Who Says a SOC Can’t Have Windows?
Transcription
Who Says a SOC Can’t Have Windows? Rethinking the Modern SOC

Introduction
VP Product & Strategy, MSS
• 2004: Built an 8x5 SOC for Nokia
• 2006: Outsourced it
• 2008: Built 24x7 Consumer Operations (ecommerce, accounts)
• 2010: Ran 24x7 Cloud Operations and Automation Development for those systems
• 2012: Developed Repeatable Security Programs for Blackstone’s portfolio (and ran the network)
• 2014: Helped plan the Accuvant acquisition and now run Managed Services
#RSAsummit © Copyright 2014 EMC Corporation. All rights reserved.

How I describe my job to my friends:

What I leave unsaid: most of my analysts want to see the sun!

But what’s the problem? … Everyone loves it on the SOC tour!
0% unemployment in security
Finding people is hard; making them work without windows (24x7) is even harder

This is what they really want

Yes, a little tongue in cheek … but this presentation is about rethinking assumptions
There are many drivers of change today:
• Technology, and especially infrastructure management, is transforming
• The potential impact of today’s threats to the enterprise (and its visibility) is skyrocketing
• Various threat actors’ (not just state actors’) willingness to use cyber weapons is increasing
• Technical defenses are also rapidly evolving

Rethinking assumptions in SOC Operations
• The SOC is not a NOC
• Teach Analytics, not (just) SLA
• Ecosystem of tool chains vs. single toolset
• Software Driven Everything
• Constant QA, not Red Team Exercises

SOC is not a NOC: Rethinking Tier 1
NOC process:
Something goes red. Ping down.
System not responding. Assigned to Tier 1.
Try something. Is it green? Reboot. Is it green? Escalate.
Keep working until things become green.
– Generally it is clear something is wrong
– The problem is how to fix it
– It is usually clear once it is fixed

SOC is not a NOC: Rethinking Tier 1
SOC process:
There is a lot of yellow “stuff” and some red. Assigned to Tier 1.
Is something actually wrong? Are we vulnerable to this?
Oh, that machine is johnny-desktop01; let’s just re-image it.
Great, no more alerts. I guess it’s all good. Close case …
A few days later … hmm, how come Johnny keeps logging into the domain controller? Didn’t we re-image his machine?
OR: We re-imaged Johnny’s computer because of a commodity attack that didn’t even actually compromise it? Now he is screaming at me for taking his computer away for 2 days!
– It is completely unclear if something is wrong
– “Fixing” it is easy
– But it is never clear if the problem is really fixed

SOC Analyst as Frontline Medic, Not the Call Center Tier 1
• There is no green. Get to classification: “Recon, Exploit, Exfiltrate”
• Depending on severity and confidence level, pull more experienced people onto a call
• Pool teams together for a mix of skills and experience as a team
• “Tier 1” has to be able to make informed decisions and investigate, not just run through a script

Analytics, not (just) SLA
• Like the NOC case, we have looked at SLA as a way to measure the quality of a SOC
• Time to Respond / Time to Resolve
• However, not all cases are the same
• The countdown timer is efficient for maximizing profit but doesn’t necessarily lead to the best quality
• Need to drive the mentality of handling the problem effectively, not just quickly
Analytics, not (just) SLA
Measure using trends:
– What were the characteristics of the longest cases to investigate? How could we reduce the time?
– On average, how many tools were used to reach an FP or TP conclusion? Can we consolidate?
– What is normal?
These are the same types of questions analysts need to ask when investigating events:
– Understanding what “normal” is
– Looking for patterns in the data that indicate potential issues or a false positive
– Where have we seen similar cases?

Toolset: A Christmas gift favorite
Valhalla: One tightly coupled solution suite to solve your CM, monitoring and security issues. One-stop shop for security operations.

Reality is more like this
• Multiple tools to fit the job
• Some tools you like better than others
• Miscellaneous tools used only once but needed

Ecosystems are the new SOA: use them to your advantage
• SOP Documentation
• Automated Versioning & Search
• On-call management
• Automated notification
• Security Events
• Situational Awareness
• Monitoring Health
• QA Checklist
• Event Analytics
• Pattern detection
• Time tracking
• Reporting
• Email Automation

Engineers are grinning, but managers are shaking their heads: WARNING: IVORY TOWER THINKING
• Of course you still need to balance best of breed with manageability
• But don’t get locked in
• Don’t be afraid to build the skills
Abort Fail Retry
AND …
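The trend questions on the Analytics slides above (tools per verdict, traits of the longest cases, what “normal” looks like) can be answered from the case queue itself. The following is an added example, not code from the deck or from EMC; the case records, categories and tool names are constructed, and the “normal” baseline uses a median/MAD rule chosen here so one huge case does not skew it.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Case:
    case_id: str
    category: str   # kind of case, e.g. "phishing", "malware", "policy"
    hours: float    # time from assignment to close
    tools: tuple    # tools the analyst touched before reaching a conclusion
    verdict: str    # "TP" or "FP"

def avg_tools_by_verdict(cases):
    """On average, how many tools were used to reach an FP vs. a TP conclusion?"""
    out = {}
    for v in ("TP", "FP"):
        counts = [len(c.tools) for c in cases if c.verdict == v]
        out[v] = round(sum(counts) / len(counts), 2) if counts else 0.0
    return out

def longest_case_traits(cases, top_n=3):
    """What did the longest cases have in common? Dominant category and tools."""
    longest = sorted(cases, key=lambda c: c.hours, reverse=True)[:top_n]
    category = Counter(c.category for c in longest).most_common(1)[0][0]
    tools = Counter(t for c in longest for t in c.tools).most_common(2)
    return {"category": category, "tools": [t for t, _ in tools]}

def outliers(cases, k=3.0):
    """What is normal? Per category, flag cases far above the median resolve time,
    using median absolute deviation (MAD) as the spread measure."""
    flagged = []
    for cat in {c.category for c in cases}:
        hrs = [c.hours for c in cases if c.category == cat]
        med = median(hrs)
        mad = median(abs(h - med) for h in hrs) or 1.0  # avoid division by zero
        flagged += [c.case_id for c in cases
                    if c.category == cat and (c.hours - med) / mad > k]
    return sorted(flagged)

# Constructed case records for the example (not real ticket data).
CASES = [
    Case("c1", "phishing", 1.0, ("mail-gw", "siem"), "FP"),
    Case("c2", "phishing", 1.5, ("mail-gw", "siem"), "FP"),
    Case("c3", "phishing", 6.0, ("mail-gw", "siem", "sandbox"), "TP"),
    Case("c4", "phishing", 14.0, ("mail-gw", "siem", "sandbox", "edr", "pcap"), "TP"),
    Case("c5", "malware", 3.0, ("edr", "siem"), "TP"),
    Case("c6", "malware", 3.5, ("edr", "siem", "sandbox"), "TP"),
    Case("c7", "malware", 2.5, ("edr",), "FP"),
    Case("c8", "policy", 0.5, ("proxy",), "FP"),
]
```

Run over a real export of closed cases, the three functions give the consolidation candidates (tools that only appear on FP-heavy paths), the category to write an SOP for, and the cases worth a post mortem.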
“Magic” Piece of Advice
One of the best tools you have to retain your people is to support contributing back to the community.
Intrinsic motivators outweigh extrinsic factors once people have their basic needs met:
• Wikipedia
• Firefox
• Linux
• Toms Shoes

Software Driven Everything
Everything has an API now, which means everyone is a developer (or has to become one)
– Everything is designed to be integrated
– A little Python can build a toolkit that used to take months to put together
More importantly, the way IT is built is changing
– Cloud/API driven compute
– Software Defined Networking
– System Configuration Automation
Understanding how these capabilities work will be just as important as understanding how to read a pcap file is today

Software Driven Everything: Ways of Working are Just as Important as “Coding”
Shared ops experience: sleeping in the data center
– It’s a shared experience that bonds a team
– And drives critical lessons like why change management is important
• Developer version: Don’t break the build!
• Understanding how an SDLC is run will be critical
– Source Control
– REST and Callbacks
– QA Automation and build chains

Constant QA, not Red Team Exercises
As infrastructure gets defined as software, security becomes part of QA.
Begin to think of your tooling like an SDLC. When deploying new capabilities, “continuously test”:
– Unit tests (is my firewall blocking?)
– End to end (is this attack detected and stopped?)
– Regression tests (am I still checking for old exploits?)
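One concrete shape for that unit / end-to-end / regression split, as an added example (not code from the deck or from EMC): the firewall policy is unit-tested as a pure function, each archived case is replayed end to end to confirm it is both detected and stopped, and a regression check reports any past case the current rule set no longer catches. The inventory, host names, TEST-NET addresses and case ids are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
# Constructed inventory for the example (not from the slides).
DOMAIN_CONTROLLERS = {"dc01", "dc02"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_INBOUND_PORTS = {443, 25}

@dataclass(frozen=True)
class Event:
    case_id: str          # constructed id of the archived case the event came from
    kind: str             # "flow" or "logon"
    src: str              # source IP for flows, source host name for logons
    dst: str
    dst_port: int = 0
    user: str = ""
    expected: bool = False  # analyst's archived verdict: True = real problem

# Unit level ("is my firewall blocking?"): the policy is a pure function, testable alone.
def firewall_blocks(ev: Event) -> bool:
    return ev.kind == "flow" and ev.dst_port not in ALLOWED_INBOUND_PORTS
# Detection content under test; each rule answers "does this event look wrong?".
def rule_desktop_logon_to_dc(ev: Event) -> bool:
    return ev.kind == "logon" and ev.dst in DOMAIN_CONTROLLERS and "desktop" in ev.src
def rule_inbound_smb_from_internet(ev: Event) -> bool:
    return (ev.kind == "flow" and ev.dst_port == 445
            and ipaddress.ip_address(ev.src) not in INTERNAL_NET)
RULES = [rule_desktop_logon_to_dc, rule_inbound_smb_from_internet]
def detect(ev: Event, rules=RULES) -> list:
    return [r.__name__ for r in rules if r(ev)]

# End to end ("is this attack detected and stopped?"): detection plus the response it drives.
def end_to_end(ev: Event) -> tuple:
    detected = bool(detect(ev))
    stopped = firewall_blocks(ev) if ev.kind == "flow" else detected  # logon: session is ended
    return detected, stopped

# Regression ("am I still checking for old exploits?"): replay the archive, compare verdicts.
def regression(corpus, rules=RULES) -> dict:
    missed = [ev.case_id for ev in corpus if ev.expected and not detect(ev, rules)]
    new_fp = [ev.case_id for ev in corpus if not ev.expected and detect(ev, rules)]
    return {"missed": missed, "new_false_positives": new_fp}

# Constructed archive of past cases (TEST-NET addresses; labels are illustrative).
CORPUS = [
    Event("case-2012-07", "flow", "203.0.113.9", "files01", 445, expected=True),
    Event("case-2013-02", "logon", "johnny-desktop01", "dc01", user="johnny", expected=True),
    Event("case-2013-11", "logon", "admin-jump01", "dc01", user="ops", expected=False),
    Event("case-2014-01", "flow", "10.4.2.7", "web01", 443, expected=False),
]
```

Wire `regression(CORPUS)` into the build so that a rule change which drops an old case fails the pipeline the same way a broken unit test would.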
What doesn’t change
• Core Security Operations processes are still critical
– Hire the right people with the right attitude
– Define and follow critical processes such as incident response, change management, post mortems
– Practice your ability to execute these processes
– Continuously train
This presentation is to help you get more out of what you do, foster an environment to retain the best people, and adapt to the ever-changing landscape.

That’s still not all easy … can I outsource it?
• 24x7 is very hard to do (8x5 is bad enough)
– It seems inevitable to need outsourced help
– Just recruiting, training and retaining people for 8x5 is not easy
– You still need some strong internal incident responders
– There is no way to get all the tribal knowledge into an outsourcer
• The outsourced SOC should be a force multiplier
– Yes, it can save 3-4 FTE cost
– They should make your 1-2 FTE 10x more capable

What about SOC in the Cloud?
• It’s inevitable
• What’s the difference, though, between Provider, Cloud, SaaS?
– Not much on the surface
– SIEM in public cloud as SaaS is more important (scaling is what matters)
– It’s happening already (ex: SumoLogic)
– The value will be in reducing cost, improving quality, crowdsourcing & ecosystem
• Expect new on-demand models
– QA: uTest
– Proxy: zScaler
– Tools: Cloudshark

How does Ecosystem work with Outsourcing?
• Not very well
• I’m a believer in eco-system; I’m a believer in co-managed
– Customer has full access to the product they bought
– Provider utilizes that product to act on their behalf
– Keeps it healthy, tuned to be a force multiplier for the Incident Handler
– It’s not easy to do
• A cloud-based SIEM which you have full access to, and that a 3rd party is also monitoring and providing crowdsourced data for, is the future

Summary and Key Takeaways
• The SOC is not a NOC
– Tier 1 as your field medic
– There is no green
• Teach Analytics, not (just) SLA
– Trends and patterns will be critical for security analysts
– Put emphasis on it even in daily work
• Ecosystem of tool chains vs. single toolset
– Take advantage of the ecosystem of tools
– Focus your effort where you think it helps the most
• Software Driven Everything
– Look for software skill sets
– Training on software development methodologies
• Constant QA, not scheduled Red Team exercises
– Regularly test your defenses
– Consider how software testing processes can be integrated

THANK YOU