Security Operations Cloud vs On Prem
SOC for Cloud Native Companies
Vikas Yadav
A little bit about myself
Current: CISO at Nykaa
Prior: CISO, Max Life
MTech IIT Kharagpur, CISSP, CCSK
Military Veteran
Outside Work
Sports - Tennis, Golf, Trekking
Reading
Online Courses
Love Travelling
Agenda
1. Need for a SOC
2. What is a SOC
3. Security Operations - Cyber Hygiene
4. SOC Essential Components
5. SOC Maturity
6. Modern SOC
7. SOC for Cloud Environments
Need for a SOC
● Security roadmap item no. 3 - our consultant told us.
● FOMO - everyone has one.
● Tick in the box - regulatory requirement.
○ GDPR mandates breach notification within 72 hours; CERT-In's 2022 directions require incident reporting within 6 hours.
● Prevention is not enough - incident detection and response help you respond and recover faster.
What are you trying to solve?
● Business problems
○ Fraud
○ Data leakage
○ Ransomware
● Technical challenges / security gaps
○ Need to detect cyber attacks in a timely manner
○ Correlate alerts coming from different sources
● Process issues
○ Too many disparate security solutions
○ No coordinated way to detect and prevent attacks
Security operations vs log aggregation
1. Do you monitor events and logs?
2. Do you correlate and add context to detect a breach or attack?
3. Do you perform investigations to understand root cause and mitigate impact?
4. Do you coordinate with IT / DevOps to address the breach?
5. Do you seek external help - an incident response firm?
6. Do you inform senior management?
7. Do you take remedial action and document lessons learned?
What is a SOC?
A SOC is a team primarily composed of security analysts organized to detect,
analyze, respond to, report on, and prevent cybersecurity incidents.
A SOC is traditionally a physical facility within an organization, which houses an
information security team. This team analyzes and monitors the organization’s
security systems. The SOC’s mission is to protect the company from security
breaches by identifying, analyzing, and reacting to cybersecurity threats.
A security operations center (SOC) can be defined both as a team, often operating in
shifts around the clock, and a facility dedicated to and organized to prevent, detect,
assess and respond to cybersecurity threats and incidents, and to fulfill and
assess regulatory compliance.
SOC Maturity Curve
Essential components of a SOC
No. | Component | Purpose | Sample gaps
1 | People - SOC staff | Monitor alerts, triage, respond, recover (not merely raise a ticket) | No designated person or structure
2 | SOC processes | Simple and effective; playbooks defined | No processes defined; no one looking at alerts; no ticketing system
3 | Tech stack | AV/EDR, SWG, firewalls; SIEM for logging and correlation; SOAR for automation | Inadequate logging; not centralised
4 | Data sources | Logs; a central solution (SIEM or log management) | No SIEM; automation
5 | Threat intel | IOCs; intelligence feeds | No threat intel; no intelligence feeds
6 | Use cases | Detect and prevent attacks | Use-case relevance
SOC Maturity Model
Source: Gorka Sadowski Medium Article - New-soc-maturity-model-based-on-outcomes
Modern SOC - Outcome Based
Source: Gorka Sadowski Medium Article - New-soc-maturity-model-based-on-outcomes
Security Operations in Cloud
SOC for Cloud environments
How do things change in the cloud?
1. People
a. Conventional SOC analysts do not understand cloud
b. Need people with new skill sets
2. Technology
a. Threat model changes - you do not own the infrastructure (shared responsibility with the provider)
b. Multi-cloud environments and SaaS applications
c. Log volume increases exponentially (web systems)
d. Egress costs for shipping logs out of the cloud
e. Uncommon log collection methods (API- and service-based rather than agent/syslog)
3. Processes
a. Easier to automate
b. Conventional slow processes may not work with the DevOps team
4. Advantages
a. Lots of controls out of the box - native security controls
b. AWS GuardDuty, AWS Detective
Suggested strategies
1. Prioritise visibility
2. Leverage new tools
a. CASB - Cloud Access Security Broker
b. CSPM - Cloud Security Posture Management
3. Leverage native controls
a. ML-based detection - AWS GuardDuty / AWS Detective
4. Prefer cloud-native SIEMs (egress cost!)
a. Google Chronicle / Sumo Logic / Elastic
b. Microsoft Sentinel
5. Partner with DevOps
a. More agile and skilled than conventional IT
b. Lateral hiring
Leveraging Native Services - AWS Example
Source : https://www.sans.org/webcasts/enhance-efficiency-soc-aws-cloud-112950/
AWS Workflow Example (diagram: SIEM solution)
Source : https://www.sans.org/webcasts/enhance-efficiency-soc-aws-cloud-112950/
Way forward
A suggested roadmap
1. Have basic cyber hygiene in place - CIS Critical Controls
a. Asset inventory, patching, EDR/AV, DLP, SWG
b. Enable cloud-native controls
2. SOC fundamentals
a. Know your data sources and build your use cases
b. Decide your model - hybrid, in-house or outsourced
c. Define KPIs for testing the effectiveness of the SOC
3. Evaluation and selection
a. Set up an open-source security logging and monitoring stack first
b. Do a POC before deciding on your SIEM solution and SOC partner
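Roadmap steps 2a and 2c (know your data sources, build your use cases, define KPIs) and the earlier "correlate and add context" question, in working form. This is an added example, not code from the slides or from any vendor: the events are constructed sample records shaped like a subset of CloudTrail fields (eventName, userIdentity, additionalEventData.MFAUsed, responseElements), and the use case, the 15-minute window and the time-to-detect KPI are illustrative choices, not anything the deck prescribes.

```python
"""Added example: one cloud SOC use case over CloudTrail-shaped events,
with context attached at alert time and a time-to-detect KPI.
All events below are constructed sample data, not real AWS logs."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (subset of CloudTrail record fields).
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T10:00:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T10:04:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2024-03-01T10:06:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-01T11:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-03-01T11:35:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "bob"}},
]

# Illustrative choice: IAM actions that grant persistence or privilege.
PRIVILEGE_EVENTS = {"CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
                    "CreateUser", "UpdateAssumeRolePolicy"}
WINDOW = timedelta(minutes=15)  # illustrative correlation window


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def actor(ev):
    """Principal identity string used as the correlation key."""
    ui = ev.get("userIdentity", {})
    return f'{ui.get("type", "?")}:{ui.get("userName") or ui.get("arn", "?")}'


def detect_login_without_mfa_then_privilege(events, window=WINDOW):
    """Use case: a successful console login without MFA followed within
    `window` by a privilege/persistence action from the same principal.
    Returns alerts that carry the context an analyst needs for triage."""
    events = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    weak_logins = defaultdict(list)  # actor -> [(login time, source IP)]
    alerts = []
    for ev in events:
        t = parse_time(ev["eventTime"])
        who = actor(ev)
        if ev["eventName"] == "ConsoleLogin":
            mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            success = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            if success and not mfa:
                weak_logins[who].append((t, ev["sourceIPAddress"]))
        elif ev["eventName"] in PRIVILEGE_EVENTS:
            for login_t, login_ip in weak_logins[who]:
                if timedelta(0) <= t - login_t <= window:
                    alerts.append({
                        "use_case": "login_without_mfa_then_privilege_change",
                        "actor": who,
                        "login_ip": login_ip,
                        "action_ip": ev["sourceIPAddress"],
                        "action": ev["eventName"],
                        "target": ev.get("requestParameters", {}),
                        "first_seen": login_t.isoformat(),
                        "detected_at": t.isoformat(),
                        # KPI input: seconds from first suspicious event to alert
                        "time_to_detect_s": int((t - login_t).total_seconds()),
                    })
                    break
    return alerts


def kpi_mean_time_to_detect(alerts):
    """Mean time-to-detect across alerts, or None when there are no alerts."""
    if not alerts:
        return None
    return sum(a["time_to_detect_s"] for a in alerts) / len(alerts)


if __name__ == "__main__":
    found = detect_login_without_mfa_then_privilege(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("mean time to detect (s):", kpi_mean_time_to_detect(found))
```

On the sample data this raises two alerts for alice (the key creation and the policy attachment after her non-MFA login) and none for bob, whose login used MFA. The alert carries actor, both source IPs, the target of the action and the timeline, which is the "context" the earlier checklist asks for; the same per-alert timing feeds a mean-time-to-detect KPI, one of the SOC effectiveness measures the roadmap calls for.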
Thanks
SIEM - the holy grail?
1. Can you set up a SOC without it?
2. Log management and correlation
3. What about SOC automation?
4. Can it take all log sources, or do you need to build custom parsers?
5. How will you control the log volume?
6. Or will you price yourself out of your allocated budget / bandwidth?
7. SaaS or self-hosted (on-prem vs cloud)
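Questions 4 and 5 above (custom parsers, controlling log volume before the SIEM bills or the egress meter runs) as an added example that is not from the slides: a parser for a hypothetical pipe-delimited application log and a pre-ingestion policy that keeps authentication failures, errors and admin actions in full, drops health-check noise, and samples routine successful requests per source IP. The log format, its field names, the sample lines and the policy thresholds are all constructed for this example.

```python
"""Added example: custom log parser plus a volume-control policy that never
samples security-relevant events. Format, fields and lines are constructed."""
import re
from collections import Counter

# Constructed: a hypothetical 'key=value|key=value' application log.
# The last line is deliberately malformed to show the parser failing safely.
SAMPLE_LOG = """\
ts=2024-03-01T10:00:00Z|src=203.0.113.7|user=alice|action=login|result=fail|path=/login|status=401
ts=2024-03-01T10:00:01Z|src=203.0.113.7|user=alice|action=login|result=fail|path=/login|status=401
ts=2024-03-01T10:00:02Z|src=10.0.1.5|user=-|action=get|result=ok|path=/healthz|status=200
ts=2024-03-01T10:00:03Z|src=10.0.1.6|user=-|action=get|result=ok|path=/healthz|status=200
ts=2024-03-01T10:00:04Z|src=198.51.100.9|user=bob|action=get|result=ok|path=/products/1|status=200
ts=2024-03-01T10:00:05Z|src=198.51.100.9|user=bob|action=get|result=ok|path=/products/2|status=200
ts=2024-03-01T10:00:06Z|src=198.51.100.9|user=bob|action=get|result=ok|path=/products/3|status=200
ts=2024-03-01T10:00:07Z|src=198.51.100.9|user=bob|action=get|result=ok|path=/products/4|status=200
ts=2024-03-01T10:00:08Z|src=203.0.113.7|user=alice|action=admin.role_change|result=ok|path=/admin/users/7|status=200
ts=2024-03-01T10:00:09Z|src=203.0.113.7|user=alice|action=login|result=ok|path=/login|status=200
this line is malformed and must not crash the pipeline
"""

FIELD_RE = re.compile(r"^(\w+)=(.*)$")
REQUIRED = ("ts", "src", "user", "action", "result", "path", "status")
NOISE_PATHS = {"/healthz", "/ping"}  # illustrative: health-check endpoints
SAMPLE_EVERY = 2                     # illustrative: keep 1 in N routine events per source


def parse_line(line):
    """Parse one record; return a dict, or None if malformed or incomplete."""
    rec = {}
    for part in line.strip().split("|"):
        m = FIELD_RE.match(part)
        if not m:
            return None
        rec[m.group(1)] = m.group(2)
    if any(k not in rec for k in REQUIRED):
        return None
    try:
        rec["status"] = int(rec["status"])
    except ValueError:
        return None
    return rec


class VolumePolicy:
    """Decide, per record, whether it is shipped to the SIEM."""

    def __init__(self, sample_every=SAMPLE_EVERY):
        self.sample_every = sample_every
        self.routine_seen = Counter()  # per-source counter for deterministic sampling

    def decide(self, rec):
        """Return (keep, reason). Security-relevant events are never sampled."""
        if rec["result"] != "ok" or rec["status"] >= 400:
            return True, "failure_or_error"
        if rec["action"] == "login" or rec["action"].startswith("admin."):
            return True, "security_relevant_action"
        if rec["path"] in NOISE_PATHS:
            return False, "noise_path"
        n = self.routine_seen[rec["src"]]
        self.routine_seen[rec["src"]] += 1
        return n % self.sample_every == 0, "routine_sampled"


def process(log_text, policy=None):
    """Run parse + policy over raw lines; return (kept_records, stats)."""
    policy = policy or VolumePolicy()
    kept, stats = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            stats["malformed"] += 1  # count it: a parser gap is a visibility gap
            continue
        stats["parsed"] += 1
        keep, reason = policy.decide(rec)
        stats[("kept:" if keep else "dropped:") + reason] += 1
        if keep:
            kept.append(rec)
    summary = dict(stats)
    summary["kept_total"] = len(kept)
    parsed = summary.get("parsed", 0)
    summary["reduction_pct"] = round(100.0 * (parsed - len(kept)) / parsed, 1) if parsed else 0.0
    return kept, summary


if __name__ == "__main__":
    records, report = process(SAMPLE_LOG)
    for k, v in sorted(report.items()):
        print(f"{k}: {v}")
```

Of the ten well-formed lines, six are shipped (both failed logins, the admin action, the successful login and two of bob's four routine requests) and four are dropped, a 40% reduction before any egress or per-GB SIEM charge applies, with the malformed line counted rather than silently lost. The ordering of the checks is the point: failures, errors and sensitive actions are decided before the noise and sampling rules, so a failing health check or an attacker's request to a sampled path can never be thinned away.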
Value add-ons
1. UEBA - User and Entity Behavior Analytics
2. SOAR - SOC automation
3. Add-ons
a. Brand monitoring
b. Dark web monitoring
c. EDR - this alone can cover many of your use cases
d. XDR - needs to mature
Top questions
1. Model
a. In-house, completely outsourced, or hybrid
2. Which SIEM solution?
a. SaaS vs deployed
b. Open source vs commercial
3. How do you get budget?
4. How will you show its ROI?
a. Solve business problems
b. Meet compliance mandates
5. How will it enhance your security capability?
a. Detect and prevent cyber attacks
Key factors in building a SOC
Cost - never infinite
Timeline - 3-6 months
Maturity - 6-12 months; the better you plan, the more you reduce this duration
ROI - difficult to measure and show, BUT essential to demonstrate
People with the right attitude and skill sets
Right partner - MSP or consultant
References
1. Gorka Sadowski, "Demystifying the SOC" (Medium article series); part 5, the outcome-based SOC maturity model: https://gorkasadowski.medium.com/demystifying-the-soc-part-5-the-new-soc-maturity-model-based-on-outcomes-7746402130e0
2. MITRE Corporation, "Ten Strategies of a World-Class Cybersecurity Operations Center"
3. https://www.cisoplatform.com/profiles/blogs/evolving-soc-to-cloud-detections
4. https://blogs.gartner.com/pete-shoard/use-the-gartner-soc-hit-model/
5. https://www.exabeam.com/security-operations-center/security-operations-center-a-quick-start-guide/
6. https://www.sans.org/webcasts/enhance-efficiency-soc-aws-cloud-112950/
