Enterprise Security Leadership: Creating a World Class Security Operations Center (SOC)


Time: 1 hour
Difficulty: Advanced
CEU/CPE: 1
Video Transcription
00:00
This course is powered by Cybrary for Teams. Security leaders encounter new workforce challenges daily. Cybrary for Teams helps organizations build a cybersecurity-enabled workforce to tackle new challenges, handle security incidents and prevent data breaches. If you'd like to learn more and see how other security leaders like yourself
00:19
are utilizing Cybrary for Teams,
00:21
you can schedule a free demo in the link below or search Business in the navigation bar.
00:27
Okay, well, thank you very much and welcome everyone. I suspect we probably have a lot of repeat students here. We did a couple of sessions earlier in the year and last year
00:40
that are focused on
00:42
leadership and management, governance of cybersecurity, enterprise teams and so on, so forth.
00:50
Um, we suspected there would be a big appetite for this, and I think we were right. Um,
00:56
almost everybody who comes to this discipline, in my experience, comes from a
01:03
a background where there's some expertise in something, probably technical. It might be compliance or audit, but it's usually technical,
01:11
and then you, or all of us, or your team, we find ourselves in these management predicaments like we saw with Joe Sullivan over at Uber, or formerly Uber.
01:23
You know, there are criminal charges that he made some bad judgment, and the guy's freedom is at stake here,
01:30
to be determined by a bunch of lawyers in court. So I think for those of you who do this work, you should take the management
01:38
issues seriously. And I'm glad you're here because that's really what we do. We call it leadership, but it includes a lot of management and governance type decisions. What we don't do here in this course is, you know, deep computer science. And if you do that, you're gonna have to come take one of my classes at the other university or elsewhere. But
01:59
here we talk about management. So if you're here to learn about
02:02
how to guide the program, how to optimize a portfolio program, how to minimize risk in your enterprise at a high level in order to build your career towards becoming a
02:16
a CISO or a senior leader in an enterprise, a lot of you really have career aspirations in that
02:23
regard and make good money doing it.
02:25
Um, then you're in the right place. This is the right place if that's what you're looking for. If you're here to get hands-on training in some forensic tool, we're not going to be doing that here.
02:37
So that's kind of the basis for the course. And I hope you stick around. I hope you enjoy it. Um, now, um,
02:43
this is where you can reach me. Um,
02:46
I think that my email is here... No, I guess it isn't. It's eamoroso@tag-cyber.com. Don't know why I didn't put my email, but you know, it's first initial last name at my domain. And if you follow me on LinkedIn, which I hope you do, I publish quite a bit there and I push out on Twitter at that handle
03:05
and at our website here, TAG Cyber. We publish stuff all the time. It's a research and advisory company that has started
03:13
to democratize research to make it available to
03:16
everyone, big and small budget, uh, groups. So I hope you'll tune into the stuff we do. And just to kind of establish the maturity level here, I start with a cartoon. I do original cartoons every week with Rich Powell,
03:35
who spent his career as a professional
03:38
illustrator, Mad magazine and other places. So every week I write a cartoon, send him the script, he draws it, and we've created this cartoon character, Charlie Ciso, that's become really popular; we wrote a book.
03:53
And I have quite a few clients who use Charlie for their awareness projects. Kind of fun. But in this one, I did it because I'm teaching you, so I thought it'd be good. So
04:00
here's a guy teaching, and these are all of you virtually, though. I like to use simple household analogies in this course, for example, this humidifier and dehumidifier fighting it out. It was straight modern cyber war. And then, of course, we have Charlie talking to Mary saying, I think we maybe need to
04:19
think of a new instructor. I love the cartoons, and occasionally I'm probably gonna torture you with the cartoon.
04:27
Uh, but this is not just a light topic. This is kind of a grave topic, a kind of a deep picture. I think this is from that movie WarGames many, many years ago. This is how most of you run cyber ops, right? You run all these big screens and stuff.
04:44
I have a lot of experience doing that, and we just always called them the marketing screens because
04:48
no analysts, you know, sit staring at a screen, because most of that stuff is available in your console. But when the boss brings up a bunch of customers and having the lights dimmed and the big, glowing screens is, um,
05:03
a good way to grow revenue. We're not gonna talk about any silly stuff like that. I'm going to give you some tips. Nine specific things
05:11
that I think you really need to have in mind as you're building out a security operations center. And I think that the comments here will scale from the smallest little law firm
05:21
to a big monster multinational financial services firm. I've had experience with all of the above,
05:29
and I tried to cull what I think, in a lifetime of doing this, are some of the decisions that you ought to be making. Um, and there's no right answer to these decisions. They're questions you ask yourself. At the end there's a checklist of the nine items, and you have to decide them.
05:46
So I'm not gonna decide them for you. I'll probably make some suggestions, but if you got a couple of these, maybe it saves you a little time or effort, then that's good. I think just about everybody is in some process of either building, optimizing, transforming, expanding, virtualizing, globalizing the security operations center.
06:05
So we're gonna be together for, you know, the next
06:09
45, 50 minutes or so. If there's a couple of ideas here that help you, it's kind of worth the price of admission. I hope you listen. That's just the background.
