Video thumbnail (Frame 0) Video thumbnail (Frame 1624) Video thumbnail (Frame 2692) Video thumbnail (Frame 5119) Video thumbnail (Frame 5913) Video thumbnail (Frame 7222) Video thumbnail (Frame 9133) Video thumbnail (Frame 11119) Video thumbnail (Frame 12494) Video thumbnail (Frame 13691) Video thumbnail (Frame 14716) Video thumbnail (Frame 16396) Video thumbnail (Frame 17432) Video thumbnail (Frame 18964) Video thumbnail (Frame 20885) Video thumbnail (Frame 21689) Video thumbnail (Frame 22916) Video thumbnail (Frame 23919) Video thumbnail (Frame 25379) Video thumbnail (Frame 26377) Video thumbnail (Frame 27686) Video thumbnail (Frame 28578) Video thumbnail (Frame 30561) Video thumbnail (Frame 32778) Video thumbnail (Frame 34253) Video thumbnail (Frame 35781) Video thumbnail (Frame 36602) Video thumbnail (Frame 38448) Video thumbnail (Frame 40413) Video thumbnail (Frame 41461) Video thumbnail (Frame 42904) Video thumbnail (Frame 44548) Video thumbnail (Frame 47778) Video thumbnail (Frame 48993) Video thumbnail (Frame 51674) Video thumbnail (Frame 54661) Video thumbnail (Frame 55465) Video thumbnail (Frame 56548) Video thumbnail (Frame 57502) Video thumbnail (Frame 58944) Video thumbnail (Frame 60052) Video thumbnail (Frame 61200)
Video in TIB AV-Portal: BLUE TEAM VILLAGE - SOC of 2020

Formal Metadata

Alternative Title
Evolving Security Operations to the Year 2020
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
The security operations aspect of your Information Security risk management program is where the “rubber meets the road” — the tools and people you have to implement the process and procedures you put together to find the badness and put out the fires. How has the concept of security operations evolved, and where are we headed? There is plenty of buzzword bingo: UBA, UEBA, machine learning and artificial intelligence, network abnormality detection, the marketing conversations of evolving to that SOC of 2020 — what do all these really mean to you and your operations and which can be useful in your efforts to find the badness?
Ocean current Presentation of a group Frame problem Dependent and independent variables Computer Incidence algebra Data transmission Operations support system Circle System on a chip Netzwerkverwaltung Information Statement (computer science) Implementation Message passing Information security Self-organization
Ocean current Variance Element (mathematics) Operations support system Arithmetic mean Operations support system Performance appraisal Process (computing) Type theory Time evolution System on a chip Flag Key (cryptography) Information security Information security Capability Maturity Model Self-organization
Computer program Context awareness Group action Dependent and independent variables Multiplication sign Compiler Public domain Local Group Operations support system Computer network Pattern language Information Information security Physical system Dependent and independent variables Information Computer Incidence algebra Cartesian coordinate system Message passing System on a chip Netzwerkverwaltung Normed vector space Self-organization Right angle Procedural programming Information security
Intel Dependent and independent variables Multiplication sign Collaborationism Mathematical analysis Event horizon Software maintenance Hacker (term) Profil (magazine) Netzwerkverwaltung Process (computing) Implementation Computer forensics Traffic reporting Position operator Physical system Software bug Dependent and independent variables Real number Mathematical analysis Shared memory Incidence algebra Price index Element (mathematics) Hand fan Degree (graph theory) Operations support system Process (computing) Cross-correlation Netzwerkverwaltung Chain Self-organization Right angle Information security Computer forensics
Game controller Server (computing) Group action Texture mapping Source code 1 (number) Set (mathematics) Spreadsheet Netzwerkverwaltung Information security Vulnerability (computing) Vulnerability (computing) Software bug Standard deviation Key (cryptography) GUI widget Information technology consulting Computer network Database Maxima and minima Lattice (order) Line (geometry) Entire function Process (computing) Penetrationstest Netzwerkverwaltung Right angle
Operations support system Computer program Software bug Building Mathematics Emulator Multiplication sign Normal (geometry) Right angle Incidence algebra Capability Maturity Model Product (business)
Point (geometry) Multitier architecture User interface Multiplication sign Plastikkarte Computer font Operations support system Goodness of fit Strategy game Different (Kate Ryan album) Touch typing Endliche Modelltheorie Data conversion Gamma function Information security Scalable Coherent Interface Area Cybersex Information Moment (mathematics) Coma Berenices Menu (computing) Hand fan Similarity (geometry) Type theory Moment of inertia System on a chip Lie group Internet forum Self-organization Right angle Table (information) Capability Maturity Model
Blog Direction (geometry) Right angle Evolute Hand fan
Process (computing) Software Multiplication sign Self-organization Right angle Bit Figurate number Procedural programming Product (business) Hand fan
Dependent and independent variables Group action Open source Multiplication sign Online help Wave packet Operations support system Software Natural number Energy level Self-organization Right angle Quicksort Information security Computer forensics Physical system
Operations support system Scaling (geometry) Process (computing) Multitier architecture Information security
Client (computing) IP address Operations support system Process (computing) Basis <Mathematik> Netzwerkverwaltung Energy level Right angle Information Information security Determinant Mathematical optimization Mathematical optimization Metropolitan area network
