Strategy 8: Leverage Tools and Support Analyst Workflow

SANS Institute · Intermediate ·🔐 Cybersecurity ·3y ago

Key Takeaways

The SANS Institute discusses strategy 8 of MITRE's 11 Strategies of a World-Class Cyber Security Operations Center, focusing on leveraging tools and supporting analyst workflow, with tools like SIEM and threat intelligence platforms.

Full Transcript

this is the blueprint podcast bringing you the latest in cyber defense and security operations from top blue team leaders blueprint is brought to you by the Sans Institute and is hosted by Sans senior instructor John hover and now here's your host John hubard hello everyone and welcome back to the blueprint podcast where we hope you build the world's best in cyber defense I'm your host John hubard and again we have our three amazing genius authors with us today cat nurer ingred Parker and Carson Zimmerman authors of miter 11 strategies of a world-class cyber security operations center how are we all feeling tonight we ready to jump into another episode absolutely sure are let's do it fantastic so last time uh we were talking about selecting and collecting the right data and that data's got to go somewhere right we're bringing it into this wealth of tools and that's what we get to talk about tonight uh the chapter8 that we're covering uh in this episode is going to be leverage tool tools to support analyst workflow and I think as I mentioned uh as we closed up that episode uh I have a lot of kind of strong opinions and feelings about tools as well I've I've run into a lot of terrible Tools in my life and struggled through uis that I hated and you know why have they design it like this did they use this product and all that kind of stuff anyone that's had me as a teacher listen to any of the podcasts in the past now I'm always talking about usability and like why is the tool in my way uh stuff like that so I'm really excited to hear what you all have to say about some of these kind of common tools and and any kind of tips you can give us about finding the right tools to get the job done so to kick off to this episode I want to start where we usually start um have all of you been uh victimized by terrible UI design and terrible Tools in your past or what is it that brought this chapter about and and put it into the book I I think we all have um and I'm I'm having visions just as you said that I'm having visions of of terrible Java uis that were conceived 25 years ago and a different time and a different place and and not on Windows and not on Linux and not on Mac OS and and it's all coming flooding back to me I think we've all got complicated feelings about this topic um and you know this has evolved so much and the many years that we've all been doing this obviously um it this chapter is and the content daring is one of the reasons why we felt like we needed to do a second edition like so many of the other strategies in the book um you know there's a couple there's a couple things I think about when I approach this topic um and one of them is you know the data estate for the sock is sprawling we talked about this in the previous strategy right the most good socks that work with in fact some of the best ones um are not in control of most of their data estate so they have to deal with this multitude of where the data is and the different tools to do something about that so um there's a lot of people out there who use single pane of glass and one of the expectations I would challenge straight away is that there is in fact a single tool that does it all rarely I don't think I've ever seen that that to actually be true rather and this what is inspired the title for this chapter is is that we instead have to think about it as a Confluence of tools that require care and feeding over time and that that Confluence needs to come together in a way that makes sense for our workflow so with those kind of functions we have to achieve whether we're calling them one thing or calling them another in your mind like what are some of the core tools that a sock has to have to kind of Wrangle and organize and use their data and respond to incidents so I'll start there um I think a Sim tool is probably the most common of larger sock organizations and a Sim tool or a security you know event management type of thing can bring together different kinds of data sets and you can build correlation rules to be able to sift through a lot of data at once so it's a good tool for bringing things together what other stuff might we need I think there's um it depends on what you're trying to do from workflow perspective but C certainly at this point uh many organizations are talking about automation talking about SAR talking you know uh security orchestration Automation and response figuring out how they um you know enhance what the analyst can do by doing automated types of activities as they go along you might think about thread intelligence platforms which we talked about during strategy six about thread intelligence um you might have separate log storage areas you might be thinking about uh data Lakes data lake houses data warehouses whatever term you want to put on all of that the you're doing right now um you might think about um you know kind of customer repositories you might be thinking we don't mention too much in the book but you might be thinking about tracking systems for uh different types of pieces and you might think about um even then case management and so there's just there's a lot of different pieces that can come together and we break it apart in the book as to like individual items and things that we can talk about in that space But one of the things that we've noticed over time is that there's a lot tools that are trying to converge and bring many of these functions in and so as we talk throughout the the conversation today we're talk about individual elements but it doesn't mean that there's a single tool that only does one thing or that one tool does all of these things and that's where it starts to become really challenging because as you uh work with different vendors or you work with your own kind of Open Source or custom applications figuring out what the boundaries are and how they integrate together is actually a bigger challenge than figuring out one particular tool because there's just so many ways that they can overlap yeah you can yeah uh go ahead Carson I was just gonna say s ingred absolutely elicited one of the biggest challenges I think we've all had is like where does one tool end in the other beginning because everyone's got different stuff that shape different ways and it's like is it a Sim and is an xdr like is it a sore is it case management what's the difference ah roll the dice um what and so that's one of the things we have to be thoughtful about in this spases is when when you say you're selling blank what does it actually do and and when you say you need blank what's the actual functionality that you're looking for you know and and some terms are very loaded and they have lots of emotion like some people have had terrible experiences with insert tool name here and they're going to say I don't need that I need this other thing like they'll say in the olden days they'll say I don't want an intrusion detection system they're worthless I need an ndr well we talked about that the previous chapter but just Illustrated it's like what does an ndr do well it collects data off the network and it produces alerts and it has metadata it's like this sounds very familiar to me so we want to be very thoughtful about saying oh technology X is dead I need technology y that tends to be a lot of marketing in hype yeah yeah and so I was going to break it down a little bit too into there's different kinds of tools depending on the function so analysis is One S type of tool um so anything that helps an analyst do what they do um from anything from scripts to uh being able to look at data in different kinds different perspectives in different ways another tool is for converging data sets and bringing them together um and you know doing rules on them to figure out you know how to look at things so if you break it down and think about things like that um that kind of helps you get your arms around these these different data sets and these different tools that kind of get muddy there's not a real clean way of describing them these days and the third thing would be about sensors or the alerts that we've talked about in the previous chapters so what's collecting things so you have your collection your correlation and your analysis so you could break it down like that so and that really goes to why we we titled the chapter like Leverage tools to support your analyst workflow because it really is figure out your workflow figure out how your team needs to function figure out how you integrate with other parts of your organization or with pure organizations and then find the tooling that's going to support what you want to do to the extent that you can go that route versus being driven by oh we just we bought this tool so now we have to do it this way right um so the way you break it down in the chapters specifically the terms you use there you know Sim ueba case management Source stuff like that we'll we'll definitely talk through all those I think Sim is the first one of the chapters so it probably makes the most sense to start with uh when you think about Sim uh we should probably Define what that means to you uh or at least what that usually means uh I think you've a little bit already mentioned the converging of data right I'm I'm guessing that's going to be part of it uh and people might be hearing that and thinking well okay uh we don't have that or do I need that maybe we haven't bought that yet that's one of those terms I keep hearing could you speak a little bit about what a Sim is why it's important what we we should be looking for it to do for us we'll be back after a quick break if you're enjoying this episode then you're undoubtedly interested in building the strongest security operations team that you can for those who want to go even deeper did you know that Sans has not won but two courses that cover security operations centers as well for the leaders managers and directors out there my co-author Mark Orlando and I offer 551 building and leading security operations centers this course covers building your team your physical and virtual workspace getting the right data into your tools and then focusing on security priorities through everyday execution of important security tasks and building the best sock team possible for the technical practitioners out there my course SEC 450 blue team fundamentals security operations and Analysis is designed to cover everything you need to jump in being the best sock analyst that you can be we cover important data types sock tools security logs malware analysis technique Automation and much much more in addition if you want to prove you can deliver the best on any security team both courses have an accompanying certification available from GAC that's the Gom for 551 and the gck for 450 check out both courses and free demos available on the Sans website you can get registered today for an in-person course at one of our many events or go to on demand and take either class class anywhere at your own pace thanks for listening I can I can start with a kind of a crisp definition I've been using for probably too long uh a Sim is a tool that is used to um collect normalize persist query um display and correlate large amounts of security relevant information um and one of the important things to understand about Sim products is that they they came about um in the early 2000s about 2002 2005 because at the time you know Big Data wasn't a thing like it it has been perhaps for the last 10 years or so um in fact a lot of the original Sims were based on relational databases so um at the time