Building a SOC - hackmiami 2018
Download as PPTX, PDF3 likes614 views
Building a SOC involves three key elements: enlisting talented people, giving them an analytics pipeline to power processes, and obtaining business buy-in. There are different types of SOCs like virtual, dedicated, and distributed models. Data sources like endpoints, networks, and identities are essential. An analytics pipeline with enrichments, correlations, and anomaly detection is important. Processes like threat modeling, responding to threats, and using playbooks guide the SOC. People fill tiers like SOC I to triage events and SOC II to correlate and respond. Feedback loops help continuously improve the SOC. Technology supports processes but processes are more important than any single technology.
Building a SOC - hackmiami 2018
- 2. What does a SOC really mean? Actual SOC https://en.wikipedia.org/wiki/Securit y_operations_center
- 3. What do they look like?
- 4. They come in different flavors too Per Gartner here are some common models ● Virtual SOC ● Dedicated SOC ● Distributed/Co-managed SOC ● Command SOC ● Multifunction SOC / network operations center (NOC) ● Fusion SOC
- 5. Who am I Old Prolexic Engineer Spent some time building SOCs for/with Splunk Co-Founded Zenedge Here to share the best advice I have on building a SOC Funny pic here
- 6. At a 50k foot view
- 7. Building a SOC is about enlisting talented people you can hire giving them a analytics pipeline that powers a process
- 9. Technology
- 13. Build VS Buy Grep/AWK/sed Graylog ELK Sumo ... Splunk _New Wave_ JASK
- 14. Data sources are your Life force ● Endpoint OSquery/OSSEC ● Network Bro/DNS ● IDs Snort/Suricata ● Identity DHCP/LDAP ● Web WAF/Proxy logs
- 15. Analytics Pipeline Reference Architecture
- 18. Anomaly Detection (Hard Mode) http://enigmater.blogspot.com/2017/03/intrusion-detection-based-on-supervised.html
- 19. Process
- 20. Threat Modeling ● What threats does my organization care about? ● What does a threat look like? ● How does the SOC block/detect the threat?
- 21. Responding to Threats 1. Preparation 2. Detection and analysis 3. Containment, eradication, recovery 4. Post-incident Activity (Lessons learned)
- 22. Example of a Playbook - POST Flood 1. Detection and analysis request origin increase (bypass cache), notice POSTs to / on logs, correlate with current threat landscape..UA’s 2. Contact customer 3. Containment, Eradication, Recovery another VCL rule 4. Share attack report 5. Post incident activity (Lessons learned) alerts when POST / , feed IPs to TIDB for layer 7 attacker not spoofed
- 23. People
- 24. Tiers SOC I eyes and ears of operations output of the SOC I is to triage an event and decide the course of action to take SOC II Mitigators correlate and respond to triaged threats detected by SOC I SOC III Specialists optimize how a SOC I and SOC II operate, Subject Matter Experts
- 25. Feedback Loop
- 26. Triage Investigation Remediation Communication Post Review Will treating each SIRT as an production incident first reduce our time exposed? Interview Customers to understand what changes need to be made, or hypothesis to test Run A/B experiments to validate and measure effectiveness of changes A B SIRT
- 27. Be a Human ● Do not over work ● Measure Efforts not Productivity ● The leader reports to his team.. The team has to be the owner
- 29. In Summary Every SOC is different and none is perfect Your customers gotta want it! processes leads technology Religiously Actionable Alerts
- 30. If all else fails get a pew pew map
- 31. Questions
- 33. Appendix
- 34. Agenda ● What really is a SOC ● Intro ● 50k foot view of any SOC ● MSSP vs Internal ● Technology ● Process ● People ● Gotchas ● Questions
Editor's Notes
- #3: Definition is lose and it means alot of things to alot of people, for example let’s explore wikipedia
- #5: https://www.gartner.com/newsroom/id/3815169 Just like mario world there are different games with slightly different changes but at the core very similar in mechanics
- #6: Know many you from Prolexic Knitting a SOC at Fastly
- #7: At a really high level the process of running any operations boils down to 3 different components that are interconnected https://www.sans.org/reading-room/whitepapers/analyst/building-world-class-security-operations-center-roadmap-35907
- #8: Here is my believe
- #9: This is a given but without business buy in no project is going anywhere, I have seen this used in every SOC presentation I have seen, although a bit commonsensical, though I would share.
- #10: Mega
- #11: Picture this your a team leader with a budget and you
- #14: So how can we pivot to the last chart? Lets talk about build versus buy
- #15: At the end of the day any platform you go with the truth is that
- #16: Lets walk through it
- #22: (NIST) Incident Handling guide
- #23: At Fastly, one of the most common threats we help our customers mitigate is DDoS attacks — specifically pesky Layer 7 floods (GET/POST) which bypass a customer’s cache and affect the origin server directly.
- #26: http://theleanstartup.com/
- #30: https://blog.rapid7.com/2016/05/03/6-lessons-i-learned-from-working-in-a-soc/ Every SOC is different and none is perfect - they are all different and it is an evolving concept as leader you must understand this and embrace change but also test it rigorously Your customers gotta want it! - goes back to business buy-in, your customers need to want it, otherwise no matter the value produced processes leads technology - a hunting process will determine what tools you need for it, but a tool will never lead you to a better hunting process, take sandboxing for example, what good is a shiny new sandbox gear if there is no investigation that the SOC performs that requires it. Religiously Actionable Alerts Document investigation knowledge