
Good afternoon, good morning, welcome to the second talk, or the third talk depending on what you're counting. It's awesome, thanks for being here. I know that this is an interesting time slot because I am effectively between you and lunch, and so that's a little challenging, so what I'm going to try and do is make sure I am both at least engaging as well as succinct. And so I promise not to go over three hours. Can we just be happy with that? All right, great. No, seriously.

So my name is Craig Bowser and I am talking on baby steps to the next gen SOC. I have been in security, doing security, for over 20 years in various roles, almost all of it blue team, and so that has given me a lot of insight into how security operations has changed over that time. As a result of just being in that field, as well as talking to people at cons and online, I've just seen a lot of how that has changed and is changing going forward. And so that gave me some real thoughts about, hey, what's going on with the SOC, what is going on as we move forward, both in the past and in the future.

So the first thing that usually happens is we have someone pronounce that the SOC is dead, and usually that gets some interesting engagement going. I mean, just a few months ago there was a whole Twitter thread between Anton Chuvakin and Richard, and I always screw up his name, Bejtlich, Richard Bejtlich, all on this topic. But the reality is that it's sort of like the monarchy: it's long-lived. The SOC is dead, but really, long live the SOC. And the reason for this disparity, this difference between these two viewpoints, is that what's going on is that the SOC isn't really dead, but the SOC is evolving.

And this stand microphone, this single in-place microphone, is driving me crazy. I usually move around on the stage, so hopefully I will not do that, and if I do then our good tech team in the back will scream and yell and tell me to get back to the mic because I can't hear what I'm saying. But nevertheless, the SOC is evolving, it's moving and it's changing, and really if you think about where we have come from to today you understand what's going on.

Right back when we first started, and for some of you this is before you had started, and for a couple of you maybe before you were born, which just goes to how old I am, the defense of the network was simple. We were on-prem, we had this castle-and-moat philosophy where we have this hard and crunchy outside and a soft and chewy inside. We had AV, we had firewalls, IDSs were just coming into vogue, and so that was the protection we had. And then we got a few more tools. We started adding remote capabilities to our network. I remember I was at an organization and they gave me a 386 box to take home to dial in to do work at home, so I'm lugging on the subway a monitor, a case with the 386, a keyboard, the whole shebang. That was my "laptop" at the time, right, it was a whole base. But anyway, here I am, I'm remote, we have IPSs just starting, UBA is nascent, and when I say nascent it's like the concept is very lab-like.

And then we moved to where we have more tools, and so we start moving from a castle and a single perimeter: we have the defense-in-depth concept starting, we have cloud starting to come out, 2010, remember, is about when AWS started offering services and capabilities, threat intel and UBA are just starting up, and EDR, the concept of EDR, is again nascent. Then we moved to the mid-2010s, the mid-teens, and UBA and threat intel are all over the place. I remember going to a major conference: 50 or 60 vendors, and 80 of those vendors were selling either threat intel or UBA. It was like the thing. Remember, just like every new thing is the thing, and then it's never the thing. But now we're starting to see also SOAR starting to come out, although most Linux admins will tell you they've been doing SOAR for years, but that's a whole other story. Microservices are starting to pop up.

And now in the 2020s we're seeing us shift again as defense in depth is now moving towards zero trust. We have more tools: we have XDR, we have CASB, we have ASM, attack surface management tools, we have all these other tools that are coming in, and we're still managing all of these, and I'll talk about the fact that we're managing all these. But we're adding mobile and operational technology into the things that we need to protect.

And so our SOCs also have changed a little. When it was all on-prem in the early days, we could put everybody in a room with monitors and screens and blinky lights and things like that, and that was good. And then we started having the ability to do remote monitoring and remote analysis, and COVID and the quarantine drove this quite a bit, and now we have a lot of people, most people, either fully remote or at best hybrid, and their SOCs too. Now a SOC, by the way, traditionally we think of it as the picture on the left, but really what the SOC is, where it really kind of balances out, is it's a group of people doing security monitoring, detection, response. Right, so whatever you want to call that, your security operations team, your incident response, your CERT, whatever you want to call it, the SOC is a generic term for that group of people in your organization that are doing the security and monitoring for your organization. So this is kind of where security is, as far as the team goes, and where we're going with the tools.

