How to Enhance Efficiency for Your SOC in the AWS Cloud

©2020 SANS™ Institute | www.sans.org | Sponsored by: (sponsor logo)

Transcript of How to Enhance Efficiency for Your SOC in the AWS Cloud

Page 1: How to Enhance Efficiency for Your SOC in the AWS Cloud


How to Enhance Efficiency for Your SOC in the AWS Cloud

Page 2: How to Enhance Efficiency for Your SOC in the AWS Cloud


Today’s Speakers

• Dave Shackleford – SANS Analyst

• Nam Le – AWS Specialist Solutions Architect


Page 3: How to Enhance Efficiency for Your SOC in the AWS Cloud


Today’s Agenda

• Working with a Cloud-Native SIEM

• Defining the Cloud SOC

• Improving SOC Analyst Effectiveness and Efficiency

• Next Steps: Security Operations Maturity Through Cloud-Native Enablement

• Solutions in AWS Marketplace

• Customer Success Stories


Page 4: How to Enhance Efficiency for Your SOC in the AWS Cloud

Introduction

• In the SANS survey “Closing the Critical Skills Gap for Modern and Effective Security Operations Centers (SOCs),” respondents identified their top needs:

– Overall security operational skills

– Security event management

– Cloud-focused security operations

Page 5: How to Enhance Efficiency for Your SOC in the AWS Cloud

What’s Driving These Changes?

• Several primary factors drive this need to update and change technologies and processes for a cloud-focused SOC:

– Larger technology footprint

– Shared security

– More event data

– Decreased visibility

• The cloud brings enough changes to necessitate a new approach to the many tools, services, processes and skills that security operations teams have relied upon for years.

Page 6: How to Enhance Efficiency for Your SOC in the AWS Cloud

Working with a Cloud-Native SIEM

• With the shift to cloud, it’s undoubtedly time for SIEM tools to evolve.

• Today, especially for large organizations, maintaining an on-premises SIEM deployment can be extremely expensive.

• A benefit of moving SIEM to the cloud is the possible unification of event data from both on-premises infrastructure and cloud-native assets.

Page 7: How to Enhance Efficiency for Your SOC in the AWS Cloud

Cloud SIEM: Deep Expertise in Cloud-Specific Events

• MITRE ATT&CK® is a mature attack life cycle that includes the following stages:

– Initial Access

– Persistence

– Privilege Escalation

– Defense Evasion

– Credential Access

– Discovery

– Lateral Movement

– Collection

– Exfiltration

– Impact

Page 8: How to Enhance Efficiency for Your SOC in the AWS Cloud

MITRE Enterprise ATT&CK® Matrix

(image: MITRE Enterprise ATT&CK matrix, cloud view)

Source: https://attack.mitre.org/matrices/enterprise/cloud/

MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

Page 9: How to Enhance Efficiency for Your SOC in the AWS Cloud

Cloud SIEM: Cloud Threat Intelligence

• Cyber threat intelligence (CTI) is a growing area for many security teams.

• Despite its obvious usefulness, organizations face challenges in starting or improving a CTI program.

• These challenges include a lack of skills in the community, integration challenges, and lack of sound standards and maturity in threat intelligence data feeds.

Page 10: How to Enhance Efficiency for Your SOC in the AWS Cloud

Cloud SIEM: Cloud Threat Intelligence

• Teams can improve their threat intelligence programs by:

– Gathering internal security event data and training internal teams on improving detection and prevention metrics

– Finding the most effective intelligence data feeds and sources by asking vendors and providers questions

– Determining how best to integrate threat intelligence data into SIEM platforms or standalone collectors

Page 11: How to Enhance Efficiency for Your SOC in the AWS Cloud


Cloud SIEM: Cloud Threat Intelligence


• When it comes to cloud-focused threat intelligence, many internal teams face a challenge with collecting and analyzing data that might prove useful in refining security operations functions.

– SOC teams are looking to cloud service providers and third-party cloud SIEM solutions to help.

• A dedicated cloud-based and cloud-native SIEM service should be able to help SOC teams quickly and effectively search for compromised assets based on indicators provided, events generated on workloads and within the cloud infrastructure, or communications with known malicious IP addresses and domains.

• The goals of cloud-centric threat intelligence should be finding and remediating incidents based on the intelligence.

Page 12: How to Enhance Efficiency for Your SOC in the AWS Cloud

Cloud SIEM: Deep Integration of Cloud Providers’ APIs

• Another key benefit of a cloud-native SIEM is deep integration with cloud provider APIs and services that might allow for better streaming of events to a central analysis environment and more capable event detection.

• Cloud SIEM platforms can also leverage big data analytics to process event data in large quantities.

• A cloud-native approach enables SOC teams to implement and benefit from rapid API integrations with both cloud provider APIs and third-party platforms used in the chosen cloud environment.

Page 13: How to Enhance Efficiency for Your SOC in the AWS Cloud

Defining the Cloud SOC: SOC Structure

• In terms of structure, little changes in the cloud.

• There might be some additional cloud-specific roles and titles within the security operations and investigations teams.

Page 14: How to Enhance Efficiency for Your SOC in the AWS Cloud

Defining the Cloud SOC: Cloud-Specific Team Roles

• Team roles will likely include:

– SOC manager

– Tier 1 analysts

– Tier 2 analysts

– Incident responders

– Threat intelligence analysts

– Threat hunting analysts

– Forensic analysts

– Malware reverse engineering analysts

(diagram: People, Process, Technology)

Page 15: How to Enhance Efficiency for Your SOC in the AWS Cloud

Defining the Cloud SOC: SOC Workflows

• SOC workflows will also likely change when enabling the team for cloud-based detection and response.

• Once cloud event data is being collected and aggregated, and a cloud-native SIEM is in use, analysts need to sift through all the various events and start prioritizing them:

– Add context.

– Define priorities.

– Tune alerts.

Page 16: How to Enhance Efficiency for Your SOC in the AWS Cloud

Defining the Cloud SOC: SOC Workflows

• Once important events and correlation cases are built, workflow and process updates should be refined to improve speed and efficiency in cloud investigations:

– Collaboration

– Centralized services

– Automated response actions

– Automated queries and scripts

• Many core processes and practices won’t need a complete overhaul, but most SOC workflows will require at least some tuning for the cloud.

Page 17: How to Enhance Efficiency for Your SOC in the AWS Cloud

The Role of Automation in the Cloud-Enabled SOC

• Common activities that can be partially or completely automated in the cloud include:

– Alerting and correlating events

– Suppressing false positives at scale

– Investigating and hunting for threats and IoCs

– Managing tickets and cases

– Generating reports and long-term metrics

Page 18: How to Enhance Efficiency for Your SOC in the AWS Cloud

The Role of Automation in the Cloud-Enabled SOC: An Example

1. AWS CloudTrail generates an event for suspicious activity from an Amazon EC2 instance, which is then sent to a central Amazon CloudWatch log group for aggregation.

2. An Amazon CloudWatch metric is triggered, sending an alarm via email to a central SOC account.

3. An automated AWS Lambda function parses the Amazon CloudWatch log group, detects the specific API event and triggers the following actions:

a. An automated Amazon Inspector scan is started on the Amazon EC2 instance to detect vulnerabilities.

(steps continue on next slide)

Page 19: How to Enhance Efficiency for Your SOC in the AWS Cloud

The Role of Automation in the Cloud-Enabled SOC: An Example

(steps continued from previous slide)

b. The security group assigned to the Amazon EC2 instance is changed to a more restricted set of rules that only allows SSH access to the instance from the SOC team.

c. An automated AWS Systems Manager script is run that creates a snapshot of the EBS disk volume, as well as live memory collection. These evidence items are then automatically copied to a separate Amazon S3 bucket, which the SOC team controls.

4. The SOC team can run automated investigation scripts and threat hunting tools against collected evidence to see if any IoCs are detected, possibly compared to threat intelligence feeds or data.
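The automation flow on the two slides above, as an added worked example that is not part of the SANS/AWS deck: a Lambda-style handler in Python that unpacks the CloudWatch Logs subscription payload (step 1), picks out watched API calls made with an EC2 instance's role credentials (step 3), and expresses the containment actions of steps 3a to 3c as an ordered list of AWS API calls. The watch list, security-group ID, evidence bucket, Inspector assessment-template ARN and the on-host memory-capture script are placeholders; the AWS clients are injected so the logic runs offline against a constructed sample (in production the dict would hold `boto3.client("ec2")`, `boto3.client("inspector")` and `boto3.client("ssm")`). Step 2, the CloudWatch metric alarm, is account configuration rather than code and is not shown.

```python
import base64
import gzip
import json
import re

# Placeholder watch list; real detection content is tuned per environment.
WATCHED_API_CALLS = {"AuthorizeSecurityGroupIngress", "CreateUser", "PutBucketPolicy"}
# Instance-profile credentials appear in CloudTrail as an assumed-role session whose
# session name is the instance ID, so the caller ARN ends in ".../i-<hex>".
_INSTANCE_SESSION = re.compile(r"assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

def decode_subscription_event(event):
    """Step 1: unpack the base64 + gzip payload CloudWatch Logs hands a subscriber."""
    return json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))

def instance_id_from_record(record):
    """Instance ID if the call used instance-role credentials, else None."""
    match = _INSTANCE_SESSION.search(record.get("userIdentity", {}).get("arn", ""))
    return match.group(1) if match else None

def find_suspicious_calls(payload, watched=WATCHED_API_CALLS):
    """Step 3: watched API calls that originated from an EC2 instance."""
    hits = []
    for log_event in payload.get("logEvents", []):
        try:
            record = json.loads(log_event["message"])
        except (KeyError, ValueError):
            continue  # not a CloudTrail JSON line; skip instead of crashing the function
        if isinstance(record, dict) and record.get("eventName") in watched \
                and instance_id_from_record(record):
            hits.append(record)
    return hits

def build_containment_plan(record, quarantine_sg, evidence_bucket, assessment_template_arn):
    """Steps 3a-3c as ordered (service, method, kwargs) triples; every ID is a placeholder."""
    instance_id = instance_id_from_record(record)
    evidence_prefix = f"s3://{evidence_bucket}/{instance_id}/{record['eventID']}/"
    return [
        # 3a: Inspector Classic targets instances by tag, so tag it, then start the run.
        ("ec2", "create_tags", {"Resources": [instance_id],
                                 "Tags": [{"Key": "SOC-Quarantine", "Value": "true"}]}),
        ("inspector", "start_assessment_run", {"assessmentTemplateArn": assessment_template_arn,
                                               "assessmentRunName": f"soc-{instance_id}"}),
        # 3b: replace every security group on the instance with the SOC-only group.
        ("ec2", "modify_instance_attribute", {"InstanceId": instance_id, "Groups": [quarantine_sg]}),
        # 3c: snapshot all attached EBS volumes, then capture memory on the host through
        # Systems Manager and copy it to the SOC-controlled bucket.
        ("ec2", "create_snapshots", {"InstanceSpecification": {"InstanceId": instance_id},
                                      "Description": f"SOC evidence {record['eventID']}"}),
        ("ssm", "send_command", {"InstanceIds": [instance_id], "DocumentName": "AWS-RunShellScript",
                                 "Parameters": {"commands": [
                                     "/opt/forensics/capture-memory.sh /tmp/memory.lime",  # hypothetical
                                     f"aws s3 cp /tmp/memory.lime {evidence_prefix}memory.lime"]}}),
    ]

def handler(event, context=None, clients=None, **config):
    """Lambda entry point: decode, detect, and contain when AWS clients are supplied."""
    hits = find_suspicious_calls(decode_subscription_event(event))
    plans = [build_containment_plan(r, **config) for r in hits]
    for plan in (plans if clients is not None else []):
        for service, method, kwargs in plan:
            getattr(clients[service], method)(**kwargs)  # boto3 call in production
    return {"matched": len(hits), "plans": plans}

class RecordingClient:
    """Stand-in for a boto3 client: records calls instead of touching AWS."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
        return call

def make_sample_event(records):
    """Wrap CloudTrail records the way CloudWatch Logs delivers them to a Lambda."""
    payload = {"messageType": "DATA_MESSAGE", "owner": "111122223333", "logGroup": "CloudTrail/central",
               "logStream": "stream-1", "logEvents": [{"id": str(i), "timestamp": 0, "message": json.dumps(r)}
                                                      for i, r in enumerate(records)]}
    return {"awslogs": {"data": base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()}}

# Constructed sample records: one made with an instance role, one by an IAM user.
INSTANCE_RECORD = {"eventID": "00000000-0000-0000-0000-000000000001", "eventSource": "ec2.amazonaws.com",
                   "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "10.0.1.23",
                   "userIdentity": {"type": "AssumedRole",
                                    "arn": "arn:aws:sts::111122223333:assumed-role/WebRole/i-0abc123def4567890"}}
USER_RECORD = {"eventID": "00000000-0000-0000-0000-000000000002", "eventSource": "iam.amazonaws.com",
               "eventName": "CreateUser", "sourceIPAddress": "203.0.113.5",
               "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}}

def demo():
    """Offline run over the constructed sample; returns the result and the recorded calls."""
    clients = {"ec2": RecordingClient(), "inspector": RecordingClient(), "ssm": RecordingClient()}
    result = handler(make_sample_event([INSTANCE_RECORD, USER_RECORD]), clients=clients,
                     quarantine_sg="sg-0123456789abcdef0", evidence_bucket="soc-evidence-placeholder",
                     assessment_template_arn="arn:aws:inspector:REGION:111122223333:target/0-X/template/0-Y")
    return result, clients
```

Two design points worth noting: the `CreateUser` record from an IAM user is ignored even though it is on the watch list, because the slide's trigger is activity from an EC2 instance and the instance ID is what every containment action needs; and the plan is built as data before anything is executed, so the same function can be exercised offline, logged for the SOC's record, or fed to real clients in the Lambda.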

Page 20: How to Enhance Efficiency for Your SOC in the AWS Cloud

Improving SOC Analyst Effectiveness and Efficiency

• A good cloud SIEM should enhance SOC analyst productivity and efficiency with:

– Prioritized cloud environment alerts

– Attack timelines

– Integration with cloud APIs for automation

• Another key aspect of a cloud-focused SOC strategy should be alignment with industry leading attack frameworks, such as MITRE ATT&CK.

Page 21: How to Enhance Efficiency for Your SOC in the AWS Cloud

Improving SOC Analyst Effectiveness and Efficiency

• Examples of great SOC metrics that can help determine cloud security effectiveness include:

– Mean time to detect events

– Mean time to respond (opening tickets, for example)

– Mean time to close (entire investigation completion)

– Threat intelligence dissemination time (detection and aggregation of IoCs and other items of interest being distributed to threat hunting teams and others as needed)

– Time to sweep the environment (threat hunting for specific indicators)

– Mean/median adversary dwell time

– Time waiting on “other teams to do things”

– Cases left open by initial reporting/detection type

Page 22: How to Enhance Efficiency for Your SOC in the AWS Cloud

Improving SOC Analyst Effectiveness and Efficiency

• There are also many metrics specific to analyst performance that organizations can use:

– Number of alerts triaged in last 30 days

– True positive rate for escalations

– Number of escalated cases handled in last 30 days

– Mean time to close a case

– Number of analytics/detections created that are currently in production

– Number of detections modified that are currently in production

– Success/fail rate of queries executed in last 30 days

– Median runtime per query
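The metrics on the two slides above (mean time to detect, respond and close, mean/median dwell time, cases left open by detection type, true positive rate for escalations, alerts triaged in the last 30 days), as an added worked example that is not part of the deck: a Python function that computes them from a list of case records. The `Case` record, the five sample cases and the fixed reference time are constructed; how "dwell time" is measured (first malicious activity until the case closed) is an assumption, noted in the code, and teams should pin down their own definition before comparing numbers across periods.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional

@dataclass
class Case:
    case_id: str
    detection_type: str                   # how the case was first raised
    first_malicious_activity: datetime    # earliest adversary activity the investigation found
    detected_at: datetime                 # when the SOC first saw it
    ticket_opened_at: datetime            # initial response
    closed_at: Optional[datetime]         # None while the investigation is still open
    escalated: bool                       # passed from Tier 1 to Tier 2
    true_positive: Optional[bool]         # verdict after investigation; None if not yet decided

def _hours(delta):
    return delta.total_seconds() / 3600

def soc_metrics(cases, now, window_days=30):
    """Slide metrics in hours, counts or rates over a list of Case records."""
    if not cases:
        return {}
    closed = [c for c in cases if c.closed_at is not None]
    escalated = [c for c in cases if c.escalated]
    window_start = now - timedelta(days=window_days)
    # Assumption: dwell time runs from first malicious activity until the case closed
    # (containment complete), so only closed cases contribute.
    dwell = [_hours(c.closed_at - c.first_malicious_activity) for c in closed]
    return {
        "mean_time_to_detect_h": mean(_hours(c.detected_at - c.first_malicious_activity) for c in cases),
        "mean_time_to_respond_h": mean(_hours(c.ticket_opened_at - c.detected_at) for c in cases),
        "mean_time_to_close_h": mean(_hours(c.closed_at - c.detected_at) for c in closed) if closed else None,
        "dwell_time_mean_h": mean(dwell) if dwell else None,
        "dwell_time_median_h": median(dwell) if dwell else None,
        "escalation_true_positive_rate":
            sum(1 for c in escalated if c.true_positive) / len(escalated) if escalated else None,
        "open_cases_by_detection_type": dict(Counter(c.detection_type for c in cases if c.closed_at is None)),
        "cases_triaged_in_window": sum(1 for c in cases if c.detected_at >= window_start),
    }

# Constructed sample: four cases from June 2020 and one older case outside the 30-day window.
NOW = datetime(2020, 6, 30)
SAMPLE_CASES = [
    Case("C-1", "GuardDuty", datetime(2020, 6, 1), datetime(2020, 6, 1, 2),
         datetime(2020, 6, 1, 2, 30), datetime(2020, 6, 2, 2), True, True),
    Case("C-2", "User report", datetime(2020, 6, 10), datetime(2020, 6, 12),
         datetime(2020, 6, 12, 4), None, True, True),
    Case("C-3", "GuardDuty", datetime(2020, 6, 20), datetime(2020, 6, 20, 1),
         datetime(2020, 6, 20, 1, 30), datetime(2020, 6, 20, 13), True, False),
    Case("C-4", "SIEM correlation", datetime(2020, 6, 25), datetime(2020, 6, 25, 3),
         datetime(2020, 6, 25, 4), datetime(2020, 6, 26, 3), False, None),
    Case("C-5", "SIEM correlation", datetime(2020, 5, 14), datetime(2020, 5, 15),
         datetime(2020, 5, 15, 2), datetime(2020, 5, 16), False, None),
]

def demo():
    return soc_metrics(SAMPLE_CASES, NOW)
```

Over the sample, mean time to detect is 15.6 hours, mean time to respond 1.6 hours, mean time to close 21 hours, dwell time 28.5 hours mean and 26.5 hours median, two of the three escalations were true positives, one user-reported case is still open, and four cases fall inside the 30-day window. Keeping the open cases out of the close and dwell figures (rather than treating "now" as their end) is deliberate: it keeps those metrics from looking better simply because the long-running cases have not been closed yet.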

Page 23: How to Enhance Efficiency for Your SOC in the AWS Cloud

Next Steps: Security Operations Maturity Through Cloud-Native Enablement

• Bloat in security point solutions and a lack of skilled staff have led to SOC team overload.

• Many SOC teams are still trying to manage a huge volume of alerts (some of which are likely redundant and lacking actionable context) using tools that haven’t adapted well in the age of cloud.

• In a cloud environment, with well-integrated tools and services for detection and automation for response, organizations should see definitive improvements in analyst effectiveness and efficiency over time.

Page 24: How to Enhance Efficiency for Your SOC in the AWS Cloud

© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Enhancing efficiencies for your SOC in the AWS Cloud

Page 25: How to Enhance Efficiency for Your SOC in the AWS Cloud


AWS services helping to deliver a SOC workflow

(diagram; labels recovered from the slide: Amazon GuardDuty finding, AWS Security Hub organization view, Amazon Detective investigation; SOC roles shown: SOC Manager, Tier 1 and Tier 2 analysts on the “Frontlines”, and SME/Hunter roles for threat intel, endpoint and malware RE)

Page 26: How to Enhance Efficiency for Your SOC in the AWS Cloud


Gain findings through monitoring your environment

Page 27: How to Enhance Efficiency for Your SOC in the AWS Cloud


Forward findings and create custom remediation rules

(diagram: AWS Security Hub forwards findings to an Amazon EventBridge rule, which drives AWS services; stages labelled Monitor, Detect, Respond, Aggregate and View, Investigate; a near-real-time workflow in which the event is published and the action recorded, alongside an investigate workflow)
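The slide describes forwarding Security Hub findings through an EventBridge rule to a custom remediation target. As an added example that is not part of the deck, the Python below re-implements a simplified version of EventBridge's event-pattern semantics (exact values, `prefix`, `numeric` and `exists` content filters, AND across keys, OR within a list, any-element matching for arrays) so a rule can be unit-tested offline, applies it to a constructed "Security Hub Findings - Imported" event, and builds the `BatchUpdateFindings` call that marks the selected findings `NOTIFIED`. Field names (`source`, `detail-type`, `detail.findings`, ASFF `Severity.Label`, `Workflow.Status`, `RecordState`, `ProductFields`) are the real ones; the finding IDs, product ARNs and the `soc-automation` updater name are placeholders, and the matcher is my simplification, not AWS's implementation.

```python
from operator import eq, ge, gt, le, lt

_MISSING = object()  # sentinel for "key absent from the event"
_NUMERIC_OPS = {"=": eq, ">": gt, ">=": ge, "<": lt, "<=": le}

def _leaf_matches(rule, value):
    """One pattern element (a literal or a content filter) against one event value."""
    if isinstance(rule, dict):
        if "prefix" in rule:
            return isinstance(value, str) and value.startswith(rule["prefix"])
        if "numeric" in rule:  # e.g. {"numeric": [">=", 70, "<", 90]}
            spec = rule["numeric"]
            return (isinstance(value, (int, float)) and not isinstance(value, bool)
                    and all(_NUMERIC_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2)))
        if "exists" in rule:
            return rule["exists"] == (value is not _MISSING)
        raise ValueError(f"unsupported content filter: {rule}")
    return value == rule

def matches(pattern, event):
    """Simplified EventBridge semantics: every pattern key must match (AND); a list of
    pattern values is OR; an array in the event matches if any element matches."""
    for key, rule in pattern.items():
        value = event.get(key, _MISSING) if isinstance(event, dict) else _MISSING
        candidates = value if isinstance(value, list) else [value]
        if isinstance(rule, dict):      # nested object pattern
            ok = any(isinstance(c, dict) and matches(rule, c) for c in candidates)
        else:                           # list of literals / content filters
            ok = any(_leaf_matches(r, c) for r in rule for c in candidates)
        if not ok:
            return False
    return True

# Per-finding part of the rule: GuardDuty findings of HIGH/CRITICAL severity that are
# still in the NEW workflow state and active.  Tune to the team's own triage policy.
FINDING_RULE = {
    "ProductFields": {"aws/securityhub/ProductName": ["GuardDuty"]},
    "Severity": {"Label": ["HIGH", "CRITICAL"]},
    "Workflow": {"Status": ["NEW"]},
    "RecordState": ["ACTIVE"],
}
RULE_PATTERN = {"source": ["aws.securityhub"],
                "detail-type": ["Security Hub Findings - Imported"],
                "detail": {"findings": FINDING_RULE}}

def select_findings(event, finding_rule=FINDING_RULE):
    """The rule fires if ANY finding in the batch matches, so re-check each finding."""
    return [f for f in event.get("detail", {}).get("findings", []) if matches(finding_rule, f)]

def build_workflow_update(findings, note_text):
    """kwargs for securityhub.batch_update_findings: mark the findings NOTIFIED so the
    Security Hub view records that automation has acted on them."""
    return {"FindingIdentifiers": [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings],
            "Workflow": {"Status": "NOTIFIED"},
            "Note": {"Text": note_text, "UpdatedBy": "soc-automation"}}

def handle(event, securityhub=None):
    """Lambda-style rule target; returns the update it would (or did) send, or None."""
    if not matches(RULE_PATTERN, event):
        return None
    selected = select_findings(event)
    if not selected:
        return None
    update = build_workflow_update(selected, "Auto-forwarded to SOC queue")
    if securityhub is not None:
        securityhub.batch_update_findings(**update)  # boto3 Security Hub client in production
    return update

def _finding(fid, product, label, normalized, status="NEW"):
    """Constructed, minimal ASFF finding; IDs and ARNs are placeholders."""
    return {"Id": fid, "ProductArn": f"arn:aws:securityhub:REGION:111122223333:product/aws/{product.lower()}",
            "ProductFields": {"aws/securityhub/ProductName": product},
            "Severity": {"Label": label, "Normalized": normalized},
            "Workflow": {"Status": status}, "RecordState": "ACTIVE"}

# Constructed event: one batch carrying three findings, only the first of which should
# reach the SOC queue.  The rule still fires for the whole batch.
SAMPLE_EVENT = {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
                "detail": {"findings": [_finding("finding-1", "GuardDuty", "HIGH", 70),
                                        _finding("finding-2", "GuardDuty", "LOW", 20),
                                        _finding("finding-3", "Inspector", "HIGH", 70)]}}
```

The point the sample makes is the per-finding re-check in `select_findings`: Security Hub delivers findings in batches, so a rule that matches one HIGH finding fires for an event that also carries unrelated LOW findings, and a target that acts on every finding in the batch will over-remediate. Testing the pattern offline against events like `SAMPLE_EVENT` before deploying the rule is cheaper than discovering that in production.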

Page 28: How to Enhance Efficiency for Your SOC in the AWS Cloud

Security analyst productivity solutions available in AWS Marketplace

Page 29: How to Enhance Efficiency for Your SOC in the AWS Cloud

How are AWS customers leveraging Sumo Logic?

• Continuous correlation across diverse sources

• Automated incident prioritization, alert triage, and noise reduction

• Security analyst workflow with built-in event management

Page 30: How to Enhance Efficiency for Your SOC in the AWS Cloud

The University of Lethbridge increases agility with Sumo Logic cloud-native analytics platform

Benefits:

• Spotting and eliminating threats more effectively

• Proactively identifying emerging, abnormal behaviors

• Analyzing device and network information via a single interface

Page 31: How to Enhance Efficiency for Your SOC in the AWS Cloud

Barton Associates accelerates incident response leveraging Rapid7 InsightIDR

Benefits:

• Reduced MTTD from hours or days to seconds

• Instantaneous incident response through built-in automation

• Saved thousands of engineering hours with out-of-the-box integrations

Page 32: How to Enhance Efficiency for Your SOC in the AWS Cloud

Relativity enriches detection with context using Recorded Future’s threat intelligence solution

Benefits:

• Continuous information fed into SIEM solution for external context comparison

• Enhanced decision-making around suspicious traffic

• Hunting packages for retroactive threat hunting

Page 33: How to Enhance Efficiency for Your SOC in the AWS Cloud

Why AWS Marketplace?

Find, buy, and deploy solutions quicker: IT decision-makers (ITDMs) cut their time in half using AWS Marketplace compared to other sources.*

Make more satisfying purchases: ITDMs feel 2.4x better about purchasing using AWS Marketplace compared to other sources.*

*Amazon Web Services (AWS) Marketplace surveyed 500 IT decision-makers (ITDMs) and influencers across the U.S. to understand software usage, purchasing, consumption models, and compared savings.

Page 34: How to Enhance Efficiency for Your SOC in the AWS Cloud

How can you get started?

Find: a breadth of security solutions (vendor logos)

Buy: through flexible pricing options:

• Free trial

• Pay-as-you-go

• Budget alignment

• Bring Your Own License (BYOL)

• Private Offers

• Billing consolidation

• Enterprise Discount Program

• Private Marketplace

Deploy: with multiple deployment options:

• SaaS

• Amazon Machine Image (AMI)

• CloudFormation Template

• Containers

• Amazon EKS / Amazon ECS

• AI / ML models

• AWS Data Exchange

Page 35: How to Enhance Efficiency for Your SOC in the AWS Cloud

Webinar summary

• New tools? Select solutions in AWS Marketplace for a curated list proven on AWS.

• Current tools? Bring your own license to leverage benefits of AWS Marketplace.

• Leverage AWS Services that integrate with your AWS environment.

• Deploy threat monitoring and intelligence solutions to improve efficiencies of your SOC in the cloud.

Page 36: How to Enhance Efficiency for Your SOC in the AWS Cloud

Q&A

Please use GoToWebinar’s Questions tool to submit questions to our panel.

Send to “Organizers” and tell us if it’s for a specific panelist.

Page 37: How to Enhance Efficiency for Your SOC in the AWS Cloud

Acknowledgments

Thanks to our sponsor:

To our special guest: Nam Le

And to our attendees, thank you for joining us today!