06:18
Um, in a sense, working together in a group, and I kind of want to say crowd, in a sense, because nowadays security operations is really a conglomeration of multiple groups working together, sharing intelligence, coming to decisions. For many years, the presumption was that as you got more people
06:38
involved in decision making,
06:40
it got worse. This is a famous book by Charles Mackay. I think this is like one of Warren Buffett's favorite books, called Extraordinary Popular Delusions and the Madness of Crowds, written a long time ago before things were even
06:55
moderately modern. In fact, the original title had been in the Madness of Crowds. I think it's like completely inappropriate. But this is a book that talks to, like, the tulip bulb craze and how crowds can really go kind of nuts. And here's, uh,
07:10
you know, the movie Wall Street. I think it was the second Wall Street where he's pointing to tulip mania
07:15
and talking about, you know, here's the bubble for how much tulip bulbs would cost in Holland during the craze. He talked about how crazy a group can go, how crazy a crowd could go. Um, that's always been the conventional view. But now
07:30
we talk about the wisdom of crowds like there's this belief that a large group of
07:35
people, you know, the more the merrier. You can see Malcolm Gladwell being referenced in this,
07:44
this book, The Wisdom of Crowds, and most of you, you know, would hear pitches from firms that talk to crowdsourced security testing and how a vetted, large, capable, um,
07:58
properly managed crowd is really the way to go. Um, if you wanna make decisions, I think that this is something that I recommend that you, as a cybersecurity professional,
08:11
develop a personal or local view around
08:16
this idea that,
08:16
you know, a large crowd will move you in the right direction, may or may not be right. And again, I'm not going to sit here and tell you what I think is the right answer.
08:26
But I do think you need to have an opinion about this. It's not reasonable to have no opinion, to say, Well, you know, kind of whatever. When you do what we do, you should have some belief. And I have a feeling most of you,
08:41
I would say, It depends, you know, like there are certain circumstances where a large crowd is probably going to move you in the right direction.
08:50
And there's certain circumstances where a crowd is gonna push you in exactly the wrong,
08:54
uh, direction. So the reason I bring this up is because when I started in the security analytic kind of game, where you were digging deeply into data trying to figure something out, it was a solitary activity.
09:11
It was something that an individual, maybe using EnCase or something in the old days, and then eventually SIEMs came along,
09:18
uh, early, primitive, similar tele tactics and the really, really old kind of pieces of software. It was an individual solitary activity. And what happened is that somehow that transformed into a group activity
09:35
now performed in a security operations center. And I understand that investigation and SOC may be somewhat different. But you know they're related.
09:43
So you should have an opinion about what it means for a group of experts to work together under some coordinated set of rules, according to maybe even shift work where you're responsible for some period of time and there's handoff to others. Who would have ever even imagined
10:03
that as you're doing an investigation, maybe you're handing something off to someone else, like a case.
10:09
And then suddenly there's this whole bureaucratic look and feel to the way you're dealing with things in a SOC. It feels very blue collar. Is that right? Or is that wrong? Or should we be reinventing the security operation as a collection of dynamically generated individual activities, where
10:28
an individual case manager gets ahold of something
10:31
and stays with it and there's no time limit? You just work it and you're part of the SOC and you deal. These are all decisions, I think, or at least opinions that you should have, and that you should be thinking through as you make some determination about whether your security operations center, you know, will be something that is conventional.
10:52
And you'll see in the first sort of
10:54
tip here that we're going to talk to the most conventional of decisions that people make, and that's around tiered infrastructure. But this idea of SOC and crowds, modern versus, I mean positive versus negative, I want you to give that some consideration and have some opinion about that.
11:15
And it should be an opinion that you can support.
11:18
Let's start with our first tip. So we're gonna go through nine of these, you know, I'll spend a few minutes on each one. Then we'll pause at the end to make sure we have time for questions. I'm also kind of following the chat here, so if you have a question, you can either
11:33
jot it down in the chat screen or there's also a Q and A
11:39
section. You could do that. I'll try and keep track of it. I teach at both NYU in the computer science department and at Stevens in the CS department using this tool. I used to be just terrible at it,
11:52
but I'm getting sort of better. Like I could actually moderately multitask, can watch, you know, for hands going up on things. Like I used to be really, really averse to this, but I've gotten a little better. So go ahead and feel free if you have something you want to say. Now, the first kind of decision
12:09
that has to be made if you're running a security operations center, whether it's three people or 300 people or 3000 people, um,
12:20
is how you're gonna organize. And I love this picture. Like it looks like
12:24
those nice ladies sitting there with that patch panel. All
12:28
it feels like
12:31
tier one, right? So you could almost see the skill sets that are presumed at tier one, like the ability to follow a rote procedure, the ability to stick with a task without getting up and wandering around, like you're willing to sit butt in chair and work through something, and the ability and willingness to take direction
12:50
from the tier two manager,
12:52
which is a scary-looking schoolteacher type lady. Like she looks like somebody you don't particularly wanna piss off.
12:58
And she's standing on a mission. I know she's posing for the picture, but I'm guessing even if she wasn't posing for the picture, she's probably every tier two SOC manager I've ever met. You know, is somewhat of a descendant of this lady looking over here,
13:13
and then you have these two smarter ones. I mean, I say smarter, not in a
13:18
pejorative sense. Like they're the ones who get to sit off here, maybe do something a little more interesting that requires a little bit more skill. This is like your tier three experts. I know it's a ridiculous metaphor,
13:31
but you've got to decide how you're gonna organize. Like, are you gonna organize around tiers? I always have. I always felt that to be
13:39
a useful measure. But what I learned over the years
13:45
is that tier one in security is like tier eight in anything else. Like, you know, you can't
13:52
put people in a tier one situation where they're just gonna follow some rote procedure and not really have much training or background. It does not work. Even if your MSSP tells you that they're doing it, like this idea that, like when you get ADT,
14:09
You know, physical security, and then, you know, like the fire alarm goes off. And then there's an operator who calls you, and it's just following a manual to call you
14:18
and say, Look, I don't know anything about it. All I know is I see a light here. I see your number. I'm letting you know the alarm's going off. If you need more, here's this number. It's like, I get that. I get that sort of romanticized idea that you could scale this with people who do that sort of thing. My first comment is you can automate that, and second comment is
14:37
there's not much value
14:39
in that kind of thing in cybersecurity. I wish there was because that would be a lot of jobs you could create. But do not even consider for a moment
14:46
that in the common modern security operations center
14:50
that the tier one SOC, your tier one SOC participants, can be lightly trained and, you know, poorly motivated, willing to just do it, you know. So instead of doing this job, I'll do that. That doesn't work. So the whole scale shifts forward. But you have to decide. Are you comfortable with
15:09
a tiered structure, 1, 2, 3? Or do you want to do something more vertically integrated, where you say each of these individuals in the room are on par? There's nobody in charge. There's just a group of experts, all of whom have comparable skills. Maybe some have a little more. They coach the others.
