This chapter covers
- Differentiating between logging and monitoring, applying our three concepts of cybersecurity
- Working through some real-life security incidents, learning how to apply the observe, orient, decide, and act (OODA) loop and the three concepts to incidents
- The different external intelligence data feeds we can use, how they work, and how they can be both beneficial and detrimental to our security capability
Visibility of security events gives defenders a head start on addressing security incidents and is the difference between reading the news and being on the news. Our security operations capability is the best view we have of how effective our IT (development, spend, and strategy) is, and it feeds into our business strategy by showing us where we should be investing more in technology.
Managing risk is about making informed decisions, and for that, we need actionable data, which is what a good security operations capability should provide. Let’s look at how we achieve this.