the idea of collecting a large amount of data together to do security step was a really novel idea and one of the conversations we'll probably have in the next 30 to 60 Minutes is well G whiz there's a lot of ways to achieve that same outcome and maybe you buy a product that's labeled seam and maybe you don't so that's not something that in your opinion is going to be a uh a must have necessarily you need the functionality and this gets back to the point I made earlier is one way or another the sock needs to be able to collect persist and analyze and correlate and do all these wonderful things on an increasing uh variety velocity um of data and volume uh three of the v's and how they do that is a conversation yeah so I've worked in security operations and it's a loaded question about do you need a SIM or you don't need a SIM I've worked in some socks that don't have tons of money but have some really great scriptors uh folks that know how to analyze and you know use some coding language to be able to do things um and we've gone without a SIM um pretty well actually so that that's an interesting kind of uh you know approach to things right because a lot of times we just take it for granted that like oh everyone must to have a SIM right because we just hear everyone talking about it we see it RSA and black hat and everything um regardless of whether you have a SIM or not is there a set of core functionalities that whether you're building it on your own or otherwise that like uh lead to that deployment being successful like is there a concrete list of like it has to do this specific thing that specific thing otherwise we're just completely missing the boat for sure I'll I'll start there um so correlation rules are the bane of the existence of a lot of people who are managing Sims so being able to understand regular expression and create you know real complex correlation rules um that is it takes a real talented um person so I'm giving compliments to all those who are writing correlation rules and regular expression of your uh different Sim tools so that's definitely one of the biggest things about a Sim anything else yeah I think when you start breaking down the functionality you're really going back to some of what Katherine's said you're really looking at can you bring the data in and have it stored in a place where you have it accessible at the speed and you know time that you need and so that's something thinking about you know Sims are often uh you might want to think about them you know or or think about your live storage and what you want to be able to access right now versus something that you might have in a backup data store or someplace else so you're really thinking about how and where you store that data how much you have at any given time how much is immediately accessible for querying then you need to be able to run a set of queries on top of it um to get out and extract the information that you're looking for you need to think about accountability logging a lot of times a Sim is um used by organizations who have auditing requirements and so that ability to actually go in and know when data was put in have the Providence of it know who accessed it you know make sure that it's not going to be changed anything else um can be a really important factor for however you store your data whether it's a Sim or in another location then you need to think about you know the Quine the correlation normalization is one of the huge challenges because what is labeled as an IP address in one data dat feed is not is labeled as IP uncore address in another data feed is labeled as IP in the third data feed is wherever um so all of those things to help you normalize whether it's the naming or the time time zones or whatever else you need to bring in um and then thinking about how you do do you need a workflow on top of that data in that tool or is there going to be someplace else so as you start doing your case management as you start thinking about you know how are you going to take the data and what you find in the Sim and what you're looking at and start representing that or making it accessible to other analysts or putting it in to reporting or doing something else and then you need to figure out how far you need to go down that process of does this actually do reporting correlation uh you know with other types of data from maybe other departments or something else so it really is think you through the whole life cycle of how you're going to work an incident you know and how actually you're going to go from event to incident to response to everything else and figuring out what parts you you want to put in that play and so that's why we keep going back to you can call it a Sim but really you're trying to fit in certain parts of your workflow and make sure that you've got the capability ities that are going to allow you to do the things in that part of the workflow and now I have an idea for a third addition of changing this completely and not talking about the tools but talking about the workflow first and then talking about how the tools plug in so may maybe later maybe next year maybe later um you know John I think to to double down on what ingred and Katherine both said you know when I think about Sim versus going and buying kind of an ordinary um general purpose Big Data solution of some sort or another um or an EDR or something of that sort you know I think about probably four core features that I all expect to see in a Sim that may be missing from almost anything else I'd buy um number one I think about having a capability that has a lot of off-the-shelf um you know robust data collection and parsing one of the biggest challenges if you're starting from a generic solution um you know you're going to be missing a lot of those pares and Es are a pain in the butt to write a pain in the butt because there's thousands of them um and it takes a it it takes an army of of people uh you know be it working for a vendor open source Community or perhaps both to keep those up to date so that's number one the second um is in any modern seam um we expect that data store to provide sub minute query response for what I'll politely refer to as Ane amounts of data being queried in sane ways and sane is relative to your particular query language and and analytic problem um the third is that it's going to come off the shelf with a set of correlation capabilities or rules um where you have this beautiful menu of things to at least start from are they perfect for you probably not but they're they're the menu for you and then finally you have these prefabricated ways of viewing all the beautiful things you've either collected or generated and so so if I think about a generic approach or I think of something that's not a Sim it's likely missing one or more of those four things whereas a Sim should be giving all four of those to you gotcha so I like that way of breaking it down kind of the the input you know can we bring stuff in and like cleanly just understand what it is in the first place uh can we query the stuff that has been stored the rule sets and then kind of the the visualizations and the viewing and the output of the reports and all that sort of stuff um breaking that down into those those pieces I think makes a lot of sense and and hopefully is clear for the the listen uh in terms of maybe uh Roi or the value proposition on a Sim thinking about those things I I definitely have a lot of people ask me like I know we're paying a lot for this thing but I'm not sure I'm getting either what we're paying for it or the maximum that we could be getting for it uh any kind of guide questions that you could uh give to listeners to have them maybe kind of self-reflect on am I really getting anything or everything that I can get out of my sim what should they be expecting how can they evaluate the the ROI on their their purchase there I think that you're actually asking two different questions because there's the are you you know would you want to go simless would you want to say hey we don't want this tool you know we want to bring something else in and this is a discussion I often have whether it's about a particular tool or whether about to choose an open source project or whether it to roll your own or something else is how much time is it going to take an analyst on your team an engineer somebody else to do the same things that this tool is going to do and not just the initial time but keeping in mind that all the vendors are constantly updating what they do providing new features dealing with problems Carson was just talking about parsers you know so just doing that self- evaluation of where you stand and you know how much does a does a person cost you versus you know what does it cost to buy the tool and tools are incredibly expensive sometimes but so are people um and so really starting to think there and then I think there's the second question of okay you've decided to buy a tool and are you going to get the value out of it and that's a huge issue where you run into somebody just says oh we're g to open up the box and we're going to install it and we get our couple hours of of training and why is it not doing everything that we want and Katherine I just cut you off so where were you going with that well I had a couple thoughts on this um so this is back to your point about designing ingred and thinking about your workflow right so uh back in the day when pcap was super important um we didn't use Sims a lot for for pcap for example because uh you know the sheer size and the amount of processing and all that goes along with it um now that we have something called edrs um that helps us with the whole peacat problem but it also kind of um gives us some tradeoffs on whether you even need a SIM or not right um are you know when you start talking about Sims they're pretty expensive if you can do some of the similar things with Ed are and say some scripts to bring in some CTI and other kinds of data maybe that gets you 80% of where a Sim might get you so that's how you want to look at it is trade-offs are the kind of data that you're looking at what you already have um do you have some things that buy you a lot like edrs and memory and all those things that EDR does for you um and and look at it from that direction I I would offer you know I I've met I think probably I've heard more people Express more emotions about Sim since I've been doing this than any other tool and that's one of the reasons why this was the first big one in this chapter um you know and one of the reasons why um is when when Cloud before Cloud was really a thing people would spend like millions of dollars on these tools and they spent a lot of time setting them up and then as was implied they some of them would walk away and then at the end of their three-year maintenance contract to' be like wow that was terrible we're not doing that again and they go by something else and they they repeat the same cycle through over again and you know they'd be six years down the road and they'd still be wondering like why is my sock struggling um one of the reasons why you know we we can be thinking about excuse me we can be thinking about um Cloud solutions to turn some of that on their ear we're going to talk more later about the pros and cons for you know putting your sock data and tools in the cloud um but I think up front here you know how do you go from I need a tool to I'm getting value from that tool and um you know how do I minimize my risk in buying the tool um and that's actually one of the major things to look at in whatever Sim you're looking at on Prem or incloud and vendor a versus vender B versus open source a versus open source B um is what does that pricing model look like is it per node that processes the data is it gigabytes per day is it per number of analyst there's a bunch of things that go into it yeah one of the bigger