SOCstock 2021 The Cloud-native SOC

Anton Chuvakin
A cloud-native SOC? Say what?
Dr. Anton Chuvakin
https://medium.com/anton-on-security and @anton_chuvakin
Chronicle / Google Cloud Security
Inspiration: a hypothesis - if you are cloud-native, you don’t need a SOC ...
True or false?
Outline
● SOC in 2021 - a quick reminder
● Cloud-native … what does it even mean?
● SOC + cloud-native = ???
● Changes to expect
○ Technology changes
○ Process changes
○ People changes
● What to do? More questions than answers...
SOC?
A security operations center provides
centralized and consolidated
cybersecurity incident prevention,
detection and response capabilities.
–Gartner
First Things First: A SOC is Still … a SOC :-)
SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too.
Reminder: Modern SOC (SOCstock 2020)
● Process structures around threats, not alerts
● Deeper testing and coverage analysis
● Teams are organized by skill, not rigid level
● Multiple visibility approaches, not just logs
● SOC elegantly uses third party services
● Automation via SOAR works as a force multiplier
● Threat intelligence is consumed and created
● Threat hunting covers cases where alerts never appear
Cloud-native?
“Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach. These techniques enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.”
Cloud-native = Born in the Cloud, Lives ...?
SOC + Cloud-native - Impact Assessment?
First … Traditional SOC Monitors Cloud, This Happens!
Note: some of this is about CLOUD and some is about CLOUD-NATIVE!
● Uncommon log collection methods
● Telemetry data volumes may be high
● Alien licensing models for security tools
● Alien detection context (!)
● Lack of clarity on cloud detection use cases
● Governance sprawl
● SOC teams lacking cloud skills
● Ill-fitting tools
● Lack of input from SOCs into cloud decisions
TOOLS: Triad of Visibility + Cloud-native = ???
● Logs (such as via SIEM): Still works! More logs of different types in the cloud.
● Network data (such as via NDR): It depends. Not for SaaS, limited for PaaS, and constrained by encryption.
● Endpoint data (such as via EDR): It depends. Not for SaaS or PaaS. Works for VMs and some containers.
● NEW: application observability: New to cloud, but not fully explored for security use cases.
Note: Cloud or Cloud-native here?
TOOLS: There is a Lot of Cloud - IaaS, PaaS, SaaS
        EDR      NDR      Logs   CASB
IaaS    OK (*)   OK (*)   OK     NO (*)
PaaS    NO       Sort of  OK     Sort of
SaaS    NO       NO       OK     OK
Fortunately, SOAR works with all of them … Hi SIEMplify :-)
Detour: OK, What if I am “All SaaS”?
CASB … one of the nastier Gartner acronyms … that is ...
until CNAPP arrived [sorry, former colleagues] :-)
“Can CASB be my SIEM?” -- Well, sort of ...
“BTW, WTH is CNAPP?” -- Well, look this up, will ya?
PRACTICES: Security Meets Cloud Native
Core SOC practices remain:
● Build detections (*)
● Detect threats
● Triage
● Investigate
● Remediate (*)
New practices around SOC:
● CI/CD and “C-everything”
● DevOps and friends
● Faster everything
● Automated everything
● Developer-led everything
● Everything as code
Note: super-simplistic view of SOC here!
Note: development skills in the SOC: to code and to understand!
Some Answers: Cloud Process + Classic SOC
Adapt FIRST... … Steal SECOND!
● CI/CD process
  ○ Adapt FIRST: applications change, need good asset coverage and vulnerability context
  ○ Steal SECOND: CI/CD for detections
● IT automation
  ○ Adapt FIRST: need to integrate to not be left behind
  ○ Steal SECOND: SOAR and friends, security ops automation
● Everything as code
  ○ Adapt FIRST: absorb new context around infrastructure
  ○ Steal SECOND: detection as code
PEOPLE: SOC Skills vs Cloud Skills
Classic SOC skills:
● Packet decoding
● Network IDS
● Windows security
● Linux/Unix security
● Threat intelligence
● SIEM/log analysis
Cloud skills:
● Containers
● DevOps tools
● Serverless
● Infrastructure as code
● Everything as code
Note: development skills in the SOC; “detection as code” means you need to code!
What to Do?
Going SOC-less for Cloud Natives?
Insight: SOCless detection … is a SOC, perhaps a modern SOC, but SOC nonetheless.
Cloud-native SOCless?
● No room full of analysts, so no physical SOC
● No analyst-only roles and so no hard tiers / levels of 1,2,3
● “Analysts” = detection engineers
● Federated response; the best party responds (!)
● Detection team works closely with teams doing preventative security
● Detection team works closely with developers
● Pipelines from event sources to machines and/or humans, and they work well.
You say “SOCless”
I say “modern SOC”
SOC = detection team!
Select Lessons for On-premise Immigrants...
● NEW MONITORING SUBJECTS
○ Virtual machines [on a hypervisor you don’t own]
○ Containers
○ Functions and services
○ SaaS services
● NEW MONITORING DATA SOURCES
○ Cloud platform logs (e.g. GCP Cloud Audit Log)
○ Various other logs
○ Observability (in-app telemetry, essentially logs)
● NEW MONITORING CONTEXT
○ Account, resource group, distinguished names (sir? :-))
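An added example (not code from the deck) of “detection as code” with the “CI/CD for detections” gate from the Some Answers slide, applied to the new data source and context listed above: entries shaped like GCP Cloud Audit Log records, with the project as detection context. The rule names, roles, principals and sample entries are constructed for this example; only the field layout follows real Cloud Audit Log records.

```python
from dataclasses import dataclass, field
from typing import Callable

# Entries are dicts shaped like GCP Cloud Audit Log activity records (logName,
# resource, protoPayload). All data below is constructed for this example.
Entry = dict

def method(e: Entry) -> str:
    return e.get("protoPayload", {}).get("methodName", "")

def principal(e: Entry) -> str:
    return e.get("protoPayload", {}).get("authenticationInfo", {}).get("principalEmail", "")

def project_id(e: Entry) -> str:
    # New monitoring context: the project/resource, not a hostname or an IP.
    return e.get("resource", {}).get("labels", {}).get("project_id", "")

def binding_deltas(e: Entry) -> list:
    # SetIamPolicy records describe the change as a list of binding deltas.
    return (e.get("protoPayload", {}).get("serviceData", {})
            .get("policyDelta", {}).get("bindingDeltas", []))

def audit_entry(method_name: str, email: str, project: str, deltas=()) -> Entry:
    """Build a constructed, audit-log-shaped entry for rule tests."""
    e = {
        "logName": f"projects/{project}/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "project", "labels": {"project_id": project}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": method_name,
            "authenticationInfo": {"principalEmail": email},
        },
    }
    if deltas:
        e["protoPayload"]["serviceData"] = {"policyDelta": {"bindingDeltas": list(deltas)}}
    return e

@dataclass
class Rule:
    """A detection as code: the logic plus the cases CI checks before deploying it."""
    name: str
    severity: str
    predicate: Callable[[Entry], bool]
    positives: list = field(default_factory=list)  # entries the rule must fire on
    negatives: list = field(default_factory=list)  # entries it must stay quiet on

@dataclass
class Finding:
    rule: str
    severity: str
    project: str
    principal: str
    method: str

PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}

def grants_privileged_role(e: Entry) -> bool:
    return method(e) == "SetIamPolicy" and any(
        d.get("action") == "ADD" and d.get("role") in PRIVILEGED_ROLES
        for d in binding_deltas(e))

def creates_service_account_key(e: Entry) -> bool:
    return method(e) == "google.iam.admin.v1.CreateServiceAccountKey"

def delta(action: str, role: str) -> dict:
    return {"action": action, "role": role, "member": "user:bob@example.com"}

RULES = [
    Rule("privileged_iam_grant", "HIGH", grants_privileged_role,
         positives=[audit_entry("SetIamPolicy", "alice@example.com", "proj-a",
                                [delta("ADD", "roles/owner")])],
         negatives=[audit_entry("SetIamPolicy", "alice@example.com", "proj-a",
                                [delta("REMOVE", "roles/owner")]),
                    audit_entry("SetIamPolicy", "alice@example.com", "proj-a",
                                [delta("ADD", "roles/viewer")])]),
    Rule("service_account_key_created", "MEDIUM", creates_service_account_key,
         positives=[audit_entry("google.iam.admin.v1.CreateServiceAccountKey",
                                "ci@example.com", "proj-b")],
         negatives=[audit_entry("google.iam.admin.v1.DeleteServiceAccountKey",
                                "ci@example.com", "proj-b")]),
]

def rule_test_failures(rules=RULES) -> list:
    """CI gate: a rule that misses a positive or fires on a negative fails the build."""
    failures = []
    for r in rules:
        failures += [f"{r.name}: positive case {i} did not fire"
                     for i, e in enumerate(r.positives) if not r.predicate(e)]
        failures += [f"{r.name}: negative case {i} fired"
                     for i, e in enumerate(r.negatives) if r.predicate(e)]
    return failures

def run_rules(entries, rules=RULES) -> list:
    """Pipeline step: audit entries in, context-enriched findings out."""
    return [Finding(r.name, r.severity, project_id(e), principal(e), method(e))
            for e in entries for r in rules if r.predicate(e)]
```

Running rule_test_failures() in the pipeline before a rule is shipped is the whole of the “CI/CD for detections” idea; run_rules() is the production path over the same rule objects.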
Select Observations on What to Expect
● Data flows vs wires; no more hardware-based security planning
● More application security monitoring (CASB, SaaS security, observability - all relate to applications)
● More “as code” (both “detection as code” and threat detection in CI/CD environments)
● More automation (SOAR links to IT automation) and higher speed
● Some on-premise approaches are a worse fit than others - and some don’t fit at all (passing hyperscaler application access through an on-premise appliance)
Recommendations for Cloud-native SOC Success
● If SOC = detection team, then SOC lives on in the cloud-native world
● Modernize your SOC but preserve the mission: detection and response
● Evolve SOC to more automation to catch up with modern IT
● “DevOps” your detection engineering (Dev = content creator, Ops = analyst)
● Rely on CSP data feeds and tools more; for SaaS, CASB is your friend
● Learn new detection context
● Mercilessly discard tools that don’t fit the cloud practices or fail to support cloud technology