Week 4 Flashcards

1
Q

Security Operations Maturity Model (SOMM)

A

A means of measuring the effectiveness of your security operations program and of maturing its capabilities, thus improving your resilience to cyber threats.

2
Q

Mean Time To Respond (MTTR)

A

The average time it takes to respond to and ultimately resolve an incident once it has been detected.

Investigate,
Neutralize,
Recover;

3
Q

Mean Time To Detect (MTTD)

A

The average time it takes to recognize the presence of a threat that requires further analysis and response efforts.

Collect,
Discover,
Qualify;

4
Q

MTTD and MTTR Sub-categories

A
  • Time to Qualify (TTQ)
  • Time to Investigate (TTI)
  • Time to Triage (TTT)
  • Time to Detect (TTD)
  • Time to Respond (TTR)
5
Q

Threat Lifecycle Management (TLM)

A

Refers to the recommended workflow on the LogRhythm platform for minimizing a SOC's MTTD and MTTR. The TLM workflow is organized around the following six stages of detection and response:

  1. Collect
  2. Discover
  3. Qualify
  4. Investigate
  5. Neutralize (referred to as Mitigation)
  6. Recover
6
Q

Security Event and Alarm Data

A

Most organizations have an array of security products to prevent a wide range of attacks from being successful. However, in some cases, these technologies can only warn that an attack may be in process or has already occurred. In these cases, __________________ are generated.

7
Q

Log and Machine Data

A

Can provide deeper visibility into an IT environment — recording on a per user, per system, per application basis — who did what, when, and where. This rich set of data can support more effective and rapid investigations of suspected attacks. The ability to comprehend what is normal within the IT environment is also within this dataset — enabling automated machine analytics to detect behavioural anomalies that might indicate a more advanced attack is in progress.

8
Q

Forensic Sensor Data

A

Can provide even deeper and broader visibility, and can fill visibility gaps when logs aren't available or where the level of forensic detail is insufficient.

There are two primary types of forensic sensors that might be employed:

  • Network forensic sensors that capture packets and flows.
  • Endpoint forensic sensors that can record with high fidelity all activity occurring on the monitored system.
9
Q

Discover

A

Once organizations have established visibility, they stand a chance at detecting and responding to threats.

________ of potential threats is accomplished through a blend of search and machine analytics.

10
Q

Search Analytics

A

This type of a________ is performed by people and enabled by software. It includes things such as targeted hunting of threats by monitoring dashboards and leveraging search capabilities. It also includes reviewing reports to identify known exceptions. Search _________s is people-intensive. Thus, while effective, it cannot be the sole (or even primary) method of _________ most organizations should employ.

11
Q

Machine Analytics

A

This type of analytics is performed by software using machine learning (ML) and other automated analysis techniques where outputs can be efficiently leveraged by people.

It is the future of a modern and efficient threat discovery capability. The goal of using machine analytics should be to help organizations realize a “risk-based monitoring” strategy through the automatic identification and prioritization of attacks and threats.

This is critical for both detecting advanced threats via data science-driven approaches, as well as helping organizations orient precious human cognitive cycles to the areas of highest risk to the business.

12
Q

Qualify

A

Threats must be rapidly qualified to assess the potential impact on the business and the urgency of additional investigation and response efforts.

The qualification process is manual and time-intensive, while also being very time-sensitive.

An inefficient qualification process increases the level of human investment needed to evaluate all threat indicators (e.g., alarms), but an efficient process allows organizations to analyze more indicators with less staff.

13
Q

Investigate

A

Once threats have been qualified, they need to be fully i_________ to conclusively determine whether a security incident has occurred or is in progress.

This begins with conducting a deep __________ using all the collected evidence to understand the risk presented by the threat and its scope.

Rapid access to forensic data and intelligence on the threat is paramount. Automation of routine investigatory tasks, together with tools that facilitate cross-organizational collaboration, is ideal for optimally reducing MTTR.

Ideally, a secure facility for keeping track of all active and past investigations is available. This can help ensure that forensic evidence is well-organized and available to collaborators.

It can also provide an account of who did what in support of investigation and response activities to measure organizational effectiveness and hold parties responsible for the tasks they own in the investigation.

14
Q

Neutralize

A

When an incident is qualified, organizations must implement mitigations to reduce and eventually eliminate risk to the business.

For some threats, such as ransomware or compromised privileged users, every second counts.

To maximally reduce MTTR, easily accessible and updated incident response processes and playbooks, coupled with automation, are critically important.

Similar to the Investigate stage, facilities that enable cross-organizational (e.g., IT, legal, HR) information sharing and collaboration are also important.

15
Q

Recover

A

Once the incident has been neutralized and the risk to the business is under control, full recovery efforts can commence. These efforts are less time-critical, and they can take days or weeks depending on the scope of the incident.

To recover effectively and on a timely basis, it is imperative that an organization’s security team has access to all forensic information surrounding the investigation and incident response process.

This includes ensuring that any changes made during incident response are tracked, audit trail information is captured, and the affected systems are updated and brought back online. Many recovery-related processes can benefit from automation.

In addition, the recovery process should ideally include putting measures in place that leverage the gathered threat intelligence to detect if the threat returns or left behind a back door.

16
Q

Global Administrators

A

Have permission to view and manage all LogRhythm components and log source data.

17
Q

Restricted Administrators

A

Can view and manage only the specific components and log source data to which they have been assigned permission by a LogRhythm Administrator. They can be granted permission to individual log sources and Entities, as well as other component-level access assigned through Role-Based Access.

  • Individual log sources can include the log data sent from specific servers, applications, or devices.
  • Entities are logical groupings of log sources and/or components within a deployment. They are defined by LogRhythm Administrators.
18
Q

Global Analysts

A

Have permission to view data from any log source.

19
Q

Restricted Analysts

A

Can view only the data of the individual log sources and/or Entities (as outlined in the Restricted Administrator profile description) to which they have been assigned permission.

Their permissions are managed on a granular level by LogRhythm Administrators.

20
Q

Notification Only

A

Can be created for users who only need to receive notifications from the Alarm or Reporting engine but are restricted from direct access to the console.

They do not have a login and password.

21
Q

Alarms Widget

A

Includes data related to all alarms, alarm notifications, and alarm histories generated by the LogRhythm Alarming and Response Manager (ARM) and the LogRhythm Notification Service.

22
Q

Events Widget

A

Includes log data that qualified as an Event.

23
Q

Platform Manager Database (EMDB) Widget

A

Includes all configuration information.

24
Q

Case Management Database Widget

A

Includes data for all cases as well as most of the associated evidence.

25
Q

Node-Link Graph Widget

A

Allows you to visualize relationships, patterns, and abnormalities present in log data.

These relationships include, but are not limited to, network traffic between a source and destination host, and authentication between an origin user and a destination host.