
Security Operations

Code: CC4081     Acronym: CC4081     Level: 400

Keywords
Classification: OFICIAL
Keyword: Computer Science

Instance: 2022/2023 - 1S

Active? Yes
Responsible unit: Department of Computer Science
Course/CS Responsible: Master in Information Security

Cycles of Study/Courses

Acronym: M:SI
No. of Students: 25
Study Plan: Study plan since 2020/2021
Curricular Years: 1
Credits UCN: -
Credits ECTS: 6
Contact hours: 42
Total Time: 162

Teaching language

Suitable for English-speaking students

Objectives

Security operations are unavoidable in any mid- to large-sized organization, either through internal security operations centers or through outsourcing, and this course covers the specifics of how security operations centers work. The students are expected to acquire a thorough understanding of the major organizational aspects of an operations center, of the information system architectures used currently in security operations centers, and of challenges and future approaches for security operations centers.

Learning outcomes and competences

At the end of this course the student should be able to 1) understand the organizational structure of a security operations center and be familiar with the different security strategies that can be implemented; 2) define an information systems architecture for the security operations center of a given organization and be aware of the different options for the components of such an architecture; 3) assimilate the new concepts and advanced topics that constantly emerge in the area of operations security.

Working method

In-person

Pre-requirements (prior knowledge) and co-requirements (common knowledge)

Basic knowledge of cybersecurity or of computer network management.

Program

1. Organizational structure of security operations: the security operations center (SOC), SOC objectives, positioning within an organization, comparison with other operations centers, types of SOC, functions, human resources, performance metrics. Operations security strategies: attacker tactics, techniques, and procedures (TTPs), incident response, asset prioritization.

2. Information system architecture of a SOC: components and interactions; intrusion detection systems, collection of service and application usage logs, open-source intelligence (OSINT), vulnerability scanning, SIEM event correlation, IntelMQ-like event processing, MISP-like information sharing. Incident response ticketing; relation with active defense systems (firewalls, scrubbing); honeypots.

3. Advanced topics in security operations: selection of data and choice of sensor location, securing SOC components, security operations automation in the context of Agile and DevOps, threat intelligence and judicious sharing of information, honeypot robustness, attribution, potential and limitations of the use of artificial intelligence in security operations, objectives and differentiating aspects of blue-team CTF challenges.

Mandatory literature

Nathans, D. Designing and Building a Security Operations Center (1st ed.). Syngress Publishing, 2014. ISBN 978-0-128-00899-7
Zimmerman, C. Ten Strategies of a World-Class Cybersecurity Operations Center. MITRE Corporation, 2014. ISBN 978-0-692-24310-7

Teaching methods and learning activities

The teaching methodology is based on 1) discussion of the organizational and architectural concepts of a SOC, as well as of advanced topics in operations security, using scientific papers, case studies, and Internet research; 2) specification, development, testing, and performance characterization of SOC components and parts of the SOC architecture using the technologies and concepts discussed in the course.

Evaluation Type

Distributed evaluation without final exam

Assessment Components

Designation: Weight (%)
Test: 50.00
Lab work: 50.00
Total: 100.00

Amount of time allocated to each course unit

Designation: Time (hours)
Autonomous study: 40.00
Class attendance: 56.00
Lab work: 66.00
Total: 162.00

Eligibility for exams

T: test
TL: lab work

T >= 10.0 and TL >= 8.0

Calculation formula of final grade

T: test
TL: lab work

CF = 0.5*T + 0.5*TL; if (T < 10.0 or TL < 8.0) then CF = MIN(CF, 9.0)

Internship work/project

Tutorials and practical class project in the area of security operations centers.
Copyright 1996-2025 © Faculdade de Ciências da Universidade do Porto
Page created on: 2025-06-16 at 15:41:01