Game controller Public domain Client (computing) Disk read-and-write head Login Staff (military) Number Nichtlineares Gleichungssystem Self-organization Point cloud Multiplication Counting Public domain Cloud computing Thresholding (image processing) Number Operations support system Frequency Compilation album Self-organization Nichtlineares Gleichungssystem Right angle Information security Electric current Address space
Multitier architecture Shift operator Scheduling (computing) Enterprise architecture Multitier architecture Planning Public domain Number File Transfer Protocol Plane (geometry) Number Goodness of fit Operations support system Process (computing) Event horizon System on a chip Right angle Process (computing) Procedural programming Scheduling (computing) Mathematical optimization
Simulation Server (computing) System administrator Mathematical singularity 1 (number) Computer network Software maintenance Flow separation Software maintenance Product (business) Self-organization Right angle Information security Computing platform Tunis
Point (geometry) Computer program Service (economics) 1 (number) Design by contract Client (computing) Regular graph Revision control Term (mathematics) Office suite Data conversion Information security Traffic reporting Physical system Condition number Service (economics) Email Key (cryptography) Chemical equation Computer program Internet service provider Bit Basis <Mathematik> Cross-site scripting Pi Addressing mode Design by contract Self-organization Website Right angle Information security
Open source Software developer Video game Perspective (visual) Different (Kate Ryan album) Software Information security Physical system Area Information Simultaneous localization and mapping Cycle (graph theory) Building Software developer Projective plane Open source Code Computer network Staff (military) Incidence algebra Operations support system Integrated development environment Different (Kate Ryan album) Website Social class Right angle
Operations support system Medical imaging Metric system System on a chip Infinite conjugacy class property Right angle Automation Metric system Mereology Information security Physical system
Link (knot theory) Duplex (telecommunications) Dependent and independent variables Multiplication sign Sampling (statistics) Mathematical analysis Incidence algebra Regular graph Sample (statistics) Error message Type theory Different (Kate Ryan album) Befehlsprozessor System on a chip OSI model Self-organization Right angle
Chemical equation Direct numerical simulation Term (mathematics) Cuboid Information security Binary multiplier Firmware Computing platform Salem, Illinois Link (knot theory) Common Language Infrastructure Firewall (computing) Forcing (mathematics) Software developer Computer network Range (statistics) Line (geometry) Software Integrated development environment Analog-to-digital converter Direct numerical simulation Self-organization Video game Information security Service-oriented architecture
Intel Vulnerability (computing) Context awareness Simulation Decision theory Real number Mereology Port scanner Orbit Uniform resource locator Grand Unified Theory Bit rate System on a chip Pressure volume diagram Netzwerkverwaltung Direct numerical simulation Computing platform Right angle Automation Data integrity Computing platform Address space Physical system
Point (geometry) Scripting language Metric system Dependent and independent variables Multiplication sign Set (mathematics) Online help Client (computing) Usability Product (business) 2 (number) Goodness of fit Hash function Pressure volume diagram Computing platform Self-organization Scripting language Joystick Algorithm Simulation Information Online help Multitier architecture Correlation and dependence Computer network Price index System call Word Integrated development environment Personal digital assistant Function (mathematics) Computing platform Self-organization Right angle Information security Spacetime
Server (computing) Ripping Multiplication sign Disintegration Similarity (geometry) Set (mathematics) Focus (optics) Software bug Product (business) Direct numerical simulation Chain Mathematics Machine learning Intrusion detection system Service-oriented architecture Arc (geometry) Position operator Self-organization Machine learning Computer network Film editing Software Function (mathematics) Data center Computing platform Right angle Cycle (graph theory) Service-oriented architecture Communications protocol Spacetime
Functional (mathematics) Email Simulation Hoax IP address Human migration Function (mathematics) Intrusion detection system Chain System programming Computing platform Self-organization Right angle Quicksort Computing platform Address space Physical system
PC Card Computer program Multitier architecture Game controller Dependent and independent variables Direction (geometry) Characteristic polynomial Archaeological field survey Mereology Measurement Data model Profil (magazine) Authorization Process (computing) Information Endliche Modelltheorie Information security Mathematical optimization Capability Maturity Model Area Characteristic polynomial Archaeological field survey GUI widget System administrator Computer network Basis <Mathematik> Storage area network Cyberspace Operations support system Process (computing) Internetworking Internet forum Self-organization Right angle Procedural programming Information security Mathematical optimization Capability Maturity Model Identity management
Graphical user interface Process (computing) Profil (magazine) Self-organization Planning Software testing Data conversion Endliche Modelltheorie Information security Measurement Host Identity Protocol
Area Game controller System administrator Multiplication sign System call Operations support system Hacker (term) Triangle Self-organization Energy level Right angle Data conversion Information security Local ring Information security
