有效的 SOC 管理和事件響應 (Effective SOC Management and Incident Response)

字幕列表影片播放

由 AI 自動生成

Did you know that you can be part of the lucrative cyber security industry?

您知道您可以加入利潤豐厚的網絡安全行業嗎？
Even top companies like Google, Microsoft, Amazon, IBM, Facebook, and Dell all hire cyber security professionals.

即使是谷歌、微軟、亞馬遜、IBM、Facebook 和戴爾這樣的頂級公司，也都會聘用網絡安全專業人員。
The cyber security industry has a 0% unemployment rate.

網絡安全行業的失業率為 0%。
The average salary for an entry level cyber security job is about $100,000 per year in the United States.

在美國，初級網絡安全工作的平均年薪約為 100,000 美元。
Furthermore, you don't need to know coding and learn from your home, and you get a scholarship to kick start your career.

此外，你不需要懂編碼，在家就能學習，還能獲得獎學金，開啟你的職業生涯。
Apply now.

立即申請
EC Council is pledging a $3.5 million CCT scholarship for cyber security career starters.

歐洲委員會理事會承諾為網絡安全職業新手提供 350 萬美元的 CCT 獎學金。
Scan the QR code on the screen to apply for the scholarship.

掃描螢幕上的二維碼申請獎學金。
Fill out the form.

填寫表格。
Hello everyone, and welcome to today's session, Effective Soft Management and Incident Response.

大家好，歡迎參加今天的會議：有效的軟管理和事件響應。
I'm Shilpa Goswami, and I'll be your host for the day.

我是希爾帕-戈斯瓦米，今天由我來主持。
Before we get started, we would like to go over a few house rules.

在開始之前，我們想先談一下一些內部規則。
For our attendees, the session will be in listen-only mode and will last for an hour, out of which the last 10 minutes will be dedicated to Q&A.

對於我們的與會者來說，會議將採用只聽模式，持續一個小時，其中最後 10 分鐘將用於問答。
If you have any questions during the webinar to organizers or our speaker, use the Q&A window.

如果您在網絡研討會期間向組織者或主講人提出任何問題，請使用問答窗口。
Also, if you face any audio or video challenges, please check your internet connections or you may log out and log in again.

此外，如果您遇到任何音頻或視頻問題，請檢查您的網絡連接，或者您可以退出並重新登錄。
An important announcement for our audience.

向觀眾宣佈一個重要消息。
As a commitment to closing the cyber security workforce gap by creating multi-domain cyber technicians, EC Council pledges $3.5 million towards CCT education and certification scholarship to certify approximately 10,000 cyber professionals ready to contribute to the industry.

作為通過培養多領域網絡技術人員來彌補網絡安全人才缺口的承諾，歐洲委員會理事會承諾為 CCT 教育和認證獎學金提供 350 萬美元，以認證約 10,000 名網絡專業人員，使他們能夠為該行業做出貢獻。
If you want to know more, kindly visit our website given in the chat section.

如果您想了解更多資訊，請訪問我們在哈拉部分提供的網站。
Also, we would like to announce to audiences about the special handouts.

此外，我們還想向觀眾宣佈一些特別的派送活動。
Take the screenshot of the running webinar and post in your social media LinkedIn, Twitter tagging, EC Council, and hashtag CyberTalks.

截取網絡研討會的運行截圖併發布到您的社交媒體 LinkedIn、Twitter 標記、EC Council 和 hashtag CyberTalks 上。
We will share free handouts to first 15 audience.

我們將向前 15 名觀眾免費派發講義。
Our speaker for today's session, Randy Thomas.

今天會議的主講人是蘭迪-托馬斯。
He is responsible for the SOC security product development, which includes detection as code,

他負責 SOC 安全產品開發，其中包括代碼檢測、
DIFI, incident command, vulnerability management, threat intelligence, driven security operations, threat hunting, and offensive security at Syntex, a leading managed cloud provider.

在領先的託管雲提供商 Syntex 負責 DIFI、事件指揮、漏洞管理、威脅情報、驅動型安全營運、威脅獵取和攻擊性安全。
He has over 21 years of experience in enterprise cyber security in a wide range of environments, including the US military and intelligence, commercial e-com, detail, and MSSP, MSSSP markets.

他在企業網絡安全領域擁有超過 21 年的豐富經驗，涉及美國軍事和情報、商業電子商務、細節以及 MSSP 和 MSSSP 市場等多種環境。
He leverages his combined 28 plus years of enterprise IT experience and 18 years of experience in DevOps, DevSecOps, SOC, security engineering, and software development to deliver high quality security products and solutions.

他擁有 28 年以上的企業 IT 經驗和 18 年的 DevOps、DevSecOps、SOC、安全工程和軟件開發經驗，能夠提供高質量的安全產品和解決方案。
Without any further delay, I will hand over the session to you, Randy.

蘭迪，不再耽擱，我將把會議交給你。
Thank you, Shilpa.

謝謝你，希爾帕。
Good day, everyone.

大家好
Thank you for taking this time to join the webinar, either live or later recorded.

感謝您抽出寶貴時間參加網絡研討會，無論是現場直播還是稍後的錄製。
Today, we're going to talk about management and leadership in security operations.

今天，我們來談談安全營運中的管理和領導力。
As with all things cyber security, it is iterative and you're always learning, regardless of your role and position inside of a SOC.

與所有網絡安全工作一樣，無論你在 SOC 中擔任什麼角色和職位，都需要不斷迭代和學習。
Overview of what we're going to discuss, we're going to talk about what is a SOC, that varies.

綜上所述，我們要討論的是什麼是 SOC，這一點各不相同。
What are the business cases that you're using to defend your organization?

您用什麼業務案例來為您的組織辯護？
What's the role of a leader?

領導者的角色是什麼？
How do you plan and organize your team?

如何規劃和組織團隊？
Give an example and talk through a threat intelligence driven SOC lifecycle, something that can be done regardless of your maturity.

舉例說明威脅情報驅動的 SOC 生命週期，無論您的成熟度如何，都可以做到這一點。
Go into some measures of effectiveness so you can know where you're at and know where you're going.

對成效進行一些衡量，這樣你就能知道自己的現狀，也能知道自己的未來。
And give an example of iterative growth of a SOC.

並舉例說明 SOC 的迭代增長。
And this is from a personnel progression, personnel growth standpoint.

這是從人員進步、人員成長的角度來看的。
And then have some further research for you that are interested, either are in a leadership position or interested in it, or just want to know how leaders in operations think.

然後為有興趣的人提供一些進一步的研究，這些人可能正擔任領導職務或對此感興趣，或者只是想了解營運領域的領導者是如何思考的。
So I've seen SOCs that have been everything from a SIM tool in an IT shop of one person to actually being responsible for not only the security operations, but the digital forensics, incident response, the threat intelligence work, the hunt work, building cyber threat intelligence products, offensive security, vulnerability management, SIM operation, and maybe engineering.

是以，我所見過的 SOC 從一個人的 IT 部門中的 SIM 工具，到實際上不僅負責安全營運，還負責數字取證、事件響應、威脅情報工作、狩獵工作、構建網絡威脅情報產品、攻擊性安全、漏洞管理、SIM 操作，甚至工程。
And likewise for EDR and other platforms.

同樣，EDR 和其他平臺也是如此。
In my background, I've had to do the extremes there.

在我的背景中，我不得不做一些極端的事情。
So it comes across.

所以，它就出現了。
So understanding what your responsibilities are, very important.

是以，瞭解自己的責任非常重要。
So another area that you want to look at as a security operations leader is at some point to create a charter and write down your roles, your responsibilities, and really the limits of what the SOC can do.

是以，作為安全營運領導者，您需要關注的另一個方面是，在某些時候創建一個章程，並寫下您的角色、責任以及 SOC 的真正權限。
And that can cover a lot of things, and you want that to be an iterative and a learning or a living document, and not just let it sit on a shelf.

它可以涵蓋很多內容，你希望它成為一個迭代、學習或有生命力的文件，而不是讓它束之高閣。
It should be something you come back and look at, whether it be during exercises or during actual incidents.

無論是在演習中還是在實際事件中，這都應該是你回來查看的東西。
And it should be communicated across your organization with IT, with legal, with corporate communications, what have you.

此外，還應在整個組織內與信息技術部門、法律部門、企業傳播部門等進行溝通。
These are important.

這些都很重要。
They help reduce ambiguity where it exists, because as a security operations professional, you will deal with lots of ambiguity, lots of events that you cannot plan for.

它們有助於減少存在的模糊性，因為作為一名安全營運專業人員，你將處理大量的模糊性，處理大量你無法計劃的事件。
So when you can plan and can organize, do yourself a favor in your team and do that.

