4. They come in different flavors too
Per Gartner here are some common models
● Virtual SOC
● Dedicated SOC
● Distributed/Co-managed SOC
● Command SOC
● Multifunction SOC / network operations center (NOC)
● Fusion SOC
5. Who am I
Old Prolexic Engineer
Spent some time building SOCs for/with Splunk
Co-Founded Zenedge
Here to share the best advice I have on building a SOC
Funny pic here
20. Threat Modeling
● What threats does my organization care about?
● What does a threat look like?
● How does the SOC block/detect the threat?
21. Responding to Threats
1. Preparation
2. Detection and analysis
3. Containment, eradication, recovery
4. Post-incident Activity (Lessons learned)
22. Example of a Playbook - POST Flood
1. Detection and analysis: origin request volume increases (the attack bypasses the cache); notice POSTs to / in the logs; correlate with the current threat landscape and User-Agents
2. Contact customer
3. Containment, eradication, recovery: another VCL rule
4. Share attack report
5. Post-incident activity (lessons learned): create alerts on POSTs to /, feed the IPs to TIDB, since layer 7 attacker IPs are not spoofed
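As an added illustration of step 1 of this playbook (example code, not from the talk or from Fastly), the Python below scans a constructed, simplified log format for POSTs to / that bypass the cache and reach the origin, then pulls out the User-Agents and source IPs that the customer contact, attack report and IP feed steps need; the log format, field names and thresholds are assumptions.

```python
from collections import Counter

# Constructed sample log lines (not real Fastly data), one request per line:
# client_ip method path cache_status user_agent
SAMPLE_LOGS = """203.0.113.10 POST / PASS python-requests/2.25
203.0.113.10 POST / PASS python-requests/2.25
203.0.113.10 POST / PASS python-requests/2.25
203.0.113.11 POST / PASS python-requests/2.25
203.0.113.11 POST / PASS python-requests/2.25
203.0.113.11 POST / PASS python-requests/2.25
198.51.100.5 GET /index.html HIT Mozilla/5.0
198.51.100.5 GET /assets/app.js HIT Mozilla/5.0
198.51.100.7 POST /login PASS Mozilla/5.0
198.51.100.9 POST / PASS Mozilla/5.0""".splitlines()

# Cache statuses (assumed names) that mean the request was forwarded to the origin.
ORIGIN_STATUSES = {"PASS", "MISS"}


def parse_line(line):
    """Split one constructed log line into fields; the User-Agent may contain spaces."""
    ip, method, path, status, ua = line.split(" ", 4)
    return {"ip": ip, "method": method, "path": path, "status": status, "ua": ua}


def detect_post_flood(lines, threshold, per_ip_min):
    """Flag POSTs to / that bypassed the cache and hit the origin.

    threshold:  origin-bound POST / requests in the window that count as a flood
    per_ip_min: minimum POST / count for an IP to be reported as a source
    Returns None when no flood is seen; otherwise the counts the later playbook
    steps need (customer contact, attack report, IP feed).
    """
    ip_counts, ua_counts = Counter(), Counter()
    for rec in map(parse_line, lines):
        if rec["method"] == "POST" and rec["path"] == "/" and rec["status"] in ORIGIN_STATUSES:
            ip_counts[rec["ip"]] += 1
            ua_counts[rec["ua"]] += 1
    total = sum(ip_counts.values())
    if total < threshold:
        return None
    # Layer 7 requests complete a TCP handshake, so these client IPs are not spoofed.
    sources = sorted(ip for ip, n in ip_counts.items() if n >= per_ip_min)
    return {"origin_posts": total, "top_user_agents": ua_counts.most_common(3), "source_ips": sources}


if __name__ == "__main__":
    print(detect_post_flood(SAMPLE_LOGS, threshold=5, per_ip_min=3))
```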
24. Tiers
SOC I: eyes and ears of operations. The output of SOC I is to triage an event and decide the course of action to take.
SOC II: Mitigators. They correlate and respond to triaged threats detected by SOC I.
SOC III: Specialists. They optimize how SOC I and SOC II operate; Subject Matter Experts.
26. Triage
Investigation
Remediation
Communication
Post Review
Will treating each SIRT as a production incident first reduce our time exposed?
Interview customers to understand what changes need to be made, or hypotheses to test
Run A/B experiments to validate and measure the effectiveness of changes
27. Be a Human
● Do not overwork
● Measure effort, not productivity
● The leader reports to his team. The team has to be the owner
29. In Summary
Every SOC is different and none is perfect
Your customers gotta want it!
Processes lead technology
Religiously Actionable Alerts
34. Agenda
● What really is a SOC
● Intro
● 50k foot view of any SOC
● MSSP vs Internal
● Technology
● Process
● People
● Gotchas
● Questions
Editor's Notes
The definition is loose and it means a lot of things to a lot of people; for example, let's explore Wikipedia
https://www.gartner.com/newsroom/id/3815169
Just like Mario World, there are different games with slightly different changes, but at the core they are very similar in mechanics
I know many of you from Prolexic. Knitting a SOC at Fastly
At a really high level, the process of running any operations boils down to 3 different components that are interconnected
https://www.sans.org/reading-room/whitepapers/analyst/building-world-class-security-operations-center-roadmap-35907
Here is my belief
This is a given, but without business buy-in no project is going anywhere. I have seen this used in every SOC presentation I have seen; although a bit commonsensical, I thought I would share.
Mega
Picture this: you're a team leader with a budget and you
So how can we pivot to the last chart? Let's talk about build versus buy
At the end of the day, with any platform you go with, the truth is that
Let's walk through it
NIST Incident Handling Guide
At Fastly, one of the most common threats we help our customers mitigate is DDoS attacks — specifically pesky Layer 7 floods (GET/POST) which bypass a customer’s cache and affect the origin server directly.
http://theleanstartup.com/
https://blog.rapid7.com/2016/05/03/6-lessons-i-learned-from-working-in-a-soc/
Every SOC is different and none is perfect - they are all different and it is an evolving concept; as a leader you must understand this and embrace change, but also test it rigorously
Your customers gotta want it! - goes back to business buy-in; your customers need to want it, otherwise no matter the value produced
Processes lead technology - a hunting process will determine what tools you need for it, but a tool will never lead you to a better hunting process. Take sandboxing, for example: what good is shiny new sandbox gear if there is no investigation the SOC performs that requires it?
Religiously Actionable Alerts
Document investigation knowledge