SESSION ID: LAB2-W02
Put the Analysis Back in Your SOC!
Kristy Westphal, VP, CSIRT, MUFG Union Bank
#RSAC

Disclaimer
• The views, opinions, and material presented by Kristy Westphal at this conference are solely based on her experience and opinions related to incident response.
• The content of this presentation does not reflect the views or opinions of MUFG Union Bank.

Why am I here?
Information security leader specializing in security assessments, operational risk and program development
Security is painful all around; hopefully I can help
Let’s share knowledge and make it less painful for all of us!

Agenda
Why we need to train in-house
Ignorance and the importance of analysis (the techniques)
Lots and lots of practice
– Log analysis
– Network forensics
– Endpoint forensics
– A quick side journey to cloud incident response
– Putting it all together
How to go back and do this (starting right away)

Why train in-house?
How well do you sleep at night?
If you asked your analysts what they do, what would they say?
– And how happy are they doing it?
How long did it take you to fill your last open role?
– Let’s take it upon ourselves to up the game of existing employees
– And to train good people to become cyber security analysts
Improve the security posture of your organization by putting the analysis back in your SOC!

Poll the audience
How would you rate your SOC's analysis skills today? (LAB2-W02)
A. Low
B. Medium
C. High
https://rsa1live.eventbase.com/polls?event=rsa2020&session=1997652731

How do we do that?
This class is about how to approach analysis techniques
Not about how to use tools or hack stuff
– We need to teach thinking, not hacking
It’s all about understanding what you’ve found
And most importantly, how to teach it to others

Think about this…
“Ignorance is the absence of fact, understanding, insight, or clarity about something.” – Firestein
It is very difficult to find a black cat in a dark room—especially when there is no cat.
Analysis is like solving a mystery…

"I was trained as a physicist, and in physics we're always trying to figure out how the world works," he explained. "But you have to ask the right questions. You have to investigate things. You always have to be willing to question your assumptions. DDoS defense is very similar. You can't just look at the attacks you're getting. You have to be more proactive and try to attract more attacks and take some risks." – Damian Menscher

This never happens
Multiple lockouts from the same source
– Happens to be a development server
No response from owner
– No one wants to claim ownership
Ticket closed as ‘uses vaulted credentials; associate and close’
– Really? Did anyone check?

Let’s talk about Target (yes, again)
“Predicting or targeting some specific advance is less useful than aiming for deeper understanding.” – Firestein
Ouch!

Wanna Cry?
But you know what the most interesting thing is?
“We might even go a step further and recognize that there are unknowable unknowns—things that we cannot know due to some inherent and implacable limitation.” – Firestein

Analysis Paralysis
What justifies good analysis?
Context
Accepting that you don’t know everything
Understanding there is more than one way to analyze something
A little humility…

Traditional analysis techniques
Qualitative vs. quantitative
We are generally trying to solve problems
– Mind maps
– Ishikawa diagram (cause and effect diagram)
– Five forces (could be twisted to security analysis)
– TOC (Theory of Constraints)
– CPM (Critical Path Method)
These are great, but maybe not how to approach technical analysis
– So we turn to data analysis (yes, Big Data too)

How do you like to do analysis?
Spreadsheets? Text searches? Trend graphs? Data lakes?
Did you say “reading log files?”

Think about a task you are given - how do you analyze it?
You put together a timeline/project plan
You work diligently to achieve it
Yet the steps you originally map out never end up completed like you originally planned
– Oftentimes, the end result isn’t what was originally asked for either

Poll the audience
Where are the gaps in skill sets in your SOC? (LAB2-W02)
A. Network
B. Operating System
C. Security Controls
https://rsa1live.eventbase.com/polls?event=rsa2020&session=1997652731

Maybe a little process
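The “This never happens” slide above (repeated lockouts from an unowned development server, closed as “uses vaulted credentials” without anyone checking) is the kind of triage that analysis is supposed to replace. The script below is an added illustration, not material from the presentation or from MUFG Union Bank: it checks the closure reason against evidence instead of accepting it. All data in it is constructed (hypothetical hosts buildbox02 and devsrv01, accounts svc_build, svc_deploy and jsmith, and a toy vault audit log and asset inventory). A lockout is treated as consistent with a stale vaulted credential only when the vault actually rotated that account shortly before the lockout and the source host is a registered consumer of the account; any source with unexplained lockouts or no registered owner is sent back for investigation rather than closed.

```python
"""Lockout triage: verify a 'uses vaulted credentials' closure against evidence.

Added example with constructed data; not code from the presentation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data (hypothetical hosts, accounts and times) ---------
# Account lockout events from the authentication logs: (timestamp, account, source_host)
LOCKOUTS = [
    ("2020-02-24 02:10:00", "svc_build", "buildbox02"),
    ("2020-02-24 02:25:00", "svc_build", "buildbox02"),
    ("2020-02-24 03:00:00", "svc_deploy", "devsrv01"),
    ("2020-02-24 03:05:00", "svc_deploy", "devsrv01"),
    ("2020-02-24 03:07:00", "svc_deploy", "devsrv01"),
    ("2020-02-24 03:30:00", "jsmith", "devsrv01"),   # human account, never vaulted
]
# Credential-vault audit data: which hosts are registered consumers of each
# vaulted account, and when the vault last rotated the account's password.
VAULT_CONSUMERS = {"svc_build": {"buildbox02"}, "svc_deploy": {"devsrv01"}}
VAULT_ROTATIONS = {"svc_build": "2020-02-24 01:00:00"}
# Asset inventory: environment and owner of each source host (None = unowned).
INVENTORY = {
    "buildbox02": {"env": "build", "owner": "ci-team"},
    "devsrv01": {"env": "development", "owner": None},
}

# How long after a rotation a cached old password plausibly keeps failing.
ROTATION_WINDOW = timedelta(hours=24)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def explained_by_vault(ts, account, host):
    """True only if the host is a registered consumer of the account AND the
    vault rotated that account's password within ROTATION_WINDOW before ts.
    That is the evidence the 'uses vaulted credentials' closure implies."""
    if host not in VAULT_CONSUMERS.get(account, set()):
        return False
    rotated = VAULT_ROTATIONS.get(account)
    if rotated is None:
        return False
    delta = ts - parse_ts(rotated)
    return timedelta(0) <= delta <= ROTATION_WINDOW


def triage(lockouts=LOCKOUTS, inventory=INVENTORY):
    """Group lockouts by source host and decide per host whether the vault
    explanation holds. Returns a dict of findings keyed by source host."""
    by_source = defaultdict(list)
    for ts, account, host in lockouts:
        by_source[host].append((parse_ts(ts), account))

    findings = {}
    for host, events in by_source.items():
        explained = sum(explained_by_vault(ts, acct, host) for ts, acct in events)
        unexplained = len(events) - explained
        asset = inventory.get(host, {"env": "unknown", "owner": None})
        reasons = []
        if unexplained:
            reasons.append(f"{unexplained} lockout(s) not explained by a vault rotation")
        if asset["owner"] is None:
            reasons.append("no registered owner for source host")
        findings[host] = {
            "lockouts": len(events),
            "accounts": sorted({acct for _, acct in events}),
            "env": asset["env"],
            "owner": asset["owner"],
            "explained": explained,
            "unexplained": unexplained,
            # Close only when every lockout is evidenced AND someone owns the box.
            "verdict": "investigate" if reasons else "close",
            "reasons": reasons,
        }
    return findings


if __name__ == "__main__":
    for host, finding in triage().items():
        print(f"{host:12} {finding['verdict']:12} {finding['reasons']}")
```

With the constructed data, buildbox02 closes legitimately (both svc_build lockouts follow a rotation an hour earlier on a registered consumer with an owner), while devsrv01 is sent back: svc_deploy was never rotated, jsmith is not a vaulted account at all, and nobody owns the host. The point is the shape of the check, not the specific fields: a closure reason is a hypothesis, and the analyst’s job is to find the log entries that confirm or refute it.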

PDF document: 2020_USA20_LAB2-W02_01_Put-the-Analysis-Back-in-Your-SOC
