
MGT517: Managing Security Operations: Detection, Response, and Intelligence

MGT517 is crucial to understanding how to improve an organization's security posture.

Jeff McGraw, Penske

MGT517 is simply outstanding! It pulls together best practice, standards, procedures and materials framework to establish and manage a world-class security operational SOC.

Michael Carter, CPB

Managing Security Operations entails the design, build, operation and ongoing growth of all facets of the security capability of the organization. An effective SOC has many moving parts and must be designed with the ability to adjust and work within the constraints of the organization. To run a successful SOC, managers need to provide tactical and strategic direction and inform staff of the changing threat environment as well as provide guidance and training for employees. This course covers design, deployment and operation of the security program to empower leadership through technical excellence.

The course covers the functional areas: Communications, Network Security Monitoring, Threat Intelligence, Incident Response, Forensics, and Self-Assessment. We discuss establishing Security Operations governance for:

  • Business alignment and ongoing adjustment of capabilities and objectives
  • Designing the SOC and the associated objectives of functional areas
  • Software and hardware technology required for performance of functions
  • Knowledge, Skills and Abilities of staff roles as well as hiring and cultivating staff
  • Execution of ongoing operations

You will walk out of this course armed with a roadmap to design, build and operate an effective SOC tailored to the needs of your organization.

Course Content Overlap Notice:

Please note that course material for MGT517 and MGT535 overlaps. Days 4 and 5 of MGT517 contain material that is covered in MGT535. We recommend MGT517 for those interested in managing security operations overall in addition to incident response. MGT535 only covers managing incident response.

Course Syllabus


We will focus on how to align and deploy a Security Operations Center. This day lays the foundational aspects of the SOC by discussing the functional areas that form the basis of the build and operate days that follow.

The first issue to address is how the SOC will serve the business. To understand what is to be built, we explore the business drivers for SOCs. Each company has its own circumstances and needs, but there are common drivers for setting out to build a SOC.

Building on that business alignment, a systems analysis lays out everything that needs to be done. This is an elaborate and substantial effort to undertake, so knowing what components are available and how the pieces fit together is critical. This analysis is followed by design and build on day 2.

  • SOC Justification
  • Functional Metrics
  • Budget Development
  • Proposal Document

CPE/CMU Credits: 6

  • SOC Fundamentals
  • SOC Components
  • Sizing and Scoping
  • SOC Program

Once analysis of the organization's needs and available resources produces a clear picture of what should be done to secure it, we set out to build the SOC. The build-out starts with an operating plan agreed on by the key stakeholders from the organization.

The interactions, inputs, outputs, and actions within each of the process components are identified. Each functional area needs specific hardware and software to accomplish each process, so alternatives are discussed for all of these. Open source, inexpensive, and enterprise-level solutions are presented for each need. This in-depth discussion of the available solutions helps focus the available budget on the necessary tools.

The output of this day is a sense of all the procurement necessary for building out a SOC.

  • Steering Committee
  • Command Center and Incident Response Interaction
  • Technology Matrix

CPE/CMU Credits: 6

  • Governance Structure
  • Process Engineering
  • Technical Components

Designing and building a SOC are projects; operating it is an ongoing and perpetual effort. If the design and build of the system are insufficient or short-sighted, then operating the system will be difficult and inefficient.

The overriding challenge of management is discussed in terms of organizational dimensions. The analytical processes "Analysis of Competing Hypotheses", "Kill Chain", and "Diamond Model" are discussed to provide context for the analytical currency of the SOC.

We will evaluate the staffing structure, how to hire and how to keep those staff continually trained and updated. A schedule of meetings, specific metrics to report, and specific metrics to use to measure the relationship within the functional areas of the SOC are shown.

Specific processes and the data relationships when performing the processes are discussed to depict the standard operating procedures that the SOC must perform.

  • Staff Composition
  • Metrics Proposal
  • Standard Operating Procedures

CPE/CMU Credits: 6

  • People and Processes
  • Measurements and Metrics
  • Process Development

Further detail on incident response is developed to show the operation of the SOC. Since the response component is the action of defense, the operation of the incident response team is addressed in great detail.

