Our community is adopting SOAR to speed up SOC processes. This leads to demonstrable improvements in response time, but is that enough? Can we ever get faster than the adversary? Is there a way to shift the advantage to the defender?
The makeup of this panel attempts to span different perspectives of what it means to scale network defenses and different realities or limitations that affect scalability. The intent is to offer a well-balanced multi-faceted perspective on using more scalable approaches to gain an advantage over the adversary, or at least narrow the gap. There will be plenty of time for Q&A because that is where the real potential of this panel lies – the ability to bring the participants into the conversation which in turn brings out more perspectives…and hopefully inspires individuals to come up with solutions.
Everyone keeps focusing on speed (or the lack thereof) in cyber operations. There is a desire to automate as much as possible, share as much as possible, and detect/respond as fast as possible – but it is unclear whether this will have the impact or result that is desired. All of these need to be done, but how do you do them in a way that actually increases the effectiveness of operations (not just the efficiency)? How do you share threat intelligence that is consumable and usable by network defenders, in an automated manner? While current operations are overly reliant on human beings to make decisions, there is a reason and a need to keep humans involved in the operational OODA loop. How can we shift operational processes and activities such that there is time to involve humans as appropriate and still impact the adversary? There is a need to think about scale when addressing cyber security operations – and discussing what that means and how to achieve it is an important first step.
For example: there are millions of IOCs associated with known malware, hundreds of vulnerabilities exploited by that malware, but only 10-20 ways in which the adversary uses that malware to achieve its objectives. It seems that finding a way to share these techniques and procedures, develop detection mechanisms for them, and provide processes for investigating and mitigating instances of them would have far more impact on the adversary than blocking IOCs. But how do we share this type of information, and how do we make it actionable? What scales with respect to network defense and cyber security operations?
Key take-aways:
The intent of this panel is to inspire participants to think differently about threat intelligence, automation, and orchestration in the hopes of spawning new ideas and implementations that are more scalable for net defense.