This month’s CyberProof SOC Masterclass attracted SOC leaders, engineers, CISOs, and security analysts. Our 2-day event covered a range of topics designed to upskill security operations leaders who are looking to build or optimize their Security Operations Centers (SOCs). The SOC Masterclass was a great opportunity to share the latest industry knowledge – and we fully enjoyed hearing from CyberProof’s own team, as well as from industry leaders and influencers.
If you missed the event, it’s not too late to watch the presentations. We’ve recorded the entire SOC Masterclass – so you can watch on-demand. This blog is our summary of the event highlights.
Optimizing Your Azure Sentinel Solution
- Saggie Haim, Cloud Security Architect at CyberProof, said, “Today, the traditional SIEM is not enough. Rule-based and security-based controls have not managed to provide protection. What Microsoft is doing now is shifting Azure Sentinel from being a traditional SIEM, to being a security analytics platform.”
- Javier Soriano, Senior Program Manager, Azure Sentinel at Microsoft, explained, “Using Sentinel, we create a new experience for the analyst for threat hunting. We use the MITRE ATT&CK tactics and techniques, and we provide information about the ‘delta’ – i.e., how these queries differ from previous queries. We also bookmark evidence and attach them to incidents.”
- Matt Prezbindowski, Vice President CISO Infrastructure & Operations, State Auto Insurance, advised that, “To ensure staff retention, train them and treat them well enough so it’s easy for them to take those skills with them into another role if they really want to – but hopefully, this will inspire a sense of loyalty.”
- Adam Drabik, CISO at CyberProof, said: “One of the best ways to motivate your team is to pair the juniors with the seniors for on-the-job training or shadowing.” He continued, “Also, try to take away the soul-destroying tasks that can be automated. The analysts can spend their time on stuff requiring what our brains are programmed for – not exact matching but pattern recognition with a lot of different variables and environments, finding shortcuts and deriving conclusions. It’s the investigative work analysts enjoy most – it’s how you get ultimate value from your SOC environment.”
Modernizing SOC Operations
- Chris Crowley, SANS Senior Instructor at SANS Institute, spoke about outsourcing, saying, “Absorb some of the best practices from your MSSP. I talk to MSSPs who say, ‘Our customers oftentimes don’t follow up on our recommendations. They are stuck in this loop.’ Make sure part of what you’re doing, in terms of outsourcing, is finding out what your outsourced partner does well - and take advantage of what they are providing.”
- With regard to technology implementation, Chris mentioned that, “People often put the technology first instead of thinking they need to keep the analysts engaged. We often take the decisions away from the analysts – exactly the decisions we want them to be making – until it’s a critical moment in time, at which point the analyst ends up frozen because they don’t have the experience level to do this well.”
Actionable Threat Intelligence
- Dov Lerner, Security Research Lead at Cybersixgill, explained, “The deep and dark web is a supply chain of malicious infrastructure, a real open market that has a specialization of labor. Obtaining intelligence from the deep and dark web requires processing a huge amount of unstructured data. Automated capabilities, including machine learning processes, allow classification and detection of threats.”
- Orel Pery, Cyber Threat Intelligence Team Lead at CyberProof, explained: “A lot of experts think, ‘The Dark Web is interesting, but how can I make information from the Dark Web actionable? It’s too far from security operations.’ That’s not true. Threat intelligence can be super clear and super actionable. For example, after Darkfeed raw data is collected, CyberProof’s CTI solution integrates this feed to detect threats in the relevant security systems. By using the Darkfeed for direct integrations – from Deep and Dark Web sources to the SOC monitoring side – we find interesting cases that help create a safer environment for our clients.”
Planning a Threat Hunting Program
- Aviel Golrochi, Threat Hunter Team Leader at CyberProof, offered his insight on hunting using behavior analysis: “Naming conventions are very useful for behavior analysis because the security teams can know the naming conventions for everything, but hackers hopefully won’t.” He continued, “It’s not about the technical stuff – antivirus, how many firewalls – rather, we need to understand how the organization is built and what behavior is normal. If we want to learn about our environment, we need to know how it lives.”
- Aviel also shared that, “From the hunting perspective – the proactive perspective – you can search for pairs of ‘user:endpoint’ to gain visibility regarding which users usually log on to which endpoints. You reduce the user:endpoint pairs that have a high frequency of occurrence. Then, hunt for users that are trying to connect to many hosts – and for hosts that are being authenticated by many users.”
- Hen Porcilan, Senior SOC Analyst at CyberProof, explained, “I can tell you from my own experience as a SOC analyst that there’s constant pressure. You wonder, ‘What will happen next?’ To break out of that feeling, you need to take courses. Study new skills and gain greater knowledge of various technical and professional areas. Industry certifications are really important; for example, my team did Microsoft certification (EC200). Another important area relates to Zoom – today, all security professionals need to excel in giving Zoom presentations.”
- Maayan Cohen-Haziz, Israel Site Manager and Global Director of HR at CyberProof, advised SOC leaders, “Try to be more of a coach – not a micromanager. Make yourself available for 1-on-1 meetings, especially when people are working at home. And invest in mid-level managers, giving them more tools for performance management and time management and providing courses that give them the ‘big picture.’ By strengthening them, you strengthen the business – it’s a win-win.”
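The user:endpoint pairing hunt Aviel describes above can be expressed as a short script over successful-logon records. The following is an added example written for this summary; it is not code from CyberProof or from any of the speakers. It assumes a constructed record format of one logon per line (`<timestamp> <user> <endpoint>`), treats a pair seen at least three times as part of the normal baseline, and then looks for fan-out (one user reaching many hosts) and fan-in (one host reached by many users) among the remaining rare pairs. The thresholds and the sample data are made-up values for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of successful-logon records: "<timestamp> <user> <endpoint>".
# These are made-up values for illustration only, not data from a real environment.
SAMPLE_LOGONS = """\
2024-03-04T08:01:00 alice ws-01
2024-03-04T08:05:00 bob ws-02
2024-03-04T09:10:00 alice ws-01
2024-03-04T09:15:00 carol ws-03
2024-03-05T08:02:00 alice ws-01
2024-03-05T08:06:00 bob ws-02
2024-03-05T09:12:00 carol ws-03
2024-03-06T08:03:00 alice ws-01
2024-03-06T08:07:00 bob ws-02
2024-03-06T09:14:00 carol ws-03
2024-03-06T22:40:00 bob ws-01
2024-03-06T22:41:00 bob ws-03
2024-03-06T22:42:00 bob srv-01
2024-03-06T22:43:00 bob srv-02
2024-03-06T23:05:00 alice srv-02
2024-03-06T23:06:00 carol srv-02
2024-03-06T23:07:00 dave srv-02
"""


def parse_logons(text):
    """Turn the constructed line format into (user, endpoint) pairs; malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _timestamp, user, endpoint = parts
        pairs.append((user, endpoint))
    return pairs


def baseline_pairs(pairs, min_count):
    """Pairs seen at least min_count times are treated as 'normal' and removed from the hunt."""
    counts = Counter(pairs)
    return {pair for pair, n in counts.items() if n >= min_count}


def rare_pairs(pairs, min_count):
    """Every logon whose user:endpoint pair is not part of the high-frequency baseline."""
    baseline = baseline_pairs(pairs, min_count)
    return [pair for pair in pairs if pair not in baseline]


def users_touching_many_hosts(pairs, min_hosts):
    """Fan-out: users that appear with at least min_hosts distinct endpoints."""
    hosts_by_user = defaultdict(set)
    for user, endpoint in pairs:
        hosts_by_user[user].add(endpoint)
    return {u: sorted(h) for u, h in hosts_by_user.items() if len(h) >= min_hosts}


def hosts_with_many_users(pairs, min_users):
    """Fan-in: endpoints authenticated to by at least min_users distinct users."""
    users_by_host = defaultdict(set)
    for user, endpoint in pairs:
        users_by_host[endpoint].add(user)
    return {h: sorted(u) for h, u in users_by_host.items() if len(u) >= min_users}


def hunt(text, min_count=3, min_hosts=3, min_users=3):
    """Run the full pairing hunt: baseline removal, then fan-out and fan-in over what is left."""
    pairs = parse_logons(text)
    rare = rare_pairs(pairs, min_count)
    return {
        "rare_pairs": sorted(set(rare)),
        "fan_out": users_touching_many_hosts(rare, min_hosts),
        "fan_in": hosts_with_many_users(rare, min_users),
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_LOGONS)
    print("rare pairs:", result["rare_pairs"])
    print("users reaching many hosts:", result["fan_out"])
    print("hosts reached by many users:", result["fan_in"])
```

On the constructed sample, the three daily workstation logons form the baseline and drop out; what remains shows one user reaching four hosts in a few minutes and one server receiving logons from four different users. In practice the baseline counts should be computed over a longer history window than the window being hunted, the thresholds tuned per environment, and service accounts that legitimately touch many hosts handled with an allowlist rather than raised on every run.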
Driving Down Security Spending
- Bruce Roton, Global Head of Security Strategy, explained, “If I can map the risk to an attack scenario, that will drive a lot more attention from the board for future investment.”
- He added, “For continuous improvement, I recommend moving from SLA to KPI metrics. KPIs link to key goals within the organization - validating measurements within those key goals. For example, let’s say key goals are effectiveness and accuracy. Am I capturing the right events? Am I getting the right percentage of incidents from them? Every measurement you’re taking should drive a decision. Otherwise, it’s not actually a KPI.”
Managing OT Security Risk
- Rani Kehat, CISO at Radiflow, said, “At the end of the day you need to communicate the results, and you can do that in two ways: The first way is risk. Have I reduced the risk? Do I bring business value to the company? Have you reduced susceptibility to a loss event? The other way is compliance. If you already entered the controls, then complete the requirements of IEC 62443 showing security level achieved and security level targets.”
- Jaimon Thomas, Global Head, Security Solutions at CyberProof, said, “OT is one of the most sensitive areas. That’s why it’s essential to have continuous visibility of the environment and get a good handle on the risks in these environments. As new techniques and tools come out, we need to make sure our cyber capabilities keep up with the changes and maintain continuous visibility to identify suspicious activities, leveraging the capabilities of a SOC. We use the SOC to minimize the business impact to the organization going forward.”
Successful XDR Adoption
- Omri Shamir, SIEM Architect at CyberProof, said, “XDR offers a lot of advantages. It provides better root cause analysis – a better understanding of what’s going on with specific incidents. It also helps us reduce the amount of false positive alerts because we obtain very precise data. In addition, it has the ability to build orchestration and automation – in terms of optimized workflows. And, you can see all of this in a single place.”
- Omri Shmul, Professional Services Engineer at CyberProof, explained, “There are challenges in implementing XDR solutions within enterprise environments. For example, let’s say we have an office in the UK and the US, these offices are not necessarily presenting the same types of behaviors. We need different configurations, policies, rules, and other aspects. They may have different behaviors – one office works longer hours, the other works standard business hours. Or, one is R&D related, while one is financial. They use different applications. These are all challenges that must be addressed.”
Importance of Attack Simulation
- Nir Aharon, Incident Response at CyberProof, said, “It’s important to mention that in simulating different attack scenarios, you can use a variety of ways to achieve your goals. We encourage you to experiment. Use different approaches and see how they show up in your local events. Identify what type of security mechanisms are limiting those capabilities. For each attack scenario, you can use different ways to achieve your goals.”
- Aviel Golrochi, Threat Hunter Team Lead at CyberProof, pointed out, “When choosing an attack scenario, the first step is to decide what we are testing. There are multiple options of how we can utilize the environment to meet our needs. For instance, we could test new exploits and review relevant event logs, behaviors, and other indicators that may be relevant for the detection. We could also choose to simulate certain techniques or tactics and in this way, we can prepare our environment and adjust it accordingly.”
If you missed one or more sessions at this year’s event, you can watch all the sessions on demand here. You can find out about upcoming events at CyberProof by registering for our newsletter here.