Building the Security Operations Center (SOC)


Whether defending against common malware or some determined Nation State, being able to proactively detect attacks and changes in the organization are required.  The past year I spent a large amount of time helping several organizations setup and put in place the right people, processes, and technology to help defend against increasing security threats.  Although many organizations spend millions of dollars on technology and hire staff to monitor security 24/7 the organizations were still lacking two fundamental items.

  1. The people although good at monitoring lacked the attack and threat mind set.  The staff was not able to figure out when an actual attack was happening.
  2. Second the organizations lacked the basic security operations processes required to keep track and make appropriate use of the vast amounts of data.

As a result I spent the past few months developing a whitepaper that specifically addresses the primary components of a SOC, which can be used to help organizations setup a centralized core and embark on developing the correct operational processes.  Although I don’t address item number one above, this paper explains in detail the following.

  • Defining the SOC
  • Determining the Processes
  • Understanding the Environment that needs protected
  • Identifying the SOC Customers
  • Staffing the SOC
  • Managing the Events
  • Leveraging ITIL compliance

Creating and Maintaining a SOC – The details behind successful Security Operations Centers

If your organization is under attack and you have invested in more people and technology be sure to implement the right processes and build a foundation for future defense.

Advertisements

Get Your Daily Security Feed


There has been a large amount of security information and recent attacks posted in the media.  We have Mandiant’s report on China as well as several issues concerning Java.  The pure volume of information over the past year has made it difficult to keep up without a combination sources.  As a result InfoSecAlways has done a few modifications to the site.  Please check out the new “Security Feeds” in the right column (4th Block Down).  This is a combination of about 20 different security RSS feeds piping into the blog now.  You can check the site daily to get the latest news and updates in the industry.

Also, check out the links page as there are several new Threat and Vulnerability links added.  These are great if you are looking for specific attacks, breaches, or threats.

ShmooCon 2013 Review – Malware Persistence and Shmooganography


Like any other HackerCon there are good and bad things, so I will jump right into the interesting stuff.  The start of the conference was a little slow taking less of an attacker security approach, which I prefer.  In any event around midafternoon was a talk called “Wipe the Drive!!! Techniques for Malware Persistence”.    Mark Baggett and Jake Williams discussed some amazing techniques used by attackers.  I mean things that even memory forensics don’t catch.  They were discussing persistence tactics like:

  1. You remove malware and later your computer scans for a wireless access point as a part of normal activity and that scan releases the malware again.
  2. Your remove malware and later you plug in a standard clean USB key.  At this point the trigger of the key being plugged in releases the malware and infects the system.

Again their entire suggestion on the talk was to suggest wiping the drive is again the only safe way to possibly remove malware and to think otherwise might be foolish.

Day 2 and More

On the second day I ended up attending a few different sessions.  There was a talk on running a CTF that went through some of the tactics but mostly explained the amount of time it takes to setup and run a CTF.  Several of the other talks I went to were less than technical in my opinion and I felt everything could be Googled in about the same time I was in the presentation.  There was one exception, Carson Zimmerman packed the room (seriously no sitting space) with his talk on “Ten Strategies of World Class Computer Security Incident Response Team”.  I came in late, but what I saw was good.

ShmooganographyOther activities at the Con were always entertaining.  The Lockpick village always provides a good time filler in-between sessions.  I enjoyed spending some time handing out a few Hacker&Agent card decks to  kids.  Also, there was plenty of hacker and security speak in the evenings at the hotel bar.  Otherwise if you like games there were some contests on the Xbox or I would suggest testing your skills by taking a stab at Shmooganography. If you get a chance and get into the 2014 conference its worth at least taking a look.  Below is a preview of the 2013 contest.

Again overall a good Con, but I think some of the talks need to be more technical and in-depth next year.

To Trust or Not to Trust


Over the past three weeks an ongoing LinkedIn thread titled “Shall we trust our employees or not?” has continued to be a hot topic of debate. There simply appears to be no agreement among all the contributors.  Trust is relative.  You can always trust an employee or an organization, but the key is to what extent. You can also always trust that particular characteristics or actions will be repeated by each entity.  For example, some employees will always keep a secret while others will always tell at least one other person.  Therefore, you can trust one person to keep a secret and you can also trust the other person to tell your secret.  Simply put its a matter of behavior and action over time that should be used to build the trust model.

When referring to trust among organizations Section 2.6.1 Establishing Trust Among Organizations in NIST SP800-39 provides the best explanation.

Parties enter into trust relationships based on mission and business needs. Trust among parties typically exists along a continuum with varying degrees of trust achieved based on a number of factors. Organizations can still share information and obtain information technology services even if their trust relationship falls short of complete trust. The degree of trust required for organizations to establish partnerships can vary widely based on many factors including the organizations involved and the specifics of the situation (e.g., the missions, goals, and objectives of the potential partners, the criticality/sensitivity of activities involved in the partnership, the risk tolerance of the organizations participating in the partnership, and the historical relationship among the participants). Finally, the degree of trust among entities is not a static quality but can vary over time as circumstances change.

 

New To Lockpicking


What to buy and why?  What pick set is required?

Before you start Lockpicking what type of set and locks should you get.   Is an 18 pick set or an 8 pick set better?  After traveling to several different Lockpick villages and engaging in research about different types of locks there are a few things to understand.

I recently co-wrote up a blog that was posted on Open Security Research: Getting Started with Lockpicking about this topic. 

Check it out!