Building and Instrumenting the Next-Gen. SOC Webcast

good morning good afternoon or good evening depending on where you are in the world and welcome to today's webinar building and instrumenting the next generation security operations center brought to you by dark reading logarithm and broadcast by UVM I'm Tim Wilson editor-in-chief of dark reading and I'll be your moderator today we have just a few announcements before we begin the slides will advance automatically throughout the event you can also download a copy of the slides by clicking on the green folder icon located at the bottom of your screen you can participate in the Q&A session by asking questions at any time during the webinar just type your question into the Q&A to the right of the presentation window and then click the submit button at the end of the webinar we'll ask you to complete our feedback form your feedback will provide us with valuable information on how we can improve future events you can also launch the survey at any time by launch by clicking on the red survey button at the bottom of the console at this time we recommend you disable your popup blockers if you're experiencing any technical problems please type your issue into the QA text area and we'll be glad to offer one-on-one assistance and now on to the presentation building and instrumenting the next-generation Security Operations Center I'm excited to have an opportunity to speak about this topic at dark reading room we have spent a lot of time talking with readers about how they're approaching the the growing numbers of threats that they're dealing with and and and the huge volume of malware issues that they're dep they're wrestling with and the Security Operations Center is more and more as the answer to the question a lot of companies are thinking about building one or they have one and they're thinking about upgrading and today we'll have a chance to talk about the right way to do that the best wood methods best practices and some of the technologies that are out there for 
building the next generation to discuss the topic we have two excellent speakers our first speaker is Roselle Safran co-founder and CEO of uplevel security Roselle was previously the cyber security operations branch chief at the executive office of the president there she managed the 24 by 7 security operations center that protected and defended the White House's Network prior to this role Roselle was the digital analytics deputy branch chief at the Department of Homeland Security's u.s. served in this capacity she managed daily operations activities for the computer forensics and malware analysis teams and was instrumental in building to threat intelligence platforms one used internally by all of the u.s. cert analysts and one used by over 50 federal departments and agencies result was named one of the trending 40 power women of GC tech for 2016 and she's a graduate of Princeton University hi Roselle how are you hi Tim doing well thank you our second speaker will be Chris Peterson co-founder and senior VP of customer care and CTO at logarithm Chris co-founded logarithm and and currently serves as senior VP of customer care and as CTO prior to logarithm he was he led product marketing for the Dragon intrusion detection product line as part of the in terraces networks he was also a faculty member at the Institute for applied network security providing expert advice on it on across North America his 21 years of cyber security experience began at Price Waterhouse serving as senior consultant and developing a proprietary GRC solution he later joined Ernst & Young national information security and risk management practice where he held a management role and was responsible for leading the development of software solutions including East security online.com and information internet information security portal and managed vulnerability service in 1999 Chris was an early employee at counterpane internet security a pioneering managed security services provider a counter 
painting served as engineering manager leading threat intelligence research and supporting the development of Socrates their back-end SIM technology hi Chris how are you I'm great thank you um we're looking forward to the presentations just so the audience knows our flow we're going to hear from Roselle for about 30 minutes or so and then we'll hear from Chris and then do we'll have hopefully at least 10 or 15 minutes at the end for Q&A but you don't have to wait to ask your questions so as you're listening to the speakers please feel free to use that console ask questions all during this session and then we'll get to as many of them as we can at the act so with that I'll hand it over to you Roselle to get us started great thank you Tim so thank you Tim thank you logarithm Thank You dark reading it's a pleasure to be here and to talk to everybody today about building and instrumenting the next generation security operation center so just to give you a little bit of background on me I know Tim already mentioned some of it but I've been in cybersecurity for quite a while now so I started doing computer forensics back in 2004 and yes my ence and CISSP are still valid today and so I was doing computer forensics for a variety of different organizations the most recent being Ernst and Young and Ernst & Young obviously works with a lot of very large enterprises from there I went to Department of Homeland Security to us-cert and USR has a very unique perspective on cyber security because they have this umbrella view where they can see what's going on to an extent on for both government agencies and critical infrastructure companies so I had the opportunity to work with a large number of organizations and really understand what was working and not working with them and then from there I moved over to the executive of office of the president very very exciting opportunity there obviously no shortage of interesting work to be done and so I was defending the the network used 
by the White House and the rest of the agency so my team is a 24 by 7 shop with with plenty to do and I was working on both the tactical side making sure any vulnerabilities or incoming issues we're being addressed readily but then they also spent a lot of time on figuring out how we could improve because when you have a sock obviously you are always thinking how can we be better how can we do more because you know that's what the other side is thinking and so I spent a lot of time on trying to find out figure out ways that we could make our operations even better and what I found with that was that when it came to responding to to the alerts that were coming in and running them to ground and dealing with incidents that there was a big shortage when it came to the technology that helped with that process and that's what eventually prompted me to start up level security so that that we could address that issue in a very effective manner and so with uplevel we work with an organization's as small as startups with with about three or four hundred employees all the way up to to the fortune 500 large enterprises multinational corporations so the main takeaway with all of this is I feel your pain I know how challenging it is to to be doing security operations and I am want to share my experiences to help make the job a little bit easier so let's start with the purpose of a sock so everyone in security knows CIA the confidentiality integrity and availability of your organization's information assets and system that's that's what you want to protect and so when you look at how security operations evolved well every organization has its crown jewels whether its intellectual property financial data customer data I mean combination of all of the above and so they need a way to protect it and so initially that really just involved building up a wall around it and in trying to prevent any attackers from getting in that way and so that eventually it became apparent that there 
