Building Security Operation Center

18,298 views

Published on

Building Security Operation Center
Denis Batrankov
Solution Architect

Published in: Technology
1 Comment
30 Likes
Statistics
Notes
No Downloads
Views
Total views
18,298
On SlideShare
0
From Embeds
0
Number of Embeds
156
Actions
Shares
0
Downloads
2,201
Comments
1
Likes
30
Embeds 0
No embeds

No notes for slide

Building Security Operation Center

  1. 1. Building Security Operation Center Denis Batrankov Solution Architect bdv@hp.com
  2. 2. ©2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Why HP speaks about it
  3. 3. Security Intelligence & Operations Centres (SIOC) BUILT 29+ SIOCS expertise experience methodology CONSULTED ON 60+ SIOCS 1. Help customers establish a Security Intelligence capability that can monitor, analyse and escalate significant information security events to protect the confidentiality, integrity and availability of the information technology enterprise; 2. Ensure HP ArcSight customers are successful with the product by assisting in providing the right people skills, building the right processes and delivering effective technology; and 3. Add value to the customer’s organization by using metrics to track effectiveness of controls and use intelligence to proactively protect against attack.
  4. 4. HP SIOC Consultants Background 1. Built and ran Microsoft’s SOC 2. Built and ran IBM’s Managed Security Service Provider SOC 3. Built and ran Verizon’s Managed Security Service Provider SOC 4. Built and ran Symantec’s Managed Security Service Provider SOC 5. Built and ran the SIOC for Europe’s largest Software-as-a-Service business
  5. 5. SIEM - Security Information & Event Management ArcSight Is the Only Solution ArcSight Platform A comprehensive platform for monitoring modern threats and risks • Capture any data from any system Including Apps –SAP, others • Manage and store every event • Analyze events in real time • Identify unusual behavior at user level • Respond quickly to prevent loss
  6. 6. Cover a lot of products Access and Identity Anti-Virus Applications Content Security Database Data Security Firewalls Honeypot Network IDS/IPS Host IDS/IPS Integrated Security Log Consolidation Mail Filtering Mail Server Mainframe NBAD Network Management Network Monitoring Net Traffic Analysis Policy Management Security Management Router Web Cache Web Filtering Switch Vulnerability Mgmt Web Server Operating System VPN Wireless
  7. 7. 7 Accounts Correlation Look all IDs: email address, badge ID, phone extension Different events are attached to activity of the person Each event is attached to field “who it is” to understand his activity and behavior rjackson 348924323 jackson@arc.com robertj rjackson_dba 510-555-1212 Accounts Robert Jackson Identity
  8. 8. HP ArcSight ThreatDetector – Profile activity • Early detection • Different methods to detect good and bad behavior • Look into typical people: insider, angry admin, intruder • Allows to create new patterns of behavior • Immediately checks all previous events on detected pattern of behavior
  9. 9. Key Benefits of “In-house” Operations  Maintain end-to-end control of security processes and data; increased monitoring efficiency  Business requirements are incorporated into solution  Ability to expand security/compliance footprint easily (at no or little additional cost)  Creates the platform for a security monitoring and reporting Mission: Monitor, recognize, and escalate significant information security events to protect the confidentiality, integrity and availability of the information technology enterprise.
  10. 10. Main questions before building SOC. Why?  What business issues will SOC resolve?  What exact tasks does SOC process? (block attacks from Internet, compliance to PCI DSS, insider activity detection, incident handling and etc)  Who will receive information from SOC?  Who is sponsor of SOC project? Who responsible for this project inside organization? What he expects from SOC?  What events should be collected inside SOC?
  11. 11. Example of using SOC (from a customer) Malware spread detection Windows servers control Monitor Active Directory Monitor data leakage (DLP) Monitor VIP (top managers) devices Monitor IPS Compliance PCI: reporting and alerting Monitor privileged users
