SOC-Class

Security Operations: Design, Build, Operate, Mature

@CCrowMontance


CSOC

  • Cyber - I prefer "Information" but Cyber is Standard
  • Security - Protecting the Interests of the Organization
  • Operations - Ongoing Performance
  • Center - The Nexus or Hub of Activity

We'll just use SOC for simplicity.

SOC-Class

Designed to address the needs of security operations.

After attending this class, the participant will have a roadmap for what needs to be done in the organization seeking to implement security operations.

Description

The inclusion of all functional areas of security operations is intended to develop a standardized program for an organization and express all necessary capabilities. Admittedly ambitious, the intention of the class is to provide a unified picture of coordination among teams with different skillsets to help the business prevent loss due to poor security practices.

Description

I have encountered detrimental compartmentalization in most organizations. There is a tendency for a specialist to look only at her piece of the problem, without understanding the larger scope of information security within an organization. Organizations are likely to perceive a security operations center as a tool, and not the unification of people, processes, and technologies.

Value Provided

This course provides a comprehensive picture of what a Cyber Security Operations Center (CSOC or SOC) is. Discussion of the technology needed to run a SOC is handled in a vendor-agnostic way, and in a way that addresses both minimal budgets and budgets with global scope. Staff roles needed are enumerated. Informing and training staff through internal training and information sharing is addressed. The interaction between functional areas, and the data exchanged between them, is detailed.

Who Should Attend

Ideally, attendees will be SOC managers, team leads in security specializations or lead technical staff, and security architects. A CIO, CISO or CSO (Chief Security Officer) is the highest level in the organization for whom attendance is appropriate. This is not a specifically technical class, but someone without knowledge of common IT practices and Information Security fundamentals (such as the Confidentiality, Integrity, and Availability triad) will be lost very quickly. This is not a class to send SOC analysts to.

This Should Describe Your SOC

“If you know your enemies and know yourself, you will not be imperiled in a hundred battles.”
- Sun Tzu

Design

Architecture of the SOC

what capabilities are needed

how those capabilities interact

Functional Areas

  • Steering Committee
  • Command Center
  • Network Security Monitoring
  • Threat Intelligence
  • Incident Response
  • Forensics
  • Self Assessment

Steering Committee

Objective: Align SOC capability and performance with business needs

Command Center

Objective: Maintain situational awareness of systems and threat environment, manage threats, proactively protect systems

Network Security Monitoring

Objective: fast and accurate detection of issues

Threat Intelligence

Objective: tactical and strategic advantage over adversaries

Incident Response

Objective: minimize impact of problems

Forensics

Objective: detailed data and event analysis for incident verification and impact assessment

Self Assessment

Objective: find weaknesses in the organization's own systems before an adversary does, through penetration testing and similar offensive exercises

Functional Areas Work in Concert

Outsourcing is a Necessity

Careful selection of what to outsource is important

Accomplishing 24x7 coverage frequently requires leveraging outsourcing

Designing Functional Interfaces

Design Elements:
Inputs
People
Processes
Technology
Artifacts (output)

Multi-SOC Models

In some organizations there will be multiple SOCs. Potential arrangements:

  • Federated
  • Hierarchical arrangement
  • Delegated Functions

Build

create what is needed


Business Alignment

The Steering Committee

provides an ongoing adjustment of function

and awareness of changing business structure

composed of business unit leaders

Process Creation

Develop the process before selecting tools

Most organizations put tools first

Process first enables tool optimization

Process

Command Center Overall

Process

Network Security Monitoring - Data Collection

Process

Enumerated

Inputs
People
Processes
Technology
Artifacts (output)

Process Visualized

Technology Selection

Contentious

Politicized

Challenging

Technology Selection Methodology

Open Source Prototype, then Shop

Develop the process,
select an open source tool,
or use whatever tool is in place,
use it until you understand its shortcomings,
then shop for a tool, knowing what you need.

You get the benefit of operational wisdom.

Technology Selection Methodology

Buy and Deploy

Buy all products up front,
fork lift upgrade or installation,
(frequently) hire new staff,
train everyone on new tools,
the builders leave and the operations begin.

Many Choices to Make

Regardless of method

You need an exhaustive list of technology

Operate

When you discover an incident, how does your IR team respond?

like this?

or this?

Well Practiced Operations

"We don't have time for exercises"

The fallacy: this is a claim that you're too busy to improve

Study success and failure.

You have plenty of material for exercises...

...every incident you've ever had.

Right Level of Specificity

Let each functional area define its internal procedures

Have well defined handoffs between areas. Define:

  • Inputs Required
  • Process Performed
  • Artifacts Produced
  • Objectives

Metrics

Measure accomplishment of objectives through metrics

  1. Method of Detection
  2. Dwell Time
  3. Incident Avoidability

Service Level Agreement

Offer SLAs from the SOC to the business

  1. Initiate Response
  2. Report Incident to Business Unit
  3. Sweep Enterprise for Indicators
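The three metrics and the three SLAs above only mean something once they are computed the same way for every incident. The following is an added example, not code from the class, showing how a SOC might derive them from its incident records: dwell time from first evidence of compromise to detection, method of detection split into internally and externally detected, an avoidability rate, and the fraction of incidents meeting each SLA measured from the moment of detection. The record fields, the detection-method labels, the SLA thresholds (1, 4 and 24 hours) and the incident data are all assumptions constructed for the example.

```python
"""SOC metrics (method of detection, dwell time, avoidability) and SLA
compliance (initiate response, report to business unit, sweep enterprise)
computed from incident records.

Field names, method labels, SLA thresholds and the records themselves are
assumptions constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Incident:
    ident: str
    compromised: datetime           # earliest evidence of attacker activity
    detected: datetime              # when the SOC became aware of it
    method: str                     # who or what detected it (labels assumed)
    response_started: datetime      # IR engaged
    reported_to_bu: datetime        # business unit notified
    sweep_done: Optional[datetime]  # None if the indicator sweep never finished
    avoidable: bool                 # would an existing control, if applied, have prevented it?


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records, not real incidents.
INCIDENTS = [
    Incident("INC-1", _t("2024-03-01 09:00"), _t("2024-03-01 09:20"), "nsm-alert",
             _t("2024-03-01 09:35"), _t("2024-03-01 11:00"), _t("2024-03-02 02:00"), False),
    Incident("INC-2", _t("2024-02-10 22:00"), _t("2024-03-04 14:00"), "external-notification",
             _t("2024-03-04 16:30"), _t("2024-03-04 17:00"), _t("2024-03-06 09:00"), True),
    Incident("INC-3", _t("2024-03-05 03:00"), _t("2024-03-07 10:00"), "threat-hunt",
             _t("2024-03-07 10:30"), _t("2024-03-07 13:00"), None, True),
    Incident("INC-4", _t("2024-03-08 12:00"), _t("2024-03-08 12:05"), "user-report",
             _t("2024-03-08 12:40"), _t("2024-03-08 15:30"), _t("2024-03-09 10:00"), False),
]

# Assumed: which detection methods count as "the SOC found it itself".
INTERNAL_METHODS = {"nsm-alert", "threat-hunt", "user-report"}

# Assumed SLA thresholds in hours, all measured from the moment of detection.
SLA_HOURS = {"initiate_response": 1, "report_to_bu": 4, "sweep_enterprise": 24}


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def dwell_time_hours(inc: Incident) -> float:
    """Metric 2: how long the attacker was present before the SOC knew."""
    return hours_between(inc.compromised, inc.detected)


def dwell_time_summary(incidents):
    """Median and worst-case dwell time; the worst case is what the
    steering committee will ask about."""
    dwell = [dwell_time_hours(i) for i in incidents]
    worst = max(incidents, key=dwell_time_hours)
    return {"median_hours": median(dwell), "max_hours": max(dwell), "worst": worst.ident}


def detection_method_breakdown(incidents):
    """Metric 1: who found each incident, and what share the SOC found itself.
    A low internal fraction means detection depends on outsiders telling you."""
    counts = Counter(i.method for i in incidents)
    internal = sum(1 for i in incidents if i.method in INTERNAL_METHODS)
    return {"counts": dict(counts), "internal_fraction": internal / len(incidents)}


def avoidability_rate(incidents) -> float:
    """Metric 3: share of incidents an existing control could have prevented."""
    return sum(1 for i in incidents if i.avoidable) / len(incidents)


def sla_compliance(incidents, sla_hours=SLA_HOURS):
    """Fraction of incidents meeting each SLA. A sweep that never completed
    is a miss, not a gap in the data."""
    met = {k: 0 for k in sla_hours}
    for inc in incidents:
        if hours_between(inc.detected, inc.response_started) <= sla_hours["initiate_response"]:
            met["initiate_response"] += 1
        if hours_between(inc.detected, inc.reported_to_bu) <= sla_hours["report_to_bu"]:
            met["report_to_bu"] += 1
        if inc.sweep_done is not None and \
                hours_between(inc.detected, inc.sweep_done) <= sla_hours["sweep_enterprise"]:
            met["sweep_enterprise"] += 1
    return {k: v / len(incidents) for k, v in met.items()}


if __name__ == "__main__":
    print("dwell:", dwell_time_summary(INCIDENTS))
    print("detection:", detection_method_breakdown(INCIDENTS))
    print("avoidable:", avoidability_rate(INCIDENTS))
    print("sla:", sla_compliance(INCIDENTS))
```

Note that every clock here starts at detection, not at compromise: the SLA is a promise about what the SOC does once it knows, while dwell time is the measure of how long it did not know. Keeping the two separate is what lets the externally notified incident (INC-2 in the constructed data) show up as both the worst dwell time and a missed response SLA, which are different failures with different fixes.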

Staff

You can't do this without competent people

Manage staff of varying disciplines and cultures

Hiring skilled staff is a challenge

Train in analytical process

Analysis of Competing Hypotheses (ACH),
Kill Chain, Diamond Model

Staff Roles

Tier 1 - interrupt handling, repetitive well-defined tasks

Tier 2 - triage support, analysis, tactical support

Tier 3 - deep analysis, methodology development, strategic support

Command Center

  • Manager

  • Analysts

    • concepts and vocab
    • understand the network
    • attacker techniques & response

Network Security Monitoring

  • Manager

  • Analysts

    • understand the network
    • attacker techniques & response
    • Detection, Analysis, and Hunting
    • FOR572 - Network Forensics

Incident Response

  • Manager

  • Analysts

    • understand the network
    • attacker techniques & response
    • Detection, Analysis, and Hunting
    • forensics fundamentals
    • enterprise response
    • memory forensics
    • Network Forensics

Threat Intel

  • Manager

  • Analysts

    • concepts and vocab
    • Threat Intelligence

Forensics

  • Manager

  • Analysts

    • attacker techniques & response
    • forensics fundamentals
    • enterprise response
    • memory forensics
    • Network Forensics
    • mobile forensics
    • executable reverse analysis

Self Assessment

  • Manager

  • Analysts

    • attacker techniques & response
    • network pen test
    • mobile pen test
    • exploit dev
    • advanced exploit development (ROP, ASLR bypass)

How to Retain?

  • Make people who want to be experts, experts
  • Make people who want to be generalists, generalists

How to train?

  • Classes and conferences are obvious
  • Internal "flight simulators" - every incident
  • Fire drills

Questions?

@CCrowMontance