are still ways to get in despite best efforts of prevention technologies and so that's when you need to be able to detect what's coming in and and what's going after your your crown jewels and then over the last few years organizations have discovered well yes it's important to prevent and yes it's really important to the text but then once you detect you actually have to respond and there's a whole process involved around that for cleaning up and mitigating when when you have something that has breached your system and so what we have now is essentially this is triad of prevention detection and response and the three of them go hand-in-hand they feed off of one another and this is the the core of a security operation center so how does the next-gen sock different so this is the Rozelle definition you're not going to find it in any textbook but this generally sums up that the main points about it so a next-gen sock uses a systematic approach to optimize the abilities of its people the capabilities of Technology and the structure of processes to most effectively protect against an increasingly varied adaptive and sophisticated set of adversaries so you are using all that you have to its greatest extent to try to ward off all of the challenges that are coming in on a regular basis from a very large and adaptive group of adversaries so how do you develop a next-gen sock unfortunately it's not as easy as just buying the shiny new product that as next time in the name or apt or advanced in the name that is not the way to do it and so what I've done is I've looked at what I've seen are the main components to building a next-gen sock and you can basically some them up into five key areas which I call following the trail so that's thoroughly scoped resilience by design automated to streamline intelligence driven and learning continuously and so what I'm going to do for the rest of this presentation is walk through each of these five components and show you how they affect 
the people technology and processes so thoroughly scoped this means when you're building and you're planning on how you want to build your sock you're taking into a into account how the sock relates both internally and externally so externally meaning within the greater organization now if you are already building a sock and you already have something in place I would advise that you still return to this step and make sure that you're thoroughly scoping as you build forward because this is the key aspect to making sure that you're getting off on the right foot so how does this work with the people so at the heart of any sock you have your analysts and historically you've had your tier one which do some initial investigation some initial gathering of information maybe some like correlating when you have your tier 2 which is looking into the issues more deeply and then your tier 3 which are your advanced malware analysis forensics network analysis where you're digging into pcap for example and what we'll talk more about the tiers later but obviously this is a core component for for any stock but when you're thoroughly scoping you have to look at other components as well and one of the other key ones is the other business units within the organization so gone are the days when the cyber security team is just tucked away in a little corner and doesn't have any interaction with the other business units it's actually completely imperative that that the sock has constant interaction and communication with other business units in order to be a next-gen sock so those other units could be the network administrators or net network operations teams the helpdesk ticketing system possibly HR or if it's a big case legal and public relations there are plenty of organizations that the Safa needs to develop relationships with when they're when they're doing their operations and also have insider threat so historically we think of a taxes coming from from the outside but there are 
occasions when they're coming from the inside as well and so increasingly what I'm seeing is that insider threat is falling under the fold of cyber security operation and from a technology perspective being thoroughly scoped means starting with the foundational elements and this is really an important issue and I see time and time again that is a big challenge for organizations to even have this this basic foundation level really squared away so and when you look at the technology in general you're I have a categorized prevention detection response but those are fluid boundaries and there's some overlap and some back-and-forth between them and I'm going to talk in terms of capabilities as opposed to specific technologies and a lot of Technology we'll cover more than one capability and so just keep that in mind it's not necessarily separate product but capability that's important so on the prevention side being able to filter email network traffic and endpoint data that is really critical and often really overlooks but but when it's done it's incredibly advantageous to the to the organization so I spoke to one company who filters about 80% of the email and you can how much easier than the work is for the security team when they have that covered in invent inventory management that's making sure that your software and your hardware and your configs you know what should be there and you have a grasp on that and vulnerability management that yeah that's an oldie but a goodie and very important component as well on the detection side you need to be monitoring the email network and endpoint data keeping tabs on what's going on and what looks suspicious and related to that is the the log management and that could be the log that you're monitoring and also additional logs that that are going to be a value like your DHCP or DNS logs or something along those farms and then on the response side you need a case management system and when my big pet peeves is when I see case 
