Building an Analytics - Enabled SOC Breakout Session

Editor's Notes

• #3: “Want to build a SOC” customers are primary audience and others are secondary. But even small orgs with no formal SOC plans can learn from this PPT. The material in this PPT is what our customers across many industries and sizes tend to do. It’s just a summary…precise SOC requirements will be different for each organization.
• #4: Without a SOC there often is siloed, incomplete visibility which leads to a weaker security posture. So by consolidating all the security experts and relevant data into a central location, threats can be spotted faster and efficiencies can be had.
• #5: Without a SOC there often is siloed, incomplete visibility which leads to a weaker security posture. So by consolidating all the security experts and relevant data into a central location, threats can be spotted faster and efficiencies can be had.
• #6: To build a SOC you need basic security products/process in place and tuned (see SANS 20 for examples), as well as enough skilled people to run a SOC. If you do not have a basic level of maturity, you may need to address this first before building a SOC. Prioritization includes: data sources to onboard (onboard the most critical sources first), which threats to model out and look for, playbooks, people, staffing hours (start 8x5 and move to 24/7, etc)
• #7: Any SOC is comprised of people, process, and technology. All 3 are critical to a successful SOC
• #9: This is step one of the SOC build out and prioritizes where to get started. 1. Could also include DDOS, protecting an asset or person, etc. Business people will help you decide this, perhaps based on overall $$ a specific threat could cost the organization. 2. The “indicators of compromise” 3. Includes: machine data to spot the threat (this drives which data sources to prioritize). Also searches needed to detect it (correlated events, anomaly detection, deviations) 4. This is all the detail on what to do when a specific alert is generated. Will vary based on the threat, but the playbook should have a lot of detail so when the alert pops up, everyone knows how to deal with it appropriately. Not shown here, but red team or simulation exercises are helpful to make sure processes work correctly. Red team exercises can also find unknown weaknesses that should be addressed in threat modeling.
• #10: This is a list of the basic process/incident flow in a SOC. Incidents come in at top left. They then are processed by the different Tiers personnel in the SOC. Typically tier-1 analysts are the least skilled analysts. They try to quickly dismiss false positives and for real incidents open a ticket and attempt to remediate the incident. If they cannot remediate it or do not fully understand the threat, they can escalate it to the more skilled tier-2 analysts. These tier-2 analysts often use more advanced tools, such as packet capture tools, to research an incident. Tier 2 tries to investigate/remediate all incidents but if they cannot, they may escalate the incident to the most advanced analysts, the tier 3 analysts. Since Tier 3 analysts are the most skilled and expensive, it is key to limit incidents reaching them to the very “difficult” or critical ones. Notice the responsibilities of the tiers on the right. We will come back to this later and how the proper technology can help with most of these use cases. Tier 2/3 can relay feedback into the rest of the org to improve security Tier 3 may be part of the incident review process, but in some orgs it is not – it is a separate team within the SOC. Also sometimes CSIRT (Computer Security Incident Response Team) is within the SOC as the tier2/2 levels, but sometimes it outside of the SOC and distributed across the organization
• #11: Most do one location. One Location – Better communication easier continuity and management. More expensive as differential for the late hours will have to be paid to employees.Multiple location – harder to work on same issues including language issues, but cheaper as no need for differential pay
• #14: Overlap is key so knowledge is transferred over smoothly and the outgoing shift can bring the incoming shift up to speed. Handover is key – everyone gets into a room and shares what is going on. Agree/disagree on next steps. Shift report is paperwork is a collection of many attack reports. Lists: case worked with comments, ongoing attacks and where they stood