And so what we have now is this, but we still have a SOC architecture that looks like this: we have a bunch of tools on the left here that are sending data to some kind of central repository. Now most of the time that's a SIEM, but it could be other capabilities, other storage and analytical capabilities. I'm just using SIEM as that generic term because most groups have that. But you have this SIEM, you have a tiered group of people that
are doing analysis and monitoring of the data coming in, of rules and such, you have some ticketing or case management system, you maybe have some threat intel, you maybe have a SOAR, and when I say maybe I mean a lot of places do but not every place does. And that's how today's SOC is. But the reality is that this architecture, the way this SOC is designed, is really geared toward defending, monitoring and protecting the defense-in-depth capability, with a limited amount or a certain amount of data coming in.

And so what is the problem with that? Well, that has created some challenges in today's environment as the networks and the enterprises that we are charged with protecting have changed faster than our SOC architecture. First of all, the elephant in the room, which no one will be surprised by, is the lack of personnel to do the monitoring and protecting. I don't really have to talk much about that; you guys talk about it all the time, we all do. We've talked about it for 10 years, we'll probably talk about it for the next 10 years. Getting enough personnel to do this is hard.

We are managing an increasingly complex security stack, which includes on-prem, cloud and mobile capabilities. The Cisco security outcomes study stated that on average there are 63 security tools, and I will come back to that number later in the presentation, but there are 63 security tools that a single organization is responsible for managing, administrating, monitoring and responding to. That's a lot of tools, and not all of them work the same way, and for those of you who do multiple things, your head explodes trying to figure out which tool you're in at what time.

You have limited visibility into an increasing attack surface. Your attack surface, by the way, if you haven't figured it out on your own, is increasing, it's growing: as we expand into the cloud, as we expand to mobile, as we expand around the world into new locations, offer more services, that is just more places for the attacker to target, and you have to monitor all those. That's challenging.

SOCs are less and less able to operate at scale to handle better attackers with increasing volumes of attacks. There's just attacks going on all the time from multiple places, and by the way at more scale, and by the way you have not been cloned yet. And so that's hard. Of course cloning would solve problem number one, but that's another story. So we're still fighting this fight. This fight probably will be fought forever, but it still adds to the problem, right, where you have compliance, which we use to get resources, so it's not bad, but it goes up against best practices, which goes up against effective security, which goes up against operations in IT. So these are all things that we're trying to fight and balance between, and that's hard.

Attackers' primary targets now are no longer devices; they are identity and data. And so we have to shift how we think, if you haven't already. There are organizations that have, but if you haven't already shifted how you think about that, we have to do that, and not every place has.

So how did these challenges come about? First of all, operations shifted. They moved to the cloud, they moved to DevOps, and they did this 10 years ago, and most security is not even close to being able to help in this manner. So operations is pushing out updates and changes and new things two to three to up to eight times a day depending on the industry that you are in, and you are woefully behind. You're still waiting for it to show up in your test lab so you can run through a battery of tests to determine if it should be pushed to production or not. Operations, like I said, they have bypassed you in many ways, because they cannot slow down to wait for your testing or analysis. In some ways, there are definitely organizations that have adapted to this process, but at the same time it is a challenge to ensure that the update that was pushed out at 11 AM is secure when there are already four revisions past that at 3 PM. So that is a challenge.

We have moved to remote, mobile, anytime-anywhere access, whether it's your users or your customers. There is a desire to, hey, I need access to the data, I need access to the store, whether I am at Starbucks, at home, on the beach, on the mountains, I'm on a laptop or on a phone or on a tablet, or I'm on some kind of IoT device, anytime, anywhere. That's hard. We don't control most of those endpoints. This is different than when we controlled almost all the endpoints, almost all the access and the location. So we're no longer at that point.

I do have some good news: security has become better. Anyone currently worried about Code Red or Slammer? Anyone? No. Those are still out there, they're still popping around the internet, but we're not worried about those things, right. So security is better than it was 20 years ago. I remember, who remembers your network shutting down, and you unplugged that network because of those things? Yeah, we don't care anymore. Whatever. But guess what, the attackers are way past that, the script kiddies are way past that. The script kiddies are like, Slammer, that's old stuff, right. So the attackers are better, but so are we, so that's good and bad.

But all right, security tools and methodologies have increased in number and complexity. I've already talked about that, and so that's hard, that's a lot more data from a lot more tools. Each one of those tools, according to the vendor who sold it to you, is the most important thing since sliced bread.

