CA World 2007 SOC integration
Presentation for CA World 2007 in Las Vegas on the topic of integrating SIEM with the SOC. This was the evolution of a previous presentation.

Presentation Transcript

  • Best Practices for Building a Security Operations Center: Untangling the Mess Created by Multiple Security Solutions (SS102SN, Security Information Management Track)
  • Abstract
    • Ensuring compliance and delivering business continuity through operational efficiencies and enablement are the goals of a well-designed Security Operations Center but are rife with challenges. This presentation uncovers strategies for how you can collect, analyze and effectively respond to millions of event messages through a cohesive security information management system. The discussion covers end-to-end security information management (including collection, analysis, remediation, reporting and forensics), provides recommendations for culturalizing the knowledge of internal vulnerabilities and network exploits, overviews how you can help your organization demonstrate compliance with industry and regulatory standards using a security information management system, and previews workflow processes that bridge the gap between the security operations center and the network operations center.
  • Biography
    • Michael Nickle, CISSP CA, Inc.
      • Mr. Nickle is the Global Solution Director for SIEM and Access Management products at CA helping clients select the appropriate solutions and services to meet their technology objectives. He has worked with a wide variety of CA clients including Merck, USDA, BNP Paribas, Canon, Eircom and government of British Columbia.
  • Agenda
      • SIEM Overview
      • SOC v. NOC
      • What’s in a SOC
      • Best Practices
      • An Example
      • CA Portfolio (Brief)
      • Conclusion
  • SIEM Overview
  • Security Needs to be Managed
    • Functions shown on the slide: SSO, Access Management, Authentication, Policy Management, Reporting, Web Services, Password Management, Authorization, Provisioning, Virus Protection, Asset Discovery & Classification, Event Collection, Anti-Spam, Spyware Prevention, Gateway Protection, Firewall Protection, Malware Protection, Scan & Clean, Proactive Management, Federation, Forensics, Compliance Mapping, Correlation, Vulnerability Assessment
  • Top Business Issues and Drivers
      • Reduce Risk and Downtime
      • Ease Administrative Overhead
      • Identify People and Responsibilities
      • Determine Escalation Path
      • Support Audit and Compliance Objectives
      • Provide Incident Response and Recovery
  • Security Information Management Current Problems
    • Compliance - Monitor and validate regulatory compliance
      • Business Continuity
        • Proactively contain the increasing threats and vulnerabilities
      • Operational Efficiencies and Enablement
        • Manage millions of events (reduce noise) and manage key security threats for business critical assets
        • Align security to business
    The Solution
    • Collect, Analyze & Respond through Security Information Management
      • End-to-end Security Information Management: Collection through analysis, remediation, reporting and forensics
      • Establish Knowledge of Internal Vulnerabilities and Network Exploits
      • Help Demonstrate Compliance with Industry and Regulatory Standards
      • Bridge the gap between SOC and NOC
  • SIM Functions
    • Collect
      • Asset Discovery
      • Asset Value Classification
      • Events & Information Collection
    • Analyze
      • Correlation, Predictive Analysis & Anomaly Detection
      • Vulnerability Risk Analysis
      • Forensic Analysis
      • Incident Categorization
      • Centralized Policy Management
    From Discovery through Resolution
    • Respond
      • Alerting
      • Automated Trouble Ticketing
      • Workflow
      • Corrective Actions & Remediation Recommendations
  • SOC Stakeholders
    • Security Analyst (sometimes IT Administrator): intuitive investigation console that eases log analysis tasks and automates incident identification and repetitive response tasks
    • Security Manager: operational dashboard that highlights areas of risk or immediate threat and enables quick drill down to incident status and event detail
    • Security Officer: compliance-oriented reporting that reflects current status against the organization’s key security objectives
    • CIO: dashboard and/or reports that reflect organizational risk status and security trends
    • Auditor: report interface to key security metrics
  • Remember… Business and Technology Drivers
    • SIM Is A Strategic Business Requirement: Risk Management, Compliance, Event and Information Management, and Forensics
    Technology Drivers
    • More Applications
    • More Events
    • More Threats
    • More People
    • More Incidents
    • More Management
    Business Drivers
    • Regulatory Compliance
    • Risk Management
    • Asset Protection
    • Costs Containment
    • Service Continuity
    • Business Enablement
  • SOC v. NOC
  • IT Security Silos (diagram: Sales, HR and Other each with their own Network, Perimeter and Application security)
  • Breaking down the IT Security Silos (diagram: Other, Sales, HR)
  • Top Technical Issues
      • Increase Speed of Aggregation and Correlation
      • Maximize Device and System Coverage
      • Improve Ability to Respond Quickly
      • Deliver 24 x 7 Coverage (this doesn’t have to be done by the SOC!)
      • Support for Federated and Distributed Environments
      • Provide Forensic Capabilities
      • Ensure Intelligent Integration between SOCs and NOCs
  • SOC / NOC
    • SOC and NOC / stand-alone
      • Decide if the SOC is 24 x 7 – it doesn’t have to be
      • Delineate responsibilities
    • SNOC / Integrated
      • If you don’t have a “checks-and-balances” mandate, this makes sense
      • The SOC here assumes IT has absorbed “security” as a function, and “security professionals” tend to act as an overlay
    • Integration to the rest of the Enterprise
      • Keep in mind the integration with the rest of the business
  • What’s in a SOC
    • What is it? What does it do? What’s a good one and what’s a bad one? Is it worth the time/money?
  • Where Does the SOC fit?
    • Diagram components: External Data Sources, Context for events, Internal Logs, Log Aggregation, Process Reviews, Feed from the NOC, Tie into Remediation, Workflow/Ticketing, Event Journaling, Training, Automatic Notifications, Reports, Access for the NOC, Vulnerability Assessment, Asset Inventory, SOC Audit Checks, Health Monitoring, Archival
  • What Does a Security Operations Center Do?
    • Enables organizations to clearly understand:
      • Who has access to what within their IT environment?
      • What is happening in that environment?
      • What actions need to be taken based on this information?
    • Some important things it does not do:
      • Replace remediation
      • By-pass change management
      • Centralized policy management
  • The 3 (main) functions of a SOC
    • The reason for a SOC: Business Continuity, Risk Mitigation, Cost Efficiency
    • What does the SOC do?
      • Real-time monitoring / management
        • Aggregate logs
        • Aggregate more than logs
        • Coordinate response and remediation
        • “Google Earth” view from a security perspective
      • Reporting / Custom views
        • Security Professionals
        • Executives
        • Auditors
        • Consistent
      • After-Action Analysis
        • Forensics
        • Investigation
    • Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to the business, transparency, passing audits, consistency, reproduce-ability
    • Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk, failing audits, inconsistency
  • Prioritization and Remediation
    • Act on what’s most relevant to the business first!
      • Gather asset data
      • Gather business priorities
      • Understand the business context of an incident
    • Break down the IT silos
      • Coordinate response
      • Inform all relevant parties of an incident
      • Work with existing ticketing / workflow systems
    • Threat * Weakness * Business Value = Risk
    • Proactively address BUSINESS RISK
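The slide's formula, Threat * Weakness * Business Value = Risk, applied to a small constructed asset inventory and alert set. This is an added illustration, not code from the presentation or a CA product; the 1..5 scales, the asset and alert names and the handling of assets missing from the inventory are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    """Inventory entry: business_value comes from the business priorities, weakness from
    the vulnerability assessment of the asset (both 1..5, an assumed scale)."""
    name: str
    business_value: int
    weakness: int

@dataclass(frozen=True)
class Alert:
    """A correlated alert with an assumed 1..5 threat severity."""
    asset: str
    threat: int
    description: str

def risk(alert, asset):
    """The slide's formula: Threat * Weakness * Business Value = Risk."""
    return alert.threat * asset.weakness * asset.business_value

def prioritise(alerts, inventory):
    """Rank alerts highest business risk first. Alerts on assets missing from the
    inventory cannot be scored; they are returned separately so the inventory gap is
    fixed rather than the alert being silently dropped or guessed at."""
    ranked, unclassified = [], []
    for alert in alerts:
        asset = inventory.get(alert.asset)
        if asset is None:
            unclassified.append(alert)
        else:
            ranked.append((risk(alert, asset), alert))
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked, unclassified

# Constructed sample inventory and alerts (not from the presentation's case study).
INVENTORY = {
    "timing-server": Asset("timing-server", business_value=5, weakness=2),
    "kiosk-12": Asset("kiosk-12", business_value=1, weakness=5),
    "hr-db": Asset("hr-db", business_value=4, weakness=3),
}
ALERTS = [
    Alert("kiosk-12", 5, "worm propagation attempt"),
    Alert("timing-server", 3, "repeated failed admin logons"),
    Alert("hr-db", 2, "port scan from an internal host"),
    Alert("unknown-host", 4, "IDS signature match"),
]
if __name__ == "__main__":
    for score, alert in prioritise(ALERTS, INVENTORY)[0]:
        print(f"risk={score:3d} {alert.asset}: {alert.description}")
```

The highest-severity alert (the kiosk worm) does not come first, because the low-value asset pulls its business risk below the timing server's failed logons; that ordering is the point of gathering business priorities before responding.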
  • Investigations and Forensics
      • Being able to investigate and manipulate data
      • Visualization
      • Post event correlation
      • Managing by case / incident
      • Chain of custody
      • Integrity of data
  • Analogy to record keeping
      • Primary / Secondary logs: some logs are more important than others – how are these identified, marked and maintained?
      • Archival procedures
      • Conscious policy on maintenance of logs and procedures for “destruction”
      • Retention of data
      • “Reproduce-ability” of information!
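A tamper-evident event journal with a per-class retention policy, illustrating the integrity-of-data and chain-of-custody points of the Investigations and Forensics slide and the primary/secondary log, retention and destruction points of the record-keeping analogy. This is an added example, not a CA product feature; the record classes, retention periods and sample records are constructed assumptions.

```python
import hashlib
import json
from datetime import date, timedelta

# Assumed retention policy: primary (evidence-grade) logs are kept longer than secondary ones.
RETENTION_DAYS = {"primary": 365, "secondary": 90}
GENESIS = "0" * 64

def entry_hash(prev_hash, record):
    """Chain each record to its predecessor, so editing or deleting any record breaks the chain."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def journal(records):
    """Build the journal: every record stored with its chained hash."""
    prev, entries = GENESIS, []
    for rec in records:
        h = entry_hash(prev, rec)
        entries.append({"record": rec, "hash": h})
        prev = h
    return entries

def verify(entries):
    """Recompute the chain; return the index of the first bad entry, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if entry_hash(prev, e["record"]) != e["hash"]:
            return i
        prev = e["hash"]
    return -1

def due_for_destruction(entries, today_iso):
    """Apply the retention policy: ids of records whose class retention has lapsed."""
    today = date.fromisoformat(today_iso)
    due = []
    for e in entries:
        rec = e["record"]
        keep_until = date.fromisoformat(rec["date"]) + timedelta(days=RETENTION_DAYS[rec["class"]])
        if keep_until < today:
            due.append(rec["id"])
    return due

# Constructed sample records; the class marks primary versus secondary logs.
RECORDS = [
    {"id": 1, "class": "primary", "date": "2007-01-10", "event": "12 failed admin logons on timing-server"},
    {"id": 2, "class": "secondary", "date": "2007-01-10", "event": "DHCP lease renewed for kiosk-12"},
    {"id": 3, "class": "primary", "date": "2007-03-01", "event": "firewall rule changed by operator"},
]
```

Removing the newest entry is the one change the chain alone cannot reveal, so the latest hash has to be recorded out of band (a signed daily digest, for instance); that record is what lets the journal stand up as a chain of custody.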
  • Best Practices Where to look for how to do this right
  • The Complexity of Regulatory Compliance
    • Continuous Compliance cuts across all areas
    • Business Issues: Business Continuity, Business Enablement, Risk Management, Operational Efficiency
    • Industry Regulations: EU Data Protection, Basel II, ISO 17799, Sarbanes-Oxley, HIPAA, GLBA
    • Risks: Credit Risk, Market Volatility, Reputation, Liability, Competition, Operational Risk
  • COBIT (section DS5.2: Identification, Authorization and Access): … Resources should be restricted … … Prevent Unauthorized … Access …
  • SOX (Source: Section 404, Management Assessment of Internal Controls): Responsibility of management for establishing and maintaining an adequate internal control structure and …periodic review…
  • Don’t reinvent! Copy!
      • Work with others in your industry/sector e.g. Financial Institutions working together on common problems
      • Follow an established model – there are published best practices and processes out there
      • Work with others not in your industry – other Enterprises who aren’t competitors often face the same sorts of problems
  • An Example
    • An example of a SOC and NOC working together the right way
  • Results
    • Atos Origin
      • Secure Olympic Games network with eTrust Security Command Center
      • Protect integrity of times and scores
      • Correlate events to actions
      • Integration with eTrust Vulnerability Manager
      • More than 10,000 assets
    Customer Results: Integration of Network & Systems Management
    • Event sources
      • UNIX SysLogs: 65,000 events*
      • Windows SysLogs: 1,036,800 events*
      • IDS and Access Logs: 1,100,000 events*
      • Firewall: 787,000 events*
      • Antivirus: 12,000 events*
    • Funnel
      • Events: 3 Million
      • Correlated Events: 15,000
      • Distinctive Security Issues: 24
      • Incidents Requiring Action: 8
  • The CA Portfolio
  • Discovery through Remediation: Risk Management, Compliance, Event and Information Management, and Forensics
    • Real-time Aggregation, Correlation in support of Incident Response and Event monitoring
    • Historical Analysis, Trending and Forensics
    • Layers shown: Security Command Center/Audit, Asset Risk Value, Compliance to Policy, Threat Management, Identity and Access Management, Desktop and Server Management, Enterprise and System Management, Vulnerability Management, Security Configuration Management, Network Analysis, EITM Common Services and MDB, Trouble Ticketing / Service Desk, Patch Management, Self-Healing, Forensics Investigation
    • Products mapped onto the layers on the second build of the slide: eTrust Security Command Center / Audit, eTrust Network Forensics, eTrust Policy Compliance, eTrust Vulnerability Manager
  • Summary
      • A Security Operations Center is the keystone of an organization’s security management program
      • Multiple organizational and technical issues should be considered in planning or evaluating a SOC
      • The potential benefits of a SOC are enormous
  • Questions & Answers
  • Related Sessions
    • SG117SN Homeland Security – Cyber Security preparedness and Incident Response
    • SS104SN Customer Case Study: Euriware
    • SS106SN What’s New in the Security Command Center Reporting and Analysis Pack
  • Exhibition Center
    • Related CA and Partner Technology
      • Computer Associates
        • SECSE012 - SIM: Complete Integrated Solution
        • SECSE009 - SCC: Reporting and Analysis
      • Exhibition Center Tours
        • Sign up at Information Desk Booth 453
  • CA Technology Services and Education
    • Hear how CA’s learning solutions can help you meet your business objectives
      • Visit CA Education in the Exhibition Center in Booth 439, visit ca.com/education or call us at 1-800-237-9273
    • Learn how CA Technology Services can help your business
      • Visit the CA Technology Services stations in the exhibition center or on the web at ca.com/services
  • Session Evaluation Form
      • After completing your session evaluation form ...
      • ... place it in the basket at the back of the room.
      • Please left justify the session number