management systems that are not designed for cyber security all the other tools here everyone makes is completely on board with making it cyber security specific but for some reason people think oh the taste management I could use something designed for a helpdesk or for software development and you really need that cyber security specific case management tool and then you need the visibility to investigate the email the network traffic and at the endpoint data and that doesn't necessarily mean that you're logging everything is specifically with the endpoint data you just have to be able to reach it when you need to and there are a couple other items I'm not including on here like ID management and access control which are your standard elements not not often necessarily a software ability and only when you have that foundational element completely in place can you really effectively start building on those advanced capabilities and we'll talk a lot more about what some of those advanced capabilities are but I just want to stress the importance of getting the foundational down first you need to be able to crawl before you can participate in the Olympics okay and then from a processes perspective so at the very core of your your sock of course your people and so you need to be able to define their roles and likewise you write after that you have your technology and you need to be able to define how that fits within within your organization but on top of that you need to have an understanding of your policy your business policies and this has a big impact on your operations so something like whether you can block web mail or black USB access that will profoundly impact how you run your operations so you need to be able to keep track of those policies and if possible be able to influence of how those policies are written based on the metrics and the information that you have from from your operations on top of that you of course have your playbooks you know I have 
prevent the tech respond a lot of it melts together but you have your general workflows of how you're going to incorporate your your team and your your technology together and I would say one important rule of thumb is that you should have each team and each technology in at least one or two playbooks if not then you need to rethink your playbooks a little bit and then you have performance metrics and I call performance metrics because I want all four to be P's but that's it yeah your metrics so those are on the the managerial perspective where you are relying what work you're doing to upper management and then there are metrics on the operational levels that are you're using to improve how you're doing your day-to-day and then you have your plants and so the plans are often a combination of play books together with communications wrapped around it and that's that's also really critical for making sure that that you have the the overarching view of everything fitting together well and so what I'm provided at the end of each section here is just a recap of everything that I went over in case you missed something on the animations there and so you have it for for when you're looking at the deck later if you'd like to so that's just a recap on thoroughly scoped so moving on to resilient by design so there's a lot here so when when everyone thinks of resilience from a thought perspective they're they're automatically thinking of the tactical side of responding to incidents and that is absolutely a critical component for Sox but there are also operational and strategic issues to adjust to so operational is yep if your your security infrastructure goes down which I will say is no picnic if your case management system goes down and you don't have visibility tickets coming in or if your your prevention tools are suddenly defaulting to open instead of clothes there are lots of potential problems that can happen that you need to be able to respond to and then on strategic 
level you know the business you that you're you're providing your sock support for is going to have change and so being able to adapt to that as well is absolutely critical for for a next-gen sock so the one certainty in all of it is that you know that there will be change and so you have to respond in an effective manner so so what does that mean on the people side well you have your engineers absolutely critical to operations because they're the ones that are often doing the implementation of the technology you know the analysts are more than then over task all the the words that they need to do and so it's great if you can have an engineering team in place who can can handle that work specifically and engine in general when I talk about the people here yep the bigger organizations will have separate teams but obviously the smaller organizations will have people fitting different roles and wearing multiple hats same could be said with engineers but it's really great if you have full-time engineers that that you can devote to looking at the architecture and then we also have red team you know so looking at that tactical side of resiliency and the red team helps you see where the holes are before the adversaries find them and so with red team that you have to make sure that the whole process of red team does not become a game of gotcha where the red team's is aha look at all that we found look at what you're doing wrong but instead you're working side by side by side and red and blue are are learning from one another so to one company I had a great approach of having the red team do some activity and then the defenders coming back and saying AHA this I saw this in show up in this lot I saw this happen I saw that happen until you're creating this this great back-and-forth where both teams are learning and improving the defensive posture as a result and then another aspect of resiliency which I know it's tough is is going 24 by 7 or at least following the Sun and I 
know you it's challenging when when the government shutdown occurred in 2013 and a lot of my team was furloughed I ended up working on the night shift for several weeks no picnic totally get it so sending managers out there I would say you need to have a very comfortable night differential for the people that are working on the night shift or you do follow the Sun model but then you run into some challenges with working front with people in different countries but but either way the next in sauk is going to have to be on the ball 24/7 because here's the attackers they they don't just work 9:00 to 5:00 and even if they do their nine-to-five is not necessarily our 9:00 to 5:00 all right so getting to some of the technology here there's there's a lot that goes into this and resiliency side so first of course pen testing if you've got red teams or the like you want to be able to see what's wrong before someone else does then on top of that the response so it historically a lot of responses just focus on on that investigation component of it but really you want it to have three full levels the first being triaging so that you're responding to the most pressing issues first and then you have that investigative process which is of course iterative and can be quite lengthy and then you want to to remediate mitigate cleanup and capture those lessons learned and so the response now needs to have those three components in order to to be most effective and then I'm from and that that's on the tactical side now getting to the operational side the main issue is that eventually all next-gen Sox are going to have the infrastructure in private cloud and I know some of you are thinking no way that's not happening with our organization we had a whole talk about this with management and we have too much regulation too much sensitive data where we're not moving to the cloud and I recognize that issue I completely hear you I had very similar mindset on my last job but the reality of the 
