Introductions... Share your story!

Hi All,

I’m happy to join this community. My name is thephisherman. I’m interested in threat intelligence, information security, and cybersecurity. Would love to get recommendations on great posts about those topics.

As you can tell from the username, I have taken a keen interest in phishing, the people behind it, the websites people are directed to and finding the phishing kits.

I am a career geek, having been in tech and support for about 15 years before turning to the cyber security field.

Look forward to learning and (trying!!) to help where I can.

Ryan

@thephisherman

Welcome to the community. Look forward to connecting with you and learning more about your skills.

What are your top 3 go-to phishing emails you use?

Hi everyone,

My name is Said and I am so happy to have the opportunity to learn more about cybersecurityqna and everyone here. I started pursuing my career in cybersecurity to learn the importance of security in our everyday lives. I’m really interested in security roles such as SOC analyst and cyber threat intelligence.

I’m looking forward to gaining as much knowledge as I can and having the opportunity to help and advance my career in any related field.

I am willing to do whatever it takes to learn, help, and start my journey with the right people and with what I am passionate about.

Thanks!

Welcome @saidmu95

Looking forward to some of your posts about your recent training, and how you can help educate others who are starting in this industry.

I don’t send the emails (although I will be starting to do that to test the awareness of employees in the very near future!), but I prefer to chase down the websites that are phishing, try to find out who is behind them, get them taken down and generally cheese the phishers off 🙂

There are changes going on in how some operate at the moment, which is interesting to watch.

@thephisherman

For example, what changes are you seeing?

You got me intrigued… share your wisdom.

Hi everyone,

My name is Stefan and I’m from New South Wales, Australia.

I’m originally from England and I’ve been in and around security operations for about 20 years: 15 years as an endpoint security specialist (Anti-Virus, Device Control, Application Control, Host Intrusion etc.) and around 5+ years now in SIEM technologies, security operations and the whole end-to-end people, process and technology found within security operations.

I’ve been a security analyst, security architect, practice lead, sales engineer and principal consultant and built a successful MSSP SOC (along with helping many other organisations do the same).

Currently looking for a new role (in talks with a SIEM vendor) after being made redundant back in June.

Happy to share knowledge where required.

Stefan

@Stefan that’s extremely interesting. What’s the best way to build an MSSP SOC for client acquisition in today’s marketplace?

Let me know how we can support your goals over the next 90 days.

That’s a good question Ben.

There are a few things to consider when approaching the Managed SOC market. Firstly, it’s a fast-growing market, so whatever you do needs to be a differentiator from the rest of the field. This is probably best answered in part by some Do’s and Don’ts, which I list below:

Do’s

  • Do scope out the local market, who are the current players, what do they offer, what’s their USP (Unique Selling Point)

  • If you currently operate as an MSP, talk to your existing customers and have a deep discovery session with them around their organisation’s profile: what are their perceived risks and threats, and what are their pain points in security monitoring currently (i.e. detection capability, staffing, experience, funding)

  • Do build a list of security threat use cases using the following workflow: Identify risk - create use case - identify required data sources (and validate they can send the required information in the logs) - method of detection - remediation plan

  • Do think long and hard about what your core SOC tool (the SIEM) is going to be, in conjunction with the identified use cases from the step above, which vendor platform will meet those needs (Hint: A SIEM that uses basic correlation won’t cut it). You will need a combination of static correlation rules, machine learning and behaviour analytics

  • Do take considerable time looking at how the SIEM vendor charges for their solution. I’m going to go out on a limb here and say that vendors who charge by ingestion are going out of fashion due to unpredictable costs, which result in customers having to reduce log source scope. It is far better to have a per-user-priced vendor, but do be aware of buying a solution that is constrained by sizing, e.g. one that can only handle X EPS (Events per Second) or X GB or TB per day, unless it is fully scalable and cost effective to do so. NOTE: Be very wary of vendors who will deliberately undersize just to gain business!

  • Do plan for Automation. I’m not just talking about post-detection and alert automation (e.g. SOAR); you should be looking at a SIEM that performs automation of the events that triggered the alert. There’s no value in having an alert trigger if the analysts then have to go and piece together all of the activity that led up to the alert

  • Do consider how you will handle multiple tenants (customers). Not all SIEMs are capable of multi-tenancy and, in fact, make sure you understand what multi-tenancy really means. There are many options, including: single platform - multi-tenant - SPOG (Single Pane of Glass) dashboard/view; single platform per tenant - SPOG; single platform per tenant - discrete dashboard per tenant; and probably a few iterations of these.

  • Do think about what the SIEM platform will be: physical appliance, virtual appliance or cloud based. Both physical and virtual appliance-based platforms bring challenges and costs associated with physical data centre racking or VM hosting; these are harder to scale, and some vendor solutions need dozens, if not hundreds, of appliances. Cloud-hosted solutions are the way forward: the management costs such as hosting, upgrading etc. are encompassed in the solution cost by the vendor, and native cloud solutions can scale automagically as you or your customers grow or see burst activity due to incidents etc.

  • Do ensure you have robust People, Process and Technology within your SOC, the right people doing the right job, with the right tools following clearly defined and most importantly, repeatable processes!

Don’ts

  • Don’t think you can offer a Managed SOC service where you simply ingest all of your customers’ data sources and expect to find stuff. This is absolutely 100% the wrong approach and you will fail. You should use a use-case-driven approach as mentioned in the Do’s section. Those use cases should be repeatable across all your customers; about 80-90% of all use cases apply to all customers, and the remainder is for bespoke, customer-specific use cases

  • Don’t skimp on resourcing. There are many roles you need to have to run a successful MSSP SOC, from Tier 1, 2 and 3 analysts through to threat hunters and content engineers. You may not need them all at once (build out as you grow), but make sure you have enough physical people to perform all the roles required from day one

  • Don’t overload your staff! In conjunction with a fully optimised SIEM solution and the correct number of staff, you should be generating no more than 10 incidents per analyst per day/per shift. Even then, that figure only allows 40 minutes per incident for investigation, triage and mitigation. Alert fatigue is the number one reason why SOCs have such high staff turnover

  • Don’t expect your analysts to come to the same conclusion when faced with the same alert! Use clearly defined processes and playbooks to ensure you achieve the same repeatable outcome each time

  • Don’t build your MSSP SOC on top of your parent organisation’s infrastructure. An MSSP SOC should be on its own network and infrastructure

  • Don’t build your MSSP SOC in the corner of an office! It should be a dedicated facility with proper segregation and access controls. A dedicated SOC should have a main SOC room, preferably with decent wall-mounted video screens showing primary SIEM information, one screen with a news channel feed, and decent lighting with limited inward visibility from external windows. You should also have a dedicated war room, an isolated malware analysis lab (if that’s a service you offer) and, if you can accommodate it, a limited viewing area for prospective customers (just be mindful of what can be viewed from that position)

That’s a few of my recommendations, Ben. Please feel free to pull this info out into a separate post or article; I would love to see other practitioners add their thoughts and recommendations also. I’ve been lucky enough to work for and with MSSP SOCs from small state-based providers through to huge global American-based telecoms giants, from Australia, throughout Asia and the UK and USA too.

Regards

Stefan
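A small added example (my own code, not Stefan’s or any vendor’s) that models the use-case workflow, per-tenant log-source coverage and the 10-incidents-per-analyst ceiling from the post above. All use cases, log sources and tenants are constructed and hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UseCase:
    # Follows the post's workflow: risk -> use case -> data sources -> detection -> remediation
    name: str
    risk: str
    required_sources: frozenset   # log sources that must be onboarded and validated
    detection: str                # method of detection
    remediation: str              # remediation plan / playbook

# Constructed, hypothetical catalogue; not from any real SIEM or customer.
CATALOGUE = [
    UseCase("Brute-force logon", "credential compromise",
            frozenset({"windows_security"}), "threshold correlation", "lock account, notify owner"),
    UseCase("Impossible travel", "account takeover",
            frozenset({"azure_ad_signin"}), "behaviour analytics", "revoke sessions, force MFA"),
    UseCase("Malware on endpoint", "endpoint compromise",
            frozenset({"edr"}), "static rule", "isolate host via EDR"),
    UseCase("Data exfil via DNS", "data loss",
            frozenset({"dns", "proxy"}), "volume anomaly (ML)", "block domain, investigate host"),
]

# Constructed tenants and the log sources each can actually forward today.
TENANTS = {
    "tenant_a": frozenset({"windows_security", "edr", "dns", "proxy", "azure_ad_signin"}),
    "tenant_b": frozenset({"windows_security", "edr"}),  # no cloud identity or DNS logs yet
}

def coverage(catalogue, tenant_sources):
    """Return (covered use-case names, {uncovered name: sorted missing log sources})."""
    covered, gaps = set(), {}
    for uc in catalogue:
        missing = uc.required_sources - tenant_sources
        if missing:
            gaps[uc.name] = sorted(missing)   # onboarding work before the use case is viable
        else:
            covered.add(uc.name)
    return covered, gaps

def shared_core(catalogue, tenants):
    """Use cases detectable at every tenant: the repeatable core to build and tune first."""
    covered_sets = [coverage(catalogue, sources)[0] for sources in tenants.values()]
    return set.intersection(*covered_sets) if covered_sets else set()

def analysts_needed(incidents_per_shift, max_per_analyst=10):
    """Minimum analysts on shift to stay at or under the post's ceiling of 10 incidents each."""
    return -(-incidents_per_shift // max_per_analyst)  # ceiling division
```

The gaps dictionary is the "validate they can send the required information" step made explicit: a use case is not offered to a tenant until every source it needs is onboarded.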

@Stefan that is awesome… I have reviewed this post a few times. I will move this post for you into a new post because it is a topic on its own. I am sure others will have comments and questions.

Thanks for sharing your experience; can’t wait to learn more from you.