Our recent virtual SOC Masterclass – held in collaboration with Microsoft – focused on cloud security transformation and was designed to inspire and upskill security operations leaders to future-proof and optimize their SOC.
The five sessions of the event, which attracted SOC leaders, engineers, CISOs, and security analysts from around the globe, provided a “deep dive” into the most pressing issues facing our industry including: the critical components of a modern SOC, leveraging threat hunting and threat intelligence during ransomware attacks, and adapting your detection and response workflows to keep pace with the changing landscape.
We’ve recorded the entire event – so you can watch on-demand. This blog is our summary of some of the event’s highlights with quotes from our cast of cyber presenters.
DRIVING THE NEXT GENERATION OF CLOUD SECURITY TRANSFORMATION
Microsoft's CSA, Ken Malcolmson, and CyberProof's Cloud Security Solutions Architect Team Leader, Saggie Haim, discussed how to make the transformation to cloud-native security, the differences between cloud-native, on-premises and cloud-based, and key priorities when securing multi-cloud environments. Some key quotes include:
- Ken Malcolmson, Chief Security Advisor, Microsoft: “Any time you make a change to your IT environment, you are changing your risk profile. When you move to the cloud, some things look very familiar – but they act in different ways. Authentication in the cloud, for example, is very different from authenticating on-prem. It’s a different set of threats, a different profile – and if you’re thinking that way, you’re off to a good start. It’s very important.”
- Saggie Haim, Cloud Security Architect, CyberProof: “We don’t ingest logs just for the sake of ingestion; we ingest logs when there is business risk behind it. If you need particular data only for regulation and compliance - we have other ways of storing it. We can ingest into Azure Data Explorer from any log source. Bottom line: One of the challenges in the cloud is to understand the consumption model. You pay per infrastructure, per transaction. Therefore, this is the way that you can really optimize costs: Take the logs you need for ingestion and put them inside Sentinel. Put the logs you don’t need for ingestion in Azure Data Explorer.”
THE PILLARS OF A MODERN SOC
CyberProof’s CEO Tony Velleca and VP of Strategy Bruce Roton explored how to prioritize your investments as you evolve your cyber defense architecture. They outlined the key pillars of a modern SOC that allow you to adapt as your business and threat landscape conditions change. Some key quotes include:
- Tony Velleca, CEO, CyberProof: “Automation shows up in terms of how people and technology interact with one another. In a security environment, where you’re looking for patterns in extensive amounts of data, there are some things that bots can do better. But what human beings need to bring to the interaction is our creativity – and that’s what is going to drive the relationship between humans and bots.”
- Bruce Roton, VP of Strategy, CyberProof: “The proliferation of new data sources and the move to the cloud is causing a data flood. Not just volume but also velocity, variety, veracity, and value are factors. For many organizations, it’s like sitting on a goldmine without a shovel. To start with, you need the tools to parse it, standardize it, tag it, and sort all available data sources. Use Analytics to route the highest value data into detection systems, and place lower value data in searchable, long-term storage only. You want to tag and correlate data in real time and map to schemas like MITRE, identifying anomalies using cloud-native architectures.”
In a security environment, where you’re looking for patterns in extensive amounts of data, there are some things that bots can do better. But what human beings need to bring to the interaction is our creativity – and that’s what is going to drive the relationship between humans and bots.
UNDERSTANDING THE RANSOMWARE THREAT
CyberProof’s President Yuval Wollman and Head of SOC Operations Roee Laufer presented a special simulation of a cyber attack, designed to illustrate how easy it is to fall victim to ransomware. Some key quotes include:
- Yuval Wollman, President, CyberProof: “It’s about having the right security posture: the right procedures, the team, and the necessary preparations. It’s also about how the business is prepared – understanding how to work with the authorities and managing the public relations mechanism – all of that together. The leadership level should acknowledge that risk. The bigger the trend of ransomware in the market, the more awareness we need at the ‘C level’ and in the boardrooms.”
- Roee Laufer, Head of SOC Operations, CyberProof: “What’s the role of management in a cyber incident? Financial damage, reputation, loss of current & future revenues, lost IP, legal liability, resuming operations, and following regulations. If you haven’t done all this work before an incident, trying to do it during an incident just doesn’t work – with all the other stresses. A cyber incident is not a technological issue, but rather an organizational issue. It’s not a question of ‘If’ – it’s a question of ‘When.’ Doing the work ahead of time makes the difference between being able to cope successfully, vs. not being able to cope at all.”
It’s about having the right security posture: the right procedures, the team, and the necessary preparations. It’s also about how the business is prepared – understanding how to work with the authorities and managing the public relations mechanism – all of that together.
RESPONDING TO RANSOMWARE: HOW TO LEVERAGE THREAT INTELLIGENCE AND THREAT HUNTING
Asaf Haski, Senior Cyber Threat Intelligence (CTI) Analyst, and Karina Daniel, Cyber Threat Hunter, discussed how CyberProof’s threat hunting and CTI teams collaborate in real time during a ransomware attack, and discussed the key points that need to be investigated to obtain answers when time is short. Some key quotes include:
- Karina Daniel, Cyber Threat Hunter, CyberProof: "As threat hunters, we detect a suspicious activity by correlating multiple events – for example, by connecting the fact that there is activity happening outside of work hours, with the fact that this activity is coming from a suspicious location. Threat hunters try to see the full picture – and not to rely on a single event. To improve our efficiency, we leverage automation. For example, our team maintains a rich repository of queries to be used with different security platforms. I can put a CTI lead into my query and cross-reference the data. Queries are based on different attack types – ransomware, phishing, etc. – and on techniques such as initial access. We use tools and scripts executed on the endpoints and leverage them to extract meaningful data.”
- Asaf Haski, Senior CTI Analyst, CyberProof: “One of the challenges CTI and Thread Hunting teams face when investigating a ransomware attack is collecting and translating external CTI leads into internal, focused and efficient hunting sessions. CTI leads rely on external analysis and assessment and include multiple types of observables – vulnerable servers and web applications, employees that may have been the source of an attack, CVEs that may have been exploited. Connecting external CTI leads to internal logs assists in understanding the sequence of events, helping us connect the dots when time is short so we can eliminate the threat faster.”
ADAPTING YOUR CYBER DEFENSE TO THE EVER-CHANGING THREAT LANDSCAPE
Christopher Schrauf, SIEM Architect, CyberProof, introduced an agile methodology that can be used to understand an organization’s current threat coverage and adapt detection & response workflows as a business changes and threat conditions continue to evolve. He explained: “Often fields in security alerts don’t give us the contextual information we require for sufficient correlation, so we need to use data enrichment methodologies. Some quick wins that I've used are:
- Enrichment of assets’ IP Information with data from Firewall Zone Concepts during alert time.
- Enrichment based on User Assessments – which user accounts are VIPs, CXOs , Admin Accounts, etc.
- Enrichment from the CMDB (where background information about machines including laptops, servers, users, OS, and software is frequently stored) – where you can find data representing a server or specific machine, often through the naming convention, which you can extract via Regex in the enrichment.
This enrichment can be case matched in lookups and supports you in creating a scoring for risked-based mapping.”
Interesting in hearing more? Watch the CyberProof SOC Masterclass sessions on demand!