
Combined SOC Webinar Q&A: From EDR to ITDR and ASO … and ChatGPT

In recent weeks, I did two fun webinars related to Security Operations, and there was a lot of fun Q&A. The questions below are sometimes slightly edited for clarity, typos, etc.

For extra fun, I had ChatGPT answer some of them, to see if it can replace me 🙂

So, first, ISACA webinar “Modernize Your SOC for the Future” focused on our Autonomic Security Operations vision.

Q: If not called SOC, would you like to share what you have named the team? [this question is related to the fact that at Google, there is no team called “SOC”]

A: The discussion about naming the security operation center comes from the longer debate about whether SOC includes just the analysts watching the screens or the infrastructure and processes for producing the alerts, threat research, detection creation, etc. As a result, some organizations assume that SOC stands only for a team content watching the screens and they do not want to call their combined/integrated team the same name.

The names I encountered are just detection and response team, D&R team, etc with some name choices unique to Google. Please don’t say “XDR team”, if at all possible 🙂

Q: The “modern SOC” looks great on paper, but it’s harder to find analysts who have necessary skills to focus on threats when you have to deal with attrition. What can you propose to find skilled people for these roles faster?

A: Indeed, the challenges with using the analysts for creating detection content and pursuing threats imply that they have the skills to study the threats and to create detection content. Some people assume that this problem is solved primarily by hiring, but in our opinion it is solved by motivation, training, retention, and, perhaps last, by hiring.

We are certainly not suggesting you fire your SOC analysts and hire some mythical full-stack security engineers instead (or robots, for that matter). What you do is start to select, train and motivate your analysts to explore outside of passing the alerts around. More details on this are provided in the original ASO paper.

Q: Could you please explain a bit more on the use case library?

A: When we refer to the use case library in the context of SOC, we mean a collection of your rules, playbooks and other detection content, with its associated processes. Think about it, a book library is a collection of content for people to read while a use case library is a collection of use case content for the detection tools to run. Such a library comes with its own processing workflows such as use case creation, tuning and modification, and retirement.

Details of this can be found in the “How to Create and Maintain Security Monitoring Use Cases for Your SIEM” Gartner paper (sorry for the paywall, analysts need to eat).
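As an added illustration (not code from the post, from the ASO paper or from the Gartner paper), here is a small Python model of a use case library with the three workflows the answer names: creation, with a gate that rejects a rule lacking a playbook or an owner; tuning, where rules drowning in false positives go back to their owner; and retirement review, where rules that have been silent for too long are surfaced for a human decision. The field names, stages, sample rules, thresholds and dates are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class Stage(Enum):
    DRAFT = "draft"       # written, not yet deployed to the detection tool
    ACTIVE = "active"     # deployed and producing alerts
    TUNING = "tuning"     # pulled back to its owner because the signal is poor
    RETIRED = "retired"   # withdrawn; the record is kept for audit


@dataclass
class UseCase:
    name: str
    rule: str                      # detection logic as the tool would run it (constructed)
    playbook: str                  # what the analyst does when the rule fires
    owner: str                     # who maintains the rule and its playbook
    stage: Stage = Stage.DRAFT
    last_fired: Optional[date] = None
    fired: int = 0                 # alerts produced while active
    false_positives: int = 0       # alerts closed as benign
    history: list = field(default_factory=list)  # (from, to, reason) audit trail

    @property
    def false_positive_rate(self) -> float:
        return self.false_positives / self.fired if self.fired else 0.0


def lint(uc: UseCase) -> list:
    """Creation gate: a rule with no playbook or owner is not yet a use case."""
    problems = []
    if not uc.rule.strip():
        problems.append("missing detection logic")
    if not uc.playbook.strip():
        problems.append("missing response playbook")
    if not uc.owner.strip():
        problems.append("missing owner")
    return problems


class UseCaseLibrary:
    def __init__(self):
        self.cases = {}

    def _move(self, uc, stage, reason):
        uc.history.append((uc.stage.value, stage.value, reason))
        uc.stage = stage

    def create(self, uc):                      # creation workflow
        problems = lint(uc)
        if problems:
            raise ValueError(f"{uc.name}: " + "; ".join(problems))
        self.cases[uc.name] = uc

    def activate(self, name):
        self._move(self.cases[name], Stage.ACTIVE, "deployed")

    def record_alert(self, name, day, false_positive):
        uc = self.cases[name]
        uc.fired += 1
        uc.last_fired = day
        if false_positive:
            uc.false_positives += 1

    def flag_for_tuning(self, max_fp_rate, min_alerts=10):   # tuning workflow
        """Active rules with enough alerts and too much noise go back to their owner."""
        flagged = []
        for uc in self.cases.values():
            if (uc.stage is Stage.ACTIVE and uc.fired >= min_alerts
                    and uc.false_positive_rate > max_fp_rate):
                self._move(uc, Stage.TUNING, f"fp rate {uc.false_positive_rate:.0%}")
                flagged.append(uc.name)
        return flagged

    def stale_candidates(self, today, max_idle_days):        # retirement review
        """Silent rules are review candidates, not auto-retired: a rare
        high-severity rule may be silent simply because nothing happened."""
        return [uc.name for uc in self.cases.values()
                if uc.stage is Stage.ACTIVE
                and (uc.last_fired is None or (today - uc.last_fired).days > max_idle_days)]


def demo(today=date(2023, 1, 31)):
    """Exercise all three workflows on constructed use cases and alert history."""
    lib = UseCaseLibrary()
    lib.create(UseCase("brute-force-then-success",
                       "count(auth.failure by user) >= 5 within 10m, then auth.success",
                       "Confirm with the user; reset the credential; check the source "
                       "for other accounts", "detection-eng"))
    lib.create(UseCase("admin-tool-on-workstation",
                       "process.name in admin_tools and host.role == workstation",
                       "Check for a change ticket; escalate if none", "detection-eng"))
    lib.create(UseCase("legacy-vpn-login", "auth.success and device == legacy-vpn",
                       "Verify the device still exists", "it-ops"))
    for name in list(lib.cases):
        lib.activate(name)
    for i in range(20):   # 4 of 20 brute-force alerts were benign: acceptable noise
        lib.record_alert("brute-force-then-success", date(2023, 1, 1 + i), i < 4)
    for i in range(12):   # 10 of 12 admin-tool alerts were benign: needs tuning
        lib.record_alert("admin-tool-on-workstation", date(2023, 1, 1 + i), i < 10)
    lib.record_alert("legacy-vpn-login", date(2022, 9, 1), False)   # silent since
    try:
        lib.create(UseCase("draft-without-playbook", "some query", "", "nobody"))
        rejected = False
    except ValueError:
        rejected = True
    return {"tuning": lib.flag_for_tuning(max_fp_rate=0.3),
            "stale": lib.stale_candidates(today, max_idle_days=90),
            "rejected_incomplete": rejected,
            "stages": {n: uc.stage.value for n, uc in lib.cases.items()}}


if __name__ == "__main__":
    print(demo())
```

The point of the model is that every rule carries its playbook and owner from the day it is created, and that the tuning and retirement decisions are driven by recorded alert outcomes rather than by memory; the thresholds (30% false positives, 90 idle days) are placeholders a team would set for itself.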

Q: Please expand Threat Hunting with examples, any risks?

A: I would defer to stuff that others have written and to some of my own writing from the past to define threat hunting. Here I would say that merely searching for indicators may be part of hunting but it isn’t the entire thing, for sure.

To me, the more interesting part of your question is a question about risks of threat hunting. During the webinar, my response focused on the fact that while there are no risks of hunting, there may be associated risks of uncovering something that you don’t know how to deal with. While we can joke all we want about calling for help in this case (“call Mandiant!”), that is absolutely the correct advice in this situation.

See “My “How to Hunt for Security Threats” Paper Published” and see also “Threat Hunting Is Not for Everyone.” And also “Beware: Clown-grade SOCs Still Abound” for advice on when NOT to hunt.

P.S. And if you don’t trust humans, here is the answer from your friendly neighborhood robot, ChatGPT by OpenAI

Q: What are the baselines of SOC /SIEM Implementation? Is there any standard for SIEM/SOC?

A: These are essentially four questions, each fairly complicated. There are definitely industry guidance documents on implementing SIEM (google for it, I don’t have a shortlist of faves somehow), and I have written a fair share of them while at Gartner. However, the differences between organizations drive differences in how they implement SIEM tooling and run their SOC teams. Probably the closest to the standard SOC guidance is the “11 Strategies of a World-Class Cybersecurity Operations Center” book, which has recently been updated.

Beyond that and especially if you cannot access Gartner content, Google is your friend.

Q: Should SOC staff be made up of a multi-lingual team to handle the global diversity of threats?

A: My answer to this question will be determined by whether you treat your threat intelligence team as a part of the SOC. At other places, the threat intelligence team is a peer to the SOC rather than a part of it. If you are planning to stand up a large research team, you probably would need multilingual talent. However, for a more traditional SOC that seems excessive.

See “About The Tri-Team Model of SOC, CIRT, ‘Threat Something’” for details.

Q: Do you believe in interdepartmental training examples from Business Analyst to SOC analyst?

A: I believe that literally any background may lead to somebody being a great security professional, and can perhaps point at examples of each. So, definitely a business analyst can become a SOC analyst.

In other regards, this is a difficult question as a lot would depend on the person. Sure, some of the best security analysts in particular and security professionals in general come from all sorts of backgrounds, including some that are very unusual — like music or physics. However, such a person will definitely have to learn a lot about information security, technology and practice, etc. and cover both technical and non-technical domains of security.

Q: What’s the most common problem encountered when you have SOC managed by a third party vendor?

A: This is something that I’ve mentioned many times in my previous analyst writing. The most common problem between a client and the managed services provider is an expectation mismatch. When clients approach a third party for managed security services and their expectation is that “they would pay money” and “they would get security,” disaster is almost certain. A more healthy model that solves this problem is thinking of your work with such third party as jointly operating (“JointOps” anybody?) your SOC, rather than using the dreaded “O word” — outsourcing.

Let’s see what the AI thinks:

Now, the questions below are from the BlackHat webinar “SOC Modernization: Where Do We Go From Here?”

Q: With agile application development in a large organization — are there tips to better integrate those native cloud apps, pipelines, etc. with the SOC?

A: I have an entire presentation largely on that and while it does not go into all the details, I would point you there. Definitely more work on this is needed, as I see many who struggle with “fast DevOps, meet slow Security” in various forms of this disease.

Q: Do you think that “SOC” includes development resources or is it a more investigatory function or … any recommendation for small and medium sized companies with limited “SOC” resources?

A: This topic comes up a lot and I would say that there are companies that treat their SOC as only the team watching the screens while they have the more engineering components outside of the SOC. Perhaps you can call it a more traditional model.

However, in my opinion, a modern SOC tightly integrates security analysts with people who develop detections. Ultimately, this model evolves more closely to our ASO-style operation where they are the same people.

Q: With the rise of SOAR/XDR/etc. and other tools, do you still see the SIEM as the main engine or operating system of the SOC?

A: This is a fascinating question that has a lot of nuance in response. The short answer is that I still see some log analysis capability (such as SIEM) to be the center of many SOC teams.

However, would I insist on this as before? No, at this point I have seen enough of the EDR-centric SOC teams (for example) that actually use their endpoint tools as a primary console and they treat log analysis as an auxiliary.

I’ve also seen organizations that center their SOC on their SOAR tool which then access data from SIEM or EDR, but ultimately the analysts live inside the SOAR console most of the time.

In the future, this may well be rebalanced. It is very possible that we are at peak EDR and as cloud native services are adopted more widely, the importance of endpoint would again decrease yet the importance of logs — and this likely means SIEM — will increase.

See “Can You Do a SIEM-less SOC?” for more details.

Q: In the cloud and on-premises mixed environment, do you think installing the user behavior analysis agent on the laptop makes sense?

A: In my experience, endpoint-based employee monitoring addresses special use cases that some organizations may have, while many don’t. So I would say that endpoint-based user monitoring tools remain popular at select organizations such as those that place high importance on insider threats. For them, installing the agents for deeper employee monitoring makes sense; for others, I’m not so sure…

Q: Given your comment on EDR-centric SOCs, do you think SOCs should migrate to be more Identity-centric as customers migrate to the cloud / SaaS services?

A: My former colleagues at Gartner just coined the term ITDR, which stands for identity threat detection and response. While we can debate whether a new acronym is needed here, this is not debatable: cloud environments place increased importance on this type of monitoring and detection.

However, a lot of identity-centric monitoring is in fact a very traditional feature of SIEM and UEBA (now part of SIEM) going back almost 20 years.
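As an added example that is not part of the original post, here are two of the traditional SIEM/UEBA identity detections the answer has in mind, written in Python over a handful of constructed authentication events: a burst of failed logins followed by a success for the same account inside a short window, and a successful login from a country never seen for that user during a baseline period. The log field names, thresholds, cutoff date and the sample events are assumptions made for the example; the IP addresses are documentation ranges.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (JSON lines); not real logs.
SAMPLE_LOGS = """
{"ts": "2023-01-10T08:00:00", "user": "alice", "result": "success", "country": "US", "src": "203.0.113.10"}
{"ts": "2023-01-12T08:05:00", "user": "alice", "result": "success", "country": "US", "src": "203.0.113.10"}
{"ts": "2023-01-11T09:00:00", "user": "bob",   "result": "success", "country": "US", "src": "203.0.113.20"}
{"ts": "2023-01-11T09:30:00", "user": "carol", "result": "success", "country": "DE", "src": "198.51.100.5"}
{"ts": "2023-01-25T03:14:00", "user": "alice", "result": "success", "country": "RO", "src": "192.0.2.77"}
{"ts": "2023-01-25T09:00:00", "user": "bob",   "result": "failure", "country": "US", "src": "192.0.2.99"}
{"ts": "2023-01-25T09:01:00", "user": "bob",   "result": "failure", "country": "US", "src": "192.0.2.99"}
{"ts": "2023-01-25T09:02:00", "user": "bob",   "result": "failure", "country": "US", "src": "192.0.2.99"}
{"ts": "2023-01-25T09:03:00", "user": "bob",   "result": "failure", "country": "US", "src": "192.0.2.99"}
{"ts": "2023-01-25T09:04:00", "user": "bob",   "result": "failure", "country": "US", "src": "192.0.2.99"}
{"ts": "2023-01-25T09:05:00", "user": "bob",   "result": "failure", "country": "US", "src": "192.0.2.99"}
{"ts": "2023-01-25T09:06:00", "user": "bob",   "result": "success", "country": "US", "src": "192.0.2.99"}
{"ts": "2023-01-25T10:00:00", "user": "carol", "result": "failure", "country": "DE", "src": "198.51.100.5"}
{"ts": "2023-01-25T10:01:00", "user": "carol", "result": "failure", "country": "DE", "src": "198.51.100.5"}
{"ts": "2023-01-25T10:02:00", "user": "carol", "result": "success", "country": "DE", "src": "198.51.100.5"}
"""


def parse_events(raw):
    """Parse JSON-lines auth events and return them ordered by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def brute_force_success(events, threshold=5, window=timedelta(minutes=10)):
    """Classic SIEM correlation: >= threshold failures for an account within
    `window`, followed by a success for the same account."""
    findings = []
    recent_failures = defaultdict(list)          # user -> timestamps of recent failures
    for ev in events:
        fails = recent_failures[ev["user"]]
        fails[:] = [t for t in fails if ev["ts"] - t <= window]   # expire old failures
        if ev["result"] == "failure":
            fails.append(ev["ts"])
        elif ev["result"] == "success" and len(fails) >= threshold:
            findings.append({"user": ev["user"], "failures": len(fails),
                             "ts": ev["ts"], "src": ev["src"]})
            fails.clear()                          # one finding per burst
    return findings


def new_country_logins(events, cutoff):
    """UEBA-style per-user baseline: countries seen in successful logins before
    `cutoff` are normal; afterwards, the first success from any other country
    is a finding. Users with no baseline at all are skipped (nothing to compare)."""
    baseline = defaultdict(set)
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue
        user, country = ev["user"], ev["country"]
        if ev["ts"] < cutoff:
            baseline[user].add(country)
        elif user in baseline and country not in baseline[user]:
            findings.append({"user": user, "country": country, "ts": ev["ts"], "src": ev["src"]})
            baseline[user].add(country)            # alert once; an analyst would confirm
    return findings


def run_detections(raw=SAMPLE_LOGS, cutoff=datetime(2023, 1, 20)):
    events = parse_events(raw)
    return {"brute_force": brute_force_success(events),
            "new_country": new_country_logins(events, cutoff)}


if __name__ == "__main__":
    for kind, items in run_detections().items():
        for f in items:
            print(kind, f)
```

Both detections need nothing but the authentication log and a per-user memory, which is why they have lived in SIEM and UEBA products for so long; what changes with cloud and SaaS is that the identity provider's log becomes the primary source rather than one feed among many.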

Q: Is the major trend here using a premises-based SOC to monitor/manage more cloud resources, or pushing more SOC functions to the cloud?

A: Well, “Today, You Really Want a SaaS SIEM!” — so I very much believe in most SOC technologies being cloud-backed and cloud-native. As we say in our original ASO paper, deploying such tools as cloud-based SIEM and cloud-based EDR becomes almost the only choice for many organizations. If I have a limited team, I’d rather this team use the tools and deliver security value rather than maintain and manage the tool.

Enjoy!


Combined SOC Webinar Q&A: From EDR to ITDR and ASO … and ChatGPT was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/combined-soc-webinar-q-a-from-edr-to-itdr-and-aso-95ecec02782?source=rss-11065c9e943e------2