Associate SOC analyst training and exam

Associate SOC analyst offers a comprehensive 3-day training that immerses you into the processes, data flows and capabilities of a SOC along with hands on, real-world tasks of a tier 1 analyst.

Throughout the course you’ll work with SIEM, ITSM and a SOC ticketing system, the key toolset of the SOC analyst. You’ll practice attacker techniques and vulnerabilities evaluation and identify companies’ critical assets and key IT systems that you are assigned to monitor and protect. You will monitor, analyse and prioritise SIEM alerts and perform triage and effective decision making to confirm and declare if a security incident is taking place. You’ll use the ticketing system to report and present your findings, and manage an incident from preparation to post-incident analysis.

One of the most important takeaways from this course is understanding the "analyst mindset": this training will trigger your curiosity, activate your analytical brain and have you work together with your SOC mates, clients and incident responders. We’ll dive deep into the analytical process and offer you a set of hypotheses with "if-then" scenario’s, what to look for and where to find "go-to" resources to support your investigations. You’ll learn how to deal with the huge number of logs, alerts and events in a SOC, which can be overwhelming if not treated correctly.

The course delivers a simulated SOC environment including a virtualised ITSM, SOC ticketing system and SIEM, fully set up to work together which will create an immersive experience and re-create your workplace environment as closely as possible.

Included in your training:

• 3 days, instructor led training
• Official course materials
• Access to SECO-Institute’s virtual SOC
• Exam voucher
• Digital certification badge when you pass your exam

By the end of this course, participants will:

• understand and practice the mindset of the SOC analyst, the analytical process and the collaboration skills required to successfully operate in a SOC team;
• have gained hands on experience with SIEM, ITSM and a SOC ticketing system, the key toolset of the associate SOC analyst;
• have gained hands on experience in threat analysis, reporting, escalation and have managed an incident from preparation to post-incident analysis;
• have practiced attacker techniques and vulnerabilities evaluation. They’ll have a solid understanding of and practical experience with applying the Pyramid of Pain, Cyber Kill Chain and the MITRE ATT&CK framework in investigations;
• be able to identify companies’ critical assets and key IT systems that they are assigned to monitor and protect;
• have a fundamental understanding of use cases for security monitoring;
• understand the processes of threat intelligence, threat hunting and incident response, their differences and how they interconnect.

DAY 1

Module 1. The SOC and the associate SOC analyst

This module introduces students into the processes, data flows and capabilities of a Security Operations Center, the services that a SOC delivers, what technologies are deployed and how they interconnect. It then describes the different roles, responsibilities and tasks within the SOC, from Tier 1 up to management. From thereon, the module dives deep into the tier 1 analyst role, the associated tasks and KSA matrix (Knowledge, Skills, Abilities) that are required, key tools and resources, major challenges and pitfalls for an associate analyst, and how all of the above are addressed in the training

1.1. Introduction to the Security Operations Center

• Objectives
• SOC - Services and technology
• SOC - Maturity model
• Roles within the SOC, associated escalation process, career paths

1.2. Core tasks and skillset of the associate analyst, it is all about:

• Understanding attacker techniques and vulnerabilities
• Identifying critical company assets and key systems
• Knowing where and how to collect data and logs
• Adopting the analyst mindset: analytical process and decision making
• How to report your findings, collaborate and escalate

1.3. Key toolset of the associate SOC analyst (intro)

• ITSM
• SOC ticketing system
• SIEM (Elastic and Splunk)
• Mindset of the SOC analyst

1.4. Key data-sources initiating investigations

• SIEM alerts
• IDS alerts, firewalls, network traffic logs, endpoints
• Reported from users

1.5. Key data-sources supporting investigations

• Vulnerability management
• Threat intelligence
• Malware analysis

Module 2. Key toolset of the associate SOC analyst

This hands on module introduces students to SIEM, ITSM and SOC ticketing systems and how they work together. They will understand the different SIEM technologies and data processing models, focusing on Elastic and Splunk, the most popular SIEM products in the market nowadays. Students will experience the analyst feeling when working with different team members and transitioning from the ITSM to the rest of the tools in order to deliver a high quality service. Throughout this module, students will work on a business case, where they are assigned to process some tasks within a virtual SOC via a ticketing system. They will be introduced to the mindset of the security analyst and the analytical, step by step process of an investigation.

