Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptx
Download as PPTX, PDF•2 likes•767 views
The document discusses the necessity and components of Security Operations Centers (SOCs) for cloud native companies, highlighting the evolution from traditional on-premises SOCs to cloud-based solutions. It emphasizes the importance of skilled personnel, effective processes, and appropriate technologies in addressing evolving cybersecurity challenges such as fraud, data leakage, and ransomware. The roadmap suggested includes establishing basic cyber hygiene, defining SOC models, and evaluating SIEM solutions to enhance security capabilities.
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptx
- 1. Security Operations Cloud vs On Prem SOC for Cloud Native Companies Vikas Yadav
- 2. Little bit about Myself Current Current: CISO at Nykaa Prior CISO Max Life MTech IIT Kharagpur, CISSP, CCSK Military Veteran Outside Work Sports - Tennis, Golf, Trekking Reading Online Courses Love Travelling
- 3. Agenda 1. Need for a SOC 2. What is a SOC 3. Security Operations - Cyber Hygiene 4. SOC Essential Components 5. SOC Maturity 6. Modern SOC 7. SOC for Cloud Environments
- 4. Need for SOC ! ● Security Roadmap Item No 3 - Our Consultant told us. ● FOMO - Everyone has it. ● Tick in the Box - Regulatory Requirement. ○ CERT-IN / GDPR mandates 72 hr reporting ● Prevention is not Enough ! - Incident Detection and Response - Help respond and recover faster.
- 5. What are your trying to solve ? ● Business Problems ○ Fraud ○ Data Leakage ○ Ransomware ● Technical Challenges/ Security Gaps ○ Need to detect cyber attacks timely ○ Correlate alerts coming from different sources ● Process Issues ○ Too many disparate security solutions ○ No coordinate way to detect and prevent attacks
- 6. Security Operations vs Log Aggregation 1. Do you Monitors events and logs ? 2. Correlate and add context to detect a breach/attack ? 3. Performs investigations to understand root cause and mitigate impact ? 4. Coordinate with IT/ DevOps to to address the breach ? 5. Seek external help - Incident Response firm ? 6. Inform Senior management. 7. Take Remedial Action and document Lessons Learned ?
- 7. What is SOC ? A SOC is a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents. A SOC is traditionally a physical facility within an organization, which houses an information security team. This team analyzes and monitors the organization’s security systems. The SOC’s mission is to protect the company from security breaches by identifying, analyzing, and reacting to cybersecurity threats. A security operations center (SOC) can be defined both as a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.
- 9. Essential components of a SOC SNo Component Purpose Sample Gaps 1 PEOPLE - SOC Staff To monitor alerts , To triage , To respond, To recover NOT TO RAISE A TICKET No Designated Person or Structure 2 SOC PROCESSES Should be simple and effective Playbooks should be defined No Processes defined No one to look at alerts No ticketing systems 3 TECH Stack AV/ EDR, SWG, Firewalls SIEM - Logging and Correlation SOAR - Automation Inadequate Logging Not centralised 4 Data Sources Logs Central Solution - SIEM or Log Management Solution No SIEM Automation 5 Threat Intel IOCs Intelligence Feeds No Threat Intel No Intelligence Feeds 6 Use Cases Detect and Prevent Attacks Use Cases Relevant
- 10. SOC Maturity Model Source: Gorka Sadowski Medium Article - New-soc-maturity-model-based-on-outcomes
- 11. Modern SOC - Outcome Based Source: Gorka Sadowski Medium Article - New-soc-maturity-model-based-on-outcomes
- 12. Security Operations in Cloud SOC for Cloud environments
- 13. How things change in Cloud ? 1. People a. Conventional SOC analysts do not understand Cloud b. Need people with new Skill Sets 2. Technology a. Threat Model changes - You do not own Infra. b. Multi Cloud environment and SAAS applications c. Log Volume increases exponentially ( Web systems) d. Egress Costs e. Uncommon Log Collection methods 3. Processes a. Easier to automate b. Conventional slow processes may not work with DevOps team 4. Advantages a. Lot of controls out of the box - Native Security Controls b. AWS Guard Duty, Detective
- 14. Suggested strategies 1. Prioritise Visibility 2. Leverage new Tools a. CASB - Cloud Access Security Broker b. CSPM Cloud Security Posture Managements 3. Leverage Native Controls a. AI ML - AWS Guard Duty/ AWS Detective 4. Prefer Cloud and Native SIEMs( Egress Cost !) a. Google Chronicle/SUMO Logic/Elastic b. Microsoft Sentinel 5. Partner with DevOps a. More Agile and skilled than conventional IT b. Lateral hiring
- 15. Leveraging Native Services - AWS Example Source : https://www.sans.org/webcasts/enhance-efficiency-soc-aws-cloud-112950/
- 16. AWS WorkFlow Example SIEM Solution Source : https://www.sans.org/webcasts/enhance-efficiency-soc-aws-cloud-112950/
- 17. Way forward
- 18. A suggested Roadmap ! 1. Have basic Cyber Hygiene in place - CIS Critical controls a. Asset Inventory, Patching, EDR/AV, DLP, SWG b. Enable Cloud Native controls 2. SOC Fundamentals a. Know your Data Sources and Build your Use Cases b. Decide your model - Hybrid or In House or Outsourced c. Define KPIs for testing effectiveness of SOC 3. Evaluation and Selection a. Set up a Open Source Security Logging and Monitoring Setup first b. Do a POC before deciding on your SIEM solution and SOC Partner
- 19. Thanks
- 20. SIEM - The Holy grail ? 1. Can you set up a SOC without it ? 2. Log Management and Correlation 3. What about SOC Automation ? 4. Can it take all Log sources or you need to build custom parsers ? 5. How will you control the log volume ? 6. Or Price yourself out of your allocated budget / Bandwidth ! 7. SAAS or Self Hosted ( On Prem vs Cloud)
- 21. Value Add ons 1. UEBA - User Event Behavioral Analytics 2. SOAR - SOC Automation 3. Add Ons a. Brand Monitoring b. Dark Web Monitoring c. EDR - This alone can solve lots of your use cases d. XDR - Needs to mature
- 22. Top Questions 1. Model a. In house , Completely Outsourced or Hybrid 2. Which SIEM Solution ? a. SAAS vs Deployed, b. Open Source vs Commercial 3. How do you get Budgets ? 4. How will show its ROI ? a. Solve Business Problems b. Meet Compliance Mandates 5. How will it enhance your security capability ? a. Detect and prevent Cyber Attacks
- 23. Key Factors in Building a SOC Cost - Never Infinite Timeline - 3 - 6 months Maturity - 6 - 12 months - Better you plan, more you will reduce this duration ROI - Difficult to measure and show- BUT Essential to Demonstrate People with right Attitude and skill sets Right Partner - MSP or Consultant
- 24. References 1. Demystifying the SOC - Medium articles by Gorka Sadowski 2. Ten Strategies of a World-Class Cybersecurity Operations Center - Mitre Corporation 3. https://www.cisoplatform.com/profiles/blogs/evolving-soc-to-cloud-detections 4. https://blogs.gartner.com/pete-shoard/use-the-gartner-soc-hit-model/ 5. https://www.exabeam.com/security-operations-center/security-operations- center-a-quick-start-guide/ 6. https://www.sans.org/webcasts/enhance-efficiency-soc-aws-cloud-112950/