
Why Oh Why! The Confusion With SOC And IR - Jymit Khondhu

BSides Newcastle, published 2024-01

Why oh why, the confusion with SOC and IR. My name is Jymit Khondhu. I'm a security engineering manager at Amazon Web Services (AWS), and I manage and lead the team of automated threat detection and response engineers in our cloud security organization. I've worked in security operations and engineering at places like Credit Karma, Rackspace, Elastic, LogRhythm and Zimbra. I hold a few GX certifications; nowadays who doesn't? And I'm a fan of their training, conferences and resources. Shout out to Ben Doy and Grant of Infect BattleBots; I met them at BSides Dublin earlier this year, and I guess that's why I'm here. Disclaimer: all my views are my own and not of my employer. This is not a talk related to AWS; it's just my subjective take on the topic.

Abbreviations that might pop up: SOC, security operations center; IR, incident response; DFIR, digital forensics and incident response; MA, malware analysis and reverse engineering; and JD, I'll probably use that one the most, just meaning job description.

OK, so I want to talk about commonly noticed misunderstandings I see from SOC analysts today. So a couple of questions. Does working in a SOC automatically make you an incident responder? No, maybe. Is it a good pathway, and does it build the needful skills? Yes. Is diving into logs and closing alerts incident response? It depends. And this talk is for the new folks, perhaps in your first, second or third SOC-type role.

So I'm going to go over some JDs, going over some SOC ones specifically to start off with, and I've highlighted in orange the SOC responsibilities, blue the IR responsibilities, and red for threat, just to see how many times the word threat comes up and where confusion can lie. I'm just going to talk about the highlighted pieces. Job A: rapid investigation and response, mention of security incidents, but also handling escalated security incidents and performing investigations, and these are just SOC analyst roles. Job B: develop threat detection capabilities, identify, prioritize, detect, and purple team also. If you can work out where these job descriptions come from, that's fine. How about job C: accurate detection, response, containment, and the word threat, intrusion detection, threat hunting, and some sensitive data before a potential breach. Job D: respond to threats, the threats come up again, responding to alerts and incidents. Incidents I'm correlating with incident response, and then escalating identified critical issues to the incident response team, and then we have support threat response and incident investigations. So I'm trying to just showcase: what is the job for a SOC analyst? But actually there's some connotation back to incidents and threats. What does that mean? Job E: monitor, prevent, detect, respond, managing threats; security incident has come up again. Job F: respond to security incidents, threat detection and investigation, and produce documentation. So which is it? Will these analysts be working on threats or incidents? It's not very clear.

And so this talk isn't a deep dive into what SOC analysts or IR folks do; I've purposely kept it high level. So just a couple of points on what they typically do: have strong technical skills and cyber security principles; respond to security alerts or tickets or events, whatever your organization's nomenclature is; and have good communication skills. You want to be able to analyze, triage and respond with good judgment and be quick learners.

And I'm going to cover a couple of IR job descriptions, and here there's no real mention of any SOC-type work; there's a lot of blue popping up. So, you know, thorough investigation, in-depth knowledge, threat actors, forensics. And then job B: incident response frameworks, IRP, collaboration with engineering, product and operations teams, maintaining a robust response. A couple more before we move on; the word threat has come up quite a few more times. And so job C: developing and maintaining an IRP, that's come up again, and data collection and analysis of incident response data. Job D: super exciting opportunity, so if anyone wants the link to this, let me know, I'll send it across to you. D: investigate, hands-on investigation, complex digital forensics and IR, and mentoring and training younger folks, so training of the SOC analysts. Cool.

What they typically do, again very high level: respond to security or site incidents; they have great communication skills, especially written, when you want to send incident communications to leadership internally or externally; and they are experienced with putting events into UTC-friendly chronological order, because you kind of have to; and using digital forensics and malware analysis for root-causing events. And what definitely should be out there is: educate users and teams to prevent future incidents.

So that's all the data. The subjective bits I want to add and talk about are the blurred lines. There in the SOC job descriptions there was a lot of use of the word threat, and it looked like you'd be working on security incidents, but the role, it can be confusing for SOC analysts. For incident responders it's completely different, but there are blurred lines, and that comes from a number of places: one being the job description; another could be the type of SOC team design that the organization has. They could have a tiered or tierless model, tiered being tier one, tier two, tier three, you can have a tier four, so your level one analyst, your level two analyst, and then you also have tierless, so all of those level one to level four squashed into one and everyone works on everything. So the tierless model, where everyone's working on everything, that's where you could be doing incident response, you could be trawling through logs and putting things in chronological order, malware analysis, so working on more complex things. So that's one place confusion can come from.

For more blurred lines, I do agree that there will be roles where you'll be doing a lot more as we go into the future. You'll be doing SOC and IR and perhaps a bit more, adding more capabilities into the business, into departments, such as detection engineering, threat hunting, etc. I saw a tweet recently by D Johnson, and there's a list of roles in our industry right now that are becoming extensive, and I expect this to continue and evolve further. Just to call out a few: SIEM engineer, endpoint security engineer, security engineer for GRC, offensive, adversary emulation; like, the list goes on. I've linked the tweet in the slides, and there are about another 20 more "something security engineer" roles out there nowadays.

So my closing thoughts are: the confusion comes from a number of places. It's coming from the job descriptions, it's coming from perhaps your conversations with recruitment, perhaps how your leadership communicated with you, so going into those interviews, what you're hired to do versus what you're actually doing. And it all comes down to your understanding of it, especially if you're new in security operations, in your first L1 or L2 role; it's confusing. But I just want to say, let's not confuse our analysts, because they are going to be our future DFIR engineers or managers. So yeah, that's all for me. If anyone wants to talk anything SOC, anything engineering, let's hang out afterwards. Thank you.