Execution unit Dependent and independent variables MIDI Open source Computer Open set Disk read-and-write head Word Operations support system Integrated development environment Different (Kate Ryan album) Self-organization Integrated development environment Information security
Goodness of fit Network socket Self-organization
hello ladies and gentlemen boys and girls how we doing today wow we're still hungover still certainly not still drunk no I not have that at all let's start
out with the disclaimer this was not reviewed by my current past or future employers they have no insight into what I have been talking about this nor that I was intending to so don't hold them accountable please basically I speak no one nobody speaks for me various other legalese in there so Who am I yeah I'll drop a couple f-bombs here and there I apologize but it's nice to be able to give this talk because so many years ago I actually started out as a sock analyst in a security operations center here in Las Vegas itself worked there for many years transferred to work being the technical lead for a incident response team a large research laboratory and been downhill ever since so this is going to
talk about why is this important because in my current day job I get to talk with VARs and vendors and are talking about evolving to the sock of 2020 and this tool will solve all your problems and there's a hiring shortage air quotes etc etc and I just keep throwing up the flags so let's talk about this let's talk about how we've gotten into this situation what can we really do to improve and what things should we be working on and when those vendors come in going hey this is a great tool you should look at it you should buy it you know how to see through that so what is
security operations right what are we looking at here what is the real meaning of that first let's set the stage for what we should be doing and then how we should be evolving - I look at security
operations as being that where the rubber hits the road for your organization where your policies procedures what you're looking at is all those tool sets that you have bought those operating systems that you're running those applications databases etc what they're feeding into what are you looking for to find the badness what are you looking for to find when Tim's been sending those harassing text messages to your secretary or surfing for porn or downloading amount of etc not that I've ever done that this is where it all feeds together right if you're not getting the right logs if you're not getting the right information how do you get that visibility normally we don't write that feeds into when we find something how we're gonna do Incident Response with it right oh this is involving certain person now you need to do a forensic investigation in regards to what they've been up to that should also feed into our security awareness program with our employees in here's the things that we're seeing here's that phishing attack that our CEO got yesterday about hey I need to change my w-2 deposit from yes from some like Coast com account because I'm locked out of my domain account right security
operations a computer network defense we can call it a sock we can call it a Caesar we call an S or whatever three or four letter acronyms you want in there fundamentally is this is the group of folks of individuals or one individual in some places right that's looking for the badness and trying to put the fire out and then figuring out what we can do to make this better so it isn't as painful the next time
though we sometimes forget there's three key pieces of this people process technology what do we tend to focus on because we're tech hacker geek nerds and we don't like talking to people and we hate writing down process as we print as we have if some of us have evolved I've moved up the food chain as it were into sucky management positions that we don't get to do all with cool technical stuff we need to focus on all three how do we leverage that each of the pieces there is no silver bullet right no matter how often our seeso is looking for that right or no we don't have a seat oh see so let's talk about the CTO there are
certain necessary capabilities that each organization should have to varying degrees of how big they are with the resources they have what their threat profile look like what critical infrastructure sector they're in etc right looking at the events and what they're happening trying to correlate those to get some quantifying idea of what those events are looking like right leveraging that threat Intel leveraging that indicators putting those together to get an understanding of what your threat profile looks like and when the hits the fan and Senate responds put the fire out clean it up what can we do to make it better and try to prevent it from happening in the next time right if it's more in-depth do we need to do digital forensics on it right as this some commodity ransomware we've dealt with a million times or is this something new targeting us is this something that we can do some analysis on and share with the rest of the threatened tilt and incident response communities and then just supporting the tool sets the things that we have hey Tim how come we haven't gotten a report from the DLP system for two weeks oh yeah because we're not doing a performance monitoring it and the drive filled up derp
