Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Assess current prevention, detection, analysis, and response capabilities.
Design your optimized state of operations.
Identify opportunities for collaboration within your security program.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Determine current prevention, detection, analysis, and response capabilities, operational inefficiencies, and opportunities for improvement.
Determine why you need a sound security operations program.
Understand Info-Tech’s threat collaboration environment.
Evaluate your current security operation’s functions and capabilities.
1.1 Understand the benefits of refining your security operations program.
1.2 Gauge your current prevention, detection, analysis, and response capabilities.
Security Operations Preliminary Maturity Assessment Tool
Begin developing and prioritizing gap initiatives in order to achieve the optimal state of operations.
Establish your goals, obligations, scope, and boundaries.
Assess your current state and define a target state.
Develop and prioritize gap initiatives.
Define the cost, effort, alignment, and security benefits of each initiative.
Develop a security strategy operational roadmap.
2.1 Assess your current security goals, obligations, and scope.
2.2 Design your ideal target state.
2.3 Prioritize gap initiatives.
Information Security Strategy Requirements Gathering Tool
Security Operations Maturity Assessment Tool
Identify opportunities for collaboration.
Formalize your operational process flows.
Develop a comprehensive and actionable measurement program.
Understand the current security operations process flow.
Define the security operations stakeholders and their respective deliverables.
Formalize an internal information-sharing and collaboration plan.
3.1 Identify opportunities for collaboration.
3.2 Formalize a security operations collaboration plan.
3.3 Define operational roles and responsibilities.
3.4 Develop a comprehensive measurement program.
Security Operations RACI & Program Plan Tool
Security Operations Collaboration Plan
Security Operations Cadence Schedule Template
Security Operations Metrics Summary
“A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Protect your assets by preparing for the inevitable; unify your prevention, detection, analysis, and response efforts and provide assurance to your stakeholders that you are making information security a top priority.”
Edward Gray,
Consulting Analyst, Security, Risk & Compliance
Info-Tech Research Group
This Research Is Designed For:
This Research Will Help You:
This Research Will Also Assist:
This Research Will Help Them:
Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment) and $143 is indirect cost (e.g. abnormal customer churn). (Source: Ponemon Institute, “2015 Cost of Data Breach Study: United States”)
(Source: The Network, “Cisco 2017 Security Capabilities Benchmark Study”)
60% of organizations say security operation teams have little understanding of each other’s requirements.
40% of executives report that poor coordination leads to excessive labor and IT operational costs.
38-100% increase in efficiency after closing operational gaps with collaboration.
(Source: Forbes, “The Game Plan for Closing the SecOps Gap”)
“Empower a few administrators with the best information to enable fast, automated responses.” Insufficient security personnel resourcing has been identified as the most prevalent challenge in security operations… When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify inefficiencies in the incident response (IR) process, impacting the organization’s ability to minimize damage and downtime. The solution: optimize your SOC. Info-Tech has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization.
Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operations, and technology infrastructure on a daily basis.
Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.
Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.
Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.
Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.
Vulnerability Management
Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
Deliverables
Threat Intelligence
Threat intelligence addresses the collection, analysis, and dissemination of external threat data. Analysts act as liaisons to their peers, publishing actionable threat alerts, reports, and briefings. Threat intelligence proactively monitors and identifies whether threat indicators are impacting your organization.
Operations
Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. Analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.
Develop and Implement a Security Incident Management Program
Incident Response
Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. IR teams coordinate root-cause analysis and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.
…better protect your organization with an interdependent and collaborative security operations program.
Phase 01: Assess your operational requirements.
Briefly assess your current prevention, detection, analysis, and response capabilities. Highlight operational weak spots that should be addressed before progressing.
Phase 02: Optimize and further mature your security operations processes.
Develop a prioritized list of security-focused operational initiatives. Conduct a holistic analysis of your operational capabilities.
Phase 3a: Develop the process flow and specific interaction points between functions.
Define the operational interaction points between security-focused operational departments. Document the results in a comprehensive operational interaction agreement.