15:28
But when issues or threads or situations or cases, whatever your metaphor is,
15:33
hit the SOC, again, for me, it was always a case that would be opened. Then that's what our KPIs would be around, like keeping track of the number of cases and setting the granularity to match the number of cases you felt you could need on a 338 hour shift.
15:50
But if you set up threads, then what happens is everybody is kind of... something comes in and you just grab it. You grab a case, you work it. And if you could work two cases, you do that, and your superstars can work five cases and the newer people can work one.
16:03
But it would be more vertical, where the tier 1, 2 and 3 all merged into one individual,
16:10
and there are many other possibilities. You could have, like, almost a subject matter expert model where this person over here is the network expert, this person over here knows DNS and BGP and infrastructure,
16:26
this person over here knows applications, this person over here knows
16:30
something else. You know, there's a data scientist or something. That's another possibility. But you have to decide. So I always laugh when I say, Tell me about your SOC, and someone will say, Well, we have three people, but we want to go to
16:45
eight. Okay. Well, to do what? Well, we think three is not enough. So we need eight. Okay, what are the other five gonna do
16:56
right now? They're just gonna be there all the same? Or do you follow? Like it's kind of... it strikes me that it's a sign of maturity. So don't do it if you're just sort of counting bodies and measuring the value of your SOC and the ability to cover based on some number of people that you've assigned to the task,
17:15
it's more than that. It's what's your model?
17:18
Like I said, for me, I've always thought tiered made sense. That's horizontal, but you might like vertical or you might like an expert model or something else. There's a lot of others. In fact, you know, if you're outsourcing, then all you're doing is pushing these decisions to someone else. So as you write your RFP
17:36
for your MSSP or MDR, then you should be asking them, How are you set up? What do you do? How's the SOC set up? I bet you probably don't have that in your RFP material or your solicitation material for your service providers, but demand to know how they're set up and make sure it's something that you agree with.
17:53
So that's the first of our nine tips that I really strongly recommend that you take some time to think through. And again, I'm not prescribing. I'm just telling you that it's a decision that you have to make.
18:04
Now this one. By the way, this is a picture from Chitty Chitty Bang Bang, I think,
18:10
um,
18:12
balancing automation and human processes. So
18:15
this is also a decision
18:18
that you're going to have to make
18:22
in the context of your SOC design.
18:25
So first thing
18:26
is make sure that if you have executives in the business or people around you who don't know the difference between automation
18:36
and artificial intelligence, then sit them down and give them a little tutorial. There is a very big difference, right?
18:42
So the question of whether AI should be embedded into a SOC strikes me personally as a version of this, but a different question. I don't even include it in the nine, because that's an advanced enough question that sort of comes after these first nine tips. But automation is much simpler,
19:02
and here's what it comes down to.
19:03
If there are tasks that you do manually
19:07
that can be described in a clear and implementable procedure, then for God's sake, automate it. You know, this idea that
19:17
calls and contacts and other types of things might come through your SOC, or this idea that data at whatever level of abstraction, it could be audit records or logs or something that's coming over
19:30
into your repository or your SIEM or something. The idea that those are... you're doing some sort of analysis on it, you're building metadata around it, counting them. You know, you always ask how many events, you know, happened today. Um,
19:47
that those things could be automated. I mean, that's the kind of thing that if you've got, like, an intern or a new hire and it's their job to do these counting tasks and to put together a PowerPoint with some metadata that they're just off gathering, you know, manually, then that's a sign of an immature SOC, because that person could be curating something much
20:07
higher value.
20:07
So anything that can be written as a procedure and that you believe could be implemented, it is your obligation, in my opinion, to try to automate. Now again, I'm not telling you what those things are. That's your decision. Again, I'm not going to prescribe
20:22
that. Make sure, you know, all your workflow is always automated in the SOC. I mean, I think that's probably right,
20:29
but there could be reasons why you decide that something needs to be manual. There's a lot of good reasons why
20:36
you can see some very uneven decisions, and they're very justifiable, about one thing being automated, one thing being not. That's up to you,
20:44
but again, you should have an opinion. It should be a strong opinion, one that's heartfelt around
20:51
(a) whether automation is something that you want to be super aggressive on, and (b) whether there are manual processes floating around that really stand to be automated. So that's another thing on your journey when people say, Tell me about your SOC. It's always, I have three people, I want eight.
21:08
I told you that's not right.
21:11
It should be more about, you know, what functions are you trying to do here? Your line... But a more important thing when someone says tell me about your SOC is kind of the balance of human versus automation. That seems to me the essence of what this is all about. What have you put in place that runs lights out
21:30
and doesn't really require 24/7,
21:33
um, you know, manning, old NASA term. It's men and women,
21:38
but the idea of putting a human being on a task, that's expensive, it doesn't scale, and it has interruptions, as human beings are not automata. So this is the second thing that I think is super important for you as the SOC planner to have an opinion about. And again,
21:59
not talking about artificial intelligence. Talking about automation,
22:03
and it's really important to make sure that people around you, particularly executives, boards, never get this. And then they always go in these crazy directions of, Oh, my gosh, you automate. So we're gonna have less jobs. You can automate all the humans. That's total bunk. What happens instead is the jobs get better. You know, one of the reasons why
22:22
tier one is no longer just this
22:25
dumb call-you-up is because we have tools like SOAR and SIEM. And, you know, these kinds of automated support mechanisms that do most of that stuff for you. And yes, there are AI tools that provide somewhat skilled analytics. And those are all things that you could decide to do
22:45
or not do. So
22:47
so I think that that, in a sense, is the second kind of key that needs to be taken into account. Now, the third one here has to do with range training.
22:59
I suspect you've heard of this. I love this picture, right? These NASA dudes,
23:03
I think that's Apollo 1, because that looks like Gus Grissom here.