所以，當你能計劃、能組織時，就幫自己的團隊一個忙，去做這件事。
And that always is something you iterate on.

而這始終是你需要反覆斟酌的問題。
It's never stagnant, never stale.

永不停滯，永不陳舊。
So again, wherever we can, being proactive, being responsive is very important.

是以，在我們力所能及的範圍內，積極主動、有求必應同樣非常重要。
Be intentional where you can.

在可能的情況下，要有意識。
As a leader, it's important when you give directions and intent that you are not changing that constantly.

作為領導者，當你下達指令和意圖時，重要的是不要不斷改變指令和意圖。
You have a good path.

你有一條好路。
You have a good plan.

你的計劃很好
Obviously, you have to be able to adapt.

顯然，你必須能夠適應。
We'll talk more about the OODA loop later, you know, observe, orient, decide, and act.

我們稍後會詳細討論 OODA 循環，即觀察、定位、決定和行動。
That is a helpful tool in the process.

這是一個很有用的工具。
It's also important to either, one, establish, or two, take what is there and curate it so you look at your responsibilities, your roles.

同樣重要的是，一是要建立，二是要把現有的東西加以整理，這樣你就能看到自己的責任和角色。
A RACI matrix is a very good way to do that.

RACI 矩陣就是一個很好的方法。
It would go across your organization.

這將貫穿整個組織。
If you're in the MSP, Managed Service Provider, Managed Security Service Provider space, such as

如果您是 MSP、託管服務提供商、託管安全服務提供商，例如
Syntax is, we have to have those with each of our customers.

文法是，我們必須與我們的每一位客戶進行溝通。
That way, it's understood.

這樣就能理解了。
You also should build workflows that are accurate and reflect not only the RACI, but how that actually works in practice.

您還應該建立準確的工作流程，不僅要反映 RACI，還要反映實際工作中的實際情況。
It's very important that you take these things in mind and you always have the iterative life cycle development process.

重要的是，你要牢記這些事情，並始終堅持迭代生命週期開發流程。
Everything you do affects other aspects of the organization.

你所做的一切都會影響到組織的其他方面。
You know, think of it as throwing a boulder in a pond and the ripples in the water.

你知道，就像把一塊巨石扔進池塘，水面會泛起漣漪。
So, you have to be intentional about what you do.

是以，你必須用心去做。
Train how we fight.

訓練我們如何戰鬥
Use exercises.

使用練習。
Definitely do tabletop exercises, TTXs.

一定要做桌面練習、TTX。
Also, highly recommend operational exercises in the environment.

此外，強烈建議在環境中進行操作演練。
Do OPEXs and do them often.

做 OPEX，而且要經常做。
Internal to start with, internal to SOC, you know, expand it to security engineering if there is a security engineering organization.

從內部開始，從 SOC 內部開始，如果有安全工程組織，還可以擴展到安全工程。
Expand it from there.

從這裡開始擴展。
Include aspects of your enterprise IT.

包括企業 IT 的各個方面。
That could be different departments, different divisions, and then look at doing it with customers as well, especially if you have customer environments, particularly in MSSPs, where there is split roles and responsibilities across not only the customer, but inside the SOC as an MSSP as well.

這可以是不同的部門、不同的分部，也可以是客戶，特別是如果你有客戶環境，尤其是在 MSSP 中，不僅客戶有不同的角色和責任，作為 MSSP 的 SOC 內部也有不同的角色和責任。
Okay.

好的
A SOC is going to be in an organization that already exists.

SOC 將設在一個已經存在的組織中。
The organization does what the organization does.

組織做組織該做的事。
Perhaps it's an e-commerce company and they sell retail products online.

也許這是一家電子商務公司，他們在網上銷售零售產品。
Perhaps there's a mix with brick and mortar as well.

也許，磚和砂漿也是一種混合體。
Perhaps you're a governmental organization, what have you.

也許你是一個政府組織，諸如此類。
That exists.

那是存在的。
So, you need to understand things such as what are the business cases for the SOC.

是以，您需要了解 SOC 的業務案例是什麼。
You have to focus in and understand where the SOC fits in the larger organization.

你必須集中精力，瞭解 SOC 在更大組織中的位置。
It's also important to build and, again, curate an understanding of crown jewels.

同樣重要的是，要建立對皇冠上的明珠的瞭解，並再次加以整理。
It's often called a crown jewels analysis.

這通常被稱為皇冠上的寶石分析。
It's exactly what it sounds like.

聽起來就是這麼回事。
These are the top 10, the top 100 important things to the organization.

這是對組織最重要的 10 件事，也是最重要的 100 件事。
Again, to go back to what's why, this is what the organization is doing.

再次回到 "為什麼 "的問題，這就是本組織正在做的事情。
That typically would include not just technical, but personnel aspects as well.

這通常不僅包括技術方面，還包括人事方面。
If you've been in the industry for long, most breaches tend to occur via email, business email compromise, or BEC, huge, huge vector.

如果你在這個行業工作了很長時間，那麼大多數洩密事件往往都是通過電子郵件、商業電子郵件洩密或 BEC 發生的，這是一個巨大的載體。
What are some of the aspects of that?

其中有哪些方面？
Not only do you get the supply chain side attacks that are becoming more common, you also have the old but good attacks on invoice and wire fraud.

不僅有越來越常見的供應鏈方面的攻擊，還有古老而有效的發票和電匯欺詐攻擊。
So, your finance department could be a CFO.

是以，你的財務部門可以是首席財務官。
So, all of these people, your C-suite, your board, you have your HR department.

是以，所有這些人，你的 C-suite、你的董事會，還有你的人力資源部門。
We're out of, in the U.S., income tax season.

在美國，我們已經過了所得稅季。
That's also an issue as well with W-2 fraud, for instance, things like that.

這也是一個問題，比如 W-2 欺詐，諸如此類。
You want to identify those, not just the identity and access management IAM pieces, which, of course, you want to include, you know, endpoint, detect and respond, EDR, things such as that.

你要識別這些內容，而不僅僅是身份和訪問管理 IAM 部分，當然，你要包括端點、檢測和響應、EDR 等內容。
Boundary protection is fine.

邊界保護沒問題。
That's not a panacea, of course.

當然，這並不是萬能的。
Hence, other technologies such as zero trust, network access, CTNA coming about.

是以，零信任、網絡接入、CTNA 等其他技術應運而生。
So, you leverage this work you do as a leader putting this together to prioritize what you work on, whether it's adding new capabilities to the SOC, such as detection engineering, or how you respond.

是以，無論是為 SOC 增加新功能（如檢測工程），還是如何做出響應，您都可以利用作為領導者所做的這些工作來確定工作的優先級。
And this deserves mentioning because, unfortunately, I've been in environments that have done this.

這一點值得一提，因為不幸的是，我所處的環境就是這樣。
You can only actually have one number one priority.

實際上，你只能有一個頭等大事。
You cannot have A through Z.

不能從 A 到 Z。
You cannot have 26 number one priorities.

你不能有 26 個頭等大事。
You need to make choices.

你需要做出選擇。
The resources are always limited.

資源總是有限的。
Doesn't matter if you have a budget of $20,000 U.S. or $20 million.

預算是 2 萬美元還是 2000 萬美元並不重要。
You have severe limitations on what is achievable.

你的能力受到嚴重限制。
Also, some aspects to consider in a more holistic manner are words have meanings.

此外，還需要從更全面的角度考慮詞語的含義。
So, anything the SOC gets in from systems that are instrumenting, such as a SEM or other tools, is an event.

是以，SOC 從儀器系統（如 SEM 或其他工具）獲取的任何資訊都是一個事件。
The event came in potentially based upon an alert or as an informational feed.

該事件可能是根據警報或作為資訊饋送進來的。
So, the SOC has to determine whether it's manual or with automation, hopefully the latter.

是以，SOC 必須確定是人工操作還是自動化操作，希望是後者。
That's a growth area, right?

這是一個增長點，對嗎？
You have to build contextual reference and relevance to the event.

您必須建立與活動相關的背景參考和關聯性。
What does that mean?

這是什麼意思？
If you're in the retail space, for instance, or hospitality, your enemy number one is threat actors such as FinCET.

例如，如果你從事零售業或酒店業，你的頭號敵人就是 FinCET 這樣的威脅者。
This is how they act.

這就是他們的行為方式。
This is their tools, techniques, procedures, their TTPs.

這就是他們的工具、技術、程序、TTPs。
So, you look for things like that.

所以，你要尋找這樣的東西。
So, once something comes in as an event, the SOC, whether manually or automatically, either clears the event, the alert, or it's elevated to be a probable incident.