downfalls of Sims uh if you're talking about how much value you're getting out of it it's those correlation rules I I mentioned earlier if you're not getting everything out of your sim part of it because maybe you don't have the the right talent that are sitting there writing those rules so that's somewhere I've focused before and had people brought in some more expertise to to help build out the capabilities what what's end up happening is that a lot of the organizations I've I know who originally bought Sims you know many years ago are now doing what what I'll call uh or I've heard referred to is running dual stack meaning they've got their Sim right and that's doing a bunch of their kind of prefab simy stuff and then they've also got some bespoke ml Big Data things you know doing the kinds of analytics um and detections and data science and machine learning and more buzzword Bingo um that doing in an ordinary Sim by itself would be inappropriate or simply not possible um and then they they will put together the kind of this bespoke data architecture to you know ingest the data once and send it to where it needs to go and you know enter message buses to solve that problem um but generally speaking these are things that you would only find in some of the largest organizations right so with with all that potential complexity uh you know I I think there's no tool that I've heard more over the year is referred to at least having the potential to be that single pane of glass right that term we mentioned at the the top of the uh episode here uh you know you mentioned having you know sensors producing data we have our kind of converge that data which is what the Sim is doing and the analysis piece which is also to a large extent but not entirely happening in a Sim uh and case management which could also potentially and sometimes does happen in a Sim uh is that the tool that is going to be if anything the mythical pain of glass or are we moving into a world where uh that's not a thing anymore or is there a better newer buzzword acronym that might be the new single paint of glass any thoughts on that I don't know if there ever was a single pain of glass John I think you're right that that Sim is the closest we get I think a different way to think about it is what is which personas focus at which stage of the incident life cycle meaning for example a triage analyst's Focus will indeed be the Sim and the Sim only for a very large percentage of their day the the ti analyst or the hunter Focus will likely be a bunch of other things including a tip if you've got it if you think that's that's necessary for you it might not be um you know if there's a big investment in other big data stores you know that might be it set you know rinse repeat so I would rather say um when we and that's why we again called this chapter that what we called is is focusing on NAS workflow is at in the different personas in the sock think about that life cycle for them think about their focuses at each stage of that life cycle and then you'll have your answer gotcha so so no there's no single paint of glass so we've closed the conversation so don't expect to really hear that term ever again I guess we oh yeah done this is it May May 17th dig its grave put it in there bury it over we're done with single paint of glass no um so so one other kind of thing I wanted to touch on on Sim uh in terms of just plain usability factors right you kind of mentioned viewing and searching and things like that and speed right as well uh you know being some of the things that we need to do or have from a SIM any other kind of thoughts on what makes a Sim more pleasant to use or what you should be looking for and like the user experience of getting into a Sim maybe that's search queries maybe that's you know I mean the query language or visualization options or anything else that comes to mind there for me one of the big ones is your ability to Pivot and to say the Sim is not necessarily going to hold every single piece of data that you need access to so how easy is it to for you to move from working in that tool to saying oh I need to go get this particular you know log or I need to look at this mare I need to look at this data or I need to do something else so it really is about the Integrations and the pivoting um and making sure that you're not having to like look at your Sim in one window and go okay now let me hand type over here you know this hash that I just saw and it's like you know no mistakes would possibly happen as I'm doing that and and look for the next thing and so really trying to make sure that it's um again going to support you in doing things as quickly as possible without having to do duplication of work and Sims have enabled us to break down the jobs into um you you can use less experienced people to kind of help with that first line on Sims and then have more advanced folks you know following up and pivoting and doing some other things on the side at the same time so it kind of you know helped us to break down the sock um the window so to speak John one of the ways I de deconstruct this going along with what ingred said is is thinking about for the different personas in the sock um how is that Sim improving either Effectiveness or efficiency at a given stage in that life cycle Andor for a given you know incident investigation response triage type scenario um and that's where you know going from alert to you know a series of curated queries quered you know curated dashboards you know enriched information um and the things that the stock does repeatedly and helping them reason through that information even before they start response um you know to me is where the value can be really great and is once again another point in today's conversation where we can say the Sim is one way to do it analytic notebooks are another way to curate a set of queries and data visualizations together that enables people to reason through data very rapidly and pull data together from a bunch of different places yeah so plenty of options on all this stuff right um one of the other I do want to actually close out though because we've talked about this a little bit and said like oh you could do other things besides Sim and here's some of the problems and here's whatever else I have worked with socks where Sims are incredibly successful um and so they are still a very valid tool and I want to make sure we're not overemphasizing like all the problems without acknowledging it you know for many socks it is a it is well worth your time to look and see is this going to be the right tool for you I I agree I I don't think I'm curious if if a an official industry analyst was here what they would say um but you you're settling for us today the four of us today I would argue that seams are on the plateau of productivity when it comes to the trademarked um hype cycle I think they've ascended the plateau of productivity and I think we all kind of have these kind of mature viewpoints on what they are and what they're not yeah there's one point I meant to bring up earlier this is a more detailed thing but um bringing history of your incidents into a Sim is a super useful thing so back to what everybody's saying I know it's a detail but uh I meant to say it earlier one of the cool things about using Sims is you can build the the history into what you're doing yeah there's there's a lot of like in my view right a Sim you know I I see a ton and ton of value of that just everywhere like largely if you can get the right data in if you can write the right rules if you can make the right visualizations and dashboards it's probably going to be worth it right in nearly every case there's no other tool that really gets all your data in one spot makes it more usable the slide I have in my class is like it's the tool that turns the coal into diamonds right if you make it do that and so it may not be making your data but it's probably uh or should be making your data better in a lot of cases and as long as you have enough data to justify getting a whole system to do that and have those specific needs and you don't have other kind of scripts that can do that I think it's definitely a well Justified tool in nearly all cases and yeah very mature product that's been around as much as everyone loves to you know joke and and point out some of the ways we can mess up with it because it is complex right it's easy to mess up um easy to not get the value uh but I think in general yeah solid solid bet for a lot of people um the other thing that that I wanted to bring up here is you know with the context that the SIM can bring that's all great but we've moved into a world where there's a lot more focus on identity we brought it up last episode right we were talking about identity kind of uh being the next thing after looking at Network then endpoint now we're more focused on that uh the other thing that or the next thing that you bring up in the book is ueba uh so I'd love to kind of start off the the the chat on that with what is uba and is it more the function we're looking for here or you know just kind of the same thoughts on are we looking for a product or are we just looking for a thing that does X I I think definitely this is a thing that does X and UA user entity and behavioral analytics is is that concept of being able to understand that it's not just about what happens on a system it's what the users are doing in this space um and especially as we get as we talked in the last episode more towards SAS applications you maybe not even hosting a lot of the um kind of data stores and um applications that your users are getting involved with really understanding what's happening in that space who's using it are they allowed to use it when are they allowed to use it are they accessing it from a different location are there um you know things that seem off about the the kinds of activities that they're doing that's really what you want to be looking for um and with this you're talking about users and entities so you're also looking for you know devices and um you know kind of the the service calls and the things that are that are expect you're really looking for those anomalies of what's expected in your environment and so this is one of those areas where people might look at it from an identity perspective and say hey yeah there's a lot of tools out there that are capturing this now you might also be looking this is a place where you know the machine learning data Lakes other things are coming in where people are trying to say okay how do we model behavior in our environment and this is a tough one because there are some environments where yeah you expect a user to uh log in at a certain time from a certain location they're in the office they're doing what they're doing you know it's a 95 whatever and then you have obviously you have remote work you have people that are on shifts you have people that travel around the world you have you know devices that might be used between multiple people you have all of these things that can make it really complex and so this is a really uh this is one of those where companies and the reason we talk about it from a tool perspective is you know there are companies that are spending a lot of time to try and figure this out and put those machine learning algorithms on top of it and figure out how does this all go together which is something that many socks you know cannot afford and there just aren't enough of the people who can do these kinds of analytics you know for every sock to bring in their own person to think about this the challenge is when you start doing that from a vendor perspective they're looking at it from a very um you know kind of broad lens of hey these are things that typically you might find to be unusual or you might find to be different but they re these systems require a ton of tuning to actually make them appropriate