Security Operation Centers (SOCs) are the front line for incident detection, response, and escalation for organizations. Few security teams evaluate their SOC's tools, techniques and procedures (TTPs) are working to their expected SOC response - even fewer on live networks with their CISO's approval.
This HOWTO talk for security teams will cover a crawl/walk/run approach to build and execute live fire incidents to target your SOC's TTP abilities to detect, respond, and escalate. Techniques, lessons learned, and WAR stories will be discussed to how to select your exercises, determine expected outcomes, methods to measure results, coordinate for CISO sign off, and how to report lessons learned to improve your SOC's TTP response.
@DevSecOpsGeer Brian is the lead Information Security Engineer in the CyberDefense Branch at the United States Customs and Immigration Services (USCIS). He leads, engineers, and architects several of USCIS’s security efforts and represents USCIS as a hands-on SME in several working groups within DHS and Federal government on DevSecOps, Application Security, Cloud Migration & Security, Container Security, and CyberDefense operations best practices. Prior to USCIS, Brian brings his prior 17+ years of professional experiences in information security, risk management, IT Operations, system development & administration, & DFIR from the Department of Defense, healthcare, commercial, and academic sectors. He was a prior DoD SME representative in U.S. cybersecurity workforce development programs and operationalized machine-speed cyber threat information sharing between the five U.S. National Cyber Centers. He remains passionate about cybersecurity workforce development and information security education with non-profits and security researchers.