those audit and compliance controls why should we sit in a weekly meeting going through spreadsheets why can't we leverage the technology and tools of Duty's cross-checks for us right the intent of audit and compliance was okay kids this is you have to be this tall to ride this ride because companies didn't want to do security so let's set something up as bare minimum to do well with the tool sets we have what things can we do to have this do it for us and then certainly some insider threat detection how many people are still in source code how many people are how many salespeople are stealing the entire customer database for the next company they go to not that that ever happens right key piece learner ability management what vulns do you have trying to correlate that with which ones the bad guys are trying to target and what things do we need to get the network server desktop folks to fix priority right and then outreach as all we're collecting all this stuff as we have this visibility understanding how do we communicate that in a way that the business folks understand it the pointy-head managers understand it the sea levels and even sometimes the board and for some of our us even to our customers right because all those
capabilities because Matt did a great job at putting another pyramid together how do we build from that how do we need those different pieces in getting that understanding right and if you're looking at the sands top 20 if you're looking at the mist and all this other standards up there this is pretty along the same lines it just gives you better pretty pictures and another good way to display it to you the plea pointy-head manage or do you have to try to explain it to but let's try to group those
together and Matt did a great way of doing this right so when we're building and trying to maturity operations programs this gives us some guidelines and some tool sets to help evangelize this to the folks that we need to to get those resources whether it be money for tools cooperation with other tea James headcount etc and Wendy did this
great one I really like this she just tweeted us out about two weeks ago I'm like oh yeah this is going in a talk because we all need some kind of pyramid right but yeah fundamentally knowing what you have and what is it doing how many times I sat in that sock not too many miles away from here and I'm dealing with first and second to your sake and also like oh yeah that's normal and I started digging into it anyway ended up being one of the biggest incidents for that quarter controlling those changes understanding those threats and who's taking them and using the products effectively and also monitoring their performance because
there's that capability chasm and here John Lambert did a really good way of eye identifying those different areas that a lot of security operation centers or security operations capabilities fall into problem wise not having an executive support fall into various traps you don't have the right data or you have too much of it basically how do we as teams stay poor how do we keep running around trying to put out fires instead of taken than a couple hours every Friday afternoon and doing something more strategic to help us in the long run so there's different types
of security operations right first one bare bones beginning ad-hoc when it hits the fan when there's a certain individual or two from a certain three-letter agency that's packing a weapon and knocks on your door going we need to have a conversation right not that I've ever experienced that yeah the foe organizations that have evolved to a point of hey we might have one or two security people within IT that do this too we actually have a full-fledged c-cert whether that's dedicated or assigned people to full-fledged security operation centers in this table here on the outline the organizational model kind of the size of the organization and we'll touch on how to quantify that in a moment and then geographical scope and this is directly from the mitre ten strategies of a world-class cyber security operations center I will reference this book a couple different times even though I don't agree with everything it says it has some really good information in it so
let's talk about that evolution how have we started how did we evolve how are we still hunched over on that crappy s desk
well we started as cavemen right we might not be talking about Wesley Dale quite yet but we're certainly looking in that direction right this is that ad hoc when it hits a fan this is that IT guy that knows oh I don't need blogs this is not knowing but we're starting right we trying to figure out the wheel we're trying to figure out how to get fire and then we kick out the person from fire right because you know the IT guys this
is this is so easy a caveman can do it right but you know Irish there there's no evil bit on a packet so we just let all of it through right this is the organization that doesn't know what they don't know right meanwhile all their data is being exfilled and some foreign countries making product based on their IP that you know they didn't have to do any R&D for other than figure out how to compromise your network so let's go to
the Middle Ages right let's go to the somewhat organised ad hoc as needed when we need to go conquer Jerusalem or need to go conquer an eight local nation-state we need to go put out the fire and then we disband when we don't need it anymore right so when it does hit the fan well we might have some process and procedures we might have some things going on but it's all old from the last time we did
that distributed co-managed I look at this as being three explorers here in the United States right let's go explore what's out there we have an organized team doing it but we still need some local help do we need an MSSP do we need somebody on retainer to do instant response do forensics what what did you know thinking of Lois and Clark and what things they needed to do to make their Explorer Surry exploration so meaningful and documenting all the birds they found all of the nature that they found right how do we do that within our security operation center room kind of hit this level right have that tight at ticketing system and document every little piece and then leveraging that as a resource that we're searching for the next time something comes up oh hey we've had this ticket four or five tickets with this same source IP because it's been beaten on our network leveraging the tools and the data that we're pulling together so that our exploration our voyage is that much more meaningful then we have some sort of
