SlideShare a Scribd company logo

SOCstock 2021 The Cloud-native SOC

Download as PPTX, PDF
Anton Chuvakin
Anton Chuvakin

The Cloud-native SOC vision from SOCStock 2021 conference by Dr. Anton Chuvakin (v0.9 public)

Technology
1 of 26
A cloud-native SOC? Say what? Dr. Anton Chuvakin https://medium.com/anton-on-security and @anton_chuvakin Chronicle / Google Cloud Security
Inspiration: a hypothesis - if you are a cloud-native, you don’t need a SOC ... True or false?
Outline ● SOC in 2021 - a quick reminder ● Cloud-native … what does it even mean? ● SOC + cloud-native = ??? ● Changes to expect ○ Technology changes ○ Process changes ○ People changes ● What to do? More questions than answers...
SOC?
A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities. –Gartner First Things First: A SOC is Still … a SOC :-) SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too.
Reminder: Modern SOC (SOCstock 2020) Process structures around threats, not alerts Deeper testing and coverage analysis Teams are organized by skill, not rigid level Multiple visibility approaches, not just logs SOC elegantly uses third party services Automation via SOAR works as a force multiplier Threat intelligence is consumed and created Threat hunting covers cases where alerts never appear
Cloud-native?
“Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach. These techniques enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.” Cloud-native = Born in the Cloud, Lives ...?
SOC + Cloud-native - Impact Assessment?
First … Traditional SOC Monitors Cloud, This Happens! Note: some of this is about CLOUD and some is about CLOUD-NATIVE! ● Uncommon log collection methods ● Telemetry data volumes may be high ● Alien licensing models for security tools ● Alien detection context (!) ● Lack of clarity on cloud detection use cases ● Governance sprawl ● SOC teams lacking cloud skills ● Ill-fitting tools ● Lack of input from SOCs into cloud decisions
TOOLS: Triad of Visibility + Cloud-native = ??? Logs (such as via SIEM) Still works! More logs of different types in the cloud. Network data (such as via NDR) It depends. Not for SaaS, limited for PaaS, and constrained by encryption. Endpoint data (such as via EDR) It depends. Not for SaaS or PaaS. Works for VMs and some containers. NEW: application observability New to cloud, but not fully explored for security use cases Note: Cloud or Cloud- native here?
TOOLS: There is a Lot of Cloud - IaaS, PaaS, SaaS EDR NDR Logs CASB IaaS OK (*) OK (*) OK NO (*) PaaS NO Sort of OK Sort of SaaS NO NO OK OK Fortunately, SOAR works with all of them … Hi SIEMplify :-)
Detour: OK, What if I am “All SaaS”? CASB … one of the nastier Gartner acronyms … that is ... until CNAPP arrived [sorry, former colleagues] :-) “Can CASB be my SIEM?” -- Well, sort of ... “BTW, WTH is CNAPP?” -- Well, look this up, will ya?
PRACTICES: Security Meets Cloud Native Core SOC practices remain: ● Build detections (*) ● Detect threats ● Triage ● Investigate ● Remediate (*) New practices around SOC: ● CI/CD and “C-everything” ● DevOps and friends ● Faster everything ● Automated everything ● Developer-led everything ● Everything as code Note: super-simplistic view of SOC here! Note: development skills in the SOC: to code and to understand!
Some Answers: Cloud Process + Classic SOC Adapt FIRST... … Steal SECOND! CI/CD process Applications change, need good asset coverage and vulnerability context CI/CD for detections IT automation Need to integrate to not be left behind SOAR and friends, security ops automation Everything as code Absorb new context around infrastructure Detection as code
PEOPLE: SOC Skills vs Cloud Skills Classic SOC skills: ● Packet decoding ● Network IDS ● Windows security ● Linux/Unix security ● Threat intelligence ● SIEM/log analysis Cloud skills: ● Containers ● DevOps tools ● Serverless ● Infrastructure as code ● Everything as code Note: development skills in the SOC; “detection as code” means you need to code!
What to Do?
Going SOC-less for Cloud Natives? Insight: SOCless detection … … is a SOC, perhaps a modern SOC, but SOC nonetheless.
Cloud-native SOCless? ● No room full of analysts, so no physical SOC ● No analyst-only roles and so no hard tiers / levels of 1,2,3 ● “Analysts” = detection engineers ● Federated response; the best party responds (!) ● Detection team works closely with teams doing preventative security ● Detection team works closely with developers ● Pipelines from event sources to machines and/or humans, and they work well.
You say “SOCless” I say “modern SOC” SOC = detection team!
Select Lessons for On-premise Immigrants... ● NEW MONITORING SUBJECTS ○ Virtual machines [on a hypervisor you don’t own] ○ Containers ○ Functions and services ○ SaaS services ● NEW MONITORING DATA SOURCES ○ Cloud platform logs (e.g. GCP Cloud Audit Log) ○ Various other logs ○ Observability (in-app telemetry, essentially logs) ● NEW MONITORING CONTEXT ○ Account, resource group, distinguished names (sir? :-))
Select Observations on What to Expect ● Data flows vs wires; no more hardware-based security planning ● More application security monitoring (CASB, SaaS security, observability - all relate to applications) ● More “as code” (both “detection as code” and threat detection in CI/CD environments) ● More automation (SOAR links to IT automation) and higher speed ● Some on-premise approaches are worse-fit than others - and some don’t fit at all (pass hyperscape application access via an appliance on-premise)
Recommendations for Cloud-native SOC Success ● If SOC = detection team, than SOC lives on in the cloud-native world ● Modernize your SOC but preserve the mission: detection and response ● Evolve SOC to more automation to catch up with modern IT ● “DevOps” your detection engineering (Dev = content creator, Ops = analyst) ● Rely on CSP data feeds and tools more; for SaaS, CASB is your friend ● Learn new detection context ● Mercilessly discard tools that don’t fit the cloud practices or fail to support cloud technology

