CyberProof's recent SOC Masterclass – run in collaboration with Forrester and Microsoft – was an opportunity to hear from CyberProof’s expert team members as well as from industry leaders. If you missed the masterclass, which focused on “Managing your future with cloud-native security operations,” you can watch the sessions on-demand. Here are a few of the event’s highlights:
What it takes to build a world-class SOC
Allie Mellen, Forrester Senior Analyst (Guest Speaker):
Why CISOs need to think about buying services before products: “I was getting a lot of questions about products. I would ask whether the organization in question was using a managed service. The service provider is managing the product for you, especially for EDR and SIEM. It’s very important to establish that trusted relationship with your service provider before you go to rip & replace the technology you’re using.”
The service provider is managing the product for you, especially for EDR and SIEM. It’s very important to establish that trusted relationship with your service provider before you go to rip & replace the technology you’re using.
On XDR: “XDR is a big buzz word. When I first joined Forrester, my first task was to understand: What is this XDR ‘thing’? My findings from the continued research that I’ve done is that XDR is the evolution of Endpoint Detection & Response (EDR) technology, bringing a digital telemetry to provide better, more complete response capabilities. Some providers have been offering this as a service for a while – i.e., through MDR. With services (as opposed to products), you can provide a lot more, a lot faster – because products take iteration cycles and require more time to get to market. Many of the products that are offering XDR today, took their cue from MDR providers.”
Tony Velleca, CyberProof CEO: “The security problem is going to grow exponentially. We have everything connected. There’s massive amounts of data, more economic incentives to hack things – the need will continue to be there. But the skillset is going to change for people getting into it. We’ve learned that taking a network person and training them on security is harder than taking someone in security operations and training them in threat intelligence. As a result, working in security operations is going to continue to be a great career opportunity.”
Demystifying security provider acronyms: beyond the hype cycle
Jason Malacko, Director Architecture Strategic Solutions, CyberProof: “We have a consensus in the industry for what MDR When you think about the platform and the technology of any service provider, there are several things you need to ask: Where do the security analytics reside and how transparent can you be? It can be a ‘black box’ where you don’t know what’s going on beneath them. If you’re using an off-the-shelf solution, can you look at the analytics rules? Can you take them with you? When you talk about cloud provisioned vs cloud native, where does this platform live? How are the native components supported? Does it give you the visibility you need? How does it integrate with your threat intelligence?”
Chris Howden, Threat Analysis Team Lead, CyberProof: “Perhaps you have some exceptional skills in your organization – people with a good understanding of the tools and systems that are there already. But you need to complement those skills. An MDR provider can look across different verticals and act as an extension of an in-house team. At CyberProof, for example, we understand the process – how best to respond. It’s process-driven; you can train someone to understand a process and apply the same process to multiple technologies and platforms. Once we have a particular process defined, the question becomes how far we can go with the orchestration of those sets of automations.”
Managing the transition to native cloud security – challenges and opportunities
Ian Ruthven, Product Manager, Microsoft Security Service Line: “We don’t expect the hybrid environment to disappear any time soon. A big part of what we do involves figuring out how best to operate in the hybrid environment. We have a lot of legacy tools, and you can’t move from one way of doing things to another way of doing things and have a ‘magical’ transition period. You can’t just hope that it will work smoothly. Hope is not relevant – because you need continuity of service. You need a clear definition of responsibility. Everyone on your team should know what they need to be doing in the new environment, that they are accurately importing and ingesting. During the transition period, there should be an overlap period where you’re running the existing environment and the new environment, and you see both results. It’s all about planning the transition very carefully and understanding what the boundaries of responsibility are. If you don’t, there might be a time when there isn’t full coverage.”
It’s all about planning the transition very carefully and understanding what the boundaries of responsibility are. If you don’t, there might be a time when there isn’t full coverage.
Jaimon Thomas, Global Head, Customer Engineering: “How do you maximize the cloud security investment, i.e., when you’re transitioning to cloud-native security? Maximizing investments is a big topic for us. The value proposition behind some of the bundles that we do relates to this – as there are a lot of security entitlements embedded in some of what our customers already have. Sometimes they are not taking advantage of these entitlements.”
How to secure multi-cloud environments
Shay Amar, Senior Program Manager, Microsoft: “When it comes to understanding how to work with the cloud, you need to think a bit differently. Today we say, ‘Assume a breach.’ Why? The reality is that you need to react fast. You must be aware of all aspects of identity, and the context is much broader. The MITRE ATT&CK framework helps achieve targets when we are involved in threat mitigation, but how does it help me mitigate risk? The answer is that it’s about the journey. MITRE helps you understand what stage you are facing: Are you at the stage of exposure? It could be privilege escalation, etc. This gives you a footprint. You have a multi-cloud environment, and you find yourself looking at the main pillar of the security alert dashboard – with a bunch of alerts – what’s the first question to ask? Most analysts will tell you to prioritize. Knowing MITRE is not just something in your toolbox for threat investigation – it can help you prioritize and mitigate some of the threats in your environment.”
When it comes to understanding how to work with the cloud, you need to think a bit differently. Today we say, ‘Assume a breach.’ Because the reality is that you need to react fast.
Yuval Wollman, CyberProof President: “With multi-cloud deployments, the question is how we manage policies. How do we oversee multiple environments that need to be run through the multi-cloud framework? We need to understand how to protect the new attack surface, which is bigger now and more complicated, and how we leverage new products in a consolidated effort – and, in that way, we can improve the security posture.”
Saggie Haim, Cloud Security Solutions Architect Team Leader, CyberProof: “Visibility. Visibility. Visibility. That’s the key. One of the things we see a lot is the use of third-party solutions. It’s always a question of trying to mitigate the risks, while finding the right tools for the right problems. With so many tools, there’s the issue of dashboard fatigue – the difficulty SOC analysts face in jumping from platform to platform. This is where, at CyberProof, we’re trying to centralize solutions and pull them into a single pane of glass so we have visibility into multi-cloud, into our services, and into different teams in different areas. It’s not just a security value but also a financial value. We’re investing in so many tools and vendors – and it’s best to have a single vendor. The value you receive is so high.”
Interested in learning more? Listen to CyberProof’s SOC Masterclass sessions here.