THE SOC OF THE FUTURE (SECS2839)
Brad Taylor, CEO, Proficio

AGENDA
01 About Proficio
02 What We See
03 Challenges
04 Recommendations
05 Proficio's Approach
06 Q&A
WWW.PROFICIO.COM
ABOUT PROFICIO
▪ Founded in 2010
▪ Managed Detection & Response
▪ Splunk MSSP
▪ Hosted or Client Owned
▪ 100+ Customers Using Splunk
▪ Addressing enterprise requirements
▪ Global reach
▪ Billions of security events monitored daily

▪ Locations: San Diego, CA, USA; Barcelona, Spain; Singapore
▪ SOC 2 Type 2
▪ Industry standard framework model
▪ 150+ certifications & accreditations
THE SOC OF THE FUTURE
The SOC of the future will have only two employees, a security engineer and a dog. The engineer will be there to feed the dog. The dog will be there to bite the engineer if he/she touches the system.
Adapted from Warren Bennis
WHAT DO WE SEE IN SOCs TODAY
▪ MANAGE
  ▪ High number of Notables per day
  ▪ Understaffed for SOC Threat Detection
  ▪ Failure to perform Asset, Policy, and Data Modeling
  ▪ High risk due to missing log sources or improper logging
  ▪ Lack of visibility into Security Gaps
▪ DETECT
  ▪ Majority average only a dozen well-tuned Use Cases
  ▪ Lack of Investigation Playbooks
  ▪ Limited Integrated Threat Intelligence
  ▪ Limited use of SOAR
▪ RESPOND
  ▪ Over 50% do not engage every threat identified by the SOC
  ▪ No Automated Response
  ▪ No metrics tracking the full lifecycle of a security event through remediation
WHAT ARE YOUR OBJECTIVES AND KEY RESULTS?
▪ VISIBILITY
  ▪ Detect indicators early
  ▪ Accuracy of detection
  ▪ Business Context
▪ RESPONSE ORCHESTRATION
  ▪ Categorized
  ▪ Orchestrated
  ▪ Triaged and ticketed
  ▪ Automated when possible
  ▪ Manual where needed
▪ BUSINESS INTELLIGENCE FOR SECURITY PROGRAM
  ▪ Risk assessment
  ▪ Trends, root cause, and progress
  ▪ Response metrics
CHALLENGES
▪ Threat Landscape
▪ Skills Gap
▪ Technology
CHALLENGES - THREAT LANDSCAPE
▪ Bigger, More Diverse Attack Surface
  ▪ IoT
  ▪ Cloud
  ▪ Mobile
▪ Increased Attacker Sophistication
  ▪ AI-enabled
  ▪ Adversarial Machine Learning
  ▪ Unknown Threats
▪ Visibility and Response
  ▪ Faster detection
  ▪ Instant Response
  ▪ Quantification of risk
  ▪ Actionability
CHALLENGES - SKILLS GAP
▪ Less time for
  ▪ Investigations
  ▪ Threat Hunting
  ▪ Incident Response
▪ Budget pressure
▪ Staff turnover and burnout
▪ Reduced productivity
▪ Human error
▪ Under-utilization of technology
▪ Less time spent on business alignment
CHALLENGES - TECHNOLOGY
▪ Technology Selection
  ▪ Threat detection
  ▪ Automation
  ▪ SOAR
  ▪ AI/ML
▪ Technology Implementation
  ▪ Integration with existing point tools
▪ Technology Management
  ▪ Maximizing value
  ▪ Mapping human skills to technology
▪ Business Intelligence for Security
  ▪ Visibility, Risk and Security Posture
  ▪ Operational KPIs
  ▪ Peer Comparison
RECOMMENDATIONS – THREAT LANDSCAPE
▪ Threat Information
  ▪ How does this threat work?
  ▪ Tactics, Techniques, and Procedures
  ▪ What is the risk?
  ▪ Who is the threat actor?
▪ Threat Impact
  ▪ Business Context Models
  ▪ Asset Categorization
  ▪ Criticality of event
  ▪ Priority of response
  ▪ Incident history
▪ Recommendations
  ▪ Response Plan Checklist
  ▪ Remediation strategies
  ▪ Threat detection improvements
RECOMMENDATIONS - STRATEGIES FOR ADDRESSING SKILL SHORTAGES
▪ Reduce Need for Hiring
  ▪ Automate
  ▪ Outsource
  ▪ Co-management
  ▪ Increase productivity
  ▪ Collaboration
▪ Accelerate Hiring
  ▪ Compensation
  ▪ Partner with universities
  ▪ Training
  ▪ Retention programs
▪ Change Hiring Dynamic
  ▪ Hire more women
  ▪ Hire Veterans
  ▪ Move SOC
  ▪ Distributed SOC
RECOMMENDATIONS - TECHNOLOGY
▪ Commercial vs. Open Source
  ▪ Time to operationalize
  ▪ Internal & External resources
▪ People, Process and Technology
  ▪ Planning
  ▪ Implementation
  ▪ Management
▪ Why Select Splunk for the SOC of the Future
  ▪ Technology
  ▪ Vision
  ▪ Security
  ▪ Ecosystem
  ▪ Operational Tools
PROFICIO'S APPROACH
▪ Leverage what has worked
  ▪ Global SOCs
  ▪ Career paths for Analysts
  ▪ Log Enrichment
  ▪ Use Case development process
  ▪ SOAR
  ▪ Business Context Modeling
▪ Future forward
  ▪ AI / ML
  ▪ Search
  ▪ Cloud
  ▪ Process Automation
  ▪ Continuous improvement
  ▪ Data => Insight => Change
[Diagram: Business and Risk Alignment across People, Process and Technology]
PROFICIO'S APPROACH – THREAT INVESTIGATION
1. THREAT INFORMATION
• TACTICS: Execution, Persistence, Privilege Escalation, Credential Access. The threat is categorized as CryptDOS in relationship to APIHook Browser Hijacker, which is malware that is known to slow down systems and impact performance.
• TECHNIQUES: Service Execution, Hooking.
• PROCEDURES: The attacker's domain has been observed communicating with other malicious files that pose threats more serious than denial of service, like backdoor-related malware that downloads more malware.
• SEVERITY: 3-Medium
• RISK: 3-Medium
• THREAT ACTOR: Cybercriminals – Unknown
PROFICIO'S APPROACH – THREAT INVESTIGATION
2. CLIENT INFORMATION
• THREAT IMPACT: 4-High. This threat could impact your organization heavily, based on the lack of controls and security policies.
• INCIDENT HISTORY: INCXXXXXXX, INCXXXXXXX, INCXXXXXXX. We can confirm these IOCs were first observed in your network 3 months ago.
• DEVICE CORRELATION: Endpoint AV, NGFW, IDS. We have found log events related to this threat on different devices, helping us to confirm the incident and the threat behavior associated with it.
3. RECOMMENDATIONS
• We recommend you remove any CryptDOS-associated software from the identified hosts, including performance-degrading toolbars. Please isolate the affected systems and run containment actions through your EDR solution in order to remove any traces of potential malware. Only install toolbars and extensions from trusted sources that can be verified; installation permissions can be managed using group policies.
USE CASE DEVELOPMENT
▪ Detection Technologies
  ▪ SIEM
  ▪ Big Data Analytics
  ▪ NIDS/NIPS
  ▪ HIPS
  ▪ Anti-malware
  ▪ Network Anomaly Detection
  ▪ Email Protection
▪ Threat Actors
  ▪ Professional Criminals
  ▪ State Actors
  ▪ Terrorists
  ▪ Hacktivists, Cyber Vandals and Script Kiddies
  ▪ Internal Actors
  ▪ Private Organizations
  ▪ Multiple Actors
▪ Log Sources
  ▪ Firewall
  ▪ Network Traffic
  ▪ OS Logging
  ▪ Application Logs
  ▪ Web Application Logging
  ▪ Database Logs
  ▪ Proxy Logs
▪ Business Drivers
  ▪ Direct Financial Loss
  ▪ Reputational Damage
  ▪ Legal and Regulatory Obligations
  ▪ Enable Business
  ▪ Business Continuity
  ▪ Strategic and Commercial Interests
SAMPLE TRIAGED ALERT
Sections of the alert as delivered to the client:
▪ SIEM Case ID
▪ Custom Asset Lookup
▪ Zone Modeling
▪ Native Log Source Enrichment
▪ External Data Enrichment
▪ Internal Data Enrichment
▪ ITSM Details
▪ Use Case Metadata
▪ Incident Link
ACTIVE DEFENSE - AUTOMATED RESPONSE
1. Threat Activity: an Indicator of Compromise (IOC) or Indicator of Attack (IOA) is observed at the security controls (perimeter firewall(s))
2. Log Data Collection (Proficio Collector)
3. Use Case Application (SIEM)
4. Script Execution
5. Security Control Update (perimeter firewall(s))
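The enrichment sections of the sample triaged alert and the five-step automated response flow above, as an added Python example that is not Proficio's code: it parses constructed firewall events (step 2), matches destinations against a constructed IOC list (steps 1 and 3), enriches each hit with a constructed asset lookup for zone modeling, scores severity, and decides between an automated control update (steps 4 and 5) and a ticket for manual triage. The hosts, addresses, use case metadata and severity thresholds are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# --- Constructed inputs; none of this is real infrastructure -------------------
# External intelligence: IOC list from a threat feed (step 1 on the slide).
# Addresses come from the RFC 5737 documentation ranges.
IOC_FEED = {
    "203.0.113.45": "known C2 infrastructure (constructed feed entry)",
    "198.51.100.7": "mass scanner (constructed feed entry)",
}

# Internal intelligence: custom asset lookup used for zone modeling.
ASSET_LOOKUP = {
    "10.0.1.15": {"hostname": "fin-db-01", "zone": "restricted", "criticality": 5},
    "10.0.2.40": {"hostname": "guest-ap-03", "zone": "guest", "criticality": 1},
}

# Native log source: constructed perimeter-firewall key=value events (step 2).
SAMPLE_LOGS = [
    "ts=2019-10-22T14:01:07Z action=allow src=10.0.1.15 dst=203.0.113.45 dport=443",
    "ts=2019-10-22T14:01:09Z action=allow src=10.0.2.40 dst=198.51.100.7 dport=80",
    "ts=2019-10-22T14:01:12Z action=allow src=10.0.2.40 dst=192.0.2.10 dport=443",
]

# Use case metadata (hypothetical id and name).
USE_CASE = {"id": "UC-0042", "name": "Outbound connection to known IOC",
            "tactic": "Command and Control"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one key=value firewall line into a dict."""
    return dict(KV.findall(line))


@dataclass
class TriagedAlert:
    case_id: str
    use_case: dict
    event: dict
    asset: dict
    ioc_context: str
    severity: int
    response: str


def score_severity(asset: dict) -> int:
    """Asset criticality 1-5, raised by one inside the restricted zone (capped at 5)."""
    bump = 1 if asset["zone"] == "restricted" else 0
    return min(5, asset["criticality"] + bump)


def choose_response(severity: int) -> str:
    """Steps 4-5: automate only where impact justifies it; otherwise ticket for a human."""
    if severity >= 4:
        return "automated: push block rule to perimeter firewall; open ITSM incident"
    return "manual: open ITSM incident for analyst triage"


def apply_use_case(lines, ioc_feed=IOC_FEED, assets=ASSET_LOOKUP) -> list:
    """Step 3: run the use case over collected events and enrich every hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("dst") not in ioc_feed:
            continue
        # Unmodeled assets get a middle criticality so they are never silently dropped.
        asset = assets.get(ev.get("src"), {"hostname": "unknown", "zone": "unmodeled", "criticality": 3})
        sev = score_severity(asset)
        alerts.append(TriagedAlert(
            case_id=f"CASE-{len(alerts) + 1:04d}", use_case=USE_CASE, event=ev, asset=asset,
            ioc_context=ioc_feed[ev["dst"]], severity=sev, response=choose_response(sev)))
    return alerts


def render(alert: TriagedAlert) -> str:
    """Lay the alert out in the sections of the 'Sample Triaged Alert' slide."""
    uc = alert.use_case
    return "\n".join([
        f"SIEM Case ID: {alert.case_id}",
        f"Use Case: {uc['id']} {uc['name']} ({uc['tactic']})",
        f"Native log source: {alert.event}",
        f"Asset lookup / zone: {alert.asset['hostname']} zone={alert.asset['zone']} "
        f"criticality={alert.asset['criticality']}",
        f"External enrichment: {alert.ioc_context}",
        f"Severity: {alert.severity}  Response: {alert.response}",
    ])


if __name__ == "__main__":
    for alert in apply_use_case(SAMPLE_LOGS):
        print(render(alert))
        print("-" * 60)
```

Of the three constructed events only two reach an IOC; the one from the restricted-zone database host is pushed to the automated path, while the guest-network hit is ticketed for an analyst, which is the "automated when possible, manual where needed" split the objectives slide asks for.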
HELP IT LEADERS UNDERSTAND RISK
▪ Trend Analysis
▪ Dive into Root Cause
▪ Where do we need new controls?
▪ Risk Score based on Threat Prevention and Visibility
▪ Is your SOC performing human investigations?
MEASURE METRICS AND CONTINUOUSLY IMPROVE
Mean times by NIST incident response stage, each measured from the previous stage, with the question of what the target should be:
▪ Mean Time To Detect: 30 minutes?
▪ Mean Time To Acknowledge and Triage: +30 minutes?
▪ Mean Time To Contain: +2 hours?
▪ Mean Time To Recover: +8 hours?
▪ Mean Time To Resolve: +14 days?
Stakeholders: SOC / Security Operations / Security / Executive
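The stage metrics above, computed from incident lifecycle timestamps, as an added Python example that is not Proficio's code. It measures each mean from the previous stage (which is why the slide writes the targets as "+30 minutes", "+2 hours"), compares the mean against the slide's suggested targets, excludes open incidents from stages they have not reached, and rejects records whose stage timestamps run backwards. The incident records and the use of the slide's figures as thresholds are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Stage sequence on the slide; each metric is the gap from the previous stage.
STAGES = ["occurred", "detected", "acknowledged", "contained", "recovered", "resolved"]

# metric -> (from stage, to stage, target taken from the slide's questions)
METRICS = {
    "MTTD":       ("occurred",     "detected",     timedelta(minutes=30)),
    "MTTA":       ("detected",     "acknowledged", timedelta(minutes=30)),
    "MTTC":       ("acknowledged", "contained",    timedelta(hours=2)),
    "MTTRecover": ("contained",    "recovered",    timedelta(hours=8)),
    "MTTResolve": ("recovered",    "resolved",     timedelta(days=14)),
}


def incident(iid, *stamps):
    """Build an incident record from ISO timestamps; None marks a stage not yet reached."""
    return {"id": iid,
            **{s: (datetime.fromisoformat(t) if t else None) for s, t in zip(STAGES, stamps)}}


# Constructed incident records (not real cases); INC-EX-2 is still open.
INCIDENTS = [
    incident("INC-EX-1", "2019-10-01T10:00", "2019-10-01T10:20", "2019-10-01T10:35",
             "2019-10-01T12:00", "2019-10-01T16:00", "2019-10-06T10:00"),
    incident("INC-EX-2", "2019-10-02T08:00", "2019-10-02T09:00", "2019-10-02T09:10",
             "2019-10-02T12:10", "2019-10-02T20:10", None),
    incident("INC-EX-3", "2019-10-03T00:00", "2019-10-03T00:10", "2019-10-03T00:50",
             "2019-10-03T01:20", "2019-10-03T03:20", "2019-10-28T00:00"),
]


def stage_durations(incidents, start, end):
    """Gap between two stages for every incident that has reached both."""
    out = []
    for inc in incidents:
        a, b = inc.get(start), inc.get(end)
        if a is None or b is None:
            continue  # open incident: stage not reached yet, so it cannot count toward the mean
        if b < a:
            # Data-quality check: a later stage before an earlier one means bad clocks or bad data.
            raise ValueError(f"{inc['id']}: {end} precedes {start}")
        out.append(b - a)
    return out


def compute_metrics(incidents, metrics=METRICS):
    """Return {metric: {'mean', 'n', 'target', 'met'}}; 'met' is None when there is no data."""
    report = {}
    for name, (start, end, target) in metrics.items():
        durations = stage_durations(incidents, start, end)
        mean = sum(durations, timedelta()) / len(durations) if durations else None
        report[name] = {"mean": mean, "n": len(durations), "target": target,
                        "met": (mean <= target) if mean is not None else None}
    return report


def fmt(td):
    return "n/a" if td is None else f"{td.total_seconds() / 3600:.1f}h"


if __name__ == "__main__":
    for name, r in compute_metrics(INCIDENTS).items():
        flag = {True: "ok", False: "MISSED", None: "no data"}[r["met"]]
        print(f"{name:<11} mean={fmt(r['mean']):>8} target={fmt(r['target']):>8} n={r['n']} {flag}")
```

With the constructed records the first four means sit inside their targets, while Mean Time To Resolve is driven past 14 days by one long-running case and is computed over only the two closed incidents; reporting `n` beside each mean is what stops a small sample from being read as a trend.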
PROFICIO'S APPROACH - SOC OF THE FUTURE ARCHITECTURE
[Architecture diagram; components as labelled:]
▪ Splunk
▪ ITSM: Confirmed Events & SecOps (via API)
▪ Threat Intelligence Platform: External Intelligence + Internal Intelligence (via API)
▪ Use Case Repository / Development Framework: Business Layer, Threat Layer, Implementation Layer
▪ Alerts/Notifications
▪ Enriched Events
▪ SOAR
▪ Machine Learning / AI
▪ Threat Intelligence Data Lake (via API)
▪ TA, IR, TM
▪ Client SOC Team
QUESTIONS?
BOOTH 123
WWW.PROFICIO.COM | INFO@PROFICIO.COM