the one-man soc: habits of highly effective security practitioners

Habits of Highly Effective Security Practitioners

BY: JOE SCHREIBER, SOLUTIONS ARCHITECT, ALIENVAULT

THE ONE-MAN SOC

About Me• Solutions Architect @ AlienVault• Former SOC Manager/Analyst/Programmer with AT&T Managed Security

Services• SIEM Enthusiast• Blog post: Open Source Intrusion Detection Tools: A Quick Overview• Blog post: MSSP – The New Acceptance• Webinars: Data Sources, Policies, and more…

Practitioners Guide: The Series• Practitioners Guide to SOC• The One-Man SOC (you are watching it now!)• Help us select our next topic in this series. Tweet: @pkt_inspector

Real Advice, for Real People

In this session you will learn:

HOW TO WORK AROUND THE LIMITATIONS OF A SMALL (OR ONE

PERSON) TEAM

KEY SKILLS TO IMPROVE YOUR EFFICIENCY

TIPS FOR ESTABLISHING A DAILY ROUTINE

STRATEGIES TO EFFECTIVELY PRIORITIZE DAILY TASKS

THE CONCEPT OF AUTOMATION AND WHEN TO USE IT

BENEFITS OF THREAT INTELLIGENCE SHARING

When you are alone in the SOC

Here’s what you are missing:

The Two Man RuleDouble VerificationLong Response TimesLess Investigation Time per Incident

So let’s get started

“So how can I work around these limitations?”

Different Data, Same StoryKnow Your Audience

Source: ISC2 Workforce Survey

The IT security function is understaffed. Seventy-percent of respondents say their organizations do not have enough IT security staff.

---Ponemon Institute LLC Feb 2014

Know Your Audience

Source: ISC2 Workforce Survey

Security Awareness

Security Awareness is critical

It is where it all starts

Vigilance

It’s your job to spread it

Listen how often this comes up….

Know Your Environment

It’s not always about IT, but it could be.

What are your users doing?

• Websites they visit?- Water Cooler attacks?

• What games are they playing?- Flash exploits?- Game owner hacked?

Where are your users?

• Where are teams located?- Why are they logging in from elsewhere?

Are there business procedures that put you at risk?

Remember you are not the NSA

Know Your Environment

PEER

You: Seen this heartbleed thing?Web Admin: Heart what?You: It’s serious, check it out. LinkWeb Admin: Holy !@#$Web Admin: Okay I’m generating CSRs now for new keys.You: Good call. Let me know how the patching goes too. Working on getting the IDS to see this attack.

Communication

MANAGER

You: New vulnerability called heartbleed. It’s very serious.Manager: What is the impact?You: Anything that uses OpenSSL is potentially exposed.Manager: What uses OpenSSL?You: EverythingManager: Are we hacked?You: It’s not that simple.Manager: Why is this more serious than the last one?

✓ Mission and Risk Understood ✗ Mission and Risk Understood

KNOW YOUR AUDIENCE

Let’s try this againCommunication

You: There was a vulnerability announced moments ago called heartbleed. You can find the technical details here. There are distinct factors that make this critical:

1. There is no known detection or audit mechanism available to determine if we are being attacked or were attacked

2. This vulnerability is present in a large percentage of our IT infrastructure3. Most importantly encrypted traffic could be read by others creating high risk

exposure

I will conduct an audit and then we need to start patching immediately. Lets get everyone together for a standing meeting now.

Manager: Totally agree. Calling the meeting now and starting escalation.

Save yourself time.

Clearly Defined Risks

Mission Stated. Call to Action created.

It MattersPerception

TECH SKILLS

The Journey Isn’t Over.Things to Learn

Automation Scripting

You have all the time you need right?

Automation

Why Automation?

Save time of courseAd-Hoc reportingIntegration• With other devices• With other groups

It’s the Little Things

XKCD is AwesomeWhen to Automate?

In this case there is no circle…maybe it’s not a cycle then?

Life Cycle

•Saving Time?•Serves Need?

Frequency?•Development Time?Script

•Schedule•Action

Automatic

Process

Security > AutomationStay Focused

Yes, More XKCD. He just gets it.

hoe kan ik automatiseren?

Time to learn a new languageLearning to script will save you time

How do I Automate?

Factors

What is already in your environment?• Heard that before?

Portability• Where else can I use this?

Which Language?

Basic Shell ToolsDo I Really Need to Learn Scripting?

Real World Example

I need to make an ACL quickly

PROCESS

Really, it is like totally important and stuff

Daily• Alarm Review• Event Review• Tuning

Weekly• Vulnerability Scanning• Audits

The Importance of Routine

What’s in your Routine?

Putting the routine to work

First!• This is your logic at work

Do not stop until critical or high severity are closedInvestigate by taxonomy• Exploitation• Malware• Policy

Alarm Review

Often. Do This.

Set aside time each and every day• You’ll get a feel for it• You’ll recognize patterns

Don’t believe me?

Event Review

WATCH THIS VIDEO

Methods

Use the alternative views

Event Review

PRACTICAL: OTHER VIEWS

Yes, Again!

Vulnerability Scanning• Run scans regularly• Run them in a targeted manner• Establish a remediation plan before scanning

Asset Detection

Profiling• Use Off Hours to detect automatic processes

- and then filter them!

Know Your Environment

Organization

Make Groups• Organize by

- Function- Location- Host Properties

Use Groups for• Polices• Scanning• Event Views

Your Environment

There will be a quiz at the end. Not Really.Taking Notes?

Information Recording

• Ticketing System

• Wiki

Benefits

• Time Saving

• Knowledge Transfer

THREAT SHARING

One Person. Many Friends.Threat Sharing

Anyone?

0-day? More like

yesterday.

APT? Yeah you know

me.

Malware makes me

happy.

Request

Help

Knowledge

Confirmation

THREAT INTELLIGENCE POWERED BY OPEN COLLABORATION

35

• Diverse set of data & devices

• 8,000 collection points• 140+ countries• 500,000 malware

samples analyzed daily

• 1500+ Event Correlation Rules

• 5 Event Attack Types

Today we learned…Summary

How to work around the limitations of a small (or one person) team

Tips for establishing a daily routineStrategies to effectively prioritize daily tasksBenefits of Threat Intelligence sharing

Final Thought

“Security is your problem, and everyone else's too.”

Now for some Q&A…Learn More about AlienVault USM

Register for our Weekly Live Product

Demo

https://www.alienvault.com/marketing/

alienvault-usm-live-demo

Download a Free 30-Day Trial

http://www.alienvault.com/free-trial