是以，一旦有事件發生，SOC 會手動或自動清除事件或警報，或者將其提升為可能發生的事件。
So thus, thus comes into play your incident handling process, which is a process if you don't have, definitely should make.

是以，這就涉及到事件處理流程，如果沒有這個流程，就一定要制定。
There's plenty of references.

有很多參考資料。
I have some at the end we can go over.

我最後還有一些，我們可以再看看。
And one other point of note, particularly in more mature organizations, they will have an information technology information library, ITIL, based IT service management process.

還有一點值得注意，特別是在比較成熟的組織中，他們會有一個基於信息技術服務管理流程的信息技術信息庫（ITIL）。
Those define incidents at the ITSM level.

這些定義了 ITSM 層面的事件。
That is not necessarily a security incident that comes in as an event and or an alert to the SOC.

這不一定是安全事件，不一定會作為事件或警報發送到 SOC。
In the SOC, we then, therefore, have to process that.

是以，在 SOC 中，我們必須對其進行處理。
Okay, being a SOC leader, we can manage our processes, manage our metrics, we can manage our timesheets and expense reports.

好了，作為一名 SOC 領導者，我們可以管理我們的流程，管理我們的指標，管理我們的時間表和費用報告。
When you're managing people, in my view, you've got some challenges to work through.

在我看來，當你管理員工時，你需要克服一些挑戰。
So, leadership is important.

是以，領導力非常重要。
Again, as I mentioned earlier, from a resource standpoint, it's always limited.

同樣，正如我前面提到的，從資源的角度來看，資源總是有限的。
You must be pragmatic.

你必須務實。
You cannot, nor should you really want to solve 100% of anything because when you start that process and when you finish it, it takes some period of time.

你不可能，也不應該真的想要百分之百地解決任何問題，因為當你開始這個過程，當你完成這個過程，都需要一段時間。
There's periodicity in there.

這裡面有週期性。
And the threat landscape typically evolves.

而威脅環境通常是不斷變化的。
So, whether it's cyber hygiene or full coverage, that can always be a challenge.

是以，無論是網絡衛生還是全面覆蓋，這始終是一個挑戰。
Now, obviously, full coverage of something like EDR, of other advanced authentication mechanisms such as MFA or other tools such as CyberArk, most certainly, those should be employed.

現在，顯然應該全面採用 EDR、MFA 等其他高級身份驗證機制或 CyberArk 等其他工具。
But you want close to 100% coverage.

但你想要接近 100% 的覆蓋率。
That's not the, of course, the intent of the discussion point there.

當然，這並不是討論的重點。
But understand that it's always evolving.

但要知道，它一直在發展。
We always have to iterate.

我們必須不斷改進。
So, as a leader in SOC, when everything else is on fire and there's chaos abounds because that's what a SOC has to deal with, right?

是以，作為 SOC 的領導者，當其他一切都著火了，到處都是混亂的時候，因為這就是 SOC 必須面對的，對嗎？
We deal with challenges from our customers, whether they're internal or external or both.

我們要應對來自客戶的挑戰，無論是內部挑戰還是外部挑戰，抑或是兩者兼而有之。
So, be calm, be consistent, do your best, learn, you know, have the sixth step in your six phases of incident response is your lessons learned, your after-action report, as many of us like to call it.

是以，要冷靜、堅持、盡力、學習，要知道，在事件響應的六個階段中，第六個步驟是總結經驗教訓，也就是我們很多人喜歡稱之為的 "行動後報告"。
So, get better afterwards.

所以，以後要好起來。
And again, everything we do has consequences, ripples in the pond, as I said.

再說一遍，我們所做的一切都會產生後果，就像我說的那樣，會在池塘裡激起漣漪。
As a leader, it's particularly important for you to either learn or continue to hone soft skills.

作為領導者，學習或繼續磨練軟技能尤為重要。
So, interpersonal communication is huge.

是以，人際溝通非常重要。
Body language is a huge part of that, even in video.

肢體語言是其中很重要的一部分，即使在視頻中也是如此。
You know, you need to have empathy for what the affected victim or victims are having to deal with and what the ramifications they will have to deal with with countermeasures.

你要知道，你需要同情受影響的受害者所要面對的一切，以及他們在採取反制措施後將不得不面對的後果。
You know, if you have an environment with 80,000 associates and there's no MFA, you can't just turn MFA on instantly because that goes back to crown jewels.

要知道，如果你有一個擁有 8 萬名員工的環境，卻沒有 MFA，你就不能立即開啟 MFA，因為這又回到了皇冠上的寶石。
If they're an e-com environment and nobody can get in to do the work, you can't sell anything.

如果是在電子商務環境中，沒有人能夠進入工作，你就什麼也賣不出去。
So, it takes balance.

是以，這需要平衡。
Crucial conversations happen.

關鍵的對話會發生。
Those are difficult conversations.

這些都是艱難的對話。
There is a course on that, which I took years ago.

有一門關於這個問題的課程，我幾年前學過。
It's very good.

非常好。
And human psychology.

還有人類心理學。
It's a great hobby to have, not just for self-growth, but in general, and particularly as a leader in cybersecurity.

這是一個很好的業餘愛好，不僅有利於自我成長，也有利於整體發展，尤其是作為網絡安全領域的領導者。
So, even as a director or as a C-suite, if you are responsible for operations and or engineering in the space, it is very important that you maintain some technical acumen.

是以，即使作為總監或首席執行官，如果您負責該領域的營運和工程，保持一定的技術敏銳度也非常重要。
So, have a lab.

所以，要有一個實驗室。
Spin up VMs in AWS, Azure, DigitalOcean, what have you.

在 AWS、Azure、DigitalOcean 等平臺上啟動虛擬機。
You know, and I like the example of can you do packet analysis?

我喜歡 "你能進行數據包分析嗎？
I can.

我可以
You know, it's something that is good to have as a basic fundamental skill, and doing protocol analyzer work, too, with Wireshark is also good.

使用 Wireshark 進行協議分析工作也很不錯。
Lastly, on this point, one of the important things we need to know is how we learn as an individual.

最後，關於這一點，我們需要了解的一個重要問題是，作為一個個體，我們是如何學習的。
Only we can do that for ourselves.

只有我們自己才能做到這一點。
You know, as an instructor for university courses, I can't force you to learn anything.

你知道，作為大學課程的講師，我不能強迫你學習任何東西。
You have to go, and you have to have enough drive to be able to figure it out.

你必須去，你必須有足夠的動力去想辦法。
So that's important, because you go on vacation, you're behind.

所以這一點很重要，因為你去度假，你就落後了。
The point is not to feel like you have to catch up, because you can never catch up.

關鍵是不要覺得自己必須迎頭趕上，因為你永遠也趕不上。
That's, again, going back to being pragmatic.

這又回到了務實的問題上。
Understand the environment of what you need to focus on.

瞭解您需要關注的環境。
And that skill takes time, and it's a constant skill to work on.

這項技能需要時間，也是一項需要不斷練習的技能。
Okay, some basics on organization.

好了，關於組織的一些基本知識。
So I'm a strong believer in honing individual strengths of your members.

是以，我堅信要發揮成員的個人優勢。
Obviously, you have diversity of background and thought in the team.

很明顯，你們的團隊擁有不同的背景和思想。
That is very important.

這一點非常重要。
As a team grows, it's good to have people that have a non-cyber IT background.

隨著團隊的壯大，擁有非網絡 IT 背景的人員也是件好事。
They have a different perspective, somebody with a finance background.

他們有不同的視角，有金融背景的人。
I've worked with those.

我和他們一起工作過。
They've worked on my team.

他們在我的團隊中工作過。
It's great.

太棒了
You get different perspectives.

你會獲得不同的視角。
And you mitigate weaknesses as best you can.

你要儘可能地減少弱點。
Going back to part one, what is your SOC?

回到第一部分，你的 SOC 是什麼？
If you don't have that answered, it's really hard to organize your team.

如果你沒有回答這個問題，就很難組織起你的團隊。
And how do you organize your team?

您如何組織您的團隊？
Into sub-teams.

抽成小隊。
Do you do squads if you're an MSSP?

如果你是 MSSP，你會參加小隊嗎？
Do you separate out and have a six-person cell for 15 customers, and you just multiply that out?

你會把 15 個客戶抽成一個六人小組，然後再乘以這個數字嗎？
Or do you break it up into current operations and future operations?

還是將其分為當前業務和未來業務？
Current operations is what's happening right now and in the next two weeks.

當前行動是指現在和未來兩週內的行動。
Future operations is things that are further out and take more resources, such as detection engineering, detection as code, things like that.

未來行動是更遠的事情，需要更多資源，如檢測工程、檢測即代碼等。
Or do you just have a big pool of personnel, and you just look at the queue?