• #15: Have a process for involving business people, other IT and security teams (incl red teams) , and SMEs outside the SOC to help with threat modeling, incident investigations, and remediation. It is key to have the business people involved in telling you what the mission critical apps/data is so you can then protect it. Also, you perhaps can even share machine data or UI access with these other IT teams to help them with their jobs, increase uptime, and to improve collaboration Have a process so learnings are incorporated back into the SOC, IT security, and the organization Adjust correlation rules in the securrity intelligence platform, change product settings and configurations, recommend user education, fix unsafe business processes, etc Automate processes where possible: Use security intelligence platform to prioritize alerts, and give incident investigators interfaces to accelerate reviews. An example could be SOC analyst can type in an IP or user name in a form box on the UI and then get back a lot of relevant info that reflect the playbook. Or a right-click workflow action to grab a PCAP file. Ticketing systems for workflow and incident management
• #16: SOCs require a significant ongoing investment so it is key to show the value of the SOC to keep the resources coming Ongoing metrics to show the value of the SOC could include: Total events, total cases opened and closed, total threats remediated, average time to escalate, average time to remediate number of recommendations the SOC has made to the rest of the organization to reduce risk Show how the SOC has met the original goal of reducing business risk Periodic communication to key stakeholders and others groups to promote the value of the SOC Have meaningful anecdotes and high-level metrics ready to show value to executives
• #18: Need to staff multiple roles. Different background, skills, pay levels, personalities for each role: SOC architect, SOC manager, tier 1 analyst, tier 2 analyst, tier 3 analyst, malware engineer, forensics specialist, counter-intelligence specialist, content developer, etc For tier 2/3 it is helpful to have staff who know the environment well and what “abnormal” looks like. Also staff who are willing to leverage stats to find threats. Provide a promotion path so personnel can move up the tiers. Staffing model drives headcount Some 3rd-party sources indicate a minimum of 7 people are needed for 24x7 monitoring. Others indicate 10 people for 24x7. Another source says for 8x5 at least 2 people are needed. Then again, at large SOCs (for example at a major defense contractor) there can be 50+ people in the SOC and also more than 3 tiers.
• #21: Need a Security Intelligence platform which is a SIEM plus more. We will come back to that later. In summary this platform can automatically sift through hundreds or thousands of daily security-related events to alert on and assign severity levels to only the handful of incidents that really matter. For these incidents, the platform then enables SOC analysts to quickly research and remediate incidents. This platform can ingest any type of machine data, from any source in real time. These are listed here on the left and are flowing into the platform for indexing. The platform should also be able to leverage lookups and external data to enrich existing data. This is showed on the bottom and includes employee information from AD, asset information from a CMDB, blacklists of bad external IPs from 3rd-party threat intelligence feeds, application lookups, and more. Correlation searches can include this external content. So for example the platform can alert you if a low-level employee accesses a file share with critical data, but not if the file share has harmless data. Or the platform can alert you if a user name is used specifically for an employee who no longer works for your organization. These are especially high-risk events. A SOC can then perform the use cases on the top right on the data. These use cases cover all the personnel tiers in the SOC so they can all leverage the platform. They can search through the data, monitor the data and be alerted in real-time if search parameters are met. This includes cross-data source correlation rules which help find the proverbial needle in the haystack so the SOC only needs to focus on the tiny number of priority incidents that matter hidden among a sea of events. The raw data can be aggregated in seconds for custom reports and dashboards. Also the platform should be one that developers can build on. It uses a well documented Rest API and several SDKs so developers and external applications can directly access and act on the data within it.
• #22: The security intelligence platform enables all these use cases. Put in the data once then do all of this. In theory it could also extend to non-security use cases for an even stronger ROI.
