SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
•Transferir como PPTX, PDF•
1 gostou•288 visualizações
Modern SOC Trends by Anton Chuvakin (2020)
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Semelhante a SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
Semelhante a SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends (20)
Mais de Anton Chuvakin
Mais de Anton Chuvakin (19)
Último
Último (20)
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
- 1. Groovy SOC Tunes SOC Chronicles: What Has Changed and What Has Stayed the Same? Dr. Anton Chuvakin Google Cloud Security / Chronicle; ex-Gartner @anton_chuvakin medium.com/anton-on-security
- 2. Who am I?
- 3. Outline ● SOC refresher for 2020 ● WHY | WHAT | HOW ○ Why MODERN SOC? ○ What modern SOC is? ○ What modern SOC isn’t? ○ How to evolve your SOC to this? ● What to expect next? ○ Ah, and “Is SOC dead?” :-)
- 4. “A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities.” -- Gartner SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too. What is a SOC?
- 5. Why Modern SOC? Force 1: Expanding attack surface More things to secure... Force 2: Security talent shortage More things to secure than people... Force 3: Too many alerts from too many tools More things to secure that all scream for attention… (source)
- 6. Modern SOC ● Teams is organized by skill, not rigid level ● Process structures around threats, not alerts ● Threat hunting covers for cases where alerts never appear ● Multiple visibility approaches, not just logs ● Automation via SOAR works as a force multiplier ● Deeper testing and coverage analysis ● Threat intelligence is consumed and created ● Elegantly uses third party services
- 7. NOT Modern SOC ● Inspired by IT helpdesk philosophy ● Treats incidents as rare and abnormal ● Focuses on alert pipeline, and pairs alerts to analysts ● Centered on a SIEM (SOC = SIEM analyst team) ● Has walls between alert handlers and alert tuners ● Threat intelligence is sometimes consumed ● Shallow metrics on handling time
- 8. Highlights of Modern SOC: People
- 9. Highlights of Modern SOC: Tools ● Logs (such as via SIEM) ● Network data (such as via NDR) ● Endpoint data (such as via EDR) Other data (deception, RASP, etc)
- 10. Highlights of Modern SOC: Processes
- 11. Highlights of Modern SOC: Detection Engineering ● Detection content versioning ● Proper “QA” for detection content” ● Content (code) reuse and modularity ● Cross-vendor and cross-tool content ● Metrics, coverage and improvement P.S. This is not about programming as such
- 12. Highlights of Modern SOC: “Help” “Every modern SOC is a hybrid SOC” -- Anton Chuvakin [source] THIS OUTSOURCES WELL - Deeper malware analysis - Threat intelligence - SIEM, EDR and other tool management and tuning - SOC tool tuning and use case analysis - Managed threat hunting THIS OUTSOURCES BADLY - Remediation of threats - Full cycle of incident response - Insider threat detection - Business- and application-specific threat detection THIS DOES NOT OUTSOURCES AT ALL - Accountability for security success - Governance of security program
- 13. Recommendations ● Sure, handle alerts, but be aware that this is not your entire world ● Make analysts and engineers friends; no walls in SOC ● Hire skills, not levels ● Automate routines, and keep fuzzy tasks for people (hunt) ● Prepare to trust 3rd parties with some tasks ● Keep your SIEM, but be aware that SOC visibility is broader than logs ● Ah, and read https://medium.com/anton-on-security :-)
- 14. Intermission: Is SOC Dead? ● SOC as a CROWDED ROOM may be dead… ● SOC as a detection and response team is NOT dead. ● Can it ever be dead? Well, now, this is a topic for another time …