Agile Security Operations: Engineering for agility in cyber defense, detection, and response
- Length: 254 pages
- Edition: 1
- Language: English
- Publisher: Packt Publishing
- Publication Date: 2022-02-17
- ISBN-10: 1801815518
- ISBN-13: 9781801815512
- Sales Rank: #0 (See Top 100 Books)
Get to grips with security operations through incident response, the ATT&CK framework, active defense, and agile threat intelligence
Key Features
- Explore robust and predictable security operations based on measurable service performance
- Learn how to improve the security posture and work on security audits
- Discover ways to integrate agile security operations into development and operations
Book Description
Agile security operations allow organizations to survive cybersecurity incidents, deliver key insights into the security posture of an organization, and operate security as an integral part of development and operations. It is, deep down, how security has always operated at its best.
Agile Security Operations will teach you how to implement and operate an agile security operations model in your organization. The book focuses on the culture, staffing, technology, strategy, and tactical aspects of security operations. You’ll learn how to establish and build a team and transform your existing team into one that can execute agile security operations. As you progress through the chapters, you’ll be able to improve your understanding of some of the key concepts of security, align operations with the rest of the business, streamline your operations, learn how to report to senior levels in the organization, and acquire funding.
By the end of this Agile book, you’ll be ready to start implementing agile security operations, using the book as a handy reference.
What you will learn
- Get acquainted with the changing landscape of security operations
- Understand how to sense an attacker’s motives and capabilities
- Grasp key concepts of the kill chain, the ATT&CK framework, and the Cynefin framework
- Get to grips with designing and developing a defensible security architecture
- Explore detection and response engineering
- Overcome challenges in measuring the security posture
- Derive and communicate business values through security operations
- Discover ways to implement security as part of development and business operations
Who this book is for
This book is for new and established CSOC managers as well as CISO, CDO, and CIO-level decision-makers. If you work as a cybersecurity engineer or analyst, you’ll find this book useful. Intermediate-level knowledge of incident response, cybersecurity, and threat intelligence is necessary to get started with the book.
Table of Contents
- How Security Operations Are Changing
- Incident Response – A Key Capability in Security Operations
- Engineering for Incident Response
- Key Concepts in Cyber Defense
- Defensible Architecture
- Active Defense
- How Secure are You? – Measuring Security Posture
- Red, Blue and Purple Teaming
- Running and Operating Security Services
- Implementing Agile Threat Intelligence
Agile Security Operations
Contributors
About the author
About the reviewers
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share Your Thoughts
Section 1: Incidence Response: The Heart of Security
Chapter 1: How Security Operations Are Changing
Why security is hard
Security operations
Cybersecurity, threats, and risk
Five types of cyber defense
Security incidents
Security solutions in search of a problem
The scope of security operations
Where security operations turn agile
Agile incident response
Agile security operations
Summary
Chapter 2: Incident Response – A Key Capability in Security Operations
Facing up to breaches
The incident response cycle
Knowing an incident – detection and analysis
Detection engineering
Repurposing
Analyzing threats
Branches and pivots – how incidents change
The kill chain model
Expanding the options for defense
Lateral movement
Agile incident response
Compromise is eternal
Incidents and compromises
Why incident response needs to be agile
Team structure for incident response
Learning from incidents – from resolution to tactics to strategy
Summary
Chapter 3: Engineering for Incident Response
From incident response to agile security operations engineering
Mapping the incident loop
Feedback – closing the incident loop
The businesslike weaknesses of attackers
A brief discussion of agile frameworks
Lean
Kanban
Scrum
Agile security operations
Key activities in agile security operations
Breach
Detect
Analyze
Contain
Eradicate
Recover
Develop context and TTPs
Updating the architecture, strategy, and risk
Detection engineering
Improvements – prevention, discovery, and prediction
Tooling – defend to respond
Passive defense
Active defense – Mitre ATT&CK and Shield
Summary
Section 2: Defensible Organizations
Chapter 4: Key Concepts in Cyber Defense
What is cyber defense?
