#RSAC
Data Analytics, Developers, and Automation - What you want in next generation SOCs
Session ID: SDS-R08
Chris Kinnahan
Director, Global Security Operations Center, Sony Corporation
Three Key Components to a Successful SOC
Data, Data, Data
Automation
SecDev – Security Development
It’s a Data Science Problem
Historically, detection and response centered on commercial signatures: security was only as good as the products you purchased.
The problem with this model is that an attack had to reach a certain level of activity before vendors took note and developed a signature. That worked when the primary threat was a large worm outbreak like Nimda or Code Red. Current threats are more sophisticated, customized, and designed not to draw attention.
Our response has been to gather more and more data in the hope of detecting that activity. The problem is that we are overwhelming our teams with data.
How do we adapt?
We need to approach it as a big data problem. So what does that mean?
• We need to move from tools to platforms
• We need to apply data management solutions to solve our data problems
• Our analysts have to adapt and become smarter
Platforms
SIEMs are the heart of our IR teams. At best they integrate with their own vendor's products; at worst they take in data but offer minimal opportunity to interact with that data in automated ways.
We need solutions that provide full-fledged APIs or direct database access so that we can integrate them with our other tools.
Your SOC needs to be able to integrate and automate how its tools interact with each other.
Data Management
We need to apply traditional data management and optimization techniques:
• Utilize summary tables for your most frequent queries
• Make sure you are extracting all the fields your analysts need
• Ensure that your schema is dynamic and can change over time
• Benchmark everything
Dedicate a Data Architect/Administrator to monitor analyst queries:
• Monitor how what analysts are querying changes over time
• Assist analysts in improving their searches
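The four techniques above, worked through on a small event store. This is an added example, not code from the slides or from Sony's SOC: it uses sqlite3 from the Python standard library so it runs offline, the authentication events are constructed sample data, and every table and column name (auth_events, failed_logins_hourly, the user_agent field) is an assumption made for the illustration. It builds a raw event table, a summary table for the most frequent analyst question, benchmarks the same question against both, and shows a schema change with the identifier validation that any "dynamic schema" path needs.

```python
"""Summary tables, schema changes and benchmarking on SOC event data.

Added example, not part of the slides. It uses sqlite3 from the Python
standard library so it runs offline; the auth events are constructed
sample data and every table and column name is an assumption made for
this illustration.
"""
import random
import re
import sqlite3
import time

# Constructed sample population: four accounts, five source hosts.
USERS = ["alice", "bob", "carol", "svc-backup"]
HOSTS = ["10.0.0.%d" % i for i in range(1, 6)]
ALLOWED_TYPES = {"TEXT", "INTEGER", "REAL"}


def build_db(n_events=20000, seed=1):
    """In-memory database with a raw event table plus one summary table.

    auth_events is the raw feed. failed_logins_hourly pre-aggregates the
    question analysts ask most often ("who fails to log in the most?") so
    it no longer needs a full scan of the raw table.
    """
    rng = random.Random(seed)
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE auth_events "
        "(ts INTEGER, username TEXT, src TEXT, outcome TEXT)"
    )
    rows = []
    for i in range(n_events):
        user = rng.choice(USERS)
        # Constructed signal: the service account fails far more often.
        fail_p = 0.6 if user == "svc-backup" else 0.05
        outcome = "FAIL" if rng.random() < fail_p else "OK"
        rows.append((i * 3, user, rng.choice(HOSTS), outcome))  # one event per 3 s
    conn.executemany("INSERT INTO auth_events VALUES (?,?,?,?)", rows)
    conn.execute(
        "CREATE TABLE failed_logins_hourly "
        "(hour INTEGER, username TEXT, failures INTEGER, "
        "PRIMARY KEY (hour, username))"
    )
    refresh_summary(conn)
    return conn


def refresh_summary(conn):
    """Rebuild the summary from the raw table (a scheduled job in practice)."""
    conn.execute("DELETE FROM failed_logins_hourly")
    conn.execute(
        "INSERT INTO failed_logins_hourly "
        "SELECT ts / 3600, username, COUNT(*) FROM auth_events "
        "WHERE outcome = 'FAIL' GROUP BY ts / 3600, username"
    )
    conn.commit()


def top_failing_users_raw(conn, limit=3):
    """The analyst's query run against the raw events: a full table scan."""
    return conn.execute(
        "SELECT username, COUNT(*) AS n FROM auth_events WHERE outcome = 'FAIL' "
        "GROUP BY username ORDER BY n DESC, username LIMIT ?", (limit,)
    ).fetchall()


def top_failing_users_summary(conn, limit=3):
    """The same question answered from the summary table."""
    return conn.execute(
        "SELECT username, SUM(failures) AS n FROM failed_logins_hourly "
        "GROUP BY username ORDER BY n DESC, username LIMIT ?", (limit,)
    ).fetchall()


def benchmark(conn, query_fn, repeats=20):
    """Median wall-clock seconds for one query: 'benchmark everything'."""
    samples = []
    for _ in range(repeats):
        start = time.perf_counter()
        query_fn(conn)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


def add_field(conn, column, sql_type="TEXT"):
    """Schema must be able to change as analysts ask for new fields.

    Identifiers cannot be bound as SQL parameters, so the column name is
    checked against a strict pattern and the type against an allow-list
    before either is spliced into the DDL.
    """
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]{0,63}", column):
        raise ValueError("invalid column name: %r" % column)
    if sql_type not in ALLOWED_TYPES:
        raise ValueError("unsupported column type: %r" % sql_type)
    conn.execute("ALTER TABLE auth_events ADD COLUMN %s %s" % (column, sql_type))
    return [row[1] for row in conn.execute("PRAGMA table_info(auth_events)")]


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("raw", top_failing_users_raw),
                     ("summary", top_failing_users_summary)):
        print("%-7s %s  %.6f s" % (name, fn(db), benchmark(db, fn)))
    print("columns after change:", add_field(db, "user_agent"))
```

The summary table is only as fresh as its last refresh, so the refresh schedule is part of the design: the data administrator the slide calls for decides how stale an answer each query can tolerate and which queries are frequent enough to earn a summary at all.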
Smarter Analysts
Solid IT skills
Basic ability to script/code
Problem solving
Attention to detail
Innate interest in technology
Analyst Magic Quadrant
[Figure: an analyst "magic quadrant" plotted on two axes, Intelligence and Motivation, contrasting your actual magic quadrant with what you think is your magic quadrant]
Automation
Ask yourself: do your analysts spend more time compiling and collecting data, or analyzing it? Everything needs to be centered on the analysts. We need to bring the data to them:
• Historical incidents….have you seen this before?
• Threat intelligence
• Whois records
• DNS resolution history
• Analyst data
• Vulnerability data
• Etc.
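The enrichment step the list above describes, as an added example in Python rather than code from the slides or from any SOC named on this page: one call gathers historical incidents, threat intelligence, whois, DNS history, analyst notes and vulnerability data for an indicator. Every store here is a constructed in-memory stand-in for a real system (ticketing, threat intel platform, whois and passive DNS services, a scanner), and the record layouts, field names and sample values are assumptions made for the illustration. The one design point worth copying is that the passive DNS pivots are fed back into the incident and intel lookups, so an address nobody has seen before is still flagged if it shares a domain with an old true positive.

```python
"""Bring the data to the analyst: one call that gathers the context listed
on the slide for an indicator, instead of the analyst collecting it by hand.

Added example, not part of the slides. Every store below is a constructed
in-memory stand-in for a real system (ticketing, threat intel platform,
whois, passive DNS, scanner); record layouts, field names and sample values
are assumptions made for this illustration.
"""
import ipaddress
from datetime import date

# --- constructed sample stores (values invented for the example) ----------
HISTORICAL_INCIDENTS = [
    {"id": "INC-2014-0187", "closed": date(2014, 11, 2), "verdict": "true positive",
     "indicators": ["203.0.113.7", "update-srv.example"]},
    {"id": "INC-2015-0012", "closed": date(2015, 1, 9), "verdict": "false positive",
     "indicators": ["198.51.100.23"]},
]
THREAT_INTEL = {
    "203.0.113.7": {"source": "vendor-feed-A", "tags": ["c2"], "confidence": 80},
    "update-srv.example": {"source": "internal", "tags": ["phish-landing"], "confidence": 60},
}
WHOIS = {
    "update-srv.example": {"registrar": "Example Registrar", "created": date(2014, 10, 20)},
}
# Passive DNS rows: (name, address, first_seen, last_seen)
PASSIVE_DNS = [
    ("update-srv.example", "203.0.113.7", date(2014, 10, 21), date(2014, 12, 1)),
    ("cdn-edge.example", "203.0.113.7", date(2015, 2, 3), date(2015, 3, 1)),
    ("update-srv.example", "198.51.100.23", date(2015, 1, 5), date(2015, 1, 8)),
]
ANALYST_NOTES = {
    "203.0.113.7": ["2014-11: confirmed beaconing every 300 s, see INC-2014-0187"],
}
VULN_DATA = {  # internal host -> open findings from the scanner
    "10.0.0.12": [{"finding": "outdated browser plugin", "severity": "high"}],
}


def is_ip(indicator):
    """Indicator type drives which sources make sense (whois is for names)."""
    try:
        ipaddress.ip_address(indicator)
        return True
    except ValueError:
        return False


def dns_history(indicator):
    """Passive DNS rows that mention the indicator, oldest first."""
    rows = [r for r in PASSIVE_DNS if indicator in (r[0], r[1])]
    return sorted(rows, key=lambda r: r[2])


def pivots(indicator):
    """Names and addresses one hop away from the indicator in passive DNS."""
    return sorted({r[1] if r[0] == indicator else r[0] for r in dns_history(indicator)})


def seen_before(indicators):
    """Historical incidents that touched any of the given indicators."""
    wanted = set(indicators)
    return [
        {"id": inc["id"], "closed": inc["closed"].isoformat(), "verdict": inc["verdict"]}
        for inc in HISTORICAL_INCIDENTS
        if wanted & set(inc["indicators"])
    ]


def enrich(indicator, internal_hosts=()):
    """Assemble the context an analyst would otherwise gather by hand.

    The pivots are included in the incident and intel lookups so that a
    'new' address that shares a domain with an old true positive is flagged.
    """
    related = pivots(indicator)
    everything = [indicator] + related
    return {
        "indicator": indicator,
        "type": "ip" if is_ip(indicator) else "domain",
        "seen_before": seen_before(everything),
        "threat_intel": {i: THREAT_INTEL[i] for i in everything if i in THREAT_INTEL},
        "whois": {d: WHOIS[d] for d in everything if not is_ip(d) and d in WHOIS},
        "dns_history": dns_history(indicator),
        "pivots": related,
        "analyst_notes": ANALYST_NOTES.get(indicator, []),
        "internal_exposure": {h: VULN_DATA.get(h, []) for h in internal_hosts},
    }


def triage_line(ctx):
    """One-line summary for the queue: prior true positives, top TI confidence."""
    prior_tp = [i["id"] for i in ctx["seen_before"] if i["verdict"] == "true positive"]
    confidence = max([t["confidence"] for t in ctx["threat_intel"].values()] or [0])
    return "%s: prior TP incidents=%s, max TI confidence=%d, pivots=%d" % (
        ctx["indicator"], prior_tp or "none", confidence, len(ctx["pivots"]))


if __name__ == "__main__":
    for ioc in ("203.0.113.7", "198.51.100.23"):
        print(triage_line(enrich(ioc, internal_hosts=["10.0.0.12"])))
```

In a real SOC each store becomes a client for the corresponding system, which is exactly where the platform requirement bites: this function is only possible when the SIEM, the ticketing system and the intel platform expose an API or a database that the enrichment job can query.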
Security Development
• Commercial solutions are usually “good enough” to take care of 90% of the threats, assuming they are properly selected, managed, and tuned.
• The top 10% of threats tend to be either too new or not widespread enough for commercial solutions to tackle….this is where you need to invest development effort.
• The 10% is a moving target. Eventually commercial solutions catch up and you have a new 10% to worry about.
• Analysts are your gateway to finding that top 10%; often they know what they want but don’t know the “how”. That’s where a Security Development team comes in.
DevOps meet DevAns
Every SOC organization needs Developer/Analysts (DevAns): senior analysts who have some coding capability and an understanding of the gaps in the detection or analysis process.
Your SOC needs the ability to experiment with data and tools in order to determine new ways to detect activity. Often these experiments will lead to nothing, but a few times they will let you find activity that was otherwise undetectable.
Avoid My Mistakes
Don’t fall in love with your custom tools….eventually you’ll replace them with commercial ones.
Don’t buy into the vendor hype….test everything.
Stay focused; don’t get caught up in the solution….focus on the problem.
Don’t collect data for the sake of collecting data.
Bring in professionals….security people think they can do everything, but you need DBAs, developers, etc. as well.
The ability to learn is much more valuable than experience.
Questions To Ask Yourself
How quickly can your security technology pivot?
Who’s in charge of your security data architecture?
What do your analysts spend most of their time on?
Do you have a security development capability?
How automated are your tools and processes?