Journey to the Center of Security Operations

JOURNEY TO THE CENTER OF
SECURITY OPERATIONS
SERGEJ EPP
Chief Security Officer, Central Europe

FRANKFURT, GERMANY
2 | © 2019 Palo Alto Networks, Inc. All Rights Reserved.
SERGEJ EPP Chief Security Officer, Central Europe
§ Regional Cybersecurity Strategy and Operations
§ Thought Leadership
Global Head of Cyber Forensics & Investigations
Global Head of Cyber Hygiene Operations
§ Endpoint Detection Response
§ Fraud & Insider Investigations
§ Firmware and Supply Chain Forensics
§ Configuration Management, Neutral Control
Global Head of Cyber Defense Center
§ Threat Intelligence
§ Threat and Forensics Response
§ Red Team
§ Cyber Analytics & Big Data
§ Security Awareness and Roadshows
WHOAMI

EVOLUTION OF INFORMATION SECURITY OPERATIONS
NOC
Compliance SOC
Threat-Intel
Driven SOC
Integrated SOC
Fusion Center
Level 1
Perimeter focused
operations
Level 2
SIEM based,
Policy driven
operations and static
playbooks
Level 3
Threat-Intelligence
focused security
operations
Level 4
Integrated detection,
incident response,
forensics, intelligence
and vulnerability
functions
Level 5
Integrated non-
cybersecurity
functions such as
physical security,
fraud or business
operations

USE
CASE

5 | © 2018, Palo Alto Networks. All Rights Reserved.
We have not responded to
an intrusion using a ZeroDay
exploit in the last 24 months
- National Security Agency*
* RSA Conference 2019
“
”

GROW YOUR RISK MANAGEMENT
§ Connected vehicle
(air/rail/car) threats
§ Quantum
computing
§ Data exfiltration in
the cloud
§ Cyber Hygiene
§ AI voice fraud
§ AI phishing
§ AI chatbots
§ Firmware implants
§ Destructive threats
§ ID mass
blackmailing
§ OT/IoT Threats
§ Insider Threat
§ Third Party Threat
§ Spyware
§ Identity theft
§ Ransomware Virus
§ AI Exploit Fuzzing
§ AI Malware Gen.
§ Biometrics loss § CEO Fraud
§ Compromised
patch control
§ Crimeware-as-a-
service
§ Phishing
§ Supervisory
Oversight
§ BYOD threats § Attack obfuscation
§ Denial of Service
§ Banking Malware
§ Advanced
regulations
§ Cryptojacking
10 mio
5 mio
1 mio
100k
10k
1% 2% 5% 10% 20%
VULNERABILITIES AND
MISCONFIGURATIONS
IF YOU CAN FIX ONLY 1/10
OF YOUR VULNERABILITIES,
WHICH ONES WILL YOU FIX?
CVE-2017-0143 (aka EternalBlue)
• Security risk = CVSS 9.3 High
• Business risk = Critical
• Change risk = Medium

USE
CASE

HYPE CYCLE
REACTIVE
PREVENTIVE
80%
of Enterprises IT investment
in security*
72%
of VC investments in
security startups**
*Source: VmWare Analysis ** Cyber Defenders Report, CB Insights 2019

9 | © 2018, Palo Alto Networks. All Rights Reserved.
BURDEN TO TRIAGE IS STILL A PROBLEM
A Tier concept makes sense
when the symptoms are well
understood.
In cybersecurity, we ask the
most unexperienced analyst
in Tier1 to identify APT
attacks. Are you surprised
this does not work?
TIER 1 TIER 2
TIER 3
106.887.657.123
37%
Manual alert
enrichment (e.g.
checking IP
in database)*
The Definition of SOC-cess? SANS 2018 Security Operations Center Survey
34%
Mostly
automated
alert
enrichment*
ALERT ENRICHMENTLACK OF CONSISTENT
VISIBILITY
FALSE POSITIVE FATIGUE FRONT LINE OF DEFENSE
Threat actors are often
leveraging Shadow IT, IoT
devices or simply
unmanaged devices to
maintain persistent access.
It requires a fusion between
SIEM, network, endpoint etc.
to enable triage of activities.
Examples: APT10
(CloudHopper), NSA TAO
Event if the attack is detected
the chance that its identified
by the analyst is small due to
to many false positives
Bonus: Hackers often launch a
DDoS attack to flood SIEM
systems shortly after a
successful targeted attack
against a bank.

COLLECTING OR DETECTING?
BOTTOM-UP
start with data
LOG DATA
TOP-DOWN
start with use case
MONTHS vs. DAYS
Identify most
relevant threats
Create use-cases
Collect only relevant
data
Analyze alerts
Parse and interpret
data
Collect available data sources
Build use case
Data is oil for security operations teams, but
collecting simply all available data will not only
overload your infrastructure but also impact
capacity of your team. Top-down approach
considering the entire end-2-end (Identify-
detect-respond) use-cases is the way to go for
most of the SOCs.