23:07
And, you know, training as a group in a simulated environment. Here is probably one of the managers or something, and these are the scuba divers helping. But the way range training works, if you haven't done it before, is a simulated, um, situation is presented to your team,
23:26
a lot of good commercial vendors do this.
23:29
I'm a big proponent of this. I think it builds camaraderie amongst the SOC team members, and even if you're working cases all day, it does make sense to go off and do some sort of realistic training. We all know that individual training, like pilots have to go and sit in a simulator
23:47
and deal with some incidents that they wouldn't normally see up in the air. Some scary things. They have to learn how to deal with
23:52
in a simulator. So in case it happens, it's not the first time they're dealing with it. Same thing with a SOC, right? Like I always think it's less important that, for example, you know, there be realism around the case, but more shuffling it up amongst the team members, like I've always recommended.
24:12
It's kind of cool if you do a range training and always make sure
24:17
to
24:18
to kind of... have one member always missing from, um,
24:26
you know, from the training. Like, that's kind of cool. Every time one person is not there and you see what happens if that person isn't there, how does that group support? Or you do something like
24:40
you try to do training where you presume that people are having trouble. They can't communicate. Like you can only communicate by email, or
24:47
you create all these things. I remember, you know, right after 9/11, most of the incident procedures that we had in telecommunications
24:55
involved flying.
24:57
They, you know, whatever telecom resources were required to the affected region. And that was kind of dumb, you know, because you couldn't fly after 9/11. So I think that this idea of range training is really flexible. And how you do it is a decision you'll have to make, so
25:17
you have to think through individual versus group, because you can do both,
25:19
whether you want to provide continuing professional education, CPE credits, for the team or for the individuals, whether you want to mix it up, whether you want to do it with a commercial vendor or do it on your own, how frequently. I did a survey with a bunch of CISOs about six months ago,
25:36
so this was pre-pandemic. I said, How frequently
25:40
do you think you should be doing range training? And I'd expected them to say once a year, if that, and it came back that quarterly was the most popular answer. Now I know that if we asked a bunch of people, like, is it a good idea to meditate, eat well and be vegetarian and
25:56
reduce stress, everybody goes, Yeah, do all that stuff. Doesn't mean they're actually doing it. So maybe this quarterly number might be aspirational, but I think that's a decision you'll have to make. If you're going to run a SOC, you have to have a decision around range training, how frequently you do it,
26:14
how you set it up and what the parameters would be
26:17
for that kind of thing.
26:18
Physical versus virtual. It's kind of a weird picture here from the old days. But the challenge with physical versus virtual in my mind
26:30
is that I think we've all learned now with the pandemic
26:34
that you really can coordinate operations virtually. It is something that
26:40
we've made work as a sort of a society. I wasn't quite sure. I think that we're gonna go... I kind of like to go to work every day, and in SOCs that I've ever managed to run, it's always been a physical kind of thing, with the occasional adjunct
26:59
that were out in different areas, like somebody in Australia,
27:03
to cover the time when, you know, perhaps in America, in the Northeast, when they're all sleeping or awake in that region. So you might have these adjunct areas. That's what I always thought. But I don't think that's right anymore for me. But you have to decide. This is for you to decide. So again, when
27:22
hey, tell me about your security operations center,
27:26
I think the answer that comes back should include some measure of whether you're doing it virtually or physically. And what are the advantages and the pros and cons of each one? The primary pro, I think, for a physical SOC
27:40
is just the cooperation, coordination and ability to kind of share immediately and physically and tangibly amongst different groups that are working on cases, similar ones or different ones. In fact, you'll see in a minute we're gonna talk about NOCs and SOCs, having them all together.
27:59
You know, you have this romanticized view.
28:02
Perhaps it may be inaccurate
28:06
that you're gonna have everyone collaborating. Uh, and does that happen in practice? Sometimes. Again, you have to decide. The advantage of virtual, first one is you can hire really, really good people who may not be in your region.
28:19
So you get access to sometimes the best. So again, if you're that person saying... I said, tell me about your SOC. And so, we have three people, we want eight. I said, What are you gonna do with the five, blah, blah, blah, blah. If it's virtual, then I might know somebody. I'd say I know somebody, you know, just graduated, would be really good. Or I know this, uh,
28:37
young lady who really would be wonderful for you. I know this
28:41
person who would be great, and you wouldn't even have to ask, Where are they? Who cares? You know, you might not even care what country.
28:48
So that's wonderful. That creates kind of a global, very expansive view of the ability for you to set up an operation that,
28:56
for the most part, would always find the best people, optimizing the best staff.
29:03
Now the con of physical: you're all stuffed in one place. And you're kind of, as you've seen with government, or if any of you have ever worked in a SCIF,
29:12
that could be very inconvenient. It's not a simple way
29:18
for people to work. Stay off hours when there's a problem, having to run into the SOC to do something.
29:23
Um, and it also does confine the number and types of people that you could bring in, setting aside, you know, the fact that people are often willing to move if a job is good.
29:34
But nevertheless, I think you know that physical definitely
29:40
creates an issue for some people. The primary con against virtual is it's really hard to manage. You know, you do have to put the time in to make sure that people are all working on the same sort of thing. And
29:56
if you've got different time zones, it can be quite the difficult
30:00
thing. I've always said you should have a center if you're doing virtual. It should be a small clump of some people that provide the critical mass and center of gravity. And everything should sort of emanate around that. I'm not a big fan of everything just being completely peer to peer.
30:15
I think having someplace where you can ground a virtual operation is not a bad idea, but you decide. This is kind of, in some sense, you see what we have, 1, 2, 3. The fourth decision is to be on the checklist. I'll have it in the last slide, but you've got to decide: are you physical or virtual? And how are you going to manage that?
30:36
The next thing is threat hunting.
