
All right, I'm going to use this mic because I wander a bit, so I don't know how much of me will be on the camera, but we'll go with it. Welcome to this talk; I appreciate you sticking around. As my intro said, I've been doing security for a while, and I've been mostly blue team, so that informs a lot of the way I think and the way I talk. But I will tell you that what drove me to become part of these conferences, doing talks, going to them and interacting with people, was actually listening to people who are on the red team and wanting to understand their side better. You've heard this: red informs blue, and blue informs red. I think it is an absolute synergy, with information flowing back and forth to improve our defense overall.

So as part of this journey I have really been following and trying to understand the evolution of security over time, and part of that comes down to, as I said, the blue team, which in general is all about how we organize our defense. In one sense that traditionally operates around the SOC, but you may have heard over the last few years that "the SOC is dead." I'm kind of here to say: well, yes, but no. The SOC is not dead; the SOC is just evolving. It's changing, and it has to. Why does it have to change? Think about where we started. Some of you are grey enough to remember where we started; for others this is a bit of history you've probably heard over and over again. Nevertheless, we started, here on your left, protecting a network that was built in a castle-and-moat type of scenario. It was very hard and crunchy on the outside, soft and chewy in the middle. We just put our defenses, a firewall and maybe an IDS, out on the outside and watched everything coming in. But over time the network matured and our tools improved, or I should say we added tool capabilities. We started having remote capability, remote logins, access to our network, and then we added some tools: you saw the SIEM starting to show up, VPNs started to show up, IDSs matured or grew into IPSs.

This evolution of networking, and of our networks, tools and defenses, continued to change. In the early 2010s, the late aughts, cloud came about, and we started having tools where threat intel started showing up; NDRs and UEBAs were nascent. This evolution continued through the mid-2010s, where we had moved into mobile, and phones went from your dumb phones to everyone having smartphones with access to information, shopping, access to all the databases behind there. We started seeing additional tools: you had EDRs, and SASEs started showing up, SOARs came out. Although, to be honest, if you talk to anyone who's a longtime Unix professional, they're just like, "Really? I've been doing SOAR for years." You can argue with them, but you don't want to go down that rabbit hole. Nevertheless, microservices. And now we're into the 2020s and beyond, where we're pulling in things like zero trust, where our networks are moving to this evolution. OT is now out there, and we're integrating OT with our systems; microservices, XDR, CASB, and I'm drawing a blank on ASM, which is basically attack surface monitoring. Thank you. Attack surface monitoring.

So all these tools are now part of our arsenal as defenders, and our networks are far more complex than they ever were. Well, what's the problem? The problem is that our SOCs are still in this basic structure, the structure and architecture that we set up in the early 2010s. We're basically pulling in data from all these devices and sending it to some kind of centralized system. It doesn't necessarily have to be a SIEM, but for all intents and purposes it is acting as a repository for all the data. Maybe we have threat intel, maybe we have a SOAR, but we have this tiered structure of analysts: your tier one analysts doing your triage, your tier two people doing a slightly deeper dive, and then your tier three people doing incident response, reverse engineering, maybe threat hunting. That is today's SOC. Today's SOC cannot handle that, because it faces certain challenges that the evolution of our networks and tools has brought us.

What are those challenges? Well, first of all, there's a lack of personnel. I know you're shocked that I brought this up. You're managing an increasingly complex stack of things, with increasingly complex data that you're bringing in from all sorts of places. You have limited visibility into an increasing attack surface. This was far easier when we just had a few computers and servers sitting in a building somewhere; now we're expected to protect everything from everybody, everywhere. That's a whole lot for that SOC architecture, that SOC structure, to do. Which brings us to the point where you cannot operate at scale, where you're handling better attacks coming at you at higher volumes. You're still fighting this fight, and this fight is going to be around forever: you're trying to balance compliance with best practices with effective security and operations, because things have to work. We're still trying to secure things that need to work when the president or the CEO clicks a button, or when your vendor or your customer clicks "purchase." That still needs to happen in a secure way, so you're still fighting that battle. But here's a big one: you have a paradigm shift that some of us, especially some of us older folks, are trying to change how we think about, where our attackers are going after identities and data instead of servers. Back in the day they were like, "Oh, I owned a server," which was a big deal. Now they're like, "Whatever, maybe I'll own the server, maybe I won't. I just need the data. That's all I need."