還是說你有一大批人員，你只需要看看排隊的情況？
There's reasons to do all of those, and they don't have to be a static point or place in time.

做這些事都是有理由的，而且不一定非要在一個靜止的時間點或地點。
And again, going back to crown jewels, that should be your priorities.

再說回皇冠上的寶石，這應該是你們的優先事項。
That should go into how you divide your team up, how you handle on-call, how you handle nights and weekends.

這應該包括如何劃分團隊、如何處理值班、如何處理晚上和週末的工作。
Do you have follow the sun?

你有跟蹤太陽嗎？
Do you have a Panama-type schedule?

你們有巴拿馬式的時間表嗎？
Or do you have something else?

還是你有別的東西？
Or are you eight to five?

還是八點到五點？
So do you have an incident response plan for the organization?

那麼，您是否為組織制定了事件響應計劃？
Do you have an incident commander?

您有事故指揮官嗎？
And it really doesn't matter the size.

而且大小真的沒有關係。
It's not an excuse.

這不是藉口。
It can be a one-pager if you're a five-person company.

如果你是一家只有五個人的公司，可以只寫一頁紙。
It should be more than that if you're 500,000.

如果是 50 萬，應該不止這個數。
And as I tell my mentees and students, the R in incident response is not react.

正如我告訴我的導師和學生的那樣，事件響應中的 R 不是反應。
We have to do enough of that.

我們必須做得足夠多。
So plan and develop accordingly.

是以，要有相應的計劃和發展。
And always remember, we are attacked at machine speed.

永遠記住，我們是以機器的速度被攻擊的。
It's not just a guy sitting in his basement like I am at the unofficial Rocky Mountain

這不僅僅是一個坐在地下室裡的人，就像我在非官方的落基山會議上一樣。
Syntax Cyber Operations Command Bunker doing things.

文法網絡行動指揮部碉堡做事。
So pivot your team and grow at a more machine-responsive rate.

是以，請調整你的團隊，以更快的機器響應速度發展。
Okay.

好的
This is an eye chart, and it's best to talk through it.

這是一個眼圖，最好能說清楚。
So this isn't a course on OODA loops, but the idea is you quickly iterate, you look, you figure out where you are contextually, you make choices, and you act.

是以，這並不是一門關於 OODA 循環的課程，但其理念是你要快速迭代，你要觀察，你要弄清你所處的環境，你要做出選擇，然後你要行動。
It should not be 42 steps that take three days.

這不應該是需要三天時間的 42 個步驟。
It should be, again, minutes, hours, because we are under attack at machine speed.

應該是幾分鐘、幾小時，因為我們正以機器的速度遭受攻擊。
So and in a more mature organization, not saying a larger organization, again, this could just be a few people, you need to start incorporating threat intelligence to focus the limited resources that we have on the largest threat profiles.

是以，在一個更成熟的組織中，不是說一個更大的組織，同樣，這可能只是幾個人的事，你需要開始結合威脅情報，將我們有限的資源集中在最大的威脅概況上。
And you can put this together using open source intelligence work, OSINT.

你可以利用開放源代碼情報工作（OSINT）將其整合在一起。
So you have some process in place, and there is incident handling that escalates, and you now have an incident to respond to.

是以，您已經制定了一些流程，並對事件進行了升級處理，現在您需要對事件做出響應。
So as we mentioned earlier, it didn't clear out, so it got considered a potential incident.

是以，正如我們之前提到的，它沒有被清除，所以被認為是一個潛在的事件。
Okay.

好的
Well, what work have you done to contextualize this with threat data against the organization's threat profile?

那麼，你們做了哪些工作，將威脅數據與組織的威脅概況結合起來？
Build a threat profile.

建立威脅檔案。
Start out with what market verticals you're in.

從您所在的垂直市場開始。
Go through your board of directors, your C-suite, your other important parts of the organization, and critical infrastructure.

檢查董事會、C-suite、組織的其他重要部門和關鍵基礎設施。
It could be your credit card data environment.

這可能是您的信用卡數據環境。
If you have to do PCI DSS type of work with credit card information that's not encrypted or hashed, and it could be anything else along those lines.

如果你必須對信用卡資訊進行 PCI DSS 類型的工作，而這些資訊沒有經過加密或散列，也可能是其他任何類似的資訊。
So you should have a process of doing threat hunting against that threat intelligence data to better understand and build a threat product so you know what your environment is and or your customers.

是以，你應該有一個針對威脅情報數據進行威脅獵取的流程，以便更好地瞭解和構建威脅產品，從而瞭解你的環境和客戶。
So you can, again, rapidly focus in on what are the latest indicators of compromise, IOCs, the latest known campaigns, and the previous campaigns.

是以，你可以再次快速關注最新的妥協指標、增支經營成本、最新的已知活動和以前的活動。
Just because it's an old campaign doesn't mean it's not a good campaign and won't get used again or reused by other actors.

舊的宣傳活動並不意味著它不是一個好的宣傳活動，也不會被其他演員再次使用或重複使用。
Call them copycats.

說他們是模仿者。
That's also common.

這也很常見。
Do some pen testing, whether it's third party or internal red teaming or purple teaming.

做一些筆測試，無論是第三方測試還是內部紅隊或紫隊測試。
Use real threat-based work that's been observed or researched.

使用經過觀察或研究的真實威脅作品。
And the idea is you already have some detections in place.

我們的想法是，你已經有了一些檢測設備。
And if not, this is a process where you identify those.

如果沒有，這也是一個識別的過程。
You do threat analysis work based on that to help understand how to process that information and have the analysts work it.

在此基礎上進行威脅分析工作，幫助瞭解如何處理這些資訊，並讓分析人員進行處理。
And then you follow that up by doing detection engineering to create a new detection or you tune existing detections based upon changes in the threat landscape as it does change.

然後，根據威脅環境的變化，進行檢測工程，創建新的檢測或調整現有的檢測。
And for this example, for each of those phases, you need to rapidly go through effectively the OODA loop process.

在這個例子中，在每個階段，你都需要快速有效地完成 OODA 循環過程。
One caveat that a lot of people fall into, it's a trap, is they'll go straight from observe to act.

很多人都會掉進一個陷阱，那就是他們會直接從觀察到行動。
Spend a few minutes, a few hours, orienting and deciding.

花幾分鐘、幾個小時來定位和決定。
Again, everything has impacts to the target organization for any kind of countermeasures or detections.

同樣，一切都會對目標組織的任何反措施或檢測產生影響。
So all part of being organized and responsive and not reactive.

是以，所有這些都是有組織、有反應而不是被動反應的一部分。
So if you do not measure it, you cannot manage it, do not know who wrote that, it was not

是以，如果不對其進行測量，就無法對其進行管理。
Peter Drucker, although he gets attributed with it often.

彼得-德魯克（Peter Drucker），雖然他經常被人這樣說。
So what are some things as a leader you can do?

那麼，作為領導者，你能做些什麼呢？
At the highest level, I would call them OKRs, your objectives and key results.

在最高層面上，我會把它們稱為 OKRs，即你的目標和關鍵成果。
I like to have them as quarterly goals, generally speaking.

一般來說，我喜歡把它們作為季度目標。
We're going to work on initial detection as code, pipeline deployment using SGMA rules in a quarter.

我們將在一個季度內使用 SGMA 規則進行初步的代碼檢測和管道部署。
And it may be nascent, it may be a 0.5 version of it, that's okay.

它可能還很稚嫩，可能只是 0.5 版本，沒關係。
What's the next quarter going to do to that, right?

下個季度又會怎樣呢？
Have these as goals.

把這些作為目標。
If you work in a large environment that is doing Agile safe, scaled Agile framework, that can very easily feed into your program increment, your PI planning as well.

如果你在一個大型環境中工作，而這個環境正在實施敏捷安全、規模化的敏捷框架，那麼這很容易就會影響到你的項目增量和 PI 規劃。
Have the process work for you as much as possible, as challenging as that can be at times.

儘可能讓程序為你工作，儘管有時這很有挑戰性。
So service level agreements, SLAs, that term gets abused.

是以，服務水平協議（SLA）這一術語被濫用。
So SLAs are high level, relatively speaking, objectives that we agree to meet whether internally or in the case of an MSP, MSSP environment, it's going to be tied to contract documents or it should be anyway.

是以，相對而言，SLA 是我們同意達到的高層次目標，無論是在內部還是在 MSP、MSSP 環境中，它都將與合同文件掛鉤，或者無論如何都應該與合同文件掛鉤。
An easy example building off that is after the SOC identifies an incident from the EDR within five minutes of that escalation, an alert goes out to the customer or to the SOC to work it depending on what the construct is of the SOC and the contractual requirements.

