
Certified SOC Analyst (CSA)

Course Description

The Certified SOC Analyst (CSA) program is the first step to joining a security operations center (SOC). It is engineered for current and aspiring Tier I and Tier II SOC analysts to achieve proficiency in performing entry-level and intermediate-level operations.

CSA is a training and credentialing program that helps the candidate acquire trending and in-demand technical skills through instruction by some of the most experienced trainers in the industry. The program focuses on creating new career opportunities through extensive, meticulous knowledge with enhanced-level capabilities for dynamically contributing to a SOC team. Being an intense 3-day program, it thoroughly covers the fundamentals of SOC operations before relaying the knowledge of log management and correlation, SIEM deployment, advanced incident detection, and incident response. Additionally, the candidate will learn to manage various SOC processes and collaborate with the CSIRT at the time of need.

NASCIO, representing the Chief Information Officers of the States, revealed in a year-long survey (July 2016 – December 2017) that “since the creation of the SOC, the security division has seen an overall 64 percent decrease in incident response time.”

As the security landscape expands, a SOC team offers high-quality IT-security services to actively detect potential cyber threats/attacks and quickly respond to security incidents. Organizations need skilled SOC Analysts who can serve as the front-line defenders, warning other professionals of emerging and present cyber threats.

The lab-intensive CSA program emphasizes a holistic approach to deliver elementary as well as advanced knowledge of how to identify and validate intrusion attempts. Through this, the candidate will learn to use SIEM solutions and predictive capabilities using threat intelligence. The program also introduces the practical aspects of SIEM using advanced and the most frequently used tools. The candidate will learn to perform enhanced threat detection using the predictive capabilities of Threat Intelligence.

“Nearly 6 in 10 financial service providers own a Security Operations Center (SOC).”
- EY Global Information Security Survey 2018–19

Recent years have witnessed the evolution of cyber risks, creating an unsafe environment for players across sectors. To handle these sophisticated threats, enterprises need advanced cybersecurity solutions along with traditional methods of defense. Practicing good cybersecurity hygiene, implementing an appropriate line of defense, and incorporating a security operations center (SOC) have become reasonable solutions. The team pursues twenty-four-hour and “follow-the-sun” coverage for performing security monitoring, security incident management, vulnerability management, security device management, and network flow monitoring.

A SOC Analyst continuously monitors and detects potential threats, triages the alerts, and appropriately escalates them. Without a SOC analyst, processes such as monitoring, detection, analysis, and triaging lose their effectiveness, ultimately negatively affecting the organization.

Target Audience
- SOC Analysts (Tier I and Tier II)
- Network and Security Administrators, Network and Security Engineers, Network Defense Analysts, Network Defense Technicians, Network Security Specialists, Network Security Operators, and any security professional handling network security operations
- Cybersecurity Analysts
- Entry-level cybersecurity professionals
- Anyone who wants to become a SOC Analyst

Suggested Duration
- 3 days (9 am – 5 pm)
- Minimum of 24 hours

Certification
After the completion of the CSA training, candidates will be ready to attempt the Certified SOC Analyst exam. Upon successful completion of the exam, with a score of at least 70%, the candidate will be entitled to the CSA certificate and membership privileges. Members are expected to adhere to recertification requirements through EC-Council’s Continuing Education Requirements.

Exam Details
The CSA exam is designed to test and validate a candidate’s comprehensive understanding of the job tasks required of a SOC analyst, thereby validating their comprehensive understanding of a complete SOC workflow.

- Exam Title: Certified SOC Analyst
- Exam Code: 312-39
- Number of Questions: 100
- Duration: 3 hours
- Availability: EC-Council Exam Portal (please visit https://www.eccexam.com)
- Test Format: Multiple Choice
- Passing Score: 70%

Exam Eligibility Requirement
The CSA program requires a candidate to have 1 year of work experience in the Network Admin/Security domain and to be able to provide proof of the same, as validated through the application process, unless the candidate attends official training.

8 Critical Components of CSA

1. 100% Compliance to NICE 2.0 Framework
CSA maps 100 percent to the National Initiative for Cybersecurity Education (NICE) framework under the “Protect and Defend (PR)” category for the role of Cyber Defense Analysis (CDA). It is designed as per the real-time job roles and responsibilities of a SOC analyst. The CSA course trains the candidate to use various defensive measures and data collected from multiple sources to identify, analyze, and report events that might occur or are already present in the network, to protect data, systems, and networks from threats.

2. Emphasizes End-to-End SOC Workflow
CSA offers an insightful understanding of the end-to-end SOC workflow. It includes all SOC procedures, technologies, and processes to collect, triage, report, respond to, and document the incident.

3. Learn Incident Detection with SIEM
Training on various use cases of SIEM (Security Information and Event Management) solutions to detect incidents through signature- and anomaly-based detection technologies. Candidates will learn incident detection at different levels: application level, insider level, network level, and host level.

4. Enhanced Incident Detection with Threat Intelligence
CSA covers a module dedicated to rapid incident detection with Threat Intelligence. The module also imparts knowledge on integrating Threat Intelligence feeds into SIEM for enhanced threat detection.

5. Elaborate Understanding of SIEM Deployment
It covers 45 elaborated use cases which are widely used across all SIEM deployments.

6. Promotes Hands-On Learning
CSA, being a practically driven program, offers hands-on experience in incident monitoring, detection, triaging, and analysis. It also covers containment, eradication, recovery, and reporting of security incidents. To that end, there are 80 tools incorporated into the training.

7. Lab Environment Simulates a Real-Time Environment
There are 22 labs in total in the CSA program, which demonstrate processes aligned to the SOC workflow. These include, but are not restricted to, activities such as:
- Modus operandi of different types of attacks at the application, network, and host level, to understand their IOCs
- Working of local and centralized logging concepts, demonstrating how logs are pulled from the different devices on the network to facilitate incident monitoring, detection, and analysis
- Examples of SIEM use case development for detecting application-, network-, and host-level incidents using various SIEM tools
- Triaging of alerts to provide rapid incident detection and response
- Prioritization and escalation of incidents by generating an incident ticket
- The containment of incidents
- The eradication of incidents
- The recovery from incidents
- Creating reports of the incidents

8. Learn More with Additional Reference Material
The CSA program comes with additional reference material, including a list of 291 common and specific use cases for ArcSight, QRadar, LogRhythm, and Splunk SIEM deployments.
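The following is an added example, not part of the EC-Council brochure or the course's own lab material. It illustrates, in Python, the two detection styles named in items 3 and 4 above: a signature-style match of source IPs against a threat-intelligence feed, and a threshold (anomaly-style) brute-force rule that also records whether the failures were followed by a successful login, which is what separates a noisy scan from a probable compromise. A small triage step then assigns a priority and an escalation target. The log lines, the intel feed, the regular expression, the threshold of five failures in five minutes, and the P1/P2/P3 priority scheme are all constructed assumptions for the example, not the course's tools, playbooks or use cases.

```python
# Added example (not EC-Council course material): a toy SIEM-style detection
# over constructed OpenSSH auth log lines, showing signature-based detection
# (threat-intel IOC match) and threshold/anomaly-based detection (brute force),
# followed by a simple, assumed triage step.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel feed of known-bad source IPs (RFC 5737 documentation ranges).
THREAT_INTEL_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed sample log lines in OpenSSH syslog format; not real data.
SAMPLE_LOGS = """\
Mar 10 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 50221 ssh2
Mar 10 10:00:02 web01 sshd[1202]: Failed password for root from 192.0.2.10 port 50222 ssh2
Mar 10 10:00:03 web01 sshd[1203]: Failed password for root from 192.0.2.10 port 50223 ssh2
Mar 10 10:00:04 web01 sshd[1204]: Failed password for root from 192.0.2.10 port 50224 ssh2
Mar 10 10:00:05 web01 sshd[1205]: Failed password for root from 192.0.2.10 port 50225 ssh2
Mar 10 10:00:06 web01 sshd[1206]: Accepted password for root from 192.0.2.10 port 50226 ssh2
Mar 10 10:01:00 web01 sshd[1207]: Accepted publickey for deploy from 203.0.113.45 port 41002 ssh2
Mar 10 10:02:00 web01 sshd[1208]: Failed password for alice from 192.0.2.77 port 40001 ssh2
Mar 10 10:09:00 web01 sshd[1209]: Accepted password for alice from 192.0.2.77 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Normalise raw syslog lines into event dicts; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIEM would count unparsed lines as a parsing-coverage gap
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def ioc_matches(events, intel_ips):
    """Signature-style use case: any event whose source IP is on the threat-intel feed."""
    return [e for e in events if e["ip"] in intel_ips]


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Threshold use case: >= threshold failed logins from one IP inside a sliding window.
    The alert also records whether a successful login followed the failures."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(failures):
            in_window = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(in_window) >= threshold:
                last_fail_ts = in_window[-1]["ts"]
                success = next((e for e in evs if e["result"] == "Accepted"
                                and e["ts"] >= last_fail_ts), None)
                alerts.append({"ip": ip, "host": first["host"], "failures": len(in_window),
                               "then_success": success is not None,
                               "user": success["user"] if success else None})
                break  # one alert per source IP
    return alerts


def triage(events, intel_ips):
    """Assumed (hypothetical) playbook: assign a priority and an escalation target.
    Brute force followed by a success is P1 and goes to Tier II; a threat-intel hit is P2."""
    findings = []
    for a in brute_force_alerts(events):
        prio = "P1" if a["then_success"] else "P3"
        findings.append({"rule": "brute_force", "priority": prio,
                         "escalate_to": "Tier II" if prio == "P1" else None, **a})
    for e in ioc_matches(events, intel_ips):
        findings.append({"rule": "threat_intel_ip", "priority": "P2",
                         "escalate_to": "Tier II", "ip": e["ip"], "host": e["host"],
                         "user": e["user"]})
    return sorted(findings, key=lambda f: f["priority"])


if __name__ == "__main__":
    for finding in triage(parse_auth_log(SAMPLE_LOGS), THREAT_INTEL_IPS):
        print(finding)
```

Run stand-alone, the script raises one P1 finding (five failures from 192.0.2.10 followed by a successful root login) and one P2 finding (the accepted key login from 203.0.113.45, which is on the feed); alice's single failure stays below the threshold and produces nothing. The same two rules expressed in a production SIEM would be a correlation rule with a count-over-time condition and a lookup against an enrichment table, respectively.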

Course Outline
Module 1: Security Operations and Management
Module 2: Understanding Cyber Threats, IoCs, and Attack Methodology
Module 3: Incidents, Events, and Logging
Module 4: Incident Detection with Security Information and Event Management (SIEM)
Module 5: Enhanced Incident Detection with Threat Intelligence
Module 6: Incident Response

Learning Objectives of CSA
»» Gain knowledge of SOC processes, procedures, technologies, and workflows.
»» Gain a basic understanding and in-depth knowledge of security threats, attacks, vulnerabilities, attackers’ behaviors, the cyber kill chain, etc.
»» Be able to recognize attacker tools, tactics, and procedures to identify indicators of compromise (IOCs) that can be utilized during active and future investigations.
»» Be able to monitor and analyze logs and alerts from a variety of different technologies across multiple platforms (IDS/IPS, end-point protection, servers and workstations).
»» Gain knowledge of the Centralized Log Management (CLM) process.
»» Be able to perform security event and log collection, monitoring, and analysis.
»» Gain experience and extensive knowledge of Security Information and Event Management.
»» Gain knowledge of administering SIEM solutions (Splunk/AlienVault/OSSIM/ELK).
»» Understand the architecture, implementation and fine tuning of SIEM solutions (Splunk/AlienVault/OSSIM/ELK).
»» Gain hands-on experience of the SIEM use case development process.
»» Be able to develop threat cases (correlation rules), create reports, etc.
»» Learn use cases that are widely used across SIEM deployments.
»» Plan, organize, and perform threat monitoring and analysis in the enterprise.
»» Be able to monitor emerging threat patterns and perform security threat analysis.
»» Gain hands-on experience of the alert triaging process.
»» Be able to escalate incidents to appropriate teams for additional assistance.
»» Be able to use a Service Desk ticketing system.
»» Be able to prepare briefings and reports of analysis methodology and results.
»» Gain knowledge of integrating threat intelligence into SIEM for enhanced incident detection and response.
»» Be able to make use of varied, disparate, constantly changing threat information.
»» Gain knowledge of the Incident Response process.
»» Gain an understanding of SOC and IRT collaboration for better incident response.

Testimonials:

“I strongly feel that this program provides necessary skills for a SOC Analyst job role at level L1 and L2. I also believe this program will help us in upskilling our SOC team. This course certainly benefits Network Security Admins/other Network Sec job roles and equips them with the knowledge to become a SOC Analyst. The program provides an in-depth training of SOC skills and tools and is also beneficial to all aspects of a security program (GRC, IAM), and people in help desk and networking teams.”
- Dan Bowden, CISO, Sentara Healthcare, USA

“This program provides the necessary academic background and the necessary skill set for a SOC Analyst job role at level L1 and L2. A virtual environment with various scenarios with playbook and runbook examples further enhances practical skills. The program will benefit our SOC team and act as valuable reference material. According to me, the major strength of this program is the academic research conducted behind the creation of this program. The Digital Forensic team, Resilience, Incident Response and Threat Intelligence teams can also greatly benefit from this program.”
- Dawie Wentzel, Head of Cyber Forensics, Absa Group, South Africa

“I see this as the first structured programme devoted to the skills required for a SOC Analyst with specific focus on the job requirements. This is a well designed course and would benefit the SOC professionals/aspirants in acquiring the overall understanding of the skills required. As a subset of the skills required in the SOC Analyst job, this program will also benefit other Network Security related job roles.”
- Prabir Panda, Enterprise Architect Security, Election Commission of India

“I see this program as a logical step an Analyst could use to progress to the next/a higher level certification, or open the opportunity to move laterally to new certifications. A major strength I see is the program covers all areas/skills for individuals in sufficient depth to successfully operate as SOC Analysts, and/or use the program as a launchpad to develop as a security professional. I am confident that this program will provide the skill set necessary for L1/L2 SOC Analysts.”
- Miki Calero, Founder, Urbis Global LLC (Ex-US Army)

EC-Council