  12. 12. What are Security Operations? TECHNOLOGY PROCESS Customers Incident Handler Case closed Escalation PEOPLE Level 1 Level 2 Enginee r 1 3 4 2 5 6
  13. 13. People in SOC Olympic Games Russia Kazan July 2013
  14. 14. Establish the Right Skills Career Progression Roles Training Security Intelligence • Manager • Level-1 Analyst • Level-2 Analyst • SIEM Content Specialist Key Organizations • Incident Manager • Forensic Analyst • SIEM Engineer Information Security Bootcamp ArcSight Training • ArcSight ESM Operations • ArcSight ESM Security Analyst • ArcSight ESM Use Case Foundations SANS Institute • GIAC Certified Intrusion Analyst (GCIA) • GIAC Certified Incident Handler (GCIH) On-the-Job Training & Mentoring
  15. 15. SOC Methodology • Assess customer’s business requirements and capability compared with security operations best practices. • Design people, process and technology to deliver business objectives and provide a practice roadmap to best practice. • Manage measurable, repeatable and continually improved security operations. • Mature the customer’s capability to provide continual improvements in efficiency and risk coverage HP Security Intelligence & Operations Consulting have a proven methodology for building and operating a security intelligence and operations capability SOC ASSESS DESIGN MATURE MANAGE
  16. 16. Security Intelligence • Proactive research into new threats and risks to your organisation • The only team with end-to-end vision and situational awareness • Feedback on control effectiveness • Monitoring of threat agent channels for upcoming attacks
  17. 17. SOC Cost Components Labor Direct SOC Analysts (24x7x365) SOC Manager SIEM Engineer (Administration and Content Development) Education and Training for SOC Personnel Labor Indirect Security Device Management (Device: Analyst = 20:1 – 60:1) Incident Response Team Software ArcSight ESM w/ High Availability Failover Connectors Full Consoles / Web Consoles Compliance Insight Packages Maintenance and Support Hardware (5 yr amortization schedule) ESM Servers Database Servers Connector Appliances Workstations w/ dual monitor displays and Laptops Uninterruptible power supplies (UPS) Storage High performance RAID 1+0 SAN, 1-10+ Terabytes (Driven by data retention requirements and events/day) Services ESM Professional Services Installation Long term engineering or content development services IT Support Services (3rd party ticketing systems, network infrastructure, annualize IT business processes, etc.) Systems Management Services (Availability, backup / recovery, capacity / performance, system administration) Threat Intelligence Subscription Facilities Hardened and secure datacenter location SOC facility Wall mountable screens or projectors Telecommunications – Phone / IP Phone Power and HVAC Maintenance
  18. 18. Build-a-SOC
  19. 19. Staff Rota
  20. 20. Use Cases Use Case Primary Data Sources Alert Criteria Action Botnet activity Firewall, IDS, Proxy, Mail, Threat Intelligence Connection to or from known malicious host or domain Display in analyst active channel Virus outbreak Antivirus 3 viruses detected with same name in 10 minutes Page desktop team / display in dashboard Successful attack / malicious code IDS/IPS, Vulnerability Targeted asset exhibits vulnerability, relevance=10 Page server team / display in active channel / display in dashboard SQL injection Web Server, DAM, IDS/IPS 5 injection attempts within specified time frame Display in analyst active channel Phishing Threat Intelligence, Firewall, IDS, Proxy, Mail Connection to or from known malicious host or domain Display in analyst active channel Unauthorized remote access VPN, Applications Successful VPN authentication from a non domain member Display in analyst active channel / Page network team New vulnerability on DMZ host Vulnerability New vulnerability identified on publicly accessible host Email daily report to vulnerability team Suspicious activity Firewall, IDS, Mail, Proxy, VPN Escalating watch lists (recon, exploit, brute force, etc.) Email daily suspicious user activity report to level 1 Statistical anomaly IDS, Firewall, Proxy, Mail, VPN, Web Server Moving average variation of X magnitude in specified time frame Display alerts in situational awareness dashboard New pattern of activity IDS, Firewall, Proxy, Mail, VPN, Web Server Previously unseen pattern detected Display in analyst active channel
