Course project description
Individual Final Project

Vandelay Industries has an in-house security operations center (SOC). This SOC functions as the first line of triage for network monitoring, alerting, and security incidents. Currently, it is in disarray: there are no policies, procedures, runbooks, etc. in place. SOC employees also constantly complain that the technology they use is ineffective, ancient, and constantly down for maintenance. Your job is to fix this extremely important security team at the firm.

Current staffing on paper is below. All staff are full-time and work business hours only.

* One SOC manager.
* Four “Level One” SOC analysts who triage alerts.
* Two senior or “Level Two” SOC analysts who handle escalated alerts.
* One incident response manager who works business hours. This position covers managing network incidents in addition to security incidents.
* Two “Level Three” incident responders who handle alerts escalated by the senior analysts that have been declared an incident requiring investigation and/or follow-up. In their downtime, they perform a combination of other duties such as threat hunting and cyber threat intelligence. Nothing official, however.

Current technology:

* A clunky old ELK stack (Elasticsearch, Logstash, Kibana) that provides indexing, log aggregation, and a web-based front end, respectively. It collects a minimal amount of logs from Vandelay systems. There is no standard or oversight here on what is flowing into these systems.
* A ticketing system, ServiceNow, which SOC analysts share with desktop support and other IT teams.
* Symantec Endpoint Protection (SEP) for antivirus.

You are being asked to:

1. Restructure the SOC as you see fit, including changes to roles, staffing enhancements, technology enhancements/changes, etc.
2. Write the overall Incident Response Policy, which includes specific elements for the SOC analysts and incident responders. The entire SOC should follow this policy. Conduct research regarding what best practices a SOC should be employing and what elements a policy like this should have.
   a. This is NOT the overall information security policy, which is a separate document. This is the policy that governs the SOC/IR functions only.

Think about:

* Analysts should be consistent in how they respond to alerts. So, what needs to be in place to ensure this happens?
* Incident responders should be consistent in how they respond to incidents. So, what needs to be in place to ensure this happens?
* Analysts and incident responders need a robust toolset in order to detect and respond to security alerts and incidents.
* The policy should follow industry-recognized best practices. This means you need to do your research, as I’m well aware of what it takes to run both a SOC and an IR team, having done both myself.
* Don’t worry about budget, but do keep in mind that it is not unlimited. Vandelay is a mid-sized firm at 2,500 employees, so it does not have the budget that, let’s say, Bank of America would have at 230,000 employees and a global footprint. So, make choices that would make sense in light of these facts.

Deliverables:

* The (1) first part of your document should cover #1 above: how you’re designing the team, what changes you’re making, along with the justifications and thought process behind those changes.
* The (2) second part of your document should cover #2 above and be the SOC/IR policy itself. Keep in mind that this is policy, which means it’s NOT: 1) a step-by-step instructional guide, 2) a playbook, 3) an implementation guide, or 4) a procedural document. Now, there’s nothing saying you can’t also include one or more of these, or simply call them out within the policy itself so that employees refer to those separate documents when appropriate.

Format requirements:

1. APA 7th edition format on all submissions.
2. Title page with your name, class, and assignment.
3. Part #1 should be double-spaced and formatted like a regular paper.
4. Part #2 is the policy, which should be single-spaced and look like a policy. Please use Microsoft Word.
5. References page.
6. Be advised, DO NOT plagiarize. Each submission will be checked for plagiarism. Write things in your own words and back it up with a scholarly source.
7. Scholarly sources = well-respected technical and peer-reviewed sources.