The security operations centre (SOC) is the heart of a firm’s cyber defences. Here are the basic elements and processes that a SOC uses to monitor for and respond to security incidents.
A while ago I wrote a post about using Python to parse tcpdump output for domains and URLs. Recently, I started to wonder if I could take that a step further. What if the DNS requests I saw could be checked against a blacklist in real time? And what if the output was presented in a more useful format? Here’s how I got these new features working.
The life of a SOC analyst – as is the case with many other jobs – can involve a lot of repetitive tasks, including the process of writing tens of similar emails each day. But what if this could be automated, saving time and reducing the potential for error?
Part of my time at the SANS Cyber Retraining Academy covered the incident response methodology and how to identify what’s wrong and how to fix it. But theory is quite different to the real thing, so I thought it would be useful to make a cheat sheet with a few of the pointers I’ve picked up when it comes to investigating malware activity.
It’s almost a year to the day that I left my journalism job and started at the SANS Cyber Retraining Academy, and I’ve written a lot of blog posts about how much I enjoyed the experience and how valuable and life-changing it was. But now I’ve been in the industry for a few months, I thought it would be interesting to explore what it didn’t prepare me for.