30:37
I love this picture. By the way, this is, uh, you know, we're in a pandemic right now. And this was a cholera outbreak in 18 54. Where Jon Snow, uh, early data scientist, I presume
30:52
I traced the outbreak to an infected pump
30:56
on, did it looking at data and mapping things out and could pinpoint where there was a problem. And I know most good threat hunters will always reference tools and say, you know, really, the essence of threat hunting is sharpening and improving and identifying and making the tools really do the right thing.
31:15
But there's usually this idea in the threat hunting process that, in addition
31:21
to, you know, working with and improving your tool set, you are answering questions. There's no question that threat hunters will do this. Now here's the problem.
31:32
You got all these things, and I'll get to incident response in a minute.
31:34
If you're a sizable organization, you got some people who want to call themselves threat hunters,
31:40
and you got people who want to say they do incident response. And you've got people who want to say they do digital forensics, and you've got people who want to call themselves investigators, and you've got people who want to say that they're SOC managers or SOC experts working with the SIEM, and you have data scientists, and it goes on and on and on and on.
31:57
It becomes this big complicated Venn diagram where it's all intersecting and all this stuff. And yet you're like, I do threat hunting, but I don't do SOC or the investigation. I don't do digital forensics. What is this?
32:09
That's what you have to decide. Like, I'm just saying it's
32:15
threat hunting has become almost like a buzzword to attract people, like you're saying we got a cool place to work because we call our SOC team hunters. I've seen that level of kind of
32:27
It's not. It's not misuse of the term. It's just
32:31
it's become sort of a buzzword for people who just do operational type things. You have to manage that. You have to decide what the roles and responsibilities are and what positions are. I know this is going to sound really boring and terrible, but I really do think you should sit down and write a job description for just about anyone touching data
32:51
and doing anything operational.
32:52
Don't put names next to it, just write the job descriptions and make sure that you think them through. What are the boundaries and where are the overlaps? It's okay to have overlaps; overlaps are good. You know, that's places where people can coordinate, as long as they understand that there is some overlap, but you need to have an opinion here
33:12
about the positions in the organization, what they do, and in particular
33:15
when somebody asks you about threat hunting, you should have a pretty clear understanding and answer to the question: what do your threat hunters do? What does that even mean, to be a threat hunter? And look, it's related to the next thing here, and that's the SOC role in incident response.
33:34
This is the bunker in the UK.
33:37
My family and I went and visited this last summer.
33:40
This is where Churchill was running World War Two from. Very cool, very creepy
33:46
to be down there. But the idea is here, let me give you an example.
33:52
I remember, you know, after I left AT&T, I started my consulting business, TAG.
34:00
I was working with a company. There's a company kind of in the transportation sector.
34:05
Dr.
34:06
And
34:07
we were doing SOC design. I'd been hired to do the stuff we're talking about here.
34:13
I like doing it. And I was very proud. Wrote these beautiful reports, really nicely formatted. Everybody liked it. It was a PowerPoint deck.
34:22
And then they said, oh, this is great. And I went with it. We're gonna make some changes, and it looked good, and we were clear about the role of the SOC in response; one of the recommendations was that the SOC play a primary role, because they didn't really have a setting where incident response was managed. So I drew these PowerPoint diagrams. I was so proud of that
34:42
and delivered it. I got paid. It was good. And then I found that afterwards they had a big problem, and I connected up with them later
34:47
and it was chaos. The incident response was done all over the place. The SOC was not in the middle of it. They hadn't really read my report; it didn't make much sense. I felt like the worst consultant in the world.
34:58
Now maybe I am. But the point is, for you guys, I think it's important that you think through what happens when something happens. I don't mean day in, day out stuff. Like, I understand that there is the factory element of running a security operations center. We dealt with
35:16
10 cases
35:19
that were based on 42 events, that were based on 63 million indicators or something like that, and yesterday it was about the same, and we graph it and it goes to the sea. So no, there's like this factory thing. But then, boom, there's a big problem
35:34
and some other group pops up
35:37
doing incident response. That may be okay. Maybe you buy a platform
35:42
and it's got nice workflow, and maybe that coordinates all the groups, and the SOC is just one of them. I totally get that. That's okay,
35:50
but what I've written here is you got to define the SOC's role. It might be a central role. It might be a participatory role. It might have no role. I don't think that... that seems somewhat unlikely, but you kind of figure out what the dickens is the role. What is it that the SOC is supposed to do? What, when something happens,
36:09
when there's a stress, is the SOC the place where you bring things? I've always found that part of the problem dealing with incident response is finding people and getting everybody onto a bridge and following the process, and I know there's workflow and platforms that do that, but sometimes those things still have trouble.
36:29
I like the idea. I've always liked the idea of complementing that automation and workflow
36:35
with an incident manager, a human being, and I think a SOC is a great place to position those people. But that's up to you. You design, you figure it out, you make the decision. It's fun to think these things through. This is different than writing code. It's different than interpreting data. It's different than,
36:52
you know, doing some sort of cybersecurity task for which
36:57
most of us are pretty well suited. But the idea of designing these processes and who's going to do what is a beautiful art. And I really do think the last one, you know, the previous chart that talked about hunt,
37:07
and this one about response. You can generalize that. I could also say, define the SOC role in investigations and other things that go on and on and on. But I just want to make the point that roles and responsibilities are spectacularly important. And you want to make sure that you have some decisions there about what it is that you're doing.
37:28
This is the big one, right? KPIs. So the reason I say it's a big one
37:32
is because I've seen more ridiculous, meaningless metrics come out of security operations centers, and we can't seem as an industry
37:42
to arrive at some basic
37:45
kind of agreements around units, right? If a chemist from France is working with a chemist from, you know, I don't know, from Mexico,
37:57
I think they both agree on common units,
38:00
right? I mean, we don't have different periodic tables in different countries. But in cybersecurity we don't have... I mean, MITRE ATT&CK may be somewhat of a periodic table. TAG Cyber, we have, like, something we literally call the periodic table of controls. But setting that aside,
38:19
if I say I was attacked 10 times last week
38:22
and you say you were attacked 10 million times last week, we could both be right
38:28
and it doesn't make sense. It doesn't connect. The KPIs that you define won't cross over between organizations. I know this to be a problem because I've been a board member, and when you sit on boards, multiple boards, which I've done as well,
38:43
you know that one CSO is coming in and reporting 10 attacks and the other's reporting 10 million.