situation is that you're going to keep having those conversations every six months until you eventually move to the cloud and we talked to the customers all the time that are moving their security operations to to virtual private clouds where they have control of the environment but but their infrastructure is in the cloud and then you know bring your bring your own device is becoming pretty prevalent in most organizations so having some some form of mobile device management which covers a bunch of capabilities I love them all together into this management that's that's going to be absolutely critical you don't want just any all device ending up on your network and or any of the devices that you have for your employees just just going all over the place and logging into Starbucks Wi-Fi czar the like and with that you there's also a component for if you have executives for example that are traveling overseas the mobile device management is increasingly important then and of course it said you like moving to the cloud there's cloud cloud protect prevention and detection technology that comes with that sometimes it's based baked in with with what the providers of the cloud systems have available and then there are some that are more specific to to what your business is doing so so with all of these at and I'm adding here now these are more for the business side that strategic side where you're you're adapting to the changes that are coming within your organization and your building your security posture accordingly so so what tell me of the crown jewels is is web server based or application or database related so so then you need technology around that as well and what I'm also seeing increasingly is that especially the larger organizations that have locations in multiple countries they're looking at the physical security monitoring and they're fusing that with their cybersecurity data in a very interesting way obviously insider threat does this but there are some 
other areas where it can be done as well all right so that's a lot of technology there and then on the the processes side so number one always number one training training the team members so as you bring in all those different technologies as you're evolving with your organization to selecting me those additional capabilities and then the team needs to be trained up on that then in terms of making sure that your your playbooks and your plans are actually effective a great way to do that is is a periodic exercises to really get a feel for what's happening productively and what needs room for improvement and when there are needs for improvement then make sure that that's documented which what you don't want is to have these situations where you've got exceptions and exceptions are in the heads of a couple analysts but they're not documented so that when when something really goes down you're you're not really prepared for it and then there's always implementing technology and this shows up on every process like because you know we we're not working with an advocates or five ruler where we're dealing with technology all day every day and so implementing technology is absolutely critical certainly don't want to have shelf where that doesn't help anybody all right a little recap on reviewing it by design there so moving on automated to streamline so first point I want to make with with automating to streamline is that automating to streamline does not mean that the whole team is going to be just going home that means that you're going to be more effective with what they're doing and making sure that you're using the automation capabilities as they're required so first issue with that is then you wind up with your tier one analysts have not having that role anymore and I know you're saying well you just said you're not going to send all the animals home and I'm not what but I will say is that they then moved to tier two and Tier three and that creates tremendous human 
analytical power if you can move them to those levels and you get far more bang for your buck snow no organization can really afford to just have Tier one functionality when that talent could be used elsewhere and then top of it you have the hunters which is a relatively new group that is doing a lot towards making sure that finding detect ways to detect innovative ways is done effectively and that when those ways are discovered you can automate them out in a matter that that makes it going forward so the technology involved in streamlining and automating to streamline well sandboxing is a pretty common one for from our analysis graph analysis links a lot of it together and then you have your PlayBook orchestration which is very common for connecting everything with api's and then you have tracking the responses so that you're actually seeing what can be automated going forward and then you you need to train your analysts for new roles you need to assess their tech periodically make sure it's not a black box that that's not helping you any you need to update the the play books to include the automation and add in some some new metrics to make sure that all that it automation is actually improving your operations and then you of course at the implement new technology so intelligence-driven that's where you want to make sure that you're bringing in all the information that you need whether it's IOC s or other types of data and you have thread Intel analyst that are great at finding out what's what needs to be focused on both from an IOC perspective and a geopolitical perspective and so the technology involved is simply thread Intel management and scoring a record generation so you don't want to have a situation where you have far more Intel coming in than what you really need you want to be able to take advantage of the information in a way that's effective for you and that means scoring it properly and having a way to report it out in addition to managing it and so 
