Devo - Cloud Native Security Conference.pptx (28-page slide deck)
Mapping Motives Tells a Story: Analysis of 2,000 Enterprise Cloud Detections
Joshua Smith, Security Content Engineer
David Wolf, Security Innovation Researcher

Session Content
- About Devo SciSec Innovation
- Research Methods and Scope
- Findings by Theme: 1. Automated SOC, 2. Augmented Analyst, 3. Alert Management
- Takeaways and Lessons Learned

About Devo SciSec and Innovation
Research themes:
1. Automated SOC Controls: Detective, Corrective, Preventative
2. Augmented Analyst: Empowered, Enabled, Educated
3. Alert Management*: Customizable, Reusable, Across vendor products
* Reported as the #1 analyst pain point in the Devo annual SOC Performance Report.
Research process: Assess defensive coverage, Identify high priority gaps, Tune and acquire new defenses (Assess / Prioritize gaps / Tune defenses).

About Devo SciSec Research Lab
Mission: Conduct security research on emerging threats and customer security problems to deliver novel security use cases.
Team:
- Detections Engineers
- ML/AI Data Scientists
- Security Researchers
- QA
Technology:
- Detections (product content)
- ML models
- Test infrastructure (vendor products)
- Cloud providers (AWS, GCP, Azure)

Research Methods and Scope
Methods. Devo SciSec security researchers:
- Analyzed cloud SIEM detections from more than 300 enterprises and MSPs that have active, firing alerts.
- Applied novel machine learning (ML) and natural language processing (NLP) to alert metadata in order to map detections to MITRE ATT&CK and Zero Trust Architecture.
- Explored further ML and NLP methods to analyze cloud alert metadata as a corpus in order to map attacker motives and stories using semantic relationships.
Scope:
- 6035 alerts used in analysis (15141 alerts in sample)
- Sample period: 1 August - 31 December 2022
- 398 SIEMs (Devo domains) with out-of-the-box (OOTB) alerts deployed
- Enterprises span industries, including: MSSPs, financial services, retail, technology, education, and operational technology (manufacturing, hospitals, transportation, etc.)
- Federal and defense-related detections are not in scope

Scope: MITRE ATT&CK Cloud Matrix: Infrastructure and Workspace Controls
The cloud alerts used in this research mapped to MITRE ATT&CK Cloud Matrix tactics and techniques.

Scope in Graph Form
- Detections used in final analysis vs removed from sample: In Scope 46% (n=6,035); Out of Scope 54% (n=7,152)
- Detections mapped to MITRE ATT&CK framework: Mapped 58% (n=3,507); Not Mapped 42%
- Detections mapped to Zero Trust Architecture framework: Mapped 91% (n=5,496); Not Mapped 9% (n=539)
- Detections by alert management responsibility: Managed by MSP 31% (n=1,879); Other 69%
- Detections based on cloud providers vs traditional enterprise detections: Cloud Detections 17% (n=1,018); Traditional 83%
- Out-of-the-box vs custom-crafted detections: OOTB Detections 75% (n=4,532); Custom Detections 25% (n=1,503)
- Number of employees per enterprise (excludes MSSPs): 10,000+ Employees 41% (n=34); 1,000-9,999 Employees 31% (n=26); <1,000 Employees 28% (n=23)
- Detections per enterprise vertical (excludes MSPs): FinServ 30% (n=1,264); Technology 22% (n=919); OT 16% (n=659); Retail 14% (n=564); Services 8% (n=332); Media 5% (n=221); Education 5% (n=197)
- Detections per enterprise location: United States 62% (n=3,767); Europe 28% (n=1,683); Asia Pacific 6% (n=354); Canada 4% (n=231)

1. Automated SOC

Automated SOC: OOTB Key to Cloud Control
Cloud SOC defenders are relying on out-of-the-box detections (84%) and are only 60% as likely to build custom SIEM alerts compared to enterprise defenders.
- Cloud SOC: Out-of-the-box Detections 84%; Custom Detections 16%
- Out-of-the-box Detections 73%; Traditional Detections 27%
Source: 2022 Devo State of the Cloud SOC Detections Report

Automated SOC: Cloud Control Coverage
- Amazon AWS + another cloud provider 59%; Amazon AWS-only 41%
- Share of SIEM detection stack that is cloud: 50%+ Cloud Detections 26%; 25-49% Cloud Detections 23%; <25% Cloud Detections 51%
Enterprise SOCs with Amazon AWS are often defending another cloud (59%).
For 1 in 4 enterprise SOCs defending cloud assets, cloud detections comprise a majority (50%+) of the SIEM detection stack.
Sources: CISA Zero Trust Maturity Model; 2022 Devo State of the Cloud SOC Detections Report

Automated SOC: OOTB vs Custom SIEM Alerts
OOTB Detections / Custom Detections by vertical:
- OT/ICS: 94.8% / 5.2%
- Technology: 92.9% / 7.1%
- Services: 92.8% / 7.2%
- Education: 80.7% / 19.3%
- Financial Services: 80.1% / 19.9%
- Media: 73.8% / 26.2%
- Retail: 68.4% / 31.6%
- MSP: 54.6% / 45.4%
Managed Security Service Providers (MSSPs) are more likely than enterprises to craft custom detections. Overall, 84% of enterprise detections are OOTB, compared to only 55% of MSSP detections.

