BUILDING AND MAINTAINING SOC

Similar documents
SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

locuz.com SOC Services

SIEMLESS THREAT MANAGEMENT

SECURITY OPERATIONS CENTER BUY BUILD BUY. vs. Which Solution is Right for You?

RSA NetWitness Suite Respond in Minutes, Not Months

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

From Managed Security Services to the next evolution of CyberSoc Services

RSA ADVANCED SOC SERVICES

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Traditional Security Solutions Have Reached Their Limit

Security Monitoring. Managed Vulnerability Services. Managed Endpoint Protection. Platform. Platform Managed Endpoint Detection and Response

Reducing the Cost of Incident Response

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Protecting organisations from the ever evolving Cyber Threat

FROM SIEM TO SOC: CROSSING THE CYBERSECURITY CHASM

Incident Response Agility: Leverage the Past and Present into the Future

White Paper. How to Write an MSSP RFP

RSA INCIDENT RESPONSE SERVICES

NEXT GENERATION SECURITY OPERATIONS CENTER

RSA INCIDENT RESPONSE SERVICES

Securing Your Digital Transformation

Security Terminology Related to a SOC

Integrated, Intelligence driven Cyber Threat Hunting

Click to edit Master title style. DIY vs. Managed SIEM

Nebraska CERT Conference

May the (IBM) X-Force Be With You

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

SECURITY OPERATION CENTER - Models, Strategies and development - By Ali Mohammadi Desember 12,13, 2017

SIEM Solutions from McAfee

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

Managed Endpoint Defense

C T I A CERTIFIED THREAT INTELLIGENCE ANALYST. EC-Council PROGRAM BROCHURE. Certified Threat Intelligence Analyst 1. Certified

How to Write an MSSP RFP. White Paper

<Partner Name> <Partner Product> RSA Ready Implementation Guide for. Rapid 7 Nexpose Enterprise 6.1

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

BUILT TO STOP BREACHES. Cloud-Delivered Endpoint Protection

to Enhance Your Cyber Security Needs

The New Normal. Unique Challenges When Monitoring Hybrid Cloud Environments

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

THREAT HUNTING REPORT

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

Simplify, Streamline and Empower Security with ISecOps

85% 89% 10/5/2018. Do You Have A Firewall Around Your Cloud? Conquering The Big Threats & Challenges

Reinvent Your 2013 Security Management Strategy

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

ISE North America Leadership Summit and Awards

KEDAYAM A KAAPAGAM MANAGED SECURITY SERVICES. Kaapagam Technologies Sdn. Bhd. ( T)

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

How Vectra Cognito enables the implementation of an adaptive security architecture

Cyber Security Technologies

PROTECTION FOR WORKSTATIONS, SERVERS, AND TERMINAL DEVICES ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

esendpoint Next-gen endpoint threat detection and response

Global Response Centre (GRC) & CIRT Lite. Regional Cyber security Forum 2009, Hyderabad, India 23 rd to 25 th September 2009

Background FAST FACTS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Cloud and Cyber Security Expo 2019

TRUE SECURITY-AS-A-SERVICE

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Incorporating Hunt Teams To Defend Your Enterprise

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

INTEGRATION BRIEF DFLabs and Jira: Streamline Incident Management and Issue Tracking.

Best Practices in Healthcare Risk Management. Balancing Frameworks/Compliance and Practical Security

ForeScout Extended Module for Splunk

Technical Review Managing Risk, Complexity, and Cost with SanerNow Endpoint Security and Management Platform

Upgrade your SOC with Security Analytics and Orchestration

Deception: Deceiving the Attackers Step by Step

THREAT HUNTING REPORT

4/13/2018. Certified Analyst Program Infosheet

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

deep (i) the most advanced solution for managed security services

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Position Title: IT Security Specialist

Evolution Of Cyber Threats & Defense Approaches

Make IR Effective with Risk Evaluation and Reporting

SIEMLESS THREAT DETECTION FOR AWS

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Designing and Building a Cybersecurity Program