managing it does not mean just having a spreadsheet or a text file you have to be able to go beyond that and so the process of course revolves training your thread Intel analysts and the rest of the team on what that thread Intel means assessing the feeds to make sure that they're they're actually pertinent to your investigations into your environment updating your playbooks to include your intelligence and then implementing the technology of course and last but not least we get to learning continuously so this is where you have this positive snowball effect of what you learn then it's used to find something new and then you pull that into to learn even more and so on that side we have we're seeing more and more innovation departments where you have these different units that are just looking for startups that have new technology that they could implement into their ecosystem and you have internal auditors and again this is not a gotcha game they're working with the teams to see what's working what's not working and and how you can learn from from what you have to make the operations better and on the technology side this is where we get into a lot of the technology that people automatically go to when they think of next-gen so for the first of all baseline is really critical you need to be able to separate out what you what you know is good and what you know is bad and so once you have that insight then you have something you have some anomaly detection because you can see when something bad pops up that doesn't match with with what you know is good on top of that you have heuristics analysis you know everyone knows of Av using heuristic analysis but you can also use it basically all the time with a sim as well or something along those lines where you're saying you have set of rules and and this is what what I know is indicative of something that's probably bad and you can you can set heuristics to that it works on the response side as well because you can also 
incorporate heuristics work for example with escalating issues from just alert level to incident level think when you know X Y & Z indicates that it's something really serious and then machine learning of course is one of the big buzz words definitely has some some great capabilities as you see it with user behavior analytics where you have machine learning combined with baselining to give you an understanding of what's going on and that crosses the spectrum prevention detection response and and likewise predictive analytics yeah this is sort of a Venn diagram between machine learning and predictive analytics they can encompass each other they can be separate but what you're doing is leveraging what you have what you know to to better predict and move forward and so then in the process side of course you have training and I could really spend a whole webinar on some of the training can do it doesn't all have to be external doesn't have to be very expensive but it needs to be done need to fine-tune all of the appliances especially on the detection side on a regular basis just to make sure that you are keeping up with what you know and not creating a situation where you're flooding your team with with information that it's not going to be very helpful you're updating the the playbooks on a regular basis as you learn what's working and what's not working and you're you're implementing your technology once again to make sure that that learning is happening on on two levels both for the people as well as the technology so that's Lillian continuously summed up and that pretty much sums it sums up what I have yeah we'll have a Q&A session at the end of this and feel free to ping me if you have any questions about anything that I mentioned thank you all for your time and with that I'll turn it back over to Tim thanks rose oh I have to say that that is one of the best presentations I have seen on building the the stock from people process and technology you've got it all 
laid out there. I'll remind the audience that you can download a copy of the slides; at the end of the presentation I'll give you information on how to do that. And if you missed anything, because I know she had a lot of material to cover, you can also watch this over again on demand, so we'll give you instructions on how to do all of that. I'll also remind the audience you can ask questions at any time during the session. I see a couple of good questions already in there, so if you have questions please go ahead and ask them any time and we'll get to them as soon as we can. First we're going to give Chris a chance to talk us through his perspective on this process, so with that I'll toss it over to you, Chris.

Thanks, Tim. Thanks, Rozelle, that was great. Hi all, Chris Peterson here. If we look at what Rozelle laid out, I really couldn't agree more. As a company, what LogRhythm has really focused on since the founding, since we started LogRhythm, was reinventing SIEM and log management into what it should be, to power the next-gen SOC. And as Rozelle pointed out, there is no magic technology that's going to do this, where just out of technology suddenly appears a SOC that's fully functional and delivering the right organizational value. It really is delivered at the confluence of technology and innovation, and how that optimally brings together people and process to realize faster detection and response within that security operations center. As a company that's what we are very much focused on and have been focused on, innovating in a couple of key areas around analytics and automation, which I'll touch on here in a second. But as we look at the problem, and as we look at the SOC and where LogRhythm fits in the SOC, it really is to be that platform that brings people and process together to help organizations focus on and reduce what we think are the two
critical operating metrics for SecOps for today and tomorrow. The first metric is the organizational ability to detect threats, threats that actually represent real risk to the business, and we call that the mean time to detect. Detection is not when an alarm fires from a sensor, because we get a lot of those every single day, too many in most cases. Detection is when a technology, or an organization or person, has said: we know this is a real threat, or we're highly confident it is and it requires more investigation because we believe there's real risk here. That is where detection needs to be and how it needs to be thought of. The second metric is the mean time to respond. Once there is a threat that we have qualified and we believe represents real risk to the business, how quickly can we respond to that? How quickly can the organization fully investigate that threat, determine conclusively whether this is a true positive, whether there is an incident here, and if so, how fast can they organizationally respond to that threat to reduce or eliminate the risk to the business to an acceptable level? That's the mean time to respond. I think, unfortunately, what we see today, and why we see these high-profile data breaches and organizations experiencing these really damaging cyber incidents, is that these two metrics are measured in most companies in weeks or months, when in reality, given the threat landscape, they need to be driven down into days, hours and minutes. There's simply too much motivation out there right now to do bad things in the world of cyber, whether it be criminal actors, nation-states, what have you, and companies need to be focused on how do we detect and respond faster. Technology is going to be the key enabler to that, in terms of doing this efficiently across the teams that you have. So if we look at our focus as a