38:49
I'm mature enough to know that they've just locally defined these things and their KPIs are based on,
38:54
you know, some local thing. By the way, if you don't know what a KPI is, key performance indicator: these are your metrics for what you do to measure success. What is it you're looking at?
39:05
So you have to decide this. You have to sit down, write them down, make sure you discuss them, get them perfect and everybody in agreement. And now here's the litmus test. Here's what always happens.
39:19
It's usually a local team comes up with a KPI set, sketches something up. It's in, like, some spreadsheet
39:24
that goes to the boss. Boss looks it over and goes, man, yeah, I really want this and this. You put two more KPIs in, then it goes to one or two others. They all chime in. Before you know it, you have, like, 11 KPIs, and you, the ops manager, look at it. You think these are dumb; this doesn't match what I measure, and you've got a
39:43
piece of paper, the things you're really looking at each day.
39:46
That is the nightmare scenario, and what has to happen is that you, as the SOC designer,
39:52
need to go get that sorted out. The KPIs have to match up across the board, and you have to explain what it is that you're measuring. I totally get that a board member might want one or two high-level things, and you might have these operational KPIs that feed the more high-level executives. That's fine.
40:13
You build a structure, but it's got to be one
40:15
structure, not 10, and not different things, and not things that are meaningless, because we all have been there. All right, I've seen, you know, number of pages written per day into users' manuals. It's ridiculous. I've even seen,
40:31
and don't laugh, because I know a lot of you have this, number of people who come to meetings
40:37
as a KPI.
40:38
I think that's a terrible KPI. I mean, I know some of you probably do that, like how many people were on the incident response call, how many organizations represented.
40:47
I don't like those. I think that they push the wrong type of behavior. But yeah, if that's what you need to do, and everybody agrees, then you build it. But KPIs should solve problems, and they should move you from point A to point B. And by the way, it's also wonderful
41:04
to recognize that a KPI should have a finite life.
41:08
It does not necessarily mean once you put a KPI in place that it must be there forever.
41:14
It's wonderful if it's just there for a period of time, get a task done, throw the *** thing out. That's what it's like when regulators hand you findings. That, in a sense, becomes the performance measurement
41:27
for... As you tick off and close out the findings, you go from 10 findings to four to one to zero. You throw that out; it's meaningless. You closed it down, you shut it down. It was a useful metric while you were using it, but no longer useful now that you fixed the problem,
41:44
so make sure you're spending a lot of time in this area. I think it's a big mistake.
41:47
It's a rookie mistake, frankly, that people make all the time,
41:52
ignoring, you know, this decision to decide the right types of metrics.
42:00
NOC versus SOC. I love this picture. It's a kind of old NORAD picture.
42:06
I don't even know what those things stand for. Some of you probably know, on the wall and the cool map up there, whatever,
42:13
but
42:14
recognize that a larger organization is probably going to have something along the lines of an IT-managed operations center to do network and apps and other types of things. I put NOC here;
42:28
it's probably network operations. Yours might be something else; it just might be the IT operations
42:34
capability. And I say center metaphorically, because it may not be a bunch of, you know, these old bald men sitting here. It's probably much more modern and vibrant and diverse and virtual and all that, all of the above, and global in IT.
42:52
So your IT operations team, including network,
42:57
has to be balanced with your security operations team. You got to figure that out. The canonical place where they collide is identity and access management. We all know that.
43:08
So
43:09
strong IT operations managers, they're going to say,
43:13
IAM is mine. You know, that's... identity is how we register, enable and track and build inventory of
43:21
users. And that's the core of running IT support. You know, we need to do that. And the right KPIs are registration time, user satisfaction, you know,
43:35
speed to retiring identities when people leave, and all these other kinds of metrics that don't have a lot to do with threat but rather have more to do with enabling the business and making services operate properly.
43:50
So that's what they want to do. The security team looks at IAM and goes, no, no, no, no. That's the new... you know, the thing you say, identity is the new perimeter. You're probably seeing that, where we got this distributed software-defined perimeter,
44:04
and any time an access decision is made, that's the perimeter. In fact, I use that definition frequently. When people say define perimeter, I say, wherever an access decision is made, there's a perimeter. You're saying yes or no. The classic James Anderson reference model from 1970 that lives on.
44:22
Um, but that's where a security team would say, no, we need to do IAM. And we need to be collecting telemetry from things like Kerberos-based... that's also... or whatever. Collect that telemetry, dump it in the SIEM, collect the registration telemetry to detect evidence of fraud and account takeover
44:43
and other types of things. The security team makes a wonderful case that IAM should be there.
44:47
I don't know what the answer is. I'm not telling you one of them. I'm saying just go balance it, figure it out. It's been my experience that the argument is usually won by the more forceful, more stubborn, more demanding team.
45:00
That's depressing, but it's been my observation. I don't think that needs to be the rule. It's just been empirically what I've seen, that usually if you've got a very strong ops manager, that ops manager, on IAM and other things, is likely to,
45:16
you know, make a big fuss about having this function.
45:21
But you have to decide this. If you let it fester and it's not clear who's in charge of what,
45:28
then you're going to have the dreaded process seam, and we all know process seams are where we get vulnerable. That's where handoffs are... fumbling the ball.
45:37
There's some issue, something you're not doing. I say, hey, are you collecting telemetry about Kerberos ticketing into the SIEM? And the identity team over in IT operations says,
45:52
Well, we're not. We're assuming the security team was doing it. And the security team says, well, we're not; you made a big fuss about owning this. You got to do that stuff, too. And it doesn't get done.
46:02
And both of them could blame the other. And both of them could be right. So you're giving them an excuse to allow process seams, and there's nothing more infuriating to a manager, or to someone running and managing and governing a SOC operation, than when there are these,
46:22
these seams, because seam equals vulnerability.
