SlideShare a Scribd company logo

Journey to the Center of Security Operations

♟Sergej Epp

Why is Security Orchestration Automation & Response (SOAR) becoming the gravity center of Security Operations Centers worldwide?

Technology
1 of 30
Download to read offline
JOURNEY TO THE CENTER OF SECURITY OPERATIONS SERGEJ EPP Chief Security Officer, Central Europe
FRANKFURT, GERMANY 2 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. SERGEJ EPP Chief Security Officer, Central Europe § Regional Cybersecurity Strategy and Operations § Thought Leadership Global Head of Cyber Forensics & Investigations Global Head of Cyber Hygiene Operations § Endpoint Detection Response § Fraud & Insider Investigations § Firmware and Supply Chain Forensics § Configuration Management, Neutral Control Global Head of Cyber Defense Center § Threat Intelligence § Threat and Forensics Response § Red Team § Cyber Analytics & Big Data § Security Awareness and Roadshows WHOAMI
EVOLUTION OF INFORMATION SECURITY OPERATIONS 3 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. NOC Compliance SOC Threat-Intel Driven SOC Integrated SOC Fusion Center Level 1 Perimeter focused operations Level 2 SIEM based, Policy driven operations and static playbooks Level 3 Threat-Intelligence focused security operations Level 4 Integrated detection, incident response, forensics, intelligence and vulnerability functions Level 5 Integrated non- cybersecurity functions such as physical security, fraud or business operations
4 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
5 | © 2018, Palo Alto Networks. All Rights Reserved. We have not responded to an intrusion using a ZeroDay exploit in the last 24 months - National Security Agency* * RSA Conference 2019 “ ”
GROW YOUR RISK MANAGEMENT 6 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. § Connected vehicle (air/rail/car) threats § Quantum computing § Data exfiltration in the cloud § Cyber Hygiene § AI voice fraud § AI phishing § AI chatbots § Firmware implants § Destructive threats § ID mass blackmailing § OT/IoT Threats § Insider Threat § Third Party Threat § Spyware § Identity theft § Ransomware Virus § AI Exploit Fuzzing § AI Malware Gen. § Biometrics loss § CEO Fraud § Compromised patch control § Crimeware-as-a- service § Phishing § Supervisory Oversight § BYOD threats § Attack obfuscation § Denial of Service § Banking Malware § Advanced regulations § Cryptojacking 10 mio 5 mio 1 mio 100k 10k 1% 2% 5% 10% 20% VULNERABILITIES AND MISCONFIGURATIONS IF YOU CAN FIX ONLY 1/10 OF YOUR VULNERABILITIES, WHICH ONES WILL YOU FIX? CVE-2017-0143 (aka EternalBlue) • Security risk = CVSS 9.3 High • Business risk = Critical • Change risk = Medium
7 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
HYPE CYCLE REACTIVE PREVENTIVE 80% of Enterprises IT investment in security* 72% of VC investments in security startups** *Source: VmWare Analysis ** Cyber Defenders Report, CB Insights 2019
9 | © 2018, Palo Alto Networks. All Rights Reserved. BURDEN TO TRIAGE IS STILL A PROBLEM A Tier concept makes sense when the symptoms are well understood. In cybersecurity, we ask the most unexperienced analyst in Tier1 to identify APT attacks. Are you surprised this does not work? TIER 1 TIER 2 TIER 3 106.887.657.123 37% Manual alert enrichment (e.g. checking IP in database)* The Definition of SOC-cess? SANS 2018 Security Operations Center Survey 34% Mostly automated alert enrichment* ALERT ENRICHMENTLACK OF CONSISTENT VISIBILITY FALSE POSITIVE FATIGUE FRONT LINE OF DEFENSE Threat actors are often leveraging Shadow IT, IoT devices or simply unmanaged devices to maintain persistent access. It requires a fusion between SIEM, network, endpoint etc. to enable triage of activities. Examples: APT10 (CloudHopper), NSA TAO Event if the attack is detected the chance that its identified by the analyst is small due to to many false positives Bonus: Hackers often launch a DDoS attack to flood SIEM systems shortly after a successful targeted attack against a bank.
