Explore the fundamental changes in security and how to modernize your SOC. Discover the shift towards manual threat hunting, the importance of machine learning and analytics in malware detection, the impact of cloud adoption, and the benefits of SOAR integration.
Modernizing Your SOC
David Swift – Security Geek
CISSP, GSEC, GCIH, GCIA, GSNA, MCSE, MCNE, ACTP…
dswift@securonix.com
Fundamental Changes in Security - 2019
1. Threat Hunting – Move to Manual
• Discovery of threats is devolving into queries, increasing staffing requirements
• Dependency on point solutions to detect and block is increasing
• SIEM (Parsing, Normalization, Categorization, Correlation) is devolving into log collection and storage
• Elastic Search (Lucene Indexing, Text Searching, GREP), ELK is becoming pervasive
2. Machine Learning & Analytics is Becoming Pervasive – Better Malware Detection
• Anti-Virus, IDS, Dynamic Malware Analysis (FireEye, Wildfire…), behavior vs. signature
• Detection of malicious content at an end point has increased, but users still bypass controls (“Goofs”)
3. Cloud Adoption – Reduced Infrastructure/HW to Maintain
• SIEM, AV, VA, IDS, FW, Email, File Storage
• Cloud First is the new norm
• Threats are occurring in the cloud without endpoint detection
• Kubernetes and Containers replacing traditional OS and Network
4. Cloud Vendor Databases – Nearly Free Storage, Pay Based on Compute
• Google – Big Query, Cloud SQL, Spanner, Big Table…
• Amazon – Aurora, RDS, DynamoDB
5. SOAR Integration – Automated Response
Fundamental Changes in Security - 2018
1. User Based Threat Detection
• For the past decade we’ve collected and searched events. But there’s an infinite number of events to search, and only so many people to do it. Even worse, the number of events, log sources, and devices increases every day, and our staffs seldom do. There are, however, a finite number of users and machines. When we group events by user or machine and build chains of events, we can deal with a finite set and a solvable problem with a reasonable number of people.
• Reduce the number of raw events to a finite number of devices and users, grouped and risk scored into kill chains.
2. Behavior Profiling/Analytics
• For a decade we’ve had rule engines detecting known threats, and we’ve been owned by attackers. Rules won’t detect the zero day threats. Rules can’t detect insiders and compromised accounts.
• Machine learning, building behavior profiles and watching for changes, lets us find the unknown, never before seen, anomalous behavior.
• Learn normal and find the weird.
• Turn security into “Sesame Street”. One of these things is NOT like the others.
3. Hadoop
• The world is moving from captive proprietary data stores to an open shared storage model. Hadoop is the platform of choice. The change is analogous to changes in storage nearly a decade ago as organizations moved from captive internal storage to storage area networks (SANs), and many of the drivers are the same (high performance, high availability, reusability…).
• Collect once, reuse the same data over and over by different applications (SOC, NOC, CRM, ERP…).
Key Security Problems Today
• Not Enough People
• Process has been Abandoned
• Log All and ANALYZE
• Collect, Detect, Respond
• Garbage In, Garbage Out (GIGO)
• Collection without enrichment and correlation makes for a “data swamp”
• Search by Meaningful Value Fails (User Name, Source IP, Department)
One Ring! One Ring to Rule Them All
• Alphabet Soup
  • SOC, SIEM, UEBA, SOAR
  • IDS, FW, AV, VA, IAM, EDR, EMR
• Visibility and Targeting
• Risk Based Alerting
• Threat Triangulation
• Automated Response
I do NOT Want ANOTHER Damn Tool! One Integrated Platform and View!
What’s the Problem? Ain’t No One Got Time for That!
I Love my SIEM!&*$
I Love my SIEM$%!
I Love my SIEM&^%!
False Positives
• Making the Infinite Finite
Tired of Text?
Slack, Email, and SMS, Oh My! If they page me tonight, someone’s Gonna Die!
Want to know the Root Cause?
How many queries do I have to run? Can someone please just pass me my gun?
Group and Compare
Can you say “Sesame Street?” One of these things ain’t like the others.
Triangulate and Act!
Three Strikes, You’re OUT!
If a single tree falls in the woods I DON’T CARE! If Johnny pours gasoline, lights a match, and then a tree catches fire, maybe it’s time to wake someone up!
How do we solve for X?
• Collect Logs (Security + Context + Apps)
• Configure Detection for 5 Patterns (EOI)
• Group (by user or machine)
• Model Responses (Playbooks)
Five Patterns
• Repeat Attacks – Everything Counts in Large Amounts
• Success After Fail – Kept Trying Until they Found a Way In
• Never Before Seen – First Use, Unusual Activity
• No One Else Does That – Peer Anomaly
• How Much???? – Quantity or Volume Spike
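To make the approach concrete, here is an added example (not from the deck or any Securonix product) that groups constructed login events by user, tests each user against the five patterns, and applies the "three strikes" triangulation from the earlier slide. The event tuples, baseline dictionaries, and thresholds (4 events, 3 failures, 2x peers, 3x baseline) are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (not from the original deck):
# (user, department, host touched, login outcome), in time order.
EVENTS = [
    ("alice", "eng", "build01", "fail"), ("alice", "eng", "build01", "fail"),
    ("alice", "eng", "build01", "fail"), ("alice", "eng", "build01", "fail"),
    ("alice", "eng", "hrdb", "success"),  # succeeds on a host she has never used
    ("bob", "eng", "build01", "success"),
    ("carol", "hr", "hrdb", "success"),
    ("dave", "hr", "hrdb", "success"),
]
# Constructed baseline ("learn normal"): hosts each user has used before and
# the usual number of events per user per period.
BASELINE_HOSTS = {"alice": {"build01"}, "bob": {"build01"}, "carol": {"hrdb"}, "dave": {"hrdb"}}
BASELINE_COUNT = {"alice": 1, "bob": 1, "carol": 1, "dave": 1}

def score_users(events, baseline_hosts, baseline_count):
    """Group events by user and test each group against the five patterns.
    Returns {user: [names of the patterns that fired]} (thresholds are assumed)."""
    by_user = defaultdict(list)
    for user, dept, host, outcome in events:
        by_user[user].append((dept, host, outcome))
    # Peer group = everyone in the same department, with their event counts.
    peers = defaultdict(dict)
    for user, evs in by_user.items():
        peers[evs[0][0]][user] = len(evs)
    result = {}
    for user, evs in by_user.items():
        n, dept = len(evs), evs[0][0]
        outcomes = [o for _, _, o in evs]
        hits = []
        if n >= 4:                                     # Repeat attacks
            hits.append("repeat_attacks")
        if "success" in outcomes and outcomes[:outcomes.index("success")].count("fail") >= 3:
            hits.append("success_after_fail")          # Kept trying until they got in
        if {h for _, h, _ in evs} - baseline_hosts.get(user, set()):
            hits.append("never_before_seen")           # First use of a host
        others = [c for u, c in peers[dept].items() if u != user]
        if others and n > 2 * mean(others):            # No one else does that
            hits.append("peer_anomaly")
        if n > 3 * baseline_count.get(user, 1):        # How much? Volume spike
            hits.append("volume_spike")
        result[user] = hits
    return result

def three_strikes(scores, threshold=3):
    """Triangulate: only wake someone up when several patterns agree on one user."""
    return sorted(u for u, hits in scores.items() if len(hits) >= threshold)
```

A single fired pattern (one tree falling) never pages anyone; only a user on whom several patterns agree is returned by three_strikes.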
Use Cases Top 10
Why should I care?
• The average cost of a breach is $3.92M*
• The normal company has roughly a 10% risk of a breach in any given year.
• Average Annual Loss Expectancy: $392,000
“We’ve never been hacked before!”
*IBM 2019 Data Breach Cost https://www.ibm.com/security/data-breach
Thank You
David Swift
dswift@securonix.com
214-724-7174
www.securonix.com
Offers: Deep Dive Demo, Use Case Workshop