一個簡單的例子是，當 SOC 從 EDR 中識別出一個事件後，根據 SOC 的結構和合同要求，會在五分鐘內向客戶或 SOC 發出警報。
But it's not, this is not atomic level indicators.

但這不是，這不是原子級指標。
That would be a bad place to put them, having done many, many contracts.

他們已經簽了很多很多的合同，把他們放在那裡是不合適的。
So next level you take internally, it wouldn't go in the contract normally, would be service level objectives, SLOs.

是以，你在內部採取的下一個層面，通常不會寫入合同，而是服務水平目標（SLO）。
Okay.

好的
So the SOC has to meet a five-minute SLA.

是以，SOC 必須滿足五分鐘的服務水平協議。
How do we do that?

如何做到這一點？
Well, we want to get a two-minute alert process to make it an incident in two minutes based upon those atomic indicators.

我們希望根據這些原子指標，在兩分鐘內發出警報，使其成為一個事件。
What are and where do atomic indicators live?

原子指標是什麼？
They should live at the SLI, the service level indicators level.

它們應符合 SLI（服務水平指標）的要求。
That would be things you cannot break down anymore.

那將是你無法再分解的東西。
That could be something such as an IOC, hashes, domain names, IP addresses.

這可以是 IOC、哈希值、域名、IP 地址等。
The point is to contextualize event data and to feed that back up through the process.

問題的關鍵在於將事件數據背景化，並通過流程將其反饋上來。
So these are things we can do irrespective of all the chaos that can and will often come with security operations.

是以，我們可以做這些事情，而不考慮安全行動可能和經常會帶來的各種混亂。
So this picture I pulled from Twitter from hacking articles, I like it as a baseline.

這張照片是我從推特上的黑客文章中截取的，我喜歡把它作為一個基準。
I would say tweak it for your organization.

我想說的是，要根據貴組織的情況進行調整。
But, you know, here's an idea for what we call job qualification requirements, JQRs, for a SOC analyst one.

但是，你知道，這裡有一個我們稱之為 SOC 分析師崗位資格要求（JQR）的想法。
You should be able to do these types of things, understand what the diamond model of intrusion analysis is, and be able to give descriptive analysis work.

您應該能夠做這些事情，瞭解什麼是入侵分析的鑽石模型，並能夠進行描述性分析工作。
And as a leader, one of the things you want to do with areas such as this is you want to establish a baseline, whether it's style guides or something along those lines.

而作為領導者，你要做的事情之一就是在這樣的領域建立一個基線，無論是風格指南還是類似的東西。
You want it to be consistent and repeatable.

你希望它是一致的、可重複的。
You don't want to have everything to be special, you know, special snowflake, as we like to say.

你不希望擁有的一切都是特別的，你知道，特別的雪花，就像我們喜歡說的那樣。
You should understand the basics of threat modeling.

您應該瞭解威脅建模的基本知識。
Depending on your organization, you should understand the basics of the frameworks, PCI-DSS,

根據貴組織的情況，您應該瞭解 PCI-DSS 框架的基本內容、
NIST, HIPAA, sometimes all of those, and their importance.

NIST、HIPAA，有時是所有這些，以及它們的重要性。
With frameworks, regardless of what the framework is, you should also recognize that they're not straitjackets, they should be adapted to the organization.

有了框架，無論框架是什麼，你都應該認識到，它們不是束縛，它們應該適應組織。
That is an entirely different talk.

這是完全不同的話題。
So you should understand the fundamentals of vuln management.

是以，您應該瞭解漏洞管理的基本原理。
The difference between vuln management and enterprise patch management, to me, is you have threat overlay for that.

在我看來，漏洞管理和企業補丁管理之間的區別在於，你有威脅疊加功能。
Just because you're patching the top vulnerabilities does not mean you're doing vuln management.

為頂級漏洞打補丁並不意味著你在進行漏洞管理。
Because as you get more into threat-related work and you dig into it, you'll realize that the bad guys, the more sophisticated bad guys, tend to use a lower level of vulnerabilities.

因為隨著你對威脅相關工作的深入研究，你會發現，壞人、更復雜的壞人往往會使用更低級別的漏洞。
They tend to string them together and do their compromises, drop their mal-doc, do the business email compromise, take your session cookie for your ZTNA access, et cetera.

他們往往會把這些資訊串聯起來，然後進行妥協，丟棄他們的惡意文檔，進行商務電子郵件妥協，拿走你的會話 cookie 以進行 ZTNA 訪問，等等。
It sells well to talk about zero days, but the reality is typically not that.

談論零天很有賣點，但實際情況通常並非如此。
We have to deal with the more mundane.

我們必須處理更平凡的事情。
We'll talk about that on the next slide a bit.

我們將在下一張幻燈片中稍作討論。
So understand the differences between risk and threat and vulnerability.

是以，要了解風險、威脅和脆弱性之間的區別。
Again, packet analysis.

再次，數據包分析。
Understand the basics of the SIEM that you should be using.

瞭解您應該使用的 SIEM 的基本知識。
And understand how you're supposed to respond.

並瞭解你應該如何迴應。
And understand as a Tier 1 how you are to support incident handling.

並瞭解作為 1 級人員如何支持事件處理。
As a Tier 1, at least from my perspective, it's unfair and unreasonable to have a Tier 1 analyst be conducting, leading the IR process.

作為一級分析師，至少從我的角度來看，讓一級分析師主持、上司投資者關係流程是不公平、不合理的。
Supporting it?

支持嗎？
Absolutely.

當然可以。
Doing aspects of it.

做的方面。
But understand where you fit in the picture.

但要明白自己在全局中的位置。
Understand events.

瞭解事件。
Understand incidents.

瞭解事件。
And the breach word, the B word, is not a SOC term.

違約詞、B 詞不是 SOC 術語。
It is a legal term.

這是一個法律術語。
Just for the U.S. at below federal levels of state, territories, and districts, there are at least 54 laws on the books at that level that define what a breach is.

僅就美國聯邦一級以下的州、領地和地區而言，就至少有 54 部法律規定了什麼是違規行為。
That's not water cooler talk anymore.

這已經不再是飲水機旁的話題了。
So when your legal department says it's a breach or your customers, then you call it a breach.

是以，當你的法律部門或你的客戶說這是違規行為時，你就說這是違規行為。
And again, soft skills are important for everyone.

同樣，軟技能對每個人都很重要。
We deal with customers.

我們與客戶打交道。
And it's important to hone those skills.

磨練這些技能非常重要。
All right.

好的
So as all things are with cyber, it depends on your personal drive and ambition.

是以，正如網絡上的所有事情一樣，這取決於你的個人動力和雄心。
So here are some areas, some breadcrumbs, if you will, to go after.

所以，這裡有一些領域，一些麵包屑，如果你願意的話，可以去追尋。
Or to, as me and others often do, we knock the dust off of these.

或者，像我和其他人經常做的那樣，我們敲掉這些東西上的灰塵。
So if you've ever searched for how to stop ransomware on Google, I'm sorry.

所以，如果你曾經在谷歌上搜索過如何阻止勒索軟件，我很抱歉。
Because most of it is regurgitated information, and it's not useful.

因為大部分都是重複的資訊，沒有任何用處。
So what actually causes it are what would be characterized in the CIS top six.

是以，造成這種情況的實際原因是獨聯體前六名的特點。
What are your physical virtual assets, your hosts?

您的物理虛擬資產、主機是什麼？
What applications do you have?

您有哪些應用程序？
What level of access?

什麼級別的訪問？
How do you control it?

如何控制？
Do you have your active directory?

有活動目錄嗎？
Do you have your file share internet exposed either directly or indirectly?

您的文件共享是否直接或間接暴露在互聯網上？
That's how those things happen.

這些事情就是這樣發生的。
Do you have it really easy for your admins to get to the domain controllers or other domain attached servers?

管理員是否很容易訪問域控制器或其他域附屬服務器？
Or do you have a process, you know, be it a bastion host type of setup or something along those lines?

或者你有一個程序，你知道的，是一個堡壘主機類型的設置或類似的東西？
Again, defense in depth.

再次，縱深防守。
So that affects your business email compromise as well.

是以，這也會影響您的業務電子郵件。
And by the way, your wire and invoice fraud.

順便說一下，你的電匯和發票欺詐行為。
So there's no magic in it.

所以，這裡面沒有魔法。
There's just work.

有的只是工作。
So a recent book is the new version of building a world-class cybersecurity operations center for MITRE.

是以，最近出版的一本書就是 MITRE 的新版《建立世界級網絡安全營運中心》。
It's fantastic.

太棒了
I know Carson personally, he's one of the authors of this one.

我認識卡森，他是這本書的作者之一。
He authored the first book solo about nine years ago.

大約九年前，他獨自撰寫了第一本書。
Fantastic reference, highly recommend it.

