Setting up an Security Operations Center (SOC) A step by step approach

Transcription

1 Setting up an Security Operations Center (SOC) A step by step approach Abdul Rahman Mohamed VP, IT Strategy, Risk & Delivery Group IT, Malaysia Airlines 07 November 2012

2 My apology. I am standing between you and home sweet home. I ll be On-Time.

3 About the speaker 19 years of experience Was CISSP and CISM Oil and Gas, Banking and Consultancy IT Strategy & Transformation, Governance, Risk & Security, IT Service Delivery, Project Management

4 We are here to share our experience In setting up an internal SoC, as well as its journey and evolution Its value to our business The lesson learned DISCLAIMER: It works for us.

5 Allow me to introduce the Air Travel Industry.

6 The Airline industry is glamorous, and a quick way to lose money.. How do you become a millionaire? First, become a Billionaire, then you run an Airline Sir Richard Branson

7 Group IT is the enabler and IT partner of THE PREFFERED PREMIUM CARRIER People First, Data Centers (incl MHNet, SITA, Enrich) Bergen Stockholm Oslo Helsinki Aberdeen Sandefjord Stavenger Glasgow Edinburgh Gothenburg Belfast Teesside Copenhagen Dublin Leeds Amsterdam Manchester London Frankfurt Brussels Vienna Milan Munich Geneva Barcelona Madrid mil Pax /annum (2010/11) Over 90 Stations (MW,FY,MH) 20K Staff Rome Windhoek, NAMIBIA Johannesburg Athens Harare, ZIMBABWE Victoria Falls, ZIMBABWE Port Elizabeth Figures per December 2011 Durban Maseru, LESOTHO East London Bahrain Doha Dar es Salaam TANZANIA Maputo MOZAMBIQUE Gaborone, BOTSWANA Muscat Mauritius Tashkent Colombo Yangon Beijing Inch on Seoul Kansai Tokyo Nagoya Fukuoka Shanghai Guangzhou Hong Kong Hanoi Manila Bangkok Siem Reap Phnom Penh Phuket Cebu Langkawi Ho Chi Minh Penang KUALA LUMPUR Medan Kota Kinabalu Singapore Kuching Jakarta Surabaya Denpasar Perth Broome Darwin 56 applications 16K IT Devices 45 FTEs Over 12 Key IT Partners Cairns Townsville Hamilton Island Mackay (out of 84) Rockhampton Fraser Coast Sunshine Coast Brisbane Gold Coast Ballina Byron Coffs Coast Adelaide Newcastle Sydney MelbourneCanberra Launceston Hobart

8 Lets get to the actual presentation

9 The steps that we took in establishing the SoC. Find the right resources Find the business value of your SoC Get the Sponsors and know your stakeholders Begin with the end in mind Start small Leverage Can pause but keep evolving Marketecture

10 1 In any endeavors, we have to have the right resource for the job that meet the following criteria: Committed to Integrity; Committed to Performance and Committed to Change. Jeff Immelt CEO, GE

11 There is no such thing as an IT project, there is only business project Paul Coby Ex CIO British Airways

12 Else You syok sendiri i Abdul Rahman Mohamed Future CIO

13 2 We established the SoC for the airline business. Alignment with corporate strategies and Business Transformation Plan (BTP2): No compromise on safety and security Serve Customer, Make Money, Save Money Compliance with regulatory requirements (local and international) e.g. Anti Trust/Competition Law, Data Privacy, PCI, National Cyber Security Policy (NCSP) Increase in IT Outsourcing activity and the need for near realtime transparency

14 3 People First, The projects was actually owned by Corporate Security but funded by IT. Board Safety and Security Committee Management Committee IT Service Delivery Operations Group IT IT Strategy & Governance Info/IT Security Information Risk & Security CSSHE* Corporate Security Risk Mgmt Business Assurance Corp. Services Risk Advisory Services SITO*** SACC** Security Assurance Audit & Business Advisory IT Security Operations Corp. Security Corp. Risk & Governance * Corporate Safety, Security, Health & Environment ** Security Assurance Control Center *** Strategic IT Outsourcing

15 There are external stakeholders as well. Board Safety and Security Committee Management Committee IT Service Delivery Operations Group IT IT Strategy & Governance Info/IT Security Information Risk & Security CSSHE* Corporate Security Risk Mgmt Business Assurance Corp. Services Risk Advisory Services SITO*** SACC** Security Assurance Audit & Business Advisory IT Security Operations Corp. Security Corp. Risk & Governance * Corporate Safety, Security, Health & Environment ** Security Assurance Control Center *** Strategic IT Outsourcing

16 4 People First, Once we established the business justification, i we would envision the end in mind.

