• Is your SOC effective?
• How can you improve your SOC?
• Is your SOC mature?
• What sensors do you have? Are they enough for threat detection?
• What logs and data are you gathering?
• Do you enrich your data?
• How do you enrich your data?
• Is your incident management working properly?
• Do you have threat management?
10/7/2018 RezZaAdineH 2
Let's check out some more important questions:
• 1st of all, what do you need to protect?
• 2nd, how do you want to protect it?
• 3rd, do you have enough visibility into what is happening?
• 4th, can you protect your assets from new threats? How about existing threats?
• 5th, can you predict the future? What is going on?
Check the overall steps you should take:
1. Do threat management
2. Implement castle approaches, and avoid single points of failure (SPF)
3. Plan and implement a high-protection topology
4. Tune all of your sensors
5. Prioritize your sensors
6. Gather all data
7. Use ML- and AI-based solutions
8. Use threat intelligence and enrich logs and data
9. Do threat hunting
10. Do cyber exercises regularly and make improvements
11. Use a maturity model for best effort
How to effectively manage incidents?
• If you don't have enough tools, you cannot find out what's going on
• So, first of all, solve the lack of technology and use practical tools to increase visibility
• Apply a good, detailed process for operating those tools, run by experienced and knowledgeable people
Methodologies of Incident Management:
• "Incident Handler's Handbook”, SANS Institute 2011
• "Computer Security Incident Handling Guide„NIST 2012
• "Strategies for incident response and cyber crisis cooperation", ENISA 2016
• „CSIRT Services Framework”, Forum of Incident Response and Security Teams
• „SIM3 : Security Incident Management Maturity Model”, S-CURE and PRESECURE
Complex and time consuming
How to effectively manage incidents?
"(…) Multilayered security and use of user and entity behavior analytics will become a requirement for virtually every enterprise."
More information:
http://www.gartner.com/smarterwithgartner/gartners-top-10-technology-trends-2017/
The problem
User-based threats are on the rise:
• 69% of organizations report incidents of attempted data theft — by
internal threats.
• 81% of breaches involve stolen or weak credentials.
• 91% of firms report inadequate insider threat detection programs.
Verizon Data Breach Investigations Report, 2017
Detect and Respond to Anomalous User Behavior
with Security Analytics and Machine Learning
• To avoid a data breach, your organization must detect and respond
quickly to anomalous activity. User and entity behavior analytics
(UEBA) can help you monitor for known threats and behavioral
changes in user data, providing critical visibility to uncover user-based
threats that might otherwise go undetected.
User & Entity Behavior Analytics (UEBA)
• User behavior analytics as defined by Gartner is a cybersecurity
process about detection of insider threats, targeted attacks, and
financial fraud.
• UBA solutions look at patterns of human behavior, and then apply
algorithms and statistical analysis to detect meaningful anomalies
from those patterns—anomalies that indicate potential threats.
Instead of tracking devices or security events, UBA tracks a system's
users. Big data platforms like Apache Hadoop are increasing UBA
functionality by allowing them to analyze petabytes worth of data to
detect insider threats and advanced persistent threats.
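The per-user baseline and anomaly scoring described above, as an added illustration that is not part of the original slides and not any vendor's UBA product: it builds each user's own logon-hour and host baseline from constructed sample events, then scores new events against that baseline. Event data, user names, hosts and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample logon events (user, host, ISO-8601 timestamp); not real data.
BASELINE_EVENTS = [
    ("alice", "ws-alice", "2018-10-01T09:02:00"), ("alice", "ws-alice", "2018-10-02T09:15:00"),
    ("alice", "ws-alice", "2018-10-03T10:01:00"), ("alice", "ws-alice", "2018-10-04T08:48:00"),
    ("alice", "ws-alice", "2018-10-05T09:30:00"),
    ("bob", "ws-bob", "2018-10-01T14:10:00"), ("bob", "ws-bob", "2018-10-02T13:55:00"),
    ("bob", "fs-01", "2018-10-03T15:05:00"), ("bob", "ws-bob", "2018-10-04T14:20:00"),
]
NEW_EVENTS = [
    ("alice", "ws-alice", "2018-10-08T09:05:00"),    # normal for alice
    ("alice", "fs-01", "2018-10-08T03:12:00"),       # off-hours and never-seen host
    ("bob", "fs-01", "2018-10-08T14:40:00"),         # normal for bob
    ("mallory", "ws-alice", "2018-10-08T11:00:00"),  # account with no history at all
]

def build_baselines(events):
    """Per user: hosts previously used, plus mean and std of logon hour-of-day.
    Hour is treated linearly (a simplification that wraps badly around midnight)."""
    hosts, hours = defaultdict(set), defaultdict(list)
    for user, host, ts in events:
        hosts[user].add(host)
        hours[user].append(datetime.fromisoformat(ts).hour)
    # Floor the std at one hour so a very regular user does not get flagged by noise.
    return {u: {"hosts": hosts[u], "mean_hour": mean(hours[u]),
                "std_hour": max(pstdev(hours[u]), 1.0)} for u in hosts}

def score_event(baselines, user, host, ts):
    """Score one event against the user's own baseline; higher means more anomalous."""
    b = baselines.get(user)
    if b is None:
        return 3, ["no baseline for this account"]
    score, reasons = 0, []
    z = abs(datetime.fromisoformat(ts).hour - b["mean_hour"]) / b["std_hour"]
    if z > 2.0:
        score += 2
        reasons.append(f"logon hour deviates from baseline (z={z:.1f})")
    if host not in b["hosts"]:
        score += 1
        reasons.append(f"first logon to host {host}")
    return score, reasons

def detect(baselines, events, threshold=2):
    """Return the events whose score reaches the threshold, with the reasons."""
    hits = []
    for user, host, ts in events:
        score, reasons = score_event(baselines, user, host, ts)
        if score >= threshold:
            hits.append((user, host, ts, score, reasons))
    return hits
```

Running `detect(build_baselines(BASELINE_EVENTS), NEW_EVENTS)` flags the off-hours logon from alice to a new host and the unknown account, and leaves the two routine logons alone; a real deployment would use far more features and a longer history, but the baseline-then-deviation structure is the same.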
With UEBA, your team can:
• Collect and prepare data from diverse sources to provide clean sets for effective
analytics.
• Obtain a true view of the identity of users and hosts — not just their disparate
identifiers.
• Detect known and unknown threats by applying full-spectrum analytics.
• Accelerate threat qualification and investigation with powerful data visualizations
and direct access to underlying data.
• Streamline response using integrated playbooks, guided workflows, and approval-
driven task automation.
• Use artificial intelligence (AI) and machine learning (ML) technologies to improve
time to detect and respond to threats.
Example:
• Splunk UBA is a machine-learning-driven solution that helps organizations find hidden threats and anomalous behavior across users, devices, and applications. ... Splunk UBA visualizes the threat over a kill chain, thereby providing contextual awareness, along with supporting evidence for SOC analysts to consume.