SEC 511 Course
When building a security operations center, preparing the infrastructure is one of the critical stages. In this course we learn what the defensible architecture required by a Security Operations Center (SOC) looks like, which sensors must be included, and which equipment should be deployed where. We also learn how to monitor effectively at the network level and at the endpoint level, on both clients and servers. We learn how to analyze different kinds of traffic and extract artifacts from endpoints, and finally how to pull malware out of encrypted traffic and how to automate security monitoring.

Course prerequisites
- SEC 504
- Strong command of TCP/IP concepts and the network layers

Course audience
- Security specialists
- Incident response unit specialists
- Security operations center unit specialists
Course outline
- Traditional Security Architecture
  - Perimeter-focused
  - Addressed Layer 3/4
  - Centralized Information Systems
  - Prevention-Oriented
  - Device-driven
- Traditional Attack Techniques
- Modern Security Architecture Principles
  - Detection-oriented
  - Post-Exploitation-focused
  - Decentralized Information Systems/Data
  - Risk-informed
  - Layer 7 Aware
  - Security Operations Centers
  - Network Security Monitoring
  - Continuous Security Monitoring
- Modern Attack Techniques
- Adversarial Dominance
- Frameworks and Enterprise Security Architecture
  - Enterprise Security Architecture
  - Security Frameworks
- Security Architecture – Key Techniques/Practices
  - Threat Vector Analysis
  - Data Exfiltration Analysis
  - Detection Dominant Design
  - Intrusion Kill Chain
  - Visibility Analysis
  - Data Visualization
  - Lateral Movement Analysis
  - Data Ingress/Egress Mapping
  - Internal Segmentation
  - Network Security Monitoring
  - Continuous Security Monitoring
- Security Operations Center (SOC)
  - Purpose of a SOC
  - Key SOC roles
  - Relationship to Defensible Security Architecture
- SOCs/Security Architecture – Key Infrastructure Devices
  - Traditional and Next-Generation Firewalls, and NIPS
  - Web Application Firewall
  - Malware Detonation Devices
  - HTTP Proxies, Web Content Filtering, and SSL/TLS Decryption
  - SIEMs, NIDS, Packet Captures, and DLP
  - Honeypots/Honeynets
  - Network Infrastructure – Routers, Switches, DHCP, DNS
  - Mobile Devices and Wireless Access Points
  - Threat Intelligence
- Segmented Internal Networks
  - Routers
  - Internal SI Firewalls
  - VLANs
  - Detecting the Pivot
  - DNS architecture
  - Encrypted DNS including DNS over HTTPS (DoH) and DNS over TLS (DoT)
- Defensible Network Security Architecture Principles Applied
  - Internal Segmentation
  - Threat Vector Analysis
  - Data Exfiltration Analysis
  - Detection Dominant Design
  - Zero Trust Model (Kindervag)
  - Intrusion Kill Chain
  - Visibility Analysis
  - Data Visualization
  - Lateral Movement Analysis
  - Data Ingress/Egress Mapping
- Continuous Monitoring Overview
  - Defined
  - Network Security Monitoring (NSM)
  - Continuous Security Monitoring (CSM)
  - Continuous Monitoring and the 20 Critical Security Controls
- Network Security Monitoring (NSM)
  - Evolution of NSM
  - The NSM Toolbox
  - NIDS Design
  - Analysis Methodology
  - Understanding Data Sources
    - Full Packet Capture
    - Extracted Data
    - String Data
    - Flow Data
    - Transaction Data
    - Statistical Data
    - Alert Data
    - Tagged Data
    - Correlated Data
  - Cloud NSM
  - Practical NSM Issues
  - Cornerstone NSM
    - Service-Side and Client-Side Exploits
    - Identifying High-Entropy Strings
    - Tracking EXE Transfers
    - Identifying Command and Control (C2) Traffic
    - Tracking User Agents
    - C2 via HTTPS
    - Tracking Encryption Certificates
- Security Architecture – Endpoint Protection
  - Anti-Malware
  - Host-based Firewall, Host-based IDS/IPS
  - Application Control, Application Virtualization
  - Privileged Accounts, Authentication, Monitoring, and UAC
  - Virtual Desktop Infrastructure
  - Browser Security
  - EMET and Defender Exploit Guard
  - Patching
    - Process
    - To Test or Not to Test
    - Microsoft
    - Third-Party
- Overview
  - Continuous Security Monitoring (CSM) vs. Continuous Diagnostics and Mitigation (CDM) vs. Information Security Continuous Monitoring (ISCM)
  - Cyberscope and SCAP
- Industry Best Practices
  - Continuous Monitoring and the 20 CIS Critical Security Controls
  - Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions
- Winning CSM Techniques
  - Maintaining Situational Awareness
  - Host, Port, and Service Discovery
  - Vulnerability Scanning
  - Monitoring Patching
  - Monitoring Applications
  - Monitoring Service Logs
  - Detecting Malware via DNS logs
  - Monitoring Change to Devices and Appliances
  - Leveraging Proxy and Firewall Data
  - Configuring Centralized Windows Event Log Collection
  - Monitoring Critical Windows Events
  - Hands-on: Detecting Malware via Windows Event Logs
- Scripting and Automation
  - Importance of Automation
  - PowerShell
  - DeepBlueCLI
  - Hands-on: Detecting Malicious Registry Run Keys with PowerShell