SANS. Recommendation to build your own SOC
MGT551: Building and Leading Security Operations Centers
GSOM: Security Operations Manager | giac.org/gsom
5-Day Program | 30 CPEs | Laptop Required

Managers must show alignment to the business and demonstrate real value, a challenge when the threats are constantly changing and sometimes unseen. Managing a security operations center (SOC) requires a unique combination of technical knowledge, management skills, and leadership ability. MGT551 bridges these gaps by giving students the technical means to build an effective defense and the management tools to build an effective team. Common questions SOC leaders face are:
• How do we know our security teams are aligned to the unique threats facing our organization?
• How do we get consistent results and prove that we can identify and respond to threats in time to minimize business impact?
• How can we build an empowering, learning environment where analysts can be creative and solve problems while focusing on the mission at hand?

Whether you are looking to build a new SOC or take your current team to the next level, MGT551 will super-charge your people, tools, and processes. Each section of MGT551 is packed with hands-on labs and introductions to some of the industry's best free and open source tools, and each day concludes with Cyber42 SOC leadership simulation exercises. Students will learn how to combine SOC staff, processes, and technology in a way that promotes measurable results and covers all manner of infrastructure and business processes. Most importantly, students will learn how to keep the SOC growing, evolving, and improving over time.

You Will Be Able To
• Collect the most important logs and network data
• Build, train, and empower a diverse team
• Create playbooks and manage detection use cases
• Use threat intelligence to focus your budget and detection efforts
• Utilize threat hunting and active defense strategies
• Implement efficient alert triage and investigation workflow
• Implement effective incident response planning and execution
• Choose metrics and a long-term strategy to improve the SOC
• Implement team member training, retention, and prevention of burnout
• Understand SOC assessment through capacity planning, purple team testing, and adversary emulation
Business Takeaways
• Strategies for aligning cyber defense to organizational goals
• Tools and techniques for validating security tools and processes
• Methodologies for recruiting, hiring, training, and retaining talented defenders, and effective management and leadership techniques for technical teams
• Practical approaches to optimizing security operations that can be applied immediately

Hands-On Training
While this course is focused on management and leadership, it is by no means limited to non-technical processes and theory. The course uses the Cyber42 interactive leadership simulation game to put you in real-world scenarios that spur discussion and critical thinking about situations that you will encounter at work. Throughout the five days of instruction, students will work on fifteen hands-on exercises covering everything from playbook implementation to use case database creation, attack and detection capability prioritization and visualization, and purple team planning, threat hunting, and reporting. Attendees will leave with a framework for understanding where their SOC should be focusing its efforts, how to track and organize defensive capabilities, and how to drive, verify, and communicate SOC improvements.

“There are so many [organizations] that seem to be trying to reinvent the wheel. All they need to do is invest in this course for real-world, actionable information that can put them on a solid path toward building, staffing, and leading their own SOC.”
—Brandi Loveday-Chesley

“I would recommend this course to anyone running a security operations team. I’d further recommend it to more experienced analysts so they can begin to see the bigger picture.”
—Robert Wilson, University of South Carolina
SECTION 1: SOC Design and Operational Planning
MGT551 starts with the critical elements necessary to build your Security Operations Center: understanding your enemies, planning your requirements, making a physical space, building your team, and deploying a core toolset. Throughout this course section, students will learn how to build a strong foundation upon which a SOC can operate, focusing first on the most important users and data, and tailoring defense plans to the threats most likely to impact your organization. Through workflow optimization, information organization, and data collection, you will learn how to ensure that your security operations will hit the ground running as efficiently as possible while protecting privileged SOC users and data. Exercises show how to implement these concepts through threat group and asset profiling, mapping likely attack paths into your environment, and implementing use cases and repeatable playbooks to identify the threats and attack vectors you have identified.
TOPICS: Introduction; SOC Functions; SOC Planning; Team Creation, Hiring, and Training; Building the SOC; SOC Tools and Technology; SOC Enclave and Networking