c-cert capability right we're in that organized wagon train across the desert hopefully we don't get stuck in Truckee for the winter right but it's a group of individuals working together in any organized some sort of organized way right for a common goal hopefully don't kill too many of the natives while doing it
but you also have those security operation centers that are like the gold rush right they keep running to every place they hear that there's gold and they dig and dig and what do they find mm-hmm and they completely run out all the land that's there that we completely devastated looking for that one nugget
but then we could do security operations at scale let's get a tier 1 tier 2 to 3 let's get a bunch of tier 1 folks doing the same process manually over and over and over again just like sewing just like the seamstresses that died in that fire because they're gonna get burned out I'm gonna say eff this I'm going somewhere else so let's try to put some automation
into it right what's those things that we can do that we do every day how can we automatically create a ticket and pull in a threat Intel from our feeds and from internal and connect all the tickets that have that same IP address in it let's try to make it easier for ourselves easier to make those determinations on how how risky isn't how much do we have to take this take care of this right
so I mentioned The MITRE book in the process certainly determining optimal manning levels I've worked with multiple clients in regards to how do we figure this out well certainly there's no firm
answer there's no real equation to figure this out but I have put this together based on mitre based on my own experiences as an analyst and working with multiple clients and Merkin in multiple places for many years in how can we get at least into the ballpark of how many head count how many people we need and how do we leverage them this also you need to look at how you as a company are growing so you can project how you need to grow your team right so first thing just like the pyramids just like the sands critical controls you have to know number of what you have in your organization which you're trying to monitor at least a ballpark right including a number of sensors you think you're going to need to use how many cloud providers domains etc internal external because you're gonna be getting the logs from that
then what's your scope what's your threat who's targeting you and how what compliance and regulatory obligations you have which a geographical soap etc
add all that up if you have less than a thousand then you probably don't need a 24/7 but depending on your threats and your risk plane you're probably you're probably going to need something all right and if you have many thousands then you definitely need something if you don't I really like to know how you're dealing right now and I'll buy you some alcohol the deal with it right
so specifically for analysts specifically folks that's going through all the data good ballpark number is one FTP FTE per 50 to 75 devices eyepiece domains etc this certainly depends on the number of Lodge you're getting from those in the intent is to handle all those critical or alerts you're getting after tuning your tools as well as process of procedures so optimal situation right number four ratio for tier 1 to tier 2 for basically every two Tier one analyst between one and four tier two and if you're doing FTE for a 24 by 7 Security Operations Center it's more like five to one or three to one in a sock because you need shift operations he's scheduling you need floaters for when people are out sick or say eff this I'm leaving a company I got a better job etc or hey the half of the sock is going to Def Con not that that ever happens
right so for engineers you know as the folks that we have that are doing a sensor tuning are soon as sensor maintenance basically to stuff all that toolsets platforms that we're getting the data from about half of FTE depending on the deployment and also the tool sets you're using right if you're using certain sims that start with an A you're probably need a few more right other ones products that potentially you less just because of what's involved and keeping them running if you have your system administrators
broken out from your engineers then your typical racial 101 or one or two to sysadmin engineer types depends on your organization depends on mature you are depending on your separation of duties and to your fellow segments out there a belated sysadmin day so placement in
your organization for your security program because this is going to directly really write do you have the wherewithal do you have the resources does the individual that you report to know the balance of the confidentiality risk etc right where is it gonna be like no don't turn that off we need that for such a business thing we don't care so you have that conflict of interest yeah we might have a C so but who does that C so report to does he report or she report directly to a CTO or you still have that conflict of interest right do you actually mature enough or as big enough our organization now you have a chief risk officer it looks all of this and some organizations hey they might have security in a sock underneath legal which is awesome but are they tech that's a being enough do you understand what you're talking about when you come and tell them that your website is a cross-site scripting attack going on so
