
11 Strategies of a World-Class Cybersecurity Operations Center

Ingrid Parker and Carson Zimmerman presenting
Material also co-authored by Kathryn Knerler
SANS Blue Team Summit, October 2022

A World-Class SOC is one which excels at the things it is chartered to do, not one which tries to do all the things.

Introduction
▪ Combined >60 years hands-on in cybersecurity operations
▪ SOCs of various sizes in commercial, research & development, and government industries
▪ Various roles including director, operations manager, researcher, analyst, responder, forensics, consultant
▪ Current or former MITRE

Kathryn Knerler: Cybersecurity Solutions Innovation Center Department Manager & Cyber Architect, MITRE
Ingrid Parker: Intelligence Manager, Red Canary
Carson Zimmerman: M365 Security Response Investigations Team Lead, Microsoft

Required legal & disclaimers

This presentation incorporates elements of the work developed by The MITRE Corporation on behalf of the U.S. Government; public release case number 21-3946.
© 2014-2022 The MITRE Corporation. All rights reserved.

Not speaking on behalf of our employers past or present; any opinions expressed are our own.

The 11 Strategies

Getting Started
• STRATEGY 1: Know What You are Protecting and Why
• STRATEGY 2: Give the SOC the Authority to Do Its Job

Structure and Staffing
• STRATEGY 3: Build a SOC Structure to Match Your Organizational Needs
• STRATEGY 4: Hire AND Grow Quality Staff

Core Functions
• STRATEGY 5: Prioritize Incident Response
• STRATEGY 6: Illuminate Adversaries with Cyber Threat Intelligence

Data and Tools
• STRATEGY 7: Select and Collect the Right Data
• STRATEGY 8: Leverage Tools to Support Analyst Workflow

Connect and Evolve
• STRATEGY 9: Communicate Clearly, Collaborate Often, Share Generously
• STRATEGY 10: Measure Performance to Improve Performance
• STRATEGY 11: Turn up the Volume by Expanding SOC Functionality

#1: Know What You Are Protecting and Why

▪ Have a business mindset
▪ Be curious about your organization
▪ Support the development and maintenance of a composite asset inventory that goes beyond the traditional endpoint

The SOC should be able to put any cyber event it observes into constituency context so that it can effectively prioritize its actions.

#2: Give the SOC the Authority To Do Its Job

Charter and authorities saying the SOC has the support to:
1. Be the one (and only) organization responsible for cybersecurity incident detection & response across its designated constituency
2. Be the decision authority for cyber incident response: monitoring, redirecting, or blocking adversary actions
3. Participate in decision-making for incident prevention: patches, firewall blocks
4. Communicate directly with stakeholders: CIO, CISO, IT Ops, etc.
5. Acquire, engineer, deploy, operate, tune, and upgrade SOC tools
6. Collect, retain and share artifacts: network traffic, log data, hard drives, malware, cyber intel (tippers, indicators, reports)

… But use with care, precision and respect for constituency mission

#3: Build a SOC Structure to Match Your Org’s Needs

▪ SOCs from “additional duty” to nation coordination centers
▪ What functions to pick
▪ How to organize
▪ Physical location and remote work
▪ 24x7 coverage models
▪ Outsourcing: expectations and success factors

41 possible functions or services for a SOC: which will you choose?

Balancing size with agility and visibility

Bigger
▪ Consolidated authority, resourcing
▪ Ability to sustain coherent cadre of cyber & IT specialists, knowledge of threat

Critical Balance

Smaller
▪ Visibility down to end asset, network
▪ Agility, relevancy, precision of response & countermeasures

Consolidate & Synchronize SOC Elements

One Team, One Mission
▪ Detection & response
▪ Analytic tradecraft
▪ Unity of effort
▪ Economy of force
▪ Trust & camaraderie
▪ Shared situational awareness

Pursuing DevOps Culture

Anti-Patterns -> Patterns
▪ “Us versus them” -> Working together
▪ Requirements & solutions thrown over a brick wall -> Iterative requirement development, satisfaction
▪ Tools forced upon operators -> Joint decision-making
▪ Operators are “cowboys” -> Lightweight CM
▪ Beg, borrow, steal -> Designated budget
▪ Zero risk acceptance -> Managed risk profile

Potential Approaches:
▪ Ops simply owns engineering & budget
▪ Engineering resources permanently matrixed to ops
▪ Rotation between ops & engineering
▪ Requirements specialists in ops track projects & requirements

#4: Hire AND Grow Quality Staff

Anti-pattern cycle:
Post open position -> Hire externally based primarily on degree / certs -> Limit growth to keep staff in place -> Rant and struggle when they leave -> (repeat)

vs.

Pattern cycle:
Post open position -> Consider internal and external candidates -> Hire with both technical and power skills -> Enable growth opportunities -> Pre-plan for movement and continual learning -> Celebrate positive changes -> (repeat)

#4: Hire AND Grow Quality Staff

▪ Hiring well
  – Your organization’s reputation precedes you
  – Don’t overload job requirements
  – Many successful cyber professionals come from non-IT/CS backgrounds
  – Look internally
▪ Team member growth and encouraging them to stay
  – Pay fair market value
  – Support career progress, skill expansion as well as promotion
  – Evolve your SOC capabilities

Build your team as if they will be with you forever, while still preparing for their eventual departure.

#5: Prioritize Incident Response

▪ Anticipate types of incidents and plan
▪ Prioritize expertise
▪ Fully assess situation before acting:
  – User insight is valuable
  – Understand root cause and extent
  – Balance need to know more with need to act
▪ Take time to conduct lessons learned:
  – Feedback to inform improvement
  – Can spark change in the organization

#5: Prioritize Incident Response (incident lifecycle diagram)

▪ Preparation: SOPs & playbooks; planning
▪ Detection & analytics: user reports & escalations; contextual data & raw telemetry
▪ Incident analysis activities: building timeline & COP; reporting
▪ Response: containment, eradication & recovery w/ system owners; verification, coordination w/ system owners
▪ Post-incident response: bugs; adjustments in sensoring, detections, analytics; improved cyber hygiene & awareness

#6: Illuminate Adversaries with Threat Intelligence

▪ Everyone is doing it, you should too
▪ Cyber Threat Intelligence (CTI) should be actionable!
▪ Internal data is a form of threat intelligence
▪ Someone else’s cyber intel may not be yours
▪ Association vs Attribution of threats: what does your SOC really need?
▪ Moving beyond spreadsheets requires significant planning
▪ Integrate CTI and SOC tools / processes for maximum impact

#7: Select and Collect the Right Data

▪ Sources and retention should align with organizational priorities
  – Expand beyond network and endpoint to mobile, operational technology, and identity
  – Recognize the role of configuration, especially with cloud and software as a service (SaaS)
▪ It’s a balancing act
  – Tune, tune, and tune some more

Painting a Complete Picture for the Analyst

▪ For every alert:
  – Must be contextual data available to explain what happened
▪ For every telemetry source:
  – Must be a set of applicable detections and analytics
▪ Providing one without the other gives the illusion of monitoring and coverage
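As an added illustration of the two “must be” rules on this slide (example code written for this page, not from the slides or the book), the following Python checks a constructed inventory of telemetry sources and detections for the two gaps the slide warns about: telemetry that nothing reads, and alerts that carry no context an analyst could use to explain them. The source names, detection names and the minimum context set `REQUIRED_CONTEXT` are assumptions made for the example; a real SOC would load these from its detection catalog and data-onboarding records.

```python
"""Coverage-gap check for a SOC monitoring program (added example).

Two checks drawn from the "Painting a Complete Picture" slide:
  1. every onboarded telemetry source should have at least one detection
     or analytic that consumes it (otherwise: illusion of coverage);
  2. every alert should carry contextual data (asset, identity, intel)
     that lets an analyst explain what happened (otherwise: illusion of
     monitoring).
All inventory data below is constructed sample data, not from a real SOC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    name: str
    sources: frozenset   # telemetry sources this detection reads
    context: frozenset   # enrichment fields its alerts carry


# Constructed sample: telemetry sources the SOC believes it is collecting.
TELEMETRY_SOURCES = {
    "edr", "firewall", "proxy", "dns", "identity_provider",
    "cloud_audit", "saas_config", "mobile_mdm",
}

# Constructed sample detections. Two sources above have nothing reading
# them, and two detections raise alerts without the context an analyst needs.
DETECTIONS = [
    Detection("suspicious_process_tree", frozenset({"edr"}),
              frozenset({"asset", "identity"})),
    Detection("rare_outbound_port", frozenset({"firewall", "dns"}),
              frozenset({"asset", "intel"})),
    Detection("impossible_travel", frozenset({"identity_provider"}),
              frozenset({"identity", "asset"})),
    Detection("public_bucket_created", frozenset({"cloud_audit"}),
              frozenset()),
    Detection("proxy_beacon_periodicity", frozenset({"proxy"}),
              frozenset({"asset", "identity", "intel"})),
]

# Assumed minimum context every alert must carry to be explainable.
REQUIRED_CONTEXT = frozenset({"asset", "identity"})


def sources_without_detections(sources, detections):
    """Telemetry that is collected but never used by any detection."""
    used = set().union(*(d.sources for d in detections))
    return sorted(sources - used)


def detections_on_missing_sources(sources, detections):
    """Detections that reference a source nobody is actually collecting."""
    return sorted(d.name for d in detections if not d.sources <= sources)


def detections_lacking_context(detections, required=REQUIRED_CONTEXT):
    """Detections whose alerts lack required context, with what is missing."""
    return {d.name: sorted(required - d.context)
            for d in detections if required - d.context}


def coverage_report(sources, detections):
    """Bundle the three checks into one report an engineering lead can act on."""
    return {
        "unused_sources": sources_without_detections(sources, detections),
        "detections_on_missing_sources":
            detections_on_missing_sources(sources, detections),
        "context_gaps": detections_lacking_context(detections),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(coverage_report(TELEMETRY_SOURCES, DETECTIONS), indent=2))
```

Run against the constructed inventory, the report lists `mobile_mdm` and `saas_config` as collected-but-unused (exactly the mobile and SaaS-configuration sources strategy #7 says to expand into), and flags `public_bucket_created` and `rare_outbound_port` as alerts an analyst could not fully explain without further digging.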

#8: Leverage Tools to Support Analyst Workflow

▪ Plan investments in core tech
▪ Engineer to ops’ requirements
▪ Resist “ooh shiny”
▪ Maximize technology $
▪ Practice continual improvement over lifetime of tool
▪ Dedicate resources to tuning & analytics
▪ Build custom use cases to environment
▪ Integrate them into one coherent architecture and workflow

Notional SOC Architecture: Data and Analyst Workflow Focus

The diagram shows the SOC’s data sources and tools connected by ingest, enrich, pivot and escalate flows; the analyst’s question “Where do I start?” is answered by pivoting across these components.

Event-based Data Sources: Firewalls & Proxies; Applications; IoT/ICS/SCADA; Mobile, Cloud
Asset Knowledge Management: Business information; Patch and config status; Risk scoring
Cyber Threat Intel: IoC feeds; Incoming tips from other SOCs; Finished reporting
Host Sensors & Sources: Anti-Malware; Firewall; EDR; Remote Imaging/Forensics
SIEM + Big Data + UEBA + Log Management: Real-time & historical analytics; Near-real-time monitoring; Visualization; Reporting
Threat Intel Platform (TIP): Finished intel repository; Adversary & campaign knowledgebase; Indicator curation
Network Sensors & Sources: NetFlow & Traffic Metadata; Ad hoc capture & reconstruction; File carving
Custom Detection
Malware Detonation & File Analysis: Static analysis; Dynamic runtime analysis
Case & Workflow Management: Ticketing; SOAR; Metrics & Reporting

Balancing Sharing & Protection

Completely Open:
▪ Same identity plane
▪ Same network
▪ Full integration
▪ Two-way communication
▪ Leverage data in place
▪ Shared situational awareness
▪ Select constituents participate in hunting & detections

Completely Closed:
▪ Separate identity plane
▪ Highly-enclaved
▪ No integration
▪ One-way communication
▪ “Give us all your data”
▪ No shared reporting
▪ SOC does everything

Balanced Approach: between these two extremes

#9: Communicate Clearly, Collaborate Often, Share Generously

▪ Within the SOC
▪ With stakeholders & constituents
▪ With broader cyber community

#10: Measure Performance to Improve Performance

Measurement pipeline:
▪ Business Objectives: why measure
▪ Data Sources and Collection: what the SOC knows and does that can be measured
▪ Data Synthesis: combine the why and the what to generate meaning
▪ Reporting: present metrics for consumption by stakeholders
▪ Decision-making and Action: how metrics are used

▪ Goals:
  – Drive & demonstrate success, value, consistency
  – Drive positive behaviors
▪ Metrics for internal SOC consumption:
  – System & tool health
  – Detection program & alerting
▪ Externally-facing metrics:
  – Mean/median time to *
  – Coverage depth & breadth
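To make “mean/median time to *” concrete, here is an added Python example (not from the slides or the book) that computes time to detect, time to acknowledge and time to contain per severity from constructed incident records. The record field names and the three metric definitions are assumptions for the example. Reporting the median beside the mean matters because a single slow detection pulls the mean far from the typical case, and an incident that is still open has no containment time yet, so the code counts it separately instead of dropping it silently.

```python
"""Mean/median time-to-* metrics from incident records (added example).

Computes, per severity:
  time_to_detect      = first adversary activity -> alert raised
  time_to_acknowledge = alert raised -> analyst picked it up
  time_to_contain     = alert raised -> containment complete
Records are constructed sample data with ISO 8601 UTC timestamps; a
`contained` value of None means the incident is still open.
"""
from datetime import datetime
from statistics import mean, median

# Constructed sample incidents. INC-4 is a deliberately slow detection and
# INC-3 is still open, to show why mean, median and open-count all matter.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "first_activity": "2022-10-01T08:00:00",
     "alerted": "2022-10-01T09:00:00", "acknowledged": "2022-10-01T09:10:00",
     "contained": "2022-10-01T12:00:00"},
    {"id": "INC-2", "severity": "high", "first_activity": "2022-10-02T01:00:00",
     "alerted": "2022-10-02T04:00:00", "acknowledged": "2022-10-02T04:30:00",
     "contained": "2022-10-02T06:30:00"},
    {"id": "INC-3", "severity": "low", "first_activity": "2022-10-03T10:00:00",
     "alerted": "2022-10-03T10:05:00", "acknowledged": "2022-10-03T16:05:00",
     "contained": None},
    {"id": "INC-4", "severity": "high", "first_activity": "2022-10-04T00:00:00",
     "alerted": "2022-10-05T00:00:00", "acknowledged": "2022-10-05T00:20:00",
     "contained": "2022-10-05T10:00:00"},
]

# Metric name -> (start field, end field); assumed definitions for the example.
METRICS = {
    "time_to_detect": ("first_activity", "alerted"),
    "time_to_acknowledge": ("alerted", "acknowledged"),
    "time_to_contain": ("alerted", "contained"),
}


def _minutes(start, end):
    """Elapsed minutes between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def metric_summary(incidents, metric, severity=None):
    """Mean and median (minutes) for one metric, optionally filtered by severity.

    Incidents whose end timestamp is None (still open) are excluded from the
    mean/median but reported in `open` so they are not silently lost.
    """
    start_field, end_field = METRICS[metric]
    selected = [i for i in incidents
                if severity is None or i["severity"] == severity]
    samples = [_minutes(i[start_field], i[end_field])
               for i in selected if i[end_field] is not None]
    open_count = len(selected) - len(samples)
    if not samples:
        return {"n": 0, "open": open_count, "mean_min": None, "median_min": None}
    return {"n": len(samples), "open": open_count,
            "mean_min": round(mean(samples), 1),
            "median_min": round(median(samples), 1)}


def scorecard(incidents):
    """Every metric broken out by severity, ready for a stakeholder report."""
    severities = sorted({i["severity"] for i in incidents})
    return {m: {sev: metric_summary(incidents, m, sev) for sev in severities}
            for m in METRICS}


if __name__ == "__main__":
    import json
    print(json.dumps(scorecard(INCIDENTS), indent=2))
```

On the constructed data the high-severity mean time to detect is 560 minutes while the median is 180: one day-late detection (INC-4) triples the mean, which is the kind of distortion the slide’s “mean/median” pairing is meant to expose rather than hide.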

#11: Turn Up the Volume by Expanding SOC Functionality

▪ Hunting
  – Structure & repeatability
  – Successful outcomes
▪ Exercising the SOC
  – Red & purple teaming
  – BAS
  – TTX
▪ Malware analysis capability
  – How to get started
  – Increasing ramp of capability and sophistication
▪ Digital forensics
▪ Deception

11 Strategies
▪ Released March 2022
▪ Follow-on to 1st edition from 2014
▪ Primary distribution is electronic
▪ $0 PDF: mitre.org/11Strategies
▪ Print on demand and EPUB available via Amazon and others
▪ Cost-neutral (0 profit)
▪ Neither MITRE nor co-authors profit from this book’s distribution

Conclusion & Questions

“The future has already arrived. It’s just not evenly distributed yet.”
William Gibson

“Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”
The Red Queen to Alice, Lewis Carroll’s Through The Looking-Glass

Thanks to MITRE for making this book possible!
