4. Their Left vs Our Left:
Stages of the Software Supply Chain
Code Build Run
Test Scan Deploy
Base images
Cloud Build
Policy as Code
Image metadata
Kubernetes
Container Registry
Vulnerability Scanning
Deploy time policy chokepoint
Structured, centralized image knowledge base
Centralized, locked down CI/CD pipeline/process
5. What Happens BEFORE The Alert?
Telemetry sources
● Telemetry data sources: what to log, how to collect, etc
● What context to use for enrichment
Intelligence
● Threats in general and your threats
● Threat ranking and relevance
Assets / attack surface
● Assets and attack surface
● What do we have on-premise and in the cloud
Testing the content and coverage
● Right detection coverage
● Testing and simulation
6. 3 Keys to SOC Success Outside the SOC
Testing: Does it actually work?
Threats: What are we protecting from?
Assets: What are we protecting?
Detection content is created to cover threats against assets based on intelligence
7. The favorites are
● Reliable asset / attack surface inventory
● Reliable telemetry sources
● Current threat awareness
● Well-tested detection content
Things that happen to the left of SOC matter a lot!
You can’t “10X the SOC” by never leaving it
Why Look Left for a SOC?
9. TL;DR: Shifting Left
Keep up with dynamic env.
Shift left and shield “right”
Test early, defend early
Security should be a shared responsibility and pervasive throughout the development, deployment, and operational life-cycles.
Security controls should be implemented closer to the data, business logic, and much earlier in the development process.
10. Tuning
● Alert enrichment
● Extra context collection
● Alert triage
● Escalation to IR
● Automation and action
Security Information and Event Management (SIEM)
● Log collection
● Context collection (identity, asset, threat intel)
● Other telemetry collection (EDR, NDR, etc)
Detection rules / content
Left of SIEM
Questions:
What to collect (logs/context)?
How to collect?
How to architect collection?
What to filter?
Right of SIEM
Questions:
What is the alert triage process?
What additional context to collect?
When to escalate?
What automation will run?
What will go to humans?
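The two question lists above describe one pipeline: "left of SIEM" decides what gets collected, filtered and enriched before anything is stored; "right of SIEM" decides what happens once a rule fires. The following Python is an added example (not from the slides or the linked post) that walks constructed JSON log lines through both halves: a collection filter, asset/identity/threat-intel enrichment, one detection rule, and a triage step that decides between escalation to IR and the analyst queue. All log lines, asset records, identities, the threat-intel entry and the rule threshold are constructed for illustration.

```python
"""Added example: a toy 'left of SIEM / right of SIEM' pipeline.
Left of SIEM: collect, filter, enrich. Right of SIEM: detect, triage, route.
Every input below (logs, assets, identities, threat intel) is constructed."""
import json
from dataclasses import dataclass, field

# Constructed raw telemetry, as JSON lines an authentication system might emit.
RAW_LOGS = [
    '{"ts":"2024-01-01T10:00:00Z","src_ip":"10.0.0.5","user":"alice","event":"login","result":"success"}',
    '{"ts":"2024-01-01T10:00:01Z","src_ip":"10.0.0.5","user":"alice","event":"heartbeat"}',
    '{"ts":"2024-01-01T10:01:00Z","src_ip":"203.0.113.9","user":"svc-backup","event":"login","result":"fail"}',
    '{"ts":"2024-01-01T10:01:05Z","src_ip":"203.0.113.9","user":"svc-backup","event":"login","result":"fail"}',
    '{"ts":"2024-01-01T10:01:10Z","src_ip":"203.0.113.9","user":"svc-backup","event":"login","result":"success"}',
]

# Constructed context sources: asset inventory, identity directory, threat intel.
ASSETS = {"10.0.0.5": {"name": "ws-alice", "tier": "workstation", "cde": False}}
IDENTITIES = {"alice": {"type": "human"}, "svc-backup": {"type": "service", "owner": "db-team"}}
THREAT_INTEL = {"203.0.113.9": "constructed-bruteforce-source"}  # constructed indicator


def collect(lines):
    """Left of SIEM: parse, then filter. Heartbeats are dropped at the source
    so they never cost storage or detection time."""
    events = [json.loads(line) for line in lines]
    return [e for e in events if e.get("event") != "heartbeat"]


def enrich(event):
    """Left of SIEM: attach asset, identity and threat-intel context to each event."""
    e = dict(event)
    e["asset"] = ASSETS.get(e["src_ip"], {"name": "unknown", "tier": "unknown", "cde": None})
    e["identity"] = IDENTITIES.get(e["user"], {"type": "unknown"})
    e["ti_hit"] = THREAT_INTEL.get(e["src_ip"])
    return e


@dataclass
class Alert:
    rule: str
    user: str
    src_ip: str
    severity: str
    context: dict = field(default_factory=dict)


def detect(events, fail_threshold=2):
    """Detection content: at least `fail_threshold` failed logins followed by a
    success from the same source and user."""
    alerts = []
    fails = {}
    for e in events:
        if e.get("event") != "login":
            continue
        key = (e["src_ip"], e["user"])
        if e.get("result") == "fail":
            fails[key] = fails.get(key, 0) + 1
        elif e.get("result") == "success" and fails.get(key, 0) >= fail_threshold:
            alerts.append(Alert("bruteforce_then_success", e["user"], e["src_ip"], "medium",
                                {"failures": fails[key], "ti_hit": e["ti_hit"],
                                 "identity": e["identity"]}))
            fails[key] = 0
    return alerts


def triage(alert):
    """Right of SIEM: adjust severity using the enrichment, then route the alert."""
    a = Alert(alert.rule, alert.user, alert.src_ip, alert.severity, dict(alert.context))
    if a.context.get("ti_hit"):
        a.severity = "high"
    if a.context.get("identity", {}).get("type") == "service":
        a.severity = "high"  # service accounts rarely log in interactively
    a.context["action"] = "escalate_to_ir" if a.severity == "high" else "queue_for_analyst"
    return a


def run_pipeline(lines):
    """Collect -> enrich -> detect -> triage, returning the routed alerts."""
    events = [enrich(e) for e in collect(lines)]
    return [triage(a) for a in detect(events)]


if __name__ == "__main__":
    for alert in run_pipeline(RAW_LOGS):
        print(alert)
```

The point of the split is that the enrichment attached on the left (identity type, threat-intel hit) is what lets the triage step on the right route the alert without a human looking up context by hand.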
Editor's Notes
RSA 7-8 min preso: go ogle / ASO, Google, SRE lessons for SOC, pick 1 (toil) |||
proactive/reactive, shift left to before the boom D&R [proactive SOC - BS or not?], look to the left! from a detection, ASM, BAS, rule before rule triggers! left from the detection! TI?
Hey SOC, look to the left? SIEM in stereo! left and right
https://medium.com/anton-on-security/left-of-siem-right-of-siem-get-it-right-4b07c54cf062
not triage and TH but assets
--
Security operations has traditionally been reactive in nature - focusing efforts on early detection and response to attacks that have bypassed the organization's defenses. We believe modern security operations must evolve to be more proactive - this requires deep understanding of the adversary activity that is relevant for your organization, visibility into your potential exposure and the ability to integrate proactive remediation into your security operations processes.
Risk -> monitor objectives (“Journey… 1”)
If we look at the different stages of the software supply chain, first a developer checks in code to Git, then an image is built and tests are run.
As your container images are built and pushed to your registry they might be scanned for known security vulnerabilities and categorized based on CVE rankings (a common compliance requirement).
At the deploy stage, you can use tools like OPA or Anthos Policy Controller and Binary Authorization with Kritis to create deployment policies and deny deployment into your environments based on these policies.
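The slide's "deploy time policy chokepoint" is a gate that reads the structured image knowledge base and refuses a deployment that does not meet policy. The following Python is an added example (not from the slides and not the policy language of OPA, Policy Controller, Binary Authorization or Kritis) that evaluates such a gate against a constructed image record: the image must come from the locked-down registry and be pinned by digest, its vulnerability scan must be recent and contain nothing above the allowed CVE severity, and it must carry a build attestation. Registry names, the fixed clock, the CVE-style ids and the attestation label are all constructed placeholders.

```python
"""Added example: a deploy-time policy gate over structured image metadata.
Registries, scan results, ids and attestations are constructed placeholders."""
from datetime import datetime, timedelta, timezone

TRUSTED_REGISTRIES = ("registry.example.internal/prod/",)   # constructed allow-list
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
MAX_SCAN_AGE = timedelta(days=7)                             # scans older than this are stale

NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)            # fixed clock for a deterministic run
POLICY = {"max_severity": "MEDIUM", "require_attestation": True}

# Constructed records of the kind a centralized image knowledge base would hold.
GOOD_IMAGE = {
    "ref": "registry.example.internal/prod/api@sha256:" + "a" * 64,   # placeholder digest
    "scan": {"scanned_at": "2024-01-09T00:00:00+00:00",
             "findings": [{"id": "CVE-0000-0001", "severity": "LOW"}]},  # placeholder id
    "attestations": ["built-by-ci"],
}
BAD_IMAGE = {
    "ref": "docker.io/someone/api:latest",                              # untrusted, tag-pinned
    "scan": {"scanned_at": "2023-12-01T00:00:00+00:00",
             "findings": [{"id": "CVE-0000-0002", "severity": "CRITICAL"}]},  # placeholder id
    "attestations": [],
}


def violations(image, policy, now=None):
    """Return every policy violation for one image; an empty list means 'allow'."""
    now = now or datetime.now(timezone.utc)
    problems = []

    ref = image["ref"]
    if not any(ref.startswith(r) for r in TRUSTED_REGISTRIES):
        problems.append(f"{ref}: not from a trusted registry")
    if "@sha256:" not in ref:
        problems.append(f"{ref}: must be pinned by digest, not by tag")

    scan = image.get("scan")
    if scan is None:
        problems.append(f"{ref}: no vulnerability scan on record")
    else:
        scanned_at = datetime.fromisoformat(scan["scanned_at"])
        if now - scanned_at > MAX_SCAN_AGE:
            problems.append(f"{ref}: scan older than {MAX_SCAN_AGE.days} days")
        limit = SEVERITY_RANK[policy["max_severity"]]
        for finding in scan["findings"]:
            if SEVERITY_RANK[finding["severity"]] > limit:
                problems.append(f"{ref}: {finding['id']} is {finding['severity']} "
                                f"(limit {policy['max_severity']})")

    if policy.get("require_attestation") and not image.get("attestations"):
        problems.append(f"{ref}: missing build attestation")
    return problems


def admit(deployment, policy, now=None):
    """Deploy-time gate: deny the whole deployment if any container image fails.
    Returns (allowed, list_of_problems)."""
    all_problems = []
    for image in deployment["images"]:
        all_problems.extend(violations(image, policy, now))
    return (len(all_problems) == 0, all_problems)


if __name__ == "__main__":
    for label, deployment in (("good", {"images": [GOOD_IMAGE]}),
                              ("mixed", {"images": [GOOD_IMAGE, BAD_IMAGE]})):
        allowed, problems = admit(deployment, POLICY, NOW)
        print(label, "ALLOW" if allowed else "DENY")
        for p in problems:
            print("  -", p)
```

Note that the gate reports every violation rather than stopping at the first one, so the team that owns the image sees the whole list in a single failed deploy instead of fixing one item per attempt.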
Let’s look at these
Simply put, with shift left, you test early and defend or catch early. You harden or shield the “right”, and then, most importantly, you keep up with the risks in an ever-changing environment.
For example, a new VM instance connecting directly to a database server in the cardholder data environment (CDE) automatically becomes part of the CDE and is thus subject to PCI-DSS. So you want the piece of code that deploys the VM to perform firewall checks on the VM before it attaches itself to the CDE.
With cloud, and in general, security should be a shared responsibility and pervasive throughout the development, deployment, and operational life-cycles.
You also want to declare your compliance outcomes.
In other words, you want to shift left and declare your compliance outcome as code.
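The CDE example above has two parts: scope is inferred (anything that connects to a CDE system is in the CDE) and a control is required before the connection is made (firewall checks on the VM). The following Python is an added example (not from the slides) of declaring that outcome as code: it computes the CDE scope transitively from a constructed resource graph, then refuses the deployment unless every in-scope VM has a default-deny ingress policy whose allow rules name a source range and a port. Resource names, networks and firewall rules are all constructed.

```python
"""Added example: 'compliance outcome as code' for the PCI scoping rule.
Resource names, connections and firewall rules are constructed."""
from collections import deque

# Constructed resource inventory. 'connections' lists (src, dst) pairs meaning
# src is allowed to talk to dst; the scoping walk follows them in reverse.
RESOURCES = {
    "db-cardholder": {"type": "database", "cde": True},
    "app-vm": {"type": "vm", "firewall": {"ingress_default": "deny",
               "ingress_allow": [{"source": "10.10.0.0/24", "port": 443}]}},
    "new-vm": {"type": "vm", "firewall": {"ingress_default": "allow"}},
    "marketing-vm": {"type": "vm", "firewall": {"ingress_default": "allow"}},
}
CONNECTIONS = [("app-vm", "db-cardholder"), ("new-vm", "app-vm"), ("marketing-vm", "cdn")]


def cde_scope(resources, connections):
    """Return the names in CDE scope: everything tagged cde=True plus everything
    that can reach it, transitively, through the declared connections."""
    in_scope = {name for name, r in resources.items() if r.get("cde")}
    reverse = {}
    for src, dst in connections:
        reverse.setdefault(dst, []).append(src)
    queue = deque(in_scope)
    while queue:
        node = queue.popleft()
        for src in reverse.get(node, []):
            if src not in in_scope:
                in_scope.add(src)
                queue.append(src)
    return in_scope


def firewall_violations(vm):
    """The control an in-scope VM must satisfy before it may attach to the CDE:
    default-deny ingress, with allow rules that name a source range and a port."""
    fw = vm.get("firewall", {})
    problems = []
    if fw.get("ingress_default") != "deny":
        problems.append(f"{vm['name']}: ingress default must be deny")
    for rule in fw.get("ingress_allow", []):
        if rule.get("source") in (None, "0.0.0.0/0", "::/0"):
            problems.append(f"{vm['name']}: allow rule must name a source range")
        if rule.get("port") in (None, "*", "all"):
            problems.append(f"{vm['name']}: allow rule must name a port")
    return problems


def check_deployment(resources, connections):
    """Infer scope, then check every in-scope VM. Returns (scope, problems);
    an empty problem list means the deployment may proceed."""
    scope = cde_scope(resources, connections)
    problems = []
    for name in sorted(scope):
        r = dict(resources.get(name, {}), name=name)
        if r.get("type") == "vm":
            problems.extend(firewall_violations(r))
    return scope, problems


if __name__ == "__main__":
    scope, problems = check_deployment(RESOURCES, CONNECTIONS)
    print("in CDE scope:", sorted(scope))
    print("DENY" if problems else "ALLOW", problems)
```

In this constructed inventory `new-vm` never touches the database directly; it is pulled into scope because it can reach `app-vm`, which can. That transitive step is exactly what a manual scoping review tends to miss and what the code makes explicit.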