Last week TruSTAR sat down with two former NSA directors to discuss the future of SOC operations.
We tapped Sherri Ramsay, Strategic Consultant and Former Director of NSA’s Threat Operations Center (NTOC), and Tony Sager, Senior Vice President and Chief Evangelist for CIS (The Center for Internet Security) and Director of SANS Innovation Center, for their insights into the future of Security Operations Centers.
Below we’ve edited and condensed some of the live Q&A that took place. To listen to the full discussion, scroll down or click here.
Paul Kurtz, CEO of TruSTAR (PK): What were some of the major attack patterns of 2017?
Sherri Ramsay, Former NSA (SR): Ransomware and command and control patterns dominated the headlines in 2017. Bad actors are breaking into government and corporate environments to understand leadership structures and to learn what tools we’re building. In my tenure at NSA I saw more state-sponsored attacks, but more recently the private criminal market has exploded. Clickless and fileless exploits like WannaCry and Shamoon are proliferating.
Tony Sager, Center for Internet Security and SANS (TS): Since I retired from NSA I’ve been focusing more on attack patterns. I like to say, “just knowing about flaws doesn’t get them fixed.” The key is not only understanding each attack instance, but also understanding common attack patterns and templates and then defending against them accordingly.
Some less mainstream attack patterns of 2017 had to do with centralization vs. localization. For example, when the Department of Defense first deployed Active Directory, my NSA red teams were licking their chops. Centralized management accounts have helped streamline network operations, but they have also made Active Directory a shinier target for the bad guys. Many managed cloud environments have the same problem.
PK: How has the role of SOC operators evolved? What advice would you give to security analysts starting out today?
TS: SOC operators are expected to crunch through threat intelligence feeds like information machines, but the most critical asset we have is the layer of human intelligence to remediate all of these different inputs.
We must strive for efficiency. SOCs can use automation and standardized data ingest methods to solve for the sheer volume of data analysts are expected to monitor. We need to optimize our tools so that our analysts can come to use their clever intuition to decide what data to act on and escalate. We have to get past the point where the assumed universal data capture method is Excel spreadsheets.
SR: The role of the SOC will grow and morph. We have physical security, network operation centers, fraud teams, and cybersecurity centers. All of these organizations need to merge into one multifunctional SOC to work as a well-oiled machine. It’s about people, process, technology. You need all three to succeed.
PK: These are great points. I met with a senior director of a financial institution recently and he told me that his organization just realigned all of their security portfolios under one organization. Now the role of the CISO is going to cover fraud, incident response, and threat hunting because he realized his organization needs to look at all of these functions more holistically.
Organizations need to understand the breadth of their own data first, and then bring in data from third parties to correlate and escalate events. Company leaders are finally seeing the value of a multifunctional SOC.
PK: What tools do you see rising and falling in SOC operations in 2018?
TS: At CIS we’re actively looking for standardized ways to move information around. You want to find out ways to get people’s attention on things that really matter. We’re seeing the emergence of better analytics and better integration tools.
We’re also finding that with the rate of jobs coming in, you need better project management infrastructure. SOC analysts are expected to juggle a lot of different tasks, tools, tickets. They’re responsible for keeping track of lots of moving parts.
Finally, I think we need better visualization tools. Threat intelligence is complex and nuanced, and yet you have to explain it to all kinds of different people, including senior business leaders. For that reason, we need better visualization tools that can clearly speak to what the business impact is.
SR: We have tons of tools on the market — some SOCs can buy them all, but some can’t. The most important tools are the ones that help analysts make sense of large amounts of data. On top of that we need more collaboration tools that allow SOC analysts to collaborate amongst themselves and industry peers.
Thank you Sherri and Tony for this enlightening discussion!