An Ode to Cybersecurity
In digital realms where secrets dwell, cyber guardians stand without fear
Vigilance unyielding and purpose clear
When breaches occur, they arise to analyze forensic and clues
Tracing digital footprints, seeking the source
Thwarting the adversary’s remorseless course.
So here’s to the defenders, the silent brigade
Their battle fought in the binary shade
They stand as our shield, night and day.
- Copilot with prompting/editing by Mark Simos
The No BS SOC
Mark Simos
Lead Cybersecurity Architect, Microsoft
Zero Trust Architecture Co-Chair, The Open Group
Author, ZeroTrustPlaybook.com
aka.ms/MarksList
Agenda – the No BS SOC
• Who is this dude? Where does this come from?
• Where does the SOC BS come from?
• SecOps Antipatterns – Common mistakes across SOCs
• What does good look like? Mission, Success Factors, & Metrics
• Challenges – Continuously Changing Threats & Risk of Burnout
• How is AI changing SecOps?
• Story of a SOC - How SecOps Teams, Careers, and Skills Grow
• Call To Action: Stay Focused on What Matters!
About the Chef
Author, Zero Trust Playbook
ZeroTrustPlaybook.com
aka.ms/MarksList
Zero Trust Architecture Co-Chair
The Open Group
Lead Cybersecurity Architect
Microsoft
Mark Simos
Security Adoption Framework (SAF)
Zero Trust security modernization rapidly reduces organizational risk
SAF Brings Clarity to Security
Enables security execution by connecting and organizing security problems, solutions, and models
Security topics shown on the slide: Artificial Intelligence (AI); Security Metrics; Information Protection / Data Security; PAWs; DLP; Ransomware; Business Email Compromise (BEC); OT & IoT Security; Firmware threats; Incident Response; SecOps/SOC; Nation State / APTs; PIM/PAM; Beyond VPN / Security Service Edge (SSE); Cloud Security & CSPM/CNAPP; Social Engineering; Supply Chain Risk Management; Botnets; Dark Markets / Criminal Forums; Vulnerability Management; Threat Hunting / Detection Engineering; Hybrid Cloud; Identity is the ‘new perimeter’; CASB; Firewalls & WAFs; XDR + SIEM; SD-WAN / Software Defined Perimeter; Board Reporting / Align Security to Business Risk; Governance/Risk/Compliance (GRC); Network + Identity Convergence; IDaM; Security Education & Awareness; BYOD Security; Phishing; App Security & DevSecOps; Lateral Movement; DDoS; Insider Risk; Threat Intelligence (Data & Discipline); Patch Management; Machine Learning (ML); SASE; Incident Management; MFA; SSO; Endpoint Security; Red/Purple Teams & Penetration Testing
Microsoft products shown: Copilot, Defender, Sentinel, Purview, Intune, Entra
End to End Zero Trust Architecture – Security Adoption Framework (SAF)
Zero Trust security modernization rapidly reduces organizational risk
Audiences: Business Leadership (CEO, CISO); Technical Leadership (CIO); Implementation (Architects & Technical Managers)
Layers: Business and Security Integration; Security Strategy, Programs, and Epics; Architecture and Policy; Technical Planning; Implementation and Operation
Workshops available in Microsoft Unified:
• Security Strategy and Program
• CISO Workshop – Engaging Business Leaders on Security
• Securing Digital Transformation
• Secure Identities and Access
• Modern Security Operations (SecOps/SOC)
• Infrastructure & Development Security
• Data Security & Governance
• IoT and OT Security
• Microsoft Cybersecurity Reference Architectures (MCRA) – Coordinated & integrated end-to-end security across the ‘hybrid of everything’ (on-prem, multi-cloud, IoT, OT, etc.); includes Reference Plans
Technical Capabilities Implementation: Security Capability Adoption Planning (SCAP) > Technology Implementation & Optimization
Where does the SOC BS come from?
Common BS
• Too high level (not actionable)
• Too low level (too technical/specific)
• Vendor Biased
• Outdated or Just Plain Wrong
Contain nuggets of wisdom, but they are buried in poop
‘Silver Bullet’ Mindset
Believing a single solution could magically 100% solve a complex problem
➢ Making/believing an absolute claim
➢ Waiting for a perfect solution
➢ Lack of lifecycle thinking
Technology-Centric Thinking
Believing security is about technology instead of protecting an organization’s business assets
➢ Ignoring burnout, collaboration, training, etc.
➢ Expecting tools to solve people/process problems
Adversaries have a goal and a plan. Do you?
Money
At some point the adversary has to do something anomalous… You have to spot that and quickly react to it.
Mean Time To Acknowledge (MTTA)
Mean Time To Remediate (MTTR)
Mission
Reduce organizational risk by limiting the attacker dwell time (how long attackers can access business assets) through rapid detection and response.
Security Operations
Key Cultural Elements
• Mission Alignment
• Continuous Learning
• Teamwork
Key Measurements
• Attacker Dwell Time – via Mean Time to Remediate (MTTR)
• Responsiveness/Capacity – Mean Time to Acknowledge (MTTA)
Metrics should never be punitive
Attackers have a vote too!
Partner for Success
SecOps requires strong relationships and processes to help architects and engineers block preventable attacks (which otherwise flood SecOps)
What Matters in Security Operations?
Minutes Matter – rapidly detecting and evicting attackers will limit damage and risk to your organization
• People matter – Human judgement is critical. Continuous learning is required to keep up with technology, processes, and attack techniques.
• Process matters – clarity and execution across internal and external teams is required for accuracy, impact, and speed.
• Technology matters – Simplify and automate common tasks to reduce frustration/burnout and keep people focused where needed most.
• Intelligence matters – to provide current context for people and tools
Teamwork matters! – Collaboration across individuals & teams is critical to success!
Microsoft CDOC is main source of best practices
Best practices and recommendations are directly sourced from Microsoft’s Cyber Defense Operations Center (CDOC) or validated against current practices.
Common Security Operations (SecOps/SOC) antipatterns
Common mistakes impede SecOps effectiveness and increase burnout
Best practice – Develop and implement a Security Operations (SecOps/SOC) strategy focused on clear outcomes across people, process, and technology
This workshop includes references to help you define and rapidly improve:
• Mission and Metrics
• Organizational Functions and Teams (including use cases and scenarios)
• Business and Technical processes
• SOC Architecture, Tooling, and Integration
• Skill education and enablement
• Automation Strategy
• Data strategy
Toolapalooza! – Buying many tools without integration forces analysts into swivel chair analytics mode
Shiny Object Syndrome – Prioritizing “cool” advanced scenarios/tools before critical basic outcomes and controls
Collection is not Detection – Focusing on collecting data instead of finding and removing adversary access
One tool to rule them all – False belief that a single tool solves all problems (SIEM, EDR, or other)
‘Network is only source of truth’ – False belief that you only need network data to detect and investigate attacks
Not invented here – Focusing on custom solutions and queries instead of established commercial tooling
Implementation without requirements
Recommended SecOps Metrics
Metric                                                 Target        Why it matters
Dwell Time: Mean Time to Remediate (MTTR)              <## hours     Direct organizational risk (attacker dwell time)
Responsiveness: Mean Time to Acknowledge (MTTA)        <## minutes   Direct organizational risk
Caseload: # Cases Handled by each team                 Tracking      Analyst capacity (for actual caseload); understand impact on human analysts
Automation: # of Cases processed by SOAR               Tracking      SOAR effectiveness
Detection Fidelity: % True Positive + Benign Positive  >##%          Detection Noisiness/Quality (how reliable are tools)
SecOps Platform Availability: % of uptime              >##%          How reliable are tools
Case Resolution: Case volume by resolution             –             General view of trends
Each metric is reported with a Status column and its Current & Previous Months values.
Track Trends to understand changes from
• Adversaries & Threats
• SecOps investments (detections, tools, process improvements, training, staffing levels, etc.)
Metrics should never be punitive
Attackers have a vote too!
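As an added example that is not part of the slides, the script below computes the metrics from the table above (MTTA, MTTR, caseload per team, SOAR automation rate, detection fidelity, case volume by resolution) from case-management records and compares the current month against the previous one. The Case schema, team names, timestamps and target thresholds are all constructed for illustration; a real SOC would pull the records from its case-management or SIEM API and substitute the targets its leadership agreed on for the slide's "<## hours" placeholders.

```python
# Added example (not from the slides): computing the "Recommended SecOps Metrics"
# from case-management records. The Case schema, team names, timestamps and
# targets below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Case:
    case_id: str
    team: str
    created: str                 # ISO 8601 timestamp when the detection raised the case
    acknowledged: Optional[str]  # when an analyst (or SOAR) first picked it up
    remediated: Optional[str]    # when attacker access was removed; None if still open
    resolution: str              # "true_positive", "benign_positive" or "false_positive"
    handled_by_soar: bool        # fully processed by automation, no analyst time


def _minutes(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def mtta_minutes(cases):
    """Responsiveness/Capacity: mean minutes from case creation to acknowledgement."""
    acked = [c for c in cases if c.acknowledged]
    return mean(_minutes(c.created, c.acknowledged) for c in acked) if acked else float("nan")


def mttr_hours(cases):
    """Attacker dwell time proxy: mean hours from creation to remediation.
    Only closed cases count; open cases are reported separately, because their
    dwell time is still growing and silently dropping them flatters the number."""
    closed = [c for c in cases if c.remediated]
    return mean(_minutes(c.created, c.remediated) / 60 for c in closed) if closed else float("nan")


def open_case_count(cases):
    return sum(1 for c in cases if c.remediated is None)


def caseload_by_team(cases):
    """Caseload: number of cases handled by each team (analyst capacity view)."""
    return dict(Counter(c.team for c in cases))


def soar_automation_rate(cases):
    """Automation: share of cases fully processed by SOAR."""
    return sum(c.handled_by_soar for c in cases) / len(cases)


def detection_fidelity(cases):
    """Detection Fidelity: share of cases that were true or benign positives."""
    return sum(c.resolution in ("true_positive", "benign_positive") for c in cases) / len(cases)


def case_volume_by_resolution(cases):
    return dict(Counter(c.resolution for c in cases))


def metrics_report(cases, targets):
    """Build the slide's table: value, target and pass/fail status per metric.
    `targets` maps metric name to (comparison, threshold); None means 'Tracking'."""
    values = {
        "mttr_hours": mttr_hours(cases),
        "mtta_minutes": mtta_minutes(cases),
        "soar_automation_rate": soar_automation_rate(cases),
        "detection_fidelity": detection_fidelity(cases),
    }
    report = {}
    for name, value in values.items():
        op, threshold = targets.get(name, (None, None))
        status = value < threshold if op == "<" else value > threshold if op == ">" else None
        report[name] = {"value": round(value, 3), "target": threshold, "meets_target": status}
    report["caseload_by_team"] = caseload_by_team(cases)
    report["open_cases"] = open_case_count(cases)
    report["case_volume_by_resolution"] = case_volume_by_resolution(cases)
    return report


def month_over_month(previous, current):
    """Track trends: change in each headline metric versus the previous month."""
    trend = {}
    for name, fn in (("mtta_minutes", mtta_minutes), ("mttr_hours", mttr_hours),
                     ("detection_fidelity", detection_fidelity),
                     ("soar_automation_rate", soar_automation_rate)):
        prev, cur = fn(previous), fn(current)
        trend[name] = {"previous": round(prev, 3), "current": round(cur, 3), "delta": round(cur - prev, 3)}
    return trend


# Constructed sample data: two months of cases from a small SOC.
PREVIOUS_MONTH = [
    Case("C-0901", "triage", "2024-02-01T08:00:00", "2024-02-01T08:20:00", "2024-02-01T20:00:00", "true_positive", False),
    Case("C-0902", "triage", "2024-02-02T08:00:00", "2024-02-02T08:10:00", "2024-02-02T08:40:00", "false_positive", False),
    Case("C-0903", "investigation", "2024-02-03T08:00:00", "2024-02-03T08:30:00", "2024-02-04T08:00:00", "true_positive", False),
]
CURRENT_MONTH = [
    Case("C-1001", "triage", "2024-03-01T08:00:00", "2024-03-01T08:10:00", "2024-03-01T12:00:00", "true_positive", False),
    Case("C-1002", "triage", "2024-03-02T09:00:00", "2024-03-02T09:05:00", "2024-03-02T09:30:00", "benign_positive", True),
    Case("C-1003", "investigation", "2024-03-03T22:00:00", "2024-03-03T22:30:00", "2024-03-04T06:00:00", "true_positive", False),
    Case("C-1004", "triage", "2024-03-04T10:00:00", "2024-03-04T10:03:00", "2024-03-04T10:15:00", "false_positive", True),
    Case("C-1005", "investigation", "2024-03-05T14:00:00", "2024-03-05T14:12:00", None, "true_positive", False),  # still open
]
# Placeholder targets standing in for the slide's "<## hours" / "<## minutes" / ">##%".
TARGETS = {"mttr_hours": ("<", 4.0), "mtta_minutes": ("<", 15.0),
           "detection_fidelity": (">", 0.75), "soar_automation_rate": (None, None)}

if __name__ == "__main__":
    import json
    print(json.dumps(metrics_report(CURRENT_MONTH, TARGETS), indent=2))
    print(json.dumps(month_over_month(PREVIOUS_MONTH, CURRENT_MONTH), indent=2))
```

The open-case count sits next to MTTR on purpose: an MTTR computed only over closed cases drops exactly the incidents where dwell time is still accumulating, so the two numbers should always be read together. The month-over-month deltas are what the "Track Trends" callout asks for; the report itself carries no per-analyst figures, in line with the slide's rule that metrics are never punitive.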
Evolution of threats and security analyst priorities
Major changes (timeline):
• Democratization of Credential Theft Tooling (~2008)
• Encrypting Ransomware (~2013)
• [Human Operated] ‘Big Game’ Ransomware (~2019)
Commodity attacks – nuisance ransomware (per machine); commodity players re-sell access to ransomware/extortion operators
Ransomware/Extortion attacks
Advanced attacks – Few/rare targets (High R&D Cost); increasing prevalence of advanced tools; including Nation States and other ‘advanced persistent threats (APTs)’
Current Priorities: the slide ranks these attack categories 1–3 by analyst response priority
Ruthlessly prioritize: Every incident is important, but urgency will vary
The passion that drives greatness can also cause burnout
Address each source of fatigue that leads to burnout and attrition
Protecting the organization
Doing Other People’s Jobs – doing tasks that require different skillsets
Schedule time for rest, learning, & self-care
Establish and integrate supporting roles:
• Implement and maintain tools (Security Engineers)
• Analyze/report on defense improvements (Architects)
• Manage & Coordinate Incidents (Incident Management)
• Research attacks and other questions (Threat Intelligence)
• Scan and report on vulnerabilities (Posture Management)
Wasted Effort – on false positives & repetitive manual tasks
Improve Tooling and Processes:
• Filter out low-quality detections (requires hunting over them)
• Automation & Advanced Analytics (using SOAR, UEBA, and ML/AI)
• Integrated Threat Intelligence to enrich, filter, and prioritize detections
No recognition – for hard work, skills, and contributions
Exhaustion – non-stop investigation and eviction of attackers
Document & celebrate wins
Managers burn out too!
Prioritize ruthlessly – what is critical vs. what to ignore!
The Role of Artificial Intelligence (AI) in SecOps
Machine Learning is already revolutionizing SecOps
Technology integrated into XDR and SIEM is enabling data analysis and anomaly detection over mountains of data
Generative AI will change how SecOps works & learns
Generative AI enables a natural language computer interface that simplifies usage of complex systems and speeds up learning new skills
Top Microsoft Security Copilot scenarios
Incident response capabilities are top priority (combines Generative AI and Security-specific ML/AI capabilities)
Evolution of Computer Interfaces
Progressively becoming more natural/native human models
From Native Computer to Native Human:
• Direct programming
• Command Prompt
• Graphical User Interface (GUI)
• Generative AI Chat/Conversation
Axes on the slide: Skills and learning required to become productive; Ability (and speed) to accomplish advanced tasks
Security Copilot Priority Use Cases
• Impact Analysis – Summarize the impact of an incident to enable better reporting and planning prioritization of mitigations against future attacks.
• Guided Incident response – Surface an ongoing incident, assess its scale, and get instructions to begin remediation based on proven tactics from real-world security incidents.
• Discover whether your organization is susceptible to known vulnerabilities and exploits. Prioritize risks and address vulnerabilities with guided recommendations.
• Reverse engineering of scripts
• Incident Summarization – Summarize any event, incident, or threat in seconds and prepare the information in a ready-to-share, customizable report for your desired audience.
Security Operations Capabilities
Align to Mission + Continuously Improve: Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
Enterprise Assets – Multiple generations of technology spanning clouds, Devices, Operating Systems, Applications, Data Formats, and more: Information & Data; Applications (SaaS, AI, legacy, DevOps, and other); Endpoint & Mobile; Identity & Access Management; OT & IoT; Platform as a Service (PaaS); Infrastructure & Apps; Network
Raw Data – Security & Activity Logs
Deep Insights – Actionable alerts derived from deep knowledge of assets and advanced analytics
Extended Detection and Response (XDR) – High quality detection for each asset + investigation and remediation capabilities
Broad Enterprise View – Correlated/Unified Incident View
Security Information and Event Management (SIEM) – Hunting + Investigation platform with Automation and Orchestration (including machine learning (ML), User/Entity Behavior Analytics (UEBA), & Security Data Lake)
Case Management – Ensure consistent workflow and measurement of success
Automation (SOAR) – reduces analyst effort/time per incident, increasing SecOps capacity
Threat Intelligence (TI) – Critical security context
API integration
Expert Assistance – Enabling analysts with scarce skills
Generative AI – Simplifies tasks and performs advanced tasks through a chat interface
Incident Response/Recovery Assistance – technical, legal, communication, and other
Managed Detection and Response – Outsourced technical functions
Analysts and Hunters – Enabling a people-centric function focused on rapid remediation of realized risk
Microsoft Reference Architecture – December 2023 – https://aka.ms/MCRA
Security Operations Modernization
Align to Mission + Continuously Improve: Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
Legend: Consulting and Escalation; Outsourcing; Native Resource Monitoring; Event Log Based Monitoring; Investigation & Proactive Hunting
Asset columns: Infrastructure & Apps; PaaS; OT & IoT; Identity & Access Management ({LDAP}); Endpoint & Mobile; Information; Applications (SaaS, AI, legacy, DevOps, and other)
Security & Network – Provide actionable security detections, raw logs, or both
Raw Data – Security & Activity Logs (Classic SIEM)
Deep Insights – Actionable detections from an XDR tool with deep knowledge of assets, AI/ML, UEBA, and SOAR
Microsoft Defender XDR – Extended Detection and Response (XDR); SOAR – Automated investigation and response (AutoIR)
• Defender for Cloud – Containers; Servers & VMs; SQL; Azure app services; Network traffic
• Defender for IoT & OT
• Defender for Identity
• Entra ID Protection
• Defender for Endpoint
• Defender for Cloud Apps
• Defender for Office 365
Broad Enterprise View – Correlated/Unified Incident View
Microsoft Sentinel – Security Incident & Event Management (SIEM); Security Orchestration, Automation, and Remediation (SOAR); Machine Learning (ML) & AI; Behavioral Analytics (UEBA); Security Data Lake; Case Management
Security Operations – SOAR reduces analyst effort/time per incident, increasing SecOps capacity
API integration
Microsoft Threat Intelligence – 65+ Trillion signals per day of security context & Human Expertise
Expert Assistance – Enabling analysts with scarce skills
Microsoft Security Copilot (Preview) – Simplifies experience for complex tasks/skills
Managed Security Operations – Microsoft Security Experts: Managed XDR; Managed threat hunting; Incident response (Formerly Detection & response team (DART))
Analysts and Hunters
Evolution and Sources of SecOps Roles
As Security Operations Grows and Matures
Legend: Smaller organizations; Large organization earlier in maturity/growth; Larger organizations (later in maturity/growth); Deep or External Specialties
Incident Response
• Triage (Tier 1) – High Volume Detections
• Investigation (Tier 2) – High Complexity Detections
• Threat Hunting & Detection Engineering (Tier 3): Threat Hunting; Detection Engineering
Purple & Red Teaming
Penetration Testing
Digital Forensics
Reverse Engineering
Incident Management
Automation & data science as dedicated roles or shared service(s)
Intelligence Professionals – Threat Intelligence
SecOps Management
Insider Risk investigation capabilities are often incubated in security operations teams
Growth Path of Security Operations
Typical stages as the team grows and matures
• Part Time – Part time analyst duties
• Small – Dedicated Team with Single Manager
• Medium – Multiple SOC Managers
• Large – 24x7 coverage; Dedicated specialized teams
Not all organizations need (or can afford) a large team
Partnership with IT Operations and other teams is critical for any size team
Building a SecOps team – Stage 1
Part-time staffing
Detection response by part-time analysts
Often seen in small organizations or early stages of building a capability
Sometimes staffed by non-security teams (IT Operations, Support, etc.)
Core Functions: Triage; Investigation; IR from single alert queue; Basic Hunting; 24x7 On Call
Tooling: XDR (Endpoint/Email/Identity + Automation); Case management; Security Information and Event Management (SIEM)
Enforce detection quality
XDR is ideal for starting out (vs. SIEM)
• Simpler to install & use (less time/expertise)
• Produces results immediately
• Includes automation (SOAR) for common tasks
Many Security Operations teams started out with SIEM because it was the only technology available at the time.
Insider Risk investigation capabilities are often incubated in security operations teams
Legend (used on each stage slide): Optional; Strongly Recommended; Mandatory; Same as Previous Stage; On Call; Multiple Shifts
Building a SecOps team – Stage 2
Full-time staff (small team)
Full time analysts performing specific roles
Core Functions: Triage; Investigation; Hunting; IR from single alert queue; Basic Hunting; 24x7 On Call; Enforce detection quality
Tooling: XDR (All Assets + Automation); Case management; Security Information & Event Management (SIEM); BI/Reporting Tools; Advanced SOAR and Analytics (AI/ML, UEBA, etc.)
Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting; Advanced Hunting
On-call rotation for 24x7 coverage
Basic hunting keeps noise out of the triage queue without missing attacks (e.g. senior analysts reviewing low fidelity detections once a day)
Advanced tooling increases process maturity as the team grows
XDR extends to all assets
Building a SecOps team – Stage 3
Full-time staff (medium team)
Full time teams focused on different functions
Core Functions: Triage; Investigation; Hunting; IR from single alert queue; Basic Hunting; Enforce detection quality; 24x7 On Call or On Shift
Tooling: XDR (All Assets); Case management; Security Information & Event Management (SIEM); BI/Reporting Tools; Advanced SOAR and Analytics (AI/ML, UEBA, etc.)
Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting; Advanced Hunting
Triage often extends to multiple shifts.
On-call rotation for managers, investigation, hunting
Define inter-team processes, metrics, tooling
Build advanced/support functions for multi-team operations
Increasing focus on advanced SOAR automation/orchestration, advanced hunting, and Detection Engineering
Building a SecOps team – Stage 4
Full-time staff (large team on shifts)
24x7 Global Operations
Core Functions: Triage; Investigation; Hunting; IR from single alert queue; Advanced Hunting; Enforce detection quality; 24x7 On Shift; 24x7 Triage Coverage
Tooling: XDR (All Assets + Automation); Case management; Security Information & Event Management (SIEM); BI/Reporting Tools; Advanced SOAR and Analytics (AI/ML, UEBA, etc.)
Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting
Dedicated BI function enables continuous improvement
Complex operations require sophisticated inter-team processes, metrics, tooling, & advanced/support functions
Stay Focused on what matters!
Minutes Matter – rapidly detecting and evicting attackers will limit damage and risk to your organization
• People matter – Human judgement is critical. Continuous learning is required to keep up with technology, processes, and attack techniques.
• Process matters – clarity and execution across internal and external teams is required for accuracy, impact, and speed.
• Technology matters – Simplify and automate common tasks to reduce frustration/burnout and keep people focused where needed most.
• Intelligence matters – to provide current context for people and tools
Teamwork matters! – Collaboration across individuals & teams is critical to success!
Microsoft CDOC is main source of best practices
Best practices and recommendations are directly sourced from Microsoft’s Cyber Defense Operations Center (CDOC) or validated against current practices.
Resources. Questions?
aka.ms/MarksList – Mark’s List ...of Cybersecurity Resources frequently sent to customers and colleagues.
ZeroTrustPlaybook.com – For all roles - Simple language and description of concepts that everyone from the board room to technologists needs to understand
▪ Zero trust overview – Security for the modern world we are in
▪ Playbook introduction – Methodology to get there and do it well
aka.ms/SAF – Security Adoption Framework (SAF) - Guides Zero Trust security modernization and business alignment using recommended initiatives

 
Why Should Organizations Consider Extended Detection and Response (XDR)?
Why Should Organizations Consider Extended Detection and Response (XDR)?Why Should Organizations Consider Extended Detection and Response (XDR)?
Why Should Organizations Consider Extended Detection and Response (XDR)?
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
The SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guideThe SIEM Buyer Guide the siem buyer guide
The SIEM Buyer Guide the siem buyer guide
 
SOC 3.0: strategic threat intelligence May 2016
SOC 3.0: strategic threat intelligence May 2016SOC 3.0: strategic threat intelligence May 2016
SOC 3.0: strategic threat intelligence May 2016
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Software Security in the Real World
Software Security in the Real WorldSoftware Security in the Real World
Software Security in the Real World
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA
 
Alienvault how to build a security operations center (on a budget) (2017, a...
Alienvault   how to build a security operations center (on a budget) (2017, a...Alienvault   how to build a security operations center (on a budget) (2017, a...
Alienvault how to build a security operations center (on a budget) (2017, a...
 
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SCCyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
Cyber Security for Non-Technical Executives (SC GMIS) Columbia, SC
 
What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019
 

Recently uploaded

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)

  • 5. Security Adoption Framework (SAF) – Zero Trust security modernization rapidly reduces organizational risk
    SAF Brings Clarity to Security: Enables security execution by connecting and organizing security problems, solutions, and models
    Topics on the slide: Artificial Intelligence (AI) Security; Metrics; Information Protection / Data Security; PAWs; DLP; Ransomware; Business Email Compromise (BEC); OT & IoT Security; Firmware threats; Incident Response; SecOps/SOC; Nation State / APTs; PIM/PAM; Beyond VPN / Security Service Edge (SSE); Cloud Security & CSPM/CNAPP; Social Engineering; Supply Chain Risk Management; Botnets; Dark Markets / Criminal Forums; Vulnerability Management; Threat Hunting / Detection Engineering; Hybrid Cloud; Identity is the ‘new perimeter’; CASB; Firewalls & WAFs; XDR + SIEM; SD-WAN / Software Defined Perimeter; Board Reporting / Align Security to Business Risk; Governance/Risk/Compliance (GRC); Network + Identity Convergence; IDaM; Security Education & Awareness; BYOD Security; Phishing; App Security & DevSecOps; Lateral Movement; DDoS; Insider Risk; Threat Intelligence (Data & Discipline); Patch Management; Machine Learning (ML); SASE; Incident Management; MFA; SSO; Endpoint Security; Red/Purple Teams & Penetration Testing
    Microsoft products on the slide: Copilot; Defender; Sentinel; Purview; Intune; Entra
  • 6. Security Adoption Framework (SAF) – Zero Trust security modernization rapidly reduces organizational risk
    Audiences: Implementation Architects & Technical Managers; CIO; Technical Leadership; CISO; Business Leadership; CEO
    Layers: Security Strategy and Program; End to End Zero Trust Architecture; Business and Security Integration; Implementation and Operation; Technical Planning; Architecture and Policy; Security Strategy, Programs, and Epics
    Workshops (available in Microsoft Unified): CISO Workshop – Engaging Business Leaders on Security; Securing Digital Transformation; Secure Identities and Access; Modern Security Operations (SecOps/SOC); Infrastructure & Development Security; Data Security & Governance; IoT and OT Security
    Microsoft Cybersecurity Reference Architectures (MCRA): Coordinated & integrated end-to-end security across the ‘hybrid of everything’ (on-prem, multi-cloud, IoT, OT, etc.); Includes Reference Plans
    Security Capability Adoption Planning (SCAP) > Technical Capabilities Implementation > Technology Implementation & Optimization
  • 7. Where does the SOC BS come from?
    Common BS:
    • Too high level (not actionable)
    • Too low level (too technical/specific)
    • Vendor Biased
    • Outdated or Just Plain Wrong
    Contain nuggets of wisdom, but they are buried in poop
    ‘Silver Bullet’ Mindset – Believing a single solution could magically 100% solve a complex problem
    ➢ Making/believing an absolute claim
    ➢ Waiting for a perfect solution
    ➢ Lack of lifecycle thinking
    Technology-Centric Thinking – Believing security is about technology instead of protecting an organization’s business assets
    ➢ Ignoring burnout, collaboration, training, etc.
    ➢ Expecting tools solve people/process problems
    Adversaries have a goal and a plan. Do you? (Money)
  • 8. Security Operations
    Mission: Reduce organizational risk by limiting the attacker dwell time (how long attackers can access business assets) through rapid detection and response.
    At some point the adversary has to do something anomalous… You have to spot that and quickly react to it
    Key Cultural Elements
    • Mission Alignment
    • Continuous Learning
    • Teamwork
    Key Measurements
    • Attacker Dwell Time – via Mean Time to Remediate (MTTR)
    • Responsiveness/Capacity – via Mean Time to Acknowledge (MTTA)
    Metrics should never be punitive. Attackers have a vote too!
    Partner for Success: SecOps requires strong relationships and processes to help architects and engineers block preventable attacks (which otherwise flood SecOps)
  • 9. What Matters in Security Operations?
    Minutes Matter – rapidly detecting and evicting attackers will limit damage and risk to your organization
    • People matter – Human judgement is critical. Continuous learning is required to keep up with technology, processes, and attack techniques.
    • Process matters – clarity and execution across internal and external teams is required for accuracy, impact, and speed.
    • Technology matters – Simplify and automate common tasks to reduce frustration/burnout and keep people focused where needed most.
    • Intelligence matters – to provide current context for people and tools
    Teamwork matters! – Collaboration across individuals & teams is critical to success!
    Microsoft CDOC is the main source of best practices: Best practices and recommendations are directly sourced from Microsoft’s Cyber Defense Operations Center (CDOC) or validated against current practices.
  • 10. Common Security Operations (SecOps/SOC) antipatterns
    Common mistakes impede SecOps effectiveness and increase burnout
    • Toolapalooza! – Buying many tools without integration forces analysts into swivel chair analytics mode
    • Shiny Object Syndrome – Prioritizing “cool” advanced scenarios/tools before critical basic outcomes and controls
    • Collection is not Detection – Focusing on collecting data instead of finding and removing adversary access
    • One tool to rule them all – False belief that a single tool solves all problems (SIEM, EDR, or other)
    • ‘Network is only source of truth’ – False belief that you only need network data to detect and investigate attacks
    • Not invented here – Focusing on custom solutions and queries instead of established commercial tooling
    • Implementation without requirements
    Best practice – Develop and implement a Security Operations (SecOps/SOC) strategy focused on clear outcomes across people, process, and technology
    This workshop includes references to help you define and rapidly improve:
    • Mission and Metrics
    • Organizational Functions and Teams (including use cases and scenarios)
    • Business and Technical processes
    • SOC Architecture, Tooling, and Integration
    • Skill education and enablement
    • Automation Strategy
    • Data strategy
  • 11. Recommended SecOps Metrics
    Track trends to understand changes from:
    • Adversaries & Threats
    • SecOps investments (detections, tools, process improvements, training, staffing levels, etc.)
    Table columns on the slide: Status | Metric | Target | Current & Previous Months
    Dwell Time: Mean Time to Remediate (MTTR) | Target <## hours | Direct organizational risk
    Responsiveness: Mean Time to Acknowledge (MTTA) | Target <## minutes | Analyst capacity (for actual caseload)
    Caseload: # Cases Handled by each team | Tracking | Understand impact on human analysts
    Automation: # of Cases processed by SOAR | Tracking | SOAR effectiveness
    Detection Fidelity: % True Positive + Benign Positive | Target >##% | Detection Noisiness/Quality
    SecOps Platform Availability: % of uptime | Target >##% | How reliable are tools
    Case Resolution: Case volume by resolution | General view of trends
    Metrics should never be punitive. Attackers have a vote too!
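The metrics table on the slide above, worked through as an added example that is not part of the talk: a small scorecard that derives MTTA, MTTR (closed-case dwell time), detection fidelity, SOAR automation rate, caseload per team and case volume by resolution from a constructed case log, trends them month over month, and compares them with illustrative targets (the slide leaves the target values as "##" placeholders; the case fields, teams and timestamps here are invented). It also reports dwell time still accruing on open cases, which a closed-case MTTR alone hides.

```python
"""SecOps scorecard for the 'Recommended SecOps Metrics' slide (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Case:
    case_id: str
    team: str
    created: datetime            # alert/case creation time
    acknowledged: datetime       # first analyst acknowledgement
    remediated: Optional[datetime]  # None while the case is still open
    resolution: str              # true_positive | benign_positive | false_positive
    automated: bool              # handled end to end by a SOAR playbook


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample case log (two months, two tiers); every value is invented.
CASES: List[Case] = [
    Case("C1", "tier1", _t("2024-03-01 09:00"), _t("2024-03-01 09:10"), _t("2024-03-01 13:00"), "true_positive", False),
    Case("C2", "tier1", _t("2024-03-02 10:00"), _t("2024-03-02 10:20"), _t("2024-03-02 11:00"), "false_positive", True),
    Case("C3", "tier2", _t("2024-03-05 08:00"), _t("2024-03-05 08:30"), _t("2024-03-06 08:00"), "true_positive", False),
    Case("C4", "tier1", _t("2024-03-10 14:00"), _t("2024-03-10 14:05"), _t("2024-03-10 15:00"), "benign_positive", True),
    Case("C5", "tier1", _t("2024-04-01 09:00"), _t("2024-04-01 09:40"), _t("2024-04-01 17:00"), "true_positive", False),
    Case("C6", "tier2", _t("2024-04-03 12:00"), _t("2024-04-03 12:50"), None, "true_positive", False),
    Case("C7", "tier1", _t("2024-04-04 08:00"), _t("2024-04-04 08:30"), _t("2024-04-04 09:00"), "false_positive", True),
]

# Illustrative targets; the slide shows them only as '<## hours', '<## minutes', '>##%'.
TARGETS = {"mtta_minutes": 30.0, "mttr_hours": 8.0, "fidelity": 0.70}


def mtta_minutes(cases: List[Case]) -> float:
    """Responsiveness/capacity: mean time from case creation to analyst acknowledgement."""
    return mean((c.acknowledged - c.created).total_seconds() / 60 for c in cases)


def mttr_hours(cases: List[Case]) -> float:
    """Dwell-time proxy: mean time from creation to remediation over closed cases only."""
    closed = [c for c in cases if c.remediated is not None]
    return mean((c.remediated - c.created).total_seconds() / 3600 for c in closed) if closed else 0.0


def open_dwell_hours(cases: List[Case], as_of: datetime) -> Dict[str, float]:
    """Dwell time still accruing on open cases; MTTR over closed cases does not show these."""
    return {c.case_id: (as_of - c.created).total_seconds() / 3600 for c in cases if c.remediated is None}


def detection_fidelity(cases: List[Case]) -> float:
    """Detection noisiness/quality: share of cases that were true or benign positives."""
    good = sum(c.resolution in ("true_positive", "benign_positive") for c in cases)
    return good / len(cases)


def automation_rate(cases: List[Case]) -> float:
    """SOAR effectiveness: share of cases processed end to end by automation."""
    return sum(c.automated for c in cases) / len(cases)


def caseload_by_team(cases: List[Case]) -> Counter:
    return Counter(c.team for c in cases)


def volume_by_resolution(cases: List[Case]) -> Counter:
    return Counter(c.resolution for c in cases)


def scorecard(cases: List[Case]) -> dict:
    """Metric values plus a status against TARGETS; 'tracking' metrics carry no target."""
    m = {
        "mtta_minutes": mtta_minutes(cases),
        "mttr_hours": mttr_hours(cases),
        "fidelity": detection_fidelity(cases),
        "automation_rate": automation_rate(cases),
        "caseload": dict(caseload_by_team(cases)),
        "by_resolution": dict(volume_by_resolution(cases)),
    }
    m["status"] = {
        "mtta_minutes": "ok" if m["mtta_minutes"] < TARGETS["mtta_minutes"] else "over target",
        "mttr_hours": "ok" if m["mttr_hours"] < TARGETS["mttr_hours"] else "over target",
        "fidelity": "ok" if m["fidelity"] > TARGETS["fidelity"] else "below target",
    }
    return m


def monthly_trend(cases: List[Case]) -> Dict[str, dict]:
    """Scorecard per creation month, so the numbers are read as a trend rather than a verdict."""
    by_month = defaultdict(list)
    for c in cases:
        by_month[c.created.strftime("%Y-%m")].append(c)
    return {month: scorecard(cs) for month, cs in sorted(by_month.items())}


if __name__ == "__main__":
    for month, card in monthly_trend(CASES).items():
        print(month, card)
    print("still open:", open_dwell_hours(CASES, _t("2024-04-05 12:00")))
```

In the constructed data April's MTTA and fidelity fall outside the targets while MTTR improves, which is the kind of movement the slide suggests reading alongside changes in threats and SecOps investments rather than as a judgement on individual analysts.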
  • 12. Evolution of threats and security analyst priorities
    Commodity attacks: nuisance ransomware (per machine); Encrypting Ransomware (~2013)
    Ransomware/Extortion attacks: Democratization of Credential Theft Tooling (~2008); [Human Operated] ‘Big Game’ Ransomware (~2019); Commodity players re-sell access to ransomware/extortion operators
    Advanced attacks: Few/rare targets (High R&D Cost); Increasing prevalence of advanced tools; Including Nation States and other ‘advanced persistent threats (APTs)’
    MAJOR CHANGES – Current Priorities (Analyst Priority / Response, ranked 1–3 on the slide across the three categories above)
    Ruthlessly prioritize: Every incident is important, but urgency will vary
  • 13. The passion that drives greatness can also cause burnout
    Protecting the organization – Address each source of fatigue that leads to burnout and attrition
    • Exhaustion – non-stop investigation and eviction of attackers → Schedule time for rest, learning, & self-care; Prioritize ruthlessly: What is critical vs. what to ignore!
    • Doing Other People’s Jobs – Doing tasks that require different skillsets → Establish and integrate supporting roles: Implement and maintain tools (Security Engineers); Analyze/report on defense improvements (Architects); Manage & Coordinate Incidents (Incident Management); Research attacks and other questions (Threat Intelligence); Scan and report on vulnerabilities (Posture Management)
    • Wasted Effort – on false positives & repetitive manual tasks → Improve Tooling and Processes: Filter out low-quality detections (requires hunting over them); Automation & Advanced Analytics (using SOAR, UEBA, and ML/AI); Integrated Threat Intelligence to enrich, filter, and prioritize detections
    • No recognition – For hard work, skills, and contributions → Document & celebrate wins
    Managers burn out too!
  • 14. The Role of Artificial Intelligence (AI) in SecOps
    Machine Learning is already revolutionizing SecOps – Technology integrated into XDR and SIEM is enabling data analysis and anomaly detection over mountains of data
    Generative AI will change how SecOps works & learns – Generative AI enables a natural language computer interface that simplifies usage of complex systems and speeds up learning new skills
    Top Microsoft Security Copilot scenarios – Incident response capabilities are top priority (combines Generative AI and Security-specific ML/AI capabilities)
  • 15. Evolution of Computer Interfaces – Progressively becoming more natural/native human models
    From Native Computer to Native Human: Direct programming; Command Prompt; Graphical User Interface (GUI); Generative AI Chat/Conversation
    Axes on the slide: Skills and learning required to become productive; Ability (and speed) to accomplish advanced tasks
  • 16. Security Copilot Priority Use Cases
    • Impact Analysis – Summarize the impact of an incident to enable better reporting and planning prioritization of mitigations against future attacks.
    • Guided Incident response – Surface an ongoing incident, assess its scale, and get instructions to begin remediation based on proven tactics from real-world security incidents.
    • Discover whether your organization is susceptible to known vulnerabilities and exploits. Prioritize risks and address vulnerabilities with guided recommendations.
    • Reverse engineering of scripts
    • Incident Summarization – Summarize any event, incident, or threat in seconds and prepare the information in a ready-to-share, customizable report for your desired audience.
  • 17. Security Operations Capabilities (December 2023 – https://aka.ms/MCRA)
    Enterprise Assets – Multiple generations of technology spanning clouds, Devices, Operating Systems, Applications, Data Formats, and more: Information & Data; Applications (SaaS, AI, legacy, DevOps, and other); Endpoint & Mobile; Identity & Access Management; OT & IoT; Platform as a Service (PaaS); Infrastructure & Apps; Network
    Raw Data – Security & Activity Logs
    Deep Insights – Actionable alerts derived from deep knowledge of assets and advanced analytics: Extended Detection and Response (XDR) – High quality detection for each asset + investigation and remediation capabilities (API integration)
    Broad Enterprise View – Correlated/Unified Incident View: Security Information and Event Management (SIEM) – Hunting + Investigation platform with Automation and Orchestration (including machine learning (ML), User/Entity Behavior Analytics (UEBA), & Security Data Lake)
    Automation (SOAR) reduces analyst effort/time per incident, increasing SecOps capacity
    Case Management – Ensure consistent workflow and measurement of success
    Threat Intelligence (TI) – Critical security context
    Expert Assistance – Enabling analysts with scarce skills: Incident Response/Recovery Assistance (technical, legal, communication, and other); Managed Detection and Response (Outsourced technical functions)
    Generative AI – Simplifies tasks and performs advanced tasks through a chat interface
    Analysts and Hunters – Enabling a people-centric function focused on rapid remediation of realized risk
    Align to Mission + Continuously Improve – Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
  • 18. Security Operations Modernization – Microsoft Reference Architecture (December 2023 – https://aka.ms/MCRA)
    Legend: Consulting and Escalation; Outsourcing; Native Resource Monitoring; Event Log Based Monitoring; Investigation & Proactive Hunting
    Raw Data – Security & Activity Logs (Classic SIEM); Security & Network tools provide actionable security detections, raw logs, or both
    Deep Insights – Actionable detections from an XDR tool with deep knowledge of assets, AI/ML, UEBA, and SOAR: Microsoft Defender XDR – Extended Detection and Response (XDR) with SOAR – Automated investigation and response (AutoIR): Defender for Cloud (Containers; Servers & VMs; SQL; Azure app services; Network traffic); Defender for Endpoint; Defender for Cloud Apps; Defender for Office 365; Defender for Identity; Entra ID Protection; Defender for IoT & OT
    Assets: Infrastructure & Apps; PaaS; OT & IoT; Identity & Access Management {LDAP}; Endpoint & Mobile; Information; Applications (SaaS, AI, legacy, DevOps, and other)
    Broad Enterprise View – Correlated/Unified Incident View: Microsoft Sentinel – Security Incident & Event Management (SIEM); Security Orchestration, Automation, and Remediation (SOAR); Machine Learning (ML) & AI; Behavioral Analytics (UEBA); Security Data Lake; Case Management
    SOAR reduces analyst effort/time per incident, increasing SecOps capacity
    Microsoft Threat Intelligence – 65+ Trillion signals per day of security context & Human Expertise
    Expert Assistance – Enabling analysts with scarce skills: Microsoft Security Experts – Managed Security Operations (Managed XDR; Managed threat hunting); Incident response (formerly Detection & Response Team (DART))
    Microsoft Security Copilot (Preview) – Simplifies experience for complex tasks/skills
    Analysts and Hunters – Align to Mission + Continuously Improve: Measure and reduce attacker dwell time (attacker access to business assets) via Mean Time to Remediate (MTTR)
  • 19. Evolution and Sources of SecOps Roles as Security Operations Grows and Matures
    Smaller organizations, and large organizations earlier in maturity/growth: Triage (Tier 1) – high volume detections; Investigation (Tier 2) – high complexity detections; Threat Hunting & Detection Engineering (Tier 3).
    Larger organizations (later in maturity/growth): Incident Response; Threat Hunting; Detection Engineering; Incident Management; Threat Intelligence; SecOps Management; Automation & data science as dedicated roles or shared service(s).
    Deep or External Specialties: Purple & Red Teaming; Penetration Testing; Digital Forensics; Reverse Engineering; Intelligence Professionals.
    Insider Risk investigation capabilities are often incubated in security operations teams.
  • 20. Growth Path of Security Operations – typical stages as the team grows and matures
    Part Time – part-time analyst duties
    Small – dedicated team with single manager
    Medium – multiple SOC managers
    Large – 24x7 coverage, dedicated specialized teams
    Not all organizations need (or can afford) a large team. Partnership with IT Operations and other teams is critical for any size team.
  • 21. Building a SecOps team – Stage 1: Part-time staffing
    Detection response by part-time analysts. Often seen in small organizations or early stages of building a capability. Sometimes staffed by non-security teams (IT Operations, Support, etc.).
    Core Functions: Triage; Investigation; IR from single alert queue; Basic Hunting; 24x7 On Call.
    Tooling: XDR (Endpoint/Email/Identity + Automation); Case management; Security Information and Event Management (SIEM); Enforce detection quality.
    XDR is ideal for starting out (vs. SIEM): simpler to install & use (less time/expertise); produces results immediately; includes automation (SOAR) for common tasks. Many Security Operations teams started out with SIEM because it was the only technology available at the time.
    Legend: Optional; Strongly Recommended; Mandatory; Same as Previous Stage; On Call; Multiple Shifts.
  • 22. Building a SecOps team – Stage 2: Full-time staff (small team)
    Full time analysts performing specific roles. On-call rotation for 24x7 coverage.
    Core Functions: Triage; Investigation; Hunting; IR from single alert queue; Basic Hunting; 24x7 On Call.
    Tooling: XDR (All Assets + Automation); Case management; Security Information & Event Management (SIEM); BI/Reporting Tools; Enforce detection quality.
    Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting; Advanced SOAR and Analytics (AI/ML, UEBA, etc.); Advanced Hunting.
    Basic hunting keeps noise out of the triage queue without missing attacks (e.g. senior analysts reviewing low fidelity detections once a day). Advanced tooling increases process maturity as the team grows. XDR extends to all assets.
  • 23. Building a SecOps team – Stage 3: Full-time staff (medium team)
    Full time teams focused on different functions. Triage often extends to multiple shifts. On-call rotation for managers, investigation, hunting.
    Core Functions: Triage; Investigation; Hunting; IR from single alert queue; Basic Hunting; Enforce detection quality; 24x7 On Call or On Shift.
    Tooling: XDR (All Assets); Case management; Security Information & Event Management (SIEM); BI/Reporting Tools; Advanced SOAR and Analytics (AI/ML, UEBA, etc.).
    Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting; Advanced Hunting.
    Define inter-team processes, metrics, tooling. Build advanced/support functions for multi-team operations. Increasing focus on advanced SOAR automation/orchestration, advanced hunting, and Detection Engineering.
  • 24. Building a SecOps team – Stage 4: Full-time staff (large team on shifts)
    24x7 Global Operations with 24x7 triage coverage.
    Core Functions: Triage; Investigation; Hunting; IR from single alert queue; Advanced Hunting; Enforce detection quality; 24x7 On Shift.
    Tooling: XDR (All Assets + Automation); Case management; Security Information & Event Management (SIEM); BI/Reporting Tools; Advanced SOAR and Analytics (AI/ML, UEBA, etc.).
    Advanced/Support Functions: (Major) Incident Management; Threat Intelligence; Business Intelligence/Reporting.
    A dedicated BI function enables continuous improvement. Complex operations require sophisticated inter-team processes, metrics, tooling, & advanced/support functions.
  • 25. Stay Focused on what matters!
    Minutes matter – rapidly detecting and evicting attackers will limit damage and risk to your organization.
    • People matter – Human judgement is critical. Continuous learning is required to keep up with technology, processes, and attack techniques.
    • Process matters – clarity and execution across internal and external teams is required for accuracy, impact, and speed.
    • Technology matters – Simplify and automate common tasks to reduce frustration/burnout and keep people focused where needed most.
    • Intelligence matters – to provide current context for people and tools.
    Teamwork matters! – Collaboration across individuals & teams is critical to success!
    Microsoft CDOC is the main source of best practices: best practices and recommendations are directly sourced from Microsoft's Cyber Defense Operations Center (CDOC) or validated against current practices.
  • 26. Resources. Questions?
    aka.ms/MarksList – Mark's List of Cybersecurity Resources, frequently sent to customers and colleagues.
    ZeroTrustPlaybook.com – For all roles: simple language and description of concepts that everyone from the board room to technologists needs to understand.
    ▪ Zero trust overview – Security for the modern world we are in
    ▪ Playbook introduction – Methodology to get there and do it well
    aka.ms/SAF – Security Adoption Framework (SAF): guides Zero Trust security modernization and business alignment using recommended initiatives.