Security Operations Center
Joseph Muniz, Gary McIntyre, Nadhem AlFardan
Cisco Press, 800 East 96th Street, Indianapolis, Indiana 46240 USA

Copyright 2016 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America. First Printing November 2015.
Library of Congress Control Number: 2015950793
ISBN-13: 978-0-13-405201-4
ISBN-10: 0-13-405201-3

Warning and Disclaimer
This book is designed to provide information about building and running a Security Operations Center (SOC). Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at or (800) 382-3419.
For government sales inquiries, please contact
For questions about sales outside the , please contact

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.

Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Business Operation Manager, Cisco Press: Jan Cornelssen
Acquisitions Editor: Denise Lincoln
Managing Editor: Sandra Schroeder
Senior Development Editor: Christopher Cleveland
Senior Project Editor: Tonya Simpson
Copy Editor: Keith Cline
Technical Editors: Dr. Fred Mpala, Matthew Waters
Editorial Assistant: Vanessa Evans
Cover Designer: Mark Shirar
Composition: codeMantra
Indexer: WordWise Publishing Services
Proofreader: Sarah Kearns

About the Authors
Joseph Muniz is a consultant at Cisco Systems and a security researcher.
Joseph started his career in software development and later managed networks as a contracted technical resource. Joseph moved into consulting and found a passion for security while meeting with a variety of customers. He has been involved with the design and implementation of multiple projects, ranging from Fortune 500 corporations to large federal networks. Joseph is the author of and contributor to several books and is a speaker at popular security conferences. Check out his blog, , which showcases the latest security events, research, and technologies.
Gary McIntyre is a seasoned information security professional focusing on the development and operation of large-scale information security programs. As an architect, manager, and consultant, he has worked with a wide range of public and private sector organizations around the world to design, build, and maintain small to large security operations teams. He currently holds a master's degree from the University of Toronto and has also been a long-time (ISC)2 instructor.

Dr. Nadhem AlFardan has more than 15 years of experience in the area of information security and holds a in Information Security from Royal Holloway, University of London.
Nadhem is a senior security solution architect working for Cisco Systems. Before joining Cisco, he worked for Schlumberger and HSBC. Nadhem is CISSP certified and is an ISO 27001 lead auditor. He is also CCIE Security certified. In his research, Nadhem has published a number of papers at prestigious conferences, such as IEEE S&P and USENIX Security, mainly on cryptanalysis topics. His work involved working with organizations such as Google, Microsoft, Cisco, Mozilla, OpenSSL, and many others, mainly to help them assess and fix major findings in the Transport Layer Security/Secure Sockets Layer (TLS/SSL) protocol.
His work is referenced in a number of IETF standards.

About the Technical Reviewers
Dr. Fred Mpala is a security professional with broad experience in security and risk management.
Matthew Waters is a seasoned security professional and chief information security officer within the financial sector, specializing in large-scale transformation programs.

Dedications
Joseph Muniz: I would like to give a huge thank you to my friends and family for supporting me for this and my other crazy projects. This book goes out to Irene Muniz, Ray Muniz, Alex Muniz, Raylin Muniz, Ning Xu, my friends at Cisco, and the many other great people in my life.
Gary McIntyre: For Candice and Winston, who paid the highest price to see this through.

Acknowledgments
Joseph Muniz: I will start by thanking Gary McIntyre and Nadhem AlFardan for including me on this project. I really enjoyed collaborating on the material and hope that they do not mind my input. If they do, it is probably too late by now anyway. I had help with validating my content and would like to recognize Jeff Williams and Aamir Lakhani. Jeff is the NetFlow ninja and assisted with reviewing my Lancope contributions. Aamir is my good friend and co-authored two books with me prior to this project.