Cisco Public 1© 2016 Cisco and/or its affiliates. All rights reserved.
Making sense out of the Security Operations
Gaweł Mikołajczyk, gmikolaj@cisco.com
CONFidence 2012
https://www.youtube.com/watch?v=EBi1xlMg5XE
CONFidence 2016 – Network Security Treasures
https://www.youtube.com/watch?v=oc4dgpIS8B4
CONFidence 2016 – Real World Threat Hunting
https://www.youtube.com/watch?v=yY-ljPOVpGY
Four Pillars of Security Operations
Analytics
§ Near real-time analytics
§ Anomaly detection through statistical analysis
§ Zero-day threat focus
§ Deterministic Rules
§ Data Science for behavioral analysis
Technology
§ Hadoop for scalability and redundancy
§ Streaming analytics focused on security
§ Event intel and focused enrichment
§ Full packet capture
Intelligence
§ Access to actionable sources of intelligence
§ Cisco intelligence
§ Customer intelligence
§ Open Source intelligence
People
§ Operationalization
§ Advanced expertise
§ Security research
§ Security talent shortage
I. People in Security Operations – Roles and responsibilities
• Assume 24/7 Operations. How many people do we need?
• Core Operations and Supporting Functions
• Shift-based coverage model. How to share info and collaborate?
• Security Analysts (Tiers), Security Investigators
• Define the skills, roles, responsibilities. IT vs OT.
• Incident Response / Forensics Folks
• Incident and Change Security Engineering
• Automation / Toolset Development – Industry/Homegrown
• Threat Intelligence Expertise, Detection Engines Development, Tuning
• Data Science, Analytics Expertise
• Core System / Platform Development and Security R&D
• Non-technical Functions – Engagement / Escalations / Projects
II. Security Analytics
Deterministic Rules-Based Analytics (DRB)
Benefits:
+ Mature method of analysis
+ Covers the majority of known threats
Challenges:
– Requires tuning
– Depends on prior knowledge of threat behavior
– Does not address polymorphic malware
Statistical Rules-Based Analytics (SRB)
Benefits:
+ Provides Anomaly Detection based on both volume and velocity of data clusters
+ Enables Trend Forecasting
Challenges:
– Produces False Positives
– Requires significant storage and compute
– Allows for only a single variable to be analyzed per model
Data Science-Centric Analytics (DSC)
Benefits:
+ Captures and stores large data sets in its raw format (Data Lake)
+ Classifies events and creates behavior profiles of data captured
Challenges:
– Models are generally customer specific and use case focused
– Requires significant storage and compute
Practical Use Case: OpenDNS Spike Rank (SPRank)
§ Detects spikes in network traffic using mathematical concepts for wave analysis
§ Often found in sound wave analysis (like Shazam, Pandora)
http://blogs.cisco.com/security/how-opendns-predicts-attacks-when-hacker-infrastructure-is-cheap-and-plenty#more-182559
III. Making use of Security Intelligence
Computer Security Incident Response Team (CSIRT): Threat Assessment, Incident Detection and Response, and Incident Trending and Analysis
Product Security Incident Response Team (PSIRT): Global Team Managing the Investigation and Reporting of Vulnerability Information for Cisco Products
Security Research and Operations: Experts with Deep Security Knowledge Deliver Threat Mitigation Procedures for Cisco Products
Security Operations Centers: Cisco Remote Managed Support and Managed Threat Defense
Security Community Data: Actively work with and contribute discovered threat intelligence
Partner Data: Exchange intelligence through private partnerships
Vulnerability Research Team (VRT): Elite cyber security experts dedicated to identifying new trends, malware and vulnerabilities
Sourcefire Vulnerability Research: Research and collection of vulnerabilities on endpoints, mobile devices, virtual systems, web and email
Security Intelligence – How it’s done at Cisco
Cisco Collective Security Intelligence (Cisco Talos), fed by Email, Endpoints, Web, Networks, IPS and Devices
Sources:
§ 180,000+ File Samples per Day
§ FireAMP™ Community
§ Advanced Microsoft and Industry Disclosures
§ Snort and ClamAV Open Source Communities
§ Honeypots
§ Sourcefire AEGIS™ Program
§ Private and Public Threat Feeds
§ Dynamic Analysis
Scale:
§ 1.6 million global sensors
§ 100 TB of data received per day
§ 150 million+ deployed endpoints
§ 600+ engineers, technicians, and researchers
§ 35% worldwide email traffic
§ 13 billion web requests
§ 24x7x365 operations
§ 40+ languages
IV. Technology
[Architecture diagram: Distributed Sensors at Point-of-Presence feed a Centralized DCAP for Storage, Ingest and Analytics; labels recovered below]
Telemetry/Intel sources (Passive Tap, Internal Events Sensor): Machine / App Exhaust, Cisco Products, Third Party Products
Event Entity Intelligence: Cisco ISE, LDAP / Active Directory, Custom / External, Cisco TIP / Talos
Data Functions: Ingest, Parse and Normalize, Compress, Import, Export, Archive, Storage, Search, View
Analytic Functions: Extract Features, Connect Events and Entities, Analyze Features, Machine Learning, Statistical Analysis, Deterministic Analysis, Identify Anomalous, Automated Hunts, Send Notices
Proposed Security Operations Flow Framework
Inputs: Full packet capture, Protocol metadata, Third-party applications, Machine exhaust (logs), Unstructured telemetry, Other streaming telemetry
Pipeline: Parse + Format -> Enrich (with Threat Intelligence Feeds and Enrichment Data) -> Alert
Applications + Analyst Tools: Log Mining and Analytics; Big Data Exploration, Predictive Modelling; Network Packet Mining and PCAP Reconstruction
V. Security Operations Center – Design / Facility
[Facility diagram: Enterprise Premise and SOC Data Center, each behind a Firewall, joined across the Internet by VPN; labels recovered below]
Enterprise Premise: Customer SOC with 24/7 Access over a Secure Connection (HTTPS/SSH/IPSec)
SOC Data Center:
§ Dedicated Customer Segment: Administrative Consoles; Collection, Storage, Analysis
§ Common Services: Portal (Dedicated Customer Portal, Investigator Portal), Ticketing (Alerting/Ticketing System), Threat Intelligence, Authentication Services
Good, now – start building a Playbook
playbook |ˈplāˌbŏk|
noun
A prescriptive collection of repeatable queries (reports) against security event
data sources that lead to incident detection and response.
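The playbook definition above and the DRB/SRB trade-offs from the Security Analytics slide, as one added Python example (not code from the slides, from Cisco or from OpenDNS): two repeatable queries run against a constructed event sample, a deterministic match against a known-bad domain list and a single-variable statistical volume check. All host names, domains and counts are constructed; the z-score scoring is an assumption standing in for whatever statistical model a real SOC would use.

```python
"""Playbook of repeatable queries over security event data (added example,
not from the slides). Models two of the deck's analytics styles as playbook
entries: a deterministic rules-based (DRB) query that needs prior knowledge,
and a statistical rules-based (SRB) query that scores one variable per model.
"""
from collections import Counter
from statistics import mean, pstdev


def build_sample_events():
    """Constructed sample telemetry, not real data: (hour, source host, domain)."""
    events = []
    for hour in range(6):
        for src in ("ws-01", "ws-02", "ws-03"):
            events += [(hour, src, "intranet.example")] * 10   # steady baseline
    events.append((2, "ws-01", "bad.example"))                 # one hit on a listed domain
    events += [(4, "ws-03", "unlisted.example")] * 70          # burst to a domain no list knows
    return events


# Prior knowledge the DRB query depends on (constructed indicator list).
KNOWN_BAD_DOMAINS = {"bad.example"}


def drb_known_bad_domain(events):
    """DRB query: exact match against known indicators.
    Catches the single bad.example request; blind to the unlisted burst."""
    return [e for e in events if e[2] in KNOWN_BAD_DOMAINS]


def srb_request_volume_spike(events, z_threshold=3.0):
    """SRB query: one variable (requests per source per hour), scored with a
    leave-one-out z-score so the cell under test does not inflate its own baseline.
    Flags the ws-03 burst with no indicator at all; a legitimately busy host would
    be flagged the same way, which is the false-positive cost the slide names."""
    counts = Counter((hour, src) for hour, src, _ in events)
    flagged = []
    for cell, n in counts.items():
        others = [v for c, v in counts.items() if c != cell]
        if not others:                      # a single cell has no baseline to compare to
            continue
        mu, sigma = mean(others), pstdev(others)
        if sigma == 0:
            z = float("inf") if n != mu else 0.0
        else:
            z = (n - mu) / sigma
        if z > z_threshold:
            flagged.append((cell[0], cell[1], n, round(z, 1)))
    return sorted(flagged)


# The playbook: named, repeatable queries an analyst runs on every shift.
PLAYBOOK = {
    "drb-known-bad-domain": drb_known_bad_domain,
    "srb-request-volume-spike": srb_request_volume_spike,
}


def run_playbook(events, playbook=PLAYBOOK):
    """Run every playbook query and return a report keyed by query name."""
    return {name: query(events) for name, query in playbook.items()}


if __name__ == "__main__":
    for name, findings in run_playbook(build_sample_events()).items():
        print(f"{name}: {findings}")
```

Each query surfaces what the other cannot: the DRB entry returns only the listed domain, the SRB entry returns only the (hour 4, ws-03) burst.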
Develop a Hot Threats Dashboard
http://blogs.cisco.com/security/implementing-a-hot-threat-dashboard
A SOC Example of Two-Week Timeframe
~19,000 events/day to ~8,000 events/day to ~120 suspicious events/day to ~5 prioritized events/day
Telemetry Ingested by DCAP (Intelligence): 269,808 Security Events
§ Threat intel sourced: 207,992
§ Telemetry generated: 61,816
Unique events, prioritization, correlation (Analytics): 113,713
High fidelity events, triage activities, Analyst -> Investigator (People): 1,710
Post-investigation tickets, actionable by client: 71
Metrics: How do we know you’re working?
Period Ending | SI Events | Device Sourced Events | Total Security Events | High Fidelity Events Investigated | Post Investigation Tickets Created
2/13          | 93,967    | 1,408                 | 95,375                | 2,142                             | 3
2/20          | 249,592   | 5,171                 | 254,763               | 119                               | 2
Reporting – Example Summary of Threats
Reporting – Example Pro-Active Threat Hunting
Present Even More Reasons for Your Existence!
• Top events fired per event source
• Top malicious domain
• Total infected hosts
• Top malware type/family
• Highest areas of infection (lab, DC, DMZ, etc.)
• Infections by theatre
• Infection by role/org (sales, engineering, marketing, etc.)
• Event rates and collection stats (total volume of alarms, then alarms by source, index/filesize avg/day)
• Unique user counts avg/day
• Total attacks blocked
• Top infections by event source (event source detection ranking)
SOC = Tell A Story of Continuous Protection
„If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”
Bruce Schneier, Security Guru
Thank you.
gmikolaj@cisco.com

 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
MID_SIEM_Boubker_EN
MID_SIEM_Boubker_ENMID_SIEM_Boubker_EN
MID_SIEM_Boubker_EN
 
Splunk for Enterprise Security and User Behavior Analytics
 Splunk for Enterprise Security and User Behavior Analytics Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics
 
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thCYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
 
SplunkLive! - Splunk for Security
SplunkLive! - Splunk for SecuritySplunkLive! - Splunk for Security
SplunkLive! - Splunk for Security
 
Splunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout SessionSplunk for Enterprise Security featuring UBA Breakout Session
Splunk for Enterprise Security featuring UBA Breakout Session
 
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...
Streaming Cyber Security into Graph: Accelerating Data into DataStax Graph an...
 
Splunk Discovery Day Dubai 2017 - Security Keynote
Splunk Discovery Day Dubai 2017 - Security KeynoteSplunk Discovery Day Dubai 2017 - Security Keynote
Splunk Discovery Day Dubai 2017 - Security Keynote
 
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit  Odaklı Güvenlik Mimarisinde Sourcefire Yakla...BGA SOME/SOC Etkinliği - Tehdit  Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
BGA SOME/SOC Etkinliği - Tehdit Odaklı Güvenlik Mimarisinde Sourcefire Yakla...
 
Next Generation Security
Next Generation SecurityNext Generation Security
Next Generation Security
 
Splunk for Enterprise Security Featuring User Behavior Analytics
Splunk for Enterprise Security Featuring User Behavior Analytics Splunk for Enterprise Security Featuring User Behavior Analytics
Splunk for Enterprise Security Featuring User Behavior Analytics
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
 
Splunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior AnalyticsSplunk for Enterprise Security featuring User Behavior Analytics
Splunk for Enterprise Security featuring User Behavior Analytics
 
.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session.conf Go Zurich 2022 - Security Session
.conf Go Zurich 2022 - Security Session
 

Recently uploaded

Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 

Recently uploaded (20)

Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 

[CONFidence 2016] Gaweł Mikołajczyk - Making sense out of the Security Operations

6. Cisco Public 6 © 2016 Cisco and/or its affiliates. All rights reserved.
I. People in Security Operations – Roles and responsibilities
• Assume the 24/7 Operations. How many people do we need?
• Core Operations and Supporting Functions
• Shift-based coverage model. How to share info and collaborate?
• Security Analysts (Tiers), Security Investigators
• Define the skills, roles, responsibilities. IT vs OT.
• Incident Response / Forensics Folks
• Incident and Change Security Engineering
• Automation / Toolset Development – Industry/Homegrown
• Threat Intelligence Expertise, Detection Engines Development, Tuning
• Data Science, Analytics Expertise
• Core System / Platform Development and Security R&D
• Non-technical Functions – Engagement / Escalations / Projects
7. II. Security Analytics

Deterministic Rules-Based Analytics (DRB)
Benefits:
+ Mature method of analysis
+ Covers the majority of known threats
Challenges:
– Requires tuning
– Depends on prior knowledge of threat behavior
– Does not address polymorphic malware

Statistical Rules-Based Analytics (SRB)
Benefits:
+ Provides Anomaly Detection based on both volume and velocity of data clusters
+ Enables Trend Forecasting
Challenges:
– Produces False Positives
– Requires significant storage and compute
– Allows for only a single variable to be analyzed per model

Data Science-Centric Analytics (DSC)
Benefits:
+ Captures and stores large data sets in its raw format (Data Lake)
+ Classifies events and creates behavior profiles of data captured
Challenges:
– Models are generally customer specific and use case focused
– Requires significant storage and compute
8. Practical Use Case: OpenDNS Spike Rank (SPRank)
§ Detects spikes in network traffic using mathematical concepts for wave analysis
§ Often found in sound wave analysis (like Shazam, Pandora)
http://blogs.cisco.com/security/how-opendns-predicts-attacks-when-hacker-infrastructure-is-cheap-and-plenty#more-182559
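The spike-detection idea behind slide 8 (and the statistical rules-based approach of slide 7), as an added illustration that is not OpenDNS's SPRank code: per-domain DNS query counts are bucketed in time, a trailing window gives a baseline, and a bucket that rises well above that baseline is flagged. The window, threshold, floor and the sample records are constructed assumptions.

```python
"""Simplified spike detector over per-domain DNS query counts.

Added illustration, not the OpenDNS SPRank implementation: each domain's query
volume is bucketed in time, a baseline mean and standard deviation are taken
over a trailing window, and a bucket whose count rises more than K standard
deviations above that baseline (and above an absolute floor) is a spike.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 6      # trailing buckets forming the baseline (assumed value)
K = 3.0         # z-score threshold (assumed value)
MIN_FLOOR = 20  # ignore tiny absolute counts so low-volume noise is not a spike


def bucket_counts(records, bucket_seconds=600):
    """Aggregate (timestamp, domain) query records into per-domain series.

    Returns {domain: [(bucket_start, count), ...]} in time order. Buckets with
    no queries inside a domain's observed range are filled with zero so gaps
    do not distort the baseline.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ts, domain in records:
        counts[domain][ts - ts % bucket_seconds] += 1
    series = {}
    for domain, per_bucket in counts.items():
        first, last = min(per_bucket), max(per_bucket)
        series[domain] = [(b, per_bucket.get(b, 0))
                          for b in range(first, last + 1, bucket_seconds)]
    return series


def find_spikes(series, window=WINDOW, k=K, floor=MIN_FLOOR):
    """Return [(domain, bucket_start, count, zscore)] for spiking buckets."""
    spikes = []
    for domain, points in series.items():
        for i in range(window, len(points)):
            baseline = [c for _, c in points[i - window:i]]
            mu, sigma = mean(baseline), pstdev(baseline)
            bucket, count = points[i]
            if count < floor:
                continue
            if sigma > 0:
                z = (count - mu) / sigma
            else:
                # flat baseline: any rise above it is an unbounded deviation
                z = float("inf") if count > mu else 0.0
            if z > k:
                spikes.append((domain, bucket, count, z))
    return spikes


def sample_records():
    """Constructed sample: twelve 10-minute buckets starting at t=0.

    steady.example: 10 queries in every bucket (no spike expected)
    burst.example:  2 queries per bucket, then 60 in bucket 9 (spike expected)
    """
    records = []
    for b in range(12):
        start = b * 600
        records += [(start + s, "steady.example") for s in range(10)]
        n = 60 if b == 9 else 2
        records += [(start + s, "burst.example") for s in range(n)]
    return records


if __name__ == "__main__":
    for domain, bucket, count, z in find_spikes(bucket_counts(sample_records())):
        print(f"{domain}: {count} queries in bucket starting t={bucket}s (z={z:.1f})")
```

The floor is what keeps a domain that goes from 0 to 3 queries from being reported; the threshold and window are the tuning knobs slide 7 lists as the cost of statistical methods.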
9. III. Making use of Security Intelligence
• Computer Security Incident Response Team (CSIRT): Threat Assessment, Incident Detection and Response, and Incident Trending and Analysis
• Product Security Incident Response Team (PSIRT): Global Team Managing the Investigation and Reporting of Vulnerability Information for Cisco Products
• Security Research and Operations: Experts with Deep Security Knowledge Deliver Threat Mitigation Procedures for Cisco Products
• Security Operations Centers: Cisco Remote Managed Support and Managed Threat Defense
• Security Community Data: Actively work with and contribute discovered threat intelligence
• Partner Data: Exchange intelligence through private partnerships
• Sourcefire Vulnerability Research – Vulnerability Research Team (VRT): Elite cyber security experts dedicated to identifying new trends, malware and vulnerabilities; research and collection of vulnerabilities on endpoints, mobile devices, virtual systems, web and email
10. Security Intelligence – How it's done at Cisco
[Cisco Collective Security Intelligence / Cisco® Talos diagram; the binary-digit background art is not reproduced]
Intelligence sources:
• 180,000+ File Samples per Day
• FireAMP™ Community
• Advanced Microsoft and Industry Disclosures
• Snort and ClamAV Open Source Communities
• Honeypots
• Sourcefire AEGIS™ Program
• Private and Public Threat Feeds
• Dynamic Analysis
Scale:
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600+ engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 40+ languages
Telemetry: Email, Endpoints, Web, Networks, IPS Devices, WWW
11. IV. Technology
[Architecture diagram; only its labels are recoverable, grouped as best the layout allows]
Telemetry/Intel sources: Passive Tap, Internal Events, Sensor, Machine / App Exhaust, Cisco Products, Third Party Products
Event Entity Intelligence: Cisco ISE, LDAP / Active Directory, Custom / External, Cisco TIP / Talos
Sensors at Point-of-Presence (Distributed): Passive Tap, Parse and Normalize, Extract Features, Compress
Storage, Ingest, Analytics (Centralized DCAP):
• Data Functions: Import, Export, Archive, Search, Storage, View, Ingest
• Analytic Functions: Connect Events and Entities, Analyze Features, Machine Learning, Statistical Analysis, Deterministic Analysis, Identify Anomalous, Automated Hunts, Send Notices
12. Proposed Security Operations Flow Framework
Inputs: Full packet capture, Protocol metadata, Third-party applications, Machine exhaust (logs), Unstructured telemetry, Other streaming telemetry
Pipeline: Parse + Format -> Enrich (fed by Threat Intelligence Feeds and Enrichment Data) -> Alert
Consumers: Log Mining and Analytics; Big Data Exploration, Predictive Modelling; Network Packet Mining and PCAP Reconstruction; Applications + Analyst Tools
13. V. Security Operations Center – Design / Facility
[Facility/network diagram; labels only]
Enterprise premise: Customer SOC (24/7 access), Secure Connection (HTTPS/SSH/IPSec) over VPN / Internet
SOC data center (behind firewalls): Dedicated Customer Segment (Administrative Consoles; Collection, Storage, Analysis); Common Services (Portal, Ticketing, Threat Intelligence, Dedicated Customer Portal, Alerting/Ticketing System, Investigator Portal, Authentication Services)
17. Good, now – start building a Playbook
playbook |ˈplāˌbŏk| noun
A prescriptive collection of repeatable queries (reports) against security event data sources that lead to incident detection and response.
18. Develop a Hot Threats Dashboard
http://blogs.cisco.com/security/implementing-a-hot-threat-dashboard
19. A SOC Example of Two-Week Timeframe
Intelligence -> Analytics -> People funnel over two weeks:
• 269,808 Security Events – Telemetry Ingested by DCAP (61,816 Threat intel sourced + 207,992 Telemetry generated); ~19,000 events/day
• 113,713 – Unique events, prioritization, correlation; ~8,000 events/day
• 1,710 – High fidelity events, triage activities (Analyst -> Investigator); ~120 suspicious events/day
• 71 – Post-investigation tickets, actionable by client; ~5 prioritized events/day
20. Metrics: How do we know you're working?
Period Ending | SI Events | Device Sourced Events | Total Security Events | High Fidelity Events Investigated | Post Investigation Tickets Created
2/13          | 93,967    | 1,408                 | 95,375                | 2,142                             | 3
2/20          | 249,592   | 5,171                 | 254,763               | 119                               | 2
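The playbook definition from slide 17 ("repeatable queries against security event data sources") together with the funnel of slide 19 and the per-period metric columns of slide 20, as an added example that is not Cisco's SOC tooling: a playbook is a list of named queries, each run over every event, and the hits are deduplicated and split into high-fidelity and low-priority sets. The event schema, rule names, priorities and sample events are constructed assumptions.

```python
"""Playbook as code with the funnel / period metrics from slides 19 and 20.

Added illustration, not Cisco's SOC tooling. The event schema (source, host,
day, verdict, category), the rule names and the sample data are assumptions.
"""
from collections import Counter, defaultdict

# A playbook entry is a named, repeatable query: a predicate over one event.
# Priority carries the "high fidelity" notion: only P1/P2 hits reach an analyst.
PLAYBOOK = [
    {"name": "intel_domain_hit", "priority": 1,
     "query": lambda e: e["source"] == "intel" and e.get("verdict") == "malicious"},
    {"name": "ids_exploit_attempt", "priority": 1,
     "query": lambda e: e["source"] == "device" and e.get("category") == "exploit"},
    {"name": "policy_violation", "priority": 3,
     "query": lambda e: e["source"] == "device" and e.get("category") == "policy"},
]
HIGH_FIDELITY_MAX_PRIORITY = 2


def run_playbook(events, playbook=PLAYBOOK):
    """Return [(rule_name, priority, event)] for every query that matches."""
    return [(r["name"], r["priority"], e)
            for e in events for r in playbook if r["query"](e)]


def funnel(events, playbook=PLAYBOOK):
    """Counts for one reporting period, mirroring the slide 20 columns.

    unique_correlated: one entry per (rule, host), i.e. the deduplicated set
    high_fidelity:     unique hits whose rule priority is P1/P2
    """
    hits = run_playbook(events, playbook)
    unique = {(name, e["host"]): prio for name, prio, e in hits}
    high_fid = [p for p in unique.values() if p <= HIGH_FIDELITY_MAX_PRIORITY]
    by_source = Counter(e["source"] for e in events)
    return {
        "si_events": by_source["intel"],
        "device_sourced_events": by_source["device"],
        "total_security_events": len(events),
        "unique_correlated": len(unique),
        "high_fidelity": len(high_fid),
    }


def metrics_by_period(events, period_days=7):
    """Group events into periods of period_days, keyed by the day each period
    ends, and return {period_end_day: funnel_counts} in period order."""
    periods = defaultdict(list)
    for e in events:
        period_end = (e["day"] // period_days + 1) * period_days - 1
        periods[period_end].append(e)
    return {end: funnel(evts) for end, evts in sorted(periods.items())}


def sample_events():
    """Constructed sample: two weeks of events, days 0-13."""
    return [
        {"day": 1, "source": "intel", "host": "h1", "verdict": "malicious"},
        {"day": 1, "source": "intel", "host": "h1", "verdict": "malicious"},  # repeat
        {"day": 2, "source": "intel", "host": "h2", "verdict": "benign"},
        {"day": 3, "source": "device", "host": "h3", "category": "exploit"},
        {"day": 4, "source": "device", "host": "h3", "category": "policy"},
        {"day": 8, "source": "device", "host": "h4", "category": "policy"},
        {"day": 9, "source": "device", "host": "h5", "category": "scan"},
        {"day": 12, "source": "device", "host": "h1", "category": "exploit"},
        {"day": 13, "source": "intel", "host": "h6", "verdict": "malicious"},
    ]


if __name__ == "__main__":
    for period_end, counts in metrics_by_period(sample_events()).items():
        print(f"period ending day {period_end}: {counts}")
```

The post-investigation ticket column is deliberately absent: it is an analyst decision, not a query result, which is the Analyst -> Investigator hand-off slide 19 places after the high-fidelity stage.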
21. Reporting – Example Summary of Threats
22. Reporting – Example Pro-Active Threat Hunting
23. Present Even More Reasons for Your Existence!
• Top events fired per event source
• Top malicious domain
• Total infected hosts
• Top malware type/family
• Highest areas of infection (lab, DC, DMZ, etc.)
• Infections by theatre
• Infection by role/org (sales, engineering, marketing, etc.)
• Event rates and collection stats (total volume of alarms, then alarms by source, index/filesize avg/day)
• Unique user counts avg/day
• Total attacks blocked
• Top infections by event source (event source detection ranking)
24. SOC = Tell A Story of Continuous Protection
25. "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
Bruce Schneier, Security Guru