
All right, I'm going to use this mic because I wander a bit, and so I don't know how much of me will be on the camera, but we'll go with it. So, awesome. Anyway, welcome to this talk. I appreciate you sticking around. As my intro said, I've been doing security for a while, and I've been mostly blue team, so that informs a lot of the way I think and the way I talk. But I will tell you that the interest that drove me to become part of these conferences, doing talks, going to these and interacting with people, was actually listening to people who are on the red team and wanting to understand their side better. You've heard this: red informs blue, and we also say that blue informs red. I think it is an absolute synergy, that the information flows back and forth to improve our defense overall.

So as part of this journey I have been really following and understanding the evolution of security over time, and part of that really comes down to, as I said, blue team, which in general is all about how we organize our defense, and that organization, in one sense, traditionally operates around the SOC. But you may have heard over the last few years that the SOC is dead. I'm kind of here to say: well, yes, but no. The SOC is not dead. The SOC really is just evolving. It's changing, and it has to. Why does it have to change? Because think about where we started. Some of you are great enough to remember where we started; for others this is a bit of history you've probably heard over and over again, but nevertheless. We started, here on your left, protecting a network that was built in a castle-and-moat type of scenario. It was very hard and crunchy on the outside, soft and chewy in the middle. We just layered our defenses: we put a firewall and maybe an IDS out on the outside and watched everything coming in.

But over time the network matured, our tools improved, or I should say we added tool capabilities. We started having remote capability, remote logins, access to our network, and then we added some tools: you saw the SIEM starting to show up, VPNs started to show up, IDSes kind of matured or grew into IPSes. This evolution of networking and our networks and tools and defenses continued to change, where in the late, sorry, the early 2010s, cloud came about, and we started having tools where threat intel started showing up, NDRs, and UBAs were nascent. This evolution continued through the mid 2010s, where we had moved into mobile: phones went from your dumb phones to everyone having smartphones, with access to information on our smartphones, shopping, access to all the databases behind there. We started seeing additional tools: you had EDRs, and SASE started showing up, SOAR came out, although to be honest, if you really talk to anyone who's a longtime Unix professional, they're just like, really? I've been doing SOAR for years. You can argue with them, but you don't want to go down that rabbit hole. Nevertheless, microservices, and now, before I get into that, I should say now we're into the 2020s and beyond, where we're pulling in things like zero trust, our networks are moving to this evolution, OT is now out there and we're integrating OT with our systems, microservices, XDR, CASB, and I'm drawing a blank on ASM, which is basically attack surface monitoring. Thank you, attack surface monitoring. So all these tools are now part of our arsenal as defenders, and our networks are far more complex than they ever were.

Well, what's the problem? The problem is that our SOCs are still in this basic structure, the structure and the architecture that we set up in the early 2010s. We're basically pulling in data from all these devices and sending it to some kind of centralized system. It doesn't necessarily have to be a SIEM, but for all intents and purposes it is acting as a repository for all the data. Maybe we have threat intel, maybe we have a SOAR, but we have this tiered structure of analysts: you have your tier one analysts doing your triage, your tier two people who are doing a slightly deeper dive, and then your tier three people who are doing incident response, reverse engineering, maybe they're threat hunting. So that's what's going on; that is today's SOC. Today's SOC cannot handle that, because it faces certain challenges that the evolution of our network and tools has brought us.

What are those challenges? Well, first of all, there's a lack of personnel. I know you guys are shocked that I brought this up. You're managing an increasingly complex stack of things, with increasingly complex data that you're bringing in from all sorts of places. You have limited visibility into an increasing attack surface. This was far easier when we just had a few computers and servers sitting in a building somewhere, and now we're expected to protect everything from everybody from everywhere. That's a whole lot for that SOC architecture, that SOC structure, to do. Which brings us to this point where you cannot operate at scale, where you're handling better attacks coming at you at higher volumes. You're still fighting this fight, and this fight is going to be around forever, where you're trying to balance compliance with best practices with effective security and operations, because things have to work, right? We're still trying to secure things that need to work when the president or the CEO clicks a button, or your vendor or your customer clicks purchase. That still needs to happen in a secure way, so you're still fighting that battle.

But here's a big one: you have a paradigm shift that some of us, especially some of us older folks, are trying to change how we think about, where our attackers are going after identities and data instead of servers. Back in the day they were like, oh, I owned a server, and that was a big deal. Now they're like, whatever, maybe I'll own the server, maybe I won't, I just need the data. That's all I need.

So how did we get to this spot? We talked about the changes, we talked about the challenges, but how does that come together? Well, a big thing was the shift in operations in the early 2010s to DevOps, this concept that we don't have to do upgrades and do patches very slowly. Back in those days, and many of you remember this, when ops and the developers said we're going to come out with a new version, they would build it and then give it over to you, hopefully (that didn't always happen, but hopefully), and then you'd spend some time testing it and send it back. That worked; if you had an efficient process that was okay, and it still gave you time to actually interact with the releases. Yeah, that doesn't happen when they're releasing five to eight to ten releases a day per product. So this DevOps thing made it really hard for the way security traditionally would review things. Now, before I go on, I do want to say that there are a good number of organizations that are very, very good at DevSecOps, that have figured out how to do this and have their security built into the DevOps cycle extremely well. I don't want to gloss over that, but many of us are still trying to figure out how to keep up, and we have various levels of success with this.

Again, I'm going to reference the fact that we have moved to a mobile, anytime, anywhere, any place access expectation, especially over the last three or four years of COVID, or three or four centuries, depending on how you feel after being home by yourself all that time. So there is that challenge. And one good piece of news is that security has gotten better. So who here remembers the Slammer worm? Please, just don't let me feel like the oldest person in the room. Okay, I'm already the oldest person in my job, and that's really depressing. All right, so the Slammer worm, for those of you who don't know, was a SQL worm that was just automated, and when it came out in the early 2000s it just killed networks. I was at Thule Air Base, and this is back when Thule had a single pipe that was like a T1, and that is less bandwidth than most of you have ever even thought of, but we thought it was great. At one point something meg we were like, woo, man, I don't know what I'm going to do with one point something meg coming over my pipe, maybe watch a video in five hours, but darn it, I'm happy. Anyway, I remember they were like, oh, this is killing us, it shut down the air base in Greenland, and it's like, we're working, but yeah, that was bad. The Slammer worm is still out there. Go sniff port 1433, right? 1433, yeah, it's still out there. Do any of you care? No, we're like, whatever. But you know what? Security's gotten better, but guess what, so have the attackers, so it's a leapfrog thing. Security tools and methodologies have increased in number and complexity, and above all, we are no longer operating under the assumption that our networks are unhackable. Some of you may not remember this, but Larry Ellison, head of Oracle, came out and said we're totally unhackable. That lasted less than a week, I think. Yeah, things you do not want to say in public, or really anywhere.

So what is the solution? Hint: it's in the title. Become next-gen, right? Well, that sounds great, good buzzword. Could we put some handles on that? Yes, let's put some handles on it. What does that mean? What is a next-gen SOC? Well, I tried to break it down into some really strategic things that you can measure. So the first thing is: shift your strategy. Shift from defense in depth, and I heard someone say "expense in depth," I like that analogy, but I will tell you zero trust is not less, but that's a different talk. But truly, you've got to figure this out: move to a zero trust model, move to resilience in your network. Have a SOC and processes that handle routine attacks and alerts automatically; get your analysts out of doing clickety-clickety pointy-clicky things and get them into thinky-thinky things. That's what you really want your analysts to do. You're not paying for their fingers, you're paying for the gray matter in their head, so leverage that. Alerts are enriched in triage (triage, I don't know where I get "triad" from; I guarantee you I'm going to say that again at least once more). Detections and automated responses are continually being built and tuned. You are moving some of the DevOps concepts into the SOC on a constant improvement basis, continually and frequently. You are ingesting logs and events from all over the place. I will tell you my feeling on this has evolved over time: at one point I was like, minimize the things that you're ingesting, then I was like, ingest all the things, and then I went back to, reduce the amount of things you're ingesting. But I think to take advantage of the analytic capabilities that we have now and that are coming out, you are going to have to ingest more information than ever. And I get the expense and the challenge of that; we'll talk about that and some solutions to it. Utilize ML and AI and threat intelligence, as well as atomic alerts. Just to level set, atomic alerts are things that you know are bad: if I see this, that's bad, send me an alert. Very, very straightforward; that is what I mean by atomic alert.

So how do we get there? Well, the way I broke this down, and I'll slow down a little bit because I want to go through these steps, I broke it down into three phases with multiple steps in each phase. The whole purpose of this is not to say that everyone needs to do everything. This is not a one-size-fits-all, all-you-can-eat, here's-your-plate-consume-it-all type of endeavor. It is a choose-your-own-adventure. So pick what is appropriate and applicable for your organization. If it's really large with lots of resources, well, consume it all. If it's smaller with very limited, very restricted resources, then you figure out what is best for your organization that you can do well, outsource what you can, and then find ways to mitigate the challenges from the rest. Additionally, you don't have to do this in the order I prescribe. I'm just trying to break it down in a way that's easily digestible so that you can regurgitate it later. The point is, I think all of these steps are the things that need to happen for a good SOC to become, in that sense, next-gen.

So let's jump in. First, and if I haven't said this enough I will say it more: increase your automation and your integration. So Cisco's Security Outcomes Study, I believe number three, the last one that came out a couple of years ago, great report by the way, all three of them; if you haven't read them, go find them, they're great reads for understanding the tools and processes that make SOCs effective, and they are surprisingly not very Cisco-based. Wendy Nather and Wolf, I cannot pronounce his last name, awesome authors, among other people from Cisco who put this out, so go read those reports. One of the things they say is that the better tools integrate, the more effective automation you will be able to perform. This is really important, because the better you have your processes and your steps automated, the more effective your SOC is. If you ever get a chance, read some of the things that the Palo Alto SOC is doing. They are very highly automated, and they are consuming, responding to and analyzing millions of events, like per hour. It's insane, and it's really, really good what they are doing.

Ingest threat intelligence, and I'm going to say, and I'll refer to this later, just applicable threat intelligence. I can't tell you, it still bugs me to this day: we had a customer, I was integrating their threat intel into their SIEM product, and they're a US-based worldwide pharmaceutical company, and one of their threat feeds was about attackers against Australian education systems. I said, why do you have this? You are a US-based pharmaceutical. And they said, well, you never know when that group might pivot. Okay, then you wear the tin foil hat at night too, I bet. So, all right, let's go.

Plan migration to cloud-based SOC tools. You are not going to be able to handle the amount of data and the amount of storage and the amount of analytical compute that you are going to need on your on-prem system, not at scale, and that is absolutely going to be a fact. I get it, it's hard; your companies invested a lot in on-prem stuff, but at some point you are going to have to start making hard choices about what you bring in. In fact, if you're not doing this already, you're going to be making hard choices about what you bring in and what you analyze, especially as ML and AI become more and more required to do the kind of analysis that you're going to need to do. So start planning how to move that to the cloud.

Create and refine metrics that define your tasks. Get an asset management and inventory system; figure out what you have. And it's not just assets, right? I wrote this and then I was thinking, when I was going over this, but I didn't bother to change it: it's also who is in your system, what your identities are, and where your data is. I mentioned before that your attackers are going after identities and data; well, you should know what identities you have and what data you have in your system. Yes, that's hard, but raise your hand if you thought this was an easy gig. So yeah, it's a challenge. We have tools: you can buy tools, you can write tools, you can buy and write tools. But I will tell you, even a 60% knowledge of what you have is better than 0%, so don't let perfect get in the way of good. What else? Oh yeah, speaking of which, plan and begin a shift to monitoring and protecting your data and identity.

Now notice also the difference in this picture here for phase one versus what I had before. We are now looking at a cloud-based SIEM. We have brought in threat intel, we have added SOAR, and most importantly, we have started to change the structure of our SOC, where we kind of have tiers, but we're moving those tiers into groups, where that lower group is handling more than just triage: they're doing threat hunting, they're doing detection analysis, they're doing, what else did I say they're doing, I can't read my writing, threat... so they are doing a lot of different things. And then that third tier is still doing IR, but eventually you're going to see they're going to start doing engineering.

So, phase two, and just to continue that thought: that upper group is now your detection engineers, and so they are creating and writing detections, use cases, playbooks, and updating those things. And your lower group is broken, instead of into tiers, although it's still labeled tier one, tier two, they're going to be migrating or evolving into groups where each group is self-contained, doing all the things. Each person in the group may have a specialty, but that group as a whole, maybe it's one, maybe it's two people, maybe it's five people, is doing everything from triage to threat hunting to analytic stuff.

I'll just continue with the diagram before I get into some of the points, which will probably cover some of these things. In fact, one of the first ones is you're going to implement a technology to filter and route logs, because now what you're going to do is figure out, among your logs, among your data sources, what data is really key for atomic alerts or very simple machine learning. That data you're going to send to your SIEM or your XDR or your EDR. The other data, the stuff that's like, I don't know what good this is, it takes a whole lot of compute to figure out what's bad in this, you're going to send to something else, like a data lake, something that's cheap storage that your analytical capability can leverage to do deep learning. So also, you're going to really start migrating to cloud at this point, because now you're ingesting a lot more data; you're opening up the fire hose coming from your sources. You're putting in AI, and, well, I'm going to say machine learning, I'll get to AI in a minute; you're going to start using machine learning to analyze those large log sets. You are using threat intel to enhance your data to figure out what's going on. You're using UBA, that's user
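The filter-and-route step described in phase two, with the atomic "if I see this, that's bad" alerts from the strategy section, as an added example that is not code from the talk or the speaker. The event format, the source names, the routing policy and the denylist are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample events (made up for this example; not from any real system).
SAMPLE_EVENTS = [
    {"source": "auth", "user": "alice", "result": "failure", "src_ip": "203.0.113.5"},
    {"source": "auth", "user": "alice", "result": "failure", "src_ip": "203.0.113.5"},
    {"source": "auth", "user": "alice", "result": "failure", "src_ip": "203.0.113.5"},
    {"source": "auth", "user": "bob", "result": "success", "src_ip": "10.0.0.7"},
    {"source": "edr", "host": "ws01", "process": "evil_dropper.exe"},
    {"source": "netflow", "src_ip": "10.0.0.4", "dst_ip": "10.0.0.9", "bytes": 1200},
    {"source": "dns", "query": "example.com", "rcode": "NOERROR"},
    {"source": "edr", "host": "ws02", "process": "notepad.exe"},
]

# Routing policy (an assumption): sources that carry signal for atomic alerts go to
# the SIEM/XDR; bulk sources go to cheap data-lake storage for later ML analysis.
SIEM_SOURCES = {"auth", "edr"}
FAILED_LOGIN_THRESHOLD = 3
KNOWN_BAD_PROCESSES = {"evil_dropper.exe"}  # constructed denylist, not real intel

def route(event):
    """Decide the destination tier for one event."""
    return "siem" if event.get("source") in SIEM_SOURCES else "datalake"

def rule_failed_login_burst(event, state):
    """Atomic rule: N failed logins for the same user from the same IP is bad."""
    if event.get("source") != "auth" or event.get("result") != "failure":
        return None
    key = ("failed_login", event["user"], event["src_ip"])
    state[key] += 1
    if state[key] == FAILED_LOGIN_THRESHOLD:  # fire once, when the threshold is hit
        return f"{FAILED_LOGIN_THRESHOLD} failed logins for {event['user']} from {event['src_ip']}"
    return None

def rule_known_bad_process(event, state):
    """Atomic rule: a process on the denylist is bad, no further analysis needed."""
    if event.get("source") == "edr" and event.get("process") in KNOWN_BAD_PROCESSES:
        return f"known-bad process {event['process']} on {event['host']}"
    return None

RULES = [rule_failed_login_burst, rule_known_bad_process]

def process_events(events):
    """Route every event; run the atomic rules only on the SIEM-bound stream."""
    routed = {"siem": [], "datalake": []}
    alerts = []
    state = defaultdict(int)  # per-rule counters shared across events
    for event in events:
        dest = route(event)
        routed[dest].append(event)
        if dest == "siem":
            for rule in RULES:
                hit = rule(event, state)
                if hit:
                    alerts.append(hit)
    return routed, alerts
```

Everything sent to the data lake is kept untouched for the heavier analysis the talk defers to ML; only the SIEM stream pays the cost of rule evaluation.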