
How to Build A SOC for Small to Mid-Size Companies

BSides SLC · 2017 · 19:22 · 111 views · Published 2017-07
Category: Technical
Style: Talk
About this talk
It’s the SOC, stupid! That’s what you need to combat modern cyber threats and attacks. A SOC is what most large enterprises use to protect their environment, and it involves a combination of people, process and technology. It is perceived to be costly and complex. However, if you are a mid-sized company with a limited budget and limited resources, you are fighting the same advanced threats. How would you build a SOC and run it like the Fortune 500 companies do on a limited budget?
Transcript [en]

Afternoon everyone, my name is Sam McLane, I am the head of security operations with Arctic Wolf. We are a managed detection and response service run out of the cloud. My last slide, the marketing guys put some stuff in there, so I'll talk a little bit more about us then. Just to give you a little bit of my background: I have been with Arctic Wolf, I'm a co-founder, been there since the beginning; spent 15, 12, 15 years at Blue Coat, and before that was at Lucent, KPMG as a security engineer in pre-sales working with firewalls. Today my conversation is about building a SOC, a security operations center. I'm focused on mid-market companies, not going to talk about it if you're a Fortune 1000 company and you've got money and people, but rather, how do you determine what to focus on if you're a smaller company. You may be a two- or three-man shop, maybe even a one-man shop, depending upon the level of investment the company's made. So that's really what we want to sort of go through some of this. If you're an advanced person it's going to seem a little basic, but the idea is to be a little bit more comprehensive in how you go about making decisions on what technologies to use and what to do.

So let's start by thinking about why one would need a SOC. Why do you need an operations center focused purely on security, rather than, say, overloading a network operations center? There are lots of different problems out there. Users are, some people like to say, bad; I like to say users do what users do, so there's a lot of hygiene issues out there. Most of the time smaller companies don't have money to invest in the security space, and so they wind up with lots of debt. They basically patch, do the bare minimum, put in a firewall, put in AV, maybe some kind of a spam filter, and then everything else can sit until something bad happens and they become completely reactive, deal with what they need to deal with, and then three months later they forget about how bad things were and they just sort of let it lie. So there's lots of debt, and having a SOC is a way to actually see the things that you're letting in, that you're missing, so that you can actually deal with them. And then, as you move to the cloud, as you move to different technologies, you move from traditional desktops and laptops to mobile devices and other things, the threat landscape changes, and if you're not paying attention to the new sources of data and the new attack vectors, you're going to miss stuff, and again you're going to wind up really getting damaged.

And then the other thing that we see often in the mid-market is that a lot of people are like, "I'm not a target." When we talk to people, what we've seen is that they are getting attacked. Most mid-market companies, five hundred, a thousand employees, their average loss from a data breach is measured in the millions, and that's significant; that can bring a company down. That's one of the reasons why this is so important, and most of them have some form of security spend coming this year. So that's why this is an area where, as consultants, as security people, this is relevant to us. It's not just working at a large bank or working for a government or state agency.

So when you think about what a SOC does, just the basics of what I'm talking about when I mention what a SOC is: most people think of that NASA space where you've got all these monitors up. Basically it's a group of people that are going to be used to monitor what's going on in the environment. They detect things, they figure out, do triage, forensics, is this bad, then they respond, and generally the SOC is the group of people, that may or may not be together, that's going to manage that response as well. They make sure the right resources are around, they make sure the right people are notified, the right incident response plan's been implemented. Generally they have some hand in user awareness training so that they can help prevent things. So there's a lot of effort involved in a SOC in managing, maintaining all the different aspects of a security infrastructure, and again, lots of small companies don't have enough of the different piece parts to actually make them believe it's worth it, and so that's where this really can become interesting.

Most of the time the complexity that's involved with setting up a SOC, setting up a SIEM, because that's sort of the core of what most people think of as a SOC, most of the time that's expensive, it's hard, and most of the people we've talked to that have tried to do it themselves are going to fail, mostly because they just didn't realize what was involved longer term with it. So if we take a step back, rather than thinking about all the different pieces that would go into building an enterprise-grade SOC, let's say that you're Goldman Sachs or John Deere or the Department of Homeland Security and you're looking to spend millions of dollars and have hundreds of people to work on it, what exactly is the problem that you're trying to solve and what's it going to look like?

So if you think about the normal metrics, and these are getting better in the industry, but by and large most people still go over half a year before they've detected that something bad has happened in their organization, and even then it can take them up to another two to three months before they respond. So you're looking at nine months, twelve months before people are dealing with it. This survey includes the Fortune 500, so the people that are in the mid-market are probably even worse than this; they're a lagging indicator of what's going on.

So again, as I walk through this, what are you looking to build? Well, you need a way to collect all the data necessary, you need to be able to monitor what's going on, you need effective alerts that are meaningful, and then you need to be able to respond effectively when an event occurs. And you're looking at all the different aspects, again, back to that second slide of what kinds of things are driving this desire for mid-markets to have a SOC. It's the changing landscape: it's not just users, desktops or Windows servers anymore, it's mobile devices, it's Internet of Things, all the different areas. You've got to be able to collect all that and make sure you've got the right processes in place to deal with it.

So when you think about building this, when you think about setting up a SOC, it is a combination of these three things, and this is fairly standard fare, but again, for a mid-market company they may not even realize that this is something they need to be looking at. So you need the right people. Generally you're going to need some operations people to manage the systems that you're using; you need security expertise that's good, has experience, has the right knowledge; then you've got to be able to keep those people. That's actually one of the bigger things that we see in the industry: we'll go talk to someone and they'll be like, "I had a great guy, he was awesome, he got all trained, and then he went to work for Juniper," and it's just like, okay, so now I've got to retrain a new guy, and finding someone that you can afford that knows all the tools that you were using, this is not an easy task to solve. And then you find out that someone's phone got hacked, you don't have the right expertise, you've got to then go find someone who can do the forensics on a mobile device, figure out exactly what the threat or problem is. So there's a lot going on here.

From a process perspective, again, there's lots of things involved in having good security response processes. Most small companies are like, "We know how to do backups, we test them twice a year, we're good to go," and that's sort of the extent, "oh, and we change our passwords." And when you go and talk to them and say, well, someone gets phished, what's your notification policy, how often do you actually run tests, it's like, not so much. So again, all of those best practices that you take for granted if you've got good people on staff, a lot of people are just missing.

And then lastly the technology itself. This is an ever-changing landscape, but just about everybody in the space is like, "Our widget does the best thing," and the problem with that is that the person that you start with in your SOC, that sort of starts to build it, might be a Linux person, and so you've got all these great Linux tools, and then he goes off, goes and works for a reseller, or decides to move someplace better, and now you suddenly got a Windows guy and he's like, "I don't like any of this crap, I want my own stuff," so you wind up replacing everything that was there from scratch, and again you're eighteen months before you're actually up and running. Having the right technology, having the right time to operate it, maintain it, keep it up to date, make sure that the log sources that are collecting in your SIEM are actually real. Last time you updated your ASA, did it change the log format, and suddenly your parser was wrong and you've got gibberish data, but you won't know that till you go look at it, and then suddenly you're like, "oh well, I really needed that data because I'm mid-breach and I need to figure it out." So doing all this is a fairly significant thing.

So then let's think about how you might design it. What are the capabilities that you're looking for? Let's start by thinking about the areas you'd like to cover, and I mentioned this earlier: it's going to be the people, it's going to be the devices, it's going to be apps, it's going to be the network. And then you think about the different layers that you have in your security portfolio, whether it's going to be prevention, detection or response. So here detection or prevention is sort of the first step: everyone gets a firewall, everyone does sort of the same things, you've got Active Directory for the most part, you've got identity management, you've got controls when it comes to users. For detection, you're going to use some kind of behavioral analytics. It may just be as simple as checking for failed logins once a week, or it might be something like metrics, which is a much deeper package, but again, depending upon where you're worried about, what your concerns are, you're going to have different areas of this spectrum, all the way up to, if you really do have concerns, you'll have all kinds of governance packages that deal with these things. From an application perspective you'll have a WAF, so again that's probably the basic that everyone puts in there, but then when you want to detect things you've got to collect all that data, run it into a SIEM, have someone who understands what they're looking at, that can tune it and deal with it. And then from a response perspective, again, NAC, you're going to do user management, and, as I build out the rest of this, I'm not going to go through each of these because, well, it's boring. The idea here is that depending upon what risks you have, depending upon what kind of problems you have, is it user data because you're a finance person, or is it intellectual property because you're a manufacturer or developer, you'll pick different areas of this matrix to focus on with your security spend. And again, as a mid-market company you're not going to have millions of dollars in your budget; it might be a couple hundred thousand every year that you get to spend, and every three years you've got to upgrade your firewall and you've got to upgrade your desktop agents and all those things. So as you work your way through here you do figure out what's important, what's not, and then of course you have to deal with recovery. So depending upon how you fill this out and what you do with this data, you're really sort of playing Sudoku on this and figuring out exactly where you're going to come back on it.

So then let's start actually thinking about how you're going to set it up. You know where you want to cover, you know the different piece parts that you want to integrate into your SOC; how are you going to build it, what are you going to do? So the first thing is, let's pick an architecture. For a lot of people this could start as simple as, "I've got Splunk, I've got it feeding data, let's just build around that." So you actually start sending it all of the log data and everything that you want, and someone happens to set debug on a router and you wind up getting a pretty hefty bill from Splunk because you sent them a couple terabytes over a week without really thinking about it. Or you might go cloud-based, and again, simpler, someone else's computers, it's all good, but they're going to charge you, and then you wind up also having to send everything off-site, and a lot of people are like, "you know what, we can't send our data off-site, the company won't allow it." Or you go hybrid. There are a whole bunch of different technologies; Gartner's all over the different architectures that are out there. You need to figure out what architecture you're going to do, and then you actually need to sit down and figure out what you're building.

So you start with all the different data sources, and then you get it into some kind of a system, generally a SIEM. You're going to do a bunch of work to tune it, to pare it down, and eventually you're going to get a list of alerts. When we do this for customers, you start out, I'm feeding it 20, 30 billion log lines in a week, you're going to get a couple million alerts; trying to figure out which ones are really important, which ones aren't, that's sort of the science here. Once you get it tuned down then you've got real alerts. Those are going to turn into incidents, because you're going to start to recognize things that are real, and then the security team, the analysts, are actually going to go in, they're going to do the forensics, they're going to do the detailed work to figure out the ticket, they're going to work the remediation. But what you're really looking for here is, again, you don't want 240 days before you've detected something and then another 30 before you respond. The goal here, the gold standard, is I want to actually get some kind of real-time correlation. I want to know within five minutes that something's occurred. I want to be able to react before I have to go all the way to recovery. I was talking with a gentleman out at our booth earlier, about an hour ago: we had a customer that got ransomware, and we detected it, we were able to get that person to yank that device off the network in under three minutes, and I'm standing here and I'm just tracking it in the email system that we're using, watching it happen. That's what you're going for. A lot of times what we'll hear from customers that we talk to, customers I've talked to when I was at Blue Coat, is they'll come in in the morning and everything's gone, and so their idea of detection is, "I just realized I'm going to have a hateful day, if not a hateful week, trying to recover." It really sort of depends on what you're doing.

The other area that you want is, you need to have forensics capabilities. You need to collect the right data, you need to know where it is, you need to understand where it is. So this is a high-level architecture of what a SOC should be. This is a lot of the detection and forensics pieces, but basically you need a system that can collect the right data, can augment it with the right kinds of data feeds, whether it's security feeds, open-source security tools, maybe you subscribe to something else, get that all in there, understand how it works, and then have the right people. And if you're really going to go for broke, you want to actually go out and hunt and find things before they happen. This is sort of the latest craze in the industry, of taking everything that you've got in a big, I think they're calling them data lakes now instead of data mines, but basically you go into your data, your big data soup, try and find indicators of compromise that are not necessarily the compromise that's about to happen or just happened, but rather, I just got someone opened up an Excel spreadsheet and they've reached out to a command and control center just to say "I'm here," and then it goes dormant for three months. If you've got it tuned right you can see that first reach-out and stop it before it ever goes any further. Also you can start to look for new things: you can go back and replay data through the system as new indicators of compromise come across the horizon of what you're paying attention to. You go back: have I seen this in the previous two, three, four months? See if you were part of the original group that got broken into. But this is what you're going for, and so for a mid-market company you do want some version of something like this.

So the thing that's really important when you're dealing with this is to know what you're going for. This is sort of a setup for a SOC. Then also know what you aren't going for. So when you start to think about, well, what are other things doing, the biggest competitor, if you will, I see to going and trying to convince customers that they need a SOC is the concept, "I'm already doing it, I already have a SOC." If you're a security person and you want to go talk to your boss, your finance guy, your business owner and say, "we need a SOC," they're like, "I thought we already did this, everyone else seems to think we do it." So what isn't a SOC? Let's start talking about that.

So a SIEM on its own is not a SOC. It's a tool, it's a piece of software, it's a cloud service, everyone can look at it. The problem with this is they're generally expensive, generally they charge you for what you put into the database, and then they're very difficult to maintain. And like I said, if you have one person who really likes Splunk and then they go and leave, and someone else who likes QRadar or one of these others, or LogRhythm or something, you wind up completely reshuffling things over and over again. Or you start to pare yourself: "I don't want to send all my Active Directory data in there because it costs too much." So the reason that we say a SIEM is not a SOC is because sometimes their business models are sort of contrary to the idea of vacuuming every piece of data you have up, because you never know when something's going to be important.

The next thing is, let's overload our NOC. We have a bunch of guys, so if someone's laptop breaks they get it; we'll just send the firewall logs to those guys, and they'll get an inbox with 30,000 alerts that say this happened. Those guys generally don't have the expertise, they don't have the time, and eventually what will happen is that they'll turn it off, they'll just put in an Outlook rule, filter it out of the system, and they'll just ignore it. And then, "oh yeah, we're getting the alerts," but they actually don't do anything there.

And then managed service providers, and here I'm not talking about an MSSP, I'm talking about a managed provider that provides storage or printers or other things. They'll say, "absolutely, we can monitor this." That's just like the cloud: someone else's computers. And there are MSPs that do this, but again, do they have the right staff, do they have the right people, how much are they going to charge you to do it? There's all kinds of things here. Do they understand the SLAs involved with something like ransomware, or can they actually go out and do things in a timely fashion?

And then the last one, this always makes me chuckle: googling something is not a SOC. I have lots of people who are like, "I get them, I do reviews," it's just not there. It's Google, we'll start with that, it's a great resource, but this is really, "I don't need a smart person that's going to be expensive, I can go ask the internet," and I'm just like, okay, look where that got the United States this year. Sorry, sorry.

So the other option besides building it yourself is buying a service, and again, this is not a sales pitch, I mean that's what we do, but at the end of the day there are a lot of people who can't afford it. They're a three-person outfit and they can barely keep their head above water, but then there's some people who are like, "no, I don't need it." The functionality that you need needs to be there no matter what. So again, what you're looking for is the right people, the right process, the right technology, and, not to plug my company, that's what we do: we provide security people, we provide technology, soup-to-nuts, to make this all work, and that's really what you need when you're talking about a SOC. And that's what I have. I don't know if there are any questions or anyone... I'll be out at the booth to answer any questions if you don't want to talk about it in the group. Nope? Okay, thank you.
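The pipeline the talk sketches (collect the log sources, normalize them into a SIEM, tune the alert firehose down to real alerts, and replay stored data against indicators of compromise that arrive later) as a small worked example. This is added code, not from the talk or from Arctic Wolf; the ASA-style log lines, the JSON "changed format" lines, the failed-login threshold and the IOC list are all constructed for the demo. It also covers the failure mode the speaker describes, a log source whose format changed after an update so the parser silently produces gibberish: the ingest stage counts the lines it could not parse and a health check flags the source once that ratio crosses a threshold.

```python
"""Added example: a minimal SOC log pipeline in the shape the talk describes
(collect -> normalize -> tune/detect -> respond, plus replaying stored data
against new IOCs). Not code from the talk or from Arctic Wolf; the log lines,
thresholds and IOC list below are constructed for the demo."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Header of a Cisco ASA-style syslog line: "%ASA-<severity>-<msgid>: <message>".
ASA_HEADER = re.compile(r"^%ASA-\d-(?P<msgid>\d{6}): (?P<msg>.*)$")
# Message 113015 carries a rejected AAA login; 302013 a built outbound TCP connection.
AUTH_FAIL = re.compile(r"user = (?P<user>\S+) : user IP = (?P<ip>[\d.]+)")
CONN = re.compile(r"for outside:(?P<dst>[\d.]+)/\d+ .*to inside:(?P<src>[\d.]+)/\d+")


@dataclass(frozen=True)
class Event:
    """Normalized event; the detections below only ever look at this shape."""
    kind: str            # "auth_fail", "conn" or "other"
    user: str | None
    src_ip: str | None
    dst_ip: str | None


def parse_asa(line: str) -> Event | None:
    """Return a normalized Event, or None when the line is not in the expected format."""
    head = ASA_HEADER.match(line)
    if head is None:
        return None
    msgid, body = head["msgid"], head["msg"]
    if msgid == "113015" and (m := AUTH_FAIL.search(body)):
        return Event("auth_fail", m["user"], m["ip"], None)
    if msgid == "302013" and (m := CONN.search(body)):
        return Event("conn", None, m["src"], m["dst"])
    return Event("other", None, None, None)


def ingest(lines):
    """Collect stage: parse every line, counting the ones the parser could not handle."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse_asa(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def parser_health(total: int, unparsed: int, max_ratio: float = 0.05):
    """The 'gibberish data' failure mode from the talk: a source whose log format
    changed (e.g. after a device update) shows up as a rising unparsed ratio, so the
    pipeline alerts on it instead of silently storing garbage. Returns (ok, ratio)."""
    ratio = unparsed / total if total else 0.0
    return ratio <= max_ratio, ratio


def failed_login_burst(events, threshold: int = 5):
    """Simplest detection the talk mentions: many failed logins per (user, source IP)."""
    counts = Counter((e.user, e.src_ip) for e in events if e.kind == "auth_fail")
    return {key: n for key, n in counts.items() if n >= threshold}


def retro_hunt(events, iocs):
    """Replay stored connection events against IOCs received after the fact:
    'have I seen this in the previous few months?'"""
    return sorted({(e.src_ip, e.dst_ip) for e in events if e.kind == "conn" and e.dst_ip in iocs})


# Constructed sample log lines; the last two are in a JSON format the parser does
# not know, standing in for a device whose log format changed after an update.
SAMPLE_LINES = [
    *["%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : "
      "local database : user = jsmith : user IP = 10.1.2.3"] * 6,
    "%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : "
    "local database : user = bob : user IP = 10.1.2.9",
    "%ASA-6-302013: Built outbound TCP connection 41 for outside:203.0.113.5/443 "
    "(203.0.113.5/443) to inside:10.1.2.3/51000 (10.1.2.3/51000)",
    "%ASA-6-302013: Built outbound TCP connection 42 for outside:198.51.100.7/80 "
    "(198.51.100.7/80) to inside:10.1.2.9/51001 (10.1.2.9/51001)",
    '{"event":"auth_reject","user":"jsmith","ip":"10.1.2.3"}',
    '{"event":"conn","src":"10.1.2.3","dst":"203.0.113.5"}',
]
# Constructed IOC feed that arrives "later" (an RFC 5737 documentation address).
NEW_IOCS = {"203.0.113.5"}


def run(lines=SAMPLE_LINES, iocs=NEW_IOCS) -> dict:
    """Run the whole pipeline once and return a summary for triage."""
    events, unparsed = ingest(lines)
    ok, ratio = parser_health(len(lines), unparsed)
    return {
        "events": len(events),
        "parser_ok": ok,
        "unparsed_ratio": round(ratio, 3),
        "failed_login_bursts": failed_login_burst(events),
        "retro_hits": retro_hunt(events, iocs),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Run it directly to print the summary. The two checks that sit beside the detections are the point: the parser-health ratio turns "you won't know that till you go look at it" into an alert on the log source itself, and the retro-hunt over already-stored events answers the "have I seen this in the previous few months" question without collecting anything new.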