
Okay, so: "Suck It Up: Common Frustrations and Solutions in SOC Teams Today". My name is Jim Itson; Condi is my Twitter handle. I mostly use it for following and reposting things, I don't really post a lot. I've got a lot of content, so I'll get started straight into that. A bit of a preamble about myself: I've got a unique name, so it's very easy to find stuff about me online, please don't. I'm currently doing all things blue team for a cloud computing and hosting company. Fun fact: I'm recently back from SANS Amsterdam, facilitating there, which was good fun, shout out to Taz and Eva. My background is one of open-source software, full-stack software support engineering with the likes of Zimbra, LogRhythm (not open source), and then over to Elastic, but there's been heaps of cybersecurity along the way. I joined the security team over at Zimbra, responding to vulnerability reports and internal testing, all things SIEM at LogRhythm, and at Elastic supporting logging as well as a few threat analytics folks. Anyway, here I am, and I'm here to tell you that I'm just not that impressed. I'm someone that likes to find areas of improvement and put those forward, not to complain, but exactly to improve, improve, improve: improve the team, improve the tooling and just what we do day to day, so it doesn't become so mundane and boring.

So I'm going to be going over some common frustrations. I've got a fair few frustrations, and a conclusion of solutions at the end of it, quite short at the end, because there's a lot of content. Over the last six months I've been talking to friends, peers, even interviewees, and even a few incident response folks at SANS to find out what they have seen and what has frustrated them, whether within their SOC teams or where they've worked or contracted, and you know, alert fatigue, old technology and budget constraints have been sort of the top three. Is it too early for cat pics? I'll get started.

PSA: by no means is this a depiction of the SOC team that I work in right now, and if your SOC or your CERT team have any one or many of these, it's not a problem as long as there's a thought process, it's something that's a work in progress, and there are some priorities aligned to these. At the same time I can't possibly go through everything today; if you think there's one or two particulars that I really did miss out on, please do mention me on Twitter, but I'm more active on LinkedIn, happy to have a conversation always. So the layout I'm going to follow is just: the frustration, what it is, and what it means for the SOC or the analysts.

I'm going to start with legacy technology, not alert fatigue. Legacy technology being tooling or an application that was created X amount of years ago inside the organization and is a part of the day-to-day processes. For example, an asset management tool that you've got to log into: it's got a pretty slow UI, could be based in another region, and it's got a bit of a slow search. So it's something you've got to log into, you've got to have another tab open, and it could be something that potentially needs to fall under the SSO of the internal security.

Alert fatigue: are you inundated with alerts? I mean literally thousands of alerts, heaps of false positives. They could be low-level, high quantity; they could be high severity level, high quantity; and with that comes a potential for a lack of enrichment. What that means for the SOC and analyst is less downtime to do research and development, automation of tasks, as well as tooling. You could have particular analysts that are passionate for an area, they might want to learn some Python or scripting, and they can't do that because they're just so inundated. You have a higher churn of analysts, and that's expensive for an organization. You're more mistake-prone, wanting to keep up with alerts. Let's say your particular analyst really likes phishing; they're following a phishing campaign, or they're following along with a particular APT, so they have to do that as well as keep on top of all of their day-to-day alerts. And this could be a sign of two things: perhaps some of those alerts need suppressing, or probably aggregating, but I feel that's more the architecture or engineering side of things, not so much SOC, depending on how the teams are set up; and the other thing is perhaps you need to onboard more analysts to load-balance the number of alerts. You can't get alert fatigue if you just don't check the alerts, right? That's fact.

All right, on to lack of enrichment. Okay, I'm going to set the scene here: you've got the alert, you've got the IPs, you've got the ports, you've got a hash. That's great, it's a good start, but nothing else, and then we're talking about yet another application you've got to log in to, another tab you could have open, and again this transfers over to being more mistake-prone. Another example being not being able to ingest DNS or full packet capture into your single pane of glass due to sizing issues or costs; we've all heard of this before. Perhaps you can, but for a shorter retention period. What this means for the SOC and/or analyst, especially for the first example, is a slower mean time to detect and a slower mean time to respond; yet another application means more tabs, and that's just slowing you down, using so much RAM. And on the other example of DNS and full packet capture, you're missing out on that pre-attack stage, if we're talking MITRE ATT&CK framework, that reconnaissance; you're not getting those initial IOCs to see how they're scanning, how they're going to think about actually moving across there.

On to outdated equipment and budget constraints, so I'm going to couple some of these up as I go along. You start the new role, you've been given a managed machine that's three years old and it's got a bit of a flickering screen. If you're working with a US or a UK keyboard layout and you've got a dodgy domain with funky European characters in there, you've got to squint or you've got to really work it out. The equipment doesn't really help the speed of us working through the alert, working through those cases. It would be nice for all of us to have, you know, a juicy brand new machine with 16 gigabytes to crack on with sandboxing and producing reports, for example. What this means is, immediately coming in and being given that old machine, in the back of your mind you're thinking, I've put an X next to this company already, they've given me old machines, I can't work as efficiently as I can. Budget constraints means not the latest tools, not the latest EDR, all that cool stuff everyone out there is using, and not the latest training. And the goal is to keep all the analysts happy: you keep them happy, they keep the SOC churning along.

