top ten strategies of world-class socs

I find it crazy that I’ve not seen this before, but I got linked today over to the MITRE Ten Strategies of a World-Class Cybersecurity Operations Center free book (pdf). Holy crap this is awesome. The rather large first section talks about building a SOC and the various considerations that go into it. And then the top 10 strategies build on that foundation to further guide the growth of the SOC.

Every section has wonderful nuggets of truth like this one in strategy #5 (Favor staff quality over quantity):

Analysts must be free to analyze. It is indeed true that Tier 1 analysts have more structure in their daily routine for how they find and escalate potential intrusions. However, those in upper tiers must spend a lot of their time finding activities that just “don’t look right” and figuring out what they really are and what to do about them. Overburdening analysts with process and procedure will extinguish their ability to identify and evaluate the most damaging intrusions.

Honestly, this might be my second favorite technical book, up there with The Practice of System and Network Administration (Limoncelli).

2018 career goals review

I still have a few months left for 2018, but I feel like I’ve been pretty successful already with my goals on the year. This is really year 2 of me specifically tracking my career growth and learning. In 2017, I earned two offense/red team certifications, and this year I earned one defensive and one forensics certification, amongst other learning accomplishments. So, largely for my own benefit, here’s my summary on the year of the important stuff.

training and career goals for 2018

  • keep doors of learning open for both blue (defense) and red (offense) sides of the field – This isn’t a goal so much as a lifestyle statement, but I feel like I’m on track here. Even as I plan to alternate learning year over year, I’m keeping both sides in mind every year. I ultimately want to make sure my offense, defense, and forensics can all test and improve the others.
  • balance career growth opportunities along with actual learning – Going well on this! My enthusiasm has gone up quite a bit, and with the exception of the CCNA CyberOps cert, everything has been chosen for learning opportunities and not marketability. I think this pendulum will continue to swing permanently over towards learning as I get older and need certs and letters less.
  • balance of work-driven and self-led growth learning opportunities – Even without leaning on corporate support financially, I feel like I’m achieving this. Like other items, this is less an item to satisfy and more of a theme or lifestyle statement to keep at the top of my yearly goals. I also try to keep a balance of formal and informal learning tasks.

structured learning/training/events

  • Cisco CCNA Cyber Ops course/certification (2 exams: 210-250/210-255) – completed in March and lasts 3 years. Keeping this depends entirely on what Cisco wants to do with this line. Did I learn much from this? I actually did, but it was also all pretty basic to me and easy to approach, consume, and test on. I honestly would not have done this had it not been free. The biggest benefit is now knowing where this fits into my recommendations for other students and newbies, and it’s a pretty good cert for someone looking at an analyst/SOC role.
  • SANS FOR508 (May 11-16 San Diego) + NetWars – completed in May. Absolutely loved my time on site in the course and studying later for my first SANS/GIAC endeavor. I purposely aimed at something challenging that was going to put me into some deeper waters (memory analysis), and I couldn’t be happier for it. Participating in NetWars was amazing, and set up my only remaining engagement yet this year: SANS CDI.
  • GIAC GCFA certification exam passed – completed in September and lasts 4 years. I likely won’t need to sweat renewals for this for a while, as I have a backlog of SANS courses I want to take, and certs I’ll opt into testing for. Overall, loved this process, and having an exam as an excuse to study more really made the material sink in and click for me. This is also an example of me stepping a little bit outside my comfort zone, as I’ve never done forensics like this before. I have a deep Windows administration and security background, but much of these methods and materials was a new approach for me.
  • Maintain CISSP – Completed, of course.
  • Splunk .conf 2018 – Completed in October. Not only my first time at a Splunk event, but honestly, I think this is my first vendor-specific conference in my career. I really enjoyed this con, even if I didn’t actually learn a ton. But, I think I’ve learned how one should approach a con like this, i.e. come with questions to start a discussion with vendors and subject matter experts or fellow attendees as needed.
  • BSidesIowa, SecureIowa, SecDSM – Kept up with the annual cons and the monthly SecDSM meetings this year so far. A bit of a softball in terms of goals, but I find it is important to keep a line item for cons, local and remote, to stay current on.
  • SANS CDI Netwars ToC – Decided to opt into doing this as I may not get the chance again. Occurs in mid-December and I’m all set up to attend.

unstructured learning/self-study

  • Metasploit Unleashed Course (OffSec) – incomplete. I admit, this isn’t a big deal, and I’m just being stubborn at this point in keeping it on my TO-DO list. But it’s here, and some weekend I’ll just knock it away. (It’s not like this is updated and current anyway…)
  • finish LinuxAcademy RHCSA/LFCSA courses – All of the completed items stole time away from this and reduced its priority. Even if I still don’t get to this in 2018, it’s going to be a thing in 2019 for me as well.
  • SLAE-> CTP/OSCE (tentative, or just prep) – I knew it would be super aggressive and difficult to maintain sanity and also prep for this path, and I’m not surprised I have not even started it. It’s still on the list for possible late 2018 inclusion, or another lower priority in 2019.
  • HTB VIP Progress/Habit – Completed. I got back into HTB with a vengeance after realizing my offense skills were rusty during the SANS NetWars event this past spring. My goal was to hit 50% completion in HTB, shake off the attacker rust, and just build a small habit to keep with it. But, after getting going, I met some folks on the platform and got help when I needed it to achieve 50% completion by July, and 100% completion by August.
  • Burp Suite improvement/growth – Doing HTB got me good practice and experience with Burp, but I want to consider this only about 25% done, and something to continue working on.
  • Web Hacking 101 book – Haven’t started it yet.
  • Python (+scapy) improvement/growth – on hold, I still need to figure out how I want to tackle this
  • PowerShell improvement/refresher – on hold, I still need to figure out how I want to tackle this
  • CTF participation (as it fits in) – This was definitely the lowest priority of the year, so I feel even my minor work here completes it.
  • survive at work (work topics) – Completed!

improvement topics

  • incorporate Feedly, Pocket, Discord, Slack in day-to-day habits – I feel mostly completed on this one, with the very notable exception of the things piling up in Pocket.
  • expand OneNote use – Successful in moving from EverNote to OneNote.
  • work on better anonymity online/VPN service for personal use – I don’t feel I really started this.

my time at splunk .conf 18

A week ago I flew down to Orlando, Florida to attend Splunk .conf18. In thinking back on this, I have to say this is the very first vendor-specific conference I think I’ve ever attended in my 15 years in IT. Depending on who you ask, the con itself had 7500-9500 attendees in its largest event to date. That’s pretty impressive! I attended as many talks as I could, and I left pretty happy with the content I consumed. The talks and slides are all available online for consumption.

Day 0 – Sunday
My goals for this day were just to get to Orlando, settle into the hotel, and do some recon of the grounds and environment. On the plane, I listened to some Darknet Diaries; finally finding some time to do some podcasts! Took some time to hit the Boardwalk on the ground and already got sick of the heat and humidity.

Day 00 – Monday
Goal today was to get registered for the con! The line was super quick, even at 10:30am with the masses to get checked in, get a badge, pick up the backpack/water bottle freebie, and then pick up the freebie hoodie. Beyond that, this day was pretty casual until the evening.

First Timer Orientation talk – This was a nice intro to the con, even though the room was moved and I didn’t hear about it until a co-worker texted me. I guess I need to click update notices in the event app! (Come on, I’m in security, I don’t click accept/download buttons unless I have to.) Also, this was the only talk that I attended with a drink-in-hand speaker. (I’m not a huge drinker or want others to drink, but to me, this still sets a tone and statement for how partially or fully informal a venue may be. This is why I like smaller cons over larger vendor ones.)

Welcome Soiree – This was a neat way to get people to the vendor floor: an evening event with free food and alcohol stations throughout the vendor floor. Scoped out vendors, splunk experts, projects, and plenty of swag. And I will admit, I evaluate vendor booths on three things: 1) whether I know and like them as a product/company and want to say hi, 2) whether I want some of their swag or not (either for me or to give away to others), and 3) whether I want to buy them (and I’m not a purchasing approver, so that’s pretty much no one). I had fun down here, though someone kept turning on music every now and then and it was ridiculously loud.

Day 1 – Tuesday
Visionary and Roadmap Keynote + Breakfast – For the morning keynotes, buses took us to ESPN Arena where we picked up breakfast bags before taking seats. After the talk, I don’t think the bus crews were ready for the flood of people, and organization broke down pretty hard on one side of the venue, but we all got back in decent time (albeit later than intended due to the overlong keynote).

Security Super Session: Splunk Security Vision and Roadmap – A strong, high-level look at Splunk and using it for security operations. Not much to say on this one. The diagrams are wonderful (and would be used in several talks I’d see over the course of the con) for designing your security operations around.

Find and Seek – Real-time Asset Discovery and Identity Attribution Using Splunk – I didn’t actually see this talk. Tuesday was the one day where I was all over the grounds for various talks, and required buses to get me places in time, and the buses were still a little chaotic. I was on time getting to this talk, but about 15 minutes after the start time, we were all still waiting outside the room. Thankfully, it was right next to a sandwich distribution station, so I just left with my lunch to eat elsewhere. I’ll have to catch this recording later.

Let’s Get Hands-On with Splunk Enterprise Security, Splunk Phantom, and Real Boss of the SOC Data – This was the one “laptop required” talk I attended, and honestly one could have been just fine sitting back and watching along. This session had several hundred people in it, and as such you have to expect them to move on and not wait for anyone, and move on they did! Thankfully, this is the introduction talk for a broader and slower workshop for security people to get from Splunk throughout 2019. As it was, I really enjoyed getting hands-on a bit with some practice data for finding attacks. The data itself was used in the BOTS competition the previous evening. While I’m new with Splunk, it’s these hands-on demos and doing actual things with the data that get me excited, rather than high-level, perfect-situation statements.

Threat Hunting and Anomaly Detection with Splunk UBA – I really liked this talk and speaker. While nothing about Splunk and anomalies and hunting was new to me, I really loved the best/worst practices examples. That’s the sort of detailed, technical stuff that I eat up, rather than non-filling high-level statements.

Pub Crawl – Similar to the soiree from the previous night, only with craft beer stations and less food overall. Other than the alcohol and snacks, I didn’t really need a second round through the vendor hall.

House of Blues – We also got invites to a party at the House of Blues. The music was just passable, but it was an excellent buffet, and I got a chance to sample the infamous Voodoo Shrimp (which was basically forgettable, to me). The best part was just getting another evening without a food bill!

Day 2 – Wednesday
Product and Technology Keynote – I’m not a huge breakfast person, and I found out you can watch the keynotes online, so I didn’t even bother heading out to see this one live. I opted to stay near the hotels and not fight lines for a latte.

Hacking Your SOEL: SOC Automation and Orchestration – I love technical talks, less so high level ones. But if there is one talk that I’d recommend that is high level about SOEL, and SOAR, and SOC automation, I’d point people to this one. The speaker just plain made sense of all of this. Sure, it was high level, but also detailed enough to formulate a roadmap for the future on the topic. One of the more solid talks I attended.

Attack Surface Reduction: Using Splunk to Spot the Security Flaws in your Network – The description for this was probably reflective of a longer talk that got cut down. This talk ended up being basically a firewall review 101 session, but using Splunk to view your logs for activity on firewall rules under review. I did learn just one thing from this: monitor for sessions that hang, i.e. no endpoint listens on the target port anymore. I probably would have done that, but I think it’s important to keep that situation in mind. The rest was really pretty newbie material.
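The log-driven firewall rule review from that talk, as an added example that is not from the talk or this post: a small Python pass over constructed firewall log lines (the key=value format, field names and rule ids are all assumptions) that groups sessions by rule, flags rules with no hits in the review window, and flags rules where every session hung with no reply, the symptom of nothing listening on the target port anymore.

```python
from collections import defaultdict

# Constructed sample firewall log lines (format and field names are assumptions,
# not any vendor's real schema): one session per line, bytes_in = bytes the
# destination sent back to the client.
SAMPLE_LOGS = """\
ts=2018-10-08T09:00:01 rule=ALLOW-WEB-10 src=10.1.1.5 dst=10.2.2.10 dport=443 bytes_in=5120 bytes_out=640
ts=2018-10-08T09:00:07 rule=ALLOW-WEB-10 src=10.1.1.6 dst=10.2.2.10 dport=443 bytes_in=8192 bytes_out=900
ts=2018-10-08T09:01:15 rule=ALLOW-DB-22 src=10.1.1.5 dst=10.2.2.50 dport=1433 bytes_in=0 bytes_out=60
ts=2018-10-08T09:02:30 rule=ALLOW-DB-22 src=10.1.1.9 dst=10.2.2.50 dport=1433 bytes_in=0 bytes_out=60
ts=2018-10-08T09:03:44 rule=ALLOW-DB-22 src=10.1.1.5 dst=10.2.2.50 dport=1433 bytes_in=0 bytes_out=60
ts=2018-10-08T09:05:00 rule=ALLOW-SSH-31 src=10.1.1.7 dst=10.2.2.20 dport=22 bytes_in=0 bytes_out=60
ts=2018-10-08T09:05:09 rule=ALLOW-SSH-31 src=10.1.1.7 dst=10.2.2.20 dport=22 bytes_in=3100 bytes_out=400
"""

# Rules under review, taken from the (constructed) firewall policy, so that a
# rule with zero log hits still shows up in the report.
RULES_UNDER_REVIEW = ["ALLOW-WEB-10", "ALLOW-DB-22", "ALLOW-SSH-31", "ALLOW-FTP-40"]


def parse_line(line):
    """Turn one key=value log line into a dict; numeric fields become ints."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    for key in ("dport", "bytes_in", "bytes_out"):
        fields[key] = int(fields[key])
    return fields


def review_rules(log_text, rules):
    """Return {rule: {"hits": n, "hung": n, "verdict": str}} for every rule."""
    stats = defaultdict(lambda: {"hits": 0, "hung": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["rule"]]
        s["hits"] += 1
        # A "hung" session: the client sent data but the target never replied,
        # which is what you see when no endpoint listens on the port anymore.
        if rec["bytes_in"] == 0:
            s["hung"] += 1
    report = {}
    for rule in rules:
        s = stats.get(rule, {"hits": 0, "hung": 0})
        if s["hits"] == 0:
            verdict = "unused: no traffic in window, candidate for removal"
        elif s["hung"] == s["hits"]:
            verdict = "dead endpoint: every session hung, check the target"
        elif s["hung"]:
            verdict = "partially hung: some sessions got no reply"
        else:
            verdict = "active"
        report[rule] = {**s, "verdict": verdict}
    return report


if __name__ == "__main__":
    for rule, r in review_rules(SAMPLE_LOGS, RULES_UNDER_REVIEW).items():
        print(f"{rule:14} hits={r['hits']:2} hung={r['hung']:2}  {r['verdict']}")
```

In Splunk the same grouping is a `stats count, sum(eval(bytes_in==0)) by rule` over the firewall index; the Python version just makes the three verdicts explicit.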

Which brings me to one of my main challenges: finding the right level of talk for the topic. For instance, I’m a newbie with Splunk, but security concepts I’m very deep with, both defense and offense. I would love to have known this talk would be at a newer level of security, as I would have avoided it. This would apply to some of the threat hunting and SOC automation talks, which sometimes felt like they were just saying the same high level things over and over without a ton of deeper substance (i.e. for people less senior than I). This might not be a con issue, as it might just be my inaccuracy with using the con properly, i.e. fewer talks, more 1-on-1 and breakout discussions.

Cops and Robbers: Simulating the Adversary to Test your Splunk Security Analytics – Came into this very interested, but also skeptical on why the heck I’d want to spend time automating attacks like I’m some QA team. But this talk made a great case for why you do this, and how you approach it, particularly with Phantom and some other tools. Looks very cool for use on an internal testing team that evaluates not only internal response and controls, but also can test security products and even do some training exercises with your Splunk teams.

WMI – The Hacker’s Chocolate to their Powershell Peanut Butter – Probably the deepest technical talk I saw at the con, dealing with attackers using WMI, WinRM, and Powershell in modern attacks, often going fileless, and how you could use Splunk and general logging to hunt these compromises down. I really enjoyed it, and it was a great reflection on the Splunk security research arm.

Monitoring and Mitigating Insider Threat Risk with Splunk Enterprise and Splunk UBA – As a Splunk newbie, I wanted a mix of talks on some of their products and how I can wrap my security team around them and my own priorities and goals. This was a good talk about implementing insider threat detection using Splunk UBA. I’ll likely revisit this again as we start our own projects on this in the coming quarters.

Search Party! At Universal Islands of Adventure – Such an absolutely fun time having the park to ourselves to avoid lines and endless children in order to ride Hogwarts Express, Harry Potter’s Forbidden Journey, and the Jurassic Park river ride. The Express was super fun, and Forbidden Journey ride absolutely awesome, and the Jurassic Park ride a fun mess that stopped 3 times and ended up taking about 30 minutes to get through. The walk around the park was fun, though the back half through Marvel and the Comic Book zones were plenty unexciting compared to the other areas. Really wish we had more than 2-3 hours, but fun and free nonetheless!

Day 3 – Thursday
Guest Keynote: Steve Wozniak – I don’t really have a huge desire to listen to Woz; smart dude with lots of money and the ability to opine about technology. Fine. To make sure people made it to this talk, it was not broadcast like the other keynotes, so I just opted to skip.

Overall, the food stations and snacks were far skimpier on this day. I still never had to visit the main food tents, but I definitely had to look for food myself otherwise.

“MAKE IT RAIN!” How to Save Money Monitoring, Managing, and Securing Your Cloud Using the Splunk App for AWS – By now, I know that I should expect high-level statements when I see CEO, CTO, or other high-level manager titles in the speaker list for a talk. And then a talk like this comes around to prove me wrong. (I’ve honed my stance on this to apply only to Splunk as a company itself when its higher-level managers speak.) This talk was an actionable demonstration of tying some important AWS logs into Splunk and showing how that is valuable for operations and even security. A slightly short talk, but really nice to sit through as someone new to Splunk, new to AWS, and subsequently new to doing them at one time.

From Threat Modeling to Automated Response – Identifying the Adversary and Dynamically Moving to Incident Response – Yet another talk about threat hunting and TTPs and adversary profiling. A good talk, but I don’t think it included anything that I didn’t already know.

If there’s anything in my year that will define it, it’ll be the prevalence of Kill Chains, Threat Profiling, and Threat Hunting. I can’t escape the same ol’ statements about them. I had it throughout the Cisco CCNA Cyber Ops course, the SANS FOR508 course, multiple talks at Splunk .conf, and beyond. I’ve long had a post waiting about how and why threat hunting is such a deal these days (it comes down to getting internal value and blending offense into the internal blue teams, plus trying to make sense of the new breeds of security tools that don’t just alarm on bad, but require human decision-making to piece together multiple things…).

Blueprints for Actionable Alerts – This apparently is a version of a talk done for several years, and it kinda feels like it. For some strange reason, I didn’t get much out of this, though on the surface I should have. It’s really a discussion in figuring out how to tackle an environment with 4000 alerts in a day, and reducing that piece by piece to be manageable and useful. I think everyone sort of does this their own way, which all sort of dance around the same gameplan.

Splunk P30X: Become a Lean, Mean, Splunkin’ Machine in 30 Days – Probably the best and most useful talk I attended at the con. The point is to have an actionable, lunch-hour plan to tackle and do various Splunk activities to culminate in being able to pass the Fundamentals exam at the end. I loved the actionable approach to this, as well as the follow-up activities the authors are releasing to support it that I can directly consume. Not only the 30-day plan, but also additional materials for newbies. Wonderful talk!

Day 4 – Friday
Nothing much exciting here, just a full day of getting back home.

Overall Thoughts
I loved the overall experience and benefits of going; it was fun, I got to visit a fun park, and so on. This could double as a family vacation if you bring the family along. Next year, the con is in Vegas, and I’ll admit that has less appeal to me as a venue/area.

If I go again, and have others with me, I’ll lobby somewhat hard to get signed up for one of the competitions they hold, either Boss of the NOC or Boss of the SOC, where teams pore over and parse out data to answer questions about operations or security incidents, respectively.