6/26/24, 2:33 PM Interfaces Pillar - Security Operations Fundamentals

 Security Operations Fundamentals

Interfaces Pillar

Security operations is not a silo and needs to work with many other functions or teams. Each interaction with another team is described as an interface. The Interfaces pillar defines which functions need to take place to help achieve the stated goals, and how SecOps will interface with other teams within the organization by identifying the scope of each team’s responsibilities and the separation of each team’s duties.

As Erik is investigating the alert generated by the network device, he partners with the Threat Intelligence Team to identify the potential risks this threat may pose to the organization. Erik also interfaces with the Help Desk, Network Security Team, and Endpoint Security Team to determine the extent to which the threat has infiltrated the network.

Elements in the Interfaces Pillar

Interfaces should be clearly defined so that expectations between the different teams are known. Each team has its own goals and motivations; understanding them helps with team interactions. Identifying the scope of each team’s responsibility and the separation of duties helps to reduce friction within an organization. Interfaces are how processes connect to external functions or departments to help achieve security operations goals.

The Need for Agreements

You should understand the needs, goals, and business mission of other departments to eliminate friction between their teams and the Security Operations team. Conflict between a department and the SecOps team often arises when that department’s own goals lead it to stop following the agreements that were initially made.

The goals and motivations of each function or team include:

Help Desk - Close tickets quickly
IT Operations - Availability and performance of IT infrastructure
DevOps - Develop, implement, and maintain applications; release bug-free features quickly

Enterprise Architecture; Governance, Risk, and Compliance; Business Liaison

Fostering a unified approach to security, the Enterprise Architecture, Governance, Risk, and Compliance, and Business Liaison teams collaboratively enhance the effectiveness of Security Operations.

Enterprise Architecture

The enterprise architecture team is responsible for understanding, developing, and maintaining
both the physical and virtual network designs to meet the business requirements. The team
ensures that security is implemented in the design phase and not added as an afterthought. It
also creates and maintains the architecture flowcharts and diagrams. The goal of the enterprise
architecture team is to balance and meet the needs of both security and the business.

Governance, Risk, and Compliance

The governance, risk, and compliance (GRC) function is responsible for creating the guidelines to meet business objectives, manage risk, and meet compliance requirements. Common compliance regimes include PCI DSS, HIPAA, and GDPR, and each requires different levels of protection, encryption, and data storage. Those requirements are typically handled by other groups. However, the breach disclosure requirements directly involve the Security Operations team. The SecOps team must interface with the GRC team to define escalation intervals, contacts, documentation, and forensic requirements.

Business Liaison

A growing trend is for security organizations to hire business liaisons. This role ties into the different aspects of the business and helps identify and explain the impact of security. This includes keeping up to date with new product launches and development schedules, onboarding new branch offices, and handling mergers and acquisitions where legacy networks and applications need to be brought into the main security program. This role can also be responsible for partner, vendor, and team interface management.

Help Desk; Information Technology Operations; DevOps; Operational Technology Team

Teams such as the help desk, information technology operations, DevOps, and the operational technology team work together to ensure that the organization is protected from all angles.


Help Desk

The help desk provides end-user support for corporate IT assets. The Security Operations team frequently opens tickets with this team to reimage machines, request system patching, or reject assets joining the network without the proper OS and application version levels. The help desk should interface often with the vulnerability management team for tasks such as patches, outdated operating systems, newly accepted operating systems, and new supported platforms. Interaction with the vulnerability management team can result in the development of automated tasks. A closed-loop process between the teams should exist to ensure follow-through on IT requests.


SecOps Engineering

The SecOps engineering team is responsible for the implementation and ongoing maintenance of the Security Operations team’s tools, including the SIEM and analysis tools.

The responsibilities of the team must be clearly defined. SLAs with the team should be defined to reduce potential friction between teams and to establish a clear communication plan. See the two questions you should ask.


Endpoint Team; Networks Team; Cloud Security Team

To strengthen cybersecurity collaboration, the SecOps team interfaces with the Endpoint, Network, and Cloud Security teams.


Endpoint Security Team

The endpoint security team is responsible for developing, implementing, and maintaining the endpoint security policy. The scope of the team’s responsibilities may extend into tool selection, implementation, and maintenance, including endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities. An interface should be defined between the endpoint security team, the team implementing the endpoint security policy, and the infrastructure team deploying the technology within change control processes. The change control process should include any specific information that is required for endpoint security updates and should follow the standard change control steps established for other changes within the business.

The endpoint security team must interface with the business to define which endpoint technologies and operating systems will be allowed and to address security concerns about them. Interfacing directly with SecOps is also fast becoming standard, because the endpoint telemetry collected by EDR is a valuable source of information for security alert triage and incident investigation.


Threat Hunting; Content Engineering

Threat hunting is often thought of as a function of the Security Operations team. However, because it sits outside the identify, investigate, and mitigate cycle, it is distinct from analyst activities and is included here as an interface. Content engineering is the function that builds the alerting profiles that determine which alerts are forwarded for investigation.

Threat Hunting

Hunting allows you to dig into the data to find situations that the machines and automation may have missed. Threat hunting can be structured or unstructured. A structured hunt begins with a single piece of intelligence; a hypothesis is formed from it, and the hunt for the threat in the network begins. Formalized structured hunts tend to be more useful to an organization than unstructured efforts.

Content Engineering

The content engineer and the Security Operations team need to be tightly interfaced, and feedback needs to flow continuously. An interface agreement between the teams needs to be created to identify how often content updates will be made, how they will be vetted, and the feedback process. It should identify how the Security Operations team and the threat hunting team make requests for new alerts or modifications to existing alerts. Properly configured alerts allow the Security Operations team to focus on important alerts that require further investigation.
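The hand-off described in the Threat Hunting and Content Engineering sections, as an added example that is not part of the course: a structured hunt seeded by one threat-intelligence indicator, a hypothesis generalised from the hit, and that hypothesis promoted into an alert profile which content engineering tunes from analyst feedback. The indicator, hostnames, telemetry records and allowlist entry are all constructed; the rule name and the EDR field layout are assumptions, not any vendor's schema.

```python
"""Structured hunt promoted to an alert profile (added example, not course code).

One threat-intel indicator seeds the hunt, the hit yields a hypothesis about
behaviour, and the hypothesis becomes an alert profile that content
engineering tunes from analyst feedback. Indicator, hosts, telemetry and
allowlist entries are constructed; field names are assumptions, not any
vendor's EDR schema.
"""
from dataclasses import dataclass, field

# The single piece of intelligence that starts the structured hunt (constructed).
INTEL = {"indicator": "update-check.example.net", "type": "domain"}

# Constructed EDR-style process telemetry: parent process, process, command
# line and the DNS name the process resolved (None if no lookup was seen).
TELEMETRY = [
    {"host": "ws-014", "parent": "explorer.exe", "process": "outlook.exe",
     "cmdline": "outlook.exe", "dns": "mail.example.com"},
    {"host": "ws-014", "parent": "winword.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AA==",
     "dns": "update-check.example.net"},
    {"host": "ws-022", "parent": "svchost.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\it\\inventory.ps1",
     "dns": "inventory.example.com"},
    {"host": "srv-db1", "parent": "winword.exe", "process": "cmd.exe",
     "cmdline": "cmd.exe /c whoami", "dns": None},
    {"host": "ws-031", "parent": "excel.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AA==",
     "dns": None},
    {"host": "ws-040", "parent": "outlook.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\it\\signature-sync.ps1",
     "dns": "intranet.example.com"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Feedback from the analysts after the first run: the IT signature-sync
# script is a sanctioned Outlook add-in (constructed).
ANALYST_FEEDBACK_ALLOWLIST = {"powershell.exe -File C:\\it\\signature-sync.ps1"}


def hunt_indicator(records, indicator):
    """Hunt step 1: where does the intel indicator show up in our data?"""
    return [r for r in records if r["dns"] == indicator]


def hypothesis_office_spawns_shell(records):
    """Hunt step 2: the indicator hit was an Office app spawning a shell.
    The hypothesis generalises that behaviour and looks for it everywhere,
    because the indicator is disposable but the technique is not."""
    return [r for r in records
            if r["parent"] in OFFICE_APPS and r["process"] in SHELLS]


@dataclass
class AlertProfile:
    """Content-engineering artefact: the hypothesis as a tunable alert."""
    name: str
    base_severity: str
    allowlist: set = field(default_factory=set)

    def evaluate(self, records):
        alerts = []
        for r in hypothesis_office_spawns_shell(records):
            if r["cmdline"] in self.allowlist:
                continue  # vetted benign via the feedback loop
            cmd = r["cmdline"]
            sev = "high" if ("-enc" in cmd or "hidden" in cmd) else self.base_severity
            alerts.append({"host": r["host"], "rule": self.name, "severity": sev,
                           "parent": r["parent"], "process": r["process"]})
        return alerts


def promote_to_alert(records, allowlist=()):
    """Turn the hunt hypothesis into an alert profile and run it."""
    profile = AlertProfile(name="office-app-spawns-shell", base_severity="medium",
                           allowlist=set(allowlist))
    return profile.evaluate(records)


if __name__ == "__main__":
    hits = hunt_indicator(TELEMETRY, INTEL["indicator"])
    print("indicator hits:", [h["host"] for h in hits])
    print("untuned alerts:", len(promote_to_alert(TELEMETRY)))
    for a in promote_to_alert(TELEMETRY, ANALYST_FEEDBACK_ALLOWLIST):
        print("tuned alert:", a)
```

The indicator itself matches a single host, but the hypothesis built from that hit surfaces three more Office-spawned shells the indicator alone would never have found. One of them is the sanctioned signature-sync script; the analysts' feedback becomes an allowlist entry on the profile, which is exactly the vetting and feedback loop the interface agreement is meant to formalise.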

Security Automation

Automation helps ensure consistency through machine-driven responses


to security issues. A security automation function will own and maintain
these automation tools.

Security automation must be integrated with the Security Operations team to maintain the automation playbooks. The security automation team is also responsible for implementing new automation technology and playbooks in response to new workflows and processes defined by the Security Operations team. The requirements and eventual vetting of the solution should be the responsibility of the Security Operations team. When security automation is vetted, consider the time savings, accuracy, and usefulness of the automation. Always consider the return on investment and the ongoing cost of maintenance and support before investing in automation.
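Vetting a candidate playbook for time savings, accuracy, and usefulness, as the paragraph above calls for, can be done offline by replaying it over past alerts that analysts have already dispositioned. The following is an added example, not course material or any SOAR product's playbook engine; the alert history, indicator lists, asset list, and handling times are constructed, and the two playbook drafts are hypothetical.

```python
"""Vetting an automation playbook against analyst-labelled history
(added example, not course material or any SOAR product's code).

Replays two candidate playbook drafts over past alerts that analysts have
already dispositioned, and scores time saved, decision accuracy and, most
importantly, malicious alerts that would have been closed without a human.
Indicator lists, asset list, alert history and handling times are constructed;
the playbooks themselves are hypothetical.
"""
from collections import Counter

INTEL_IOCS = {"203.0.113.9", "bad-cdn.example.net"}             # from the threat intel team
KNOWN_BENIGN = {"updates.example.com", "telemetry.example.org"}  # analyst-vetted
CRITICAL_ASSETS = {"srv-db1", "srv-ad1"}

# Past alerts with the analyst's verdict and the minutes they spent (constructed).
HISTORY = [
    {"id": 1, "host": "ws-014",  "ioc": "updates.example.com",   "verdict": "benign",    "minutes": 6},
    {"id": 2, "host": "ws-022",  "ioc": "203.0.113.9",           "verdict": "malicious", "minutes": 45},
    {"id": 3, "host": "srv-db1", "ioc": "updates.example.com",   "verdict": "benign",    "minutes": 10},
    {"id": 4, "host": "ws-031",  "ioc": "telemetry.example.org", "verdict": "benign",    "minutes": 5},
    {"id": 5, "host": "ws-040",  "ioc": "198.51.100.7",          "verdict": "malicious", "minutes": 60},
    {"id": 6, "host": "ws-052",  "ioc": "cdn.example.com",       "verdict": "benign",    "minutes": 8},
    {"id": 7, "host": "srv-ad1", "ioc": "bad-cdn.example.net",   "verdict": "malicious", "minutes": 90},
    {"id": 8, "host": "ws-060",  "ioc": "telemetry.example.org", "verdict": "benign",    "minutes": 4},
]


def playbook_v1(alert):
    """Aggressive draft: escalate intel hits, auto-close everything else."""
    return "escalate" if alert["ioc"] in INTEL_IOCS else "auto-close"


def playbook_v2(alert):
    """Conservative draft: auto-close only vetted-benign indicators on
    non-critical assets; anything unknown stays with an analyst."""
    if alert["ioc"] in INTEL_IOCS or alert["host"] in CRITICAL_ASSETS:
        return "escalate"
    if alert["ioc"] in KNOWN_BENIGN:
        return "auto-close"
    return "analyst"


def vet(playbook, history):
    """Replay a playbook over labelled history and score it.

    minutes_saved: analyst time the playbook would have absorbed.
    accuracy: fraction of the playbook's own decisions (auto-close or
              escalate) that match the analyst verdict; 'analyst' hand-offs
              are not decisions and are not scored.
    missed_malicious: ids of malicious alerts auto-closed with nobody looking.
    """
    actions = Counter()
    saved, correct, missed = 0, 0, []
    for a in history:
        action = playbook(a)
        actions[action] += 1
        if action == "auto-close":
            saved += a["minutes"]
            if a["verdict"] == "malicious":
                missed.append(a["id"])
            else:
                correct += 1
        elif action == "escalate" and a["verdict"] == "malicious":
            correct += 1
    decided = actions["auto-close"] + actions["escalate"]
    return {"actions": dict(actions), "minutes_saved": saved,
            "accuracy": correct / decided if decided else None,
            "missed_malicious": missed}


def approve_for_production(metrics):
    """Gate used in the vetting interface: time savings never outweigh a
    silently closed incident, so the miss list must be empty."""
    return not metrics["missed_malicious"]


if __name__ == "__main__":
    for name, pb in (("v1", playbook_v1), ("v2", playbook_v2)):
        m = vet(pb, HISTORY)
        print(name, m, "approved" if approve_for_production(m) else "rejected")
```

Draft v1 wins on both minutes saved (93 against 15) and raw accuracy, yet it closes alert 5, a real incident whose indicator simply was not in the intelligence feed yet, so the gate rejects it. That asymmetry between a wasted analyst hour and a silently closed breach is why the page puts the vetting responsibility with the Security Operations team rather than with the team that wrote the playbook.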

Forensics & Telemetry

Forensics and telemetry provide the data needed to perform the different
types of investigation from severity triage to detailed analysis and hunting.


Types of Collected Data

Every security team must use both telemetry and forensics. Telemetry from network and endpoint activity and from cloud configurations provides readily available information for triaging and investigating the majority of alerts and incidents. Forensic data supplements telemetry and provides the information needed to conclude the small number of high-priority or difficult incident investigations that often lead to breach identification. Should a breach be validated, all data and results may be required by government and regulatory bodies.

The types of collected data are:

Alert
Event
Log
Telemetry
Forensic (Raw)

Threat Intelligence Team; Red & Purple Teams

The threat intelligence function identifies potential risks to the organization that have not yet been observed in the network. Red and purple teams provide penetration testing to simulate threats to the organization and provide feedback for improvements to the Security Operations organization.

Threat Intelligence Team

The threat intelligence team uses real-time information feeds from human and automated sources about the background, details, specifics, and consequences of present and future cyber risks, threats, vulnerabilities, and attacks. They are responsible for validating threats and then working with the Security Operations team to provide IoCs for the analysts and to update controls. The Threat Intelligence Team delivers threat landscape reports at agreed-upon intervals to the security teams that are responsible for updating the security stack based on their findings.

Red and Purple Teams

The red team simulates advanced persistent threats (APTs) and will attempt to hide and slow-play their attacks to avoid detection by SecOps analysts. Purple teams work with both the red and SecOps teams to help improve operations. They provide information to the red team about gaps in an analyst’s focus areas and guide the SecOps team toward approaches to identify red team efforts. Red and purple team exercises should have an allotted time limit, and the results should be given as feedback to SecOps to improve capabilities, add processes and procedures, and add controls before an actual APT gains hold of the network.

Vulnerability Management Team

The vulnerability management team is responsible for identifying and escalating vulnerabilities in an organization’s assets, including hardware and software. The team uses vulnerability scanning technology and other tools to discover vulnerabilities.

The SecOps and vulnerability management teams need an interface to define the visibility and access required by the Security Operations team and to update each other about new observations such as possible malware or newly announced vulnerabilities. After a new vulnerability is announced, the vulnerability management team works with the Security Operations team to implement controls to prevent attacks while the patching process is executed. The Security Operations team needs to stay updated about these new controls so that it can properly address any alerts that reach SecOps.

Let's Help Erik!

Erik needs to make operational changes to cloud technology such as SaaS, PaaS, or IaaS. Which team can Erik turn to for assistance with operational changes to cloud technology?

Help Desk Team
DevOps Team
Operational Technology Team
Information Technology Operations Team

Activity gathered by Erik and the SecOps team electronically and in real time from a given source is called?

Telemetry
Log
Forensic (raw)
Alert

Erik's SecOps team is divided into groups with different functions. Which three teams are responsible for the development, implementation, and maintenance of security policies?

Endpoint Security, Network Security, and Cloud Security
Enterprise Security, Endpoint Security, and Cloud Security
Help Desk Security, Operational Security, and Information Technology Security
Telemetry Security, Forensics Security, and Threat Intelligence Security