SECTION 2: SOC Telemetry and Analysis
Section 2 of MGT551 focuses on expanding our understanding of attacker tactics, techniques, and procedures and how we might identify them in our environment. We will discuss defensive theory and mental models that can guide our assessment and planning efforts, data collection and monitoring priorities, and cyber threat intelligence collection. We will also cover more specialized security monitoring use cases such as DevOps, supply chain, insider threat, and business e-mail compromise. Exercises include using the MITRE ATT&CK framework to plan security data collection and writing solid threat intelligence requirements for relevant, timely information that answers your most pressing defensive questions.
TOPICS: Cyber Defense Theory and Mental Models; Prevention and the Future of Security; SOC Data Collection; Other Monitoring Use Cases; Using MITRE ATT&CK to Plan Collection; Cyber Threat Intelligence; Practical Collection Concerns

SECTION 3: Attack Detection, Hunting, and Triage
Section 3 of MGT551 is all about improving detections. We begin with effective triage and analysis and then move to more effective alerting mechanisms, starting with the fundamentals of analytic design. We will discuss detection engineering as a core SOC discipline to be planned, tracked, and measured. You will learn a repeatable, data-driven approach to SOC capacity planning and apply that process in a hands-on exercise using custom tools that you can take back to your own environment. We will also cover the different types of proactive threat hunting, see a structured approach that results in measurable improvements to your detection capability, and apply that approach in a hands-on threat hunting lab. Finally, we will look at active defense concepts and their role in a mature security operations capability. Taking the tools, processes, and concepts from section 3 of MGT551 back to your SOC will ensure that no (virtual) stone in your environment remains unturned.
TOPICS: Efficient Alert Triage; Capacity Planning; Detection Engineering; Analytic and Analysis Frameworks and Tools; Threat Hunting; Active Defense

SECTION 4: Incident Response
From toolsets to proven frameworks to tips and tricks learned in countless real-world scenarios, section four covers the full response cycle for operations managers, from preparation to identification to containment, eradication, and recovery. The fourth section of MGT551 begins with the fundamentals of investigation: effective triage, an investigative mindset, and tools for avoiding bias. Then the focus turns to preparing your environment to be defended by deploying security controls, identifying high-value assets and users, and designing playbooks to guide your response efforts. Finally, we will review best-of-breed incident response tools and free frameworks to guide your planning. Lab exercises in section four include incident response playbook design using the free RE&CT framework, investigation review and quality control, and tabletop exercise development.
TOPICS: Incident Response (IR) Planning; Preparation; Identification, Containment, and Eradication; Recovery and Post-Incident; Incident Response in the Cloud; Dealing with a Breach; IR Tools; Continuous Improvement

SECTION 5: Metrics, Automation, and Continuous Improvement
The fifth and final section of MGT551 is all about measuring and improving security operations. We focus on three areas: developing and improving people, measuring SOC performance, and continuous validation through assessment and adversary emulation. We will also cover some of the more challenging elements of managing people in a dynamic and often high-pressure environment: building the right culture, addressing damaging behaviors, and handling common pitfalls of daily operations. By demonstrating value through structured testing and fostering a culture of learning, collaboration, and continuous improvement, we can ensure long-term growth and success. In section five, you’ll receive the tools, techniques, and insights to do just that. Hands-on exercises will include building skills self-assessments and training plans for your analysts, designing SOC metrics, and continuous assessment and validation.
TOPICS: Staff Retention and Mitigation of Burnout; Metrics, Goals, and Effective Execution; Measurement and Prioritization Issues; Strategic Planning and Communications; Analytic Testing and Adversary Emulation; Automation and Analyst Engagement

Who Should Attend
This course is intended for those who are looking to build a Security Operations Center for the first time or improve the one their organization is already running.
Ideal student job roles for this course include:
• Security Operations Center managers or leads
• Security directors
• New Security Operations team members
• Lead/senior SOC analysts
• Technical CISOs and security directors

NICE Framework Work Roles:
• Information Security Manager: OV-MGT-001
• Cyber Policy and Strategy Planner: OV-SPP-002
• Executive Cyber Leadership: OV-EXL-001
• Program Manager: OV-PMA-001
• Cyber Defense Incident Responder: PR-CIR-001
• OT SOC Operator

GIAC Security Operations Manager (GSOM), giac.org/gsom
The GSOM certification validates a professional’s ability to run an effective security operations center. GSOM-certified professionals are well-versed in the management skills and process frameworks needed to strategically operate and improve a SOC and its team.
• Designing, planning, and managing an effective SOC program
• Prioritization and collection of logs, development of alert use cases, and response playbook generation
• Selecting metrics, analytics, and long-term strategy to assess and continuously improve SOC operations