Proactive Security Monitoring From Security watch to the independent SOC organization. November 22 nd 2012, Marek Deml

Transcription

1 Proactive Security Monitoring From Security watch to the independent SOC organization November 22 nd 2012, Marek Deml

2 Core steps Security watch SOC Deloitte Česká republika

3 Security watch Situation to manage Heterogeneous environment worldwide in three core data centers and 190 countries servers, desktops, 400+ applications Threat management Vulnerability management Deloitte Česká republika

4 Security Watch Process: Objectives and Approach Objectives In time Coordinated With priority Proactively Approach 24x5 monitoring Global presence and involvement of local experts Consistent criticality prioritization Timely patch and virus alerting Main features Alerts published on Security Watch alert portal Automatic notification for new and updated alerts to contacts in IT service organization and different BUs served by IT organization Deloitte Česká republika

5 Security Alert Management and Escalation Touch Points Security advisory 1 Modify Alert Categories Establish Common Patch Mng. Policy and SLA Security advisory 2 Security advisory xx 1. Initial assessment and evaluation of advisories 2. Alert approval 3. Alert distribution 4. Alert implementation and monitoring Inputs from Users/BUs ALL BUs Company Major Software and Platform List Alert Distribution List Repository Establish Process to Maintain DLs Establish Major SW List and Process to Maintain it Deloitte Česká republika

6 Security Watch Process 1. Initial assessment and evaluation of advisories Security advisory 1 Security advisory 2 Security advisory xx Inputs from Users/ BUs Duty CISO org person to check security advisories against the systems used Alert received No advisory Alert reviewed by CISO org person on duty to initially determine priority of alert Major Software and Platform List Send message next shift and cc all CISO org non-activity Does CISO org person has technical knowledge to assess? No SME Review required SME List Yes Complete alert and forward to duty CISO org person for review Alert priority proposal by CISO org person Deloitte Česká republika

7 Security Watch Process 2. Alert approval Alert priority proposal by CISO organization CISO org member creates alert, assign alert number, store for publishing Maintenance Emergency/Critical/ Maintenance/Notification priority Upgraded / downgraded alert resubmission Approved as Maintenance/Notification Proposal Emergency/Critical Alert send for approval to CISO and 1 other CISO org person Alert send for approval to CISO and Board Member followed by phonecall, contact must be made within 4 hours Prepared as Emergency Approved Not Approved Alert upgrade/downgrade or revocation Alert revoked Approved Approved as Critical Not Approved Revoked alerts repository Approved as Emergency Emergency/Critical/ Maintenance/Notification Alert ready to be released Downgraded and approved as critical Deloitte Česká republika

8 Security Watch Process Priority flow in time VULNERABILITY NOTIFICATION (INTERNAL) MAINTENANCE SECURITY PATCH ALERT RELEASED CRITICAL SECURITY PATCH ALERT RELEASED EMERGENCY SECURITY PATCH ALERT RELEASED critical vulnerability announced patch announced virus/worm availability announced virus/worm spreading worldwide and Company is already impacted, or very likely to be time Deloitte Česká republika

9 Security Watch Process Alert categories in detail Level Priority Criteria Action Deadline to Implement Decision- / Approval Authority A EMERGENCY - Malware exploiting the vulnerability is spreading inside Company network or is very likely to be - Released on ad-hoc basis B CRITICAL Public exploit or Malware exists - Rated critical by vendor - Software widely used in Company environment - Released on ad-hoc basis C MAINTENANCE - Rated at least moderately critical by vendor - Software widely used in Company environment - Released on monthly basis Top priority intervention supersedes all other ISor business priorities Action must be performed within the shortest possible time (out-ofband of regular maintenance window) Needs to be planned and performed within reasonable, agreed time in regular maintenance window 1-3 days CISO and Board member 1 Approval dateline: within 4hr 4-30 days CISO & CISO org member 2 Approval dateline: within 24hr 1-3 months CISO & CISO org member 3 Approval dateline: Before 20 th of the month D NOTIFICATION None. Use as needed. None. Only qualified early warnings N/A CISO organization Deloitte Česká republika

10 Security Watch Process Alert Approval: Review and Approval Flow EMERGENCY - RED 1. Draft alerts ed to approval authority for approval 2. Follow up with phone call to approval authority 3. Alerts released by CISO once approval received CRITICAL - YELLOW 1. Draft alerts ed to approval authority 2. Alerts released by CISO within 24 hours once approval received MAINTENANCE GREEN, NOTIFICATION - WHITE 1. Draft alerts prepared and stored on shared drive/portal, to be released on 25 th day of the month or as needed 2. Shared drive/portal is accessible by approval; authority for review 3. Alerts released by CISO organization on target date by CISO organization if no comments received Deloitte Česká republika