So how did we get to this spot? We talked about the changes, we talked about the challenges, but how does that come together? Well, a big thing was the shift in operations in the early 2010s to DevOps, this concept that we don't have to do upgrades and patches very slowly. Back in those days, many of you remember this, when ops and the developers said "we're going to come out with a new version," they would build it and then hand it over (hopefully; that didn't always happen), and then you'd spend some time testing it and send it back. That worked; if you had an efficient process, that was okay, and it still gave you time to actually interact with the releases. That doesn't happen when they're releasing five to eight to ten releases a day per product. So this DevOps thing made it really hard for the way security traditionally would review things. Now, before I go on, I do want to say that there are a good number of organizations that are very, very good at DevOps, that have figured out how to do this and have their security built into the DevOps cycle extremely well. I don't want to gloss over that. But many of us are still trying to figure out how to keep up, and we have various levels of success with this.

Again, I'm going to reference the fact that we have moved to a mobile, anytime, anywhere, any-place access expectation, especially over the last three or four years of COVID, or three or four centuries, depending on how you feel after being home by yourself all that time. So there is that challenge. One good piece of news is that security has gotten better. So who here remembers the Slammer worm? Please, just don't let me feel like the oldest person in the room. Okay, I'm already the oldest person in my job, and that's really depressing. All right, so the Slammer worm, for those of you who don't know, was a SQL worm that was fully automated, and when it came out in the early 2000s it just killed networks. I was at Thule Air Base, and this is back when Thule had a single pipe that was, like, a T1, which is less bandwidth than most of you have ever even thought of, but we thought it was great. At one-point-something meg we were like, "Whoo, man, living large. I don't know what I'm going to do with one-point-something meg coming over my pipe. I may watch a video in five hours, but darn it, I'm happy." And I remember they were like, "Oh, this is killing us, just shut down the air base in Greenland." It's like, "We're working!" But yeah, that was bad. You know, the Slammer worm is still out there; go sniff port 1433. Yeah, it's still out there. Do any of you care? No, we're like, whatever. But you know what? Security's gotten better, but guess what, so have the attackers. It's a leapfrog thing. Security tools and methodologies have increased in number and complexity, and above all, we are no longer operating under the assumption that our networks are unhackable. Some of you may not remember this, but Larry Ellison, head of Oracle, came out and said "we're totally unhackable." That lasted less than a week, I think. Yeah, things you do not want to say in public, or really anywhere.

So what is the solution? Hint: it's in the title. Become next-gen. Well, that sounds great, good buzzword; could we put some handles on that? Yes, let's put some handles on it. What does that mean, what is a next-gen SOC? Well, I tried to break it down into some really strategic things that you can measure. So the first thing is: shift your strategy. Shift from defense in depth (and I heard someone say "expense in depth"; I like that analogy, it is), but I will tell you zero trust is not less. That's a different talk. But truly, you've got to figure this out: move to a zero trust model, move to resilience in your network. Have a SOC and processes that handle routine attacks and alerts automatically. Get your analysts out of doing pointy-clicky things and get them into thinky-thinky things. That's what you really want your analysts to do: you're not paying for their finger, you're paying for the gray matter in their head, so leverage that. Alerts are enriched in triage (I don't know where I get "triad" from; I guarantee you I'm going to say that again at least once more). Detections and automated responses are continually being built and tuned. You are moving some of the DevOps concepts into the SOC on a constant, continual and frequent improvement basis. You are ingesting logs and events from all over the place. I will tell you, my feeling on this has evolved over time. At one point I was like, minimize the things that you're ingesting; then I was like, ingest all the things; and then I went back to reduce the amount of things you're ingesting. But I think, to take advantage of the analytic capabilities that we have now and that are coming out, you are going to have to ingest more information than ever. And I get the expense and the challenge of that; we'll talk about that and some solutions to it. Utilize ML and AI and threat intelligence, as well as atomic alerts. Just to level-set, atomic alerts are things that you know are bad: if I see this, that's bad, send me an alert. Very straightforward; that's what I mean by an atomic alert.

