A Recipe for Improving SecOps Detections

FIRST
93 views - 2 months ago
A Recipe for Improving SecOps Detections: Take Three Security Controls, add a Tablespoon of Threat Intelligence, and Let it Rise

John Stoner (Google Cloud, US)

John Stoner is a Global Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response, Detection Engineering and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture-the-flag events. John has presented and led workshops at various industry symposia including FIRST (CTI, Tech Colloquium), BSides (SF, Las Vegas), SANS Summits (DFIR, Threat Hunting, Cloud and SIEM), WiCyS, Way West Hacking Fest and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."

---

OK, it's not that simple, but this talk is designed to identify a prescriptive approach to building detections. Purple teaming, adversary simulation/emulation and automated red teaming are all intended to help defenders be better prepared. The problem is that these are yet more initiatives that many of us don't have the time to undertake alongside all of the other requirements thrown at us.

At the heart of these initiatives is the desire to help organizations build better detections that can handle threats more effectively. Rather than tie ourselves into knots around questions like "is it better to emulate or simulate or run an automated red team", we need to focus on determining the threats that we need to detect in our environments, aligned with the actors targeting us.

This talk provides attendees with a methodology for testing and validating detections to drive rule development in security operations. Testing cannot take place in a vacuum and should be executed in a representative target environment that includes an organization's telemetry (EDR/Sysmon and NDR/Zeek, for example).

We will also examine the role that threat intelligence plays in determining how to prioritize and focus our detection development on the most relevant threats for an organization. This methodology should evolve into an ongoing cycle, and we will discuss how this ensures rules continue to function, with the added bonus of identifying whether data is being ingested and normalized as expected. Finally, we will walk through an example that applies this methodology.
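The ongoing validation cycle the abstract describes has two outputs: confirmation that each rule still fires on the activity it was written for, and early warning when the telemetry feeding it has stopped carrying the normalized fields the rule reads. The harness below is an added illustration of that loop, not code from the talk or from Google Cloud; the rule (a document-handling application spawning a command interpreter), the normalized field names (`image`, `parent_image`), and the Sysmon-style sample events are all constructed for this example, and a real deployment would replace the in-memory samples with events replayed from the representative environment.

```python
"""Detection validation harness (added example, not the talk's own code).

For every rule it (1) checks that each sample event carries the normalized
fields the rule depends on, which surfaces ingestion/normalization breakage,
and (2) re-runs the rule against labelled known-positive and known-benign
samples so a regression in the rule itself is caught on every cycle.
"""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Event = Dict[str, str]


@dataclass
class Rule:
    name: str
    required_fields: List[str]           # normalized fields the logic reads
    predicate: Callable[[Event], bool]   # True when the rule fires on an event


@dataclass
class ValidationResult:
    rule: str
    # sample id -> required fields that were absent or empty (normalization gap)
    missing_fields: Dict[str, List[str]] = field(default_factory=dict)
    detected: List[str] = field(default_factory=list)         # expected positives that fired
    missed: List[str] = field(default_factory=list)           # expected positives that did not
    false_positives: List[str] = field(default_factory=list)  # benign samples that fired

    @property
    def healthy(self) -> bool:
        """Rule and telemetry both pass only when nothing was missed, nothing
        benign fired, and every sample carried the fields the rule needs."""
        return not (self.missing_fields or self.missed or self.false_positives)


def validate_rule(rule: Rule, samples: List[Event], expected_positive: Set[str]) -> ValidationResult:
    result = ValidationResult(rule=rule.name)
    for ev in samples:
        sample_id = ev["sample_id"]
        # Normalization check first: a rule cannot fire on fields that were never parsed,
        # so a gap here is reported as a telemetry problem rather than a missed detection.
        absent = [f for f in rule.required_fields if not ev.get(f)]
        if absent:
            result.missing_fields[sample_id] = absent
            continue
        fired = rule.predicate(ev)
        if sample_id in expected_positive:
            (result.detected if fired else result.missed).append(sample_id)
        elif fired:
            result.false_positives.append(sample_id)
    return result


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def office_spawns_shell(ev: Event) -> bool:
    """Hypothetical rule: a document-handling application launching a command
    interpreter. Field names follow the constructed normalized schema above."""
    parent = _basename(ev["parent_image"])
    child = _basename(ev["image"])
    return parent in {"winword.exe", "excel.exe"} and child in {"cmd.exe", "powershell.exe"}


# Constructed Sysmon-style process-creation samples (Sysmon Event ID 1), already
# mapped onto the normalized schema. "evt-3" deliberately lacks parent_image to
# simulate a parser regression that would silently blind the rule in production.
SAMPLES: List[Event] = [
    {"sample_id": "evt-1", "sysmon_event_id": "1", "host": "ws-01",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"sample_id": "evt-2", "sysmon_event_id": "1", "host": "ws-02",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"sample_id": "evt-3", "sysmon_event_id": "1", "host": "ws-03",
     "image": r"C:\Windows\System32\cmd.exe"},
]
EXPECTED_POSITIVE = {"evt-1", "evt-3"}

RULES = [Rule("office_spawns_shell", ["image", "parent_image"], office_spawns_shell)]


def run_validation() -> List[ValidationResult]:
    """One pass of the cycle over every rule; returns one result per rule."""
    return [validate_rule(r, SAMPLES, EXPECTED_POSITIVE) for r in RULES]


if __name__ == "__main__":
    for r in run_validation():
        status = "OK" if r.healthy else "NEEDS ATTENTION"
        print(f"{r.rule}: {status} detected={r.detected} missed={r.missed} "
              f"false_positives={r.false_positives} missing_fields={r.missing_fields}")
```

Because the normalization check runs before the predicate, the sample with the dropped `parent_image` field is reported as a telemetry gap rather than being counted as a missed detection; that distinction tells the team whether to fix the rule or the parser, which is the "added bonus" the abstract refers to. Scheduling `run_validation()` after every rule change and every log-pipeline change turns the one-off test into the ongoing cycle.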
Published 2 months ago, on 1403/05/16.