Modernizing Your SOC: A CISO-led Training

202 views

Published on

Today's threats demand a more active role in detecting and isolating sophisticated attacks. This must-see presentation provides practical guidance on modernizing your SOC and building out an effective threat hunting program. Ed Amoroso and David Bianco discuss best practices for developing and staffing a modern SOC, including the essential shifts in how to think about threat detection.

Watch the presentation with audio here: http://info.sqrrl.com/webinar-modernizing-your-security-operations

Published in: Software


  1. Modernizing Your SOC: It’s Hunting Season. January 2017
  2. © 2017 Sqrrl Data, Inc. All rights reserved. Presenters: David J. Bianco, Sqrrl Security Technologist, former lead threat hunter at GE; Edward Amoroso, CEO of TAG Cyber, former CISO for AT&T
  3. Dr. Edward G. Amoroso, CEO TAG Cyber, eamoroso@tag-cyber.com. Lessons Learned from Past, Present, and Future Security Operations Centers (SOCs)
  4. Past SOCs. Team: Upgrade SOC Staff Capability. Tools: Improve Incident Response Tools. Alarms: Filter Endless False Alarms.
  5. Present SOCs. Data: Improve Quality of Data and Sources. Tools: Deploy Advanced Behavioral Analytics. Team: Hire and Nurture Expert Hunters.
  6. Future SOCs. Workloads: Distribute Local Control. Tools: Automate Security Prevention. Management: Virtualize Ops and Oversight.
  7. INVESTING IN A HUNT TEAM
  8. What Do We Mean by “Threat Hunting”? The collective name for any manual or machine-assisted techniques used to detect security incidents missed by automated processes.
  9. What is Threat Hunting? Proactive. Iterative. Human-driven. Analytical.
  10. Why Hunt? The purpose of hunting is not to find new accidents. The purpose of hunting is to find new ways of finding incidents.
  11. Functions of a Modern SOC (diagram). Functions: Intel, Automated Detection, Incident Response, Hunting, Detection Development. The flows between them are labelled Indicators, Detections, Findings, Incident Data, and Detection Improvements.
  12. Functions of a Modern SOC: Sqrrl’s Focus (the same diagram, with Sqrrl’s focus area highlighted).
  13. Fielding a Hunt Team
     • Ad Hoc: Hunting in “spare” time. Can get a lot of hunters involved, but lacks strategy and coordination. Also, if “everyone” hunts, no one hunts.
     • Dedicated: “Go out and find me some bad guys!” Enables strategic thinking, but concentrates expertise into the hands of a few.
     • Hybrid: The best of both! The hunt function is dedicated, but team members rotate through. Encourages both strategic planning and broad participation.
  14. Team Skillsets: All Members. Communication, Business Knowledge, Collaboration, Critical Thinking.
  15. Team Skillsets: Specialities. Data Analysis / Data Science, Network Protocols, OS Internals, Security Logging, Threat, Internal.
  16. Growing Hunters and Hunt Teams. If possible, establish a core of experienced hunters with a demonstrated track record of mentorship. Procedures should encourage and require collaboration between analysts at all skill levels. Encourage “active mentorship” within the team:
     • Have members participate in creating and implementing a training/development plan each year, then give them the time and resources necessary to complete it.
     • Every team member has something they know more about than anyone else. Get them to document and share via blogs, brown bag lunch sessions, etc.
     • Involvement in the larger security community is great professional development!
  17. This Company Gets It. Part of an actual job posting for a “Hunt Team Analyst”. Skills enhancement is literally the second paragraph in the document. As a contributor to the team, this role will spend up to 30% of its time broadening skills by:
     • Participating in one-on-one hands-on mentoring with peers and senior team members
     • Researching new techniques for analysis & developing deeper technical analysis skills
     • Contributing to the security community through projects and presenting at conferences
     While spending 70% or more heads down doing the mission:
     • Hands-on hunting, event triage & analysis across NSM sensors & managed endpoints
     • Consumption, analysis, and production of tactical threat intelligence
     • Development & maintenance of detection scripts, rules, signatures and related logic
     • Finding evil, and generally having fun kicking it out of places it shouldn’t be
  18. MAKING IT REAL: HUNT OPERATIONS (HUNT OPS)
  19. Step 1: Choose Your Favorite Attack Model. The Lockheed Martin Cyber Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives. References: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Hutchins, Cloppert, Amin, http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf (Last checked January 20, 2017). MITRE ATT&CK: Adversarial Tactics, Techniques & Common Knowledge, MITRE, http://attack.mitre.org (Last checked January 20, 2017).
  20. Step 2: Identify Malicious Behaviors. (The kill chain phases Reconnaissance through Actions on Objectives are shown again.) Example KC7 (kill chain phase 7, Actions on Objectives) Activities:
     • Lateral Movement
     • Data Staging & Exfiltration
     • Credential Dumping
     • Local Network Discovery
     • Disable Endpoint Security
     • Webshell Use
     • Email Theft
     • Malicious Data Encryption
     Factor in your own environment and business priorities!
  21. Step 3: Align Your Strategy to Your Model. Across the kill chain, from Reconnaissance to Actions on Objectives: Predict attacks (sometimes do this); Expand the stories you are able to tell (regularly do this); High impact activity (frequently do this).
  22. How Mature Are Your Hunt Capabilities? Use this simple assessment to find out where you fall on the Hunting Maturity Model and what you can do to improve your SOC’s capabilities!
  23. WRAP UP & QUESTIONS