SOC Analyst Live Workshop

Course Overview

Is your organization looking for a quick and effective way to onboard new security analysts, engineers, and architects? Do your Security Operations Center (SOC) managers need additional technical perspective on how to improve analysis quality, reduce turnover, and run an efficient SOC? SEC450 is an accelerated on-ramp for new cyber defense team members and SOC managers. This course introduces students to the tools common to a defender’s work environment, and packs in all the essential explanations of tools, processes, and data flow that every blue team member needs to know. Students will learn the stages of security operations: how data is collected, where it is collected, and how threats are identified within that data. The class dives deep into tactics for triage and investigation of events that are identified as malicious, as well as how to avoid common mistakes and perform continual high-quality analysis. Students will learn the inner workings of the most popular protocols, and how to identify weaponized files as well as attacks within the hosts and data on their network. The course employs practical, hands-on instruction using a simulated SOC environment with a real, fully-integrated toolset that includes:

• Security Information and Event Management (SIEM)
• An incident tracking and management system
• A threat intelligence platform
• Packet capture and analysis
• Automation tools

While cyber defense can be a challenging and engaging career, many SOCs are negatively affected by turnover. To preemptively tackle this problem, this course also presents research-backed information on preventing burnout and how to keep engagement high through continuous growth, automation, and false positive reduction. Students will finish the course with a full-scope view of how collection and detection work, how SOC tools are used and fit together, and how to keep their SOC up and running over the long term.

Prerequisites

A basic understanding of TCP/IP and general operating system fundamentals is needed for this course. Being Used to the Linux command-line, network security monitoring, and SIEM solutions is a bonus. Some basic entry-level security concepts are assumed.

Who Should Attend SEC450?

This course is intended for those who are early in their career or new to working in a SOC environment, including:

• Security Analysts
• Incident Investigators
• Security Engineers and Architects
• Technical Security Managers
• SOC Managers looking to gain additional technical perspective on how to improve analysis quality, reduce turnover, and run an efficient SOC
• Anyone looking to start their career on the blue team

Content Overview

1. Blue Team Tools and Operations.
2. Understanding Your Network.
3. Understanding Endpoints, Logs, and Files.
4. Triage and Analysis.
5. Continuous Improvement, Analytics, and Automation.
6. Capture the Flag.

Course Exercises

• TheHive Incident Management System.
• MISP Threat Intelligence Platform.
• SIEM with the Elastic Stack.
• Exploring DNS.
• HTTP and HTTPS Analysis.
• SMTP and Email Analysis.
• Interpreting Windows Logs.
• Log Enrichment and Visualization.
• Malicious File Identification.
• Alert Triage and Prioritization.
• Structured Analytical Challenge.
• Collecting and Documenting Incident Information.
• Alert Tuning.
• Security Automation.
• Incident Containment.

Your Instructor