Introduction
▪ Combined >60 years hands-on in cybersecurity operations
▪ SOCs of various sizes in commercial, research & development, and government industries
▪ Various roles including director, operations manager, researcher, analyst, responder, forensics, consultant
▪ Current or former MITRE
The 11 Strategies
Getting Started
• STRATEGY 1: Know What You Are Protecting and Why
• STRATEGY 2: Give the SOC the Authority to Do Its Job
Structure and Staffing
• STRATEGY 3: Build a SOC Structure to Match Your Organizational Needs
• STRATEGY 4: Hire AND Grow Quality Staff
The SOC should be able to put any cyber event it observes into constituency context so that it can effectively prioritize its actions.
… But use with care, precision and respect for constituency mission
Critical Balance: Bigger vs. Smaller
Bigger
▪ Consolidated authority, resourcing
▪ Ability to sustain coherent cadre of cyber & IT specialists, knowledge of threat
Smaller
▪ Visibility down to end asset, network
▪ Agility, relevancy, precision of response & countermeasures
(Slide figure, Strategy 4: hiring practices compared; recoverable labels:)
▪ Post open position
▪ Consider internal and external candidates
▪ Hire based primarily on degree / certs vs technical and power skills
▪ Celebrate positive changes
▪ Rant and struggle when they leave
#5: Prioritize Incident Response
(Slide figure: incident response lifecycle; recoverable labels:)
▪ Preparation: SOPs & Playbooks; Cyber Hygiene & Awareness
▪ Detection & Analytics: Bugs; User Reports & Escalations
▪ Incident Analysis Activities: Building timeline & COP; Reporting
▪ Response: Containment, Eradication & Recovery w/System Owners; Verification, Coordination w/System Owners
▪ Post-Incident: Adjustments & Planning in Sensoring, Detections, Analytics; Improved Raw Telemetry, Contextual Data & Analytics
(Slide figure: SOC tooling architecture; recoverable labels:)
▪ Host Sensors & Sources: Anti-Malware; Firewall; EDR; Remote Imaging/Forensics
▪ Network Sensors & Sources: Custom Detection; NetFlow & Traffic Metadata; Ad hoc capture & reconstruction; File carving
▪ SIEM + Big Data + UEBA + Enrich: Log Management; Ingest; Real-time & historical analytics; Near-real-time monitoring; Visualization; Reporting
▪ Threat Intel Platform (TIP): Finished intel repository; Adversary & campaign knowledgebase; Indicator curation
▪ Malware Detonation & File Analysis: Static analysis; Dynamic runtime analysis
▪ Case & Workflow Management: Ticketing; SOAR; Metrics & Reporting
▪ Flows between components: Ingest, Pivot, Escalate
Approach: Completely Open — Balanced — Completely Closed
Completely Open
▪ Same identity plane
▪ Same network
▪ Full integration
▪ Two-way communication
▪ Leverage data in place
▪ Shared situational awareness
▪ Select constituents participate in hunting & detections
Completely Closed
▪ Separate identity plane
▪ Highly-enclaved
▪ No integration
▪ One-way communication
▪ “Give us all your data”
▪ No shared reporting
▪ SOC does everything
#9: Communicate Clearly, Collaborate Often, Share Generously
▪ Within the SOC
▪ With stakeholders & constituents
▪ With broader cyber community
11 Strategies
▪ Released March 2022
▪ Follow-on to 1st edition from 2014
▪ Primary distribution is electronic
▪ $0 PDF: mitre.org/11Strategies
▪ Print on demand and EPUB available via Amazon and others
▪ Cost-neutral (0 profit)
▪ Neither MITRE nor co-authors profit from this book’s distribution
“Now, here, you see, it takes all the running you can do,
to keep in the same place. If you want to get somewhere
else, you must run at least twice as fast as that!”
The Red Queen to Alice, Lewis Carroll’s Through the Looking-Glass