精彩的參考資料，強烈推薦。
If you're not using for incident response, characterization, contextualization, and sharing

如果不用於事件響應、特徵描述、背景分析和共享
Veris, go learn about Veris.

Veris，去了解一下 Veris。
You should understand diamond model of intrusion analysis as well and how the cyber kill chain framework works in there.

您還應該瞭解入侵分析的鑽石模型，以及網絡殺傷鏈框架在其中是如何運作的。
And last but not least, even though it gets mentioned first a lot, how do you employ the

最後但並非最不重要的一點是，儘管它經常被首先提及，但您如何使用
MITRE ATT&CK framework?

MITRE ATT&CK 框架？
My favorite way to start that is at the enterprise level.

我最喜歡從企業層面入手。
What are they after?

他們的目的是什麼？
Are they after data or are they trying to burn it down, your environment down?

他們是在追逐數據，還是在試圖燒燬數據，燒燬你的環境？
Or both?

還是兩者都有？
Or can they potentially do both?

還是說他們有可能兩者兼顧？
And then you work from there.

然後再從那裡開始工作。
You take the information from doing your intelligence profile, that dossier, and then you go work

你從你的情報檔案中獲取信息，即檔案，然後你去工作
MITRE ATT&CK framework to see what they're doing.

MITRE ATT&CK 框架，看看他們在做什麼。
Again, no magic, it's just work.

還是那句話，沒有魔法，只有工作。
And with that being said, Shilpa, back over to you.

說到這裡，希爾帕，回到你的話題。
Thank you so much, Andy.

非常感謝，安迪。
Thank you very much for an informative session and our attendees share the same sentiments.

非常感謝你提供了一場內容豐富的會議，我們的與會者也有同感。
Before we begin with the Q&A part, I would like to inform all the attendees that this session is in sync with EC council certification, CSA, maps to the SOC analyst role, and even with the CSA certification is eligible for $13,000 plus job with an average salary of $85,000.

在開始問答部分之前，我想告訴所有與會者，本環節與 EC 委員會認證 CSA 同步，映射到 SOC 分析師的角色，即使獲得 CSA 認證，也有資格獲得 13,000 美元以上的工作，平均工資為 85,000 美元。
If you're interested to learn more about our programs, do let us know in the poll that's going to be conducted now.

如果您有興趣進一步瞭解我們的項目，請在現在進行的投票中告訴我們。
Let us know your preferred mode of training and we will reach out to you soon.

請告訴我們您喜歡的培訓方式，我們會盡快與您聯繫。
So Randy, shall we start with the Q&A?

蘭迪，我們開始問答好嗎？
Absolutely.

當然可以。
Okay.

好的
Our first question is, what is the RACI matrix by Shivaraman?

我們的第一個問題是，希瓦拉曼的 RACI 矩陣是什麼？
So the RACI or the RACI, it's a matrix of who's responsible, who is accountable, who is consulted and who is informed.

是以，RACI 或 RACI 是一個矩陣，包含了誰負責、誰負責、誰被諮詢以及誰被告知。
And you basically break down processes that you have to work.

基本上，你必須分解工作流程。
Something as basic as incident response, who is responsible for that?

像事件響應這樣基本的事情，由誰來負責？
The SOC is.

SOC 是
Who is accountable for that?

誰對此負責？
The SOC is.

SOC 是
Who is consulted?

徵求誰的意見？
Other groups could be IT, could be legal, et cetera.

其他小組可能是信息技術小組，也可能是法律小組，等等。
And informed could be the CTO as an example.

舉例來說，首席技術官就可以提供這方面的資訊。
There's lots of examples online for that to give you some ideas, but it's important to have that.

網上有很多這方面的例子，可以給你提供一些想法，但重要的是要有這樣的想法。
If anything taught us that it was the conviction of the former Uber CISO last summer.

如果說有什麼讓我們明白了這一點，那就是去年夏天前 Uber CISO 的定罪。
Thank you, Randy, for answering that question.

謝謝你，蘭迪，謝謝你回答了這個問題。
Next question is, when we say five-minute SLI, is it at first level incident responder or like Tire 1 by Gullen?

下一個問題是，當我們說五分鐘 SLI 時，是指一級事故響應者還是像 Gullen 的輪胎 1 那樣？
Well, that was an example.

這只是一個例子。
It can be anything.

它可以是任何東西。
Your SLA could be, for the same thing, it could be 15 minutes or an hour.

對於同一件事，您的服務水平協議可能是 15 分鐘或 1 小時。
There tend to be various types of SLAs and that really gets into contract discussions and that varies from, or potentially contract discussions, and it varies from customer to customer.

通常會有各種類型的服務水平協議（SLAs），這就真正涉及到合同討論，而這又因客戶而異，或可能涉及到合同討論。
But the idea is either if it's internal at the organizational level across departments, directorates, and the C-suite, there's an understanding of how we respond and that's communicated or it's with customers and that's communicated as well.

但我們的想法是，如果是在組織內部，跨部門、跨部門上司和跨部門首席執行官，我們就會了解如何應對，並進行溝通；如果是與客戶溝通，也會進行溝通。
Thank you, Randy.

謝謝你，蘭迪。
Our next question is, would love to have some guidance on open source SIEM, EDR, XDR, NDR tools, as well as some affordable options by Gerhard.

我們的下一個問題是，希望 Gerhard 就開源 SIEM、EDR、XDR、NDR 工具以及一些經濟實惠的選擇提供一些指導。
Product discussions.

產品討論。
I'm not going to have a great answer for that because I get to focus on operations for the first time ever here at Syntax and not engineering.

我不會有一個很好的答案，因為我在 Syntax 第一次專注於營運，而不是工程。
I have a fantastic engineering counterpart director and I am not completely up to date on giving that.

我有一位非常出色的工程對口主任，但我還沒有完全瞭解他的工作。
There are a few options.

有幾種選擇。
You just got to dig into the, and see where the, some of those have gotchas as far as how potential licensing goes.

你只需深入研究，看看其中一些在潛在許可方面存在的問題。
But if it's on GitHub, chances are, yeah, it takes some research, but you will come away after probably several hours with the basic answers.

但如果是在 GitHub 上，那麼很有可能，是的，這需要一些研究，但大概幾個小時後，你就會得到基本的答案。
You'll have it narrowed down to a few options for EDR or for SIEM, because there are not a lot of options.

你可以將範圍縮小到 EDR 或 SIEM 的幾個選項，因為可選項並不多。
Thank you, Randy, for answering that question.

謝謝你，蘭迪，謝謝你回答了這個問題。
Our next question is, what is your suggestion on creating an incident ticket in ITSM for every alert triggering in SIEM?

我們的下一個問題是，對於在 SIEM 中觸發的每個警報，您建議在 ITSM 中創建一個事件票據？
Do you think it's the right approach or do we have to log on, log an incident ticket only for those alerts which are investigation worthy?

您認為這種方法正確嗎？還是說我們必須登錄，只為那些值得調查的警報記錄一張事件記錄單？
Secondly, what metrics do you suggest we prepare to showcase SOC performance to CISO?

其次，您建議我們準備哪些指標來向 CISO 展示 SOC 的績效？
Okay, so, and I've dealt with and encountered extremes.

好吧，我也遇到過極端的情況。
So sending any alerts as an ITSM incident from SOC is not really beneficial.

是以，將任何警報作為 ITSM 事件從 SOC 發送並無實際益處。
So that's, and that's why I was specific in saying the SOC escalates anything that comes in, whether it's from ITSM or from the instrumented enterprise environment.

所以，這就是為什麼我特別強調，無論是來自 ITSM 還是來自企業環境儀表，SOC 都會將任何資訊上報。
The SOC must characterize it, whether manually or automatically or some combination thereof, as a security incident.

SOC 必須將其定性為安全事件，無論是人工定性還是自動定性，或是兩者的結合。
That should most certainly be an ITSM incident, preferably automated.

這當然應該是 ITSM 事件，最好是自動化事件。
So that, because what you end up with is you end up with alert fatigue rapidly, particularly from security devices.

這樣一來，你就會很快產生警報疲勞，尤其是來自安全設備的警報。
If anything, security devices tend to be, shall we say, chatty.

如果說有什麼不同的話，那就是安全設備往往很健談。
We don't want to send 100,000 events per day to ITSM as alerts, for instance.

例如，我們不想每天向 ITSM 發送 100,000 個事件作為警報。
That's very easy to do even in fairly small environments.

即使在相當小的環境中，這也很容易做到。
So you want to process it.

所以你要處理它。
So one of the things you have to consider during the lifecycle maturity of your SOC and looking at the SLAs, whether contractually or internal agreements, they need to be reasonable.

