Isc2conferancepremay15final
Isc2conferancepremay15final Presentation Transcript

  • 1. SOC & BUSINESS DRIVEN CYBER THREATS
    Mahmoud Yassin, Lead Security Eng. SOC & NOC, National Bank of Abu Dhabi
  • 2. Agenda:
    • Business today
    • How business affects the security community
    • Cyber threats and business targets
    • New trends in cyber threats
    • Approach to target new cyber threats
    • Security management in a dynamic environment
    • SOC or OPSOC
    • Recommended actions for the SOC in the face of new threats
  • 3. BUSINESS TODAY
  • 4. TODAY’S BUSINESS CLIMATE
    • Running a business in the 21st century isn’t easy!
    • Security regulations abound
    • 62% of companies spend more on compliance than protection*
    • Evolution of technology and business demands has resulted in highly diverse environments
    • Managing an increasing number of vulnerabilities in the face of sophisticated threats
    • Difficulties in aligning people, process and technology
    • Challenges in leveraging security knowledge and business process
    *Source: Riren
  • 5. IT SPRAWL HAS BUSINESS AT THE BREAKING POINT
    Business innovation throttled to 30%:
    • Time to revenue
    • Cost of lost time, effort, opportunity
    • Unpredictable business cycles
    70% captive in operations and maintenance:
    • Rigid & aging infrastructure
    • Application & information complexity
    • Inflexible business processes
    92% believe business cycles will continue to be unpredictable in the coming few years; 84% agree innovation is critical to success in the new economy; 8 out of 10 say the business & technology approach needs to be more flexible to meet changing customer needs.
  • 6. TOMORROW’S BUSINESS WILL BE BUILT ON A CONVERGED INFRASTRUCTURE
    Security is the framework for ALL of it: storage, servers, network, power & cooling, management software.
    Unleash the potential:
    • Any application, anywhere
    • Flex resources on demand
    • Unlock productivity
    • Predictable continuity of service
    • Faster time to business value
    Building on what you have today, all on a secure platform: virtualized, resilient, orchestrated, optimized, modular and secure.
  • 7. TODAY’S BUSINESS & INFORMATION SECURITY
  • 8. SECURITY AND BUSINESS INFRASTRUCTURE
    Business demands strain IT: diversity of IT and security, and security in the light of diversity. Timeline of the diagram:
    • Pre-1980s: mainframes; centralized business security; security incorporated into the system
    • 1980s-1990s: client/server; security is client-based; security begins to diverge as systems become more distributed
    • 2000s: multi-tier application architecture; web application development complicates security visibility; traditional application security
    • 2010s: business cloud connecting vendors, partners and clients
  • 9. SECURITY WORRIES
    • I worry about a hacker gaining access to our Oracle database and copying social security numbers
    • I worry about a converged network: if the network goes down you lose both voice and data, increasing the risk and worry
    • I worry about staff; I can't protect the network from internal sabotage, disgruntled network administrators, IT personnel, etc.
    • I worry about new computers being plugged into the network after they have been off net
    • I worry about the new wide range of handheld IP devices which people plug in at will from near and far-flung locations
    • I worry about security in the public cloud
    • I worry about the virtual environment; it has 60% of my server power
    • I worry about employees working at home bridging networks via WLANs, opening up access to our network
    Source: Nick Lippis, Trusted Networks Symposium
  • 10. GETTING THERE
    • Technical / Tactical, “Build Success Early”: establish a meaningful early win; risk management; risk approach; define the threat landscape
    • Management, “Organize and Architect”: align people & process to meet multiple regulations; information security management framework
    • Technical / Strategic, “Actionable Foundation”: increase technical visibility, command and control; integrated security operations capability; network access control
    • Business Management, “Balanced Approach to the Business”: employ metrics to measure against the business goals; security services management
  • 11. SECURITY PAIN
    • Security investments based on ROSI
    • Executives growing weary
    • Less talk, more revenue
    • Diminishing expectations of security investments
    • “More money? What did you do with the last check?”
    • Constant deluge of “new” security problems
    • Regulatory compliance challenges
    • Cultural challenges inside and outside IT
    • Cyber security & advanced persistent threats
  • 12. CYBER THREATS AND BUSINESS TARGET
  • 13. CYBER RISKS ARE AN INCREASING THREAT TO SOURCES OF ENTERPRISE CAPABILITY AND BRAND COMPETITIVENESS
    • Extortion (now): phishing and pharming driving increased customer costs, especially for the financial services sector; DDoS extortion attacks
    • Loss of intellectual property/data (now): national security information / export-controlled information; sensitive competitive data; sensitive personal/customer data
    • Potential for disruption: e-business and internal administration; connections with partners; ability to operate and deliver core services; as part of cyber conflict (i.e. Estonia); as target of cyber protest (i.e. anti-globalization)
    • Potential accountability for misuse (emerging, i.e. botnets): reputational hits; legal accountability
    • Potential for data corruption: impact on operations or customers through data poisoning attacks
    • Terrorism (now): DDoS attacks; focused attacks coordinated with physical attacks
  • 14. MASS-SCALE HACKING
    • It's ROI focused.
    • It's not personal: automated attacks against mass targets, not specific individuals.
    • It's multilayer: each party involved in the hacking process has a unique role and uses a different financial model.
    • It's automated: botnets exploit vulnerabilities and extract valuable data, conduct brute-force password attacks, disseminate spam, distribute malware and manipulate search engine results.
    • Common attack types include: data theft or SQL injection; business logic attacks; denial of service attacks.
    Source: Amichai Shulman
  • 15. RECENT INCIDENTS: RISE OF THE PROFESSIONALS
    • Estonia: as part of unrest and pro-Russian riots in Tallinn, the Internet-embracing nation undergoes massive online attacks from ethnic Russians
    • Zeus Trojan: Zeus, capable of defeating the one-time password systems used in the finance sector, targets commercial bank accounts and has gained control of more than 3 million computers in the US alone
    • Stuxnet: Stuxnet is a computer worm discovered in June 2010. It initially spreads via Microsoft Windows and targets Siemens industrial software and equipment. While it is not the first time that hackers have targeted industrial systems,[1] it is the first discovered malware that spies on and subverts industrial systems,[2] and the first to include a programmable logic controller (PLC) rootkit.[3][4]
  • 16. NEW TRENDS IN CYBER THREATS
  • 17. CYBER SECURITY: Are you the next victim?
  • 18. BEFORE 2009
  • 19. 2010 - THE YEAR HACKING BECAME A BUSINESS
    2010 was the year hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer software developers and sellers. It was the year when cyber-criminals targeted everything from MySpace to Facebook. Are you one of the victims in June?
  • 20. WE ARCHIVED 1,419,202 WEB-SITE DEFACEMENTS
    Attacks by month, year 2010: Jan 53,915; Feb 57,867; Mar 73,712; Apr 95,078; May 83,182; Jun 81,865; Jul 87,364; Aug 63,367; Sep 185,741; Oct 194,692; Nov 258,355; Dec 184,064; total 1,419,202.
    Source: Trend Micro
  • 21. HACKING AS BUSINESS
    Hacking isn't a kids' game anymore; it has a price …$$$… The black market (USD):
    • Trojan program to steal online account information: $980-$4,900
    • Credit card number with PIN: $490
    • Billing data, including account number, address, Social Security number, home address, and birth date: $78-$294
    • Driver's license: $147
    • Birth certificate: $147
    • Social Security card: $98
    • Credit card number with security code and expiration date: $6-$24
    • PayPal account logon and password: $6
    Data source: Trend Micro
  • 22. HACKING AS SERVICES
    • DDoS attacks. The price usually depends on the attack time: 1 hour - US$10-20 (depends on the seller); 2 hours - US$20-40; 1 day - US$100; more than 1 day - from US$200 (depends on the complexity of the job). It is worth highlighting that they normally offer 10 minutes of testing: if you are interested, you tell them the server and they will perform a DoS attack for 10 minutes so that you can evaluate the ‘service’.
    • Spam. Hosting: US$200; dedicated spam server: US$500; 10,000,000 mails per day: US$600; SMS spam (per message): US$0.2; ICQ (1,000,000): US$150
    • Hiding of executable files, to avoid antivirus programs and firewalls (they guarantee that the files won’t be detected even by the antivirus updates of the date of purchase): from US$1 to US$5 per executable file (cheap, isn’t it?)
    • RapidShare premium accounts (server hosting): 1 month - US$5, 2 months - US$8, 3 months - US$12, 6 months - US$18, 1 year - US$28
  • 23. HACKING AS ORGANIZED CRIME
    Cyber criminals have become an organized bunch. They use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together.
    • Software as a Service for criminals: attackers use sophisticated trading interfaces to classify stolen accounts by the FTP server’s country of origin and the compromised site’s Google page ranking. This information enables attackers to determine the resale cost of the compromised FTP credentials to other cybercriminals, or to leverage them themselves in an attack against more prominent web sites.
    • Malware that encrypts data and then demands money to provide the decryption key: FileFixPro
  • 24. YEAR 2011: SONY CASES, APRIL-JUNE 2011 (date, event)
    • 2011-04-04: Anonymous engages in Sony DDoS attacks over GeoHot PS3 lawsuit
    • 2011-04-20: Sony PSN offline
    • 2011-04-26: PSN outage caused by Rebug firmware
    • 2011-04-26: PlayStation Network (PSN) hacked
    • 2011-04-27: Ars readers report credit card fraud, blame Sony
    • 2011-04-28: Sony PSN hack triggers lawsuit; Sony says SOE customer data safe
    • 2011-05-02: Sony Online Entertainment (SOE) hacked; SOE network taken offline
    • 2011-05-03: Sony Online Entertainment (SOE) issues breach notification letter
    • 2011-05-05: Sony brings in forensic experts on data breaches
    • 2011-05-06: Sony networks lacked firewall, ran obsolete software: testimony
    • 2011-05-07: Sony succumbs to another hack leaking 2,500 "old records"
    • 2011-05-14: Sony resuming PlayStation Network, Qriocity services
    • 2011-05-17: PSN accounts still subject to a vulnerability
    • 2011-05-18: Prolexic rumored to consult with Sony on security
    • 2011-05-20: Phishing site found on a Sony server
    • 2011-05-21: Hack on Sony-owned ISP steals $1,220 in virtual cash
    • 2011-05-22: Sony BMG Greece the latest hacked Sony site
    • 2011-05-23: LulzSec leak Sony's Japanese websites
    • 2011-05-23: PSN breach and restoration to cost $171M, Sony estimates
    • 2011-05-24: Sony says hacker stole 2,000 records from Canadian site (Sony Ericsson)
    • 2011-06-02: LulzSec versus Sony Pictures
    • 2011-06-02: Sony BMG Belgium (sonybmg.be) database exposed
    • 2011-06-02: Sony BMG Netherlands (sonybmg.nl) database exposed
    • 2011-06-02: Sony, Epsilon testify before Congress
    • 2011-06-03: Sony Europe database leaked
    • 2011-06-05: Latest hack shows Sony didn't plug holes
    • 2011-06-05: Sony Pictures Russia (www.sonypictures.ru) databases leaked
    • 2011-06-06: LulzSec hackers post Sony Computer Entertainment Developer Network (SCE Devnet)
    • 2011-06-06: LulzSec hits Sony BMG, leaks internal network maps
    • 2011-06-08: Sony Portugal latest to fall to hackers
    • 2011-06-08: Spoofing led to fraud via shopping coupons at Sonisutoa / My Sony Club (Google translation)
    • 2011-06-11: Spain arrests 3 suspects in Sony hacking case
    • 2011-06-20: SQLi on sonypictures.fr
    • 2011-06-23: Class action lawsuit filed against Sony/SCEA
    Non-Sony events marked on the same timeline: Anonymous leaks Bank of America e-mails; Lulz Security hackers target Sun website; Hong Kong Stock Exchange website hacked, impacts trades.
  • 25. CYBER CRIME AND CYBER ESPIONAGE ARE HAVING REAL IMPACTS
    • Estimated $1 trillion of intellectual property stolen each year (Gartner & McAfee, Jan 2010)
    • Cybercrime up 63% in 2011 (McAfee)
    • Topped $20 billion at financial institutions
    • Reported cyber attacks on U.S. government computer networks climbed 40% in 2011
    • RSA breached (March 2011)
    • DigiNotar bankrupt (2011)
    Source: Report of the CSIS Commission on Cyber Security for the 44th Presidency
  • 26. RSA BREACH
    • March 11, 2011: breach detected, not public
    • Thursday March 17, 2011: story broke; Threat Intelligence Committee call
    • Friday March 18, 2011: Cyber UCG call; NCI call with DHS; Threat Intelligence Committee call w/RSA; FS-ISAC membership call w/RSA; NCI call; Mitigation Report Working Group calls; Mitigation Report
  • 27. 75% OF ATTACKS OCCUR THROUGH WEB APPLICATIONS - GARTNER
    • Approximately 66 vulnerabilities per website were found, for a total of 210,000 vulnerabilities over the scanned population.
    • 50% of the websites with instances of high vulnerabilities were susceptible to SQL injection, while 42% of these websites were prone to cross-site scripting. Other serious vulnerabilities include blind SQL injection, cross-site scripting, CRLF injection and HTTP response splitting, as well as script source code disclosure.
    Web security risks are growing.
    Sources: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open-Source Vulnerability Database, and the Symantec Vulnerability Database; http://www.acunetix.com/news/security-audit-results.htm
  • 28. VISIBILITY OF ADVANCED PERSISTENT THREATS: invisible. Source: Douwe.Leguit@govcert.nl, April 2010
  • 29. TODAY’S THREAT LANDSCAPE (four quadrants of the diagram, spanning network intelligence and user intelligence)
    • Undetected attacks (vulnerability assessment): vulnerabilities and compromised machines may lie dormant for months, awaiting an attacker to exploit them. Requires vulnerability awareness and end-point intelligence.
    • External attacks (intrusion prevention): trojans, viruses, worms, phishing… not protected by firewalls. Requires IPS.
    • Porous perimeter (network behavior analysis, NBA): every machine is a peering point; laptops carry infection past firewalls. Requires IDS.
    • Information leakage (network access control, NAC): point-to-point VPNs plus desktop and mobile internet connections provide ample opportunity. Requires compliance monitoring and enforcement.
  • 30. APPROACH TO TARGET NEW CYBER THREATS
  • 31. ENTERPRISE SECURITY ARCHITECTURE (layers of the diagram): end point security; network security; system security; data security; application security; operational security; physical / data center security; personnel security; security management
  • 32. THE ENTERPRISE TODAY - MOUNTAINS OF DATA, MANY STAKEHOLDERS
    Use cases: malicious code detection; real-time monitoring; spyware detection; troubleshooting; access control enforcement; configuration control; privileged user management; lockdown enforcement; unauthorized service detection; false positive reduction; IP leakage; user monitoring; SLA monitoring.
    Log sources: web server logs; web cache & proxy logs; user activity logs; content management logs; switch logs; IDS/IDP logs; VA scan logs; router logs; Windows logs; Windows domain logins; VPN logs; firewall logs; wireless access logs; Linux, Unix and Windows OS logs; Oracle and financial logs; mainframe logs; client & file server logs; DHCP logs; SAN file access logs; VLAN access & control logs; database logs.
    Sources from RSA
  • 33. SECURITY MANAGEMENT IN A DYNAMIC ENVIRONMENT
  • 34. RISK BASED APPROACH FOR SECURITY MANAGEMENT
    Risk management: the business model
    • Security is relative: many risks and many solutions
    • Security is everyone’s business
    • Security is a process: things fail all the time
    • Variety of options: accept the risk; mitigate the risk with people/procedure/technology; transfer the risk
  • 35. STEPS FOR BETTER SECURITY - Step 1: Know your risks
    Inputs to the risk picture (diagram): internal and external threats; regulatory and compliance force; business ROSI (return on security investment); cost of doing business; assets (system, data, application, process); vulnerability.
    • Risk assessment / compliance assessment
    • Vulnerability assessment
    • Web application assessment / PenTest
  • 36. STEPS FOR BETTER SECURITY - Step 2: Visualize your situation
    • System monitoring
    • Logs consolidation
    • Intelligent correlation
    • SIEM (Security Information & Event Management) solution
    • SOC (Security Operation Center)
    • Incident management (ITIL process)
  • 37. STEPS FOR BETTER SECURITY - Step 3: Knowing your enemy’s behavior
    You need investigation tools:
    • for pervasive visibility into content and behavior
    • providing precise and actionable intelligence
  • 38. WHAT’S IN A SOC What is it? What does it do? What’s a good one and what’s a bad one? Is it worth the time/money?
  • 39. TOP TECHNICAL ISSUES
    • Increase speed of aggregation and correlation
    • Maximize device and system coverage
    • Improve ability to respond quickly
    • Deliver 24 x 7 coverage (this doesn’t have to be done by the SOC!)
    • Support for federated and distributed environments
    • Provide forensic capabilities
    • Ensure intelligent integration between SOCs and NOCs
  • 40. SOC FRAMEWORK (building blocks of the diagram)
    • Industry standards and best practices (ITIL, BS7799/ISO17799, SANS, CERT)
    • Service delivery tools (helpdesk, monitoring, mgmt., reporting, configuration, automation/workflow)
    • Web portal (operational windows 24x7, 8x5, 12x7; advisories)
    • Security center of excellence (test bed, technology innovation, testing, product evaluation)
    • Command center (incident & problem mgmt., knowledge mgmt., trainings)
    • Knowledgebase
    • Infra. mgmt. stream: device supervision (performance, incident, monitoring); device operations (change, installation, configuration)
    • Security mgmt. stream: security monitoring; security change; security advisory; incident management; reporting
    • Program management: people resource (cross skilling, rotation, training, ramp-up and scale down); customer interface; escalation mgmt.; strategic assistance; operational supervision, quality control; vendor mgmt.
    • Service delivery operational models (onsite, near shore and offshore; SOC and ODC)
  • 41. SOC OR OPERATIONAL SOC…
    Stakeholders: server engineering; business ops.; compliance; audit; risk mgmt.; security ops.; desktop ops.; network ops.; application & database.
    Core functions: report; baseline; alert/correlation; asset identification; forensics.
    Compliance operations and security operations: access control; access control enforcement; log mgmt.; configuration control; SLA compliance monitoring; incident mgmt.; malicious software; false positive reduction; policy enforcements; real-time monitoring; user monitoring & management; unauthorized network service detection; environmental & transmission security; more…
    All the data, log management: any enterprise IP device (Universal Device Support, UDS); no filtering, normalizing, or data reduction; security events & operational information; no agents required … for compliance & security operations.
  • 42. THE 3 (MAIN) FUNCTIONS OF A SOC
    • The reason for a SOC: business continuity, risk mitigation, cost efficiency
    • What does the SOC do?
      1. Real-time monitoring / management: aggregate logs; aggregate more than logs; coordinate response and remediation; “Google Earth” view from a security perspective
      2. Reporting / custom views: security professionals; executives; auditors; consistent
      3. After-action analysis: forensics; investigation
    • Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to the business, transparency, passing audits, consistency, reproducibility
    • Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk, failing audits, inconsistency
  • 43. PRIORITIZATION AND REMEDIATION
    • Deal with what’s most relevant to the business first!
    • Gather asset data
    • Gather business priorities
    • Understand the business context of an incident
    • Break down the IT silos
    • Coordinate responses
    • Inform all who need to know of an incident
    • Work with existing ticketing / workflow systems
    • Threat * Weakness * Business Value = Risk
    • Deal with BUSINESS RISK
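Slide 43's formula worked through as an added example (not code from the presentation): a constructed asset inventory and a constructed finding list are scored with Threat * Weakness * Business Value, and the remediation queue is ordered by business risk rather than by technical severity. Asset names, scores, the unknown-asset default and the priority thresholds are assumptions.

```python
"""Business-risk prioritization (Threat * Weakness * Business Value = Risk).

Added example, not from the presentation. Asset inventory, business values,
findings and scores below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_value: int  # 1 (low) .. 5 (critical), set by the business owners


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    threat: float    # likelihood the weakness is actually attacked, 0.0 .. 1.0
    weakness: float  # how exposed / poorly controlled the asset is, 0.0 .. 1.0


# Constructed asset data ("gather asset data", "gather business priorities").
ASSETS = {
    "core-banking-db": Asset("core-banking-db", 5),
    "public-web": Asset("public-web", 4),
    "hr-portal": Asset("hr-portal", 2),
    "dev-test-box": Asset("dev-test-box", 1),
}

# Assumption: an asset missing from the inventory gets a conservative middle
# value and is flagged, so the inventory gap itself becomes visible.
UNKNOWN_ASSET_VALUE = 3

# Constructed findings as a scanner or SOC analyst might record them.
FINDINGS = [
    Finding("dev-test-box", "Remote code execution, public exploit", 0.9, 0.9),
    Finding("core-banking-db", "Weak password policy on service account", 0.5, 0.6),
    Finding("public-web", "SQL injection in login form", 0.8, 0.7),
    Finding("unknown-host", "Outdated TLS configuration", 0.3, 0.5),
]


def business_risk(finding, assets=ASSETS):
    """Return (risk, inventory_gap) for one finding using the slide's formula."""
    asset = assets.get(finding.asset)
    value = asset.business_value if asset else UNKNOWN_ASSET_VALUE
    return finding.threat * finding.weakness * value, asset is None


def prioritize(findings, assets=ASSETS):
    """Order findings by business risk, highest first.

    Returns a list of (risk, inventory_gap, finding) tuples."""
    scored = []
    for f in findings:
        risk, gap = business_risk(f, assets)
        scored.append((round(risk, 3), gap, f))
    scored.sort(key=lambda entry: entry[0], reverse=True)
    return scored


def to_ticket(entry):
    """Shape one prioritized entry for an existing ticketing / workflow system.

    Assumption: P1 at risk >= 2.0, P2 at risk >= 1.0, otherwise P3."""
    risk, gap, finding = entry
    priority = "P1" if risk >= 2.0 else "P2" if risk >= 1.0 else "P3"
    return {
        "priority": priority,
        "asset": finding.asset,
        "title": finding.title,
        "risk": risk,
        "note": "asset missing from inventory" if gap else "",
    }


if __name__ == "__main__":
    # The dev box RCE (highest technical severity) lands third: business value 1.
    for entry in prioritize(FINDINGS):
        print(to_ticket(entry))
```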
  • 44. SOC AND BUSINESS EXPECTATION
    Historical (technology based services), monitoring & management of: firewalls; IDS/IPS; VPN concentrators; antivirus; content filtering; log management; incident management.
    Today’s scenario (business oriented), IT risk management: IT risk dashboard; sustaining enterprise security control; meeting industry process; compliance driven; security control assessment; enforcing enterprise security policies; audits.
  • 45. SOC ANATOMY (proactive IT risk management cycle)
    1. Define IT risk management: identify business units & services; identify applicable regulations; discover & classify assets; assign values to assets; define policies, procedures, standards & guidelines; establish process
    2. Threats & vulnerability identification: identify threat sources; identify potential threats; scan assets for vulnerabilities; prioritize vulnerabilities; identify existing control mechanism; review existing mitigation plan; review procedures & process; review existing control mechanism
    3. Impact analysis & risk determination: analyze likelihood of threat exploitation; identify magnitude of impact on business; prioritize risks
    4. Risk mitigation: verify control mechanism; control recommendation & benefit analysis; prepare/modify risk mitigation plan; execute mitigation plan / implement new controls
    5. Monitor & analyze: monitor environment continuously for new threats & vulnerabilities; analyze whether risk is acceptable
    6. Verify control effectiveness: conduct tests to verify control is effective; report residual risk; management signoff for residual risk
  • 46. SOLUTION MAPPING TO SOC SERVICES
    Services: threats & vulnerability identification (zero day attack detection); impact analysis & risk determination; risk mitigation; monitor & analyze.
    Solutions mapped to them: vulnerability assessment; penetration testing; infrastructure assessment service; recommendation of security control; implementation of security controls; security device management; end user security control; 24x7 monitoring of security events; enterprise incident response; enterprise risk dashboard; compliance reports; etc.
  • 47. SOC ARCHITECTURE
    Data-center 1 to data-center n (server farms, storage), connected over the corporate WAN to other business units and to the SOC centralized management portal.
    • L1: performance monitoring; security monitoring; availability monitoring; scheduled reporting
    • L2 (risk monitoring): threat analysis; risk assessment; manage performance; manage availability; trend analysis and reporting; compliance management
    • L3: risk mitigation plan; control verification; compliance impact analysis; manage new requirements
    Support process framework: ITIL, best practise, ISO 27001, SANS, FDDI
  • 48. PROACTIVE SOC APPROACH
    Security analytics: logs; event correlation; proactive intelligence; forensics; reports & statistics; infrastructure assessment service; vulnerability assessment & penetration testing; vulnerability management; customized advisories; knowledgebase.
    Security operations & management: incident mgmt; problem mgmt; release mgmt; change mgmt; configuration mgmt; customer technical support etc.
    Standards: BSI 15000, ITIL, ISO, ISO27001
  • 49. PEOPLE, PROCESS, OR TECHNOLOGY PROBLEM?
  • 50. SOC OPERATIONAL MODEL (PEOPLE)
    • L3, security incident managers: incident handling & closure; compliance impact analysis; manage new requirements
    • L2, security analysts: incident analysis & validation; vulnerability assessment & remediation support; device mgmt. tasks; trend monitoring & analysis; vulnerability impact analysis; escalation management; compliance reporting
    • L1, security operators: security event monitoring; incident detection & 1st level analysis; routine maintenance & operational tasks; operational reporting
    • SOC service delivery structure: service mgmt. reporting; performance mgmt.; problem mgmt.; change & release mgmt.; configuration mgmt.; service level mgmt.; availability & continuity mgmt.
    • SOC management team: resource management, skill development; operational process improvement; program escalation management; customer management; SOC incident management
    • SOC engineering: management of SOC tool configuration; implementation projects; enhancement to SOC tools; architecture design of SOC; transformation projects for SOC; enhancement projects
    • SOC security vendor management: technical support; incident escalation; product support; compliance mgmt.; trainings; incident mgmt.
    • COEs: threat A&A; innovation; benchmarks; reuse components/solutions
    • Knowledgebase / security portal; threat alert & advisory
  • 51. SOC OPERATIONAL MODEL (PROCESS) (data-flow diagram; only its labels are recoverable)
    Network sources: firewalls; IDS; syslogs; SNMP. Industry sources (HEWLETT PACKARD). SOC tool footprint: agent and manager; asset vulnerability and asset criticality information; raw log data is normalized into alerts & information. Dashboard view via portal: real-time normalised alerts; real-time security analysis; alert management; consolidated logs; action, response & remote management from SOC management.
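Slide 36 (logs consolidation, intelligent correlation, SIEM) and slide 51 (normalize raw log data, asset criticality, real-time normalised alerts) describe one pipeline. The following added example, which is not the presentation's code, normalizes two constructed log formats into a common schema, correlates logon failures across hosts and sources, and enriches the alert with asset criticality. The log lines, regexes, field names, threshold and asset table are assumptions.

```python
"""Consolidate, normalize and correlate logs the way the slides' SIEM step does.

Added example, not from the presentation. The log lines, the regexes, the
asset criticality table and the alert threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: Linux sshd syslog lines and a simplified Windows
# logon-failure record (event 4625), as a collector might receive them.
RAW_LOGS = [
    "2012-05-15T09:00:01 srv-web-1 sshd[1201]: Failed password for admin from 203.0.113.7 port 50122 ssh2",
    "2012-05-15T09:00:05 srv-web-1 sshd[1203]: Failed password for admin from 203.0.113.7 port 50130 ssh2",
    "2012-05-15T09:00:09 DC01 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 Status=0xC000006D",
    "2012-05-15T09:00:14 srv-db-1 sshd[4412]: Failed password for oracle from 203.0.113.7 port 50140 ssh2",
    "2012-05-15T09:30:00 srv-web-1 sshd[1250]: Accepted publickey for deploy from 198.51.100.9 port 41000 ssh2",
    "2012-05-15T09:31:00 srv-web-1 sshd[1251]: Failed password for deploy from 198.51.100.9 port 41002 ssh2",
    "2012-05-15T09:32:00 srv-web-1 kernel: eth0: link is up",  # not parsed, dropped
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"\S+ for (?P<user>\S+) from (?P<src>\S+)"
)
WINLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"
)

# Constructed asset criticality table (slide 51: "Asset Criticality"), 1..5.
ASSET_CRITICALITY = {"srv-db-1": 5, "DC01": 5, "srv-web-1": 3}


def normalize(line):
    """Map one raw line onto the common schema; None for lines we do not parse."""
    m = SYSLOG_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "user": m["user"], "src": m["src"], "source": "syslog",
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    m = WINLOG_RE.match(line)
    if m and m["eid"] == "4625":  # 4625: an account failed to log on
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "user": m["user"], "src": m["src"], "source": "windows",
                "outcome": "failure"}
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one source address causes >= threshold logon failures against
    at least two different hosts inside the window; one alert per source."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            failures[e["src"]].append(e)
    alerts = []
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            hosts = {e["host"] for e in burst}
            if len(burst) >= threshold and len(hosts) >= 2:
                alerts.append({
                    "src": src,
                    "hosts": sorted(hosts),
                    "count": len(burst),
                    "sources": sorted({e["source"] for e in burst}),
                    # Enrichment: the most critical asset touched drives priority.
                    "criticality": max(ASSET_CRITICALITY.get(h, 1) for h in hosts),
                })
                break
    return alerts


def run(lines=RAW_LOGS):
    """Consolidate -> normalize -> correlate; returns the alert list."""
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The single failure from 198.51.100.9 stays below the threshold and produces no alert, while the burst from 203.0.113.7 is reported once with the domain controller's criticality attached.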
  • 52. SOC OPERATIONAL MODEL (TECHNOLOGY)
    Event explorer: analyze (baseline; correlated alerts; report; realtime forensics; interactive query; integrated incident analysis/mgmt.), manage, collect.
    Collect via UDS from supported devices: Windows device; Netscreen firewall; Cisco IPS; Juniper IDP; Microsoft server; Trend Micro antivirus; ISS; legacy devices.
  • 53. SOC KEY DIFFERENTIATION AREAS
  • 54. INTEGRATED CMDB
    CMDB data: config items; work items; relationships.
    Configuration Management Database (CMDB) features:
    • Connectors sync data with external systems
    • Create, update, and view CIs
    • Create relationships among CIs, WIs, IT staff, and Active Directory® Domain Services (AD DS) users
    • Automatically track CI change history
    • Service definition and mapping
    Integrated | Efficient | Business
  • 55. WHAT OUR CUSTOMER DATA TELLS US
    Operational issues account for 76% of Critical Situations (CritSits): 48% misconfiguration (of which 33% were due to installation issues and 67% to POST-installation ‘changes’); 22% are how-to related (poor / improper operations of the environment); 21% is everything else combined (“unclassified” or ‘other’); 6% due to KNOWN bugs, already fixed; 3% NEW bugs.
  • 56. INCIDENT MANAGEMENT: keep users and data center services up and running, and restore service quickly
    • Process workflows
    • Escalations
    • Notifications
    • Customizable templates
    • Knowledge & history
    • Automatic incident creation from: Desired Configuration Monitor (DCM) errors; Operations Manager alerts; inbound email; portal
  • 57. CASE MANAGEMENT: enables organizations to identify and track problems
    • Problem creation from similar incidents or attacks
    • Link incidents and change requests to a problem
    • Auto resolution of incidents linked to the problem
  • 58. CHANGE MANAGEMENT: minimize errors and reduce risk
    • Typical change models: standard, major, emergency…; review and manual activities
    • Customizable templates
    • Workflows and notifications
    • Analyst portal: approvals via web
    • Relate change requests to incidents, problems and configuration items
  • 59. VULNERABILITY MANAGEMENT PROCESS (cycle)
    1. Discovery (mapping)
    2. Asset prioritisation (and allocation)
    3. Assessment (scanning)
    4. Reporting (technical and executive)
    5. Remediation (treating risks)
    6. Verification (rescanning)
  • 60. INVESTIGATIONS AND FORENSICS
    • Being able to investigate and manipulate data
    • Visualization
    • Post-event correlation
    • Managing by case / incident
    • Chain of custody
    • Integrity of data
  • 61. [Slide image: crime scene tape]
  • 62. II. CSIRT
    • Organization decision on building a team based on size and ROSI
    • Compose the team, or select members who can escalate and take the initial necessary action
    • Train the team on the most common situations and scenarios
    • Acquire the required tools
  • 63. Q&A. Mahmoud.yassin@nbad.com, myassin75@gmail.com. THANK YOU. 15/05/2012