Term	Definition
	What is a SOC
CERT	Computer Emergency Response Team
CIRC	Computer Incident Response Center (or Capability)
CIRT	Computer Incident Response Team
CND	computer network defense
Constituency	A bounded set of users, sites, IT assets, networks, and organizations which are served by a SOC
CSIRC	Computer Security Incident Response Center (or Capability)
CSIRT	Computer Security Incident Response Team
CSOC	Cybersecurity Operations Center
Incident	an assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies.
SIEM	Security Information and Event Management
SOC	Security Operations Center A SOC is a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents. Must Provide: 1. means to report suspected incidents 2. incident handling assistance 3. Share incident information to constituents and external parties
Tier 1	real-time monitoring, fielding phone calls
Tier 2	in-depth analysis

	Mission and Operations
CIO	Chief Information Officer
CISO	Chief Information Security Officer
Event	May be simply benign or can spawn an incident
Forensic analysis	determine the nature of the attack using artifacts such as hard drive images or full-session packet capture (PCAP), or malware reverse engineering on malware samples collected in support of an incident
HIPS	Host intrusion prevention system
IDS	Intrusion Detection System
IPS	Intrusion Prevention System
ISCM	Information Security Continuous Monitoring responsible for incident detection and response
ISSO	Usually involved with IT compliance and ensuring the security of specific systems
NIPS	Network intrusion prevention system
NOC	Network Operations Center
PSM	Physical security monitoring (e.g., “gates, guards, and guns”)
COTS	Commercial Off-The-Shelf
FOSS	Free or Open Source Software
	Characteristics
Characteristics of the SOC	1. Organizational relationship 2. Distribution of resources 3. Authority
Coordinating SOC	SOC mediates and facilitates CND activities between mul- tiple subordinate distinct SOCs.
Internal centralized SOC	A dedicated team of IT and cybersecurity professionals reports to a SOC manager who is responsible for overseeing the CND program.
Internal distributed SOC	One person or a small group is responsible for coordinating security operations, but the heavy lifting is carried out by individuals who are matrixed in from other organizations
MSSP	Managed security service providers (External SOC)
Security team	No dedicated team, resources are gathered (usually from within the constituency) to deal with the problem, reconstitute systems, and then stand down.

	Organizational Model

	Authority
No authority	A SOC can suggest or influence
Shared authority	Make recommendations, giving the SOC a vote but not the final say.
Full authority	SOC can direct, without seek- ing or waiting for the approval or support (is never absolute)
Reactive	Incident is either suspected or con- firmed. Actions are usually more tactical in nature—they are temporary
Proactive	Preemption of a perceived threat, before direct evi- dence of an incident is uncovered. These actions are more strategic

	Capabilities
Real-Time Analysis	Call Center, monitoring
Intel and Trending	Trending, Analysis, Response
Artifact Analysis	Artifact Handling, Malware Analysis,
SOC Tool Life-Cycle Support	Border Protection Device, Sensor Tuning, Tool Research
Audit and Insider Threat	Audit Data, Insider Threat Support and Investigation, Network Mapping, Vulnerability Scanning, Penetration Testing
Outreach	Product Assessment, Security Consulting, Training and Awareness, Media Relations

	Situational Awareness
SA	Situational Awareness Perception of the elements of the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future. (Aviation example) 1. Information: Sensor data, cyber intel, news, product vulnerabilities 2. Interpreting and processing 3. Depicting information visually

	Network
Network	assets, topology, applications, vulnerability of hosts and applications from network

	Mission

	Threat
Adversaries’	1. Capability, including skill level and resources 2. Intent and motivation 3. Probability of attack 4. access (legitimate or otherwise) 5. Impact 6. Actions: past present and projected

	Incident Tip-offs
Cyber attack life cycle	1. Recon - identifies and investi- gates targets 2. Weaponize - tools are pack- aged for delivery and execution 3. Deliver - attack tools are delivered 4. Exploit - initial attack 5. Control - direct the victim system 6. Execute - fulfilling his mission 7. Maintain - Long-term access

	Tools and Data Quality

	From Tip-offs to Ground Truth
False positives	a positive indicator is incorrect

	Detection
Intrusion detection approaches	1. Signature-based detection – has a priori knowledge of how to characterize malicious behavior 2. Anomaly detection - what normal or benign behavior looks like and alerts whenever it observes something that falls outside

	Data Quantity
Too much data	1. Signal is lost in the noise 2. Systems cannot handle the data load

	Agility (2.8)
Lack of Agility of SOC	The lack of speed and freedom of the SOC may undermine the SOC’s ability to spot and repel attacks.
APT	Advanced Persistent Threat
TTP	Tactics, Techniques, and Procedures
OODA Loop	observe–orient–decide–act If they can process this cycle quickly, observing and reacting to unfolding events more rapidly than an opponent can thereby "get inside" the opponent's decision cycle and gain the advantage.