Versions Compared

Old Version 2

changes.mady.by.user George Vetticaden

Saved on

compared with

New Version Current

changes.mady.by.user George Vetticaden

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In order to understand the needs and requirements of SOC users for Metron, we are going to use this page to collect questions to ask SOC users.two audiences:

  1. SOC users - Security Analysts and Investigators
  2. CISO executives - executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program 

The below is the process that will be followed to create final questionnaire:

  1. The community is providing feedback via the following apache metron mailing thread http://mail-archives.apache.org/mod_mbox/incubator-metron-dev/201512.mbox/browser. on customer survey . If you have input to this for this questionnaire, please send via this thread.
  2. Feedback from the thread in (1) will be added to this wiki page.
  3. On 12/21, the questions from this wiki will be used to create a formal survey via Survey Monkey, Google form, or something similar
    4. The final survey will be published for anyone to send out.
  4. .
  5. Folks then can create surveys and send to their respective  customers/user base.
  6. The community can submit scrubbed feedback back into the community.

Running List of Questions for the Survey/Questionnaire for Security Analysts Audience

IdentifierQuestion
Q1What are key challenges and limitations of the current SIEM and security analytics tools that you use today?
Q2

How would you prioritize the challenges today with the existing security tooling you use:

  • To many alerts. There are no prioritization of alerts or the prioritization's/risk based alerts that are in use are not accurate or helpful to help me identify on what to focus on.
  • There are too many tools that I need to learn
  • I don't have a centralized view of my data
  • Most of my alerts are false positive
  • Managing static rules are too cumbersome. 
  • I have too many manual tasks. 
  • I cannot ingest and store all security/telemetry data based on cost. 
  • I need to discover bad stuff quicker
  • Other
Q3In your day to day activities, what types of data sources(logs, pcap, ldap user info, netflow, bro etc..) do you work with the most?
Q4Are there data sources that your current tools don't support that if did have access to it, it would allow you to do your job more effectively?
Q5What types of automated and real-time enrichment would you like to see on the raw data that would allow you to do your job more effectively?
Q6

What third party intel feeds do you find most valuable that lead to credible threats?

Q7What third party intel feeds are you not using that you would like the platform to provide?
Q8

What elements of your data are you not getting the adequate threat intel feeds for?

Q9

Please provide a redacted dump of common correlation rules that you use the most? (e.g: if you see ip from geo-region A with domain that was registered in the last 3 days, then alert), 30 failed logged attempts in the last 30 minutes..).

Q10

What are other actions you would like to perform on the data in real-time (outside of enrichment, cross reference of intel feeds)?

Q11If the analytics tool only provided a single panel, what will be critical things you want to see?
Q12What are 3 of the most important KPIs (metrics, Key Performance Indicators) that you would like see on that single panel?
Q13

What deails would you expect an alert to contain?

Q14

Which way of filtering/search for events would be your preferred one?

  • I want to write a query to find what I'm looking for
  • I prefer clicking with my mouse to select/deselect types of data I want to find
  • A and B
  • Other

 

Running List of Questions for the Survey/Questionnaire for CISO Audience

IdentifierQuestionSubmitted By
Q1

What specific use cases and cyber security domain problems are you trying to solve with Metron?

Dave Hirko

Q2

How would you prioritize, in terms of importance, the use cases and challenges below that the SOC is tasked to solve:

  • Malware Detection & Lateral Movement
  • Suspicious Behavior: User, Device, & Application
  • Fraud Detection
  • Account Hijacking & Privileged Account Abuse
  • IP Theft & Data Exfiltration
  • Virtual Container & Cloud Asset Compromise

 

Dave Hirko

 

Action Items: Group use cases by industry...

Q3What are key challenges and limitations of the current SIEM and security analytics tools that you use today?George Vetticaden
Q4

How would you prioritize the challenges today with the existing security tooling you use:

  • To many alerts. There are no prioritization of alerts or the prioritization's/risk based alerts that are in use are not accurate or helpful to help me identify on what to focus on.
  • There are too many tools that I need to learn
  • I don't have a centralized view of my data
  • Most of my alerts are false positive
  • Managing static rules are too cumbersome. 
  • I have too many manual tasks. 
  • I cannot ingest and store all security/telemetry data based on cost. 
  • I need to discover bad stuff quicker
  • Other

 

George Vetticaden
Q5

What analytical and/or correlation capabilities and features would you like Metron to support for the data:

  • You currently collect
  • You plan to collect in the future
David HirkoQ6

How would you rate your SOC’s data science and analytical capabilities today?

