Name: 有效的 SOC 管理和事件響應 (Effective SOC Management and Incident Response)
Uploaded: 2024-08-10T20:50:54.000Z
Duration: 56 min 56 s

Did you know that you can be part of the lucrative cyber security industry?

您知道您可以加入利潤豐厚的網絡安全行業嗎？

程度副詞

Even top companies like Google, Microsoft, Amazon, IBM, Facebook, and Dell all hire cyber security professionals.

即使是谷歌、微軟、亞馬遜、IBM、Facebook 和戴爾這樣的頂級公司，也都會聘用網絡安全專業人員。

The cyber security industry has a 0% unemployment rate.

The average salary for an entry level cyber security job is about $100,000 per year in the United States.

在美國，初級網絡安全工作的平均年薪約為 100,000 美元。

Furthermore, you don't need to know coding and learn from your home, and you get a scholarship to kick start your career.

此外，你不需要懂編碼，在家就能學習，還能獲得獎學金，開啟你的職業生涯。

EC Council is pledging a $3.5 million CCT scholarship for cyber security career starters.

歐洲委員會理事會承諾為網絡安全職業新手提供 350 萬美元的 CCT 獎學金。

Scan the QR code on the screen to apply for the scholarship.

掃描螢幕上的二維碼申請獎學金。

Hello everyone, and welcome to today's session, Effective Soft Management and Incident Response.

大家好，歡迎參加今天的會議：有效的軟管理和事件響應。

I'm Shilpa Goswami, and I'll be your host for the day.

我是希爾帕-戈斯瓦米，今天由我來主持。

Before we get started, we would like to go over a few house rules.

在開始之前，我們想先談一下一些內部規則。

For our attendees, the session will be in listen-only mode and will last for an hour, out of which the last 10 minutes will be dedicated to Q&A.

對於我們的與會者來說，會議將採用只聽模式，持續一個小時，其中最後 10 分鐘將用於問答。

If you have any questions during the webinar to organizers or our speaker, use the Q&A window.

如果您在網絡研討會期間向組織者或主講人提出任何問題，請使用問答窗口。

Also, if you face any audio or video challenges, please check your internet connections or you may log out and log in again.

此外，如果您遇到任何音頻或視頻問題，請檢查您的網絡連接，或者您可以退出並重新登錄。

An important announcement for our audience.

As a commitment to closing the cyber security workforce gap by creating multi-domain cyber technicians, EC Council pledges $3.5 million towards CCT education and certification scholarship to certify approximately 10,000 cyber professionals ready to contribute to the industry.

作為通過培養多領域網絡技術人員來彌補網絡安全人才缺口的承諾，歐洲委員會理事會承諾為 CCT 教育和認證獎學金提供 350 萬美元，以認證約 10,000 名網絡專業人員，使他們能夠為該行業做出貢獻。

If you want to know more, kindly visit our website given in the chat section.

如果您想了解更多資訊，請訪問我們在哈拉部分提供的網站。

Also, we would like to announce to audiences about the special handouts.

此外，我們還想向觀眾宣佈一些特別的派送活動。

Take the screenshot of the running webinar and post in your social media LinkedIn, Twitter tagging, EC Council, and hashtag CyberTalks.

截取網絡研討會的運行截圖併發布到您的社交媒體 LinkedIn、Twitter 標記、EC Council 和 hashtag CyberTalks 上。

We will share free handouts to first 15 audience.

我們將向前 15 名觀眾免費派發講義。

Our speaker for today's session, Randy Thomas.

今天會議的主講人是蘭迪-托馬斯。

He is responsible for the SOC security product development, which includes detection as code,

他負責 SOC 安全產品開發，其中包括代碼檢測、

DIFI, incident command, vulnerability management, threat intelligence, driven security operations, threat hunting, and offensive security at Syntex, a leading managed cloud provider.

在領先的託管雲提供商 Syntex 負責 DIFI、事件指揮、漏洞管理、威脅情報、驅動型安全營運、威脅獵取和攻擊性安全。

He has over 21 years of experience in enterprise cyber security in a wide range of environments, including the US military and intelligence, commercial e-com, detail, and MSSP, MSSSP markets.

