Habits of Highly Effective Security Practitioners
BY: JOE SCHREIBER, SOLUTIONS ARCHITECT, ALIENVAULT
THE ONE-MAN SOC
About Me
• Solutions Architect @ AlienVault
• Former SOC Manager/Analyst/Programmer with AT&T Managed Security Services
• SIEM Enthusiast
• Blog post: Open Source Intrusion Detection Tools: A Quick Overview
• Blog post: MSSP – The New Acceptance
• Webinars: Data Sources, Policies, and more…
Practitioners Guide: The Series
• Practitioners Guide to SOC
• The One-Man SOC (you are watching it now!)
• Help us select our next topic in this series. Tweet: @pkt_inspector
Real Advice, for Real People
In this session you will learn:
How to work around the limitations of a small (or one person) team
Key skills to improve your efficiency
Tips for establishing a daily routine
Strategies to effectively prioritize daily tasks
The concept of automation and when to use it
Benefits of threat intelligence sharing
When you are alone in the SOC
Here’s what you are missing:
The Two Man Rule
Double Verification
Long Response Times
Less Investigation Time per Incident
So let’s get started
“So how can I work around these
limitations?”
Different Data, Same Story
Know Your Audience
Source: ISC2 Workforce Survey
The IT security function is understaffed. Seventy percent of respondents say their organizations do not have enough IT security staff.
--- Ponemon Institute LLC, Feb 2014
Know Your Audience
Source: ISC2 Workforce Survey
Security Awareness
Security Awareness is critical
It is where it all starts
Vigilance
It’s your job to spread it
Listen to how often this comes up…
Know Your Environment
It’s not always about IT, but it could be. What are your users doing?
• Websites they visit?
- Water Cooler attacks?
• What games are they playing?
- Flash exploits?
- Game owner hacked?
Where are your users?
• Where are teams located?
- Why are they logging in from elsewhere?
Are there business procedures that put you at risk?
Remember you are not the NSA
Know Your Environment
Communication

PEER
You: Seen this heartbleed thing?
Web Admin: Heart what?
You: It’s serious, check it out. Link
Web Admin: Holy !@#$
Web Admin: Okay, I’m generating CSRs now for new keys.
You: Good call. Let me know how the patching goes too. Working on getting the IDS to see this attack.
✓ Mission and Risk Understood

MANAGER
You: New vulnerability called heartbleed. It’s very serious.
Manager: What is the impact?
You: Anything that uses OpenSSL is potentially exposed.
Manager: What uses OpenSSL?
You: Everything
Manager: Are we hacked?
You: It’s not that simple.
Manager: Why is this more serious than the last one?
✗ Mission and Risk Understood
Know your Audience
Let’s try this again
Communication
You: There was a vulnerability announced moments ago called heartbleed. You can find the technical details here. There are distinct factors that make this critical:
1. There is no known detection or audit mechanism available to determine if we are being attacked or were attacked
2. This vulnerability is present in a large percentage of our IT infrastructure
3. Most importantly, encrypted traffic could be read by others, creating high-risk exposure
I will conduct an audit and then we need to start patching immediately. Let’s get everyone together for a standing meeting now.
Manager: Totally agree. Calling the meeting now and starting escalation.
Save yourself time.
Clearly Defined Risks
Mission Stated. Call to Action created.
It Matters
Perception
TECH SKILLS
The Journey Isn’t Over.
Things to Learn
Automation Scripting
You have all the time you need, right?
Automation
Why Automation?
Save time of course
Ad-Hoc reporting
Integration
• With other devices
• With other groups
It’s the Little Things
XKCD is Awesome
When to Automate?
In this case there is no circle…maybe it’s not a cycle then?
Life Cycle
Process
• Saving Time?
• Serves Need?
• Frequency?
Script
• Development Time?
Automatic
• Schedule
• Action
Security > Automation
Stay Focused
Yes, More XKCD. He just gets it.
How can I automate?
Time to learn a new language
Learning to script will save you time
How do I Automate?
Factors
What is already in your environment?
• Heard that before?
Portability
• Where else can I use this?
Which Language?
Basic Shell Tools
Do I Really Need to Learn Scripting?
Real World Example
I need to make an ACL quickly
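One way to do exactly this with basic shell tools, as an added example that is not from the deck: the alert format, the internal prefix that must never be blocked and the Cisco IOS-style ACL syntax are all assumptions; the alerts are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original deck: turn IDS alerts into a deny ACL
# using only basic shell tools (awk, grep, sort, uniq).
# The alert format, the allowlisted prefix and the ACL syntax are assumptions.

# Constructed sample alerts: "<timestamp> <sig_id> <priority> <src_ip> -> <dst_ip>:<port>"
# (priority 1 = highest). 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_ALERTS='2014-04-08T10:01:02 1:2019401 1 203.0.113.10 -> 192.0.2.5:443
2014-04-08T10:01:09 1:2019401 1 203.0.113.10 -> 192.0.2.5:443
2014-04-08T10:02:15 1:2019401 1 198.51.100.7 -> 192.0.2.5:443
2014-04-08T10:03:44 1:2100498 3 203.0.113.44 -> 192.0.2.9:80
2014-04-08T10:04:01 1:2019401 1 203.0.113.10 -> 192.0.2.6:443
2014-04-08T10:05:30 1:2019401 2 198.51.100.7 -> 192.0.2.5:443
2014-04-08T10:06:12 1:2019401 1 192.0.2.50 -> 192.0.2.5:443'

# Our own address space (assumed 192.0.2.0/24): never generate a deny for it,
# otherwise one noisy internal scanner locks you out of your own network.
INTERNAL_PREFIX='^192\.0\.2\.'

# top_sources MAX_PRIO MIN_HITS
# Prints "src_ip hits" for external sources with priority <= MAX_PRIO seen at
# least MIN_HITS times, most active first. The thresholds keep a single
# low-priority alert from turning into a firewall change.
top_sources() {
  max_prio=$1
  min_hits=$2
  printf '%s\n' "$SAMPLE_ALERTS" \
    | awk -v p="$max_prio" '$3 <= p { print $4 }' \
    | grep -v "$INTERNAL_PREFIX" \
    | sort | uniq -c \
    | awk -v m="$min_hits" '$1 >= m { print $2, $1 }' \
    | sort -k2,2nr -k1,1
}

# make_acl MAX_PRIO MIN_HITS
# Emits Cisco IOS-style extended ACL lines (assumed syntax) with a remark
# recording why each host is blocked, then the closing permit.
make_acl() {
  top_sources "$1" "$2" | awk '{
    printf "access-list 110 remark %s alerts from %s\n", $2, $1
    printf "access-list 110 deny ip host %s any\n", $1
  }'
  echo 'access-list 110 permit ip any any'
}

# deny_count MAX_PRIO MIN_HITS: how many hosts the ACL would block
deny_count() {
  make_acl "$1" "$2" | grep -c ' deny '
}

# Stand-alone run: block priority-1/2 sources with two or more hits
make_acl 2 2
```

Swap `SAMPLE_ALERTS` for a `tail` of the real alert log and the same pipeline becomes the "quick ACL" the slide asks for; the remark lines are what lets you undo it later.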
PROCESS
Really, it is like totally important and stuff
Daily
• Alarm Review
• Event Review
• Tuning
Weekly
• Vulnerability Scanning
• Audits
The Importance of Routine
What’s in your Routine?
Putting the routine to work
First!
• This is your logic at work
Do not stop until critical or high severity are
closed
Investigate by taxonomy
• Exploitation
• Malware
• Policy
Alarm Review
Often. Do This.
Set aside time each and every day
• You’ll get a feel for it
• You’ll recognize patterns
Don’t believe me?
Event Review
WATCH THIS VIDEO
Methods
Use the alternative views
Event Review
PRACTICAL: OTHER VIEWS
Yes, Again!
Vulnerability Scanning
• Run scans regularly
• Run them in a targeted manner
• Establish a remediation plan before scanning
Asset Detection
Profiling
• Use Off Hours to detect automatic processes
- and then filter them!
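The off-hours profiling idea carried out in shell, as an added example that is not from the deck: events are constructed sample data, the 01:00-05:00 window and the suppression-rule syntax are assumptions. Pairs that recur night after night are scheduled jobs to filter; what is left is what a one-person SOC should actually look at.

```shell
#!/bin/sh
# Added example, not from the original deck: profile off-hours events to find
# recurring automatic processes, emit a filter for them, and keep the rest
# for investigation. Event format, window and filter syntax are assumptions.

# Constructed sample events: "<date>T<time> <src_host> <event_name>"
SAMPLE_EVENTS='2014-04-07T02:00:03 backup01 ssh-login
2014-04-07T02:00:04 backup01 file-transfer
2014-04-07T03:30:00 patchsrv wsus-sync
2014-04-07T14:12:55 wkstn-17 ssh-login
2014-04-08T02:00:02 backup01 ssh-login
2014-04-08T02:00:05 backup01 file-transfer
2014-04-08T03:30:01 patchsrv wsus-sync
2014-04-08T03:41:10 wkstn-22 ssh-login
2014-04-09T02:00:04 backup01 ssh-login
2014-04-09T02:00:06 backup01 file-transfer
2014-04-09T03:30:00 patchsrv wsus-sync
2014-04-09T04:15:22 wkstn-22 ssh-login'

OFF_START=1   # off-hours window start hour, inclusive (assumed)
OFF_END=5     # off-hours window end hour, exclusive (assumed)

# offhours_pairs
# Prints "host event nights": for every host/event pair seen inside the
# off-hours window, the number of distinct nights it appeared on.
offhours_pairs() {
  printf '%s\n' "$SAMPLE_EVENTS" \
    | awk -v s="$OFF_START" -v e="$OFF_END" '
        {
          split($1, dt, "T")
          hour = substr(dt[2], 1, 2) + 0
          # one entry per (host, event, date) so repeats in one night count once
          if (hour >= s && hour < e) nights[$2 " " $3 " " dt[1]] = 1
        }
        END {
          for (k in nights) { split(k, f, " "); n[f[1] " " f[2]]++ }
          for (p in n) print p, n[p]
        }' \
    | sort
}

# recurring MIN_NIGHTS: pairs seen on at least MIN_NIGHTS nights (scheduled jobs)
recurring() {
  offhours_pairs | awk -v m="$1" '$3 >= m'
}

# oneoffs MIN_NIGHTS: off-hours pairs that did NOT recur; these stay visible
oneoffs() {
  offhours_pairs | awk -v m="$1" '$3 < m'
}

# make_filter MIN_NIGHTS: one suppression rule per recurring pair (assumed syntax)
make_filter() {
  recurring "$1" | awk '{
    printf "suppress host=%s event=%s  # seen on %s nights\n", $1, $2, $3
  }'
}

# Stand-alone run: three nights of data, so require all three
make_filter 3
echo '# left for review:'
oneoffs 3
```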
Know Your Environment
Organization
Make Groups
• Organize by
- Function
- Location
- Host Properties
Use Groups for
• Policies
• Scanning
• Event Views
Your Environment
There will be a quiz at the end. Not Really.
Taking Notes?
Information Recording
• Ticketing System
• Wiki
Benefits
• Time Saving
• Knowledge Transfer
THREAT SHARING
One Person. Many Friends.
Threat Sharing
Anyone?
0-day? More like yesterday.
APT? Yeah, you know me.
Malware makes me happy.
Request
THREAT INTELLIGENCE POWERED BY OPEN COLLABORATION
• Diverse set of data & devices
• 8,000 collection points
• 140+ countries
• 500,000 malware samples analyzed daily
• 1500+ Event Correlation Rules
• 5 Event Attack Types
Today we learned…
Summary
How to work around the limitations of a small (or one person) team
Tips for establishing a daily routine
Strategies to effectively prioritize daily tasks
Benefits of Threat Intelligence sharing
Final Thought
“Security is your problem, and everyone else's too.”
Now for some Q&A…
Learn More about AlienVault USM
Register for our Weekly Live Product Demo
https://www.alienvault.com/marketing/alienvault-usm-live-demo
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial

Mais conteúdo relacionado

Destaque

System on chip architectures
System on chip architecturesSystem on chip architectures
System on chip architecturesA B Shinde
 
Spartan-II FPGA (xc2s30)
Spartan-II FPGA (xc2s30)Spartan-II FPGA (xc2s30)
Spartan-II FPGA (xc2s30)A B Shinde
 
How to Make Effective Presentation
How to Make Effective PresentationHow to Make Effective Presentation
How to Make Effective PresentationA B Shinde
 
Processors used in System on chip
Processors used in System on chip Processors used in System on chip
Processors used in System on chip A B Shinde
 
xilinx fpga problems
xilinx fpga problemsxilinx fpga problems
xilinx fpga problemsAnish Gupta
 
System on chip buses
System on chip busesSystem on chip buses
System on chip busesA B Shinde
 
SOC Peripheral Components & SOC Tools
SOC Peripheral Components & SOC ToolsSOC Peripheral Components & SOC Tools
SOC Peripheral Components & SOC ToolsA B Shinde
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAlienVault
 
So you think developing an SoC needs to be complex or expensive?
So you think developing an SoC needs to be complex or expensive?So you think developing an SoC needs to be complex or expensive?
So you think developing an SoC needs to be complex or expensive?Arm
 
SOC Application Studies: Image Compression
SOC Application Studies: Image CompressionSOC Application Studies: Image Compression
SOC Application Studies: Image CompressionA B Shinde
 
SOC Interconnects: AMBA & CoreConnect
SOC Interconnects: AMBA  & CoreConnectSOC Interconnects: AMBA  & CoreConnect
SOC Interconnects: AMBA & CoreConnectA B Shinde
 
Incident Response in the Cloud
Incident Response in the CloudIncident Response in the Cloud
Incident Response in the CloudBrian Honan
 
Implementing and Running SIEM: Approaches and Lessons
Implementing  and Running SIEM: Approaches and LessonsImplementing  and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and LessonsAnton Chuvakin
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
SOC System Design Approach
SOC System Design ApproachSOC System Design Approach
SOC System Design ApproachA B Shinde
 
Image processing fundamentals
Image processing fundamentalsImage processing fundamentals
Image processing fundamentalsA B Shinde
 
Presentation skills
Presentation skillsPresentation skills
Presentation skillsNanda Palit
 
Effective presentation skills
Effective presentation skillsEffective presentation skills
Effective presentation skillsAshish Srivastava
 

Destaque (20)

Power
PowerPower
Power
 
System on chip architectures
System on chip architecturesSystem on chip architectures
System on chip architectures
 
Spartan-II FPGA (xc2s30)
Spartan-II FPGA (xc2s30)Spartan-II FPGA (xc2s30)
Spartan-II FPGA (xc2s30)
 
How to Make Effective Presentation
How to Make Effective PresentationHow to Make Effective Presentation
How to Make Effective Presentation
 
Processors used in System on chip
Processors used in System on chip Processors used in System on chip
Processors used in System on chip
 
xilinx fpga problems
xilinx fpga problemsxilinx fpga problems
xilinx fpga problems
 
System on chip buses
System on chip busesSystem on chip buses
System on chip buses
 
SOC Peripheral Components & SOC Tools
SOC Peripheral Components & SOC ToolsSOC Peripheral Components & SOC Tools
SOC Peripheral Components & SOC Tools
 
Advanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source SecurityAdvanced OSSEC Training: Integration Strategies for Open Source Security
Advanced OSSEC Training: Integration Strategies for Open Source Security
 
So you think developing an SoC needs to be complex or expensive?
So you think developing an SoC needs to be complex or expensive?So you think developing an SoC needs to be complex or expensive?
So you think developing an SoC needs to be complex or expensive?
 
Processors selection
Processors selectionProcessors selection
Processors selection
 
SOC Application Studies: Image Compression
SOC Application Studies: Image CompressionSOC Application Studies: Image Compression
SOC Application Studies: Image Compression
 
SOC Interconnects: AMBA & CoreConnect
SOC Interconnects: AMBA  & CoreConnectSOC Interconnects: AMBA  & CoreConnect
SOC Interconnects: AMBA & CoreConnect
 
Incident Response in the Cloud
Incident Response in the CloudIncident Response in the Cloud
Incident Response in the Cloud
 
Implementing and Running SIEM: Approaches and Lessons
Implementing  and Running SIEM: Approaches and LessonsImplementing  and Running SIEM: Approaches and Lessons
Implementing and Running SIEM: Approaches and Lessons
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
SOC System Design Approach
SOC System Design ApproachSOC System Design Approach
SOC System Design Approach
 
Image processing fundamentals
Image processing fundamentalsImage processing fundamentals
Image processing fundamentals
 
Presentation skills
Presentation skillsPresentation skills
Presentation skills
 
Effective presentation skills
Effective presentation skillsEffective presentation skills
Effective presentation skills
 

Mais de AlienVault

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsAlienVault
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?AlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultAlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMAlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...AlienVault
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection RecommendationsAlienVault
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienVault
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideAlienVault
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmAlienVault
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuideAlienVault
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmAlienVault
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICAlienVault
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides finalAlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMAlienVault
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesAlienVault
 
How Malware Works
How Malware WorksHow Malware Works
How Malware WorksAlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverAlienVault
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than EverAlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAlienVault
 

Mais de AlienVault (20)

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USM
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's Guide
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 

Último

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Último (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

The One-Man SOC: Habits of Highly Effective Security Practitioners

1. Habits of Highly Effective Security Practitioners
The One-Man SOC
By: Joe Schreiber, Solutions Architect, AlienVault

2. About Me
• Solutions Architect @ AlienVault
• Former SOC Manager/Analyst/Programmer with AT&T Managed Security Services
• SIEM Enthusiast
• Blog post: Open Source Intrusion Detection Tools: A Quick Overview
• Blog post: MSSP – The New Acceptance
• Webinars: Data Sources, Policies, and more…
Practitioners Guide: The Series
• Practitioners Guide to SOC
• The One-Man SOC (you are watching it now!)
• Help us select our next topic in this series. Tweet: @pkt_inspector
Real Advice, for Real People

4. In this session you will learn:
• How to work around the limitations of a small (or one person) team
• Key skills to improve your efficiency
• Tips for establishing a daily routine
• Strategies to effectively prioritize daily tasks
• The concept of automation and when to use it
• Benefits of threat intelligence sharing

5. When you are alone in the SOC
Here’s what you are missing:
• The Two Man Rule
• Double Verification
• Long Response Times
• Less Investigation Time per Incident
So let’s get started: “So how can I work around these limitations?”

6. Know Your Audience: Different Data, Same Story
Source: ISC2 Workforce Survey
“The IT security function is understaffed. Seventy percent of respondents say their organizations do not have enough IT security staff.” --- Ponemon Institute LLC, Feb 2014

7. Know Your Audience
Source: ISC2 Workforce Survey

8. Security Awareness
• Security Awareness is critical
• It is where it all starts
• Vigilance
• It’s your job to spread it
• Listen how often this comes up….

9. Know Your Environment
It’s not always about IT, but it could be.
What are your users doing?
• Websites they visit?
  - Water Cooler attacks?
• What games are they playing?
  - Flash exploits?
  - Game owner hacked?
Where are your users?
• Where are teams located?
  - Why are they logging in from elsewhere?
Are there business procedures that put you at risk?
Remember you are not the NSA
10. Communication: Know your Audience
PEER
You: Seen this heartbleed thing?
Web Admin: Heart what?
You: It’s serious, check it out. Link
Web Admin: Holy !@#$
Web Admin: Okay I’m generating CSRs now for new keys.
You: Good call. Let me know how the patching goes too. Working on getting the IDS to see this attack.
✓ Mission and Risk Understood

MANAGER
You: New vulnerability called heartbleed. It’s very serious.
Manager: What is the impact?
You: Anything that uses OpenSSL is potentially exposed.
Manager: What uses OpenSSL?
You: Everything
Manager: Are we hacked?
You: It’s not that simple.
Manager: Why is this more serious than the last one?
✗ Mission and Risk Understood

11. Communication: Let’s try this again
You: There was a vulnerability announced moments ago called heartbleed. You can find the technical details here. There are distinct factors that make this critical:
1. There is no known detection or audit mechanism available to determine if we are being attacked or were attacked
2. This vulnerability is present in a large percentage of our IT infrastructure
3. Most importantly, encrypted traffic could be read by others, creating high risk exposure
I will conduct an audit and then we need to start patching immediately. Let’s get everyone together for a standing meeting now.
Manager: Totally agree. Calling the meeting now and starting escalation.
Save yourself time. Clearly Defined Risks. Mission Stated. Call to Action created.
14. The Journey Isn’t Over. Things to Learn
• Automation
• Scripting

15. Automation
You have all the time you need, right?

16. Why Automation?
• Save time, of course
• Ad-Hoc reporting
• Integration
  - With other devices
  - With other groups
It’s the Little Things

17. When to Automate?
XKCD is Awesome

18. Life Cycle
In this case there is no circle… maybe it’s not a cycle then?
• Script
  - Saving Time?
  - Serves Need? Frequency?
  - Development Time?
• Automatic Process
  - Schedule
  - Action

19. Stay Focused
Security > Automation
Yes, More XKCD. He just gets it.

20. How do I Automate?
How can I automate? (shown in Dutch on the slide)
Time to learn a new language
Learning to script will save you time

21. Which Language?
Factors
• What is already in your environment?
  - Heard that before?
• Portability
  - Where else can I use this?

22. Do I Really Need to Learn Scripting?
Basic Shell Tools
Real World Example: I need to make an ACL quickly
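The slide only names the real-world example, “I need to make an ACL quickly”. What that looks like with nothing but sh, awk and sort, as an added example that is not from the deck or from AlienVault: a handful of IDS alerts are reduced to the external sources that keep tripping serious signatures, and those become deny entries. The alert lines follow a Snort/Suricata “fast”-style layout but are constructed for this example, the signature IDs are local-range placeholders, the addresses are documentation ranges with 192.0.2.0/24 standing in for the internal network, and the ACL number 110 is an arbitrary assumption.

```shell
#!/bin/sh
# Added example: build a firewall ACL from IDS alerts with basic shell tools.
# Everything below is constructed for illustration: the alert lines follow a
# Snort/Suricata "fast"-style layout, the signature IDs are local-range
# placeholders, the addresses are RFC 5737 documentation ranges, and
# 192.0.2.0/24 plays the role of the internal network.
ALERTS='05/20-09:14:02.113 [**] [1:1000001:1] SCAN SIP probe [**] [Priority: 2] {UDP} 203.0.113.45:5060 -> 192.0.2.10:5060
05/20-09:14:05.991 [**] [1:1000002:1] SCAN inbound to MSSQL port 1433 [**] [Priority: 2] {TCP} 203.0.113.45:41122 -> 192.0.2.12:1433
05/20-09:15:11.004 [**] [1:1000003:1] POLICY outbound IRC [**] [Priority: 3] {TCP} 192.0.2.33:51230 -> 198.51.100.7:6667
05/20-09:16:40.551 [**] [1:1000004:1] EXPLOIT webshell upload attempt [**] [Priority: 1] {TCP} 198.51.100.200:44321 -> 192.0.2.10:443
05/20-09:17:02.300 [**] [1:1000004:1] EXPLOIT webshell upload attempt [**] [Priority: 1] {TCP} 198.51.100.200:44322 -> 192.0.2.10:443
05/20-09:18:30.870 [**] [1:1000005:1] INFO DNS query [**] [Priority: 3] {UDP} 198.51.100.9:53312 -> 192.0.2.53:53'

# offenders ALERTS MIN_HITS
# Prints "<hits> <ip>" for each external source that raised at least MIN_HITS
# priority-1 or priority-2 alerts, sorted by address. Priority-3 noise is
# ignored and internal sources are skipped, so a chatty workstation can never
# end up in the deny list.
offenders() {
    printf '%s\n' "$1" |
    awk -v min="$2" '
        /\[Priority: [12]\]/ {
            for (i = 1; i <= NF; i++) if ($i == "->") src = $(i - 1)
            sub(/:[0-9]+$/, "", src)            # strip the source port
            if (src !~ /^192\.0\.2\./) hits[src]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k2,2
}

# make_acl ALERTS MIN_HITS [ACL_NUMBER]
# Emits one Cisco-style extended ACL entry per offender. ACL 110 is the
# default and is an arbitrary assumption for this example.
make_acl() {
    acl="${3:-110}"
    offenders "$1" "$2" |
    while read -r hits ip; do
        printf 'access-list %s deny ip host %s any\n' "$acl" "$ip"
    done
}

# Stand-alone run: sources with two or more serious alerts get denied.
make_acl "$ALERTS" 2
```

The two knobs worth tuning are the hit threshold and the internal-network exclusion; the output is something to paste into a change ticket and review, not something to push to the device unattended.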
24. The Importance of Routine
Really, it is like totally important and stuff
What’s in your Routine?
Daily
• Alarm Review
• Event Review
• Tuning
Weekly
• Vulnerability Scanning
• Audits

25. Alarm Review
Putting the routine to work
First!
• This is your logic at work
• Do not stop until critical or high severity are closed
• Investigate by taxonomy
  - Exploitation
  - Malware
  - Policy
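To make “do not stop until critical or high severity are closed” and “investigate by taxonomy” concrete, here is an added example that is not from the deck or from any AlienVault product: a constructed alarm queue is ordered the way the slide prescribes, severity first and the slide’s taxonomy order (Exploitation, Malware, Policy) as the tie-breaker, and a second function reports how many urgent alarms are still open. The alarm IDs, line format and summaries are assumptions.

```shell
#!/bin/sh
# Added example: order the alarm queue the way the slide describes.
# The alarm lines are constructed: "<id> <state> <severity> <taxonomy> <summary>".
ALARMS='A-101 open medium Policy "Cleartext password over FTP"
A-102 open critical Exploitation "SQL injection attempt against web01"
A-103 closed high Malware "Known C2 beacon from ws-17"
A-104 open high Policy "Unauthorized port scan from lab subnet"
A-105 open low Malware "Adware dropper blocked by proxy"
A-106 open critical Malware "Ransomware-style mass file rename on fs02"'

# triage_queue ALARMS
# Prints the open alarms, most urgent first: severity decides the order, and
# within one severity the taxonomy order from the slide (Exploitation, then
# Malware, then Policy) breaks ties. Closed alarms are dropped; unknown
# severities or taxonomies sink to the bottom instead of vanishing.
triage_queue() {
    printf '%s\n' "$1" |
    awk '
        BEGIN {
            sev["critical"] = 1; sev["high"] = 2; sev["medium"] = 3; sev["low"] = 4
            tax["Exploitation"] = 1; tax["Malware"] = 2; tax["Policy"] = 3
        }
        $2 == "open" {
            s = ($3 in sev) ? sev[$3] : 9
            t = ($4 in tax) ? tax[$4] : 9
            print s, t, $0
        }
    ' | sort -k1,1n -k2,2n | cut -d' ' -f3-
}

# urgent_open_count ALARMS
# Number of open critical/high alarms. The daily alarm review is not finished
# while this is non-zero.
urgent_open_count() {
    printf '%s\n' "$1" |
    awk '$2 == "open" && ($3 == "critical" || $3 == "high") { n++ } END { print n + 0 }'
}

# Stand-alone run: show the work order, then the stop condition.
triage_queue "$ALARMS"
echo "urgent alarms still open: $(urgent_open_count "$ALARMS")"
```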
26. Event Review
Often. Do This.
• Set aside time each and every day
  - You’ll get a feel for it
  - You’ll recognize patterns
Don’t believe me?

28. Event Review: Methods
• Use the alternative views

30. Know Your Environment
Yes, Again!
Vulnerability Scanning
• Run scans regularly
• Run them in a targeted manner
• Establish a remediation plan before scanning
Asset Detection / Profiling
• Use off hours to detect automatic processes - and then filter them!
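The “use off hours to detect automatic processes, and then filter them” tip, as an added example that is not from the deck or from AlienVault: a constructed connection log is searched for sources that talk to the same destination and port night after night, and the hits are turned into a BPF exclusion that a capture or sensor can use so the scheduled jobs stop crowding event review. The log format, the addresses, the quiet window (00:00 to 05:59) and the three-night threshold are all assumptions.

```shell
#!/bin/sh
# Added example: profile off-hours traffic to find scheduled/automatic
# processes, then emit a filter so they stop cluttering event review.
# The log is constructed: "<date> <time> <src> <dst> <dport>", RFC 5737 addresses.
CONN_LOG='2014-05-19 02:00:05 192.0.2.20 198.51.100.50 443
2014-05-19 02:00:06 192.0.2.20 198.51.100.50 443
2014-05-19 03:15:00 192.0.2.41 198.51.100.9 22
2014-05-20 02:00:04 192.0.2.20 198.51.100.50 443
2014-05-20 23:45:00 192.0.2.41 198.51.100.9 22
2014-05-21 01:10:33 192.0.2.77 198.51.100.120 80
2014-05-21 02:00:07 192.0.2.20 198.51.100.50 443'

# offhours_automations LOG START_HOUR END_HOUR MIN_NIGHTS
# Keeps connections whose hour is in [START_HOUR, END_HOUR), groups them by
# (src, dst, dport) and counts the distinct nights each group shows up on.
# Groups seen on at least MIN_NIGHTS nights are printed as
# "<src> <dst> <dport> <nights>": people are rarely that punctual, cron is.
offhours_automations() {
    printf '%s\n' "$1" |
    awk -v start="$2" -v end="$3" -v min="$4" '
        {
            hour = substr($2, 1, 2) + 0
            if (hour < start || hour >= end) next      # outside the quiet window
            key = $3 " " $4 " " $5
            if (!((key, $1) in seen)) { seen[key, $1] = 1; nights[key]++ }
        }
        END { for (k in nights) if (nights[k] >= min) print k, nights[k] }
    ' | sort
}

# bpf_exclusion LOG START_HOUR END_HOUR MIN_NIGHTS
# Turns the profiled groups into a single BPF expression that excludes them,
# usable as a tcpdump or sensor capture filter.
bpf_exclusion() {
    offhours_automations "$1" "$2" "$3" "$4" |
    awk '
        {
            term = "not (src host " $1 " and dst host " $2 " and dst port " $3 ")"
            expr = (expr == "") ? term : expr " and " term
        }
        END { print expr }
    '
}

# Stand-alone run: list the candidates, then the filter that hides them.
echo "candidate automatic processes (3+ nights between 00:00 and 05:59):"
offhours_automations "$CONN_LOG" 0 6 3
echo "capture filter: $(bpf_exclusion "$CONN_LOG" 0 6 3)"
```

Treat each candidate as a question for the asset owner before it goes into a filter: a host that beacons to the same place every night at 02:00 is usually a backup or update job, but the filter should only be written once someone has confirmed what the job is.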
31. Your Environment
Organization
• Make Groups
• Organize by
  - Function
  - Location
  - Host Properties
• Use Groups for
  - Policies
  - Scanning
  - Event Views

32. Taking Notes?
There will be a quiz at the end. Not Really.
Information Recording
• Ticketing System
• Wiki
Benefits
• Time Saving
• Knowledge Transfer

34. Threat Sharing Anyone?
One Person. Many Friends.
0-day? More like yesterday. APT? Yeah you know me. Malware makes me happy.
Request

35. THREAT INTELLIGENCE POWERED BY OPEN COLLABORATION
• Diverse set of data & devices
• 8,000 collection points
• 140+ countries
• 500,000 malware samples analyzed daily
• 1500+ Event Correlation Rules
• 5 Event Attack Types

36. Summary
Today we learned…
• How to work around the limitations of a small (or one person) team
• Tips for establishing a daily routine
• Strategies to effectively prioritize daily tasks
• Benefits of Threat Intelligence sharing

37. Final Thought
“Security is your problem, and everyone else's too.”

38. Now for some Q&A…
Learn More about AlienVault USM
• Register for our Weekly Live Product Demo: https://www.alienvault.com/marketing/alienvault-usm-live-demo
• Download a Free 30-Day Trial: http://www.alienvault.com/free-trial