
SOC Architecture - Building the NextGen SOC

Why are APTs difficult to detect
Revisit the cyber kill chain
Process-oriented detection
NextGen SOC Process
Building your threat mind map
Implement and measure your SOC

  1. Building the NextGen SOC. Shomiron DAS GUPTA (GCIA), Founder, CEO, NETMONASTERY Inc. #SACON
  2. Agenda ■ Why are APTs difficult to detect ■ Revisit the cyber kill chain ■ Process-oriented detection ■ NextGen SOC process ■ Building your threat mind map ■ Implement and measure your SOC
  3. Why are we failing to catch them ■ Made to order ■ Exploit trust relationships ■ Multi-stage deployments
  4. The Cyber Kill Chain ■ Reconnaissance ■ Weaponize ■ Delivery ■ Exploitation ■ Installation ■ Command and Control ■ Actions on objectives
  5. So which are the phases you should track to detect Advanced Persistent Threats?
  6. The Cyber Kill Chain ■ Reconnaissance ■ Weaponize ■ Delivery ■ Exploitation ■ Installation ■ Command and Control ■ Actions on objectives
  7. So, what are you looking for? Indicators of Compromise (IOC) or Attempt to Compromise (ATC)
  8. Tackle Detection with Process
  9. Process-Oriented Detection ■ Visualize your engagement with threats ■ Identify detection phases ■ Build a list of primary issues ■ Create use cases ■ Connect use cases for multi-phase threats ■ Burn the context layer into your SIEM for detection
  10. Concerns from the Old SOC ■ Lack of focus on detection ■ Push required to build new rules ■ Rules get outdated before you go to production ■ Continuous improvement doesn't exist ■ Lack of active pursuit
  11. ASOC: one such option. Hunter • Looking for threats • Multiple toolkits • No boundaries - laterals • Finding loopholes • Building content • Writing process • Handover and review → Process → SOC Ops • Understand threats • React - FP filtering • Respond • Resolve • Metrics & improvement • Case retirement
  12. THREAT MAP / PLAY BOOK / USE CASES
  13. What does it take? ■ Approach: IOC or ATC ■ Anticipation: High-probability threats ■ Active Playbook: Build - Review - Improve
  14. WORKSHOP: BUILDING YOUR OWN PLAYBOOK
  15. Implement and Measure ■ Watch for primary issues, not events ■ Connect multi-phase threats automatically with tools ■ Selectively implement incident management ■ Look out for threat trends ■ Cyclically iterate and improve every week
  16. Shomiron DAS GUPTA, shomiron@netmonastery.com, +91 9820336050. Thank You!
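Slides 9 and 15 both ask for use cases to be connected across kill-chain phases so that the SOC watches "primary issues, not events". The following is an added illustration of that idea, not code from the deck or from NETMONASTERY: each SIEM use case emits an alert tagged with the kill-chain phase it detects, alerts are grouped per host, and a single primary issue is raised only when several phases line up in kill-chain order within a time window. The alert fields, use-case names, hosts and timestamps are all constructed for the example.

```python
"""Toy multi-phase correlation over kill-chain-tagged detections.

Instead of raising one ticket per alert, alerts are grouped by host and a
single "primary issue" is raised when several kill-chain phases line up in
order within a time window. All names, fields and sample alerts below are
constructed for this example and are not from any real SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain phases in order, as listed on the slides.
PHASES = ["reconnaissance", "weaponize", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
RANK = {p: i for i, p in enumerate(PHASES)}

# Constructed sample alerts: (timestamp, host, kill-chain phase, use-case id).
# ws-17 shows three phases within minutes; ws-22 shows two phases hours apart;
# srv-db shows a single reconnaissance alert only.
SAMPLE_ALERTS = [
    ("2024-01-10T09:00:00", "ws-17", "delivery", "UC-mail-attachment-macro"),
    ("2024-01-10T09:03:12", "ws-17", "exploitation", "UC-office-spawns-shell"),
    ("2024-01-10T09:05:40", "ws-17", "command_and_control", "UC-beacon-periodic-dns"),
    ("2024-01-10T09:07:00", "ws-22", "delivery", "UC-mail-attachment-macro"),
    ("2024-01-10T11:30:00", "ws-22", "command_and_control", "UC-beacon-periodic-dns"),
    ("2024-01-10T12:00:00", "srv-db", "reconnaissance", "UC-port-sweep"),
]


def correlate(alerts, window_hours=1.0, min_phases=2):
    """Return one primary issue per host whose alerts cover at least
    `min_phases` distinct kill-chain phases, in ascending phase order,
    all within `window_hours` of the first alert in the chain."""
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for ts, host, phase, use_case in alerts:
        by_host[host].append((datetime.fromisoformat(ts), phase, use_case))

    issues = []
    for host, items in by_host.items():
        items.sort()  # chronological order per host
        best = []
        # Start a chain at every alert; extend it with later alerts inside the
        # window whose phase is strictly later in the kill chain than the last
        # alert kept. Keep the longest chain found for the host.
        for i, (t0, p0, uc0) in enumerate(items):
            chain = [(t0, p0, uc0)]
            for t, p, uc in items[i + 1:]:
                if t - t0 > window:
                    break
                if RANK[p] > RANK[chain[-1][1]]:
                    chain.append((t, p, uc))
            if len(chain) > len(best):
                best = chain
        if len({p for _, p, _ in best}) >= min_phases:
            issues.append({
                "host": host,
                "phases": [p for _, p, _ in best],
                "use_cases": [uc for _, _, uc in best],
                "first_seen": best[0][0].isoformat(),
                "last_seen": best[-1][0].isoformat(),
            })
    return issues


if __name__ == "__main__":
    for issue in correlate(SAMPLE_ALERTS):
        print(f"{issue['host']}: {' -> '.join(issue['phases'])} "
              f"({issue['first_seen']} .. {issue['last_seen']})")
```

With the default one-hour window only ws-17 becomes a primary issue; widening the window to three hours also connects the delivery and command-and-control alerts on ws-22, which is the kind of tuning the weekly iterate-and-improve cycle on slide 15 is meant to drive.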
