The Five W's of SOC Operations Kevin Young, @IT3700
Thank you Todd Thanks to Randall Munroe https://xkcd.com/838/
Overview
  Introduction
  Five W's of SOC Operations
  When do I need a SOC? (Readiness)
  What exactly does the SOC do? (Operational aspects)
  Who will staff my SOC? (Team & skills)
  Where should my SOC be located? (Challenges of geography)
  We have it covered. Why would I need help from others? (The supporting cast)
  Q&A
About Me
  Kevin Young, CISSP, GCIH, GNFA
  Adobe Systems, Digital Marketing Business Unit, Lehi, Utah
  Adobe Marketing Cloud: Manager, Security Operations (Security Operations Center, Incident Response)
  The thoughts and opinions expressed here are my own and do not reflect those of Adobe Systems, Inc.
Our Environment (architecture diagram; elements shown: Security Analytics (Netflow), Security Analytics (IDS), HIDS, Syslog, SOC (Monitoring & Assessment), Incident Response (Handling), Incident, Archer, Security Operations)
My First Month
When do I need a SOC?
Organizational Maturity
  Do you have a clear vision and role for your SOC? What do you gain? Why do you want to change your current model? What is the expectation?
  Relationships: product teams, external parties, vendors/pro serve
  Support requirements
  Use cases
Operational Maturity
  Information security: repeatable security processes, incident response plan, investigation methodologies
  Service delivery: change control, system configuration database, software load/image repository
  Documentation: network & architecture diagrams, storage strategy, identify key assets, contact list
Business Maturity
  Management support
  Capital
  Staffing
  Tools (hardware, upgrades, licensing, maintenance)
  Training (current & ongoing)
  On-boarding/review process
  M&A
What exactly does a SOC do?
A Day in the Life of a SOC
  Correlate: reports, HIDS/NIDS, NetFlow data, logs, threat intel
  Investigate
  Escalate
  Contain/Mitigate
  Credit: Elvis Weathercock
SOC Tiers
  T1 - Correlate: intake, monitor, triage, priority (T1 analysts)
  T2/T3 - Investigate: evaluation, review, analysis (T2/T3 analysts, product teams, SMEs)
  IR - Contain: containment, recovery, root cause analysis (incident managers, legal, PR, customer service)
Detect vs. Correlate (Venn diagram of RSA, Netflow and IDS data; the sweet spot of analysis is where the sources overlap)
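The correlate-triage-escalate loop from the two slides above, as an added worked example that is not part of the original deck: IDS alerts are matched against NetFlow records between the same two endpoints within a few minutes, checked against a threat-intel indicator list, given a priority, and routed to the tier named on the SOC Tiers slide. All alerts, flows and indicators are constructed sample data (RFC 5737 documentation addresses); the 5-minute window, the 10.0.0.0/8 "internal" assumption and the P1/P2/P3 scheme are this example's assumptions, not the author's.

```python
from datetime import datetime, timedelta

# Constructed sample data for this example (documentation IP ranges, not real hosts).
IDS_ALERTS = [
    {"ts": "2015-03-02T10:15:00", "src": "203.0.113.7",  "dst": "10.0.5.21", "sig": "possible C2 beacon"},
    {"ts": "2015-03-02T10:40:00", "src": "198.51.100.9", "dst": "10.0.5.40", "sig": "port scan"},
    {"ts": "2015-03-02T11:05:00", "src": "192.0.2.55",   "dst": "10.0.5.21", "sig": "suspicious user-agent"},
]
NETFLOW = [
    {"ts": "2015-03-02T10:14:30", "src": "203.0.113.7",  "dst": "10.0.5.21",   "bytes": 18200},
    {"ts": "2015-03-02T10:16:10", "src": "10.0.5.21",    "dst": "203.0.113.7", "bytes": 950000},
    {"ts": "2015-03-02T10:41:00", "src": "198.51.100.9", "dst": "10.0.5.40",   "bytes": 400},
]
THREAT_INTEL = {"203.0.113.7"}    # constructed indicator feed of known-bad addresses
WINDOW = timedelta(minutes=5)     # assumption: a flow this close to an alert counts as corroboration

# Escalation path taken from the SOC Tiers slide: who picks the case up at each priority.
ESCALATE_TO = {"P1": "IR", "P2": "T2/T3", "P3": "T1"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_internal(ip):
    # Assumption for the sample: the monitored infrastructure lives in 10.0.0.0/8.
    return ip.startswith("10.")


def flows_for(alert, flows, window=WINDOW):
    """Flows between the alert's two endpoints, in either direction, within +/- window of the alert."""
    t = parse_ts(alert["ts"])
    endpoints = {alert["src"], alert["dst"]}
    return [f for f in flows
            if {f["src"], f["dst"]} == endpoints
            and abs(parse_ts(f["ts"]) - t) <= window]


def triage(alerts, flows, intel):
    """Correlate each IDS alert with NetFlow and threat intel, assign a priority and an escalation tier."""
    cases = []
    for a in alerts:
        matched = flows_for(a, flows)
        ioc_hit = a["src"] in intel or a["dst"] in intel
        # Bytes the internal host sent to the external peer: a quick data-loss indicator for the investigator.
        egress = sum(f["bytes"] for f in matched
                     if is_internal(f["src"]) and not is_internal(f["dst"]))
        if ioc_hit and matched:
            priority = "P1"      # corroborated by flow data AND a known-bad indicator
        elif ioc_hit or matched:
            priority = "P2"      # one corroborating source
        else:
            priority = "P3"      # IDS alert only; T1 monitors or closes
        cases.append({
            "alert": a["sig"], "src": a["src"], "dst": a["dst"],
            "priority": priority, "escalate_to": ESCALATE_TO[priority],
            "flows": len(matched), "ioc_hit": ioc_hit, "egress_bytes": egress,
        })
    return sorted(cases, key=lambda c: c["priority"])


if __name__ == "__main__":
    for c in triage(IDS_ALERTS, NETFLOW, THREAT_INTEL):
        print(f'{c["priority"]} -> {c["escalate_to"]:5} {c["alert"]:22} '
              f'flows={c["flows"]} ioc={c["ioc_hit"]} egress_bytes={c["egress_bytes"]}')
```

Run stand-alone it lists three cases: the beacon alert lands as P1 for the IR tier (two corroborating flows, an indicator match, and 950000 bytes leaving the internal host), the scan as P2 for T2/T3, and the lone user-agent alert as P3 for T1. The point of the sweet-spot slide shows up in the code: the single-source alert is the one a T1 analyst can close quickly, while the multi-source case is the one worth an investigator's time.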
Incident Response
  Panic
  Identify/Investigate
  Contain
  Eradicate
  Recover
  Lessons Learned/Root Cause Analysis
  LL: specific to team(s); RCA: most fundamental cause (i.e. 5 Whys)
"Hey Kevin, I need your metrics." - Unnamed Project Manager
Metrics Tell Your Story
  Metric creation
  1. Understand business objective
  2. Establish/align the SOC goal
  3. Define the metric
  4. Develop a realistic way to capture the indicator
Metrics Tell Your Story Ref: Security Metrics, SANS Institute Reading Room, mitre.org, rsaconference.com blogs
...but what does the SOC team do when it isn't handling an incident?
Metrics Tell Your Story (three charts: Number of Investigations per year, 2012-2015; Reporting/Discovery Method as percentages of Internal, External and Other, 2012-2015; % of SIEM Events Closed by month, Jan-Dec)
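The three charts on the metrics slide, computed from a ticketing export, as an added example that is not from the original deck. It follows the four metric-creation steps (objective, SOC goal, metric definition, capture method) for the "% of SIEM Events Closed" indicator and also reproduces the investigations-per-year and discovery-method breakdowns. The ticket records, their column layout and the ticket types are constructed for this example; the author's real data source is not shown on the page.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed ticket export: (ticket id, date opened, ticket type, discovery method, closed?).
# Column layout and values are this example's assumption, not the author's system.
TICKETS = [
    ("INV-1", "2014-01-12", "investigation", "Internal", True),
    ("INV-2", "2014-03-05", "investigation", "External", True),
    ("INV-3", "2015-02-10", "investigation", "Internal", True),
    ("INV-4", "2015-06-21", "investigation", "Internal", False),
    ("INV-5", "2015-09-30", "investigation", "Other",    True),
    ("EVT-1", "2015-01-03", "siem_event",    "Internal", True),
    ("EVT-2", "2015-01-15", "siem_event",    "Internal", True),
    ("EVT-3", "2015-01-20", "siem_event",    "Internal", False),
    ("EVT-4", "2015-01-28", "siem_event",    "Internal", True),
    ("EVT-5", "2015-02-02", "siem_event",    "Internal", False),
    ("EVT-6", "2015-02-14", "siem_event",    "Internal", False),
]
METHODS = ("Internal", "External", "Other")


def opened(ticket):
    return date.fromisoformat(ticket[1])


def investigations_per_year(tickets):
    """Number of Investigations chart: investigation tickets opened per calendar year."""
    return dict(Counter(opened(t).year for t in tickets if t[2] == "investigation"))


def discovery_method_share(tickets, year):
    """Reporting/Discovery Method chart: share of a year's investigations found
    internally, reported externally, or discovered some other way, in percent."""
    inv = [t for t in tickets if t[2] == "investigation" and opened(t).year == year]
    counts = Counter(t[3] for t in inv)
    return {m: round(100.0 * counts[m] / len(inv), 1) if inv else 0.0 for m in METHODS}


def siem_closure_rate_by_month(tickets, year):
    """% of SIEM Events Closed chart, built by the four steps on the slide:
    1. business objective: no alert is left unaddressed
    2. SOC goal: every SIEM event gets a disposition
    3. metric: closed events as a percentage of events opened, per month
    4. capture: the ticketing system's closed flag, which already exists"""
    totals = defaultdict(lambda: [0, 0])          # month -> [opened, closed]
    for t in tickets:
        if t[2] == "siem_event" and opened(t).year == year:
            month = opened(t).month
            totals[month][0] += 1
            totals[month][1] += int(t[4])
    return {m: round(100.0 * closed / total, 1)
            for m, (total, closed) in sorted(totals.items())}


if __name__ == "__main__":
    print("investigations per year:", investigations_per_year(TICKETS))
    print("discovery method share 2015:", discovery_method_share(TICKETS, 2015))
    print("SIEM closure rate by month 2015:", siem_closure_rate_by_month(TICKETS, 2015))
```

With the sample data the closure rate drops from 75% in January to 0% in February, which is the kind of movement a project manager asking for "your metrics" actually wants explained; the percentage is the indicator, the ticket export is the realistic capture method from step 4.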
Who Will Staff My SOC?
Staffing
  Analysts (T1-3)
  Subject Matter Expert (SME)
  Incident Responder/Coordinator
  Management
Analyst Skills (diagram: an analyst's skills are made up of hard skills, soft skills and intangible skills)
Analyst Hard Skills
  Computer & security skills: network protocols, packet analysis, scripting/parsing, IDS, architecture and product knowledge, Indicators of Compromise (IOC)
  Mixed results in two areas: malware analysis, threat intelligence
  Security Operations Analyst (SA), Levels 1 through 3: Uses, implements, reviews, or evaluates a variety of sensor types to detect and prevent threat actors from infiltrating information system(s) or jeopardizing delivery infrastructure. Operates and uses a wide variety of technology types (IDS, Netflow, full-packet capture, SPAN ports/taps, etc.) for monitoring of product delivery infrastructure. Provides information and reports regarding impact of breaches to confidentiality, integrity, and availability of service delivery.
Malware analysis
  Higher level of expertise
  Limited talent pool
  Beyond reach of entry-level SOC effort
  Forensic analysis: what is the objective? What do you hope to accomplish?
Threat intelligence
  Difficult to do well
  Cost to convert intel into usable knowledge is high
  Staffing limitations
  Credit: David Bianco, Pyramid of Pain
Analyst Soft Skills
  Creativity
  Teamwork
  Psychology: mind of an attacker, understanding of risk
  Passion: off-hours interest
  Curiosity: natural desire to learn
Subject Matter Expert (SME)
  Penetration testing/hunter
  Forensic expertise: fast or thorough
  Infrastructure: system admin, network admin
  Software development
Incident Coordinator
  Calm under fire
  Leadership
  Communication: technical, managerial, writing skills
  Project management
  Risk analysis
Manager/Leader
Where should my SOC be located?
Physical Location
  Adequate workspace
  Reference materials
  War/conference room
  Confidential communication
  Close to those whom you serve
Challenges of Geography
  Physical location(s)
  Coordination
  Language/culture
Coverage Model
  Hours of coverage: 8x5, 24x7
  Weekends, US/foreign holidays
  Follow the sun
Coordination
  Collaboration/geographical handoff: virtual meeting rooms, phone bridge/conference call
  Ticketing system: investigation tracking
  Security engineering team: tuning, upgrades
We can do it alone. Why would I need help from others?
SOC Limitations
  "Deciding what not to do is as important as deciding what to do." - Steve Jobs
  "Your scientists were so preoccupied with whether or not they could that they didn't stop to think if they should." - Dr. Ian Malcolm, Jurassic Park
Necessary Expertise - Internal
  Product/Help Desk teams: breach investigation, response coordination, user/customer notification
  System administration: network engineers, system engineers, upstream providers
  Customer Service: password changes, service outages, customer communication
Necessary Expertise - Internal
  Public Relations: SINGLE media spokesperson, limit outbound social media speculation
  Legal department/counsel: takedown/DMCA notices, privacy/HR issues, law enforcement interface
Necessary Expertise - External
  On-retainer security services from 3rd parties: forensic investigation, APT investigation
  Managed Security Service Providers (MSSP)
  http://www.rsaconference.com/writable/presentations/file_upload/tech-203.pdf
Takeaways
Organization & Operation
  Concept of Operations (ConOps)
  Incident Response Plan
  Playbook/Runbook: broad incident categories (DDoS, phishing attack, loss of passwords, loss of customer data, compromise of key systems)
Organization & Operation
  Training and development: tools, techniques, processes
  Change management, service management
  Management support: budget, firepower
SOC Development
  Your SOC is a journey, not a destination
  Rinse, lather, repeat (aka Lessons Learned, Root Cause Analysis)
  You will make mistakes
  Maintain realistic expectations
Start Now!
  "A good plan, violently executed now, is better than a perfect plan next week." - George S. Patton
Q&A
References
  SANS 504 - https://www.sans.org/course/hacker-techniques-exploits-incident-handling
  SANS Institute Reading Room - https://www.sans.org/reading-room
  Security Metrics: Replacing Fear, Uncertainty, and Doubt - http://smile.amazon.com/gp/product/0321349989/ref=olp_product_details?ie=utf8&me=
  Ten Strategies of a World-Class Cybersecurity Operations Center - https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf
  Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan - http://www.amazon.com/crafting-infosec-playbook-security-monitoring/dp/1491949406
References
  Building a World-Class Security Operations Center: A Roadmap - https://www.sans.org/reading-room/whitepapers/analyst/building-world-class-security-operations-center-roadmap-35907
  Concept of Operations - http://www.mitre.org/publications/systems-engineering-guide/selifecycle-building-blocks/concept-development/concept-of-operations
  Pyramid of Pain - http://detect-respond.blogspot.com/
  Security Weekly Podcasts - http://securityweekly.com/podcasts/
  Krebs on Security - https://krebsonsecurity.com/
References
  Collecting Security Metrics and What They Mean - http://www.rsaconference.com/blogs/collecting-security-metrics-and-what-they-mean
  Blue Team Handbook: Incident Response Edition - http://www.amazon.com/blue-team-handbook-condensed-responder/dp/1500734756/
  The Practice of Network Security Monitoring: Understanding Incident Detection and Response - http://www.amazon.com/practice-network-security-monitoring-Understanding/dp/1593275099/