While you wait for our webinar to begin

Get more value out of your webinar experience: download the presentation (a PDF is available in the Attachments tab), dial in if you are unable to attend via VoIP (dial-in directions are in the Attachments tab), and submit your questions for the analyst in the Questions tab.

Visit gartner.com/webinars, the Gartner webinar calendar. Share the webinar with your colleagues. Rate and comment on your experience. Keep the conversation going: #GartnerWebinars.

Follow Gartner and connect with us: Nancy Northrop, Gartner, @nancyatwork, @Gartner_Inc

Technical difficulties? Email gartnerwebinars@gartner.com

CONFIDENTIAL AND PROPRIETARY | 2016 Gartner, Inc. and/or its affiliates. All rights reserved.

Design a Modern Security Operation Center

Dr. Anton Chuvakin
Research VP
5 years at Gartner, 15 years industry experience
Gartner for Technical Professionals
@anton_chuvakin
https://www.linkedin.com/in/chuvakin

For a broader insight into Gartner you can find us: @Gartner_inc on Twitter and Gartner on LinkedIn.

Outline
What defines the SOC of 2016?
Modern SOC toolset
Maturing SOC processes

SOC of 2016, Defined

SOC Defined
A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities.

Security operations functions often performed by a SOC:
Security monitoring <- key focus!
Security device management and maintenance
Threat and vulnerability management
Cyber security incident response management
Security compliance management
Security training

Reminder: SOC = people, process, and technology

Do You Have An Old Sock?

Relies primarily on prevention technologies: rule and signature-based detection mechanisms that require prior knowledge of attacker methods, both of which are insufficient to protect against and detect current threats.

Treats incident response as an exception-based process, versus a continuous one.

Treats threat intelligence (TI) as a one-way product to be consumed, rather than as a process, leading to an intelligence-poor security strategy.

What Makes Your SOC A Modern SOC? - I


Processes
Not just alert triage!
Hunting and proactive data exploration
Selective use of outsourcing

People
Expansion of the L1/L2/L3 model

Specialty skills grow: TI, malware reversing, data analysis, etc.


What Makes Your SOC A Modern SOC? - II


Technology
Not just a SIEM! Endpoint and network visibility
A role for analytics tools (UEBA and other security analytics)
Wider use (and creation!) of threat intelligence (TI)
Orchestration and automation tools to streamline workflows


Top SOC Pre-requisites

Clear motivation: "we need a SOC because..."
Executive management support
Risk awareness or risk assessment process
Asset management / awareness
Solid IR process
Typically, a degree of security operations maturity
Good understanding of SOC value and functions

Modern SOC Toolset


After SIEM, You Still Need More Visibility!

Network: via Network Forensics (NFT) and/or Network Traffic Analysis (NTA)
Endpoints: via Endpoint Detection and Response (EDR)

You May Also Need An Extra Brain

Analytics: via User and Entity Behavior Analytics (UEBA or UBA)

And Some Intelligence...

Threat Intelligence

To Tie It Together - Orchestration

Modern SOC Tooling

SOC Nuclear Triad
LOGS: Log analysis - SIEM
NETWORK: Network traffic analysis - NTA and/or NFT
ENDPOINT: Endpoint activity analysis - EDR

Analytics
UEBA / UBA and other security analytics

Workflow and orchestration
Workflow, orchestration and automation platforms (SOAR in Gartner materials)

Threat intelligence

So, If I Buy All That .... Will I Have A SOC?

If You Actually Need An Answer....
NO!!!
SOC involves PEOPLE and PROCESS, which are in fact MORE IMPORTANT than tools

SOC Tool Integration Framework

Workflow OR Automation?

What you can safely automate:
Context enrichment and correlation/fusion of intelligence
Gathering of evidence
Notifications and response processes
Processing raw inputs with analytic algorithms, and presenting the results
Asking for approval when needed

Many others still need humans!
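As an added illustration (not code from the deck or from Gartner), a minimal Python playbook that automates the steps the slide lists as safe, enrichment, evidence gathering and notification, while the containment action is only queued for human approval; the TI feed, asset inventory and log lines are constructed for the example.

```python
"""Added example (not from the Gartner deck): a minimal SOAR-style playbook.
Enrichment, evidence gathering and notification run automatically; the
containment action is only queued for analyst approval. All data is constructed."""
from dataclasses import dataclass, field

# Constructed threat-intel feed and asset inventory used for context enrichment.
TI_FEED = {"198.51.100.23": {"tag": "known-c2", "confidence": "high"}}
ASSETS = {"10.0.0.7": {"owner": "finance", "criticality": "high"}}
LOGS = [  # constructed firewall log lines
    "2016-09-01T10:02:11Z src=10.0.0.7 dst=198.51.100.23 bytes=48210",
    "2016-09-01T10:02:40Z src=10.0.0.9 dst=203.0.113.5 bytes=320",
    "2016-09-01T10:03:05Z src=10.0.0.7 dst=198.51.100.23 bytes=51000",
]

@dataclass
class Case:
    alert: dict
    context: dict = field(default_factory=dict)
    evidence: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)

def enrich(case: Case) -> Case:
    """Fuse TI and asset context onto the alert (safe to automate)."""
    case.context["ti"] = TI_FEED.get(case.alert["dst"], {"tag": "unknown"})
    case.context["asset"] = ASSETS.get(case.alert["src"], {"criticality": "unknown"})
    return case

def gather_evidence(case: Case) -> Case:
    """Collect every log line involving both endpoints of the alert (safe to automate)."""
    src, dst = case.alert["src"], case.alert["dst"]
    case.evidence = [line for line in LOGS if f"src={src} " in line and f"dst={dst} " in line]
    return case

def decide(case: Case) -> Case:
    """Notify automatically; containment is queued, not executed, until approved."""
    ti, asset = case.context["ti"], case.context["asset"]
    if ti.get("tag") == "known-c2" and case.evidence:
        case.notifications.append(f"notify {asset.get('owner', 'unknown')} team")
        # Isolating a host is the step that still needs a human decision.
        case.pending_approval.append(f"isolate host {case.alert['src']}")
    return case

def run_playbook(alert: dict) -> Case:
    """Run the three automated stages and return the case for an analyst."""
    return decide(gather_evidence(enrich(Case(alert))))
```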


Maturing SOC Processes

Modern SOC Functions

Family of SOC Processes

Select SOC own processes:
1. Alert triage
2. Use case content management / detection engineering
3. Threat hunting

Select SOC process dependencies:
1. Security incident response
2. IT change management
3. IT asset management

Threat Hunting? But How?

Hunting Style: Description

Hypothesis-driven: Begins with an initial hypothesis or question, i.e., have we been affected by a specific threat actor campaign?

IOC-driven: Known indicators of compromise are used to initiate the investigation and to search security data for their (or associated IOCs') presence.

Analytics-driven: Advanced analytics, machine learning and other capabilities are used to assist the analyst in identifying the most promising areas to begin hunting.

Side note: Outsource Selectively?

Using an MSSP for all security monitoring != having a SOC. Just a reminder...

However, a lot of SOCs use external help. What does it mean?

Side note: Outsource Selectively?

SOC/MSSP hybrid models:
1. MSSP for Level 1/in-house for triage.
2. MSSP at night, SOC for daytime/workdays.
3. MSSP for basic monitoring, advanced in-house.
4. MSSP for DMZ alerts, SOC for inside.
5. MSSP helps manage SIEM.
6. Partner helps with serious incident IR.

"MSSP's business is business, not your security"

Briefly on People

A REAL PROBLEM Statement

24/7 SOC is risky, but doable with 12-15 FTEs and generally comfortable with 20.
9-10 people is a theoretical minimum that may break HR rules in some countries or leave you with no SOC during some days.
This is a REAL PROBLEM ... of resources!
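An added back-of-the-envelope model (not from the deck) that makes the staffing claim concrete: it counts the analyst-shifts a 24/7 rota needs against what a team of a given size can staff. The shift pattern, two analysts per shift, five-shift weekly maximum and 15% absence rate are assumptions, not figures from the presentation.

```python
"""Added example (not from the Gartner deck): a 24/7 SOC coverage check.
Constructed assumptions: three 8-hour shifts a day, a fixed number of
analysts on every shift, a weekly shift cap per analyst (HR / labour rules)
and a fraction of the team absent in any given week (leave, sickness, training)."""
from math import ceil

SHIFTS_PER_WEEK = 7 * 3  # three 8-hour shifts a day, seven days a week

def required_analyst_shifts(analysts_per_shift: int = 2) -> int:
    """Analyst-shifts that must be filled each week for uninterrupted coverage."""
    return SHIFTS_PER_WEEK * analysts_per_shift

def available_analyst_shifts(team_size: int, max_shifts_per_analyst: int = 5,
                             absence_rate: float = 0.15) -> int:
    """Analyst-shifts the team can actually staff once absences are removed."""
    present = team_size - ceil(team_size * absence_rate)
    return max(0, present) * max_shifts_per_analyst

def uncovered_analyst_shifts(team_size: int, analysts_per_shift: int = 2,
                             max_shifts_per_analyst: int = 5,
                             absence_rate: float = 0.15) -> int:
    """Weekly shortfall; anything above zero means understaffed or empty shifts."""
    short = (required_analyst_shifts(analysts_per_shift)
             - available_analyst_shifts(team_size, max_shifts_per_analyst, absence_rate))
    return max(0, short)

def minimum_team(analysts_per_shift: int = 2, max_shifts_per_analyst: int = 5,
                 absence_rate: float = 0.15) -> int:
    """Smallest team with no uncovered shifts under the given assumptions."""
    team = analysts_per_shift
    while uncovered_analyst_shifts(team, analysts_per_shift,
                                   max_shifts_per_analyst, absence_rate) > 0:
        team += 1
    return team
```

With no absences at all the model bottoms out at 9 analysts (the "theoretical minimum" case), while a 15% absence rate pushes it to 11, and capping analysts at four shifts a week pushes it to 13.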



Risks and Pitfalls

Trying to build a SOC with limited resources (people, tools, budget)
SOC built in a vacuum: no organization support, no clear mission or link to other groups
Not enough visibility tools; sole focus on SIEM
Sole focus on alert pipeline; no deeper analysis apart from processing alerts that are shown to analysts
Not learning from local incidents and events, not creating internal TI from available data
Trying to provide SOC services from a NOC/Help Desk
Not working to retain staff and not having a staff retention strategy

Conclusions

A good SOC today is not just an alert pipeline [like in 2003], but includes hunting and threat intelligence consumption/generation
Selective outsourcing of some SOC functions is very common
Expand the SOC toolkit beyond SIEM to UEBA, EDR, NFT, etc.
When doing a business case for a SOC, plan for initial proof of value AND ongoing proof of value; this helps prevent SOC decay
Use TI to boost various SOC processes, evolve to TI creation
Look for our SOC bible on Gartner.com in the next 2-3 weeks!

IOC driven investigation

Check endpoints
Find installed malware
Verify the spread of infection
Assess whether privileges have been escalated or laterally transferred
Provide guidance on risk and mitigation steps to Operations
Evaluate associated threat actors and campaigns
Deduce Tactics, Techniques and Procedures (TTPs) and motivations of the adversary
Anticipate and predict ultimate objective and next targets
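The IOC-driven hunting style from the table earlier and the investigation steps on this slide, as an added Python example that is not part of the deck: seed indicators are searched across constructed endpoint, DNS and netflow records, and each hit pivots to its associated IOCs so the spread across hosts becomes visible. The indicator set, campaign name, hosts and events are all constructed.

```python
"""Added example (not from the Gartner deck): an IOC-driven hunt that pivots
from seed indicators to their associated IOCs. Indicators and events are constructed."""
from collections import deque

CONSTRUCTED_MD5 = "ab" * 16  # placeholder hash, not a real sample

# Constructed indicator set; each IOC lists associated IOCs from the same campaign.
IOCS = {
    "evil-update.example": {"type": "domain", "campaign": "CAMPAIGN-X",
                            "associated": ["198.51.100.23", CONSTRUCTED_MD5]},
    "198.51.100.23": {"type": "ip", "campaign": "CAMPAIGN-X", "associated": []},
    CONSTRUCTED_MD5: {"type": "md5", "campaign": "CAMPAIGN-X", "associated": []},
}

# Constructed security data from several sources, normalised to flat records.
EVENTS = [
    {"host": "ws-042", "source": "dns", "query": "EVIL-UPDATE.example"},
    {"host": "ws-042", "source": "edr", "md5": CONSTRUCTED_MD5, "user": "jsmith"},
    {"host": "srv-db1", "source": "netflow", "dst": "198.51.100.23"},
    {"host": "ws-017", "source": "dns", "query": "cdn.example"},
]

def hunt(seed_iocs, events=EVENTS, iocs=IOCS):
    """Breadth-first search: match each IOC against all event fields (case-
    insensitive), then enqueue the associated IOCs of every indicator that hit."""
    queue = deque(i.lower() for i in seed_iocs)
    searched, hits = [], []
    while queue:
        ioc = queue.popleft()
        if ioc in searched or ioc not in iocs:
            continue
        searched.append(ioc)
        matched = False
        for event in events:
            if ioc in (str(v).lower() for v in event.values()):
                hits.append({"host": event["host"], "ioc": ioc,
                             "source": event["source"], "campaign": iocs[ioc]["campaign"]})
                matched = True
        if matched:  # pivot: widen the hunt with the associated indicators
            queue.extend(a.lower() for a in iocs[ioc]["associated"])
    return {"hits": hits, "searched": searched}

def affected_hosts(result) -> list:
    """Hosts touched by any matched indicator: the spread of the infection."""
    return sorted({h["host"] for h in result["hits"]})
```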


Thank you