11 Strategies of a World-Class Cybersecurity Operations Center Kathryn Knerler, Ingrid Parker, Carson Zimmerman©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Produced in conjunction with MITRE Strategic Communications Print ISBN: 979-8-9856450-4-0 eBook ISBN: 979-8-9856450-7-1 The views, opinions, and/or findings contained in this book are those of The MITRE Corporation and should not be construed as an official government position, policy, or decision, unless designated by other documentation. This book discusses observations and ideas, and The MITRE Corporation expressly disclaims any warranty of any kind. Although products are discussed in this book, nothing in this book should be construed as an endorsement of any kind. Any materials used are intended as available examples and sources, and references do not construe recommendations for purchase or use of any associated products and services. The trademarks used herein belong to their respective holders. Approved for public release, distribution unlimited. Case Number 21-3946. The MITRE Corporation 202 Burlington Road ● Bedford, MA 01730-1420 7515 Colshire Drive ● McLean, VA 22102-7539 www.mitre.org Send feedback or question on this book to: media@mitre.org About the Authors | vAbout MITRE Protecting the digital enterprise against sophisticated cyber adversaries requires strategy, timely information, and 24/7 vigilance. As a not-for-profit company pioneering in the public interest, MITRE works in partnership with an innovation ecosystem of government, private sector, and academia to secure cyber systems. In our 60+ years of catalyzing change through partnership, we never lose sight of the human factor behind every complex system and innovative solution. MITRE draws from a wealth of deep technical expertise to address the ever-evolving challenges in cybersecurity. Why? We know that working in partnership to protect organizations is crucial to national security, critical infrastructure, economic stability, and personal privacy. The guidance we share with the cybersecurity community continues to advance the field’s science and practice. Operating without commercial conflicts of interest, we’re working to arm a worldwide community of cyber defenders with vital information to thwart network intruders. As part of our cybersecurity research in the public interest, MITRE has a long history of developing standards and tools used by the broad cybersecurity community, such as STIX™, TAXII™, and CVE®. Our MITRE ATT&CK® framework, which provides a free online knowledge base of cyber adversary behavior, is used worldwide. Our expert staff continues to partner and collaborate on many cybersecurity resources and innovations. The 11 Strategies of a World-Class Cybersecurity Operations Center is a practical guide to enhancing digital defense for SOC operators—and an embodiment of MITRE’s mission of solving problems for a safer world. About the Authors This book was a fully collaborative effort among the three primary authors. The order of names on the front is alphabetical and does not reflect a difference in level of contribution. Carson Zimmerman was the author of the first edition of this book, Ten Strategies of a World-Class Cybersecurity Operations Center. Throughout both versions of the book, many additional colleagues contributed their time, expertise, and advice. Please see the acknowledgements for the full list of those names.vi | 11 Strategies of a World-Class Cybersecurity Operations Center Kathryn Knerler Kathryn has decades of experience in cybersecurity. Her experience includes cyber analysis, incident response, and network security architecture. She is a Department Manager and Senior Principal Cybersecurity Architect in MITRE Labs’ Cyber Solutions Innovation Center. She specializes in cyber threat intelligence and advising executives in operationalizing threat defense strategies. Prior to MITRE, she advanced from incident responder to Program