WSC Blog
Why Didn't We Catch It?

Posted By Tammy Torbert, Saturday, August 22, 2015

If you've spent any time working in a Security Operations Center (SOC), whether as an analyst, engineer, or incident responder, there is nothing worse than being asked by your manager, "Why didn't we catch it?" The "it" is some incident or badness that occurred in the environment you are supposed to be monitoring or protecting.

Imagine a situation where a denial of service event occurred, but it was detected by the customer realizing that their site was not responding as expected. For security teams, having the customer tell you there is an incident typically means the SOC missed something it should have seen. I was brought in to take a look at the Security Information and Event Management (SIEM) tool and see what was available leading up to the event. Ultimately, I didn't find much to indicate a denial of service; that doesn't mean there was nothing there, it just means I didn't see anything obvious. Next up, I started working with the networking and security engineers. I needed to understand how traffic flowed, what devices would have inspected the traffic, and what could possibly tell me something happened. This is where understanding networking, and how routers, switches, firewalls and IDS tools work, pays off. I realized that there were a few devices that had security controls on them, whether it was the intrusion detection sensor, the router, or the firewall. I then had to work with the team to decipher the configurations, make sure that traffic was flowing to security tools that could have caught the attack, make sure that the right policies were in place to detect the attack, and make sure that logging levels were appropriate.
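The two questions in that review, "was there anything obvious in the data?" and "did every device in the path actually send us anything?", can both be asked of the logs directly. The following is an added example, not code from the original post or from any SIEM product. It works over constructed connection log lines in a made-up format (`<timestamp> <device> <src> -> <dst>:<port>`) from hypothetical devices named `edge-router`, `edge-fw` and `ids-sensor`, flags a per-minute connection spike against a simple median baseline, and reports any expected log source that contributed no events at all, which is the visibility gap the post describes.

```python
"""Added example: a minimal "why didn't we catch it" check over connection logs.

1. find_spikes()     - per destination and per minute, flag a connection count
                       that is far above that destination's other minutes.
2. visibility_gaps() - list expected log sources that never sent an event,
                       i.e. devices whose logs could not have caught anything.

Log format, device names, addresses and thresholds are all constructed
for this example and are not the post's own data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Hypothetical log sources we expect to see for traffic crossing the edge.
EXPECTED_SOURCES = {"edge-router", "edge-fw", "ids-sensor"}


def build_sample_logs():
    """Construct sample logs: three minutes of background traffic, plus a burst
    of 60 connections from 60 different sources in the third minute.
    The IDS sensor is deliberately absent, to show the visibility check."""
    base = datetime(2015, 8, 20, 10, 0, 0)
    lines = []
    for m in range(3):
        for i in range(2):  # two firewall connection events per minute
            t = base + timedelta(minutes=m, seconds=10 * i)
            lines.append(f"{t:%Y-%m-%dT%H:%M:%S} edge-fw 198.51.100.{10 + i} -> 203.0.113.5:443")
        t = base + timedelta(minutes=m, seconds=30)  # one router event per minute
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} edge-router 198.51.100.10 -> 203.0.113.5:443")
    for i in range(60):  # the burst: one new source per second during minute 2
        t = base + timedelta(minutes=2, seconds=i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} edge-fw 192.0.2.{i + 1} -> 203.0.113.5:443")
    return lines


def parse_line(line):
    """Parse '<ts> <device> <src> -> <dst>:<port>' into a dict."""
    ts_s, device, src, _, dst = line.split()
    dst_ip, _, dst_port = dst.rpartition(":")
    return {
        "ts": datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%S"),
        "device": device,
        "src": src,
        "dst": dst_ip,
        "port": int(dst_port),
    }


def find_spikes(events, factor=5.0, min_conns=20):
    """Return one record per (dst, minute) whose connection count is at least
    `min_conns` and more than `factor` times the median of that destination's
    other minutes.  The median is a deliberately simple stand-in for the
    baseline a real SIEM would maintain."""
    per_dst = defaultdict(lambda: defaultdict(list))  # dst -> minute -> [src, ...]
    for e in events:
        per_dst[e["dst"]][e["ts"].replace(second=0)].append(e["src"])
    spikes = []
    for dst, minutes in per_dst.items():
        for minute, srcs in minutes.items():
            others = [len(s) for m, s in minutes.items() if m != minute]
            baseline = median(others) if others else 0
            if len(srcs) >= min_conns and len(srcs) > factor * baseline:
                spikes.append({
                    "dst": dst, "minute": minute, "connections": len(srcs),
                    "distinct_sources": len(set(srcs)), "baseline": baseline,
                })
    return sorted(spikes, key=lambda s: s["minute"])


def visibility_gaps(events, expected=EXPECTED_SOURCES):
    """Expected log sources that contributed nothing at all in the window.
    A device that sat in the path but never logged is a detection gap by itself."""
    seen = {e["device"] for e in events}
    return sorted(expected - seen)


def analyze(lines):
    events = [parse_line(line) for line in lines]
    return {"spikes": find_spikes(events), "missing_sources": visibility_gaps(events)}


if __name__ == "__main__":
    report = analyze(build_sample_logs())
    for s in report["spikes"]:
        print(f"spike to {s['dst']} at {s['minute']:%H:%M}: {s['connections']} connections "
              f"from {s['distinct_sources']} sources (baseline {s['baseline']}/min)")
    print("expected log sources with no events:", report["missing_sources"] or "none")
```

On the constructed data the burst minute stands out against a baseline of three connections per minute, and the report also shows that `ids-sensor` never logged anything, which is the kind of finding that turns "we didn't see it" into a concrete logging or policy fix. The thresholds are illustrative; in a real SIEM they would be tuned against the destination's normal traffic.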

Ultimately, if you plan to work on the defensive/detection side of security, it's vital to have a broad knowledge set. My knowledge of networking and a variety of security tools gives me instant credibility in the room. The best security people for defense/detect are those who understand not only how things work, but also how things should work together. You don't have to be able to configure the router, but understanding how it will handle traffic will be helpful. Defense/detect roles are challenging because of the wide breadth of knowledge you'll need, but they are also a great starting point for security specializations like reverse engineering, forensics, or security engineering.

Tags: analysis, SOC