Recommended

Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)Cloudflare
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onJustin Henderson
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMEAlienVault
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCPriyanka Aash
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDEGirindro Pringgo Digdo
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinAnton Chuvakin
 

Recommended

Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)Succeeding with Secure Access Service Edge (SASE)
Succeeding with Secure Access Service Edge (SASE)Cloudflare
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onJustin Henderson
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMEAlienVault
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCPriyanka Aash
 
Threat Modeling Using STRIDE
Threat Modeling Using STRIDEThreat Modeling Using STRIDE
Threat Modeling Using STRIDEGirindro Pringgo Digdo
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinAnton Chuvakin
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developersMITRE ATT&CK
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020Anton Chuvakin
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptxAjit Wadhawan
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited Resources7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited ResourcesLogRhythm
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessPuma Security, LLC
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothAnton Chuvakin
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Building A Security Operations Center
Building A Security Operations CenterBuilding A Security Operations Center
Building A Security Operations CenterSiemplify
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Priyanka Aash
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfParishSummer
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Sqreen
 

More Related Content

What's hot

Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developersMITRE ATT&CK
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsShah Sheikh
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020Anton Chuvakin
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited Resources7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited ResourcesLogRhythm
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessPuma Security, LLC
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Ben Rothke
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothAnton Chuvakin
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)Ahmad Haghighi
 
Building A Security Operations Center
Building A Security Operations CenterBuilding A Security Operations Center
Building A Security Operations CenterSiemplify
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Sqrrl
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Priyanka Aash
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfParishSummer
 

What's hot (20)

Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS EnvironmentsBuilding a Cyber Security Operations Center for SCADA/ICS Environments
Building a Cyber Security Operations Center for SCADA/ICS Environments
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited Resources7 Steps to Build a SOC with Limited Resources
7 Steps to Build a SOC with Limited Resources
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Rothke secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)Rothke rsa 2012 building a security operations center (soc)
Rothke rsa 2012 building a security operations center (soc)
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Building A Security Operations Center
Building A Security Operations CenterBuilding A Security Operations Center
Building A Security Operations Center
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
 

Similar to SOCstock 2021 The Cloud-native SOC

SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Sqreen
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudVelocidex Enterprises
 
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]Websec México, S.C.
 
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud SecurityGet Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud SecuritySymantec
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summaryKarun Chennuri
 
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)Codit
 
OSMC 2017 | Monitoring Challenges in a World of Automation by Anthony Goddard
OSMC 2017 | Monitoring Challenges in a World of Automation by Anthony GoddardOSMC 2017 | Monitoring Challenges in a World of Automation by Anthony Goddard
OSMC 2017 | Monitoring Challenges in a World of Automation by Anthony GoddardNETWAYS
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101Wavestone
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureCloudVillage
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureJose Hernandez
 
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016Managing WorkSpaces at Scale | AWS Public Sector Summit 2016
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016Amazon Web Services
 
Integracia security do ci cd pipelines
Integracia security do ci cd pipelinesIntegracia security do ci cd pipelines
Integracia security do ci cd pipelinesJuraj Hantak
 
Thinking DevOps in the Era of the Cloud - Demi Ben-Ari
Thinking DevOps in the Era of the Cloud - Demi Ben-AriThinking DevOps in the Era of the Cloud - Demi Ben-Ari
Thinking DevOps in the Era of the Cloud - Demi Ben-AriDemi Ben-Ari
 
Future Prediction: Network Intrusion Detection System in the cloud
Future Prediction: Network Intrusion Detection System in the cloudFuture Prediction: Network Intrusion Detection System in the cloud
Future Prediction: Network Intrusion Detection System in the cloudSedthakit Prasanphanich
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016Shannon Lietz
 

Similar to SOCstock 2021 The Cloud-native SOC (20)

SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
 
Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?Serverless security - how to protect what you don't see?
Serverless security - how to protect what you don't see?
 
