Opening Framing: From Theory to Practice
You've learned how systems work, how networks communicate, and how attacks unfold. Now you step into the defender's seat. Security Operations is where all that knowledge becomes action—where you watch for threats in real-time and respond when they appear.
Think of a Security Operations Center (SOC) as mission control for cybersecurity. Analysts monitor dashboards, investigate alerts, coordinate responses, and hunt for threats that automated tools miss. It's demanding, fast-paced work that requires both technical skill and clear thinking under pressure.
This course transforms you from someone who understands security to someone who practices it daily. By the end, you'll have the skills to work as a SOC analyst—one of the most in-demand roles in cybersecurity.
Key insight: Security operations isn't about preventing every attack—that's impossible. It's about detecting threats quickly, responding effectively, and continuously improving defenses.
1) What is Security Operations?
Security Operations encompasses all activities involved in defending an organization in real-time:
Security Operations Functions:
Monitoring:
- Watch for suspicious activity 24/7
- Review alerts from security tools
- Track security metrics and trends
Detection:
- Identify potential threats
- Distinguish real attacks from false positives
- Recognize attack patterns and indicators
Response:
- Contain active threats
- Investigate incidents
- Coordinate remediation efforts
Improvement:
- Learn from incidents
- Tune detection rules
- Close security gaps
The Security Operations Cycle:
  ┌────────┐    ┌────────┐    ┌────────┐    ┌────────┐
  │Monitor │───>│ Detect │───>│Respond │───>│Improve │
  └────────┘    └────────┘    └────────┘    └────────┘
       ▲                                         │
       └─────────────────────────────────────────┘
This cycle runs continuously, 24/7/365
Why Security Operations Matters:
Without SecOps:
- Attacks go undetected for months
- Small incidents become major breaches
- No coordinated response capability
- Lessons never learned, mistakes repeated
With mature SecOps:
- Threats detected in minutes/hours
- Rapid containment limits damage
- Coordinated, effective response
- Continuous improvement over time
Industry statistics:
- Average time to detect breach without SOC: 287 days
- Average time with mature SOC: under 24 hours
- Cost difference: millions of dollars
Key insight: Security tools alone don't protect organizations—skilled people operating those tools do. Technology enables detection; humans provide judgment.
2) The Security Operations Center (SOC)
The SOC is the organizational hub for security operations:
SOC Components:
People:
- Analysts (Tier 1, 2, 3)
- Incident responders
- Threat hunters
- SOC manager
- Threat intelligence analysts
Process:
- Alert triage procedures
- Incident response playbooks
- Escalation procedures
- Communication protocols
- Shift handoff procedures
Technology:
- SIEM (Security Information and Event Management)
- EDR (Endpoint Detection and Response)
- SOAR (Security Orchestration, Automation, and Response)
- Threat intelligence platforms
- Ticketing systems
SOC Analyst Tiers:
Tier 1 - Alert Analyst:
- First responder for alerts
- Initial triage and classification
- Follow documented procedures
- Escalate complex issues
- High volume, fast decisions
Tier 2 - Incident Responder:
- Deep investigation of escalated alerts
- Incident containment and remediation
- Malware analysis (basic)
- Develops detection rules
- Mentors Tier 1 analysts
Tier 3 - Threat Hunter / Senior Analyst:
- Proactive threat hunting
- Advanced malware analysis
- Detection engineering
- Incident response leadership
- Process improvement
Career progression:
Tier 1 (6-12 months) → Tier 2 (1-2 years) → Tier 3 (2+ years)
Specialization paths that branch from this track:
- Threat Intel
- Incident Response
- Detection Engineering
- SOC Management
SOC Models:
Internal SOC:
- Fully staffed by organization
- Complete control and visibility
- High cost (24/7 staffing expensive)
- Best for large enterprises
Managed SOC (MSSP):
- Outsourced to security provider
- Lower cost, faster deployment
- Less organizational context
- Good for mid-size organizations
Hybrid SOC:
- Internal team + managed services
- Balance of control and cost
- Follow-the-sun coverage
- Common model for many organizations
Virtual SOC:
- Remote/distributed team
- Cloud-based tools
- Flexible staffing
- Growing post-pandemic
Key insight: The SOC model matters less than its effectiveness. A well-run small SOC beats a poorly managed large one.
3) Security Data Sources
SOC analysts work with data from across the organization:
Network Data:
- Firewall logs (allowed/denied connections)
- IDS/IPS alerts (detected attacks)
- NetFlow (connection metadata)
- DNS logs (domain queries)
- Proxy logs (web access)
- Packet captures (full traffic)
Endpoint Data:
- Windows Event Logs (authentication, process, etc.)
- Sysmon (detailed system activity)
- EDR telemetry (process, file, network activity)
- Antivirus logs (detections, quarantine)
- Application logs
Identity Data:
- Active Directory logs (authentication, changes)
- VPN logs (remote access)
- SSO/MFA logs (authentication events)
- Privileged access logs
Cloud Data:
- Cloud provider logs (AWS CloudTrail, Azure Activity)
- SaaS application logs (O365, Google Workspace)
- Container/Kubernetes logs
- Serverless function logs
Application Data:
- Web server logs (access, errors)
- Database logs (queries, authentication)
- Custom application logs
Log Volume Reality:
Typical enterprise generates:
- Firewall: 10-100 million events/day
- Windows events: 1-10 million events/day per DC
- DNS: 50-500 million queries/day
- Proxy: 10-100 million requests/day
Total: Billions of events per day
Challenge: Find the 10-100 that matter
This is why we need:
- Aggregation (collect in one place)
- Normalization (common format)
- Correlation (connect related events)
- Alerting (surface important events)
- Retention (keep for investigation)
Key insight: More data isn't always better. The skill is knowing which data sources matter for which threats, and how to find signals in the noise.
4) The Detection Pyramid
Not all indicators are equal. The Pyramid of Pain shows why:
                    /\
                   /  \
                  /TTPs\                Tactics, Techniques, Procedures: how attackers operate
                 /------\               Hardest to change; most valuable detection
                /  Tools \              Attacker must switch tools
               /----------\
              /Network/Host\            Registry keys, file paths
             /  Artifacts   \           Useful but changeable
            /----------------\
           /   Domain Names   \         Attacker registers a new domain
          /--------------------\
         /     IP Addresses     \       Easy for attackers to change
        /------------------------\
       /       Hash Values        \     Trivial to change
      /----------------------------\
Bottom of pyramid:
- Easy to detect
- Easy for attacker to change
- Low long-term value
Top of pyramid:
- Hard to detect
- Hard for attacker to change
- High long-term value
Detection Examples by Level:
Hash Values (trivial):
- Block known malware hash
- Attacker recompiles, new hash
- Detection value: hours
IP Addresses (easy):
- Block known C2 IP
- Attacker switches servers
- Detection value: days
Domain Names (simple):
- Block malicious domain
- Attacker registers new domain
- Detection value: days-weeks
Artifacts (annoying):
- Detect specific registry key
- Attacker modifies tool
- Detection value: weeks-months
Tools (challenging):
- Detect Mimikatz behavior
- Attacker uses different tool
- Detection value: months
TTPs (tough):
- Detect credential dumping technique
- Attacker must change approach
- Detection value: long-term
Detection Strategy:
Layered approach:
1. Use IOCs (hashes, IPs, domains) for known threats
- Fast to implement
- Catches commodity attacks
- Low false positives
2. Use behavioral rules for techniques
- More complex to build
- Catches novel attacks
- May have false positives
3. Hunt for TTPs manually
- Most resource intensive
- Catches advanced threats
- Requires skilled analysts
Balance depends on:
- Team maturity
- Threat landscape
- Available resources
Key insight: Investing in behavioral detection (TTPs) provides lasting value. Hash-based detection is necessary but insufficient.
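The layered strategy above, as an added teaching example (not course material or any product's code): a hash IOC rule and a behavioral rule run over the same constructed process-access events, showing why the recompiled tool slips past the hash but not the technique. Event fields, paths and hashes are assumptions, loosely modelled on Sysmon/EDR process-access telemetry.

```python
"""Pyramid of Pain in code: a hash IOC rule beside a behavioral rule.

Added teaching example, not from the course or any product. Events are
constructed and only loosely modelled on process-access telemetry (the kind
Sysmon or an EDR emits); field names, paths and hashes are assumptions.
"""
from dataclasses import dataclass

# Bottom of the pyramid: the SHA-256 of one known credential-dumping build.
KNOWN_BAD_SHA256 = {"3f9a1c6e2b8d4f7a9c0e1b2d3f4a5c6e7d8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b"}  # constructed

# Top of the pyramid: reading another process's memory requires PROCESS_VM_READ
# (0x0010) on the handle, whichever tool asks for it.
PROCESS_VM_READ = 0x0010
# Constructed allow-list of processes that legitimately open LSASS here;
# a real deployment derives this from a baseline of its own telemetry.
ALLOWED_SOURCES = {r"c:\windows\system32\wininit.exe", r"c:\windows\system32\csrss.exe"}


@dataclass(frozen=True)
class ProcessAccess:
    source_image: str    # process opening the handle
    source_sha256: str   # hash of that binary
    target_image: str    # process being opened
    granted_access: int  # access mask granted on the handle

def hash_ioc_rule(ev: ProcessAccess) -> bool:
    """Fires only on an exact known hash; a recompile defeats it (value: hours)."""
    return ev.source_sha256.lower() in KNOWN_BAD_SHA256

def lsass_read_rule(ev: ProcessAccess) -> bool:
    """Fires on the technique: a non-allow-listed process reading LSASS memory."""
    return (
        ev.target_image.lower().endswith(r"\lsass.exe")
        and bool(ev.granted_access & PROCESS_VM_READ)
        and ev.source_image.lower() not in ALLOWED_SOURCES
    )

RULES = {"hash_ioc": hash_ioc_rule, "lsass_read": lsass_read_rule}

def evaluate(events):
    """Map each event's source image to the names of the rules that fired on it."""
    return {ev.source_image: [name for name, rule in RULES.items() if rule(ev)] for ev in events}


LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [  # constructed
    # Known build: both rules fire.
    ProcessAccess(r"C:\Users\bob\Downloads\dumper.exe", "3f9a1c6e2b8d4f7a9c0e1b2d3f4a5c6e7d8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b", LSASS, 0x1010),
    # Same tool recompiled and renamed: the hash IOC misses, the behavioral rule still fires.
    ProcessAccess(r"C:\Temp\svchost_update.exe", "a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1", LSASS, 0x1410),
    # Allow-listed system process opening LSASS: suppressed.
    ProcessAccess(r"C:\Windows\System32\wininit.exe", "1" * 64, LSASS, 0x1FFFFF),
    # Unrelated process opening notepad: nothing fires.
    ProcessAccess(r"C:\Program Files\Editor\editor.exe", "2" * 64, r"C:\Windows\notepad.exe", 0x1010),
]

if __name__ == "__main__":
    for image, fired in evaluate(SAMPLE_EVENTS).items():
        print(f"{image}: {fired or 'no alert'}")
```

The allow-list is where the false positives the Detection Strategy list warns about get tuned away; the hash rule needs no tuning but also stops working the moment the binary changes.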
5) Day in the Life of a SOC Analyst
What does SOC work actually look like?
Shift Start (Example: 7:00 AM):
- Review shift handoff notes
- Check overnight incidents
- Review open tickets
- Scan threat intel feeds
- Check dashboard for anomalies
Morning:
- Triage incoming alerts (queue of 50-200)
- Investigate suspicious alerts
- Escalate confirmed incidents
- Document findings in tickets
- Tune noisy rules
Afternoon:
- Continue alert triage
- Deep dive on escalated incidents
- Attend team standup
- Review new threat intel
- Work on detection improvements
Shift End:
- Clear or escalate remaining alerts
- Update tickets with status
- Prepare handoff notes
- Brief incoming analyst
Alert Triage Reality:
Typical alert breakdown:
- True Positive: 5-10% (real threats)
- Benign True Positive: 10-20% (real but authorized)
- False Positive: 70-85% (incorrect alerts)
Analyst goal:
Find the 5-10% that matter among hundreds of alerts
Time per alert:
- Quick triage: 1-2 minutes
- Initial investigation: 5-15 minutes
- Deep investigation: 30-60+ minutes
Volume:
- Tier 1 might handle 50-100 alerts per shift
- Quality matters more than quantity
Common Challenges:
Alert fatigue:
- Too many alerts, most false positives
- Important alerts get missed
- Solution: Better tuning, prioritization
Context switching:
- Constantly jumping between alerts
- Hard to focus on deep investigation
- Solution: Dedicated investigation time
Tool sprawl:
- Multiple consoles to check
- Data in different formats
- Solution: SIEM/SOAR integration
Knowledge gaps:
- New attack techniques emerge
- Environment constantly changing
- Solution: Continuous learning, documentation
Key insight: SOC work is mentally demanding. Success requires both technical skill and the discipline to follow process even when tired or overwhelmed.
Real-World Context: SOC in Action
Security operations responds to real threats daily:
Ransomware Response: When ransomware hits, the SOC coordinates the response—identifying patient zero, determining scope, containing spread, and supporting recovery. Speed matters: every minute of delay means more systems encrypted.
Phishing Campaigns: Users report suspicious emails. The SOC analyzes them, identifies malicious links or attachments, searches for other recipients, and blocks the threat across the organization—often within minutes of the first report.
Active Intrusion: An alert fires showing suspicious PowerShell activity. The SOC investigates, finds evidence of an attacker moving laterally, and coordinates with IT to isolate affected systems while preserving evidence.
MITRE ATT&CK Relevance:
- All Tactics: SOC must detect across the full attack lifecycle
- D3FEND: Defensive techniques mapped to ATT&CK
- Detection Coverage: Measure which techniques you can detect
Key insight: SOC analysts are the human element in defense. Automated tools detect patterns; analysts provide judgment and coordination that tools cannot.
Guided Lab: Exploring Security Data
Let's explore the types of security data a SOC analyst works with.
Step 1: Examine Windows Security Logs
# On Windows, open Event Viewer
eventvwr.msc
# Navigate to:
# Windows Logs → Security
# Key Event IDs to know:
# 4624 - Successful logon
# 4625 - Failed logon
# 4648 - Explicit credential logon
# 4672 - Special privileges assigned
# 4688 - Process creation
# 4720 - User account created
# 4732 - Member added to security group
# Find a 4624 event and examine:
# - Account Name
# - Logon Type (2=interactive, 3=network, 10=remote)
# - Source IP address
Step 2: Examine Linux Auth Logs
# On Debian/Ubuntu (the log is root/adm readable, so use sudo)
sudo tail -n 50 /var/log/auth.log
# Or on Red Hat/CentOS
sudo tail -n 50 /var/log/secure
# Look for:
# - SSH login attempts
# - sudo usage
# - Failed authentications
# Extract failed SSH attempts
sudo grep "Failed password" /var/log/auth.log
# Extract successful logins
sudo grep "Accepted" /var/log/auth.log
Step 3: Examine Firewall Logs
# If UFW is enabled with logging on
sudo tail -n 30 /var/log/ufw.log
# Look for:
# - Blocked connections (what's being denied?)
# - Source IPs (who's trying to connect?)
# - Destination ports (what services are targeted?)
# Count blocked connections by source IP
sudo grep "BLOCK" /var/log/ufw.log | \
  grep -oE "SRC=[0-9.]+" | sort | uniq -c | sort -rn | head
Step 4: Examine Web Server Logs
# Apache access log
sudo tail -n 30 /var/log/apache2/access.log
# Nginx access log
sudo tail -n 30 /var/log/nginx/access.log
# Log format (Common Log Format):
# IP - - [timestamp] "METHOD /path HTTP/1.1" status size
# Find 404 errors (reconnaissance?)
sudo grep '" 404 ' /var/log/apache2/access.log
# Find POST requests (potential attacks?)
sudo grep '"POST ' /var/log/apache2/access.log
Step 5: Correlate Events
# Scenario: Investigate a suspicious IP
# -F matches the IP as a literal string (an unescaped . would match any character)
# 1. Check if IP hit the web server
sudo grep -F "192.168.1.100" /var/log/apache2/access.log
# 2. Check if IP was blocked by firewall
sudo grep -F "192.168.1.100" /var/log/ufw.log
# 3. Check if IP authenticated
sudo grep -F "192.168.1.100" /var/log/auth.log
# This manual correlation is what SIEM automates!
Step 6: Reflection (mandatory)
- What security-relevant information did you find in each log type?
- How would you detect a brute force attack using these logs?
- Why is correlating data across sources important?
- What challenges would you face doing this manually at scale?
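The aggregation, normalization and correlation steps from the Security Data Sources section, and the brute-force and cross-source questions above, worked as one added example (not part of the course material): three log sources are parsed into one event schema, failed SSH logins are counted per IP, and everything one IP did is pulled from all sources in a single call. The log lines are constructed (RFC 5737 documentation addresses); the regexes target the Debian sshd, UFW and Apache Common Log Format lines the guided lab greps through.

```python
"""Normalize three log sources into one event shape, then detect SSH brute
force and pull everything one IP did across sources (the lab's Step 5 by hand).

Added teaching example, not part of the course material. Log lines are
constructed; regexes target Debian sshd, UFW and Apache Common Log Format.
"""
import re
from collections import Counter, defaultdict

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
AUTH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from " + IPV4)
UFW_RE = re.compile(r"\[UFW BLOCK\].*?SRC=" + IPV4 + r".*?DPT=(\d+)")
CLF_RE = re.compile(r"^" + IPV4 + r' \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')

def parse_line(source, line):
    """Return a normalized event {source, ip, action, detail}, or None if the line is irrelevant."""
    if source == "auth" and (m := AUTH_RE.search(line)):
        action = "ssh_fail" if m.group(1) == "Failed" else "ssh_success"
        return {"source": source, "ip": m.group(3), "action": action, "detail": m.group(2)}
    if source == "ufw" and (m := UFW_RE.search(line)):
        return {"source": source, "ip": m.group(1), "action": "fw_block", "detail": "dpt=" + m.group(2)}
    if source == "apache" and (m := CLF_RE.match(line)):
        return {"source": source, "ip": m.group(1), "action": "http_" + m.group(4), "detail": f"{m.group(2)} {m.group(3)}"}
    return None  # sudo, cron and other lines this example does not model

def normalize(logs):
    """logs: {source_name: [raw lines]} -> flat list of events in one common schema."""
    return [ev for src, lines in logs.items() for ln in lines if (ev := parse_line(src, ln)) is not None]

def ssh_bruteforce(events, threshold=5):
    """IPs with at least `threshold` failed SSH logins, mapped to whether that IP also succeeded."""
    fails = Counter(e["ip"] for e in events if e["action"] == "ssh_fail")
    succeeded = {e["ip"] for e in events if e["action"] == "ssh_success"}
    return {ip: ip in succeeded for ip, n in fails.items() if n >= threshold}

def correlate(events, ip):
    """Everything one IP did, grouped by source: the three greps of Step 5 in one call."""
    hits = defaultdict(list)
    for e in events:
        if e["ip"] == ip:
            hits[e["source"]].append(f"{e['action']} {e['detail']}")
    return dict(hits)


SAMPLE_LOGS = {  # constructed
    "ufw": ["Mar  3 10:11:50 web01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.20 PROTO=TCP SPT=51200 DPT=23"],
    "apache": ['203.0.113.45 - - [03/Mar/2024:10:11:55 +0000] "GET /wp-login.php HTTP/1.1" 404 512',
               '198.51.100.7 - - [03/Mar/2024:10:12:10 +0000] "GET /index.html HTTP/1.1" 200 3401'],
    "auth": [f"Mar  3 10:12:0{i} web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 5123{i} ssh2"
             for i in range(5)]
            + ["Mar  3 10:12:40 web01 sshd[2210]: Accepted password for deploy from 203.0.113.45 port 51300 ssh2",
               "Mar  3 10:13:00 web01 sshd[2215]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
               "Mar  3 10:13:05 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl status sshd"],
}

if __name__ == "__main__":
    events = normalize(SAMPLE_LOGS)
    print("brute force (ip -> also logged in?):", ssh_bruteforce(events))
    print("203.0.113.45 across sources:", correlate(events, "203.0.113.45"))
```

A failure burst followed by a success from the same IP is the pattern worth escalating; the same IP also appearing in the firewall and web logs is the context a SIEM adds automatically.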
Week 1 Outcome Check
By the end of this week, you should be able to:
- Explain what security operations is and why it matters
- Describe the structure and functions of a SOC
- Identify key security data sources
- Understand the Pyramid of Pain and detection value
- Describe a typical day in SOC operations
- Navigate basic security logs on Windows and Linux
Next week: SOC Fundamentals and Frameworks—understanding the structures and processes that make SOCs effective.
📚 Building on Prior Knowledge
SOC work builds on foundations from Year 1:
- CSY102 (Operating Systems): Process, service, and log fundamentals power triage.
- CSY104 (Networking): Protocol behavior and ports explain alert context.
- CSY101 Week 01 (Risk + Ethics): Incident handling requires clear risk framing and professional conduct.
🎯 Hands-On Labs (Free & Essential)
Get hands-on with SOC workflows before moving to reading resources.
🎮 TryHackMe: Intro to SOC
What you'll do: Walk through SOC concepts, alert triage, and analyst roles.
Why it matters: This is the real-world context for everything in CSY201.
Time estimate: 1-1.5 hours
🎮 TryHackMe: Security Operations
What you'll do: Explore SOC tooling, detection concepts, and response basics.
Why it matters: Builds the vocabulary and practical mindset for SOC work.
Time estimate: 1.5-2 hours
🏁 PicoCTF Practice: Forensics (SOC Basics)
What you'll do: Solve beginner forensics challenges to build investigation habits.
Why it matters: SOC analysts rely on evidence and artifact review.
Time estimate: 1-2 hours
💡 Lab Tip: Pay attention to alert noise vs signal. Learning triage is the fastest SOC skill boost.
🛡️ Advanced OS Security: Kernel Trust Boundaries
SOC work depends on understanding where attackers cross trust boundaries. The most important boundary is the kernel: once it is compromised, everything above it can be subverted.
Kernel defense layers:
- Privilege rings (ring 0 vs ring 3)
- System call filtering (seccomp / syscall policies)
- Kernel module signing and driver attestation
- Memory protections (NX/DEP, SMEP/SMAP)
📚 Building on CSY102: OS architecture fundamentals + CSY101 Week-13 threat modeling of the OS attack surface.
Resources
Complete the required resources to build your foundation.
- SANS - Building a Security Operations Center · 45-60 min · 50 XP · Resource ID: csy201_w1_r1 (Required)
- MITRE ATT&CK Getting Started · 30-45 min · 50 XP · Resource ID: csy201_w1_r2 (Required)
- The Pyramid of Pain (Original Blog Post) · 15-20 min · 25 XP · Resource ID: csy201_w1_r3 (Optional)
Lab: Security Log Analysis
Goal: Analyze security logs to identify suspicious activity and practice the investigative mindset of a SOC analyst.
Part 1: Windows Event Log Analysis
- On a Windows system, export Security logs for the past 24 hours
- Find and document:
- All successful logons (4624) - who logged in?
- Any failed logons (4625) - potential brute force?
- Any new accounts created (4720)
- Any privilege escalation events (4672)
- Create a timeline of authentication activity
Part 2: Linux Log Analysis
- On a Linux system, analyze auth.log or secure log
- Find and document:
- All SSH login attempts (successful and failed)
- All sudo commands executed
- Any suspicious patterns
- Identify the top 5 source IPs attempting access
Part 3: Investigation Scenario
You receive a report that a user account may be compromised.
- What logs would you check first?
- What would you look for in each log?
- How would you determine if the account is compromised?
- Document your investigation plan
Deliverable (submit):
- Windows event log summary with key findings
- Linux log summary with key findings
- Investigation plan for the compromised account scenario
- One paragraph: What did this exercise teach you about log analysis?
Checkpoint Questions
- What are the four main functions of security operations?
- What is the difference between Tier 1, Tier 2, and Tier 3 SOC analysts?
- What is the Pyramid of Pain and why does it matter for detection?
- What Windows Event ID indicates a successful logon?
- Why is behavioral detection more valuable than hash-based detection?
- What percentage of alerts are typically false positives in a SOC?
Week 01 Quiz
Test your understanding of security operations, SOC roles, and detection fundamentals.
Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.
Weekly Reflection
Reflection Prompt (200-300 words):
This week introduced you to security operations—the practice of defending organizations in real-time. You learned about SOC structure, data sources, and what analysts actually do day-to-day.
Reflect on these questions:
- How does the SOC analyst role differ from what you imagined before this course? What surprised you?
- The Pyramid of Pain suggests investing in behavioral detection. Why do many organizations still rely heavily on hash-based detection?
- Consider the challenge of alert fatigue. How would you stay effective when most alerts are false positives?
- Which aspect of SOC work appeals to you most? Which concerns you?
A strong reflection will honestly assess your interest in SOC work and identify areas you want to develop further.
Verified Resources & Videos
- SOC Overview: CrowdStrike - What is a SOC?
- Windows Event IDs: Windows Security Log Encyclopedia
- MITRE ATT&CK: MITRE ATT&CK Framework
Security operations is where cybersecurity becomes real. The skills you build in this course—monitoring, detection, investigation, response—are immediately applicable to SOC analyst roles. Next week: the frameworks and processes that make SOCs effective.