for your environment and so one of the things I've seen in this space is uh some of these tools actually have a lot of automation that go in with them and a lot of people don't use it what they're do is say okay we're take the alerts that come out of these systems but we don't trust them enough to actually go in and then take action like actually just go shut down an account or turn off a system or do something else and so people are are trying to figure out like how to use them but this is um I I still remember 20 years ago working with an early version of these and just every every couple years I go okay have they gotten better are they right yet are they a good thing um and they they can offer a lot of functionality so if you are a place that has um a lot of very specific concerns about maybe your user group or you have you know a lot of people that are visiting or you just you need to be monitoring that in a more robust way absolutely something to include if that is maybe not in your use case you might want to think about this more from a generalized identity perspective than this specific technology yeah so I was going to say that the thing about ueba and and why it may maybe hasn't taken off like it might have is because you have to understand what's normal and and finding out what's normal for most environments is is near impossible to do if you're in anything other than a you know strict N9 to-5 we only use Office Products kind of uh situation then ubaa probably will work for you but if you're massive research organization that does different things every week and uses all the ephemeral ports all over the place there it's really really challenging to come up with what is your Baseline and what is normal therefore you end up with a lot of um false positives you you end up tracking things down and so people just get kind of tired over time that's that's been my direct experience with ubaa I'd offer a couple points here uh plus one as usual I I think we look at it as a set of functions you know and we can achieve those functions by buying a product or not um this is a yet another place where I will double down on my perspective that the way the sock builds value and builds momentum is tearing off one small piece of the Enterprise where impact There's an opportunity to make impact and building focused detections and scenarios around that thing so as Katherine was talking about taking any capability ueba or otherwise and just throwing it on a highly heterogeneous organization and expecting magic to come out probably not work out the best for you however if you have a constrained set of Engineers or um help desk people or people within a constrained set of roles with with typical patterns for data and access and whatnot you're probably going to make a lot of hay pretty quickly um but it takes diligence and some of it can be tedious and um you know that's true here or anywhere else and that's a really great Point Carson which is this particular set of tools um is not something you have to think about deploying across your entire environment it is something that you might choose to use for just certain parts of it that need additional monitoring um and where this is you know you can reduce the amount of like false positives overall that you have and just say okay we're looking for something very specific here yeah that's actually a really good point when someone's looking at a ubaa product and let's assume for argument sake that product is uh costed on the per seat basis and you say well you know I've got 50,000 people on my Enterprise and each of those people have four accounts boy you just got a pretty big Bill pretty quickly why not focus that down a little bit to get started yeah that's one of the things I I commonly bring up as well is cu I I've seen that as well right I worked in a very large organization hundreds of thousands of assets and we we tried to like I don't know let's turn it on and see what we find and of course it's just like right and and goes off like like a alert bomb and after tune tune tune tune tune yeah I did find stuff right and we did find some useful stuff but there was a lot of work that got into it and so uh that was my my exact kind of experience is like we need to focus this on a single group that is going to act a little more uniformly than just just this company right and then I kind of thought about it and I was like well given the stuff that we found like to some degree had I known that we were looking for that going into it maybe I could have actually wrote some of those rules without the machine learning magic so if there are people out there that are like listening to this and like yeah we're not we're not fancy enough for getting into machine learning tools and spending all that time uh do you think there's still value in trying to write your own kind of identity and entity based uh rules just looking for anomalies based on Purely you know Windows logs and that kind of stuff you can I have I've spent a lot of time in the middle of this exact problem John that you're describing you absolutely can however I recommend against it and this is why the velocity at which we are accumulating diversity in our Enterprise and our it and Shadow it footprint that acceleration is accelerating right so and I'm sorry I'm getting use the cliches and I apologize in advance the point is is like 10 years ago you could have a SIM and you could collect a bunch of host logs and a bunch of network logs and like there was a fairly B bounded finite set of detections you needed to write to feel really good about yourself and now it's like it's just totally blown up and what I advise people to do is monetize as much as you can meaning you know don't write a like 300 different detections against ordinary Windows logs or audit D logs or CIS log I mean you can it's GNA take you a long time you can go buy products to do that now move on to the next problem buy the product and move on to the next problem or download an open- Source collection of stuff to solve the problem and move on yes maybe maybe not write it all yourself but get get a pre-written rule set of some sort and like try to leverage that even if you don't have a specific tool implementing all the machine learning and and stuff although that is being built into more and more products it seems like in my experience as well um I also would probably be remiss and not me and if I did not mention that increasingly there's this ecosystem being built up around both commercial and open source products and we start blurring the line where they're like these communities where where people will offer things they've done um there are languages intermediate languages you can write some of these rules in that you can go pick up and use so you're not starting from scratch so I think it would be incorrect for us today to portray this as you know take what some vendor has written for you them by themselves and and go use it rather it's it's in any case leverage a community leverage what else is out there gotcha so the next kind of section after you your ueba uh piece in the book was case management and I know a lot of people have have you know varying setups when it comes to that as well there's the people that kind of jump into the oh I don't know I'll use what the help desk uses cuz that's ticketing right and then we have the like I'll try an open source thing we have the the dedicated like incident response platform and all of that uh regardless of the way you approach it what are some of the things we think uh we should be looking for in collecting all of those alerts and working through processing them in an efficient way so one thing that's super important about any case management is that you're using it so I've worked for environments and I've used all these tools I've you know we've bought them we've you know got modules that do incident response to other the bigger relational D databases we've gotten you know open source I've done them all and and the biggest downfall is when people don't use them and and by that I mean the advanced people who are doing incident response uh may not update a case for the operations manager to be able to brief out so being able to trace from start to finish as you go uh a case management tool is the most key to that and being able to store information and search on that information so being able to look for dates and being able to look for certain strings and you know whatever malware you know whatever you're trying to look for also be careful about malware um but being able to um use the tool and have multiple people looking at it is the key to that so beyond using it what else can we look for and that's totally R because I work with a lot of companies I'm going double down because this is this is so important Catherine absolutely nailed it um if you have any Casa any kind of case management system you absolutely must be driving case hygiene case correctness case completeness you know time to close some set of kpis that are meaningful to ensure that you know the people who are using it are using it and they're doing so held to a set of expectations that are commensurate with the complexity of your shop right and that might be three people it might be 300 people um you know the way I think about case management and and I'm going to do a little compare contrast back to seam people often ask do I need a case management system at all and I would say and yes yes you do the question is where and how right back to Katherine's Point um I it's if there is a Sim out there who has a case management system that is as robust as a freestanding commercial grade or mature open source solution I'm not aware of it but you might not need that especially if you only got five people in your sock so um I would say the main thing I look for in a case management system other than ensuring you're using it is um does the complexity of the information capture and workflow management that it has there meet your needs and not just the here and now but think about you know where you're going to be in the time span that you expect to be using that solution moving from one case management solution to another uh after a sock has been stood up like oh we don't like this one we're going to go use this other one I would argue is as painful if not more painful than dumping a Sim vendor and going with another one oh it's terrible yep amen it is and that history of your incidents that's where the case management tool is super important so if you're moving from one to another and I've gone from open source to a purchased one and back uh and it is very very painful but keeping that history of what has happened is super important yeah that's the uh you know I think the term you used before on that Carson is the socks persistent memory uh that's one of the places that it largely lives right and and depending on if you have a dedicated threat intelligence platform or not like that might be where all of the indicators you've ever seen may live and only there right and so if you're not recording that you're going into every case with amnesia right it's just like oh I hisory exactly I don't know right yeah yep absolutely agree with that any other thoughts on uh usability or workflow or specific features you you like to see or don't like maybe in a a case management software I just I think about this again from that workflow perspective of okay you have to be able to get the data into it somehow and how much work is it going to take to actually put it in there like can you hook it up to your sim can you automatically push information can you pull in from other you know other systems you know so if you've got usernames or IP addresses or something else that's going in there you know is this another place where you can do correlation it can automatically you know provide context around who is actually involved you know with this