socs for the rest of us

SOCs for the Rest of Us

By Dave Herrald

And Ryan Kovar

Disclaimer

2

During the course of this presentation, we may make forward looking statements regarding

future events or the expected performance of the company. I often lie. Maybe this is a lie.

Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes

The wøndërful telephøne system And mäni interesting furry animals The characters and

incidents portrayed and the names used in this Presentation are fictitious and any similarity

to the names, characters, or history of any person is entirely accidental and unintentional.

Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus...

No realli! He was Karving his initials on the møøse with the sharpened end of an

interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and

star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of

Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our

roadmap outlines our general product direction and is subject to change at any time

without notice. Splunk undertakës no øbligation either to develøp the features or

functionality described or to include any such feature or functionality in a future release.

> Dave Herrald @daveherrald

- Senior Security Architect- 20+ years in IT and security

-Information security officer, security architect, pen tester, consultant, SE, system/network engineer

- GIAC GSE #79, former SANS Mentor

# whoami

• 17 years of cyber security experience

• Worked in US/UK Public Sector and DOD most recently in nation state hunting roles

• Enjoys clicking too fast, long walks in the woods, and data visualization

• Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research

• Currently interested in automating methods to triage data collection for IR analyst review.

• Also investigating why printers are so insubordinate ಠ_ಠ

4

Staff Security Strategist

Minster of the OODAloopers

@meansec

# whoamiRyan Kovar: CISSP, MSc(Dist)

Agenda•Our Experiences•Hypotheses•Who we interviewed•Synthesize•Things to take home• Conclusions

What we do @Splunk

Architect Strategist

This That

Where we go

Who we see

Who we see

We’ve seen it all

I’ve got Bro, Splunk, FireEye. I do OSINT, collect ALL the Logs, and even drink beer

at work.

We don’t need a SOC. We have a guy named Dave. He is

friends with the boss and is great at

computers

Sure I’m secure. I have a Firewall!

• Orgs have moved past Tiers• Traditional “Tier 1” jobs are

replaced by automation• Best SOCs have Data

Scientists• No one has a good incident

recording tool• SOCs align to Kill Chain

model

• Orgs have moved past Tiers• Traditional “Tier 1” jobs are

replaced by automation• Best SOCs have Data

Scientists• No one has a good incident

recording tool• SOCs align to Kill Chain

model

• Orgs have moved past Tiers• Traditional “Tier 1” jobs are

replaced by automation• Best SOCs have Data

Scientists• No one has a good incident

recording tool• SOCs align to Kill Chain

model

• Orgs have moved past Tiers• Traditional “Tier 1” jobs are

replaced by automation• Best SOCs have Data

Scientists• No one has a good incident

recording tool• SOCs align to Kill Chain

model

• Orgs have moved past Tiers• Traditional “Tier 1” jobs are

replaced by automation• Best SOCs have Data

Scientists• No one has a good incident

recording tool• SOCs have similar people

and toolsets

What we asked

We are here to share the best with you

People are more important than tools

>

Trail of Tiers

The ability to write code was the most valuable technical skill

Degree typesdidn’t

matter

Learn to communicating clearly both written and gooder speaking

VS

Curiosity is the most important SOC analyst trait

Findings

• Orgs have moved past Tiers• Traditional “Tier 1” jobs are

replaced by automation• Best SOCs have Data

Scientists• No one has a good incident

recording tool• SOCs have similar people

and toolsets

REVIEW

Orgs have moved past Tiers

REVIEW

Traditional “Tier 1” jobs are replaced by automation

REVIEW

Best SOCs have Data Scientists

REVIEW

No one has a good incident recording tool

REVIEW

SOCs have similar people and toolsets

REVIEW

Takeaways

• Lorem

• Ipsum

• And

• Moresum

• ( Blogpost/whitepaper coming soon)

Dave Herrald

dherrald@splunk.com

@daveherrald

Ryan Kovar

rkovar@splunk.com

@meansec

http://blogs.splunk.com/author/rkovar

Contact info