Slide 1: Security Operations Centers in Action: Why? Why Now? How?
Matthew Gardiner, Sr. Manager, RSA

Slide 2: How to Improve IT Security? Apply What Our Ancestors Knew ~1000 Years Ago!

Slide 3: The Need for a Balanced Defensive Approach Is Clear
How well would a preventive-only approach work?
- Prevention
- Remediation
- Monitoring

Slide 4: Defensive Command Center = SOC/CIRC
To manage detection, investigations & response.

Slide 5: Moving to Present Day: SOC/CIRC Is Now Critical to Improving Your Cyber Defenses
Slide 6: Why Have a SOC/CIRC Now? Threats Regularly Overcome Preventive Controls
Characteristics of today's attacks:
1. Targeted: specific objective
2. Stealthy: low and slow
3. Interactive: human involvement
Attack timeline (diagram labels): Attack Begins, System Intrusion, Cover-Up, Leap Frog Attacks, Cover-Up Complete, Discovery, Attack Identified, Response.
Two intervals are marked along the time axis: Dwell Time (ending when the attack is identified) and Response Time (ending with the response).
Defensive goals:
1. Decrease dwell time
2. Speed response time
Slide 7: How to Think About Your CIRC Maturity? (Cliché alert)

Slide 8: How to Think About Your CIRC Maturity?
Three interdependent factors:
- People
- Process
- Technology
Slides 9-12: How to Think About Your CIRC Maturity?
Three maturity stages, built up across the slides:
- Ad Hoc Incident Response: Part Timers; Process?; Limited Visibility
- Incident Response as an Emerging Organization: Full Timers; Critical Assets; Visibility & Context
- Incident Response as a Key Force in Security: Specialized Team; Cont. Improvement; CIRC Tech. Platform
Slide 13: What Does a Mature CIRC Look Like?
Roles:
- SOC Manager
- Tier 1 Analyst
- Tier 2 Analyst
- Analysis & Tools Support Analyst
- Threat Intelligence Analyst
Slide 14: How to Improve Your CIRC Maturity?
People:
- Focus on creating a couple of CIRC rockstars
- Specialize from there as you staff up
- Use service providers judiciously to fill gaps
- RSA provides an analyst training & MSSP enablement program
Processes:
- Create them, document them, learn from actual incidents, adjust them, repeat
- Simulate an incident & your response
- Measure your CIRC! RSA Advanced Cyber Defense can help here!
Slide 15: Technology: RSA Provides a Broad CIRC Platform (architecture diagram)
- RSA Security Operations Management: Incident Mgmt., Breach Mgmt., SOC Program Mgmt., Threat Intelligence Management, IT Security Risk Mgmt.
- RSA Security Analytics: Analytics; Reports and Custom Actions
- RSA ECAT: Endpoints
- RSA Data Discovery, enabled by RSA DLP
- RSA Live Intelligence: Threat Intelligence, Rules, Parsers, Alerts, Feeds, Apps
- Data sources shown: Windows Clients/Servers, File Servers, Databases, NAS/SAN, Directory Services, SharePoint
Slide 16: This session is largely pulled from this white paper: http://www.emc.com/collateral/white-papers/h12651-wp-critical-incident-response-maturity-journey.pdf

Slide 17: Some Suggested Follow-On Actions
- Attend the following sessions in the Advanced SOC track
- Get my white paper (it is free!)
- Use the assessment framework to benchmark your CIRC
- Check out the following industry analysts: Gartner (Anton Chuvakin & Neil MacDonald), Forrester (Rick Holland), Securosis (Mike Rothman), ESG (Jon Oltsik)
- Come visit RSA in Boston: you can meet directly with the EMC CIRC management!

Slide 18: THANK YOU
Slide 20 (appendix): Assessing Incident Response Maturity
Ad Hoc Incident Response (operational thrashing):
- People: inadequate staffing; everyone is a potential incident responder
- Processes: Is there a process? Roles & responsibilities? Lessons learned?
- Technology: limited visibility & understanding -> endless re-imaging
Emerging Security Organization:
- People: have >0 full-time incident responders
- Processes: prioritize responses based on high-value assets
- Technology: focused on improving visibility & context
Key Force in Security Defense:
- People: IR team highly specialized with clearly defined roles (see next slide)
- Processes: operates with clear governance/run books
- Technology: has an integrated portfolio of CIRC-specific tools
Slide 21 (appendix): How to Think About Your CIRC Maturity?
- Ad Hoc Incident Response: Part Timers; Process?; Limited Visibility
- Incident Response as an Emerging Organization: Full Timers; Critical Assets; Visibility & Context
- Incident Response as a Key Force in Security: Specialized Team; Proc. Improvement; CIRC Tech. Platform