Home » Cyber Security – Certificate IV » VU23225 Investigate Windows security features » Detailed Report on VU23225 Investigate Windows Security Features – Lesson 04

Detailed Report on VU23225 Investigate Windows Security Features – Lesson 04

Overview

The document titled “VU23225 Investigate Windows Security Features – Lesson 04” covers the concepts of Security Operations Centres (SOCs) and Security Incident and Event Management (SIEM) systems. It also introduces the SIEM tool called Splunk. The content is aimed at providing an understanding of the structure and functions of SOCs, different SOC models, and the features and operations of SIEM systems.

1. Objectives

The lesson sets out the following objectives:

  • Describe the organisational structure of a typical SOC.
  • Describe various SOC models and types.
  • Describe the features and functions of a SIEM.
  • Introduction to Splunk Data Analytics.

2. Security Operation Centre (SOC)

A SOC is a centralized unit responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents and threats.

SOC Components: People

  • Security Analysts: Monitor and analyze security events, identify threats, and escalate incidents.
  • Incident Responders: Address and contain security incidents, investigate scope and impact, and coordinate remediation.
  • SME Threat Hunters: Collect and analyze threat intelligence to identify emerging threats and vulnerabilities.
  • SOC Manager: Oversees SOC operations, sets strategic objectives, manages resources, and ensures collaboration.

SOC Components: Processes

  • Monitoring: Continuous monitoring of network traffic, systems, logs, and security events.
  • Incident Management: Structured approach to handle security incidents.
  • Threat Hunting: Proactive exploration of networks and systems to identify hidden threats.
  • Vulnerability Management: Regular assessment and remediation of vulnerabilities.
  • Reporting and Communication: Regular reporting on security incidents, threat landscape updates, and performance metrics.

SOC Components: Technology

  • SIEM System: Collects and correlates security logs and events from various sources.
  • Intrusion Detection and Prevention Systems (IDPS): Monitors network traffic for signs of malicious activity.
  • Threat Intelligence Platforms: Aggregates and analyzes threat intelligence data.
  • Endpoint Detection and Response (EDR) Tools: Provides visibility into endpoints.
  • Automation and Orchestration: Streamlines routine tasks and improves response times.

SOC Components: Infrastructure

  • Physical Infrastructure: Office space, workstations, network connectivity, servers, storage, and backup systems.
  • Security Appliances: Firewalls, IDS, network taps, and other security appliances.
  • Virtual Infrastructure: Virtualized environments and cloud-based platforms.
  • Incident Response Playbooks: Predefined procedures for handling specific types of incidents.
  • Training and Development: Regular training programs for SOC staff.

SOC Models

  • In-house SOC: Managed by the organization’s own cybersecurity professionals.
  • Co-managed SOC: Partnership between an organization and a managed security service provider (MSSP).
  • Managed SOC: All security operations are outsourced to a third-party provider.
  • Virtual SOC: Operates remotely using cloud-based tools.
  • Hybrid SOC: Combines elements of in-house and outsourced services.

3. Security Information Event Management (SIEM)

A SIEM system is crucial for monitoring, detecting, and responding to security incidents by collecting and analyzing data from various sources.

SIEM Features and Structure

  • Data Collection: Gathers data from network devices, servers, endpoints, security appliances, and applications.
  • Event Correlation: Identifies patterns and relationships among events to detect complex attack patterns.
  • Real-Time Monitoring and Alerting: Provides continuous monitoring and generates alerts for potential security incidents.
  • Threat Intelligence Integration: Incorporates external threat intelligence for enhanced detection.
  • Incident Response and Workflow Management: Facilitates incident response with tools and workflows.
  • Reporting and Compliance: Generates detailed reports on security events, incident trends, and compliance status.
  • Log Management and Retention: Efficient storage, indexing, and retention of log data.
  • Scalability and Flexibility: Handles large volumes of data and offers deployment options including on-premises, cloud-based, or hybrid models.

4. Introduction to Splunk

Splunk is a software platform for searching, analyzing, and visualizing machine-generated data from various sources.

Splunk Environment

  • Forwarders: Send data to indexers in real-time.
  • Indexers: Process incoming data and store results in indexes.
  • Search Head: GUI for users to search indexed data using Search Processing Language (SPL).

Splunk User Roles

  • Admin: Has the most capabilities, can install apps, create knowledge objects, and manage users.
  • Power: Can edit shared objects and alerts, create and share knowledge objects.
  • User: Can create and edit saved searches, run searches, and see their own knowledge objects.
  • can_delete: Allows users to delete by keyword.

Splunk Deployment Models

  • Single Instance: All components packaged into a single server.
  • Basic Deployment: Server with additional forwarders attached.
  • Multi-Instance: Increased indexing capacity with search management and index functions split across multiple machines.

Accessing Free Splunk Training

  • Splunk provides free access to 22 eLearning Micro Courses and practice labs for students.
  • Additional resources and tutorials are available on platforms like Coursera.

Conclusion

The document provides a detailed overview of SOCs, their components, and different models. It also explains the features and structure of SIEM systems, with an introduction to Splunk, a popular SIEM tool. This information is crucial for understanding the setup, functions, and tools involved in effective cybersecurity operations.

 

Scroll to Top