common conversation is do you need something internal or Dini it can't just contract it all out give it to the MSSP certainly could be useful to augment your internal capabilities for your smaller less mature organizations but you know MSSP services are commoditized there's those common issues you deal with when you talk with certain organizations of how come you don't do this oh well you didn't buy that package you didn't look through the terms and conditions T and C so we don't do that so certainly if you're in the market for getting an MS SP understand what they're going to be providing you there are the big ones there's the small ones and then there's the one MSS peas in the middle I kind of I try to I call those the boutique MSS Peas those tend to fit most clients most folks I work with a little bit better in regards to their capabilities and being able to pay attention to you and your needs versus just shooting alerts via email or to your ticketing system key point is that last bullet there you I need to manage that relationship and nurture that relationship if you're not talking with them on a regular basis if they're not going to care if you don't hold them accountable they're certainly not gonna care because they're just collecting your money oh I don't need a
buy-in MSSP I don't need to sign it up I'll just do it myself how well has that gone certainly if you're the Facebook Google's of the world and you have a ton of developers and that's all they love to do go ahead I've seen some of their projects that they use internally that they started 10 years ago and then the guy left and nobody's maintained it since so what your software development site will look like what happens when the folks that do you maintain that get hit by a bus or leave the company or retire I got my stock I'm out what is it about those open source tools that are already out there what is it about Greylock that you don't like like that you can't use it in your environment that you're gonna need to create you're known for brand new why can't we just fix what you don't like and improve the open source project that's out there
tied to that is also how do we staff our sock so that mitre booked heavily encouraged that we only needed developers in the sock I call sorry it's that diversity piece of getting different individuals that have experiences in different areas within information technology and information security that in the middle of an incident go hey I was a sysadmin at on a son system and this is what it does this is how we can go and find it this is how we can fight the badness right no slam against developers but most developers don't run their own systems right they don't have that expertise it's having different individuals at different perspectives in to deal with that firefight sooner and faster and also come up with better ideas on how to prevent this from happening in the future based on the background experience that we have we need real and
valuable metrics this is how we use the justify that security operation center we have this is the baseline that we use to figure out how are we going to evolve to the sock of 2020 if we don't know how well we're doing now if we're not monitoring the performance on that DLP system to realize that the drive filled up how are we supposed to know how we need to evolve to
so I did a Google search this is the first image that came up in evolving that Thank You marketing all right cuz that's part that's a good portion of it
right there's a whole lot of companies
out there trying to pitch this stuff what's really gonna make a difference so the first thing I've seen is having some
robust monitoring a detection right but tip but we have span ports all right wait a minute span ports were never intended to be a permanent fixture they were only supposed to be a diagnostic tool right they're only a sample of the traffic and then the first to die when that device gets overloaded and when I'm in the middle too many times I've been in a Middle incident and I'm trying to figure out why our devices are not triggering on the badness because that span ports dying on me basically we're missing activity if we can't see it we can't fight it we can't put the fire out when's this normally become a problem when the organization runs out of span ports a little too late right but all right so the packet
brokers there's a couple other terms out there basically it's a middleman for your network traffic so instead of putting multiple devices in your network in line you put the packet broker there and then fill make a copy of all that traffic and then filter it however you want to you're monitoring the tection tools so it makes it's a force multiplier for the tool sets that's monitoring your network not just for security but also for performance monitoring so there's a tag team effort with your network folks some of these also give you IP fix DNS other data out of it this also lets you use less tech less platforms so they're in a prior life particular organization got a quote for I think was 35 boxes this company wanted to install in this environment you can imagine the price tag on that brought in a packet broker we were able to cut that in half that quote went down significantly that vendor was not happy ish but at least they were happy to are getting the opportunity to the deal and we all helped that Conner that organization out by getting a better coverage for their environment and into the tools that they wanted to deploy not all packet brokers
are created equal there's certainly a ton of marketing a ton of fun out there the ux/ui experience with some of these are horrible some abilities you can only access through the command-line not through the UI also check the security posture of these devices themselves have they updated their firmware lately what's their software development lifecycle certainly do a third-party risk assessment before you buy these platforms now internally who's going to maintain these is this your networking team is this crew team those are some questions that come up and certainly the cost of them quick picture and how those
