Tuesday, April 25, 2017

Threat Hunting Summit 2017 and MGT517.2017.2

I had the opportunity to see many great talks, but missed just as many due to obligations and getting other work done. If you didn't get to attend the THIR summit, the high quality videos should be online soon here:

https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017/summit-videos/

If you are interested in my talk, you can see the PowerPoint slides here:

https://bit.ly/crow-th

More elaboration on the security operations functional areas here:

http://www.montance.com/mgt517

Thank you to the people who took the time to chat with me about their opinions or experience on the topics I covered. It's tough to present a complete system in 30 minutes. I hope your organization has a strategic vision for what your security operations are going to be. If you don't, steal my diagram from the bit.ly link above and start to plan for how your functions can work together to optimize your scarce resources.

Also, much appreciation to the folks who attended MGT517. I was impressed by the discussions we had. I feel like I learn a massive amount each time I teach. Some of it is validation of the opinions I hold, some of it is a challenge to my approach. Criticism and permutations help to refine the system. I'm excited about a few things that I'm going to incorporate. First is the notion of a more data-centric depiction of the metrics I advocate for the SOC. Another enhancement planned for the next revision is a deeper dive into threat hunting scenarios. Finally, I'm adding ACH (Analysis of Competing Hypotheses) brainstorm templates for incident types to encourage analysts to employ ACH, the Kill Chain, and the Diamond Model as analytical tools.