Phase 3b: Test your current capabilities with a tabletop exercise.
Test your operational processes with Info-Tech’s security operations tabletop exercise.
Effective security operations management will help you do the following:
Impact
Short term:
Long term:
A practical approach, justifying the value of security operations, is to identify the assets at risk and calculate the cost to the company should the information assets be compromised (i.e. assess the damage an attacker could do to the business).
| Cost Structure | Cost Estimation ($) for SMB (small and medium-sized business) | Cost Estimation ($) for LE (large enterprise) |
| --- | --- | --- |
| Security controls: technology investment (software, hardware, facility, maintenance, etc.); cost of process implementation (incident response, CMDB, problem management, etc.); cost of resources (salary, training, recruiting, etc.) | $0-300K/year | $200K-2M/year |
| Security incidents (if no security control is in place): explicit cost | $15K-650K/year | $270K-11M/year |
Contact your account representative or email Workshops@InfoTech.com for more information.
Workshop Day 1 | Workshop Day 2 | Workshop Day 3 | Workshop Day 4 | Workshop Day 5
Activities
Deliverables
All Final Deliverables
1. Assess Operational Requirements
2. Develop Maturity Initiatives
3. Define Interdependencies
Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
Estimated time to completion: 30 minutes
Discussion: Why are we pursuing this project? What are the objectives for optimizing and developing sound security operations?
Stakeholders Required:
Resources Required:
Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.
Security operations must provide several fundamental functions:
At its core, a security operations program is responsible for the prevention, detection, analysis, and response of security events.
Optimized security operations can seamlessly integrate threat and incident management processes with monitoring and compliance workflows and resources. This integration unlocks efficiency.
Security Operations Capabilities: Foundational, Operational, Strategic.
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address threats impacting the organization’s brand, operations, and technology infrastructure.
Info-Tech Best Practice: Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.
Develop and Implement a Security Incident Management Program
The value of a SOC can be achieved with fewer prerequisites than you think. While it is difficult to cut back on process and technology requirements, human capital is transferrable between roles and functions and can be cross-trained to satisfy operational gaps.
People. Effective human capital is fundamental to establishing an efficient security operations program, and if enabled correctly, can be the driving factor behind successful process optimization. Ensure you address several critical human capital components:
Processes. Formal and informal mechanisms that bridge security throughout the collaboration environment and organization at large. Ask yourself:
Technology. The composition of all infrastructure, systems, controls, and tools that enable processes and people to operate and collaborate more efficiently. Determine:
At a high level, assess your organization’s operational maturity in each of the threat collaboration environment functions. Determine whether the foundational processes exist in order to mature and streamline your security operations.
Develop and Implement a Security Incident Management Program
Prioritize the component most important to the development of your security operations program.
Each “security capability” covers a component of the overarching “security function.” Assign a current and target maturity score to each respective security capability. (Note: The CMMI maturity scores are further explained on the following slide.) Document any/all comments for future Info-Tech analyst discussions.
| Score | Maturity level | Description |
| --- | --- | --- |
| 1 | Initial/Ad Hoc | Activity is not well defined and is ad hoc, e.g. no formal roles or responsibilities exist, de facto standards are followed on an individual-by-individual basis. |
| 2 | Developing | Activity is established and there is moderate adherence to its execution, e.g. while no formal policies have been documented, content management is occurring implicitly or on an individual-by-individual basis. |
| 3 | Defined | Activity is formally established, documented, repeatable, and integrated with other phases of the process, e.g. roles and responsibilities have been defined and documented in an accessible policy; however, metrics are not actively monitored and managed. |
| 4 | Managed and Measurable | Activity execution is tracked by gathering qualitative and quantitative feedback, e.g. metrics have been established to monitor the effectiveness of tier-1 SOC analysts. |
| 5 | Optimized | Qualitative and quantitative feedback is used to continually improve the execution of the activity, e.g. the organization is an industry leader in the respective field; research and development efforts are allocated in order to continuously explore more efficient methods of accomplishing the task at hand. |
Notes: Info-Tech seldom sees a client achieve a CMMI score of 4 or 5. To achieve a state of optimization there must be a subsequent trade-off elsewhere. As such, we recommend that organizations strive for a CMMI score of 3 or 4.