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries

Managed Security Services - Endpoint Managed Security on Cloud

Consolidation Committee Final Report

Designing an Adaptive Defense Security Architecture. George Chiorescu FireEye

Symantec Security Monitoring Services

50+ Incident Response Preparedness Checklist Items.

empow s Security Platform The SIEM that Gives SIEM a Good Name

One Hospital s Cybersecurity Journey

Incident Response Services

Unlocking the Power of the Cloud

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Transcription:

BUILDING AND MAINTAINING SOC Digit Oktavianto KOMINFO 7 December 2016 digit dot oktavianto at gmail dot com 1 Digit Oktavianto

Profile in 1 Page Currently working as a Security Architect Professional Certifications: Specialization and Interest : Certified Ethical Hacker, EC Council GIAC Certified Incident Handler (GCIH) IBM Qradar Security Analyst Cyber Security Operation Center Threat Hunting DFIR Malware Analysis Cyber Defense Operation Threat Intelligence OSINT Incident Handling and Incident Response Active Defense and Continuous Monitoring More than 5 years in Information Security Field 2 Digit Oktavianto

SECURITY OPERATION CENTER Organization faces many challenges in protecting its data and IT infrastructure. Organization is experiencing compromises on a daily basis. The threats are real and increasing, and now include sophisticated Advanced Persistent Threats. A security operations center provides centralized and consolidated cyber security incident prevention, detection and response capabilities. Security operations functions : Security monitoring Cyber security incident response management Threat and vulnerability management Security device management and maintenance 3 Digit Oktavianto

WHY NEED SOC Because a firewall and IDS are not enough Center of all information security operations It provides : Continuous Monitoring Detection Protection and Prevention Response capabilities against threats, remotely exploitable vulnerabilities and real-time incidents on the networks Works with CERT (Computer Emergency Response Team) / IR Team to create comprehensive infrastructure for managing security operations 4 Digit Oktavianto

CYBER SECURITY MONITORING AND INCIDENT MANAGEMENT 5 Digit Oktavianto

CORE COMPONENT TECHNOLOGY 6 Digit Oktavianto

So, If I Buy All of the Technologies, will I have a SOC? BIG NO!!!!!!!!!! SOC involves PEOPLE and PROCESS which are in fact MORE IMPORTANT than tools 7 Digit Oktavianto

BENEFIT OF HAVING SOC Security Operation Center can satisfy compliance regulatory and enhance security capability for organization. These can range from self-service solutions that require clients to view their own incident alerts in a portal to full-service solutions that will proactively alert clients when security incidents occur. Benefits of partnering with an MSSP for maintaining Security Operation Center are : Access to security expertise, research and threat intelligence. Efficient process, procedure, and workflow to improve time in remediation and mitigation security issues. Saving time on building team and setup infrastructure for developing proper SOC Cross-device and cross-vendor correlation to improve security awareness and reduce risk. 8 Digit Oktavianto

SOC EXPECTATIONS : Watch and protect the infrastructure Monitor Network Traffic, watching for anomalies Protect Users Internal and External Threat detection Alert and Escalate Internal and External Threat mitigation 9 Digit Oktavianto

SOC EXPECTATIONS :.and also Monitor Users Systems Configuration Data Loss Prevention Forensics Analysis Threat modeling 10 Digit Oktavianto

SOCMISSION 1. Prevention. 2. Monitoring, detection, and analysis. 3. Response and Mitigation 4. Providing situational awareness and reporting. 5. Engineering and operating CND technologies. 11 Digit Oktavianto

Prevention of cybersecurity incidents through proactive: Continuous threat analysis SIM + SEM = SIEM Network and host scanning for vulnerabilities Vulnerability Management. Countermeasure deployment coordination NIPS & HIPS AV / NGAV Endpoint Detection & Response WAF BDS ( breach detection systems) + SWG (proxy) NGFW / UTM Security policy and architecture consulting. 3rd party engangement MISSIONS #1 12 Digit Oktavianto