  21. 21. Event funnel 2 750 events = 31.25 EPAH
  22. 22. Analyst Effectiveness Week Raw Correlated Analysts Raw / Analyst Correlated / Analyst Week 1 38,697,210 97,922 10 3,869,721 9,792.20 Week 2 60,581,457 66,102 10 6,058,146 6,610.20 Week 4 55,585,228 19,116 10 5,558,523 1,911.60 Week 5 55,917,976 23,755 10 5,591,798 2,375.50 Week 6 54,044,928 18,340 10 5,404,493 1,834.00 Week 7 59,840,026 18,340 10 5,984,003 1,834.00 Week 8 72,364,038 33,866 10 7,236,404 3,386.60 Week 9 71,964,115 30,927 10 7,196,412 3,092.70 Week 10 71,500,000 28,900 10 7,150,000 2,890.00 Week 11 59,600,000 19,300 10 5,960,000 1,930.00 Week 12 51,200,000 11,400 10 5,120,000 1,140.00 Week 13 67,600,000 17,600 10 6,760,000 1,760.00 Week 14 76,600,000 30,000 10 7,660,000 3,000.00 Week 15 75,300,000 22,000 10 7,530,000 2,200.00 Week 16 69,200,000 17,000 10 6,920,000 1,700.00 Week 17 97,800,000 17,800 10 9,780,000 1,780.00 Week 18 108,500,000 11,500 10 10,850,000 1,150.00 Week 19 183,200,000 5,600 10 18,320,000 560.00 Week 20 182,400,000 5,100 10 18,240,000 510.00 Week 21 170,000,000 4,800 10 17,000,000 480.00 Week 22 182,400,000 7,600 10 18,240,000 760.00 Week 23 219,000,000 11,300 10 21,900,000 1,130.00 Week 24 168,800,000 8,100 10 16,880,000 810.00 Week 25 151,500,000 6,876 10 15,150,000 687.60 Week 26 170,500,000 7,813 10 17,050,000 781.30 Week 27 165,300,000 28,247 10 16,530,000 2,824.70 Week 28 161,500,000 4,569 10 16,150,000 456.90 Week 29 186,700,000 6,164 10 18,670,000 616.40 Week 30 173,600,000 5,632 10 17,360,000 563.20 Average 112,454,999 20,195 11,245,500 2,020 Median 76,600,000 17,600 7,660,000 1,760 Weekly Analysis of Events per Analyst y = 589551x + 2E+06 - 5,000,000 10,000,000 15,000,000 20,000,000 25,000,000 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 Raw Events / Analyst y = -150.3x + 4274 (2,000.00) - 2,000.00 4,000.00 6,000.00 8,000.00 10,000.00 12,000.00 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 Correlated Events / Analyst
  23. 23. The Cyber Killchain
  24. 24. Ensure the Operations are Repeatable BC/DR  Business Continuity Plan  Disaster Recovery Plan Process Improvement  Maturity Assessments  Project Methodology  Knowledgebase (wiki) Compliance  Internal Compliance  Compliance Support Metrics  Reporting KPIs  Infrastructure Performance  Operational Efficiencies Event Management  Triage  Callouts  Case Management  Crisis Response Daily Operations  Shift Schedule  Monitoring  Problem and Change  Shift Turn-Over  Daily Operations Call Training  Training plans  Skills Development tracking Subtle Event Detection  Data Visualization  Pattern Analysis Reporting  Analyst Comments  Incident Summary  Threat Reports Incident Management  Incident Research  Focused Monitoring  Incident Response Intrusion Analysis  Event Analysis  Threat Intelligence Information Fusion Design  Developing Use Cases  User and Asset Modeling Configuration Management  SIEM Architecture  Data Feed Integration System Administration  Access Management  Maintenance and Upgrades
  25. 25. Improve processes CMMI - Capability Maturity Model® Integration
  26. 26. Workflow: Merging people, process & technology Categories SIEM Priority Levels 0-2 3-4 5-6 7-8 9-10 Unauthorized Root/Admin Access A A A C1 C1 Unauthorized User Access A A I2 C2 C1 Attempted Unauthorized Access A A A I3 C3 Successful Denial of Service A A I2 C2 C1 Policy Violation A A T3 T2 T1 Reconnaissance A A A I3 I2 Malware Infection A A T3 T2 C2 Legend  C1: Critical callout –15 min  C2: Urgent callout –30 min  C3: Routine callout –2 hr  I2: Urgent investigation  I3: Routine investigation  T1: Critical ticket opened  T2: Urgent ticket opened  T3: Routine ticket opened  A: Active monitoring
  27. 27. Analytical Tools
  28. 28. Analytical Tools: Visualisation
  29. 29. Analytical Tools
  30. 30. 3
  31. 31. 3 Monthly Executive Brief
  32. 32. ©2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice SOC Maturity Assessment Establish the baseline, pragmatic plan for improvement
