SECURITY OPERATION CENTER - Models, Strategies and Development - By Ali Mohammadi, December 12-13, 2017


Outline
- Organizational Security Concept
- Security Operations Center (SOC) Concept
- SOC Models
- SOC Architecture
- SOC Strategies & Approaches
- SOC Develop & Plan

Organizational Security Concept

The current environment is putting new demands on security operations
- New business models, new technologies
- Velocity of threats
- Mobile collaboration / BYOD
- Cloud / virtualization
- Social business, blurring social identities
- Large existing IT infrastructures with a globalized workforce, 3rd-party services and a growing customer base
- Evolving regulations
Potential impacts:
- Data or device loss or theft
- Malware infection
- Loss of productivity ($$$)
- Regulatory fines
- Data leakage

Why do we build operational security controls & capabilities?
- Reduce enterprise risk.
- Protect the business.
- Move from reactive response to proactive mitigation.
- Increase visibility over the environment.
- Meet compliance/regulatory requirements.

The organization drives the Security Model

Security Technology Stack (top to bottom):
- GRC
- Information & Event Mgmt.
- Data Security
- Identity, Entitlement, Access
- Application Security
- Cryptography
- Host Security
- Network Security
- Physical Security

Network Security, and its relationships to the stack:
- Data Security: monitor and control data flows on the network
- Host Security: interconnected hosts on the network; control hosts on the network
- Establish secure channel
- Identity and Access: use identity; retrieve access control
- Security Info & Event Management: send security logs; detect security incidents
- Application Security: monitor and control applications running on the network
- Cryptography: key management; crypto offload

Security Operations Center (SOC) Concept

What is a Security Operations Center, or SOC?
A Security Operations Center is a highly skilled team following defined definitions and processes to manage threats and reduce security risk.
Security Operations Centers (SOC) are designed to:
- protect mission-critical data and assets
- prepare for and respond to cyber emergencies
- help provide continuity and efficient recovery
- fortify the business infrastructure
The SOC's major responsibilities are:
- Monitor, analyze, correlate & escalate intrusion events
- Develop appropriate responses: protect, detect, respond
- Conduct incident management and forensic investigation
- Maintain security community relationships
- Assist in crisis operations

Designing and building a SOC requires a solid understanding of the business needs and the resources that IT can deploy
- Multiple stakeholders, processes and technologies to consider
- Personnel skills: security analysts, shift leads, SOC managers
- People: in-house staff, partners, customers, outsourced providers
- Process (an operational process framework): threat analysis, compliance mgmt, change mgmt, risk assessment, vulnerability mgmt, identity & access, SLA mgmt, incident mgmt
- Technology: log management, compliance reporting, event correlation, threat reporting, vulnerability scanners, identity & desktop mgmt, ticketing system, change tracking
- Physical space requirements and location

Building a Security Operations Center involves multiple domains
People:
- Do you need 24x7x365 staff?
- What are the skills needed? Where do you get staff?
- What about training? How do you keep staff?
- Metrics to measure performance; capacity planning
Technology:
- SIEM architecture & use cases
- Log types and logging options
- Platform integrations: ticketing, governance, big data, and web services to integrate them
- Technology should improve effectiveness and efficiency
Process:
- What does the plan look like? How do we measure progress and goals?
- What is the optimal design of core processes (e.g. incident management, tuning, etc.)?
- Process and continual improvement
Governance / Metrics:
- Dashboard visibility and oversight
- Policy, measurement and enforcement
- Integrated governance that balances daily operations with strategic planning
- Ministry objectives; informing stakeholders; informing employees

Cyber Security Operations Center
The Security Operations Center (SOC) term is being taken over by physical surveillance companies. We're building a Cyber Security Operations Center (CSOC) that doesn't have any physical surveillance capability. It could be a component of a SOC in the future.

(C)SOC vs. NOC
- A Network Operations Center is usually responsible for monitoring and maintaining the overall network infrastructure. Its primary function is to ensure uninterrupted network service.
- The CSOC leverages security-related network activity to refine security incident response.
- CSOC and NOC should complement each other and work in tandem.

SOC Models

The changing requirements for enterprise security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of a SOC. Dimensions compared: Mission & Strategy, Technology, Operations, Management.

Attribute        | Legacy SOC                                                        | Optimized SOC
Charter          | Technology or service only                                        | Build a dedicated security operations capability
Governance       | Self-governed (IT Security)                                       | Cross-functional (IT, Business, Audit, etc.)
Strategy         | Detect & react to threats; budget based, 12-month planning cycle  | Proactive, visible; anticipate threats, mitigate risks; 3+ year cycle, priorities set by enterprise
Tools            | SIEM tool only                                                    | SIEM, ticketing, portal/dashboard, Big Data
Use Cases        | Standard rules, minimal customization                             | Tailored rules based on risk & compliance drivers
Referential Data | Minimal importance, secondary priority                            | Required data, used to prioritize work
Measures         | Silos, ticket/technology driven                                   | Cross-functional; efficiency, quality, KPI/SLO/SLA
Reporting        | Ticket/technology driven                                          | Metrics, analytics, scorecards & dashboards

Security Operations Operating Model (SOC Governance, SOC Operations, SOC Technology)

SOC Governance:
- Cyber-Security Command Center (CSCC): executive security intelligence briefings; local / regional security oversight; consolidated security analytics & dashboards; local / regional intel briefings
- SOC Service Delivery Management: service level management; operational efficiency; service reporting; escalation; architecture & projects; incident hunting; PM
- Security Intelligence: use case recommendations; security analytics & incident reporting
- Corporate Business Units: Legal, Audit, Business Operations (business ops investigations), Public Relations, Legal / Fraud, Emergency Admin

SOC Operations:
- Support Services: tool integration; rule admin
- Threat Monitoring: threat analysis; impact analysis; threat triage
- Investigations: incident triage; threat response; advanced event analysis; escalations
- Incident Mgmt.: CSIRT management; corporate incident response; table-top exercises; response
- IT Operations: incident mgmt; problem mgmt; change mgmt; release mgmt

SOC Technology:
- SOC Platform Components: SIEM (security device data, internal/external event data, event patterns, correlation, aggregated security events, transactional log data, unstructured data / Big Data, custom rules); ticketing & workflow; portal; integration tools (e.g. web services); reporting / dashboard; Big Data
- SOC Data Sources: logs (transactional); network hierarchy & design; business data from structure & geography; unstructured (Big Data); asset & data classifications; threat intelligence

We understand that an effective SOC has the right balance of People, Process and Technology components
- People: in-house staff, partners, customers, outsourced providers
- Process: threat analysis, compliance mgmt, change mgmt, risk assessment, vulnerability mgmt, identity & access, SLA mgmt, incident mgmt
- Technology: log management, compliance reporting, event correlation, threat reporting, vulnerability scanners, identity & desktop mgmt, ticketing system, change tracking

The SOC organization is organized around the standard plan, build and run model
SOC Organization Chart:
- SOC / Security Intel Architect (Plan)
- SOC Delivery Manager; Governance
- Security Intelligence Manager (Build / Plan)
- SOC Engineering Manager (Build): Security System Administrator, Security Policy Administrator, Device Administrator (Device Mgmt)
- SOC Monitoring Tier 1 (Run): Senior Threat Analyst, Threat Analyst, Threat Analyst Trainee
- SOC Triage Tier 2 (Run): Senior Threat Response Analyst, Threat Response Mitigation Analyst (Reactive), Threat Response Remediation Analyst (Proactive)
- SOC Escalation Tier 3 (Run): Incident Case Manager, Senior ERS Incident Response Technical Analyst
- IT Operations interfaces: Incident Mgmt, Problem Mgmt, Change Mgmt, Release Mgmt

A responsibility matrix for all SOC roles should be defined across each SOC service.
Roles (columns): SOC Analyst: Monitoring; SOC Analyst: Triage; SOC Analyst: Response; Security Intelligence Analyst; Security Incident Handler (Certified); SOC Tools Admin; SOC Manager; Security Forensic Analyst; IT Security Admin; IT Operations; CERT
Services (rows), with the RACI assignments as they appear on the slide (the role each letter falls under was not preserved):
Core Security Services:
- Security Monitoring: R C A
- Incident Triage: C R C A
- Incident Response: C C R C R A R I
- Delivery Management: A I
Deployment Services:
- Use Case Design: C C C R C A C C
- Log Source Acquisition: R C R A C C
- Service Testing & Tuning: R A I I
- Custom Playbook Development: C C C R C C A C C
- Operations Training: C C C R C A
Security Intelligence Services:
- Security Intelligence Analysis: C C C A C C C
- Security Intelligence Briefings: A C C C
- Use Case Recommendations: C C C A C C C
Administrative Services:
- SIEM Administration: R A I I
- Contextual Data Management: C R A C C
- Log Source Management: C R A C C
- Log Source Heartbeat Monitoring: C R A C C
Reporting Services:
- Security Reporting: C C C C C A C I
- Efficiency Reporting: C C C A C I
- Financial Reporting: C C C C A I
Optional Services:
- Enterprise Incident Management: C A
- Forensics Investigation: C C C C C A C C
- Policy Violation Handling: C C C C A C
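Log Source Heartbeat Monitoring and Log Source Management are listed above as administrative services. The check behind them is a per-source silence threshold: a source that stops delivering events is a blind spot whether the cause is a dead collector, a misconfigured forwarder or deliberate tampering. The following Python is an added example, not code from the presentation or from any product named on this page; the source names, expected intervals and last-seen timestamps are constructed.

```python
"""Log-source heartbeat check: flag sources silent for longer than allowed.

Added example; source names, intervals and timestamps below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Maximum acceptable silence per log source (assumed values). A core firewall
# should never be quiet for long; a weekly vulnerability scan legitimately is.
EXPECTED_INTERVAL: Dict[str, timedelta] = {
    "fw-core-01": timedelta(minutes=5),
    "snort-dmz": timedelta(minutes=15),
    "syslog-relay": timedelta(minutes=10),
    "nexpose-weekly": timedelta(days=8),
    "ad-dc-01": timedelta(minutes=10),   # configured, but never seen below
}

# Constructed "last event received" values, as a collector or SIEM would expose.
LAST_SEEN: Dict[str, str] = {
    "fw-core-01": "2017-12-12T08:59:30Z",
    "snort-dmz": "2017-12-12T07:10:00Z",
    "syslog-relay": "2017-12-12T08:55:00Z",
    "nexpose-weekly": "2017-12-06T02:00:00Z",
    "vpn-gw": "2017-12-12T08:58:00Z",      # sends events but has no threshold
}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp format used in LAST_SEEN."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_sources(last_seen: Dict[str, str], expected: Dict[str, timedelta],
                  now: datetime) -> Dict[str, Optional[timedelta]]:
    """Return the sources that have missed their heartbeat.

    The value is how far past the allowed interval the source is. None means
    the source is configured but has never delivered an event at all, which is
    the worst case because there is nothing to compare against.
    """
    overdue: Dict[str, Optional[timedelta]] = {}
    for source, interval in expected.items():
        seen = last_seen.get(source)
        if seen is None:
            overdue[source] = None
            continue
        gap = now - parse_ts(seen)
        if gap > interval:
            overdue[source] = gap - interval
    return overdue


def unmonitored_sources(last_seen: Dict[str, str], expected: Dict[str, timedelta]) -> List[str]:
    """Sources that deliver events but have no threshold: they can never raise
    a heartbeat alarm, so the monitoring configuration itself is incomplete."""
    return sorted(set(last_seen) - set(expected))


def run_check(now_iso: str = "2017-12-12T09:00:00Z") -> Dict[str, Optional[float]]:
    """Run the check against the constructed data; overdue time in seconds."""
    result = stale_sources(LAST_SEEN, EXPECTED_INTERVAL, parse_ts(now_iso))
    return {src: (None if late is None else late.total_seconds()) for src, late in result.items()}


if __name__ == "__main__":
    for source, late in run_check().items():
        print(f"{source}: {'never reported' if late is None else f'{late:.0f}s past allowed gap'}")
    print("sources without a threshold:", unmonitored_sources(LAST_SEEN, EXPECTED_INTERVAL))
```

Two findings matter as much as the obvious stale source: a source configured but never seen (no baseline to compare against) and a source that reports but has no threshold (it can go silent without anyone noticing). Both are reported separately so the heartbeat configuration can be audited alongside the live sources.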

SOC Architecture

Why?
We've been collecting security-related data for a number of years and needed a focal point to help us see the big picture:
- Data from security reviews
- Vulnerability scans (push/pull)
- IPS/IDS data
- System logs
We want to build a security history for a host.

Why?
The CSOC is a logical place to collect, analyze and distribute the data collected to support our Defense in Depth strategy:
- Preventing network-based attacks
- Preventing host-based attacks
- Eliminating security vulnerabilities
- Supporting authorized users
- Providing tools for minimizing business loss

Where?
- OS syslog/event logs, IDS logs, IPS logs, PID logs, firewall logs, pen test logs, PCI, netflow
- CSOC needs to be able to analyze and display this data quickly
- Data resides on separate, distributed servers; CSOC pulls data from these servers as needed
- CSOC lives in the IT Security Office & Lab

What?
- Provides a real-time view of the VT network's security status
- Provides info to assess risk, attacks, mitigation
- Provides metrics: executive, operational, incident

What? Event Generators (E boxes)
- Any form of IDS sensor (firewalls, IPS, IDS, Snort, Active Directory servers, Remedy, vulnerability scanners, TACACS, application software)
- Most are polling generators
- Generate specific event data in response to a specific action (example: IDS or firewall)

What? Events Databases (D boxes)
- Provide basic storage, search and correlation tools for events collected and sent to the CSOC
- Vulnerability databases contain info about security breaches, etc.

What? Events Reactions (R boxes)
- SOC Console, used for internal analysis: real-time monitors (Snort, BASE, IPS, Dshield); incident handling (Remedy trouble ticket system); location tools; statistical analysis
- End User Portals: multi-level reporting for various target audiences (sysadmin, management)

What?
- Analysis Engines (A boxes): help the ID analyst determine if an incident has occurred, its spread, its impact, etc.
- Knowledge Base Engines (K boxes): store security configs of critical assets, tips/tricks and effective solutions to previous problems
- Reaction and Report Engines (R boxes): switches, routers, IPS and associated management tools
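The E-box / D-box / A-box layering described above, together with the goal of building a security history for a host, can be shown end to end in one small pipeline: normalize records from several generators, store them indexed by host, then let an analysis step decide whether the combined history is worth escalating. The following Python is an added example, not code from the presentation or from Virginia Tech's CSOC. The log lines, field names, Snort rule id and Nessus plugin id are constructed stand-ins for syslog, Snort, firewall and Nessus output, and the escalation rule in assess() is an assumption chosen to illustrate correlation across sources, not a documented procedure.

```python
"""E-box / D-box / A-box pipeline reduced to a few functions.

Added example, not from the presentation or any product it names. Log formats,
field names, the Snort rule id and the Nessus plugin id are constructed; the
escalation rule in assess() is an assumption made for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed raw records, one per line, prefixed with the E-box that produced
# them. In the slides these live on separate servers and are pulled as needed.
SAMPLE_LINES = [
    "syslog Jan 12 10:01:02 10.0.5.20 sshd[812]: Failed password for root from 198.51.100.7 port 4022 ssh2",
    "syslog Jan 12 10:01:09 10.0.5.20 sshd[812]: Failed password for root from 198.51.100.7 port 4023 ssh2",
    "snort [1:9000001:1] SCAN Potential SSH Scan (constructed) {TCP} 198.51.100.7:4022 -> 10.0.5.20:22",
    "firewall action=deny src=198.51.100.7 dst=10.0.5.20 dport=23 proto=tcp",
    'nessus host=10.0.5.20 plugin=900001 severity=High name="Deprecated SSH protocol version enabled"',
    "syslog Jan 12 10:02:30 10.0.5.31 cron[442]: (root) CMD (run-parts /etc/cron.hourly)",
    "firewall action=allow src=10.0.5.31 dst=10.0.9.9 dport=443 proto=tcp",
]

SYSLOG_AUTH = re.compile(r"^(?:\S+\s+){3}(\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+)")
SNORT_ALERT = re.compile(r"\[\d+:\d+:\d+\] (.+?) \{\w+\} (\S+):\d+ -> (\S+):\d+")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Event:
    source: str   # which E-box produced the record
    host: str     # the internal asset the event is about
    kind: str     # normalized class: auth_failure, ids_alert, fw_deny, vuln
    detail: str   # free text; "from=<addr>" is kept wherever a remote peer exists


def parse(line: str) -> Optional[Event]:
    """E-box normalization: map one raw record onto an Event, or None to drop it."""
    source, _, payload = line.partition(" ")
    if source == "syslog":
        m = SYSLOG_AUTH.search(payload)
        return Event(source, m.group(1), "auth_failure", f"user={m.group(2)} from={m.group(3)}") if m else None
    if source == "snort":
        m = SNORT_ALERT.search(payload)
        return Event(source, m.group(3), "ids_alert", f"{m.group(1)} from={m.group(2)}") if m else None
    kv = {k: v.strip('"') for k, v in KEY_VALUE.findall(payload)}
    if source == "firewall" and kv.get("action") == "deny":
        return Event(source, kv["dst"], "fw_deny", f"from={kv['src']} dport={kv['dport']}")
    if source == "nessus":
        return Event(source, kv["host"], "vuln", f"{kv['severity']}: {kv['name']}")
    return None


class EventStore:
    """D-box: storage indexed by host, plus the history query the slides ask for."""

    def __init__(self) -> None:
        self._by_host: Dict[str, List[Event]] = defaultdict(list)

    def ingest(self, lines: Iterable[str]) -> int:
        """Normalize and store each record; returns how many were kept."""
        kept = 0
        for line in lines:
            ev = parse(line)
            if ev is not None:
                self._by_host[ev.host].append(ev)
                kept += 1
        return kept

    def history(self, host: str) -> List[Event]:
        """The security history for one host, in arrival order."""
        return list(self._by_host.get(host, []))

    def hosts(self) -> List[str]:
        return sorted(self._by_host)


def assess(store: EventStore, host: str) -> dict:
    """A-box: decide whether a host's history amounts to an incident.

    Escalation rule (assumed for this example): hostile contact, meaning two or
    more authentication failures or any IDS alert, against a host that also has
    an open High-severity vulnerability finding. Any one source alone is kept
    as history but is not escalated.
    """
    by_kind: Dict[str, List[Event]] = defaultdict(list)
    for ev in store.history(host):
        by_kind[ev.kind].append(ev)
    peers = {ev.detail.split("from=")[1].split()[0]
             for kind in ("auth_failure", "ids_alert", "fw_deny") for ev in by_kind[kind]}
    hostile_contact = len(by_kind["auth_failure"]) >= 2 or bool(by_kind["ids_alert"])
    high_vulns = [ev for ev in by_kind["vuln"] if ev.detail.startswith("High")]
    return {
        "host": host,
        "events": sum(len(evs) for evs in by_kind.values()),
        "sources": sorted({ev.source for evs in by_kind.values() for ev in evs}),
        "remote_peers": sorted(peers),
        "escalate": hostile_contact and bool(high_vulns),
    }


if __name__ == "__main__":
    store = EventStore()
    print(f"kept {store.ingest(SAMPLE_LINES)} of {len(SAMPLE_LINES)} records")
    for h in store.hosts():
        print(assess(store, h))
```

The point of the D-box is visible in assess(): none of the four generators alone would justify escalation, but the per-host history lets the analysis engine see that the same remote peer appears in the authentication failures, the IDS alert and the firewall denial, and that the scanner already reported a High-severity finding on the same host.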

Security Operations Center (SOC): Access Management; Automation & Integration of Security Operations

SOC Architecture

SOC Workflow

Security Operations Center Infrastructure v1.0 (6/4/2008)
Components shown in the diagram:
- Scanners: Nessus scan results (PDF); user-initiated scan (user); nmap scanner; ITSO staff daily scan; Nexpose; Acunetix; Core Impact
- Vulnerability Results Database; Correlation & Report Generation (text)
- Context data: IP ranges, dept. liaisons, DHCP, VPN, modem pool
- BASE; Snort sensors; central syslog servers; Dshield; Checknet host locator DB; Remedy
Legend: green = E boxes, blue = D boxes, grey = A boxes, yellow = K boxes

SOC Strategies & Approaches

Selecting the optimal SOC operating model depends on balancing business and technical requirements, risk and financial constraints

Business Requirements: Centralized vs. Decentralized
- Centralized: single global SOC; CSCC combined with SOC; lowest cost; easiest to manage
- Decentralized: multiple SOCs (geography / BU); single global CSCC; high cost; more difficult to manage

Technical Requirements: Standard vs. Highly Customized
- Standard: simple platform; lowest cost to implement/operate; good risk mgmt capabilities; easy to scale operations; moderate detail on threats
- Highly Customized: complex platform; high cost to implement/operate; excellent risk mgmt capabilities; more expensive to scale operations; rich detail on threats

Risk Tolerance: Externally Managed vs. Internally Managed
- Externally Managed: 30-90 day implementation; lowest cost to implement/operate; not core to business; leverage industry best practices
- Internally Managed: long implementation lead time; high cost to implement/operate; core to business; frequent independent reviews

Financial Constraints: Low Cost vs. High Cost
- Low Cost: lowest cost to implement; lowest cost to operate
- High Cost: highest cost to implement; highest cost to operate

SOC Develop & Plan

To get started, the organization should consider the following questions in establishing its objectives
- What is the primary purpose of the SOC?
- What are the specific tasks assigned to the SOC? (e.g., threat intelligence, security device management, compliance management, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)
- Who are the consumers of the information collected and analyzed by the SOC? What requirements do they have for the SOC?
- Who is the ultimate stakeholder for the SOC? Who will sell the SOC to the rest of the organization?
- What types of security events will eventually be fed into the SOC for monitoring?
- Will the organization seek an external partner to help manage the SOC?

The Security Operations Optimization portfolio provides a flexible approach to the entire SOC/SIEM life cycle.
Introduction:
- Educational, share best practices
- Table-top, guided SOC maturity assessments
- Set high-level vision
- Develop next-steps roadmap for action
Assessment / Strategy:
- Define the mission
- Assess current operations and capabilities
- Define future environment
- Develop roadmap for action
Design & Build:
- Laying the foundation of capabilities
- Designing effective staffing models and supporting processes / technology
- Conducting training and testing
- Implementing tracking and reporting capabilities
Run & Enhance (People and Governance; Processes and Practices; Technology):
- Leveraging acquired knowledge and experience
- Instituting formal feedback and review mechanisms
- Driving further value from the technology
- Expanding business coverage and functions
- Tuning and refinement
Optimize:
- Business-aligned threat management and metrics
- Drive for best practices
- Integrated operations with improved communications
- Seek opportunities for cost takeout
- Continuous improvement

References
- IBM Security Services
- Meadowville Technology Park, Chesterfield County, Virginia: Carl Hill, President, www.gtscloud.com
- Paladion Co, paladion.net
- Randy Marchany, VA Tech IT Security Office and Lab

Thank you for your time! Questions and Answers