particular information then there's the how do you share it out is this something that only your so can see is this going to be one of those modules Katherine was talking about that's part of a bigger uh maybe you know management system so you could get legal could see it or Communications or somebody else so that if you have a major incident and they need to be aware what's happening you know you don't have to then take it out and you know put it in a different format for them that may or may not be important to your organization um you want to think about you know how do you connect related incidents that's a big one where a lot L of times you might have you know five or six or a hundred different things happening depending on the scale of the incident and you want to be able to group those in some ways and talk about the fact that they're related and they have a relationship and maybe it's parent child maybe it's you know they go with each other um you want to think in about that AUD you know audibility and can you um know who made what changes at what time you know and who did updates if you need to do different things and then you want to think about what comes out of it so how does it support your reporting how does it support metrics um you know especially uh you know that's a way this is going to be one of the ways that the shock is the sock is going to show value over time is being able to pull those metrics out and show what's actually happening and show what work they were they were doing and so having that kind of system where you can go in in query and pull the information out and have it in a structured format and to be able to kind of add the fields and the tags and the the information that you need to make it valuable for how you need to present that up to your leadership team is going to be really important as well so again it's about what's your workflow who are the people you work with what access do they need to have and how do you need to get the data in and out of it in order to to support and unfortunately I could say that about just every tool that we have that we're talking about but that that's a lot of what it comes down to and then you just look at okay and Visually can you look at these things and like you know are they pleasing to look at are they does it make sense to to click on this button to get to that next place because if it doesn't do that you're not going to get people to adopt it and they're going to go back to their spreadsheets no I that's where they're going to track I want to pull the threat on one of the things ing just mentioned because this is also getting this is another another source of of conflict and emotion in every sock I've run into when you graduate from a system that is a fairly in inflexible uh ticketing approach to one where like you can paint UI with boxes and buttons and dials and and and you can it's like painting and like you've got to resist the temptation from going absolutely bananas straight out of the gate because otherwise the aners are going to be like ah it's take me 10 minutes just to close this one case and I got to do a 100 of these today and like they're just going to revolt so um as you increase the robustness and complexity of what you're implementing there at every stage it's important to get that buy in from the user Community because they've got to feel like hey it's worth my time to fill off this field I'll give you an example one of the 3,7 62 I just made up that number of things that you can track in your case management systems did I have the data I needed for this incident and one of the closure criteria for a case can be yes yes no or partial and it the analysts need to understand it's in their interest to actually fill out that field accurately because then they can go make a case for not having the data they needed 372 different times last year so get that buying as you go yeah and for case management you want to look at the functions and some of this depends on size which parts of the the case management you might use so most of them you know the fancier ones will let you do workflow meaning you can actually move workflow along um if you're in a smaller sock that can be you know overwhelming to Carson's point with oh my gosh I have to click this and then I have to move the workflow and um so looking at things like workflow as a function that may not be as important as say putting like all the indicators and things of how it looked into to a certain set of fields so that you can trace it later to other incidents so really think about the design and what you use for case management yeah for sure design is a a very very crit I mean the case management thing that's probably the one tool that I've either It's Made Me Love or hate going to work because it's like you're always in there you're always fighting it or it's a total dream and like everything's great right uh and so there there are certain features that you know I personally think are really really important in those things and I think you hit on a lot of them um one thing I did want to add ask is uh related to kind of that playbooks and workflow customization uh could you speak a little bit about where The Sweet Spot is on that are we trying to take the definition of workflow more toward the extreme first you click this then you click this then you do this or do we want to have it more open or probably somewhere in the middle right as I would I'm guessing the answer is but how do we find that sweet spot you're going to get three different answers I think here from us because I I don't love work I have to say you know and I've managed socks I've been an incident responder I've done all these roles and I just don't like that rigidity of I have to do this and then I have to next do that I like the creativity that comes out of not being so rigid at least in the systems themselves I bet ingred and Carson have different opinions I I found a little bit further on the spectrum of I like having the playbooks I like having the you know definition and check checklists and the things that you can say okay did I do the main points that I needed to do did I work you know is there anything I forgot did I hit this um the intent of what we were trying to do and figuring out how to do that in a way so that you know as I as a manager in a sock like as the indivi and this is the problem as an individual analyst like just leave me alone let me do my job I'll tell you the answer in the end as a manager it's please give me all the data have it in a structured format and I need to be able to do a report out of it and so that's why you end up somewhere in the middle of you know I think that I think you have to have some level of of Playbook and repeatability and structure behind it because otherwise it's going to be um it is very helpful for uh people that are earlier in their career getting into this space it is very helpful for the managers and then you just have to figure out what is that spot for your senior people that doesn't break their creativity and doesn't squash their hopes and dreams every day that they come in um you know and and allows them the flexibility they need to actually be the people that they can be so I I think we're actually fairly aligned here you know I've seen really well-meaning experienced IR managers come and say we're going to take our 8,000 pages of Sops and right into their case management system we're gonna we're gonna turn every case every sop into a case management workflow it's like whoa dude um you know the the point about being a supporting creativity um while reconciling that with uh consistent information capture to me is one of the the most important pieces in that you know and ensuring that you know we're driving um the the essentials around um case hygiene and the kpis that are important to us and I've seen even in massive sprawling organizations the workflows didn't mean to get that complex what got complex was that you then have lots of different teams who have very nuanced feelings about the workflows that need to be built into the system and what information is captured in which fields and you know group a uses one kpi that's worded the same that's actually totally different than Group B and like them getting in food fights around that so um you know one of the things to think about when spinning up a any kind of case management or for that matter soore anything where you're managing workflow um for a sock of more than a handful of people is having good uh change management um and principles around how you're building those workflows and those structures because otherwise it'll just be chaos of I want this I want that and when we get to uh our strategy on metrics we're going to have a lot of conversations about figuring out what is the right level of tracking and are you actually able to answer questions because of what you're tracking or are you just tracking for its own sake and those types of things and so so I think that's going to come up again as a trying to find the balance between things between structure between playbooks between metrics between everything else and still wanting this to be a a fun but tough job and needing human creativity and the machines have not solved it for us and everything else so and one final Point whatever you decide is your minimum amount of data that needs to go into your case management there needs to be someone following up to make sure that it's actually getting put in there and you know look at that quality control as you go along yes yes yes yes you might even think about having like a Cas closure meeting or something like that on in addition to not instead of the kind of the kpis and metrics that are tracked by managers and perhaps the the executive directly over the sock on a routine basis yep yeah I I'm of the same mind of as all of you on that in fact I have some some labs and courses that align with exactly some of the stuff you just said so yeah totally agree right I I think there's this interplay between like the man wants perfect metrics and perfect process and the people don't want to go crazy right and there's a there's a short-term versus long-term we discussion that we had there that we won't get into now but like it is it's that it's finding that balance right I'm gonna mention one more quick thing um I would I would strongly encourage socks that everyone in the sock should be in some kind of on call rotation including the managers and the manager in call rotation might be around like who's the incident in incident executive responder for the day or some cool title that said that designates them as the the person who gets tagged with important decision making during their their on call period um the reason why I make this remark in the context of case management system it keeps it real and it forces them to use some many of the same processes um and particularly the case management system the rest of the sock does and it will it will drive down this big dissonance to you know put everything in here and make it complicated versus just let me do my job yeah so one of you mentioned the uh the phrase until the machines take over uh which is an interesting statement uh in 2023 as we all know um up until roughly the end of 2022 we wanted the machines to take over right one of the one of the things that we were kind of you know pushing our work towards was sore platforms right and AI is going to be you know the the new kind of answer to that uh with sore platforms it it did it took a lot of the work out of maybe some of those really rigid or like the boring steps of the process that we may have created and it made it so like oh if it's easily defined like this this thing's going to do it for us right um can you talk a little bit about where sore fits into the other tools that that we've talked about uh here and how it's maybe different from a SIM and and do you need one