-
Advancing SOC Triage & Investigation Through Destructive Object Insights
ISMG SECURITY EXECUTIVE ROUNDTABLE
Sponsored by ReversingLabs
Agenda
5:30 – 6:00 p.m.
Registration & Networking
6:00 – 7:00 p.m.
Roundtable Discussion
7:00 – 9:00 p.m.
Interactive Cooking Class & Dinner
-
Introduction
Machine-speed attacks require a machine-speed response, yet many
of today’s organizations still maintain legacy defenses and manual,
outdated processes that are unable to meet today’s challenges.
What should today’s SOC look like? And how can organizations create a “zero trust” stance and evaluate
the integrity of all digital assets, yet still remain operationally competitive? How can SOC teams filter
through volumes of data, identify high-risk threats and quickly pivot to resolve?
This exclusive executive roundtable on Advancing SOC Triage & Investigation Through Destructive
Object Insights will provide answers to these and other important questions.
Guided by expert insights from Mario Vuksan, CEO and Co-Founder of event sponsor ReversingLabs,
this invitation-only event will also draw from the experiences of the attendees, who will offer their views
on how threat intelligence drives SOC automation and why breaking down complex digital objects is
critical to exposing hidden malware that may put an organization at risk.
Among the discussion topics:
• What are the challenges of managing a SOC?
• What investments would provide the greatest ROI for a SOC?
• How is the threat landscape evolving?
You’ll have the opportunity to discuss the topic with a handful of senior executives and market leaders in
an informal, closed-door setting, from which you will emerge with new strategies and solutions you can
immediately put to work.
Advancing SOC Triage & Investigation Through Destructive Object Insights 2
-
Discussion Points
Among the questions to be presented for open discourse:
• How is the threat landscape evolving?
• What are the challenges of running today’s SOC?
• What should today’s SOC look like?
• How can SOCs improve their triage capabilities?
• What technologies show the greatest promise for dealing with today’s machine speed attacks?
-
About the Expert
Joining our discussion today to share the latest insights and case studies is:
Mario Vuksan
Co-Founder and CEO, ReversingLabs
Vuksan founded ReversingLabs in 2009. As CEO, he drives all aspects of the company's strategy,
operations and implementation. Previously, Vuksan held senior technical positions at Bit9 (now Carbon
Black), Microsoft, Groove Networks and PictureTel (now Polycom). He is the author of numerous research
studies and speaks regularly at FS-ISAC, RSA, Black Hat and other leading security conferences.
About ReversingLabs
Through its Titanium Platform, ReversingLabs delivers automated static analysis and file reputation
services that represent the fastest and most accurate insights in the industry, finding the hidden objects
that destroy enterprise business value. ReversingLabs maintains the largest repository of malware and
goodware in the industry, with more than 10 billion files and objects. And it’s the only vendor to speed
analysis of files in milliseconds. ReversingLabs seamlessly integrates at scale across the enterprise with
connectors that integrate with existing security investments, reducing SOC triage time with real-time
decision support and automating investigation and control action for incident responders while providing
continuous hunting through advanced tooling.
-
About the Moderator
Leading our discussion today is:
Nick Holland
Director, Banking and Payments, Information Security Media Group
Holland, an experienced security analyst, has spent the last decade focusing on the intersection of
digital banking, payments and security technologies. He has spoken at a variety of conferences and
events, including Mobile World Congress, Money2020, Next Bank and SXSW, and has been quoted by
The Wall Street Journal, CNN Money, MSNBC, NPR, Forbes, Fortune, BusinessWeek, Time Magazine,
The Economist and the Financial Times. He holds an MSc degree in information systems management
from the University of Stirling, Scotland.
About ISMG
Information Security Media Group (ISMG) is the world’s largest media organization devoted solely
to information security and risk management. Each of our 28 media properties provides education,
research and news that is specifically tailored to key vertical sectors including banking, healthcare
and the public sector; geographies from North America to Southeast Asia; and topics such as
data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects
senior security professionals with industry thought leaders to find actionable solutions for pressing
cybersecurity challenges.
-
In advance of this event, ISMG’s Nick Holland spoke about SOC
triage and investigation with Mario Vuksan of ReversingLabs. Here
is an excerpt of that conversation.
Evolving Threat Landscape
NICK HOLLAND: How do you see the threat landscape evolving
over the next two to three years?
MARIO VUKSAN: Technology advances have always been
the biggest generators of new threat vectors. As such, many
organizations have realized several important things that will drive
the threat landscape and protective postures in the coming years:
• The layered security approach does not provide 100 percent
coverage.
• Addressing cyber risk has driven many organizations to form or
outsource SOCs, build fusion centers and implement data lakes
and file lakes.
• Visibility drives risk reduction and provides action items for the
first two tiers of SOC activity.
• The “zero trust” philosophy is only good if red teams and
threat hunters are continually evaluating the posture, allowing
organizations to button down the security in advance of the
known exploit and attack technique availability.
• Cloud infrastructure down times, performance variability, cost
lock-in and strategic single point of failure drive the move to the
hybrid cloud. Organizations with resources continue to manage
physical data centers to hedge their bets in case of catastrophic
downtimes.
• Destructive attacks could bring about corporate extinction events
and worse. Imagine the scenario of waking up and all production
servers, active directories and backups are wiped clean!
Cloud Security
HOLLAND: We're moving more apps and data to the cloud to
manage costs and improve availability. What threats are most
concerning?
VUKSAN: The cloud has been a new paradigm calling for new
and different application design. Simply virtualizing the physical
solutions actually reduces the security posture as many controls are
not available in that format in the cloud. Network security functions
differently in the cloud. Lifespan of instances is much shorter.
Data and application access have new ways of hardening, thus
introducing new security vectors. Visibility for SOCs needs new data
and application infrastructure that is independent of any platform,
object size and type limitations.
-
The cloud has certainly proven that it is a heterogeneous mix of technologies, platforms
and programming languages that requires developers, DevOps and SOCs to work closely
together.
Large object sizes, reliance on third-party and open source libraries and frameworks, and
non-traditional file type and application transactions formats have proven to be powerful
conduits for infection and wholesale compromise for critical applications that shield
intellectual property and, more importantly, marshal great quantities of sensitive if not
personally sensitive data.
Whether using traditional architecture in the cloud or migrating to services-based
architectures, organizations need a universal way to analyze binary and text content,
regardless of its size, for the presence of malware, backdoors, accidental credential leaks or
security downgrade situations that may yield to exploitation.
ReversingLabs provides an elastic infrastructure that can handle safe and cost-efficient
inspection of all cloud stored files and objects. Simple Services are meant to be a one-
stop-shop for all documents, firmware, software, financial transactions and other custom
configuration and data file formats. In a safe and elastically scalable fashion, ReversingLabs
can process Linux, Windows, MacOS content, containers, VMs, snapshots, healthcare
records and financial transaction formats, among other types of objects that need to be
validated, classified and deeply analyzed to provide visibility information to SOCs and other
automated systems.
SOC Challenges
HOLLAND: It seems prudent that enterprises staff a full SOC, or perhaps have some shared
responsibility with an MSSP, to manage the increasingly hostile digital environment. What are
the challenges of managing a SOC?
VUKSAN: A SOC is an essential part of the protective stack for any organization. It does not
need to be entirely (or at all) staffed internally. However, it is essential that organizations
implement an infrastructure that monitors logs, alerts and anomalous data from all digital and
especially internet-connected systems.
By implementing a SOC workflow, an organization increases visibility, reducing risk and
generating the data that can quantify effectiveness and gaps associated with the existing
protection measures.
However, just processing alerts is not sufficient. Organizations need to track a decision
matrix behind all investigated incidents. Does the organization lack supplemental information
to be able to adequately make a decision? Were previously closed incidents false positives
and false negatives? Are there patterns among wrong adjudications that are associated with
certain technologies, personnel or pre-existing security policies?
Understanding day-to-day challenges and goals for security operations will allow the
management to accurately build a risk model for its cybersecurity exposure.
-
Key Investments
HOLLAND: Where should SOCs be placing their investments today? What technologies
show the most promise?
VUKSAN: SOCs need to rely on infrastructure elements that give them absolute visibility
over all aspects of the organization’s digital footprint.
SOCs are an essential part of any organization’s risk strategy where information/
protection gaps drive risk exposure. This starts with the understanding of any anomalies
in an organization’s production network software and firmware stacks and ends with the
operational data and applications needs that the organization and its employees deal with
on an everyday basis.
From web and source code downloads, in-house software development to email-borne
threats, endpoint, server, storage and cloud app data, organizations need efficient analysis
infrastructure that focuses on data available in their networks and cloud deployments.
Rich visibility over “locally” generated data allows for the best leverage of global threat
intelligence feeds that can greatly accelerate alert/incident adjudication with second
opinions on file and network classification, additional context and alerts on data disposition
changes – such as understanding that a threat deemed uninteresting a week ago can now
definitely be identified as malicious.
Lessons Learned
HOLLAND: Mario, you've been doing this for over 10 years now. What lessons can you
share with us?
VUKSAN: One should continuously evaluate technology advances and landscape evolution.
Security is not a game of “whack a mole” but rather a strategic game theory exercise.
Defenders need to be continually evaluating their posture to anticipate the adversary’s next
move.
Is our strategy and security posture good enough? How do we compare to our industry/
geography peers? Are we the weakest link? If we’re doing well, what are the adversaries
doing while we’re asleep? How will technology evolution allow adversaries to discover new
attack vectors? What gaps are being exposed with my aging technology stack? Will my
corporate technology stack outmaneuver the security protection layers? Can we recover
from catastrophic incidents? If yes, then how soon and at what cost to us, our customers and
the economy?
ReversingLabs evolved by focusing on the essential technology evolution. Attackers are
studying how we write software and firmware applications and how we structure documents
as well as financial, healthcare and other business transactions. They are looking for
advantage through stealth, speed of evolution and insight, knowing full well that defenders
cannot anticipate their every move.
We have focused on understanding the tools, techniques and execution environments where
the adversary is looking to get the greatest advantage. In this way, we have understood
from very early on that the compute is moving to the cloud and that the objects will be more
complex, larger and heterogeneous than traditional technologies were ever able to handle.
We understood that the compute and control effect of large-scale detonation will never be
able to keep up with attacker’s ability to evolve.
That’s why we invested in stealth, avoided being pigeonholed into any given corner,
embraced elastic computing and focused on understanding data complexity that gives
defenders information to make quick and accurate decisions and gives sufficient context to
threat hunters to investigate scenarios that we do not know how to describe today.
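The decision matrix Vuksan describes for closed incidents (were closures false positives or false negatives; do wrong adjudications cluster by technology, personnel or policy) and the disposition-change alerting he mentions under Key Investments (a file judged uninteresting last week is now classified malicious) can be put into working code. The following is an added example, not code from ReversingLabs or from the interview; the incident record fields, the two reputation snapshots, the analyst and tool names and the hashes are all constructed for illustration.

```python
"""Tracking SOC triage decisions and re-adjudicating them on reputation changes.

Added example, not ReversingLabs' or ISMG's code. Incident records, the
reputation snapshots and their field names are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class TriageDecision:
    """One closed incident plus the decision matrix behind it (constructed fields)."""
    incident_id: str
    sha256: str
    verdict: str          # "benign" | "malicious" | "suspicious"
    closed_at: datetime
    analyst: str
    source_tool: str      # control that raised the alert
    policy: str           # pre-existing policy applied at closure
    had_context: bool     # was supplemental intel available when it was closed?


# Constructed reputation snapshots: sha256 -> classification at that time.
REPUTATION_T0 = {
    "a" * 64: "known_good",
    "b" * 64: "unknown",
    "c" * 64: "malicious",
    "d" * 64: "unknown",
}
REPUTATION_T1 = {
    "a" * 64: "known_good",
    "b" * 64: "malicious",   # disposition changed after the incident was closed
    "c" * 64: "malicious",
    "d" * 64: "known_good",  # disposition changed: the block was a false positive
}

NOW = datetime(2019, 6, 1)
# Constructed closed incidents.
DECISIONS = [
    TriageDecision("INC-1", "a" * 64, "benign", NOW - timedelta(days=7), "alice", "edr", "allow-signed", True),
    TriageDecision("INC-2", "b" * 64, "benign", NOW - timedelta(days=7), "bob", "mail-gw", "allow-signed", False),
    TriageDecision("INC-3", "c" * 64, "benign", NOW - timedelta(days=3), "bob", "mail-gw", "allow-signed", False),
    TriageDecision("INC-4", "d" * 64, "malicious", NOW - timedelta(days=2), "alice", "proxy", "block-unknown", False),
]


def is_wrong(decision: TriageDecision, reputation: dict) -> bool:
    """False negative: closed benign but now malicious. False positive: closed malicious but now known good."""
    current = reputation.get(decision.sha256, "unknown")
    if decision.verdict == "benign" and current == "malicious":
        return True
    if decision.verdict == "malicious" and current == "known_good":
        return True
    return False


def reopen_on_disposition_change(decisions, old_rep, new_rep):
    """IDs of closed incidents whose hash changed classification and now contradicts the verdict."""
    reopen = []
    for d in decisions:
        before = old_rep.get(d.sha256, "unknown")
        after = new_rep.get(d.sha256, "unknown")
        if before != after and is_wrong(d, new_rep):
            reopen.append(d.incident_id)
    return reopen


def wrong_adjudication_patterns(decisions, reputation):
    """Count wrong closures by tool, analyst and policy, and how many lacked supplemental context."""
    wrong = [d for d in decisions if is_wrong(d, reputation)]
    return {
        "total_wrong": len(wrong),
        "by_tool": Counter(d.source_tool for d in wrong),
        "by_analyst": Counter(d.analyst for d in wrong),
        "by_policy": Counter(d.policy for d in wrong),
        "missing_context": sum(1 for d in wrong if not d.had_context),
    }


if __name__ == "__main__":
    print("reopen:", reopen_on_disposition_change(DECISIONS, REPUTATION_T0, REPUTATION_T1))
    print("patterns:", wrong_adjudication_patterns(DECISIONS, REPUTATION_T1))
```

The re-open check fires only when a hash's classification actually moved between the two snapshots, which is the "disposition change" alert from the interview. INC-3 in the sample was closed benign while the feed already said malicious, so it never appears in the re-open list; it is caught instead by the pattern report, which is the check that exposes closures made without supplemental context and shows whether they cluster on one gateway, one analyst or one allow policy.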
902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io
Contact
(800) 944-0401 • [email protected]