Interfaces Pillar - Security Operations Fundamentals
https://beacon.paloaltonetworks.com/uploads/resource_courses/targets/4756951/original/index.html?_courseId=1671031#/page/647669aff166fa169d45adc9 2/20
6/26/24, 2:33 PM Interfaces Pillar - Security Operations Fundamentals
Interfaces should be clearly defined so that expectations between the different teams are known. Each team has its own goals and motivations, and understanding them helps with team interactions. Identifying the scope of each team's responsibility and the separation of duties helps to reduce friction within an organization. The Interfaces are how processes connect to external functions or departments to help achieve security operations goals.
You should understand the needs, goals, and business mission of other departments to eliminate friction between their teams and the Security Operations team. A common source of conflict between other departments and the SecOps team is failure to follow the agreements that were established at the outset.
Enterprise Architecture
The enterprise architecture team is responsible for understanding, developing, and maintaining
both the physical and virtual network designs to meet the business requirements. The team
ensures that security is implemented in the design phase and not added as an afterthought. It
also creates and maintains the architecture flowcharts and diagrams. The goal of the enterprise
architecture team is to balance and meet the needs of both security and the business.
Governance, Risk, and Compliance
The governance, risk, and compliance (GRC) function is responsible for creating the guidelines
to meet business objectives, manage risk, and meet compliance requirements. Common
compliance standards include PCI-DSS, HIPAA, and GDPR, and require different levels of
protection, encryption, and data storage. Those requirements are typically handled by other
groups. However, the breach disclosure requirements directly involve the Security Operations
team. The SecOps team must interface with the GRC team to define escalation intervals,
contacts, documentation, and forensic requirements.
Business Liaison
A growing trend is for security organizations to hire business liaisons. This role ties into the
different aspects of the business and helps identify and explain the impact of security. This
includes keeping up-to-date with new product launches and development schedules,
onboarding new branch offices, and handling mergers and acquisitions where legacy networks
and applications need to be brought in to the main security program. This role can also be
responsible for partner, vendor, and team interface management.
Help Desk
The help desk provides end-user support for corporate IT assets. The Security Operations
team frequently opens tickets with this team to reimage machines, request system patching,
or reject assets that join the network without the proper OS and application version levels. The help
desk organization should interface often with the vulnerability management team for tasks
such as patches, outdated operating systems, accepted new operating systems, and new
supported platforms. Interaction with the vulnerability management team can result in the
development of automated tasks. A closed-loop process between the teams should exist to
ensure follow-through on IT requests.
DevOps
SecOps Engineering
The responsibilities of the team must be clearly defined. SLAs with the team should be
defined to reduce potential friction between teams and to establish a clear communication
plan.
Endpoint Security
The endpoint security team is responsible for developing, implementing, and maintaining
the endpoint security policy. The scope of the team's responsibilities may extend into tool
selection, implementation, and maintenance, including endpoint protection platform (EPP)
and endpoint detection and response (EDR) capabilities. An interface should be defined
between the endpoint security team, the team implementing the endpoint security policy,
and the infrastructure team deploying the technology within change control processes. The
change control process should include any specific information that is required for endpoint
security updates and should follow the standard change control steps established for other
changes within the business.
The endpoint security team must interface with the business to define which endpoint
technologies and operating systems will be allowed and to address security concerns about
them. Interfacing directly with the SecOps team is also fast becoming standard practice
because the endpoint telemetry collected by EDR is a beneficial source of information for
security alert triage and incident investigation.
Threat Hunting and Content Engineering
Threat hunting is often thought of as a function of the Security Operations team. However,
because it is separate from the identify, investigate, and mitigate activities, it is distinct
from the analyst work and is included as an interface. Content engineering is the function
that builds alerting profiles, which determine the alerts that will be forwarded for investigation.
Threat Hunting
Hunting allows you to dig into the data to find situations that the machines and automation
may have missed. Threat hunting can be structured or unstructured. Structured hunts
begin with a single piece of intelligence. Then a hypothesis is formed, and then the hunt to
find the threat in the network begins. Formalized structured hunts tend to be more useful
to an organization than unstructured efforts.
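As an added illustration of the structured-hunt workflow described above (example code written for this page, not material from the Palo Alto Networks course): the hunt starts from a single piece of intelligence, here a constructed domain name supplied by threat intelligence, forms the hypothesis that any contact with that domain came from a script host spawned under an Office application, and then pivots through constructed process telemetry to confirm or reject the hypothesis per host. The event layout, field names, host names and the domain are all assumptions made for the example.

```python
"""Structured threat hunt: one IoC -> hypothesis -> pivot through telemetry.

The telemetry below is constructed for this example; the field names mimic
a generic EDR/DNS event stream and are not a specific vendor's schema.
"""

# Constructed sample events (not real data). Process events carry pid/ppid
# lineage; dns events carry the pid of the process that issued the query.
TELEMETRY = [
    {"ts": 1, "host": "ws-101", "type": "process", "pid": 900, "ppid": 1, "image": "explorer.exe"},
    {"ts": 2, "host": "ws-101", "type": "process", "pid": 3004, "ppid": 900, "image": "winword.exe"},
    {"ts": 3, "host": "ws-101", "type": "process", "pid": 4101, "ppid": 3004, "image": "powershell.exe"},
    {"ts": 4, "host": "ws-101", "type": "dns", "pid": 4101, "query": "update-cdn.example"},
    {"ts": 5, "host": "ws-202", "type": "process", "pid": 1200, "ppid": 1, "image": "services.exe"},
    {"ts": 6, "host": "ws-202", "type": "process", "pid": 5220, "ppid": 1200, "image": "svchost.exe"},
    {"ts": 7, "host": "ws-202", "type": "dns", "pid": 5220, "query": "update-cdn.example"},
    {"ts": 8, "host": "ws-303", "type": "dns", "pid": 777, "query": "intranet.corp.example"},
]

# Assumed image names used by the hypothesis (illustrative, not exhaustive).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def index_processes(telemetry):
    """Map (host, pid) -> process event so parent lookups are constant time."""
    return {(e["host"], e["pid"]): e for e in telemetry if e["type"] == "process"}


def hosts_contacting(telemetry, ioc_domain):
    """Step 1, the single piece of intelligence: which (host, pid) resolved the IoC?"""
    return [(e["host"], e["pid"])
            for e in telemetry if e["type"] == "dns" and e["query"] == ioc_domain]


def process_chain(procs, host, pid, max_depth=16):
    """Step 3, the pivot: walk ppid links toward the root, child first.

    Stops when the parent is not in telemetry, on a pid cycle, or at max_depth,
    so malformed lineage cannot loop the hunt forever.
    """
    chain, seen = [], set()
    while (host, pid) in procs and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        event = procs[(host, pid)]
        chain.append(event["image"])
        pid = event["ppid"]
    return chain


def hypothesis_office_to_script(chain):
    """Step 2, the hypothesis: a script host, with an Office app somewhere above it."""
    return bool(chain) and chain[0] in SCRIPT_HOSTS and any(img in OFFICE_APPS for img in chain[1:])


def structured_hunt(telemetry, ioc_domain):
    """Run the hunt and report, per contacting process, the lineage and the verdict.

    Hosts that touched the IoC but do not match the hypothesis are still
    returned (hypothesis_confirmed=False) so an analyst can triage them.
    """
    procs = index_processes(telemetry)
    findings = {}
    for host, pid in hosts_contacting(telemetry, ioc_domain):
        chain = process_chain(procs, host, pid)
        findings[(host, pid)] = {
            "chain": chain,
            "hypothesis_confirmed": hypothesis_office_to_script(chain),
        }
    return findings


if __name__ == "__main__":
    for (host, pid), finding in structured_hunt(TELEMETRY, "update-cdn.example").items():
        status = "CONFIRMED" if finding["hypothesis_confirmed"] else "needs triage"
        print(f"{host} pid {pid}: {' <- '.join(finding['chain'])} [{status}]")
```

The split between "hypothesis confirmed" and "needs triage" is the point of a structured hunt: the indicator alone flags both workstations, but only the lineage pivot separates the Office-spawned script host from the service that also resolved the domain, and the second result is exactly the feedback the threat intelligence and content engineering interfaces need to refine the indicator or the alert.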
Content Engineering
The content engineer and the Security Operations team need to be tightly interfaced, and
feedback needs to flow continuously. An interface agreement between the teams needs to
be created to identify how often content updates will be made, how they will be vetted,
and the feedback process. It should identify how the Security Operations team and threat
hunting team make requests for new alerts or modifications to existing alerts. Properly
configured alerts will allow the Security Operations team to focus on important alerts that
require further investigation.
Security Automation
Forensics and telemetry provide the data needed to perform the different
types of investigation from severity triage to detailed analysis and hunting.
Telemetry
Every security team must use both telemetry and forensics. Telemetry from network and
endpoint activity and from cloud configurations will provide readily available information
necessary to triage and investigate the majority of alerts and incidents. Forensic data
supplements telemetry and provides the information needed to conclude the small number
of high-priority or difficult incident investigations that often lead to breach identification.
Should a breach be validated, the collected data and investigation results will be required by
government and regulatory bodies, so both must be preserved.
The following are the details about the types of data that are collected.
Forensic (Raw)
Threat Intelligence
The threat intelligence team uses real-time information feeds from human and automated
sources about the background, details, specifics, and consequences of present and future
cyber risks, threats, vulnerabilities, and attacks. They are responsible for validating threats
and then working with the Security Operations team to provide IoCs for the analysts and to
update controls. The Threat Intelligence Team delivers threat landscape reports at
agreed-upon intervals to the security teams that are responsible for updating the security
stack based on their findings.
Red and Purple Teams
The red team simulates advanced persistent threats (APTs) and will attempt to hide and
slow-play their attacks to avoid detection by SecOps analysts. Purple teams work with both
the red and SecOps teams to help improve operations. They provide information to the red
team about gaps in an analyst's focus areas and guide the SecOps team toward approaches
to identify red team efforts. Red and purple team exercises should have an allotted time
limit, and the results should be given as feedback to the SecOps team to improve
capabilities, add processes and procedures, and add controls before an actual APT gains
hold of the network.
Vulnerability Management
The vulnerability management team is responsible for identifying and escalating
vulnerabilities in an organization's assets, including hardware and software. It uses
vulnerability scanning technology and other tools to discover vulnerabilities.
Knowledge Check
Which team can Erik turn to for assistance with operational changes to cloud technology?
Activity gathered by Erik and the SecOps team electronically and in real time from a given source is called?