Talking about the Next-Gen Security Operation Center for IDNIC+APJII as the representative from IDSECCONF. A people-centric SOC requires a lot of investment in people, in terms of both quantity and quality; unfortunately, (good) IT security people are getting rare these days. Organisations need to put more of their investment into technology: as in Industry 4.0, machines are becoming advanced enough to support humans in continuous and repetitive tasks.
Moving from a "traditional" to a next-gen SOC requires a proper plan, and that is what this talk was about.
3. Motivation Behind Attacks Based on Stats (March 2018)
Cyber crime and cyber espionage are what mostly motivates attackers to launch attacks against targeted organisations.
5. What is a SOC?
“A security operations center (SOC) can be defined both as a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.”
– Gartner
10. People-Centric SOC
The roles a people-centric SOC has to staff (one per box on the slide):
• Define the vision for the team; evaluate budgetary and resource concerns
• First line of monitoring: eyes-on-glass monitoring, basic analysis following SOPs / playbooks
• Actively look for loopholes in the network, systems and configuration
• Actively look for threat information and correlate it with the assets belonging to the organisation
• Look deeper into security incidents; assist in investigating cyber crimes
• Remediate security incidents ASAP based on the analysis performed by the security analyst
• Actively dive into SIEM data to look for suspicious activities, especially unknown threats / zero-days
• Configure, fine-tune and maintain the SIEM solution
• Second line of monitoring: more experienced in security analysis
• Coordinate with all team members; define and document the process; run the operations
11. People-Centric SOC
“A people-centric SOC introduces a painful issue to the organisation”
“Don’t you think it is inhuman to let people watch the screen for 8 hours, especially in the middle of the night?”
“It is the Industry 4.0 era”
13. Use Case: Improving MTTD / MTTR (Mean Time To Detect / Mean Time To Respond)
15. SOAR
A Next-Gen SOC utilises SOAR (Security Orchestration, Automation and Response) to turn detections into actionable insights and to interact with the other components in the network on the analysts' behalf.
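To make the orchestration idea concrete, here is an added example of a minimal SOAR-style playbook runner. It is not code from the talk or from any SOAR product; the alert fields, the threat-intel list, the internal address ranges and the `Firewall` interface are all assumptions made for the demo. Each SIEM alert is enriched with threat-intel and internal/external context, and the playbook then either contains the threat automatically (block the source, open a ticket for the first line to verify), isolates the host and escalates to the second line, or just queues a ticket, which is the "machine does the repetitive part, humans look at the unknown-complex part" split the summary describes.

```python
# Added example (not from the talk): a minimal SOAR-style playbook runner.
# Alert fields, the threat-intel list and the Firewall interface are all assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed threat-intel feed for the demo (not a real feed).
THREAT_INTEL = {
    "198.51.100.23": "known C2 (sample)",
    "203.0.113.77": "mass scanner (sample)",
}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Alert:
    alert_id: str
    detected_at: str      # ISO timestamp from the SIEM
    rule: str
    severity: str         # "low" | "medium" | "high"
    src_ip: str
    dst_host: str


@dataclass
class Action:
    alert_id: str
    kind: str             # "block_ip" | "isolate_host" | "ticket" | "escalate"
    target: str
    reason: str


class Firewall:
    """Stand-in for the firewall/EDR API the orchestrator would call (assumed interface)."""

    def __init__(self):
        self.blocked = set()

    def block(self, ip):
        """Idempotent: returns False if the address is already blocked."""
        if ip in self.blocked:
            return False
        self.blocked.add(ip)
        return True


def enrich(alert):
    """Enrichment: add threat-intel and internal/external context to a raw alert."""
    src = ip_address(alert.src_ip)
    return {
        "ti_hit": THREAT_INTEL.get(alert.src_ip),
        "internal_src": any(src in net for net in INTERNAL_NETS),
    }


def run_playbook(alert, fw):
    """Apply the playbook to one alert and execute its actions; returns the actions taken."""
    ctx = enrich(alert)
    actions = []
    if ctx["ti_hit"] and not ctx["internal_src"]:
        # External source corroborated by threat intel: contain without waiting for an analyst.
        if fw.block(alert.src_ip):
            actions.append(Action(alert.alert_id, "block_ip", alert.src_ip, ctx["ti_hit"]))
        actions.append(Action(alert.alert_id, "ticket", alert.dst_host, "auto-contained; L1 to verify"))
    elif alert.severity == "high":
        # High severity with no corroboration: contain the host, then hand it to a human (L2).
        actions.append(Action(alert.alert_id, "isolate_host", alert.dst_host, "high severity, uncorroborated"))
        actions.append(Action(alert.alert_id, "escalate", "L2", "needs human analysis"))
    else:
        # Everything else is queued for the first line of monitoring.
        actions.append(Action(alert.alert_id, "ticket", alert.dst_host, "queued for L1 review"))
    return actions


def process_batch(alerts, fw):
    """Run the playbook over a batch of alerts; returns {alert_id: [actions]}."""
    return {a.alert_id: run_playbook(a, fw) for a in alerts}


# Constructed sample alerts, in the shape a SIEM might emit them.
SAMPLE_ALERTS = [
    Alert("A1", "2018-11-29T02:14:05Z", "c2-beacon", "high", "198.51.100.23", "web-01"),
    Alert("A2", "2018-11-29T02:15:40Z", "c2-beacon", "medium", "198.51.100.23", "web-02"),
    Alert("A3", "2018-11-29T02:20:11Z", "lateral-smb", "high", "192.168.1.10", "fs-01"),
    Alert("A4", "2018-11-29T02:31:27Z", "port-scan", "low", "203.0.113.5", "web-01"),
]

if __name__ == "__main__":
    firewall = Firewall()
    for alert_id, acts in process_batch(SAMPLE_ALERTS, firewall).items():
        for act in acts:
            print(f"{alert_id}: {act.kind} -> {act.target} ({act.reason})")
    print("blocked:", sorted(firewall.blocked))
```

Two design points worth noting: the block action is idempotent, so the second alert from the same C2 address (A2) does not produce a second firewall change, and nothing is contained on severity alone unless it is either corroborated by intel or high enough that isolating the host is cheaper than a missed intrusion; the human analyst only sees what the machine could not decide.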
16. Use Case: Vulnerability Management System
17. Solution: Big Data and AI
A Next-Gen SOC pushes the limits of a three-dimensional paradigm: it needs to increase the detection surface and the decision velocity, and decrease the reaction time, by utilising big data analytics combined with AI technology.
Example output from the slide (translated from Indonesian): “Potential DDoS attack against the IDNIC (Indonesia Network Information Center) website with URL https://www.idnic.id (203.119.13.145) on 29 November 2018”.
18. Analytics in the Next-Gen Security Operation Center
A Next-Gen SOC aims to prevent breaches from happening by leveraging big data and supercomputing capabilities.
19. Summary
• No, the Next-Gen SOC does not intend to replace humans with machines
• The scarcity of IT security people forces us to be more creative in the Industry 4.0 era
• People's roles are “upgraded”, e.g. trainer for the machine, analysing only highly classified unknown/complex threats, data scientist, …
• Converting your facility from traditional to Next-Gen needs a proper plan: map it to your organisation's requirements, focus on the biggest pain points, and improve those with machines
The Cyber Kill Chain is a model popularised by Lockheed Martin that shows the phases in which a real targeted cyber attack takes place. If one of those phases is broken, the targeted attack can be thwarted. This is one of the objectives that justify the need for a SOC.
Speaker note: give a story about why an organisation needs a SOC, and say a little about the Lockheed Martin cyber kill chain concept.