Rothke secure360 building a security operations center (soc)
Presentation from Ben Rothke at Secure360 2010 - Building a Security Operations Center (SOC)


1. Building a Security Operations Center (SOC)
   - Ben Rothke, CISSP, PCI QSA
   - Senior Security Consultant, BT Global Services
2. Agenda
   - Introduction
   - Need for a Security Operations Center (SOC)
   - Components of an effective SOC
   - Deciding to insource or outsource the SOC
   - SOC requirements
   - Q/A
3. About me
   - Senior Security Consultant – BT Global Services
   - Certifications: CISSP, CISM, PCI QSA, CISA, CCO, SITA, Dad
   - IT sector since 1988 and information security since 1994
   - Frequent writer and speaker
   - Author - Computer Security: 20 Things Every Employee Should Know
4. Current Security Challenges
   - Onslaught of security data from disparate systems, platforms and applications
   - Numerous point solutions (antivirus, firewalls, IDS/IPS, ERP, access control, IdM, SSO, etc.)
   - Millions of messages daily
   - Attacks becoming more frequent and sophisticated
   - Regulatory compliance issues place increasing burden on systems and network administrators
5. Current Climate
   - Most organizations inadequately prepared to deal with intrusions and security incidents
   - Address issue only after a serious breach occurs
   - When incident occurs, decisions made in haste, which reduces ability to:
     - Understand extent and source of incident
     - Protect sensitive data contained on systems
     - Protect systems/networks and their ability to continue operating as intended and recover systems
     - Collect information to understand what happened. Without such information, you may inadvertently take actions that can further damage your systems
     - Support legal investigations and forensics
6. Current SOC Climate
   - In recent years, the complexity of managing a SOC has increased exponentially
   - Security operations is not just about perimeter threats anymore
   - Array of hundreds of event sources - firewalls, IPS, IDS, proxy information, applications, identity management, database, router, switch, merchant/PCI, physical security devices and more
   - SOCs are aggregation points of tens of millions of daily events that must be monitored, logged, analyzed and correlated
7. Why do you need a SOC?
   - Designed to be nucleus of all your information and Internet security operations
   - Provides:
     - Continuous prevention
     - Protection
     - Detection
     - Response capabilities against threats, remotely exploitable vulnerabilities and real-time incidents on your networks
   - Works with CIRT to create comprehensive infrastructure for managing security ops
8. SOC Benefits
   - Speed of response time
     - Malware can spread throughout the Internet in minutes or even seconds, potentially knocking out your network or slowing traffic to a crawl
     - Consequently, every second counts in identifying these attacks and negating them before they can cause damage
   - Ability to recover from a DDoS attack in a reasonable amount of time
9. Integrated SOC
   - (diagram not captured in the transcript; only the label "IBM" survives)
10. SOC Functions
    - Real-time monitoring / management
    - Aggregate logs
    - Aggregate data
    - Coordinate response and remediation
    - Reporting
      - Executives
      - Auditors
      - Security staff
    - Post-incident analysis
      - Forensics
      - Investigation
11. SOC Requirements
    - Trained staff
    - Good management
    - Adequate budget
      - Typically, only largest companies have resources to build and staff a dedicated SOC
    - Good processes
    - Integration into incident response
12. SOC Planning
    - Full audit of existing procedures, including informal and ad-hoc
    - Independent consultants to advise on industry best practices
    - Planning of location, resources, training programs, etc.
    - But plans change; don’t try to prepare everything ahead of time
      - Sometimes best approach is not clear until you have actually started
    - Build it like an aircraft carrier
      - Change built into the design
13. SIM Tool
    - Many SOC benefits come from good SIM tool
      - Consolidates all data and analyzes it intelligently
      - Provides visualization into environment
    - SOC is inefficient if overwhelmed with data
      - SIM and configuring it is key
    - Define requirements first
    - Choose SIM that’s flexible and agile, plus:
      - Priority determination
      - Real-time correlation
      - Cross-device correlation
      - Audit and compliance
      - Track and escalate according to threat level
14. SIM Automation
    - Event sources: IDS/IPS, Firewalls/VPNs, Routers, Business Applications, Access Control, Databases, Web Servers, Network O/S, Desktops, Others
    - Volume at each stage:
      - 3 Million Messages Received
      - 186,000 Alerts Processed
      - 180 Tickets Analyzed
      - 3 Direct SOC analyst handled
15. Challenge of SIM & Automation
    - A well-configured SIM can automate much of the SOC process. But…
    - “The more advanced a control system is, so the more crucial may be the contribution of the human operator” – Ironies of Automation, Lisanne Bainbridge
    - Don’t get caught in the hype that a SIM can replace SOC analysts
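The SIM behaviour slides 13 to 15 describe (normalise messages from many device types, correlate them across devices by source address, determine a priority, and escalate to a ticket only what reaches threat level, leaving the rest for analysts) as an added Python sketch that mirrors the messages/alerts/tickets funnel of slide 14. This is not code from the presentation; the log format, the sample messages, the weights, the window and the ticket threshold are all assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample messages from three device types (not real data).
RAW = [
    "2010-05-11T10:00:01 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2010-05-11T10:00:03 fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2010-05-11T10:00:05 ids1 ALERT sig=SSH-brute-force src=203.0.113.7 dst=10.0.0.5",
    "2010-05-11T10:00:09 web1 STATUS 200 src=203.0.113.7 path=/login",
    "2010-05-11T10:00:10 fw1 ACCEPT src=198.51.100.2 dst=10.0.0.8 dport=443",
    "2010-05-11T10:00:12 ids1 ALERT sig=Port-scan src=192.0.2.9 dst=10.0.0.5",
]

# Assumed threat weights per action: only actions with weight > 0 count as alerts.
WEIGHTS = {"ALERT": 5, "DENY": 1, "ACCEPT": 0, "STATUS": 0}
TICKET_THRESHOLD = 6            # assumed: correlated score needed to open a ticket
WINDOW = timedelta(minutes=5)   # assumed correlation window per source address

# Assumed line layout: ISO timestamp, device name, action, then key=value fields.
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (\S+) (\S+) (.*)$")

def parse(line):
    """Normalise one raw message into a dict; returns None for lines that don't fit."""
    m = LINE.match(line)
    if not m:
        return None
    ts, device, action, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "device": device, "action": action, **fields}

def correlate(lines):
    """Cross-device correlation keyed on source IP inside WINDOW.
    Returns (messages received, alerts processed, tickets), like the slide's funnel."""
    events = [e for e in map(parse, lines) if e and "src" in e]
    alerts = [e for e in events if WEIGHTS.get(e["action"], 0) > 0]
    by_src = defaultdict(list)
    for e in sorted(alerts, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    tickets = []
    for src, evs in by_src.items():
        first = evs[0]["ts"]
        in_window = [e for e in evs if e["ts"] - first <= WINDOW]
        score = sum(WEIGHTS[e["action"]] for e in in_window)   # priority determination
        devices = sorted({e["device"] for e in in_window})
        if score >= TICKET_THRESHOLD:                            # escalate by threat level
            tickets.append({"src": src, "score": score, "devices": devices,
                            "severity": "high" if len(devices) > 1 else "medium"})
    return len(lines), len(alerts), tickets
```

On the constructed input, six messages reduce to four alerts and one ticket: the address seen on both the firewall and the IDS crosses the threshold, while the lone port-scan alert stays below it and never reaches an analyst.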
16. SOC Setup
    - Recruitment
      - Skill sets required for broad range of technologies
      - Determine at what stage to bring staff on board, and in what quantity
      - Training plan
    - Infrastructure
      - Create procedures on how you can ensure your availability and ability to work, even in an outage
      - Determine where the SOC should be located
        - With IT Security, NOC, elsewhere?
17. SOC Development
    - Procedures must be continually revised, as technologies advance, and experience shows how to improve
    - As the team develops, more skilled work can be taken on, and range of services expanded
      - Good for team morale, as well as providing a better service
    - SOC runbook must be kept updated, and be tightly revision controlled
      - Kept in central location so old versions cannot circulate
18. Which SOC?
    - Outsourced
      - BT Managed Security Solutions (formerly BT Counterpane), Symantec, SecureWorks, Solutionary, WiPro, Tata, Savvis, McAfee, Verizon (Cybertrust / Ubizen), Orange, Integralis, Verizon, Sprint, EDS, Qwest iQ Managed Security Service, Unisys and more
    - Centralized group within enterprise
      - Corporate SOC
19. Outsourced SOC
    - Advantages
      - Avoid capital expenses – it’s their hardware & software
      - Often cheaper than in-house
      - Less potential for collusion between monitoring team and attacker
      - Good security people are difficult to find
      - Unbiased SLA
    - Disadvantages
      - Contractors will never know your environment like internal employees
      - Sending jobs outside organization can lower morale
      - Lack of capital retention
      - Risk of external data mishandling
20. Outsourced SOC – General Questions
    1. What is its reputation?
    2. Who are its customers?
    3. Does it already service customers in my industry?
    4. Does it service customers my size?
    5. How long have its customers been with it?
    6. What is its cancellation/non-renew rate?
21. Outsourced SOC – Staffing Questions
    1. What is the experience of its staff?
    2. Does it hire reformed hackers?
    3. Are background checks performed on all new employees?
    4. Does it use contractors for any of its services?
    5. Are personnel held to strict confidentiality agreements?
    6. What is the ratio of senior engineers to managed clients?
    7. What certifications are held by senior/junior staff?
    8. What is its employee turnover rate?
22. Outsourced SOC – Stability Questions
    1. Is it stable?
    2. Does it have a viable business plan?
    3. How long has it been in business?
    4. Positive signs of growth from major clients?
    5. Consistent large account wins / growing revenue?
    6. What is its client turnover rate?
    7. What are its revenue numbers?
       - If private and unwilling to share this information, ask for percentages rather than actual numbers
    8. Will it provide documentation on its internal security policies and procedures?
23. Outsourced SOC - Sizing / Costs
    - Must provide services for less than in-house solutions would cost
      - Can spread out investment in analysts, hardware, software, facilities over several clients
    - How many systems will be monitored?
    - How much bandwidth is needed?
    - Potential tax savings
      - Convert variable costs (in-house) to fixed costs (services)
24. Outsourced SOC – Performance Metrics
    - Must provide client with an interface providing detailed information
      - Services being delivered
      - How their security posture relates to overall industry trends
    - Provide multiple views into the organization
      - Various technical, management and executive reports
      - Complete trouble ticket work logs and notes
25. Outsourced SOC – SLAs
    - Well-defined SLAs: processes and time periods within which they will respond to any security need
    - SLA should include specific steps to be taken
      - Procedures the company takes to assure that the same system intrusions do not happen again
      - Guarantee of protection against emerging threats
      - Recovers losses in the event service doesn’t deliver as promised
    - Commitments for initial device deployment, incident response/protection, requests for security policy & configuration changes, acknowledgement of requests
26. Outsourced SOC - Transitioning
    - Ensure adequate knowledge transfer
    - Create formal service level performance metrics
      - Establish a baseline for all negotiated service levels
      - Measure from the baseline, track against it, adjusting as necessary
    - Create internal CIRT
      - Identify key events and plan the response
    - Hold regular transition & performance reviews
    - Be flexible
      - Schedule formal review to adjust SLAs after 6 months of service operation and periodically thereafter
27. Outsourced SOC – Termination
    - All outsourcing contracts must anticipate the eventual termination at the end of the contract and plan for an orderly in-house transition or a transition to another provider
    - Develop an exit strategy
      - Define key resources, assets and process requirements for continued, effective delivery of the services formerly provided by the outgoing provider
28. Internal SOC
    - Advantages
      - Knows environment better than a third-party
      - Solutions are generally easier to customize
      - Potential to be most efficient
      - Most likely to notice correlations between groups
      - Better tool pricing – higher volume
    - Disadvantages
      - Larger up-front investment
      - Higher pressure to show ROI quickly
      - Higher potential for collusion between analyst and attacker
      - Less likely to recognize large-scale, subtle patterns that include multiple groups
29. Internal SOC - Questions
    1. Does your staff have the competencies (skills and knowledge) to manage a SOC?
    2. How do you plan to assess if they really do have those competencies?
    3. Are you willing to take the time to document all of the SOC processes and procedures?
    4. Who’s going to develop a training program?
    5. Who’s going to design the physical SOC site?
    6. Can you hire and maintain adequate staff levels?
30. Internal SOC Success Factors
    1. Trained staff
    2. Good management
    3. Adequate budget
    4. Good processes
    5. Integration into incident response
    - If your organization can’t commit to these five factors, do not build an internal SOC – it will fail
      - Will waste money and time and create false sense of security
    - If you need a SOC but can’t commit to these factors, strongly consider outsourcing
31. SOC Mistakes
    - Huge waste of money
    - False sense of security
    - Miss active attacks
    - Compliance issues and violations
      - Much more likely to violate privacy laws
        - Federal / State
        - EU Privacy Directives
    - SOC success ultimately dependent on quality of SOC staff
    - Staff success ultimately dependent on quality of SOC manager
32. SOC Analysts
    - Good SOC analysts hard to find, hard to keep
      - Have combination of technical knowledge and technical aptitude
    - Hire experienced SOC analysts
      - Pay them well
      - You get what you pay for
    - Skill sets: directories, operating system proficiency, routers/switches/firewalls, network protocols, programming, chain of custody issues, databases, ethics, IDS, corporate policy, investigative processes, services, applications, multiple hardware platforms, attacks, and much more
33. SOC Analysts - Qualities
    - Extremely curious
    - Ability & desire to find answers to difficult problems and situations
    - Abstract thinker
    - Can correlate IDS incidents and alerts in real-time
    - Ethical
    - Deals with low-level details while keeping big-picture view of situation
    - Can communicate to various groups that have very different requirements
    - Responds well to frustrating situations
34. SOC Analyst Burnout
    - SOC analysts can burn out
    - Have a plan to address this:
      - Extensive training
      - Bonuses
      - Promotions
      - Management opportunities
      - Job rotation
35. SOC Management
    - Management and supervision of a SOC is a key factor to ensure its efficiency
    - While analysts, other staff, hardware and software are key elements, a SOC’s ultimate success is dependent on a competent SOC manager
    - Inadequate/poor management has significant consequences, from process performance decrements, to incidents being missed or incorrectly handled
36. SOC Processes
    - SOC heavily process-driven
      - Processes work best when documented in advance
      - Usability and workflow critical
    - Documentation
      - Adequate time must be given to properly document many different SOC functions
      - Corporate networks and SOC are far too complex to be supported in an ad-hoc manner
      - Documentation makes all the difference
37. SOC Processes ToC
    - (table of contents not captured in the transcript)
38. SOC Metrics
    - Measured by how quickly incidents are:
      - Identified
      - Addressed
      - Handled
    - Must be used judiciously
      - Don’t measure base performance of an analyst simply on the number of events analyzed or recommendations written
39. Additional references
    - (reference list not captured in the transcript)
40. Conclusions
    - Building a SOC is complex
    - SOC is the foundation of your organization’s security management program
    - Multiple organizational and technical issues should be considered when planning and evaluating a SOC
    - Potential benefits of a SOC are enormous
    - Planning and requirements definition are crucial
    - But if you do this right, your security benefits will be immense
41. Thanks for attending - Q/A
    - Ben Rothke, CISSP PCI QSA
    - Senior Security Consultant, BT Professional Services