46:24
It implies a softness or weakness that could be exploited, or that could just inadvertently lead to something being left open, you know, that could be exploited by someone else. So this is an important one, because every one of you listening,
46:42
you know, either is in IT or security. I doubt there's anybody on this call who doesn't connect up with one of the two groups,
46:49
and depending on the culture of your organization, you either get along or you don't. And I've worked in places where the answer to that question has been yes, no, maybe,
46:58
or yes, no, it depends. Mostly I would say it depends,
47:01
but you got to decide this.
47:04
So again, when I said, tell me, you got your SOC, you guys are three people, but we want to go to eight. And we say, well,
47:09
does IT have an operations team? Oh, yeah, they have 25.
47:14
Um, and so do you work with them,
47:16
you know? Well, a couple things. Well, instead of going from 3 to 8,
47:21
have you thought about maybe merging with their 25? Then do you still need five? And then they go like this: hmm.
47:28
I would do that, but we don't really get along, you know that? Well, then, fair enough. Don't do that. But there's an opportunity loss because the two groups are not getting along, or because somebody's got a power play, or somebody doesn't want to give up their staff, or
47:40
or God only knows why. But it's things like that, balancing the two, making executive decisions. This is what security people are not trained to do. Let's face it,
47:51
most of you, if you're a security expert, then you're confident in your ability, probably a little stubborn, and you probably presume, if you're a security person, that the IT people don't know as much as you, because that's what security people like us do. Again, we do. I'm one of you,
48:09
and I'm just exposing that. That's a bias.
48:13
Then get rid of it. You don't wanna have any bias. You wanna be balancing the NOC and IT and security. Fair enough, important decision, one you better not forget. And then, tools. This is, uh, I think it might be
48:29
Edison's workplace. Um,
48:31
not sure, but it's a nice picture. And if you've ever seen pictures of Edison's workplace, one of the things that made him such a wonderful inventor,
48:40
he was a weird guy. I read his biography recently. He's a strange guy.
48:46
In fact, it was depressing, because I didn't like him in the biography at all.
48:52
Um,
48:54
was it Isaacson who wrote the biography? May have been. I have it somewhere in my office here, but
49:01
but he would claim that what made him a great inventor, and made his facility, Menlo Park and other places, great, is tools:
49:08
that they had every tool you could ever imagine. It didn't matter what you needed.
49:13
If such a tool existed, then they had it.
49:15
The reason I bring that up is because you'll notice on the bottom here, I didn't say making sure you have all the tools.
49:23
I said, selecting the right tools, including your SIEM, which we'll get to in a minute.
49:29
So let's make sure that if you're listening now,
49:32
you know the difference between trying to have all the tools and selecting the right tools. And I get that there's gonna be budgetary reasons why you couldn't do the first thing even if you wanted to.
49:46
But it shouldn't even be your objective. It shouldn't be, wow, I wish I could do that,
49:53
because this is not Thomas Edison, and, you know, have every tool on the planet,
49:58
because there's lots of different options here. Walk into the floor at RSA, walk into the Expo Hall, look out across the floor. There's 800 vendors there, and at TAG Cyber we track 2000. You don't need all 800 of those things, nor should you want to. It should be picking the right ones. You need to have criteria for doing that.
50:17
Now, SIEM. That's a big one.
50:20
The reason it's a big one
50:22
is because we all know that it's probably the thing you spend the most on,
50:27
and if you buy your SIEM from you know who,
50:30
then you're probably paying by the drink. And if you're a large enough organization, that can become many millions of dollars. Now, that could be fine. Look, it could be that you built your program around that. You decide you're going to splurge on an expensive SIEM, build process around it, make sure tools connect into it, train the team on it.
50:51
God bless you. Go for it. That could be an absolutely, spectacularly functioning, highly sort of successful security operations kind of engagement. But here's what you don't want to do.
51:04
You don't want to sort of half attend, or just partially attend, to something that's ridiculously expensive
51:12
that has every bell and whistle in the book,
51:15
that's eating up half your budget,
51:16
but you're only using a little piece of it.
51:19
Like, that's wrong. That means you've got the wrong tool,
51:22
and don't give me this thing about we're gonna grow into it, because, you know, you never do. Maybe in five years you might. But then you buy it then,
51:30
so selecting the right tools is not just,
51:34
you know, like this philosophical thing; it's very practical, because if you can make sure you're not overpaying in any one area, you'll have more budget to make sure you have the right tools in a lot of areas. So, for example, breach and attack simulation has become very popular. Um,
51:50
and you can imagine, like, the consoles and some of the data that feeds back being managed by your SOC team. That's possible.
51:59
Um,
52:00
I get that it might be compliance or vulnerability management teams or whatever. But if these things are running continuously, which is what BAS is supposed to be, right, continuous security validation, a lot of cool vendors doing this,
52:13
continuous to me means 24/7. Okay, so if your vulnerability team wants to, you know, deploy a BAS tool and keep track of it on weekends and nights, go for it. That's fine.
52:27
But maybe you decide that it becomes a nice SOC function. Seems like it would to me, and it becomes data that comes in. It goes into the workflow. It feeds into the SIEM. It becomes part of the workflow, and you're ready to go. Reason I bring it up is most of you don't have BAS tools from last year, right? It wasn't
52:45
something you bought in 2019. It's something a lot of you are buying in 2020; it was new last year.
52:51
So you don't have that legacy budget slot.
52:54
We've already got it budgeted, and you just buy a tool. And if you want to get a better one, you replace what you have now with what you had before. And yes, some of you may have bought something last year, but then go back a year before that. When you need a new tool, you either have to go to the boss and beg for more money, or you find a way to save money somewhere else to
53:14
slide things over, so you have room for this new thing you want to buy.
