The document outlines strategies for building a next-generation Security Operations Center (SOC) focused on detecting advanced persistent threats (APTs) through a process-oriented detection approach. It discusses the importance of tracking phases of the cyber kill chain, creating use cases, and continuously improving detection capabilities while addressing concerns with traditional SOC methods. Additionally, the document highlights the need for developing an active playbook for threat management and adapting incident management practices to improve response effectiveness.

1. Building the NextGen SOC
Shomiron DAS GUPTA (GCIA)
Founder, CEO
NETMONASTERY Inc.
#SACON

2. Agenda
■ Why are APTs difficult to detect
■ Revisit the cyber kill chain
■ Process orient detection
■ NextGen SOC process
■ Building your threat mind map
■ Implement and measure your SOC
#SACON

3. Why are we failing to pick them
■ Made to order
■ Exploit trust relationships
■ Multi stage deployments
#SACON

4. The Cyber Kill Chain
■ Reconnaissance
■ Weaponize
■ Delivery
■ Exploitation
■ Installation
■ Command and Control
■ Actions on objectives
#SACON

5. So which are the phases you
should track to detect
Advanced Persistent Threats?
#SACON

6. The Cyber Kill Chain
■ Reconnaissance
■ Weaponize
■ Delivery
■ Exploitation
■ Installation
■ Command and Control
■ Actions on objectives
#SACON

7. So, what are you looking for?
Indicators Of Compromise
or
Attempt To Compromise
#SACON

8. Tackle Detection
with Process
#SACON

9. Process Orient Detection
■ Visualize your engagement with threats
■ Identify detection phases
■ Build a list of primary issues
■ Create use cases
■ Connect use cases for multi phase threats
■ Burn the context layer in to your SIEM for detection
#SACON

10. Concerns from the Old SOC
■ Lack of focus on detection
■ Push required to build new rules
■ Rules get out dated before you go production
■ Continuous improvement doesn’t exist
■ Lack of active pursuit
#SACON

11. ASOC One such option
Hunter
• Looking for threats
• Multiple toolkits
• No boundaries - laterals
• Finding loopholes
• Building content
• Writing process
• Handover and review
Process SOC Ops
• Understand threats
• React - FP Filtering
• Respond
• Resolve
• Metrics & Improvement
• Case retirement
#SACON

12. THREAT MAP
PLAY BOOK
USE CASES

13. What does it take?
■ Approach
IOC or ATC
■ Anticipation
High Probability Threats
■ Active Playbook
Build - Review - Improve
#SACON

14. WORKSHOP
BUILDING YOUR OWN PLAYBOOK

15. Implement and Measure
■ Watch for primary issues not events
■ Connect multi phase threats automatically with tools
■ Selectively implement incident management
■ Look out for threat trends
■ Cyclically iterate and improve every week
#SACON

16. Shomiron DAS GUPTA
shomiron@netmonastery.com
+91 9820336050
Thank You!
#SACON