Security Intelligence & Operations Centres (SIOC)

29+ SIOCs built; 60+ SIOCs consulted on. Expertise, experience, methodology.

1. Help customers establish a Security Intelligence capability that can monitor, analyse and escalate significant information security events to protect the confidentiality, integrity and availability of the information technology enterprise;
2. Ensure HP ArcSight customers are successful with the product by assisting in providing the right people skills, building the right processes and delivering effective technology; and
3. Add value to the customer’s organization by using metrics to track the effectiveness of controls and using intelligence to proactively protect against attack.
HP SIOC Consultants Background

1. Built and ran Microsoft’s SOC
2. Built and ran IBM’s Managed Security Service Provider SOC
3. Built and ran Verizon’s Managed Security Service Provider SOC
4. Built and ran Symantec’s Managed Security Service Provider SOC
5. Built and ran the SIOC for Europe’s largest Software-as-a-Service business
ArcSight Is the Only Solution

SIEM – Security Information & Event Management. ArcSight Platform: a comprehensive platform for monitoring modern threats and risks.
• Capture any data from any system, including applications (SAP and others)
• Manage and store every event
• Analyze events in real time
• Identify unusual behavior at the user level
• Respond quickly to prevent loss
Covers a wide range of products: Access and Identity, Data Security, Integrated Security, NBAD, Policy Management, Vulnerability Management, Anti-Virus, Firewalls, Log Consolidation, Network Management, Router, Web Cache, Applications, Honeypot, Mail Filtering, Network Monitoring, Security Management, Web Filtering, Content Security, Host IDS/IPS, Mail Server, Net Traffic Analysis, Switch, Web Server, Database, Network IDS/IPS, Mainframe, Operating System, VPN, Wireless.
Accounts Correlation

• Looks at all IDs: email address, badge ID, phone extension
• Different events are attached to the activity of the person
• Each event is attached to a “who it is” field, so the person’s activity and behavior can be understood

Example: Accounts rjackson, 348924323, firstname.lastname@example.org, robertj, rjackson_dba and 510-555-1212 all resolve to the identity Robert Jackson.
HP ArcSight ThreatDetector – Profile activity
• Early detection
• Different methods to detect good and bad behavior
• Looks at typical actors: insider, angry admin, intruder
• Allows new patterns of behavior to be created
• Immediately checks all previous events against a detected pattern of behavior
Key Benefits of “In-house” Operations
• Maintain end-to-end control of security processes and data; increased monitoring efficiency
• Business requirements are incorporated into the solution
• Ability to expand the security/compliance footprint easily (at little or no additional cost)
• Creates the platform for security monitoring and reporting

Mission: Monitor, recognize, and escalate significant information security events to protect the confidentiality, integrity and availability of the information technology enterprise.
Main questions before building a SOC
• Why? What business issues will the SOC resolve?
• What exact tasks does the SOC process? (block attacks from the Internet, PCI DSS compliance, insider activity detection, incident handling, etc.)
• Who will receive information from the SOC?
• Who is the sponsor of the SOC project?
• Who is responsible for this project inside the organization? What does he expect from the SOC?
• What events should be collected inside the SOC?
Example of using a SOC (from a customer)
• Malware spread detection
• Monitor VIP (top managers) devices
• Windows servers control
• Monitor IPS
• Monitor Active Directory
• Compliance PCI: reporting and alerting
• Monitor data leakage (DLP)
• Monitor privileged users
What are Security Operations? [Diagram: People, Process and Technology; numbered workflow from Customers through the Incident Handler (Level 1, Level 2) and Engineer, with Escalation and Case closed.]
People in the SOC [Photo: Olympic Games, Russia, Kazan, July 2013]
Establish the Right Skills

Roles (career progression): Manager; Level-1 Analyst; Level-2 Analyst; SIEM Content Specialist; Incident Manager; Forensic Analyst; SIEM Engineer.

Training:
• Security Intelligence / Information Security Bootcamp
• ArcSight Training: ArcSight ESM Operations, ArcSight ESM Security Analyst, ArcSight ESM Use Case Foundations
• Key organizations – SANS Institute: GIAC Certified Intrusion Analyst (GCIA), GIAC Certified Incident Handler (GCIH)
• On-the-Job Training & Mentoring
SOC Methodology

HP Security Intelligence & Operations Consulting has a proven methodology for building and operating a security intelligence and operations capability:
• ASSESS – Assess the customer’s business requirements and capability compared with security operations best practices.
• DESIGN – Design people, process and technology to deliver business objectives and provide a SOC practice roadmap to best practice.
• MANAGE – Manage measurable, repeatable and continually improved security operations.
• MATURE – Mature the customer’s capability to provide continual improvements in efficiency and risk coverage.
Security Intelligence
• Proactive research into new threats and risks to your organisation
• The only team with end-to-end vision and situational awareness
• Feedback on control effectiveness
• Monitoring of threat agent channels for upcoming attacks
SOC Cost Components

Labor – Direct: SOC Analysts (24x7x365); SOC Manager; SIEM Engineer (administration and content development); Incident Response Team.

Labor – Indirect: Security Device Management (device:analyst = 20:1 – 60:1); IT Support Services (3rd-party ticketing systems, network infrastructure, annualized IT business processes, etc.); Systems Management Services (availability, backup/recovery, capacity/performance, system administration).

Storage: High-performance RAID 1+0 SAN, 1–10+ terabytes (driven by data retention requirements and events/day).

Services: Education and training for SOC personnel; ESM Professional Services installation; long-term engineering or content development services; Threat Intelligence subscription; maintenance and support.

Software: ArcSight ESM with High Availability failover; Connectors; Full Consoles / Web Consoles; Compliance Insight Packages.

Facilities: Hardened and secure datacenter location; SOC facility; wall-mountable screens or projectors; telecommunications – phone / IP phone; power and HVAC; uninterruptible power supplies (UPS).

Hardware (5-year amortization schedule): ESM servers; database servers; Connector appliances; workstations with dual-monitor displays and laptops; maintenance.
Use Cases

Use Case | Primary Data Sources | Alert Criteria | Action
Botnet activity | Firewall, IDS, Proxy, Mail, Threat Intelligence | Connection to or from known malicious host or domain | Display in analyst active channel
Virus outbreak | Antivirus | 3 viruses detected with the same name in 10 minutes | Page desktop team / display in dashboard
Successful attack / malicious code | IDS/IPS, Vulnerability | Targeted asset exhibits vulnerability, relevance=10 | Page server team / display in active channel / display in dashboard
SQL injection | Web Server, DAM, IDS/IPS | 5 injection attempts within specified time frame | Display in analyst active channel
Phishing | Threat Intelligence, Firewall, IDS, Proxy, Mail | Connection to or from known malicious host or domain | Display in analyst active channel
Unauthorized remote access | VPN, Applications | Successful VPN authentication from a non-domain member | Display in analyst active channel / page network team
New vulnerability on DMZ host | Vulnerability | New vulnerability identified on publicly accessible host | Email daily report to vulnerability team
Suspicious activity | Firewall, IDS, Mail, Proxy, VPN | Escalating watch lists (recon, exploit, brute force, etc.) | Email daily suspicious user activity report to level 1
Statistical anomaly | IDS, Firewall, Proxy, Mail, VPN, Web Server | Moving average variation of X magnitude in specified time frame | Display alerts in situational awareness dashboard
New pattern of activity | IDS, Firewall, Proxy, Mail, VPN, Web Server | Previously unseen pattern detected | Display in analyst active channel
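As an added example (not from the slides and not ArcSight's own rule language), the "Virus outbreak" and "SQL injection" rows above written as sliding-window correlation rules and run over constructed sample events; the event tuple layout is an assumption, and the one-minute SQL-injection window is assumed because the slide leaves the time frame unspecified.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the slides): (timestamp, feed, key).
# "key" is the field each rule counts on: signature name for antivirus,
# source address for web-server requests the feed already flagged as injection.
SAMPLE_EVENTS = [
    ("2013-07-01 10:00:05", "antivirus", "EICAR-Test-File"),
    ("2013-07-01 10:03:10", "antivirus", "EICAR-Test-File"),
    ("2013-07-01 10:08:55", "antivirus", "EICAR-Test-File"),  # 3rd hit inside 10 min
    ("2013-07-01 10:25:00", "antivirus", "EICAR-Test-File"),  # window restarted, no alert
    ("2013-07-01 11:00:00", "webserver", "203.0.113.7"),
    ("2013-07-01 11:00:01", "webserver", "203.0.113.7"),
    ("2013-07-01 11:00:02", "webserver", "203.0.113.7"),
    ("2013-07-01 11:00:03", "webserver", "203.0.113.7"),
    ("2013-07-01 11:00:04", "webserver", "203.0.113.7"),      # 5th attempt inside 1 min
    ("2013-07-01 11:30:00", "webserver", "198.51.100.9"),     # lone attempt, no alert
]

# Rule per feed: (use case, threshold, window, action) as in the table.
RULES = {
    "antivirus": ("Virus outbreak", 3, timedelta(minutes=10),
                  "Page desktop team / display in dashboard"),
    "webserver": ("SQL injection", 5, timedelta(minutes=1),   # window assumed
                  "Display in analyst active channel"),
}

def correlate(events, rules=RULES):
    """Sliding-window count per (feed, key); returns (use case, key, action) per alert."""
    windows = defaultdict(deque)
    alerts = []
    for ts, feed, key in sorted(events):          # ISO timestamps sort chronologically
        if feed not in rules:
            continue                                # no rule for this feed
        name, threshold, window, action = rules[feed]
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = windows[(feed, key)]
        q.append(t)
        while t - q[0] > window:                    # age out events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((name, key, action))
            q.clear()                               # one alert per burst, not per extra event
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```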
Ensure the Operations are Repeatable

Event Management: Subtle Event Detection; Triage; Data Visualization; Call-outs; Pattern Analysis; Case Management; Reporting; Crisis Response; Analyst Comments.
Daily Operations: Incident Summary; Shift Schedule; Threat Reports; Monitoring; Incident Management; Problem and Change; Incident Research; Shift Turn-Over; Focused Monitoring; Daily Operations Call.
Incident Response.
Training: Intrusion Analysis; Training Plans; Event Analysis; Skills Development Tracking.
Threat Intelligence: Information Fusion.
BC/DR: Business Continuity Plan; Disaster Recovery Plan.
Process Improvement: Design; Maturity Assessments; Developing Use Cases; Project Methodology; User and Asset Modeling; Knowledgebase (wiki); Configuration Management.
Compliance: Internal Compliance; Compliance Support.
SIEM Architecture: Data Feed Integration; System Administration; Access Management; Maintenance and Upgrades; Infrastructure Performance.
Metrics: Reporting; KPIs; Operational Efficiencies.
Workflow: Merging people, process & technology

Category | SIEM Priority 0-2 | 3-4 | 5-6 | 7-8 | 9-10
Unauthorized Root/Admin Access | A | A | A | C1 | C1
Unauthorized User Access | A | A | I2 | C2 | C1
Attempted Unauthorized Access | A | A | A | I3 | C3
Successful Denial of Service | A | A | I2 | C2 | C1
Policy Violation | A | A | T3 | T2 | T1
Reconnaissance | A | A | A | I3 | I2
Malware Infection | A | A | T3 | T2 | C2

Legend: C1: Critical callout – 15 min; C2: Urgent callout – 30 min; C3: Routine callout – 2 hr; I2: Urgent investigation; I3: Routine investigation; T1: Critical ticket opened; T2: Urgent ticket opened; T3: Routine ticket opened; A: Active monitoring.
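As an added example (not from the slides), the matrix and its callout deadlines turned into a shift check that maps each open alert to its action code and lists the callouts whose 15/30/120-minute deadline has already passed; the alert queue and its timestamps are constructed, and the (id, category, priority, raised_at) tuple layout is an assumption.

```python
from datetime import datetime, timedelta

# Priority bands (inclusive) in column order, as on the slide.
BANDS = [(0, 2), (3, 4), (5, 6), (7, 8), (9, 10)]

# Category -> action code for each band, transcribed from the slide's matrix.
MATRIX = {
    "Unauthorized Root/Admin Access": ["A", "A", "A", "C1", "C1"],
    "Unauthorized User Access":       ["A", "A", "I2", "C2", "C1"],
    "Attempted Unauthorized Access":  ["A", "A", "A", "I3", "C3"],
    "Successful Denial of Service":   ["A", "A", "I2", "C2", "C1"],
    "Policy Violation":               ["A", "A", "T3", "T2", "T1"],
    "Reconnaissance":                 ["A", "A", "A", "I3", "I2"],
    "Malware Infection":              ["A", "A", "T3", "T2", "C2"],
}

# Only callout codes carry a response deadline (minutes) in the legend.
CALLOUT_SLA = {"C1": 15, "C2": 30, "C3": 120}

def escalate(category, priority):
    """Map (category, SIEM priority 0-10) to the matrix's action code."""
    if not 0 <= priority <= 10:
        raise ValueError(f"priority out of range: {priority}")
    band = next(i for i, (lo, hi) in enumerate(BANDS) if lo <= priority <= hi)
    return MATRIX[category][band]

def overdue_callouts(open_alerts, now):
    """Return (alert_id, code, minutes_late) for callouts past their deadline at `now`.
    open_alerts: iterable of (alert_id, category, priority, raised_at)."""
    late = []
    for alert_id, category, priority, raised_at in open_alerts:
        code = escalate(category, priority)
        if code in CALLOUT_SLA:                      # tickets and investigations have no timer
            deadline = raised_at + timedelta(minutes=CALLOUT_SLA[code])
            if now > deadline:
                late.append((alert_id, code, int((now - deadline).total_seconds() // 60)))
    return late

# Constructed sample queue (not from the slides).
NOW = datetime(2013, 7, 1, 12, 0)
OPEN_ALERTS = [
    (1, "Unauthorized Root/Admin Access", 9, NOW - timedelta(minutes=20)),   # C1, 5 min late
    (2, "Malware Infection", 7, NOW - timedelta(minutes=10)),                # T2, no callout
    (3, "Attempted Unauthorized Access", 10, NOW - timedelta(minutes=90)),   # C3, 30 min left
    (4, "Successful Denial of Service", 5, NOW - timedelta(hours=3)),        # I2, no callout
]

if __name__ == "__main__":
    print(overdue_callouts(OPEN_ALERTS, NOW))
```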
Security Operations Maturity Assessment (SOMM)

Level | Name | Description
Level 0 | Incomplete | Operational elements do not exist.
Level 1 | Performed | Reliant on people and relationships, not standardized nor repeatable.
Level 2 | Managed | Business goals are met and operational tasks are repeatable. Many SOCs run successfully for some period of time at this maturity level. Missing aspects often include continual improvement and demonstrated ROI.
Level 3 | Defined | Operations are well-defined, subjectively evaluated, and flexible. Recommended maturity level target for most enterprise SOCs. Sufficient structure exists to meet business objectives and demonstrate ROI while still being able to adapt to enterprise requirements and a changing threat landscape without excessive overhead in processes.
Level 4 | Measured | Operations are quantitatively evaluated, processes are controlled, reviewed consistently, and proactively improved. Appropriate for a managed service provider environment where financial penalties result from inconsistent delivery. This environment may not be able to adapt to individual client needs or emerging threats and requires dedicated staff to sustain the maturity level.
Level 5 | Optimizing | All processes are tightly constrained and continually measured for deficiencies and variation, and are continually improved. Suitable only for very narrow-scope operations focused on point solutions in a tightly controlled and static environment.
Security Operations Maturity Assessment (example scoring)

People 1.57
• General 1.75 – Roles and responsibilities within the SOC are not defined and therefore cannot be leveraged as criteria for member evaluation.
• Training 1.55 – The opportunity exists to develop an overall training program that includes a defined structure for analyst on-boarding and continual growth through the career of the analyst.
• Certifications 1.00 – Lack of overall industry certifications possessed by the team.
• Experience 1.70 – The feeder pool to hire analysts is reasonable, yet the experience and background of some of the analysts is questionable.
• Skill Assessments 1.69 – A skills assessment program should be adopted and leveraged to improve training plans and the overall skills composition of the group.
• Career Path 1.69 – There is an opportunity to develop career progression plans and to help guide analysts into senior positions within the SOC or internally within the company.
• Leadership 1.77 – Conducting an organizational climate survey is encouraged in order to collect feedback and incorporate it into the leadership function.

Process 1.26
• Mission 1.27 – The SOC mission, vision, and charter should be clearly outlined and articulated within the SOC and to internal groups within the organization.
• Operational Process 1.66 – There are several opportunities to further develop operational processes and metrics to measure operational efficiencies.
• Analytical Process 1.15 – Efforts to centralize a knowledge management solution for security analysts are currently underway.
• Business Process 0.89 – SOC SLAs and analyst KPIs are not developed and therefore cannot be leveraged to capture metrics and track operational efficiencies.

Technology 2.38
• SIEM Monitoring 2.45 – SIEM meets current business needs. A test environment does exist, which means that content and data feed on-boarding does/can go through a proper testing cycle.
• Architecture 1.95 – Document data flow diagrams for troubleshooting purposes.
• Correlation 2.56 – Event management metrics are captured and used to track events monitored.
• Monitored Technologies 2.22 – A wide range of technologies are monitored, giving the SOC wider visibility against attack vectors.
• ILM 2.61 – Data retention and protection policies adhere to company policies.

Overall SOMM Level 1.74
Security Operations Maturity Assessment – Average SOMM by Vertical

Financial 2.25 | Retail 2.35 | Technology 1.60 | Government 1.98 | Utility 1.50 | Telco 2.27 | MSSP 2.40
Pragmatic Roadmap for Improvement

| Phase I (Interim Security Capability) | Phase II (Dedicated Operations) | Phase III (Mature Operations)
Coverage | Part-time resources as available | Dedicated 8x5, virtual off-hours | 24x7x365
Staffing | No dedicated staff | 1 dedicated analyst, 1 dedicated SIEM engineer | 12 FTE
Incident Escalations | 1-5 per week | 5-10 per week | 10-20 per week
Use Cases | 10 | 25 | 100+
Events per second (EPS) | 200 | 500 | 1000
Target Timeframe | 90 days | 180 days | 2 years
Thank you
Denis Batrankov, Solution Architect, email@example.com