Enduring failure
The fit of security operations
Coordination and discoordination
Coordination games
Discoordination games
A framework for uncertainty
A brief overview of the Cynefin framework
Constraints
Resolving crises
Structured analytic techniques
Is this part of the security skillset?
Summary
Chapter 5: Defensible Architecture
The definition of defensible architecture
Pareto optimizable attacks
Understanding the kill chain
Requirements of defensible architecture
Defense in depth
Implied trust in network segments
Trust in the endpoints of the architecture
Defense in depth as an evolution
The new security boundaries
Principles of the defensible architecture
Roots of trust
Identity as a root of trust
Data controls as a root of trust
Algorithmic integrity as a root of trust
Roots of trust and verifiability
Elements of the defensible architecture
Prevention
Visibility and forensic readiness
Threat modeling
Attack path modeling
Defensible architecture tradeoffs
On-premises infrastructure
Cloud
Industrial
Summary
Chapter 6: Active Defense
The role of active defense
Active defense as one of the five types of cyber defense
Compromise is eternal
Agile incident response
An approach to active defense
The agile active defense process
Understanding the adversary
People and processes
Technology
Active defense during a crisis
Active defense for eternal compromise
Assess
Adapt
The pivot or [<>]
Exapt
Transcend
Summary
Chapter 7: How Secure Are You? – Measuring Security Posture
Security as risk reduction
Measuring risk reduction
Description
Financial aspects of risks
Controls
Risk management versus enabling the business
Strategy maps – security as business value
Constructing strategy maps
Strategy map layers
Security strategy maps
Starting a security strategy
Working with the security strategy map
Financial metrics
Customer metrics
Operations metrics
Metrics for capabilities
Summary
Section 3: Advanced Agile Security Operations
Chapter 8: Red, Blue, and Purple Teaming
Red teaming and blue teaming
Why red team?
What is a red team?
What is a blue team?
Threat hunting
Hunt leads
Analytic queries
Alternative hunt leads – alert streams and detections
Implementing a threat hunting practice
Purple teaming concepts
Purple team activities
Characteristics of blue and red teams
Agile approaches to purple teaming
Purple teaming operations
Planning – sources of attack data
Planning – cadence and process
Executing the red side of purple teaming
Feedback – moving to an agile approach
Closing into threat-informed defense
Business value from purple teaming
Security baselining
Security posture improvement
Threat-informed defense
Summary
Chapter 9: Running and Operating Security Services
The essential security services
What is a service?
Service worksheets
Strategy service
Policies
Architecture
Deployment
Monitoring and alerting
Incident response
Other services
Service maturity
Maturity management
Practices – components of a service
Measuring effectiveness
Maturity models
Defining Capability
Maturity does not stand alone
Drawbacks of Maturity
Agile approaches to the six security services
Agile
DevOps cycle
Summary
Chapter 10: Implementing Agile Threat Intelligence
What threat intelligence is and isn't
A threat intelligence program
Acquiring threat intelligence
Running your own function
Using threat intelligence
Direction
Understanding risk reduction
Using past attacks as a guide
Scoping prospective groups
Business capabilities and operational context
The influence on direction
Collection and collation
The data funnel
External feeds
Feeds meeting internal logs
Interpretation
Using structured analytic techniques
Threat groups
Dissemination
Risk analysis
Alerting, hunting, and detection
Infrastructure hardening
Summary
Appendix
Principles of cybersecurity operations
Further reading
Background
Cynefin framework
Cynefin Field guide
Structured analytic techniques
Architecture
Threat modeling
Organizations
Operations
Principles for operations
SOC operations
People to follow
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Share Your ThoughtsDonate to keep this site alive
How to download source code?
1. Go to: https://github.com/PacktPublishing
2. In the Find a repository… box, search the book title: Agile Security Operations: Engineering for agility in cyber defense, detection, and response, sometime you may not get the results, please search the main title.
3. Click the book title in the search results.
3. Click Code to download.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.
