Tuesday, June 6, 2017

SANS SOC Summit 2017

A quick listing, for each talk, of the TODO items I extracted from the presentation.

The presentations are available here:

Day 1

Keynote Good vs Evil: Winning the Age Old Battle
Doug Burks (@dougburks), CEO, Security Onion Solutions LLC
TODO: Practice Japanese. More work on motivating people to perform optimally.

Stuck in the Box: A SIEM's Tale
Justin Henderson (@SecurityMapper), Systems and Security Architect, GSE # 108, Cyber Guardian Red/Blue
TODO: Develop a list of "go to" Event IDs

How to Measure Anything in the SOC
Rich Seiersen, Former General Manager - Cyber Security & Privacy, GE Healthcare
TODO: Develop predictive analytical model for SOC (and read Rich's book)

Metrics for Justifying SOC Investment to the CEO and Board
John Pescatore, Director of Emerging Security Trends, SANS Institute
TODO: Decide on key performance indicators and develop report / dashboard to depict them.

Debunked: Traditional IR Calls
Gregory Braunton, National Director, Threat Management, Incident Response and Forensics, Catholic Health Initiatives
TODO: Visual collaboration tool. (Reminds me also to develop the ACH rubrics for common incident scenarios.)

Siri for SOC: How an Intelligent Assistant can Augment the SOC Team
Bobby Filar (@filar), Sr. Data Scientist, Endgame
Rich Seymour, Sr. Data Scientist, Endgame
TODO: Develop question based playbook for analysts.

The Need for Investigation Playbooks at the SOC
Matias Cuenca-Acuna, Principal Engineer, Intel Security
Ismael Valenzuela, SANS Certified Instructor, GSE #132; Global Director of Foundstone Consulting Services
TODO: Differentiate response playbook and investigative playbook, refine current playbook.

Day 2

Keynote: Survey Says: Actionable Insights from the SANS SOC Survey
Chris Crowley (@CCrowMontance), SANS Institute
TODO: Build a survey that captures a representative sample of SOCs globally.

SIEMple Simon Met a WMIman
Craig L. Bowser, Sr. Security Engineer, Dept. of Energy
TODO: Adapt this for SOC Analysts, and have a punch list of checks to be sure they're accomplishing these checks.

Inattentional Blindness (IB) & Security Monitoring
Ismail Cattaneo, Sr. Manager of Security Operations & Engineering, Verizon Enterprise Solutions
TODO: Pay attention, and keep working on a converged analytical methodology between "Organizational Dimensions, Analysis of Competing Hypotheses, Kill Chain, and Diamond Model"

Hunting Adversaries with "rastrea2r" and Machine Learning
Gabriel Infante-Lopez, Software Architect & Data Science, Intel Security
Ismael Valenzuela, SANS Certified Instructor, GSE #132; Global Director of Foundstone Consulting Services
TODO: Look at the open source project for collecting information between disparate tools.

Color My Logs: Understanding the Internet Storm Center
Johannes Ullrich, PhD, Dean of Research, SANS Technology Institute
TODO: Look for ways to enrich information in SOC data with RESTful data from within SANS ISC. Install a Raspberry Pi.

SOCs for the Rest of Us
Dave Herrald (@daveherrald), GSE #79, Senior Security Architect, Splunk
Ryan Kovar (@meansec), Staff Security Strategist, Splunk
TODO: Take the questions Dave and Ryan used and turn them into an assessment capability.

Building the Cybersecurity Workforce We Need: Creating Pipelines and Pathways Without Poaching
Arlin Halstead, Strategic HR Business Partner, NTT Security
Maxwell Shuftan (@SANSCyberTalent), Director of CyberTalent Solutions, SANS Institute
TODO: Refine hiring standard questions and look at retention methodology.

DDoS Attacks in Action
Ben Herzberg, Security Research Group Manager, Imperva Incapsula
TODO: Practice Python. Inventory DDoS vulnerability assessment and remediation tools.