Tales from the Black Hat NOC: The Stages of Security Adolescence (Part 1)

Aug 10, 2016 | by Scott Carter

Maturity is often spoken of in the security community as a binary value - "Customer X is mature," "Customer Y is immature..." This notion was not dispelled at Black Hat where one vendor after another claimed, "Evolve your security. Buy our product and stop breaches today!"

But we know that maturity is not binary, and neither is a good security strategy. Just like adolescent teens, there is a maturation process that all organizations must go through before they can move past the squeaky voices and body odor. And even when we think we are past it, a few more troublesome moments will pop up without warning, anyways.

As with teenagers, the Black Hat NOC went through a maturation process - but in our case, we had just a single week to evolve. The Black Hat network provided a unique opportunity and challenge for the RSA NetWitness team. Essentially, it forced us into the role of an "immature" NOC. It compounded the same problem that our customers face on a daily basis - and provided us with just a single week to try and solve it. How do you secure a rapidly changing environment that you don't understand?

Follow along as we reveal a few of our pimples and the actions we took in an effort to grow up.

Stages of Security Adolescence

Physical Development (Day 1 - 2)

*By mid-adolescence, if not sooner, most youngsters' physiological growth is complete. And they are ready to have babies. Security babies? Anyway, we were right on track, physical growth and network setup complete for Black Hat.

  • Racked and stacked equipment
  • RSA Netwitness configured
    • Software updates, security configurations, tap configurations etc
  • Network collection started

Intellectual Development (Day 3-4)

  • Monitored classes
    • Concept of network layout - we could investigate or report on a per classroom basis
    • Very little incite into assets

*"Most enter adolescence perceiving the world around them in concrete terms: Things are either right or wrong." Sound familiar? The lack of business driven security (maturity) was highlighted beyond belief in a network where malware downloads were considered the norm. What is a security analyst to do when identifying malware doesn't improve organizational security?!

Incidents in a typical network - Distractions on the Black Hat network.

We easily could have played the proverbial whack-a-mole into eternity as we chased down cryptolocker, angler exploit kits, web scans, and ICMP tunneling, just to name a few. And this is what we did at first... as adolescent analysts, how could we not chase that squirrel?

RSA Netwitness Alert Sample from Black Hat - Scantastic?

Black Hat Analyst #1, Sean Ennis, reacting to the stream of alerts

And therein laid the challenge (or - opportunity?) - in a single week, we needed to complete a professional services install, understand, tune, and monitor a brand new network, provide summary reporting and analysis, and tear down. Considering that Black Hat 2016 was the first Black Hat NOC that many of us had participated in, there was much to learn. Could we take the problem our customers have struggled with for years, a lack of context and business understanding, and "grow up" in a single, chaotic week?

They tell me our readers are as distracted as we were - meaning this post will remain "to be continued..." for now. But don't fret, tune back, and we'll continue the discussion on the Black Hat NOC's growth towards security maturity, soon.

Sincerely,
Your RSA Black Hat NOC Volunteers

Author: Scott Carter

Category: RSA Fundamentals

Keywords: Bizurity, Black Hat, Black Hat 2016, Black Hat NOC, RSA Advanced SOC Solution, RSA Netwitness, RSA Security Analytics, Security Context, Threat Detection