Ca world 2007 SOC integration

Presentation for CA World 2007 in Las Vegas on the topic of integrating SIEM with the SOC. This was the evolution of a previous presentation.

    1. Best Practices for Building a Security Operations Center: Untangling the Mess Created by Multiple Security Solutions
       Session SS102SN, Security Information Management Track

    2. Abstract
       Ensuring compliance and delivering business continuity through operational efficiencies and enablement are the goals of a well-designed Security Operations Center, but they are rife with challenges. This presentation uncovers strategies for collecting, analyzing and effectively responding to millions of event messages through a cohesive security information management system. The discussion covers end-to-end security information management (collection, analysis, remediation, reporting and forensics), gives recommendations for building organizational knowledge of internal vulnerabilities and network exploits, shows how a security information management system can help your organization demonstrate compliance with industry and regulatory standards, and previews workflow processes that bridge the gap between the security operations center and the network operations center.

    3. Biography
       - Michael Nickle, CISSP, CA, Inc.
         Mr. Nickle is the Global Solution Director for SIEM and Access Management products at CA, helping clients select the appropriate solutions and services to meet their technology objectives. He has worked with a wide variety of CA clients including Merck, USDA, BNP Paribas, Canon, Eircom and the government of British Columbia.

    4. Agenda
       - SIEM Overview
       - SOC v. NOC
       - What's in a SOC
       - Best Practices
       - An Example
       - CA Portfolio (Brief)
       - Conclusion

    5. SIEM Overview

    6. Security Needs to be Managed
       (Slide graphic listing the security functions that need to be managed:) SSO, Access Management, Authentication, Policy Management, Reporting, Web Services, Password Management, Authorization, Provisioning, Virus Protection, Asset Discovery & Classification, Event Collection, Anti-Spam, Spyware Prevention, Gateway Protection, Firewall Protection, Malware Protection, Scan & Clean, Proactive Management, Federation, Forensics, Compliance Mapping, Correlation, Vulnerability Assessment

    7. Top Business Issues and Drivers
       - Reduce Risk and Downtime
       - Ease Administrative Overhead
       - Identify People and Responsibilities
       - Determine Escalation Path
       - Support Audit and Compliance Objectives
       - Provide Incident Response and Recovery

    8. Security Information Management
       Current Problems
       - Compliance: monitor and validate regulatory compliance
       - Business Continuity
         - Proactively contain the increasing threats and vulnerabilities
       - Operational Efficiencies and Enablement
         - Manage millions of events (reduce noise) and manage key security threats for business-critical assets
         - Align security to the business
       The Solution
       - Collect, Analyze & Respond through Security Information Management
         - End-to-end Security Information Management: collection through analysis, remediation, reporting and forensics
         - Establish knowledge of internal vulnerabilities and network exploits
         - Help demonstrate compliance with industry and regulatory standards
         - Bridge the gap between SOC and NOC

    9. SIM Functions (From Discovery through Resolution)
       - Collect
         - Asset Discovery
         - Asset Value Classification
         - Events & Information Collection
       - Analyze
         - Correlation, Predictive Analysis & Anomaly Detection
         - Vulnerability Risk Analysis
         - Forensic Analysis
         - Incident Categorization
         - Centralized Policy Management
       - Respond
         - Alerting
         - Automated Trouble Ticketing
         - Workflow
         - Corrective Actions & Remediation Recommendations

    10. SOC Stakeholders
       - Security Analyst (sometimes IT Administrator): intuitive investigation console that eases log analysis tasks and automates incident identification and repetitive response tasks
       - Security Manager: operational dashboard that highlights areas of risk or immediate threat and enables quick drill-down to incident status and event detail
       - Security Officer: compliance-oriented reporting that reflects current status against the organization's key security objectives
       - CIO: dashboard and/or reports that reflect organizational risk status and security trends
       - Auditor: report interface to key security metrics

    11. Remember... Business and Technology Drivers
       SIM is a strategic business requirement: Risk Management, Compliance, Event and Information Management, and Forensics.
       Technology Drivers
       - More Applications
       - More Events
       - More Threats
       - More People
       - More Incidents
       - More Management
       Business Drivers
       - Regulatory Compliance
       - Risk Management
       - Asset Protection
       - Cost Containment
       - Service Continuity
       - Business Enablement

    12. SOC v. NOC

    13. IT Security Silos
       (Diagram: three separate silos, Other, Sales and HR, each with its own Network, Perimeter and Application layers.)

    14. Breaking down the IT Security Silos
       (Diagram: the Other, Sales and HR silos merged into one view.)

    15. Top Technical Issues
       - Increase speed of aggregation and correlation
       - Maximize device and system coverage
       - Improve ability to respond quickly
       - Deliver 24 x 7 coverage (this doesn't have to be done by the SOC!)
       - Support for federated and distributed environments
       - Provide forensic capabilities
       - Ensure intelligent integration between SOCs and NOCs

    16. SOC / NOC
       - SOC and NOC / stand-alone
         - Decide if the SOC is 24 x 7; it doesn't have to be
         - Delineate responsibilities
       - SNOC / Integrated
         - If you don't have a "checks-and-balances" mandate, this makes sense
         - The SOC here assumes IT has absorbed "security" as a function, and "security professionals" tend to act as an overlay
       - Integration with the rest of the Enterprise
         - Keep in mind the integration with the rest of the business

    17. What's in a SOC
       What is it? What does it do? What's a good one and what's a bad one? Is it worth the time/money?

    18. Where Does the SOC fit?
       (Diagram of the SOC's inputs and outputs:) External Data Sources, Context for events, Internal Logs, Log Aggregation, Process Reviews, Feed from the NOC, Tie into Remediation Workflow/Ticketing, Event Journaling, Training, Automatic Notifications, Reports, Access for the NOC, Vulnerability Assessment, Asset Inventory, Audit Checks, Health Monitoring, Archival

    19. What Does a Security Operations Center Do?
       - Enables organizations to clearly understand:
         - Who has access to what within their IT environment?
         - What is happening in that environment?
         - What actions need to be taken based on this information?
       - Some important things it does not do:
         - Replace remediation
         - Bypass change management
         - Centralized policy management

    20. The 3 (main) functions of a SOC
       - The reason for a SOC: Business Continuity, Risk Mitigation, Cost Efficiency
       - What does the SOC do?
         - Real-time monitoring / management
           - Aggregate logs
           - Aggregate more than logs
           - Coordinate response and remediation
           - "Google Earth" view from a security perspective
         - Reporting / Custom views
           - Security Professionals
           - Executives
           - Auditors
           - Consistent
         - After-Action Analysis
           - Forensics
           - Investigation
       - Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to the business, transparency, passing audits, consistency, reproducibility
       - Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk, failing audits, inconsistency

    21. Prioritization and Remediation
       - Act on what's most relevant to the business first!
         - Gather asset data
         - Gather business priorities
         - Understand the business context of an incident
       - Break down the IT silos
         - Coordinate response
         - Inform all relevant parties of an incident
         - Work with existing ticketing / workflow systems
       - Threat * Weakness * Business Value = Risk
       - Proactively address BUSINESS RISK
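The prioritization rule from slide 21 (Threat * Weakness * Business Value = Risk), worked as an added example that is not part of the original presentation: alerts from different devices are ranked against a constructed asset inventory and vulnerability-scan output rather than by device severity alone. The 1-5 scales, field names and the fallback for assets missing from the inventory are assumptions made for this example.

```python
"""Risk-based alert prioritization: Threat * Weakness * Business Value = Risk.

Added example, not from the original CA World 2007 deck. Inventory, scan
results and alerts are constructed sample data; the 1-5 scales are assumed."""
from dataclasses import dataclass

# Constructed asset inventory: business value 1 (low) to 5 (critical).
ASSETS = {
    "timing-db-01": {"owner": "Results", "business_value": 5},
    "web-kiosk-07": {"owner": "Sales", "business_value": 2},
    "hr-fileshare": {"owner": "HR", "business_value": 3},
}
# Constructed vulnerability-scan output: weakness 0 (none) to 5 (exploitable).
WEAKNESS = {"timing-db-01": 4, "web-kiosk-07": 5, "hr-fileshare": 1}


@dataclass
class Alert:
    asset: str
    signature: str
    threat: int  # 1-5 severity as reported by the source device (IDS, AV, firewall)


def risk_score(alert, assets=ASSETS, weakness=WEAKNESS):
    """Threat * Weakness * Business Value. An asset missing from the inventory
    is scored at the top business value (assumption) so inventory gaps surface
    in triage instead of silently dropping to the bottom of the queue."""
    asset = assets.get(alert.asset)
    value = asset["business_value"] if asset else 5
    weak = weakness.get(alert.asset, 3)  # never scanned: assume middling weakness
    return alert.threat * weak * value


def prioritize(alerts, assets=ASSETS, weakness=WEAKNESS):
    """Return (risk, alert, owner) tuples, highest business risk first, so the
    response can be routed to the silo (Sales, HR, ...) that owns the asset."""
    ranked = []
    for a in alerts:
        owner = assets.get(a.asset, {}).get("owner", "UNKNOWN - fix inventory")
        ranked.append((risk_score(a, assets, weakness), a, owner))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked


SAMPLE_ALERTS = [  # constructed alerts from several sources
    Alert("web-kiosk-07", "IDS: SQL injection attempt", 3),
    Alert("timing-db-01", "Firewall: repeated denied admin logins", 2),
    Alert("hr-fileshare", "AV: adware detected", 4),
    Alert("vendor-laptop", "IDS: port scan", 1),
]

if __name__ == "__main__":
    for risk, alert, owner in prioritize(SAMPLE_ALERTS):
        print(f"{risk:3d}  {alert.asset:14s} {owner:24s} {alert.signature}")
```

Note that the highest device severity (the adware alert, threat 4) ranks last because the asset is low-value and patched, while a low-severity login alert on the timing database ranks first.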
    22. Investigations and Forensics
       - Being able to investigate and manipulate data
       - Visualization
       - Post-event correlation
       - Managing by case / incident
       - Chain of custody
       - Integrity of data

    23. Analogy to record keeping
       - Primary / secondary logs: some logs are more important than others. How are these identified, marked and maintained?
       - Archival procedures
       - Conscious policy on maintenance of logs and procedures for "destruction"
       - Retention of data
       - "Reproducibility" of information!

    24. Best Practices
       Where to look for how to do this right

    25. The Complexity of Regulatory Compliance
       Continuous compliance cuts across all areas.
       - Business Issues: Business Continuity, Business Enablement, Risk Management, Operational Efficiency
       - Industry Regulations: EU Data Protection, Basel II, ISO 17799, Sarbanes-Oxley, HIPAA, GLBA
       - Risks: Credit Risk, Market Volatility, Reputation, Liability, Competition, Operational Risk

    26. COBIT (section DS5.2: Identification, Authorization and Access)
       "... Resources should be restricted ... Prevent Unauthorized ... Access ..."

    27. SOX
       Source: Section 404, Management Assessment of Internal Controls. "Responsibility of management for establishing and maintaining an adequate internal control structure and ... periodic review ..."

    28. Don't reinvent! Copy!
       - Work with others in your industry/sector, e.g. financial institutions working together on common problems
       - Follow an established model; there are published best practices and processes out there
       - Work with others not in your industry; other enterprises who aren't competitors often face the same sorts of problems

    29. An Example
       An example of a SOC and NOC working together the right way

    30. Results
       - Atos Origin
         - Secure Olympic Games network with eTrust Security Command Center
         - Protect integrity of times and scores
         - Correlate events to actions
         - Integration with eTrust Vulnerability Manager
         - More than 10,000 assets
       Customer Results: Integration of Network & Systems Management
       - UNIX syslogs: 65,000 events*
       - Windows syslogs: 1,036,800 events*
       - IDS and access logs: 1,100,000 events*
       - Firewall: 787,000 events*
       - Antivirus: 12,000 events*
       Event funnel:
       - Events: 3 million
       - Correlated events: 15,000
       - Distinctive security issues: 24
       - Incidents requiring action: 8

    31. The CA Portfolio

    32. Discovery through Remediation
       Risk Management, Compliance, Event and Information Management, and Forensics
       (Diagram:)
       - Real-time aggregation and correlation in support of incident response and event monitoring; historical analysis, trending and forensics investigation
       - Security Command Center/Audit: Asset Risk Value, Compliance to Policy
       - Threat Management, Identity and Access Management, Desktop and Server Management, Enterprise and System Management, Vulnerability Management, Security Configuration Management, Network Analysis
       - EITM Common Services and MDB
       - Trouble Ticketing / Service Desk, Patch Management, Self-Healing, Forensics Investigation

    33. Discovery through Remediation (CA products mapped onto the same diagram)
       - eTrust Security Command Center / Audit
       - eTrust Network Forensics
       - eTrust Policy Compliance
       - eTrust Vulnerability Manager

    34. Summary
       - A Security Operations Center is the keystone of an organization's security management program
       - Multiple organizational and technical issues should be considered in planning or evaluating a SOC
       - The potential benefits of a SOC are enormous

    35. Questions & Answers

    36. Related Sessions
       - SG117SN Homeland Security: Cyber Security Preparedness and Incident Response
       - SS104SN Customer Case Study: Euriware
       - SS106SN What's New in the Security Command Center Reporting and Analysis Pack

    37. Exhibition Center
       - Related CA and Partner Technology
         - Computer Associates
           - SECSE012 - SIM: Complete Integrated Solution
           - SECSE009 - SCC: Reporting and Analysis
         - Exhibition Center Tours
           - Sign up at Information Desk, Booth 453

    38. CA Technology Services and Education
       - Hear how CA's learning solutions can help you meet your business objectives
         - Visit CA Education in the Exhibition Center in Booth 439, visit ca.com/education or call us at 1-800-237-9273
       - Learn how CA Technology Services can help your business
         - Visit the CA Technology Services stations in the exhibition center or on the web at ca.com/services

    39. Session Evaluation Form
       - After completing your session evaluation form ...
       - ... place it in the basket at the back of the room.
       - Please left-justify the session number