Business Case Components

Transcription

1 How to Build A SOC

2 Agenda Mission Business Case Components Regulatory requirements SOC Terminology Technology Components Events categories Staff Requirements Organiza>on s Considera>ons Training Requirements Staff Opera>ons Plans Overall SOC Infrastructure Design Facili>es & Building Requirements Processes and Procedures Diagram Social Media Profile

3 Mission All successful teams need a unifying sense of purpose to help mo>vate team members, priori>ze work, and respond effec>vely to the changing needs of the business. Time spent in this phase of planning will benefit the SOC long- term. Prior to building a SOC, organiza>ons must answer the following ques>ons: What needs will the SOC meet for the organiza>on? What are the specific tasks assigned to the SOC? (e.g., detec>ng asacks from the Internet, monitoring PCI compliance, detec>ng insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.) Who are the consumers of the informa>on collected and analyzed by the SOC? What requirements do they hope to impose on the SOC? Who is the ul>mate project sponsor for the SOC? Who will sell the SOC to the rest of the organiza>on? What requirements will he or she levy on the SOC? What types of security events will eventually be fed into the SOC for monitoring?

4 Business Case Components Facili>es: Furniture, computer equipment, special badging requirements, power, HVAC, telephony SOC Labor: Security analysts, shi[ leads, SOC managers Suppor>ng Labor: Network support, system support, database support, telephony support, security device management (if not performed by the SOC) Educa>on and Training: Classes, conferences, con>nuing educa>on Threat intelligence subscrip>ons: Up- to- the- minute informa>on on the latest threats Monitoring technology: Hardware, so[ware, storage, and implementa>on services Addi>onal technologies: Problem and change management, , knowledge sharing Recovering these costs is a much tougher problem to solve. The following list outlines some common approaches in jus>fying the expense of a SOC: Cost avoidance: Building the SOC will cost far less than not detec>ng, preven>ng, and responding to asacks. Cost efficiencies: Chances are that many of the SOC processes or technologies can help automate func>ons already taking place within the organiza>on. By accep>ng a new data feed and producing automated repor>ng, a SOC can o[en save the organiza>on money by reducing manual effort. Cost sharing: In many cases, other groups are currently tasked with the responsibili>es outlined for the future SOC. Are those groups willing to outsource these responsibili>es to the SOC? Having other organiza>ons help to foot the bill can minimize the overall impact to all. Revenue /Cost Recovery: Can SOC services be offered to customers either internal or external? There is more work in determining separa>on of informa>on among customers, pricing models, and other business aspects, but actual revenue (or cost recovery in the case of internal customers) is a powerful argument where SOC services can be leveraged to perform security services for other organiza>ons.

5 SOC Terminology Security defense center (SDC)" Security Intelligence Center (SIC)" Cyber Security Center (CSC)" Threat Defense Center (TDC)" Security Intelligence and Operations Center (SIOC) " Infrastructure Protection Centre (IPC)" Cyber Security Operations Centre (CSOC)

6 Regulatory requirements Establishing and opera>ng a SOC is expensive and difficult, IN SOME INSTANCES ITS COST EXCEEDS $4 USD. 1. Protec>ng sensi>ve data such online & e services, Ecommerce, Banking, Egovernment, Online transac>ons 2. Complying with industry rules such as PCI DSS 3. Complying with government rules, such as CESG GPG53

7 SOC Regulatory Requirements

8 Technology Components

9 Technology Components Security Events & Informa>on Management Network Discovery Vulnerability Assessment Governance, Risk & Compliance Website Assessments Monitoring Systems Applica>ons & Database Scanners Penetra>on Tes>ng Tools Intrusion Detec>on Tools Intrusion Preven>on Tools Log management Tools Network Behaviour Analysis tools DDOS & DOS Service Monitoring tools Wireless Intrusion Preven>on Systems NGFW Next Genera>on Firewall s Enterprise An>virus, An>spyware Malware Analysis Kit Unified threat Management Infrastructure Servers, Storage, Network, Cabling, End Users, Virtualisa>on, PC s & Monitors, Videowall PCOIP PC over IP connec>vity Mul>ple Networks Access & Security An> Phishing Service Converged Surveillance IP Network Cameras, Masts, VMS, Cabling, Infrastructure, Connec>vity Iden>ty & Access Management IAM & SSO, Physical Access Control Test Lab Data Centre Requirements Command & Control Centre design & requirements

10 SOC Events Categories CAT 0 Exercise/Network Defense Tes>ng CAT 1 Successful unauthorized Access CAT 2 Denial of service CAT 3 Successful installa>on or post- install beaconing of malicious code CAT 4 Improper Usage CAT 5 Scans/probes/ASempted Access CAT 6 Inves>ga>on

11 Staffing Requirements Opera;ons Shi[ Managers Team Leads Management Escala>ons Incident Handlers Execu>ve Support External En>>es such as Government, law enforcement Technical GIAC GCIA Engineers Researchers Cryptography CISSP SME s Forensics Network Engineers

12 Organiza>ons Considera>ons

13 Organiza>on's Considera>ons In some instances an org may need more than one SOC, or a NOC & SOC deployed. Deployments may be on a con>nent or global scale or within same campus depending on requirements. NOC will be responsible in such cases for monitoring overall network infrastructure while SOC is responsible for protec>ng networks.

14 Training Components Formal training should include the SANS (System Administra>on and Network Security) Intrusion Detec>on in Depth training module and the GCIA (GIAC Cer>fied Intrusion Analyst) cer>fica>on. This is the industry standard in training analysts in the fundamentals of TCP/IP, TCP/IP monitoring tools, and skills associated with advanced intrusion analysis. On- the- job training programs should provide an overview of important informa>on security concepts, training on specific intrusion detec>on tools in use, analy>cal processes and procedures, and effec>ve communica>on techniques. The SOC analyst will be required to effec>vely communicate and brief all levels of engineers and senior management during >mes of extreme stress, thus training in managing comba>ve communica>on is invaluable. This training should also include the hierarchy of communica>on methods. Learning when to page, call, e- mail or assign a >cket is a cri>cal skill. Addi>onally, it is important that any analyst learn to communicate in concise well- wrisen papers and e- mails. SOC managers should create a program that has aspiring analysts wri>ng analy>cal papers and then presen>ng their findings to their peers to hone wrisen and verbal communica>on skills.

15 Staff Opera>on Plans Staffing plans will evolve directly out of the needs of the mission. Is the SOC a virtual en>ty where events are collected, analyzed, alerted, and reported? Must the SOC have full- >me personnel to monitor consoles, analyze, alert, and report? Or, does the SOC need full staffing twenty- four hours a day, 7 days a week, all year round? These mission needs will dictate the staffing models that must be implemented.

16 Overall SOC Infrastructure Design

17 Process & Procedures Overflow

18 Ihab Ali Social Media Profile hap://blogs.forbes.com/people/ ihabali/