Security Operations (SecOps) encompasses the people, processes, and technologies that detect, analyse, and respond to security threats in real time. The Security Operations Center (SOC) is the nerve centre of an organisation's cyber defence.
A SOC is a team of security professionals who monitor and defend against threats 24/7:
| Role | Responsibility |
|---|---|
| SOC Analyst (Tier 1) | Triage alerts, initial investigation, escalate if needed |
| SOC Analyst (Tier 2) | Deep-dive investigation, correlate events, determine impact |
| SOC Analyst (Tier 3) | Advanced threat hunting, malware analysis, forensics |
| SOC Manager | Oversee operations, manage team, report to leadership |
| Threat Intelligence Analyst | Research emerging threats, provide context to SOC |
| Incident Responder | Lead incident containment and remediation |

The effectiveness of a SOC is typically measured with these metrics:
| Metric | Definition |
|---|---|
| MTTD | Mean Time to Detect — how quickly a threat is identified |
| MTTR | Mean Time to Respond — how quickly a threat is contained |
| MTTC | Mean Time to Contain — how quickly the blast radius is limited |
| False Positive Rate | Percentage of alerts that are not actual threats |
| Alert Volume | Number of alerts generated per day/week |
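As an added example (not part of the original lesson), the following Python script computes these metrics over a constructed set of alert records such as a SIEM or ticketing system would export. The timestamps, the field names and the choice to measure MTTR and MTTC from the moment of detection are assumptions of the example; false positives carry no activity or containment time and are excluded from the time-based averages so they cannot skew them.

```python
from datetime import datetime
from statistics import mean

# Constructed sample alerts (illustrative values, not real incident data).
# For true positives the record carries when the malicious activity began,
# when the SOC detected it, when an analyst first acted, and when it was contained.
ALERTS = [
    {"id": "A-1", "true_positive": True,  "activity": "2024-03-01T08:00:00",
     "detected": "2024-03-01T08:30:00", "responded": "2024-03-01T09:00:00",
     "contained": "2024-03-01T11:00:00"},
    {"id": "A-2", "true_positive": True,  "activity": "2024-03-02T10:00:00",
     "detected": "2024-03-02T12:00:00", "responded": "2024-03-02T12:15:00",
     "contained": "2024-03-02T13:00:00"},
    {"id": "A-3", "true_positive": False, "activity": None,           # benign: closed after triage
     "detected": "2024-03-03T14:00:00", "responded": "2024-03-03T14:20:00",
     "contained": None},
    {"id": "A-4", "true_positive": True,  "activity": "2024-03-04T01:00:00",
     "detected": "2024-03-04T02:30:00", "responded": "2024-03-04T03:00:00",
     "contained": "2024-03-04T05:30:00"},
]


def _ts(value):
    """Parse an ISO-8601 string, passing None through for missing timestamps."""
    return datetime.fromisoformat(value) if value else None


def _mean_hours(alerts, start_key, end_key):
    """Average (end - start) in hours over the alerts that have both timestamps."""
    deltas = []
    for a in alerts:
        start, end = _ts(a[start_key]), _ts(a[end_key])
        if start is not None and end is not None:
            deltas.append((end - start).total_seconds() / 3600.0)
    return mean(deltas) if deltas else None  # None rather than a division-by-zero crash


def true_positives(alerts):
    return [a for a in alerts if a["true_positive"]]


def mttd(alerts):
    """Mean Time to Detect: start of malicious activity -> detection (true positives only)."""
    return _mean_hours(true_positives(alerts), "activity", "detected")


def mttr(alerts):
    """Mean Time to Respond: detection -> first analyst action (assumed definition)."""
    return _mean_hours(true_positives(alerts), "detected", "responded")


def mttc(alerts):
    """Mean Time to Contain: detection -> containment (assumed definition)."""
    return _mean_hours(true_positives(alerts), "detected", "contained")


def false_positive_rate(alerts):
    """Fraction of all alerts that turned out not to be real threats."""
    if not alerts:
        return None
    return sum(1 for a in alerts if not a["true_positive"]) / len(alerts)


def alerts_per_day(alerts):
    """Alert volume normalised per calendar day across the observed period."""
    if not alerts:
        return None
    days = sorted(_ts(a["detected"]).date() for a in alerts)
    span_days = (days[-1] - days[0]).days + 1
    return len(alerts) / span_days


def summary(alerts):
    return {
        "mttd_hours": mttd(alerts),
        "mttr_hours": mttr(alerts),
        "mttc_hours": mttc(alerts),
        "false_positive_rate": false_positive_rate(alerts),
        "alerts_per_day": alerts_per_day(alerts),
    }


if __name__ == "__main__":
    for name, value in summary(ALERTS).items():
        print(f"{name:>20}: {'n/a' if value is None else f'{value:.2f}'}")
```

Running the script prints the five figures for the sample set; the functions return `None` instead of raising when a set contains no usable records, which is the case a reporting job hits on a quiet day.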
A Security Information and Event Management (SIEM) platform is the core technology of most SOCs; it aggregates, correlates, and analyses security events:
```
Log Sources             SIEM Platform              Outputs
┌───────────┐           ┌──────────────┐           ┌────────────┐
│ Firewalls │──┐        │ Normalise    │           │ Alerts     │
│ Servers   │──┤ Collect│ Correlate    │           │ Reports    │
│ Apps      │──┼───────▶│ Analyse      │──────────▶│ Dashboards │
│ Endpoints │──┤        │ Store        │           │ Tickets    │
│ Cloud     │──┘        └──────────────┘           └────────────┘
```

Core SIEM capabilities:
| Capability | Description |
|---|---|
| Log aggregation | Collect logs from all sources in a central location |
| Normalisation | Convert logs to a common format for analysis |
| Correlation | Link related events across different sources |
| Alerting | Generate alerts when rules or thresholds are triggered |
| Dashboards | Visualise security posture and trends |
| Retention | Store logs for compliance and forensic analysis |
| Threat intelligence | Enrich alerts with external threat data |
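To make the collect, normalise, correlate and alert stages concrete, here is an added example (not the lesson's own code and not any real SIEM product) of a minimal pipeline in Python. It ingests constructed log lines from two sources, an sshd syslog and a key=value firewall log, maps both onto one common event schema, and runs two correlation rules: one within a single source (repeated failed logins from one IP followed by a success) and one across sources (a successful login whose source IP was also denied by the firewall shortly before or after). The hostnames, users, IPs (documentation ranges), thresholds and windows are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs (invented hosts, users and documentation-range IPs; not real data).
# Syslog lines carry no year, so the normaliser assumes YEAR below.
YEAR = 2024
RAW_LOGS = [
    "Mar 10 09:00:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar 10 09:00:04 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Mar 10 09:00:09 bastion sshd[2240]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Mar 10 09:00:15 bastion sshd[2244]: Accepted password for root from 203.0.113.7 port 51244 ssh2",
    "Mar 10 09:01:00 bastion sshd[2250]: Failed password for alice from 198.51.100.5 port 40000 ssh2",
    "Mar 10 09:01:30 bastion sshd[2251]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2",
    "ts=2024-03-10T09:02:10Z action=deny src=203.0.113.7 dst=10.0.0.12 dport=445 proto=tcp",
    "ts=2024-03-10T09:02:11Z action=deny src=203.0.113.7 dst=10.0.0.13 dport=445 proto=tcp",
    "ts=2024-03-10T09:02:12Z action=allow src=10.0.0.5 dst=10.0.0.12 dport=443 proto=tcp",
]

SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Rule parameters (assumed values; tune to the environment's baseline)
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)
CROSS_WINDOW = timedelta(minutes=10)


def normalise(line):
    """Collect + normalise: map one raw line from either source onto the common schema."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts.replace(tzinfo=timezone.utc), "source": "sshd", "host": m["host"],
                "src_ip": m["ip"], "user": m["user"],
                "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    if line.startswith("ts="):
        kv = dict(part.split("=", 1) for part in line.split())
        return {"ts": datetime.fromisoformat(kv["ts"].replace("Z", "+00:00")), "source": "firewall",
                "host": None, "src_ip": kv["src"], "dst_ip": kv["dst"], "dport": int(kv["dport"]),
                "user": None, "outcome": kv["action"]}
    return None  # unknown format: a real pipeline would count and shelve these for parser work


def rule_bruteforce_then_success(events):
    """Single-source correlation: >= FAIL_THRESHOLD failures from one IP inside FAIL_WINDOW, then a success."""
    alerts, recent_failures = [], defaultdict(list)
    for e in sorted((e for e in events if e["source"] == "sshd"), key=lambda e: e["ts"]):
        ip = e["src_ip"]
        recent_failures[ip] = [t for t in recent_failures[ip] if e["ts"] - t <= FAIL_WINDOW]
        if e["outcome"] == "failure":
            recent_failures[ip].append(e["ts"])
        elif len(recent_failures[ip]) >= FAIL_THRESHOLD:
            alerts.append({"rule": "bruteforce_then_success", "severity": "high", "src_ip": ip,
                           "user": e["user"], "ts": e["ts"], "failures": len(recent_failures[ip])})
            recent_failures[ip].clear()  # one alert per burst, not one per later success
    return alerts


def rule_login_src_denied_by_firewall(events):
    """Cross-source correlation: a successful login whose source IP the firewall also denied within CROSS_WINDOW."""
    denies = defaultdict(list)
    for e in events:
        if e["source"] == "firewall" and e["outcome"] == "deny":
            denies[e["src_ip"]].append(e)
    alerts = []
    for e in events:
        if e["source"] == "sshd" and e["outcome"] == "success":
            related = [d for d in denies[e["src_ip"]] if abs(d["ts"] - e["ts"]) <= CROSS_WINDOW]
            if related:
                alerts.append({"rule": "login_src_denied_by_firewall", "severity": "medium",
                               "src_ip": e["src_ip"], "user": e["user"], "ts": e["ts"],
                               "denied_ports": sorted({d["dport"] for d in related})})
    return alerts


def run_pipeline(raw_lines):
    """Collect -> normalise -> correlate -> alert; returns (normalised events, alerts)."""
    events = [ev for ev in (normalise(line) for line in raw_lines) if ev is not None]
    alerts = rule_bruteforce_then_success(events) + rule_login_src_denied_by_firewall(events)
    return events, alerts


if __name__ == "__main__":
    events, alerts = run_pipeline(RAW_LOGS)
    print(f"{len(events)} events normalised, {len(alerts)} alerts raised")
    for a in alerts:
        print(f"[{a['severity']}] {a['rule']} src={a['src_ip']} user={a['user']} at {a['ts'].isoformat()}")
```

On the sample data the first rule fires once for 203.0.113.7 (three failures in under a minute, then a success) and the second fires because the same IP was denied on port 445 two minutes after logging in, while the single failed attempt from 198.51.100.5 stays below the threshold. The value of normalisation is visible in the second rule: it joins an sshd event and a firewall event on `src_ip` and `ts` without knowing either source's native format.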

Commonly deployed SIEM platforms:
| Platform | Notes |
|---|---|
| Splunk | Industry leader, powerful search language (SPL) |
| Microsoft Sentinel | Cloud-native SIEM on Azure |
| Elastic Security | Open-source based on Elasticsearch |
| IBM QRadar | Enterprise SIEM with AI capabilities |
| Google Chronicle | Cloud-native, leverages Google infrastructure |
| Wazuh | Open-source SIEM and XDR |
Incident response (IR) is the structured process for handling security incidents:
```
┌────────────────┐    ┌──────────────────┐    ┌──────────────────────┐    ┌──────────────────┐
│ 1. Preparation │───▶│ 2. Detection &   │───▶│ 3. Containment,      │───▶│ 4. Post-Incident │
│                │    │    Analysis      │    │    Eradication &     │    │    Activity      │
│                │    │                  │    │    Recovery          │    │                  │
└────────────────┘    └──────────────────┘    └──────────────────────┘    └──────────────────┘
```