是以，在 SOC 的生命週期成熟度和 SLA（服務水平協議）方面，無論是合同還是內部協議，都需要考慮合理性。
Five minutes may be completely unreasonable if you have a SOC of three people working eight to five.

如果你的 SOC 有三個人，朝八晚五，五分鐘可能完全不合理。
Maybe it's six hours, maybe it's 12 hours, probably not five minutes.

也許是 6 小時，也許是 12 小時，也許不是 5 分鐘。
So there has to be a process in there.

是以，這裡面必須有一個過程。
And again, it's not fair to a tier one analyst to say this is an incident versus it is a probable incident and then escalated internally to a tier two SOC, for instance.

再說一遍，一級分析師說這是一個事件，而不是一個可能的事件，然後在內部升級到二級 SOC 等，這對一級分析師是不公平的。
So that comes with maturity.

所以，這是成熟的表現。
That's a nightmare, sending all of your alerts as tickets.

把所有警報都作為票據發送，這簡直就是噩夢。
And the second part, totally lost my train of thought.

至於第二部分，我完全沒了思路。
What was the second part?

第二部分是什麼？
Thank you, Randy, for answering the question.

謝謝你，蘭迪，謝謝你回答了我的問題。
Our next question is, could you please tell us some SIEM tools and techniques used at industry level so that as SOC L1 must be learned before entering into the industry by Pradeep?

我們的下一個問題是，能否請 Pradeep 告訴我們一些在行業層面使用的 SIEM 工具和技術，以便作為 SOC L1 在進入行業之前必須學習？
Okay, I will tell you like I tell my students when I teach different courses.

好吧，我會像我教不同課程時對學生說的那樣告訴你。
Learn one of the following in any order.

以任意順序學習下列內容之一
Learn Azure Sentinel, learn Splunk, learn Elastic.

學習 Azure Sentinel、學習 Splunk、學習 Elastic。
Learn one of them well enough to do queries, to build a dashboard, do enough qualitative analysis to build a representative dashboard.

學好其中一項，就足以進行查詢、建立儀表盤、進行足夠的定性分析以建立一個有代表性的儀表盤。
Perfect example I also give is build a dashboard and, you know, it's for your customer, this fictitious customer, and have a VM fire off something that is or looks like PSExec.

我還舉了一個很好的例子，就是建立一個儀表盤，你知道，這是為你的客戶（這個虛構的客戶）而建的，然後讓虛擬機發射一些類似或看起來像 PSExec 的東西。
That one always makes the hair on the back of my neck stand up, regardless if it's legitimate or not.

無論是否合法，這一句總能讓我脖子後面的汗毛豎起來。
So that is a tool that is either actually PSExec, which is basically a remote administration Windows tool, or it is something masquerading as that.

是以，這個工具要麼實際上是 PSExec，基本上就是一個遠程管理 Windows 的工具，要麼就是偽裝成 PSExec 的工具。
That is a common TTP that is used by bad guys.

這是壞人慣用的 TTP。
So that's an easy thing to dig into, and you'll learn a bit about a SIEM.

是以，這是一個很容易挖掘的東西，你會學到一些關於 SIEM 的知識。
You'll learn a bit about doing queries, such as, you know, SPL and Splunk, build a basic dashboard, and contextualize so you understand.

您將學習一些查詢方法，如 SPL 和 Splunk，建立一個基本的儀表盤，並將上下文聯繫起來以便理解。
So as a hiring manager, it's important to me to understand that you know why you did something, and the so what of what was done.

是以，作為招聘經理，重要的是讓我瞭解你為什麼要做某件事，以及做了什麼。
You can talk through that, not just make a pretty dashboard.

你可以說清楚，而不僅僅是做一個漂亮的儀表盤。
So great question.

問得好
Thank you, Randy, for answering that question.

謝謝你，蘭迪，謝謝你回答了這個問題。
Our next question is, what is your opinion on having an incident severity calculator?

我們的下一個問題是，您如何看待事故嚴重性計算器？
What would be the right criteria to be considered for developing this calculator by Amir?

阿米爾開發這個計算器的正確標準是什麼？
Well, that is going to be something that needs tuning continually, just because, again, such as PSExec FireResolve doesn't mean it's actually an incident.

同樣，PSExec FireResolve 並不意味著這就是真正的事件。
It could just be an alert.

這可能只是一個警報。
So you have to dig into things such as detection engineering.

是以，你必須深入研究檢測工程等問題。
Are they obfuscating the fact, are they just saying, oh, it's this process, but it's running from your Chrome browser?

他們是否在混淆事實，是否只是說，哦，是這個進程，但它是在你的 Chrome 瀏覽器上運行的？
That's not PSExec.

這不是 PSExec。
That's malware, fileless malware.

這是惡意軟件，無文件惡意軟件。
So something as simple as that.

就這麼簡單。
And again, this goes back to doing a basic OSINT, open-source intelligence-based investigation.

這又回到了基本的 OSINT，即基於公開來源情報的調查。
And it could just be on yourself, your own organization, to say, I'm in these market verticals.

這可能只是你自己，你自己的組織，說，我在這些垂直市場中。
These are my NAICS codes.

這些是我的 NAICS 代碼。
I'm in manufacturing, and I'm in healthcare.

我從事製造業，也從事醫療保健行業。
Okay, well, these are the actors that tend to operate in there.

好吧，這些都是在裡面活動的演員。
So I want to prioritize alerting and eventing and potential incident processing on these lower-level CVEs.

是以，我希望優先對這些較低級別的 CVE 進行警報、事件和潛在事件處理。
Maybe you have Qualys or Rapid7 or any other vulnerability scanner.

也許你有 Qualys 或 Rapid7 或其他漏洞掃描儀。
You enrich that event processing with more contextualized data to say, oh, well, this CVE is lower-level.

你可以用更多的上下文數據來豐富事件處理，比如說，哦，這個 CVE 級別較低。
It's a low, but it's higher for us because, contextually, this is how things tend to look based upon actor campaigns.

這是一個低點，但對我們來說是一個高點，因為從上下文來看，這是演員競選活動的情況。
So you don't have to have an Intel team to do this.

是以，你不必擁有一支英特爾團隊也能做到這一點。
As a leader, spend a weekend, do some research, and come up with a basic set.

作為領導者，花一個週末的時間，做一些研究，拿出一套基本的方案。
You don't have to try and solve all your problems and go for 80% Pareto principle at play always.

你不必試圖解決所有問題，也不必總是追求 80% 的帕累託原則。
Great question.

問得好
Thank you, Randy.

謝謝你，蘭迪。
Our next question is, what is the best recommendation MSSSP SOC can give to client for brute-force attack on accounts even having MFA applied?

我們的下一個問題是，MSSSP SOC 可以向客戶提供哪些最佳建議，以應對對已應用 MFA 的賬戶的暴力破解攻擊？
Bye, Valit.

再見，瓦利特
Well, that landscape constantly changes.

那麼，這種情況會不斷變化。
You have a lot of different vectors.

你有很多不同的載體。
Let's say you're using Azure Active Directory.

假設您使用的是 Azure Active Directory。
There are controls you can put in place, and some of those vary depending on the level of service.

您可以採取一些控制措施，其中一些措施因服務水平而異。
Is it a P1, is it a P2, et cetera, to help with that?

是 P1，還是 P2，等等，以幫助解決這個問題？
You know, the unrealistic travel is useful.

要知道，不切實際的旅行還是很有用的。
Geoblocking, in general, is not very useful.

一般來說，地理封鎖的作用不大。
There are these things called VPNs and zombies and the Tor network.

有一種東西叫 VPN、殭屍和 Tor 網絡。
So that has limited runway, if you will.

是以，如果你願意，它的跑道是有限的。
Other things that you can do and should look at are advertisement networks, ad networks.

您還可以而且應該關注廣告網絡、廣告網絡。
They're also called malvertisement networks for a good reason.

它們被稱為惡意廣告網絡是有道理的。
There is not really much vetting on the provenance and pedigree of the code that is uploaded there.

對上傳到這裡的代碼的來源和血統並沒有什麼審查。
So it is a common transport for malware.

是以，它是一種常見的惡意軟件傳輸工具。
Has been for years.

多年來一直如此。
That has not changed.

這一點沒有改變。
So how do you handle that?

那麼你是如何處理的呢？
Something as simple as blocking ad networks as well.

屏蔽廣告網絡也很簡單。
So there's quite a lot, and you always have to look at different ways to do it.

是以，我們需要做的事情有很多，而且我們總是需要尋找不同的方法。
But depending on your environment, there are definitely ways to do it.

但根據你的環境，肯定有辦法做到這一點。
You know, obviously, you have to look at your supply chain.