A consideration of cloud-based systems shows a special case of incident response. The preparation of response capability in the cloud is insufficient, because the contractual negotiations for the service rarely address incident response adequately. We discuss appropriate preparation and response actions within cloud services.

User training and awareness are developed as a basis for corrective action when incident response is required.

  • Cloud Service Provider
  • Workflow development
  • Report Template Development
  • Develop Training Program

CPE/CMU Credits: 6

  • The Cloud
  • Incident Response Process
  • Creating Incident Requirements
  • Training, Education, and Awareness

Continuing the operation of incident response, we discuss the staffing requirements in detail. Common caveats of IR operation are discussed, and the development of tabletop exercises to mitigate those caveats is practiced.

Communication requirements are laid out and incident tracking methods are discussed. How to achieve the most from a response and damage-control effort is shown.

Tools for estimating and tracking the costs associated with incidents are shown. Overall recommendations for how to interface with law enforcement are presented.

The final topic addressed is the development of appropriate response techniques for APT style actors. Strategies for quickly differentiating APT style compromise using threat intelligence, sufficient scope identification, and eradication of the current wave of compromise are discussed.

  • Tabletop Exercise
  • IR Pitch
  • Incident Cost
  • Legal POCs
  • APT Response

CPE/CMU Credits: 6

  • Staffing Considerations
  • Setting Up Operations
  • Managing Daily Operations
  • Cost Considerations
  • Legal and Regulatory Issues
  • Advanced Threat Response

Additional Information

Students need to bring a computer to class with Microsoft Office 2010 (or later) installed on it. The ability to open Microsoft Excel files is a must. Students may choose to bring a computer with another spreadsheet program installed on it; however, the tools provided in class have only been thoroughly tested with Microsoft Office products, and certain functionality in the tools will not work properly with other spreadsheet programs. Therefore, it is recommended that students bring a machine with a copy of Microsoft Office 2010 or later installed.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Information security managers
  • SOC Managers, Analysts & Engineers
  • Information security architects
  • IT managers
  • Operations managers
  • Risk management professionals
  • IT/system administration/network administration professionals
  • IT auditors
  • Business continuity and disaster recovery staff

No specific prerequisites exist for the class. However, it is presumed the attendee has knowledge of information assurance and management principles. The class briefly addresses basics of each but focuses on the application of those principles to accomplish security operations. Detailed technical knowledge is not necessary, but is helpful when attempting to decide the best course of action.

  • Course material with detailed notes
  • Electronic versions of diagrams depicting the relationships and data flow
  • MP3 audio files of a recording of the course
  • Design security operations to address all needed functions for the organization
  • Select technologies needed to implement the functions for SOC
  • Maintain appropriate business alignment with the security capability and the organization
  • Develop and streamline security operations processes
  • Mature capability
  • Collect data for metrics and report meaningful metrics to the business as well as maintaining internal SOC performance metrics
  • Hire appropriate SOC staff and keep existing SOC staff up to date

Author Statement

The inclusion of all functional areas of security operations is intended to develop a standardized program for an organization and express all necessary capabilities. Admittedly ambitious, the intention of the class is to provide a unified picture of coordination among teams with different skillsets to help the business prevent loss due to poor security practices. I have encountered detrimental compartmentalization in most organizations. There is a tendency for a specialist to look only at her piece of the problem, without understanding the larger scope of information security within an organization. Organizations are likely to perceive a security operations center as a tool, and not the unification of people, processes, and technologies.

This course provides a comprehensive picture of what a Cyber Security Operations Center (CSOC or SOC) is. Discussion of the technology needed to run a SOC is handled in a vendor-agnostic way. In addition, technology is addressed in a way that attempts to address both minimal budgets as well as budgets with global scope. Staff roles needed are enumerated. Informing and training staff through internal training and information sharing is addressed. The interaction between functional areas and the data exchanged is detailed.

After attending this class, the participant will have a roadmap for what needs to be done in the organization seeking to implement security operations.

- Christopher Crowley


*Course contents may vary depending upon location, see specific event description for details.