53:17
Selecting the right tool, and emphasis on the SIEM,
53:22
is a really important decision for SOC managers, something that we do at TAG Cyber. We work in portfolio management; big part of my
53:30
day is... what I see, when I'm not teaching with you guys, in many cases I'm sitting with enterprise teams, and we're optimizing that spend, because sometimes it's really crazy. And here's the dream scenario. When you're doing this, you look at a portfolio, you see opportunity to shuffle some things around.
53:50
There's a dividend that gets kicked out.
53:52
The management team lets you keep it. Keep it, and you go buy all these... you buy deception, and you could buy a bug bounty program, buy all these things you've been meaning to do, just by selecting tools and not overspending on things that you don't need. It's really pretty important. So let's summarize here. This is like the crib sheet.
54:12
You know, tiered support, we said, was important. Automation, we said, was important. Training, like the range training.
54:17
What facility? Physical versus virtual. You know, what is the role of hunting, response and other activities in the SOC? What are your KPIs? What are you measuring, is it the darn thing we've determined as success? How do you coordinate with IT and network?
54:32
And then finally, how much process for selecting tools. When somebody asks you,
54:38
you know, hey, tell me about your SOC,
54:42
and your instinct is to say we have three, we want to go to eight,
54:45
that's not... notice I don't even have staffing here at all, and it's a number of people, finding people. I know staffing is an issue, but it's not the main issue. These are the issues; these are the things that strike me
54:59
as, you know, helping you achieve your mission, which is gonna be different in all sorts of things. Let's face it, the reason we're talking SOC here is that it's not obvious what the mission should be, and your SOC mission is gonna be locally determined.
55:15
You know, one place is going to be different than another. You know, a service provider, a carrier,
55:21
it's certainly gonna have a different kind of SOC
55:23
than a bank, because the carrier has to be worried about 24/7 uptime and dependable, available operation; the main KPIs are keeping things up, making sure denial of service and outages don't cause problems. Banks, different story.
55:39
You know, they're much more concerned with preserving the integrity of the financial infrastructure. Yeah, availability is important, but let's say it's Tuesday, you know, two in the morning in some country; if some network infrastructure's down, it may not be that big a deal, but to a service provider it'd be an enormous deal. So it would be different in each case. So with that,
55:59
you know, I wanna... that's sort of what I had prepared. I've been following some of the chat here,
56:05
appreciate some of the interesting conversation here that
56:09
some folks are going through, and appreciate some of the commentary around
56:15
some of the, uh, folks coming from some different places here. I hope you'll share with me any feedback or suggestions you might have for how I can make this more fun and more useful for you. Like I said, I'm
56:30
generally pretty available, more than happy to engage if there's something that you have here. I see really no Q and A. Again, I'm following the chat here. I don't think there's necessarily anything
56:42
important that I haven't covered here.
56:45
Um, IT certifications, running the SOC from management level. Yeah. I mean, the cybersecurity certifications will all transcend the SOC, right? That your PCI and
56:58
SOC 2 and HIPAA and so on and so forth. There is going to be a component there that's gonna be asking about how you do security operations. So I think that's important. ITIL was always something that I like to see in a security operations center. Then, depending on, you know, customers you're dealing with, you're gonna have all these customer-related
57:15
certifications, like if you do work
57:17
with the US federal government, they're going to be coming through your SOC. I'll give you my favorite
57:22
SOC certification thing I ever saw in my life. I'll use it to close. I started with a joke, I'll end with a joke, but this wasn't a joke. I remember an
57:31
assessor, auditor, something like that, coming in and saying the SCIF, your secure facility, has to be less than, I figured it was like a two minute walk, five minute walk, something like that, from the SOC.
57:46
And I was like, okay, well, see over there, there's the SCIF door, and here's where we're standing. It's like I could reach over and touch it. And then I remember the auditor holding the clipboard and saying, well, do it. Well, do what? Walk
58:00
from there to there. I'm like, okay. So hits the stopwatch, walk across, stops the stopwatch. I'm guessing he wrote down, like, eight seconds, you know? So you could take that for what it's worth. I'm sending a message that we're going to just take our word for it, then,
58:19
you know, we couldn't stumble down the road and not get over there in two minutes. But
58:22
it's that kind of thing, certifications. You take it for what it's worth. Best thing is to attend to these kinds of things. Get these right
58:30
and you'll have a SOC that's gonna be wonderfully, uh, put in. Last thing, I see Paul's asking about headcount, greater workload or need for additional headcount. That's right. That's of course, Paul. I'm just saying that, think through, like, how you're set up. So it could be, for example, that an existing resource might be useful.
58:49
Or it could be that a combination of insourcing and outsourcing will be there. Or, yeah, you might say,
58:55
hey, I have three... I have 30, I need 50, and here's why. And the answer should be rooted in support, automation, training. Like, if I'm your boss and you're telling me I wanna go from 30 to 50, I would say, well, what have you automated?
59:09
And if you say,
59:10
here's what we did, and it's all laid out, then
59:14
it's 30 to 50.
59:15
Are you doing hunt and investigation, response, all that stuff, too, or is that separate? You go, no, we do all of that.
59:23
Have you worked with IT? Are you coordinating with the NOC? You have already done that.
59:30
How are you set up? You tell me.
59:32
All right. Sounds like you've got your ducks in order. Let's go get you funded. But if you said, automation? No, we haven't really thought about that. And I say, oh, what do you do, hunting and response? You go, I'm not really sure.
59:45
I say, what, are you coordinating with IT? Man, I really... I'm not going to give you the headcount in a million years. Forget it. I gotta go fix those. Like, you could work those things out. And then you come back and talk, you know, and I agree with the
59:58
last point there, choosing the right tool. Very, very, very, really, really correct. So, well, listen, we've reached the top of the hour. I'll turn it back to the Cybrary team, and we'll see you all next week. I really appreciate your participation here. A nice big group, and we'll see you all next week.
There are 9 tips to help you build a world-class Security Operations Center. In this session of Enterprise Security Leadership, Ed Amoroso covers everything from establishing support to implementing training to utilizing the right tools for the job.