很明顯，你必須審視你的供應鏈。
I mean, I showed you the Okta breach from last summer, the LastPass breach.

我的意思是，我向你們展示了去年夏天的 Okta 外洩事件和 LastPass 外洩事件。
The list goes on and on.

這樣的例子不勝枚舉。
It's not a question of if but when for compromises and breaches.

對於洩密和洩密事件來說，不是 "是否 "的問題，而是 "何時 "的問題。
Again, pragmatic, how do you do the best you can?

還是那句話，務實，如何做到最好？
So great question.

問得好
Thank you.

謝謝。
Thank you, Randy.

謝謝你，蘭迪。
Next question is, would you say that diamond model of intrusion analysis may probably be suitable in the establishment of SOC?

下一個問題是，您是否認為鑽石入侵分析模型可能適用於建立 SOC？
At least in a basic form, you don't have to devote a whole lot of time to it.

至少在基本形式上，你不必為此投入大量時間。
It helps you characterize what's going on at the initial stages.

它可以幫助你描述初始階段發生的事情。
Before you dive into something such as the kill chain and or going directly into MITRE ATT&CK.

在您深入研究諸如殺傷鏈或直接進入 MITRE ATT&CK 之前。
There's reasons to do any of those, but from an organization standpoint and building processes on how you do things, yeah.

做這些事情都是有原因的，但從組織的角度以及如何建立做事流程的角度來看，是的。
Just do the basics and just characterize those few key points as best you can.

只要做好最基本的工作，並儘可能描述這幾個關鍵點的特徵即可。
Thank you, Randy.

謝謝你，蘭迪。
We'll take last two questions for the day.

我們將回答今天的最後兩個問題。
Our next question is, any best open source threat intelligence for SOC?

我們的下一個問題是，有沒有針對 SOC 的最佳開源威脅情報？
Yeah, I'm trying to remember any of them off the top of my head.

是的，我正在努力回憶其中的任何一個。
As far as threat feeds go, data feeds, they exist.

至於威脅反饋、數據反饋，它們是存在的。
I know Alienware got bought out.

我知道 Alienware 被收購了。
That's the only one I can think of, not Alienware, but AlienVault, I think it is.

這是我能想到的唯一一個，不是 Alienware，應該是 AlienVault。
They got bought out, I think, by Dell, but that's an available source.

我想，他們被戴爾收購了，但這是一個可用的來源。
The important thing about threat intelligence is it's not information, it's data.

威脅情報的重要意義在於它不是資訊，而是數據。
The SOC is responsible for building threat products, just as it's responsible for building any other security operations-related products.

SOC 負責構建威脅產品，就像它負責構建任何其他與安全操作相關的產品一樣。
We have to process it.

我們必須處理它。
We have to contextualize it, and frankly, we have to filter it because we get a lot of not necessarily useful information.

我們必須根據具體情況加以分析，坦率地說，我們必須對其進行過濾，因為我們會得到很多不一定有用的資訊。
I wouldn't say it's bad information, but contextually irrelevant.

我不會說這是壞資訊，但與背景無關。
That happens more often than not.

這種情況經常發生。
So sifting through that is something that you have to do on an iterative basis.

是以，你必須反覆篩選。
Everything I've talked about today, I didn't use the A word, agile.

我今天講的所有內容，都沒有用到 "敏捷 "這個詞。
This is all DevSecOps.

這就是 DevSecOps。
That's what all of this conversation has been today, so good question.

這就是今天所有談話的主題，問得好。
Thank you, Randy, so much for answering that question.

蘭迪，非常感謝你回答這個問題。
We'll take the last question for the day.

我們將回答今天的最後一個問題。
Can you explain more on SOC playbook and SOC runbook?

您能詳細解釋一下 SOC playbook 和 SOC runbook 嗎？
Can I see a sample SOC playbook and a sample of SOC runbook?

我能否查看 SOC 操作手冊樣本和 SOC 運行手冊樣本？
I unfortunately do not have the time to show examples.

很遺憾，我沒有時間舉例說明。
So the basic difference between a play and a runbook and how you would want to construct them is the playbook you want to build out as the overarching response to how you handle, let's say, just a campaign.

是以，遊戲和運行手冊之間的基本區別，以及你想如何構建它們，是你想建立的遊戲手冊，作為你如何處理比方說，只是一個活動的總體響應。
You know, this APT group is doing this particular campaign.

你知道，這個 APT 組織正在進行這項特殊的活動。
We're bucketizing all of the intelligence and detections and automations in this, and the associated runbooks are go pull this information in, enrich from this source.

我們將所有的智能、檢測和自動化都集中在這裡，相關的運行手冊將從這個源頭獲取和豐富這些資訊。
It's the discrete tasks that you want to go do.

這是你想去做的分散任務。
Go shell into this console and scrape this information back and bring it in.

進入這個控制檯的外殼，把這些資訊搜刮回來並導入。
Pull this data feed, that kind of thing.

調取這些數據，諸如此類。
That way, the idea is you have consistency in your runbooks, and as you build out the playbooks, you can pick and choose.

這樣做的目的是讓你的運行手冊保持一致，而當你建立遊戲手冊時，你可以隨意挑選。
You know, I'm going to the automation and organization store.

你知道，我要去自動化和組織商店。
I'm going to put these things in my playbook, you know, basket, and I'm going to build this product.

我要把這些東西放進我的遊戲手冊裡，你知道，籃子裡，然後我要打造這個產品。
That way, you can scale.

這樣，你就可以擴大規模。
Everything we do has to have an idea and thought to scaling, whether it's scaling up or scaling down.

無論是擴大規模還是縮小規模，我們所做的每一件事都必須有一個擴大規模的想法和思路。
Typically, it's not down, so it lets us be more agile and try to be more proactive in defending at machine speed.

通常情況下，它不會宕機，是以可以讓我們更加靈活，並嘗試以機器速度更加主動地進行防禦。
But hopefully, that gives you at least a basic breakdown of how to go and approach that.

但我希望，這至少能讓你對如何去做有一個基本的瞭解。
Thank you so much, Randy.

非常感謝，蘭迪。
Thank you again to our wonderful speaker for answering those questions and for the great presentation and knowledge shared with our global audiences.

再次感謝我們出色的演講者回答了這些問題，並與我們的全球閱聽人分享了精彩的演講和知識。
It was a pleasure to have you with us, and we are looking for more and more sessions with you.

很高興您能與我們合作，我們期待與您有更多的合作。
Before we conclude the webinar, would you like to give a small message to our audiences?

在網絡研討會結束之前，您想給我們的聽眾說幾句話嗎？
Yes, and thank you, Shilpa.

是的，謝謝你，希爾帕。
I've enjoyed it.

我很喜歡。
So, again, it's important to be pragmatic, plan where you can, understand you have to react often, and from vectors that we often don't know, sometimes we do.

所以，還是那句話，務實很重要，能計劃的就計劃，要知道你必須經常做出反應，而且反應的載體往往是我們不知道的，但有時我們知道。
So, and as a leader, it's very important that we work with our team, we regulate, and don't, as far as not burning our folks out, you know, we're trying to solve problems, and it's very important as a leader to work with your team and really set them up for success, empower them, and part of that comes from defining what they do and what they don't do.

是以，作為一名領導者，與團隊合作、規範管理、不把員工累垮是非常重要的，要知道，我們正在努力解決問題，作為一名領導者，與團隊合作，真正為他們的成功做好準備，賦予他們權力是非常重要的，而這其中的一部分就是要明確他們做什麼，不做什麼。
Thank you so much, Randy, for the message to our audiences.

蘭迪，非常感謝你向我們的聽眾傳遞信息。
Before we end the session, I would like to announce our next CyberTalk session, Incident Response Planning, Preparing for Network Security Bridges, which is scheduled for July 5, 2023.

在會議結束之前，我想宣佈我們的下一期 CyberTalk 會議--"事件響應規劃，為網絡安全橋樑做好準備"--定於 2023 年 7 月 5 日舉行。
This session is an expert presentation by Mez D. Guzman, cybersecurity leader.

本環節由網絡安全領導者 Mez D. Guzman 作專家演講。
To register for the session, please do go visit our website, www.eccu.edu, CyberTalks.

如需報名參加會議，請訪問我們的網站 www.eccu.edu, CyberTalks。
The link is given in the chat section.

鏈接在哈拉部分提供。
Hope to see you all on July 5th.

希望能在 7 月 5 日見到大家。
With this, we end the session.

至此，會議結束。
You may now disconnect your lines.

現在可以斷開線路。
Thank you.

謝謝。
Thank you so much, Randy.

非常感謝，蘭迪。
Thank you.

謝謝。
Pleasure having you.

很高興見到你
Thank you.

謝謝。