
Modernizing Your SOC: A CISO-led Training

Today's threats demand a more active role in detecting and isolating sophisticated attacks. This must-see presentation provides practical guidance on modernizing your SOC and building out an effective threat hunting program. Ed Amoroso and David Bianco discuss best practices for developing and staffing a modern SOC, including the essential shifts in how to think about threat detection.

Watch the presentation with audio here: http://info.sqrrl.com/webinar-modernizing-your-security-operations

Published in: Software

  1. Modernizing Your SOC: It’s Hunting Season. January 2017
  2. © 2017 Sqrrl Data, Inc. All rights reserved. Presenters: Edward Amoroso, CEO of TAG Cyber and former CISO for AT&T; David J. Bianco, Sqrrl Security Technologist and former lead threat hunter at GE.
  3. Dr. Edward G. Amoroso, CEO, TAG Cyber (eamoroso@tag-cyber.com): Lessons Learned from Past, Present, and Future Security Operations Centers (SOCs)
  4. Past SOCs
     • Team: Upgrade SOC Staff Capability
     • Tools: Improve Incident Response Tools
     • Alarms: Filter Endless False Alarms
  5. Present SOCs
     • Data: Improve Quality of Data and Sources
     • Tools: Deploy Advanced Behavioral Analytics
     • Team: Hire and Nurture Expert Hunters
  6. Future SOCs
     • Workloads: Distribute Local Control
     • Tools: Automate Security Prevention
     • Management: Virtualize Ops and Oversight
  7. Investing in a Hunt Team
  8. What Do We Mean by “Threat Hunting”? The collective name for any manual or machine-assisted techniques used to detect security incidents missed by automated processes.
  9. What is Threat Hunting? Proactive. Iterative. Human-driven. Analytical.
  10. Why Hunt? The purpose of hunting is not to find new incidents. The purpose of hunting is to find new ways of finding incidents.
  11. Functions of a Modern SOC (diagram): Intel, Hunting, Detection Development, Automated Detection and Incident Response, connected by flows labeled Indicators, Findings, Detections, Detection Improvements and Incident Data.
  12. Functions of a Modern SOC (the same diagram, highlighting Sqrrl’s focus).
  13. Fielding a Hunt Team
     Ad Hoc
     • Hunting in “spare” time
     • Can get a lot of hunters involved, but lacks strategy and coordination
     • Also, if “everyone” hunts, no one hunts
     Dedicated
     • “Go out and find me some bad guys!”
     • Enables strategic thinking, but concentrates expertise into the hands of a few
     Hybrid
     • The best of both!
     • The hunt function is dedicated, but team members rotate through
     • Encourages both strategic planning and broad participation
  14. Team Skillsets: All Members. Communication, Business Knowledge, Collaboration, Critical Thinking.
  15. Team Skillsets: Specialties. Threat, Internal, Data Analysis / Data Science, Network Protocols, OS Internals, Security Logging.
  16. Growing Hunters and Hunt Teams. If possible, establish a core of experienced hunters with a demonstrated track record of mentorship. Procedures should encourage and require collaboration between analysts at all skill levels. Encourage “active mentorship” within the team:
     • Have members participate in creating and implementing a training/development plan each year, then give them the time and resources necessary to complete it.
     • Every team member has something they know more about than anyone else. Get them to document and share via blogs, brown bag lunch sessions, etc.
     • Involvement in the larger security community is great professional development!
  17. This Company Gets It. Part of an actual job posting for a “Hunt Team Analyst”. Skills enhancement is literally the second paragraph in the document.
     As a contributor to the team, this role will spend up to 30% of its time broadening skills by:
     • Participating in one-on-one hands-on mentoring with peers and senior team members
     • Researching new techniques for analysis & developing deeper technical analysis skills
     • Contributing to the security community through projects and presenting at conferences
     While spending 70% or more heads down doing the mission:
     • Hands-on hunting, event triage & analysis across NSM sensors & managed endpoints
     • Consumption, analysis, and production of tactical threat intelligence
     • Development & maintenance of detection scripts, rules, signatures and related logic
     • Finding evil, and generally having fun kicking it out of places it shouldn’t be
  18. Making It Real: Hunt Operations (HuntOps)
  19. Step 1: Choose Your Favorite Attack Model. The Lockheed Martin Cyber Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives.
     References: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (last checked January 20, 2017). MITRE ATT&CK: Adversarial Tactics, Techniques & Common Knowledge, MITRE, http://attack.mitre.org (last checked January 20, 2017).
  20. Step 2: Identify Malicious Behaviors. Example KC7 (Actions on Objectives) activities:
     • Lateral Movement
     • Data Staging & Exfiltration
     • Credential Dumping
     • Local Network Discovery
     • Disable Endpoint Security
     • Webshell Use
     • Email Theft
     • Malicious Data Encryption
     Factor in your own environment and business priorities!
  21. Step 3: Align Your Strategy to Your Model. Laid over the kill chain (Reconnaissance through Actions on Objectives), the slide pairs three hunting goals with three levels of effort, in this order: predict attacks (sometimes do this); expand the stories you are able to tell (regularly do this); high impact activity (frequently do this).
  22. How Mature Are Your Hunt Capabilities? Use this simple assessment to find out where you fall on the Hunting Maturity Model and what you can do to improve your SOC’s capabilities!
  23. Wrap Up & Questions
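The three HuntOps steps above, carried through as an added worked example (this is not code from the webinar or from Sqrrl): a hunt for one of the KC7 behaviors listed in Step 2, Local Network Discovery, run over a constructed sample of process-creation events. The event schema and field names (ts, host, user, image, cmdline), the host and user names, the list of discovery binaries, and the 10-minute window and four-distinct-image threshold are all assumptions chosen for illustration. The block first stacks how many hosts ran each discovery binary, which is the prevalence view a hunter usually starts from, then tests the hypothesis that several distinct discovery commands in a short burst on one host is worth a look. The hunt function is parameterised so that, once its findings have been validated, the same logic is what the Functions of a Modern SOC loop hands from Hunting to Detection Development.

```python
"""Added example (not from the webinar): hunting for KC7 "Local Network
Discovery" in process-creation telemetry. Event schema, host/user names, the
discovery-image list and the window/threshold values are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one JSON event per line with hypothetical Sysmon-like
# fields (ts, host, user, image, cmdline). Not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2017-01-20T09:00:01", "host": "WS-041", "user": "jdoe", "image": "whoami.exe", "cmdline": "whoami /all"}
{"ts": "2017-01-20T09:00:09", "host": "WS-041", "user": "jdoe", "image": "net.exe", "cmdline": "net group \"domain admins\" /domain"}
{"ts": "2017-01-20T09:00:40", "host": "WS-041", "user": "jdoe", "image": "nltest.exe", "cmdline": "nltest /dclist:corp"}
{"ts": "2017-01-20T09:01:15", "host": "WS-041", "user": "jdoe", "image": "ipconfig.exe", "cmdline": "ipconfig /all"}
{"ts": "2017-01-20T09:02:30", "host": "WS-041", "user": "jdoe", "image": "net.exe", "cmdline": "net view /domain"}
{"ts": "2017-01-20T09:05:00", "host": "WS-017", "user": "helpdesk", "image": "ipconfig.exe", "cmdline": "ipconfig /flushdns"}
{"ts": "2017-01-20T10:20:00", "host": "WS-017", "user": "helpdesk", "image": "net.exe", "cmdline": "net use Z: \\\\files\\share"}
{"ts": "2017-01-20T11:00:00", "host": "SRV-DB01", "user": "svc_backup", "image": "tasklist.exe", "cmdline": "tasklist /svc"}
{"ts": "2017-01-20T11:30:00", "host": "WS-017", "user": "helpdesk", "image": "nltest.exe", "cmdline": "nltest /dsgetdc:corp"}
"""

# Binaries commonly used for host and domain discovery (ATT&CK Discovery
# tactic). Assumed list; tune it to what is normal in your own environment.
DISCOVERY_IMAGES = {
    "whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe",
    "systeminfo.exe", "arp.exe", "nbtstat.exe", "netstat.exe", "quser.exe",
    "tasklist.exe", "dsquery.exe",
}


def parse_events(text):
    """Parse newline-delimited JSON events into dicts, ts as datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def stack_by_image(events):
    """Stack counting: number of distinct hosts that ran each discovery image.
    Low-prevalence images are where a hunter usually starts digging."""
    hosts_per_image = defaultdict(set)
    for ev in events:
        img = ev["image"].lower()
        if img in DISCOVERY_IMAGES:
            hosts_per_image[img].add(ev["host"])
    return {img: len(hosts) for img, hosts in hosts_per_image.items()}


def hunt_discovery_bursts(events, window=timedelta(minutes=10), min_distinct=4):
    """Hypothesis: an operator on a freshly compromised host runs several
    distinct discovery commands in a short burst. Slides a time window over
    each host's discovery events and returns one finding per host whose
    widest qualifying window held at least min_distinct distinct images."""
    by_host = defaultdict(list)
    for ev in events:  # events are already time-sorted
        if ev["image"].lower() in DISCOVERY_IMAGES:
            by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # drop events that fell out of the window
            span = evs[start:end + 1]
            distinct = {e["image"].lower() for e in span}
            if len(distinct) >= min_distinct and (best is None or len(distinct) >= len(best["images"])):
                best = {
                    "host": host,
                    "user": evs[end]["user"],
                    "first_seen": span[0]["ts"],
                    "last_seen": span[-1]["ts"],
                    "images": sorted(distinct),
                    "cmdlines": [e["cmdline"] for e in span],
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("hosts per discovery image:", stack_by_image(evs))
    for f in hunt_discovery_bursts(evs):
        print(f"{f['host']} ({f['user']}): {len(f['images'])} distinct discovery images "
              f"between {f['first_seen']:%H:%M:%S} and {f['last_seen']:%H:%M:%S}")
        for c in f["cmdlines"]:
            print("   ", c)
```

On the constructed sample only WS-041 is flagged: the helpdesk user on WS-017 runs the same binaries, but spread over hours, so the window never accumulates enough distinct images. That is the point of Step 2's reminder to factor in your own environment: the image list and thresholds encode what is normal for you, and the false positives a hunt surfaces are what get fed back as detection improvements before the logic is automated.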
