Cyber Security Operations

19-01-2022

Introduction

The Cyber Security Operations module provided valuable insights into the practical and theoretical aspects of cybersecurity operations. The course covered a range of essential topics such as incident handling, threat analysis, and risk assessments, focusing on developing the skills necessary for effective security operations. One of the key takeaways was the exploration of the Security Operations Center (SOC), SIEM (Security Information and Event Management) systems, and understanding the vital roles within a security operations team. This module gave me a comprehensive overview of how cybersecurity operations are conducted, how risks are assessed, and how to handle and respond to security incidents effectively.

Key Concepts Covered:

  • Incident Handling & Response: A significant focus of the module was on incident handling and response, which involves detecting, analyzing, and responding to security incidents in real time. We learned about the process of managing incidents from identification to resolution, including critical elements like escalation, containment, eradication, and recovery. I gained hands-on experience with incident response plans (IRPs) and how to respond to different types of cyber threats, such as malware infections, DDoS attacks, and unauthorized access. Understanding how to manage incidents effectively is crucial for minimizing the damage caused by cyberattacks and restoring normal operations.

  • Host-Based Analysis: In this area, we explored methods for detecting and analyzing threats on individual machines. Host-based analysis focuses on examining logs and system activity from endpoints, servers, and devices to identify signs of compromise. We studied tools like the Sysinternals Suite (process and system activity), OSSEC (host-based intrusion detection and log analysis), and Wireshark (network traffic) to analyze logs, system calls, and network traffic. This type of analysis is critical for investigating and diagnosing incidents that might be happening on specific devices, especially in the case of an insider threat or an attack that bypasses network defenses.

  • Threat Modelling, Analysis & Intelligence: Threat modelling and analysis are key components of any robust cybersecurity defense strategy. In this part of the module, we learned how to map out potential threats and vulnerabilities within a system to better understand the risks to an organization. The process involves identifying attack vectors, assessing the impact of potential threats, and determining mitigation strategies. We also covered threat intelligence gathering, which involves monitoring and analyzing cyber threat data from various sources to stay ahead of emerging threats. Understanding threat landscapes and adapting to new attack methods is essential for proactive cybersecurity defense.

  • Risk Assessments: Risk assessments were a core part of the module. We learned how to evaluate the potential risks that could affect an organization’s information systems and assets. A major part of the coursework involved conducting a risk assessment on a real-world system—an online booking system—where we identified the likelihood of various security threats, their potential impacts, and suggested appropriate mitigations. Risk assessments help organizations prioritize their security efforts and allocate resources effectively, ensuring that the most critical vulnerabilities are addressed first.


Key Learning and Practical Insights:

  • Understanding the SOC and SIEMs: One of the most impactful parts of the module was learning about the Security Operations Center (SOC), which is responsible for monitoring and responding to security incidents within an organization. SIEM systems such as Splunk and the Elastic Stack are integral to this process, providing real-time data collection, analysis, and alerting on suspicious activities. I gained a deeper understanding of how SOC teams use these tools to monitor network traffic, detect anomalies, and automate the response to potential threats.

  • Risk Assessment in Action: The assessment for the module involved conducting a risk assessment on an online booking system. This gave me practical experience in identifying threats, analyzing their potential impact, and recommending security measures to mitigate the identified risks. This exercise helped me better understand how security teams assess the vulnerabilities of systems and how different types of threats (e.g., external hacking attempts, insider threats) can affect different components of a system.

  • Real-World Application of Threat Intelligence: Throughout the module, we were introduced to the concept of threat intelligence and how it plays a critical role in preemptively identifying potential threats. By gathering and analyzing data from external threat sources such as open-source intelligence (OSINT) and threat feeds, I learned how organizations can use threat intelligence to adapt their security posture and improve their incident detection and response capabilities.

  • Cross-Disciplinary Knowledge: The module also emphasized the importance of understanding how cybersecurity integrates with broader business operations. As part of the learning process, we reviewed how incident response and risk assessments are aligned with business continuity planning and disaster recovery efforts. This knowledge is essential for ensuring that organizations not only respond to cyberattacks but also recover from them with minimal impact on business operations.
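The host-based analysis, SIEM and threat intelligence items above describe one workflow: collect endpoint logs, correlate them into alerts, and enrich the alerts with indicators from a feed. The script below is an added example of that workflow and is not code from the module or its author. It assumes OpenSSH authentication lines in syslog format (which omits the year, so 2022 is assumed), a detection threshold of five failed logins within a two-minute sliding window, a constructed indicator list in place of a real threat feed, and constructed log lines using RFC 5737 documentation addresses rather than real hosts.

```python
"""Added example (not from the module): host-log analysis with a SIEM-style
correlation rule and threat-intelligence enrichment, run over constructed data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of OpenSSH auth log lines in syslog format. The source IPs are
# RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
Jan 19 10:00:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jan 19 10:00:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Jan 19 10:00:05 web01 sshd[2212]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jan 19 10:00:06 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51025 ssh2
Jan 19 10:00:08 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51026 ssh2
Jan 19 10:00:12 web01 sshd[2215]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Jan 19 10:03:40 web01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 19 10:04:10 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Jan 19 10:05:00 web01 sshd[2310]: Accepted publickey for bob from 192.0.2.9 port 40100 ssh2
"""

# Constructed indicator list standing in for a threat-intelligence feed.
IOC_IPS = {"203.0.113.45": "constructed feed entry: SSH brute-force source"}

# Matches only the Failed/Accepted lines; other sshd messages are deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text, year=2022):
    """Parse sshd login lines into events. Syslog omits the year, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines this parser does not cover are skipped, not guessed at
        ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """SIEM-style correlation: at least `threshold` failures from one source inside a
    sliding `window` raises an alert; a later success from that source escalates it."""
    failures = defaultdict(list)  # source IP -> failure timestamps still inside the window
    alerts = {}                   # source IP -> alert (one alert per source)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["last_seen"] = ev["ts"]
            elif len(failures[ip]) >= threshold:
                alerts[ip] = {"rule": "ssh_bruteforce", "host": ev["host"], "ip": ip,
                              "failures": len(failures[ip]), "first_seen": failures[ip][0],
                              "last_seen": ev["ts"], "user": None}
        elif ip in alerts and failures[ip]:
            # A success while failures are still inside the window points to a guessed credential.
            alerts[ip].update(rule="ssh_bruteforce_success", user=ev["user"], last_seen=ev["ts"])
    return list(alerts.values())


def enrich(alerts, iocs=IOC_IPS):
    """Attach threat-intel context and assign a severity for triage."""
    for a in alerts:
        a["ioc_match"] = iocs.get(a["ip"])
        a["severity"] = "high" if a["rule"] == "ssh_bruteforce_success" or a["ioc_match"] else "medium"
    return alerts


def run(log_text=SAMPLE_LOG):
    """Full pipeline: parse host logs, correlate, enrich."""
    return enrich(detect_bruteforce(parse_events(log_text)))


if __name__ == "__main__":
    for alert in run():
        print(f"[{alert['severity'].upper()}] {alert['rule']} on {alert['host']}: "
              f"{alert['failures']} failures from {alert['ip']} "
              f"(user={alert['user']}, ioc={alert['ioc_match']})")
```

On the constructed sample this raises a single alert for 203.0.113.45 and leaves alice's one mistyped password alone, which is the point of the threshold and window: the rule is tuned to separate credential guessing from ordinary user error, and the indicator match lets an analyst prioritise the alert without first pivoting to external sources.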


Conclusion

The Cyber Security Operations module was an eye-opening experience that provided me with a deeper understanding of the practical aspects of cybersecurity. By exploring topics such as incident handling, host-based analysis, and risk assessments, I now have a well-rounded skill set to contribute to cybersecurity teams in various roles, from incident responder to risk assessor.

The hands-on exercises and the risk assessment project provided me with real-world tools and methodologies for assessing and addressing security risks, making the concepts more tangible and actionable. The exposure to SIEM tools and the SOC environment gave me valuable insights into how large organizations manage security operations and how real-time monitoring and incident response are critical to maintaining secure systems.

This module has solidified my interest in cybersecurity, and I now feel more confident in handling security incidents, performing risk assessments, and contributing to the development of comprehensive cybersecurity strategies.


Sources:

  • None