
  • Did you know that you can be part of the lucrative cyber security industry?

  • Even top companies like Google, Microsoft, Amazon, IBM, Facebook, and Dell all hire cyber security professionals.

  • The cyber security industry has a 0% unemployment rate.

  • The average salary for an entry level cyber security job is about $100,000 per year in the United States.

  • Furthermore, you don't need to know coding, you can learn from your home, and you get a scholarship to kick start your career.

  • Apply now.

  • EC Council is pledging a $3.5 million CCT scholarship for cyber security career starters.

  • Scan the QR code on the screen to apply for the scholarship.

  • Fill out the form.

  • Hello everyone, and welcome to today's session, Effective SOC Management and Incident Response.

  • I'm Shilpa Goswami, and I'll be your host for the day.

  • Before we get started, we would like to go over a few house rules.

  • For our attendees, the session will be in listen-only mode and will last for an hour, out of which the last 10 minutes will be dedicated to Q&A.

  • If you have any questions during the webinar to organizers or our speaker, use the Q&A window.

  • Also, if you face any audio or video challenges, please check your internet connections or you may log out and log in again.

  • An important announcement for our audience.

  • As a commitment to closing the cyber security workforce gap by creating multi-domain cyber technicians, EC Council pledges $3.5 million towards CCT education and certification scholarship to certify approximately 10,000 cyber professionals ready to contribute to the industry.

  • If you want to know more, kindly visit our website given in the chat section.

  • Also, we would like to announce to audiences about the special handouts.

  • Take a screenshot of the running webinar and post it on your social media, LinkedIn or Twitter, tagging EC Council with the hashtag CyberTalks.

  • We will share free handouts with the first 15 audience members.

  • Our speaker for today's session is Randy Thomas.

  • He is responsible for the SOC security product development, which includes detection as code, DFIR, incident command, vulnerability management, threat intelligence-driven security operations, threat hunting, and offensive security at Syntex, a leading managed cloud provider.

  • He has over 21 years of experience in enterprise cyber security in a wide range of environments, including the US military and intelligence, commercial e-com, retail, and the MSP and MSSP markets.

  • He leverages his combined 28 plus years of enterprise IT experience and 18 years of experience in DevOps, DevSecOps, SOC, security engineering, and software development to deliver high quality security products and solutions.

  • Without any further delay, I will hand over the session to you, Randy.

  • Thank you, Shilpa.

  • Good day, everyone.

  • Thank you for taking this time to join the webinar, either live or later recorded.

  • Today, we're going to talk about management and leadership in security operations.

  • As with all things cyber security, it is iterative and you're always learning, regardless of your role and position inside of a SOC.

  • An overview of what we're going to discuss: we're going to talk about what a SOC is, and that varies.

  • What are the business cases that you're using to defend your organization?

  • What's the role of a leader?

  • How do you plan and organize your team?

  • Give an example and talk through a threat intelligence driven SOC lifecycle, something that can be done regardless of your maturity.

  • Go into some measures of effectiveness so you can know where you're at and know where you're going.

  • And give an example of iterative growth of a SOC.

  • And this is from a personnel progression, personnel growth standpoint.

  • And then have some further research for those of you who are interested, who either are in a leadership position or are interested in it, or just want to know how leaders in operations think.

  • So I've seen SOCs that have been everything from a SIEM tool in an IT shop of one person to actually being responsible for not only the security operations, but the digital forensics, incident response, the threat intelligence work, the hunt work, building cyber threat intelligence products, offensive security, vulnerability management, SIEM operation, and maybe engineering.

  • And likewise for EDR and other platforms.

  • In my background, I've had to do the extremes there.

  • So it comes across.

  • So understanding what your responsibilities are is very important.

  • So another area that you want to look at as a security operations leader is at some point to create a charter and write down your roles, your responsibilities, and really the limits of what the SOC can do.

  • And that can cover a lot of things, and you want that to be an iterative and a learning or a living document, and not just let it sit on a shelf.

  • It should be something you come back and look at, whether it be during exercises or during actual incidents.

  • And it should be communicated across your organization with IT, with legal, with corporate communications, what have you.

  • These are important.

  • They help reduce ambiguity where it exists, because as a security operations professional, you will deal with lots of ambiguity, lots of events that you cannot plan for.

  • So when you can plan and can organize, do yourself and your team a favor and do that.

  • And that always is something you iterate on.

  • It's never stagnant, never stale.

  • So again, wherever we can, being proactive, being responsive is very important.

  • Be intentional where you can.

  • As a leader, it's important when you give directions and intent that you are not changing that constantly.

  • You have a good path.

  • You have a good plan.

  • Obviously, you have to be able to adapt.

  • We'll talk more about the OODA loop later, you know, observe, orient, decide, and act.

  • That is a helpful tool in the process.

  • It's also important to either, one, establish, or two, take what is there and curate it so you look at your responsibilities, your roles.

  • A RACI matrix is a very good way to do that.

  • It would go across your organization.

  • If you're in the MSP, Managed Service Provider, or MSSP, Managed Security Service Provider, space, such as Syntax is, we have to have those with each of our customers.

  • That way, it's understood.

  • You also should build workflows that are accurate and reflect not only the RACI, but how that actually works in practice.

  • It's very important that you take these things in mind and you always have the iterative life cycle development process.

  • Everything you do affects other aspects of the organization.

  • You know, think of it as throwing a boulder in a pond and the ripples in the water.

  • So, you have to be intentional about what you do.

  • Train how we fight.

  • Use exercises.

  • Definitely do tabletop exercises, TTXs.

  • Also, highly recommend operational exercises in the environment.

  • Do OPEXs and do them often.

  • Internal to start with, internal to SOC, you know, expand it to security engineering if there is a security engineering organization.

  • Expand it from there.

  • Include aspects of your enterprise IT.

  • That could be different departments, different divisions, and then look at doing it with customers as well, especially if you have customer environments, particularly in MSSPs, where there are split roles and responsibilities across not only the customer, but inside the SOC as an MSSP as well.

  • Okay.

  • A SOC is going to be in an organization that already exists.

  • The organization does what the organization does.

  • Perhaps it's an e-commerce company and they sell retail products online.

  • Perhaps there's a mix with brick and mortar as well.

  • Perhaps you're a governmental organization, what have you.

  • That exists.

  • So, you need to understand things such as what are the business cases for the SOC.

  • You have to focus in and understand where the SOC fits in the larger organization.

  • It's also important to build and, again, curate an understanding of crown jewels.

  • It's often called a crown jewels analysis.

  • It's exactly what it sounds like.

  • These are the top 10, the top 100 important things to the organization.

  • Again, to go back to what's why, this is what the organization is doing.

  • That typically would include not just technical, but personnel aspects as well.

  • If you've been in the industry for long, most breaches tend to occur via email; business email compromise, or BEC, is a huge, huge vector.

  • What are some of the aspects of that?

  • Not only do you get the supply chain side attacks that are becoming more common, you also have the old but good attacks on invoice and wire fraud.

  • So, your finance department could be a CFO.

  • So, all of these people, your C-suite, your board, you have your HR department.

  • We're out of, in the U.S., income tax season.

  • That's also an issue as well with W-2 fraud, for instance, things like that.

  • You want to identify those, not just the identity and access management, IAM, pieces, which, of course, you want to include, you know, endpoint detection and response, EDR, things such as that.

  • Boundary protection is fine.

  • That's not a panacea, of course.

  • Hence, other technologies such as zero trust network access, ZTNA, coming about.

  • So, you leverage this work you do as a leader putting this together to prioritize what you work on, whether it's adding new capabilities to the SOC, such as detection engineering, or how you respond.

  • And this deserves mentioning because, unfortunately, I've been in environments that have done this.

  • You can only actually have one number one priority.

  • You cannot have A through Z.

  • You cannot have 26 number one priorities.

  • You need to make choices.

  • The resources are always limited.

  • Doesn't matter if you have a budget of $20,000 U.S. or $20 million.

  • You have severe limitations on what is achievable.

  • Also, some aspects to consider in a more holistic manner are words have meanings.

  • So, anything the SOC gets in from systems that are instrumenting, such as a SIEM or other tools, is an event.

  • The event came in potentially based upon an alert or as an informational feed.

  • So, the SOC has to determine whether it's manual or with automation, hopefully the latter.

  • That's a growth area, right?

  • You have to build contextual reference and relevance to the event.

  • What does that mean?

  • If you're in the retail space, for instance, or hospitality, your enemy number one is threat actors such as FinCET.

  • This is how they act.

  • These are their tools, techniques, and procedures, their TTPs.

  • So, you look for things like that.

  • So, once something comes in as an event, the SOC, whether manually or automatically, either clears the event, the alert, or it's elevated to be a probable incident.

  • Thus comes into play your incident handling process, which, if you don't have one, you definitely should make.

  • There's plenty of references.

  • I have some at the end we can go over.

  • And one other point of note, particularly in more mature organizations, they will have an information technology information library, ITIL, based IT service management process.

  • Those define incidents at the ITSM level.

  • That is not necessarily a security incident that comes in as an event and/or an alert to the SOC.

  • In the SOC, we then, therefore, have to process that.
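The event, alert and incident vocabulary above, written out as a small triage step. This is an added illustration and not code from the webinar or from the speaker's organisation; the crown-jewel asset names, actor labels (ACTOR-A, ACTOR-B) and sample events are constructed, while the ATT&CK technique IDs are real.

```python
from dataclasses import dataclass
from typing import Iterable

# Hypothetical crown-jewels analysis output: the assets whose compromise matters most.
CROWN_JEWELS = {"finance-wire-01", "pos-gateway-02", "hr-payroll-03"}

# Constructed intel: ATT&CK techniques attributed to the actors this (hypothetical
# retail/hospitality) organisation has ranked as its top threats.
PRIORITY_ACTOR_TTPS = {
    "T1566.001": "ACTOR-A",  # spearphishing attachment
    "T1059.001": "ACTOR-A",  # PowerShell execution
    "T1021.001": "ACTOR-B",  # lateral movement over RDP
}

@dataclass(frozen=True)
class Event:
    source: str          # instrumenting system: "siem", "edr", "itsm", ...
    host: str
    technique: str = ""  # ATT&CK technique the detection maps to, "" if none

@dataclass(frozen=True)
class Verdict:
    status: str          # "cleared" or "probable_incident"
    priority: int        # 1 = highest; a batch should yield only one number-one item
    reason: str

def triage(event: Event) -> Verdict:
    """Add contextual relevance to an event, then clear it or elevate it."""
    actor = PRIORITY_ACTOR_TTPS.get(event.technique)
    on_jewel = event.host in CROWN_JEWELS
    if not event.technique:
        # ITSM tickets and feeds with no mapped technique are events to the SOC,
        # not security incidents; they are kept only as hunting context.
        return Verdict("cleared", 99, f"{event.source} event without a mapped TTP")
    if actor and on_jewel:
        return Verdict("probable_incident", 1, f"{actor} TTP {event.technique} on crown jewel {event.host}")
    if actor:
        return Verdict("probable_incident", 2, f"{actor} TTP {event.technique} on {event.host}")
    if on_jewel:
        return Verdict("probable_incident", 3, f"unattributed TTP {event.technique} on crown jewel {event.host}")
    return Verdict("cleared", 99, f"TTP {event.technique} outside prioritised actors and assets")

def rank_incidents(events: Iterable[Event]) -> list[tuple[Event, Verdict]]:
    """Return probable incidents best-first so the SOC works a single number-one priority."""
    scored = [(e, triage(e)) for e in events]
    incidents = [pair for pair in scored if pair[1].status == "probable_incident"]
    return sorted(incidents, key=lambda pair: pair[1].priority)

# Constructed sample events: one ITSM ticket, three SIEM/EDR detections on ordinary and crown-jewel hosts.
SAMPLE_EVENTS = [
    Event("itsm", "print-server-07"),
    Event("siem", "web-proxy-01", "T1059.001"),
    Event("edr", "finance-wire-01", "T1566.001"),
    Event("siem", "laptop-142", "T1021.001"),
    Event("edr", "hr-payroll-03", "T1486"),
]

if __name__ == "__main__":
    for event, verdict in rank_incidents(SAMPLE_EVENTS):
        print(verdict.priority, verdict.status, verdict.reason)
```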

  • Okay, being a SOC leader, we can manage our processes, manage our metrics, we can manage our timesheets and expense reports.

  • When you're managing people, in my view, you've got some challenges to work through.

  • So, leadership is important.

  • Again, as I mentioned earlier, from a resource standpoint, it's always limited.

  • You must be pragmatic.

  • You cannot, nor should you really want to, solve 100% of anything, because between when you start that process and when you finish it, some period of time passes.

  • There's periodicity in there.

  • And the threat landscape typically evolves.

  • So, whether it's cyber hygiene or full coverage, that can always be a challenge.

  • Now, obviously, full coverage of something like EDR, of other advanced authentication mechanisms such as MFA or other tools such as CyberArk, most certainly, those should be employed.

  • But you want close to 100% coverage.

  • That's not, of course, the intent of the discussion point there.

  • But understand that it's always evolving.

  • We always have to iterate.

  • So, as a leader in a SOC, when everything else is on fire and chaos abounds, because that's what a SOC has to deal with, right?

  • We deal with challenges from our customers, whether they're internal or external or both.

  • So, be calm, be consistent, do your best, learn; you know, the sixth step in your six phases of incident response is your lessons learned, your after-action report, as many of us like to call it.

  • So, get better afterwards.

  • And again, everything we do has consequences, ripples in the pond, as I said.

  • As a leader, it's particularly important for you to either learn or continue to hone soft skills.

  • So, interpersonal communication is huge.

  • Body language is a huge part of that, even in