business, it is to really help organizations effectively realize what we call threat lifecycle management: really that end-to-end detection and response workflow across a technology platform that does bring people and process seamlessly and efficiently together. This workflow begins with visibility, the acquisition of data, and there are multiple different ways in which we can get visibility into the environment. The first is your security event data. You've all bought a lot of security products and they generate, in some cases, high-quality intelligence; they're alarming all the time about things that are suspicious. The challenge is there are a lot of suspicious things that happen every single day. These technologies can block certain things; in other cases all they can do is warn, but those warnings are creating alarm fatigue in a lot of cases. However, we can't ignore them; it's a high-quality source of data that does need to be consumed and made useful. The other source of data is log and machine data in general: system logs, application logs. In that data set is an understanding of what happened, who did what, when, and this is very important when conducting a forensic investigation, to actually understand: is that threat real, what's the scope of the incident, what did that user do, how was that host compromised, when was it compromised? It's very critical in that regard, but also in this data set is the comprehension of what's normal, what normally happens in the environment, if we can leverage that data effectively; I'll talk about that in a second. And then lastly, for visibility, forensic sensors: products that can give us deeper visibility, products on the endpoint, endpoint detection and response products like Carbon Black (we have our own sensor as well), or network forensic sensors, full packet capture products (we've got a product there as well). But there
are other technologies out there also that can provide this visibility, that can passively record all network communications at your ingress and egress points, capturing all packets if that's as far as you want to go. Again, this data can provide great insight from an incident response standpoint, where we can now actually look and see what data actually left my network, when did it leave, over what period of time. That data is also very useful in behavioral modeling, which moves us on to the next part of the workflow and the capability, and that moves us into the actual detection and prioritization. Once we can see, we can begin to detect and prioritize. There really are two principal ways in which the SOC will detect and prioritize threats that require further qualification and investigation. The first is what we call search analytics: it's leveraging that visibility through search-based tools to ask questions of that data, and this is principally used on things such as reviewing reports, but also in things like hunting, where if you have a team that can hunt and can actually look for threats, search analytics is fantastic. The challenge, though, is that search analytics does require people, and in some cases, in a large enterprise, lots of people: people that are hard to get, people that are hard to retain, and people that are expensive to use, and often out of reach for a lot of organizations. That's why the second method is so critical, and where we believe the future is when it comes to the art of detection in the enterprise, and that is machine analytics: leveraging all this visibility that we have across our security devices, across our log data, forensic sensors, to apply AI-like techniques, machine learning, behavior profiling, cooperative analytics, across this data set to get to a class of threats that can only be seen in a centralized analytics approach leveraging all that visibility, and also to better prioritize
the alarms and events coming out of your other security products, by infusing things like environmental context and risk context. The goal of machine analytics is to ultimately serve up to the organization really high-quality intelligence, that smaller set of alarms that are infused with business risk, that the SOC can now reasonably consume, because in reality most organizations are going to have finite capacity; there are only so many alarms you can actually get through every single day. We need technology, we need automation, that can analyze this data and serve up the right intelligence with increasing accuracy over time, so that the next step of detection can happen very quickly and effectively, and that's qualification. Qualification is now when a human operator does need to get involved, where ideally what a human operator is looking at is a small set of automatically qualified and prioritized alarms that they can quickly get through because the platform has made that easy for them. And so here's where features such as machine-assisted investigations are very important. Imagine what we're looking for is a behavioral anomaly for a user account. We're modeling maybe three or four different behaviors: where they log in from, frequency of login, time they log in, maybe what they access within the environment, and these are all things that LogRhythm can do now. If we see some behaviors trip across maybe a baseline of seven days, there's a lot of data that went into that baseline, potentially millions and millions of logs. So when that human operator goes to qualify this alarm that LogRhythm has now generated, saying, hey, I think this account's compromised, it is the job of the technology platform to serve up the right data set to that analyst, so that analyst is now looking at the information of highest relevance. It allows them to make a
decision of: is this a false positive or a true positive? That's also where machine analytics plays a key role, in that machine-assisted investigation process, where the technology itself is intelligently serving up the right data set so analysts can make quick, well-informed decisions. That is then what gets us to detection: actually a human operator saying, yes, I believe this threat is real, and now I'm going to move on to the response side. The first part of the response is any full investigation, and here, as Rozelle laid out, you need case management, and I loved her comment that you need a case management system designed for security, because security is unique. In security we cannot trust the environment around us; we have to assume the entire environment is untrustworthy, and if we're using IT ticketing systems, and we're using things like email to communicate, and we're using the file server to collaborate across documents, those are all potentially untrusted repositories and communication channels. That's why we have in our platform built our own case management solution that has a secure evidence locker, that controls who can collaborate on that case with tight access control, ensures all communications are encrypted, and those communications and history stay within LogRhythm and don't leak more broadly across the organization. That is a critical part of a security-driven case management system. Of course, we also need to integrate with third-party ticketing systems, which is also important to action on the response side. But in terms of that investigation process, what's critical here is that you have a facility for bringing in all that forensic data, that deep intelligence, into a centralized place where you can effectively collaborate across your team and also route it through potentially multiple tiers of workflow. A lot of SOCs have a Tier 1 team, a Tier 2 team, an IR team, and you