他在企業網絡安全領域擁有超過 21 年的豐富經驗，涉及美國軍事和情報、商業電子商務、細節以及 MSSP 和 MSSSP 市場等多種環境。

He leverages his combined 28 plus years of enterprise IT experience and 18 years of experience in DevOps, DevSecOps, SOC, security engineering, and software development to deliver high quality security products and solutions.

他擁有 28 年以上的企業 IT 經驗和 18 年的 DevOps、DevSecOps、SOC、安全工程和軟件開發經驗，能夠提供高質量的安全產品和解決方案。

Without any further delay, I will hand over the session to you, Randy.

蘭迪，不再耽擱，我將把會議交給你。

Thank you for taking this time to join the webinar, either live or later recorded.

感謝您抽出寶貴時間參加網絡研討會，無論是現場直播還是稍後的錄製。

Today, we're going to talk about management and leadership in security operations.

今天，我們來談談安全營運中的管理和領導力。

As with all things cyber security, it is iterative and you're always learning, regardless of your role and position inside of a SOC.

與所有網絡安全工作一樣，無論你在 SOC 中擔任什麼角色和職位，都需要不斷迭代和學習。

Overview of what we're going to discuss, we're going to talk about what is a SOC, that varies.

綜上所述，我們要討論的是什麼是 SOC，這一點各不相同。

What are the business cases that you're using to defend your organization?

您用什麼業務案例來為您的組織辯護？

Give an example and talk through a threat intelligence driven SOC lifecycle, something that can be done regardless of your maturity.

舉例說明威脅情報驅動的 SOC 生命週期，無論您的成熟度如何，都可以做到這一點。

Go into some measures of effectiveness so you can know where you're at and know where you're going.

對成效進行一些衡量，這樣你就能知道自己的現狀，也能知道自己的未來。

And give an example of iterative growth of a SOC.

And this is from a personnel progression, personnel growth standpoint.

這是從人員進步、人員成長的角度來看的。

And then have some further research for you that are interested, either are in a leadership position or interested in it, or just want to know how leaders in operations think.

然後為有興趣的人提供一些進一步的研究，這些人可能正擔任領導職務或對此感興趣，或者只是想了解營運領域的領導者是如何思考的。

So I've seen SOCs that have been everything from a SIM tool in an IT shop of one person to actually being responsible for not only the security operations, but the digital forensics, incident response, the threat intelligence work, the hunt work, building cyber threat intelligence products, offensive security, vulnerability management, SIM operation, and maybe engineering.

是以，我所見過的 SOC 從一個人的 IT 部門中的 SIM 工具，到實際上不僅負責安全營運，還負責數字取證、事件響應、威脅情報工作、狩獵工作、構建網絡威脅情報產品、攻擊性安全、漏洞管理、SIM 操作，甚至工程。

And likewise for EDR and other platforms.

同樣，EDR 和其他平臺也是如此。

In my background, I've had to do the extremes there.

在我的背景中，我不得不做一些極端的事情。

So understanding what your responsibilities are, very important.

是以，瞭解自己的責任非常重要。

So another area that you want to look at as a security operations leader is at some point to create a charter and write down your roles, your responsibilities, and really the limits of what the SOC can do.

是以，作為安全營運領導者，您需要關注的另一個方面是，在某些時候創建一個章程，並寫下您的角色、責任以及 SOC 的真正權限。

And that can cover a lot of things, and you want that to be an iterative and a learning or a living document, and not just let it sit on a shelf.

它可以涵蓋很多內容，你希望它成為一個迭代、學習或有生命力的文件，而不是讓它束之高閣。

It should be something you come back and look at, whether it be during exercises or during actual incidents.

無論是在演習中還是在實際事件中，這都應該是你回來查看的東西。

And it should be communicated across your organization with IT, with legal, with corporate communications, what have you.

此外，還應在整個組織內與信息技術部門、法律部門、企業傳播部門等進行溝通。

They help reduce ambiguity where it exists, because as a security operations professional, you will deal with lots of ambiguity, lots of events that you cannot plan for.

它們有助於減少存在的模糊性，因為作為一名安全營運專業人員，你將處理大量的模糊性，處理大量你無法計劃的事件。

So when you can plan and can organize, do yourself a favor in your team and do that.

