Presentations and Recordings of Find Yourself in the Future
Find Yourself in the Future Program presents
A Day in the Life of a Cybersecurity Professional

Presenters:
  Kiran S Narayan, SOC Manager
  Harshitha HH, SOC Analyst
  Jun Hui Ng, SOC Analyst
  Vinay Prabhakar, SOC Engineer
  Joshua McCloud, National Cybersecurity Officer

A Day in the Life... Cisco SOC
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Landscape
  Users: 138,771
  Vendor orgs: 2690
  Admin accounts: 4474
  Service accounts: 13,096

What We Protect
  Countries: 102
  Cities: 343
  Offices: 600
  Data centers: 13

  Acquisitions: 8 (avg/yr)
  Extranet partners: 318
  CSP: 296
  Business groups: 13,899

  Infra devices: 194,875
  Endpoints: 127,454
  Mobiles: 73,162
  Labs: 2370
  (Two further figures on the slide, 43,672 and 83,782, have no recoverable label.)

Security Operations Center (SOC)
Mission: reduce the risk of business loss as a result of cybersecurity incidents.
Functions:
  - Proactive Threat Assessment
  - Security Architecture
  - Mitigation Planning
  - Incident Trending with Analysis
  - Incident Detection and Response
Operating cycle: Prevent, Monitor, Investigate, Respond

CSIRT SOC Structure
  Research: Analysis (51), Investigations (15), Threat Intel (5)
    Inputs: endpoint logs, network logs, infra logs, application logs
    Supporting functions: user/device attribution, case operations, collaboration tools, intel tools and feeds
  Engineering Operations + Development (30)

Security Technology Stack
Environments covered: Corporate, Home, Cloud, XNET, CSP
Components, grouped as they appear on the slide:
  Endpoint: AMP, SCCM, Casper, osquery, ThreatGrid, OS, hardware, endpoint logging, Autorun & Sysmon
  Network: NGIPS, ESA, WSA, NetFlow, DNS / pDNS, DLP
  Infrastructure services & application: web servers, Windows servers, Linux servers, storage, local app
  User: ISE, identity
  Cross-cutting: CRiTS & TIP, event correlation

Cybersecurity Analyst – Harshitha
My Journey
  - Cybersecurity course in university
  - A lot of self study
  - Internship with Cisco
My Role: phishing investigation of an email with subject "Worthy of Trade – Part 2!"
  Incident source: email notification
  Investigation: external check, GIR, Splunk analysis
  Issue recording
  Conclusion: spam email could be an initial source for an APT attack and requires remediation.
  Response: blackhole email removal
  (Detect, Respond)

My Journey – Jun Hui
My journey into CSIRT
  - Unsure what I wanted to do
  - Cybersecurity internship
  - Certifications
Ideal background / traits / skills
  - IT familiarity (networking, OS, etc.)
  - Coding familiarity
  - Cybersecurity familiarity

CSIRT Cisco Career Path
  Experience      Analyst Track     Investigator Track
  0 to 4 years    Analyst I         --
  4 to 6 years    Analyst II        --
  6 to 8 years    Senior Analyst    Investigator I
  9 to 10 years   Technical Lead    Investigator II
  10+ years       Architect         Senior Investigator
Grades: Analyst I (Grade 4), Analyst II (Grade 6), Senior Analyst (Grade 8 & 9), Tech Lead (Grade 10); Investigator I (Grade 9), Investigator II (Grade 10), Senior Investigator (Grade 11)

Q&A