SACON16 - SOC Architecture
This document discusses building a next-generation security operations center (SOC) to better detect advanced persistent threats (APTs). It recommends taking a process-oriented approach to detection by visualizing engagement with threats, identifying detection phases, and connecting use cases for multi-phase threats. An advanced SOC (ASOC) model is presented that separates hunters to actively look for threats from SOC operations teams to react, respond, and resolve incidents, with metrics and continuous improvement. The document encourages building a threat mind map and playbook of use cases tailored to an organization's highest probability threats to anticipate attacks. It emphasizes focusing on indicators of compromise or attempt to compromise over individual events and iterating the SOC process weekly.
SACON16 - SOC Architecture
- 1. #SACON Building the NextGen SOC Shomiron DAS GUPTA (GCIA) Founder, CEO NETMONASTERY Inc.
- 2. #SACON Agenda ■ Why are APTs difficult to detect ■ Revisit the cyber kill chain ■ Process orient detection ■ NextGen SOC process ■ Building your threat mind map ■ Implement and measure your SOC
- 3. #SACON Why are we failing to pick them ■ Made to order ■ Exploit trust relationships ■ Multi stage deployments
- 4. #SACON The Cyber Kill Chain ■ Reconnaissance ■ Weaponize ■ Delivery ■ Exploitation ■ Installation ■ Command and Control ■ Actions on objectives
- 5. So which are the phases you should track to detect Advanced Persistent Threats?
- 6. #SACON The Cyber Kill Chain ■ Reconnaissance ■ Weaponize ■ Delivery ■ Exploitation ■ Installation ■ Command and Control ■ Actions on objectives
- 7. So, what are you looking for? Indicators Of Compromise or Attempt To Compromise
- 9. #SACON Process Orient Detection ■ Visualize your engagement with threats ■ Identify detection phases ■ Build a list of primary issues ■ Create use cases ■ Connect use cases for multi phase threats ■ Burn the context layer in to your SIEM for detection
- 10. #SACON Concerns from the Old SOC ■ Lack of focus on detection ■ Push required to build new rules ■ Rules get out dated before you go production ■ Continuous improvement doesn’t exist ■ Lack of active pursuit
- 11. #SACON ASOC One such option Hunter • Looking for threats • Multiple toolkits • No boundaries - laterals • Finding loopholes • Building content • Writing process • Handover and review Process SOC Ops • Understand threats • React - FP Filtering • Respond • Resolve • Metrics & Improvement • Case retirement
- 12. #SACON THREAT MAP PLAY BOOK USE CASES
- 13. #SACON Building your Threat Mind Map
- 14. #SACON What does it take? ■ Approach IOC or ATC ■ Anticipation High Probability Threats ■ Active Playbook Build - Review - Improve
- 18. #SACON WORKSHOP BUILDING YOUR OWN PLAYBOOK
- 20. #SACON Alerts v/s Incidents ■ Alerts are instant and descriptive ■ Incidents are usually delayed and vague ■ Alerts can be remediated ■ Incidents need handling What would you work towards - Alerts or Incidents
- 21. #SACON Watching the AfterLife ■ Sold in the underground unless a sponsored activity ■ Stolen data is segregated ■ Sometimes published ■ Mostly used quickly for monetary gain How would you track your data in the AfterLife?
- 22. #SACON Implement and Measure ■ Watch for primary issues not events ■ Connect multi phase threats automatically with tools ■ Selectively implement incident management ■ Look out for threat trends ■ Cyclically iterate and improve every week #SACON
- 23. Shomiron DAS GUPTA shomiron@netmonastery.com +91 9820336050 Thank You!