So how do we get there? I'll slow down a little bit, because I want to go through these steps. I broke it down into three phases with multiple steps in each phase, and the whole purpose of this is not to say that everyone needs to do everything. This is not one-size-fits-all, not an all-you-can-eat, here's-your-plate, consume-it-all type of endeavor. It is a choose-your-own-adventure. So pick what is appropriate and applicable for your organization. If it's really large with lots of resources, well, consume it all. If it's smaller, with very limited, very restricted resources, then figure out what is best for your organization that you can do well, outsource what you can, and then find ways to mitigate the challenges from the rest. Additionally, you don't have to do this in the order I prescribe. I'm just trying to break it down in a way that's easily digestible, so that you can regurgitate it later. The point is, I think all of these steps are the things that need to happen for a good SOC to become, in that sense, next-gen.

So let's jump in. First, and if I haven't said this enough I will say it more: increase your automation and your integration. Cisco's Security Outcomes Study, I believe number three, the last one that came out a couple of years ago, is a great report, by the way, all three of them. If you haven't read them, go find them; they're great reads for understanding the tools and processes that make SOCs effective, and they are surprisingly not very Cisco-based. Wendy Nather and Wolf (I cannot pronounce his last name), awesome authors, among other people from Cisco who put this out. So go read those reports. One of the things they say is that the better tools integrate, the more effective automation you will be able to perform. This is really important, because the better you have your processes and your steps automated, the more effective your SOC is. If you ever get a chance, read some of the things that the Palo Alto SOC is doing. They are very highly automated, and they are consuming, responding to and analyzing millions of events, like, per hour. It's insane, and what they are doing is really, really good.

Ingest threat intelligence, and I'll refer to this later: just applicable threat intelligence. I can't tell you, it still bugs me to this day. We had a customer; I was integrating their threat intel into their SIEM product. They're a US-based worldwide pharmaceutical company, and one of their threat feeds was about attackers against Australian education systems. I said, "Why do you have this? You are a US-based pharmaceutical." And they said, "Well, you never know when that group might pivot." Okay, then you wear the tin foil hat at night too, I bet. All right, let's go.

Plan migration to cloud-based SOC tools. You are not going to be able to handle the amount of data, the amount of storage and the amount of analytical compute that you are going to need on your on-prem system, not at scale, and that is absolutely going to be a fact. I get it, it's hard; your companies have invested a lot in on-prem stuff. But at some point you are going to have to start making hard choices about what you bring in. In fact, if you're not doing this already, you're going to be making hard choices about what you bring in and what you analyze, especially as ML and AI become more and more required to do the kind of analysis that you're going to need to do. So start planning how to move that to the cloud. Create and refine metrics that define your tasks. Get an asset management and inventory system; figure out what you have. And it's not just assets, because I wrote this and then, when I was going over it, I was thinking (but I didn't bother to change it) that it's also who is in your system, what your identities are, and where your data is. I mentioned before that your attackers are going after identities and data; well, you should know what identities you have and what data you have in your system. Yes, that's hard, but raise your hand if you thought this was an easy gig. So yeah, it's a challenge. I don't know how to do it; we have tools. You can buy tools, you can write tools, you can buy and write tools. But I will tell you, even a 60% knowledge of what you have is better than 0%, so don't let perfect get in the way of good. What else? Oh yeah, speaking of which: plan and begin a shift to monitoring and protecting your data and identity.

Now notice also the difference in this picture for phase one versus what I had before. We are now looking at a cloud-based SIEM, we have brought in threat intel, we have added SOAR, and most importantly we have started to change the structure of our SOC. We still kind of have tiers, but we're moving those tiers into groups, where that lower group is handling more than just triage: they're doing threat hunting, they're doing detection analysis, they're doing (what else did I say they're doing? I can't read my writing) threat... so they are doing a lot of different things. And then that third tier is still doing IR, but eventually you're going to see they're going to start doing engineering.

