https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools 

Tools for protecting business operations

Previously, you were introduced to several technical skills that security analysts need to develop. You were also introduced to some tools entry-level security analysts may have in their toolkit. In this reading, you’ll learn more about how technical skills and tools help security analysts mitigate risks.

An entry-level analyst’s toolkit

Every organization may provide a different toolkit, depending on its security needs. As a future analyst, it’s important that you are familiar with industry standard tools and can demonstrate your ability to learn how to use similar tools in a potential workplace. 

Security information and event management (SIEM) tools

A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an organization. A log is a record of events that occur within an organization’s systems. Depending on the amount of data you’re working with, it could take hours or days to filter through log data on your own. SIEM tools reduce the amount of data an analyst must review by providing alerts for specific types of threats, risks, and vulnerabilities.

SIEM tools provide a series of dashboards that visually organize data into categories, allowing users to select the data they wish to analyze. Different SIEM tools have different dashboard types that display the information you have access to. 

SIEM tools also come with different hosting options, including on-premise and cloud. Organizations may choose one hosting option over another based on a security team member’s expertise. For example, because a cloud-hosted version tends to be easier to set up, use, and maintain than an on-premise version, a less experienced security team may choose this option for their organization.

Network protocol analyzers (packet sniffers)

A network protocol analyzer, also known as a packet sniffer, is a tool designed to capture and analyze data traffic in a network. This means that the tool keeps a record of all the data that a computer within an organization's network encounters. Later in the program, you’ll have an opportunity to practice using some common network protocol analyzer (packet sniffer) tools. 

Playbooks

A playbook is a manual that provides details about any operational action, such as how to respond to a security incident. Organizations usually have multiple playbooks documenting processes and procedures for their teams to follow. Playbooks vary from one organization to the next, but they all have a similar purpose: To guide analysts through a series of steps to complete specific security-related tasks. 

For example, consider the following scenario: You are working as a security analyst for an incident response firm. You are given a case involving a small medical practice that has suffered a security breach. Your job is to help with the forensic investigation and provide evidence to a cybersecurity insurance company. They will then use your investigative findings to determine whether the medical practice will receive their insurance payout. 

In this scenario, playbooks would outline the specific actions you need to take to conduct the investigation. Playbooks also help ensure that you are following proper protocols and procedures. When working on a forensic case, there are two playbooks you might follow:

• The first type of playbook you might consult is called the chain of custody playbook. Chain of custody is the process of documenting evidence possession and control during an incident lifecycle. As a security analyst involved in a forensic analysis, you will work with the computer data that was breached. You and the forensic team will also need to document who, what, where, and why you have the collected evidence. The evidence is your responsibility while it is in your possession. Evidence must be kept safe and tracked. Every time evidence is moved, it should be reported. This allows all parties involved to know exactly where the evidence is at all times.

• The second playbook your team might use is called the protecting and preserving evidence playbook. Protecting and preserving evidence is the process of properly working with fragile and volatile digital evidence. As a security analyst, understanding what fragile and volatile digital evidence is, along with why there is a procedure, is critical. As you follow this playbook, you will consult the order of volatility, which is a sequence outlining the order of data that must be preserved from first to last. It prioritizes volatile data, which is data that may be lost if the device in question powers off, regardless of the reason. While conducting an investigation, improper management of digital evidence can compromise and alter that evidence. When evidence is improperly managed during an investigation, it can no longer be used. For this reason, the first priority in any investigation is to properly preserve the data. You can preserve the data by making copies and conducting your investigation using those copies.

Key takeaways

In this reading, you learned about a few tools a security analyst may have in their toolkit, depending on where they work. You also explored two important types of playbooks: chain of custody and protecting and preserving evidence. However, these are only two procedures that occur at the beginning of a forensic investigation. If forensic investigations interest you, you are encouraged to further explore this career path or security practice. In the process, you may learn about forensic tools that you want to add to your toolkit. While all of the forensic components that make up an investigation will not be covered in this certificate program, some forensic concepts will be discussed in later courses.

Resources for more information

The Google Cybersecurity Action Team's Threat Horizon Report provides strategic intelligence for dealing with threats to cloud enterprise.

The Cybersecurity & Infrastructure Security Agency (CISA) has a list of Free Cybersecurity Services and Tools. Review the list to learn more about open-source cybersecurity tools.

Here are the key takeaways and summaries from the reading:

1. SIEM Tools
   SIEM (Security Information and Event Management) tools collect and analyze log data to monitor critical activities within an organization. They provide alerts for specific threats, vulnerabilities, and risks, making it easier for security analysts to manage large volumes of data. SIEM tools offer visual dashboards to help organize and filter data for analysis and come with different hosting options, such as on-premise or cloud-based.

2. Network Protocol Analyzers (Packet Sniffers)
   Network protocol analyzers, or packet sniffers, capture and analyze data traffic in a network. These tools track the data encountered by computers within the organization, enabling security professionals to monitor network traffic for potential threats or anomalies.

3. Playbooks
   Playbooks are operational manuals that provide detailed instructions on handling specific security incidents. They help ensure that security professionals follow proper procedures during tasks such as forensic investigations. Two common types of playbooks include:

   • Chain of Custody Playbook: Focuses on documenting the possession and control of evidence throughout an incident.

   • Protecting and Preserving Evidence Playbook: Guides the process of preserving fragile digital evidence, prioritizing volatile data that could be lost if a device powers off.

4. Forensic Investigations
   Forensic investigations involve specific procedures to manage and preserve digital evidence. Playbooks ensure the evidence is handled appropriately and maintained for analysis. Improper evidence handling can compromise investigations, so preserving data is crucial.

5. Resources

   • The Google Cybersecurity Action Team’s Threat Horizon Report provides strategic intelligence on cloud enterprise threats.

   • The Cybersecurity & Infrastructure Security Agency (CISA) offers a list of free cybersecurity tools and services, including open-source options.

This section introduces key tools and concepts for security analysts, with a focus on using SIEM tools, packet sniffers, and playbooks to manage security incidents and forensic investigations.

Glossary terms from module 3

Terms and definitions from Course 1, Module 3

Asset: An item perceived as having value to an organization 

Availability: The idea that data is accessible to those who are authorized to access it

Compliance: The process of adhering to internal standards and external regulations

Confidentiality: The idea that only authorized users can access specific assets or data

Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when setting up systems and security policies

Hacktivist: A person who uses hacking to achieve a political goal

Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law established to protect patients' health information

Integrity: The idea that the data is correct, authentic, and reliable

National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Privacy protection: The act of safeguarding personal information from unauthorized use

Protected health information (PHI): Information that relates to the past, present, or future physical or mental health or condition of an individual

Security architecture: A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats

Security controls: Safeguards designed to reduce specific security risks

Security ethics: Guidelines for making appropriate decisions as a security professional

Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy

Security governance: Practices that help support, define, and direct security efforts of an organization

Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter handling guidelines