How To Drive Value with Security Data

Editor's Notes

• #4: Challenges – these are things you want to be aware of when you invest in any data capability – or assess your own Use-Cases - Focus on the wrong use-cases - Email is still prevalent vector for attacks, not vulnerabilities - Not having a use-case driven approach at all - Sharing use-cases is still non existent – Sigma - SOCs are building use-cases for the data they have instead of for the things they want to detect Scalability Running many rules Collecting all data (expensive) Collecting all data Correct data architecture Trying to do it ourselves, rather than outsourcing – can you get the right people? Why does everyone re-invent their processes? Cloud helps, but it still expensive SOCs are running an average of 30 tools! Data - Visibility gaps (email and humans) – how is it that we buy phishing solutions and do not understand our email communication patterns better? - Understanding data and knowing what to do with it (remediation) – alerts are not indicative of whether a system / user is under duress - Application visibility and understanding – SaaS applications anyone? - Beyond alerts : inventory as well – CSPM, … AND metrics collection as well False Positives - A threat / exploit / vulnerability centric view makes event prioritization challenging - We are still operating on an event level instead of an entity (user, device) level - We are prioritizing all events / alerts that our data sources send us … Beyond events/alerts - CSPM / configuration / asset information Shared Frameworks - ATT&CK -> I think that’s a bad trend – it’s not really covering the right set of detections and is not enough prescriptive for your use-cases! - Sigma -> is an okay start, but very very limited still to date and hasn’t been shown to really produce good thorough detections Move to the Cloud - Not solving all our problems, in fact, introducing new problems – governance, … - Let’s be clear, your SIEM will run in the cloud Insider Focus - Monitoring the users and understanding them – away from the latest vulnerability / … because even an external attack will show a change in the user’s behavior
• #5: Rethink what we really want from SIEM / security data analytics -> Some call that XDR now Data Inventory Classification Movement App Posture Activity SaaS Cloud posture Device Asset Info Posture (Vuln, Patch, Config) User HR Identity Access Priv’s. Activity / Behavior Personality Anomaly - To self and to peers Interaction with critical data Gets you out of the cat and mouse game – yet another attack type (ransomware today, phishing tomorrow, etc.)
• #6: AI and ML to the rescue – or not We will get better at anomaly detection from a behavioral standpoint, but not through supervised ML! Expert systems We will keep using ML (supervised) for malware detection, document classification, and basically all kinds of pattern matching Let AI help automate machine-enabling tasks – and visualize more Verifyability and explainability of approaches That’s IT, folks! Cloud We are moving to the cloud. Period. Your SIEM too. How do you monitor on-prem in that case? Visibility - Challenges to see and understand it all? What are all the assets in your environment right now? How do you track them? What are they? What are their risks? - What about all your users? - Across on-prem and cloud / SaaS / … Automation - built into products and not separate as SOAR - beyond the simple ‘augmentation’ use-cases – phishing playbook – remediate across your risk engine … - we need to push toward remediation. Why do we still need security analysts making decisions? Why can’t we learn from past activity? Privacy - Needs to be designed with ‘privacy first’ (only collect what you need, in a secure manner) Securing collected data - Anonymization? Nuances of regional regulations (GDPR, CCPA, etc.) Where are the socio-ethical boundaries?
• #7: SIEM visibility has been focused on network – it’s time to get endpoint and cloud visibility. AND DATA – including SaaS The risk-based approach will help you not just defend from external attacks, but also monitor your insiders. They are becoming more of a problem! Sharing – from TI to TTPs / analytics sharing
• #8: http://slideshare.net/zrlram @raffaelmarty