• #23: This slide has come from many customers that have used and evaluated multiple SIEM technologies. Traditional SIEMs have limitations because: Only selected data sources can be brought into the system – inflexible. Challenge to support diverse environment, esp if there are custom devices, applications, environments Slow query and reporting, Slow response from reports coming back. Security intelligence platform scalability refers to a flat file data store (not a structured database), distributed search, and installation on commodity hardware. Also the ability to scale out horizontally to handle the largest and most demanding global SOC needs, with the ability to index over 100 TB a day Forced to build custom reporting suite outside of the actual SIEM - out of box functionality looks good, but limited flexibility. Caution, companies that don’t need or want customization will see this as a strength and not a weakness Traditional SIEMs have limited ability to so anomaly detection and risk scoring so it is more difficult to find the advanced threats that evade detection from traditional security products b/c they are not signature based. For these, anomaly detection is helpful to uncover them and their atypical patterns. SIEMS often are closed platforms with no APIs/SDKs, rigid UIs and configuration settings, and difficulty integrating them with other apps in the SOC or IT environment. A security intelligence platform is the opposite with APIs/SDKs, underlying configurations that are all exposed and adjustable, and a flexible UI in XML that can be customized. SOC teams have the full ability to customize the platform to meet their needs and integrate into anything else in the SOC.
• #24: Threats follow the steps at the top right -to-to enter an org and exfiltrate data. To spot this you need to connect the dots as they move through this process. To do this you need data from the 4 data source categories on the far left. Examples are to the right. Note – “malware sandbox” includes FireEye and Palo Alto Network’s Wildfire technology which detonates email and web-based payloads and attachments and links in a virtual sandbox to see what they do & if they are malicious. Sometimes this category is also called “payload analysis” or “advanced malware detection”. ETDR is Endpoint Threat Detection and Response, an emerging category of next-gen endpoint technology. Cyvera (now part of Palo Alto Networks), Carbon Black (part of Bit9), RSA ECAT, Bromium, and Mandiant MIR fall into this category. Tell this slide perhaps as a “story” where you start with an alert at top (threat intel) and then pivot and use the other data sources to complete the investigation. See the appendix slide with a sample story.
• #25: Other specialized tools are needed in a SOC. Other advanced tools for complex incident investigations. A ticketing system to hand off incidents among the SOC tiers.
• #28: In scenario 1 the products are completely standalone. The SIEM alerts and the SOC analysts then walk over to Splunk for the deep investigation. In Scenario 2 it is Splunk feeding the SIEM. Usually the SOC analysts are comfortable with the UI and reports of the existing SIEM so want it in place for correlations/alerting/reporting. Splunk still used for deep investigations. In scenario 3 the existing SIEM feeds Splunk but all SOC use cases are done in Splunk. The existing SIEM is only in place because SIEM connectors to bring in data are on hundreds or thousands of hosts already so removing/replacing them is difficult. Usually with time the organization will start sending data from the sources directly to Splunk, often with the universal forwarder, and eventually the traditional SIEM is retired.
• #29: Over 45 pre-built searches 37 predefined dashboards 160 reports Supporting common security metrics
• #32: SOC Assessment – Utilizing highly experienced SOC consultants, Splunk will review or create an engagement model for the customer specifically designed to provide a detailed “rules of engagement” document for their SOC and usage of Splunk. Depending on the needs of the customer, this can include anything from Core/ES tuning, dashboard and correlation search creation, SOC process flows for notifications and alerts, and tabletop exercises to confirm the processes are being executed upon by SOC analysts. Average engagement size: 3-6 week
• #36: And finally, I would like to encourage all of you to attend our user conference in September.   The energy level and passion that our customers bring to this event is simply electrifying.   Combined with inspirational keynotes and 150+ breakout session across all areas of operational intelligence,   It is simply the best forum to bring our Splunk community together, to learn about new and advanced Splunk offerings, and most of all to learn from one another.