所以，當你能計劃、能組織時，就幫自己的團隊一個忙，去做這件事。

And that always is something you iterate on.

而這始終是你需要反覆斟酌的問題。

So again, wherever we can, being proactive, being responsive is very important.

是以，在我們力所能及的範圍內，積極主動、有求必應同樣非常重要。

As a leader, it's important when you give directions and intent that you are not changing that constantly.

作為領導者，當你下達指令和意圖時，重要的是不要不斷改變指令和意圖。

We'll talk more about the OODA loop later, you know, observe, orient, decide, and act.

我們稍後會詳細討論 OODA 循環，即觀察、定位、決定和行動。

It's also important to either, one, establish, or two, take what is there and curate it so you look at your responsibilities, your roles.

同樣重要的是，一是要建立，二是要把現有的東西加以整理，這樣你就能看到自己的責任和角色。

A RACI matrix is a very good way to do that.

RACI 矩陣就是一個很好的方法。

If you're in the MSP, Managed Service Provider, Managed Security Service Provider space, such as

如果您是 MSP、託管服務提供商、託管安全服務提供商，例如

Syntax is, we have to have those with each of our customers.

文法是，我們必須與我們的每一位客戶進行溝通。

You also should build workflows that are accurate and reflect not only the RACI, but how that actually works in practice.

您還應該建立準確的工作流程，不僅要反映 RACI，還要反映實際工作中的實際情況。

It's very important that you take these things in mind and you always have the iterative life cycle development process.

重要的是，你要牢記這些事情，並始終堅持迭代生命週期開發流程。

Everything you do affects other aspects of the organization.

你所做的一切都會影響到組織的其他方面。

You know, think of it as throwing a boulder in a pond and the ripples in the water.

你知道，就像把一塊巨石扔進池塘，水面會泛起漣漪。

So, you have to be intentional about what you do.

Also, highly recommend operational exercises in the environment.

此外，強烈建議在環境中進行操作演練。

Internal to start with, internal to SOC, you know, expand it to security engineering if there is a security engineering organization.

從內部開始，從 SOC 內部開始，如果有安全工程組織，還可以擴展到安全工程。

That could be different departments, different divisions, and then look at doing it with customers as well, especially if you have customer environments, particularly in MSSPs, where there is split roles and responsibilities across not only the customer, but inside the SOC as an MSSP as well.

這可以是不同的部門、不同的分部，也可以是客戶，特別是如果你有客戶環境，尤其是在 MSSP 中，不僅客戶有不同的角色和責任，作為 MSSP 的 SOC 內部也有不同的角色和責任。

A SOC is going to be in an organization that already exists.

SOC 將設在一個已經存在的組織中。

The organization does what the organization does.

Perhaps it's an e-commerce company and they sell retail products online.

也許這是一家電子商務公司，他們在網上銷售零售產品。

Perhaps there's a mix with brick and mortar as well.

也許，磚和砂漿也是一種混合體。

Perhaps you're a governmental organization, what have you.

也許你是一個政府組織，諸如此類。

So, you need to understand things such as what are the business cases for the SOC.

是以，您需要了解 SOC 的業務案例是什麼。

You have to focus in and understand where the SOC fits in the larger organization.

你必須集中精力，瞭解 SOC 在更大組織中的位置。

It's also important to build and, again, curate an understanding of crown jewels.

同樣重要的是，要建立對皇冠上的明珠的瞭解，並再次加以整理。

It's often called a crown jewels analysis.

這通常被稱為皇冠上的寶石分析。

These are the top 10, the top 100 important things to the organization.

這是對組織最重要的 10 件事，也是最重要的 100 件事。

Again, to go back to what's why, this is what the organization is doing.

再次回到 "為什麼 "的問題，這就是本組織正在做的事情。

That typically would include not just technical, but personnel aspects as well.

這通常不僅包括技術方面，還包括人事方面。

If you've been in the industry for long, most breaches tend to occur via email, business email compromise, or BEC, huge, huge vector.

如果你在這個行業工作了很長時間，那麼大多數洩密事件往往都是通過電子郵件、商業電子郵件洩密或 BEC 發生的，這是一個巨大的載體。

字幕列表影片播放

有效的 SOC 管理和事件響應 (Effective SOC Management and Incident Response)

process

access

vulnerability

compromise