Profile picture
J. @CxOSidekick
, 18 tweets, 4 min read Read on Twitter
A SOC that deals in Alerts is doomed. If it deals in 'high fidelity detection analytics' + can show ...
1) what's possible to detect that your tech teams + business MDs care about
2) by implication what gaps exist with existing tech (coverage / config)
... then in with a chance.
In practice what that means is defining 5 things that are highly interesting from a blue/red perspective, and where you would tolerate high false positives because if you see 'an activity' it's worth some precious analyst time to investigate ... for 2 reasons ...
1) To rule out that badness is happening
2) To understand if the analytic can be better tuned to remove the trigger to 'go look at this'
This is why I reject totally and utterly the concept of spending any time looking at critical alerts as defined by some random rules in some vendor tech. You can't justify your time and money to the people who fund you when you metricate that stuff.
But if you explain that you investigate 100% of 5 (or whatever) activities that would equate to revenue loss, and show how often those activities take analyst time, and how much analyst time they take... you have the start of a business case
Now, let's think about what that means for logs...
If you have a list of top 5 detections there will of course be caveats. You only know to detect what is known to you. For example where you have knowledge of what logs you need from past experience, or from IR. So your top 5 may be wrong in the grand scheme.
But you have to start somewhere. So starting with what you know is better that starting with what could happen maybe based on what vendors have told you, or stories told at conferences etc
Here's a good picture of what happens when you try and build a strategy that starts with what *could* happen.
An issue you may run into when forming a 'top #n' detections is that the logs you have push you closer to the wrong side of IR (i.e. you leave yourself a v short time to close the door before the horse bolts). This is ok. Because you can now explain that to your financiers...
... namely, the business units who are entrusting you with stopping badness. And hopefully adding value too while you do that.
If they would like to 'move to the left' in the timeline of detection (catch things earlier) then there is a cost to do that.
However rather than asking for that cost as an up front investment of money (and trust that you'll deliver value from what you spend) it's better to start with defining the best detections you can deliver with what you have.
It then becomes very obvious whether your 'top 5 deliverable detections' are in fact way down the list of priorities (e.g. numbers 15-20 not 1-5). However if it's the best you can do, that is reality.
Changing reality means changing the logs or changing the way you work with them.
And in turn once you've defined your detections and thoroughly investigated the best you can do with existing tech + config, you are in a much better position to know how best to change reality.
Tl:Dr ...
1) define top 5 things you would need to take action on if detected
2) define top 5 things you *can* take action on with detections you can build
3) define delta between the two + reasons for it
4) articulate how 'investigative' the actions you can take are
Once you can show how much further digging in 4) is necessary, you know how noisy your detection is and what kind of lag time there is when you take action (e.g. investigate / block / etc)
@threadreaderapp #unroll
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to J.
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#n #unroll

More from @CxOSidekick see all

Profile picture
It's 100% true that you need technical expertise in a security team. There are also other things that need to come together for a team to improve how well protected their business is. One of those can be winning the opportunity to do the technical stuff that's needed.
In fact I think there are 8 key applied abilities that are vital in security

1. Systems thinking
2. Politic
3. Architecture / engineering mindset
4. Team creation and evolution
5. Product management
6. Project management
7. Data science
8. Coding
Systems thinking: Sec teams are usually implementing a complex system (lots of sec controls w/ interdependencies) within a complex system (the biz+its people/process/ tech inter-relationships). Ability to understand, share & build consideration of this into decisions is vital.
Read 11 tweets
Profile picture
@xaprb Some quick thoughts...

There are different scenarios for exec comms:
- Cyclical (e.g. annual reporting where format doesn't change)
- Periodic (e.g. on an issue that will last a few committee meetings)
- Ad hoc (e.g. random requests on key things)
- Crisis (new, short cycle)
@xaprb For each there are different formulas you can use. E.g. cyclical reporting may be
- what's our status on something pre-defined as important?
- is status good or bad?
- if bad do we have enough information to act or do we need more?
- if we act what is best cost decision?
@xaprb And there will be different levels of detail for each type of comms. For example in Crisis, you may be giving minute by minute updates. In cyclical the level of detail may be very deep (e.g. board reporting) but more analytical in style.
Read 9 tweets
Profile picture
@sachafaust One of the things that I find helpful is to use product management frameworks to look at effort and impact over time. Lots of things you 'should have' can take a lot of time to roll out and then don't give you the agility you want (e.g. in detection over custom data sets)...
@sachafaust ... which means the team needs to think about what will move the needle quickly in the short term while also laying the foundation to go from 1.0 to 2.0 of capability (vs waiting for 5.0 and never getting there).
@sachafaust Another product management tool is 'time boxing' for testing new ideas (either on red or blue) and that can be effective in limiting scope (which itself is another important part of testing assumptions under uncertainty).
Read 13 tweets

Related threads

Profile picture
Is there a future in old #tech? Of course there is - especially when it's still powering some of our most amazing inventions. Which brings me to the matter of today's #ThursdayThoughts topic:

How's your FORTRAN?
FORTRAN (in shouty caps) was released in 1957 as the world's first high-level programming language. It’s probably the longest lasting, with Fortran 2018 (no shouty caps) being its latest release. And it all started with a simple question: how do you simplify programming?
Programming early computers meant entering sequences of numerical codes, each representing a basic operation. It was time-consuming, prone to error and hard to spot mistakes. The codes needed also varied between computers. Basically it was a slog.
Read 16 tweets
Profile picture
Limiting Beliefs...

1) to upskill we need to hire externally vs. train internally
2) we’ll fail at X because we failed at X once before
3) we can’t innovate internally
4) [some group] can’t handle transparency
5) we can’t afford “good” developers/designers

(1/5) #teams
6) the team needs to start with training wheels
7) the best people have already left
8) we can’t prioritize w/o a solution in mind
9) they’re not management/leadership “material”
10) I need to do it myself for it to be done right

(2/5) #teams #limitingbeliefs
11) there’s no way we can all work together on that
12) this is too rough to show a user/customer
13) w/o supervision, they’ll just slack off
14) w/o a strict process, chaos will ensue
15) this decision is too high stakes to involve the team

(3/5) #teams #limitingbeliefs
Read 5 tweets
Profile picture
THREAD on biz, human rights and tech. 1/ On this 70th anniversary of the UDHR’s adoption by UNGA, connecting dots from UDHR to tech today. UDHR-> ICCPR-> UNGPs-> GNI Principles-> #tech company human rights commitments, infrastructure, and decisions. #UDHR: un.org/en/universal-d…
2/ UDHR is unique in modern int'l political system (post-1648) b/c rights declared inherent in all people based on human dignity, not derived from god, a king or the state. For provisions that we relate to the tech sector today, see Articles 12 (privacy) and 19 (free expression).
3/ In the ICCPR, as one of the UDHR's implementing treaties, see Articles 17 (privacy) and 19 (free expression), which we similarly relate to the tech sector today. #ICCPR: ohchr.org/EN/Professiona…
Read 23 tweets
Profile picture
Let's have our weekly #GlobalEChats and discuss the topic of #foodtech #delivery.

As #food is a necessity, it is natural that #entrepreneurs are lured into venturing in the F&B business. What more with #IR40, we often think of taking business one step ahead: by involving tech!
Now let's break this down into two types of niche within #fooddelivery and #fnb industry.

1. You own the restaurant and you are providing an additional delivery #service.

2. You don't own any restaurant and you are merely the delivery service.

The two are very different!
To help put points into perspective:

#1 is a classic example of pizza stores such as @DominosMY. Any #eatery can set up its own delivery system.

#2 is a rather new invention. Such examples would be @foodpanda_my and @GrabMY's GrabFood service!
Read 13 tweets
Profile picture
I’ve worked with lots of agile #teams, and some of the symptoms of a well functioning high-perfoming teams that I see are:

👇
They start their daily standups on time.
They tend to laugh a lot and have fun.
Read 86 tweets
Profile picture
My checkered history with NIH grant proposals: 1) First proposal was for a K award. Study section said I already had enough papers that I should instead apply for R award. Low agreement among reviewers evaluating the same NIH grant applications pnas.org/content/early/…
2) So I applied for an R award the following year. Study section said I did not have enough of a track record yet and should have applied for a K award.
3) Then applied for correlative studies for a proposed trial. Study section said trial was unlikely to accrue. Trial did accrue, correlative studies were done with non-NIH funding.
Read 8 tweets

Trending hashtags

#business #RedHenLexVA #US #Adams #KremlinAnnex #Wilkinson #abortions #HoneyPot #OpSecFail #Putin #DeepLearning #flooding #sustainability #FakeNews #Analytics #freedom #yourewelcome #filibuster #totalitarian #laptop #Cryptography #KeepLooking #ClintonFoundation #spliceosome #ItsTime

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!