want to be able to route and move cases as they go through qualification, through maybe initial investigation, and now into a full response, effectively through a system that makes sure there's real-time visibility and routing to get the highest-risk incidents in front of the right people so they can investigate and action as quickly as possible. And then we want to couple that with automation, because once we have an incident and we know it's real, there's real risk, we need to neutralize it, and here's the second key area where automation plays a critical role today and going forward. In our platform, what we have built is what we call SmartResponse: it's the ability to create plugins, that we build or our customers can build, that can action a wide variety of responses across the IT environment. So in the scenario we were investigating, in terms of that account being compromised, let's say that investigation is moved into a case, the Tier 1 team looks at it and they say yes, this account's definitely compromised based on what we see in the data, and they move it on to an incident. We can have SmartResponse now set up to do things like disable that user account, where within that centralized secure workflow a button can be pushed with a pre-qualified, pre-tested action that can within seconds neutralize the threat of that account by disabling it through Active Directory or some other identity and access management system. That's the other key area of accelerating the time to respond: that automation on the IR side. And it's not just automating the response; it's also automating workflows through investigations as well, and being able to do things such as, I need to go see what maybe some other product thinks about that IP address, or I want to launch VirusTotal and pass this file hash to it. These are other things I can automate as well, where from that user interface
in which this workflow is being executed, ideally it is also automating investigatory actions around that workflow into other systems very seamlessly, because time is of the essence. And then lastly, in our platform we focused on the recovery, where this, I think, really wraps up why we believe that, because we can deliver this workflow on one platform, you get the ultimate efficiency: if this entire workflow and all this data is done in one platform, the recovery process is very quick. You've got access to the full history around the case, the incident, all the forensic data in one place, to then marshal the full cleanup action, and also then to review what was done and to adapt so we can do better next time. So on the whole, what we've built over more than a decade now is a platform designed to deliver this workflow end-to-end, bringing automation around machine analytics and automation around response, to make it possible to efficiently drive down organizational time to detect and time to respond through the optimal combination of technology, people and process. One of the things that we've developed to help organizations get to a higher maturity is a maturity model, because practically speaking a lot of organizations are still just dealing with "I need to do log management better and have centralized visibility"; they have yet to actually leverage things like user and entity behavioral analytics, or have yet to look at how we maybe build a SOC, even a virtual SOC of two or three people, and get them working effectively through a case management system. So our maturity model is designed to give organizations a step-by-step path, across years, for raising the maturity of their SecOps, leveraging a platform like LogRhythm as well as those critical technologies that enable this workflow around our platform. We have a white paper on this and would encourage you all to read it, and
so with that I'll pass it back to you, Tim.

Thanks so much, Chris. The only disadvantage of having really good speakers is that there's never enough time. There are so many issues to cover here, and you both brought up so many good points. We've got a bunch of questions here; we may not get to all of them. I want to reassure the audience that we will have the ability to answer some questions over email, so if we don't get to your question we will definitely try to get back to you by email. Before we get into the Q&A portion, I want to tell the audience that we have a survey here in front of you. It's a feedback form that will give us a chance to get some feedback on this particular session. If your popup blockers have prevented the form from launching on your computer, you can click the red survey icon at the bottom of your screen to complete the form. Please press the submit answer button at the bottom of the page. Thanks in advance for filling out the feedback form; this helps us to better serve you. With that, I'll just remind the audience we have some questions here. If you have a question, please go ahead and type it into the Q&A icon at the bottom of your screen and click the submit button. We've got questions from an interesting cross section in the audience: we've got some folks from small organizations and some folks from large organizations, so let me ask one from each. One of our audience members asks, and the net of the question is: this is great, but what if my organization isn't big enough to have three tiers and threat hunters and insider threat people and that sort of thing? What are the key capabilities and functions that I need to have if I'm in one of the smaller organizations? Maybe both of you want to take this, but either one, if you want to start.

Sure, that's a very good question. Certainly not every organization is very well resourced, so when you have that type
of situation, you wind up with the analysts being sort of a jack-of-all-trades: they're spending some time on analysis, they're spending some time on threat intelligence, they're even sometimes spending some time on engineering, and it makes for very well-rounded cybersecurity professionals, which is great, so there's a lot of value in that. From a technology perspective, I would say if you're a small company, just focus on that foundational level that I was talking about. Don't even bother with any of the advanced analytics or advanced capabilities yet; just make sure you have those fundamentals down really well, because there's a lot that you can do with that, and there's a lot of power in having that set up in a very effective way, and it can stretch your team a lot further if you have all of those bases covered.

