Tooling – defend to respond
The agile security operations process strongly influences the tools that are deployed and how they are deployed. In this section, I will briefly discuss some of the tooling for passive and active defense.
Passive defense
Passive defense tooling covers both the defenses that block attackers, such as access control, firewalls, and system hardening, and the tooling that organizations deploy to detect that an attack has occurred and to analyze it. Similarly, if you wish to contain incidents, you will need passive defense tools.
The SOC nuclear triad
The security researcher Anton Chuvakin maintains that a nuclear triad of SOC tooling exists, consisting of Security Incident Event Monitoring (which, in this model, would include logging), Enterprise Detection and Response, and a capability for network detection and forensics. This is still a good model to go on: https://blogs.gartner.com/anton-chuvakin/2015/08/04/your-soc-nuclear-triad...