COLLECTING OR DETECTING? 10 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. BOTTOM-UP start with data LOG DATA TOP-DOWN start with use case MONTHS vs. DAYS Identify most relevant threats Create use-cases Collect only relevant data Analyze alerts Parse and interpret data Collect available data sources Build use case Data is oil for security operations teams, but collecting simply all available data will not only overload your infrastructure but also impact capacity of your team. Top-down approach considering the entire end-2-end (Identify- detect-respond) use-cases is the way to go for most of the SOCs.
Alerts must be 90%+ True Positive Move high False Positive Alerts to Hunting Dedicated hunt time Move high True Positive to Alerting 11 | © 2019 Palo Alto Networks. All Rights Reserved. Alerting Program Hunting Program „HUNTING IS A PROCESS, NOT A DEDICATED TEAM“
12 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. MACHINE LEARNING WILL INCREASE AUTOMATED RESPONSES PRE-COMPUTE LEARNING OF 1,000+ BEHAVIORAL DIMENSIONS Time Profile • History, per Detector • Network -> Application Peer Profile • Peer profile, per Detector Entity Profile • Entity Type • User, admin, workstation, server, server type MLTechnique Pre-Compute Learning UNSUPERVISEDSUPERVISED
13 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
14 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. GORCH FOCK SOC DATA LAKE
15 | © 2015, Palo Alto Networks. Confidential and Proprietary. DEMISTO - ORCHESTRATION ENGINEER ORCHESTRATEPLATFORMIZE
Reconnaissance Weaponization and Delivery Exploitation Command and Control Lateral Movement Installation Actions on the Objective Automated Detection and Prevention Threat Alerting and Hunting Focus on this side Focus on this side AFAutoFocus TRTraps WFWildFire GPGlobalProtect AP Aperture 16 | © 2019 Palo Alto Networks. All Rights Reserved. Cortex XDR SHIFT RIGHT – TAKE THE HUMANS OUT OF ROBOTS
17 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASESecurity Operations Update: 1. Your Threat Intelligence team reports other companies experiencing the same Ransomware based cyberattack. 2. The attackers demand Bitcoin in order to decrypt the hard drive. 3. An interesting observation is that the Bitcoin wallet address is always the same.
THREAT INTELLIGENCE 18 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. ✓ Mature capability for most organizations ✘ More than 95% of consumed intelligence is already known (Waste of money and time) ✘ Companies lack instrumentation of controls to automate consumption ✘ Most companies don’t generate actively threat intelligence CONSUME GENERATE SHARE OPERATIONAL (IOCs, TTPs,) TACTICAL (Adversary campaigns, Trends, Sharing) STRATEGIC (Business risk) ✓ Maturity on government level resulting in cyber policy influence ✘ Most boards lack understanding that they are in software business and cyber is one of the greatest risk ✘ Investment in cybersecurity are by far not proportional to investments in digitalization ✓ Mature capability in some industries e.g. Financial Industry. ✓ Strong community focus e.g. CTA, CSSA, CDA, FS-ISAC ✘ Application of Active Cyber Defense lifecycle takes time
EXAMPLE: INSTRUMENT YOUR CONTROLS FOR CONSUMPTION Block list Quarantine list Alert list Sandbox ExploitKits, Scanning IPs C2 IPs Move to quarantine network Rebuild device Analyze device Signatures Firewall Endpoint Indicators APT IPs Notify user AI: beaconing SHARING User Violation
MEASURING AND IMPROVING SOC-CESS 24 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. www.soc-cmm.com
THREE CATEGORIES OF METRICS HEALTH % of controls running % of assets configured to best practices % of vulnerable systems % of traffic visible … Mean time to detect (MTTD) Time to discover all impacted assets Completeness per IOC sweep Detection for % of all attack vectors Detection for % of all data leakage vectors % of false positive alerts per analytic % of attacks automatically prevented % of users with privilege rights … RESILIENCE Mean time to respond (MTTR) Mean time to rebuild a desktop % of automated countermeasures % of red team exercises detected Time from intrusion to eradication (dwell) … VISIBILITY BUSINESS VALUE AND PRODUCTIVITY METRICS § Losses occurred vs. losses prevented § Mean cost per incident § % of XXX vs industry benchmark …
EXAMPLE: CONFIGURATION OF ATT&CK VISIBILITY – DETT&CT 27 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. ü Identification of your visibility/log/detection maturity for common attacks described in ATT&CK can help to prioritize configuration ü BUT: To set the right coverage bar for your organization requires mature understanding for relevant threat actor
