Cybersecurity operations (I)
Alfredo Reino
whoami

- Over 25 years doing cybersecurity
- CrowdStrike, Secureworks, Accenture, Verizon, Symantec, Roche…
- Experience in endpoint security, incident response, security architecture, security operations, MSSP/MXDR/MDR
- Teacher at several universities
- https://areino.eu/
The problem

Source: “M-Trends 2018”

Landscape

▪ Attacks more frequent, varied and sophisticated
▪ Regulatory compliance requirements
▪ Multitude of security solutions and technologies
▪ Attack surface becoming “fractal”
▪ Data overload
▪ Prevention fails
▪ Assume compromise, focus on detection and response
▪ Respond to incidents in a timely manner

Source: “DBIR 2022”, Verizon
eCrime Breakout Time: 62 Mins

“32 new tracked adversaries for a total of 232 in 2023”
The goal

▪ Detect: 1 Minute
▪ Investigate: 10 Minutes
▪ Respond: 60 Minutes
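As an added example (not part of the slides), the following Python checks per-incident timings against the 1-10-60 goal above and the eCrime breakout time quoted earlier, and computes mean time per phase across incidents; the incident records are constructed sample data and the field names are assumptions.

```python
from datetime import datetime
from statistics import mean

# Targets from the 1-10-60 goal (minutes) and the quoted eCrime breakout time.
TARGETS_MIN = {"detect": 1, "investigate": 10, "respond": 60}
BREAKOUT_MIN = 62

# Constructed sample records (not real incidents). Each holds ISO timestamps for
# first malicious activity, detection, end of investigation and containment.
INCIDENTS = [
    {"id": "INC-1", "start": "2024-03-01T10:00:00", "detected": "2024-03-01T10:00:45",
     "investigated": "2024-03-01T10:09:00", "responded": "2024-03-01T10:55:00"},
    {"id": "INC-2", "start": "2024-03-02T02:00:00", "detected": "2024-03-02T02:20:00",
     "investigated": "2024-03-02T02:45:00", "responded": "2024-03-02T03:30:00"},
]


def _minutes(start: str, end: str) -> float:
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def phase_durations(inc: dict) -> dict[str, float]:
    """Minutes spent in each of the three phases of one incident."""
    return {
        "detect": _minutes(inc["start"], inc["detected"]),
        "investigate": _minutes(inc["detected"], inc["investigated"]),
        "respond": _minutes(inc["investigated"], inc["responded"]),
    }


def evaluate(inc: dict) -> dict:
    """Phases over target, total elapsed time, and whether containment
    happened within the breakout window measured from first activity."""
    d = phase_durations(inc)
    total = sum(d.values())
    return {
        "id": inc["id"],
        "breaches": [p for p, m in d.items() if m > TARGETS_MIN[p]],
        "total_minutes": total,
        "within_breakout": total <= BREAKOUT_MIN,
    }


def mean_phase_times(incidents: list[dict]) -> dict[str, float]:
    """Mean minutes per phase across incidents (MTTD/MTTR-style SOC metrics)."""
    per_phase = [phase_durations(i) for i in incidents]
    return {p: mean(x[p] for x in per_phase) for p in TARGETS_MIN}
```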
“If you think technology can solve your security
problems, then you don’t understand the problems
and you don’t understand the technology.”
– Bruce Schneier
What is a SOC

Objectives

▪ Prevent incident
▪ Detect incident as soon as possible
▪ Detect incident early in the cyber kill-chain
▪ Initiate effective and informed incident response

In summary:
• Risk reduction
• Cost reduction

Source: https://electrospaces.blogspot.com.es/2014/01/nsas-organizational-designations.html
Source: https://www.itnews.com.au/gallery/photos-csc-launches-sydney-security-operations-centre-387244
SOC mission

▪ Prevent cybersecurity incidents proactively
▪ Monitor, detect and analyse incidents in real time
▪ Respond to confirmed security incidents
▪ Provide situational awareness, analysis, trending and reporting
▪ Engineer and operate security/SOC technologies
Aspects of a SOC

Capabilities of a SOC

▪ Security monitoring
▪ Incident analysis and response
▪ Artefact analysis
▪ Threat intelligence
▪ Analysis and trending
▪ Vulnerability management
▪ Security device management (*)
▪ SOC tooling and engineering
▪ Ruleset engineering

Processes

[Diagram of SOC processes (Source: Accenture). Basic capabilities: Vulnerability Management (Vulnerability Identification, Vulnerability Prioritization and Tracking, Vulnerability Remediation, Reporting, Vulnerability Context); Security Incident Management (Security Monitoring, Log Management, Compliance Monitoring, Focused Monitoring, Operational Monitoring, Alerts, Requests, Triggers, Identification and Triage, Prioritization, Event Triage and Reporting, Forensic Analysis, Response, Recovery, Communication, Threat Intelligence, Vulnerability Context); Threat Intelligence (Threat Events, Threat Incidents, Operationalize Intelligence, Threat Intelligence Modeling, Threat Intelligence Exchange). Extended capabilities: Advanced Security Analytics (Data Collection, Normalization and Enrichment, Algorithmic Modeling, Analytics Modeling, Data Quality Management, Data Visualization); Threat Intelligence (Intelligence Gathering, Threat Analysis, Intelligence Data Gathering); Active Defense (Operational Containment, Automation, Confusion, Disruption).]
Monitoring and incident response

[Diagram. Source: “Ten strategies of a world-class cybersecurity operations center”, MITRE]

team

[Diagram. Source: “Building a World-Class SOC: A Roadmap”, SANS]

People

▪ Tier/Level 1
  ▪ Entry level job or 1-2 years of security experience
  ▪ Technical background, security background
  ▪ Some certification (CompTIA, CISSP, CEH, GCIH, etc.)
    ▪ Either required or to be attained during first year
  ▪ Onboarding training program
▪ Tier/Level 2
  ▪ 2-5 years of experience
  ▪ Incident response experience
  ▪ Typically promoted from Tier 1
  ▪ Advanced certifications (CEH, GCIH, GCFA, etc.)
▪ Tier/Level 3
  ▪ 5-10+ years of experience
  ▪ Advanced skills (threat intel, reverse engineering, malware analysis, forensics, etc.)
People (shifts)

▪ Two main methods
  ▪ Follow-the-sun (need more than 1 SOC)
  ▪ Fully-staffed
▪ Factors to bear in mind
  ▪ Shift duration (8, 10, 12h)
  ▪ Rotation and repeat cycle
  ▪ Average hours per week
  ▪ Overtime, night shifts
  ▪ Number of people per shift
▪ Example shift patterns
  ▪ Metropolitan pattern – 8h shifts, fast forward rotation (2 day, 2 evening, 2 night, 2 days off), repeating every 8 days, requires 4 teams, average 42 h/week
  ▪ Continental pattern – 8h shifts, fast forward rotation, requires 4 teams, average 42 h/week
  ▪ Dupont pattern – 12 hour shift, slow rotation, requires 4 teams, average 72h/week
  ▪ …
Build vs buy

Important factors

▪ SIEM/XDR technology
  ▪ Customization requirements
  ▪ Where are the logs stored
  ▪ Who manages, keeps uptime, patches…
▪ Team
  ▪ Internal, external, hybrid model
  ▪ Skills, training and certifications
▪ Processes
  ◦ Are you currently running the desired processes/capabilities?
  ◦ Current metrics
  ◦ What is your maturity level?
▪ Capabilities required
  ▪ Monitor only (24x7?)
  ▪ Monitor and manage
  ▪ Manage only
  ▪ Vulnerability management
  ▪ Threat Intel
▪ Cost
  ◦ Budget
  ◦ Total Cost of Ownership (TCO)
  ◦ CAPEX vs OPEX
  ◦ Sizing (GB/day, EPS, # devices…)
  ◦ Time constraints
▪ Risk profile
  ▪ High value assets
  ▪ Targeted organization?
MSS vs internal SOC

Total cost of ownership (TCO)

Evaluating SIEMs

MSSPs
Reasons to use an MSSP

▪ Security is not a core competence
▪ Budget constraints
▪ Not able to hire enough skilled staff (budget, culture, etc.)
▪ Security technologies grow in complexity
▪ Relying on specialists to gain better value from existing technology investments
▪ Changes in threat landscape or business strategy
▪ OPEX preferred to CAPEX
▪ Broader outsourcing initiative
▪ Complexity reduction by service provider consolidation
▪ Better threat intelligence
▪ Support to specific compliance requirements
▪ Have someone take care of the “day to day” job while focusing on higher value tasks in house

Source: “How to Work With an MSSP to Improve Security”, Gartner 2016
Types of MSSPs

▪ Strategic Outsourcers
  ▪ Provide full IT outsourcing solutions.
  ▪ MSS is a natural “add on” to wider outsourcing deals.
  ▪ Typically strong in systems monitoring, managed SIEM, endpoint security.
▪ Telecommunication Providers
  ▪ Provide full networking solutions (LAN, WAN, MPLS, internet access)
  ▪ MSS is a natural “add on” to wider networking deals.
  ▪ Typically strong in “clean pipes”, cloud security offerings, DDoS mitigation.
▪ Enterprise MSS Players
  ▪ Software or services companies offering MSS as part of their core portfolios.
▪ Boutique Pure Plays
  ▪ Focus on MSS and maybe a small consulting component.
  ▪ Experts in few core areas but might not scale to a full offering.
MSSP business model

▪ Goal of an MSSP
  ▪ Standardization of processes
  ▪ Standardization of tools
  ▪ Shared platform
  ▪ Shared team
▪ Standard service must be adequate for 80% of the customers.
▪ Customization increases cost.
▪ How to detect an MSSP which is not really an MSSP
Evaluating MSSPs

Engaging with an MSSP

Defining the scope

▪ What MSSPs don’t do well
  ▪ Enterprise/business risk assessment and enterprise IT architecture.
  ▪ Overall security governance and security program design.
  ▪ Patching and remediation, and other IT system management tasks.
▪ Tasks that cannot be completely outsourced
  ▪ Incident response (specifically the oversight, coordination, remediation, assessing business risk of the incident and remediation activities)
▪ Defining the scope
  ▪ Security monitoring
    ▪ Define systems and devices to monitor based on “log value”
    ▪ Obtain preliminary sizing (number of sources, GB/day or EPS)
    ▪ Decide between co-managed SIEM or use the MSSP monitoring capabilities
  ▪ Security management
    ▪ Define systems and devices to manage
  ▪ Vulnerability management
    ▪ Determine type of scanning/assessment
    ▪ Define scope (number of devices, internal/external IPs, etc.)
Assignment