Security Operations Centers (SOCs) are an organization's front line for incident detection, response, and escalation. Few security teams evaluate whether their SOC's tools, techniques and procedures (TTPs) actually produce the expected SOC response, and even fewer do so on live networks with their CISO's approval.
This HOWTO talk for security teams covers a crawl/walk/run approach to building and executing live-fire incidents that target your SOC's ability to detect, respond, and escalate. Techniques, lessons learned, and war stories will cover how to select your exercises, determine expected outcomes, measure results, coordinate CISO sign-off, and report lessons learned to improve your SOC's TTP response.