Discover and read the best of Twitter Threads about #soc

A new study from Colorado State University's Dept. of Soil & Crop Sciences & the Graduate Degree Program in Ecology found “that #regenerative practices—including integrating crop & livestock systems—were successful as long-term #CarbonStorage solutions.”
🧵 1/7
Researchers conducted a “global systematic meta-analysis of the effects of #regenerative management practices on Soil Organic Carbon (#SOC), Particulate Organic Carbon (#POC) & Mineral-Associated Organic Carbon (#MAOC) in cropland.”

They found that:
1️⃣ “no-till (NT) and cropping system intensification increase #SOC (11.3% and 12.4%, respectively), #MAOC (8.5% and 7.1%, respectively), and #POC (19.7% and 33.3%, respectively) in topsoil (0 to 20 cm), but not in subsoil (>20 cm).”
3/
Read 8 tweets
A #SOC analyst picks up an alert and decides not to work it.

In queuing theory, this is called “work rejection”–and it’s quite common in a SOC.

TL;DR - “Work rejection” is not always bad, but it can be measured and the data can help improve performance. More details in the 🧵..
A couple of ways work rejection plays out in the SOC. The most common:

An analyst picks up an alert that detects a *ton* of benign activity. Around the same time, an alert enters the queue that almost *always* finds evil. A decision is made...
The analyst rejects the alert that is likely benign for an alert that is more likely to find evil.

Let’s assume the analyst made the right call. They rejected an alert that was likely benign to work an alert that was evil. Work rejection resulted in effective #SOC performance.
Read 10 tweets
Security Operation Center - Certifications to #SOC

1. Microsoft SC-200 Course (FREE)

2. Splunk Courses (FREE)

3. AttackIQ Mitre ATT&CK Courses (FREE)


#infosec #thesecureedge #soc
4. Fortinet Courses (FREE)

5. Awesome OSINT Courses (FREE)

6. CSILinux Forensic Trainings (FREE)

7. Cybrary Trainings (FREE)
Consider Following me @hetmehtaa for more...

Read 3 tweets
What does a #SOC tour look like when the team is remote?

TL;DR - Not a trip to a room with blinky lights - but instead a discussion about mission, mindset, ops mgmt, results and a demo of the tech and process that make our SOC “Go”.

SOC tour in the 🧵...
Our SOC tour starts with a discussion about mission. I believe a key ingredient to high performing teams is a clear purpose and “Why”.

What’s our mission? It's to protect our customers and help them improve.
Our mission is deliberately centered around problem solving and being a strategic partner for our customers. Notice that there are zero mentions of looking at as many security blinky lights as possible. That’s intentional.
Read 14 tweets
There’s no more strategic thing than defining where you want to get to and measuring it.

Strategy informs what "great" means, daily habits get you started (and keep you going) and measurements tell you if you’re there or not.

A 🧵 on #SOC strategy / metrics:
Before we hired our first #SOC analyst or triaged our first alert, we defined where we wanted to get to; what great looked like.

Here’s [some] of what we wrote:
We believe that a highly effective SOC:

1. leads with tech; doesn’t solve issues w/ sticky notes
2. automates repetitive tasks
3. responds and contains incidents before damage
4. has a firm handle on capacity v. loading
5. is able to answer, “are we getting better, or worse?”
Read 19 tweets
Security Operation Center - Certifications to #SOC

1. Splunk Courses (FREE)

2. Fortinet Courses (FREE)

3. AttackIQ Mitre Att&ck Courses (FREE)


#infosec #thesecureedge
4. Microsoft SC-200 Course (FREE)

5. Awesome OSINT Courses (FREE)

6. CSILinux Forensic Trainings (FREE)

7. Cybrary Trainings (FREE)
Consider Following me @hetmehtaa for more...

Read 3 tweets

¯\_(ツ)_/¯ - + ≠ #






#LiberalPaternalism will be for #Commonism what the #empire of the good shepherd here below on earth was for #Caputalism (so?)


the list of paternalists?
- I called them #dickhäuter (pachyderms). unfortunately (so?)

the list of paternalists:

role: ?

role: ?

role: ?

role: ?

role: ?

role: ?… min32 @SRF
Read 27 tweets
(Science; German: Wissenschaft as "Wissen schaffen")

The workflow of my knowledge production strictly follows the idea of science:

"explicate the implicit" & search intensively for critique.

More in my book: DIE FORM DER UNRUHE #dfdu volume 2, Junius Verlag Hamburg, 2010
what we learned from #AbyWarburg:…
Read 10 tweets
#StateHypocrisy #StateRacism

‘When it’s one rule for your’s…

You have no right to be uptight
when we pull you up on you’ - (#SOC)
During his visit to #Rwanda, Johnson was asked by reporters whether Ukrainians will be sent to the East African nation if they enter the UK undocumented or by irregular routes:
“So I’m afraid the answer is I suppose, yes, in theory that could happen but I think it’s very unlikely.”…
Read 6 tweets

@LuhmannArchiv 1st sentence in #SozialeSysteme #sosy 1984 @suhrkamp
@LuhmannArchiv @suhrkamp I am searching - by hand! - for where #NiklasLuhmann first squeezed out the sentence:

- not humans

(any help?)

starting now with #SoSy (so as not to have to type #SS)

his index sends me to page 66 for #kommunikation

@LuhmannArchiv @suhrkamp LAYING #KOMMUNIKATION DEEPER #SoSy page 66

Read 38 tweets
#NationalityAndBordersBill #SOC

Please keep in mind the #BordersBill is back in parliament on Monday, and they’re due to vote on this…

Has the Ukraine crisis transformed Britain’s approach to refugees?
Considering this government won the last election based on their Brexit promise to “take back control” of our borders -

“One of this government’s central ideas is to be tough on immigration and asylum and next week it’ll bring back to
#NationalityAndBordersBill, but for now, it’s having to show that Britain is open to the people who need our help”

On one hand the government has been determined to hang on to a visa system which explains why they have been extremely sluggish in setting up their processes
Read 8 tweets
1/6 🧵
#NationalityAndBordersBill #SOC

Bill of barriers for Child citizenship:

The fee for a child registering as a British citizen currently stands at £1012 and the Home Office confirms the cost of registration to be
only £372.
The remaining £640 is therefore money made above the delivery of the service. Therefore, this level of fees does not reflect the cost of registration. And subsequently, under this government’s watch,
people have been prevented from accessing the immigration system leading to exclusion and isolation for children who are denied citizenship due to these barriers in their way. Citizenship should be about cost,
Read 6 tweets
Once a month we get in front of our exec/senior leadership team and talk about #SOC performance relative to our business goals (grow ARR, retain customers, improve gross margin).

A 🧵 on how we translate business objectives to SOC metrics.
As a business we want to grow Annual Recurring Revenue (ARR), retain and grow our customers (Net Revenue Retention - NRR) and improve gross margin (net sales minus the cost of services sold). There are others but for this thread we'll focus on ARR, NRR, and gross margin.
I think about growing ARR as the ability to process more work. It's more inputs. Do we have #SOC capacity available backed by the right combo of tech/people/process to service more work?

Things that feed more work: new customers, cross selling, new product launches.
/2
Read 18 tweets
Julie Zhuo's "The Making of a Manager" had a big impact on how I think about management.

One of the key lessons is that managers should focus on three areas to achieve a high multiplier effect: purpose, people, and process.

Let's apply that lesson to make a #SOC manager..
Purpose: Be clear with your team about what success looks like - and create a team and culture that guides you there. Go through the exercise of articulating your team's purpose.

The "purpose" we've aligned on at Expel in our SOC: protect our customers and help them improve.
People: To get to where you want to go, what are the traits, skills, and experiences you need to be successful?

Traits (who you are)
Skills (what you know)
Experiences (what you've encountered/accomplished)

When we hire new SOC analysts, traits >> skills.
Read 4 tweets
Gathering my thoughts for a panel discussion tomorrow on scaling #SOC operations in a world with increasing data as part of the SANS #BlueTeamSummit.

No idea where the chat will take us, but luck favors the prepared. A 🧵 of random thoughts likely helpful for a few.
Before you scale anything, start with strategy. What does great look like? Are you already there and now you want to scale? Or do you have some work to do?

Before we scaled anything @expel_io we defined what great #MDR service looked like, and delivered it.
We started with the customer and worked our way back. What does a 10 ⭐ MDR experience look like?

We asked a lot of questions. When an incident happens, when do we notify? How do we notify? What can we tell a customer now vs. what details can we provide later?
Read 25 tweets
4 steps to scaling a #SOC:

1. Collect data, you won't know what it means
2. Collect data, *kind* of understand it
3. Collect data, understand it. Able to say: "This is what's happening, let's try changing *that*"
4. Operational control. "If we do *this*, *that* will happen"
What you measure is mostly irrelevant. It’s that you measure and understand what it means and what you can do to move your process dials up or down.
If you ask questions about your #SOC constantly (ex: how much analyst time do we spend on suspicious logins and how can we reduce that?) - progress is inevitable.

W/o constantly asking questions and answering them using data, scaling/progress is coincidental.
Read 5 tweets
no matter whom I ask
no matter by which route
soon I will start making phone calls, writing letters, startling carrier pigeons into flight...

I find no one who cares to explain to me what @niklas_luhmann could have meant by the #kritik that destroys #soziologWie? ;-)

@DGSoziologie #dögs
my / a #arbeitsthese (working thesis):

what connects #PaulWatzlawick with @LuhmannArchiv?

paul, like nikolaus, had too much success too early and did not develop their early ideas further, but rather whatever quickly brought #applaus... #soziologWie?
looking forward to my 1st working week after the #sommerloch (summer slump) 2021
Read 11 tweets
Let's walk through an example:

This is a time series of alerts sent to the #SOC for triage since Jan 1. Counts are given at a daily granularity.

The overall trendline, plotted in grey, is showing a gradual increase, expected as we’ve onboarded new customers over the period.
We see a lot of variance at the end of Feb that continues into the beginning of Mar. This was due to a number of runaway alerts and some signatures that needed tweaking.

What’s most interesting is that the variance decreases after we released the suppressions features on Mar 17.
We believe this is due to analysts having more granular control of the system and it’s now easier than ever to get a poor performing Expel alert back under control.
Read 6 tweets
2020 @expel_io incident stats tell a familiar story: a lot of commodity malware *still* being deployed via evil macros and zipped HTA / JS files.

This isn't a thread to tell you to block macros or associate WSH files with notepad (like PS), but questions to ask if you can't.
On blocking macros: If it were easy, everyone would do it.

But if you're a #SOC analyst, do you fire an alert when winword.exe spawns an unusual process like PS or regsvr32?

Can you create a macro that behaves like an evil one but is totally benign to test your alerting?
Can you use #EDR to understand which processes are almost never spawned from winword.exe? Or maybe ask which processes spawned from winword.exe initiate an external connection out? Can you fine tune your logic and deploy in BLOCK mode?

Yea, the evil macro ran but EDR stopped it.
Read 9 tweets
To the "do it all" IT folks or new #SOC analysts that need a little help - a thread for you.

Cheat sheets and example queries for Endgame, CS Falcon, ATP, and CbR using a recent incident as the starting point.

cc: thanks to @AshwinRamesh94 for the query work
Yesterday we stopped a #ransomware attack at a customer where initial entry was a remote admin connection from a 3p IT provider

- Attacker had admin
- Connected to host via ConnectWise (RDP)
- Opened CMD shell to open PS download cradle to deploy SODINOKIBI from hastebin[d]com
The attacker ransomed 1 host - but by removing access 6 min after the attack started - stopped it from becoming a much bigger issue.

Let's walk through a question or two we asked along the way using different EDR tech....
Read 15 tweets
Last week I left pending a talk about incident response in #ciberseguridad. Let's go over a few things :). First, the phases: preparation, detection, analysis, containment, eradication, recovery and lessons learned. Thread inside 1/n
Preparation is done ahead of any incident, and ideally you get your infrastructure to collect as much information as possible so that we can later resolve the incident. It sounds easy to say, but in reality few people have it 100% 2/n
... and in many cases you are met with a "logs what?". Logs from the proxy, firewall, IDS/IPS, mail, EventLog, etc ... are essential so that the detectives can investigate and locate the problem quickly and accurately.
Read 12 tweets
Folks! We return for #HOTrainees with the exciting #Day2 @myESMO #ESMO20 and some more #practice relevant studies in #breastcancer #ProstateCancer #lungcancer #GI, so sit back, relax and let's go through some data (#HO #trainee-style!) Shout out to @peters_solange @OncoAlert
1. #BreastCancer: We have #monarchE and #IMPassion031 hoping to hear from experts @ErikaHamilton9 @NicoleKuderer @DrSGraff @matteolambe @tmprowell @GeorgeSledge51 @VukovicPetra for more insights- please link to your discussions here for #trainees:
1. A) #monarchE: use of #abemiciclib in HR+, HER2-,high risk #EBC in addition to endocrine therapy.
Current #SOC: adjuvant ET (5-10 years)
#monarchE: #Abemaciclib + ET iDFS HR 0.747, here's a great summary by @ErikaHamilton9 for @OncoAlert :
Read 11 tweets
@myESMO #ESMO20 as a #trainee can be #overwhelming! So many good studies, some more #practicechanging than others, if you missed some and want to understand (albeit at a simplistic #trainee level), sit back, relax and enjoy as we go through some great data #ESMO20 @OncoAlert
1. #NSCLC: 2 major studies #ADAURA #CROWN for adjuvant #EGFRmNSCLC, and advanced #ALK+ experts can provide better perspective @JackWestMD @n8pennell @StephenVLiu @AMansfieldMD @CharuAggarwalMD @NarjustDumaMD @GlopesMd @DevikaDasMD @OncoAlert
1. A) #ADAURA: Stage IB-IIIA #resected #NSCLC with #EGFRm treated with #Osimertinib vs #placebo [SOC prior to this was adjuvant chemotherapy [cisplatin-based doublet based on #LACE metanalysis-] showed improvement in #DFS @NEJM…
Read 19 tweets
How do you measure #SOC quality? 🤔

1. ISO 2859-1 (#AQL) to determine sample size
2. #Python #Jupyter notebook to perform random selection
3. Check sheet to spot defects
4. Process runs every 24 hrs
5. (Digestible) #Metrics to improve

How'd we get there? Story in /thread
I'll break the thread down into four key points:

1. What we're solving for
2. Guiding principles
3. Our (current) solution
4. Quick recap

My goal is to share what's working for us and how we get there. But I'd love to hear from others. What's working for you?
What we're solving for: All work is high quality, not just incidents.

On a typical day in our #SOC we'll:
- Process Ms of alerts w/ detection engine
- Send 100s to analysts for human judgement

Those 100s of alerts result in:
- Tens of investigations
- Handful of incidents
Read 10 tweets