Alerts must be 90%+
True Positive
Move high False Positive
Alerts to Hunting
Dedicated hunt time
Move high True Positive
to Alerting
11 | © 2019 Palo Alto Networks. All Rights Reserved.
Alerting
Program
Hunting
Program
„HUNTING IS A PROCESS,
NOT A DEDICATED TEAM“

MACHINE LEARNING WILL INCREASE AUTOMATED RESPONSES
PRE-COMPUTE LEARNING OF 1,000+ BEHAVIORAL DIMENSIONS
Time Profile
• History, per Detector
• Network -> Application
Peer Profile
• Peer profile, per
Detector
Entity Profile
• Entity Type
• User, admin, workstation,
server, server type
MLTechnique
Pre-Compute Learning
UNSUPERVISEDSUPERVISED

USE
CASE

GORCH FOCK
SOC
DATA LAKE

15 | © 2015, Palo Alto Networks. Confidential and Proprietary.
DEMISTO - ORCHESTRATION
ENGINEER ORCHESTRATEPLATFORMIZE

Reconnaissance Weaponization
and Delivery
Exploitation Command
and Control
Lateral
Movement
Installation Actions on
the Objective
Automated Detection and Prevention
Threat Alerting and Hunting
Focus on this side
Focus on this side
AFAutoFocus
TRTraps
WFWildFire
GPGlobalProtect
AP
Aperture
16 | © 2019 Palo Alto Networks. All Rights Reserved.
Cortex XDR
SHIFT RIGHT – TAKE THE HUMANS OUT OF ROBOTS

USE
CASESecurity Operations Update:
1. Your Threat Intelligence team reports other
companies experiencing the same
Ransomware based cyberattack.
2. The attackers demand Bitcoin in order to
decrypt the hard drive.
3. An interesting observation is that the Bitcoin
wallet address is always the same.

THREAT INTELLIGENCE
✓ Mature capability for most organizations
✘ More than 95% of consumed intelligence is
already known (Waste of money and time)
✘ Companies lack instrumentation of controls
to automate consumption
✘ Most companies don’t generate actively
threat intelligence
CONSUME
GENERATE
SHARE
OPERATIONAL
(IOCs, TTPs,)
TACTICAL
(Adversary campaigns,
Trends, Sharing)
STRATEGIC
(Business risk)
✓ Maturity on government level resulting in cyber policy influence
✘ Most boards lack understanding that they are in software business
and cyber is one of the greatest risk
✘ Investment in cybersecurity are by far not proportional to
investments in digitalization
✓ Mature capability in some industries e.g. Financial Industry.
✓ Strong community focus e.g. CTA, CSSA, CDA, FS-ISAC
✘ Application of Active Cyber Defense lifecycle
takes time

EXAMPLE: INSTRUMENT YOUR CONTROLS FOR CONSUMPTION
Block list
Quarantine list
Alert list
Sandbox
ExploitKits,
Scanning IPs
C2 IPs Move to quarantine
network
Rebuild device
Analyze device
Signatures
Firewall
Endpoint
Indicators
APT IPs
Notify user
AI:
beaconing
SHARING
User
Violation

MEASURING AND IMPROVING
SOC-CESS
24 | © 2019 Palo Alto Networks, Inc. All Rights Reserved. www.soc-cmm.com

THREE CATEGORIES OF METRICS
HEALTH
% of controls running
% of assets configured to best practices
% of vulnerable systems
% of traffic visible
…
Mean time to detect (MTTD)
Time to discover all impacted assets
Completeness per IOC sweep
Detection for % of all attack vectors
Detection for % of all data leakage vectors
% of false positive alerts per analytic
% of attacks automatically prevented
% of users with privilege rights
…
RESILIENCE
Mean time to respond (MTTR)
Mean time to rebuild a desktop
% of automated countermeasures
% of red team exercises detected
Time from intrusion to eradication (dwell)
…
VISIBILITY
BUSINESS VALUE AND PRODUCTIVITY
METRICS
§ Losses occurred vs. losses prevented
§ Mean cost per incident
§ % of XXX vs industry benchmark
…

EXAMPLE: CONFIGURATION OF ATT&CK VISIBILITY – DETT&CT
ü Identification of your visibility/log/detection maturity for common attacks
described in ATT&CK can help to prioritize configuration
ü BUT: To set the right coverage bar for your organization requires mature
understanding for relevant threat actor

EXAMPLE: CONFIGURATION OF DATA LEAKAGE VISIBILITY
HTTP
HTTPS
FTP
FTPS
SMTP
ICMP
DNS
TELNET
DNSSEC
62%
of known data leakage
vectors are identified or
prevented
Exfiltration of sensitive large data sets sent over longer
period of time is not being detected!
DATA LEAKAGE SIMULATION
Easy and effective deployment allows both:
• Prioritize configuration and rules in production
• Test security products as part of PoC
BUT, how do you define the threshold?

