Best Of The World In Security Conference
Best Of The World In Security
12-13 November 2020
How to Build Effective SoC
Amit Modi
#CISOplatform #SACON
Agenda
• What is SoC
• Key Functions of SoC
• What are The Responsibilities of SOC
• SoC Reference Architecture
• Visualizing NextGen SoC
• SoC Success Pillars
• SoC Building Journey
• Key Elements of Building SoC
• SIEM Evaluation Criteria
• SoC Maturity Model
• Sample SoC Maturity Plan
• Defining & Building the SoC Use Cases
• SIEM Use Case Development Template
• SoC as Business Enabler
• MSSP Vs. On Premise SoC
• SoC Implementation Methodology
• Incident Management Cycle
• Challenges of SIEM
• Defining SOAR
• Role of SOAR in Incident Management
• Advantages of SOAR
• Key Elements to Look for in SOAR
• SOAR Use Case Development Template
• SOAR Evaluation Criteria
• Narrowing Down: Challenges & Expectations Vs. Solution
• Reference Architecture with SOAR
What is SoC
• SOC stands for Security Operations Center: a team of cybersecurity personnel dedicated to monitoring and analyzing an organization’s security while responding to potential or current breaches.
• The team is responsible for scanning all the security systems in real time.
• This first line of defence works around the clock to protect an organization’s security infrastructure from potential cyber threats.
Key Functions of SoC
• Real Time Monitoring
• Security Incident Detection & Mitigation
• Risk Management
• Vulnerability Scanning
• Security Incident Analysis (Protecting Evidence for Investigation)
• Intelligent Analysis & Correlation
• Reporting
What Are The Responsibilities of SOC
• SOCs use strategic methodologies and processes for active surveillance and real-time analysis of an organization’s security infrastructure. The team carries out the following tasks.
Task: Description
Identify assets: SOC operations start with gaining a holistic understanding of the tools and technologies at their disposal. The team learns about the hardware and software running on the systems. This in-depth understanding helps in the early detection of potential cyber threats and existing vulnerabilities.
Proactive monitoring: A SOC primarily focuses on detecting malicious activities on the network before they can lead to substantial harm.
Manage logs, configuration change, and response: Thorough management of activity logs helps a cyber forensic investigator trace back to the point where something may have gone wrong.
Rank alerts as per their severity: Whenever a SOC detects a threat or irregularity, it is responsible for ranking the severity of the incident. This ranking helps in prioritizing the response to the event.
Adjust defenses: A SOC adjusts its defenses through vulnerability management and by increasing its awareness of threats. This helps the team stay vigilant for breaches.
Check compliance: SOCs can check whether the organization complies with applicable regulations and standards.
Notify on security breach: Organizations aim for minimal or no network downtime when hit by unexpected security incidents. A SOC alerts the stakeholders as quickly as possible to help ensure business continuity.
SoC Reference Architecture
Visualizing NextGen SoC – Technologies & Process
(Diagram; the technology and process blocks it shows, recovered from the slide: IT Infrastructure Security; Application/DB Security; Consulting & IT GRC; Security Controls; Policy & Audit; Risk & Compliance; Business Continuity; Vulnerability Management; Log Management; Access & Identity; Visibility & Compliance; Security Analytics; Data Protection & Control; IT Change & End Point Monitoring & Management; Incident Response; Threat Intel. Feeds; Forensic Data Capture; Threat Detection; App Sec; CMDB; Software Asset Management.)
SoC Success Pillars
SoC Building Journey
• Identification of various teams and types of devices
• Identification and categorization of Logs – Critical, Major, Minor, Informational
• Integration procedures for all types of device and awareness to the departments
• Dashboard Customization as per Requirement
• SOC Operation Manual (SOPs / Run Books)
• BCP document for SOC devices
• Back-up Procedure
• Incident Management Policy and Procedure
• Scheduled Reports
• Trainings
Key Elements of Building SoC
Packet Capture
1) Unique Threat Detection, Forensics & Response lifecycle
2) Real-time forensics
3) Proactive hunting
4) Detect Unknown threats
5) Visualize Attacks on End Points
6) Automatic Event Prioritization
Cyber Security Operations Center Feeding
1. Defining an Asset- and Network-based, threat-modelled Use Case approach
2. Seamless, SME-level Log Monitoring, Correlation & Analysis
3. Resolution for L1/L2 incidents using Machine Learning
4. Self-Learning capabilities with Actionable Intelligence
IR Process / Tool
1. Automation of the manual Event-to-Incident trigger
2. Full automation of response activities with Forensics linking
3. Workflows & tasks for Cyber Security Incident Response
4. Remediation Advisory & Playbook availability
Threat Intel
1) Contextualisation, Prioritization and Automation of Events
2) Empowering security operations centers and incident response teams with domain-specific curated feeds
3) Feed ingestion into Logs, Events & Packets
Security Governance Dashboard
1. Security-based OneVue Reporting with GRC View
2. Integrated Governance Model
Investigation & Analytics
1) Intelligence-driven big data platform for NBA and UEBA
2) Zero-Day Analytics and pattern data analysis
3) Predictive, accurate & proactive assistance for Threat Hunting processes
Visualization
1. Attack Tree Depiction
2. Visualize a meaningful view of data
3. Linking contexts of Risks, Threats and Behaviour activities
4. Interactive Dashboard
SIEM Evaluation Criteria
• Real-Time Monitoring & Alerting
• User Activity Monitoring
• Use Case Investigation
• Threat Detection / Intelligence
• Forensic Capability
• Data Analysis
• Automated Response Capabilities
• Long Term Event Storage
• Scalability
• Integration
• Business Applications
• Infra Devices
• Reporting
SoC Maturity Model
(Diagram; the labels it shows, recovered from the slide.)
Governance columns: Context and Leadership; Evaluation and Direction; Compliance, Audit, and Review.
Management columns: Prevention; Detection; Response and Recovery; Measurement.
Governance elements: Information Security Charter; Culture and Awareness; Information Security Organizational Structure; Security Risk Management; Security Strategy and Communication; Security Policies; Security & Engineering Compliance Management; External Security Audit; Management Review of Security; Internal Security Audit & Security Assessments.
Management elements: Identity and Access Management; Identity Security; Data Security; Asset Management; Data Security & Privacy; Infrastructure Security; Network Security; Metrics Program; Endpoint Security; Malicious Code; Application Security; Vulnerability Management; Red Teaming; Technical Assessments (Infra, App, Web); Physical Security; Configuration and Change Management; Vendor Management; Security Threat Detection; Log and Event Management; Security Incident Management; Security eDiscovery, Intelligence & Forensics; Containment & Recovery; Information Security in BCM; Continuous Improvement; Change and Support; HR Security; DevSecOps-Cloud Security; Reporting; Behaviour, Pattern and Anomaly; TPS.
Sample - SoC Maturity Plan
Columns: Band | Technology Offered | What Will be Covered | Expected Output | Time Line of Maturity

M1
- Technology Offered: SIEM + VAPT as a Service
- What Will be Covered: Organization's Infra (Network Devices; Security Devices)
- Expected Output (Deliverables): Log Collection; Log Correlation; Alerts; Advisories; 24x7 Monitoring (People); VAPT Services (Assessment & Closure Guidance)
- Time Line of Maturity: 1 Year

M2
- Technology Offered: M1 + Advanced SIEM as a Service
- What Will be Covered: Organization's Infra + Apps + DB + TIP (M1 Infra; Business Applications; Databases; Threat Intel Feed)
- Expected Output (Deliverables): M1; Business Application Use Cases; Advanced Correlation; 24x7 Monitoring (People); VAPT Services (Assessment & Closure Guidance)
- Time Line of Maturity: 1 Year

M3
- Technology Offered: M1 + M2 + Analytics + EDR + FIM
- What Will be Covered: M1 + M2 (UEBA; NBA; EDR (Servers & EndPoints); File Integrity Monitoring)
- Expected Output (Deliverables): M1; M2; User & Entity Behavioural Analytics; Network Behavioural Analytics; Malware + Ransomware Protection; 24x7 Monitoring (People); File Integrity Monitoring; VAPT Services (Assessment & Closure Guidance)
- Time Line of Maturity: 1 Year

M4
- Technology Offered: M1 + M2 + M3 + Incident Response + Process
- What Will be Covered: M1 + M2 + M3 (Incident Response; Incident Management; Process)
- Expected Output (Deliverables): M1; M2; M3; Incident Response; Incident Management; SoC Processes
- Time Line of Maturity: 1 Year

M5
- Technology Offered: M1 + M2 + M3 + M4 + Automation
- What Will be Covered: M1 + M2 + M3 + M4 (Tool Automation; Process Automation)
- Expected Output (Deliverables): M1; M2; M3; M4; Tool Automation; Process Automation
- Time Line of Maturity: 1 Year
Define & Build the SoC Use Cases
(Workflow from the slide, in order:)
1. Objective – Problem Statement
2. Threat / Protect / Monitor
3. Stakeholders
4. Data Required
5. Logic
6. Testing with Sample Data
7. Priority
8. Output (Rule / Alert)
9. Evaluate & Refine
SIEM Use Case Development Template
• Aim
• Fundamentals of Use Case
• Log Sources
• Log Parameters
• Correlation Rule
• Threshold
• Outcome
• Benefit
SoC as a Business Enabler
• A SoC can be a “Business Enabler” by picking up the logs from Business Applications, Databases, etc.
• Build the Use Case based on the Problem Statement of the Business Owners.
• Define the expected output.
• Pick up the data sources and fields from those applications and databases.
• Put the logic in place based on the expected output against the Problem Statement.
• Define the Action, Priority & Output, then test it further.
• Keep refining the same on a regular basis.
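As an added worked example (not from the deck), the use-case template above is filled in for one business-application problem statement and run over constructed sample login events: the aim, log sources, log parameters, threshold, priority, outcome and benefit are fields of a Python dataclass, and the correlation rule is a sliding window that raises an alert when a success follows the threshold number of failures from the same user and source within the window. The application names, field names and log lines are all made up for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample login events (ISO timestamp, then key=value pairs); not from the deck.
SAMPLE_LOGS = """\
2020-11-12T09:00:01Z app=payments event=login user=alice src=10.1.1.5 outcome=failure
2020-11-12T09:00:09Z app=payments event=login user=alice src=10.1.1.5 outcome=failure
2020-11-12T09:00:20Z app=payments event=login user=alice src=10.1.1.5 outcome=failure
2020-11-12T09:00:31Z app=payments event=login user=alice src=10.1.1.5 outcome=failure
2020-11-12T09:00:44Z app=payments event=login user=alice src=10.1.1.5 outcome=failure
2020-11-12T09:01:02Z app=payments event=login user=alice src=10.1.1.5 outcome=success
2020-11-12T09:30:00Z app=hrportal event=login user=carol src=10.2.2.2 outcome=failure
2020-11-12T09:30:05Z app=hrportal event=login user=carol src=10.2.2.2 outcome=failure
2020-11-12T09:30:09Z app=hrportal event=login user=carol src=10.2.2.2 outcome=success
2020-11-12T10:15:00Z app=payments event=login user=dave src=10.3.3.3 outcome=failure
2020-11-12T10:15:01Z app=payments event=login user=dave src=10.3.3.3 outcome=failure
2020-11-12T10:15:02Z app=payments event=login user=dave src=10.3.3.3 outcome=failure
2020-11-12T10:15:03Z app=payments event=login user=dave src=10.3.3.3 outcome=failure
2020-11-12T10:15:04Z app=payments event=login user=dave src=10.3.3.3 outcome=failure
2020-11-12T10:40:00Z app=payments event=login user=dave src=10.3.3.3 outcome=success
"""

@dataclass(frozen=True)
class UseCase:
    """One filled-in row of the deck's SIEM use-case template."""
    aim: str
    log_sources: Tuple[str, ...]     # applications whose logs feed the rule
    log_parameters: Tuple[str, ...]  # fields every event must carry
    threshold: int                   # failures needed before a success is suspicious
    window: timedelta                # failures older than this are forgotten
    priority: str
    outcome: str
    benefit: str

# Hypothetical use case derived from a business owner's problem statement.
BRUTE_FORCE_THEN_SUCCESS = UseCase(
    aim="Flag an account that logs in to a business application right after a burst of failures",
    log_sources=("payments", "hrportal"),
    log_parameters=("user", "src", "outcome"),
    threshold=5,
    window=timedelta(minutes=10),
    priority="High",
    outcome="Alert to L2 with user, source IP and failure count",
    benefit="Business owners see credential guessing against their own application",
)

@dataclass(frozen=True)
class Alert:
    priority: str
    app: str
    user: str
    src: str
    failures: int
    at: datetime

def parse_line(line: str) -> dict:
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp becomes a UTC datetime."""
    ts, _, rest = line.partition(" ")
    ev = dict(kv.split("=", 1) for kv in rest.split())
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def correlate(lines: List[str], uc: UseCase) -> List[Alert]:
    """Correlation rule: per (app, user, src) keep the failures inside the window; a
    success arriving while >= threshold failures are in the window raises an alert."""
    recent: Dict[tuple, deque] = defaultdict(deque)
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("app") not in uc.log_sources or ev.get("event") != "login":
            continue
        if any(p not in ev for p in uc.log_parameters):
            continue  # required parameter missing: skip rather than correlate on a guess
        failures = recent[(ev["app"], ev["user"], ev["src"])]
        while failures and ev["ts"] - failures[0] > uc.window:
            failures.popleft()  # slide the window forward
        if ev["outcome"] == "failure":
            failures.append(ev["ts"])
        elif ev["outcome"] == "success":
            if len(failures) >= uc.threshold:
                alerts.append(Alert(uc.priority, ev["app"], ev["user"], ev["src"],
                                    len(failures), ev["ts"]))
            failures.clear()  # a success ends the burst either way
    return alerts

def run_sample(threshold: int = BRUTE_FORCE_THEN_SUCCESS.threshold) -> List[Alert]:
    """'Testing with Sample Data' and 'Evaluate & Refine': rerun with a candidate threshold."""
    return correlate(SAMPLE_LOGS.splitlines(), replace(BRUTE_FORCE_THEN_SUCCESS, threshold=threshold))

if __name__ == "__main__":
    for alert in run_sample():  # fires once: alice, 5 failures then a success inside 10 minutes
        print(alert)
    # dave never fires (success 25 min later, outside the window); threshold 2 would also
    # fire on carol's two mistyped passwords, a likely false positive worth refining away.
    print(len(run_sample(threshold=2)), "alerts at threshold 2")
```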
MSSP Vs. On Premise SoC
SoC Implementation Methodology
1. Strategy and Roadmap
• Maturity assessment across governance, operation, technology, integration and processes
• Strategy development from Current State to Future State
• Roadmap with milestones and financial budgeting
2. SIEM & Current Tech Optimization
• Use Case Fine Tuning and Framework
• New use case creation
• Response Run Book
• Log Source Integration
• Reporting and Visualization
3. SOC Governance
• SOC Organization
• Roles and Responsibilities and RACI
• Performance Indicator and Management
• Skill Analysis and Metrics
• Training
• Roster Management
4. SOC Processes and Workflows
• Incident Management – Monitoring, Validation, Analysis, Triage, Escalation, Response and Resolution
• Problem Management
• Forensics Process
• Device on-boarding
5. SOC Reporting and Analytics
• SOC Advanced Reporting
• Visualization
• Analytical Reporting and Dashboards
6. Cyber Defense and Security Operations
• Tiers: L1 Monitoring and Validation; L2 Triage and Escalation; L3 Response and Coordination
• Security Integration: Vulnerability Mgmt; Asset Management; Identity Mgmt; Data Security; Incident/ticketing tool
• Security Analytics & Incident Reporting; SIEM Architecture
• SOC Engineering: Rule Dev/Tuning; Tool Integration; Device Mgmt
• SIRT: Incident Handling; Forensic Handling
• Security 2.0 Operations: Incident Monitoring; IOC Management; SIEM Rules and Use Case; Response Playbooks; Threat Hunting; Simulations and Stress Test
Incident Management Cycle
The Cybersecurity Logical Operating Model is comprised of three core intelligence-driven functions: Prepare, Predict & Detect, and Respond & Recover.
(Diagram; its blocks recovered from the slide:)
Cross-cutting layers: Cybersecurity Governance; Security Service Performance Management; Continuous Improvement
1.0 Threat Intelligence: Threat Modeling; Threat Analysis; Intelligence Exchange; Intelligence Gathering
2.0 Vulnerability Management: Vulnerability Identification; Remediation Tracking; Vulnerability Prioritization and Reporting
3.0 Cyber Operational Advanced SOC: Security Monitoring; Event Triage; Prioritization and Reporting; Compliance Monitoring; Log Management
4.0 Advanced Security & Analytics Operational: Normalization; Data Quality Management; Data Collection and Enrichment; Algorithmic Data Modeling; Data Visualization
5.0 Security Incident Management: Identification and Triage; Forensic Analysis; Communication; Response; Recovery
6.0 Active Defense: Containment; Reverse Engineering; Track down; Automation; Deception
7.0 Supporting Capabilities: IT Governance; IT Service Management; Enterprise Risk Management; Asset Management; Analytics
Challenges with SIEM
Challenges
• SIEM Generating Huge amount of Alerts
• Incidents Getting Missed
• Lack of Threat Visibility
• Finding Lateral Impact
• Learning from Past
• Finding the RCA
• Skills Shortage
• Incident Based SLA Management
• Incident Closures
• Reporting (Technical; Business Context; Performance Based)
Expectations
• Business Context to the Investigation
• Adding BigData Analytics
• Bulletin Boards to the Team
• Case Management
• Automating Runbook
• Threat Visibility & Spread
• Avoid Over Detection & False Positive
• Automate Similar Incidents
• Prioritization Based on Business Impact
• Incident Containment as a First Step
• Surgical Response for Accurate Threat Eradication
• Practicing the Crisis Situation
Defining SOAR
The term describes the merging of three distinct and interconnected solutions:
• Security Automation & Orchestration (SAO)
• Threat Intelligence Platforms (TIP)
• Security Incident Response Platform (SIRP)
SOAR is a term coined by Gartner which stands for Security Orchestration, Automation and Response. Many of the characteristics that describe SOAR are unique to this technology, which is why SOAR is growing in demand in the modern cyber security industry. SOAR helps SecOps and CSIRT teams in many ways, most notably in the three areas above.
Role of SOAR in Incident Management
• Improving the efficiency of the security operations by automating workflow processes
• Improving the detection of false positives through Incident Enrichment
• Centralizing the operations from a single panel
• Seamlessly integrating different cyber security tools to simplify workflow processes
• Automating tasks without the need for human intervention wherever needed
• Auto Alignment to the various Compliances
• Help in accurate Threat Hunting
• Faster Response (Containment & Eradication)
Advantages of SOAR
• Improve the reaction Time To Threats (TAT)
• Reduce the Number of False Positives
• Calculate Risk Assessment
• Perform Evidence Management
• Free analysts from handling low-risk, repetitive tasks
• Fully document threat analysis
• Measure success by following important KPIs
• Leverage the open-integration framework to align with various tools and technologies
• Improving the efficiency of the security operations by automating workflow processes
• Improving the detection of false positives
• Centralizing the operations from a single panel
• Seamlessly integrating different cyber security tools to simplify workflow processes
• Automating low-risk tasks without the need for human intervention
Key Elements to Look for in SOAR
• Case Management
• Automation
• Multi-Tenancy
• Community Support
• Additional Features
• Pricing
• RBAC
• Automated Queue Management
• Scalability
• Reports and Dashboard
• Vault Integration
• Machine Learning
• Other
SOAR Use Case Development Template
• Goals
• Integration
• Creating RunBook (Workflow)
• Enrichment
• Escalation
• Containment
• Response
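An added example, not from the deck, that walks the SOAR use-case template above (integration, runbook, enrichment, escalation, containment, response) as a small Python playbook, and includes the human supervision, safe mode and activity-log elements from the evaluation criteria. The Threat Intel, CMDB and EDR integrations are constructed in-memory stand-ins, and the host names, IP addresses and rule names are made up.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for the Threat Intel, CMDB and EDR integrations in the
# deck's SOAR reference architecture; a real playbook calls vendor APIs here.
THREAT_INTEL: Dict[str, bool] = {"198.51.100.7": True, "203.0.113.9": False}  # ip -> malicious?
CMDB: Dict[str, dict] = {
    "pay-db-01": {"owner": "payments", "criticality": "critical"},
    "kiosk-12": {"owner": "facilities", "criticality": "low"},
}

class FakeEdr:
    """Records isolate() calls instead of talking to an endpoint agent."""
    def __init__(self) -> None:
        self.isolated: List[str] = []

    def isolate(self, host: str) -> bool:
        self.isolated.append(host)
        return True

@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    src_ip: str

@dataclass
class Case:
    alert: Alert
    enrichment: dict = field(default_factory=dict)
    priority: str = "P3"
    tier: str = "L1"
    status: str = "open"
    duplicate_of: Optional[str] = None
    activity: List[str] = field(default_factory=list)  # audit trail of every step

    def log(self, msg: str) -> None:
        self.activity.append(f"{self.alert.alert_id}: {msg}")

class Playbook:
    """Runbook: enrich -> prioritize -> link similar -> contain (gated) -> respond."""
    def __init__(self, edr: FakeEdr, approve: Callable[[Case], bool], safe_mode: bool = False):
        self.edr = edr
        self.approve = approve      # human-in-the-loop decision point
        self.safe_mode = safe_mode  # propose actions without executing them
        self.open_cases: List[Case] = []

    def enrich(self, case: Case) -> None:
        malicious = THREAT_INTEL.get(case.alert.src_ip, False)
        asset = CMDB.get(case.alert.host, {"owner": "unknown", "criticality": "unknown"})
        case.enrichment = {"malicious": malicious, "asset": asset}
        case.log(f"enriched: malicious={malicious} criticality={asset['criticality']}")

    def prioritize(self, case: Case) -> None:
        # Priority from business impact (asset criticality) plus intel, not SIEM severity alone.
        malicious = case.enrichment["malicious"]
        critical = case.enrichment["asset"]["criticality"] == "critical"
        case.priority = "P1" if malicious and critical else "P2" if malicious or critical else "P3"
        case.tier = {"P1": "L3", "P2": "L2", "P3": "L1"}[case.priority]
        case.log(f"priority {case.priority}, escalated to {case.tier}")

    def find_similar(self, case: Case) -> Optional[Case]:
        for other in self.open_cases:
            if other.alert.rule == case.alert.rule and other.alert.src_ip == case.alert.src_ip:
                return other
        return None

    def contain(self, case: Case) -> None:
        if case.priority != "P1":
            case.log("no automatic containment at this priority")
            return
        if self.safe_mode:
            case.status = "pending_approval"
            case.log(f"safe mode: would isolate {case.alert.host}, not executed")
            return
        if not self.approve(case):
            case.status = "pending_approval"
            case.log("analyst declined containment")
            return
        self.edr.isolate(case.alert.host)
        case.status = "contained"
        case.log(f"isolated {case.alert.host} via EDR")

    def run(self, alert: Alert) -> Case:
        case = Case(alert)
        self.enrich(case)
        self.prioritize(case)
        similar = self.find_similar(case)
        if similar is not None:  # automate similar incidents: link, do not re-run response
            case.duplicate_of = similar.alert.alert_id
            case.status = "linked"
            case.log(f"linked to open incident {similar.alert.alert_id}")
            similar.log(f"duplicate alert {alert.alert_id} linked")
            return case
        self.contain(case)
        self.open_cases.append(case)
        return case
```

Each case's `activity` list is the per-step record a SOAR tool would show as its activity log; with `safe_mode=True` the same runbook can be tested end to end without touching the EDR.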
SOAR Evaluation Criteria
1 Orchestrator
1.1 Data Ingestion
1.2 Decision Making
1.3 Task Execution
1.4 Human Supervision
1.5 Data Management
1.6 Fault Tolerance
2 Automation Engine
2.1 Scalability
2.2 Extensibility
2.3 Alert Management
2.4 Alert Details
2.5 Alert Correlation
2.6 Issuing Actions
2.7 Action Results
2.8 Activity Log
2.9 Alert Status, Severity & Sensitivity
2.10 Alert Collaboration
3 Case Management
3.1 Case Data Organization
3.2 Adding Data to a Case
3.3 Linking Cases to Alerts
3.4 Mapping to Existing Processes
3.5 Activity Auditing
SOAR Evaluation Criteria (continued)
4 Playbook Management
4.1 Playbook Organization
4.2 Bulk Edits to Playbooks
4.3 Revision Control and Distribution
4.8 Other
5 Automation Editor
5.1 User Interface Elements
5.2 Block-Based Representation of Code
5.3 Inserting Humans into the Decision Process
5.4 Information Exchange of Action Results
5.5 Access to Playbook Source Code
5.6 Simultaneous Visual and Non-Visual Playbook Construction
5.7 Built-In Testing and Debugging and Runtime Logging
5.8 Safe Mode
5.9 Other
6 Integration
6.1 API Based Integration
6.2 Bi-Directional Integration
6.3 Open Stack Integration
6.4 Cloud Integration
6.5 Supports Open Integration Framework
6.6 Wide Out of the Box Integration
6.7 Threat Intel Platform Integration
6.8 Other
SOAR Evaluation Criteria (continued)
7 Reporting
7.1 Customization of Reporting
7.2 Organizational Reporting
7.3 Role-Based Reporting
7.4 Incident Based Reporting
7.5 Compliance Reporting
7.6 Other
8 Data Enrichment
8.1 Supports Data Enrichment Integration
8.2 Capable of Reducing False Positives
8.3 Other
9 Licensing
9.1 Instance Based
9.2 User / Analyst Based
9.3 Both
10 Other Features
10.1 Secured Platform
10.2 Scalable
10.3 Open and Extensible
10.4 Ease-of-use
10.5 Easy Installation and Setup
10.6 Easy Onboarding
10.7 Accelerate the time-to-automate
10.8 Other
Narrowing Down: Challenges & Expectations Vs. Solution
Challenges
• SIEM Generating Huge amount of Alerts
• Incidents Getting Missed
• Lack of Threat Visibility
• Finding Lateral Impact
• Learning from Past
• Finding the RCA
• Skills Shortage
• Incident Based SLA Management
• Incident Closures
• Reporting (Technical; Business Context; Performance Based (MSSP/Internal Team))
Expectations
• Business Context to the Investigation
• Adding BigData Analytics
• Bulletin Boards to the Team
• Case Management
• Automating Runbook
• Threat Visibility & Spread
• Avoid Over Detection & False Positive
• Automate Similar Incidents
• Prioritization Based on Business Impact
• Incident Containment as a First Step
• Surgical Response for Accurate Threat Eradication
• Practicing the Crisis Situation
Solution
• Matured Security Operation Center (SoC)
• Identifying Unknown Threats
• Incident Management
• Incident Automation
• Containment
• Forensic Data for Accurate Eradication
• Practicing Crisis Situation
• Continuous Skills Improvement
• Codification of Runbook for Accuracy
SOAR Reference Architecture
(Diagram; the integration groups it shows, recovered from the slide:)
• Alerts (inputs): SIEM; Ticketing; Email; CRM; Helpdesk; EDR; UBA
• Response Tools: IPS; EDR; WAF; Active Directory; NAC; Memory Dump
• Enrichment: Threat Intel; CMDB; HR Systems; GRC; Compliance; Vulnerability Assessment
• Core: SOAR platform on Big-Data, connected to each group through APIs
Thank You
Contact Details
----------------------------
Amit Modi
+91-99206-60605 / +91-89284-48039
amitmmodi100@gmail.com
https://www.linkedin.com/in/amit-modi-49a03b18/

Contenu connexe

Plus de Priyanka Aash

Plus de Priyanka Aash (20)

Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
Web hacking using Cyber range
Web hacking using Cyber rangeWeb hacking using Cyber range
Web hacking using Cyber range
 
Hacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT FrameworkHacking IoT with EXPLIoT Framework
Hacking IoT with EXPLIoT Framework
 
Telecom Security
Telecom SecurityTelecom Security
Telecom Security
 
Creating New Models To Combat Business Email Compromise
Creating New Models To Combat Business Email CompromiseCreating New Models To Combat Business Email Compromise
Creating New Models To Combat Business Email Compromise
 
Cyberterrorism. Past, Present, Future
Cyberterrorism. Past, Present, FutureCyberterrorism. Past, Present, Future
Cyberterrorism. Past, Present, Future
 
Rethinking Application Security for cloud-native era
Rethinking Application Security for cloud-native eraRethinking Application Security for cloud-native era
Rethinking Application Security for cloud-native era
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Dernier (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 

How to Build Effective SoC

  • 1. Best Of The World In Security Conference Best Of The World In Security 12-13 November 2020 How to Build Effective SoC Amit Modi #CISOplatform #SACON
  • 2. Agenda • What is SoC • Key Functions of SoC • What are The Responsibilities of SOC • SoC Reference Architecture • Visualizing NextGen SoC • SoC Success Pillars • SoC Building Journey • Key Elements of Building SoC • SIEM Evaluation Criteria • SoC Maturity Model • Sample SoC Maturity Plan • Defining & Building the SoC Use Cases • SIEM Use Case Development Template • SoC as Business Enabler • MSSP Vs. On Premise SoC • SoC Implementation Methodology • Incident Management Cycle • Challenges of SIEM • Defining SOAR • Role of SOAR in Incident Management • Advantages of SOAR • Key Elements to Look for in SOAR • SOAR Use Case Development Template • SOAR Evaluation Criteria • Narrow Downing : Challenges & Expectation Vs. Solution • Reference Architecture with SOAR
  • 3. What is SoC • A SOC stands for Security Operations Center, which is a team of cybersecurity personnel dedicated to monitoring and analyzing an organization’s security while responding to potential or current breaches. • The team is responsible for scanning all the security systems in real-time. • This first line of defence works around the clock to protect an organization’s security infrastructure from potential cyber threats.
  • 4. Key Functions of SoC • Real Time Monitoring • Security Incident Detection & Mitigation • Risk Management • Vulnerability Scanning • Security Incident Analysis (Protecting Evidences for Investigation) • Intelligent Analysis & Correlation • Reporting
  • 5. What Are The Responsibilities of SOC • SOCs use strategic methodologies and processes for active surveillance and real-time analysis of an organization’s security infrastructure. The team carries out the following tasks. Task Description Identify assets SOC operations start with gaining a holistic understanding of the tools and technologies at their disposal. The team learns about the hardware and software running on the systems. Their in-depth understanding helps in the early detection of potential cyber threats and existing vulnerabilities. Proactive monitoring A SOC primarily focuses on detecting malicious activities on the network before they can lead to substantial harm. Manage logs, configuration change, and response Thorough management of activity logs help a cyber forensic investigator trace back to the point where something may have gone wrong. Rank alerts as per their severity Whenever a SOC detects a threat or irregularity, it is responsible for ranking the severity of the incident. This data helps in prioritizing the response to the event. Adjust defenses A SOC adjusts its defenses by vulnerability management and increasing its awareness about threats. It helps the team stay vigilant for breaches. Check compliance SOCs can checks if the organization complies with applicable regulations and standards. Notify on security breach Organizations aim for minimal or no network downtime when hit by unexpected security incidents. A SOC alerts the stakeholders as quickly as possible to keep ensure business continuity.
  • 7. Visualizing NextGen SoC – Technologies & Process IT Infrastructure Security Application/DB Security Consulting & IT GRC Security Controls Policy & Audit RISK & Compliance Business Continuity Vulnerability Management Log Management Access & Identity Visibility & Compliance Security Analytics Data Protection & Control IT Change & End Point Monitoring & Management Incident Response Threat Intell. Feeds Forensic Data CaptureThreat Detection App Sec CMDB Software Asset Management
  • 9. SoC Building Journey • Identification of various teams and types of devices • Identification and categorization of Logs – Critical , Major , Minor , Informational • Integration procedures for all types of device and awareness to the departments • Dashboard Customization as per Requirement • SOC Operation Manual (SOPs / Run Books) • BCP document for SOC devices • Back-up Procedure • Incident Management Policy and Procedure • Scheduled Reports • Trainings
  • 10. Packet Capture 1) Unique Threat Detection, Forensics & Response lifecycle 2) Real-time forensics 3) Proactive hunting. 4) Detect Unknown 5) Visualize Attack on End Points. 6) Automatic Event Prioritization Cyber Security Operations Center Feeding 1. Defining an Asset, Network Based threat Modelled Usecase approach. 2. Seamless & SME level Log Monitoring & Correlation & Analysis 3. Resolution for L1/L2 incidents using Machine Learning 4. Self-Learning capabilities with Actionable Intelligence. IR Process / Tool 1. Automation of the manual Event to Incident trigger 2. Full response activities automation with Forensics linking. 3. Workflows & tasks for Cyber Sec Incident Response. 4. Remediation Advisory & Play Books availability. Threat Intel 1) Contextualisation, Prioritization and Automation of Events. 2) Empowering security operations centers, incident response teams domain specific curated feeds. 3) Feeds ingestion to Logs Events, & Packets. Security Governance Dashboard 1. Security Based OneVue Reporting with GRC View 2. Integrated Governance Model . Investigation & Analytics 1) Intelligence driven big data platform for NBA, UEBA. 2) Zero Day Analytics and pattern data analysis. 3) Providing predictive accurate & proactive assistance for Threat hunting processes. Visualization 1.Attack Tree Depiction. 2.Visualize a meaning full view of data. 3. Linking contexts of Risks ,Threats and Behaviour activities. 4. Interactive Dashboard. Key Elements of Building SoC
SIEM Evaluation Criteria
• Real-time monitoring & alerting
• User activity monitoring
• Use case investigation
• Threat detection / intelligence
• Forensic capability
• Data analysis
• Automated response capabilities
• Long-term event storage
• Scalability
• Integration – business applications, infra devices
• Reporting
SoC Maturity Model
Governance and Management
• Context and Leadership: Information Security Charter; Culture and Awareness; Information Security Organizational Structure
• Evaluation and Direction: Security Risk Management; Security Strategy and Communication; Security Policies
• Compliance, Audit and Review: Security & Engineering Compliance Management; External Security Audit; Management Review of Security; Internal Security Audit & Security Assessments
Operational domains: Prevention, Detection, Response and Recovery, Measurement
Capability areas assessed
• Identity and Access Management; Identity Security
• Data Security; Asset Management; Data Security & Privacy
• Infrastructure Security; Network Security; Endpoint Security; Malicious Code
• Application Security; Vulnerability Management; Red Teaming; Technical Assessments (Infra, App, Web)
• Physical Security; Configuration and Change Management; Vendor Management Security
• Threat Detection; Log and Event Management; Behaviour, Pattern and Anomaly; Reporting
• Security Incident Management; Security eDiscovery, Intelligence & Forensics; Containment & Recovery; Information Security in BCM
• Metrics Program; Continuous Improvement; Change and Support
• HR Security; DevSecOps – Cloud Security; TPS
Sample SoC Maturity Plan
Band M1
• Technology offered: SIEM + VAPT as a Service
• What will be covered: organization's infra (network devices, security devices)
• Expected output: log collection, log correlation, alerts, advisories, 24x7 monitoring (people), VAPT services (assessment & closure guidance)
• Time line of maturity: 1 year
Band M2
• Technology offered: M1 + Advanced SIEM as a Service
• What will be covered: M1 infra + business applications + databases + threat intel feed (TIP)
• Expected output: M1 deliverables, business application use cases, advanced correlation, 24x7 monitoring (people), VAPT services (assessment & closure guidance)
• Time line of maturity: 1 year
Band M3
• Technology offered: M1 + M2 + Analytics + EDR + FIM
• What will be covered: M1 + M2, UEBA, NBA, EDR (servers & endpoints), file integrity monitoring
• Expected output: M1 and M2 deliverables, user & entity behavioural analytics, network behavioural analytics, malware + ransomware protection, 24x7 monitoring (people), file integrity monitoring, VAPT services (assessment & closure guidance)
• Time line of maturity: 1 year
Band M4
• Technology offered: M1 + M2 + M3 + Incident Response + Process
• What will be covered: M1 + M2 + M3, incident response, incident management, process
• Expected output: M1 to M3 deliverables, incident response, incident management, SoC processes
• Time line of maturity: 1 year
Band M5
• Technology offered: M1 + M2 + M3 + M4 + Automation
• What will be covered: M1 + M2 + M3 + M4, tool automation, process automation
• Expected output: M1 to M4 deliverables, tool automation, process automation
• Time line of maturity: 1 year
Define & Build the SoC Use Cases
1. Objective – problem statement
2. Threat / Protect / Monitor (what the use case is for)
3. Stakeholders
4. Data required
5. Logic
6. Testing with sample data
7. Priority
8. Output (rule / alert)
9. Evaluate & refine
SIEM Use Case Development Template
• Aim
• Fundamentals of the use case
• Log sources
• Log parameters
• Correlation rule
• Threshold
• Outcome
• Benefit
SoC as a Business Enabler
• A SoC can be a "business enabler" by picking up the logs from business applications, databases etc.
• Build the use case based on the problem statement of the business owners.
• Define the expected output.
• Pick the data sources and fields from those applications and databases.
• Put in the logic, based on the expected output, against the problem statement.
• Define the action, priority & output, then test it further.
• Keep refining the use case on a regular basis.
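A worked instance of the use-case template and the build steps above, as an added example that is not part of the deck: a correlation rule implemented in Python and run over constructed sshd-style auth lines. The hostnames, the addresses (TEST-NET ranges), the threshold of five failures in 300 seconds and the asset-criticality table are all assumptions made for illustration; the asset table stands in for the CMDB lookup that gives the alert its business context.

```python
"""Added example (not part of the slides): a SIEM correlation rule written
with the fields of the use-case template above.

Aim            : catch a brute-force login that ends in a successful login
Log sources    : constructed sshd-style auth lines in SAMPLE_LOGS (not real data)
Log parameters : timestamp, host, outcome, user, src_ip
Correlation    : >= FAIL_THRESHOLD failures from one src_ip inside WINDOW_SECONDS,
                 followed by an "Accepted" from the same src_ip
Threshold      : 5 failures in 300 s (assumed)
Outcome        : alert record whose priority comes from asset criticality
                 (the business context the slides ask for)
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAIL_THRESHOLD = 5
WINDOW_SECONDS = 300

# Constructed asset context standing in for a CMDB lookup; hostnames are invented.
ASSET_CRITICALITY = {"pay-db01": "high", "dev-box03": "low"}

# Matches the subset of sshd messages the rule needs; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse(line):
    """Return the fields the rule needs, or None for lines that are not auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])  # ISO 8601 with explicit UTC offset
    return ev


def correlate(lines):
    """Sliding-window correlation per source IP; returns the list of alerts raised."""
    failures = defaultdict(deque)  # src_ip -> timestamps of failures inside the window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        window = failures[ev["ip"]]
        # Expire failures older than WINDOW_SECONDS relative to the current event.
        while window and (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if ev["outcome"] == "Failed":
            window.append(ev["ts"])
            continue
        # "Accepted": fire only if the threshold was reached inside the window.
        if len(window) >= FAIL_THRESHOLD:
            criticality = ASSET_CRITICALITY.get(ev["host"], "medium")
            alerts.append({
                "rule": "BruteForce-Then-Success",
                "src_ip": ev["ip"],
                "host": ev["host"],
                "user": ev["user"],
                "failures_in_window": len(window),
                "priority": {"high": "P1", "medium": "P2"}.get(criticality, "P3"),
                "ts": ev["ts"].isoformat(),
            })
            window.clear()  # one alert per burst, not one per later success
    return alerts


# Constructed sample data: six failures then a success from 203.0.113.5 against a
# high-criticality host, plus two benign failures before a success elsewhere.
SAMPLE_LOGS = [
    "2020-11-12T10:00:01+00:00 pay-db01 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "2020-11-12T10:00:09+00:00 pay-db01 sshd[4022]: Failed password for root from 203.0.113.5 port 40124 ssh2",
    "2020-11-12T10:00:17+00:00 pay-db01 sshd[4023]: Failed password for root from 203.0.113.5 port 40126 ssh2",
    "2020-11-12T10:00:25+00:00 pay-db01 sshd[4024]: Failed password for dbadmin from 203.0.113.5 port 40128 ssh2",
    "2020-11-12T10:00:33+00:00 pay-db01 sshd[4025]: Failed password for dbadmin from 203.0.113.5 port 40130 ssh2",
    "2020-11-12T10:00:41+00:00 pay-db01 CRON[4100]: (root) CMD (run-parts /etc/cron.hourly)",
    "2020-11-12T10:00:49+00:00 pay-db01 sshd[4026]: Failed password for dbadmin from 203.0.113.5 port 40132 ssh2",
    "2020-11-12T10:01:02+00:00 pay-db01 sshd[4027]: Accepted password for dbadmin from 203.0.113.5 port 40134 ssh2",
    "2020-11-12T10:02:10+00:00 dev-box03 sshd[5110]: Failed password for alice from 198.51.100.7 port 51000 ssh2",
    "2020-11-12T10:02:20+00:00 dev-box03 sshd[5111]: Failed password for alice from 198.51.100.7 port 51002 ssh2",
    "2020-11-12T10:02:31+00:00 dev-box03 sshd[5112]: Accepted password for alice from 198.51.100.7 port 51004 ssh2",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The "evaluate & refine" step of the slide is where the two constants earn their keep: a threshold that is too low turns every mistyped password into a P1, while a window that is too short lets a slow spray through, so both should be tuned against the sample data of the business owner before the rule goes to production.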
MSSP Vs. On Premise SoC
SoC Implementation Methodology
1. Strategy and Roadmap
• Maturity assessment across governance, operation, technology, integration and processes
• Strategy development from current state to future state
• Roadmap with milestones and financial budgeting
2. SIEM & Current Tech Optimization
• Use case fine tuning and framework
• New use case creation
• Response run book
• Log source integration
• Reporting and visualization
3. SOC Governance
• SOC organization
• Roles and responsibilities, and RACI
• Performance indicators and management
• Skill analysis and metrics
• Training
• Roster management
4. SOC Processes and Workflows
• Incident management – monitoring, validation, analysis, triage, escalation, response and resolution
• Problem management
• Forensics process
• Device on-boarding
5. SOC Reporting and Analytics
• SOC advanced reporting
• Visualization
• Analytical reporting and dashboards
6. Cyber Defense and Security Operations
• L1 – monitoring and validation; L2 – triage and escalation; L3 – response and coordination
• Security integration: vulnerability mgmt, asset management, identity mgmt, data security, incident/ticketing tool
• Security analytics & incident reporting
• SIEM architecture
• SOC engineering: rule dev/tuning, tool integration, device mgmt
• SIRT: incident handling, forensic handling
• Security 2.0 operations: incident monitoring, IOC management, SIEM rules and use cases, response playbooks, threat hunting, simulations and stress tests
Incident Management Cycle
The Cybersecurity Logical Operating Model is comprised of three core intelligence-driven functions: Prepare, Predict & Detect, and Respond & Recover. Its building blocks:
• Cybersecurity Governance
• 1.0 Threat Intelligence: threat modeling, threat analysis, intelligence exchange, intelligence gathering
• 2.0 Vulnerability Management: vulnerability identification, remediation tracking, vulnerability prioritization and reporting
• 3.0 Cyber Operational Advanced SOC: security monitoring, event triage, prioritization and reporting, compliance monitoring, log management
• 4.0 Advanced Security & Analytics: operational normalization, data quality management, data collection and enrichment, algorithmic data modeling, data visualization
• 5.0 Security Incident Management: identification and triage, forensic analysis, communication, response, recovery
• 6.0 Active Defense: containment, reverse engineering, track down, deception, automation, continuous improvement
• 7.0 Supporting Capabilities: IT governance, IT service management, enterprise risk management, asset management, analytics, security service performance management
Challenges with SIEM
Challenges
• SIEM generating a huge amount of alerts
• Incidents getting missed
• Lack of threat visibility
• Finding lateral impact
• Learning from the past
• Finding the RCA
• Skills shortage
• Incident-based SLA management
• Incident closures
• Reporting – technical, business context, performance-based expectations
Expectations
• Business context in the investigation
• Adding big data analytics
• Bulletin boards for the team
• Case management
• Automating run books
• Threat visibility & spread
• Avoid over-detection & false positives
• Automate similar incidents
• Prioritization based on business impact
• Incident containment as a first step
• Surgical response for accurate threat eradication
• Practicing the crisis situation
Defining SOAR
SOAR is a term coined by Gartner; it stands for Security Orchestration, Automation and Response. The term describes the merging of three distinct and interconnected solutions:
• Security Automation & Orchestration (SAO)
• Threat Intelligence Platforms (TIP)
• Security Incident Response Platform (SIRP)
Many of the characteristics that describe SOAR are unique to this technology, which is why SOAR is growing in demand in the modern cyber security industry. SOAR helps SecOps and CSIRT teams in many ways, most notably in the three areas above.
Role of SOAR in Incident Management
• Improving the efficiency of security operations by automating workflow processes
• Improving the detection of false positives through incident enrichment
• Centralizing operations in a single panel
• Seamlessly integrating different cyber security tools to simplify workflow processes
• Automating tasks without the need for human intervention wherever needed
• Auto-alignment to the various compliance requirements
• Help in accurate threat hunting
• Faster response (containment & eradication)
Advantages of SOAR
• Improve the reaction time to threats (turnaround time, TAT)
• Reduce the number of false positives
• Calculate risk for each incident (risk assessment)
• Perform evidence management
• Free analysts from handling low-risk, repetitive tasks
• Fully document threat analysis
• Measure success by following the important KPIs
• Leverage the open-integration framework to align with various tools and technologies
• Improve the efficiency of security operations by automating workflow processes
• Improve the detection of false positives
• Centralize operations in a single panel
• Seamlessly integrate different cyber security tools to simplify workflow processes
• Automate low-risk tasks without the need for human intervention
Key Elements to Look for in SOAR
• Case management
• Automation
• Multi-tenancy
• Community support
• Additional features
• Pricing
• RBAC
• Automated queue management
• Scalability
• Reports and dashboard
• Vault integration
• Machine learning
• Other
SOAR Use Case Development Template
• Goals
• Integration
• Creating the run book (workflow)
• Enrichment
• Escalation
• Containment
• Response
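The template above, carried through as a run book written in code. This is an added example and not code from the deck or from any SOAR product: every integration (threat intel, CMDB, vulnerability feed, firewall, EDR, ticketing) is a constructed stub, the hosts and addresses are invented, and the risk weights and the 30-point auto-close line are assumptions chosen for illustration. It demonstrates two things the slides ask for: containment as the first step, and a human gate before a disruptive action on a high-criticality asset, plus a safe mode that records what a new playbook would do without doing it.

```python
"""Added example (not part of the slides): a SOAR run book as code, following
the template above: goal -> integrations -> workflow -> enrichment
-> escalation -> containment -> response. All integrations are constructed
stubs; nothing here calls a real TI platform, CMDB, scanner, firewall or EDR.

Goal: handle a "brute force then successful login" alert from the SIEM with
      containment first, a human gate before disruptive actions, and an
      activity log a case manager can audit.
"""
from dataclasses import dataclass, field

# Constructed enrichment data (invented hosts; addresses from TEST-NET ranges).
THREAT_INTEL = {"203.0.113.5": {"verdict": "malicious", "confidence": 90}}
CMDB = {
    "pay-db01": {"criticality": "high", "owner": "payments-team"},
    "dev-box03": {"criticality": "low", "owner": "dev-team"},
}
OPEN_VULN_COUNT = {"pay-db01": 3}  # stands in for a vulnerability-assessment feed


@dataclass
class Case:
    alert: dict
    enrichment: dict = field(default_factory=dict)
    risk: int = 0
    status: str = "new"
    activity: list = field(default_factory=list)  # (action, target, mode) audit trail


class Runbook:
    """safe_mode records actions without executing them (a dry run for new playbooks);
    approver(case, action) -> bool is the human-in-the-loop gate (assumed interface)."""

    def __init__(self, safe_mode=False, approver=None):
        self.safe_mode = safe_mode
        self.approver = approver or (lambda case, action: False)

    def _act(self, case, action, target):
        # In a real deployment this is the bi-directional API call to the tool;
        # here it only appends to the audit trail.
        mode = "planned" if self.safe_mode else "executed"
        case.activity.append((action, target, mode))

    def enrich(self, case):
        ip, host = case.alert["src_ip"], case.alert["host"]
        case.enrichment = {
            "ti": THREAT_INTEL.get(ip, {"verdict": "unknown", "confidence": 0}),
            "asset": CMDB.get(host, {"criticality": "unknown", "owner": None}),
            "open_vulns": OPEN_VULN_COUNT.get(host, 0),
        }

    def score(self, case):
        # Simple additive risk (assumed weights): TI verdict + asset criticality + exposure.
        ti, asset = case.enrichment["ti"], case.enrichment["asset"]
        risk = {"malicious": 50, "suspicious": 25}.get(ti["verdict"], 0)
        risk += {"high": 30, "medium": 15}.get(asset["criticality"], 0)
        risk += min(case.enrichment["open_vulns"], 4) * 5
        case.risk = risk
        return risk

    def run(self, alert):
        case = Case(alert)
        self.enrich(case)
        self.score(case)
        if case.risk < 30:
            # Unknown source against a low-value asset: close automatically so
            # analysts do not spend time on probable false positives.
            case.status = "closed-low-risk"
            self._act(case, "ticket.close", "auto")
            return case
        # Containment as the first step: blocking one external IP is low-impact.
        self._act(case, "firewall.block_ip", alert["src_ip"])
        owner = case.enrichment["asset"]["owner"]
        if case.enrichment["asset"]["criticality"] == "high" and not self.approver(
            case, "edr.isolate_host"
        ):
            # Isolating a production host can stop the business: escalate to L2
            # and the asset owner, and wait for a human decision.
            case.status = "pending-approval"
            self._act(case, "ticket.escalate", owner)
            return case
        self._act(case, "edr.isolate_host", alert["host"])
        case.status = "contained"
        return case


if __name__ == "__main__":
    alert = {"rule": "BruteForce-Then-Success", "src_ip": "203.0.113.5", "host": "pay-db01"}
    print(Runbook(approver=lambda case, action: False).run(alert))
```

The activity list is the piece a SOAR evaluation should look at most closely: it is what makes a closed case auditable, and with safe mode on it is also the output you review before letting a new playbook act on its own.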
SOAR Evaluation Criteria
1 Orchestrator
• 1.1 Data ingestion
• 1.2 Decision making
• 1.3 Task execution
• 1.4 Human supervision
• 1.5 Data management
• 1.6 Fault tolerance
2 Automation Engine
• 2.1 Scalability
• 2.2 Extensibility
• 2.3 Alert management
• 2.4 Alert details
• 2.5 Alert correlation
• 2.6 Issuing actions
• 2.7 Action results
• 2.8 Activity log
• 2.9 Alert status, severity & sensitivity
• 2.10 Alert collaboration
3 Case Management
• 3.1 Case data organization
• 3.2 Adding data to a case
• 3.3 Linking cases to alerts
• 3.4 Mapping to existing processes
• 3.5 Activity auditing
4 Playbook Management
• 4.1 Playbook organization
• 4.2 Bulk edits to playbooks
• 4.3 Revision control and distribution
• 4.8 Other
5 Automation Editor
• 5.1 User interface elements
• 5.2 Block-based representation of code
• 5.3 Inserting humans into the decision process
• 5.4 Information exchange of action results
• 5.5 Access to playbook source code
• 5.6 Simultaneous visual and non-visual playbook construction
• 5.7 Built-in testing, debugging and runtime logging
• 5.8 Safe mode
• 5.9 Other
6 Integration
• 6.1 API-based integration
• 6.2 Bi-directional integration
• 6.3 OpenStack integration
• 6.4 Cloud integration
• 6.5 Supports an open integration framework
• 6.6 Wide out-of-the-box integration
• 6.7 Threat intel platform integration
• 6.8 Other
7 Reporting
• 7.1 Customization of reporting
• 7.2 Organizational reporting
• 7.3 Role-based reporting
• 7.4 Incident-based reporting
• 7.5 Compliance reporting
• 7.6 Other
8 Data Enrichment
• 8.1 Supports data enrichment integration
• 8.2 Capable of reducing false positives
• 8.3 Other
9 Licensing
• 9.1 Instance-based
• 9.2 User / analyst-based
• 9.3 Both
10 Other Features
• 10.1 Secured platform
• 10.2 Scalable
• 10.3 Open and extensible
• 10.4 Ease of use
• 10.5 Easy installation and setup
• 10.6 Easy onboarding
• 10.7 Accelerates the time-to-automate
• 10.8 Other
Narrowing Down: Challenges & Expectations Vs. Solution
Challenges
• SIEM generating a huge amount of alerts
• Incidents getting missed
• Lack of threat visibility
• Finding lateral impact
• Learning from the past
• Finding the RCA
• Skills shortage
• Incident-based SLA management
• Incident closures
• Reporting – technical, business context, performance-based (MSSP/internal team)
Expectations
• Business context in the investigation
• Adding big data analytics
• Bulletin boards for the team
• Case management
• Automating run books
• Threat visibility & spread
• Avoid over-detection & false positives
• Automate similar incidents
• Prioritization based on business impact
• Incident containment as a first step
• Surgical response for accurate threat eradication
• Practicing the crisis situation
Solution
• Matured Security Operation Center (SoC)
• Identifying unknown threats
• Incident management
• Incident automation
• Containment
• Forensic data for accurate eradication
• Practicing crisis situations
• Continuous skills improvement
• Codification of run books for accuracy
SOAR Reference Architecture
• Alert sources (into SOAR via APIs): SIEM, ticketing, email, CRM, helpdesk, EDR, UBA
• SOAR platform with a big-data back end
• Enrichment sources: threat intel, CMDB, HR systems, GRC / compliance, vulnerability assessment
• Response tools (driven from SOAR via APIs): IPS, EDR, WAF, Active Directory, NAC, memory dump
Thank You
Contact details: Amit Modi, +91-99206-60605 / +91-89284-48039, amitmmodi100@gmail.com, https://www.linkedin.com/in/amit-modi-49a03b18/