Review the report cards for each of the respective threat collaboration environment functions.
Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
A common challenge for security leaders is learning to express their initiatives in terms that are meaningful to business executives.
Frame the importance of your security operations program to Oftentimes resourcing and funding is dependent on the
Corporate goals and objectives can be categorized into three major buckets:
Developing a security operations strategy is a proactive activity that enables you to get in front of any upcoming business projects or industry trends rather than having to respond reactively later on. Consider as many foreseeable variables as possible!
It is important to define all security-related areas of responsibility. Upon completion you should clearly understand what you are trying to secure.
Ask yourself:
The organizational scope and boundaries can be categorized into four major buckets:
This also includes what is not within scope. For some outsourced services or locations you may not be responsible for security. For some business departments you may not have control of security processes. Ensure that it is made explicit at the outset what will be included in and what will be excluded from security considerations.
Explicitly understanding how security aligns with the core business mission is critical for having a strategic plan and fulfilling the role of business enabler.
Download and complete the information security goals, obligations, and scope activities (Section 1.3) within the Info-Tech security strategy research publication. If previously completed, take the time to review your results.
Goals & Obligations
If a well-defined corporate strategy does not exist, these questions can help pinpoint objectives:
Program Scope & Boundaries
For more information on how to complete the goals & obligations activity please reference Section 1.3 of Info-Tech’s Build an Information Security Strategy blueprint.
On tab 1. Goals and Obligations:
On tab 2. Scope and Boundaries:
For the purpose of this security operations initiative, please IGNORE the risk tolerance activities on tab 3.
A common challenge for security leaders is expressing their initiatives in terms that are meaningful to business executives. This exercise helps make explicit the link between what the business cares about and what security is trying to do.
Define your current and target state: Self-assess your current security operations capabilities and determine your intended state.
Create your gap initiatives: Determine the operational processes that must be completed in order to achieve the target state.
Prioritize your initiatives: Define your prioritization criteria (cost, effort, alignment, security benefit) based on your organization.
Build a Gantt chart for your upcoming initiatives: The final output will be a Gantt chart to action your prioritized initiatives.
Progressive improvements provide the most value to IT and your organization. Leaping from pre-foundation to complete optimization is an ineffective goal. Systematic improvements to your security performance deliver value to your organization at each step along the way.
Dashboards: Centralized visibility, threat analytics, and orchestration enable faster threat detection with fewer resources.
Adding more controls to a network never increases resiliency. Identify technological overlaps and eliminate unnecessary costs.
Automation: There is a shortfall in human capital in contrast to the required tools and processes. Automate the more trivial processes.
SOCs with 900 employees are just as efficient as those with 35-40. There is an evident tipping point in marginal value.
There are no plug-and-play technological solutions – each is accompanied by a growing pain and an affiliated human capital cost.
Planning: Narrow the scope of operations to focus on protecting assets of value.
Cross-train employees throughout different silos. Enable them to wear multiple hats.
Practice: None of the processes happen in a vacuum. Make the most of tabletop exercises and other training exercises.
Define appropriate use cases and explicitly state the threat escalation protocol. Focus on automating the tier-1 analyst role.
1. Review: The heading in blue is the security domain, light blue is the subdomain, and white is the specific control.
2. Determine and Record: Ask participants to identify your organization’s current maturity level for each control. Next, determine a target maturity level that meets the requirements of the area (requirements should reflect the goals and obligations defined earlier).
3. In small groups, have participants answer “what is required to achieve the target state?” Not all current/target state gaps will require additional description, explanation, or an associated initiative. You can generate one initiative that may apply to multiple line items.
When customizing your gap initiatives consider your organizational requirements and scope while remaining realistic. Below is an example of lofty vs. realistic initiatives:
Lofty: Perform thorough, manual security analysis.