17 This is half of your journey.

18 We started our journey with a 5 year vision. PHASE 1 PHASE 2 PHASE 3 PHASE 4 Assurance and visibility to Business Integration to Business Optimized for Stakeholder s Confidence in IT Controls Integration to Corporate GRC icy Poli Proce ess / Te ech Corp Info Security Policy Information Security Dashboard IT Compliance Mgmt Sec Incident & Event Mgmt Threat Vulnerability Mgmt Assurance testing Policy Alignment Link with Corp Security dashboard Content Security Services Svc Provider assessment IT Risk Management IT Assets Mgmt Comprehensive view Link dashboard to external/ service provider Info Leakage Prevention Digital Rights Mgmt Identity & Access Mgmt Info Retention & e- Discovery Integrate with corporate GRC framework People Awareness: Classroom Handbook, Video E-Awareness, Portal Certification Res sults / Be enefits Assurance of control effectiveness Information Security visible at Corp. Security Integration with Integration of security corporate security processes and technology business objectives Obtain stakeholder s confidence Transparency Visibility

19 In reality, not everything goes as planned. But stick to it PHASE 1 PHASE 2 PHASE 3 PHASE 4 Assurance and visibility to Business Integration to Business Optimized for Stakeholder s Confidence in IT Controls Integration to Corporate GRC icy Poli Proce ess / Te ech Corp Info Security Policy Information Security Dashboard IT Compliance Mgmt Sec Incident & Event Mgmt Threat Vulnerability Mgmt Assurance testing Policy Alignment Link with Corp Security dashboard Content Security Services Svc Provider assessment IT Risk Management IT Assets Mgmt Comprehensive view Link dashboard to external/ service provider Info Leakage Prevention Digital Rights Mgmt Identity & Access Mgmt Info Retention & e- Discovery Integrate with corporate GRC framework People Awareness: Classroom Handbook, Video E-Awareness, Portal Certification Res sults / Be enefits Assurance of control effectiveness Information Security visible at Corp. Security Integration with Integration of security corporate security processes and technology business objectives Obtain stakeholder s confidence Transparency Visibility

20 5 People First, We start small and called our SoC Security Assurance Control Center (SACC) using Subscription on-site Security Assurance Control Center Assurance Monitoring Assurance Testing Unplanned Assurance Reporting & Dashbo oard Policy Compliance Threat & Vulnerability Management Security Event Management Incident Response Sched dule of Tes st Internal & External Penetration test Station IT Security Posture Network Services Attestation Web Application code assurance Social Engineering Drill Price Agre eement Sc chedule of Additional Device For Monitoring Additional Testing Services Forensic services Other security services By man day rate

21 We did not own the tools, license, resources and servers. We own the information and results only. Security Assurance Control Center Assurance Monitoring Assurance Testing Unplanned Assurance Reporting & Dashbo oard Policy Compliance Threat & Vulnerability Management Security Event Management Incident Response Sched dule of Tes st Internal & External Penetration test Station IT Security Posture Network Services Attestation Web Application code assurance Social Engineering Drill Price Agre eement Sc chedule of Additional Device For Monitoring Additional Testing Services Forensic services Other security services By man day rate

22 IBM d i g i t a l d i g i t a l d i g i t a l d i g i t a l d i g i t a l imac imac imac Assurance monitoring i ensures compliance and all critical devices at HQ and stations are sufficiently protected Assurance Monitoring Reporting & Dashboard Policy Compliance Threat & Vulnerability Management Security Event Management Incident Response IT Helpdesk Threat Mgmt Center

23 IBM d i g i t a l d i g i t a l d i g i t a l d i g i t a l d i g i t a l imac imac imac Assurance testing ti is to provide the security view from the perpetrators for security improvements Assurance Testing Internal & External Penetration test Tester f Test Station IT Security Posture Schedule of Network Services Attestation Web Application code assurance Social Engineering Drill Tester

24 6 We also leverage on other s capabilities, locally MoU between Malaysia Airlines and CyberSecurity Malaysia

25 We also leverage on other s capabilities, internationally. MoU between Malaysia Airlines and Tata Consultancy Services

26 7 People First, As mentioned earlier, we did pause for certain capabilities but we continue to evolve into IT Control Tower Security Assurance Control Center IT Control Tower Assurance Monitoring Assurance Testing Unplanned Assurance RealITy Dashboard Reports porting & Dashboard Re Policy Compliance Threat & Vulnerability Management Security Event Management Incident Response Schedule of Test Internal & External Penetration test Station IT Security Posture Network Services Attestation Web Application code assurance Social Engineering Drill Sched dule of Price Agreem ment Additional Device For Monitoring Additional Testing Services Forensic services Other security services By man day rate Security Team Support Teams All Vendors IT IS Team ESM Team TM Team MH Mail Team

27 IT Control Tower uses more comprehensive tools which focuses on end to end IT services including Security and Compliance

28 8 People First, Talk the walk is equally important to walk the talk We need to marketecture. We communicate our findings to Board Safety and Security Committee - Quarterly Accountable Managers Meeting - Quarterly IT Management Monthly Participate in Cyberdrills with MKN and CyberSecurity y Malaysia Repels targeted attacks on Malaysia Airlines on 1 July 2012 (16 hours) Visits from fellow GLCs and Government agencies

29 IT Security Index Global Threat and Vulnerability Virus Protection Index Overall - Low Overall - Low Overall VPI % Status as on : July 2012 Report Status as on : July 2012 Report Status based on : July 2012 Report SPAM Filtering i Index IT Security Policy Compliance IT Security Incidents Overall SFI 81.6 % Overall IT SPC % Overall - Medium Status based on : July 2012 Report Status as on : July 2012 Report Status as on : July 2012 Report

30 We were awarded d for the Information Security project of the year 2009

31 We were awarded for the IT Visionary Award for Asia South 2008

32 In 2010, as a result of the earlier initiatives, i i i we won more awards It is nice to be appreciated. CIO of the year CIO of the year Deputy Minister Award Information Security projects of the year PCI-DSS

33 As a Recap Find the right resources Find the business value of your SoC Get the Sponsors and know your stakeholders Begin with the end in mind Start small but shout big Leverage Can pause but keep evolving Marketecture

34 Thank you