
roger_grimes
Columnist

Is your security operations center TTP0?

Feature | 31 Oct 2018 | 6 min read
Security, Security Infrastructure

The new TTP0 community wants to do for SOCs what OWASP has done for web security. It will help CISOs improve their threat intelligence and threat hunting capabilities as well.


If you need surgery, you want the surgeon that other doctors want to do their surgery. You want a surgeon who has been there, done that, and taken names. You don’t want a surgeon who is doing their first few surgeries or has too many negative outcomes. The surgeon you want is the one other surgeons want to learn from.

With that in mind, I recently ran into a long-time cybersecurity friend, Carric Dooley, whom I’ve known going on 15 years. We both worked at Foundstone doing penetration testing and penetration testing education. We both worked together at Microsoft after Foundstone.

Carric is a surgeon’s surgeon. He’s the whitehat hacker that other whitehat hackers want to be around and work with. He’s not only very good at what he does and is well-loved by his co-workers, but he understands the challenges of running a business while getting the very best, right-sized computer defense better than most.

I hadn’t seen Carric in years when I stumbled across his new company, Indelible LLC. It focuses on building and improving security operations centers (SOCs) with people who have been there and done that. I thought I knew a lot about SOCs, but within a few minutes Carric was schooling me like I was a baby who only knew what SOC stood for. Indelible is trying to better educate all computer security professionals in security operations and to improve all SOCs, both through its own commercial offerings and through the creation and support of TTP0.

What is TTP0?

TTP0 is a new community forum; the name stands for tactics, tools and procedures, and the zero stands for Tier 0. Security professionals talk about computer security in terms of Tier 0, Tier 1, Tier 2 and Tier 3. Tier 0 is your most critical infrastructure, servers, and the crown jewels of your organization, including the computer security systems and personnel that protect all the rest. Tier 1 and Tier 2 represent the ordinary, less critical servers and sources. Tier 3 covers the regular, non-privileged workstations and users. TTP0 encompasses all the computer security “tradecraft” used to create and operate a Tier 0 computer security operation, in particular a Tier 0 SOC.

TTP0 was founded by seasoned experts, including Carric, to focus on the topic of security operations and how to do it right. It is a new effort to create a community for those wishing to build, assess, optimize or understand what a SOC should do, how people are doing it successfully, and how to measure it. The desire is to provide guidance and content to everyone with an interest in security operations, from the CISO looking to build one to the SOC analyst looking to grow their skill set and career opportunity.

TTP0 is a chance to hang out and learn from the best. These are professionals who have been there and done that. If you’re trying to build a new SOC or improve an already existing one, it can’t hurt to check out TTP0.

Carric says more simply, “TTP0 is basically OWASP for SOCs.” OWASP (Open Web Application Security Project) was founded in 2001 as a community effort to better secure web applications. It did. Tens of thousands of programmers and educational programs have learned from, and contributed to, OWASP. Much of what we do by default to secure web programming came from OWASP. Carric and his friends are trying to do the same with security operations.

TTP0 scenarios

As examples, TTP0 is especially good at getting answers and information in the following types of scenarios:

  • I’m a CISO tasked with building a great SOC, but I don’t know where to begin.
  • I’m trying to improve my company’s threat intelligence program, but I’m not even sure where to start.
  • I need a world-class threat hunting program NOW!

If you have one of these needs, then TTP0 is for you. TTP0 and its practitioners can help you to more quickly bridge the gap from “I don’t know much about those subjects” to “Hey, I have a world-class SOC, threat intelligence and threat hunting program now.” TTP0 offers free education, step-by-step guides, templates, and programming to get you started. Even if you think you already have a world-class SOC, it can’t hurt to check out TTP0 to make sure you didn’t miss anything.

TTP0 resources

If you’re new to TTP0, but interested, I recommend these resources:

Like many other successful open source, community-based computer security initiatives, it has both a free version (TTP0) and a commercially supported alternative (Indelible), which supports the free arm. Many users want the expertise and formal support that a commercial organization offers beyond the free instance. Think Snort and Sourcefire, Nessus and Tenable, and Bro and Corelight. Although it doesn’t always guarantee success, in my 30 years of experience, when a free initiative is supported by a commercial arm, the free offering is usually more likely to thrive and be updated. Both communities benefit.

Carric said he and Indelible’s founders work hard to share, for free, the hard lessons they’ve learned in the trenches over the years. For instance, Carric said that one of the biggest mistakes he sees in his work with CISOs starting to build their own SOCs is that they often don’t have a clear vision of what their overall goals are to start with. He frequently sees them ordering what they think is the best-in-class security operations software that they saw at some conference, without really knowing whether it’s right for their specific needs.

“Set the vision and goals first and then work backwards from there,” Carric says. “If you do that you will have a guide for choosing everything from right products to whether or not you build or buy the constituent components. That seems intuitive when you say it out loud, but I have seen multiple customers that started with choosing a SIEM (security information event monitor) first, instead of the other way around. That is how you wind up finding yourself $12 million dollars into a SOC that doesn’t actually do anything useful. But if you do it the right way, you can build the SOC from the ground up with the right skills, tools, and processes.” Words of wisdom.

If you’re in the business of security operations (e.g., SOC, threat intelligence, threat hunting), it can’t hurt to check out TTP0. It’s quickly gaining advocates.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