EXAMPLE: CONFIGURATION OF DATA LEAKAGE VISIBILITY 28 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. HTTP HTTPS FTP FTPS SMTP ICMP DNS TELNET DNSSEC 62% of known data leakage vectors are identified or prevented Exfiltration of sensitive large data sets sent over longer period of time is not being detected! DATA LEAKAGE SIMULATION Easy and effective deployment allows both: • Prioritize configuration and rules in production • Test security products as part of PoC BUT, how do you define the threshold?
29 | © 2015, Palo Alto Networks. Confidential and Proprietary. PLAN FINANCIAL EXISTING METRICS SOAR DOPLAN CHECKACT VERIFICATION DOPLAN CHECKACT DOPLAN CHECKACT THE PATH TO METRICS MATURITY Mean time to X SOC productivity Countermeasure automation Stakeholder responsiveness Network Endpoint Email Security Controls Controls Resilience Exploitation Exfiltration Financial impact Fraud
EVOLUTION OF THE SOC ROLE – HOW TO KEEP UP? 30 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. *The Definition of SOC-cess? SANS 2018 Security Operations Center Survey TRAINING / ROTATIONS § Technical trainings (e.g. SANS, Data Science) § Rotation between offensive and defensive teams CAREER PATH Especially for technical experts, who are not interested in team management but still want to influence the strategic direction of the company CULTURE OF CURIOSITY will attract smart and passioned talent and help to grow naturally skill and capability LEGAL ENABLEMENT § Access to security data and analysis § Threat Sharing Lack of skilled staff is #1 problem in most organizations* Attrition rates of 20-25% are common in our business. What can be done to retain the staff? FROM ANALYST TO CODER AND DATA SCIENTIST
enterprise apps today are cloud-enabled /cloud-native Cloud is Everywhere Containers Have Gone Mainstream enterprises will use containers by 2020 8 of 10 1 in 2 of cloud users leverage 2 or more cloud providers (Gartner) 81% Multi-Cloud CLOUD SECOPS IS HEAVILY BEHIND SANS 2019 Cloud Security Survey ● 99% of cloud security failures will be the customers fault by 2023 (Gartner) ● 42% Lack of skills or training for specific public cloud services* ● 52% Inability to respond to incidents traversing our cloud apps and data* CYBERSECURITY LACKS ADOPTION FOR CLOUD TRANSFORMATION
32 | © 2018 Palo Alto Networks, Inc. All Rights Reserved. SHIFT LEFT PRINCIPLES </> Code Build Test Deploy Monitor CI Continuous Integration CD Continuous Deployment SHIFT LEFT – WILL INCREASE CODING SKILLS IN SECOPS TEAMS 1. Security by design - establish criteria upfront 2. Integrate, automate, automate 4. Share tooling - don’t silo information 5. Train your developer teams for better awareness 3. Establish control gates SIEM IDS
COLLABORATION IS EXPLODING 33 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. FUSION CENTER DEPLOY STAFF IN SOC DEPLOY LIASON OFFICERS IN BUSINESS DEPARTMENTS PHYSICAL ✓ Insights into cyber threat actors ✓ Joint work on cyber enabled physical bugs TRANSPORTATION FRAUD BUSINESS ISOs ✓ Joint monitoring of transportation products ✓ Examples: Connected Car, Airplanes, Railways ✓ Improved time to mitigation for cyber enabled fraud ✓ Typically senior security manager roles ✓ Brokers stakeholder relationship and governs remediation in specific business unit DELEGATED TRIAGE ✓ Delegate triage of alerts to users e.g. “Have you been to Switzerland yesterday?”
34 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. TRANSFORM YOUR TEAM § Start hiring software engineers and data scientist § Focus on data analysis (Hunting is a process) and communication § Stop Use-Cases below 90% true positive and move to hunting MEASURE SMART § Show business impact § Crawl, walk, run (Same as LEGO) § Focus on “health” usecases first MODERNIZE TECH. STRATEGY § Build technology around automation and not vice versa § Evaluate your toolset: § Take out two for introducing one § Increase penetration rate § Enable features AUTOMATIZE PRODUCTION § Make automation a personal goal for everyone § Prevention First § Increase % of § enriched alerts § of automated countermeasure deployments DEMOCRATIZE COLLABORATION § Implement Delegated Monitoring TAKE AWAYS
35 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. Let‘s SOAR