11 Security Watch Process 3. Alert distribution Emergency/Critical/ Maintenance/Notification Alert ready to be released Emergency/Critical/ Maintenance/Notification priority Maintenance/Notification Batch of alerts published on Alert portal on 25 th of month or as needed and notification sent to Alert Distribution List Emergency/Critical Alert published on Alert portal immediately and notification sent to Alert Distribution List Alert Distribution List Repository Alert Distribution List Repository Deloitte Česká republika

12 Security Watch Process 3. Alert distribution BU Security Contacts List Repository Maintenance Process BU Master contact Country IT Regular update BU Master contact Regular Update Repository Maintenance BU Master contact CISO org Alert Distribution list repository BU Master contact Regular update cycle: Quarterly BU Master contact Deloitte Česká republika

13 Security Watch Process 4. Alert Implementation and Monitoring Alert must be implemented within its implementation deadline as stated in it, change management principles must apply Regular monitoring of alert implementation must be set up in all entities including escalations for not implemented alerts in time Alert compliance reporting should be set up on regular basis to make sure appropriate steps done in follow up activities Deloitte Česká republika

14 Security Operating Centre (SOC) SOC business case introduction SOC Objective Project: Implementing SOC in the follow the sun model (24x7) Deloitte Česká republika

15 Security Operating Centre (SOC) SOC business case introduction, status before Downtimes due to internal security issues Reactive security access to incidents Missing central management No CIRT in place Business expectation: Impact of future attacks to be negated Technology packages were purchased in order to protect their business. Services to be managed to a level that the company will not be impacted by an attack which they have paid for a service to mitigate Deloitte Česká republika

16 Security Operating Centre (SOC) SOC Objective Effective Information Security Incident Response Management To monitor system logs to see unauthorised activity on client networks and systems from both internal systems and external systems. To be alerted and act upon network or system Information Security Incidents. To actively manage the malware (virus, bot, etc.) threat. To fix a critical audit issue and create a more secure environment for ourselves and our customers. To protect the business Deloitte Česká republika

17 SOC Responsibilities for the project Global information security CISO organisation Design and development Owner Build Local Information security managers EMEA, AP, AM Review Build Support CISO org and SAO Secure Access Operation EMEA, AP, AM Run 2 nd level support, Review SOC procedures, Support SOC organization Manage non-standard changes SOC organisation EMEA, AP, AM Run 1 st level support Implement SOC process and procedures, Run SOC operations Manage pre-approved change Deloitte Česká republika

18 SOC Implementation Stages worldwide Stage 1 Basic operations EMEA Focused on handling security incidents related to Malware (virus, worms, bots etc.) Development of Basic Operation process and procedure in EMEA, to be duplicated to AP and AM Stage 2 Basic operations with Follow the Sun in EMEA, AP, AM Focused on handling security incidents related to Malware (virus, worms, bots etc.) Duplicate SOC Basic Operation from EMEA to AP and AM SOC Basic Operation run in EMEA to AP and AM in Follow The Sun Stage 3 Enhanced operations with Follow the Sun in EMEA, AP, AM Enhance handling of security incidents to include misconfigurations, misuse and suspicious activities Deloitte Česká republika

19 SOC - Implementation Stage 1 Basic operations EMEA EMEA Region NIPS Focused on handling security incidents related to Malware (virus, worms, bots etc.) Development of Basic Operation process and procedure in EMEA, to be duplicated to AP and AM NIPS Events Monitored Security Incidents: Malware EMEA DC SOC Basic Operation Mode 8hr x 5 days No coverage for weekends or public holiday Deloitte Česká republika

20 SOC - Implementation Stage 2 Basic operations with Follow the Sun in EMEA, AP, AM Focused on handling security incidents related to Malware (virus, worms, bots etc.) Duplicate SOC Basic Operation from EMEA to AP and AM SOC Basic Operation run in EMEA to AP and AM in Follow The Sun SOC Basic Operation in Follow The Sun Model EMEA Region NIPS AM Region NIPS AP Region NIPS NIPS Events NIPS Events NIPS Events Handover Handover EMEA Monitored Security Incidents: Malware AM Monitored Security Incidents: Malware Handover AP Monitored Security Incidents: Malware - SOC Basic Operation Mode - 8hr x 5 days - No coverage for weekends or public holiday - EMEA SOC Monitor AM and AP during EMEA shift - Monitored Security Incidents: Malware - SOC Basic Operation Mode - 8hr x 5 days - No coverage for weekends or public holiday - AM SOC Monitor EMEA and AP during AM shift - Monitored Security Incidents: Malware - SOC Basic Operation Mode - 8hr x 5 days - No coverage for weekends or public holiday - AP SOC Monitor EMEA and AM during AP Shift - Monitored Security Incidents: Malware Deloitte Česká republika

