls are not configured
out of the box to provide this context, so the SecOps team may have to drive that
requirement with the network security team. Although firewalls provide the visibility that
analysts need, they can also be a burden to the analysts if not continuously updated with
new policies or if not tuned properly.

Related Elements: Alerting (A), Data Capture (Dc), Operational Technology (Ot), Machine
Learning & Artificial Intelligence (Ml), Network Security (Ns), Encrypted Traffic
Visibility (Et), Virtual Asset Protection (Va), Malware Sandbox (Ms), Operational Technology
Security (Ots), Internet of Things (Iot), Data Analytics (Da), Virtual Private Network (Vpn),
Correlation (Cr), Layer 7 Inspection (Li), Intrusion Prevention Systems (Ips), Web App
Firewall (Waf)

We have to look at firewalls differently as 5G services come into the
picture. Port and protocol controls aren’t enough to protect our life-critical
and business-critical services. Security operations teams need
to quickly correlate the source of the threat, the device which is infected
and the applications being used. Lives depend on it.

DAVE DUKINFIELD
Global Solutions Architect,
5G Services,
Palo Alto Networks



WEB APPLICATION FIREWALL
A web application firewall (WAF) is a security control that protects web-based
applications from well-known Hypertext Transfer Protocol (HTTP) exploits.

Administrators craft policy controls on the WAF for a specific application hosted on
a web server. The rules in a WAF are more granular for the specific server than for
firewall, IDS and IPS controls. They are placed inline with the client/server Hypertext
Transfer Protocol Secure (HTTPS) conversation and have similar functions as a
proxy with built-in security. Granular control allows security operations to create
the right prevention policies that stop known web application attack vectors.

Related Elements: Alerting (A), Correlation (Cr), Encrypted Traffic Visibility (Et), Data
Analytics (Da), Intrusion Prevention Systems (Ips), Network Security (Ns), Data Capture (Dc),
Layer 7 Inspection (Li), Firewall (Fw)



MALWARE SANDBOX
A malware sandbox is used as a safe place to simulate an end user’s environment to test
unknown binaries that may contain viruses or other types of malicious code.

A security team can “detonate” malicious files to observe their behavior and impact to
systems and networks without impacting the production environment. Malware sandbox
features include malicious file analysis, API call tracing and memory analysis, along with
other advanced capabilities.

The combination of malware sandboxing and AI is revolutionizing the identification of
attackers in cybersecurity. AI-powered malware sandboxing allows security professionals
to analyze the behavior of malicious software in a controlled environment, swiftly
detecting and identifying new and sophisticated attack techniques. AI algorithms help
detect anomalies and malicious actions enabling proactive identification of emerging
threats and zero-day vulnerabilities. This approach offers continuous learning and
adaptation, empowering security teams to stay ahead of attackers by refining their
detection capabilities based on the insights gained from AI-powered analysis. By
leveraging the synergy of malware sandboxing and AI, organizations can bolster their
defenses and effectively mitigate the evolving landscape of cyberthreats.

Related Elements: Alerting (A), Correlation (Cr), Data Analytics (Da), Intrusion Prevention
Systems (Ips), Cloud Security (Cs), Cloud Threat Analysis (Ct), Email Security (Em), Machine
Learning & Artificial Intelligence (Ml), Endpoint Security (Es), Encrypted Traffic
Visibility (Et), Endpoint Security (Epp), Secure Access Service Edge (Sase), Network
Security (Ns), Behavioral Analytics (Ba), Firewall (Fw)

In malware sandboxing, we get to use terms like “detonate” and “blast
radius.” These are not the terms you want to hear used outside of your
sandbox.

ERIC HALLER
Vice President,
Security Operations,
Palo Alto Networks



DECEPTION TECHNIQUES
Deception techniques are active defense mechanisms used against attackers for
mitigation and containment.

Deception techniques are set up as traps (e.g., honeypots and honeytokens) that slow down
intrusions and give SecOps more opportunities to detect threats before they become a
critical event. These techniques are used to lure attackers and understand their targets and
exploited vulnerabilities.

Current deception technologies have evolved since the early honeypots. Authentic decoys
such as file servers, web servers, dev workstations, industrial control systems and OT are
created to mimic different machine types in the actual production environment. Pointers
are used in the environment to draw in attackers with real protocol and authentication
simulation. Entire subnets can also be created to draw attackers away and are particularly
useful in diverting attacker traffic away from critical environments. Deception techniques
tie up an attacker’s connection resources and allow observation and understanding of their
tactics, techniques and procedures.

Related Elements: Alerting (A), Endpoint Security (Es), Server Operations (So),
Correlation (Cr), Cloud Security (Cs), Network Security (Ns), Threat Intelligence (Ti),
Data Analytics (Da)



IDENTITY & ACCESS MANAGEMENT
IAM is a set of processes, policies, and tools for controlling user access to critical
information within an organization.

Identity and access management (IAM) controls assist the SOC in reducing the number
of stolen credentials when paired with multifactor authentication (MFA). Users must
be educated on the phishing and social engineering techniques used to bypass MFA systems.
The team managing IAM implements the least privilege policies defined by the GRC team.

Related Elements: Alerting (A), Correlation (Cr), Data Analytics (Da), Virtual Private
Network (Vpn), Governance, Risk & Compliance (Grc), Layer 7 Inspection (Li), Endpoint
Security (Epp), Network Security (Ns), Behavioral Analytics (Ba), Network Access
Control (Nac)

NETWORK ACCESS CONTROL
Network Access Controls (NAC) are designed to restrict access to a network and ensure
devices connected to a network meet security compliance requirements.

Establishing a network that only allows authorized devices to connect will reduce the
number of potentially unpatched or compromised systems connected to a network. Network
access controls reduce the number of endpoints that lack visibility or have no endpoint
security installed, so the SOC can mitigate threats against these unauthorized devices. Since
MAC addresses can be changed, network access controls are not a silver bullet and need to
be used alongside other security and threat detection tools.

Related Elements: Alerting (A), Network Security (Ns), Encrypted Traffic Visibility (Et),
Data Analytics (Da), Governance, Risk & Compliance (Grc), Correlation (Cr), Layer 7
Inspection (Li), Identity Access Management (Iam)



VIRTUAL PRIVATE NETWORK
A virtual private network (VPN) allows remote users to securely participate on the
corporate network from an external location.

VPNs are now common as a result of increased work from home and travel for business.
Depending on the client’s needs, there are two different types of VPNs. For individual
users, there is a client VPN that connects to a VPN portal. For multiple users connecting to
a particular location, there are site-to-site VPNs that require VPN concentrators at each
location. Traffic on VPNs requires special security policies because it’s considered part of
the trusted network. Connections on a VPN should be subject to the same firewall and IDS/
IPS controls used for external traffic. Security operations require visibility into this traffic
to monitor for remote user and application anomalies.

VPN tunnel types include Generic Routing Encapsulation (GRE), IPSec and SSL. Special
considerations are taken to decide which VPN to use. Not all VPNs are at the service edge
or at the firewall. VPN concentrators will also be used to establish a secure connection
between VPN nodes.

Related Elements: Alerting (A), Network Security (Ns), Encrypted Traffic Visibility (Et),
Endpoint Security (Epp), Identity Access Management (Iam), Enterprise Architecture (Ea),
Correlation (Cr), Data Analytics (Da), Firewall (Fw)



SECURE ACCESS SERVICE EDGE
SASE can help security operations control users, data and devices on the network while
providing an organization with increased performance and access speed. It also plays an
important role in the 5G environment, enabling a more secure 5G infrastructure rollout and
mobile device management.

Figure: SASE capabilities and outcomes (from the Palo Alto Networks white paper cited as the
source for this element)

Capabilities:
• Hybrid Options to Connect On-Premises and Cloud Solutions
• Continuous Monitoring and Visibility
• Integration with XDR Solutions for Threat Detection and Response
• Fully Unified Management Via a Single Console
• Integration with Endpoint Agents for Telemetry and Traffic Redirection
• Ease and Speed of Deployment
• Strong APIs to Integrate Data with Other Solutions
• Best-of-Breed Solutions
• All Functions from a Single Vendor
• Integrate with Existing Network Security Solutions
• Strong SLAs with Penalties for Downtime or Latency
• Support for Agentless Options
• Role-Based Access Control to Support Multiple IP Personas
• Transparent User Experience

Outcomes:
• Faster Network or Security Problem Resolution
• Improved User Experience Regardless of Location
• Reduced Network Solution Costs
• Reduced Security Solution Costs
• Less Branch Downtime
• Reduction in Overall Operational Complexity
• Ease of Management
• Reduced Security Operational Costs
• Reduced Staff Turnover
• Better Alignment of Network and Security Policies
• Faster Provisioning of New Users, Offices and Applications
• Reduced Network Operational Costs
• Fewer Security Incidents



Secure access service edge (SASE) merges SD-WAN and VPN technologies with network
security services, such as zero trust network access, firewall as a service and cloud access
security broker (CASB), into a single cloud security service solution. SASE inspects traffic
from user devices and controls device access on the network at the service edge. It provides
visibility into devices accessing the network and the traffic generated by those devices.

Related Elements: Alerting (A), Correlation (Cr), Malware Sandbox (Ms), Network
Security (Ns), Data Analytics (Da)

Source: Palo Alto Networks - Secure Access Service Edge for Manufacturing | White Paper



Finalizing Pillar Strategies


Once the questions for each security pillar have been answered, the
organization has a good foundation to build a SOC and implementation
teams. The main objective for a SOC is to monitor an environment to
identify, investigate, mitigate and continually improve.

128 Finalizing Pillar Strategies


APPENDICES

Appendix A: Metrics That Matter

When determining good metrics for your business, always keep in mind the mission of the
SOC and the value it provides. The business wants confidence that it can prevent attacks
and if/when a breach does occur, it can handle it quickly to limit negative impact. Good
metrics provide insight into business confidence that it can mitigate attacks. There are two
types of confidence to focus on: configuration confidence and operational confidence.

Configuration confidence is knowing that your technology is properly configured to
prevent an attack, to remediate it automatically, or to gather the proper intelligence
for analysis by a human.

Sample questions to determine configuration confidence:

• Are security controls running? Oftentimes, a “temporary” change is made to controls
and inadvertently left in place. For example, a developer may need a specific port to be
opened to perform a test, and that port remains open, providing an access point for an
attack.
• How many changes are occurring outside of the change control policy? The change
control policy should be followed for every change without any exceptions. Any
deviation from the defined process should be noted because it is relevant to the
business’s confidence in the configuration of security controls.
• Are the technologies in place configured according to best practice? Once a
technology is in place at an organization, it is rarely a “set it and forget it”
situation. Care must be taken to continually evaluate the configuration against best
practices. If the measurement of controls against best practices is low, this can drive a
plan to increase adherence. If metrics drop, then it is necessary to look into why this is
happening.
• What percent of features and capabilities are being utilized? The plethora of security
technologies is overwhelming for security operations. Many of these technologies
are poorly utilized, resulting in the business failing to understand the actual coverage
in place. As a result, [dept or role that purchases] may purchase duplicate features,
exacerbating the issue of too many technologies. Measuring the percentage of feature
use provides the business with a simple understanding of actual value being provided
by tools versus perceived value. For example, what percent of traffic flow is visible to
analysts? Estimates state that 70–80% of traffic is encrypted. The business should
know how much traffic is being analyzed in a SOC and whether SSL decryption
technology is being used.

130 Appendices
In addition to configuration confidence, businesses should have operational confidence,
which is knowing that the right people and processes are in place to handle a breach if/
when it occurs.

Sample questions to determine operational confidence:

• How many events are analysts handling per hour? The response to this is a metric
known as events per analyst hour (EPAH). A reasonable EPAH is 8–13. If the EPAH is
too high, such as 100, then this indicates that analysts are overwhelmed. They will
rush investigations, ignore events and not be set up to properly protect the business.
Also, it is important to measure per hour, not per day, because an analyst’s tasks
should shift throughout the day and shift lengths can vary, causing this number to
skew. This metric should be used to show the effectiveness of the SOC rather than to
compare employees.
• Are there repeat incidents flowing into the SOC? If threats are properly investigated,
then the outcome should feed back into security controls, and those controls should be
managed centrally so that updates do not leave disparate platforms out of sync. Repeat
incidents flowing into a SOC indicate a failure in this feedback and sync of controls.
• Is the SOC handling alerts for known threats? This also indicates a failure in security
controls because all known threats should be blocked prior to affecting the business
and being investigated by the SOC.
• How often are there deviations from SOC procedures? This metric indicates the need
for employee training on procedures or the need to update out-of-date procedures.

Metrics shared with the C-suite should focus on the confidence that the business
is properly set up to prevent or contain a breach. Additionally, CXOs will require
occasional briefings on vulnerabilities and threats making headlines.

Metrics are used to improve protections and provide confidence to the business that the
SOC is executing on its mission. However, their frequent misuse can make some reluctant
to use meaningful metrics. They may be misleading because they are too high-level and
require additional, time-consuming backup details to explain. Sometimes, they can be
interpreted as failures if they are not 100% accurate or are not gathered to eliminate a
possible paper trail that could be used by auditors. Organizations should make sure that
the metrics provided are valued, can drive business decisions and are not derailed by these
fears.

Appendix B: Successful Threat Hunting

The success of a threat-hunting team is driven by the following requirements:


Committed time—Most organizations cannot afford dedicated hunting staff but need to
allot time for hunting. This can be a few hours per day or during the week, or it can be a
dedicated person for a specific time period. Hunts are goal-oriented sprints that last no
longer than two weeks. If the two weeks are exhausted without progress, then hunters
must move on.

Process-driven, agile methodology—Hunting should be process-driven but follow an
agile methodology. Threat hunting can lead down many rabbit holes requiring agility, but
there should be a formal process in place to guide the hunt and pull back from the rabbit
holes as needed.

Clean and structured data—Most often, threat hunting is performed in a data lake.
Efficiency depends on the consistency and structure of the data. This can be done via
auto-tagging using next-generation firewalls or centralized log monitoring systems. The
data must be flexible for the many ways you want to use it. Additionally, hunters need to
understand the automated processes, alerts and behavior analysis already performed on
data to avoid duplicating efforts. Also necessary is access to appropriate tools for hunting,
including query access to a data lake, APIs and threat visualizations.

A piece of intelligence—Each hunt should start with a piece of intelligence and a
hypothesis. This could be a new vulnerability or threat that should be investigated to see if
it impacts the organization, an unusual behavior or a follow-up on a malware outbreak to
make sure it has been fully remediated.

Lessons and feedback—The end of the hunt results in documentation being shared with
the SOC, information about hunt activity and lessons learned from the hunt. If a conclusion
was reached, then updated prevention is fed back into controls to prevent future incidents
of this type. The hunt may also end when the two-week hunt period is exhausted without a
conclusion. Note that this still requires documentation about what was done.

One item to note about hunting: Hunt teams run into configuration issues when they are
blindly looking at data. A strong hunt team will specifically look for a particular kind of
breach and will not run into configuration issues. If configuration errors are all that are
found, then it is worth reevaluating the structure and cost of the hunt program and seeing
if there are less expensive ways to identify these types of configuration errors.

Appendix C: Communication Motivations

Each function of the business that communicates with the SOC will have goals and
motivations distinct from those of the SOC. This creates frustration between groups that
are trying to achieve different objectives. By understanding the motivations of different
functions, the SecOps team can better align requests and communications for better results
for the business.

Appendix D: Communication Agreement Template

A communication agreement should include information such as version history, author,
reviser, approvers of current version, process owners, the document’s official location
and revision control. A few more items to include in an agreement between the business
and the SOC:
• Introduction of the teams involved and their relationship
• Purpose of the agreement, the intention of the documents, and whether it’s a living
document
• Scope, which defines the extent of operation for this agreement: the in-scope services,
technology, tools and capabilities included and the extent to which they will be
affected. Out-of-scope services should be excluded from this agreement.
• Tools used for incident management
• Collaboration tools, ticketing mechanisms and case management
• Incident management processes, points of contact, types of incidents, specifics
included both inside and outside of the process that may require foregoing some
of the outlined process tasks, input to create an incident and results from incident
management
• Incident management roles and responsibilities, what role(s) owns which function(s)
during an incident
• Who are the end user, analyst, incident manager, engineer and SOC manager
• Incident management flow charts, including the process flow of an incident between
the teams
• Incident minimum dataset, including the minimum data required for the team(s) to
accomplish incident management
• Data collected, including ticket number, date and time, location, user(s) affected, IP
address, MAC address and description of problem
• Severity matrix, which includes the severity types, SLAs required by each of the
severity types, business impact, the time to acknowledge, the time to respond,
escalation requirements, escalation contacts, the proper path to engage the escalation
contacts, any exceptions, consequences and approvals needed
• Acronyms and definitions found in the document

Appendix E: Defining Security Orchestration

Organizations can connect disparate security technologies through standardized and
automatable workflows, enabling security teams to effectively carry out incident response
and security operations.

Security orchestration is separated into three categories: security technologies, workflows
and security teams. Here is a brief overview of all three.

Security Technologies

SOAR tools integrate with all the other security tools (and many non-security tools) that
an organization uses to provide teams with a central console to coordinate and activate
all these tools. These integrations enable inter-product conversations, data transfer and
remote execution of commands.

These product integrations are possible through a range of mechanisms, such as
Representational State Transfer (REST) APIs, SOAP APIs, SSH, Structured Query Language
(SQL) and HTTPS. The connective mechanism will depend on the types of products being
integrated, which will in turn influence the depth and fidelity of data transfer that’s
allowed between the two products.

In addition to SOAR tools, extended security intelligence and automation management
(XSIAM) takes granular data for use with ML so that detection and remediation of incidents
can be automated. ML with XSIAM data collection correlates alerts, detects emerging and
complex threats and uses native threat intelligence to protect an organization’s attack
surface.

Workflows and Playbooks

Playbooks, also known as runbooks, are task-based graphical workflows that help visualize
processes across security products. These playbooks can be fully automated, manual or
anywhere in between.

Here are some building blocks that compose playbooks:

• Automated playbook: Automated playbooks are visual abstractions for a piece of code
(an “automation”) running in the background. Users can either select from pre-existing
automation codes (most security orchestration tools will come with an out-of-the-box
list) or code their own automations.
• Playbook trigger: If a playbook is meant to automatically execute within a security
orchestration tool, it needs a trigger point. This trigger point can be any condition
that, when met, results in the start of the playbook. For example, whenever a phishing
email is ingested from a mailbox into the security orchestration tool, a phishing
response playbook is triggered and begins its execution.

• Conditional task: Through conditional tasks, security orchestration playbooks can
check the value of any incident-related artifact and execute different branches based
on the result. For example, a conditional action can check the severity of an alert and
execute different sets of actions depending on whether the severity is high, medium
or low.

Security Teams

Here are a few ways in which SOAR playbooks can work in collaboration with human
teams for combined SecOps and incident response:
• Manual tasks: When an action is too unique, nuanced or infrequent to be automated,
security orchestration playbooks can have manual tasks that act as directives for the
SOC analyst handling the respective incident.

• Task approval: Even if some actions are prime candidates for automation, they might
be too sensitive to carry out without having a human verify their need and relevance.
In such cases, automated actions can have built-in task approvals. These actions will
wait for the relevant SOC analyst’s approval before beginning execution.

• End-user engagement: If a SOAR tool has rich integrations with email tools, these
integrations can be used to engage SOC analysts in addition to end users within the
organization and improve overall process flow.

• Phishing enrichment and response: SOAR playbooks can ingest alerts from email
inboxes and coordinate actions across threat intelligence tools, sandboxes, EDR
solutions and more for repeatable and accurate response.

• Threat hunting: Threat hunting playbooks can be scheduled to run at predetermined
intervals, rapidly scanning for threats in the environment after ingesting external
threat feeds or following up on existing incidents.

• IoC enrichment: These playbooks can automate enrichment of indicators by querying
different threat intelligence tools for context and presenting the results to analysts,
freeing up time for proactive investigation.

• Incident severity assignment: Automatically assign severity to incidents by checking
parameters relevant to the organization. By reconciling threat scores with other
products, checking indicator scores and verifying the criticality of affected endpoints
and users, these playbooks ensure that analysts see the incidents that need to be seen.

• Cloud security orchestration: Coordinate response across cloud and on-premises
environments. For instance, a playbook can execute after ingesting a cloud security
alert and respond by blocking malicious IoCs on cloud appliances as well as on
firewalls that are on-premises.
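As an added illustration (constructed for this commentary, not code from the book or from any Palo Alto Networks product), the Python sketch below puts the building blocks from the two lists above together: a playbook trigger, an incident severity assignment that reconciles an indicator score with endpoint criticality, a conditional task that branches on that severity, and a task-approval gate in front of the sensitive blocking action. The incident field names, action names and thresholds are assumptions, not a product schema.

```python
from dataclasses import dataclass, field

# Constructed incident record; field names are assumptions, not a product schema.
@dataclass
class Incident:
    source: str                 # ingestion source, e.g. "mailbox" for phishing
    indicator_score: int        # 0-100 reputation score from IoC enrichment
    endpoint_critical: bool     # is the affected endpoint business-critical?
    severity: str = "unassigned"
    actions: list = field(default_factory=list)

def phishing_trigger(inc: Incident) -> bool:
    """Playbook trigger: start only for incidents ingested from a mailbox."""
    return inc.source == "mailbox"

def assign_severity(inc: Incident) -> str:
    """Incident severity assignment: reconcile indicator score with asset criticality.
    Thresholds are assumed values an organization would tune for itself."""
    if inc.indicator_score >= 80 and inc.endpoint_critical:
        inc.severity = "high"
    elif inc.indicator_score >= 50:
        inc.severity = "medium"
    else:
        inc.severity = "low"
    return inc.severity

def run_playbook(inc: Incident, approve) -> list:
    """Conditional task: branch on severity. `approve` stands in for the
    analyst's task-approval decision on the sensitive blocking action."""
    if not phishing_trigger(inc):
        return inc.actions           # trigger not met: playbook never starts
    assign_severity(inc)
    inc.actions.append("enrich_indicators")   # IoC enrichment runs on every branch
    if inc.severity == "high":
        # Sensitive automated action: wait for human approval before executing.
        if approve("block_ioc_on_firewall"):
            inc.actions.append("block_ioc_on_firewall")
        else:
            inc.actions.append("manual_task:review_block")
    elif inc.severity == "medium":
        inc.actions.append("isolate_endpoint")
    else:
        inc.actions.append("close_as_informational")
    return inc.actions
```

In a real SOAR tool the `approve` callable would be the pending-approval task shown to the analyst; here a lambda returning True or False stands in for that decision.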

Appendix F: Modular Incident Response Plan

The modular incident response plan calls out each distinct process and defines what the
SOC should be doing as a part of identification, investigation, mitigation and continuous
improvement on every incident. A clearly defined incident response plan will serve as a
strong foundation for automation by achieving consistency among analysts’ responses
(See figure on page 138).

Appendix G: Percentage of High vs. Medium vs. Low Severity Incidents Being Handled (chart)

Appendix H: Top 5 Most Common Interfacing Teams by Number of Interactions per Month (chart)

Appendix I: Average Time to Resolve in Minutes (chart)

Appendix J: Incident Type Distribution Over the Past 3 Months (chart)

Appendix K: Technology True Positive / False Positive Rate (chart; technology categories: Cloud Security, Email Security, Endpoint, Next-Generation Firewall, OS Security)
ABOUT PALO ALTO NETWORKS
Palo Alto Networks is the world’s cybersecurity leader. We innovate to outpace
cyberthreats, so organizations can embrace technology with confidence. We provide
next-generation cybersecurity to thousands of customers globally, across all sectors.
Our best-in-class cybersecurity platforms and services are backed by industry-leading
threat intelligence and strengthened by state-of-the-art automation. Whether deploying
our products to enable the Zero Trust Enterprise, responding to a security incident, or
partnering to deliver better security outcomes through a world-class partner ecosystem,
we’re committed to helping ensure each day is safer than the one before. It’s what makes
us the cybersecurity partner of choice.

www.paloaltonetworks.com

About the Authors

JOHN CAIMANO,
Senior Director, Practice Management,
Palo Alto Networks

John Caimano is a visionary Senior Director of Services & Support
Practice Management at Palo Alto Networks. He leads a team of
professionals focused on delivering innovative solutions that enable
customers to secure their organizations successfully. His leadership
style is both passionate and dynamic, committed to driving positive changes in people,
processes and technology. With over 20 years of experience in the security industry, John is
a recognized expert in his field. He is dedicated to sharing his knowledge and expertise, and
his acclaimed work, Elements of Security Operations, has become an essential resource for
security professionals worldwide.

AUSTIN ROBERTSON,
Global Practice Leader, Security Operations,
Palo Alto Networks

Austin Robertson is an expert in the field of Security Operations and
serves as the Global Practice Lead at Palo Alto Networks. With a wealth
of practical experience and a comprehensive understanding of cutting-
edge security technologies, Austin is dedicated to developing and
delivering service offerings that empower organizations to overcome their most pressing
SecOps challenges. His innovative solutions have consistently enabled clients to build,
enhance and modernize their security operations centers, providing them with a robust
and proactive defense against evolving cyberthreats. With his expertise and passion for
security, Austin is committed to helping organizations achieve unparalleled protection and
resilience in today’s dynamic threat landscape.

EDITOR
TANNER KOOISTRA
Global Solution Architect,
Security Operations,
Palo Alto Networks

CONTRIBUTORS

KRISTY MCKINLEY
Services Marketing Leader, Palo Alto Networks

ROBERT DODSON
Global Solution Architect, Cortex, Palo Alto Networks

BEN NICHOLSON
Global Practice Leader, Prisma Cloud, Palo Alto Networks

SAMUEL ROSSIER
Extended Expertise Consultant, Palo Alto Networks

BRIAN CLEMSON
Global Solution Architect, Cortex XSOAR, Palo Alto Networks

SCOTT COLEMAN
Global Solution Architect, Cortex XSIAM, Palo Alto Networks

GARETH BARUCH
Global Solution Architect, Prisma Cloud, Palo Alto Networks

STUART SAVAGE
Global Solution Architect, Endpoint and Security Operations, Palo Alto Networks

JOHN TELAN
Global Practice Leader, Cortex, Palo Alto Networks

WILLIAM SYKES
Global Enablement Architect, Cortex, Palo Alto Networks

JOHN ZAHAROPOULOS
Global Solution Architect, Core CDSS & Optimizations, Palo Alto Networks

H.S. SONG
Global Solutions Architect, Prisma Cloud, Palo Alto Networks

PETER WLODARCZYK
Senior Consultant, Endpoint and Security Operations, Palo Alto Networks

VIEWSTREAM
Design & Composition

Elements of Effective Security Operations

© March 2023

Disclaimer
This guide is written as a general guide only. It should not be relied upon as a substitute for specific professional
advice. Professional advice should always be sought before taking any action based on the information provided.
Every effort has been made to ensure that the information in this guide is correct at the time of publication. The
views expressed in this guide are those of the authors. The publishers and authors do not accept responsibility for
any errors or omissions contained herein. It is your responsibility to verify any information contained in the guide
before relying upon it.

Whether you operate a sophisticated SOC or a nimble team
of security experts, the Elements of Security Operations
provides an essential guide for creating a strong foundation of
capabilities, best practices and innovative techniques on your
journey to the modern SOC.

This book helps you create your own SOC strategy by breaking
down the elements of security operations—and clearly
identifying the building blocks necessary for a security
organization to meet the goals of the business. These building
blocks go beyond just people, processes and technology by
expanding into the business requirements, the visibility that is
required to defend the business and the affiliate organizations
needed for collaboration to achieve the mission of the security
organization.

By understanding these elements, you can improve upon
existing functions and develop those that are lacking, creating
both opportunities and advantages for the SOC that end in
desired results for the business.