Recommended

PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
Prime Infoserv
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
Symantec Brasil
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
Prime Infoserv
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Priyanka Aash
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
IBM Security
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 

Recommended

PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
Prime Infoserv
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
Symantec Brasil
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
Prime Infoserv
 
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationIntegrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
Priyanka Aash
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
IBM Security
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEMUpgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
Elasticsearch
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: Revolutions
Sounil Yu
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOAR
DNIF
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE - ATT&CKcon
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
Dilum Bandara
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
WAJAHAT IQBAL
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
Arpan Raval
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
AlienVault
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Splunk Phantom SOAR Roundtable
Splunk Phantom SOAR RoundtableSplunk Phantom SOAR Roundtable
Splunk Phantom SOAR Roundtable
Splunk
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
Radar Cyber Security
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
SecPod Technologies
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Angeloluca Barba
 

More Related Content

What's hot

Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEMUpgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
Elasticsearch
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: Revolutions
Sounil Yu
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOAR
DNIF
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE - ATT&CKcon
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
Dilum Bandara
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
WAJAHAT IQBAL
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
Arpan Raval
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
AlienVault
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
Digit Oktavianto
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Splunk Phantom SOAR Roundtable
Splunk Phantom SOAR RoundtableSplunk Phantom SOAR Roundtable
Splunk Phantom SOAR Roundtable
Splunk
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
Radar Cyber Security
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 

What's hot (20)

Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
 
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEMUpgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
 
Cyber Defense Matrix: Revolutions
Cyber Defense Matrix: RevolutionsCyber Defense Matrix: Revolutions
Cyber Defense Matrix: Revolutions
 
Insight into SOAR
Insight into SOARInsight into SOAR
Insight into SOAR
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
 
Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Splunk Phantom SOAR Roundtable
Splunk Phantom SOAR RoundtableSplunk Phantom SOAR Roundtable
Splunk Phantom SOAR Roundtable
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025Cyber attacks and IT security management in 2025
Cyber attacks and IT security management in 2025
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 

Similar to Journey to the Center of Security Operations

How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
SecPod Technologies
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Angeloluca Barba
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
EnergySec
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical Data
IBM Security
 
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Cristian Garcia G.
 
A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)
GuardEra Access Solutions, Inc.
 
ICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness Measurement
Aleksey Lukatskiy
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final
Terry Young
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final
Terry Young
 
Be the Hunter
Be the Hunter Be the Hunter
Be the Hunter
Rahul Neel Mani
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
OSIsoft, LLC
 
Cyber security do your part be the resistance
Cyber security do your part be the resistanceCyber security do your part be the resistance
Cyber security do your part be the resistance
Paul-Charife Allen
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_
CMR WORLD TECH
 
Infographic-1-MainFrame BlindSpots_082015
Infographic-1-MainFrame BlindSpots_082015Infographic-1-MainFrame BlindSpots_082015
Infographic-1-MainFrame BlindSpots_082015
Clint Walker
 
