Carson Zimmerman (Microsoft, US)
Carson Zimmerman is currently a Cyber Security Operations Center (CSOC) engineering team lead with Microsoft. He has worked in and around CSOCs for about 15 years, holding roles in the CSOC ranging from tier 1 analyst to architect. Previously with MITRE, Carson wrote "Ten Strategies of a World-Class Cybersecurity Operations Center," which can be downloaded for free at http://bit.ly/1sKCOH9. He received a BS in Computer Engineering from Purdue University and an MS in Information Systems from George Mason University.
In this talk, Carson will decompose key metrics for the CSOC, with three consumers in mind: the CSOC itself, executives above the CSOC, and CSOC customers. The presenter will provide example metrics used by leading, mature CSOCs, and point out along the way where those metrics can boost positive outcomes when used wisely, or drive negative outcomes when used poorly. The audience will be able to directly apply these metrics and methods presented in this talk to their own shops. By measuring and reporting in this manner, overall CSOC performance, executive engagement, and customer engagement should improve.
Last Update: November 13th, 2019
Size: 2.78 Mb
Désirée Sacher (Finanz Informatik, DE), Francesco Chiarini (Standard Chartered Bank, PL), Logan Wilkins (Cisco), Mark Zajicek (Carnegie Mellon University, US)
Désirée Sacher - SOC Security Architect at Finanz Informatik. Experienced Security Architect with a demonstrated history of working in the information technology and services industry. Skilled in Security Analysis, Threat Intelligence, Network Forensics, Networking, and Security Systems Products. Strong information technology professional with a Bachelor of Science ZFH in Information Technology from ZHAW (formerly HSZ-T).
Francesco Chiarini - Global Threat Management, Incident Response & Cyber Resilience Director at PepsiCo. Passionate about CSIRT processes and everything involving security incidents, with 15 years' experience in IT and information security. Prior to PepsiCo, he worked at Symantec and Hewlett-Packard, and he is actively engaged with international and local communities promoting incident response and leadership (ISSA Poland, CSO Council Poland, EC-Council). Francesco leads the FIRST Retail members group as well as the FIRST Poland members group.
Logan Wilkins - Engineering Manager, Computer Security Incident Response Team (CSIRT), Cisco. Logan Wilkins has over 25 years of software development and information security experience. He has worked in academic, research and corporate settings, specializing in DevSecOps management, data science and information security. Logan currently manages Cisco's CSIRT Engineering Delivery team, which is responsible for the development and deployment of Security Monitoring and Incident Response systems.
Mark Zajicek is a Member of the Technical Staff in the CERT Division at the Software Engineering Institute, located at Carnegie Mellon University (Pittsburgh, Pennsylvania, USA). Mark’s current work is focused on helping other organizations to build and assess their own computer security incident response team (CSIRT) or incident management capability. As a member of the CERT CSIRT Development and Training team, Mark is responsible for providing guidance to new and existing CSIRTs, worldwide. Mark has co-developed a variety of documents and training materials, and he is an instructor for a suite of several courses that provide training for CSIRT managers and technical staff and for organizations that are building or evaluating an insider threat program. Previously, Mark was the Daily Operations team leader for the CERT Coordination Center (CERT/CC), after having joined the CERT/CC’s incident handling staff in 1992. Prior to joining the CERT/CC, he also helped support the CERT/CC during its initial start-up in 1988.
During this session, you will receive an overview of the proposal for new FIRST guidelines related to security incident timeline and timing metrics. Measuring the efficacy of an incident response team, as well as the extended IT team's performance, is perceived as a key factor by many CSIRT leaders. At the same time, there seems to be no shared consensus within the community on which security incident timing framework to use. This gap ultimately prevents CSIRT teams from aligning with a well-reputed community guideline and from benchmarking within trusted peer groups. This work tries to close that gap and sets a roadmap for future improvements.