Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
•Download as PPTX, PDF•
1 like•159 views
Hey SOC, Look LEFT! by Dr Anton Chuvakin - RSA 2023 Google Cloud booth presentation about SOC success prerequisites.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Similar to Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth (20)
More from Anton Chuvakin
More from Anton Chuvakin (20)
Recently uploaded
Recently uploaded (20)
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
- 1. Mandiant | April 2023 Dr. Anton Chuvakin Office of the CISO, Google Cloud
- 2. Outline Proactive… Are you bored already? Left of SOC? What is there? Three Pillars for SOC Success… That Are NOT in the SOC!
- 3. SOC Deals with Alerts Detections Responses But what is to the LEFT of it?
- 4. Their Left vs Our Left: Stages of the Software Supply Code Build Run Test Scan Deploy Base images Cloud Build Code Policy as Code Image metadata Kubernetes Container Registry Vulnerability Scanning Deploy time policy chokepoint Structured, centralized image knowledge base Centralized, locked down CI/CD pipeline/process
- 5. What Happens BEFORE The Alert? Telemetry sources ● Telemetry data sources: what to log, how to collect, etc ● What context to use for enrichment Intelligence ● Threats in general and your threats ● Threat ranking and relevance Assets / attack surface ● Assets and attack surface ● What do we have on-premise and in the cloud Testing the content and coverage ● Right detection coverage ● Testing and simulation
- 6. Testing Does it actually work? Threats What are we protecting from? 3 Keys to SOC Success Outside the SOC Assets What are we protecting? Detection content is created to cover threats against assets based on intelligence
- 7. The favorites are ● Reliable asset / attack surface inventory ● Reliable telemetry sources ● Current threat awareness ● Well-tested detection content Things that happen to the left of SOC matter a lot! You can’t “10X the SOC” by never leaving it Why Look Left for a SOC?
- 8. thank you
- 9. TL:DR : Shifting Left Keep up with dynamic env. Shift left and shield “right” Test early, defend early Security should be a shared responsibility and pervasive throughout the development, deployment, and operational life-cycles. Security controls should be implemented closer to the data, business logic, and much earlier in the development process.
- 10. Tuning ● Alert enrichment ● Extra context collection ● Alert triage ● Escalation to IR ● Automation and action Security Information and Event Management (SIEM) ● Log collection ● Context collection (identity, asset, threat intel) ● Other telemetry collection (EDR, NDR, etc) Detection rules / content Left of Stem Questions: What to collect (logs/context? How to collect? How to architect collection? What to filter? Right of Stem Questions: What is alert triage process? What additional context to collect? When to escalate? What automation will run? What will go to humans?
Editor's Notes
- RSA 7-8 min preso: go ogle / ASO, Google, SRE lessons for SOC, pick 1 (toil) ||| proactive/reactive, shift left to before the boom D&R [proactive SOC - BS or not?], look to the left! from a detection, ASM, BAS, rule before rule triggers! left from the detection! TI? Hey SOC, look to the left? SIEM in stereo! left and right https://medium.com/anton-on-security/left-of-siem-right-of-siem-get-it-right-4b07c54cf062 not triage and TH but assets -- Security operations has traditionally been reactive in nature - focusing efforts on early detection and response to attacks that have bypassed the organization's defenses. We believe modern security operations must evolve to be more proactive - this requires deep understanding of the adversary activity that is relevant for your organization, visibility into your potential exposure and the ability to integrate proactive remediation into your security operations processes. proactive/reactive, shift left to before the boom D&R [proactive SOC - BS or not?], look to the left! from a detection, ASM, BAS, rule before rule triggers! left from the detection! TI? Hey SOC, look to the left? SIEM in stereo! left and right https://medium.com/anton-on-security/left-of-siem-right-of-siem-get-it-right-4b07c54cf062 Risk -> monitor objectives (“Journey… 1”)
- If we look at the different stages of the software supply chain, first a developer checks in code to Git, then a image is built and test are ran. As your container images are built and pushed to your Registry they might be scanned for known security vulnerabilities and categorized based on CVE rankings (a common compliance requirement.) At the deploy stage, you can use tools like OPA or Anthos Policy Controler and Binary Authorization with Kritis to create deployment policies and deny deployment into your environments based on these policies. Let’s look at these
- Simply put, with shift left, you test early, defend or catch early. You harden or shield the “right” and then most importantly you keep up with the risks in an ever changing environment For example, a new VM instance connecting directly to a database server in the cardholder data environment (CDE) automatically becomes part of the CDE and thus is subject to PCI-DSS. So you want to that piece of code that deploys the VM to perform firewall checks on the VM before it attaches itself to the CDE. With cloud and in general security should be a shared responsibility and pervasive throughout the development, deployment, and operational life-cycles. You also want to Declare your compliance outcomes. Or in other words, you want to shift left and declare your compliance outcome as code.