Hi, everybody. Ed Amoroso here, and in this video, I want to talk to you about a facility concept that exists in most companies now, certainly bigger ones. It's called the security operations center, and I've got to tell you that if you work, say, in the military or in a big place, a big bank, there is nothing more exciting than walking into a physical facility where, perhaps, data is rendered up on screens, on wall boards, and there's people working, doing analysis, threat hunters working together, scurrying around on the floor, comparing notes on their analysis activity. It really gets the adrenaline up.
I first started seeing this sort of thing in telecommunications kind of in the '80s, and I loved it. I thought that just the imagery and the excitement and the adrenaline of being able to collect all this data and make real time decisions was perfect for cyber. So I personally was very involved in kind of the evolution of the design of security operations centers, have been doing it for many, many, many years, and know a lot about how it works and how you actually do something like this.
Now let me give you a couple of elements of, more or less, how a SOC works and what you would experience if you were in such a thing. Now, as we've talked about, the concept of collecting data, having lots and lots of data from which we try to derive intelligence, is absolutely essential to the cybersecurity puzzle, right? We've said, "Yeah, we want arbitrating components like firewalls. And yeah, we want to be preventive like with cryptography. But if that stuff breaks, I want to watch what's happening and take action if my preventive activity has not worked." So you're monitoring, you're watching. So the data comes in, and you're doing some sort of analysis based on this. Now, most security operations centers think of what they're doing in kind of two dimensions.
There's internal information, so if you're a SOC for a bank, then there's data that's coming directly from the infrastructure that you control as a bank. It's your firewalls, your system, your logs, your applications, all your stuff, and you can think of that as private, right? That's not something that you're out spilling out on the Internet, although a lot of people talk about the idea of sharing threat information; that's for another discussion. But you have internal logs and records of data.
But correspondingly, you also have external data that you're pulling from the Internet, that you're pulling from your vendors, that you might be learning from customers. In fact, you may be pulling it from your third parties. You could have suppliers, vendors, all these other companies that help you in the support of your mission. So a SOC has to pull things internally and make sense out of it, externally and make sense. And what we refer to that as, the term we use to refer to that, is all-source data collection and correlation. Let me say that again. When I'm pulling internal and pulling external, we refer to that as all-source. Okay, you see that term a lot in the context of security operation design.
Another term you see sometimes is fusion, where I'm fusing things that are coming from different sources. A big fusion center is one where data with differing characteristics, differing attributes is put together into a common data model along the lines of what we saw when we studied the way a security information event management system, a SIEM, works. So all these things are so symbiotic, data collection, internal, external. You probably have a lot of signatures that are embedded into the operations of a SOC, and you're going to also clearly be doing management by exception.
The little diagram that we show for you, the icon, shows some wallboard with little scribbles there, and typically, the scribbles are things that'll show predicted behavior, and when we see deviations from the norm, we take action from the floor of a security operation center.
I want to encourage any of you, if you're getting into cybersecurity as a discipline: working in a security operation center is something that everyone should have the experience of if you want to be well-balanced in your understanding of cyber. Just the idea of learning to collect data and to make real time decisions about what you see sharpens your understanding of how cybersecurity systems work and also sharpens your understanding of the way computing and technology works. I could think of no better, say, internship for a young person. And if you can get your hands on that kind of internship, by all means, go do it.
And the bigger the place, the better, because fusion centers tend to be better when there is more data. Again, that's such a fundamental statement, let me say it again. Fusion centers generate better and derive better threat intelligence when there is more data than less, right? If I know that it's raining in this town and that town, but I know nothing else, and I want to make some broad statement about weather, well, that I just know about this town and that town. But if I had data from every town in every state in every country, the weather, I can make amazingly accurate statements about weather. I can see patterns, I can see shifts. So the more data, the better, internal, external, fuse it all together, drive it in a SIEM, make real time decisions.
Very exciting work, and I hope that you have the experience at some point in your career to work in an active and vibrant security operations center. I'll see you in the next video.