Realistic: Leverage our SIEM platform to perform more automated security analysis through the use of log information.
| Initiatives | | Consolidated Initiatives | Note |
| --- | --- | --- | --- |
| Document data classification and handling in AUP | —› | Document data classification and handling in AUP | Keep urgent or exceptional initiatives separate so they can be addressed appropriately. |
| Document removable media in AUP; Document BYOD and mobile devices in AUP; Document company assets in Acceptable Use Policy (AUP) | —› | Define and document an Acceptable Use Policy | Other similar or related initiatives can be consolidated into one item. |
After inputting your current and target scores and defining your gap initiatives in tab 2, review tab 3. Current Maturity and tab 4. Maturity Gap in Info-Tech’s Security Operations Maturity Assessment Tool. Automatically built charts and tables provide a clear visualization of your current maturity. Presenting these figures to stakeholders and management can help visually draw attention to high-priority areas and contextualize the gap initiatives for which you will be seeking support.
Communicate the value of future security projects to stakeholders by copying relevant charts and tables into an executive stakeholder communication presentation (ask an Info-Tech representative for further information).
Define low, medium, and high resource allocation, and other variables for your gap initiatives in the Concept of Operations Maturity Assessment Tool. These variables include:
Info-Tech Best Practice: When considering these parameters, aim to use already existing resource allocations. For example, if there is a dollar value that would require you to seek approval for an expense, this might be the difference between a medium and a high cost category.
Info-Tech Best Practice: Make sure you consider the value of AND/OR. For either alignment with business or security benefit, the use of AND/OR can become useful thresholds to rank similar importance but different value initiatives. Example: with alignment with business, an initiative can indirectly support a key compliance requirement OR meet a key corporate goal.
You cannot do everything – and you probably wouldn’t want to. Make educated decisions about which projects are most important and why.
Identify easy-win tasks and high-value projects worth fighting for.
Categorize the Initiative: Select the gap initiative type from the drop-down list. Each category (Must, Should, Could, and Won’t) is considered to be an “execution wave.” There is also a specific order of operations within each wave. Based on dependencies and order of importance, you will execute on some “must-do” items before others.
Assign Criteria: For each gap initiative, evaluate it based on your previously defined parameters for each variable.
Overall Cost/Effort Rating: An automatically generated score between 0 and 12. The higher the score attached to the initiative, the more effort required. The must-do, low-scoring items are quick wins and must be prioritized first.
CASE STUDY
Industry: Financial Services. Source: Info-Tech Research Group.
Framework Components
Security Domains & Accompanied Initiatives (a portion of completed domains and initiatives)
CSC began by creating over 100 gap initiatives across Info-Tech’s seven security domains.
| Current-State Assessment | Context & Leadership | Compliance, Audit & Review | Security Prevention |
| --- | --- | --- | --- |
| Gap Initiatives Created | 12 initiatives | 14 initiatives | 45 initiatives |
Gap Initiative Prioritization
CSC’s defined low, medium, and high for cost and staffing are specific to the organization.
CSC then consolidated its initiatives to create fewer than 60 concise tasks. *Initiatives and variables have been changed or modified to maintain anonymity.
In the Gantt chart, go through each wave in sequence and determine the planned start date and planned duration for each gap initiative. As you populate the planned start dates, take into consideration the resource constraints or dependencies for each project. Go back and revise the granular execution wave to resolve any conflicts you find.
Review considerations
This is a living management document
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to successfully complete your project.
If you are not communicating, then you are not secure.
Call 1-888-670-8889 or email workshops@infotech.com for more information.
If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.
Define Strategic Needs and Requirements | Participate in Information Sharing | Communicate Clearly
Simple collaborative activities, such as a biweekly meeting, can unite prevention, detection, analysis, and response teams to help prevent siloed decision making.
Document your security operations’ functional capabilities and operational tasks to satisfy each capability.
What resources will you leverage to complete the specific task/capability? Identify your internal and external collection sources to satisfy the individual requirement.
Identify the affiliated product, service, or output generated from the task/capability.
Determine your escalation protocol. Who are the stakeholders you will be sharing this information with?