And most importantly, we no longer operate under the assumption that our networks are unhackable. We used to think that if we do all the things and turn all the knobs and patch all the devices that we will be unassailable. We don't think that anymore. We think if we ever get to that point then somebody's just going to find some unknown zero-day, or five of them, or basically phish my CEO or CFO or the secretary of the CEO, and they're still going to get in. So we are no longer under that assumption, so we don't operate that way, we don't think about that. Maybe that keeps us up at night, or maybe we just go, whatever, I just go to sleep because it's the same scary story. But that's no longer the thing.

So what's the solution? Spoiler alert, it's in the title: we become next gen. But what does that mean? You've probably heard this, people are like, oh, next gen, next gen, next gen. So what does that mean? Well, let me tell you how I am defining it for the purposes of this talk. How I am going to define a next-gen SOC covers several things. First, we are
shifting our security strategy from defense in depth to zero trust, and I know zero trust is a big buzzword, but I'm telling you it is coming, and it is coming like a very slow-moving freight train. I say slow-moving because this is not an overnight, flip-a-switch thing, but a freight train nevertheless that is coming, and it is different for everybody, so don't assume, oh, I can't do it because I'm too small; it adapts. So shifting our thought and our process and our strategy to this concept is a key part.

Routine attacks and alerts are handled by automation, right, get rid of the crap that you see all the time every day. I think about it like bill pay: you just say pay this bill as long as the bill for my cell phone is beneath X amount, just automatically pay it. Actually, banks don't have that setting; it would be great if they did, just a greater-than, less-than-or-equal-to: pay this amount automatically, if greater than this thing give me an alert. That would be awesome. If you patent that, give me credit, please. But nevertheless, anything that is routine is just automated, just do it, I don't even want to see it.

Alerts are enriched and triaged, so the things that don't get automatically handled come in fully enriched. Most of you hopefully are already doing enrichment for your alerts; if you're not, get to it. Add data to your alerts that makes your analysts able to make decisions faster and more accurately, because they don't have to go find out stuff that is related to the alert they're looking at. It should show up with all the information they need to make a 30-second decision right away, and then triaged as much of it as possible. Automation doesn't necessarily mean you take care of things without human intervention; it can mean that, but it can also mean that you have done as much as possible with minimal risk to your operations, to your business, and now you put it in front of a human to make the final decision or decisions. So you are triaging as much as possible. If you think about a medical triage, sometimes the nurse or the EMT does as much as possible and then gives it to the doctor to go, okay, do this, do that, do the other. So that's really what I'm talking about: triaging your alerts as much as possible before the human gets there. Oops.

So detections and automated responses are constantly being built and tuned, so you have DevSecOps, you have DevOps in your security, where your alerts and your automations are constantly built and tuned, and two to three to four to five times a day you're pushing out these updates. It's changing based on feedback and results. So a next-gen SOC is doing this.

Logs and events then also have to be ingested from a variety of sources. You have increased the amount of data you're pulling in, and I get that comes at a cost, and we'll talk about how to manage that in a slide or two, but you're pulling in all of that stuff so that you can have detections and automated responses, and so you can take care of routine alerts by automation.

And then finally you're using ML, machine learning, and AI and threat intel alongside of automated alerts. All of these things are helping you generate high, I've drawn a blank on the word, low-false-positive, high-fidelity, thank you, that was it, high-fidelity alerts. You're using this where you can create atomic alerts. Atomic alerts are things like, if I see this and this, give me an alert because those two things are bad. Very simple alerts, yes/no, on/off alerts, as opposed to machine learning and AI types of alerts where it requires a lot more processing and thought and large-volume analysis. So using all of those together to help defend. So that's really what I see as a next-gen SOC.

So how do we go from here? What does that look like in reality, what does that look like practically, in real life? So we're going to talk about that picture. So keep in mind how today's SOC architecture was pictured a few slides ago, and we're going to start migrating, we're still evolving that, to a next-gen SOC, because this is not an overnight journey. You're not going to go back and go, okay, here are the things we need to do and we're going to have them done by next year. No, this is just like zero trust, just like anything, it's going to take three, five, ten years of change, slow change, but deliberate, planned change, and flexible change, because things will be different in five years than they are now. But these are the things, the steps you need to take. And by the way, you can also grocery shop in this, right. If you are a large multi-billion-dollar worldwide organization, you may be able to do all of these things. If you are a 100-million-dollar, 30-person organization, maybe you only do four or five of these things. The concept is that you are getting to the
point where you are implementing many of those overall capabilities regardless of how many of the actual steps you're able to do. You have to find a way to do it with the resources and capabilities that you have at your level. So let's jump into it.