How to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdfHow to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdf
Metaorange
 
How to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptxHow to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptx
Metaorange
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec
 
Aalto cyber-10.4.18
Aalto cyber-10.4.18Aalto cyber-10.4.18
Aalto cyber-10.4.18
japijapi
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo Nixu
Nixu Corporation
 
Evolution security controls towards Cloud Services
Evolution security controls towards Cloud ServicesEvolution security controls towards Cloud Services
Evolution security controls towards Cloud Services
Hugo Rodrigues
 

Similar to Journey to the Center of Security Operations (20)

How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
Cybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond ComplianceCybersecurity for Energy: Moving Beyond Compliance
Cybersecurity for Energy: Moving Beyond Compliance
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical Data
 
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
Nube, Cumplimiento y Amenazas avanzadas: Consideraciones de Seguridad para la...
 
A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)A Guide To SMB Network Security Compliance Research Group(1)
A Guide To SMB Network Security Compliance Research Group(1)
 
ICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness MeasurementICS Cyber Security Effectiveness Measurement
ICS Cyber Security Effectiveness Measurement
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final
 
150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final150 0046-001 cost-lte_outages_industryinsights_final
150 0046-001 cost-lte_outages_industryinsights_final
 
Be the Hunter
Be the Hunter Be the Hunter
Be the Hunter
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
Cyber security do your part be the resistance
Cyber security do your part be the resistanceCyber security do your part be the resistance
Cyber security do your part be the resistance
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_
 
Infographic-1-MainFrame BlindSpots_082015
Infographic-1-MainFrame BlindSpots_082015Infographic-1-MainFrame BlindSpots_082015
Infographic-1-MainFrame BlindSpots_082015
 
How to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdfHow to assess your Cybersecurity Vulnerability_.pdf
How to assess your Cybersecurity Vulnerability_.pdf
 
How to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptxHow to assess your Cybersecurity Vulnerability_.pptx
How to assess your Cybersecurity Vulnerability_.pptx
 
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
Symantec Webinar | Redefining Endpoint Security- How to Better Secure the End...
 
Aalto cyber-10.4.18
Aalto cyber-10.4.18Aalto cyber-10.4.18
Aalto cyber-10.4.18
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo Nixu
 
Evolution security controls towards Cloud Services
Evolution security controls towards Cloud ServicesEvolution security controls towards Cloud Services
Evolution security controls towards Cloud Services
 

Recently uploaded

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
FODUU
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 

Recently uploaded (20)

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Things to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUUThings to Consider When Choosing a Website Developer for your Website | FODUU
Things to Consider When Choosing a Website Developer for your Website | FODUU
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 