• #41: Have in place strong ticketing/case management system. Think about queues and interaction with groups outside the SOC. If you need to hand a task to a different group keep in mind you may need to open a ticket on their system as well. Also determine how to receive tickets and when to open a ticket Automating escalations is way in the security intelligence platform to automatically grab relevant data for the ticket Attack/Incident Reports is the ticket with all the detail
• #45: An example of an advanced threat. You need data from the 4 data source categories on the far left in order to connect the dots to see the full activity of the threat
• #46: An example of an advanced threat. You need data from the 4 data source categories on the far left in order to connect the dots to see the full activity of the threat
• #47: An example of an advanced threat. You need data from the 4 data source categories on the far left in order to connect the dots to see the full activity of the threat
• #49: Breach response – Using the tools incumbent with Splunk (Bro, Stream, ES, etc), hand-picked security consultants will help a customer identify compromised hosts, origin of breach, malicious payload research and inspection, and gap analysis / remediation recommendations SPR (Security Program Review) – Using a “10,000 foot view,” consultants will review the customer’s current security posture around their Splunk deployment, assess any gaps and pitfalls, create and deliver a remediation and roadmap deliverable, and provide ongoing touchpoints and engagements throughout the life of the SPR. SPRs are not meant to be a tactical engagement type. Instead, they are meant to be long term (1+ years) partnership with the customer to solidify their security posture around their Splunk deployment SOC Assessment – Utilizing highly experienced SOC consultants, Splunk will review or create an engagement model for the customer specifically designed to provide a detailed “rules of engagement” document for their SOC and usage of Splunk. Depending on the needs of the customer, this can include anything from Core/ES tuning, dashboard and correlation search creation, SOC process flows for notifications and alerts, and tabletop exercises to confirm the processes are being executed upon by SOC analysts. Validation Services – Using similar methodologies of penetration testers, Splunk Security Consultants will perform penetration tests (or vulnerability scans) that will validate the dashboards, reports, and alerts identify nefarious activities. This service could also include the creation of breach logs to confirm the implementation of Splunk and the response activities of a customer’s SOC, security team, and/or IT team. Security Advisory Services – An all-encompassing engagement that is meant to be a gap analysis, assessment, deployment, tuning, and ongoing health check all in one. This offering is meant to be a long-term strategy focused engagement with the customer. SIEM Migration Services – An offering that implements the usage of SIEM specific experts to efficiently migrate from one of our competitors to either Core or ES. A secondary path for this service is supplementing Splunk with the information coming from a competing SIEM. Security Workshop – A non-product workshop with the customer to review a customer’s security posture. Can include discussion points such as: governance/compliance, network security (firewall, IDS, endpoint, etc), SOC positioning, and overall security placement. This is meant to be a precursor to additional security services and Splunk license sales.
• #50: Breach response (Proactive) – The point of this offering is to review the customer’s current breach response protocol, confirm their own internal processes, and provide them a path toward better breach response. A common project team would consist of an ES/SIEM consultant, a security consultant, and a project manager. There is a heavy documentation requirement at the end of the engagement that could include a gap assessment, future road map, and could possible include rewritten or new process and procedure documentation for the customer. Average engagement size: 2-4 weeks.
• #51: SPR (Security Program Review) – Using a “10,000 foot view,” consultants will review the customer’s current security posture around their Splunk deployment, assess any gaps and pitfalls, create and deliver a remediation and roadmap deliverable, and provide ongoing touchpoints and engagements throughout the life of the SPR. SPRs are not meant to be a tactical engagement type. Instead, they are meant to be long term (1+ years) partnership with the customer to solidify their security posture around their Splunk deployment Average engagement size: 3-6 weeks which will extend over the lifecycle of the customer (assumed re-engagement on a regular basis)
• #52: SOC Assessment – Utilizing highly experienced SOC consultants, Splunk will review or create an engagement model for the customer specifically designed to provide a detailed “rules of engagement” document for their SOC and usage of Splunk. Depending on the needs of the customer, this can include anything from Core/ES tuning, dashboard and correlation search creation, SOC process flows for notifications and alerts, and tabletop exercises to confirm the processes are being executed upon by SOC analysts. Average engagement size: 3-6 week
• #53: Validation Services – Using similar methodologies of penetration testers, Splunk Security Consultants will perform penetration tests (or vulnerability scans) that will validate the dashboards, reports, and alerts identify nefarious activities. This service could also include the creation of breach logs to confirm the implementation of Splunk and the response activities of a customer’s SOC, security team, and/or IT team. Average engagement size: 2-4 weeks