This chapter focused on the technology and services associated with most modern SOC environments. The chapter provided an overview of best practices for data collection that covered different data sources, such as syslogs, network telemetry, and packet capturing. The chapter then reviewed how data is processed so that it can be used for security analysis. We included different techniques that can also complement captured data, such as using data enrichment. The next topic covered was vulnerability management, following steps from the SANS Vulnerability Management Model. The chapter concluded with some operation recommendations, such as how to handle case management and collaboration between teams.
Now that you have a good idea about the technologies and services found in a SOC, it is time to look at how these can work together. Next up is Chapter 3, “Assessing Security Operations Capabilities,” which focuses on assessing SOC operational capabilities.