2024-10-22 –, Europe - Main Room
An MSSP SOC presents how after a complete change of team and processes - a CTI program was restarted from (nearly) scratch, thanks to an EU-supported project. The SOC Technical Product Manager/CTI project manager will share how plans don't always come to fruition, issues faced with starting a CTI process. By sharing lessons learnt and plans for improvement - we propose some basic but wholistic steps to start a CTI program.
After COVID, and with an almost completely new SOC team – some processes got left behind, some tools forgotten. What happens when your SOC completely falls outside of the CTI process? Where should you start when your CTI process doesn’t even exist? While CTI is understood to be expensive even for internal SOCs - as an MSSP SOC - we need to fund something that we cannot sell to customers. NRD CS was awarded a grant to build out their cyber threat intelligence maturity, but how does that actually work?
After a few months with a fancy new title, but still performing your old duties - you're finally handing off all your clients to your replacement, and are getting ready to jump into your new role. And then, here comes your CEO and SOC manager with news that they've just secured a public grant for a CTI program, and they want you to lead it. Part-time.
This talk explores managing every aspect of starting a CTI program from (nearly) scratch, where a completely new SOC team takes over old processes and tools. Where do you start when your CTI program doesn't even exist?
Our CTI development has already gone from being a CTI consumer with no practical application for the CTI, to a CTI consumer AND producer with standardized production, in addition to being a sharing community administrator. We will also present plans on increasing automation, quality of output, and more.
We'll present various challenged faced in kick-starting a CTI program, from what do when your MISP is full of false-positives, how to motivate analysts to contribute to the program, how to build a 'team' when you don't have dedicated staff. We also explore technical issues faced, from connecting separate SIEMs into a central location, impact of infrastructure changes to development work, just how hard hiring dedicated CTI specialists can be, JIRA automation pricing changes completely ruining our initial plans, and more.
In the end, we propose a basic plan comprised of a few simple steps and procedures that nearly anyone can implement to get a basic CTI program going.
Lukas V. Dagilis is a professionally trained artist, turned Cyber Security expert. At NRD Cyber Security, he works as a Technical Product Manager at the CyberSOC department - the largest MSSP in Lithuania. His job functions include continuous process improvement, data engineering and analysis, JIRA owner, EU-funded CTI project manager, CTI program lead, and more.