CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Understanding and building a SOC (Security Operations Center) with Troy Santana

In this episode of The Security Repo we are joined again by Troy Santana from Critical Start to discuss how organizations can set up a Security Operations center regardless of their size. We explore exactly what a security operations center does and why you need one in the current security climate.

Video Transcript

We need to be able to get a security alert from a tool. We need to be able to understand, in plain English, what is it trying to tell you, why should you care, what is the risk to my organization that this might pose, and what did we do about it, or what do we need you to do about it, in order to resolve that. They need to see it, read the information and be able to make a decision. Those are the things that make a security team valuable as an augmentation to an existing business.

That was part of a conversation that we had with Troy Santana. Troy joins us again this week. Last week he was with us talking about staff augmentation in security, and this week he is back to discuss the SOC, the security operations center: exactly what these are, why you need one and how you can set this up as an organization of any size. We're going to get to that conversation in just a minute, but first it's time to have our breach of the week.

Thank you. It has been a quiet week for breaches this week, touch wood, so we're going to look at some alarming trends that have been reported on by the CloudSEK intelligence research team, and once again we're putting AI back into the spotlight. Last week we looked at ChatGPT and how their AI chatbot was tricked into producing malware worthy of a bug bounty. Today we're looking at a different use case for AI: that's videos. The CloudSEK team reported that they've seen a 200 to 300 percent month-over-month increase in AI-generated videos that are designed to coach the watcher into downloading malware. If you're as old as me, you may remember going on to LimeWire or BearShare or some other kind of torrent client to try and find cracked software, programs that you really couldn't afford or shouldn't have. Well, this trend has come back. No longer are they using torrents to try and attach malware or just claim a virus is a cracked program; now they're using video to add a layer of authenticity and trustworthiness for the user. The CloudSEK team report that the videos are used to lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD and other expensive software. Instead, these videos actually lead the watcher to download information stealers. These information stealers will typically collect a victim's browser data, including passwords, cookies, crypto wallets, Telegram data, files such as .txt and Excel sheets, and system information. I've seen lots of videos of AI claiming to be good enough to be able to steal my job, and perhaps one day they will be. Right now you can clearly see AI, and while there are legitimate use cases for using AI avatars in videos, the anonymity behind AI means that various actors can break down some barriers of trust by putting a human face in front. Some research suggests that even if we know it is an AI avatar, the fact that we're looking at a human face means that we find that more trustworthy than if we were just looking at a screen share, for example. So yet again AI comes into the spotlight of our breach of the week, and this scary new trend is certainly another reason why we need to have up-to-date security operations centers, to be able to make sure that we are acting on the latest possible threat trends. So without further ado, here is a conversation with Troy Santana.

Could you just give us a quick high level of what you do with a SOC? What is a security operations center, and why do we need one of those?

Yeah. So we were talking earlier about IT folks in general wearing many, many hats, right? You are the fix-the-printer guy, you're the "hey, my account's locked out", you're the "hey, we have new tool rollouts", what have you. So the security operations centers, the SOCs of the world, focus on actually using the information that's coming in from your security sources, from log sources that may have security relevance, and investigating those to determine if there is actually a threat to the organization, something that needs to be responded to, and operationalizing that information: getting it to your actual IT admins, getting it to whoever is there that needs to make the decision. Right? So, understanding that macros are part of our world, especially for my finance folks out there (shout out to all my Excel spreadsheet gurus who do great jobs at building those things), but automation is the enemy of security in a lot of situations. A macro runs on a machine, on Dave the finance guy's machine; I need to go to Dave and go "hey, is this actually something you're doing? Was this something you're aware of?" That's what your SOC is doing. They're being the security facilitators for your organization.

Well, what kind of integrations with customers' existing infrastructure does it typically require, this SOC? How does it all fit together?

Security operations teams, their big piece is being able to actually get in and get information as quickly as possible, right? These days the best way to have that interaction is mature API libraries for the security tools that are there. You want to be able to hook into those tools and get the most out of them as quickly as possible, and oftentimes that's not via GUI; it's not relying on visually navigating here and there. You want to be able to interact with that tool at the machine level. So having a mature API basis for security tools that can talk and perform all of the actions that your tools have is, I think, incredibly important. And mature SOCs will hire smart people, and they will find ways to help automate investigations, or automate like "oh hey, every time I see this alert, these are the contextual pieces of information that I get; let me go query the tool." And now, every time this comes in, I'm going to build a Python script and it's going to say "hey, every time I see this security alert come in, I want to get this piece of information from it, I want to go ask these other questions that I'm going to ask every single time," and now I can skip that step because the system will do it for me, and it'll show me what I need and the context that I need to make an important decision.

Is there an advantage, you think, to bringing in an outside set of eyes and a set of skills, to basically outsource that skill set of building a security operations center, versus having that pile of money up front to hopefully hire someone who can build that specifically for you?

Sure. So the big one is return on investment, right? Again, ideal world, yes, you can hire an internal team, build it up inside; they're going to be tuned in and focused exactly where you want them to be. All of that takes time. It takes time, it takes experience, and the more time and the more experience that somebody has coming in, the more money they're going to cost up front, and that is an incredibly limiting resource for you and your organization. That ROI, "hey, prove to me that it happened": you're building a team, and it may take more than a year to get that team completely spun up, trained, doing all the things that they need to do. Whereas when you go in and you use something like our MDR service, you're getting an entire team of professionals that we spend time training, getting technically ready and savvy. Our analysts take 300 hours of training before they ever touch a customer's security environment, and that is understanding all of the technical nuance from a security perspective, not training on just a specific tool and these specific alerts that they have. We could be an email system if all we were doing was going "hey, you got a security alert, you should go investigate that." No, our expectation is that if you're hiring us to do security professional work, we need to be able to get a security alert from a tool. We need to be able to understand, in plain English, what is it trying to tell you, why should you care, like what is the risk to my organization that this might pose, and what did we do about it, or what do we need you to do about it, in order to resolve that. And I need to be able to translate that in a way that a customer doesn't need to sit down with an encyclopedia and another reference book to understand what I'm telling them. They need to see it, read the information and be able to make a decision. Those are the things that make a security team valuable as an augmentation to an existing business, and if you can do those, I think that is what is going to drive customers to not only obtain your services but to stick with you, right? That kind of year-over-year going "hey, I trust these folks, they're going to tell me what they're doing and I'm going to be able to understand the value of having them on my team from a security perspective." And if anybody ever asks the question "how do you know?", well, it's all auditable. I can go back and I can see every investigation, every button that they clicked on. They're telling me where they're getting their information and why it matters, so nothing that they're doing do I have to guess or assume is happening there. So the idea of assumed risk goes out the window; all of my risk is explicit because I chose to have it, not because it's built in by default.

Can an external team understand the risk to their business better than they do? And so when you have this kind of outsourced SOC, how can you understand, or how can any external team understand, what's happening in a business that they're not intimately familiar with?

Sure. I think the key to all of that is that phrase, staff augmentation, right? You're not the security team; you are an extension of the security team. So if you're looking for staff augmentation, then an important question to start with is: how does your service work with my team to improve our security? What does that look like? Asking that, and understanding the collaboration that a security vendor or a staff augmentation is going to have with your existing team. If they can't answer that question in a way that's satisfactory, then we're probably not in the same place of getting the value that you're looking for. And that, I think, is the big part: hey, I need to know what you're going to do for me, in plain English. There are people that are going to sign contracts, they're going to do the redlining, they're going to do all the other pieces, but when it comes down to it, at the end of the day a security alert happens and we have to work on it. What does that look like? And you should be able to explain that in a way, and show real-world examples of "hey, this is how we worked with teams in the past to meet specific needs, to meet their unique environment needs."

Almost everyone has worked with a contractor at some point to go and do X for them, and it doesn't go exactly right, and then it's that back and forth. And this is very much a different thing; that's what I was getting from what you were saying earlier. This is really a team effort: how do we bring on a new team member efficiently, quickly, in a way that doesn't just show X result but also helps us expand as a business? That's a really interesting aspect to this.

Yeah. Well, and then also there's: how do you hold your vendor accountable, or what are they promising you for accountability's sake, right? Very often what I've heard from security providers are SLOs, service level objectives, where they say "hey, we're going to try to do this thing," right? And that's all great, hey, everybody try as hard as you can, but is that a guarantee somehow? Look for those security vendors, and honestly vendors in general from a service perspective, that have service level agreements: "hey, we're going to do this in X time, and if we don't, this is what you get." You get service credits, you get money back, you get something else. And if that's not part of the actual terms and conditions, if that's not there for you to understand up front, ask them why. And if they can't answer that or dance around that, that's something that I think you need to consider when you're looking at: is this worth the investment, and is this the right vendor to pair with for me and my business where we are right now?

We're coming to the end of the time here and I just want to finish off with a couple of questions. What advice would you give to people wanting to get into security, that may be starting off on their journey or looking to pivot? What advice do you think that you can give to help people along their journey?

The biggest thing is, honestly, get involved with your local groups. BSides is a great example. There are a lot of local groups: you'll see DEF CON groups, BSides groups, your ISSAs; lots of tech groups out there are getting together and have professionals and folks that are just hobbyists or interested. They're meeting, talking, collaborating about their problems, their solutions, their general day-to-day things. And like you mentioned before, finding professionals and holding on to them is incredibly difficult, because the competition is fierce and the money from some of these tech companies is really good and very difficult to compete with for, say, an SMB, right? In that perspective, if you are an SMB and you are maybe a smaller business, then understanding how do you incentivize folks to stay; well, maybe what you look at is: look at those college students coming out, look at those people that are looking for entry-level jobs, that are looking for security, and use that as an opportunity to build up your security and provide an inroad for these people that are trying to break into the business, to have that security experience to get into it. It's really, I think, a mutually beneficial situation that is overlooked very often. There's one person that says "yeah, I want a security professional and I want it now; well, my budget is fifty thousand dollars a year and I want somebody with 10 years of experience." Good luck, good luck. Like, let's be realistic, right? If it's your budget, it's your budget, totally get that, but let's make sure that we're using it wisely. So I guess I kind of dove into both directions, right? If you're the person looking for it, go out, get involved. There are also a bunch of free resources or very cheap resources for learning more about the tech side of things, learning more about security: TryHackMe, you've got your... well, it's HackerOne, you've got a bunch of different websites and things that will walk you through step by step. To be completely honest, I took an aunt of mine that was in her 50s, 60s, and we were talking about all this stuff, like how does somebody get started in that, and took her to the TryHackMe website and watched her sit there, somebody that has not had a lot of technical background experience and everything else, and learn some common web hacking techniques, how that works, walking down the road of penetration testing. Now, that's not what she did, but if somebody without any experience can use tools like that and start to understand those bits and pieces, somebody that has the drive to actually make a career out of this, you absolutely can.

Where can people learn more about Critical Start, or follow you, or kind of dive in a little bit more? Where can the listeners go to learn a little bit more about what we've spoken about today?

Sure. So, looking into Critical Start: if you're looking into security services, consultation, everything from... we do a full security provision, whether that's professional services to help you roll out those new tools that you bought, or you are in the unfortunate situation that you found yourself in a security event and you need IR services, or you're trying to prevent such a security event by doing staff augmentation with MDR SOC services. A great place to start is criticalstart.com. Go in, have a look at our staff there and look at the different services that we provide, and see where we can help you. If nothing else, just have a conversation about where your security is today and where you want it to be, and we'll figure out how to help you get there.

Thank you so much for joining in. Dwayne, any final words before we click the big red button?

Just a quick supplement to everything that Troy just mentioned: OWASP, don't forget about them, the open source web application security team out there, awesome open source project, and they have free training for all of their members through a platform called SecureFlag, another one of those websites where they can dig in to various projects, start hacking, start moving toward those security credentials quicker. But BSides, absolutely amazing organization, check it out in your neighborhood, and hopefully I'll see you again at a future one, Troy.

Oh yes, I'm definitely looking forward to that, and looking forward to the next time I can come in and talk to you guys more about security, whether that's SOC or something else. It's been fun.
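Troy describes the kind of automation a mature SOC builds: every time a known alert type arrives, a script pulls the same contextual pieces (who owns the host, what the user's role is), asks the same questions, and hands the analyst the four plain-English answers a customer needs (what happened, why you should care, what we did, what we need you to do), with an SLA clock on top. The block below is an added illustration of that pattern and is not Critical Start's code or anything from the episode. The asset inventory, user directory, playbook, alert records and the `NOW` timestamp are all constructed stand-ins for what a real SOC would fetch over its tools' APIs; the severity rule is a hypothetical one chosen to mirror the "macro on Dave the finance guy's machine" scenario, and an alert type with no playbook is escalated rather than guessed at.

```python
"""Alert enrichment and plain-English triage summaries (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the inventories a SOC would otherwise pull over a tool API.
ASSETS = {
    "FIN-LT-017": {"owner": "dave", "department": "finance", "criticality": "high"},
    "ENG-LT-042": {"owner": "alice", "department": "engineering", "criticality": "medium"},
}
USERS = {
    "dave": {"role": "accounts payable", "macro_user": True},
    "alice": {"role": "developer", "macro_user": False},
}
# Constructed playbook: the questions an analyst asks every single time for a given alert type.
PLAYBOOK = {
    "macro_execution": {
        "meaning": "an Office document ran a macro",
        "risk": "macros are a common way malware gets its first foothold",
        "action_taken": "isolated the host and quarantined the document",
        "ask_owner": "confirm whether they opened this document and expected it to run a macro",
    },
}
# Fallback for alert types the automation has no playbook for: escalate, never guess.
UNKNOWN_PLAY = {
    "meaning": "an alert type this automation has no playbook for",
    "risk": "unassessed until an analyst reviews it",
    "action_taken": "escalated to an analyst for manual investigation",
    "ask_owner": "stand by; an analyst will contact them if anything is needed",
}


@dataclass
class Alert:
    alert_id: str
    kind: str
    host: str
    user: str
    detected_at: datetime
    details: dict = field(default_factory=dict)


@dataclass
class Triage:
    alert_id: str
    severity: str
    summary: str
    escalated: bool
    sla_met: bool


def score(asset: dict, user: dict) -> str:
    """Hypothetical severity rule: an unexpected macro on a critical host is the worst case."""
    if asset["criticality"] == "high" and not user["macro_user"]:
        return "high"
    if asset["criticality"] == "high" or not user["macro_user"]:
        return "medium"
    return "low"


def triage(alert: Alert, now: datetime, sla: timedelta = timedelta(hours=1)) -> Triage:
    """Enrich one alert with host/user context and write the four plain-English answers."""
    # Unknown hosts are treated as high criticality so a gap in inventory never lowers severity.
    asset = ASSETS.get(alert.host, {"owner": "unknown", "department": "unknown", "criticality": "high"})
    user = USERS.get(alert.user, {"role": "unknown", "macro_user": False})
    play = PLAYBOOK.get(alert.kind)
    escalated = play is None
    play = play or UNKNOWN_PLAY
    severity = "high" if escalated else score(asset, user)
    doc = alert.details.get("document", "an unknown file")
    summary = (
        f"What happened: {play['meaning']} ({doc} on {alert.host}, "
        f"{asset['department']} host owned by {asset['owner']}).\n"
        f"Why you should care: {play['risk']}; this host is rated {asset['criticality']} criticality.\n"
        f"Risk to you: {severity}.\n"
        f"What we did: {play['action_taken']}.\n"
        f"What we need from you: ask {alert.user} ({user['role']}) to {play['ask_owner']}."
    )
    return Triage(alert.alert_id, severity, summary, escalated, (now - alert.detected_at) <= sla)


NOW = datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)  # constructed "current time" for the demo


def demo_alerts() -> list:
    """Constructed alerts: Dave's routine finance macro, a non-owner running a macro on the
    finance laptop, and an alert type with no playbook that also sat in the queue past the SLA."""
    return [
        Alert("A-1001", "macro_execution", "FIN-LT-017", "dave", NOW - timedelta(minutes=12),
              {"document": "Q1-forecast.xlsm"}),
        Alert("A-1002", "macro_execution", "FIN-LT-017", "alice", NOW - timedelta(minutes=5),
              {"document": "invoice.docm"}),
        Alert("A-1003", "new_admin_account", "ENG-LT-042", "alice", NOW - timedelta(hours=3)),
    ]


def triage_all(alerts, now=NOW) -> list:
    return [triage(a, now) for a in alerts]


if __name__ == "__main__":
    for t in triage_all(demo_alerts()):
        print(f"[{t.alert_id}] severity={t.severity} escalated={t.escalated} sla_met={t.sla_met}")
        print(t.summary, "\n")
```

Run it directly to see the three summaries. The design choice worth noting is that both lookups fail closed: an unknown host is scored as if it were critical, and an unknown alert type produces an escalation rather than a reassuring summary, so the automation only ever answers the questions it was actually taught to answer.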