Is Your SOC Flying Blind?, (Sun, Jun 3rd)

After you have finished impressing your VIPs, what actionable information should be displayed in your SOC to help them respond to threats in your environment?

Consider spending time this week ensuring your SOC wall is populated with meaningful screens that add value to your SOC by asking these questions.

  • Which security controls are not sending data to your SOC?
  • Would your SOC know when your most critical systems stopped sending their logs?
  • What is the baseline of traffic volume in and out of your sensitive network zones?
  • What is the health status of your security agents?
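One way to answer the first two questions on the wall automatically, as an added Python example that is not part of the ISC diary: each critical source gets its own expected check-in interval, and the check reports sources that have gone quiet well past it and sources that have never fed the SOC at all (source names, intervals and timestamps are constructed).

```python
from datetime import datetime, timedelta, timezone

# Constructed: the check-in interval each critical log source is expected to keep.
EXPECTED_INTERVAL = {
    "dc01-winlog": timedelta(minutes=5),
    "fw-edge-01": timedelta(minutes=1),
    "vpn-gw": timedelta(minutes=5),
    "edr-console": timedelta(minutes=15),
}

# Constructed: the "last event received" view a SIEM log-health index might hold.
# Note that vpn-gw is expected but has never sent anything.
NOW = datetime(2016, 6, 3, 12, 0, tzinfo=timezone.utc)
LAST_SEEN = {
    "dc01-winlog": NOW - timedelta(minutes=4),
    "fw-edge-01": NOW - timedelta(minutes=7),
    "edr-console": NOW - timedelta(hours=2),
}


def log_source_health(expected, last_seen, now, grace=3):
    """Return (healthy, silent, never_seen) for the expected sources.

    A source is 'silent' once it has been quiet for more than `grace` times its
    own expected interval; the multiplier absorbs normal jitter without hiding a
    real outage.  A source that is expected but absent from `last_seen` is
    'never_seen': a control that is not feeding the SOC at all.
    """
    healthy, silent, never_seen = [], {}, []
    for source, interval in expected.items():
        if source not in last_seen:
            never_seen.append(source)
            continue
        quiet_for = now - last_seen[source]
        if quiet_for > grace * interval:
            silent[source] = int(quiet_for.total_seconds() // 60)  # minutes quiet
        else:
            healthy.append(source)
    return sorted(healthy), silent, sorted(never_seen)


if __name__ == "__main__":
    healthy, silent, never_seen = log_source_health(EXPECTED_INTERVAL, LAST_SEEN, NOW)
    print("healthy:   ", healthy)
    print("silent:    ", silent)      # minutes since last event, per source
    print("never seen:", never_seen)
```

Run periodically against the real last-seen table, the silent and never-seen lists are exactly what belongs on the wall, while the healthy list stays off it.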

Share what you find valuable on your SOC wall!

(Via SANS Internet Storm Center, InfoCON: green)

Typical mistakes of SOCs: forgetting the audience, not accommodating multiple audiences, and not providing content tailored to each audience. Metrics, analytics, dashboards, and reporting are every bit as important as any other SOC function.

Ad hoc operations in the SOC can lead to pain | Me on IDG.TV

At CircleCityCon, CSO’s Steve Ragan chats with Paul Jorgensen, host of the PVC Security Podcast, about ad hoc processes within many security operations centers (SOCs) and how organizations can prevent these types of mistakes.

Source: Ad hoc operations in the SOC can lead to pain | IDG.TV

I relished talking with Steve Ragan at CircleCityCon in Indianapolis last weekend (Saturday 11 June 2016). He recorded us in a bite-sized elevator-pitch of a summary of a key point or two of my talk, “Top 10 Mistakes in Security Operations Centers, Incident Handling, and Incident Response”.

Yes, our first take failed. We were joined then by Chris Maddalena, my co-host from the PVC Security podcast. Chris couldn’t be bothered to join us for the redo, probably because he was busy winning the whole conference or something.

Not only was I moments away from my talk as Steve mentioned in the open; I left straight from my session to the airport en route to Tokyo for work. You can’t see my luggage lurking behind me in the video.

Many thanks to Steve for having me on. It was fun, deja vu included.

p.s. – I think the rhyme in the title could have been exploited more #justsayin


Presentation: Top 10 Mistakes in SOC, IH & IR from @CircleCityCon

Here is the PDF with speaker’s notes of my CircleCityCon 2016 talk: Top_10_SOC_CCC2016

The video of my talk is here.

I thoroughly enjoyed speaking at the conference. Thank you to the audience, who were fantastic. I would be remiss if I did not also thank the CCC organizers for bestowing the honor of speaking upon me.


IBM Watson Summit 2016 Japan Talk: Building a Next Generation SOC on Hybrid Cloud

The event organizers honored me with an invitation to speak at the IBM Watson Summit 2016 here in Tokyo. My talk, Building a Next Generation SOC on Hybrid Cloud, was (I think) well received.

The talk covered many items: why we build these things called SOC; what is the next generation of SOC; how can we move toward it; how can we leverage a hybrid model and cloud tools to enable the transition. I can’t share the deck. The presentation was not recorded, though cameras captured me in action quite often. Glad I was looking sharp!

It’s been a while since I presented with simultaneous translation into another language. The translators were great. By all accounts they captured not only my words but a bit of my passion and energy.

I’m not sure how my audience received the message. Crowds didn’t up and leave. No one fell asleep, something of a victory for a 4PM talk on day 3. About 130 of an expected 200 showed up. All in all, I think it went well.

I wish there was a question and answer session or a time for Sato-san and me to answer questions one-on-one.

I want to thank my colleague, Sato Takuya, for introducing me and closing out the session. I wish I knew the names of the translators so I could thank them by name as well.

p.s. – If you are an event organizer and you chose lanyard-attached name tags, please print the information on both sides of the insert card!


Me @ CircleCityCon, Talkin’ SOC

Dear Friends,

I’m honored to present at CircleCityCon 2016 on Saturday at 16:00 on “Top 10 Mistakes in Security Operations Centers, Incident Handling & Response” and how to avoid them (

I’m excited by the opportunity and can’t wait to see you there (tickets: Stop by and say ‘hi’!

I might just have a PVC Security cohort or two around, so don’t be surprised if a PVC Security podcast episode happens.


Board of Directors – InfoSec Ostriches?

There’s no group of people in an organization whose understanding of the value of Information Security (InfoSec) is more critical than the Board of Directors (BoD).

Dark Reading posted a thought-provoking article about BoDs and how they may think the company’s security posture is better than it really is.

Are they nothing more than InfoSec ostriches, burying their heads in the sand?

The author listed four items in support of this argument:

  1. Lack of baselines
  2. Overconfidence
  3. Don’t know about security incidents
  4. Don’t ask for metrics

I pose additions to the list.

I’d add a general lack of understanding. Boards often see InfoSec as overhead and not as core to the business. Every company is effectively open 24 by 7, whether by actually being able to complete transactions (retail, banking, etc.) or from a reputation perspective (web site, social media, etc.). Board members don’t know the terms and acronyms (Security Operations Center [SOC], Security Event & Incident Management [SIEM], Virtual Private Network [VPN], Firewall, Identity & Access Management [IAM], Governance, Risk management & Compliance [GRC], etc.). Only the smart, confident board members will ask.

Boards often don’t know or understand security projects, their objectives (what they mean to solve), and the positive impact to the business. This falls squarely on the Chief Security Officer (CSO) and/or the Chief Information Security Officer (CISO), but security managers and leaders can help with this, too.

BoDs lack awareness of security risks. I find this most common in older companies that don’t possess a mature governance and oversight culture. The typical refrain is “we’re flexible and move quickly; if we had a mature GRC program with security-based risk management we’d lose that flexibility”.

Do you have anything to add to the list? What are some ways of combating the Board’s security ignorance?

Or do you completely disagree?

Over on PVCSec we discuss this topic. Check out the show.
