Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
An Ode to Cybersecurity
In digital realms where secrets dwell, cyber guardians stand without fear
Vigilance unyielding and purpose clear
When breaches occur, they arise to analyze forensic and clues
Tracing digital footprints, seeking the source
Thwarting the adversary’s remorseless course.
So here’s to the defenders, the silent brigade
Their battle fought in the binary shade
They stand as our shield, night and day.
- Copilot with prompting/editing by Mark Simos
The No BS SOC
Mark Simos
Lead Cybersecurity Architect, Microsoft
Zero Trust Architecture Co-Chair, The Open Group
Author, ZeroTrustPlaybook.com
aka.ms/MarksList
Agenda – the No BS SOC
• Who is this dude? Where does this come from?
• Where does the SOC BS come from?
• SecOps Antipatterns – Common mistakes across SOCs
• What does good look like? Mission, Success Factors, & Metrics
• Challenges – Continuously Changing Threats & Risk of Burnout
• How is AI changing SecOps?
• Story of a SOC - How SecOps Teams, Careers, and Skills Grow
• Call To Action: Stay Focused on What Matters!
About the Chef
Mark Simos – Lead Cybersecurity Architect, Microsoft; Zero Trust Architecture Co-Chair, The Open Group; Author, Zero Trust Playbook (ZeroTrustPlaybook.com); aka.ms/MarksList

Security Adoption Framework (SAF)
Zero Trust security modernization rapidly reduces organizational risk

SAF Brings Clarity to Security
Enables security execution by connecting and organizing security problems, solutions, and models. The slide is a word cloud of the topics SAF organizes:
• Threats and attacks: Ransomware, Business Email Compromise (BEC), Phishing, Social Engineering, Nation State / APTs, Botnets, Dark Markets / Criminal Forums, DDoS, Insider Risk, Lateral Movement, Firmware threats
• Disciplines and programs: Security Metrics, Board Reporting / Align Security to Business Risk, Governance/Risk/Compliance (GRC), Supply Chain Risk Management, Security Education & Awareness, Vulnerability Management, Patch Management, Incident Response, Incident Management, SecOps/SOC, Threat Hunting / Detection Engineering, Threat Intelligence (Data & Discipline), Red/Purple Teams & Penetration Testing, App Security & DevSecOps, Information Protection / Data Security, OT & IoT Security, Cloud Security & CSPM/CNAPP, Hybrid Cloud, BYOD Security
• Technologies and models: Artificial Intelligence (AI), Machine Learning (ML), XDR + SIEM, Endpoint Security, PAWs, DLP, PIM/PAM, MFA, SSO, IDaM, CASB, Firewalls & WAFs, SD-WAN / Software Defined Perimeter, SASE, Beyond VPN / Security Service Edge (SSE), Network + Identity Convergence, Identity is the ‘new perimeter’
• Microsoft products shown: Copilot, Defender, Sentinel, Purview, Intune, Entra

SAF structure (diagram):
• Audiences: Business Leadership (CEO); Technical Leadership (CISO, CIO); Architects & Technical Managers (Implementation)
• Layers: Business and Security Integration; Security Strategy, Programs, and Epics; Technical Planning, Architecture and Policy; Implementation and Operation
• Content: Security Strategy and Program; End to End Zero Trust Architecture; Securing Digital Transformation; Secure Identities and Access; Modern Security Operations (SecOps/SOC); Infrastructure & Development Security; Data Security & Governance; IoT and OT Security

Microsoft Cybersecurity Reference Architectures (MCRA)
Coordinated & integrated end-to-end security across the ‘hybrid of everything’ (on-prem, multi-cloud, IoT, OT, etc.)

Workshops available in Microsoft Unified: Engaging Business Leaders on Security; CISO Workshop; Security Capability Adoption Planning (SCAP); Technical Capabilities Implementation; Technology Implementation & Optimization. Includes Reference Plans.
Where does the SOC BS come from?
Common BS:
• Too high level (not actionable)
• Too low level (too technical/specific)
• Vendor biased
• Outdated or just plain wrong
Such guidance may contain nuggets of wisdom, but they are buried in poop.

‘Silver Bullet’ Mindset – believing a single solution could magically solve 100% of a complex problem
➢ Making/believing an absolute claim
➢ Waiting for a perfect solution
➢ Lack of lifecycle thinking

Technology-Centric Thinking – believing security is about technology instead of protecting an organization’s business assets
➢ Ignoring burnout, collaboration, training, etc.
➢ Expecting tools to solve people/process problems
Adversaries have a goal and a plan. Do you?
The adversary’s goal is typically money. At some point the adversary has to do something anomalous; you have to spot that and quickly react to it. Mean Time To Acknowledge (MTTA) measures how fast you spot it, Mean Time To Remediate (MTTR) how fast you react.

Mission
Reduce organizational risk by limiting the attacker dwell time (how long attackers can access business assets) through rapid detection and response.
Security Operations
Key Cultural Elements
• Mission Alignment
• Continuous Learning
• Teamwork
Key Measurements
• Attacker Dwell Time – via Mean Time to Remediate (MTTR)
• Responsiveness/Capacity – via Mean Time to Acknowledge (MTTA)
Metrics should never be punitive
Attackers have a vote too!
Partner for Success
SecOps requires strong
relationships and processes to
help architects and engineers
block preventable attacks
(which otherwise flood SecOps)
What Matters in Security Operations?
• Minutes matter – rapidly detecting and evicting attackers limits damage and risk to your organization
• People matter – Human judgement is critical. Continuous learning is required to keep up with technology, processes, and attack techniques.
• Process matters – clarity and execution across internal and external teams is required for accuracy, impact, and speed.
• Technology matters – Simplify and automate common tasks to reduce frustration/burnout and keep people focused where needed most.
• Intelligence matters – it provides current context for people and tools
• Teamwork matters! – Collaboration across individuals & teams is critical to success!

Microsoft’s CDOC is the main source of best practices
Best practices and recommendations are directly sourced from Microsoft’s Cyber Defense Operations Center (CDOC) or validated against current practices.
Common Security Operations (SecOps/SOC) antipatterns
Common mistakes impede SecOps effectiveness and increase burnout
Best practice – Develop and implement a
Security Operations (SecOps/SOC) strategy
focused on clear outcomes across people,
process, and technology
This workshop includes references to help
you define and rapidly improve:
• Mission and Metrics
• Organizational Functions and Teams
(including use cases and scenarios)
• Business and Technical processes
• SOC Architecture, Tooling, and
Integration
• Skill education and enablement
• Automation Strategy
• Data strategy
Toolapalooza! – buying many tools without integration forces analysts into swivel chair analytics mode
Shiny Object Syndrome – prioritizing “cool” advanced scenarios/tools before critical basic outcomes and controls
Collection is not Detection – focusing on collecting data instead of finding and removing adversary access
One tool to rule them all – false belief that a single tool (SIEM, EDR, or other) solves all problems
‘Network is only source of truth’ – false belief that you only need network data to detect and investigate attacks
Not invented here – focusing on custom solutions and queries instead of established commercial tooling
Implementation without requirements
Recommended SecOps Metrics
Metric | Target | What it tells you
Dwell Time: Mean Time to Remediate (MTTR) | < ## hours | Direct organizational risk
Responsiveness: Mean Time to Acknowledge (MTTA) | < ## minutes | Analyst capacity (for actual caseload)
Caseload: # Cases handled by each team | Tracking | Impact on human analysts
Automation: # of Cases processed by SOAR | Tracking | SOAR effectiveness
Detection Fidelity: % True Positive + Benign Positive | > ##% | Detection noisiness/quality
SecOps Platform Availability: % of uptime | > ##% | How reliable the tools are
Case Resolution: Case volume by resolution | (tracked) | General view of trends
(The slide also shows a status indicator and the current & previous months’ values for each metric.)

Track trends to understand changes from:
• Adversaries & Threats
• SecOps investments (detections, tools, process improvements, training, staffing levels, etc.)
Metrics should never be punitive. Attackers have a vote too!
Evolution of threats and security analyst priorities
Major changes over time (chart of analyst priority versus time):
• Democratization of credential theft tooling (~2008)
• Encrypting ransomware (~2013) – nuisance ransomware (per machine)
• [Human operated] ‘Big Game’ ransomware (~2019) – commodity players re-sell access to ransomware/extortion operators

The slide ranks three current priorities:
• Ransomware/extortion attacks
• Commodity attacks – commodity players re-sell access to ransomware/extortion operators
• Advanced attacks – few/rare targets (high R&D cost), including nation states and other ‘advanced persistent threats (APTs)’; increasing prevalence of advanced tools

Ruthlessly prioritize: every incident is important, but urgency will vary.
The passion that drives greatness can also cause burnout
Address each source of fatigue that leads to burnout and attrition:
• Exhaustion from protecting the organization – non-stop investigation and eviction of attackers. Mitigation: schedule time for rest, learning, & self-care. Managers burn out too!
• Doing other people’s jobs – doing tasks that require different skillsets. Mitigation: establish and integrate supporting roles:
➢ Implement and maintain tools (Security Engineers)
➢ Analyze/report on defense improvements (Architects)
➢ Manage & coordinate incidents (Incident Management)
➢ Research attacks and other questions (Threat Intelligence)
➢ Scan and report on vulnerabilities (Posture Management)
• Wasted effort on false positives & repetitive manual tasks. Mitigation: improve tooling and processes:
➢ Filter out low-quality detections (requires hunting over them)
➢ Automation & advanced analytics (using SOAR, UEBA, and ML/AI)
➢ Integrated threat intelligence to enrich, filter, and prioritize detections
• No recognition for hard work, skills, and contributions. Mitigation: document & celebrate wins
• Prioritize ruthlessly: what is critical vs. what to ignore!
The Role of Artificial Intelligence (AI) in SecOps
Machine Learning is already revolutionizing SecOps
ML integrated into XDR and SIEM technology enables data analysis and anomaly detection over mountains of data
Generative AI will change how SecOps works & learns
Generative AI provides a natural language computer interface that simplifies the use of complex systems and speeds up learning new skills
Top Microsoft Security Copilot scenarios
Incident response capabilities are the top priority (combining generative AI with security-specific ML/AI capabilities)
Evolution of Computer Interfaces
Progressively becoming more natural/native human models, from native computer to native human: direct programming, then the command prompt, then the Graphical User Interface (GUI), then generative AI chat/conversation. The chart plots two trends across these steps: the skills and learning required to become productive, and the ability (and speed) to accomplish advanced tasks.
Security Copilot Priority Use Cases
• Impact Analysis – Summarize the impact of an incident to enable better reporting and planning/prioritization of mitigations against future attacks.
• Guided Incident Response – Surface an ongoing incident, assess its scale, and get instructions to begin remediation based on proven tactics from real-world security incidents.
• Discover whether your organization is susceptible to known vulnerabilities and exploits. Prioritize risks and address vulnerabilities with guided recommendations.
• Reverse engineering of scripts
• Incident Summarization – Summarize any event, incident, or threat in seconds and prepare the information in a ready-to-share, customizable report for your desired audience.
Security Operations Capabilities
Enabling a people-centric function focused on rapid remediation of realized risk

Enterprise assets – multiple generations of technology spanning clouds, devices, operating systems, applications, data formats, and more: Information & Data; Applications (SaaS, AI, legacy, DevOps, and other); Endpoint & Mobile; Identity & Access Management; OT & IoT; Platform as a Service (PaaS); Infrastructure & Apps; Network

Layers of the reference architecture (bottom to top):
• Raw Data – Security & Activity Logs
• Deep Insights – Actionable alerts derived from deep knowledge of assets and advanced analytics. Extended Detection and Response (XDR): high quality detection for each asset + investigation and remediation capabilities, connected via API integration
• Broad Enterprise View – Correlated/Unified Incident View. Security Information and Event Management (SIEM): hunting + investigation platform with automation and orchestration (including machine learning (ML), User/Entity Behavior Analytics (UEBA), & a security data lake)
• Expert Assistance – Enabling analysts with scarce skills: Managed Detection and Response (outsourced technical functions); Incident Response/Recovery Assistance (technical, legal, communication, and other); Generative AI (simplifies tasks and performs advanced tasks through a chat interface)

Cross-cutting elements:
• Case Management – ensure consistent workflow and measurement of success
• Threat Intelligence (TI) – critical security context
• Automation (SOAR) – reduces analyst effort/time per incident, increasing SecOps capacity
• Analysts and Hunters – align to mission + continuously improve: measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
Microsoft Reference Architecture (December 2023 – https://aka.ms/MCRA)
Microsoft Threat Intelligence – 65+ trillion signals per day of security context & human expertise
Legend (line styles on the diagram): consulting and escalation; outsourcing; native resource monitoring; event log based monitoring; investigation & proactive hunting

• Raw Data – Security & Activity Logs (classic SIEM). Security & network sources provide actionable security detections, raw logs, or both.
• Deep Insights – Actionable detections from an XDR tool with deep knowledge of assets, AI/ML, UEBA, and SOAR. Microsoft Defender XDR (Extended Detection and Response) with SOAR – automated investigation and response (AutoIR), covering Infrastructure & Apps, PaaS, OT & IoT, Identity & Access Management, Endpoint & Mobile, Information, and Applications (SaaS, AI, legacy, DevOps, and other):
➢ Defender for Cloud – containers, servers & VMs, SQL, Azure app services, network traffic
➢ Defender for IoT & OT
➢ Defender for Identity and Entra ID Protection
➢ Defender for Endpoint
➢ Defender for Cloud Apps
➢ Defender for Office 365
• Broad Enterprise View – Correlated/Unified Incident View. Microsoft Sentinel: Security Information & Event Management (SIEM); Security Orchestration, Automation, and Response (SOAR); Machine Learning (ML) & AI; Behavioral Analytics (UEBA); Security Data Lake. SOAR reduces analyst effort/time per incident, increasing SecOps capacity. Case management sits alongside. Connected via API integration.
• Expert Assistance – Enabling analysts with scarce skills:
➢ Managed Security Operations – Microsoft Security Experts: Managed XDR, managed threat hunting
➢ Incident response – formerly the Detection and Response Team (DART)
➢ Security Operations Modernization
➢ Microsoft Security Copilot (Preview) – simplifies the experience for complex tasks/skills
• Analysts and Hunters – Align to mission + continuously improve: measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
Evolution and Sources of SecOps Roles
As security operations grows and matures, specialized roles split out of the core team.
• Core functions: Triage (Tier 1) – high volume detections; Investigation (Tier 2) – high complexity detections; Threat Hunting & Detection Engineering (Tier 3); Incident Response
• Smaller organizations, and large organizations earlier in maturity/growth, cover these with a small team; larger organizations (later in maturity/growth) add dedicated roles:
➢ Threat Hunting
➢ Detection Engineering
➢ Purple & Red Teaming
➢ Penetration Testing
➢ Digital Forensics
➢ Reverse Engineering
➢ Incident Management
➢ Threat Intelligence (intelligence professionals)
➢ SecOps Management
➢ Automation & data science as dedicated roles or shared service(s)
• Some of these are deep or external specialties rather than in-house roles.
• Insider Risk investigation capabilities are often incubated in security operations teams.
Growth Path of Security Operations
Typical stages as the team grows and matures:
• Part Time – part-time analyst duties
• Small – dedicated team with a single manager
• Medium – multiple SOC managers
• Large – 24x7 coverage; dedicated specialized teams
Not all organizations need (or can afford) a large team. Partnership with IT Operations and other teams is critical for any size team.
Building a SecOps team – Stage 1: Part-time staffing
Detection response by part-time analysts. Often seen in small organizations or early stages of building a capability. Sometimes staffed by non-security teams (IT Operations, Support, etc.).
Core Functions: Triage; Investigation; IR from a single alert queue; Basic hunting; 24x7 on call
Tooling: XDR (Endpoint/Email/Identity + Automation); Case management; Security Information and Event Management (SIEM); Enforce detection quality
XDR is ideal for starting out (vs. SIEM):
• Simpler to install & use (less time/expertise)
• Produces results immediately
• Includes automation (SOAR) for common tasks
Many Security Operations teams started out with SIEM because it was the only technology available at the time.
Building a SecOps team – Stage 2: Full-time staff (small team)
Full-time analysts performing specific roles. On-call rotation for 24x7 coverage.
Core Functions: Triage; Investigation; Hunting; IR from a single alert queue; Basic hunting; Enforce detection quality; 24x7 on call
Tooling: XDR (All Assets + Automation); Case management; Security Information & Event Management (SIEM); BI/Reporting tools; Advanced SOAR and Analytics (AI/ML, UEBA, etc.)
Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting; Advanced Hunting
• XDR extends to all assets
• Basic hunting keeps noise out of the triage queue without missing attacks (e.g. senior analysts reviewing low fidelity detections once a day)
• Advanced tooling increases process maturity as the team grows
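The "enforce detection quality" tooling item and the basic-hunting note (senior analysts sweep low-fidelity detections once a day instead of letting them flood triage) can be made mechanical. The following added example is not from the slides or any Microsoft product: it routes each alert by its rule's measured fidelity, using the slide's definition (true positives plus benign positives), holds unproven rules in the hunt queue until they have enough verdicts, and flags rules that are proven noisy. The thresholds, rule names and verdict history are constructed for illustration.

```python
"""Detection quality gate: route alerts to triage or daily hunt review by rule fidelity (added example)."""
from collections import defaultdict, deque

GOOD_VERDICTS = {"true_positive", "benign_positive"}  # fidelity counts both, as in the metrics table
ALL_VERDICTS = GOOD_VERDICTS | {"false_positive"}
MIN_VERDICTS = 10        # a rule needs this many verdicts before it can earn the triage queue
TRIAGE_FIDELITY = 0.5    # below this, alerts go to the daily hunt pass instead of interrupting triage
RETIRE_FIDELITY = 0.1    # below this, flag the rule for tuning or removal
WINDOW = 50              # only the most recent verdicts count, so a tuned rule can recover


class DetectionQualityGate:
    def __init__(self):
        self.history = defaultdict(lambda: deque(maxlen=WINDOW))  # rule -> recent verdicts
        self.triage = []        # (severity, alert), highest severity first for analysts
        self.hunt_review = []   # low-fidelity or unproven alerts for a senior analyst's daily pass

    def record_verdict(self, rule, verdict):
        """Feed the analyst's (or SOAR's) closing verdict back to the rule's history."""
        if verdict not in ALL_VERDICTS:
            raise ValueError(f"unknown verdict {verdict!r}")
        self.history[rule].append(verdict)

    def fidelity(self, rule):
        """Share of recent verdicts that were real activity; None while the rule is unproven."""
        verdicts = self.history[rule]
        if len(verdicts) < MIN_VERDICTS:
            return None
        return sum(v in GOOD_VERDICTS for v in verdicts) / len(verdicts)

    def route(self, alert):
        """Place the alert on 'triage' or 'hunt' and return which."""
        f = self.fidelity(alert["rule"])
        if f is not None and f >= TRIAGE_FIDELITY:
            self.triage.append((alert["severity"], alert))
            # Severity orders the queue; the sort is stable, so ties keep arrival order.
            self.triage.sort(key=lambda pair: -pair[0])
            return "triage"
        # Unproven rules land here too: they must earn triage with verdicts from hunting.
        self.hunt_review.append(alert)
        return "hunt"

    def rules_to_tune(self):
        """Rules with enough verdicts that almost never turn out to be real."""
        noisy = []
        for rule in list(self.history):
            f = self.fidelity(rule)
            if f is not None and f < RETIRE_FIDELITY:
                noisy.append(rule)
        return sorted(noisy)


# Constructed verdict history per rule (rule names are invented).
SAMPLE_HISTORY = {
    "credential_dump_lsass": ["true_positive"] * 11 + ["false_positive"],
    "impossible_travel": ["benign_positive"] * 8 + ["true_positive"] * 4 + ["false_positive"] * 8,
    "rare_process_parent": ["true_positive"] * 2 + ["false_positive"] * 38,
    "unapproved_ai_app_access": ["true_positive"] * 3,   # new rule, not yet proven
}
# Constructed incoming alerts.
SAMPLE_ALERTS = [
    {"id": "A1", "rule": "credential_dump_lsass", "severity": 9},
    {"id": "A2", "rule": "rare_process_parent", "severity": 5},
    {"id": "A3", "rule": "impossible_travel", "severity": 4},
    {"id": "A4", "rule": "unapproved_ai_app_access", "severity": 7},
    {"id": "A5", "rule": "credential_dump_lsass", "severity": 9},
]


def build_gate(history=SAMPLE_HISTORY):
    gate = DetectionQualityGate()
    for rule, verdicts in history.items():
        for v in verdicts:
            gate.record_verdict(rule, v)
    return gate


def demo():
    """Route the sample alerts; returns the gate and a map of alert id -> queue."""
    gate = build_gate()
    routes = {a["id"]: gate.route(a) for a in SAMPLE_ALERTS}
    return gate, routes


if __name__ == "__main__":
    gate, routes = demo()
    print(routes)
    print("triage order:", [a["id"] for _, a in gate.triage])
    print("rules to tune:", gate.rules_to_tune())
```

The sliding window is the part that keeps this honest: a rule demoted for noise is re-evaluated on its most recent verdicts only, so detection engineering can tune it, hunt over it for a while, and see it return to the triage queue once the new verdicts justify that, without anyone having to remember to flip a flag.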
Building a SecOps team – Stage 3: Full-time staff (medium team)
Full-time teams focused on different functions. Triage often extends to multiple shifts; on-call rotation for managers, investigation, and hunting.
Core Functions: Triage; Investigation; Hunting; IR from a single alert queue; Basic hunting; Enforce detection quality; 24x7 on call or on shift
Tooling: XDR (All Assets); Case management; Security Information & Event Management (SIEM); BI/Reporting tools; Advanced SOAR and Analytics (AI/ML, UEBA, etc.)
Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting; Advanced Hunting
• Define inter-team processes, metrics, and tooling
• Build advanced/support functions for multi-team operations
• Increasing focus on advanced SOAR automation/orchestration, advanced hunting, and detection engineering
Building a SecOps team – Stage 4: Full-time staff (large team on shifts)
24x7 global operations with 24x7 triage coverage on shift.
Core Functions: Triage; Investigation; Hunting; IR from a single alert queue; Advanced hunting; Enforce detection quality; 24x7 on shift
Tooling: XDR (All Assets + Automation); Case management; Security Information & Event Management (SIEM); BI/Reporting tools; Advanced SOAR and Analytics (AI/ML, UEBA, etc.)
Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting
• A dedicated BI function enables continuous improvement
• Complex operations require sophisticated inter-team processes, metrics, tooling, & advanced/support functions
Stay Focused on what matters!
• Minutes matter – rapidly detecting and evicting attackers limits damage and risk to your organization
• People matter – Human judgement is critical. Continuous learning is required to keep up with technology, processes, and attack techniques.
• Process matters – clarity and execution across internal and external teams is required for accuracy, impact, and speed.
• Technology matters – Simplify and automate common tasks to reduce frustration/burnout and keep people focused where needed most.
• Intelligence matters – it provides current context for people and tools
• Teamwork matters! – Collaboration across individuals & teams is critical to success!
Microsoft’s CDOC is the main source of best practices: recommendations are directly sourced from Microsoft’s Cyber Defense Operations Center (CDOC) or validated against current practices.
Resources. Questions?
aka.ms/MarksList
Mark’s List ...of Cybersecurity Resources
frequently sent to customers and colleagues.
ZeroTrustPlaybook.com
For all roles - Simple language and description of concepts that
everyone from the board room to technologists need to understand
▪ Zero trust overview
Security for the modern world we are in
▪ Playbook introduction
Methodology to get there and do it well
aka.ms/SAF
Security Adoption Framework (SAF) - Guides Zero Trust security
modernization and business alignment using recommended initiatives

Presented at Tampa BSides, April 6, 2024.

 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
 
Soar cybersecurity
Soar cybersecuritySoar cybersecurity
Soar cybersecurity
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 
Why Should Organizations Consider Extended Detection and Response (XDR)?
Why Should Organizations Consider Extended Detection and Response (XDR)?Why Should Organizations Consider Extended Detection and Response (XDR)?
Why Should Organizations Consider Extended Detection and Response (XDR)?
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
The SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guideThe SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guide
 
SOC 3.0: strategic threat intelligence May 2016
SOC 3.0: strategic threat intelligence May 2016SOC 3.0: strategic threat intelligence May 2016
SOC 3.0: strategic threat intelligence May 2016
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real World
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA
 
Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault   how to build a security operations center (on a budget) (2017, a...Alienvault   how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...
 
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SCCyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
 
What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 

Dernier

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 

Dernier (20)

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)

  • 1. An Ode to Cybersecurity
    In digital realms where secrets dwell, cyber guardians stand without fear
    Vigilance unyielding and purpose clear
    When breaches occur, they arise to analyze forensic and clues
    Tracing digital footprints, seeking the source
    Thwarting the adversary’s remorseless course.
    So here’s to the defenders, the silent brigade
    Their battle fought in the binary shade
    They stand as our shield, night and day.
    - Copilot with prompting/editing by Mark Simos
  • 2. The No BS SOC
    Mark Simos
    Lead Cybersecurity Architect, Microsoft
    Zero Trust Architecture Co-Chair, The Open Group
    Author, ZeroTrustPlaybook.com
    aka.ms/MarksList
  • 3. Agenda – the No BS SOC
    • Who is this dude? Where does this come from?
    • Where does the SOC BS come from?
    • SecOps Antipatterns – Common mistakes across SOCs
    • What does good look like? Mission, Success Factors, & Metrics
    • Challenges – Continuously Changing Threats & Risk of Burnout
    • How is AI changing SecOps?
    • Story of a SOC - How SecOps Teams, Careers, and Skills Grow
    • Call To Action: Stay Focused on What Matters!
  • 4. About the Chef
    Mark Simos
    Author, Zero Trust Playbook (ZeroTrustPlaybook.com)
    aka.ms/MarksList
    Zero Trust Architecture Co-Chair, The Open Group
    Lead Cybersecurity Architect, Microsoft
  • 5. Security Adoption Framework (SAF)
    Zero Trust security modernization rapidly reduces organizational risk
    SAF Brings Clarity to Security – Enables security execution by connecting and organizing security problems, solutions, and models
    Topics shown on the slide: Artificial Intelligence (AI); Security Metrics; Information Protection / Data Security; PAWs; DLP; Ransomware; Business Email Compromise (BEC); OT & IoT Security; Firmware threats; Incident Response; SecOps/SOC; Nation State / APTs; PIM/PAM; Beyond VPN / Security Service Edge (SSE); Cloud Security & CSPM/CNAPP; Social Engineering; Supply Chain Risk Management; Botnets; Dark Markets / Criminal Forums; Vulnerability Management; Threat Hunting / Detection Engineering; Hybrid Cloud; Identity is the ‘new perimeter’; CASB; Firewalls & WAFs; XDR + SIEM; SD-WAN / Software Defined Perimeter; Board Reporting / Align Security to Business Risk; Governance/Risk/Compliance (GRC); Network + Identity Convergence; IDaM; Security Education & Awareness; BYOD Security; Phishing; App Security & DevSecOps; Lateral Movement; DDoS; Insider Risk; Threat Intelligence (Data & Discipline); Patch Management; Machine Learning (ML); SASE; Incident Management; MFA; SSO; Endpoint Security; Red/Purple Teams & Penetration Testing
    Product names shown on the slide: Copilot; Defender; Sentinel; Purview; Intune; Entra
  • 6. Security Adoption Framework (SAF) – Zero Trust security modernization rapidly reduces organizational risk
    Coordinated & integrated end-to-end security across the ‘hybrid of everything’ (on-prem, multi-cloud, IoT, OT, etc.)
    Audience → focus area → workshop (Workshops available in Microsoft Unified):
    • Business Leadership (CEO) → Security Strategy and Program → CISO Workshop: Business and Security Integration; Engaging Business Leaders on Security; Security Strategy, Programs, and Epics; Securing Digital Transformation
    • Technical Leadership (CISO, CIO) → End to End Zero Trust Architecture → Microsoft Cybersecurity Reference Architectures (MCRA): Architecture and Policy
    • Architects & Technical Managers → Technical Planning → Security Capability Adoption Planning (SCAP), includes Reference Plans: Secure Identities and Access; Modern Security Operations (SecOps/SOC); Infrastructure & Development Security; Data Security & Governance; IoT and OT Security
    • Implementation → Implementation and Operation → Technical Capabilities Implementation; Technology Implementation & Optimization
  • 7. Where does the SOC BS come from?
    Common BS
    • Too high level (not actionable)
    • Too low level (too technical/specific)
    • Vendor Biased
    • Outdated or Just Plain Wrong
    Contain nuggets of wisdom, but they are buried in poop
    ‘Silver Bullet’ Mindset – Believing a single solution could magically 100% solve a complex problem
    ➢ Making/believing an absolute claim
    ➢ Waiting for a perfect solution
    ➢ Lack of lifecycle thinking
    Technology-Centric Thinking – Believing security is about technology instead of protecting an organization’s business assets
    ➢ Ignoring burnout, collaboration, training, etc.
    ➢ Expecting tools to solve people/process problems
    Adversaries have a goal and a plan. Do you?
    Money
  • 8. Security Operations
    Mission – Reduce organizational risk by limiting the attacker dwell time (how long attackers can access business assets) through rapid detection and response.
    At some point the adversary has to do something anomalous… You have to spot that and quickly react to it
    Key Measurements
    • Attacker Dwell Time – via Mean Time to Remediate (MTTR)
    • Responsiveness/Capacity – Mean Time to Acknowledge (MTTA)
    Key Cultural Elements
    • Mission Alignment
    • Continuous Learning
    • Teamwork
    Metrics should never be punitive
    Attackers have a vote too!
    Partner for Success – SecOps requires strong relationships and processes to help architects and engineers block preventable attacks (which otherwise flood SecOps)
  • 9. What Matters in Security Operations?
    Minutes Matter – rapidly detecting and evicting attackers will limit damage and risk to your organization
    • People matter – Human judgement is critical. Continuous learning is required to keep up with technology, processes, and attack techniques.
    • Process matters – clarity and execution across internal and external teams is required for accuracy, impact, and speed.
    • Technology matters – Simplify and automate common tasks to reduce frustration/burnout and keep people focused where needed most.
    • Intelligence matters – to provide current context for people and tools
    Teamwork matters! – Collaboration across individuals & teams is critical to success!
    Microsoft CDOC is main source of best practices – Best practices and recommendations are directly sourced from Microsoft’s Cyber Defense Operations Center (CDOC) or validated against current practices.
  • 10. Common Security Operations (SecOps/SOC) antipatterns
    Common mistakes impede SecOps effectiveness and increase burnout
    • Toolapalooza! – Buying many tools without integration forces analysts into swivel chair analytics mode
    • Shiny Object Syndrome – Prioritizing “cool” advanced scenarios/tools before critical basic outcomes and controls
    • Collection is not Detection – Focusing on collecting data instead of finding and removing adversary access
    • One tool to rule them all – False belief that a single tool solves all problems (SIEM, EDR, or other)
    • ‘Network is only source of truth’ – false belief that you only need network data to detect and investigate attacks
    • Not invented here – focusing on custom solutions and queries instead of established commercial tooling
    • Implementation without requirements
    Best practice – Develop and implement a Security Operations (SecOps/SOC) strategy focused on clear outcomes across people, process, and technology
    This workshop includes references to help you define and rapidly improve:
    • Mission and Metrics
    • Organizational Functions and Teams (including use cases and scenarios)
    • Business and Technical processes
    • SOC Architecture, Tooling, and Integration
    • Skill education and enablement
    • Automation Strategy
    • Data strategy
  • 11. Recommended SecOps Metrics
    Mean Time To Acknowledge (MTTA) → Mean Time To Remediate (MTTR) (attacker dwell time)
    Metric | Target | Status: Current & Previous Months | What it tells you
    Dwell Time: Mean Time to Remediate (MTTR) | <## hours | | Direct organizational risk
    Responsiveness: Mean Time to Acknowledge (MTTA) | <## minutes | | Analyst capacity (for actual caseload)
    Caseload: # Cases Handled by each team | Tracking | | Understand impact on human analysts
    Automation: # of Cases processed by SOAR | Tracking | | SOAR effectiveness
    Detection Fidelity: % True Positive + Benign Positive | >##% | | Detection Noisiness/Quality
    SecOps Platform Availability: % of uptime | >##% | | How reliable are tools
    Case Resolution: Case volume by resolution | | | General view of trends
    Track Trends to understand changes from
    • Adversaries & Threats
    • SecOps investments (detections, tools, process improvements, training, staffing levels, etc.)
    Metrics should never be punitive
    Attackers have a vote too!
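An added example (not code from the talk or from Microsoft) that rolls the slide's recommended metrics up from a case list: MTTA in minutes, MTTR in hours as the dwell-time proxy, caseload per team, share of cases processed by SOAR, detection fidelity (true positive + benign positive) and volume by resolution, then checks them against targets. The Case fields, the sample cases and the target values are constructed assumptions, and restricting MTTR to true positives is this example's choice, not something the slide states.

```python
"""SecOps metrics roll-up for the 'Recommended SecOps Metrics' slide.
Added example; case records, field names and targets are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Case:
    case_id: str
    team: str
    created: datetime                  # detection fired / case opened
    acknowledged: Optional[datetime]   # analyst or SOAR picked it up
    remediated: Optional[datetime]     # attacker access removed / case closed
    resolution: str                    # true_positive | benign_positive | false_positive
    automated: bool                    # processed end to end by a SOAR playbook


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def mtta_minutes(cases) -> float:
    """Responsiveness/capacity: mean minutes from creation to acknowledgement.
    Still-unacknowledged cases are excluded; they need a cutoff time to count."""
    waits = [_minutes(c.created, c.acknowledged) for c in cases if c.acknowledged]
    return mean(waits) if waits else 0.0


def mttr_hours(cases) -> float:
    """Dwell-time proxy: mean hours from creation to remediation, over true
    positives only (benign/false positives have no attacker to evict and
    would make dwell time look shorter than it is)."""
    hours = [_minutes(c.created, c.remediated) / 60.0
             for c in cases if c.remediated and c.resolution == "true_positive"]
    return mean(hours) if hours else 0.0


def caseload_by_team(cases) -> dict:
    """Caseload: # cases handled by each team."""
    out: dict = {}
    for c in cases:
        out[c.team] = out.get(c.team, 0) + 1
    return out


def soar_automation_rate(cases) -> float:
    """Automation: fraction of cases processed by SOAR (0..1)."""
    return sum(c.automated for c in cases) / len(cases) if cases else 0.0


def detection_fidelity(cases) -> float:
    """Detection fidelity: (true positive + benign positive) / all cases (0..1)."""
    good = sum(c.resolution in ("true_positive", "benign_positive") for c in cases)
    return good / len(cases) if cases else 0.0


def volume_by_resolution(cases) -> dict:
    """Case resolution: case volume by resolution."""
    out: dict = {}
    for c in cases:
        out[c.resolution] = out.get(c.resolution, 0) + 1
    return out


def check_targets(cases, mtta_target_min: float, mttr_target_h: float,
                  fidelity_target: float) -> dict:
    """Compare the roll-up with the slide's '<## minutes', '<## hours', '>##%'
    style targets. Returns metric -> (rounded value, target met)."""
    mtta, mttr, fid = mtta_minutes(cases), mttr_hours(cases), detection_fidelity(cases)
    return {
        "mtta_minutes": (round(mtta, 2), mtta < mtta_target_min),
        "mttr_hours": (round(mttr, 2), mttr < mttr_target_h),
        "detection_fidelity": (round(fid, 3), fid > fidelity_target),
    }


# Constructed one-month sample caseload (not real data).
T0 = datetime(2024, 4, 1, 8, 0)
SAMPLE_CASES = [
    Case("C1", "triage", T0, T0 + timedelta(minutes=5), T0 + timedelta(hours=2), "true_positive", False),
    Case("C2", "triage", T0, T0 + timedelta(minutes=15), T0 + timedelta(hours=6), "true_positive", False),
    Case("C3", "triage", T0, T0 + timedelta(minutes=1), T0 + timedelta(minutes=30), "benign_positive", True),
    Case("C4", "investigation", T0, T0 + timedelta(minutes=40), T0 + timedelta(hours=28), "true_positive", False),
    Case("C5", "triage", T0, T0 + timedelta(minutes=2), T0 + timedelta(minutes=10), "false_positive", True),
    Case("C6", "triage", T0, None, None, "true_positive", False),  # open, not yet acknowledged
]


if __name__ == "__main__":
    for name, (value, met) in check_targets(SAMPLE_CASES, 30, 24, 0.7).items():
        print(f"{name}: {value} (target met: {met})")
    print("caseload by team:", caseload_by_team(SAMPLE_CASES))
    print("SOAR automation rate:", round(soar_automation_rate(SAMPLE_CASES), 3))
    print("volume by resolution:", volume_by_resolution(SAMPLE_CASES))
```

Trend the same numbers month over month, as the slide says, rather than reading one month in isolation; the open case C6 shows why MTTA needs a cutoff rule before it can be compared across months.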
  • 12. Evolution of threats and security analyst priorities
    Commodity attacks → nuisance ransomware (per machine) → Ransomware/Extortion attacks; Commodity players re-sell access to ransomware/extortion operators
    Advanced attacks – Few/rare targets (High R&D Cost); Increasing prevalence of advanced tools; Including Nation States and other ‘advanced persistent threats (APTs)’
    MAJOR CHANGES
    • Democratization of Credential Theft Tooling (~2008)
    • Encrypting Ransomware (~2013)
    • [Human Operated] ‘Big Game’ Ransomware (~2019)
    Current Priorities (chart axes: Analyst Priority / Response)
    Ruthlessly prioritize: Every incident is important, but urgency will vary
  • 13. The passion that drives greatness can also cause burnout
    Address each source of fatigue that leads to burnout and attrition
    • Exhaustion – non-stop investigation and eviction of attackers (Protecting the organization) → Schedule time for rest, learning, & self-care; Prioritize ruthlessly (what is critical vs. what to ignore!)
    • Doing Other People’s Jobs – doing tasks that require different skillsets → Establish and integrate supporting roles: Implement and maintain tools (Security Engineers); Analyze/report on defense improvements (Architects); Manage & Coordinate Incidents (Incident Management); Research attacks and other questions (Threat Intelligence); Scan and report on vulnerabilities (Posture Management)
    • Wasted Effort on false positives & repetitive manual tasks → Improve Tooling and Processes: Filter out low-quality detections (requires hunting over them); Automation & Advanced Analytics (using SOAR, UEBA, and ML/AI); Integrated Threat Intelligence to enrich, filter, and prioritize detections
    • No recognition for hard work, skills, and contributions → Document & celebrate wins
    Managers burn out too!
  • 14. The Role of Artificial Intelligence (AI) in SecOps
    Machine Learning is already revolutionizing SecOps – Technology integrated into XDR and SIEM is enabling data analysis and anomaly detection over mountains of data
    Generative AI will change how SecOps works & learns – Generative AI enables a natural language computer interface that simplifies usage of complex systems and speeds up learning new skills
    Top Microsoft Security Copilot scenarios – Incident response capabilities are top priority (combines Generative AI and Security-specific ML/AI capabilities)
  • 15. Evolution of Computer Interfaces – Progressively becoming more natural/native human models
    Native Computer → Native Human: Direct programming → Command Prompt → Graphical User Interface (GUI) → Generative AI Chat/Conversation
    Chart axes: Skills and learning required to become productive; Ability (and speed) to accomplish advanced tasks
  • 16. Security Copilot Priority Use Cases
    • Incident Summarization – Summarize any event, incident, or threat in seconds and prepare the information in a ready-to-share, customizable report for your desired audience.
    • Impact Analysis – Summarize the impact of an incident to enable better reporting and planning prioritization of mitigations against future attacks.
    • Guided Incident response – Surface an ongoing incident, assess its scale, and get instructions to begin remediation based on proven tactics from real-world security incidents.
    • Discover whether your organization is susceptible to known vulnerabilities and exploits. Prioritize risks and address vulnerabilities with guided recommendations.
    • Reverse engineering of scripts
  • 17. Security Operations Capabilities (December 2023 – https://aka.ms/MCRA)
    Enterprise Assets – Multiple generations of technology spanning clouds, Devices, Operating Systems, Applications, Data Formats, and more: Information & Data; Applications (SaaS, AI, legacy, DevOps, and other); Endpoint & Mobile; Identity & Access Management; OT & IoT; Platform as a Service (PaaS); Infrastructure & Apps; Network
    Raw Data – Security & Activity Logs
    Deep Insights – Actionable alerts derived from deep knowledge of assets and advanced analytics: Extended Detection and Response (XDR) – High quality detection for each asset + investigation and remediation capabilities
    Broad Enterprise View / Correlated/Unified Incident View – Security Information and Event Management (SIEM): Hunting + Investigation platform with Automation and Orchestration (including machine learning (ML), User/Entity Behavior Analytics (UEBA), & Security Data Lake); API integration
    Automation (SOAR) reduces analyst effort/time per incident, increasing SecOps capacity
    Threat Intelligence (TI) – Critical security context
    Case Management – Ensure consistent workflow and measurement of success
    Expert Assistance – Enabling analysts with scarce skills: Generative AI – Simplifies tasks and performs advanced tasks through chat interface; Managed Detection and Response – Outsourced technical functions; Incident Response/Recovery Assistance – technical, legal, communication, and other
    Analysts and Hunters – Enabling a people-centric function focused on rapid remediation of realized risk
    Align to Mission + Continuously Improve – Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
  • 18. Microsoft Reference Architecture – Security Operations Modernization (December 2023 – https://aka.ms/MCRA)
    Legend: Consulting and Escalation; Outsourcing; Native Resource Monitoring; Event Log Based Monitoring; Investigation & Proactive Hunting
    Security & Network – Provide actionable security detections, raw logs, or both
    Raw Data – Security & Activity Logs (Classic SIEM)
    Deep Insights – Actionable detections from an XDR tool with deep knowledge of assets, AI/ML, UEBA, and SOAR: Microsoft Defender XDR – Extended Detection and Response (XDR); SOAR – Automated investigation and response (AutoIR)
    Assets covered: Infrastructure & Apps; PaaS; OT & IoT; Identity & Access Management {LDAP}; Endpoint & Mobile; Information; Applications (SaaS, AI, legacy, DevOps, and other)
    Products: Defender for Cloud (Containers; Servers & VMs; SQL; Azure app services; Network traffic); Defender for IoT & OT; Defender for Identity; Entra ID Protection; Defender for Endpoint; Defender for Cloud Apps; Defender for Office 365
    Broad Enterprise View / Correlated/Unified Incident View – Microsoft Sentinel: Security Incident & Event Management (SIEM); Security Orchestration, Automation, and Remediation (SOAR); Machine Learning (ML) & AI; Behavioral Analytics (UEBA); Security Data Lake; API integration
    SOAR reduces analyst effort/time per incident, increasing SecOps capacity
    Case Management
    Microsoft Threat Intelligence – 65+ Trillion signals per day of security context & Human Expertise
    Expert Assistance – Enabling analysts with scarce skills: Microsoft Security Copilot (Preview) – Simplifies experience for complex tasks/skills; Managed Security Operations – Microsoft Security Experts: Managed XDR; Managed threat hunting; Incident response (Formerly Detection & response team (DART))
    Analysts and Hunters
    Align to Mission + Continuously Improve – Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
  • 19. Evolution and Sources of SecOps Roles – As Security Operations Grows and Matures
    Smaller organizations / Large organization earlier in maturity/growth:
    • Triage (Tier 1) – High Volume Detections
    • Investigation (Tier 2) – High Complexity Detections
    • Threat Hunting & Detection Engineering (Tier 3)
    • Incident Response
    Larger organizations (later in maturity/growth) – Deep or External Specialties:
    • Threat Hunting; Detection Engineering; Purple & Red Teaming; Penetration Testing; Digital Forensics; Reverse Engineering
    • Incident Management
    • Automation & data science as dedicated roles or shared service(s)
    • Intelligence Professionals / Threat Intelligence
    • SecOps Management
    Insider Risk investigation capabilities are often incubated in security operations teams
  • 20. Growth Path of Security Operations – typical stages as the team grows and matures
  • Part Time – part-time analyst duties
  • Small – dedicated team with a single manager
  • Medium – multiple SOC managers
  • Large – 24x7 coverage, dedicated specialized teams
  • Not all organizations need (or can afford) a large team
  • Partnership with IT Operations and other teams is critical for any size team
  • 21. Building a SecOps team – Stage 1: Part-time staffing
  • Detection and response by part-time analysts. Often seen in small organizations or early stages of building a capability; sometimes staffed by non-security teams (IT Operations, Support, etc.)
  • Core Functions: Triage; Investigation; IR from single alert queue; Basic Hunting; 24x7 On Call; Enforce detection quality
  • Tooling: XDR (Endpoint/Email/Identity + Automation); Case management; Security Information and Event Management (SIEM)
  • XDR is ideal for starting out (vs. SIEM): simpler to install & use (less time/expertise), produces results immediately, includes automation (SOAR) for common tasks
  • Many Security Operations teams started out with SIEM because it was the only technology available at the time.
  • Legend: Optional; Strongly Recommended; Mandatory; Same as Previous Stage; On Call; Multiple Shifts
  • 22. Building a SecOps team – Stage 2: Full-time staff (small team)
  • Full-time analysts performing specific roles; on-call rotation for 24x7 coverage
  • Core Functions: Triage; Investigation; Hunting (Basic Hunting); IR from single alert queue; Enforce detection quality; 24x7 On Call
  • Tooling: XDR (All Assets + Automation); Case management; Security Information & Event Management (SIEM); BI/Reporting Tools; Advanced SOAR and Analytics (AI/ML, UEBA, etc.)
  • Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting; Advanced Hunting
  • XDR extends to all assets; advanced tooling increases process maturity as the team grows
  • Basic hunting keeps noise out of the triage queue without missing attacks (e.g. senior analysts reviewing low-fidelity detections once a day)
  • Legend: Optional; Strongly Recommended; Mandatory; Same as Previous Stage; On Call; Multiple Shifts
  • 23. Building a SecOps team – Stage 3: Full-time staff (medium team)
  • Full-time teams focused on different functions. Triage often extends to multiple shifts; on-call rotation for managers, investigation, hunting
  • Core Functions: Triage; Investigation; Hunting; IR from single alert queue; Basic Hunting; Enforce detection quality; 24x7 On Call or On Shift
  • Tooling: XDR (All Assets); Case management; Security Information & Event Management (SIEM); BI/Reporting Tools; Advanced SOAR and Analytics (AI/ML, UEBA, etc.)
  • Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting; Advanced Hunting
  • Define inter-team processes, metrics, tooling; build advanced/support functions for multi-team operations
  • Increasing focus on advanced SOAR automation/orchestration, advanced hunting, and Detection Engineering
  • Legend: Optional; Strongly Recommended; Mandatory; Same as Previous Stage; On Call; Multiple Shifts
  • 24. Building a SecOps team – Stage 4: Full-time staff (large team on shifts)
  • 24x7 global operations with 24x7 triage coverage
  • Core Functions: Triage; Investigation; Hunting; IR from single alert queue; Advanced Hunting; Enforce detection quality; 24x7 On Shift
  • Tooling: XDR (All Assets + Automation); Case management; Security Information & Event Management (SIEM); BI/Reporting Tools; Advanced SOAR and Analytics (AI/ML, UEBA, etc.)
  • Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting
  • A dedicated BI function enables continuous improvement
  • Complex operations require sophisticated inter-team processes, metrics, tooling, & advanced/support functions
  • Legend: Optional; Strongly Recommended; Mandatory; Same as Previous Stage; On Call; Multiple Shifts
  • 25. Stay Focused on what matters!
  • Minutes matter – rapidly detecting and evicting attackers will limit damage and risk to your organization
  • People matter – human judgement is critical. Continuous learning is required to keep up with technology, processes, and attack techniques.
  • Process matters – clarity and execution across internal and external teams is required for accuracy, impact, and speed.
  • Technology matters – simplify and automate common tasks to reduce frustration/burnout and keep people focused where needed most.
  • Intelligence matters – to provide current context for people and tools
  • Teamwork matters! – collaboration across individuals & teams is critical to success!
  • Microsoft CDOC is the main source of best practices: best practices and recommendations are directly sourced from Microsoft’s Cyber Defense Operations Center (CDOC) or validated against current practices.
  • 26. Resources. Questions?
  • aka.ms/MarksList – Mark’s List of Cybersecurity Resources, frequently sent to customers and colleagues.
  • ZeroTrustPlaybook.com – for all roles: simple language and description of concepts that everyone from the board room to technologists needs to understand
  ▪ Zero trust overview – security for the modern world we are in
  ▪ Playbook introduction – methodology to get there and do it well
  • aka.ms/SAF – Security Adoption Framework (SAF): guides Zero Trust security modernization and business alignment using recommended initiatives