Habits of Highly Effective Security Practitioners
BY: JOE SCHREIBER, SOLUTIONS ARCHITECT, ALIENVAULT
Real advice for IT and security practitioners who find themselves alone in the SOC. Learn how to develop routines to efficiently manage your environment, avoid time-sucks, and determine what you can do by yourself and where you need help.
Slide 1: Habits of Highly Effective Security Practitioners
The One-Man SOC
By: Joe Schreiber, Solutions Architect, AlienVault

Slide 2: About Me
• Solutions Architect @ AlienVault
• Former SOC Manager/Analyst/Programmer with AT&T Managed Security Services
• SIEM Enthusiast
• Blog post: Open Source Intrusion Detection Tools: A Quick Overview
• Blog post: MSSP – The New Acceptance
• Webinars: Data Sources, Policies, and more…
Practitioners Guide: The Series
• Practitioners Guide to SOC
• The One-Man SOC (you are watching it now!)
• Help us select our next topic in this series. Tweet: @pkt_inspector
Real Advice, for Real People

Slide 3: In this session you will learn:
• How to work around the limitations of a small (or one person) team
• Key skills to improve your efficiency
• Tips for establishing a daily routine
• Strategies to effectively prioritize daily tasks
• The concept of automation and when to use it
• Benefits of threat intelligence sharing

Slide 4: When you are alone in the SOC
Here's what you are missing:
• The Two Man Rule
• Double Verification
• Long Response Times
• Less Investigation Time per Incident
So let's get started: "So how can I work around these limitations?"

Slide 5: Different Data, Same Story (Know Your Audience)
Source: ISC2 Workforce Survey
"The IT security function is understaffed. Seventy percent of respondents say their organizations do not have enough IT security staff." --- Ponemon Institute LLC, Feb 2014

Slide 6: Know Your Audience
Source: ISC2 Workforce Survey

Slide 7: Security Awareness (Know Your Environment)
• Security Awareness is critical. It is where it all starts.
• Vigilance: it's your job to spread it.
• Listen how often this comes up….

Slide 8: Know Your Environment
It's not always about IT, but it could be. What are your users doing?
• Websites they visit?
  - Water Cooler attacks?
• What games are they playing?
  - Flash exploits?
  - Game owner hacked?
Where are your users?
• Where are teams located?
  - Why are they logging in from elsewhere?
Are there business procedures that put you at risk?
Remember you are not the NSA.

Slide 9: Communication (Know your Audience)
PEER
You: Seen this heartbleed thing?
Web Admin: Heart what?
You: It's serious, check it out. Link
Web Admin: Holy !@#$
Web Admin: Okay I'm generating CSRs now for new keys.
You: Good call. Let me know how the patching goes too. Working on getting the IDS to see this attack.
✓ Mission and Risk Understood

MANAGER
You: New vulnerability called heartbleed. It's very serious.
Manager: What is the impact?
You: Anything that uses OpenSSL is potentially exposed.
Manager: What uses OpenSSL?
You: Everything
Manager: Are we hacked?
You: It's not that simple.
Manager: Why is this more serious than the last one?
✗ Mission and Risk Understood

Slide 10: Communication (Let's try this again)
You: There was a vulnerability announced moments ago called heartbleed. You can find the technical details here. There are distinct factors that make this critical:
1. There is no known detection or audit mechanism available to determine if we are being attacked or were attacked
2. This vulnerability is present in a large percentage of our IT infrastructure
3. Most importantly, encrypted traffic could be read by others, creating high risk exposure
I will conduct an audit and then we need to start patching immediately. Let's get everyone together for a standing meeting now.
Manager: Totally agree. Calling the meeting now and starting escalation.
Save yourself time: Clearly Defined Risks. Mission Stated. Call to Action created.

Slide 11: Perception
It Matters

Slide 12: TECH SKILLS

Slide 13: Things to Learn (The Journey Isn't Over.)
• Automation
• Scripting

Slide 14: Automation
You have all the time you need, right?

Slide 15: Why Automation?
• Save time of course
• Ad-Hoc reporting
• Integration
  - With other devices
  - With other groups
It's the Little Things

Slide 16: When to Automate?
XKCD is Awesome

Slide 17: Life Cycle
In this case there is no circle… maybe it's not a cycle then?
• Saving Time?
• Serves Need?
• Frequency?
• Development Time?
Script, Schedule, Action: Automatic Process

Slide 18: Stay Focused
Security > Automation
Yes, More XKCD. He just gets it.

Slide 19: How do I Automate?
"Hoe kan ik automatiseren?" (Dutch: "How can I automate?")
Time to learn a new language. Learning to script will save you time.

Slide 20: Which Language? Factors
• What is already in your environment?
  - Heard that before?
• Portability
  - Where else can I use this?

Slide 21: Do I Really Need to Learn Scripting?
Basic Shell Tools
Real World Example: I need to make an ACL quickly
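The "I need to make an ACL quickly" case from slide 21, worked as an added example that is not part of the deck: a POSIX shell pipeline built only from basic tools (sed, grep, sort, awk) that turns a pasted list of source addresses into deny rules. The input list, the allow-list and the deny/permit line format are constructed assumptions, not anything the slides specify.

```shell
# Constructed input (not from the deck): blocked-source candidates as they
# might be pasted from an alarm export. One IPv4 per line, with duplicates,
# stray whitespace and an invalid entry that must be rejected.
raw_candidates() {
  cat <<'EOF'
203.0.113.45
  198.51.100.7
203.0.113.45
10.0.0.5
not-an-ip
192.0.2.250
EOF
}

# Assumed allow-list: hosts that must never be blocked (e.g. your own scanner).
ALLOW_LIST="10.0.0.5"

# Keep only syntactically valid IPv4 addresses (four octets, each 0-255).
valid_ipv4() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
  awk -F. '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}

# Build the ACL: trim whitespace, validate, dedupe, drop allow-listed hosts,
# then emit one deny line per host and a closing permit (assumed format).
make_acl() {
  raw_candidates |
  sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
  valid_ipv4 |
  sort -u |
  grep -vxF -- "$ALLOW_LIST" |
  awk '{ printf "deny ip host %s any\n", $1 }
       END { print "permit ip any any" }'
}

make_acl
```

Review the generated lines before applying them: the validation only checks syntax, so the allow-list is what keeps your own infrastructure out of the deny rules.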
Slide 22: PROCESS

Slide 23: The Importance of Routine
Really, it is like totally important and stuff. What's in your Routine?
Daily
• Alarm Review
• Event Review
• Tuning
Weekly
• Vulnerability Scanning
• Audits

Slide 24: Alarm Review (Putting the routine to work)
First!
• This is your logic at work
Do not stop until critical or high severity are closed.
Investigate by taxonomy
• Exploitation
• Malware
• Policy

Slide 25: Event Review (Often. Do This.)
Set aside time each and every day
• You'll get a feel for it
• You'll recognize patterns
Don't believe me?

Slide 26: WATCH THIS VIDEO

Slide 27: Event Review: Methods
Use the alternative views

Slide 28: PRACTICAL: OTHER VIEWS

Slide 29: Know Your Environment (Yes, Again!)
Vulnerability Scanning
• Run scans regularly
• Run them in a targeted manner
• Establish a remediation plan before scanning
Asset Detection Profiling
• Use Off Hours to detect automatic processes - and then filter them!
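Slide 29's "use off hours to detect automatic processes, and then filter them", worked as an added example that is not from the deck: the sample events, the 00:00-05:59 window and the three-night threshold are constructed assumptions. The awk pass counts distinct nights per source, and the survivors become a filter so that event review time goes to what a scheduled job does not explain.

```shell
# Constructed sample events (not from the deck): "date time source event".
# 10.0.0.5 fires every night at 02:00 (a backup job), 10.0.0.9 appears once
# at night, 10.0.0.7 is daytime only.
sample_events() {
  cat <<'EOF'
2014-05-01 02:00:11 10.0.0.5 smb-login
2014-05-01 09:12:40 10.0.0.7 web-login
2014-05-02 02:00:09 10.0.0.5 smb-login
2014-05-02 03:15:00 10.0.0.9 ssh-login
2014-05-03 02:00:14 10.0.0.5 smb-login
2014-05-03 14:45:02 10.0.0.7 web-login
2014-05-04 02:00:10 10.0.0.5 smb-login
EOF
}

# Assumed off-hours window (hours, inclusive) and how many distinct nights a
# source must recur on before it is treated as an automatic process.
OFF_HOURS_START=0
OFF_HOURS_END=5
MIN_NIGHTS=3

# Print sources seen on at least MIN_NIGHTS distinct dates inside the window.
off_hours_candidates() {
  sample_events |
  awk -v s="$OFF_HOURS_START" -v e="$OFF_HOURS_END" -v min="$MIN_NIGHTS" '
    { hour = substr($2, 1, 2) + 0 }
    hour >= s && hour <= e { nights[$3 SUBSEP $1] = 1 }
    END {
      for (k in nights) { split(k, p, SUBSEP); count[p[1]]++ }
      for (src in count) if (count[src] >= min) print src
    }' |
  sort
}

# Apply the candidates as a filter: what remains is what a human reviews.
filtered_events() {
  cands=$(off_hours_candidates)
  sample_events | awk -v c="$cands" '
    BEGIN { n = split(c, a, "\n"); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    !($3 in skip)'
}

off_hours_candidates
filtered_events
```

A one-off night-time login (10.0.0.9 here) deliberately survives the filter: recurrence across nights, not the hour alone, is what marks a source as a scheduled process.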
Slide 30: Your Environment: Organization
Make Groups
• Organize by
  - Function
  - Location
  - Host Properties
Use Groups for
• Policies
• Scanning
• Event Views

Slide 31: Taking Notes?
There will be a quiz at the end. Not Really.
Information Recording
• Ticketing System
• Wiki
Benefits
• Time Saving
• Knowledge Transfer

Slide 32: THREAT SHARING

Slide 33: Threat Sharing (One Person. Many Friends.)
Anyone? 0-day? More like yesterday. APT? Yeah you know me. Malware makes me happy. Request

Slide 34: THREAT INTELLIGENCE POWERED BY OPEN COLLABORATION
• Diverse set of data & devices
• 8,000 collection points
• 140+ countries
• 500,000 malware samples analyzed daily
• 1500+ Event Correlation Rules
• 5 Event Attack Types

Slide 35: Summary (Today we learned…)
• How to work around the limitations of a small (or one person) team
• Tips for establishing a daily routine
• Strategies to effectively prioritize daily tasks
• Benefits of Threat Intelligence sharing

Slide 36: Final Thought
"Security is your problem, and everyone else's too."

Slide 37: Now for some Q&A…
Learn More about AlienVault USM
Register for our Weekly Live Product Demo: https://www.alienvault.com/marketing/alienvault-usm-live-demo
Download a Free 30-Day Trial: http://www.alienvault.com/free-trial