So phase one, and by the way, I broke this into phases not that you have to follow this order, but because I tried to group things that made sense. So phase one, what you're going to do is you're going to increase your automation and integration. That same Cisco outcomes study also said that tools that are able to be integrated well with each other increase the efficiency and effectiveness of your security team, and this makes sense, right. So I've been trying to build a demo lab that has some automated response capabilities, and I will tell you that we found out that some of the tools we're using don't integrate well. They don't have full API capability. Like, one of them says, yeah, you can create a user using an API, you can delete a user, but I can't suspend a user. Okay, now I've got to either not use that tool or do something else, right, I can't suspend a user in that tool. So I need better integration capabilities. I don't need you to open up your, you know, vendors, I don't need you to open up your secrets, I need you to just allow me to access the things that I can do in the GUI via remote API, so I can just have your tool A push data to tool B and then based on that tool C does something, and I want to just do that in a script. I don't want to have to point and click. So better integration and automation, increase that.

Ingest threat intelligence, ingest relevant threat intelligence, and I say that because I was working with a client a few months ago, a big US-based pharmaceutical international company, and one of their threat feeds was for Australian public schools. And I said to them, why are you having this threat feed? I don't see that. And they're like, well, just in case there's something relevant. And I'm not exactly sure why they think a threat against Australian public schools is relevant to Big Pharma based in the US, but okay. But I think that's a waste of time and money and resources. So ingest relevant threat intelligence.

Plan for a migration to cloud-based SOC tools. Your on-prem tools, if they are not already falling behind, will not be able to handle the amount of data that you will need to ingest and the amount of processing and compute capabilities you will need to have going forward as you start protecting your network at the level where you have mobile and remote and cloud and DevSecOps. You're not going to be able to ingest all that and process all the information at a level on-prem, or well, you could, but you're going to spend so much money on hardware to do it. So just start moving to the cloud; take advantage of that flexibility and elastic expansion capability.

Start creating and refining metrics that will drive your planning and prioritization of tasks, and by that I mean things like how many of your current tasks are automated, what percentage of those tasks are automated, how many of your devices that are part of your network have you identified, how much of your data have you identified, how much of your data have you labeled. These are things, this isn't like mean-time-to-resolution metrics, these are things like how are we making our SOC better at protecting and more efficient at protecting. So these are metrics that drive those steps, not just, oh, we didn't detect that attack for 20 days or 90 days or whatever.

Speaking of which, start getting an inventory. I have "asset" here, but I really should say of your assets, your data and your identities. I mentioned before that attackers are going after data and identities now, so you need an inventory of the data you have, and the identities that access it, as well as the assets, if you still have assets. Not all places have assets anymore; those of you who work for companies that are completely cloud-based, you don't have assets. So then do you have an inventory of the data that's important, and do you know where that data is, do you know who's accessing it and if they should be? Start getting that information. And so based on that, then you start planning and shifting to monitoring and protecting the data and identity rather than the devices that you have or that are accessing it. So as you get to that point where you are doing those things well, in my opinion, then you start moving to phase two.

So phase two is where you are implementing technology, because now you are ingesting a lot more data, but you don't need all that data in your security tool. So stop sending it to your security tool, send it somewhere else, because you're going to need a lot of this data that you are collecting for
compliance, for forensics, for incident response, oh, and for machine learning analysis and algorithms and possibly AI-type analysis, but you don't need it in your security tool, which is more expensive to collect and ingest and store. Send it somewhere cheaper and then access it there. So get a tool that does this routing, send all that stuff somewhere else.

Begin your migration, if you haven't already, to cloud-based SOC tools. I beat on this horse on the last slide, so start the migration that you planned in phase one, or continue it if you had already started that.

Begin using machine learning to analyze large data sets. Start simple and build on that. To do it well doesn't mean you just go in and turn on all of the algorithms; it means understanding which algorithm applies to you and your environment and start turning those on, and/or building your own, and just moving slowly through that process. Remember, a lot of people when we first got SIEMs, we just turned on all the default rules. We should have learned this lesson; we don't do that. Unfortunately we still find places that do this. Don't do that. Spend the time, analyze it. I get it, there's a lot of stuff you have to do, and doing customized, focused review of these things takes time, I get it, but it's time well spent because the end result is higher-fidelity results, higher-fidelity alerts.