2.1. Introduction to SECO’s virtual SOC

• ITSM
• SOC ticketing system
• SIEM (Elastic and Splunk)
• Mindset of the SOC analyst
• Hands on - Exercise using all of the above

DAY 2

Module 3. Log collection, use cases, threat detection and monitoring

This module delivers the theory behind log monitoring and security monitoring systems along with hands-on exercises in security logging and analysing log collections. The module offers an introduction to attacker techniques and vulnerability finding, critical assets and key systems identification. Students will learn where and how to collect data (SIEM alerts, IDS alerts, firewalls, network traffic logs, endpoints, WAF, etc), how to investigate and detect threats based on a large realistic dataset and how use cases are applied to monitor the use of attack techniques. A large portion of the module is again spent on guiding students step by step through the analytical process, what to look for when analysing log collections and key data sources that will support their investigations.

3.1. The mindset of a security analyst - in depth
3.2. Introduction to attacker techniques and processes
3.3. Data collection:

• SIEM alerts
• IDS alerts
• Firewalls
• Network traffic logs
• Others

3.4. Logs and log collection
3.5. Critical and key IT systems and their logs (exercise)
3.6. ITSM and SIEM (hands on)
3.7. Event analysis, correlation and attack techniques (hands on)
3.8. Alerting, reporting and dashboarding (hands on)
3.9. Security monitoring use cases, MaGMA, MaGMA UCF

DAY 3

Module 4. Threat analysis in-depth, fundamentals of threat intelligence and threat hunting, incident response

Module 4 starts with a high- level introduction of the threat intelligence process and how it is applied to obtain situational awareness. It then dives deeper into the Pyramid of Pain and MITRE ATT&CK framework for threat hunting and threat analysis purposes. Next up we’ll dive deep into threat analysis and investigations, moving from event-analysis to threat analysis and bringing the analyst mindset covered throughout the course into a hands-on practice. Students will finalise understanding the incident declaration and escalation procedure as well as the overall incident response model and process. During the hands-on practice, students get to analyse a dataset to find indications of threats and work together on a business where they manage an incident from preparation to post-incident analysis. The hands-on section prepares students for a complex homework assignment they will complete after this module and that will be a part of their exam.

4.1. Introduction to threat intelligence, situational awareness and attribution

4.2. Pyramid of Pain and MITRE ATT&CK framework

4.3. Threat hunting introduction

4.4. Threat analysis in-depth

4.5. Detection continuous improvement and intelligence feedback

4.6. Incident response model and process

4.7. Hands on threat analysis exercise and incident response business case

4.8. Homework assignment and exam preparation

EXAM

This training prepares for the associate SOC analyst certification from SECO-Institute. To obtain and claim your certification, you must successfully take 2 exams:

1. Practical exam: homework assignment in SECO’s virtual SOC
The hands-on section on the last day of training prepares you for a complex, hands on homework assignment in SECO’s virtual SOC that will be part of your exam and certification. You must finalise your assignment before you can schedule your exam.

2. Theory exam
Language: English
Delivered: online via a certified proctor
Questions: 40 multiple choice
Time: 60 minutes

Koen Maris is partner at PwC Luxembourg, leading the Cyber Security practice with more than 20 years of experience in information/cyber security in cross industry environments. Koen is specialised in Secure Operations Centers, incident response and awareness raising at all levels of an organisation. He has experience with Distributed Ledger Technology, IoT, OT/IT security, threat intelligence and forensics. Koen has a strong technical background and operational experience in cyber security as well as strong competencies in security architecture, solution design, programme management, business development.