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
apidays LIVE Paris - Serverless security: how to protect what you don't see? ...
 
Digital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The CloudDigital Forensics and Incident Response in The Cloud
Digital Forensics and Incident Response in The Cloud
 
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
 
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud SecurityGet Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
Get Your Head in the Cloud: A Practical Model for Enterprise Cloud Security
 
IANS information security forum 2019 summary
IANS information security forum 2019 summaryIANS information security forum 2019 summary
IANS information security forum 2019 summary
 
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)
Why integration is key in IoT solutions? (Sam Vanhoutte @Integrate2017)
 
OSMC 2017 | Monitoring Challenges in a World of Automation by Anthony Goddard
OSMC 2017 | Monitoring Challenges in a World of Automation by Anthony GoddardOSMC 2017 | Monitoring Challenges in a World of Automation by Anthony Goddard
OSMC 2017 | Monitoring Challenges in a World of Automation by Anthony Goddard
 
BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101BruCON 2015 - Pentesting ICS 101
BruCON 2015 - Pentesting ICS 101
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
Understanding the Cloud
Understanding the CloudUnderstanding the Cloud
Understanding the Cloud
 
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016Managing WorkSpaces at Scale | AWS Public Sector Summit 2016
Managing WorkSpaces at Scale | AWS Public Sector Summit 2016
 
Integracia security do ci cd pipelines
Integracia security do ci cd pipelinesIntegracia security do ci cd pipelines
Integracia security do ci cd pipelines
 
Thinking DevOps in the Era of the Cloud - Demi Ben-Ari
Thinking DevOps in the Era of the Cloud - Demi Ben-AriThinking DevOps in the Era of the Cloud - Demi Ben-Ari
Thinking DevOps in the Era of the Cloud - Demi Ben-Ari
 
Future Prediction: Network Intrusion Detection System in the cloud
Future Prediction: Network Intrusion Detection System in the cloudFuture Prediction: Network Intrusion Detection System in the cloud
Future Prediction: Network Intrusion Detection System in the cloud
 
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
A Throwaway Deck for Cloud Security Essentials 2.0 delivered at RSA 2016
 

More from Anton Chuvakin

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsAnton Chuvakin
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinAnton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...Anton Chuvakin
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022Anton Chuvakin
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton ChuvakinAnton Chuvakin
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton Chuvakin
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)Anton Chuvakin
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinLog management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinAnton Chuvakin
 
On Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinOn Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinMaking Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinAnton Chuvakin
 
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS by Dr. Anton ChuvakinPCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...Anton Chuvakin
 
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...Anton Chuvakin
 

More from Anton Chuvakin (20)

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less Operations
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinLog management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
 
On Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinOn Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinMaking Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
 
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS by Dr. Anton ChuvakinPCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
 
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
 
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...
 

Recently uploaded

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 

Recently uploaded (20)

