Building and Instrumenting the Next-Generation Security Operations Center
Featured Speakers
Our knowledgeable speakers today are:
- Moderator: Tim Wilson, Editor in Chief, Dark Reading
- Roselle Safran, Co-founder & CEO, Uplevel Security
- Chris Petersen, Co-founder, SVP of Customer Care & CTO, LogRhythm
BUILDING AND INSTRUMENTING THE NEXT-GENERATION SECURITY OPERATIONS CENTER
October 11th, 2016
Roselle Safran, roselle.com
BACKGROUND
- Uplevel Security
- Executive Office of the President
- DHS/US-CERT
- Ernst & Young
PURPOSE OF A SECURITY OPERATIONS CENTER (SOC)
A SOC protects the confidentiality, integrity and availability of the organization's information systems and assets.
(diagram: Prevent, Detect, Respond)
NEXT-GENERATION SOC KEY CHARACTERISTICS
A Next-Gen SOC uses a systematic approach to optimize the abilities of its people, the capabilities of technology, and the structure of processes to most effectively protect the confidentiality, integrity and availability of the organization's information systems and assets against an increasingly varied, adaptive and sophisticated set of adversaries.
A Next-Gen SOC follows the TRAIL:
- Thoroughly scoped
- Resilient by design
- Automated to streamline
- Intelligence-driven
- Learning continuously
THOROUGHLY SCOPED Devised and assembled in a comprehensive and holistic manner
THOROUGHLY SCOPED: PEOPLE
(diagram: Tier 1, Tier 2 and Tier 3 analysts; Insider Threat; Other Business Units)
THOROUGHLY SCOPED: TECHNOLOGY
(diagram: Prevent / Detect / Respond columns. Foundational layer: Email, Traffic, Investigate in each column, Log Management, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt, Alert/Case Management. Advanced layer above.)
THOROUGHLY SCOPED: PROCESSES
(diagram: Tech and People at the center; Policies: IT use, Retention, etc.; Playbooks: Prevent, Detect, Respond, etc.; Plans: Incident Response, Business Continuity, Exercises, etc.; Performance Metrics: Managerial, Operational, etc.)
THOROUGHLY SCOPED
* People
- Analysts (Tiers 1, 2, 3)
- Other business units
- Insider threat
* Technology
- Foundational elements
-- Prevention: email, network traffic, endpoint filter; vulnerability management; inventory management
-- Detection: email, network traffic, endpoint monitor; log management
-- Response: email, network traffic, endpoint investigate; centralized ticket/case management
- Advanced elements layered on top
* Processes
- Define policies (IT use, retention, etc.)
- Define playbooks (prevention, detection, response, etc.)
- Define metrics (managerial, operational, etc.)
- Define plans (incident response, business continuity, exercises, etc.)
RESILIENT BY DESIGN Structured to efficiently adapt to new and challenging tactical, operational and strategic situations
RESILIENT BY DESIGN: PEOPLE
(diagram: Tier 1, Tier 2 and Tier 3 analysts; Engineering; Red Team; Insider Threat; Other Business Units)
RESILIENT BY DESIGN: TECHNOLOGY
(diagram: the Foundational Prevent / Detect / Respond layer from the previous section, with Advanced elements added: In Cloud, Webserver, Cloud, Mobile Device Management, App/DB, Phys Sec, Pen Testing, Triage, Remediate/Mitigate)
RESILIENT BY DESIGN: PROCESSES
(diagram: Implement technology and policies (IT use, Retention, etc.); Train all team members as new tech and info arrive; Assess playbooks and plans with periodic exercises; Update playbooks and plans when adding tech and after assessments. Performance Metrics: Managerial, Operational, etc.; Plans: Incident Response, Business Continuity, Exercises, etc.; Playbooks: Prevent, Detect, Respond, etc.)
RESILIENT BY DESIGN
* People
- Engineering
- Red Team
- 24x7 or follow the sun
* Technology
- Penetration testing
- Full incident response lifecycle coverage (triage, investigate, remediate/mitigate)
- Private cloud infrastructure
- Modular approach to adding enterprise-specific technology
-- Mobile device management
-- Cloud filter and monitor
-- Webserver filter
-- Application, Database monitor
-- Physical security monitor
* Processes
- Train all team members as new tech and info arrive
- Assess playbooks and plans with periodic exercises
- Update playbooks and plans when adding tech and after assessments
- Implement technology
AUTOMATED TO STREAMLINE Utilizing machine capabilities in place of human involvement when applicable for productivity gains
AUTOMATED TO STREAMLINE: PEOPLE
(diagram: Tier 1, Tier 2 and Tier 3 analysts; Engineering; Red Team; Insider Threat; Other Business Units; Hunters added)
AUTOMATED TO STREAMLINE: TECHNOLOGY
(diagram: the Foundational and Advanced layers from the previous section, with Sandbox, Graph Analysis, Playbook Orch/Exe and Response Tracking added)
AUTOMATED TO STREAMLINE: PROCESSES
(diagram: Implement technology and policies (IT use, Retention, etc.); Train Tier 1 Analysts for new roles; Assess automation tech periodically; Update playbooks and metrics when adding tech. Playbooks: Prevent, Detect, Respond w/ automation, etc.)
AUTOMATED TO STREAMLINE
* People
- Tier 1 roles eliminated
- Tier 1 Analysts move to advanced work
- Hunters
* Technology
- Sandbox
- Graph analysis
- Playbook orchestration and execution
- Response tracking
* Processes
- Train Tier 1 Analysts for new roles
- Assess automation tech periodically
- Update playbooks when adding tech
- Update metrics when adding tech
- Implement technology
INTELLIGENCE-DRIVEN Applying relevant, timely and actionable information to the appropriate aspects of operations
INTELLIGENCE-DRIVEN: PEOPLE
(diagram: Tier 1, Tier 2 and Tier 3 analysts; Engineering; Red Team; Insider Threat; Other Business Units; Hunters; Threat Intel added)
INTELLIGENCE-DRIVEN: TECHNOLOGY
(diagram: the Foundational and Advanced layers from the previous section, with Threat Intel Management/Scoring/Report Generation added)
INTELLIGENCE-DRIVEN: PROCESSES
(diagram: Implement technology and policies (IT use, Retention, etc.); Train TI analysts on gathering intel, rest of team on using TI; Assess feeds and sources periodically; Update playbooks and plans to include intel and info sharing programs. Center becomes Tech, People + Data; Playbooks: Prevent, Detect, Respond w/ automation, w/ intel, etc.)
INTELLIGENCE-DRIVEN
* People
- Threat Intelligence Analysts
* Technology
- Threat intel management
- Threat intel feed scoring/filtering/prioritizing
- Threat intel report generation
* Processes
- Train TI analysts on gathering intel, rest of team on using TI
- Assess feeds and sources periodically
- Update playbooks and plans to include intel and info sharing programs
- Implement technology
LEARNING CONTINUOUSLY Applying and expanding institutional knowledge in a constant feedback loop
LEARNING CONTINUOUSLY: PEOPLE
(diagram: Tier 1, Tier 2 and Tier 3 analysts; Engineering; Red Team; Insider Threat; Other Business Units; Hunters; Threat Intel; Innovation and Internal Auditors added)
LEARNING CONTINUOUSLY: TECHNOLOGY
(diagram: the Foundational and Advanced layers from the previous section, with Baselining, Anomaly Identification, Heuristic Analysis, Machine Learning and Predictive Analytics added)
LEARNING CONTINUOUSLY: PROCESSES
(diagram: Implement technology and policies (IT use, Retention, etc.); Train all team members; Assess and fine tune products regularly; Update playbooks based on new learnings. Tech, People + Data; Plans: Incident Response, Business Continuity, Exercises, etc.; Playbooks: Prevent, Detect, Respond w/ automation, w/ intel, etc.)
LEARNING CONTINUOUSLY
* People
- Innovation
- Internal auditors
* Technology
- Baselining
- Anomaly identification
- Heuristic analysis
- Machine learning
- Predictive analytics
* Processes
- Train all team members
- Assess and fine tune products regularly
- Update playbooks based on new learnings
- Implement technology
THANK YOU!
Roselle Safran, Uplevel Security, roselle.com
Data Breaches Can Be Avoided
Advanced threats take their time and leverage the holistic attack surface.
(diagram, attack progression: Recon. and Planning -> Initial Planning -> Command and Control -> Lateral Movement -> Target Attainment -> Exfiltration, Corruption, Disruption)
Early neutralization stops cyber incidents and data breaches.
Company Confidential
Vigilance Requires Visibility at Every Vector
(diagram: many users surrounding the Holistic Attack Surface)
Faster Detection & Response Reduces Risk
(diagram: MTTD & MTTR scale from Months, Weeks, Days and Hours down to Minutes; Exposed to Threats / High Vulnerability at the slow end, Resilient to Threats / Low Vulnerability at the fast end)
MEAN TIME-TO-DETECT (MTTD): the average time it takes to recognize a threat requiring further analysis and response efforts.
MEAN TIME-TO-RESPOND (MTTR): the average time it takes to respond and ultimately resolve the incident.
As organizations improve their ability to quickly detect and respond to threats, the risk of experiencing a damaging breach is greatly reduced.
Threat Lifecycle Management
Time to Detect:
- Collect & Generate: example sources are Forensic Sensor Data, Security Event Data, and Log & Machine Data, feeding a Security Intelligence & Analytics Platform
- Detect & Prioritize: Search Analytics and Machine Analytics
- Qualify: assess the threat to determine risk and whether a full investigation is necessary
Time to Respond:
- Investigate: analyze the threat to determine the nature and extent of the incident
- Neutralize: implement countermeasures to mitigate the threat
- Recover: cleanup, report, review, adapt
LogRhythm Security Intelligence Maturity Model: Delivering a Path to Success
(diagram: the MTTD and MTTR timeframe falls from Months and Weeks through Days and Hours to Minutes as maturity rises from Level 0 to Level 4, moving the organization from Exposed to Threats to Resilient to Threats)
Security Intelligence Maturity Levels:
- Level 0: Blind
- Level 1: Minimally Compliant
- Level 2: Securely Compliant
- Level 3: Vigilant
- Level 4: Resilient
Greater threat resiliency is achieved at higher levels of security intelligence maturity.
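The MTTD and MTTR definitions and the maturity-model timeframes above can be computed from a SOC's own incident records. As an added example, not code from the webinar or from LogRhythm, the Python below computes both metrics over constructed incident records and buckets each into the slide's timeframes; the clock boundaries (first adversary activity to recognition for MTTD, recognition to resolution for MTTR) and the bucket thresholds are assumptions, since the slides give neither.

```python
from datetime import datetime, timedelta

# Constructed sample incidents (not real data). Each record carries when
# adversary activity began, when the SOC recognized it as a threat needing
# analysis, and when the incident was resolved.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2016-09-01 02:00",
     "detected": "2016-09-03 02:00", "resolved": "2016-09-03 08:00"},
    {"id": "INC-2", "first_activity": "2016-09-10 10:00",
     "detected": "2016-09-10 13:00", "resolved": "2016-09-10 14:30"},
    {"id": "INC-3", "first_activity": "2016-08-01 00:00",
     "detected": "2016-09-04 00:00", "resolved": "2016-09-06 00:00"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _mean(deltas):
    # sum() with a timedelta start value keeps the arithmetic exact.
    return sum(deltas, timedelta()) / len(deltas)


def mttd(incidents=INCIDENTS):
    """Mean Time-To-Detect. Assumption: clock starts at first adversary
    activity and stops when the SOC recognizes the threat."""
    return _mean([_ts(i["detected"]) - _ts(i["first_activity"]) for i in incidents])


def mttr(incidents=INCIDENTS):
    """Mean Time-To-Respond. Assumption: clock starts at recognition and
    stops when the incident is resolved."""
    return _mean([_ts(i["resolved"]) - _ts(i["detected"]) for i in incidents])


def timeframe(delta):
    """Bucket a mean time into the slide's Minutes/Hours/Days/Weeks/Months
    scale. The boundaries (1 h, 1 d, 7 d, 30 d) are an assumption."""
    if delta < timedelta(hours=1):
        return "Minutes"
    if delta < timedelta(days=1):
        return "Hours"
    if delta < timedelta(days=7):
        return "Days"
    if delta < timedelta(days=30):
        return "Weeks"
    return "Months"


if __name__ == "__main__":
    print("MTTD:", mttd(), timeframe(mttd()))
    print("MTTR:", mttr(), timeframe(mttr()))
```

A single slow detection (INC-3) dominates the mean, which is why a SOC tracking MTTD should look at the per-incident distribution alongside the average.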
Thank you for attending
Upcoming Events: http://darkreading.com/webinar_upcoming.asp
Additional Resources:
- http://www.logrhythm.com/solutions/security/soc-platform/
- https://logrhythm.com/pdfs/whitepapers/lr-security-intelligence-maturitymodel-ciso-whitepaper.pdf