or do you not I'll take a crack because I think SAR is an an area where people also have a lot of feelings about what is it even um when I think about SAR I think about a platform that is focused on as the name implies building robust and iterating and making them even more robust workflows for the sock and that is usually around coalescing data that's in different places supporting reasoning over that data and effectuating um you know faster or more effective response than would be otherwise and we can think of sores in a way as a platform in contrast to sim rather than being focused on collecting a lot of data though they do collect some data some sores do um rather than being collecting a large amount of data um instead of being focused on you know the Automation and Analysis pieces and you often see sore and case management you know fused together so um and then you'll see a bunch to seams with half sore capabilities then the All Case Management systems that also like we have a sore module and it all gets very confusing and this is why I'll repeat the same thing we said a couple times already is let's focus on what are the functions we're trying to achieve rather than applying a superficial label to a thing we're considering buying and as I've been thinking about sore lately it's like many of these these tools and Concepts it's not a single thing from a complexity standpoint Sor can be very simple it literally can be you know if I see this take this action I mean if I see this kind of email come in you know delete it out of a user's inbox or shut down a a user account or you know lock it or something else like you can do some just very simple things that can be really powerful they can take that base set of actions off your plate and that's actually a great way to start because if you if you start trying to do things that are really complex or you start doing things that are going to maybe be more disruptive in your organization you have to get a lot more buy in for that and if you make a mistake then you're going to get kind of shut down like oh yeah the you know what what's the sock doing they went off they they did X um and so you actually want to build up some trust and get to that point and so uh you know and maybe you get into those more advanced modules or an independent store platform or something else but don't think of this as something where it's like oh you have to go H hog and you know again do this across your entire environment for every single use case you have you can really start pretty simply um to to come up with something that can be effective and even those little wins of hey yeah this is how we respond or this is how we reach out to a user if we have a question about did they really lug in from this location um all of that can take workload off the day-to-day actions from the from the sock team and that's really what you're trying to get the two things you're trying to do are one uh be faster at your response well I guess you're doing a couple things you're trying to be faster you want to be you know as fast as the machines um two you want repeatability and you know kind of feeling like yeah when this happens this is always the thing we want to do and so you don't have to get the variances of how an analyst might do it if you know that you've got that standard to it and then three you want to make sure that the analysts are focused on the things they need to be focused on which are the more human- based things than what you can actually do the automation on and so but I just I wanted to I think it can really be a very simple thing without having to think of it as this big complex problem yeah and maybe I'm saying this the same thing ingred or maybe I'm building on it but it's basically how can I expand my responders role how can I extend what they do by augmenting what they do with some automated little things whether they be bringing data together uh more effectively or actually taking some actions somewhere um of course we want to be careful about taking automated actions we've uh um as as Ai and ml become a lot more prevalent um we need to be thinking about not doing denial service and not uh creating malicious machines that take over for us but I do think we are already working with AI and ml type algorithms to be able to look more intelligently at large data sets across a lot of different things and it is starting to show some promise you were talking about user Behavior analytics earlier that's an area where AI can really be useful if we do it in a you know in a in a in a smart way so we're looking to augment what an analyst does I think that's what sore can do for us yeah I want I want to expand on something Katherine mentioned when people approach Sor they often immediately get these visions of strapping lasers to sharks and having sharks with freaking laser beams and and shooting those lasers at Cyber adversaries and cyber space and submillisecond times Pew PE Pew like Pew map PE Pew maps and it's it's all quite terrible and humorous and I would my number one recommendation for SAR which is consistent with a more General recommendation I make in the census start with collecting and enriching information about whatever the analyst is first let me give you a very compelling example if you are decorating your alerts correctly you could very likely save an analyst one to two hours of work for every alert they look at because you are decorating that alert with everything about the user the host the service um the the threat the cve you pick an aspect of that alert and decorate the heck out of it so um I would strongly encourage folks approaching this a new to really hit a home run with that and when you've done that you will know that it's time to strap those those lasers on top of the Sharks and go after people in sub midle second times um the more General comment I'd make about Sor we alluded to it earlier with seam Etc is um always start in alerton mode on any kind of preventative or response capability you've got but to the point that was made much earlier was a lot of people find themselves challenged to get out of that mode yeah the uh you know the sore kind of um I don't know vendor space and and all of that has definitely you know blown up over the last couple years a lot of socks are are getting you know various tools for it I always ask in class how many people have it how many people don't it's not one of those things that everyone has right and I'm what I'm kind of thinking as I watch the space is like I wonder if we're going to see more sore or if AI allowing you to just phrase what you want and spit it out as code is going to cause less sore because now you don't like part of the value proposition was you don't have to code it we coded it for you but when you can just ask for that I'm wondering what that's going to do to the market as well so well you're you're absolutely right John I think it's a means to an end right and you know with the emergence of of a lot of cloud-based Computing you also have this intermediate piece right you had sore and then you've got a lot of the ways to achieve the same outcome based on cloud-based um automation Frameworks which are also kind of codeless you know broadscale Automation and you can go get them for you know just pennies pennies to be able to go do stuff that it would have taken a trem tremendous amount of things to build on Prem before yeah so definitely options are expanding uh in that field uh so well that goes um very very interesting space you know I think we're all in agreement that automation is generally always better until it isn't and you've told it to do something you shouldn't tell it to do uh but you know faster more predictable all the you know U you know reliable response kind of stuff you brought up is is exactly what I hear people kind of using it for and fishing is the one like I ask every class wait what is your killer use case for a sore platform and your automation Frameworks and stuff fishing is every single time that is the answer and so if you if you haven't started this before you know take that for what it is I hear a lot of people um use it for that in a lot of successful ways and I think it's because it's a a fairly standard problem it's like you have to take apart an email we can parse an email we can do these things with the pieces so you know that that would be kind of my thoughts on on that sort of thing is I I hear a lot of people jump in on that I don't know if there's any other use cases that jump to your mind that you you always see people use any any other like oh yeah definitely do this specific thing with it well I mentioned the one big one I always think of is that of is of alert enrichment um and or um automating elements of engaging users which might overlap with your fish example um the sock uh especially if it's doing anything in the in the realm of what either you buy or implement that smells like ueba the the the frequent was this you emails saying hey we saw you do something that was weird was that you um there's a lot of automation opportunities there yeah I've seen examples of that like U not just over email but like over slack messages or whatever and saying like hey yeah was that you you know hitting knowledge two Factor off like all that kind of stuff and that's cool way to get rid of some of maybe those anomaly alerts that would otherwise have humans talking to other humans in a slow way right so definitely that's one of those skies the limit you can do kind of whatever your specific use case is but certainly a very value added product as soon as you come up with those use cases the last thing I want to mention the last piece of this section here and and I've been maybe the most excited about getting to this one because I'm I'm really excited to to hear your take on this is protecting all of these tools right the sock Enclave as you call it and I think I want to start by throwing this specifically over to Carson because I know that things have changed in chapter from the previous version of the book you had mentioned that before and and that was one of the things I was thinking as I read it as well could you start with a little bit about what is the sock enclave and how has your thinking about what's necessary there changed over the years um thank you uh I have lots of feelings about this and they're very complicated and they've evolved over time um the sock exists predicated on the idea that the Enterprise it protects will be intruded upon in a major way at some point and the sock needs to be able to continue operating through such a condition um this in turn means that it must be able to to trust the tools and data um that it has um in the presence of an advanced or persistent threat and in that way um socks are obliged to protect those tools and that data um from you know other parts of the Enterprise he needs to insulate them in some way um taken to an extreme this can feel like the sock has become a black hole and an event horizon forms around the black hole and old data goes into the sock and it never emerges and you never hear from that data ever again that's not good um the sock needs to be able to constantly interact with its users its services it its Executives its Partners um and it needs to be able to pull levers on a a increasing set of response actions that grw over time so there's no Absolut way of doing it there's no way of saying I'm just going to oneway feed all of my data to the sock and that's that and what that that so in in the first Edition in 10 strategies you know back in 2014 I made some fairly absolutist statements like never join the socks tools or data or users to the same Windows um domain or uh or active directory Forest as the rest of the Enterprise I stand by the assertion that that's probably non ideal for a lot of a lot of circumstances however there are many socks that don't have that luxury and there's this