The Security Operations Hierarchy of Needs
Business challenge: Reduce the burden on manpower by automating detection, data collection and clean-up.

The hierarchy, from top to bottom:
● Automated Response
● Investigation - Audit key events, understand the impact of attacks and the TTPs of attackers, and drive clean-up efforts
● Detection - Understand when attacks are happening, and see what resources are compromised
● Visibility - Facilitate many security and operational use cases, while avoiding stability and performance risks
● Discovery - Determine current risk posture by understanding the true infrastructure landscape

For each of the four SOC-less Hierarchy areas, we are interested in learning:
● Why each stage of the hierarchy is important, what the challenges are at each stage, and the technologies and approaches needed to make it happen (including what people are using today).

DISCOVERY - Today it is fragmented at best: if security pros know what they have, they are lucky. There may be other tools in infra/ops that are doing discovery, which may or may not cover cloud (or BYOD); otherwise it is fragmented or nothing. Developers may simply tell security "this is what we have, this is where it is", and developers do what they want. Is it getting better because of AWS, inventory, etc.?
That sits on the I&O (infrastructure and operations) side: we are paying for these instances, but the bill does not tell us whether they are running containers, so we fall back to a fragmented view. What do we really know, and who knows it? Since security is paying, it could buddy up with I&O; if instances are defined as code, you know what has been instantiated, but you still need the I&O folks. HUGE issue - it is a blind spot. We do not ask whether people are pleasantly surprised by the assets they find; there is no data on it.

VISIBILITY - What are the containers and what are they doing? The visibility layer is what is going on on a system, not just what we do to it; it could also be operational data such as CPU and memory utilization. This function has been lacking because it has lived in a network appliance; it needs to be closer to the endpoint. If they say they have an SDLC and claim they can handle a zero day, they are totally lying. Most of what exists comes from next-gen firewalls and IAM implementations. Both are extremely high level: they know who is coming in and out but not what is happening on the system. They could catch a large number of files moving in and out, but cannot see whether someone is doing something they shouldn't, or whether a process is normal/expected. The world of containers is a little better (Twistlock/Aqua/StackRox): these tools monitor and learn, piecing things together from the outside in - "here is what we think is happening, here is what we think is normal", etc.
Do you have tools that are watching/modeling behavior? Most don't, and be super careful about the training data. This is not just a technology problem; we don't have the people behind it either. It has to be done with technology; there are no bodies you can rely on. We need to see what is happening and what is normal, but have to watch out for training data. Learning what normal looks like in a world where you are pushing code to production every day or so adds to the alert fatigue problem. Visibility sets the stage for detection - camera example - enhance, enhance, enhance.

DETECTION - Reactionary at this point, piecing things together from different sources. If you are lucky, people have access to syslog, dump it into analytics or a SIEM, and tie the sources together to understand whether there is a problem or not. Not only is there alert fatigue because everything looks terrible, there is so much to sort through and figure out what it means. On the integration and continuous delivery side of the house, integrations are creating dictionaries that say "this field means this". The industry needs an architecture: if I create an integration, this is what it means and why; dumping my log on you means nothing. What we mean when we say XYZ should be defined industry wide, so that better analytics can say "when I see these three pieces, that is an attack".