Swarup Pattnaik#


Swarup is a cyber security practitioner with over 14 years of experience in building and enhancing cyber defense capabilities for large scale organizations from high tech to Start ups.He is currently overseeing design,development,implementation of solutions that detect malicious activities in cloud and hybrid networks.He enjoys solving pressing secops problems from alert fatigue to modernizing the soc processes for being efficient.

Talks (Eastern Timezone)#





Applying Risk scoring to Atomic Signals

In a traditional Security Monitoring Use Case Development framework, the detection signals are often written with limited criteria, lacking context of the entity or threat. This makes it challenging to correlate individual alerts, evaluate their impact and risk, and ultimately leads to a failure in detecting genuine threats and formulating effective response actions. To address this challenge, we will implement a risk scoring model that assigns scores to organizational assets, identities, entities, or custom attributes. This scoring will be based on a metric system using a simple formula that considers three variables: severity, impact on the asset or identity, and a risk modifier. The risk modifier takes into account factors such as admin user privileges, presence of an IOC (Indicator of Compromise), prevalence score of a binary, or a known attacker tool. By decorating the alerts with the calculated risk score and the factors that influenced it, along with additional metadata about the asset, identity, or other relevant data types, we can transform the alert information. This transformed alert data can then be utilized to develop detections based on exceeding a threshold score within a specified timeframe (e.g., x days or hours) for a specific object like a risk factor or an entity (e.g., hostname, IP, asset ID/name, username, etc.). Implementing this approach will result in high-fidelity detections that enable prioritization of triage and response efforts, ensuring a more effective and efficient security response.