Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
How to power up your SOC training to improve detection, investigation, and response
Dan Kaplan
Content Marketing, Google Cloud SecOps
May 19, 2022

Whether you are triaging alerts or probing a full-blown incident, security operations center personnel must first ask questions, from “Is this a real alert” all the way to “How did the adversary exfiltrate data?”

Formulating questions and then applying what data the SOC has at its disposal to answer them are foundational skills for doing sound detection and response work. But there is a secret sauce to the process that may be less apparent to some.

Agatha Christie, the famous detective author and best-selling novelist of all time, wrote in one of her most popular works of fiction, “Murder at Vigarage”:  “Intuition is like reading a word without having to spell it out. A child can't do that because it has had so little experience. A grown-up person knows the word because they've seen it often before.”

Download "The Future of the SOC" Paper from Google Cloud and Deloitte

Of all the top traits the best investigators embody – curiosity, patience, persistence – perhaps the most important is one which many may mistakenly attribute to instinct: knowing when to persevere and when to pivot.

Yet for virtually all of them, deciding which path to traverse is less about intuition and more about data-driven proof points, something that can only be acquired through experience. In other words, what may look like a sixth sense is likely the product of far more habit than hunch.

The same truth lies in the SOC. To cement the instinct of when to stay on track and when to switch gears when tracing a threat, training is far and away the most obvious solution, especially during a time when your SOC success story remains very much about your people, despite the significant challenges they face, from alert volume to talent shortages.

Google Cloud Principal Security Strategist Dave Herrald recently joined the Cloud Security Podcast with Anton Chuvakin and Tim Peacock to share some wisdom about how to make training effective in the SOC, one big factor in keeping your team – especially earlier-career analysts – operating efficiently and feeling engaged. Here is some of his advice.

Make the Training Realistic

Creating as real-world scenarios as possible is a no-brainer when it comes to training in any domain. But the question is, how do you do it right, especially when there are so many variables that can limit a drill or exercise from coming across as sincere to the participants. How can you achieve this in an artificial environment?

1. Create a lab that represents, at a smaller scale, the environment you’re trying to protect

Data is integral to any SOC investigation, so you’ll want to make sure training replicates real-world threats in as realistic a manner as possible, from log sources and IP addresses to traffic patterns and indicators of compromise.

2. Procure legitimate vendor “gear” that represents what you have in your environment

It is best to practice on the tools you are actually using, such as SIEM, SOAR and threat intelligence. After all, these are the technologies that you will heavily rely on to help in your detection and response effort– and if you’re not familiar with using them, it can significantly slow you down.

3. Use a “golden image” from an endpoint

These are pre-configured virtual machine templates that represent what an end-user (one of the likeliest vectors to introduce something malicious into your environment) might be working on every day.

4. Purchase cloud services

With workloads migrating to the public cloud in droves, so is the magnitude rise of malicious attacks and user errors. Yet many SOC teams are struggling to implement effective cloud security controls, despite the technology’s allure. You will want to practice on what your organization’s tech spend is preaching.

5. Run real exploits (with proper isolation) and ensure telemetry you collect is what you encounter in real world

Generating “dummy” data that you program may be suitable in some instances (like triggering a simple rule) but when you’re trying to train personnel to pivot through related data sources, it becomes difficult to make duplicate data, such as IP addresses in multiple sources, match up.

Consider the Pros – and Cons – of Competition

Competition can be incredibly useful, especially because it can serve as a motivator and force the mind to consider all the things at play during an investigation, including cognitive biases. Yet leaders need to be aware of the downside of competition as well. For some, it can be a demotivator if they lack the confidence or even desire to be a “ninja” in the SOC. For others, it may be that the content of the contest doesn’t interest them because of their skill or career level.

Implement Scenarios That Embrace DEI

Security experts agree and studies have shown that a more diverse team – hailing from different backgrounds and bringing a wide variety of life experiences – makes an organization’s security posture stronger. A SOC team with diverse backgrounds brings distinctive perspectives, different ways of analyzing problems and novel approaches to finding solutions. This same equitable approach should apply to the education used to train SOC teams, as scenarios can easily become non-inclusive quagmires if organizers fail to consider DEI principles in the language and characters used in drills.

Learn how to fight cybercrime at Google speed with Chronicle Security analytics threat hunting & detection platform. Join the Chronos Challenge!

Threat Detection Secops

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page