The One-Man SOC: Habits of Highly Effective Security Practitioners

Real advice for IT and security practitioners who find themselves alone in the SOC. Learn how to develop routines to efficiently manage your environment, avoid time-sucks, and determine what you can do by yourself and where you need help.

Transcript

  • 1. The One-Man SOC: Habits of Highly Effective Security Practitioners. By: Joe Schreiber, Solutions Architect, AlienVault
  • 2. About Me
    - Solutions Architect @ AlienVault
    - Former SOC Manager/Analyst/Programmer with AT&T Managed Security Services
    - SIEM Enthusiast
    - Blog post: Open Source Intrusion Detection Tools: A Quick Overview
    - Blog post: MSSP – The New Acceptance
    - Webinars: Data Sources, Policies, and more…
    Practitioners Guide: The Series
    - Practitioners Guide to SOC
    - The One-Man SOC (you are watching it now!)
    - Help us select our next topic in this series. Tweet: @pkt_inspector
    Real Advice, for Real People
  • 3. In this session you will learn:
    - How to work around the limitations of a small (or one-person) team
    - Key skills to improve your efficiency
    - Tips for establishing a daily routine
    - Strategies to effectively prioritize daily tasks
    - The concept of automation and when to use it
    - Benefits of threat intelligence sharing
  • 4. When you are alone in the SOC. Here's what you are missing:
    - The Two-Man Rule
    - Double Verification
    - Long Response Times
    - Less Investigation Time per Incident
    "So how can I work around these limitations?" So let's get started.
  • 5. Know Your Audience: Different Data, Same Story. (Source: ISC2 Workforce Survey.) "The IT security function is understaffed. Seventy percent of respondents say their organizations do not have enough IT security staff." --- Ponemon Institute LLC, Feb 2014
  • 6. Know Your Audience Source: ISC2 Workforce Survey
  • 7. Know Your Environment: Security Awareness. Security awareness is critical: it is where it all starts. Vigilance: it's your job to spread it. Listen to how often this comes up….
  • 8. Know Your Environment. It's not always about IT, but it could be. What are your users doing?
    - Websites they visit?
      - Watering hole attacks?
    - What games are they playing?
      - Flash exploits?
      - Game owner hacked?
    Where are your users?
    - Where are teams located?
      - Why are they logging in from elsewhere?
    Are there business procedures that put you at risk? Remember, you are not the NSA.
  • 9. Know Your Audience: Communication
    PEER
    You: Seen this heartbleed thing?
    Web Admin: Heart what?
    You: It's serious, check it out. [Link]
    Web Admin: Holy !@#$
    Web Admin: Okay, I'm generating CSRs now for new keys.
    You: Good call. Let me know how the patching goes too. Working on getting the IDS to see this attack.
    ✓ Mission and Risk Understood
    MANAGER
    You: New vulnerability called heartbleed. It's very serious.
    Manager: What is the impact?
    You: Anything that uses OpenSSL is potentially exposed.
    Manager: What uses OpenSSL?
    You: Everything.
    Manager: Are we hacked?
    You: It's not that simple.
    Manager: Why is this more serious than the last one?
    ✗ Mission and Risk Understood
  • 10. Communication: Let's try this again
    You: There was a vulnerability announced moments ago called heartbleed. You can find the technical details here. There are distinct factors that make this critical:
      1. There is no known detection or audit mechanism available to determine if we are being attacked or were attacked.
      2. This vulnerability is present in a large percentage of our IT infrastructure.
      3. Most importantly, encrypted traffic could be read by others, creating high-risk exposure.
    I will conduct an audit and then we need to start patching immediately. Let's get everyone together for a standing meeting now.
    Manager: Totally agree. Calling the meeting now and starting escalation.
    Clearly defined risks. Mission stated. Call to action created. Save yourself time.
  • 11. Perception: It Matters
  • 12. TECH SKILLS
  • 13. Things to Learn: Automation, Scripting. The journey isn't over.
  • 14. Automation: You have all the time you need, right?
  • 15. Why Automation? It's the little things.
    - Save time, of course
    - Ad-hoc reporting
    - Integration with other devices and with other groups
  • 16. When to Automate? XKCD is awesome.
  • 17. Life Cycle (in this case there is no circle… maybe it's not a cycle then?)
    Ask first: Saving time? Serves a need? Frequency? Development time?
    → Script → (Schedule, Action) → Automatic Process
  • 18. Stay Focused: Security > Automation. Yes, more XKCD. He just gets it.
  • 19. How do I Automate? ("hoe kan ik automatiseren?", Dutch for the same question.) Time to learn a new language: learning to script will save you time.
  • 20. Which Language? Factors:
    - What is already in your environment? (Heard that before?)
    - Portability: where else can I use this?
  • 21. Do I Really Need to Learn Scripting? Basic shell tools. Real-world example: I need to make an ACL quickly.
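Slide 21's real-world case, worked out with basic shell tools as an added example that is not code from the deck or from AlienVault: take a batch of IDS alerts, pull out the external source addresses, validate and deduplicate them, and emit a Cisco-style extended ACL. The alert lines, the local signature IDs, the internal prefix 192.0.2. and the ACL name BLOCK-IDS are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the deck: build a blocking ACL from a batch of IDS
# alerts with nothing but awk, sort and a while loop.
# Assumptions (constructed for this example): Snort/Suricata "fast" alert
# format, local signature IDs in the 1000000+ range, and 192.0.2.0/24 as
# our internal network that must never be blocked.

INTERNAL_PREFIX="192.0.2."   # assumed internal range; never goes in the ACL

# Constructed sample alerts (not real traffic). One invalid source (300.1.1.1)
# and one internal source are included to show they get filtered out.
SAMPLE_ALERTS='03/14-09:12:01.123456 [**] [1:1000001:1] LOCAL SCAN inbound to MySQL [**] {TCP} 203.0.113.45:51234 -> 192.0.2.10:3306
03/14-09:12:05.000001 [**] [1:1000001:1] LOCAL SCAN inbound to MySQL [**] {TCP} 203.0.113.45:51235 -> 192.0.2.11:3306
03/14-09:13:44.220000 [**] [1:1000002:1] LOCAL SSH brute force attempt [**] {TCP} 198.51.100.7:40022 -> 192.0.2.20:22
03/14-09:15:10.000000 [**] [1:1000002:1] LOCAL SSH brute force attempt [**] {TCP} 192.0.2.30:40023 -> 192.0.2.20:22
03/14-09:16:00.000000 [**] [1:1000002:1] LOCAL SSH brute force attempt [**] {TCP} 300.1.1.1:1 -> 192.0.2.20:22'

# extract_attacker_ips [MIN]: read alerts on stdin, print each external source
# IP that appears in at least MIN alerts (default 1), one per line, sorted.
extract_attacker_ips() {
    min=${1:-1}
    awk -v min="$min" -v internal="$INTERNAL_PREFIX" '
        # Reject anything that is not four dotted octets in 0..255, so a
        # garbled line can never turn into a bogus ACL entry.
        function valid_ipv4(ip,   o, n, i) {
            n = split(ip, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        {
            src = ""
            for (i = 1; i <= NF; i++)       # source is the token before "->"
                if ($i == "->") { src = $(i - 1); break }
            if (src == "") next
            sub(/:[0-9]+$/, "", src)        # strip the source port
            if (!valid_ipv4(src)) next
            if (index(src, internal) == 1) next   # never block ourselves
            count[src]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# build_acl [NAME]: read IPs on stdin, print a Cisco-style extended ACL that
# denies each host and keeps a trailing permit so nothing else breaks.
build_acl() {
    name=${1:-BLOCK-IDS}
    echo "ip access-list extended $name"
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then
            echo " deny ip host $ip any"
        fi
    done
    echo " permit ip any any"
}

# Usage: feed the alerts through both steps. With MIN=2 only the repeat
# offender 203.0.113.45 would be blocked.
printf '%s\n' "$SAMPLE_ALERTS" | extract_attacker_ips 1 | build_acl BLOCK-IDS
```

The two checks are the part worth keeping when you adapt this: the octet validation stops a mangled log line from becoming an ACL entry, and the internal-prefix filter stops you from blocking your own hosts (or a spoofed internal source) in a hurry. Raise MIN when a single alert is not enough evidence to justify a block.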
  • 22. PROCESS
  • 23. The Importance of Routine (really, it is, like, totally important and stuff). What's in your routine?
    Daily:
    - Alarm Review
    - Event Review
    - Tuning
    Weekly:
    - Vulnerability Scanning
    - Audits
  • 24. Alarm Review: putting the routine to work. First! This is your logic at work: do not stop until critical or high severity alarms are closed. Investigate by taxonomy:
    - Exploitation
    - Malware
    - Policy
  • 25. Event Review: do this, often. Set aside time each and every day: you'll get a feel for it, and you'll recognize patterns. Don't believe me?
  • 26. WATCH THIS VIDEO
  • 27. Event Review: Methods. Use the alternative views.
  • 28. PRACTICAL: OTHER VIEWS
  • 29. Know Your Environment (yes, again!)
    Vulnerability Scanning:
    - Run scans regularly
    - Run them in a targeted manner
    - Establish a remediation plan before scanning
    Asset Detection / Profiling:
    - Use off hours to detect automatic processes, and then filter them!
  • 30. Your Environment: Organization. Make groups.
    - Organize by: function, location, host properties
    - Use groups for: policies, scanning, event views
  • 31. Taking Notes? (There will be a quiz at the end. Not really.) Information recording: ticketing system, wiki. Benefits: time saving, knowledge transfer.
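For slides 25 and 29 (daily event review, and using off hours to find automatic processes and then filter them), an added shell example that is not part of the deck: it runs over constructed connection-log lines, keeps only the off-hours window, reports source/destination tuples that recur on at least N distinct nights, and turns them into a BPF exclusion filter you can hand to tcpdump or an IDS capture filter. The log format "<ISO timestamp> <src> -> <dst>:<port> <proto>" and every address in it are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the deck: find the automatic processes that show up
# in off hours (backups, update checks) and turn them into an exclusion
# filter, so the daily event review is not spent re-reading the same known
# traffic. Assumptions: a one-line-per-connection log in the constructed form
# "<ISO timestamp> <src> -> <dst>:<port> <proto>"; all addresses made up.

# Constructed sample connections over three nights (not real traffic).
SAMPLE_CONNS='2014-03-12T02:00:03 192.0.2.50 -> 198.51.100.200:443 TCP
2014-03-12T03:30:10 192.0.2.51 -> 198.51.100.201:80 TCP
2014-03-12T10:15:00 192.0.2.60 -> 198.51.100.202:443 TCP
2014-03-13T02:00:05 192.0.2.50 -> 198.51.100.200:443 TCP
2014-03-13T02:15:41 192.0.2.70 -> 198.51.100.203:22 TCP
2014-03-13T03:30:12 192.0.2.51 -> 198.51.100.201:80 TCP
2014-03-14T02:00:02 192.0.2.50 -> 198.51.100.200:443 TCP
2014-03-14T02:00:09 192.0.2.50 -> 198.51.100.200:443 TCP
2014-03-14T11:00:00 192.0.2.60 -> 198.51.100.202:443 TCP'

# offhours_recurring [START] [END] [MINDAYS]: read the log on stdin, keep
# connections whose hour is in [START, END) (default 00:00-06:00), and print
# "src dst:port hits days" for tuples seen on at least MINDAYS distinct days
# (default 2). Requiring distinct days is what separates a scheduled job from
# a one-off late-night session.
offhours_recurring() {
    start=${1:-0}; end=${2:-6}; mindays=${3:-2}
    awk -v start="$start" -v end="$end" -v mindays="$mindays" '
        NF >= 5 && $3 == "->" {
            hour = substr($1, 12, 2) + 0      # "2014-03-12T02:00:03" gives 2
            day  = substr($1, 1, 10)
            if (hour < start || hour >= end) next
            key = $2 " " $4
            hits[key]++
            if (!((key, day) in seen)) { seen[key, day] = 1; days[key]++ }
        }
        END {
            for (k in hits)
                if (days[k] >= mindays) print k, hits[k], days[k]
        }
    ' | sort
}

# bpf_exclude_filter: read "src dst:port ..." lines on stdin and print one
# BPF expression that excludes all of them, usable as
#   tcpdump -i eth0 "$(... | bpf_exclude_filter)"
# or as an IDS capture filter.
bpf_exclude_filter() {
    awk '{
        split($2, d, ":")
        clause = "not (src host " $1 " and dst host " d[1] " and dst port " d[2] ")"
        out = (out == "") ? clause : (out " and " clause)
    }
    END { if (out != "") print out }'
}

# Usage: the nightly job from 192.0.2.50 and the update check from 192.0.2.51
# recur and are filtered; the single 02:15 SSH session from 192.0.2.70 stays
# visible for review.
printf '%s\n' "$SAMPLE_CONNS" | offhours_recurring 0 6 2
printf '%s\n' "$SAMPLE_CONNS" | offhours_recurring 0 6 2 | bpf_exclude_filter
```

The caveat: "recurs every night at the same time" describes a backup job and a malware beacon equally well. Confirm with the asset owner what each tuple is before adding it to the filter, and record the answer in the ticket or wiki from slide 31 so the next person does not have to rediscover it.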
  • 32. THREAT SHARING
  • 33. Threat Sharing: One Person. Many Friends. Threat sharing, anyone? 0-day? More like yesterday. APT? Yeah, you know me. Malware makes me happy. Request
  • 34. Threat Intelligence Powered by Open Collaboration
    - Diverse set of data & devices
    - 8,000 collection points
    - 140+ countries
    - 500,000 malware samples analyzed daily
    - 1500+ event correlation rules
    - 5 event attack types
  • 35. Summary: today we learned…
    - How to work around the limitations of a small (or one-person) team
    - Tips for establishing a daily routine
    - Strategies to effectively prioritize daily tasks
    - Benefits of threat intelligence sharing
  • 36. Final Thought “Security is your problem, and everyone else's too.”
  • 37. Now for some Q&A… Learn more about AlienVault USM. Register for our weekly live product demo: https://www.alienvault.com/marketing/alienvault-usm-live-demo. Download a free 30-day trial: http://www.alienvault.com/free-trial