  33. 33. Security Operations Maturity Assessment SOMM Level Name Description Level 0 Incomplete Operational elements do not exist Level 1 Performed Reliant on people and relationships, not standardized nor repeatable Level 2 Managed Business goals are met and operational tasks are repeatable Many SOCs run successfully for some period of time at this maturity level. Missing aspects often include continual improvement and demonstrated ROI. Level 3 Defined Operations are well-defined, subjectively evaluated, and flexible. Recommended maturity level target for most enterprise SOCs. Sufficient structure exists to meet business objectives and demonstrate ROI while still being able to adapt to enterprise requirements and changing threat landscape without excessive overhead in processes. Level 4 Measured Operations are quantitatively evaluated, processes are controlled, reviewed consistently, and proactively improved. Appropriate for a managed service provider environment where financial penalties result from inconsistent delivery. This environment may not be able to adapt to individual client needs or emerging threats and requires dedicated staff to sustain the maturity level. Level 5 Optimizing All processes are tightly constrained and continually measured for deficiencies, variation, and are continually improved. Suitable only for very narrow scope operations focused on point solutions in a tightly controlled and static environment.
  34. 34. Security Operations Maturity Assessment People 1.57 General 1.75 Roles and Responsibilities within the SOC are not defined and therefore, cannot be leveraged as criteria for member evaluation. Training 1.55 The opportunity exists to develop an overall training program that includes a defined structure for analyst on boarding and continual growth through the career of the analyst. Certifications 1.00 Lack of overall industry certifications possessed by the team. Experience 1.70 The feeder pool to hire analysts is reasonable, yet the experience and background of some of the analysts is questionable. Skill Assessments 1.69 A skills assessment program should be adopted and leveraged to improve training plans and the overall skills composition of the group. Career Path 1.69 There is an opportunity to develop career progression plans and to help guide analysts into senior positions within the SOC or internally within the company. Leadership 1.77 Conducting an organizational climate survey is encouraged in order to collect feedback and incorporate it into the leadership function. Process 1.26 Mission 1.27 The SOC mission, vision, and charter should be clearly outlined and articulated within the SOC and to internal groups within the organization. Operational Process 1.66 There are several opportunities to further develop operational processes and metrics to measure operational efficiencies. Analytical Process 1.15 Efforts to centralize a knowledge management solution for security analysts are currently underway. Business Process 0.89 SOC SLA’s and Analysts KPI’s are not developed and therefore cannot be leveraged to capture metrics and track operational efficiencies Technology 2.38 SIEM Monitoring 2.45 SIEM meets current business needs. A Test environment does exist, which means that content and data feed on boarding does/can go through a proper testing cycle. Architecture 1.95 Document data flow diagrams for troubleshooting purposes. Correlation 2.56 Event management metrics are captured and used to track events monitored. Monitored Technologies 2.22 A wide range of technologies are monitored, giving the SOC wider visibility against attack vectors. ILM 2.61 Data retention and protection policies adhere to company policies. Overall SOMM Level 1.74
  35. 35. Security Operations Maturity Assessment Average SOMM By Vertical Financial 2.25 Retail 2.35 Technology 1.60 Government 1.98 Utility 1.50 Telco 2.27 MSSP 2.40
  36. 36. Pragmatic Roadmap for Improvement Phase I (Interim Capability) Phase II (Dedicated Operations) Phase III (Mature Security Operations) Coverage Part-time resources as available Dedicated 8x5 Virtual off-hours 24x7x365 Staffing No dedicated staff 1 dedicated analyst, 1 dedicated SIEM engineer 12 FTE Incident Escalations 1-5 per week 5-10 per week 10-20 per week Use Cases 10 25 100+ Events per second (EPS) 200 500 1000 Target Timeframe 90 days 180 days 2 years
  37. 37. Thank you Denis Batrankov Solution Architect bdv@hp.com

×