Journey to the Center of Security Operations

  • 1. JOURNEY TO THE CENTER OF SECURITY OPERATIONS SERGEJ EPP Chief Security Officer, Central Europe
  • 2. FRANKFURT, GERMANY 2 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. SERGEJ EPP Chief Security Officer, Central Europe § Regional Cybersecurity Strategy and Operations § Thought Leadership Global Head of Cyber Forensics & Investigations Global Head of Cyber Hygiene Operations § Endpoint Detection Response § Fraud & Insider Investigations § Firmware and Supply Chain Forensics § Configuration Management, Neutral Control Global Head of Cyber Defense Center § Threat Intelligence § Threat and Forensics Response § Red Team § Cyber Analytics & Big Data § Security Awareness and Roadshows WHOAMI
  • 3. EVOLUTION OF INFORMATION SECURITY OPERATIONS 3 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. NOC Compliance SOC Threat-Intel Driven SOC Integrated SOC Fusion Center Level 1 Perimeter focused operations Level 2 SIEM based, Policy driven operations and static playbooks Level 3 Threat-Intelligence focused security operations Level 4 Integrated detection, incident response, forensics, intelligence and vulnerability functions Level 5 Integrated non- cybersecurity functions such as physical security, fraud or business operations
  • 4. 4 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
  • 5. 5 | © 2018, Palo Alto Networks. All Rights Reserved. We have not responded to an intrusion using a ZeroDay exploit in the last 24 months - National Security Agency* * RSA Conference 2019 “ ”
  • 6. GROW YOUR RISK MANAGEMENT 6 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. § Connected vehicle (air/rail/car) threats § Quantum computing § Data exfiltration in the cloud § Cyber Hygiene § AI voice fraud § AI phishing § AI chatbots § Firmware implants § Destructive threats § ID mass blackmailing § OT/IoT Threats § Insider Threat § Third Party Threat § Spyware § Identity theft § Ransomware Virus § AI Exploit Fuzzing § AI Malware Gen. § Biometrics loss § CEO Fraud § Compromised patch control § Crimeware-as-a- service § Phishing § Supervisory Oversight § BYOD threats § Attack obfuscation § Denial of Service § Banking Malware § Advanced regulations § Cryptojacking 10 mio 5 mio 1 mio 100k 10k 1% 2% 5% 10% 20% VULNERABILITIES AND MISCONFIGURATIONS IF YOU CAN FIX ONLY 1/10 OF YOUR VULNERABILITIES, WHICH ONES WILL YOU FIX? CVE-2017-0143 (aka EternalBlue) • Security risk = CVSS 9.3 High • Business risk = Critical • Change risk = Medium
  • 7. 7 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
  • 8. HYPE CYCLE REACTIVE PREVENTIVE 80% of Enterprises IT investment in security* 72% of VC investments in security startups** *Source: VmWare Analysis ** Cyber Defenders Report, CB Insights 2019
  • 9. 9 | © 2018, Palo Alto Networks. All Rights Reserved. BURDEN TO TRIAGE IS STILL A PROBLEM A Tier concept makes sense when the symptoms are well understood. In cybersecurity, we ask the most unexperienced analyst in Tier1 to identify APT attacks. Are you surprised this does not work? TIER 1 TIER 2 TIER 3 106.887.657.123 37% Manual alert enrichment (e.g. checking IP in database)* The Definition of SOC-cess? SANS 2018 Security Operations Center Survey 34% Mostly automated alert enrichment* ALERT ENRICHMENTLACK OF CONSISTENT VISIBILITY FALSE POSITIVE FATIGUE FRONT LINE OF DEFENSE Threat actors are often leveraging Shadow IT, IoT devices or simply unmanaged devices to maintain persistent access. It requires a fusion between SIEM, network, endpoint etc. to enable triage of activities. Examples: APT10 (CloudHopper), NSA TAO Event if the attack is detected the chance that its identified by the analyst is small due to to many false positives Bonus: Hackers often launch a DDoS attack to flood SIEM systems shortly after a successful targeted attack against a bank.
  • 10. COLLECTING OR DETECTING? 10 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. BOTTOM-UP start with data LOG DATA TOP-DOWN start with use case MONTHS vs. DAYS Identify most relevant threats Create use-cases Collect only relevant data Analyze alerts Parse and interpret data Collect available data sources Build use case Data is oil for security operations teams, but collecting simply all available data will not only overload your infrastructure but also impact capacity of your team. Top-down approach considering the entire end-2-end (Identify- detect-respond) use-cases is the way to go for most of the SOCs.
