Posted: 15-Jan-2015 | Category: Technology | Uploaded by: alienvault
Habits of Highly Effective Security Practitioners
BY: JOE SCHREIBER, SOLUTIONS ARCHITECT, ALIENVAULT
THE ONE-MAN SOC
About Me
• Solutions Architect @ AlienVault
• Former SOC Manager/Analyst/Programmer with AT&T Managed Security Services
• SIEM Enthusiast
• Blog post: Open Source Intrusion Detection Tools: A Quick Overview
• Blog post: MSSP – The New Acceptance
• Webinars: Data Sources, Policies, and more…
Practitioners Guide: The Series
• Practitioners Guide to SOC
• The One-Man SOC (you are watching it now!)
• Help us select our next topic in this series. Tweet: @pkt_inspector
Real Advice, for Real People
In this session you will learn:
HOW TO WORK AROUND THE LIMITATIONS OF A SMALL (OR ONE PERSON) TEAM
KEY SKILLS TO IMPROVE YOUR EFFICIENCY
TIPS FOR ESTABLISHING A DAILY ROUTINE
STRATEGIES TO EFFECTIVELY PRIORITIZE DAILY TASKS
THE CONCEPT OF AUTOMATION AND WHEN TO USE IT
BENEFITS OF THREAT INTELLIGENCE SHARING
When you are alone in the SOC
Here’s what you are missing:
• The Two Man Rule
• Double Verification
• Long Response Times
• Less Investigation Time per Incident
So let’s get started
“So how can I work around these limitations?”
Different Data, Same Story
Know Your Audience
Source: ISC2 Workforce Survey
The IT security function is understaffed. Seventy percent of respondents say their organizations do not have enough IT security staff.
---Ponemon Institute LLC Feb 2014
Security Awareness
Security Awareness is critical
It is where it all starts
Vigilance
It’s your job to spread it
Listen to how often this comes up…
Know Your Environment
It’s not always about IT, but it could be.
What are your users doing?
• Websites they visit?
  - Water Cooler attacks?
• What games are they playing?
  - Flash exploits?
  - Game owner hacked?
Where are your users?
• Where are teams located?
  - Why are they logging in from elsewhere?
Are there business procedures that put you at risk?
Remember you are not the NSA
Know Your Environment
PEER
You: Seen this heartbleed thing?
Web Admin: Heart what?
You: It’s serious, check it out. Link
Web Admin: Holy !@#$
Web Admin: Okay I’m generating CSRs now for new keys.
You: Good call. Let me know how the patching goes too. Working on getting the IDS to see this attack.
Communication
MANAGER
You: New vulnerability called heartbleed. It’s very serious.
Manager: What is the impact?
You: Anything that uses OpenSSL is potentially exposed.
Manager: What uses OpenSSL?
You: Everything
Manager: Are we hacked?
You: It’s not that simple.
Manager: Why is this more serious than the last one?
Peer: ✓ Mission and Risk Understood
Manager: ✗ Mission and Risk Understood
KNOW YOUR AUDIENCE
Let’s try this again
Communication
You: There was a vulnerability announced moments ago called heartbleed. You can find the technical details here. There are distinct factors that make this critical:
1. There is no known detection or audit mechanism available to determine if we are being attacked or were attacked
2. This vulnerability is present in a large percentage of our IT infrastructure
3. Most importantly, encrypted traffic could be read by others, creating high risk exposure
I will conduct an audit and then we need to start patching immediately. Let’s get everyone together for a standing meeting now.
Manager: Totally agree. Calling the meeting now and starting escalation.
Save yourself time.
Clearly Defined Risks
Mission Stated. Call to Action created.
Perception: It Matters
TECH SKILLS
Things to Learn
The Journey Isn’t Over.
Automation Scripting
You have all the time you need right?
Automation
Why Automation?
Save time, of course
Ad-Hoc reporting
Integration
• With other devices
• With other groups
It’s the Little Things
XKCD is Awesome
When to Automate?
In this case there is no circle…maybe it’s not a cycle then?
Life Cycle
(Diagram: Script → Schedule → Action → Automatic Process)
Script
• Saving Time?
• Serves Need?
• Frequency?
• Development Time?
Automatic Process
• Schedule
• Action
Stay Focused
Security > Automation
Yes, More XKCD. He just gets it.
How can I automate?
Time to learn a new language
Learning to script will save you time
How do I Automate?
Factors
What is already in your environment?
• Heard that before?
Portability
• Where else can I use this?
Which Language?
Do I Really Need to Learn Scripting?
Basic Shell Tools
Real World Example
I need to make an ACL quickly
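The slide does not spell the ACL example out, so here is an added example (not from the presentation) of the kind of basic-shell-tools pipeline it refers to: a blocklist of addresses collected during an investigation goes in, ACL lines come out, with sed, grep, sort and awk doing the work. The Cisco-style ACL syntax and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the presentation: turn a blocklist of IPv4
# addresses/CIDRs (as gathered during an investigation) into Cisco-style
# ACL lines using only basic shell tools. The ACL syntax is an assumption;
# adapt the final print to whatever your firewall expects.

# Reads entries on stdin (one per line, '#' comments allowed), drops
# malformed or duplicate entries, normalizes each network to its base
# address plus wildcard mask, and ends with the usual permit-all line.
blocklist_to_acl() {
    sed 's/#.*//' \
    | tr -d ' \t' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | sort -u \
    | awk -F'[./]' '
        function dotted(n) {
            return sprintf("%d.%d.%d.%d", int(n / 16777216) % 256,
                   int(n / 65536) % 256, int(n / 256) % 256, n % 256)
        }
        # an octet above 255 passes the regex: skip such entries
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 { next }
        {
            prefix = (NF == 5) ? $5 + 0 : 32
            if (prefix > 32) next
            ip   = $1 * 16777216 + $2 * 65536 + $3 * 256 + $4
            size = 2 ^ (32 - prefix)              # addresses in the block
            net  = ip - (ip % size)               # clear the host bits
            line = "deny ip " dotted(net) " " dotted(size - 1) " any"
            if (!seen[line]++) print line         # 10.0.0.5 and 10.0.0.5/32 collapse
        }
        END { print "permit ip any any" }'
}

# Usage: blocklist_to_acl < blocklist.txt; constructed input follows.
printf '10.0.0.5\n10.0.0.5/32 # same host\n192.168.1.0/24\n999.1.1.1\n' | blocklist_to_acl
```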
PROCESS
Really, it is like totally important and stuff
Daily
• Alarm Review
• Event Review
• Tuning
Weekly
• Vulnerability Scanning
• Audits
The Importance of Routine
What’s in your Routine?
Putting the routine to work
First!
• This is your logic at work
Do not stop until critical or high severity are closed
Investigate by taxonomy
• Exploitation
• Malware
• Policy
Alarm Review
Often. Do This.
Set aside time each and every day
• You’ll get a feel for it
• You’ll recognize patterns
Don’t believe me?
Event Review
WATCH THIS VIDEO
Methods
Use the alternative views
Event Review
PRACTICAL: OTHER VIEWS
Yes, Again!
Vulnerability Scanning
• Run scans regularly
• Run them in a targeted manner
• Establish a remediation plan before scanning
Asset Detection
Profiling
• Use Off Hours to detect automatic processes - and then filter them!
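The off-hours profiling idea in practice, as an added example that is not part of the presentation: it tallies which user/source pairs log in during the night and on how many distinct days, treats the pairs that recur as scheduled jobs, and filters them out so only the irregular night logins are left for review. The log format, the 00:00-05:59 window and the "two or more days" threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the presentation: profile off-hours logins to
# find accounts that show up on a schedule (backup jobs, scanners) and
# filter them out of the daily event review. The log lines are
# constructed; the format and the 00:00-05:59 window are assumptions.

SAMPLE_LOG='2015-01-12T02:00:11 user=svc_backup src=10.0.0.20 event=login
2015-01-12T02:00:14 user=svc_backup src=10.0.0.20 event=login
2015-01-12T03:30:02 user=jdoe src=10.0.5.7 event=login
2015-01-12T09:15:40 user=jdoe src=10.0.5.7 event=login
2015-01-13T02:00:09 user=svc_backup src=10.0.0.20 event=login
2015-01-13T04:45:00 user=vuln_scan src=10.0.0.30 event=login
2015-01-14T02:00:12 user=svc_backup src=10.0.0.20 event=login
2015-01-14T04:45:03 user=vuln_scan src=10.0.0.30 event=login
2015-01-14T03:12:55 user=asmith src=10.0.5.9 event=login'

# Reads log lines on stdin; prints "user=... src=..." for every pair seen
# during off hours on at least $1 distinct days (default: every off-hours
# day in the input). A one-off 03:30 login is left in for the analyst.
off_hours_regulars() {
    awk -v min="${1:-0}" '
        { split($1, ts, "T"); day = ts[1]; hour = substr(ts[2], 1, 2) + 0 }
        hour >= 6 { next }                      # business hours: ignore
        {
            days[day] = 1
            key = $2 " " $3
            if (!seen[key, day]++) cnt[key]++   # count days, not events
        }
        END {
            total = 0; for (d in days) total++
            if (min == 0) min = total
            for (k in cnt) if (cnt[k] >= min) print k
        }' | sort
}

# Reads log lines on stdin and drops those whose user/src pair is in the
# newline-separated list passed as $1 (the output of off_hours_regulars).
filter_regulars() {
    awk -v reg="$1" '
        BEGIN { n = split(reg, r, "\n"); for (i = 1; i <= n; i++) drop[r[i]] = 1 }
        !(($2 " " $3) in drop)'
}

# Demo: anything seen on two or more off-hours days is a regular.
regulars=$(printf '%s\n' "$SAMPLE_LOG" | off_hours_regulars 2)
printf '%s\n' "$SAMPLE_LOG" | filter_regulars "$regulars"
```

Re-run the profiling over a longer window (weeks, not days) before trusting a filter; a service account that was only active for three nights may be a job, or may be the thing you were looking for.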
Know Your Environment
Organization
Make Groups
• Organize by
  - Function
  - Location
  - Host Properties
Use Groups for
• Policies
• Scanning
• Event Views
Your Environment
Taking Notes?
There will be a quiz at the end. Not Really.
Information Recording
• Ticketing System
• Wiki
Benefits
• Time Saving
• Knowledge Transfer
THREAT SHARING
Threat Sharing
One Person. Many Friends.
Anyone?
0-day? More like yesterday.
APT? Yeah you know me.
Malware makes me happy.
Request
Help
Knowledge
Confirmation
THREAT INTELLIGENCE POWERED BY OPEN COLLABORATION
• Diverse set of data & devices
• 8,000 collection points
• 140+ countries
• 500,000 malware samples analyzed daily
• 1500+ Event Correlation Rules
• 5 Event Attack Types
Summary
Today we learned…
How to work around the limitations of a small (or one person) team
Tips for establishing a daily routine
Strategies to effectively prioritize daily tasks
Benefits of Threat Intelligence sharing
Final Thought
“Security is your problem, and everyone else's too.”
Now for some Q&A…
Learn More about AlienVault USM
Register for our Weekly Live Product Demo
https://www.alienvault.com/marketing/alienvault-usm-live-demo
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial