Discover and read the best of Twitter Threads about #SOC
Most recents (24)
đšđNEW PAPERđđš
A new study from Colorado State University's Dept. of Soil & Crop Sciences & the Graduate Degree Program in Ecology found âthat #regenerative practicesâincluding integrating crop & livestock systemsâwere successful as long-term #CarbonStorage solutions.â
𧔠1/7
A new study from Colorado State University's Dept. of Soil & Crop Sciences & the Graduate Degree Program in Ecology found âthat #regenerative practicesâincluding integrating crop & livestock systemsâwere successful as long-term #CarbonStorage solutions.â
𧔠1/7
Researchers conducted a âglobal systematic meta-analysis of the effects of #regenerative management practices on Soil Organic Carbon (#SOC), Particulate Organic Carbon (#POC) & Mineral-Associated Organic Carbon (#MAOC) in cropland.â
2/
2/
A #SOC analyst picks up an alert and decides not to work it.
In queuing theory, this is called âwork rejectionââand itâs quite common in a SOC.
TL;DR - âWork rejectionâ is not always bad, but it can be measured and the data can help improve performance. More details in the đ§”..
In queuing theory, this is called âwork rejectionââand itâs quite common in a SOC.
TL;DR - âWork rejectionâ is not always bad, but it can be measured and the data can help improve performance. More details in the đ§”..
A couple of work rejection plays out in the SOC. The most common:
An analyst picks up an alert that detects a *ton* of benign activity. Around the same time, an alert enters the queue that almost *always* finds evil. A decision is made...
An analyst picks up an alert that detects a *ton* of benign activity. Around the same time, an alert enters the queue that almost *always* finds evil. A decision is made...
The analyst rejects the alert that is likely benign for an alert that is more likely to find evil.
Letâs assume the analyst made the right call. They rejected an alert that was likely benign to work an alert that was evil. Work rejection resulted in effective #SOC performance.
Letâs assume the analyst made the right call. They rejected an alert that was likely benign to work an alert that was evil. Work rejection resulted in effective #SOC performance.
Security Operation Center - Certifications to #SOC
1. Microsoft SC-200 Course (FREE)
lnkd.in/dbCn3k4n
2. Splunk Courses (FREE)
lnkd.in/d_dZNduf
3. AttackIQ Mitre ATT&CK Courses (FREE)
lnkd.in/dcfmSPEJ
1/2
#infosec #thesecureedge #soc
1. Microsoft SC-200 Course (FREE)
lnkd.in/dbCn3k4n
2. Splunk Courses (FREE)
lnkd.in/d_dZNduf
3. AttackIQ Mitre ATT&CK Courses (FREE)
lnkd.in/dcfmSPEJ
1/2
#infosec #thesecureedge #soc
4. Fortinet Courses (FREE)
lnkd.in/dmmkZ-tH
5. Awesome OSINT Courses (FREE)
lnkd.in/dTCaCf-u
6. CSILinux Forensic Trainings (FREE)
lnkd.in/dhjwx_5h
7. Cybrary Trainings (FREE)
cybrary.it
lnkd.in/dmmkZ-tH
5. Awesome OSINT Courses (FREE)
lnkd.in/dTCaCf-u
6. CSILinux Forensic Trainings (FREE)
lnkd.in/dhjwx_5h
7. Cybrary Trainings (FREE)
cybrary.it
What does a #SOC tour look like when the team is remote?
TL;DR - Not a trip to a room with blinky lights - but instead a discussion about mission, mindset, ops mgmt, results and a demo of the tech and process that make our SOC âGoâ.
SOC tour in the đ§”...
TL;DR - Not a trip to a room with blinky lights - but instead a discussion about mission, mindset, ops mgmt, results and a demo of the tech and process that make our SOC âGoâ.
SOC tour in the đ§”...
Our SOC tour starts with a discussion about mission. I believe a key ingredient to high performing teams is a clear purpose and âWhyâ.
Whatâs our mission? It's to protect our customers and help them improve.
Whatâs our mission? It's to protect our customers and help them improve.
Our mission is deliberately centered around problem solving and being a strategic partner for our customers. Notice that there are zero mentions of looking at as many security blinky lights as possible. Thatâs intentional.
Thereâs no more strategic thing than defining where you want to get to and measuring it.
Strategy informs what "great" means, daily habits get you started (and keep you going) and measurements tell you if youâre there or not.
A 𧔠on #SOC strategy / metrics:
Strategy informs what "great" means, daily habits get you started (and keep you going) and measurements tell you if youâre there or not.
A 𧔠on #SOC strategy / metrics:
Before we hired our first #SOC analyst or triaged our first alert, we defined where we wanted to get to; what great looked like.
Hereâs [some] of what we wrote:
Hereâs [some] of what we wrote:
We believe that a highly effective SOC:
1. leads with tech; doesnât solve issues w/ sticky notes
2. automates repetitive tasks
3. responds and contains incidents before damage
4. has a firm handle on capacity v. loading
5. is able to answer, âare we getting better, or worse?â
1. leads with tech; doesnât solve issues w/ sticky notes
2. automates repetitive tasks
3. responds and contains incidents before damage
4. has a firm handle on capacity v. loading
5. is able to answer, âare we getting better, or worse?â
Security Operation Center - Certifications to #SOC
1. Splunk Courses (FREE)
lnkd.in/d_dZNduf
2. Fortinet Courses (FREE)
lnkd.in/dmmkZ-tH
3. AttackIQ Mitre Att&ck Courses (FREE)
lnkd.in/dcfmSPEJ
1/2
#infosec #thesecureedge
1. Splunk Courses (FREE)
lnkd.in/d_dZNduf
2. Fortinet Courses (FREE)
lnkd.in/dmmkZ-tH
3. AttackIQ Mitre Att&ck Courses (FREE)
lnkd.in/dcfmSPEJ
1/2
#infosec #thesecureedge
4. Microsoft SC-200 Course (FREE)
lnkd.in/dbCn3k4n
5. Awesome OSINT Courses (FREE)
lnkd.in/dTCaCf-u
6. CSILinux Forensic Trainings (FREE)
lnkd.in/dhjwx_5h
7. Cybrary Trainings (FREE)
cybrary.it
lnkd.in/dbCn3k4n
5. Awesome OSINT Courses (FREE)
lnkd.in/dTCaCf-u
6. CSILinux Forensic Trainings (FREE)
lnkd.in/dhjwx_5h
7. Cybrary Trainings (FREE)
cybrary.it
ZEIT MACHT MĂGLICHKEIT
ÂŻ\_(ă)_/ÂŻ - + â #
#Psy
#Soc
#Cyb
#Bio
..................................................
ÂŻ\_(ă)_/ÂŻ - + â #
#Psy
#Soc
#Cyb
#Bio
..................................................
MYZELT EUCH #LuhCon22
#LiberalPaternalism wird fĂŒr #Commonism was fĂŒr #Caputalism das #empire des guten hirten hie nieden auf erden war (so?)
#PaternalismSucks
die liste der paternalisten?
- ich nannte sie #dickhÀuter. leider (so?)
dissent.is/nzz-wikipedia
#LiberalPaternalism wird fĂŒr #Commonism was fĂŒr #Caputalism das #empire des guten hirten hie nieden auf erden war (so?)
#PaternalismSucks
die liste der paternalisten?
- ich nannte sie #dickhÀuter. leider (so?)
dissent.is/nzz-wikipedia
DIE METAPHER #ZwingliFilm
die liste der paternalisten:
#POLITIK
rolle: ?
#WISSENSCHAFT
rolle: ?
#WIRTSCHAFT
rolle: ?
#MASSENMEDIEN
rolle: ?
#KĂNSTE
rolle: ?
#BILDUNGSINSTITUTIONEN
rolle: ?
srf.ch/audio/kontext/⊠min32 @SRF
die liste der paternalisten:
#POLITIK
rolle: ?
#WISSENSCHAFT
rolle: ?
#WIRTSCHAFT
rolle: ?
#MASSENMEDIEN
rolle: ?
#KĂNSTE
rolle: ?
#BILDUNGSINSTITUTIONEN
rolle: ?
srf.ch/audio/kontext/⊠min32 @SRF
CURRENT WRITINGS @sms2sms (August 2022)
Anamnesis: #Caputalism
- dissent.is/caputalism
Diagnosis: #DefaultChange
- dissent.is/defaultchange
Prognosis: #LiberalPaternalism
- dissent.is/liberalpaternaâŠ
Therapy: #Commonism
- dissent.is/commonism/
WORK IN PROGRESS
thread 1/n
Anamnesis: #Caputalism
- dissent.is/caputalism
Diagnosis: #DefaultChange
- dissent.is/defaultchange
Prognosis: #LiberalPaternalism
- dissent.is/liberalpaternaâŠ
Therapy: #Commonism
- dissent.is/commonism/
WORK IN PROGRESS
thread 1/n
(Science; german: Wissenschaft as "Wissen schaffen")
The workflow of my knowledge production strictly follows the idea of science:
"explicate the implicit" & search intensively for critique.
More in my book: DIE FORM DER UNRUHE #dfdu volume 2, Junius Verlag Hamburg, 2010
The workflow of my knowledge production strictly follows the idea of science:
"explicate the implicit" & search intensively for critique.
More in my book: DIE FORM DER UNRUHE #dfdu volume 2, Junius Verlag Hamburg, 2010
1/6
#StateHypocrisy #StateRacism
âWhen itâs one rule for yourâsâŠ
You have no right to be uptight
when we pull you up on youâ - (#SOC)
#StateHypocrisy #StateRacism
âWhen itâs one rule for yourâsâŠ
You have no right to be uptight
when we pull you up on youâ - (#SOC)
2/6
During his visit to #Rwanda, Johnson was asked by reporters whether Ukrainians will be sent to the East African nation if they enter the UK undocumented or by irregular routes:
During his visit to #Rwanda, Johnson was asked by reporters whether Ukrainians will be sent to the East African nation if they enter the UK undocumented or by irregular routes:
3/6
âSo Iâm afraid the answer is I suppose, yes, in theory that could happen but I think itâs very unlikely.â
inews.co.uk/news/politics/âŠ
âSo Iâm afraid the answer is I suppose, yes, in theory that could happen but I think itâs very unlikely.â
inews.co.uk/news/politics/âŠ
DIE SOZIOLOGIE STECKT IN EINER THEORIEKRISE.
@LuhmannArchiv 1. satz in #SozialeSysteme #sosy 1984 @suhrkamp
@LuhmannArchiv 1. satz in #SozialeSysteme #sosy 1984 @suhrkamp
@LuhmannArchiv @suhrkamp bin auf der suche - hÀndisch! - wo #NiklasLuhmann zum 1. mal den satz abgepresst hat:
KOMMUNIKATION KOMMUNZIERT
- nicht menschen
(any help?)
beginne etzt mit #SoSy (um nicht #SS tippen zu mĂŒssen)
sein register schickt mich fĂŒr #kommunikation auf seite 66
GOTT STEH MIR BEI
KOMMUNIKATION KOMMUNZIERT
- nicht menschen
(any help?)
beginne etzt mit #SoSy (um nicht #SS tippen zu mĂŒssen)
sein register schickt mich fĂŒr #kommunikation auf seite 66
GOTT STEH MIR BEI
@LuhmannArchiv @suhrkamp #KOMMUNIKATION TIEFER LEGEN #SoSy seite 66
KOMMUNIKATION ERMĂGLICHT DURCH SICH-BESCHRĂNKEN SICH SELBST
KOMMUNIKATION ERMĂGLICHT DURCH SICH-BESCHRĂNKEN SICH SELBST
[1/8]
#NationalityAndBordersBill #SOC
Please keep in mind the #BordersBill is back in parliament on Monday, and theyâre due to vote on thisâŠ
THREAD:
Has the Ukraine crisis transformed Britainâs approach to refugees?
#NationalityAndBordersBill #SOC
Please keep in mind the #BordersBill is back in parliament on Monday, and theyâre due to vote on thisâŠ
THREAD:
Has the Ukraine crisis transformed Britainâs approach to refugees?
[2/8]
Considering this government won the last election based on their Brexit promise to âtake back controlâ of our borders -
âOne of this governmentâs central ideas is to be tough on immigration and asylum and next week itâll bring back to
Considering this government won the last election based on their Brexit promise to âtake back controlâ of our borders -
âOne of this governmentâs central ideas is to be tough on immigration and asylum and next week itâll bring back to
[3/8]
#NationalityAndBordersBill , but for now, itâs having to show that Britain is open to the people who need our helpâ
On one hand the government has been determined to hang on to a visa system which explains why they have been extremely sluggish in setting up their processes
#NationalityAndBordersBill , but for now, itâs having to show that Britain is open to the people who need our helpâ
On one hand the government has been determined to hang on to a visa system which explains why they have been extremely sluggish in setting up their processes
1/6 đ§”
save0urcitizenships.wordpress.com
#NationalityAndBordersBill #SOC
Bill of barriers for Child citizenship:
The fee for a child registering as a British citizen currently stands at ÂŁ1012 and the home office confirms that the cost of registration to be
only ÂŁ372.
save0urcitizenships.wordpress.com
#NationalityAndBordersBill #SOC
Bill of barriers for Child citizenship:
The fee for a child registering as a British citizen currently stands at ÂŁ1012 and the home office confirms that the cost of registration to be
only ÂŁ372.
2/6
The remaining ÂŁ640 is therefore money made above the delivery of the service. Therefore, this level of fees do not reflect the cost of registration. And subsequently, under this governmentâs watch,
The remaining ÂŁ640 is therefore money made above the delivery of the service. Therefore, this level of fees do not reflect the cost of registration. And subsequently, under this governmentâs watch,
3/6
people have been prevented from accessing the immigration system leading to exclusion and isolation for children who are denied citizenship due to these barriers in their way. Citizenship should be about cost,
people have been prevented from accessing the immigration system leading to exclusion and isolation for children who are denied citizenship due to these barriers in their way. Citizenship should be about cost,
Once a month we get in front of our exec/senior leadership team and talk about #SOC performance relative to our business goals (grow ARR, retain customers, improve gross margin).
A đ§”on how we translate business objectives to SOC metrics.
A đ§”on how we translate business objectives to SOC metrics.
As a business we want to grow Annual Recurring Revenue (ARR), retain and grow our customers (Net Revenue Retention - NRR) and improve gross margin (net sales minus the cost of services sold). There are others but for this thread we'll focus on ARR, NRR, and gross margin.
/1
/1
I think about growing ARR as the ability to process more work. It's more inputs. Do we have #SOC capacity available backed by the right combo of tech/people/process to service more work?
Things that feed more work: new customers, cross selling, new product launches.
/2
Things that feed more work: new customers, cross selling, new product launches.
/2
Julie Zhou's, "The Making of a Manager" had a big impact about how I think about management.
One of the key lessons is that managers should focus on three areas to achieve a high multiplier effect: purpose, people, and process.
Let's apply that lesson to make a #SOC manager..
One of the key lessons is that managers should focus on three areas to achieve a high multiplier effect: purpose, people, and process.
Let's apply that lesson to make a #SOC manager..
Purpose: Be clear with your team about what success looks like - and create a team and culture that guides you there. Go through the exercise of articulating your teams purpose.
The "purpose" we've aligned on at Expel in our SOC: protect our customers and help them improve.
The "purpose" we've aligned on at Expel in our SOC: protect our customers and help them improve.
People: To get to where you want to go, what are the traits, skills, and experiences you need to be successful?
Traits (who you are)
Skills (what you know)
Experiences (what you've encountered/accomplished)
When we hire new SOC analysts, traits >> skills.
Traits (who you are)
Skills (what you know)
Experiences (what you've encountered/accomplished)
When we hire new SOC analysts, traits >> skills.
Gathering my thoughts for a panel discussion tomorrow on scaling #SOC operations in a world with increasing data as part of the Sans #BlueTeamSummit.
No idea where the chat will take us, but luck favors the prepared. A 𧔠of random thoughts likely helpful for a few.
No idea where the chat will take us, but luck favors the prepared. A 𧔠of random thoughts likely helpful for a few.
Before you scale anything, start with strategy. What does great look like? Are you already there and now you want to scale? Or do you have some work to do?
Before we scaled anything @expel_io we defined what great #MDR service looked like, and delivered it.
Before we scaled anything @expel_io we defined what great #MDR service looked like, and delivered it.
We started with the customer and worked our way back. What does a 10 â MDR experience look like?
We asked a lot of questions. When an incident happens, when do we notify? How do we notify? What can we tell a customer now vs. what details can we provide later?
We asked a lot of questions. When an incident happens, when do we notify? How do we notify? What can we tell a customer now vs. what details can we provide later?
4 steps to scaling a #SOC:
1. Collect data, you won't know what it means
2. Collect data, *kind* of understand it
3. Collect data, understand it. Able to say: "This is what's happening, let's try changing *that*"
4. Operational control. "If we do *this*, *that* will happen"
1. Collect data, you won't know what it means
2. Collect data, *kind* of understand it
3. Collect data, understand it. Able to say: "This is what's happening, let's try changing *that*"
4. Operational control. "If we do *this*, *that* will happen"
What you measure is mostly irrelevant. Itâs that you measure and understand what it means and what you can do to move your process dials up or down.
If you ask questions about your #SOC constantly (ex: how much analyst time do we spend on suspicious logins and how can we reduce that?) - progress is inevitable.
W/o constantly asking questions and answering them using data, scaling/progress is coincidental.
W/o constantly asking questions and answering them using data, scaling/progress is coincidental.
egal wen ich frage
egal auf welchem weg
...
bald beginne ich zu telefonieren, briefe zu schreiben, brieftauben aufzuscheuchen...
finde niemand, welcher mir erklÀren mag, was @niklas_luhmann mit der #soziologWie? vernichtenden #kritik gemeint haben konnte ;-)
@DGSoziologie #dögs
egal auf welchem weg
...
bald beginne ich zu telefonieren, briefe zu schreiben, brieftauben aufzuscheuchen...
finde niemand, welcher mir erklÀren mag, was @niklas_luhmann mit der #soziologWie? vernichtenden #kritik gemeint haben konnte ;-)
@DGSoziologie #dögs
m/eine #arbeitsthese:
was #PaulWatzlawick mit @LuhmannArchiv verbindet?
paul wie nikolaus hatten zu frĂŒh zu grosse erfolge und entwickelten nicht ihre frĂŒhen ideen weiter, sondern das, was rasch #applaus brachte... #soziologWie?
was #PaulWatzlawick mit @LuhmannArchiv verbindet?
paul wie nikolaus hatten zu frĂŒh zu grosse erfolge und entwickelten nicht ihre frĂŒhen ideen weiter, sondern das, was rasch #applaus brachte... #soziologWie?
freue mich auf meine 1. arbeitswoche nach dem #sommerloch 2021
Let's walkthrough an example:
This is a time series of alerts sent to the #SOC for triage since Jan 1. Counts are given at a daily granularity.
The overall trendline, plotted in grey, is showing a gradual increase, expected as weâve onboarded new customers over the period.
This is a time series of alerts sent to the #SOC for triage since Jan 1. Counts are given at a daily granularity.
The overall trendline, plotted in grey, is showing a gradual increase, expected as weâve onboarded new customers over the period.
We see a lot of variance at the end of Feb that continues into the beginning of Mar. This was due to a number of runaway alerts and some signatures that needed tweaking.
Whatâs most interesting is that the variance decreases after we released the suppressions features on Mar 17.
Whatâs most interesting is that the variance decreases after we released the suppressions features on Mar 17.
We believe this is due to analysts having more granular control of the system and itâs now easier than ever get a poor performing Expel alert back under control.
2020 @expel_io incident stats tell a familiar story: a lot of commodity malware *still* being deployed via evil macros and zipped HTA / JS files.
This isn't a thread to tell you to block macros or associate WSH files with notepad (like PS), but questions to ask if you can't.
This isn't a thread to tell you to block macros or associate WSH files with notepad (like PS), but questions to ask if you can't.
On blocking macros: If it were easy, everyone would do it.
But if you're a #SOC analyst, do you fire an alert when winword.exe spawns an unusual process like PS or regsvr32?
Can you create a macro that behaves like an evil one but is totally benign to test your alerting?
But if you're a #SOC analyst, do you fire an alert when winword.exe spawns an unusual process like PS or regsvr32?
Can you create a macro that behaves like an evil one but is totally benign to test your alerting?
Can you use #EDR to understand which processes are almost never spawned from winword.exe? Or maybe ask which processes spawned from winword.exe initiate an external connection out? Can you fine tune your logic and deploy in BLOCK mode?
Yea, the evil macro ran but EDR stopped it.
Yea, the evil macro ran but EDR stopped it.
To the "do it all" IT folks or new #SOC analysts that need a little help - a thread for you.
Cheat sheets and example queries for Endgame, CS Falcon, ATP, and CbR using a recent incident as the starting point.
cc: thanks to @AshwinRamesh94 for the query work
Cheat sheets and example queries for Endgame, CS Falcon, ATP, and CbR using a recent incident as the starting point.
cc: thanks to @AshwinRamesh94 for the query work
Yesterday we stopped a #ransomware attack at a customer where initial entry was a remote admin connection from a 3p IT provider
- Attacker had admin
- Connected to host via ConnectWise (RDP)
- Opened CMD shell to open PS download cradle to deploy SODINOKIBI from hastebin[d]com
- Attacker had admin
- Connected to host via ConnectWise (RDP)
- Opened CMD shell to open PS download cradle to deploy SODINOKIBI from hastebin[d]com
The attacker ransomed 1 host - but by removing access 6 min after the attack started - stopped it from becoming a much bigger issue.