And speaking of which, going back to the first point here, the routing and filtering of logs: that means you have to spend time looking at the data that you're collecting and deciding whether it actually should come into your security tool or not, and if it comes in, do you need all of the fields? I was at a client recently that was pulling in AWS CloudTrail logs and they were just pulling in all the fields. There's like 50 fields per event. Stop, you don't need 50 fields to do security, you maybe need 20 or maybe 10. The rest of them, send to the data lake. Okay, but that takes time to look and analyze what's in those fields, I get it, that's a lot, because you're running around like a one-legged man in a butt-kicking contest, you're busy, I get it. But spend 30 minutes a week, 30 minutes or an hour a week doing this, and over time you will make progress. You're not going to do this all at once; you're going to just take it like eating an elephant, one bite at a time. All right, so take the time.

All right, moving on to my next soapbox, and I have a lot of them. Start using UBA and RBA, where you're building alerts based on a series of behaviors, not just atomic actions, not just singular actions. So you're going to get higher-fidelity alerts because you're not just saying, if this thing happens then send me an alert, and now I've got to go figure out if everything else that happened around it means that this thing that happened was bad. Now you're building, like, if I see this and this in this time frame with this person from this site, and he's done it four times, then send an alert. Okay, that's a much better alert than just, hey, someone logged in at 2 AM, and now you have to figure out, well, did they log in on purpose or not. So spend the time, build this out.

Start building your security focused on identity and data. Use the metrics that you started in phase one; keep using those metrics to drive, and also to evaluate, the effectiveness of your tools. Guess what, you may find out as you're going through this that your tools aren't very good, or they're redundant, so get rid of them. Oh my gosh, you don't know how long it took us to deploy that tool. Yeah, I do, I was part of DoD when we rolled out HBSS, I get it, and you wonder why it's still there, because it sucks to remove. But you know what, not talking about HBSS, but if the tool in your organization, you determine, wow, we don't need it, it's not very effective, and we're using this one much better than that one, then go rip it out. Yeah, spend whatever amount of hours it's going to take to rip it out, but if the end result is better protection and more efficient, then it's worth the effort.

And start using AI to explore appropriate tasks. I have to confess I'm not a big ChatGPT fan, but just like every technology, this is only going to get better, so five years from now it's going to be better. And so what can you use it for? Can you use it to help write rules? Can you use it to help threat hunt? Can you use it to do simple automated response? How can you use this tool, because it's a tool, how can you use it in this environment? So explore that, figure that out. I don't have anything specific; that's five years from now, maybe by then it'll be different. All
right so phase three all right so this is where we're coming in uh we're coming in for the landing right we're getting to the point where we're getting to that next-gen stock so at this point you should have completed your migration to the cloud you should have all of your data storage all of your analytic analytical capability all of your compute everything should be in the cloud all your remediation so it should be reaching back into any on-prem places that you have uh and doing remediation so all of that should be there you um and so that you're taking advantage of the scalable costs and the K and the scalable storage there you have a
detection engineering devsec Ops process in place okay you are writing rules and uh writing Automation and writings uh and building and updating and tuning this stuff on a regular um repeatable consistent basis that happens multiple times excuse me multiple times a day so uh this process is in place and so you are able at this point to keep up with Ops okay and their deployments this is the goal do you want to be you want to be pacing Ops like half a step behind if not in front of Ops but you need to you know get to that point organize your teams out of Tears they should be in uh in built on skill sets
This is going to do so much for our ability. It's going to help our hiring, because we're going to be able to hire junior people, entry-level people. They're going to enter into an environment where they can learn and grow; they're not expected to know everything right away, and so we can train them, we can build them up, and they can decide as they get more and more senior, as they move from entry to junior to mid to senior: do they want to be a threat hunter, do they want to be an incident responder, do they want to be a security engineer? Right, we have that. They're going to stay if you have that environment where you bring them on and raise them up and train them up, because they're going to have the OJT and the support system to do that. But that only happens if you have the, I mean, teams and not tiers, because in tiers you say "well, I don't have any space in my tier two," and they're going to go somewhere else that has an open position at tier two. But if you have, if you're just like "well, now I'm no longer junior, I'm a mid analyst," and boom, that's what you are. You're not like "oh, I'm tier two," you're just a mid analyst, and then "I'm going to be a threat hunter," okay, you're still on the same team and now you're a threat hunter. You don't have to be worried about like "oh, I need this position," right?

