Posted on 04-Apr-2018

#RSAC

Session ID: SDS-R08

Data Analytics, Developers, and Automation - What you want in next generation SOCs

Chris Kinnahan
Director, Global Security Operations Center, Sony Corporation

You Could Be Here

Evolution of SOCs – The Early Days

What We Defended

• Static assets
• Unencrypted traffic
• Limited bandwidth

Awkward Teenage Years

What We Defended

• Limited mobile
• Some traffic encrypted

Today…

What We Defended

It’s not working…

So What Now?

Three Key Components to a Successful SOC

Data, Data, Data

Automation

SecDev – Security Development

It’s a Data Science Problem

Historically, detection and response were centered on commercial signatures: security was only as good as the products you purchased.

The problem with this model is that an attack had to reach a certain level of activity before vendors took note and developed a signature. That worked when the primary threat was a large worm outbreak like Nimda or Code Red. Current threats are more sophisticated and customized, and they are built to avoid drawing attention.

Our response has been to gather more and more data in the hope of detecting that activity. The problem is that we are now overwhelming our teams with data.

How do we adapt?

We need to approach it as a big data problem. So what does that mean?

• We need to move from tools to platforms
• We need to apply data management solutions to our data problems
• Our analysts have to adapt and become smarter

Platforms

SIEMs are the heart of our IR teams. At best they integrate with their vendor’s own products; at worst they take in data but offer minimal opportunity to interact with it in automated ways.

We need solutions that provide full-fledged APIs or direct database access, so that we can integrate them with our other tools.

Your SOC needs to be able to integrate and automate how its tools interact with each other.

Data Management

We need to apply traditional data management and optimization techniques:

• Utilize summary tables for your most frequent queries
• Make sure you are extracting all the fields your analysts need
• Ensure that your schema is dynamic and can change over time
• Benchmark everything

Dedicate a Data Architect/Administrator to:

• Monitor analyst queries
• Monitor how what analysts are querying changes over time
• Assist analysts in improving their searches
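As an added illustration of the summary-table and benchmarking points above (this is example code, not code from the deck or from Sony), the Python below builds a constructed raw DNS-event table in SQLite, materializes a per-host, per-day aggregate, answers the same "which hosts had the most NXDOMAIN answers on a given day" question from both, and times the two. The table names, columns, sample rows and the choice of NXDOMAIN counts as the frequent query are assumptions made for the example.

```python
"""Summary tables for the queries analysts run most often, shown on SQLite.

Added example, not from the original deck.  The raw 'dns_events' table, its
schema and its rows are constructed here for the illustration; a real SIEM
or data warehouse has its own schema and its own way to build and refresh
the aggregate on a schedule.
"""
import random
import sqlite3
import time

DAY0 = 17361 * 86400  # midnight of a constructed start day (epoch seconds)


def build_raw_table(conn, hosts=50, days=3, per_host_per_day=400, seed=1):
    """Populate the constructed raw DNS log: one row per query.
    Returns the number of rows inserted."""
    rng = random.Random(seed)
    conn.execute(
        "CREATE TABLE dns_events (ts INTEGER, src_host TEXT, "
        "qname TEXT, rcode INTEGER)"
    )
    domains = ["example.com", "update.example.net", "cdn.example.org"]
    rows = []
    for d in range(days):
        for h in range(hosts):
            for _ in range(per_host_per_day):
                ts = DAY0 + d * 86400 + rng.randrange(86400)
                # rcode 3 is NXDOMAIN; roughly one query in four fails here
                rcode = rng.choice([0, 0, 0, 3])
                rows.append((ts, f"host{h:03d}", rng.choice(domains), rcode))
    conn.executemany("INSERT INTO dns_events VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def build_summary(conn):
    """Materialize the aggregate behind the most frequent analyst question:
    per host and per day, how many queries and how many NXDOMAIN answers.
    Rebuild (or incrementally append) this on a schedule, not per query."""
    conn.execute("DROP TABLE IF EXISTS dns_daily")
    conn.execute(
        "CREATE TABLE dns_daily AS "
        "SELECT src_host, ts / 86400 AS day, COUNT(*) AS queries, "
        "SUM(rcode = 3) AS nxdomain "
        "FROM dns_events GROUP BY src_host, ts / 86400"
    )
    conn.execute("CREATE INDEX dns_daily_day ON dns_daily (day)")
    conn.commit()


# The same question asked two ways: scanning raw events vs. reading the summary.
RAW_QUERY = (
    "SELECT src_host, SUM(rcode = 3) AS nx FROM dns_events "
    "WHERE ts / 86400 = ? GROUP BY src_host "
    "ORDER BY nx DESC, src_host LIMIT ?"
)
SUMMARY_QUERY = (
    "SELECT src_host, nxdomain AS nx FROM dns_daily "
    "WHERE day = ? ORDER BY nx DESC, src_host LIMIT ?"
)


def top_nxdomain_hosts(conn, day, n=5, use_summary=False):
    """Top-n hosts by NXDOMAIN count for one day, as [(src_host, count), ...]."""
    query = SUMMARY_QUERY if use_summary else RAW_QUERY
    return conn.execute(query, (day, n)).fetchall()


def benchmark(conn, day, runs=20):
    """Average seconds per query for the raw form and the summary form.
    'Benchmark everything': this is the number that justifies the table."""
    timings = []
    for use_summary in (False, True):
        start = time.perf_counter()
        for _ in range(runs):
            top_nxdomain_hosts(conn, day, use_summary=use_summary)
        timings.append((time.perf_counter() - start) / runs)
    return tuple(timings)


def run_demo():
    """Build everything in memory and return what an analyst would check:
    both answers must match, and the summary should be the faster path."""
    conn = sqlite3.connect(":memory:")
    rows = build_raw_table(conn)
    build_summary(conn)
    day = DAY0 // 86400 + 1  # the middle day of the constructed data
    raw = top_nxdomain_hosts(conn, day, use_summary=False)
    summary = top_nxdomain_hosts(conn, day, use_summary=True)
    raw_s, summary_s = benchmark(conn, day)
    conn.close()
    return {"rows": rows, "raw": raw, "summary": summary,
            "raw_seconds": raw_s, "summary_seconds": summary_s}


if __name__ == "__main__":
    result = run_demo()
    print(f"{result['rows']} raw rows; answers match: {result['raw'] == result['summary']}")
    print(f"raw {result['raw_seconds'] * 1000:.2f} ms vs "
          f"summary {result['summary_seconds'] * 1000:.2f} ms per query")
```

Run it and the two answers agree while the aggregate returns in a small fraction of the raw scan's time. The same shape applies to any SIEM or warehouse that lets you schedule a rebuild of the aggregate and point the analysts' saved searches at it, and the benchmark is what tells you which saved searches deserve a table.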

Analysts Need to Get Smarter

Smarter Analysts

Solid IT skills

Basic ability to script/code

Problem solving

Attention to detail

Innate interest in technology

Analyst Magic Quadrant

[Figure: the analyst "magic quadrant", plotted on two axes, Intelligence and Motivation, contrasting what you think your magic quadrant is with your actual magic quadrant.]

Automation

Ask yourself: do your analysts spend more time compiling and collecting data, or analyzing it? Everything needs to be centered around the analysts. We need to bring the data to them:

• Historical incidents… have you seen this before?
• Threat intelligence
• Whois records
• DNS resolution history
• Analyst data
• Vulnerability data
• Etc.
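One way to bring those sources to the analyst in a single step, as an added example (this is not the deck's or Sony's code): the Python below enriches an alert from constructed in-memory stand-ins for past incidents, threat intelligence, passive DNS and vulnerability data, and turns the hits into a score with the reasons attached so the analyst starts from the context instead of collecting it. The alert fields, the sample records, the indicator values and the scoring weights are all assumptions for the illustration.

```python
"""Alert enrichment: one call that brings the context to the analyst.

Added example, not from the original deck.  Every source below (past
incidents, threat intel, passive DNS, vulnerability data) is a constructed
in-memory stand-in for what would be an API call into the ticketing system,
TI platform, passive-DNS service and scanner.  The alert fields and the
scoring weights are assumptions for the illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# --- constructed stand-ins for the sources listed on the slide --------------
PAST_INCIDENTS = [
    {"id": "INC-0412", "indicator": "203.0.113.7", "verdict": "true positive",
     "closed": "2017-11-02", "note": "credential theft, host reimaged"},
    {"id": "INC-0031", "indicator": "198.51.100.20", "verdict": "false positive",
     "closed": "2018-01-15", "note": "vendor update server"},
]
THREAT_INTEL = {
    "203.0.113.7": {"feed": "commercial feed A", "tags": ["c2"], "first_seen": "2017-10-20"},
}
PASSIVE_DNS: Dict[str, List[Tuple[str, str]]] = {  # indicator -> [(name, first seen)]
    "203.0.113.7": [("sync.example.net", "2018-03-25"), ("old-shop.example.org", "2016-02-11")],
    "198.51.100.20": [("updates.example.com", "2015-06-01")],
}
VULN_DATA = {  # asset -> latest scanner summary
    "ws-0142": {"last_scan": "2018-03-20", "critical": 2, "high": 5},
    "ws-0007": {"last_scan": "2018-03-27", "critical": 0, "high": 1},
}


@dataclass
class Enriched:
    alert: dict
    prior_incidents: List[dict] = field(default_factory=list)
    intel: Optional[dict] = None
    dns_history: List[Tuple[str, str]] = field(default_factory=list)
    vulns: Optional[dict] = None
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def enrich(alert, incidents=PAST_INCIDENTS, intel=THREAT_INTEL,
           pdns=PASSIVE_DNS, vulns=VULN_DATA, recent_days=30):
    """Gather everything the analyst would otherwise look up by hand and
    turn it into a score with an audit trail of why."""
    ind = alert["indicator"]
    seen = date.fromisoformat(alert["seen"])
    e = Enriched(alert=alert)

    # "Have you seen this before?"
    e.prior_incidents = [i for i in incidents if i["indicator"] == ind]
    for inc in e.prior_incidents:
        if inc["verdict"] == "true positive":
            e.score += 3
            e.reasons.append(f"prior true positive {inc['id']}: {inc['note']}")
        elif inc["verdict"] == "false positive":
            e.score -= 2
            e.reasons.append(f"prior false positive {inc['id']}: {inc['note']}")

    # Threat intelligence
    e.intel = intel.get(ind)
    if e.intel:
        e.score += 3
        e.reasons.append(f"on {e.intel['feed']} as {','.join(e.intel['tags'])}")

    # DNS resolution history, newest first; a name that only appeared
    # recently is more suspicious than long-standing infrastructure
    e.dns_history = sorted(pdns.get(ind, []), key=lambda r: r[1], reverse=True)
    for name, first in e.dns_history:
        age = (seen - date.fromisoformat(first)).days
        if 0 <= age <= recent_days:
            e.score += 1
            e.reasons.append(f"{name} first resolved to it {age} days ago")

    # Vulnerability data for the asset involved
    e.vulns = vulns.get(alert["asset"])
    if e.vulns and e.vulns["critical"] > 0:
        e.score += 2
        e.reasons.append(f"asset has {e.vulns['critical']} critical findings "
                         f"(scan {e.vulns['last_scan']})")
    return e


def triage(alerts):
    """Enrich a batch and hand the analyst the queue highest score first."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e.score, reverse=True)


# Two constructed alerts for the demo
SAMPLE_ALERTS = [
    {"id": "A-1", "indicator": "198.51.100.20", "asset": "ws-0007", "seen": "2018-03-28"},
    {"id": "A-2", "indicator": "203.0.113.7", "asset": "ws-0142", "seen": "2018-03-28"},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(f"{e.alert['id']} score={e.score}")
        for reason in e.reasons:
            print(f"  - {reason}")
```

The reasons list matters as much as the score: it is what lets the analyst disagree with the automation quickly, and what a Data Architect can mine later to see which sources actually move verdicts.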

Threat Pyramid

[Figure: threat pyramid, with Standard Threats forming the base and Top Threats at the apex.]

Security Development

• Commercial solutions are usually “good enough” to take care of 90% of the threats, assuming they are properly selected, managed, and tuned.

• The top 10% of threats tend to be either too new or not widespread enough for commercial solutions to tackle… this is where you need to invest development effort.

• The 10% is a moving target. Eventually commercial solutions catch up and you have a new 10% to worry about.

• Analysts are your gateway to finding that top 10%; oftentimes they know what they want but don’t know the “how”. That’s where a Security Development team comes in.

DevOps meet DevAns

Every SOC organization needs Developer/Analysts (DevAns). These are your senior analysts who have some coding capability and an understanding of what gaps exist in the detection or analysis process.

Your SOC needs the ability to experiment with data and tools in order to find new ways to detect activity. Often these experiments lead to nothing, but a few times they will let you find activity that was otherwise undetectable.
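An added example of the kind of experiment a DevAn runs to go after the 10% that signatures miss, serving both the Security Development slide and the DevAns slide above (this is example code, not the deck's or Sony's own): the Python below parses constructed proxy log lines, groups requests by source and destination host, and flags pairs whose request intervals are too regular to be a person browsing. The log format, the constructed beacon with its jitter, the thresholds and the result fields are assumptions for the illustration.

```python
"""A DevAns experiment: find beaconing that no signature describes.

Added example, not from the original deck.  The proxy log lines are
constructed below (one host calls one name every ~300 s, the rest is
random browsing); the log format, the thresholds and the result fields are
assumptions for the illustration, not any product's.
"""
import random
import statistics
from collections import defaultdict
from urllib.parse import urlparse

START = 1_522_227_600  # constructed start time (epoch seconds)


def make_sample_log(seed=7):
    """Constructed proxy log: '<epoch> <src_ip> <method> <url> <status>'."""
    rng = random.Random(seed)
    lines = []
    t = START
    for _ in range(40):  # the implant: every 300 s with +/- 10 s jitter
        lines.append(f"{t} 10.1.2.3 GET http://sync.example.net/ping 200")
        t += 300 + rng.randint(-10, 10)
    hosts = ["www.example.com", "news.example.org", "mail.example.net"]
    for _ in range(300):  # ordinary browsing from several workstations
        t = START + rng.randrange(12000)
        src = rng.choice(["10.1.2.3", "10.1.2.4", "10.1.2.5"])
        lines.append(f"{t} {src} GET http://{rng.choice(hosts)}/{rng.randrange(1000)} 200")
    rng.shuffle(lines)
    return lines


def detect_beacons(lines, min_events=10, max_cv=0.15):
    """Group requests by (src, destination host) and flag pairs whose
    inter-request gaps are both numerous and unusually regular.
    cv = stdev / mean of the gaps; real browsing is bursty (cv near 1),
    a timer-driven implant is not."""
    times = defaultdict(list)
    for line in lines:
        ts, src, _method, url, _status = line.split()
        dst = urlparse(url).hostname
        times[(src, dst)].append(int(ts))
    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "median_interval": statistics.median(gaps),
                         "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in detect_beacons(make_sample_log()):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} requests, "
              f"median gap {hit['median_interval']:.0f} s, cv {hit['cv']}")
```

Nothing here matches a signature; the detection is a property of the traffic's timing, which is exactly the kind of thing an analyst can describe in a sentence and a DevAn can turn into a query that runs every hour against the platform.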

Avoid My Mistakes

• Don’t fall in love with your custom tools… eventually you’ll replace them with commercial ones.
• Don’t buy into the vendor hype… test everything.
• Stay focused; don’t get caught up in the solution… focus on the problem.
• Don’t collect data for the sake of collecting data.
• Bring in professionals… security people think they can do everything, but you need DBAs, developers, etc. as well.
• The ability to learn is much more valuable than experience.

Questions To Ask Yourself

How quickly can your security technology pivot?

Who’s in charge of your security data architecture?

What do your analysts spend most of their time on?

Do you have a security development capability?

How automated are your tools and processes?