So, phase two. Just to continue that thought: that upper group is now your detection engineers, so they are creating and writing detections, use cases and playbooks and updating those things. And your lower group is broken out, instead of into tiers (although it's still labeled tier one, tier two), into groups, migrating or evolving into groups where each group is self-contained, doing all the things. Each person in the group may have a specialty, but that group as a whole, maybe it's one person, maybe it's two people, maybe it's five people, is doing everything from triage to threat hunting to analytic stuff. I'll just continue with the diagram before I get into some of the points, which will probably cover some of these things. In fact, one of the first ones is that you're going to implement a technology to filter and route logs, because now what you're going to do is figure out, among your logs, among your data sources, what data is really key for atomic alerts or very simple machine learning. That data you're going to send to your SIEM or your XDR or your EDR. The other data, the stuff where I don't know what good it is and it takes a whole lot of compute to figure out what's bad in it, you're going to send to something else, like a data lake, something that's cheap storage that your analytical capability can leverage to do deep learning. Also, at this point you're going to really start migrating to cloud, because now you're ingesting a lot more data; you're opening up the fire hose coming from your sources. You're putting in ML and AI. Well, I'm going to say machine learning; I'll get to AI in a minute. You're going to start using machine learning to analyze those large log sets. You are using threat intel to enhance your data to figure out what's going on. You're using UEBA, that's user and entity behavior analytics, or RBA, which is risk-based analysis, which I love (and no, Mr. Xun, that is not just a Splunk term; other SIEMs have it, Sumo Logic has that capability, as well as other SIEMs). But use risk-based analysis to help figure out what is bad in the massive amount of data that you are collecting. You start really focusing your security on identity and on data. At some point you should have implemented things like IdAM and multi-factor authentication, and you start using that data, along with restricted analysis of the different parts of your data as you start doing zero trust, to be able to really identify malicious or suspicious behavior in your identities and data access. You continue to use metrics to evaluate tool effectiveness and your progress in these things.

So, the last phase. One thing I failed to mention is that this is not an overnight thing. This is not a tool or a switch or a nine-month project; this is five to ten years, okay? So there's a lot here, and the thought process is designed to be accomplished over time, as I said, five to ten years if not longer. And of course the challenge is that there could be additional things you might figure out along the way that you have to do. However, this is not something you should rush through either, because each of these is a deliberate step, and not only a change in process but a change in mindset and a change in your organizational structure, and that takes time to do well and efficiently.

So, phase three. You have completed your migration to cloud, because now you are ingesting all the things, you're hoovering it all up, but you are also now sending that into a log storage capability. You're not really putting it into a SIEM, because what you've done is separated, and this is where I see the industry going in seven to ten years, your log storage from your analytic capability. Or at least be able to: vendors will still want to sell you everything in one package, because that's what vendors want to do. But the concept is that your analytic capability is going to have all the specialties, from the atomic alerts to the AI to the UEBA to the RBA to the ML, all of it built in, and there's going to be so much of that that you're going to want to have, and all of it is going to access a log storage location where all your logs are going to be, whether structured or unstructured. That capability of saying "hey, I'm going to analyze this," and maybe even (I'm just projecting here, this is a total guess) maybe you're able to purchase multiple log analytic capabilities from different vendors, each of whom specializes in a different type of analytic ability. The point being that by doing this you're able to pick the best of breed to analyze what you want, and then you have an automation component that is able to reach into either the results that your analytic tier is producing, or reach back into your devices, into your instances, to perform actions and activities that enhance or protect or monitor what's going on. Your SOC structure has completely migrated to the teams and the detection engineer concept, where your security engineers are totally just doing that: they're constantly updating the alerts, constantly updating the automation, based on interaction between themselves and your analysts. And then, you probably noticed, I always have the ticketing at the bottom, because I think the help desk will always be a component that you're going to need to help capture, monitor, track and respond, and interact with the users or the customers and other customers for individual activity.