  • 11. Alerts must be 90%+ True Positive Move high False Positive Alerts to Hunting Dedicated hunt time Move high True Positive to Alerting 11 | © 2019 Palo Alto Networks. All Rights Reserved. Alerting Program Hunting Program „HUNTING IS A PROCESS, NOT A DEDICATED TEAM“
  • 12. 12 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. MACHINE LEARNING WILL INCREASE AUTOMATED RESPONSES PRE-COMPUTE LEARNING OF 1,000+ BEHAVIORAL DIMENSIONS Time Profile • History, per Detector • Network -> Application Peer Profile • Peer profile, per Detector Entity Profile • Entity Type • User, admin, workstation, server, server type MLTechnique Pre-Compute Learning UNSUPERVISEDSUPERVISED
  • 13. 13 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASE
  • 14. 14 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. GORCH FOCK SOC DATA LAKE
  • 15. 15 | © 2015, Palo Alto Networks. Confidential and Proprietary. DEMISTO - ORCHESTRATION ENGINEER ORCHESTRATEPLATFORMIZE
  • 16. Reconnaissance Weaponization and Delivery Exploitation Command and Control Lateral Movement Installation Actions on the Objective Automated Detection and Prevention Threat Alerting and Hunting Focus on this side Focus on this side AFAutoFocus TRTraps WFWildFire GPGlobalProtect AP Aperture 16 | © 2019 Palo Alto Networks. All Rights Reserved. Cortex XDR SHIFT RIGHT – TAKE THE HUMANS OUT OF ROBOTS
  • 17. 17 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. USE CASESecurity Operations Update: 1. Your Threat Intelligence team reports other companies experiencing the same Ransomware based cyberattack. 2. The attackers demand Bitcoin in order to decrypt the hard drive. 3. An interesting observation is that the Bitcoin wallet address is always the same.
  • 18. THREAT INTELLIGENCE 18 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. ✓ Mature capability for most organizations ✘ More than 95% of consumed intelligence is already known (Waste of money and time) ✘ Companies lack instrumentation of controls to automate consumption ✘ Most companies don’t generate actively threat intelligence CONSUME GENERATE SHARE OPERATIONAL (IOCs, TTPs,) TACTICAL (Adversary campaigns, Trends, Sharing) STRATEGIC (Business risk) ✓ Maturity on government level resulting in cyber policy influence ✘ Most boards lack understanding that they are in software business and cyber is one of the greatest risk ✘ Investment in cybersecurity are by far not proportional to investments in digitalization ✓ Mature capability in some industries e.g. Financial Industry. ✓ Strong community focus e.g. CTA, CSSA, CDA, FS-ISAC ✘ Application of Active Cyber Defense lifecycle takes time
  • 19. EXAMPLE: INSTRUMENT YOUR CONTROLS FOR CONSUMPTION Block list Quarantine list Alert list Sandbox ExploitKits, Scanning IPs C2 IPs Move to quarantine network Rebuild device Analyze device Signatures Firewall Endpoint Indicators APT IPs Notify user AI: beaconing SHARING User Violation
  • 20. MEASURING AND IMPROVING SOC-CESS 24 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. www.soc-cmm.com
  • 21. THREE CATEGORIES OF METRICS HEALTH % of controls running % of assets configured to best practices % of vulnerable systems % of traffic visible … Mean time to detect (MTTD) Time to discover all impacted assets Completeness per IOC sweep Detection for % of all attack vectors Detection for % of all data leakage vectors % of false positive alerts per analytic % of attacks automatically prevented % of users with privilege rights … RESILIENCE Mean time to respond (MTTR) Mean time to rebuild a desktop % of automated countermeasures % of red team exercises detected Time from intrusion to eradication (dwell) … VISIBILITY BUSINESS VALUE AND PRODUCTIVITY METRICS § Losses occurred vs. losses prevented § Mean cost per incident § % of XXX vs industry benchmark …
  • 22. EXAMPLE: CONFIGURATION OF ATT&CK VISIBILITY – DETT&CT 27 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. ü Identification of your visibility/log/detection maturity for common attacks described in ATT&CK can help to prioritize configuration ü BUT: To set the right coverage bar for your organization requires mature understanding for relevant threat actor
