Threat Hunting Summit 2017 and MGT517.2017.2

I had the opportunity to see many great talks, but missed just as many due to obligations and other work that needed doing. If you didn't get to attend the THIR summit, the high-quality videos should be online soon here:


If you are interested in my talk, you can see the powerpoint here:


More elaboration on the security operations functional areas here:


Thank you to the people who took the time to chat with me about their opinions or experience on the topics I covered. It's tough to present a complete system in 30 minutes. I hope your organization has a strategic vision for what its security operations function is going to be. If you don't, steal my diagram from the bit.ly link above and start planning how your functions can work together to make the best use of your scarce resources.

Also, much appreciation to the folks who attended MGT517. I was impressed by the discussions we had. I feel like I learn a massive amount each time I teach. Some of it is validation of the opinions I hold; some of it is a challenge to my approach. Criticism and permutations help to refine the system. I'm excited about a few things that I'm going to incorporate. First is a more data-centric depiction of the metrics I advocate for the SOC. Another enhancement planned for the next revision is a deeper dive into threat hunting scenarios. Finally, I plan to add ACH (Analysis of Competing Hypotheses) brainstorm templates for incident types, to encourage analysts to employ ACH, the Kill Chain, and the Diamond Model as analytical tools.

Positive feedback

...never has a SANS track been more relevant, timely, thorough, and pragmatic than I found the MGT517 course to be. In my opinion, Chris (and I am quite sure an entire team of reviewers) has thought of, considered, and addressed every issue that I have encountered in my journey to standing up an internal SOC at my company.
Positive thoughts. There are many things I'd like to refine within the class, but I appreciate the acknowledgement.

MGT517 Hot Wash - Orlando - 2017-04-14

The first official run of MGT517 just wrapped up in Orlando, FL.

Primary take-away messages from the attendees:
1. There are a number of companies trying to build a SOC, but they're not exactly sure what a SOC is.
2. Political issues are more difficult to overcome than technical problems.
3. I'm roughly 12-18 months late with this class. A common comment from people: "I wish I had taken this class 12 months ago when I started building the SOC for ____ company."

Some improvements I plan to make:
1. In the Design discussion, depict how the material will be covered in the Build, Operate, and Mature sections. (TODO - near term)
2. Set up a website with resources for reference. (TODO - near term)
3. Adjust the metrics to present the balanced scorecard approach, and include some of the examples that John Pescatore gave in his lunchtime talk to the class. (TODO - near term)
4. Enhance the swimlane diagram that depicts the functional area process relationships with updated inputs, people, artifacts, and technology. (TODO - ongoing)

I was pleased by the excellent attendees. Lots of great discussion and insight was shared. A benefit of the class is making connections with the small number of other professionals in this space.

Finally, I'm thrilled at the overwhelming response from people wanting to attend the course. I know that it is full for the next couple of runs. If you are unable to get into the class, please be patient; we're running the course many times this year. Take a look at the events later this year. If the demand persists, I'll work with SANS to add further runs this year.