Getting SecOps Foundations Right with Techniques, Tactics, and Procedures Zero (TTP0)

TTP0 is a new community project created by SecOps (Security Operations) practitioners for SecOps practitioners. Just like a blueprint is required to design, build and operate any facility, TTP0 provides the starting point for building or assessing a security program from the ground up. It focuses on resetting the basics of a security program to ensure a solid foundation. SecOps requires a vision, strategy, and tactical abilities to guide the team and thought leadership to demonstrate effectiveness. Is this guidance a governance or regulation requirement, risks evaluation or leader preference? In this talk, Rob Gresham and Ismael Valenzuela will discuss how TTP0 provides the foundation from mission, vision and strategy to aid you in determining which technique is best for the organization, while focusing on individual tactical capabilities along with the procedures that synchronize operations with the business. Using a modular, Lego-based approach,  we will prove how TTP0 can provide the necessary building blocks to design, build and operate from a 2 man SOC team to a 1,000 person SOC entity!

Slides:


Disrupting the Disruptors: How to Threat Hunt Like a Pro

Read my article on how to threat hunt like a pro on Recorded Future’s blog:

https://www.recordedfuture.com/cyber-threat-hunting/

Here’s an excerpt of this article:

As the saying goes, the best defense is a good offense. When it comes to cybersecurity, that means shifting from merely responding to intrusions and attacks to actively searching out threats and destroying them. Having the capacity and know-how to make this stance shift is a key element of a mature information security operations center (SOC), says Ismael Valenzuela, who recently gave a presentation on threat hunting at RFUN 2017.

Valenzuela has worked in cybersecurity for decades and has been a member of the Foundstone team at McAfee for six years, performing incident response in the United States, Europe, and the Middle East. He is also a SANS-certified instructor who has taught classes on continuous monitoring, forensics, and security operations for the past seven years.

During his presentation, Valenzuela talked extensively about the difference between incident response and threat hunting, focusing on the qualities that a SOC needs to effectively hunt threats and some of the challenges they face, as well as what he called the three big “knows” that every SOC should focus on: knowing your enemy, knowing your network, and knowing your tools. He concluded his talk with a look at how automation, artificial intelligence, and machine learning are impacting the field, arguing that they are ultimately just new tools that can supplement, but never replace, a team of experienced humans.