The Security Operations Hierarchy of Needs Business challenge Reduce the burden on manpower by automating detection, data collection and clean-up Automated Response Investigation Detection Visibility Audit key events, understand the impact of attacks, and the TTPs of attackers, and drive clean-up efforts Understand when attacks are happening, and see what resources are compromised Facilitate many security and operational use cases, while avoiding stability and performance risks Discovery Determine current risk posture by understanding the true infrastructure landscape For each of the four SOC-less Hierarchy areas, we are interesting in learning: ● Why each stage of the hierarchy is important, what the challenges are at each stage, and the technologies and approaches needed to make it happen (including what people are using today)? DISCOVERY - Under now - add fragmented - if security pros know they are lucky - might be other tools in infra/ops that re doing discovery that may/may not be covering cloud (BYOD), fragmented or nothing, developers may be just telling them “this is what we have this is where it is” and developers do what they want Is it getting better bc of AWS, inventory, etc. That’s on I&O side, we’re paying for these instances, but doesn't tell them if they are running containers, falls back to fragmented view, what do we really know and who knows it Paying so could buddy up w I&O, if using instances as code, know what is substantiated, know, but need I&O folks HUGE issue - it’s a blind spot We don’t ask if pleasantly surprised by assets - don't have data on it VISIBILITY - what are containers and what are they doing, visibility layer, what is going on on a system and not just what we do but could be operational, cpu memory utilization as well, function lacking bc it’s been an network appliance, need it closer to the endpoint If they are saying they have SDLC and say they can handle zero day they are totally lying Most this comes from if they’ve done next gen firewalls, they’ve implemented IAM, both are extremely high level and know who is coming in and out but not what is happening on the system, could catch large number of files in and out but can’t see if someone is doing something they shouldn't/is this process normal/expected World of containers is a little better (twistlock/aqua/stackrox) will monitor and learn, piece together from the outside in, here’s what we think is happening, here is what we think is normal, etc. Do you have tools that are watching/modeling behavior (most don't) and be super careful about the training data Not just a technology problem, don’t have the people behind it either Has to be done w/ technology, no bodies you can rely on Need to see what is happening, what is normal, but have to watch out for training data Learning what normal looks like in a world where you're pushing code to production every day or so, adds to the alert fatigue problem Visibility sets the stage for detection - camera example - enhance enhance enhance DETECTION - reactionary at this point, piecing together from different sources, if you’re lucky people have access to syslog, dump into analytics or SIEM, tie them together to understand if there is a problem or not Not only is there alert fatigue bc everything looks terrible, so much to sort through and figure out what it means On integration and continuous delivery side of the house, integration creating dictionaries where they are saying “this field means this” Need architecture for the industry - if i create an integration - this is what this means and why, dumping my log on you means nothing What we mean when we say XYZ, industry wide, better defined, better analytics to say “when I see these three pieces that is an attack”