Domain 5 of 6 · Chapter 6 of 6

Security Operations Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.

Included in this chapter:

  • The SOC and the SIEM pipeline
  • From alert to action: SOAR and intelligent monitoring
  • The NIST SP 800-61 incident-response lifecycle
  • Continuous monitoring and vulnerability assessment ops
  • Exam-pattern recognition

SOC tooling and process boundaries at a glance

CapabilityWhat it doesKey standard / artifactWhere the boundary is
SIEMAggregates and correlates logs across sources into alertsNIST SP 800-92 (log management)Detection; not the restore-service process
SOARRuns playbooks to automate enrichment and first responseVendor playbooksAutomates response; analyst still judges ambiguous cases
Incident responseWorks the SP 800-61 phases to contain and recoverNIST SP 800-61Technical IR; ITIL incident mgmt does the formal workflow
Continuous monitoringMaintains ongoing awareness of threats and control stateNIST SP 800-137 (ISCM)Ongoing, not the point-in-time assessment
Vulnerability assessmentFinds and prioritizes weaknesses on a scheduleScan cadence + risk ratingIdentifies flaws; penetration testing exploits them

Decision tree

What does the stem ask?map verb to ownerSIEMaggregate + correlateSOARplaybook responseConfirmed incident?SP 800-61Continuousmonitoring (800-137)Attacker still in?deny access firstContainmentEradicationRecoveryRestore + close = ITIL incident mgmtsee operational-controls-standardsdetect across sourcesautomateincidentongoing awarenessyesyes: containno

Cheat sheet

  • The SOC is the team; the SIEM is its main tool
  • A SIEM aggregates, then correlates; correlation is what detects
  • SOAR acts on alerts; the SIEM only detects them
  • Gate risky SOAR containment behind approval
  • IDS detects, IPS prevents
  • Signature detection misses novel attacks; behavioral catches the unknown
  • A honeypot turns any interaction into a high-confidence alert
  • In the cloud, feed control-plane API logs to the SIEM
  • Run incidents on the four NIST SP 800-61 phases
  • Preparation is the highest-payoff incident-response phase
  • Contain before you eradicate, eradicate before you recover
  • SP 800-61 eradication is narrower than ITIL problem management
  • Post-incident review feeds lessons back into preparation
  • Continuous monitoring keeps the security picture current
  • Ephemeral cloud resources force continuous monitoring over periodic scans
  • A vulnerability assessment finds weaknesses; a pen test exploits them
  • Vulnerability scanning is scoped by shared responsibility
  • Match each operations activity to its NIST standard
  • Detection belongs to security operations; restoring service is the ITIL process
  • Synchronized, centralized logs are the precondition for correlation
  • CVSS base scores must be enriched with environmental and threat context to prioritize
  • A complete asset inventory is the precondition for patch and vulnerability coverage
  • Drive SIEM log selection by use cases and risk, not by ingesting everything
  • CSPM continuously compares cloud config to a baseline and flags drift
  • CSPM assesses configuration posture; CWPP protects workloads at runtime

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-92, Guide to Computer Security Log Management Whitepaper
  2. NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide Whitepaper
  3. NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations Whitepaper