29 | © 2015, Palo Alto Networks. Confidential and Proprietary.
PLAN
FINANCIAL
EXISTING
METRICS
SOAR
DOPLAN
CHECKACT
VERIFICATION
DOPLAN
CHECKACT
DOPLAN
CHECKACT
THE PATH TO METRICS MATURITY
Mean time to X
SOC productivity
Countermeasure
automation
Stakeholder
responsiveness
Network
Endpoint
Email
Security Controls
Controls
Resilience
Exploitation
Exfiltration
Financial impact
Fraud

EVOLUTION OF THE SOC ROLE – HOW TO KEEP UP?
*The Definition of SOC-cess? SANS 2018 Security Operations Center Survey
TRAINING / ROTATIONS
§ Technical trainings (e.g. SANS, Data Science)
§ Rotation between offensive and defensive teams
CAREER PATH
Especially for technical experts, who are not interested in
team management but still want to influence the
strategic direction of the company
CULTURE OF CURIOSITY
will attract smart and passioned talent and help to grow
naturally skill and capability
LEGAL ENABLEMENT
§ Access to security data and analysis
§ Threat Sharing
Lack of skilled staff is #1 problem in most organizations*
Attrition rates of 20-25% are common in our business.
What can be done to retain the staff?
FROM ANALYST
TO CODER AND
DATA SCIENTIST

enterprise apps today
are cloud-enabled
/cloud-native
Cloud is
Everywhere
Containers Have
Gone Mainstream
enterprises will use
containers by 2020
8 of 10 1 in 2
of cloud users
leverage 2 or more
cloud providers
(Gartner)
81%
Multi-Cloud
CLOUD SECOPS IS HEAVILY BEHIND
SANS 2019 Cloud Security Survey
● 99% of cloud security failures will be the customers fault by 2023 (Gartner)
● 42% Lack of skills or training for specific public cloud services*
● 52% Inability to respond to incidents traversing our cloud apps and data*
CYBERSECURITY LACKS ADOPTION FOR CLOUD
TRANSFORMATION

SHIFT LEFT PRINCIPLES
</> Code Build Test Deploy Monitor
CI Continuous Integration CD Continuous Deployment
SHIFT LEFT – WILL INCREASE CODING SKILLS IN SECOPS TEAMS
1. Security by design - establish criteria upfront
2. Integrate, automate, automate
4. Share tooling - don’t silo information
5. Train your developer teams for better awareness
3. Establish control gates
SIEM
IDS

COLLABORATION IS EXPLODING
FUSION
CENTER
DEPLOY STAFF IN SOC
DEPLOY LIASON OFFICERS
IN BUSINESS DEPARTMENTS
PHYSICAL
✓ Insights into cyber
threat actors
✓ Joint work on cyber
enabled physical bugs
TRANSPORTATION FRAUD
BUSINESS
ISOs
✓ Joint monitoring of
transportation products
✓ Examples: Connected
Car, Airplanes, Railways
✓ Improved time to
mitigation for cyber
enabled fraud
✓ Typically senior security
manager roles
✓ Brokers stakeholder
relationship and
governs remediation in
specific business unit
DELEGATED
TRIAGE
✓ Delegate triage of alerts
to users e.g. “Have you
been to Switzerland
yesterday?”

TRANSFORM YOUR TEAM
§ Start hiring software engineers and data scientist
§ Focus on data analysis (Hunting is a process) and communication
§ Stop Use-Cases below 90% true positive and move to hunting
MEASURE SMART
§ Show business impact
§ Crawl, walk, run (Same as LEGO)
§ Focus on “health” usecases first
MODERNIZE TECH. STRATEGY
§ Build technology around automation and not
vice versa
§ Evaluate your toolset:
§ Take out two for introducing one
§ Increase penetration rate
§ Enable features
AUTOMATIZE PRODUCTION
§ Make automation a personal goal
for everyone
§ Prevention First
§ Increase % of
§ enriched alerts
§ of automated
countermeasure
deployments
DEMOCRATIZE COLLABORATION
§ Implement Delegated Monitoring
TAKE AWAYS

Let‘s SOAR

Journey to the Center of Security Operations

More Related Content

What's hot (20)

Similar to Journey to the Center of Security Operations (20)

Recently uploaded (20)

Journey to the Center of Security Operations