The Five W's of SOC Operations. Kevin

Size: px

Start display at page:

Download "The Five W's of SOC Operations. Kevin Young, @IT3700"

Lorena Ray
8 years ago
Views:

2 The Five W's of SOC Operations Kevin

3 Thank you Todd Thanks to Randall Munroe

4 Overview Introduction Five W s of SOC Operations When do I need a SOC? Readiness What exactly does the SOC do? Operational aspects Who will staff my SOC? Team & skills Where should my SOC be located? Challenges of geography We have it covered. Why would I need help from others? The supporting cast Q&A

Operational aspects Who will staff my SOC?

Operations Security Operations Center Incident Response The thoughts and

5 About Me Kevin Young CISSP, GCIH, GNFA Adobe Systems Digital Marketing Business Unit, Lehi, Utah Adobe Marketing Cloud Manager, Security Operations Security Operations Center Incident Response The thoughts and opinions expressed here are my own and do not reflect those of Adobe Systems, Inc.

6 Our Environment Security Analytics Netflow Security Analytics IDS SOC (Monitoring & Assessment) Incident Incident Response (Handling) Syslog Archer Security Operations HIDS

7 My First Month

8 When do I need a SOC?

9 Organizational Maturity Do you have a clear vision and role for your SOC? What do you gain? Why do you want to change your current model? What is the expectation? Relationships Product teams External parties Vendors/Pro Serve Support requirements Use cases

10 Operational Maturity Information security Repeatable security processes Incident Response plan Investigation methodologies Service delivery Change control System configuration database Software load/image repository Documentation Network & architecture diagrams Storage strategy Identify key assets Contact List

control System configuration database Software load/image repository

11 Business Maturity Management support Capital Staffing Tools (hardware, upgrades, licensing, maintenence) Training (current & ongoing) On-Boarding/review process M&A

12 What exactly does a SOC do?

13 A Day in the Life of a SOC Correlate Reports HIDS/NIDS NetFlow data Logs Threat intel Investigate Escalate Contain/Mitigate Credit: Elvis Weathercock

14 SOC Tiers IR T2/T3 T1 Contain Containment, Recovery, Root Cause Analysis Incident Managers, Legal, PR, Customer Service Investigate Evaluation, review, analysis T2/T3 Analysts, Product Teams, SMEs Correlate Intake, Monitor, Triage, Priority T1 Analysts

Investigate Evaluation, review, analysis T2/T3 Analysts,

15 Detect vs. Correlate Sweet spot of analysis RSA RSA Netflow IDS Netflow IDS

16 Incident Response Panic Identify/Investigate Contain Eradicate Recover Lessons Learned/Root Cause Analysis LL: Specific to team(s) RCA: Most fundamental cause (i.e. 5 Whys)

17 Hey Kevin, I need your metrics - Unnamed Project Manager

18 Metrics Tell Your Story Metric creation 1. Understand business objective 2. Establish/align the SOC goal 3. Define the metric 4. Develop a realistic way to capture the indicator

19 Metrics Tell Your Story Ref: Security Metrics, SANS Institute Reading Room, mitre.org, rsaconference.com blogs

20 but what does the SOC team do when it isn t handling an incident?

21 Metrics Tell Your Story Number of Investigations Reporting/Discovery Method % % % 40% 30% 20% Internal External Other 20 10% % % % of SIEM Events Closed 100% 80% 60% 40% 20% 0% Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec

22 Who Will Staff My SOC?

23 Staffing Analysts (T1-3) Subject Matter Expert (SME) Incident Responder/Coordinator Management

24 Analyst Skills Hard skills Soft skills Intangible skills Hard Skills? Skills Soft Skills Analyst

Analyst Hard Skills Computer & security skills Network protocols Packet analysis Scripting/Parsing IDS Architecture and product knowledge Indicators of Compromise (IOC) Mixed results in two areas

25 Analyst Hard Skills Computer & security skills Network protocols Packet analysis Scripting/Parsing IDS Architecture and product knowledge Indicators of Compromise (IOC) Mixed results in two areas Malware analysis Threat intelligence Security Operations Analyst (SA) Levels 1 through 3 Uses, implements, reviews, or evaluates a variety of sensor types detect and prevent threat actors from infiltrating information system(s) or jeopardizing delivery infrastructure. Operates and uses wide variety of technology types (IDS, Netflow, full-packet capture, SPAN ports/taps, etc.) for monitoring of product delivery infrastructure. Provides information and reports regarding impact of breaches to confidentiality, integrity, and availability of service delivery.