David Hirko
Q7Q6

Does your SOC have any plans to enhance its data science and analytical capabilities now or in the future?

David Hirko
Q8Q7

What data retention capabilities do you require Metron to support?

David HirkoQ8Q9

What compliance regimes, if any, does your SOC tools and capabilities need to comply with to support the needs of your business?

David Hirko
Q10What are the key challenges with the collection, ingestion and storage of telemetry data with your current security tooling?George Vetticaden
Q11

What security/telemetry sources are important to stream into Metron Security Data Lake Platform? Supporting a device on the Metron platform means providing:

  • agent to collect data from the source
  • parser to parse the device data format into a normalized dataset
George Vetticaden
Q12Q9

What type of enrichment would you like to do to the security telemetry data? (e.g: Geo, Whois)

George Vetticaden
Q13Q10What type of enrichment capabilities does your current security tooling NOT provide? Is enrichment of the data in real-time a critical requirement? Is storing the enriched and raw data a critical requirement?
George VetticadenQ11Q14

What are the different threat intel feeds you subscribe to (public, private, tec..)? Which vendor do you get the feed from and what is the format. Supporting an out of the box threat intel feed means the following supporting parsers for the intel feed to persist the feed store in normalized form.

George Vetticaden
Q15Q12What are critical requirements for threat intel feed integration with Metron? For example, is cross referencing your threat intel feeds against the original and enriched telemetry data a critical requirement?
George VetticadenQ13Q16What are the critical functions you would like to perform on the streaming security telemetry data as its coming in real-time in as opposed to after it lands?George VetticadenQ17Most the major security/SIEM vendors claim to have capabilities that reduce and prioritize the number of alerts. What has been your experience with these capabilities? Are risk/priority based correlation engines working to reduce the number of alerts? What are the challenges that you are experiencing? What are key requirements/capabilities that you would like to see in a next-gen correlation engine in Metron?
Q14Do you envision Metron replacing your SIEM solution or complimenting it?George Vetticaden

Context for the Questions Above

  1. Q1, Q2 - It would be interesting to understand the higher level use case domain problems SOC’s are potentially trying to solve with Metron before delving into specific data sources.  Use cases drive data sources.  For example, we are focused on APT’s, which then flows down to specific data sources we would instrument and parse, UI visualizations and analytics. Perimeter defense is a different domain that Metron can solve, but then flows down to different data sources, UI visualizations, etc.  We saw one customer use OpenSOC for log aggregation.  One idea here is maybe have a list of use cases and have the users prioritize their needs as part of the survey.
  2. Q5 - Metron currently has zero-to-limited analytical capabilities.  Its more data acquisition, aggregation, filter, storage, and visualization.  We are very interested to understand more about the SOC’s data analysis requirements (James has mentioned a correlation engine for the roadmap a few times which is relevant here).
  3. Q6, Q7 - The Metron UI has been geared for operational analysis vs analytical analysis (I don’t count wireshark as analytical).  We have one progressive customer who is starting to bring very capable data scientists into the SOC to enhance the typical SOC operational analysts.  Again, this organizational dynamic in the SOC plays out to Metron in terms of incorporating things like Apache Zeppelin versus just making Kibana/Banana incrementally better.  Would definitely like to know what customer’s are doing on this front from a SOC staffing and/or organizational perspective.
  4. Q8 - One customer wanted to store collected data for their enterprise for 18 months on the OpenSOC/Metron HDFS cluster in order to support more advanced analytics.  It would be interesting to understand data retention requirements and policies.  Soon there will be more rigid compliance implications for storing data that helps uncover
  5. Q9 - Cybersecurity and its various domains are going to be regulated more and more. There are going to be  more reporting requirements for enterprise companies in terms of sharing cyber related events. The SOC is going to play a larger role with respect to compliance, which could have implications related to Metron technical features or prioritization.

...