Future of SOC: More Security, Less Operations
Dr. Anton Chuvakin
Office of the CISO, Google Cloud
March 2024
https://medium.com/anton-on-security
https://cloud.withgoogle.com/cloudsecurity/podcast/
Inspiration!
[In 2024] “you can’t “ops” your way to SOC success, but you can “dev” your way there”
-- Dr. Anton Chuvakin (source: “Kill SOC Toil, Do SOC Eng” blog)
So, which lessons does your SOC need? Operations excellence or development success?
Outline
● SOC, a reminder
● Do we have to SOC, really?
● SOC automation: the ultimate in “easier said than done”
● SOC or “SOC”?
○ Do we have to engineer anything?
● AI will come and save us… right? RIGHT?
● Recommendations
SOC, SecOps, Security Operations Reminder
“A security operations center provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities.” – Gartner
A Classic SOC View!
SOC is first a TEAM. Next a PROCESS. And it uses TECHNOLOGY too.
2003 or 2023? Sec Ops is Ripe for Transformation
● “We don’t have enough skilled engineers to make everything work”
● “Our processes are too manual, we are too slow to respond to and remediate threats”
● “We struggle to build effective detection and have too many false positives/negatives”
● “We can’t store and analyze all data, resulting in blindspots”
● “It takes too long to investigate alerts”
● “It’s cost prohibitive to ingest all the data we need”
This is What 20+ Years of Progress Look Like! :-(
Organizations were notified of breaches by external entities in 63% of incidents (Mandiant M-Trends 2023)
Know anybody who does not have those problems?
Yeah, that’s us :-)
You think you want to know just how Google does Detection and Response?
WARNING FOR THOSE VIEWING ON SLIDESHARE: NEXT SLIDE IS SKIPPED
Your SOC DNA?
● 1990s NOC and Help Center
● Security Engineering Team
Secret 1: Why There is No Door that Says “SOC” at Google?
It is because of the letter “O”… just like “IT Operations” → SRE
Q: Would you rather write threat detection rules in Python or in Go?
A: Eh…. no?
SRE, DevOps and Modern IT
Google D&R vs Enterprise “SecOps”
Problem / What does Google do? / What do most enterprises do?
Efficiency
  Google: Automation/SRE is a mindset – part of the hiring process, part of OKRs, and performance reviews
  Most enterprises: Experimenting with SOAR; full adoption is tough due to minimal automation culture
Employee shortage
  Google: Requires coding interviews, attracts the best, invests in growth
  Most enterprises: Hires traditional roles, no coding, outsources, less growth, more stress
Employee burnout
  Google: 40/40/20 between engineering, operations, and learning
  Most enterprises: Utilization is almost always >100%
Expensive
  Google: Investment in efficiency solves for human costs
  Most enterprises: Cost-prohibitive data ingestion, oftentimes paying for SIEM and DIY, increasing cost from complexity
Efficacy
  Google: Intel strongly embedded in D&R, mostly utilized towards proactive work, strong collaboration across teams, and benefits from developer hygiene
  Most enterprises: CTI team produces great reports, SOC consistently doing fire drills, >90% false positive rate, uneven distribution of skill (Tier 3)
Autonomic Modern Security Operations Principles
Should:
1. Eliminate toil
2. Embrace change
3. Strive for continuous improvement
4. Bridge all siloes
5. Use service level objectives
6. Avoid hero mentality
7. Aim for simplicity
Should not:
1. Increase overall tooling footprint
2. Restrict hiring to top professionals
3. Require an engineering-only culture
4. Aim for only incremental gain
Key activities to reduce toil
Reduce toil:
1. Create an automation queue
2. Implement blameless postmortems
3. Conduct weekly incident reviews
4. Implement SOAR
5. Hire automation engineer(s)
6. Train your team on toil and automation
7. Implement CD/CR pipelines with metrics
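As an added example (not from the deck, and not Google's or any vendor's pipeline), here is what "Implement CD/CR pipelines with metrics" and "Use service level objectives" can look like for detection content: a release gate that replays each rule version over a labelled event corpus and blocks any rule that breaches a false-positive or recall SLO. The rule format, the two rule versions, the sample events and the SLO thresholds are constructed assumptions.

```python
"""Detection-as-code release gate: score detection rules against a labelled
event corpus and block release when a rule misses its SLO.

Constructed illustration for the "CD/CR pipelines with metrics" and
"service level objectives" points; rule format, events and thresholds are
assumptions, not any real product's implementation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    name: str
    description: str
    match: Callable[[Event], bool]


@dataclass
class RuleMetrics:
    rule: str
    true_positives: int = 0
    false_positives: int = 0
    false_negatives: int = 0

    @property
    def fp_rate(self) -> float:
        """Fraction of alerts that were false: the toil an analyst pays per rule."""
        fired = self.true_positives + self.false_positives
        return 0.0 if fired == 0 else self.false_positives / fired

    @property
    def recall(self) -> float:
        """Fraction of labelled-malicious events the rule caught."""
        relevant = self.true_positives + self.false_negatives
        return 0.0 if relevant == 0 else self.true_positives / relevant


@dataclass(frozen=True)
class SLO:
    """Release objectives a rule must meet before it reaches production."""
    max_fp_rate: float = 0.25   # at most 1 in 4 alerts may be noise
    min_recall: float = 0.9     # must catch 90% of the labelled attacks


# Constructed sample corpus: hourly failed-logon aggregates per account, each
# labelled by an analyst during an earlier investigation ("malicious"/"benign").
EVENTS: List[Event] = [
    {"user": "alice",      "outcome": "fail",    "count": "3",   "label": "benign"},
    {"user": "bob",        "outcome": "fail",    "count": "6",   "label": "benign"},
    {"user": "carol",      "outcome": "fail",    "count": "8",   "label": "benign"},
    {"user": "erin",       "outcome": "fail",    "count": "7",   "label": "benign"},
    {"user": "dave",       "outcome": "success", "count": "1",   "label": "benign"},
    {"user": "svc-backup", "outcome": "fail",    "count": "120", "label": "malicious"},
    {"user": "admin",      "outcome": "fail",    "count": "75",  "label": "malicious"},
]


def failed_logons_at_least(threshold: int) -> Callable[[Event], bool]:
    """Build a matcher that fires on a failed-logon aggregate at or above threshold."""
    return lambda e: e["outcome"] == "fail" and int(e["count"]) >= threshold


# Two versions of one rule as they would sit in a content repository:
# v1 is the first draft (noisy), v2 the tuned version submitted after review.
RULES: Dict[str, Rule] = {
    "failed_logon_burst_v1": Rule("failed_logon_burst_v1", "5+ failed logons/hour", failed_logons_at_least(5)),
    "failed_logon_burst_v2": Rule("failed_logon_burst_v2", "50+ failed logons/hour", failed_logons_at_least(50)),
}


def evaluate(rule: Rule, events: List[Event]) -> RuleMetrics:
    """Replay the labelled corpus through one rule and count TP/FP/FN."""
    m = RuleMetrics(rule.name)
    for e in events:
        fired, malicious = rule.match(e), e["label"] == "malicious"
        if fired and malicious:
            m.true_positives += 1
        elif fired:
            m.false_positives += 1
        elif malicious:
            m.false_negatives += 1
    return m


def gate(m: RuleMetrics, slo: SLO) -> List[str]:
    """Return SLO violations; an empty list means the rule may be released."""
    problems = []
    if m.fp_rate > slo.max_fp_rate:
        problems.append(f"fp_rate {m.fp_rate:.2f} > {slo.max_fp_rate}")
    if m.recall < slo.min_recall:
        problems.append(f"recall {m.recall:.2f} < {slo.min_recall}")
    return problems


def run_pipeline(rules: Dict[str, Rule], events: List[Event], slo: SLO) -> Dict[str, List[str]]:
    """The CI step: every rule in the repo is scored and gated before deploy."""
    return {name: gate(evaluate(rule, events), slo) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, problems in run_pipeline(RULES, EVENTS, SLO()).items():
        status = "RELEASE" if not problems else "BLOCKED: " + "; ".join(problems)
        print(f"{name}: {status}")
```

The same metrics, tracked per rule over time, are what turn "false positive rate" from an anecdote into an SLO the team can be measured against.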
Evolve Automation: 10X is an Underestimate!
● Analyst utilization gets optimized
● More creative work, less toil
● Time back to do more proactive work
● Deeper operationalization of intel
● SecOps can scale with the business!
Three phases of SecOps transformation
Tactical: Carries a sense of urgency and immediacy. A cautious way of saying “we’re in trouble and need an immediate fix before we go down in flames.”
Strategic: Often implies a 3-5 year vision and a roadmap for how to achieve that vision.
Transformational: A major change that completely reshapes the organization in response to, or in anticipation of, significant changes in the organization’s environment.
People, Process, Technology, Influence
Recommendations
● Model your D&R on DevOps, not best ops.
● A modern SOC is a team that “engineers” detection and response for an organization.
● Reduce toil in your SOC: shift toil to machines. Evolve automation in SIEM, SOAR, threat intel, etc.
● Magic? Relentless drive to D&R automation powered by a rapid feedback loop and an engineering-led mentality.
● AI will help change the micro game for the defenders … but not the macro game.
Resources
● WTH is Modern SOC, Part 1
● Kill SOC Toil, Do SOC Eng
● The original ASO paper (2021)
● Google/Deloitte Future SOC papers
● Detection as Code? No, Detection as COOKING!
● Cooking Intelligent Detections from Threat Intelligence (Part 6)
● EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
More Resources
● “Achieving Autonomic Security Operations: Reducing toil”
● “Achieving Autonomic Security Operations: Automation as a Force Multiplier”
● “Achieving Autonomic Security Operations: Why metrics matter (but not how you think)”
● “More SRE Lessons for SOC: Simplicity Helps Security”
● “More SRE Lessons for SOC: Release Engineering Ideas”
● EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
● SRE Books

More Related Content

Similar to Future of SOC: More Security, Less Operations

Winnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsWinnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsGene Kim
 
Operationalizing Machine Learning in the Enterprise
Operationalizing Machine Learning in the EnterpriseOperationalizing Machine Learning in the Enterprise
Operationalizing Machine Learning in the Enterprisemark madsen
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinAnton Chuvakin
 
InSource 2017 IIoT Roadshow: Evolution or Revolution
InSource 2017 IIoT Roadshow: Evolution or RevolutionInSource 2017 IIoT Roadshow: Evolution or Revolution
InSource 2017 IIoT Roadshow: Evolution or RevolutionInSource Solutions
 
Matt carroll - "Security patching system packages is fun" said no-one ever
Matt carroll - "Security patching system packages is fun" said no-one everMatt carroll - "Security patching system packages is fun" said no-one ever
Matt carroll - "Security patching system packages is fun" said no-one everDevSecCon
 
2014-10 DevOps NFi - Why it's a good idea to deploy 10 times per day v1.0
2014-10 DevOps NFi - Why it's a good idea to deploy 10 times per day v1.02014-10 DevOps NFi - Why it's a good idea to deploy 10 times per day v1.0
2014-10 DevOps NFi - Why it's a good idea to deploy 10 times per day v1.0Joakim Lindbom
 
Scaling Online Game Development
Scaling Online Game DevelopmentScaling Online Game Development
Scaling Online Game DevelopmentGameDesire Company
 
Agilelessons scanagile-final 2013
Agilelessons scanagile-final 2013Agilelessons scanagile-final 2013
Agilelessons scanagile-final 2013lokori
 
Successful Technology Implementations Transcript
Successful Technology Implementations TranscriptSuccessful Technology Implementations Transcript
Successful Technology Implementations TranscriptTom Floyd
 
Scaling Online Game Development
Scaling Online Game DevelopmentScaling Online Game Development
Scaling Online Game DevelopmentMaciej Mróz
 
I, project manager, The rise of artificial intelligence in the world of proje...
I, project manager, The rise of artificial intelligence in the world of proje...I, project manager, The rise of artificial intelligence in the world of proje...
I, project manager, The rise of artificial intelligence in the world of proje...PMILebanonChapter
 
Software Analytics = Sharing Information
Software Analytics = Sharing InformationSoftware Analytics = Sharing Information
Software Analytics = Sharing InformationThomas Zimmermann
 
Landing ai transformation_playbook
Landing ai transformation_playbookLanding ai transformation_playbook
Landing ai transformation_playbookBruno Sorice
 
Putting data science in your business a first utility feedback
Putting data science in your business a first utility feedbackPutting data science in your business a first utility feedback
Putting data science in your business a first utility feedbackPeculium Crypto
 
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps PatternsRugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps PatternsEvident.io
 
Project professionals: Ready for the future? AI and Change Management, James ...
Project professionals: Ready for the future? AI and Change Management, James ...Project professionals: Ready for the future? AI and Change Management, James ...
Project professionals: Ready for the future? AI and Change Management, James ...APMDonotuse
 
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...Burr Sutter
 
Executive Perspective Building an OT Security Program from the Top Down
Executive Perspective Building an OT Security Program from the Top DownExecutive Perspective Building an OT Security Program from the Top Down
Executive Perspective Building an OT Security Program from the Top Downaccenture
 

Similar to Future of SOC: More Security, Less Operations (20)

Winnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOpsWinnipeg ISACA Security is Dead, Rugged DevOps
Winnipeg ISACA Security is Dead, Rugged DevOps
 
Operationalizing Machine Learning in the Enterprise
Operationalizing Machine Learning in the EnterpriseOperationalizing Machine Learning in the Enterprise
Operationalizing Machine Learning in the Enterprise
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
 
Intro to ai application emeritus uob-final
Intro to ai application emeritus uob-finalIntro to ai application emeritus uob-final
Intro to ai application emeritus uob-final
 
InSource 2017 IIoT Roadshow: Evolution or Revolution
InSource 2017 IIoT Roadshow: Evolution or RevolutionInSource 2017 IIoT Roadshow: Evolution or Revolution
InSource 2017 IIoT Roadshow: Evolution or Revolution
 
Matt carroll - "Security patching system packages is fun" said no-one ever
Matt carroll - "Security patching system packages is fun" said no-one everMatt carroll - "Security patching system packages is fun" said no-one ever
Matt carroll - "Security patching system packages is fun" said no-one ever
 
2014-10 DevOps NFi - Why it's a good idea to deploy 10 times per day v1.0
2014-10 DevOps NFi - Why it's a good idea to deploy 10 times per day v1.02014-10 DevOps NFi - Why it's a good idea to deploy 10 times per day v1.0
2014-10 DevOps NFi - Why it's a good idea to deploy 10 times per day v1.0
 
Scaling Online Game Development
Scaling Online Game DevelopmentScaling Online Game Development
Scaling Online Game Development
 
Agilelessons scanagile-final 2013
Agilelessons scanagile-final 2013Agilelessons scanagile-final 2013
Agilelessons scanagile-final 2013
 
Successful Technology Implementations Transcript
Successful Technology Implementations TranscriptSuccessful Technology Implementations Transcript
Successful Technology Implementations Transcript
 
Scaling Online Game Development
Scaling Online Game DevelopmentScaling Online Game Development
Scaling Online Game Development
 
I, project manager, The rise of artificial intelligence in the world of proje...
I, project manager, The rise of artificial intelligence in the world of proje...I, project manager, The rise of artificial intelligence in the world of proje...
I, project manager, The rise of artificial intelligence in the world of proje...
 
Software Analytics = Sharing Information
Software Analytics = Sharing InformationSoftware Analytics = Sharing Information
Software Analytics = Sharing Information
 
Landing ai transformation_playbook
Landing ai transformation_playbookLanding ai transformation_playbook
Landing ai transformation_playbook
 
Putting data science in your business a first utility feedback
Putting data science in your business a first utility feedbackPutting data science in your business a first utility feedback
Putting data science in your business a first utility feedback
 
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps PatternsRugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
Rugged DevOps (eBook): 10 Ways to Start Embedding Security into DevOps Patterns
 
Demystifying ML/AI
Demystifying ML/AIDemystifying ML/AI
Demystifying ML/AI
 
Project professionals: Ready for the future? AI and Change Management, James ...
Project professionals: Ready for the future? AI and Change Management, James ...Project professionals: Ready for the future? AI and Change Management, James ...
Project professionals: Ready for the future? AI and Change Management, James ...
 
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran...
 
Executive Perspective Building an OT Security Program from the Top Down
Executive Perspective Building an OT Security Program from the Top DownExecutive Perspective Building an OT Security Program from the Top Down
Executive Perspective Building an OT Security Program from the Top Down
 

More from Anton Chuvakin

SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...Anton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothAnton Chuvakin
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022Anton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020  Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020  Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC Anton Chuvakin
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020Anton Chuvakin
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton Chuvakin
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)Anton Chuvakin
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinLog management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinAnton Chuvakin
 
On Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinOn Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinMaking Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinAnton Chuvakin
 
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS  by Dr. Anton ChuvakinPCI 2.0 What's Next for PCI DSS  by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...Anton Chuvakin
 

More from Anton Chuvakin (20)

SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020  Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020  Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinLog management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
 
On Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinOn Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinMaking Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
 
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS  by Dr. Anton ChuvakinPCI 2.0 What's Next for PCI DSS  by Dr. Anton Chuvakin
PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin
 
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Recently uploaded (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
presentation ICT roal in 21st century education

Future of SOC: More Security, Less Operations

  • 13. Q: Would you rather write threat detection rules in Python or in Go? A: Eh…. no?
  • 14. SRE, DevOps and Modern IT
  • 16. Google D&R vs Enterprise “SecOps”
    Problem / What does Google do? / What do most enterprises do?
    ● Efficiency
      ○ Google: Automation/SRE is a mindset – part of the hiring process, part of OKRs, and performance reviews
      ○ Most enterprises: Experimenting with SOAR, full adoption is tough due to minimal automation culture
    ● Employee Shortage
      ○ Google: Requires coding interviews, attracts the best, invests in growth
      ○ Most enterprises: Hires traditional roles, no coding, outsources, less growth, more stress
    ● Employee Burnout
      ○ Google: 40/40/20 between eng, operations, and learning
      ○ Most enterprises: Utilization is almost always >100%
    ● Expensive
      ○ Google: Investment in efficiency solves for human costs
      ○ Most enterprises: Cost-prohibitive data ingestion, oftentimes paying SIEM and DIY, increasing cost from complexity
    ● Efficacy
      ○ Google: Intel strongly embedded in D&R, mostly utilized towards proactive work, strong collaboration across teams & benefits from developer hygiene
      ○ Most enterprises: CTI team produces great reports, SOC consistently doing fire drills, >90% false positive rate, uneven distribution of skill (Tier 3)
  • 17. Autonomic Modern Security Operations Principles
    Should:
    1. Eliminate toil
    2. Embrace change
    3. Strive for continuous improvement
    4. Bridge all siloes
    5. Use service level objectives
    6. Avoid hero mentality
    7. Aim for simplicity
    Should not:
    1. Increase overall tooling footprint
    2. Restrict hiring to top professionals
    3. Require an engineering-only culture
    4. Aim for only incremental gain
  • 18. Principle 1, Reduce toil: key activities to reduce toil
    ● Create an automation queue
    ● Implement blameless postmortems
    ● Conduct weekly incident reviews
    ● Implement SOAR
    ● Hire automation engineer(s)
    ● Train your team on toil and automation
    ● Implement CD/CR pipelines with metrics
  • 19. Evolve Automation: 10X is an Underestimate!
    ● Analyst utilization gets optimized
    ● More creative work, less toil
    ● Time back to do more proactive work
    ● Deeper operationalization of intel
    ● SecOps can scale with the business!
  • 20. Three phases of SecOps transformation (figure axes: People, Process, Technology, Influence)
    ● Tactical: Carries a sense of urgency and immediacy. A cautious way of saying “we’re in trouble and need an immediate fix before we go down in flames.”
    ● Strategic: Often implies a 3-5 year vision and a roadmap for how to achieve that vision.
    ● Transformational: A major change that completely reshapes the organization in response to, or in anticipation of, significant changes in the organization’s environment.
  • 21. Recommendations
    ● Model your D&R on DevOps, not best ops.
    ● A modern SOC is a team that “engineers” detection and response for an organization.
    ● Reduce toil in your SOC: shift toil to machines. Evolve automation in SIEM, SOAR, threat intel, etc.
    ● Magic? Relentless drive to D&R automation powered by a rapid feedback loop and an engineering-led mentality.
    ● AI will help change the micro game for the defenders … but not the macro game.
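What “engineering” detection with CD/CR pipelines, metrics and a service level objective (slides 17, 18 and 21) can look like in code, as an added example that is hypothetical and not from the deck or from Google's D&R tooling: each rule is data with a named owner and a true-positive sample, and a pipeline gate replays it against a constructed, analyst-labelled corpus and enforces a false-positive-rate SLO before it ships. The rule names, the corpus, the command-line placeholders and the 25% SLO are all assumptions.

```python
# Added example, not from the deck: a detection-as-code CD gate. Rules are data with
# an owner and a true-positive sample; the gate replays them against a constructed,
# analyst-labelled corpus and enforces a false-positive-rate SLO before deployment.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    owner: str              # named engineer accountable for the rule
    pattern: str            # regex over a process command line
    true_positives: tuple   # sample events the rule must keep catching


# Constructed corpus of (command line, analyst verdict); placeholders, not real payloads.
CORPUS = (
    ("powershell.exe -NoProfile -enc <constructed-base64>", True),
    ("powershell.exe -EncodedCommand <constructed-base64>", True),
    ("powershell.exe -NoProfile Get-Process", False),
    ("cmd.exe /c dir C:\\temp", False),
)
SAMPLE = ("powershell.exe -enc <constructed-base64>",)
NOISY = Rule("ps-any", "alice", r"powershell", SAMPLE)                  # fires on all PowerShell
TUNED = Rule("ps-encoded", "alice", r"powershell\.exe\s.*-enc", SAMPLE)  # only encoded commands


def false_positive_rate(rule, corpus):
    """Share of the rule's alerts that analysts labelled benign (the SLO metric)."""
    rx = re.compile(rule.pattern, re.IGNORECASE)
    hits = [bad for cmd, bad in corpus if rx.search(cmd)]
    return 1.0 if not hits else hits.count(False) / len(hits)  # never fires -> all noise


def gate(rule, corpus=CORPUS, max_fp_rate=0.25):
    """CD gate: metadata lint, regression replay of true positives, then FP-rate SLO.
    Returns (deployable, list of problems)."""
    if not rule.owner or not rule.true_positives:
        return False, ["rule needs an owner and at least one true-positive sample"]
    try:
        rx = re.compile(rule.pattern, re.IGNORECASE)
    except re.error as exc:
        return False, [f"bad regex: {exc}"]
    missed = [s for s in rule.true_positives if not rx.search(s)]
    if missed:
        return False, [f"regression: sample no longer matched: {s}" for s in missed]
    fpr = false_positive_rate(rule, corpus)
    if fpr > max_fp_rate:
        return False, [f"false-positive rate {fpr:.2f} exceeds SLO {max_fp_rate}"]
    return True, []
```

Against this corpus the broad rule alerts on benign admin activity one time in three and is blocked by the gate, while the tuned rule passes with no false positives; the same gate catches an unowned rule, a regex that does not compile, and a rule that stopped matching its own sample.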
  • 22. Resources
    ● WTH is Modern SOC, Part 1
    ● Kill SOC Toil, Do SOC Eng
    ● The original ASO paper (2021)
    ● Google/Deloitte Future SOC papers
    ● Detection as Code? No, Detection as COOKING!
    ● Cooking Intelligent Detections from Threat Intelligence (Part 6)
    ● EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
  • 23. More Resources
    ● “Achieving Autonomic Security Operations: Reducing toil”
    ● “Achieving Autonomic Security Operations: Automation as a Force Multiplier”
    ● “Achieving Autonomic Security Operations: Why metrics matter (but not how you think)”
    ● “More SRE Lessons for SOC: Simplicity Helps Security”
    ● “More SRE Lessons for SOC: Release Engineering Ideas”
    ● EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
    ● SRE Books