  • 23. EXAMPLE: CONFIGURATION OF DATA LEAKAGE VISIBILITY 28 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. HTTP HTTPS FTP FTPS SMTP ICMP DNS TELNET DNSSEC 62% of known data leakage vectors are identified or prevented Exfiltration of sensitive large data sets sent over longer period of time is not being detected! DATA LEAKAGE SIMULATION Easy and effective deployment allows both: • Prioritize configuration and rules in production • Test security products as part of PoC BUT, how do you define the threshold?
  • 24. 29 | © 2015, Palo Alto Networks. Confidential and Proprietary. PLAN FINANCIAL EXISTING METRICS SOAR DOPLAN CHECKACT VERIFICATION DOPLAN CHECKACT DOPLAN CHECKACT THE PATH TO METRICS MATURITY Mean time to X SOC productivity Countermeasure automation Stakeholder responsiveness Network Endpoint Email Security Controls Controls Resilience Exploitation Exfiltration Financial impact Fraud
  • 25. EVOLUTION OF THE SOC ROLE – HOW TO KEEP UP? 30 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. *The Definition of SOC-cess? SANS 2018 Security Operations Center Survey TRAINING / ROTATIONS § Technical trainings (e.g. SANS, Data Science) § Rotation between offensive and defensive teams CAREER PATH Especially for technical experts, who are not interested in team management but still want to influence the strategic direction of the company CULTURE OF CURIOSITY will attract smart and passioned talent and help to grow naturally skill and capability LEGAL ENABLEMENT § Access to security data and analysis § Threat Sharing Lack of skilled staff is #1 problem in most organizations* Attrition rates of 20-25% are common in our business. What can be done to retain the staff? FROM ANALYST TO CODER AND DATA SCIENTIST
  • 26. enterprise apps today are cloud-enabled /cloud-native Cloud is Everywhere Containers Have Gone Mainstream enterprises will use containers by 2020 8 of 10 1 in 2 of cloud users leverage 2 or more cloud providers (Gartner) 81% Multi-Cloud CLOUD SECOPS IS HEAVILY BEHIND SANS 2019 Cloud Security Survey ● 99% of cloud security failures will be the customers fault by 2023 (Gartner) ● 42% Lack of skills or training for specific public cloud services* ● 52% Inability to respond to incidents traversing our cloud apps and data* CYBERSECURITY LACKS ADOPTION FOR CLOUD TRANSFORMATION
  • 27. 32 | © 2018 Palo Alto Networks, Inc. All Rights Reserved. SHIFT LEFT PRINCIPLES </> Code Build Test Deploy Monitor CI Continuous Integration CD Continuous Deployment SHIFT LEFT – WILL INCREASE CODING SKILLS IN SECOPS TEAMS 1. Security by design - establish criteria upfront 2. Integrate, automate, automate 4. Share tooling - don’t silo information 5. Train your developer teams for better awareness 3. Establish control gates SIEM IDS
  • 28. COLLABORATION IS EXPLODING 33 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. FUSION CENTER DEPLOY STAFF IN SOC DEPLOY LIASON OFFICERS IN BUSINESS DEPARTMENTS PHYSICAL ✓ Insights into cyber threat actors ✓ Joint work on cyber enabled physical bugs TRANSPORTATION FRAUD BUSINESS ISOs ✓ Joint monitoring of transportation products ✓ Examples: Connected Car, Airplanes, Railways ✓ Improved time to mitigation for cyber enabled fraud ✓ Typically senior security manager roles ✓ Brokers stakeholder relationship and governs remediation in specific business unit DELEGATED TRIAGE ✓ Delegate triage of alerts to users e.g. “Have you been to Switzerland yesterday?”
  • 29. 34 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. TRANSFORM YOUR TEAM § Start hiring software engineers and data scientist § Focus on data analysis (Hunting is a process) and communication § Stop Use-Cases below 90% true positive and move to hunting MEASURE SMART § Show business impact § Crawl, walk, run (Same as LEGO) § Focus on “health” usecases first MODERNIZE TECH. STRATEGY § Build technology around automation and not vice versa § Evaluate your toolset: § Take out two for introducing one § Increase penetration rate § Enable features AUTOMATIZE PRODUCTION § Make automation a personal goal for everyone § Prevention First § Increase % of § enriched alerts § of automated countermeasure deployments DEMOCRATIZE COLLABORATION § Implement Delegated Monitoring TAKE AWAYS
  • 30. 35 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. Let‘s SOAR