SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
1. Groovy SOC Tunes
SOC Chronicles: What Has Changed and What Has Stayed the Same?
Dr. Anton Chuvakin
Google Cloud Security / Chronicle; ex-Gartner
@anton_chuvakin medium.com/anton-on-security
3. Outline
● SOC refresher for 2020
● WHY | WHAT | HOW
○ Why MODERN SOC?
○ What modern SOC is?
○ What modern SOC isn’t?
○ How to evolve your SOC to this?
● What to expect next?
○ Ah, and “Is SOC dead?” :-)
4. What is a SOC?
“A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities.” -- Gartner
SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too.
5. Why Modern SOC?
Force 1: Expanding attack surface
More things to secure...
Force 2: Security talent shortage
More things to secure than people...
Force 3: Too many alerts from too many tools
More things to secure that all scream for attention…
6. Modern SOC
● Teams are organized by skill, not rigid level
● Process structures around threats, not alerts
● Threat hunting covers the cases where alerts never appear
● Multiple visibility approaches, not just logs
● Automation via SOAR works as a force multiplier
● Deeper testing and coverage analysis
● Threat intelligence is consumed and created
● Elegantly uses third party services
7. NOT Modern SOC
● Inspired by IT helpdesk philosophy
● Treats incidents as rare and abnormal
● Focuses on alert pipeline, and pairs alerts to analysts
● Centered on a SIEM (SOC = SIEM analyst team)
● Has walls between alert handlers and alert tuners
● Threat intelligence is sometimes consumed
● Shallow metrics on handling time
9. Highlights of Modern SOC: Tools
● Logs (such as via SIEM)
● Network data (such as via NDR)
● Endpoint data (such as via EDR)
● Other data (deception, RASP, etc.)
11. Highlights of Modern SOC: Detection Engineering
● Detection content versioning
● Proper “QA” for detection content
● Content (code) reuse and modularity
● Cross-vendor and cross-tool content
● Metrics, coverage and improvement
P.S. This is not about programming as such
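The detection engineering practices listed above (versioned content, QA with known-good and known-bad samples, reusable building blocks, a coverage metric) can be made concrete in a small detection-as-code harness. The following is an added illustration, not code from the talk; the event field names are a hypothetical vendor-neutral schema and every event is a constructed sample.

```python
# Detection-as-code QA harness (added illustration, not from the talk): each rule carries
# a version and its own sample events; QA fails on a missed true positive or a false positive.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Rule:
    name: str
    version: str                              # bumped on every change, like any code
    technique: str                            # what the rule is meant to cover
    match: Callable[[dict], bool]             # the detection logic itself
    should_fire: list = field(default_factory=list)      # true-positive samples
    should_not_fire: list = field(default_factory=list)  # benign samples

# Shared building block so several rules can reuse it instead of copying logic
def is_admin_share_path(path: str) -> bool:
    return "\\C$\\" in path.upper() or "\\ADMIN$\\" in path.upper()

def service_from_admin_share(e: dict) -> bool:
    return e.get("event") == "service_install" and is_admin_share_path(e.get("binary_path", ""))

def logon_failure_burst(e: dict) -> bool:
    return e.get("event") == "logon_failure" and e.get("count_5m", 0) >= 20

# Hypothetical vendor-neutral field names; all events below are constructed samples
RULES = [
    Rule("service_from_admin_share", "1.2.0", "lateral_movement", service_from_admin_share,
         should_fire=[{"event": "service_install", "binary_path": r"\\HOST\ADMIN$\svc.exe"}],
         should_not_fire=[{"event": "service_install", "binary_path": r"C:\Program Files\x\svc.exe"}]),
    Rule("logon_failure_burst", "0.9.1", "credential_access", logon_failure_burst,
         should_fire=[{"event": "logon_failure", "count_5m": 25}],
         should_not_fire=[{"event": "logon_failure", "count_5m": 3}]),
]

def qa(rule: Rule) -> list:
    """Return QA failures for one rule; an empty list means it passes."""
    failures = []
    for ev in rule.should_fire:
        if not rule.match(ev):
            failures.append(f"{rule.name}@{rule.version}: missed true positive {ev}")
    for ev in rule.should_not_fire:
        if rule.match(ev):
            failures.append(f"{rule.name}@{rule.version}: false positive on {ev}")
    return failures

def coverage(rules: list) -> dict:
    """Passing rules per technique: a simple coverage metric for the content set."""
    cov = {}
    for r in rules:
        if not qa(r):
            cov[r.technique] = cov.get(r.technique, 0) + 1
    return cov
```

Run `qa()` over the rule set in CI before a content change is deployed, and track `coverage()` over time as the improvement metric.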
12. Highlights of Modern SOC: “Help”
“Every modern SOC is a hybrid SOC” -- Anton Chuvakin
THIS OUTSOURCES WELL
- Deeper malware analysis
- Threat intelligence
- SIEM, EDR and other tool management and tuning
- SOC tool tuning and use case analysis
- Managed threat hunting
THIS OUTSOURCES BADLY
- Remediation of threats
- Full cycle of incident response
- Insider threat detection
- Business- and application-specific threat detection
THIS DOES NOT OUTSOURCE AT ALL
- Accountability for security success
- Governance of security program
13. Recommendations
● Sure, handle alerts, but be aware that this is not your entire world
● Make analysts and engineers friends; no walls in SOC
● Hire skills, not levels
● Automate routines, and keep fuzzy tasks for people (hunt)
● Prepare to trust 3rd parties with some tasks
● Keep your SIEM, but be aware that SOC visibility is broader than logs
● Ah, and read https://medium.com/anton-on-security :-)
14. Intermission: Is SOC Dead?
● SOC as a CROWDED ROOM may be dead…
● SOC as a detection and response team is NOT dead.
● Can it ever be dead? Well, now, this is a topic for another time …