Building Your Security Operations Center and Taking it to the Next Level



Abstract

IT threats continue to evolve and become more evasive, blended, and persistent, with attackers finding resourceful ways to avoid detection and breach security. The key to cyber defense is to develop Security Operations Centers (SOCs) that will evolve continuously to effectively counter such advanced attacks. This paper presents a comprehensive strategy for developing a next-gen SOC, along with a systematic approach to effective management.

Although most large enterprises have Security Operations Centers (SOCs), nearly 70% of security breaches are detected by external agencies [1].

Evolving Security Threats

As 2015 saw several high-profile cyber security breaches [2] involving JP Morgan Chase and Sony, among others, enterprises are increasingly focusing on developing and maintaining a robust Information Security Operations Center (SOC) to achieve impeccable security. Most SOCs currently focus on perimeter and network threats, resulting in incomplete coverage and limited ability to address security requirements. This is compounded by:

- Impeded visibility into security issues due to multiple teams working in silos
- Lack of broader organizational participation and effective processes to support response management
- Shortage of skills and attrition

Three Steps to a Successful SOC

Four key elements go into building a world-class SOC: people, processes, technology, and intelligence (Figure 1). The wider the coverage of the SOC across these four aspects, the more robust the security management.

Figure 1: SOC Building Blocks
- People: security analysts; security incident responders and forensics examiners; security technology engineering team; threat intelligence specialists (threat hunters); SOC manager
- Process: security event management (log and use case management); security incident response (response process and plans); technology engineering and operations (ITIL incident, change, configuration and release management)
- Technology: protection and detection technologies (firewalls, AV, IDS/IPS, ATD/ATP, honeypots or decoys, etc.); analytical and correlation platforms (security analytics, SIEM, VM, visualization tools); response and remediation tools (ETDR, malware analysis, forensics); orchestration tools (workflow management, response orchestration, and case management)
- Intelligence: strategic intelligence; tactical intelligence; operational intelligence

Building a comprehensive SOC is a long-term initiative. The following three steps are critical to developing an effective SOC.

1. Define the strategy and implementation plan. As security management requirements vary across organizations, it is imperative to first understand the enterprise's requirements and drivers for a SOC. Therefore, you need to:

- Conduct an as-is assessment to gain insight about the current state, define the target state, and plan better to implement effective solutions.
- Plan a phase-wise implementation with key objectives for each phase, as well as details of activities you need to perform.

2. Define the key components. Define the technologies to be used in the SOC and how they are to be integrated. Then, identify information and event sources, develop use cases, and decide on the reporting structure.

Technologies: The key technologies needed for a SOC are listed in Table 1. These technologies can be adopted based on where you are on the maturity curve. For example, in terms of detection and protection, you can start with basic security controls (such as antivirus, intrusion detection, proxies, and firewalls), and then move on to more enhanced techniques such as honeypots and endpoint threat detection and response. Similarly, in terms of security analytics, you can first ensure you are reviewing security event data, and later include forensic-level information. For service management, you can start with a simple workflow and later add response orchestration for automation.

Table 1: Key technologies needed for a SOC

Type: Detection and protection technologies
- Next-generation firewalls
- Email security gateway
- Web security gateway
- Intrusion detection/prevention system
- Antivirus (network and endpoint)
- Integrity monitoring and change detection
- Advanced threat detection/prevention
- Honeypots and decoys
- Endpoint threat detection and incident response

Type: Security analytics and incident response
- Security information and event management
- Data analytics
- Malware analysis (static and dynamic)
- Host and network forensics
- Visualization and analytics tools

Type: Orchestration
- Workflow automation
- Response orchestration
- Case management

Information Sources: Next, organizations should identify the most relevant information sources, such as:

- Security tools or devices such as antivirus systems, firewalls, and web and email security that generate alerts and events for any security issue detected
- Identity and access management (IAM) systems, including Active Directory and IAM tools
- Enrichment sources, including internal and external data feeds that help understand the context and evaluate a security incident
- Platform and application related information

Reporting and Use Cases: After selecting the technologies and information sources, define use cases and reports. To arrive at these use cases, you should:

- Create a high-level threat profile of the environment
- Set high-level detection objectives, including events of interest (e.g., brute force attacks, data exfiltration, etc.) and the threshold for each
- Create reports that offer a view of overall traffic trends or attack patterns to facilitate informed decisions. To be effective, these reports should:
  - Be targeted to the recipients
  - Provide actionable insights for each stakeholder
  - Have well-defined key performance indicators (KPIs) and key risk items (KRIs) for each line item

Key reports you should consider are:

- A security risk dashboard that highlights big risk items, current open issues, and overall security health
- Security event trends, which cover issues related to access, vulnerabilities, malware, intrusions, etc.
- Compliance status, including top violators and actions required
- Service management reporting, including volumes handled and SLA performance

3. Implement the SOC. The implementation phase includes deployment of the selected SOC tools and technologies, configuration of processes, and creation of a SOC team. Each technology has a different topology, as defined by the vendor. The most critical is the security analytics layer, which gathers information from various sources and brings additional context from external and internal sources to deliver efficient and actionable information to the SOC team. Figure 2 shows our suggested model for security analytics.
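A detection use case of the kind described above (an event of interest plus a threshold), written out as an added example that is not code from the paper or from TCS. It takes the "brute force attack" objective, defines it as a threshold over a time window, evaluates it against constructed sshd-style log lines, and escalates when a successful login follows the failures. The log format, the use-case parameters, and the alert fields are assumptions chosen for the illustration; a SIEM would normally express the same rule in its own query language.

```python
"""Threshold-based detection use case: failed logins per source in a window.
Added example; the log lines below are constructed, not taken from any system."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sshd-style log lines. 10.0.0.5 fails six times in 20 seconds and
# then succeeds; 10.0.0.9 is a user mistyping once; 10.0.0.7 fails five times but
# spread over 12 minutes, which the window below should not count as one burst.
SAMPLE_LOGS = [
    "2016-08-03T10:00:01 sshd[4011]: Failed password for invalid user admin from 10.0.0.5 port 51122 ssh2",
    "2016-08-03T10:00:04 sshd[4011]: Failed password for invalid user admin from 10.0.0.5 port 51123 ssh2",
    "2016-08-03T10:00:07 sshd[4011]: Failed password for root from 10.0.0.5 port 51124 ssh2",
    "2016-08-03T10:00:11 sshd[4011]: Failed password for root from 10.0.0.5 port 51125 ssh2",
    "2016-08-03T10:00:15 sshd[4011]: Failed password for root from 10.0.0.5 port 51126 ssh2",
    "2016-08-03T10:00:16 sshd[4011]: Failed password for root from 10.0.0.5 port 51127 ssh2",
    "2016-08-03T10:00:20 sshd[4011]: Accepted password for root from 10.0.0.5 port 51128 ssh2",
    "2016-08-03T10:00:30 sshd[4011]: Failed password for alice from 10.0.0.9 port 40000 ssh2",
    "2016-08-03T10:00:35 sshd[4011]: Accepted password for alice from 10.0.0.9 port 40001 ssh2",
    "2016-08-03T10:00:40 sshd[4011]: Connection closed by 10.0.0.9 port 40001 [preauth]",
    "2016-08-03T10:01:00 sshd[4011]: Failed password for bob from 10.0.0.7 port 42000 ssh2",
    "2016-08-03T10:04:00 sshd[4011]: Failed password for bob from 10.0.0.7 port 42001 ssh2",
    "2016-08-03T10:07:00 sshd[4011]: Failed password for bob from 10.0.0.7 port 42002 ssh2",
    "2016-08-03T10:10:00 sshd[4011]: Failed password for bob from 10.0.0.7 port 42003 ssh2",
    "2016-08-03T10:13:00 sshd[4011]: Failed password for bob from 10.0.0.7 port 42004 ssh2",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


@dataclass(frozen=True)
class UseCase:
    """A detection objective expressed as an event of interest plus a threshold."""
    name: str
    threshold: int        # failures that constitute a burst
    window: timedelta     # period within which the failures must occur
    severity: str


# Assumed parameters for the brute-force objective named in the paper.
BRUTE_FORCE = UseCase("Brute force: failed logins per source",
                      threshold=5, window=timedelta(minutes=2), severity="medium")


def parse(line):
    """Return {ts, result, user, ip} for an auth line, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group("ts")), "result": m.group("result"),
            "user": m.group("user"), "ip": m.group("ip")}


def detect_brute_force(lines, use_case=BRUTE_FORCE):
    """Sliding-window count of failures per source IP.

    Raises one alert per source when the threshold is crossed, and a second,
    high-severity alert if that source then authenticates successfully while
    its failures are still inside the window (a likely compromised account)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > use_case.window:  # expire old failures
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= use_case.threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append({"use_case": use_case.name, "source_ip": ev["ip"],
                               "failures": len(recent), "severity": use_case.severity,
                               "at": ev["ts"].isoformat()})
        elif len(recent) >= use_case.threshold:
            alerts.append({"use_case": use_case.name + " (success after failures)",
                           "source_ip": ev["ip"], "user": ev["user"],
                           "failures": len(recent), "severity": "high",
                           "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOGS):
        print(alert)
```

The window matters as much as the count: with the same five-failure threshold, 10.0.0.7 never alerts because its attempts are three minutes apart, which is the kind of tuning the paper's "threshold for each" objective calls for when false positives or false negatives pile up.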

Figure 2: Security Analytics Model
- Data sources (events and data): applications, network, endpoint, security, database
- Security analytics platform: visibility (network monitoring, email), alert/correlation, forensics, auditing, reporting
- Data enrichment, internal feeds: vulnerability and asset information; identity information
- Data enrichment, external feeds: known bad IP addresses, domains, hashes, etc.; IOCs for latest threats
- Outputs: compliance reports for regulations and internal policy; security alerts, analysis, and incident response; integration with service management tools for integrated response; monitoring of the network and all applications across the entire infrastructure

Role of Intelligence, Technology, and Operations Units

The core reason why a SOC is different from other IT support functions is the ever-changing nature of vulnerabilities. The key aspects of SOC service operations are depicted in Figure 3.

Figure 3: SOC Operational Pyramid
- Intelligence: gather intelligence on the latest threats and threat actors
- Engineering: ingest intelligence into tools and technologies for detection/protection
- Operations: monitor and respond to cyber security incidents
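The intelligence-to-engineering-to-operations flow of Figure 3, and the collect/process/consume steps the paper describes for the research unit (de-duplication, filtering, validation, then watchlist lookup and alerting), as an added example that is not code from the paper or from TCS. Two constructed feeds are merged into validated indicators and then matched against constructed proxy, DNS, and endpoint events; a hit is enriched with the indicator's sources and confidence, which is the context the analyst needs to triage it. The feed schema, the event field names, the internal-range filter, and the confidence cut-off are all assumptions made for the example.

```python
"""Threat intelligence pipeline: collect feeds, process them into validated
indicators, and consume them as a watchlist against security events.
Added example; feed entries and events are constructed, not real IOCs."""
import ipaddress
import re
from dataclasses import dataclass

# --- Collect: two constructed feeds that overlap and contain junk -----------
FEED_A = [
    {"type": "ip", "value": "203.0.113.7", "source": "feed-a", "confidence": 80},
    {"type": "domain", "value": "Malicious.Example.NET.", "source": "feed-a", "confidence": 70},
    {"type": "sha256", "value": "AB" * 32, "source": "feed-a", "confidence": 90},
]
FEED_B = [
    {"type": "ip", "value": "203.0.113.7", "source": "feed-b", "confidence": 60},   # duplicate of feed-a
    {"type": "ip", "value": "10.0.0.1", "source": "feed-b", "confidence": 95},      # internal range: noise
    {"type": "domain", "value": "not a domain", "source": "feed-b", "confidence": 80},  # malformed
    {"type": "sha256", "value": "ZZZ", "source": "feed-b", "confidence": 80},       # malformed
    {"type": "ip", "value": "198.51.100.23", "source": "feed-b", "confidence": 30},  # low confidence
]


@dataclass(frozen=True)
class Indicator:
    type: str
    value: str
    sources: tuple   # every feed that reported it, after de-duplication
    confidence: int  # highest confidence any feed assigned


# Assumed filter: indicators inside the organization's own ranges (RFC 1918 here)
# would only generate noise when looked up against internal traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize(ioc_type, value):
    """Canonical form so that the same indicator from two feeds compares equal."""
    value = value.strip().lower()
    return value.rstrip(".") if ioc_type == "domain" else value


def is_valid(ioc_type, value):
    """Validation step: reject malformed values and internal/special addresses."""
    if ioc_type == "ip":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            return False
        return not (ip.is_loopback or ip.is_multicast or ip.is_unspecified
                    or any(ip in net for net in INTERNAL_NETS))
    if ioc_type == "domain":
        return DOMAIN_RE.match(value) is not None
    if ioc_type == "sha256":
        return SHA256_RE.match(value) is not None
    return False


def process(feeds, min_confidence=50):
    """De-duplicate, filter and validate raw feed entries into Indicators,
    keyed by (type, value). Confidence is filtered after merging so that a
    low-confidence duplicate cannot drop an indicator another feed trusts."""
    merged = {}
    for feed in feeds:
        for entry in feed:
            value = normalize(entry["type"], entry["value"])
            if not is_valid(entry["type"], value):
                continue
            key = (entry["type"], value)
            prev = merged.get(key)
            sources = (set(prev.sources) if prev else set()) | {entry["source"]}
            confidence = max(prev.confidence, entry["confidence"]) if prev else entry["confidence"]
            merged[key] = Indicator(entry["type"], value, tuple(sorted(sources)), confidence)
    return {k: v for k, v in merged.items() if v.confidence >= min_confidence}


# --- Consume: lookup against events from the data sources in Figure 2 --------
EVENT_FIELDS = {"dst_ip": "ip", "domain": "domain", "sha256": "sha256"}  # assumed event schema

SAMPLE_EVENTS = [  # constructed
    {"log": "proxy", "host": "ws-17", "dst_ip": "203.0.113.7"},
    {"log": "dns", "host": "ws-03", "domain": "MALICIOUS.example.net"},
    {"log": "edr", "host": "srv-01", "sha256": "ab" * 32},
    {"log": "proxy", "host": "ws-17", "dst_ip": "192.0.2.50"},
    {"log": "dns", "host": "ws-03", "domain": "intranet.example.com"},
]


def match_events(events, indicators):
    """Watchlist lookup: enrich each hit with the indicator's sources and confidence."""
    alerts = []
    for event in events:
        for field, ioc_type in EVENT_FIELDS.items():
            if field not in event:
                continue
            hit = indicators.get((ioc_type, normalize(ioc_type, event[field])))
            if hit:
                alerts.append({"host": event["host"], "log": event["log"], "type": ioc_type,
                               "indicator": hit.value, "sources": hit.sources,
                               "confidence": hit.confidence})
    return alerts


if __name__ == "__main__":
    indicators = process([FEED_A, FEED_B])
    for alert in match_events(SAMPLE_EVENTS, indicators):
        print(alert)
```

Of the eight raw feed entries, three survive processing; the duplicate IP is kept once with both feeds listed as sources, and the three alerts carry that provenance, which is what lets the operations unit weigh a hit rather than treat every feed match as equal.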

The research and intelligence unit: This unit should continuously research the latest threats and vulnerabilities and define the indicators of new threats. Threat intelligence involves collection, processing, and consumption of information (Figure 4). Rather than rely solely on threat feeds, which generally help in malware-specific use cases only, organizations should ensure continuous development of use cases or new alerts to detect potential threats.

Figure 4: Threat Intelligence Processing
- Collect (research and feed gathering): IP reputation; domain reputation; file hashes; vulnerabilities and exploits; threat actors; malware samples; new threat IOCs
- Process (intelligence processing): de-duplication; filtering; analysis; validation; IOC development
- Consume (feed consumption): watchlist and lookup configuration (perimeter devices, SIEM, VM, and GRC tools); notifications and alerting; trend analysis and reporting

The technology and engineering unit: This unit implements the use cases in production. To ensure the right use of security intelligence, organizations need to implement ways to detect indicators of compromise (IOCs) within the security tools. Around 35% of detection comes from threat intelligence information.

The operations and response unit: Even a well-defined and designed SOC may fail to operate effectively in the event of too many false positives or false negatives. For efficient operations, use a customized version of the incident response framework defined by the National Institute of Standards and Technology (NIST) [3], which advocates four steps to incident response: detection, containment, eradication, and restoration. The SOC team should take control in the detection, containment, and eradication phases for efficient threat detection and faster incident response.

Implementing Continuous Improvement and Transformative Initiatives

Increasing maturity in coverage, detection, and response capabilities is the goal of a SOC. Figure 5 depicts a mature, effective SOC. To ensure that security coverage is not limited to perimeter and security devices, organizations need to ensure wider coverage that includes a number of geographies, business units, use cases, and technologies.

Figure 5: SOC Maturity Model
- Coverage: compliance and security focus + IT infrastructure, platform, and database + business applications and custom sources
- Detection: basic detection + advanced correlation + enhanced visibility
- Response: defined but ad hoc + managed and measured + optimized and automated

Security requires holistic visibility. To deliver modern use cases in a next-generation SOC, the platform should support Big Data analytics and workflow-based response capabilities. Analysis of information from various sources will eventually improve endpoint and network visibility and enable enterprises to facilitate advanced malware solutions. To improve response management, the first phase is to define the response strategy and document it for security analysts. Then measure responses and move to automated response management for higher quality and operational efficiency.

Conclusion

Having a comprehensive SOC can enhance your ability to proactively detect, prevent, and respond to security threats and incidents. Given the rapidly evolving digital landscape and nature of threats, technologies used in SOCs should be scalable and interoperable to ensure effective and efficient operations. The process should be designed with stakeholder accountability and communications, and associated mechanisms should be defined as part of the processes. While it is imperative to build a SOC with the right mix of talent and functional attributes, infrastructure, processes, and technologies, continuous improvement to achieve operational maturity should also be ensured.

References

[1] FireEye, Mandiant 2015 Threat Report, accessed August 2016, https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
[2] Forbes, The Top 10 Security Breaches Of 2015 (Dec 31, 2015), accessed on Aug 3, 2016, http://www.forbes.com/sites/quora/2015/12/31/the-top-10-security-breaches-of-2015/#30afc4694ff0
[3] NIST, Computer Security Incident Handling Guide (Aug 2012), accessed Nov 2015, http://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

About the Author

Tirath Singh is part of the Managed Security Services team within the Enterprise Security and Risk Management (ESRM) business unit at Tata Consultancy Services (TCS). Singh has 12 years of experience in building and managing Security Operations Centers.

Contact: Visit the TCS Enterprise Security and Risk Management services unit page for more information. Email: Global.esrm@tcs.com

About Tata Consultancy Services Ltd (TCS)

Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled, infrastructure, engineering and assurance services. This is delivered through its unique Global Network Delivery Model (TM), recognized as the benchmark of excellence in software development. A part of the Tata Group, India's largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India. For more information, visit www.tcs.com.

Copyright 2016 Tata Consultancy Services Limited