sliding SC SC of risk and complexity and dollars you want to spend on on how to solve these problems and where in the Spectrum you fall speech over perfect so go ahead yeah so um I it's a real simple thing you you you you don't want your adversaries to know that you're tracking your adversaries so uh you need to do something um to protect at least your case management um and and some of the other things that you're looking at right so uh Carson speech you know very very eloquently done um you you need something in between you know absolutely don't share anything and share everything so could you give us a kind of example or two like a quick specific like attacker gets into the environment what are they doing to the sock or to the socks data or to the socks accounts and how are they doing it and why does the sock Enclave stop that or how does the sock Enclave stop that there's there's two there's two very concrete things that come to my mind um and one of them the Sak Enclave may or may not be able to help and that one is sensor blinding um turning off host Bay agents um you know doing things in the network that means they can't be seen by your network sensors um doing things to either turn off your log feeds or or do things that they think that your log feeds won't indicate so that's um that's the first and then the other one goes along with exactly what Catherine was talking talking about is is that the adversary using um your tools as a means to understand what you see um and then to be able to act just as fast as you are because you see what they see or they see what you see same difference so you know those are those are two things I think about and uh we could have a ve we could write a whole book probably on how to solve this just just this one problem um and one of the immediate things that always comes to mind is always have multiple perspectives from different log feeds from from different sensing Technologies and different detections On Any Given part of the Enterprise or any given single threat um in terms of protecting you know the information the most critical information that we're collecting in particular thread intelligence and case data we always think about um either putting that in in a different identity plane or adding some kind of MFA on top of that understanding those two things by themselves are imperfect and can potentially be circumvented so we just think about raising the cost to the adversary and I think Communications is an important part here you know we're talking about tools but this also feeds into incident response process and thinking about your Communications channels and looking to make sure you've got at least one alternate Communications Channel that's a little bit you know different or outside or that can be more protected or you know somehow is not all tied together through the same systems because if if they can get in and compromise an email account and now suddenly they are you know or multiple accounts and they're able to track the messages that are going across or they get into your messaging system you know or your whatever the platform is do you have another route I mean honestly going back to actual phone calls and phone Bridges is something that I've seen where it's like because that's just not something we do on a regular basis uh some organizations like just knowing that you have an additional setup or being prepared that if you um if you do find that your your email systems are compromised what would it take to go do something else where you can have a communications platform that's a little bit different is a really important consideration here um I have a tang go go for it Caron um so every sock is well advised to consult um their legal counsel on what I'm about to say because nothing we're we're offering today should be construed as legal advice how however um in the the sock should think about having that alternative uh means of communication and have them sanctioned and and aware um to their lawyers in advance particularly if the the sock thinks that down the road they have regulatory requirements for for records retention or or ecovery requirements again on the on the advice of the legal council they should think about having that all kind of thought about in advance rather than like you know tomorrow like oh everyone download the following app on your phone so we can call each other like and the lawyers might be like right so that's something to think about yeah absolutely there's always that kind of piece of it where we're like oh and then we have to think about the lawyers too uh because yeah you know it's very easy to be like oh let's just talk on telegram or Whatsapp or whatever right like that would be simple Until you realize like oh that becomes discoverable on a personal device or whatever if there's a big breach in your you know highly regulated industry whatever so perfect advice there um the way that I kind of think about this problem is there's the the multiple kind of planes kind of like what we talked about before really right there's the identity piece of it there's the endpoint and there's kind of the the network piece uh let's say you're a you know 100,000 person and asset company and you have the political will and the budget to do something reasonably complex you don't have to go full you know top secret data skiff you know paranoia tier separ ation um what kind of like practical things would you suggest for a sock to like do what what would your setup look like in that situation so if you have the means I have uh procured separate network connections so you can buy you know uh different kinds of networking um and multiple vendors across that networking um you know just kind of changing it up so you're not relying on one particular provider for everything turns out voice over IP tends to be um intermingled with some so it is good to look at multiple carriers for your networks it's good to look at um different kinds of um Communications um you can go what like satellite you can go there's all kinds of different ways to change it up so that's one the networks I would I would say the second is identity um and and on a couple layers um I'm going to use Azure terms for a second because Azure is the cloud I know the best um so in Azure terms you know the sock would think about having the separate AED tenant or failing that separate Azure subscriptions um in which to put its stuff in its users um providing it some insulation um from compromise of that and we also think about the on-prem Federation uh for that as well and there's some implications on email and collaboration in chat I probably longer conversation than what we're going to do today so I would definitely offer that the identity plane be it on premer or in cloud or usually now hybrid um is going to be an interesting story as well what about Hardware are you thinking like is this a you know we need a separate what we might call a privileged access workstation and dedicated machine for being a sock analyst versus being a normal employee are we separating things on on that level and and one goes on the corporate Network one goes in this magical sock Enclave network uh you know are we taking it to that extreme I use Carson's uh phrase I've got feelings let me tell you I have set up a dedicated Network um with one computer on it that collected dust for two years because it was it was by itself and it was very secure but no one would go over there and use it so you have to provide uh ways for analysts to be able to do their their work right across different kinds of networks and things so if it's its own dedicated box it'll be lonely sitting in the corner and this is another one of those where you know so many times the information that's coming into the sock you know from a threat intelligence perspective or from you know constituents or something else is going to come across a corporate Network and you need to be able to take that information and put it into the sock Enclave as well and so you really like having those separate systems can be really challenging you know one thought is you can do the virtual machine where you have your you know less secure system actually in the VM because then if it gets compromised like they can't really Escape out of there and then still have the ability to copy and paste and take things out of that and put it into the more secure system which is more the the system that's around it and that's a a pretty simple way to start doing at least some level of segregation so that you get um a a little bit of differentiation between the different functions that you have but um as an analyst who has had to at one point I had four different systems on four different networks across a single desk and the number of times I'm like I just want this piece of information over in this system please can I and I'm sitting there typing the hash in again so I've got feelings about this too yep I've got feelings um big surprise uh I would summarize what I just heard in my own feelings and that copy paste in and out of the sock onclave is absolutely essential the way you achieve that copy paste could be in and out of an RDP session um it could be in and out of chat um God help us all it could be in and out of email that's got its own set of of challenges um and the way you achieve that copy paste can become a source of hugely passionate debates between these security people and the security people talking about how we're going to be secure about security and it it it's they become absolutely spectacular yeah yeah there's there's a lot of potentially complex things that can go on here and is is a constant struggle of usability versus Security even on this level like anything else right and in my own experience you know I've I've tried varying levels of you know segment the network put a firewall in between us and the corporate Network and then you can and you can't do other stuff and you know is it the identity plane that's going to get compromised um the way I break this down is like how easy is it going to be for a compromise of the constituency to become a compromise of the sock and you know whatever that level of comfort is for you right that's what you're going to have to pick but ideally it's very difficult and whatever you can do uh without sacrificing too much usability uh still having an acceptable level of usability to kind of accomplish that uh that's that's my feelings there's um there's another tangent on this that we are thinking about usability right now which we are very passionate about and being able to move within the decision cycle of the adversary one of the other W things to think about in terms of the s enclave and you may have feelings about on Prem and in the cloud and putting sock tools and data on Prem versus on the cloud Etc one of the essential things to think about here is how quickly can the sock iterate not Bing through an incident in through that incident that that like alert life cycle we've talked about but also iterate and improve its own tools and capabilities right being able to deploy new capabilities to perform data analysis or you know getting data a from point point A to point B Etc in the cloud is massively transformative massively um and one of the very important things for the sock is if it's going to go put its stuff in the cloud it's got to get really good about how to secure that stuff in the cloud as well and for that matter which Cloud right is the same Cloud as the constituency um or not so there's there's some intricacies there and and there's regulatory implications if the if the sock has data subject to regulatory scrutiny and it puts us data in the cloud where is that data going and are there laws or regulations um that are relevant to that conversation yep yeah yeah a lot of a lot of potential concerns but a lot of you know hopefully things are getting easier over time right uh that