I guess I'd just add to that that I think if you're super small, if you're a small business and you've got practical resource constraints, first focus on what you want to protect. I would instrument that with monitoring, make sure that you understand what's happening around it in your environment, and I think ideally see if you can allocate some resource, even time-box it, and say we are going to monitor for a class of things around our highest critical data or systems, and we're going to do it two hours a day. I'm going to make sure I've got somebody on my security team who is at least going to look through the highest-priority alarms for that part of our environment we said is most critical, two hours a day. If it's one person doing just that, you begin to build the organizational muscle memory around some of that detection and analysis process, and can then build a little bit of IR on the back of that, even using IT on the IR side. But I think if I focus on what's most critical and begin to get some of that monitoring capability built in, in terms of looking at some of the highest-priority alarms and
issues around the environment.

Okay, this is great. Let me ask a question on sort of the larger end. You mentioned performance metrics; I think you were talking about that in your presentation, Rozelle. Are there KPIs? How do you go about measuring the performance of your SOC and how it's doing? Can you give the audience some ideas on what you can do to give a sense for what the activity levels are and how your organization is performing?

Yeah, so that's a good question. Unfortunately it's usually very enterprise-specific, based at least in part on the technology that you have. What you don't want to end up doing, though, is creating these very basic metrics that have no value behind them, for example the number of tickets closed in a month, because that doesn't tell you very much. If that number goes up, does that mean that you're becoming more efficient, or does that mean that you've had a lot of noisy alerts that you knew you could close right away? So what you want to do is have what I would call compound metrics, where you're looking at more than one variable, because it provides a better picture. So instead of just saying I just want to look at the number of alerts or incidents in total, maybe do something like mapping it to the cyber kill chain, so you can see that over time the number of incidents that have progressed to this advanced level has decreased, and you can see the different stages. You can also gain a perspective on how much time it takes to do the analysis, because even if the amount of time to finish one ticket goes down, that doesn't necessarily mean that you're more effective, so you want to be able to capture how difficult a ticket is in addition to just that quantity. So from the perspective of reporting to management, looking at something like the kill chain and those types of metrics are of better value. On the operational level, it's really going to
depend on the technology, and you want to keep a close eye on that to make sure that what you're working on is actually improving your operation. So you have false positives; that's a big one. Any detection tool or SIEM that's giving you a high false positive rate, that's something you need to know about, and so you need to have metrics around that so that you can tune it down. And then responsiveness: again, you need to factor in different variables, but that's also important to consider. So those are just a few of them, but I would just err on the side of not looking at really simple metrics, because that often ends up just doing you a disservice.

Chris, did you have any thoughts on that?

Well, I would say, generally, I think it's a tough thing to get meaningful metrics around. I've actually been thinking about this a lot myself, having had some conversations with some big financial providers, customers of ours, who were asking me those questions because they're struggling with this, from the CISOs. I guess the one metric I might throw out there for organizations that are thinking about starting on this is maybe start with a metric around visibility. I personally think visibility is one of the most important things for organizations: what can we actually see, so that we have a chance to detect, and what visibility do we have that would support a response process? So maybe you look at what are the critical systems in our environment, what's our broader environment, and what's our visibility percentage from a logging standpoint across the environment. I mean, that's a basic metric that I think is very important as a foundational metric in terms of the ability to detect and defend from cyber threats.

Yeah, I like that one. Well, I'm going to apologize to the audience because we're just about out of time here, but again we do have questions here that we will try to get
back to you on email. I want to thank our presenters today; I thought you both did a fantastic job. For more information related to today's webinar, please visit any of the resource links available in the green folder icon at the bottom of your screen. Within the next 24 hours you'll receive a personalized follow-up email with details and a link to today's presentation on demand. Thank you for attending today's webinar, Building and Instrumenting the Next-Generation Security Operations Center, brought to you by Dark Reading and LogRhythm and broadcast by UBM. This webinar is copyright 2016 by UBM. The presentation materials are owned by or copyrighted by Dark Reading and LogRhythm, and the individual speakers are solely responsible for their content and their opinions. On behalf of our guests Rozelle Safran and Chris Peterson, I'm Tim Wilson. Thanks for your time and have a great day.

Thank you. Thank you.
Info
Channel: LogRhythm
Views: 10,925
Rating: 4.7837839 out of 5
Keywords: Security operations center, soc, best practices, staffing, effective soc, building a soc, LogRhythm, uplevel
Id: jDbBOqtKA2A
Length: 64min 35sec (3875 seconds)
Published: Tue Oct 18 2016