SOCs for the rest of us
Transcript of SOCs for the rest of us
![Page 1: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/1.jpg)
SOCs for the Rest of Us
By Dave Herrald
And Ryan Kovar
![Page 2: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/2.jpg)
Disclaimer
During the course of this presentation, we may make forward looking statements regarding
future events or the expected performance of the company. I often lie. Maybe this is a lie.
Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes
The wøndërful telephøne system And mäni interesting furry animals The characters and
incidents portrayed and the names used in this Presentation are fictitious and any similarity
to the names, characters, or history of any person is entirely accidental and unintentional.
Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus...
No realli! He was Karving his initials on the møøse with the sharpened end of an
interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and
star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of
Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our
roadmap outlines our general product direction and is subject to change at any time
without notice. Splunk undertakës no øbligation either to develøp the features or
functionality described or to include any such feature or functionality in a future release.
![Page 3: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/3.jpg)
# whoami
> Dave Herrald @daveherrald
- Senior Security Architect
- 20+ years in IT and security
- Information security officer, security architect, pen tester, consultant, SE, system/network engineer
- GIAC GSE #79, former SANS Mentor
![Page 4: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/4.jpg)
# whoami
> Ryan Kovar: CISSP, MSc(Dist) @meansec
Staff Security Strategist
Minister of the OODAloopers
• 17 years of cyber security experience
• Worked in US/UK Public Sector and DOD, most recently in nation state hunting roles
• Enjoys clicking too fast, long walks in the woods, and data visualization
• Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research
• Currently interested in automating methods to triage data collection for IR analyst review
• Also investigating why printers are so insubordinate ಠ_ಠ
![Page 5: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/5.jpg)
![Page 6: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/6.jpg)
![Page 7: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/7.jpg)
![Page 8: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/8.jpg)
Agenda
• Our Experiences
• Hypotheses
• Who we interviewed
• Synthesize
• Things to take home
• Conclusions
![Page 9: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/9.jpg)
What we do @Splunk
Architect Strategist
This That
![Page 10: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/10.jpg)
Where we go
![Page 11: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/11.jpg)
Who we see
![Page 12: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/12.jpg)
Who we see
![Page 13: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/13.jpg)
We’ve seen it all
> I’ve got Bro, Splunk, FireEye. I do OSINT, collect ALL the Logs, and even drink beer at work.
> We don’t need a SOC. We have a guy named Dave. He is friends with the boss and is great at computers.
> Sure I’m secure. I have a Firewall!
![Page 14: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/14.jpg)
![Page 15: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/15.jpg)
• Orgs have moved past Tiers
• Traditional “Tier 1” jobs are replaced by automation
• Best SOCs have Data Scientists
• No one has a good incident recording tool
• SOCs align to Kill Chain model
![Page 19: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/19.jpg)
• Orgs have moved past Tiers
• Traditional “Tier 1” jobs are replaced by automation
• Best SOCs have Data Scientists
• No one has a good incident recording tool
• SOCs have similar people and toolsets
![Page 20: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/20.jpg)
What we asked
![Page 21: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/21.jpg)
![Page 22: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/22.jpg)
We are here to share the best with you
![Page 23: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/23.jpg)
![Page 24: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/24.jpg)
People are more important than tools
![Page 25: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/25.jpg)
Trail of Tiers
![Page 26: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/26.jpg)
The ability to write code was the most valuable technical skill
![Page 27: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/27.jpg)
Degree types didn’t matter
![Page 28: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/28.jpg)
Learn to communicate clearly, both written and gooder speaking
![Page 29: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/29.jpg)
![Page 30: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/30.jpg)
VS
![Page 31: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/31.jpg)
Curiosity is the most important SOC analyst trait
![Page 32: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/32.jpg)
Findings
![Page 33: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/33.jpg)
REVIEW
• Orgs have moved past Tiers
• Traditional “Tier 1” jobs are replaced by automation
• Best SOCs have Data Scientists
• No one has a good incident recording tool
• SOCs have similar people and toolsets
![Page 34: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/34.jpg)
Orgs have moved past Tiers
REVIEW
![Page 35: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/35.jpg)
Traditional “Tier 1” jobs are replaced by automation
REVIEW
![Page 36: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/36.jpg)
Best SOCs have Data Scientists
REVIEW
![Page 37: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/37.jpg)
No one has a good incident recording tool
REVIEW
![Page 38: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/38.jpg)
SOCs have similar people and toolsets
REVIEW
![Page 39: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/39.jpg)
Takeaways
• Lorem
• Ipsum
• And
• Moresum
• (Blogpost/whitepaper coming soon)
![Page 40: SOCs for the rest of us](https://reader031.fdocument.pub/reader031/viewer/2022020314/5a651b537f8b9aa2548b7217/html5/thumbnails/40.jpg)
Contact info
Dave Herrald @daveherrald
Ryan Kovar @meansec
http://blogs.splunk.com/author/rkovar