MISSIONS #2 Monitoring, detection, and analysis of potential intrusions in real time and through historical trending on security-relevant data sources SIEM Near Real Time (there must be a delay). Correlation & Rule based. Security Analytics (threat hunting) Finding needle in a stack of needles (security big data) Historical 13 Digit Oktavianto

MISSIONS #3 Response by coordinating resources and directing use of timely and appropriate countermeasures. Usually referred as incident handling & response. Quarantine (damage control) Block Activity. Deactivate Account. Remediate. Re-image. Virus scan Continue Watching. Refer to Outside Party. Browse Phone a friend 14 Digit Oktavianto

MISSIONS #4 Providing situational awareness and reporting on cybersecurity status, incidents, and trends in adversary behavior to appropriate organizations 15 Digit Oktavianto

MISSIONS #5 Engineering and operating CND technologies FW Endpoint Protection IPS BDS (Breach Detection System) Secure Web Gateway Email Security SIEM Packet Sniffer Security Analytics 16 Digit Oktavianto

SOCBUILDING BLOCKS 17 Digit Oktavianto

SOC Organization Chart PEOPLE 18 Digit Oktavianto

SOC Organization Chart : SOC Manager SOC Analyst Level 1 Level 2 Incident Handler / Responder Forensic Malware Analyst Threat Hunter PEOPLE 19 Digit Oktavianto

SOCORGANIZATION BEST PRACTICE 20 Digit Oktavianto

PROCESS SOC processes are broken up into the four main categories : Business processes : Document all the administrative and management components that are required to effectively operate a SOC. Technology processes : Maintain all the information relating to system administration, configuration management and conceptual design. Operational processes : Document the mechanics of the daily operations, like shift schedules and turn-over procedures. Analytical processes : Encompass all activities designed to detect and better understand malicious events. 21 Digit Oktavianto

PROCESS Define Business Process Procedure SOP for Incident Handling Define Technology Process SOP for Changes Management SOP for Problem Management (troubleshooting) SOP for Deployment SIEM 22 Digit Oktavianto

PROCESS Define Operational Process Shift Staff Schedule Personnel Shift Reporting SLA for Incident Response SLA for recommendation and solution for security threat ticket Defining Analytical Process SOC Workflow (Ticketing, Analysis Security Events, Escalation, Response, etc) Security Incident Procedure Flow Reporting Document for Customer 23 Digit Oktavianto

TECHNOLOGY Modern SOC Tools SOC Weapon Triad LOGS: Log analysis -SIEM NETWORK: Network traffic analysis (NTA and/or NFT) ENDPOINT: Endpoint activity analysis EDR Analytics UEBA / UBA (User Behavior Analysis) and other security analytics Threat intelligence Incident Respond and Forensic Tools 24 Digit Oktavianto

MODERNSOC MODEL? 25 Digit Oktavianto

FAMILY OF SOC SERVICES Select SOC own processes: 1. Alert triage 2. Use case content management / detection engineering 3. Threat hunting Select SOC process dependencies: 1. Security incident response 2. IT Change management 3. IT Asset management 26 Digit Oktavianto

MAINTAINING SOC Staff Schedule Transfer / Update Knowledge Lab Exercise and Use Case Expanding / Upgrading Technology 27 Digit Oktavianto

SOC USE CASE 28 Digit Oktavianto

SOCCHALLENGES Trying to build a SOC with limited resources (people, tools, budget) Sole focus on alert pipeline; no deeper analysis apart from processing alerts that are shown to analysts Not enough visibility tools; sole focus on SIEM Vendor dependencies (Especially the Core System : SIEM) Trying to provide SOC services from a NOC/Help Desk Different Point of View / Mindset from NOC to SOC Not working to retain staff and not having a staff retention strategy 29 Digit Oktavianto

SOCCHALLENGES Most of SOC in Indonesia still adopt REACTIVE Approach instead of PROACTIVE Approach (Threat Hunting and Threat Intelligence) SOC Needs visibility down to the Host Level (Endpoint) 30 Digit Oktavianto

31 Digit Oktavianto

FINISH Q &A 32 Digit Oktavianto

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback