A lot of SOCs struggle to adopt case management tools they've acquired and implemented. One reason is that orgs can't decide if they want a tool to support existing processes or if they want a tool to define their processes. 1/
One story is that orgs often have poorly defined processes so they acquire a tool that directly or indirectly provides workflows. But, the org wants to cling to some facets of what they're already doing. The new tech limits that, so they never fully embrace it. 2/
Another story is that orgs acquire something that is more of an infinitely customizable sandbox, but they are unable to implement their own processes because they are so ill-defined. The org thought they had strong workflows but the tool reveals they don't, so it languishes. 3/
Ideally you have strong reliable workflows that a tool supports. Not everyone is going to be there, so an awareness of what you have, what works, and where gaps are is the next best thing. You want to understand where the tool provides customization and where it limits it. 4/
Said another way w/ examples:

If you buy ServiceNow and hope it'll define workflow for you, you're gonna have a bad time. If you buy Exabeam and want to customize it to facilitate your well-established workflow, you're gonna have a bad time. You have to know where you're at. 5/
You can substitute many vendors both commercial and free in those slots, so I'm not picking on these folks specifically. 6/
I do think case management is one of the weaker solution areas in infosec for a number of reasons. Obviously there's the tacit and metacognitive knowledge issues. But also, many security vendors tack it on to existing tools with little thought. 7/
At the same time, the sandbox-style tools are difficult to work with, often requiring full-time staff to develop or configure them. They are often made to cover so many broad use cases that they cover few specific ones very well. 8/
I think @TheHive_Project is probably the best thing going in this space right now. It's simple, focused, and somewhat customizable. Lots of potential. 9/
There's LOTS of room for new ideas in this space. However...

1. It probably doesn't come from SIEM
2. It probably doesn't come from SOAR
3. It never fully gets there without major industry shifts towards tackling the tacit knowledge problem.

10/
And because I know I'll get asked, the most successful setups I've seen that are the most accessible are:
- Using @TheHive_Project out of the box
- Using @Jira along with @Confluence wiki integration.

11/
Keep Current with Chris Sanders