Readiness, Response & Resilience: Building Out Advanced Security Operations
Husam Al Saraf, Solutions Principal Lead, Turkey, Africa & Middle East
#RSAemeaSummit
Traditional Security Operations: Top Gaps

People
  Inadequate security resources
  Threat, content and analysis specialization
  R&R not clearly defined
  No user awareness training for advanced threats

Process
  Based on failed controls
  Ad hoc processes/procedures
  No post-incident lessons learned
  Lack of breach management process/procedures

Technology
  SIEM-centric, lacking:
    Actionable data intel
    Threat intel
    Content intel
    Analytics intel
    Forensics capability
    Business & risk context
Understanding the Breach Cycle
Advanced Security Operations Requirements
1. Business Alignment: What is the purpose and mission; does it align with the business and have appropriate buy-in?
2. Risk Based: We should not apply equal risk and importance to all assets. Focus must be risk based, such that the ASOC ensures all critical assets are within scope and their threats are well defined.
3. Defense-in-depth: Security needs to be layered, and the program needs to leverage the defenses of the various technologies and of the other programs and components of the organization's security program.
4. Content Intelligence: We need to ensure that the ASOC has a data enrichment capability, such that white noise is filtered out and the data that reaches the analysts is value-added.
5. Analytic Intelligence: We need to be able to conduct forensics and have actionable intelligence for further analysis.
6. Threat Intelligence: We need to be proactive: who are the adversaries, what are their attack vectors, and which assets are they interested in?
7. Operations: We need an operations and incident handling & response capability tied to a breach management framework.
8. Reporting (Maturity & Metrics): The organization needs a tracking capability to ensure that it is evolving as the business and the threat landscape evolve.
RSA's Solution Framework
360 Degrees of Innovation (RSA Driving the ASOC Space)
The Advanced Cyber Defense practice, as part of RSA Global Services, was granted U.S. Patent #8,782,784 B1, assigned to EMC Corporation.
Modular Program: Readiness, Response & Resilience
RSA Advanced Cyber Defense (ACD) Overview
Develop strategy and tactics for intelligence-driven security operations to reduce breach exposure time.
The portfolio of services offered by the RSA Advanced Cyber Defense practice covers:
Readiness: Includes a review of current strategy and capabilities, a maturity scorecard with peer comparisons, and a phased roadmap with remediation recommendations for achieving the target state.
Response: Includes a rapid breach-response service and a service-level agreement (SLA)-based retainer service providing surge access to resources and expertise.
Resiliency: Includes advice on building and improving an organization's SOC and on transforming the security organization from a reactive to a proactive, intelligence-driven security operations program.
ACD Solutions Portfolio
How do we start?
Start with RSA ACD BRASS: Overview
Engagement Approach
Capability Maturity Modeling
ACD Services Team
BRASS Typical Service Timelines