Automated SOC: Top Takeaways
1. Out-of-the-box detections are the key to cloud SOC automation
2. Cloud is a major control area and often a majority of automated SIEM alerts

2. Augmented Analyst

Augmented Analyst: MITRE ATT&CK Visibility
Labeling alerts shows gaps in cloud coverage. Overall, Cloud SOC analysts have less visibility at the start and end of the MITRE ATT&CK chain compared to enterprise defenders (12.1% vs 22.1%).
Share of detections per tactic, Cloud Detections / Enterprise Detections:
- TA0001 Initial Access: 4.87% / 6.97%
- TA0002 Execution: 0.29% / 6.29%
- TA0003 Persistence: 28.17% / 13.54%
- TA0004 Privilege Escalation: 13.47% / 15.39%
- TA0005 Defense Evasion: 12.45% / 11.34%
- TA0006 Credential Access: 12.35% / 15.16%
- TA0007 Discovery: 12.61% / 11.46%
- TA0008 Lateral Movement: 2.84% / 5.65%
- TA0009 Collection: 2.51% / 1.12%
- TA0010 Exfiltration: 1.58% / 2.10%
- TA0040 Impact: 8.87% / 10.98%

Augmented Analyst: Zero Trust
- Device 54%; Network 19%; Identity 10%; Other 17%
Most SOC detections focus on Zero Trust Device and Network activity (74%), with far fewer controls based on User Identity, Application Workloads, and Data.

Augmented Analyst: Device Protection
- Endpoint 47%; Cloud 19%; Firewall 16%; Auth 5%; Web 5%; Proxy 3%; Domains 3%; Network 2%
Detections based on the three most common types (endpoint device protection, cloud logs, and firewall solutions) are the basis for most enterprise SOC controls (83% of detections).

Augmented Analyst: Cloud Controls
- Amazon AWS 57%; Microsoft Azure and Office 365 35%; Google GCP and Workspaces 8%
Cloud SOC defenders are focusing most detective controls on AWS (57%).

Augmented Analyst: Top Takeaways
1. Cloud SOC analysts need support via specialized detections to defend multiple clouds, especially for enterprises on AWS
2. Cloud SOC analysts need more visibility at the start and end of the MITRE ATT&CK chain

3. Alert Management

Alert Management: Devo SOC Performance Report
- Alert management is the #1 pain point and area for improvement reported by high-performing SOCs (87%).
- SOC analyst staff report alert management as the #1 area in need of support (63%).

Alert Management: Zero Trust Framework
Source: CISA Zero Trust Maturity Model, 2021
Most Cloud SOC detections focus on Zero Trust Visibility and Workloads (79%), while traditional Enterprise SOC detections are focused on Device and Network activity (83%).
Share of detections per Zero Trust pillar, Cloud Detections / Enterprise Detections:
- Device: 6.23% / 62.29%
- Visibility: 63.58% / 4.91%
- Network: 3.94% / 20.82%
- Workload: 15.75% / 0.57%
- Identity: 9.43% / 10.33%
- Data: 1.07% / 1.09%

Alert Management: Cloud Detections Matter
"Banks are technology companies with a banking license" (many bank CEOs)
Cloud is most prominent as a ratio of detections in Financial Services and Technology (27%).
Cloud / Enterprise share of detections by vertical:
- FinSvcs: 27.78% / 72.22%
- Technology: 27.09% / 72.91%
- Retail: 21.28% / 78.72%
- OT/ICS: 17.91% / 82.09%
- MSP: 7.29% / 92.71%
- Education: 7.11% / 92.89%
- Services: 5.72% / 94.28%
- Media: 4.98% / 95.02%

Alert Management: Current Auditing Options by Cloud Vendor
Amazon Web Services (AWS):
- Logging and events
- Visibility and alerting
- Automation
- Secure storage
- Custom
Google Cloud Provider (GCP):
- Admin Activity audit logs
- Data Access audit logs
- System Event audit logs
- Policy Denied audit logs
Microsoft Azure:
- Activity logs
- Azure Resource logs
- Azure Active Directory reporting
- Virtual machines and cloud services
- Azure Storage Analytics
- Network security group (NSG) flow logs
- Application Insights
- Process data/security alerts

Alert Management: Top Takeaways
1. Out-of-the-box detections are the key to cloud SOC automation
2. Cloud is a major control area and often a majority of automated SIEM alerts

Lessons Learned
1. Cloud is Big: Cloud is a big part of the enterprise detection stack, and enterprises are increasingly defending multiple cloud infrastructure and workspace providers.
2. Augment the Analyst: Analysts need alerts that are augmented with rich metadata like MITRE ATT&CK tactics and techniques.
3. The 5 Kinds of Detection: Help analysts by mapping alerts to a control area: Cloud, Network, Device, Identity, Other.
4. OOTB for the Win: Cloud controls are different; an OOTB strategy is the way to go.
5. Use a Strategy: Mapping detections to frameworks increases interoperability and ease of alert management.

THANK YOU
33、ping alerts to a control area:Cloud,Network,Device,Identity,Other4.4.OOTB for the Win:OOTB for the Win:Cloud controls are different OOTB strategy is the way to go5.5.Use a Strategy:Use a Strategy:Mapping detections to frameworks increases interoperability and ease of alert managementLessons LearnedLessons Learned:THANK YOUTHANK YOU