So, some of the points here. Developing the SecOps group: you've organized your teams into tiers. One important thing is, as I mentioned, this is not one-size-fits-all, so the recommendation is to partner with an MSP or an MDR to cover gaps where you can't do that. Another thought is that some of these activities, if you're a smaller organization or perhaps even a larger one, you don't necessarily have to do all the time. Maybe you don't need a full-time individual to do detection engineering; they don't need to be updating all the time. So maybe you hire somebody, you outsource someone, to come in once a month, and they come in and update rules for a week and then go away for a month and then come back. I know our company has been hired to do that, and I'm 100% sure, 150% sure, other service vendors have been hired to do the same thing. So that's an option if you don't need that 24/7. You can outsource the threat hunting, you can outsource the threat intel. Those are ways to accomplish this capability without having that full-time person on staff.

Develop, fund and implement a comprehensive training program internally. I will foot-stomp on this, because as I mentioned earlier, we're struggling to bring people in, we're struggling with the lack of personnel, but one way to address that is to train in house. It accomplishes one thing immediately: it helps with retention. Retain the people that you have by training them up to do the things you need them to do. But it also attracts people; it makes your company more attractive. You say, "Hey, we've got a great in-house training program." Now, that in-house training program doesn't necessarily mean that you have a trainer, but it means that you have ways to get people up to speed and to train them for the skills they need, whether it's sending them to training if you have the budget, sending them to conferences, or allowing them to go and spend time learning on their own, having a lab internally. We are running an AWS lab that's nearly automated: it spins up machines and people can get in and just do things and learn how to do things. It costs us less than 200 bucks a month to run this for 30 people, okay? This is absolutely within the budget of nearly every company out there, and ours is not that complex.

So, AI. When I wrote this initially there was no such thing as ChatGPT, and then ChatGPT came out, and basically everyone and their brother is like, "Well, AI is going to solve the entire world crisis, cure cancer," and just about everything else. It's possible; I've read science fiction my whole life, so it's in the realm of real possibility, or at least the realm of imagination. In essence, I think there are a lot of people trying to figure out how it can help defenders. It's definitely been helping attackers in some ways, but I think we haven't figured out the best way yet. So I spent some time trying to figure out how it would be used in this scenario, and the way I see it evolving effectively now is helping people know what to do next, providing recommendations based on the data that it collects: "I see that this event happened on the endpoint, this event happened in your IdAM, and this event happened over here; based on this, you should go check these places, or monitor this type of activity." I think that is probably a legitimate use that you will see get better and better near term. Eventually I see that it will be able to take some simple automated actions by making calculated risks on responses: it will say, "Based on the analysis of your environment and what your organization does, I will take this automated response, because there is a 2% risk of blowing up your organization." I can see it doing that in the mid term. And then in the long term I can see it working in a side-by-side kind of environment. You remember when we worked in offices and we had a problem, and we'd just sit in a big circle and throw out ideas, and they'd bounce off each other and eventually we'd figure something out? I can see AI becoming that kind of interactive, voice-activated thing. Who knows, but that's kind of where I see it going: helping with analysis and investigative assistance.

So how do we get there? Start with what you have. Don't get overwhelmed with, "Oh, I've got to get all the things and put all these things in," or grab as many of them as you can; start with what you have. Increase the use of managed services to cover gaps. It's okay to use a managed service to do something now and then bring it in house later. That's fine; that happens a lot. Those of you who do professional services know that you get hired because the company can't do X, and eventually they can do X and the contract ends, and that's good; that's a successful engagement. Simplify the number of tools where possible. I think Cisco's outcomes study said that an organization has an average of 63 tools. That's a lot of tools; that is a lot for any group to really know. I mean, if you have 20 people, you've got to maintain and upgrade and check all of that; that's a lot. Increase the ability of the tools you have to integrate with each other. Sometimes that may mean getting rid of a tool because you just can't get it to talk to anything else, and that's painful. I get it; it's hard to get rid of tools that have been integrated, and there's politics involved, but look at ways of doing that. Hire or develop these skills. These are the skills that we're going to need in the SOC going forward, including the skills you have now, but add people who have these skills or develop the skills yourself. Formalize your SecOps processes. Continue to re-engineer procedures to leverage new tools. How many times have people gotten a new tool and then not realized that the procedures in the SOP apply to the old tool? So someone new comes in, they're reading the SOP, and they're like, "I don't get it; the tool doesn't do this," and you're like, "Oh, that's right, that was for such-and-such, which went out of business ten years ago." So update those.

