Building and Instrumenting the Next-Generation Security Operations Center. Sponsored by




Featured Speakers. Our knowledgeable speakers today are:
- Moderator: Tim Wilson, Editor in Chief, Dark Reading
- Roselle Safran, Co-founder & CEO, Uplevel Security
- Chris Petersen, Co-founder, SVP of Customer Care & CTO, LogRhythm

BUILDING AND INSTRUMENTING THE NEXT-GENERATION SECURITY OPERATIONS CENTER. OCTOBER 11TH, 2016. Roselle Safran, roselle.com

BACKGROUND: Uplevel Security; Executive Office of the President; DHS/US-CERT; Ernst & Young

PURPOSE OF A SECURITY OPERATIONS CENTER (SOC). A SOC protects the confidentiality, integrity and availability of the organization's information systems and assets. (Diagram: Prevent, Detect, Respond.)

NEXT-GENERATION SOC KEY CHARACTERISTICS. A Next-Gen SOC uses a systematic approach to optimize the abilities of its people, the capabilities of technology, and the structure of processes to most effectively protect the confidentiality, integrity and availability of the organization's information systems and assets against an increasingly varied, adaptive and sophisticated set of adversaries. A Next-Gen SOC follows the TRAIL:
- Thoroughly scoped
- Resilient by design
- Automated to streamline
- Intelligence-driven
- Learning continuously

THOROUGHLY SCOPED Devised and assembled in a comprehensive and holistic manner

THOROUGHLY SCOPED: PEOPLE (diagram: Tier 1, Tier 2 and Tier 3 analysts; Insider Threat; Other Business Units)

THOROUGHLY SCOPED: TECHNOLOGY (diagram: Prevent, Detect and Respond columns; FOUNDATIONAL layer: Email, Traffic, Log Management, Investigate, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt, Alert/Case Management; ADVANCED layer above it)

THOROUGHLY SCOPED: PROCESSES (diagram: Tech and People at the center; Policies: IT use, Retention, etc.; Playbooks: Prevent, Detect, Respond, etc.; Performance Metrics: Managerial, Operational, etc.; Plans: Incident Response, Business Continuity, Exercises, etc.)

THOROUGHLY SCOPED
* People
  - Analysts (Tiers 1, 2, 3)
  - Other business units
  - Insider threat
* Technology
  - Foundational elements
    -- Prevention: email, network traffic, endpoint filter; vulnerability management; inventory management
    -- Detection: email, network traffic, endpoint monitor; log management
    -- Response: email, network traffic, endpoint investigate; centralized ticket/case management
  - Advanced elements layered on top
* Processes
  - Define policies (IT use, retention, etc.)
  - Define playbooks (prevention, detection, response, etc.)
  - Define metrics (managerial, operational, etc.)
  - Define plans (incident response, business continuity, exercises, etc.)

RESILIENT BY DESIGN Structured to efficiently adapt to new and challenging tactical, operational and strategic situations

RESILIENT BY DESIGN: PEOPLE (diagram: Tier 1, Tier 2 and Tier 3 analysts; Engineering; Red Team; Insider Threat; Other Business Units)

RESILIENT BY DESIGN: TECHNOLOGY (diagram: Prevent, Detect and Respond columns, extended into the cloud; ADVANCED layer: Webserver, Cloud, Mobile Device Management, App/DB, Phys Sec, Pen Testing, Triage, Remediate/Mitigate; FOUNDATIONAL layer: Email, Traffic, Log Management, Investigate, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt, Alert/Case Management)

RESILIENT BY DESIGN: PROCESSES (diagram: Implement technology and policies (IT use, Retention, etc.); Train all team members as new tech and info arrive; Assess playbooks and plans with periodic exercises; Update playbooks and plans when adding tech and after assessments; Performance Metrics: Managerial, Operational, etc.; Plans: Incident Response, Business Continuity, Exercises, etc.; Playbooks: Prevent, Detect, Respond, etc.)

RESILIENT BY DESIGN
* People
  - Engineering
  - Red Team
  - 24x7 or follow the sun
* Technology
  - Penetration testing
  - Full incident response lifecycle coverage (triage, investigate, remediate/mitigate)
  - Private cloud infrastructure
  - Modular approach to adding enterprise-specific technology
    -- Mobile device management
    -- Cloud filter and monitor
    -- Webserver filter
    -- Application, Database monitor
    -- Physical security monitor
* Processes
  - Train all team members as new tech and info arrive
  - Assess playbooks and plans with periodic exercises
  - Update playbooks and plans when adding tech and after assessments
  - Implement technology

AUTOMATED TO STREAMLINE Utilizing machine capabilities in place of human involvement when applicable for productivity gains

AUTOMATED TO STREAMLINE: PEOPLE (diagram: Tier 1, Tier 2 and Tier 3 analysts; Engineering; Red Team; Insider Threat; Other Business Units; Hunters)

AUTOMATED TO STREAMLINE: TECHNOLOGY (diagram: Prevent, Detect and Respond columns, extended into the cloud; ADVANCED layer: Webserver, Cloud, Mobile Device Management, App/DB, Phys Sec, Pen Testing, Sandbox, Graph Analysis, Triage, Remediate/Mitigate, Playbook Orch/Exe, Response Tracking; FOUNDATIONAL layer: Email, Traffic, Log Management, Investigate, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt, Alert/Case Management)

AUTOMATED TO STREAMLINE: PROCESSES (diagram: Implement technology and policies (IT use, Retention, etc.); Train Tier 1 Analysts for new roles; Assess automation tech periodically; Update playbooks and metrics when adding tech; Performance Metrics: Managerial, Operational, etc.; Plans: Incident Response, Business Continuity, Exercises, etc.; Playbooks: Prevent, Detect, Respond w/ automation, etc.)

AUTOMATED TO STREAMLINE
* People
  - Tier 1 roles eliminated
  - Tier 1 Analysts move to advanced work
  - Hunters
* Technology
  - Sandbox
  - Graph analysis
  - Playbook orchestration and execution
  - Response tracking
* Processes
  - Train Tier 1 Analysts for new roles
  - Assess automation tech periodically
  - Update playbooks when adding tech
  - Update metrics when adding tech
  - Implement technology

INTELLIGENCE-DRIVEN Applying relevant, timely and actionable information to the appropriate aspects of operations

INTELLIGENCE-DRIVEN: PEOPLE (diagram: Tier 1, Tier 2 and Tier 3 analysts; Engineering; Red Team; Insider Threat; Other Business Units; Hunters; Threat Intel)

INTELLIGENCE-DRIVEN: TECHNOLOGY (diagram: Prevent, Detect and Respond columns, extended into the cloud; ADVANCED layer: Webserver, Cloud, Mobile Device Management, App/DB, Phys Sec, Pen Testing, Sandbox, Graph Analysis, Triage, Remediate/Mitigate, Playbook Orch/Exe, Response Tracking, Threat Intel Management/Scoring/Report Generation; FOUNDATIONAL layer: Email, Traffic, Log Management, Investigate, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt, Alert/Case Management)

INTELLIGENCE-DRIVEN: PROCESSES (diagram: Implement technology and policies (IT use, Retention, etc.); Train TI analysts on gathering intel, rest of team on using TI; Assess feeds and sources periodically; Update playbooks and plans to include intel and info sharing programs; Tech, People + Data at the center; Performance Metrics: Managerial, Operational, etc.; Plans: Incident Response, Business Continuity, Exercises, etc.; Playbooks: Prevent, Detect, Respond w/ automation, w/ intel, etc.)

INTELLIGENCE-DRIVEN
* People
  - Threat Intelligence Analysts
* Technology
  - Threat intel management
  - Threat intel feed scoring/filtering/prioritizing
  - Threat intel report generation
* Processes
  - Train TI analysts on gathering intel, rest of team on using TI
  - Assess feeds and sources periodically
  - Update playbooks and plans to include intel and info sharing programs
  - Implement technology

LEARNING CONTINUOUSLY Applying and expanding institutional knowledge in a constant feedback loop

LEARNING CONTINUOUSLY: PEOPLE (diagram: Tier 1, Tier 2 and Tier 3 analysts; Engineering; Red Team; Insider Threat; Other Business Units; Hunters; Threat Intel; Innovation; Internal Auditors)

LEARNING CONTINUOUSLY: TECHNOLOGY (diagram: Prevent, Detect and Respond columns, extended into the cloud; ADVANCED layer: Webserver, Cloud, Mobile Device Management, App/DB, Phys Sec, Pen Testing, Baselining, Sandbox, Graph Analysis, Heuristic Analysis, Anomaly Identification, Machine Learning, Predictive Analytics, Triage, Remediate/Mitigate, Playbook Orch/Exe, Response Tracking, Threat Intel Management/Scoring/Report Generation; FOUNDATIONAL layer: Email, Traffic, Log Management, Investigate, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt, Alert/Case Management)

LEARNING CONTINUOUSLY: PROCESSES (diagram: Implement technology and policies (IT use, Retention, etc.); Train all team members; Assess and fine tune products regularly; Update playbooks based on new learnings; Tech, People + Data at the center; Performance Metrics: Managerial, Operational, etc.; Plans: Incident Response, Business Continuity, Exercises, etc.; Playbooks: Prevent, Detect, Respond w/ automation, w/ intel, etc.)

LEARNING CONTINUOUSLY
* People
  - Innovation
  - Internal auditors
* Technology
  - Baselining
  - Anomaly identification
  - Heuristic analysis
  - Machine learning
  - Predictive analytics
* Processes
  - Train all team members
  - Assess and fine tune products regularly
  - Update playbooks based on new learnings
  - Implement technology

THANK YOU! Roselle Safran, Uplevel Security, roselle.com

Data Breaches Can Be Avoided. Advanced threats take their time and leverage the holistic attack surface. (Diagram of the attack chain: Recon. and Planning; Initial Planning; Command and Control; Lateral Movement; Target Attainment; Exfiltration, Corruption, Disruption.) Early neutralization stops cyber incidents and data breaches. Company Confidential

Vigilance Requires Visibility at Every Vector (diagram: users spread across the Holistic Attack Surface)

Faster Detection & Response Reduces Risk (diagram: MTTD & MTTR falling from Months, Weeks, Days and Hours to Minutes; vulnerability moving from High to Low; posture moving from Exposed to Threats to Resilient to Threats)
MEAN TIME-TO-DETECT (MTTD): The average time it takes to recognize a threat requiring further analysis and response efforts.
MEAN TIME-TO-RESPOND (MTTR): The average time it takes to respond and ultimately resolve the incident.
As organizations improve their ability to quickly detect and respond to threats, the risk of experiencing a damaging breach is greatly reduced.

Threat Lifecycle Management
Example sources: Security Event Data; Log & Machine Data; Forensic Sensor Data.
Time to Detect:
- Collect & Generate (Security Intelligence & Analytics Platform)
- Detect & Prioritize (Search Analytics, Machine Analytics)
- Qualify: Assess threat to determine risk and whether full investigation is necessary
Time to Respond:
- Investigate: Analyze threat to determine nature and extent of the incident
- Neutralize: Implement countermeasures to mitigate threat
- Recover: Cleanup, Report, Review, Adapt

LogRhythm Security Intelligence Maturity Model: Delivering a Path to Success
Security Intelligence Maturity Levels:
- Level 0: Blind
- Level 1: Minimally Compliant
- Level 2: Securely Compliant
- Level 3: Vigilant
- Level 4: Resilient
(Diagram: MEAN-TIME-TO-DETECT (MTTD) and MEAN-TIME-TO-RESPOND (MTTR) timeframe falling from Months, Weeks, Days and Hours to Minutes as maturity rises from Level 0 to Level 4; posture moving from Exposed to Threats to Resilient to Threats.) Greater threat resiliency is achieved at higher levels of security intelligence maturity.
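The MTTD and MTTR definitions from the slides, computed over constructed incident timelines and placed on the maturity model's timeframe axis, as an added example that is not from the webinar, Uplevel Security or LogRhythm. The incident records are invented, and the cut-offs that map Minutes/Hours/Days/Weeks/Months onto Levels 4 to 0 are an assumption, since the slide only shows them as an axis.

```python
from datetime import datetime
from statistics import mean

# Constructed incident timelines (illustrative, not real data). Each record keeps the
# stage timestamps from the Threat Lifecycle Management slide: first evidence collected,
# threat qualified (end of Time to Detect), incident recovered (end of Time to Respond).
INCIDENTS = [
    {"id": "INC-1", "first_evidence": "2016-10-01 02:00", "qualified": "2016-10-01 05:00", "recovered": "2016-10-01 11:00"},
    {"id": "INC-2", "first_evidence": "2016-10-03 08:00", "qualified": "2016-10-03 09:00", "recovered": "2016-10-03 13:00"},
    {"id": "INC-3", "first_evidence": "2016-10-05 00:00", "qualified": "2016-10-05 20:00", "recovered": "2016-10-06 01:00"},
]

# Assumed mapping of the slide's timeframe axis (Minutes ... Months) onto maturity
# levels: (upper bound in hours, exclusive; level; label). Anything longer is Level 0.
MATURITY_BANDS = [
    (1, 4, "Resilient"),                  # minutes
    (24, 3, "Vigilant"),                  # hours
    (24 * 7, 2, "Securely Compliant"),    # days
    (24 * 30, 1, "Minimally Compliant"),  # weeks
]

def _hours_between(start, end):
    """Elapsed hours between two 'YYYY-MM-DD HH:MM' stamps; rejects out-of-order stages."""
    fmt = "%Y-%m-%d %H:%M"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    if delta.total_seconds() < 0:
        raise ValueError(f"stage timestamps out of order: {start} is after {end}")
    return delta.total_seconds() / 3600

def time_to_detect(incident):
    """Collect -> Detect & Prioritize -> Qualify: evidence exists until the threat is recognized."""
    return _hours_between(incident["first_evidence"], incident["qualified"])

def time_to_respond(incident):
    """Investigate -> Neutralize -> Recover: threat recognized until the incident is resolved."""
    return _hours_between(incident["qualified"], incident["recovered"])

def maturity_level(hours):
    """Place an average time in hours into the assumed band; returns (level, label)."""
    for upper, level, label in MATURITY_BANDS:
        if hours < upper:
            return level, label
    return 0, "Blind"

def soc_metrics(incidents):
    """MTTD and MTTR as means over the incident set, each with its maturity band."""
    mttd = mean(time_to_detect(i) for i in incidents)
    mttr = mean(time_to_respond(i) for i in incidents)
    return {"mttd_hours": mttd, "mttd_level": maturity_level(mttd),
            "mttr_hours": mttr, "mttr_level": maturity_level(mttr)}

if __name__ == "__main__":
    print(soc_metrics(INCIDENTS))
```

Feeding the same function a case-management export instead of the constructed records gives the two numbers the slides put on the vertical axis, and the band tells you which maturity level the measured times correspond to under the assumed cut-offs.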


Thank you for attending. Please visit our sponsor and any of the resources below:
Upcoming Events: http://darkreading.com/webinar_upcoming.asp
Additional Resources: http://www.logrhythm.com/solutions/security/soc-platform/ and https://logrhythm.com/pdfs/whitepapers/lr-security-intelligence-maturitymodel-ciso-whitepaper.pdf