Partner with an MSP or MDR to cover gaps. I get it, you know, not all organizations can or want to do all the things, or do it all the time, so make that decision: partner with somebody, where you're going to outsource and how you're going to outsource. And then, tying back into the teams concept, you want to develop, fund and implement a comprehensive training program. Now I'm not saying go out and hire teachers. I'm saying, at a minimum, build an Excel spreadsheet that has "hey, here's all the videos to go and watch on YouTube or the internet to be a threat hunter, and go watch these, go read these blogs, and then go do it. Oh, by the way, here are some VMs that you can download and install and learn how to threat hunt." That's your training program; it costs you nothing, okay. You give that spreadsheet to somebody and they check off each item as they do them, and they hand it back and you say "good job, here's your next spreadsheet: go learn how to be an incident responder, watch these videos, read these blogs, here are some VMs, check them off and give them back to me," right? Now that's simple, you can do that, it's free. You can also get a company subscription to like Udemy or Cybrary or, you know, name your platform of choice, or you could go and hire, you know, Black Hills to come in and give on-site training, whatever your flavor is. But build that, have that in-house, right, so that you have the capability to hire some entry-level guy and train them up. And I'm going to steal Understudy's comment when we were having this conversation last night: by the way, entry level in security is not necessarily an entry-level position, right? You have to come into security, even as entry level, with some basic knowledge. And so we have to kind of change that, and that's a whole 'nother story, a whole 'nother lecture. So, but that's tier three.

So, wrapping up here: how do you get there? So some strategies. First of all, start with what you have, okay. Let's just, you're not going to rip and replace, you're not going to just throw out everything that you're doing, so start with what you have. Increase the use of managed services to cover gaps where you need to, but you can pull those back in-house later. That's
fine. What you need to do is like "hey, we need you for a year." My company has a managed service, and there are plenty of places that say "we need you for six months, and then at that point we'll have the in-house stuff back, and that's it, and that's the contract." We go in, we cover them for six months, and then we hand it over to their in-house people. Boom, done. That's awesome, those are cool. All right, so you can do that. I'm not bothered by that, that's fine.

Simplify the tools. I talked about the number of tools that you have, right, it's possibly 63, so figure out which ones you don't need, take them out, make yourselves more efficient, simplify, take that stress out. At the same time, increase the amount of tools that have good integration with each other, okay, figure out where that is, make that happen. Hire and develop, internally and externally, the skills that you need coming up: cloud, programming, DevOps, data analytics skills. All of those are going to be crucial skills that we need to have going forward, okay. Formalize your SecOps process. Begin your zero trust journey, okay.

So some conclusions, as I come in here, just wrapping up. No two SOCs will look alike, okay. There's a lot of stuff here, and some of you are probably going "we're not doing all that, we can't afford that." I get it, okay. I've worked for small companies pretty much my entire life, I get that. That's why I say figure out what is applicable and what you can do and how you can do it, because at the end of the day what you want is a SOC that is capable, that has the capabilities I talked about at the beginning, right, and not everybody is going to be able to do all of the steps, but there are ways that you can achieve those goals without spending millions or billions of dollars. So implement and continue automation efforts; that's going to help. Consume tailored threat intel, we talked about that: don't consume Australian Public Schools' threat intel models unless you are Australian Public Schools. Shift your operations to the cloud. Start protecting identity and data instead of devices. Shift, change your thinking. It's too easy, even in my head, I have to change what I say: change how I think, change how I plan. Increase the telemetry that you're ingesting. Develop machine learning and data analytic capabilities. Plan for CI/CD detection engineering, basically DevSecOps the heck out of your detection and monitoring and automation. Use short- and long-term planning, okay. This again, this is not an overnight thing; you are going to need to plan this out over time, and that short- and long-term planning allows you to change midstream, okay. I get it, you know, five, two years from now the landscape could be completely different, right? Four years ago, who was planning on COVID? Nobody. That shifted everything. So change your plans, right, things are going to happen.

