soc-class.com || montance® llc
TRANSCRIPT
SOC-Class.com || Montance® LLC
Copyright 2021 Montance® LLC - All Rights Reserved. All Wrongs Reversed?
Do you Prefer the Status Quo?
Security Stagnation
Patterns over time in breaches (Source: Verizon 2021 Data Breach Investigations Report)
● We see minor variations in what attackers are doing
● Yet we continue to be reactive instead of proactive
Are you wasting your security spend?
● Business impact and costs are increasing
● Cyber spending is booming
  ○ Cyber investment $12B in 2021 so far, up to 20% from 2020 (NYT)
● Cyber is supposed to provide loss prevention
● Does your SOC deliver?
Supercharging the Modern SOC
Supercharging is Required
● Supercharge: (verb) Make faster or more powerful
● Cyber Supercharge:
  ○ Staff
  ○ Capability
  ○ Technology
● Purge complaisance, embrace bold action
● Let’s look at components to supercharge your SOC...
Component 1: Develop IT Operational Excellence
Operational Excellence Aids Security
● Effectively deploy all of the following:
  ○ Operating system and application controls and patching
  ○ System architecture
  ○ Signing & encryption for communication
  ○ Multi-factor authentication
  ○ Application restriction (whitelisting)
  ○ Detection and response technology
Match IT’s Pace
● The lifespan of information systems is about 5 years
  ○ IT systems are the brains of other business systems
  ○ Durable and adaptive IT systems are the objective
● Patch deployment and system replacement
  ○ Known part of the IT investment
● Keep up with the pace of IT development and deployment
  ○ Prepare for the next generation now
Component 2: Align Cyber Operations to Your Business
Optimize What is Ignored
● Validation provides confidence to focus on the right systems and detections
  ○ MITRE ATT&CK defensive coverage
  ○ Track what you’ve encountered
  ○ Use cases focused on business risk
Component 3: Report Useful Metrics
Optimize Collected Data and Analysis
Quantify:
● Loss prevention to show SOC’s value
● Impact based on affected system value
  ○ Prerequisite: system inventory and valuation
  ○ Organizational risk evaluation
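Components 2 and 3 together describe the inputs a SOC needs to decide what to engineer next: ATT&CK coverage, a record of what has actually been encountered, and a valued system inventory. The script below is an added illustration, not material from the slides or from Montance, of how those three inputs combine into a gap list ranked by business exposure and into a simple "protected value" metric. The inventory, detection catalogue and incident history are constructed sample data; the ATT&CK technique IDs are real identifiers used only as labels, and the mapping of detections to techniques is invented for the example. Treating summed asset value of covered encounters as a loss-prevention proxy is an assumption of this example, not a metric the deck defines.

```python
"""Added example: rank ATT&CK coverage gaps by the value of the systems on
which uncovered techniques were actually observed. All data is constructed."""
from collections import defaultdict

# Constructed system inventory with valuation (relative units from the
# organization's own risk evaluation; unknown assets are flagged, not guessed).
ASSET_VALUE = {"erp-db-01": 90, "hr-fileshare": 60, "dev-jumpbox": 30, "kiosk-07": 5}

# Constructed detection catalogue: detection name -> ATT&CK techniques it covers.
DETECTIONS = {
    "office-spawns-shell": {"T1059", "T1566"},
    "new-admin-logon-from-unusual-host": {"T1078"},
}

# Constructed incident history: (technique observed, affected asset).
ENCOUNTERED = [
    ("T1566", "hr-fileshare"),
    ("T1059", "hr-fileshare"),
    ("T1078", "erp-db-01"),
    ("T1021", "erp-db-01"),
    ("T1021", "dev-jumpbox"),
    ("T1486", "erp-db-01"),
    ("T1486", "kiosk-07"),
]


def covered_techniques(detections):
    """Union of every technique at least one detection claims to cover."""
    return set().union(*detections.values()) if detections else set()


def coverage_gaps(encountered, detections, asset_value):
    """Uncovered techniques seen in the environment, ranked by summed value of
    the assets they hit (ties broken by frequency, then by technique ID).
    Assets missing from the inventory score 0 and are reported separately."""
    covered = covered_techniques(detections)
    exposure, count, unknown = defaultdict(int), defaultdict(int), set()
    for technique, asset in encountered:
        if technique in covered:
            continue
        if asset not in asset_value:
            unknown.add(asset)
        exposure[technique] += asset_value.get(asset, 0)
        count[technique] += 1
    ranked = sorted(
        ((t, exposure[t], count[t]) for t in exposure),
        key=lambda row: (-row[1], -row[2], row[0]),
    )
    return ranked, unknown


def coverage_ratio(encountered, detections):
    """Share of distinct encountered techniques that some detection covers."""
    seen = {technique for technique, _ in encountered}
    if not seen:
        return 1.0
    return len(seen & covered_techniques(detections)) / len(seen)


def protected_value(encountered, detections, asset_value):
    """Proxy for loss prevention (an assumption of this example): summed value
    of assets where an encountered technique was one a detection covers."""
    covered = covered_techniques(detections)
    return sum(asset_value.get(a, 0) for t, a in encountered if t in covered)


if __name__ == "__main__":
    gaps, unknown = coverage_gaps(ENCOUNTERED, DETECTIONS, ASSET_VALUE)
    print("coverage of encountered techniques:",
          f"{coverage_ratio(ENCOUNTERED, DETECTIONS):.0%}")
    print("protected value (proxy):",
          protected_value(ENCOUNTERED, DETECTIONS, ASSET_VALUE))
    for technique, exposure, hits in gaps:
        print(f"gap {technique}: exposure={exposure} seen={hits}x")
    if unknown:
        print("assets missing from inventory:", sorted(unknown))
```

With the constructed data, T1021 outranks T1486 even though both were seen twice, because the uncovered T1021 encounters landed on higher-valued systems; that ordering is the "use cases focused on business risk" the slide asks for. The `unknown` set is what feeds the inventory prerequisite: a gap that cannot be valued is an inventory defect to fix before the metric is trusted.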
Component 4: Engineer Relevant Detections
Engineer Relevant Detections
● Gain visibility where needed
● Build environmentally cued detection opportunities
  ○ Behavioral differentiations trained through tracking, machine learning, or speculated
● Utilize threat intelligence
  ○ Historically applied once ingested
  ○ Predictive based on knowledge of attack surface
  ○ Developed internally, then strategically shared to ruin adversary capability
Component 5: Embrace Hunting as a Paradigm
Hunting as a Paradigm
● Build a team hunting framework
● Reward hunting mindset
  ○ We’re compromised, but we can’t yet see it
● Cultivate staff creativity and relentless pursuit of adversaries
Hunting to Supercharge Engineering
● Hunting is “clumsy but swift”
  ○ Use case ideas on where engineering is worth it
  ○ Fills gaps: rapid, responsive, and ad hoc
● It exposes gaps too
  ○ Posture improvements are outcome of hunts
Component 6: Deceive the Adversary
Deception Aids Detection
● Switch suspect systems into observation networks for containment to aid verification
● Post email addresses to lure spam for easier identification
● Hint: “Live off the land” traps listed at LOLBAS-Project
Component 7: Embrace the Cloud
Cloud: 2021 SANS SOC Survey (two chart slides; figures not reproduced in this transcript)
Embrace the Cloud
● Embrace cloud deployments
  ○ Standard, secure baseline deployments
  ○ Ability to quickly change
● Utilize cloud to resolve SOC operations resource, staffing, and technology challenges
● Use cloud native monitoring, response, analysis
  ○ Native response capabilities leveraged
Component 8: Train Superior Analysts
Tools Supporting Analysis
● Enhance visibility through integrated tools
● Application whitelisting for execution restriction
● Automate as your standard practice
● Validate visibility and detection
Encourage Analyst Performance
● Cultivate intelligence and analysis
● Good work practices: mental health, attentiveness, awareness, skepticism, humility, communication
● Analytical methodology producing fast, effective, reproducible, and defendable assessments
Component 9: Unify Your Team
Set Common Objectives
● Continuous self-training and information sharing
● Empowered, caring staff
  ○ Overcome technology shortcomings
  ○ Rise to the level of effective adversaries
● Purple teaming exposes gaps and validates analyst performance
Supercharging Action Items
Action Items
● Key components to supercharge a Modern SOC:
  ○ Develop IT Operational Excellence
  ○ Align Cyber Operations to Your Business
  ○ Report Useful Metrics
  ○ Engineer Relevant Detections
  ○ Embrace Hunting as a Paradigm
  ○ Deceive the Adversary
  ○ Embrace the Cloud
  ○ Train Superior Analysts
  ○ Unify Your Team