Next, inexperienced peers and tribal knowledge. Some SOCs or CERTs may have a tiering of analysts, level one, two, three, four, four being the Yodas, the SMEs of a particular area: malware analysis, reverse engineering, forensics or even SIEM aficionados. And it's not nice, therefore, sometimes with newer folks, the older folks might state "that new guy didn't follow our SOP or that runbook, they've missed something", and it's not nice: "they're always asking questions or making mistakes, this slows down the team, slows down case management", and slowing down the SOC with those high number of alerts that we're talking about. Questions, I think, in my own opinion, and I'll mention at the end, are great; that's how we've all started and that's how we got to where we are. And then tribal knowledge, sharing, right? So tribal knowledge of those means they want to be the Super Saiyan experts of those particular areas. They could have an ego; we've all come across someone with an ego, or we have also come across folks that are just so willing to share, amazing folks. But those knowledge holders, sitting on forums or Twitter like "yes, I've seen that SHA hash before" or "that's APT18 there", they know how to unpack all the malware, they know all the OllyDbg shortcuts. Another piece of tribal knowledge is they could just be geographically or time-zone-wise not available to disseminate knowledge with the junior engineers, and I think this holds back junior analysts from learning. It creates a culture of not sharing, as well as in the workspace no one starts sharing knowledge; even if a junior analyst goes away and learns something, they don't feel that they're in an environment to share that even wider, inadvertently slowing down the growth and strength of the SOC team.

On to the next: lack of automation, lack of using the latest methodologies and a lack of tooling. I'm going to set the scene here: you've got one tab where your SIEM is and your logs have come in, you've got another tab of case management, you've got another for your runbooks where you've got your incident response steps, and it's all very compartmentalized. You have to log in to so many, yet another application, and you're just very prone to making mistakes. All of that could be automated; save yourself 15 to 30 minutes of alert or case time. And then on to not using the latest methodologies: let's say you're not using the latest cloud technologies, container security or technology maps, not even machine learning yet. Have you thought about a zero trust model? Also tying this in with budget constraints: are you using the latest IDS and SIEM, EDR, DDoS mitigation tools? What this means for the SOC and/or analysts is they're having to put a lot more time and effort into their day-to-day work without having that automation there; they're inundated with alerts, it just piles on, it's not that great. And for analysts, they just don't get that much exposure to the latest tooling, then they might personally feel that they're not employable if they were to leave that employer at that time; they're not working on all things Lauer, all things cloud, all things SecDevOps that we hear about nowadays.

On to the next. This is one of my own, not personal, but one I feel close towards: a lack of communication and cohesion, lack of threat intelligence and a lack of purple teaming. You've got your red team running their hunts, their normal operations; sometimes they tell you, sometimes they don't tell you that they're running a hunt. That might give you an IP address or SSO user, so you know that if you see that in your SIEM, you know what to look for, that's a false positive, that's cool. Your blue team is running business as usual, but in all of this there's a lack of cohesion, communication and, for me, and I put this in there most importantly, collaboration. I've seen something in the last 12 months where there were IOCs in the wild three days prior and there was no threat intelligence, or a red team, or any of that brought into case management, and then we saw scanning and potential pre-exploit due to that. But if we had that threat intelligence already, whether it's by a threat intelligence team, by a red team, or even a proactive blue team, to go in there, grab those IOCs, put those in a case, you're one step ahead. You want to find the vulnerabilities before others do.

All right, quick cat break, I think we're okay now. This is a nine-week-old kitten named Zeus that my mom's babysitting. I'm adorned in a lot of cat stuff today, because I love cats.

Okay, I want to go into common solutions. I sort of paired these up, given the time. Legacy tech: use those pain areas to drive budget. Okay, it's fine you're using legacy technology; if you've got an old asset management tool that you've got to log into, it's cool, but make it work for you, make it drive the budget, and perhaps even start looking and talking about a zero trust model inside of the SOC or organization. Alert fatigue: automate, make more time, hire more analysts, get management into the trenches talking with the analysts, find out what the analysts like, love, what they're passionate for and where they want to grow. Enrichment, or a lack thereof: it is not too hard. You know, there's heaps of open-source technology out there too; if you want to spin up a VPC and try out a new cool open-source technology or feed and just POC it, talk to your folks in the SOC saying "hey, I did this in my spare time, I want to bring this into the SOC". Because you're so inundated with alerts, okay, you're having to use time outside of work, and if you're working 10-12 hour shift rotations it's not that easy, so be proactive. Old equipment and budgets: use those pain areas for budget. You'd rather pay fifty thousand pounds pre-breach for a tool or technology or for analysts than five hundred K plus post-breach. Next, to do with the junior peers and the tribal knowledge: teach, grow, learn, goddammit. As in, you've got to disseminate that knowledge; how else will the juniors learn, or how will they become SMEs one day? Automation is awesome, automation is efficiency. Take an analyst out of the rota for one day, let them go learn, and you'll get more tomorrow. Automate something: automating case management so you don't waste fifteen minutes copy-pasting to get the case closed. Save time, efficiency, perhaps even R&D into machine learning for faster detection and response, giving the SOC more time to do all the good stuff, fast response. Purple teaming, I think I'm going to talk about this next, there's so much there: just collaborate and aim for greatness. Get the red and blue team sitting together, give them feedback; the red team run a hunt or whatever they do, have a five-minute, ten-minute Zoom call, Slack, send them over some documentation: this is what we found, these are the IOCs. Do it, aim for greatness. Over-communicate. I've worked remote previously, and over-communication and collaboration is a good thing; you're better off over-communicating than not. In short, everyone's on the same page, locally, regionally, geographically, so not that someone wakes up in EMEA or APAC one day saying "oh, by the way, we're replacing our SIEM" and you just found out about it on the day. Not cool. Communicate. And yeah, less ego, more EQ, more empathy, more whiteboarding, more sharing knowledge, have patience, teach. I like to disseminate knowledge as much as I can; I'm not that great, we're all still learning, but it's a cool thing, because if you share the knowledge, you really feel that you really do know it. So yeah, don't be shy, share the love, and thank you very much.