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

SOCstock 2021 The Cloud-native SOC

  • 1.
  • 2. A cloud-native SOC? Say what? Dr. Anton Chuvakin https://medium.com/anton-on-security and @anton_chuvakin Chronicle / Google Cloud Security
  • 3. Inspiration: a hypothesis - if you are a cloud-native, you don’t need a SOC ... True or false?
  • 4. Outline ● SOC in 2021 - a quick reminder ● Cloud-native … what does it even mean? ● SOC + cloud-native = ??? ● Changes to expect ○ Technology changes ○ Process changes ○ People changes ● What to do? More questions than answers...
  • 6. A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities. –Gartner First Things First: A SOC is Still … a SOC :-) SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too.
  • 7. Reminder: Modern SOC (SOCstock 2020) Process structures around threats, not alerts Deeper testing and coverage analysis Teams are organized by skill, not rigid level Multiple visibility approaches, not just logs SOC elegantly uses third party services Automation via SOAR works as a force multiplier Threat intelligence is consumed and created Threat hunting covers cases where alerts never appear
  • 9. “Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach. These techniques enable loosely coupled systems that are resilient, manageable, and observable. Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.” Cloud-native = Born in the Cloud, Lives ...?
  • 10.
  • 11.
  • 12. SOC + Cloud-native - Impact Assessment?
  • 13. First … Traditional SOC Monitors Cloud, This Happens! Note: some of this is about CLOUD and some is about CLOUD-NATIVE! ● Uncommon log collection methods ● Telemetry data volumes may be high ● Alien licensing models for security tools ● Alien detection context (!) ● Lack of clarity on cloud detection use cases ● Governance sprawl ● SOC teams lacking cloud skills ● Ill-fitting tools ● Lack of input from SOCs into cloud decisions
  • 14. TOOLS: Triad of Visibility + Cloud-native = ??? Logs (such as via SIEM) Still works! More logs of different types in the cloud. Network data (such as via NDR) It depends. Not for SaaS, limited for PaaS, and constrained by encryption. Endpoint data (such as via EDR) It depends. Not for SaaS or PaaS. Works for VMs and some containers. NEW: application observability New to cloud, but not fully explored for security use cases Note: Cloud or Cloud- native here?
  • 15. TOOLS: There is a Lot of Cloud - IaaS, PaaS, SaaS EDR NDR Logs CASB IaaS OK (*) OK (*) OK NO (*) PaaS NO Sort of OK Sort of SaaS NO NO OK OK Fortunately, SOAR works with all of them … Hi SIEMplify :-)
  • 16. Detour: OK, What if I am “All SaaS”? CASB … one of the nastier Gartner acronyms … that is ... until CNAPP arrived [sorry, former colleagues] :-) “Can CASB be my SIEM?” -- Well, sort of ... “BTW, WTH is CNAPP?” -- Well, look this up, will ya?
  • 17. PRACTICES: Security Meets Cloud Native Core SOC practices remain: ● Build detections (*) ● Detect threats ● Triage ● Investigate ● Remediate (*) New practices around SOC: ● CI/CD and “C-everything” ● DevOps and friends ● Faster everything ● Automated everything ● Developer-led everything ● Everything as code Note: super-simplistic view of SOC here! Note: development skills in the SOC: to code and to understand!
  • 18. Some Answers: Cloud Process + Classic SOC Adapt FIRST... … Steal SECOND! CI/CD process Applications change, need good asset coverage and vulnerability context CI/CD for detections IT automation Need to integrate to not be left behind SOAR and friends, security ops automation Everything as code Absorb new context around infrastructure Detection as code
  • 19. PEOPLE: SOC Skills vs Cloud Skills Classic SOC skills: ● Packet decoding ● Network IDS ● Windows security ● Linux/Unix security ● Threat intelligence ● SIEM/log analysis Cloud skills: ● Containers ● DevOps tools ● Serverless ● Infrastructure as code ● Everything as code Note: development skills in the SOC; “detection as code” means you need to code!
  • 21. Going SOC-less for Cloud Natives? Insight: SOCless detection … … is a SOC, perhaps a modern SOC, but SOC nonetheless.
  • 22. Cloud-native SOCless? ● No room full of analysts, so no physical SOC ● No analyst-only roles and so no hard tiers / levels of 1,2,3 ● “Analysts” = detection engineers ● Federated response; the best party responds (!) ● Detection team works closely with teams doing preventative security ● Detection team works closely with developers ● Pipelines from event sources to machines and/or humans, and they work well.
  • 23. You say “SOCless” I say “modern SOC” SOC = detection team!
  • 24. Select Lessons for On-premise Immigrants... ● NEW MONITORING SUBJECTS ○ Virtual machines [on a hypervisor you don’t own] ○ Containers ○ Functions and services ○ SaaS services ● NEW MONITORING DATA SOURCES ○ Cloud platform logs (e.g. GCP Cloud Audit Log) ○ Various other logs ○ Observability (in-app telemetry, essentially logs) ● NEW MONITORING CONTEXT ○ Account, resource group, distinguished names (sir? :-))
  • 25. Select Observations on What to Expect ● Data flows vs wires; no more hardware-based security planning ● More application security monitoring (CASB, SaaS security, observability - all relate to applications) ● More “as code” (both “detection as code” and threat detection in CI/CD environments) ● More automation (SOAR links to IT automation) and higher speed ● Some on-premise approaches are worse-fit than others - and some don’t fit at all (pass hyperscape application access via an appliance on-premise)
  • 26. Recommendations for Cloud-native SOC Success ● If SOC = detection team, than SOC lives on in the cloud-native world ● Modernize your SOC but preserve the mission: detection and response ● Evolve SOC to more automation to catch up with modern IT ● “DevOps” your detection engineering (Dev = content creator, Ops = analyst) ● Rely on CSP data feeds and tools more; for SaaS, CASB is your friend ● Learn new detection context ● Mercilessly discard tools that don’t fit the cloud practices or fail to support cloud technology