Friday, April 17, 2020

From my Gartner Blog - New Research: Open Source Tools!

After finishing the wave of research that covered pentesting, monitoring use cases, SOAR and TI, I’m excited to start research for a net new document covering an exciting topic rarely covered in Gartner research: Open source tools! The intent is to look at the most popular open source tools used by security operations teams out there. Things like the ELK stack, Osquery, MISP and Zeek. What I’d like to cover in this new paper is:

  • Why is the tool being used? Why not a commercial alternative?
  • How is it being used? What is the role of the tool in the overall security operations toolset, what are the integrations in place?
  • How much effort was put into implementing the tool? What about maintaining it?
  • Is it just about using it, or is there some active participation in the development of the tool as well?
  • What are the requirements to get value from this tool? Skills? Anything specific in terms of infrastructure or processes?

It is a fascinating topic, which brings a high risk of scope creep, so the lists of questions answered and tools covered are still quite fluid.

In the meantime, it would be nice to hear stories from the trenches: what are you using out there? Why? Was it picked just because it was free (I know, TCO, etc., but the software IS free…)? Or is it a cultural aspect of your organization? Do you believe it is actually better than the commercial alternatives? Why?

Lots of questions indeed. Please help me provide some answers 🙂

The post New Research: Open Source Tools! appeared first on Augusto Barros.

from Augusto Barros https://ift.tt/2Kbxglh
via IFTTT

Thursday, April 9, 2020

From my Gartner Blog - Developing and Maintaining Security Monitoring Use Cases

My favorite Gartner paper has just been updated to its 3rd version! “How to Develop and Maintain Security Monitoring Use Cases” was originally published in 2016 as a guidance framework for organizations trying to identify what their security tools should be looking for, and how to turn those ideas into signatures, rules and other content. This update brings even more ATT&CK references and a new batch of eye-candy graphics! So much different from the original Visio-built graphics!

This is the anchor diagram from the doc, summarizing our framework:

Some nice quotes from the doc:

“Some organizations create too much process overhead around use cases — agility and predictability are required. Processes must not be too complex because security monitoring requires fast and constant changes to align with evolving threats.”

“The efficiency and effectiveness of security monitoring are directly related to the appropriate implementation and optimization of the right use cases on the right security monitoring tools.”

“Do not simply enable everything that comes with the tools. A considerable part of that content may not be aligned with the organization’s priorities, or may not be applicable to its environment.”

“Make use case development similar to agile software development by being able to quickly implement or modify a use case to adapt to changing threat and business conditions.”

I hope you enjoy it, and let me know if you have the framework implemented in your organization. Please don’t forget to provide feedback about the paper here.

The next wave of research is about open source tools for threat detection and response, in parallel with interesting stuff on Breach and Attack Simulation.

The post Developing and Maintaining Security Monitoring Use Cases appeared first on Augusto Barros.

from Augusto Barros https://ift.tt/2JQhigf
via IFTTT