are normally deployed let's talk about
data integration right getting that data into your monitoring the techs and platforms hey I already have X platform it has the data feeds coming into it great how are you using those feeds in your sim in your other platforms you able leverage though is is a pipeline is it stovepipes into each of these tools and you're not sharing them back and forth is it feeding in your ticketing system for when hits happen and a ticket gets opened need that situation awareness provides better mitigation decisions basing it on real data not that gut feel that we tend to do with insecurity these tools are not intended to be myopic why do we keep trying to deploy them as such and then from that let's automate an orbit rate using the real data address that low-hanging fruits or you're less of a target
I just call automated orchestration Gartner likes to make big acronym words alright whatever this is no different than the Python Perl other scripts I did 10-15 years ago right but now we have a platform okay awesome because it's a relatively ease of deployment I can have a tier 1 tier 2 analyst go in and do some clicks and create or update a playbook and the next place we go to or the new person that comes into the team is already familiar with it we can't say that about that Perl and Python script that I wrote on a Sunday night after a couple of bourbon barrel-aged outs right when you're looking at these be cautious there's been plenty of acquisition there's a ton of buzzword bingo out there do a POC do a POV look at the acquisition space and what who's looking at it and what's going on oh yeah how
many times did we see this on the blackhat floor yesterday day before right the premise is to take all that information your logs and come up with that user account or that entity account and try to identify that this is risky or there's a major threat all right yes it is useful in ways of if you're mature enough and you have a threat hunting or you have a wolf team to go digging this gives them some indicators to go chase down this also will help some of your first tier analysts in if you're not mature enough to create some of those pretty advanced rule sets in your sim this will help simmer some of those things up to the top and help correlate some of those log entries that you know don't really quite make sense good case in point is was working with a client they had a alert come up that one of their employees one of their phone was in South America trying to log into all their accounts okay the analysts tried saying false positive this product sucks get it out of our environment wait a minute this is a question of risk all right is that employee actually in South America well call HR yes she's on vacation okay good second question why did she take her work phone with her and why is she trying to log in and does she still have her phone with her because in that particular country it could have been stolen and quite likely could have been so is that question of risk when you're looking at these tool sets it might be less risky for your organization but intentionally not for others and that's where we need to look out for these tool sets of it's just helping giving you indicators of rabbit holes that go down into to make that assessment it can't make that judgment call on risk for you
so with that UBA UBA let's add the MLA I and this is getting thrown on a lot as well right is it really machine learning is it really artificial intelligence or is it that startup that a friend of mine worked at that they called MLA I by just counting how many times an end-user would log in they didn't do really in a potential math after that so definitely dig into when you're talking with these vendors to cut through the cut through the marketing buzz similar with that attention of false positive similar to you BA you EBA what's that question of risk in those alerts that it's providing you because
when you had those things alert it's not like an old IDs alert anymore where this is a but this is bad this packet was bad these tool sets are trying to correlate all these different things together to go this is kind of fuzzy this might be bad so it's a question of how we're gonna assess risk so let's take that MLA I and look at all the network activity from your spam port or your packet broker right and then look at that endpoint and look at that traffic to figure out how bad it is be very cautious with some of the vendors in this space some of you folks I'm sure have already gone through the sales pitch with a certain company that only hires very pretty dude Bros right out of college that could be the hard sell that have completely drank the kool-aid and if they get any inkling that they are not making a sale they completely flip rip the gear out of your data center and they will never talk to you again even if you see them on a conference show floor they will turn the other way because you didn't drink their kool-aid what does that say about their product their sales cycle and what they can really do if that's their marketing approach and sales approach the thing about I have been able to use in the anomaly detection space is very similar of looking at this traffic over a long term and try to figure out what's really bad what is those protocols that we're not expecting why are these two DNS servers talking to each other over open VPN on our network
