Security Operations Center (SOC)

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

Top Answer: Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.

Does the concept of Attack Surface Management vs. Attack Surface Analysis make sense to you?

Top Answer: Speaking from a security standpoint, the two terms mean different things and they should be distinguished. Attack Surface Analysis is an analysis of the number of exploitable vulnerabilities. It can be used by both sides to discover weaknesses in a system. You start by scanning the target for vulnerabilities and then checking which ones have exploits available, and you choose the attack vector. OWASP has an attack surface analysis cheat sheet. Attack Surface Management is the process of discovery/reconnaissance, inventorying, classification and monitoring of the systems. This is more on the offensive (attacker) side point of view. You are looking at what IT assets are exposed inside the organization and to the internet.
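As an added illustration of the discover / inventory / classify / monitor cycle the answer describes (example code written for this page, not from OWASP or any of the answerers): two constructed scan snapshots are normalised into an inventory, each asset is classified by whether it sits in the organisation's own public address range and exposes a service that should not be internet-reachable, and the monitoring step reports drift between the two snapshots. The address ranges, hosts, services and owners are all constructed sample data.

```python
"""Minimal attack-surface inventory: discover (from constructed scan
records), inventory, classify exposure, and monitor drift between two
snapshots. Added illustration for this page; all data is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed: the organisation's own internet-facing allocation. Exposure
# is decided against this list rather than ipaddress.is_private, because
# documentation ranges such as 203.0.113.0/24 are flagged private there.
INTERNET_FACING_RANGES = [ip_network("203.0.113.0/24")]

# Constructed "discovery" records as a scanner or CMDB export might return
# them at two points in time: (host, port, service, owner).
SNAPSHOT_MONDAY = [
    ("203.0.113.10", 443, "https", "web-team"),
    ("203.0.113.10", 22, "ssh", "web-team"),
    ("10.0.5.20", 3389, "rdp", "it-ops"),
    ("10.0.5.21", 445, "smb", "it-ops"),
]
SNAPSHOT_FRIDAY = [
    ("203.0.113.10", 443, "https", "web-team"),
    ("203.0.113.10", 22, "ssh", "web-team"),
    ("203.0.113.11", 3389, "rdp", None),   # new, unowned, internet-facing
    ("10.0.5.20", 3389, "rdp", "it-ops"),
    ("10.0.5.22", 445, "smb", "it-ops"),   # new internal host
]

# Services a defender would not expect to find reachable from the internet.
HIGH_RISK_INTERNET_SERVICES = {"rdp", "smb", "telnet", "ssh"}


@dataclass(frozen=True)
class Asset:
    host: str
    port: int
    service: str
    owner: Optional[str]

    @property
    def internet_facing(self) -> bool:
        # Classification step: is the host inside our public allocation?
        addr = ip_address(self.host)
        return any(addr in net for net in INTERNET_FACING_RANGES)

    @property
    def exposure_class(self) -> str:
        if self.internet_facing and self.service in HIGH_RISK_INTERNET_SERVICES:
            return "critical"
        if self.internet_facing:
            return "external"
        return "internal"


def inventory(records) -> set[Asset]:
    """Inventory step: normalise raw discovery tuples into Asset objects."""
    return {Asset(h, p, s, o) for h, p, s, o in records}


def classify(assets) -> dict[str, list[Asset]]:
    """Group assets by exposure class for reporting."""
    buckets: dict[str, list[Asset]] = {"critical": [], "external": [], "internal": []}
    for a in sorted(assets, key=lambda a: (a.host, a.port)):
        buckets[a.exposure_class].append(a)
    return buckets


def monitor(previous, current) -> list[str]:
    """Monitoring step: report drift between two inventories as findings."""
    before, after = inventory(previous), inventory(current)
    key = lambda a: (a.host, a.port)
    findings = []
    for a in sorted(after - before, key=key):
        note = f"NEW {a.exposure_class.upper()} {a.service}/{a.port} on {a.host}"
        if a.owner is None:
            note += " (no owner recorded)"
        findings.append(note)
    for a in sorted(before - after, key=key):
        findings.append(f"GONE {a.service}/{a.port} on {a.host}")
    return findings


if __name__ == "__main__":
    for finding in monitor(SNAPSHOT_MONDAY, SNAPSHOT_FRIDAY):
        print(finding)
```

Run as-is it reports the new internal SMB host, the new unowned internet-facing RDP service as critical, and the host that disappeared between snapshots. In practice the snapshots would come from your scanner or CMDB and the public range list from your address allocations; the point is that classification and drift detection are what turn a one-off analysis into ongoing management.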

Security Operations Center (SOC) High Level Overview

How are decision-makers running their SOC (if they have one)? Benchmark against your peers.

How does third-party risk complicate your operations?

Top Answer: In a past role, there was malware that appeared on our network and we weren't sure how it got there at first. It was wormable and it had propagated itself to a number of systems. After investigating, we found our patient zero: a network sniffer that was portable. The sniffer was maintained by the network engineering team, who had a contract with a third party. The third party would have these portable sniffers sitting on a shelf and they would ship them out to wherever they were needed. And they had a fourth party that was responsible for maintaining the image on those devices. They would get re-imaged each time they got sent back. But the fourth party had a malware compromise in their environment, so when they rebuilt the appliance on their network, the malware propagated to it. So that was a fun conversation to have with both the third and fourth party because we had to tell them, "You need to clean up your stuff."

How can organizations adapt their security policies to create better protections against ransomware?

Top Answer: A "bring your own device" policy is asking for trouble. I understand the flexibility that it offers, but it's almost impossible to protect every asset an employee can bring in. Instead of protecting ourselves, we create more opportunities for criminals. Another policy that creates opportunities for attacks is allowing employees to download any software. At a former organization, I could buy any software on my own and install it on my laptop; nobody controlled that. As a part of the enterprise architecture, I created an architecture review board that was required to approve any software. It was good because people were sharing this information with us honestly. We tried to monitor who was using what, but it was very difficult to catch every possible scenario, especially when engineering teams were bringing in 4-5 new tools every week. It's a challenge when we give employees so much flexibility that we don't have enough mechanisms for proper control and monitoring. We need policies to provide more guidance on what is allowed and what is not allowed.

If these companies were affected, then the foundation of computing could be at risk. If you could manipulate the hardware layer via the firmware, BIOS, etc., then a threat actor could weaponize well below the operating system, which brings into question the integrity of the entire computing stack and everything above it. The firmware and BIOS are like the rebar and concrete for a building. If that foundation is weak, then the entire structure and anything dependent on it is at risk. We cannot underestimate the potential or the severity of these companies being potentially affected by the SolarWinds hack and what that means for the foundational computing hardware they provide to the world. What do others think? How could this impact your organization? Big tech companies including Intel, Nvidia, and Cisco were all infected during the SolarWinds hack - The Verge

Top Answer: The message here is: one is never out of the woods ever, so pay attention! Just because today's news eclipses yesterday's doesn't mean companies get to shove the bad under the rug and stay silent. Remember, vulnerabilities discovered 10-15 years back are still at the top of the list of the most exploited.