[Figure: Resource Allocation. Labels: SOC Manager; SOC Nucleus (must be on-site): Malware Analysts, Reverse Engineers, Malware Support Team, Intelligence Analysts; External SOC Support Teams (can be remote): Incident Response Support Teams]
VENDOR DEPENDENCIES
When a system detects suspected malware, a good portion of SOCs usually contact their antivirus vendor. The vendor requests the quarantined file, analyzes it, and subsequently builds an update with a clean version of the corrupted file. The challenge is that, over time, SOCs become overly reliant on the vendor to protect them from the threats they encounter.

More importantly, SOC managers don't often realize that the vendor had to take results from their proprietary, corrupted file to fix the problem, and then applied the solution to all its other clients. This discloses a lot of information about the defenses that make up the SOC infrastructure that suffered the initial malware encounter.
3. Low-hanging Fruit: Address and prioritize information that has detailed context and is applicable to your environment. For example, it's faster to cross-reference a list of suspected IPs and domains than it is to call a source for further validation of possible intelligence.
4. Alert Overload: SOCs have teams of analysts that work a host of technologies, from IDS, firewalls, and mail scanners to endpoint security tools. The issue is that the vendors write the alerts and detections. This means that each tool and technology has different alerts and thresholds, few of which are tailored to your enterprise. A common example of this issue is receiving 47,000 alerts per day with a staff of only five analysts. Reduce the noise by focusing on defense monitoring and response activities. Tailor your alerts specifically to your environment through an intelligence process. Pair this approach with vendor alerts to identify the value that applies to your organization, and use custom detection to pair your alerts with other intelligence sources.
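The two items above describe one workflow: tune vendor alerts to the environment, cross-reference the indicators they carry against intelligence that already has context attached, and spend analyst time on what is left. The following is an added example of that triage pass written for this page; it is not code from the original document or from any vendor. The alert schema, host names, addresses, intelligence entries and the "authorized scanner" tuning rule are all constructed to illustrate the idea.

```python
"""Environment-aware alert triage (added example; all data constructed).

Three passes over raw vendor alerts:
  1. tune out noise that this environment produces by design,
  2. cross-reference indicators against a local intelligence list,
  3. rank what remains by the criticality of the affected asset.
"""
from collections import Counter

# Constructed vendor alerts, normalised to one record per alert.
RAW_ALERTS = [
    {"id": 1, "tool": "ids", "sig": "SCAN Nmap OS Detection",
     "src_ip": "10.0.5.20", "dst_ip": "10.0.1.10", "host": "dc01", "domain": None},
    {"id": 2, "tool": "ids", "sig": "SCAN Nmap OS Detection",
     "src_ip": "10.0.9.77", "dst_ip": "10.0.1.10", "host": "dc01", "domain": None},
    {"id": 3, "tool": "proxy", "sig": "Uncategorised domain",
     "src_ip": "10.0.2.31", "dst_ip": "198.51.100.7", "host": "ws-marketing-02",
     "domain": "cdn.example.net"},
    {"id": 4, "tool": "proxy", "sig": "Uncategorised domain",
     "src_ip": "10.0.2.32", "dst_ip": "203.0.113.45", "host": "ws-hr-11",
     "domain": "update-check.example.org"},
    {"id": 5, "tool": "mail", "sig": "Attachment sandbox timeout",
     "src_ip": "192.0.2.10", "dst_ip": "10.0.3.5", "host": "mailgw01", "domain": None},
    {"id": 6, "tool": "edr", "sig": "Suspicious PowerShell",
     "src_ip": "10.0.4.15", "dst_ip": "10.0.4.15", "host": "ws-finance-07", "domain": None},
]

# Environment context (constructed): what each asset is worth, and which
# sources generate alerts on purpose (here, an internal vulnerability scanner).
ASSET_CRITICALITY = {"dc01": "high", "mailgw01": "high", "ws-finance-07": "medium"}
AUTHORIZED_SCANNERS = {"10.0.5.20"}

# Local intelligence list (constructed): indicator -> context an analyst can act on.
INTEL = {
    "203.0.113.45": "command-and-control address reported by sharing partner",
    "update-check.example.org": "domain used by a known phishing kit",
}

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def triage(alerts, intel=INTEL, assets=ASSET_CRITICALITY, scanners=AUTHORIZED_SCANNERS):
    """Return a copy of each alert annotated with a disposition and priority."""
    result = []
    for a in alerts:
        out = dict(a)
        # Pass 1: environment-specific tuning. A scan signature whose source is
        # an authorised scanner is expected behaviour, so it never reaches a queue.
        if a.get("src_ip") in scanners and a["sig"].startswith("SCAN"):
            out["disposition"], out["priority"] = "tuned_out", None
            result.append(out)
            continue
        # Pass 2: cross-reference every indicator the alert carries against
        # intelligence that already has context attached (item 3 above).
        hits = [(k, intel[k]) for k in (a.get("src_ip"), a.get("dst_ip"), a.get("domain"))
                if k in intel]
        if hits:
            out["disposition"], out["priority"], out["intel"] = "escalate", "critical", hits
        else:
            # Pass 3: no intelligence match; rank by what the affected asset is worth.
            crit = assets.get(a.get("host"), "unknown")
            out["disposition"] = "review"
            out["priority"] = {"high": "high", "medium": "medium"}.get(crit, "low")
        result.append(out)
    return result


def summarise(triaged):
    """Count alerts per disposition, i.e. how much noise the tuning removed."""
    return Counter(t["disposition"] for t in triaged)


def analyst_queue(triaged):
    """Alerts an analyst actually sees, highest priority first."""
    live = [t for t in triaged if t["disposition"] != "tuned_out"]
    return sorted(live, key=lambda t: PRIORITY_ORDER[t["priority"]])


if __name__ == "__main__":
    triaged = triage(RAW_ALERTS)
    print(dict(summarise(triaged)))
    for t in analyst_queue(triaged):
        print(t["id"], t["priority"], t["tool"], t["sig"], t.get("intel", ""))
```

The ordering of the passes is the point: tuning runs before the intelligence lookup so that known-benign noise never consumes a lookup, and the intelligence match outranks asset criticality because it carries context the vendor alert alone does not have. In a real deployment the three constructed tables would be fed from the asset inventory, change management and the intelligence process the text describes, not hard-coded.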
INTELLIGENCE STANDARDIZATION
- A clearly
- Noise
- Threats
- Vendor
- Communications
Only then can you set alerts based on past data while also anticipating changes in an attacker's approach. And only then will you start to move an old-fashioned and outflanked SOC to a more advanced SIC, able to combat, and even anticipate, the modern, advanced threats that target your organization.