our the tool sets we're using our IDs our IPS the MLA I all these other tools are they working as they're intended and supposed to how do we take the scientific method to prove or disprove that that IDs is feeding into our sim and we're getting the right alerts and we're taking the right automation tools measures to stop the badness right so there's some companies out there they're doing this threat simulation platforms is what I'm calling it right basically you establish some fake endpoints and some systems internally there's a similar system outside your network and they run attacks in between those segment pockets and does your tool sets adequately detect through the kill chain as they're simulating them what you need to see the find the badness when it's the real bad like anything else there's some FUD be cautious right how are they integrated is it really a separate platform or is it a function of some existing tools you already have internally just haven't leveraged yet and then deception which again just like some of the automation things I we have done in the 10 15 some odd years ago and there's some stuff we've done on our own in regards to deception and sending up honey pots and fake documents and fake email addresses and that sort of thing sure now you have a vendor that's providing a platform to do that for you and monitor for the badness and activity again like everything else we've been talking about there's a whole lot of FUD out there what would be useful to you and how mature you are as an organization can you do this yourself can you deploy it out yourself or can you leverage this vendor to push it out and maintain it in an easier way with less resources so how are we doing how
do we measure ourselves how do we say
that we need to go in this direction or that direction right there's those optimal characteristics and capabilities like we mentioned earlier in grouping in different areas there's that organizational model how we're structured do we have the authority doing you do do we have the capabilities etc do we have the right process procedures to implement all this how do we get there how do we have that capability internally we can run with
enca the c-cert self-assessment the first glow of first GCS also has a maturity survey certainly leveraging the SANS critical controls we have the NIST ISO AEC so as part of our security program as parties process procedures are putting together we should also put in cross checks for us to check if we're doing the right things are we feeding the right stuff and on a periodic basis depending on your organization and your threat profile finding somebody to bring from an external agency to make that assessment and make recommendations on how you should improve hopefully with an organization you already have a rapport with that already know you taking that
measurements and given you a model of hey here's where you at and from our conversations and your threat profile and where you should be as an organization here's where you should be and you put together a road how do you get there and then you take that roadmap to your director of security and your seaso and they go and fight for budget and headcount etc and here's our plan on how we're going to mature as an organization so where do we
go from here we have our log processors we have our dirty sock we have the pen tester come in every so often what's next
through the ages we've evolved but we certainly have not matured as a entity as an organization as a profession so as security professionals as hackers what can we do to help with that we need to ensure the basics are complete back to those triangles do we have that foundation to build from or have we jumped ahead be willing to hire be willing to invest in those hires be wise to the hiring in your local area to your needs and capabilities and what's available in your local market because if you're trying to go oh we're gonna deploy this tool but there's nobody available in your local market and an affordable level for your organization to run it and maintain it does that make economic sense for your organization does that make proper sense in regards to risk for your organization and is it good enough or are we trying for that
perfect solution so many times we're having conversations not just what last week week before Oh read it got pwned because they were using SMS two-factor and SMS two-factor sucks and nobody should be using it blah blah da da da well for them they made a risk call and they said hey it's good enough certainly they probably have potentially have the right monitoring pieces in there to go are these sysadmin is getting targeted if it's good enough have that monitored there to be able to detect and see is it not good enough anymore and we need to add another mitigations or other compensating controls
so some takeaways from me rambling for the last few minutes be careful look past that Bing those word bingo in the marketing use that real data to try to determine what's useful for your environment your risk posture what's that size and scope for your organization when do you need to step aside and go hey that I'm in over my head when do I need to bring somebody in turn from external helped us with this certainly with that higher to your realistic needs and be willing to invest in them if you can't find somebody hire for this why she had that position open for six months hire somebody now you can train them up in that six months right a
couple different references I've already mentioned a couple of them quite actually all of them it looks like thank
you for joining on and so first the other organizations thank to all that have come before us that have worked in socks and have helped us evolve to where we are today and thank you all that are going to take that next step and help us evolve to the socket 20/20 any questions
yes so if you have any questions let's meet outside in the hallway next to the bar thank you very much all have a good day enjoy Def Con [Applause]