26 Malware analysis Higher level of expertise Limited talent pool Beyond reach of entry level SOC effort Forensic analysis What is the objective? What do you hope to accomplish?

27 Threat intelligence Difficult to do well Cost to convert intel into usable knowledge is high Staffing limitations Credit: David Bianco Pyramid of Pain

28 Analyst Soft Skills Creativity Teamwork Psychology Mind of an attacker Understanding of risk Passion Off-hours interest Curiosity Natural desire to learn

29 Subject Matter Expert (SME) Penetration testing/hunter Forensic expertise Fast or thorough Infrastructure System admin Network admin Software development

30 Incident Coordinator Calm under fire Leadership Communication Technical Managerial Writing skills Project management Risk analysis

31 Manager/Leader

32 Where should my SOC be located?

33 Physical Location Adequate workspace Reference materials War/conference room Confidential communication Close to those whom you serve

34 Challenges of Geography Physical location(s) Coordination Language/culture

35 Coverage Model Hours of coverage 8x5 24x7 Weekends US/foreign holidays Follow the sun

36 Coordination Collaboration/geographical handoff Virtual meeting rooms Phone bridge/conference call Ticketing system Investigation tracking Security engineering team Tuning Upgrades

37 We can do it alone. Why would I need help from others

38 SOC Limitations Deciding what not to do is as important as deciding what to do. -Steve Jobs your scientists were so preoccupied with whether or not they could that they didn't stop to think if they should. -Dr. Ian Malcom, Jurassic Park

39 Necessary Expertise - Internal Product/Help Desk teams Breach investigation Response coordination User/customer notification System administration Network engineers System engineers Upstream providers Customer Service Password changes, service outages Customer communication

media speculation Legal department/counsel

40 Necessary Expertise - Internal Public Relations SINGLE media spokesperson Limit outbound social media speculation Legal department/counsel Takedown/DMCA notices Privacy/HR issues Law enforcement interface

41 Necessary Expertise - External On-retainer security services from 3 rd parties Forensic investigation APT investigation Managed Security Service Providers (MSSP)

42 Takeaways

43 Organization & Operation Concept of Operations (ConOps) Incident Response Plan Playbook/Runbook Broad incident categories (DDOS, phishing attack, loss of passwords, loss of customer data, compromise of key systems)

44 Organization & Operation Training and development Tools Techniques Processes Change management, service management Management support Budget Firepower

45 SOC Development Your SOC is a journey, not a destination Rinse, lather, repeat (aka Lessons Learned, Root Cause Analysis) You will make mistakes Maintain realistic expectations

46 Start Now! "A good plan, violently executed now, is better than a perfect plan next week. -George S. Patton

47 Q&A

48 References SANS SANS Institute Reading Room Security Metrics: Replacing Fear, Uncertainty, and Doubt Ten Strategies of a World-Class Cybersecurity Operations Center Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan

49 References Building a World-Class Security Operations Center: A Roadmap Concept of Operations Pyramid of Pain Security Weekly Podcasts Krebs on Security

50 References Collecting Security Metrics and What They Mean Blue Team Handbook: Incident Response Edition The Practice of Network Security Monitoring: Understanding Incident Detection and Response Understanding/dp/ /

Intelligence Driven Security

Intelligence Driven Security RSA Advanced Cyber Defense Workshop Shane Harsch Senior Solutions Principal, RSA 1 Agenda Approach & Activities Operations Intelligence Infrastructure Reporting & Top Findings