they kind of open up the ability to move data around and and as long as you know how to secure the cloud right uh we're in potentially in a a and that's a whole different conversation um a world of of things getting better and and going in the right direction uh so to close this up uh any final thoughts anyone wants to throw out there on uh usability for sock tools or integration or anything else that has gone unstated so far I'd go back to something I said um in strategy 3 is is always getting always be getting better but stated better than that meaning you know we've had this conversation about the sock tools and sock architecture and sock workflow and I think this is another time to repeat the importance of having those Engineers or the people doing engineering development for the sock um you know frequently have contact and of intimate nuanced understanding of what um the analyst the investigators the responders the triage folks who whatever their titles are what do they do every day and how do we constantly make that better yeah I guess what I would add to all of this is that um tools make and break security oper ations when you have Cool Tools it's easier to attract and keep you know really great analysts so um making sure that you just constantly evolve your tools and your ability to correlate and bring things together that's fun for analysts um and it's a place where I would focus if you know for any sock and I think uh boting from some of the things we've talked about with people and kind of taking what both Katherine and Carson said and building from that is you have to give your team the time to actually understand these tools to learn these tools to research the tools and to evolve the tools over time because if all you do is pull it out of the box stick it you know in your rack hook it up and hope for the best and then three years later you know you're you're done and you're like well we need the next tool because that one didn't work you're never going to be successful all of these tools require care and feeding they require maintenance they require constant learning because the you know especially if you're going with vendor tools they're going to be evolving themselves over time and you're going to have to learn the new features and the new integration opportunities or if you're doing open source tools you're going to have to look for what the community is putting out there and figuring out how you're going to you know bring in the latest from that so there's just there's a lot of Maintenance that goes into these um that is really important and needs to be part of your workflow and part of your process and part of your Staffing plan it's not just going to magically happen because they had 15 minutes before they went to lunch and they decided to look at something yep yep so I think that's a a perfect kind of uh cap on the episode there we all got chance to to share our feelings and and go through the uh blueprint sock tool therapy hour uh awesome stuff though I had a lot of fun on this one uh you know as everyone said and and has mentioned that you know tools will make or break the socks so uh you know absolutely I agree with that uh and an important thing for anyone to consider and improve over time so uh next time we're going to be back with episode nine which is going to be communicate clearly collaborate often and share generously so excited for that one as well uh in the meantime listeners and Watchers if you're on YouTube uh make sure you subscribe on your podcast aggregator or on YouTube to make sure you get that uh as soon as that one comes out you won't want to miss that either so with that we appreciate you all for being here thank you to our authors for spending their time with us again and we will see you on the next episode of blueprint bye [Music] everyone [Music]

Original Description

Tool choice can be a make-or-break decision for security analysts, driving whether getting work done is a struggle, or an efficient, stress-free experience. How can we select the right tools for the job? Which tools are most important? Answers to these questions and more are in this week's episode of Blueprint! This special season of the Blueprint Podcast is taking a deep dive into MITRE’s 11 Strategies of a World-Class Cyber Security Operations Center. Each episode John will break down a chapter of the book with the book’s authors Kathryn Knerler, Ingrid Parker, and Carson Zimmerman. Sponsor's Note: Support for the Blueprint podcast comes from the SANS Institute. If you like the topics covered in this podcast and would like to learn more about blue team fundamentals such as host and network data collection, threat detection, alert triage, incident management, threat intelligence, and more, check out my new course SEC450: Blue Team Fundamentals. This course is designed to bring attendees the information that every SOC analyst and blue team member needs to know to hit the ground running, including 15 labs that get you hands on with tools for threat intel, SIEM, incident management, automation and much more, this course has everything you need to launch your blue team career. Check out the details at sansurl.com/450 - Hope to see you in class! Contact, Courses, and More: For feedback, reviews, guest pitches, or to get in contact with me for any other reason, head to blueprintpodcast.live (https://blueprintpodcast.live/) ! Check out John's SOC Training Courses for SOC Analysts and Leaders: • SEC450: SOC Analyst Training - Applied Skills for Cyber Defense Operations (https://sans.org/sec450) • LDR551: Building and Leader Security Operations Centers (https://sans.org/ldr551) Follow and Connect with John:  LinkedIn (https://www.linkedin.com/in/johnlhubbard/)
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from SANS Institute · SANS Institute · 0 of 60

← Previous Next →
1 SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS Institute
2 SANS Institute Cybersecurity Training Customer Stories
SANS Institute Cybersecurity Training Customer Stories
SANS Institute
3 SANS Institute UK Cyber Academy
SANS Institute UK Cyber Academy
SANS Institute
4 SANS Institute UK Cyber Academy
SANS Institute UK Cyber Academy
SANS Institute
5 CISSP® Prep Exam, MGT414, by SANS Institute
CISSP® Prep Exam, MGT414, by SANS Institute
SANS Institute
6 SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute
7 Information Security Training from SANS Institute - Student Testimonials
Information Security Training from SANS Institute - Student Testimonials
SANS Institute
8 SANS NetWars
SANS NetWars
SANS Institute
9 SANS DFIR NetWars
SANS DFIR NetWars
SANS Institute
10 Hack The Drone - SANS Cyber Academy UK
Hack The Drone - SANS Cyber Academy UK
SANS Institute
11 SANS VetSuccess Immersion Academy
SANS VetSuccess Immersion Academy
SANS Institute
12 SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Institute
13 The 2015 SANS Holiday Hack Challenge
The 2015 SANS Holiday Hack Challenge
SANS Institute
14 SANS VetSuccess Academy: Hands-on Skills
SANS VetSuccess Academy: Hands-on Skills
SANS Institute
15 SANS VetSuccess Academy Overview
SANS VetSuccess Academy Overview
SANS Institute
16 SANS ICS Security Summit & Training 2017
SANS ICS Security Summit & Training 2017
SANS Institute
17 Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
SANS Institute
18 WannaCry recap, patches, and analysis
WannaCry recap, patches, and analysis
SANS Institute
19 If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
SANS Institute
20 Graduation Day - SANS HM Gov Cyber Retraining Academy
Graduation Day - SANS HM Gov Cyber Retraining Academy
SANS Institute
21 Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
SANS Institute
22 SANS Data Breach Summit & Training 2017
SANS Data Breach Summit & Training 2017
SANS Institute
23 SANS Secure DevOps Summit & Training 2017
SANS Secure DevOps Summit & Training 2017
SANS Institute
24 How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
SANS Institute
25 SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Institute
26 SANS Cybersecurity Programs for the Department of Defense
SANS Cybersecurity Programs for the Department of Defense
SANS Institute
27 SANS Pen Test HackFest Summit & Training 2017
SANS Pen Test HackFest Summit & Training 2017
SANS Institute
28 SANS SIEM & Tactical Analytics Summit & Training
SANS SIEM & Tactical Analytics Summit & Training
SANS Institute
29 If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
SANS Institute
30 SANS Institute
SANS Institute
SANS Institute
31 ICS515: ICS Active Defense and Incident Response
ICS515: ICS Active Defense and Incident Response
SANS Institute
32 SANS Institute
SANS Institute
SANS Institute
33 Introducing the NEW SANS Pen Test Poster
Introducing the NEW SANS Pen Test Poster
SANS Institute
34 SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute
35 SANS ICS Security Training, Munich, Germany
SANS ICS Security Training, Munich, Germany
SANS Institute
36 SANS Automotive Summit Webcast
SANS Automotive Summit Webcast
SANS Institute
37 Privesc Playground - SANS Pen Test HackFest Summit 2017
Privesc Playground - SANS Pen Test HackFest Summit 2017
SANS Institute
38 Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
SANS Institute
39 Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
SANS Institute
40 SANS Security Operations Summit & Training 2018
SANS Security Operations Summit & Training 2018
SANS Institute
41 Sh*t Happens!  (But You Still Need to Drink the Water) – SANS ICS Summit 2018
Sh*t Happens! (But You Still Need to Drink the Water) – SANS ICS Summit 2018
SANS Institute
42 ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
SANS Institute
43 You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
SANS Institute
44 A Sneak Peak at the New ICS410
A Sneak Peak at the New ICS410
SANS Institute
45 Jumping Air Gaps – SANS ICS Summit 2018
Jumping Air Gaps – SANS ICS Summit 2018
SANS Institute
46 Introduction to Linux
Introduction to Linux
SANS Institute
47 Introduction to Malware Analysis
Introduction to Malware Analysis
SANS Institute
48 You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
SANS Institute
49 Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
SANS Institute
50 Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
SANS Institute
51 Apples and Oranges?:  A CompariSIEM – SANS Security Operations Summit 2018
Apples and Oranges?: A CompariSIEM – SANS Security Operations Summit 2018
SANS Institute
52 SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Institute
53 SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Institute
54 The Science of Security: The Psychological Impacts of Security Awareness Programs
The Science of Security: The Psychological Impacts of Security Awareness Programs
SANS Institute
55 How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
SANS Institute
56 Practical Advice for Submitting to Speak at a Cybersecurity Conference
Practical Advice for Submitting to Speak at a Cybersecurity Conference
SANS Institute
57 SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Institute
58 SANS Webcast - Zero Trust Architecture
SANS Webcast - Zero Trust Architecture
SANS Institute
59 SANS STX Cyber Range
SANS STX Cyber Range
SANS Institute
60 Part 1 – SANS Institute and Tenable talk about cloud security
Part 1 – SANS Institute and Tenable talk about cloud security
SANS Institute

This video discusses the importance of tool selection and workflow support for security analysts, covering topics like SIEM and threat intelligence, and providing resources for further learning.

Key Takeaways
  1. Identify key tools for security operations
  2. Evaluate tool effectiveness
  3. Implement workflow support
  4. Automate security tasks
  5. Continuously monitor and improve
💡 The right tool choice can significantly impact the efficiency and stress levels of security analysts

Related Reads

Up next
Why AI Coding Agents Are a Hidden Security Risk Nobody Talks About
IMH | AI & Tech
Watch →