21 SOC - Implementation Stage 3 Enhanced operations with Follow the Sun in EMEA, AP, AM Enhance handling of security incidents to include misconfigurations, misuse and suspicious activities. SOC Enhanced Operation in Follow The Sun Model EMEA Region NIPS AM Region NIPS AP Region NIPS NIPS Events NIPS Events NIPS Events Handover Handover EMEA SOC Monitored Security Incidents: Malware, Misconfiguration, Suspicious Activities - SOC Enhanced Operation Mode - 8hr x 5 days - No coverage for weekends or public holiday - EMEA SOC Monitor AM and AP during EMEA shift - Monitored Security Incidents: Malware, Misconfigurations, Suspicious Activities AM SOC Monitored Security Incidents: Malware, Misconfiguration, Suspicious Activities - SOC Enhanced Operation Mode - 8hr x 5 days - No coverage for weekends or public holiday - AM SOC Monitor EMEA and AP during AM shift - Monitored Security Incidents: Malware, Misconfigurations, Suspicious Activities Handover AP SOC Monitored Security Incidents: Malware, Misconfiguration, Suspicious Activities - SOC Enhanced Operation Mode - 8hr x 5 days - No coverage for weekends or public holiday - AP SOC Monitor EMEA and AM during AP Shift - Monitored Security Incidents: Malware, Misconfigurations, Suspicious Activities Deloitte Česká republika

22 SOC Technologies used Each new technology was added into SOC as separated project task IBM NIPS and Site Protector console and database (Core) Darknet (Botnet C&C communication) Antivirus NAC Specific System logs Security NIPS Darknet Antivirus Logs NAC Specific System Logs Security SOC Monitoring Core Component Additional Component Deloitte Česká republika

23 SOC Processes developed and implemented Phase I. SOC High Level Security Event Handling Process SOC Security Incident Handling Procedure For Malware (Focusing on Malware related security incidents) SOC Security Incident Exemption Process SOC NIPS Policy management for phase I Phase II. SOC Follow the Sun and Handover Process SOC Security Event signatures Review and Evaluation Process SOC Global NIPS Policy management for phase II Phase III SOC Global NIPS Policy management for phase III SOC Security Incident Handling Procedure for Misconfiguration SOC Security Incident Handling Procedure for Suspicious Activities SOC Security Incident Handling Procedure for Uncategorized Security Incidents Deloitte Česká republika

24 SOC Global NIPS policy Why Key features of Global NIPS Policy Management of Global NIPS Policy NIPS Security Event Signature Assessment Methodology Typical conditions for enabling security event signature in Monitor and Block mode Typical conditions for enabling security event signature in Monitor mode only Typical conditions for not enabling the Security event signature NIPS Security Event Signature Evaluation and Approval Process Normal situation Emergency situation NIPS Filter Approval Process NIPS Policy Implementation Compliance Check Process Deloitte Česká republika

25 SOC Global NIPS policy Design 1 SOC Implement CISO Organization Global NIPS Policy SOC Implement SOC Implement + EA Local Filter/Exemption Global NIPS Policy Global NIPS Policy Global NIPS Policy + AM Local Filter/Exemption + AP Local Filter/Exemption EMEA SOC AM SOC AP SOC 5 NIPS Policy Implementation Compliance Check Process Deloitte Česká republika

26 SOC Global NIPS policy - Important parameters assessed Security Event name and Severity - vendor ISS XPU and Type - vendor Default ISS NIPS Action (in Block Mode) - vendor NIPS To Enable CISO organization and SOC NIPS to Block - CISO organization and SOC NIPS to Quarantine (Set type = Quarantine Worm only) - CISO organization and SOC Client severity - CISO organization Known Threat/Remark - CISO organization and SOC Category - CISO organization MS Alert - vendor Security watch Alert - CISO organization Added/Modifed in Version - CISO organization Next Review Date - CISO organization Deloitte Česká republika

27 Questions? Marek Deml

28 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms Deloitte Czech Republic