So, in conclusion: again, no two SOCs will look alike. They should all have the same goals, but they will not look alike at the end. Implement and continue your automation efforts. Absolutely, I keep pounding that; that's going to help us. It's not going to get rid of people; it's going to make your people better. Remember: get them out of pointy-clicky and into thinky-thinky. Consume tailored threat intel. Shift your operations to the cloud. Start protecting identity and data; really start thinking about that. Increase the telemetry that you ingest; you're going to need more data to do ML and AI effectively, so you can develop an ML and AI plan. CI/CD, continuous integration and continuous development, for detection engineering. And ultimately, use short- and long-term planning to pursue zero trust and network and security resilience. So, absolutely, we have got to start moving out of this model of SOC that we have. It is holding us back from being able to meet and secure the environments that our organizations are going to. So with that, here are my contacts. I am way more active on Mastodon than I am on Twitter, so if you want to reach me, go there. I haven't written anything on that blog in like three years, but it's there. Awesome. So, questions?

Audience member: Will we get these slides?

Speaker: I will put the slides out, probably on that. Actually, I do have a page on there called "presentations" that I tend to update, because I do presentations, so that's where they'll go.

Audience member: How often do you go back and think about the CIS Critical Security Controls and the SOC, and the next-gen, and how, is it still applicable today?

Speaker: Yes. How often do I think about the CIS Critical Controls and the next-gen SOC? I actually don't think specifically in terms of the CSC, but I do think in terms of the regulations that encompass it. So NIST 800-53, the DoD STIGs, and other things. And I think they are still applicable. Remember, these get updated all the time; it's just how we implement them, how we put those into those tools, that is valid, and that's part of the challenge when you think about just maintaining and protecting. When you think about CSC 1, having an asset management inventory, well, that becomes asset management, data management, identity management, having all of that known. So it's still valid, but it does put some changes into that.

Audience member: And that was, I think, the first bullet on your first slide, asset inventory management, right?

Speaker: Yeah, exactly.

Audience member: But I use it as a foundation. I always say, are we doing the fundamentals, and then I start looking at AI and the new things.

Speaker: No, I 100% agree. A lot of what I like to do is try to figure out this high concept and give you handles so that you can be very practical, so you can do exactly that.

Audience member: Just to add to Craig: tools like ML make asset management 100 times easier, because you don't have to do abstraction, you don't have to do manual correlation, you don't have to do decision trees, none of that. You teach it the data, you show it what it looks like, and you say these objects and these attributes go together, and it starts running it. This idea of extraction, which generative AI does really well if you want to play with it, is the idea of regex to extract data out of something to pass it into another thing like a function call. You don't have to do that anymore; you just have to tell the AI to go do it and it figures it out.

Speaker: Awesome. I think I'm being kicked out. Am I done? Do one more question? One more question, yes, in the back.

Audience member: On your diagrams after the first one, the term IR got dropped off. Is that still tier three, or is that independent from the SOC?

Speaker: I moved it down into the teams. If I didn't label that, I apologize, but thank you for pointing that out. So it moves from the security engineers, who were doing the detection updating, down to the teams. And as everyone knows, there are definitely times it's all hands on deck anyway; when you have a major incident it's just like, I don't care what you're doing, you're doing IR now. So with that, I will be out in the hall if anyone has further questions or discussions. Thank you so much for coming to my talk, and have a great conference. Appreciate also if