Capabilities: The major responsibilities of a specific function. These are the high-level processes that are expected to be completed by the affiliated employees and/or stakeholders.
Tasks: The specific and granular tasks that need to be completed in order to satisfy a portion of or the entire capability.
Download Info-Tech’s Security Operations RACI Chart & Program Plan.
Security Operations Collaboration Plan
Security operations provides a single pane of glass through which the threat collaboration environment can manage its operations.
How to customize
The security operations interaction agreement identifies opportunities for optimization through collaboration and cross-training. The document is composed of several components:
Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.
Security Operations RACI Chart & Program Plan
Formally documenting roles and responsibilities helps to hold those accountable and creates awareness as to everyone’s involvement in various tasks.
How to customize
Download Info-Tech’s Security Operations RACI Chart & Program Plan.
Internal Consumers | External Consumers
Note: Your organization might not be the final target, but it could be a primary path for attackers. If you exist as a third-party partner to another organization, your responsibility in your technology ecosystem extends beyond your own product or service offerings.
“In order to support a healthy constituency, network operations and security operations should be viewed as equal partners, rather than one subordinate to the other.” (Mitre world-class CISO)
Security Operations Program Service & Product Catalog
Create an informal security operations program service and product catalog. Work your way backwards – map each deliverable to the respective stakeholders and functions.
| Action/Output | Frequency | Stakeholders/Function |
| --- | --- | --- |
| Document the key services and outputs produced by the security operations program. For example: | Define the frequency for which each deliverable or service is produced or conducted. Leverage this activity to establish a state of accountability within your threat collaboration environment. | Identify the stakeholders or groups affiliated with each output. Remember to include potential MSSPs. |
| Remember to include any target-state outputs or services identified in the maturity assessment. | Use this exercise as an opportunity to organize your security operations outputs and services. | |
Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment.
Ensure information is shared in a format that relates to the particular end user. Internal consumers fall into two categories:
Collaboration includes the exchange of:
Collaboration can be achieved through:
Isolation prevents businesses from learning from each others’ mistakes and/or successes.
Security Operations Program Cadence Schedule Template
Design your meetings around your security operations program’s outputs and capabilities
How to customize
Don’t operate in a silo. Formalize a cadence schedule to develop a state of accountability, share information across the organization, and discuss relevant trends. A detailed cadence schedule should include the following:
Schedule regular meetings composed of key members from different working groups to discuss concerns, share goals, and communicate operational processes pertaining to their specific roles.
(Source: iSIGHT, “Definitive Guide to Threat Intelligence”)
Refrain from using scare tactics such as fear, uncertainty, and doubt (FUD). While this may be a short-term solution, it limits the longevity of your operations as senior management is not truly invested in the initiative.
Example: Align your strategic needs with that of management.
Identify assets of value, current weak security measures, and potential adversaries. Demonstrate how an optimized security operations program can mitigate those threats.
There are three types of metrics pertaining to security operations:
1) Operations-focused: Operations-focused metrics are typically communicated through a centralized visualization such as a dashboard. These metrics guide operational efforts, identifying operational and control weak points while ensuring the appropriate actions are taken to fix them. Examples include, but are not limited to:
2) Business-focused: The evaluation of operational success from a business perspective. Example metrics include:
3) Initiative-focused: The measurement of security operations project progress. These are frequently represented as time, resource, or cost-based metrics. Note: Remember to measure end-user feedback. Asking stakeholders about their current expectations via a formal survey is the most effective way to kick-start the continuous improvement process.
Info-Tech Best Practice: Operational metrics have limited value beyond security operations – when communicating to management, focus on metrics that are actionable from a business perspective. Download Info-Tech’s Security Operations Metrics Summary Document.
Leverage Info-Tech’s Security Operations Tabletop Exercise to guide simulations to validate your operational procedures.
How to customize
This tabletop exercise is available through an onsite workshop, as we can help establish and design a tabletop capability for your organization.
Self-Assessment Questions
Insights
Best Practices
Protect your organization with an interdependent and collaborative security operations program.