
6/26/24, 2:33 PM Visibility Pillar - Security Operations Fundamentals

Security Operations Fundamentals

Visibility Pillar

The Visibility pillar enables the SecOps team to use tools and technology to capture network traffic, limit access to certain URLs, determine which applications are being used by end users, and detect and prevent the accidental or malicious release of proprietary or sensitive information.

Before Erik can provide a detailed analysis of the threat, he will need to gather all of the necessary information to make a well-informed decision. Network visibility is needed for Erik to gather information about the network's status, the traffic passing through the network, and the conditions on which traffic is allowed to pass through. Without network visibility, Erik may miss important data that could lead to a real threat being treated as a false positive or missed altogether. The better visibility Erik has into every aspect of the company's network, the better he and the SecOps team can make an informed decision.



Elements in the Visibility Pillar

The concept of visibility in Security Operations refers to intelligence and awareness. How can you make decisions if you are not aware of what is taking place in your network? How can you take action if you don't have knowledge or intelligence to act on?

In Security Operations, network visibility is needed for information about the network's status, about the traffic passing through it, and the conditions on which traffic is allowed to pass through. Visibility enables us to perceive slightly ahead to help anticipate, prepare, and react to changes.

The following elements are in the Visibility pillar.


Network Traffic Capture; Endpoint Data Capture

Network traffic capture is the interception and logging of traffic traversing your network appliances. Endpoint data capture is the collection of information generated on or visible to endpoint devices.


Network Traffic Capture

Network traffic can be captured by firewalls, IDS/IPS, proxies, routers, switches, and
standalone traffic capture technologies. Logging your network traffic provides the Security
Operations organization with the visibility to view traffic for the purpose of doing detailed
analysis and advanced investigations. Analysts should have access to raw traffic logs when
specific traffic is associated with an alert or when a staff member makes a query.

Endpoint Data Capture

Cloud Computing

Cloud computing delivers services or applications, on-demand, to achieve increased scalability, transparency, security, monitoring, and management. In cloud computing, services are delivered using either a private, public, or hybrid cloud.

The use of cloud computing requires a cybersecurity policy enforcement point to apply enterprise security policies for cloud-based resources. The types of security policy enforcement can include single sign-on, authentication and authorization, device profiling, and step-up authentication challenges.

Log collection will be most heavily used by the SecOps. Log collection provides both in-depth forensic data and correlated event data to the SecOps to ensure that security analysts can analyze incidents without becoming overwhelmed with noise. The visibility required from these logs should be defined based on what the SecOps team requires for proper investigation and on the access level that analysts will have. The SecOps also needs to understand which types of alerts will be generated by the cloud security capabilities. Those alerts should be worked into the incident response plan.

Application Monitoring; SSL Decryption; URL Filtering

Application monitoring provides the ability to determine and log the specific application used in a session. SSL decryption technology provides visibility into HTTPS traffic, which is then logged in a readable format. URL filtering gives security organizations the control to track and restrict access to specific URLs and URL categories.


Application Monitoring


By monitoring applications, the SecOps team can gain additional context about specific applications that were used when an event was triggered. It goes beyond port identification and recognizes the application used, which can lend credence to proving an IoC was enacted or that the event triggered was a false positive.

Data Loss Prevention

Data loss prevention (DLP) is a cybersecurity control to detect and prevent the accidental or malicious release of proprietary or sensitive information.

The controls for DLP are often defined by GRC and managed by the network, endpoint, and cloud security teams. A DLP system helps prevent data exfiltration and notifies the SecOps of attempts to send proprietary or sensitive information. The SecOps then uses these notifications to look for a potential incident or APT in the network.

Threat Intelligence Platform; Vulnerability Management Tools; Analysis Tools

Enhancing cybersecurity protection requires a multifaceted approach. By integrating threat intelligence platforms, vulnerability management tools, and advanced analysis techniques, Security Operations teams can effectively address and mitigate risks.


Asset Management; Knowledge Management; Case Management

Achieving optimal Security Operations efficiency hinges on the integration of asset management, knowledge management, and case management. These three elements work in harmony to streamline SecOps processes and enhance collaboration, bolstering overall security efforts.



Let's Help Erik!

The CEO of Pumpice has asked Erik and the team to send a status report to the entire organization regarding current security incidents and their statuses. Luckily, the team has this information ready to communicate to the organization.

What tool or technology can Erik and the SecOps team use to provide visibility into HTTPS traffic to find IOCs or high-fidelity indicators?

Application Monitoring

 SSL Decryption

URL Filtering

Data Loss Prevention

What tool or technology can Erik and the SecOps team use to detect and prevent accidental or malicious release of proprietary or sensitive information?

Vulnerability management

URL Filtering

SSL Decryption

 Data Loss Prevention (DLP)



What management method did the SecOps team utilize to collect information on security incidents and their statuses?

 Case management

Knowledge management

Asset management

Threat management