So with that, I'll take any questions. I will say that, let me, I'm going to come back to the slide in a minute. Here are some references. The top reference is a paper I wrote on this; it's probably, at this point, about a year old, so this talk is updated, but if you want that paper you can go to that website, GuidePoint Security, resources, "SOC: The Next Generation." You will have to give up blood samples, I mean, some data, to get it. And I do say thank you to my company for allowing me to use their logo and their formula on this talk. But feel free to reach out to me, and with that I have a few minutes for questions.
[Applause] Thank you. In the back?

Yeah, so the question is where would I put MSPs, like malware sharing platforms, I think, like MISP. I would put that under threat intel, absolutely, you know, if you are managing and running your own as opposed to subscribing to Anomali or some such company. Yes sir?

So I don't have 50 minutes for another, oh, so let me back up. So the question is, if you're going to outsource your SOC, what are some good questions to make sure that you have a reliable vendor to do it? That's a good summary of it, and my initial answer to that is I don't have 50 minutes for another talk. But I would absolutely talk about what their processes are, how they take feedback, how they verify that they are monitoring everything, and how you can communicate to them what your critical data, identities and devices and processes are, so they know what to prioritize.
Yes ma'am?

I personally am not, but I'm a little bit biased, because I've had people say "hey, let's look over this Python program I wrote with ChatGPT," and I have to spend like an hour debugging it. So there is definitely talk about that, about AI and things like the GPTs and the BERTs changing threat, but I think at the end of the day that most of, you know, when you look at what exploits come out and vulnerabilities are found, I'm sorry, vulnerabilities found and exploits, a lot of that is human intuition, of looking at something and going "oh, that's funny, I wonder why that does that," right? And sometimes, and that's not something that, you know, I think you may see commodity stuff come out of it, but I don't think you're going to see the really advanced stuff. That's my personal opinion. Any other questions? Yes ma'am?

Say again, I didn't hear you.
Exactly, because, right, so the question was: I had said earlier that there's often conflict between compliance and best practices, and insurance companies sometimes ask you to do best practices, and so what, you know, one of my thoughts on that? Is that a good summary? So a lot of times compliance tries to say "comply with best practices," and maybe points to something like NIST 800-53 or some ISO model or something like that, and in that case sometimes those are the same. But at the same time we have to remember that sometimes best practices aren't necessarily enough, and that a compliance standard doesn't always match that. And so a best practice can not only be an implementation but an understanding of the environment in which that implementation occurs. And so there's still that sometimes difference, and you have to figure out how to cover that difference, cover that gap between what I can expect and what should be done. A good example is PCI, right? So PCI has compliance, and compliance is based on best practices, you would think, but there's still that gap between that and effective security. Does that answer your question? Awesome. Yes?
So the question is: as I said, I talked about shifting strategy from protecting devices to protecting identities and data, and so what are some thoughts on tools or capabilities that you would employ to do that, and especially the difference between structured and unstructured data? Is that a fair summary? Excellent. So, wow. I think that, just talking about the overall change in your strategy, I think when you talk about protecting devices, that's very much like "I have a physical thing and I can easily control what goes in and out of that thing," even if that thing is an instance in the cloud, like EC2 or Azure or such. It's a thing and I can control what goes in and out, as opposed to data, which can be anywhere and moves often, right? I'm not picking up a server and moving it from this data center to that data center, or I'm not moving an EC2 instance from this availability zone to that availability zone. But data can shift all the time; it can have multiple copies. Same with identities, that can be just anywhere at any time, moving through places. And so what you end up doing is you start looking for tools that are able to identify that stuff, and some tools can do that, sort of, but I think those tools are still very much at the beginning. These tools are still trying to figure out the best way to track this data and keep track of it and control access to it, as well as trying to manage our identities. Because the challenge with identities is that everything you connect to has a different way of identifying you, even if you have SSO. All SSO is is a front end to everything you're accessing, and so everything you're accessing has an identity; all you do is they have one reference to many things. And so it's very nebulous. I think we're not there yet; we're starting to, but for those of you who have worked on trying to build actual identity and data protection, especially if you're doing any kind of zero trust engineering, you realize this is hard. It's hard tracking it, hard matching it, and it's hard protecting it, and I think we have a long way to go with that. There are some tools out there, I mean I'm not going to talk about them because we sell some of them, but some are better than others, but we're ways yet from there. Does that answer your question, or at least give you some warm fuzzies? All right, awesome. Anyone else? Awesome. Well, thanks for coming out to my talk. I'll be around, as I said, I'm reachable on the interwebs, and thanks, I appreciate all your feedback. So awesome. [Applause]