
  • Advancing SOC Triage & Investigation Through Destructive Object Insights

    ISMG SECURITY EXECUTIVE ROUNDTABLE sponsored by ReversingLabs

    Agenda

    5:30 – 6:00 p.m.

    Registration & Networking

    6:00 – 7:00 p.m.

    Roundtable Discussion

    7:00 – 9:00 p.m.

    Interactive Cooking Class & Dinner

  • Introduction

    Machine-speed attacks require a machine-speed response, yet many of today’s organizations still maintain legacy defenses and manual, outdated processes that are unable to meet today’s challenges.

    What should today’s SOC look like? And how can organizations create a “zero trust” stance and evaluate the integrity of all digital assets, yet still remain operationally competitive? How can SOC teams filter through volumes of data, identify high-risk threats and quickly pivot to resolve?

    This exclusive executive roundtable on Advancing SOC Triage & Investigation Through Destructive Object Insights will provide answers to these and other important questions.

    Guided by expert insights from Mario Vuksan, CEO and Co-Founder of event sponsor ReversingLabs, this invitation-only event will also draw from the experiences of the attendees, who will offer their views on how threat intelligence drives SOC automation and why breaking down complex digital objects is critical to exposing hidden malware that may put an organization at risk.

    Among the discussion topics:

    • What are the challenges of managing a SOC?

    • What investments would provide the greatest ROI for a SOC?

    • How is the threat landscape evolving?

    You’ll have the opportunity to discuss the topic with a handful of senior executives and market leaders in an informal, closed-door setting, from which you will emerge with new strategies and solutions you can immediately put to work.


  • Discussion Points

    Among the questions to be presented for open discourse:

    • How is the threat landscape evolving?

    • What are the challenges of running today’s SOC?

    • What should today’s SOC look like?

    • How can SOCs improve their triage capabilities?

    • What technologies show the greatest promise for dealing with today’s machine speed attacks?


  • About the Expert

    Joining our discussion today to share the latest insights and case studies is:

    Mario Vuksan

    Co-Founder and CEO, ReversingLabs

    Vuksan founded ReversingLabs in 2009. As CEO, he drives all aspects of the company's strategy, operations and implementation. Previously, Vuksan held senior technical positions at Bit9 (now Carbon Black), Microsoft, Groove Networks and PictureTel (now Polycom). He is the author of numerous research studies and speaks regularly at FS-ISAC, RSA, Black Hat and other leading security conferences.

    About ReversingLabs

    Through its Titanium Platform, ReversingLabs delivers automated static analysis and file reputation services that represent the fastest and most accurate insights in the industry, finding the hidden objects that destroy enterprise business value. ReversingLabs maintains the largest repository of malware and goodware in the industry, with more than 10 billion files and objects. And it’s the only vendor to speed analysis of files in milliseconds. ReversingLabs seamlessly integrates at scale across the enterprise with connectors that integrate with existing security investments, reducing SOC triage time with real-time decision support and automating investigation and control action for incident responders while providing continuous hunting through advanced tooling.


  • About the Moderator

    Leading our discussion today is:

    Nick Holland

    Director, Banking and Payments, Information Security Media Group

    Holland, an experienced security analyst, has spent the last decade focusing on the intersection of digital banking, payments and security technologies. He has spoken at a variety of conferences and events, including Mobile World Congress, Money2020, Next Bank and SXSW, and has been quoted by The Wall Street Journal, CNN Money, MSNBC, NPR, Forbes, Fortune, BusinessWeek, Time Magazine, The Economist and the Financial Times. He holds an MSc degree in information systems management from the University of Stirling, Scotland.

    About ISMG

    Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Each of our 28 media properties provides education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.


  • In advance of this event, ISMG’s Nick Holland spoke about SOC triage and investigation with Mario Vuksan of ReversingLabs. Here is an excerpt of that conversation.

    Evolving Threat Landscape

    NICK HOLLAND: How do you see the threat landscape evolving over the next two to three years?

    MARIO VUKSAN: Technology advances have always been the biggest generators of new threat vectors. As such, many organizations have realized several important things that will drive the threat landscape and protective postures in the coming years:

    • The layered security approach does not provide 100 percent coverage.

    • Addressing cyber risk has driven many organizations to form or outsource SOCs, build fusion centers and implement data lakes and file lakes.

    • Visibility drives risk reduction and provides action items for the first two tiers of SOC activity.

    • The “zero trust” philosophy is only good if red teams and threat hunters are continually evaluating the posture, allowing organizations to button down the security in advance of the known exploit and attack technique availability.

    • Cloud infrastructure down times, performance variability, cost lock-in and strategic single point of failure drive the move to the hybrid cloud. Organizations with resources continue to manage physical data centers to hedge their bets in case of catastrophic downtimes.

    • Destructive attacks could bring about corporate extinction events and worse. Imagine the scenario of waking up and all production servers, active directories and backups are wiped clean!

    Cloud Security

    HOLLAND: We're moving more apps and data to the cloud to manage costs and improve availability. What threats are most concerning?

    VUKSAN: The cloud has been a new paradigm calling for new and different application design. Simply virtualizing the physical solutions actually reduces the security posture as many controls are not available in that format in the cloud. Network security functions differently in the cloud. Lifespan of instances is much shorter. Data and application access have new ways of hardening, thus introducing new security vectors. Visibility for SOCs needs new data and application infrastructure that is independent of any platform, object size and type limitations.


    The cloud has certainly proven that it is a heterogeneous mix of technologies, platforms and programming languages that requires developers, DevOps and SOCs to work closely together.

    Large object sizes, reliance on third-party and open source libraries and frameworks, and non-traditional file type and application transaction formats have proven to be powerful conduits for infection and wholesale compromise for critical applications that shield intellectual property and, more importantly, marshal great quantities of sensitive if not personally sensitive data.

    Whether using traditional architecture in the cloud or migrating to services-based architectures, organizations need a universal way to analyze binary and text content, regardless of its size, for the presence of malware, backdoors, accidental credential leaks or security downgrade situations that may yield to exploitation.

    ReversingLabs provides an elastic infrastructure that can handle safe and cost-efficient inspection of all cloud stored files and objects. Simple Services are meant to be a one-stop-shop for all documents, firmware, software, financial transactions and other custom configuration and data file formats. In a safe and elastically scalable fashion, ReversingLabs can process Linux, Windows, MacOS content, containers, VMs, snapshots, healthcare records and financial transaction formats, among other types of objects that need to be validated, classified and deeply analyzed to provide visibility information to SOCs and other automated systems.

    SOC Challenges

    HOLLAND: It seems prudent that enterprises staff a full SOC, or perhaps have some shared responsibility with an MSSP, to manage the increasingly hostile digital environment. What are the challenges of managing a SOC?

    VUKSAN: A SOC is an essential part of the protective stack for any organization. It does not need to be entirely (or at all) staffed internally. However, it is essential that organizations implement an infrastructure that monitors logs, alerts and anomalous data from all digital and especially internet-connected systems.

    By implementing a SOC workflow, an organization increases visibility, reducing risk and generating the data that can quantify effectiveness and gaps associated with the existing protection measures.

    However, just processing alerts is not sufficient. Organizations need to track a decision matrix behind all investigated incidents. Does the organization lack supplemental information to be able to adequately make a decision? Were previously closed incidents false positives and false negatives? Are there patterns among wrong adjudications that are associated with certain technologies, personnel or pre-existing security policies?

    Understanding day-to-day challenges and goals for security operations will allow the management to accurately build a risk model for its cybersecurity exposure.


  • Key Investments

    HOLLAND: Where should SOCs be placing their investments today? What technologies show the most promise?

    VUKSAN: SOCs need to rely on infrastructure elements that give them absolute visibility over all aspects of the organization’s digital footprint.

    SOCs are an essential part of any organization’s risk strategy where information/protection gaps drive risk exposure. This starts with the understanding of any anomalies in an organization’s production network software and firmware stacks and ends with the operational data and application needs that the organization and its employees deal with on an everyday basis.

    From web and source code downloads, in-house software development to email-borne threats, endpoint, server, storage and cloud app data, organizations need efficient analysis infrastructure that focuses on data available in their networks and cloud deployments.

    Rich visibility over “locally” generated data allows for the best leverage of global threat intelligence feeds that can greatly accelerate alert/incident adjudication with second opinions on file and network classification, additional context and alerts on data disposition changes – such as understanding that a threat deemed uninteresting a week ago can now definitely be identified as malicious.

    Lessons Learned

    HOLLAND: Mario, you've been doing this for over 10 years now. What lessons can you share with us?

    VUKSAN: One should continuously evaluate technology advances and landscape evolution. Security is not a game of “whack a mole” but rather a strategic game theory exercise. Defenders need to be continually evaluating their posture to anticipate the adversary’s next move.

    Is our strategy and security posture good enough? How do we compare to our industry/geography peers? Are we the weakest link? If we’re doing well, what are the adversaries doing while we’re asleep? How will technology evolution allow adversaries to discover new attack vectors? What gaps are being exposed with my aging technology stack? Will my corporate technology stack outmaneuver the security protection layers? Can we recover from catastrophic incidents? If yes, then how soon and at what cost to us, our customers and the economy?

    ReversingLabs evolved by focusing on the essential technology evolution. Attackers are studying how we write software and firmware applications and how we structure documents as well as financial, healthcare and other business transactions. They are looking for advantage through stealth, speed of evolution and insight, knowing full well that defenders cannot anticipate their every move.

    We have focused on understanding the tools, techniques and execution environments where the adversary is looking to get the greatest advantage. In this way, we have understood from very early on that the compute is moving to the cloud and that the objects will be more complex, larger and heterogeneous than traditional technologies were ever able to handle. We understood that the compute and control effect of large-scale detonation will never be able to keep up with attackers’ ability to evolve.

    That’s why we invested in stealth, avoided being pigeonholed into any given corner, embraced elastic computing and focused on understanding data complexity that gives defenders information to make quick and accurate decisions and gives sufficient context to threat hunters to investigate scenarios that we do not know how to describe today.
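    Added worked example (not part of the brochure, the interview, or any ReversingLabs product or API): the interview above twice describes a mechanism rather than a product, first the "decision matrix" behind closed incidents (which closures later turn out to be false negatives, and whether they cluster around a tier or an ingest path), then "alerts on data disposition changes" (a file closed as uninteresting last week that a refreshed reputation source now calls malicious). The Python script below models both over a constructed set of closed incidents. The reputation lookup is a hypothetical in-memory dictionary standing in for a real feed, and the hashes are placeholders, not real files.

```python
"""Retrospective re-adjudication of closed file verdicts.

Illustrative example written for this page; not ReversingLabs' code.
It re-checks every closed incident against today's reputation answers,
reports incidents whose disposition has worsened (to be reopened), and
tallies those wrong closures by analyst tier and by ingest source so a
SOC can see where mis-adjudications cluster.
"""
from collections import Counter
from dataclasses import dataclass

# Ordered so that a higher value is a worse disposition.
SEVERITY = {"known_good": 0, "unknown": 1, "suspicious": 2, "malicious": 3}


@dataclass(frozen=True)
class ClosedVerdict:
    sha256: str
    classification: str  # one of SEVERITY's keys, as recorded when the incident was closed
    closed_by: str       # analyst tier that closed it
    source: str          # ingest path the object arrived through


# Constructed sample: four incidents closed at triage time (placeholder hashes).
CLOSED = [
    ClosedVerdict("11" * 32, "known_good", "tier1", "email-gateway"),
    ClosedVerdict("22" * 32, "known_good", "tier1", "web-proxy"),
    ClosedVerdict("33" * 32, "unknown",    "tier2", "web-proxy"),
    ClosedVerdict("44" * 32, "suspicious", "tier2", "endpoint"),
]

# Constructed sample of today's reputation answers (hypothetical feed, assumed
# shape: sha256 -> classification). "44"*32 is absent, which is treated as
# "unknown" (no opinion), never as clean.
REPUTATION_TODAY = {
    "11" * 32: "malicious",
    "22" * 32: "known_good",
    "33" * 32: "suspicious",
}


def disposition_changes(closed, reputation):
    """Return (verdict, new_classification) for each closed incident whose
    current reputation differs from the classification it was closed with."""
    changes = []
    for v in closed:
        new = reputation.get(v.sha256, "unknown")
        if new != v.classification:
            changes.append((v, new))
    return changes


def escalations(changes):
    """Keep only changes that got worse; these are the incidents to reopen.
    A downgrade (e.g. suspicious -> unknown) is informational only."""
    return [(v, new) for v, new in changes
            if SEVERITY[new] > SEVERITY[v.classification]]


def misadjudications_by(field, escalated):
    """Decision-matrix view: count reopened incidents by 'closed_by' or
    'source' so wrong closures can be traced to a tier or an ingest path."""
    return Counter(getattr(v, field) for v, _ in escalated)


def reopen_report(closed, reputation):
    """One full pass; the dict is what a dashboard or ticket update would consume."""
    esc = escalations(disposition_changes(closed, reputation))
    return {
        "reopen": [(v.sha256, v.classification, new) for v, new in esc],
        "by_tier": dict(misadjudications_by("closed_by", esc)),
        "by_source": dict(misadjudications_by("source", esc)),
    }


if __name__ == "__main__":
    report = reopen_report(CLOSED, REPUTATION_TODAY)
    for sha, old, new in report["reopen"]:
        print(f"REOPEN {sha[:12]}... {old} -> {new}")
    print("wrong closures by tier:  ", report["by_tier"])
    print("wrong closures by source:", report["by_source"])
```

    On the sample data the first and third incidents are reopened (known_good became malicious, unknown became suspicious); the fourth changed but only downgraded, so it is listed as a change and not as an escalation. Running this on a schedule against a real reputation source, and keeping the closed_by and source fields populated at triage time, is what turns "we closed it" into data the SOC can measure.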


  • 902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io


    Contact

    (800) 944-0401 • [email protected]