Let's walk through a question or two we asked along the way using different EDR tech....
Let's walk through a question or two we asked along the way using different EDR tech....
La semana pasada me dejé pendiente hablar de respuesta ante incidentes en #ciberseguridad. Vamos a contar algunas cosas :). Lo primero las fases: preparación, detección, anålisis, contención, erradicación, recuperación y lecciones aprendidas. Dentro hilo 1/n
La preparaciĂłn se hace de forma previa a cualquier incidente, y lo ideal es conseguir que tu infraestructura sea capaz de recoger toda la info posible para que luego podamos resolver el incidente. Parece fĂĄcil de decir, pero en la realidad poca gente lo tiene 100% 2/n
... y en muchos casos te encuentras con un "logs qué?". Logs del proxy, firewall, IDS/IPS, correo, EventLog, etc ... son fundamentales para los detectives puedan investigar y localizar el problema con rapidez y exactitud.
Folks! We return for #HOTrainees with the exciting #Day2 @myESMO #ESMO20 and some more #practice relevant studies in #breastcancer #ProstateCancer #lungcancer #GI, so sit back, relax and lets go through some data (#HO #trainee-style!) Shout out to @peters_solange @OncoAlert
1. #BreastCancer: We have #monarchE and #IMPassion031 hoping to hear from experts @ErikaHamilton9 @NicoleKuderer @DrSGraff @matteolambe @tmprowell @GeorgeSledge51 @VukovicPetra for more insights- please link to your discussions here for #trainees:
1. A) #monarchE: use of #abemiciclib in HR+, HER2-,high risk #EBC in addition to endocrine therapy.
Current #SOC: adjuvant ET (5-10 years)
#monarchE: #Abemaciclib + ET iDFS HR 0.747, here's a great summary by @ErikaHamilton9 for @OncoAlert :
Current #SOC: adjuvant ET (5-10 years)
#monarchE: #Abemaciclib + ET iDFS HR 0.747, here's a great summary by @ErikaHamilton9 for @OncoAlert :
@myESMO #ESMO20 as a #trainee can be #overwhelming! So many good studies, some more #practicechanging then others, if you missed some and want to understand (albeit at a simplistic #trainee level), sit back, relax and enjoy as we go through some great data #ESMO20 @OncoAlert
1. #NSCLC: 2 major studies #ADAURA #CROWN for adjuvant #EGFRmNSCLC, and advanced #ALK+ experts can provide better perspective @JackWestMD @n8pennell @StephenVLiu @AMansfieldMD @CharuAggarwalMD @NarjustDumaMD @GlopesMd @DevikaDasMD @OncoAlert
1. A) #ADAURA: Stage IB-IIIA #resected #NSCLC with #EGFRm treated with #Osimertinib vs #placebo [SOC prior to this was adjuvant chemotherapy [cisplatin-based doublet based on #LACE metanalysis- pubmed.ncbi.nlm.nih.gov/18506026/] showed improvement in #DFS @NEJM nejm.org/doi/full/10.10âŠ
How do you measure #SOC quality? đ€
1. ISO 2859-1 (#AQL) to determine sample size
2. #Python #Jupyter notebook to perform random selection
3. Check sheet to spot defects
4. Process runs every 24 hrs
5. (Digestible) #Metrics to improve
How'd we get there? Story in /thread
1. ISO 2859-1 (#AQL) to determine sample size
2. #Python #Jupyter notebook to perform random selection
3. Check sheet to spot defects
4. Process runs every 24 hrs
5. (Digestible) #Metrics to improve
How'd we get there? Story in /thread
I'll break the thread down into four key points:
1. What we're solving for
2. Guiding principles
3. Our (current) solution
4. Quick recap
My goal is to share what's working for us and how we get there. But I'd love to hear from others. What's working for you?
1. What we're solving for
2. Guiding principles
3. Our (current) solution
4. Quick recap
My goal is to share what's working for us and how we get there. But I'd love to hear from others. What's working for you?
What we're solving for: All work is high quality, not just incidents.
On a typical day in our #SOC we'll:
- Process Ms of alerts w/ detection engine
- Send 100s to analysts for human judgement
Those 100s of alerts result in:
- Tens of investigations
- Handful of incidents
On a typical day in our #SOC we'll:
- Process Ms of alerts w/ detection engine
- Send 100s to analysts for human judgement
Those 100s of alerts result in:
- Tens of investigations
- Handful of incidents
