SOC presentation - Building a Security Operations Center

  1. Best Practices for Building a Security Operations Center: Untangling the Mess Created by Multiple Security Solutions. Michael Nickle, CA Technology Services
  2. SIEM Overview
  3. Security Needs to be Managed. Capabilities shown on the slide: SSO, access management, authentication, policy management, reporting, web services, password management, authorization, provisioning, virus protection, asset discovery & classification, event collection, anti-spam, spyware prevention, gateway protection, firewall protection, malware protection, scan & clean, proactive management, federation, forensics, compliance mapping, correlation, vulnerability assessment
  4. SOC Clients: what each consumer of the SOC needs
       CIO: dashboard and/or reports that reflect organizational risk status and security trends
       Auditor: report interface to key security metrics
       Security Officer: compliance-oriented reporting that reflects current status against the organization's key security objectives
       Security Manager: operational dashboard that highlights areas of risk or immediate threat and enables quick drill-down to incident status and event detail
       Security Analyst (sometimes IT Administrator): intuitive investigation console that eases log analysis tasks and automates incident identification and repetitive response tasks
  5. SOC v. NOC
  6. IT Security Silos (diagram): each business unit (Other, Sales, HR) runs its own Network, Perimeter and Application security stack
  7. Breaking down the IT Security Silos (diagram: Other, Sales, HR)
  8. What’s in a SOC What is it? What does it do? What’s a good one and what’s a bad one? Is it worth the time/money?
  9. Where does the SOC fit? (diagram) Elements around the SOC: external data sources (context for events), internal logs, log aggregation, process reviews, feed from the NOC, tie into remediation workflow/ticketing, event journaling, training, automatic notifications, reports, access for the NOC, vulnerability assessment, asset inventory, audit checks, health monitoring, archival
  10. Best Practices Where to look for how to do this right
  11. The Complexity of Regulatory Compliance. Continuous compliance cuts across all areas:
       Business issues: business continuity, business enablement, risk management, operational efficiency
       Industry regulations: EU Data Protection, Basel II, ISO 17799, Sarbanes-Oxley, HIPAA, GLBA
       Risks: credit risk, market volatility, reputation, liability, competition, operational risk
  12. COBIT (section DS5.2: Identification, Authorization and Access): "… Resources should be restricted … … Prevent Unauthorized … Access …"
  13. SOX, Section 404 (Management Assessment of Internal Controls): responsibility of management for establishing and maintaining an adequate internal control structure and … periodic review …
  14. An Example An example of a SOC and NOC working together the right way
  15. The CA Portfolio
  16. Discovery through Remediation (diagram). Real-time: aggregation and correlation in support of incident response and event monitoring. Historical: analysis, trending and forensics investigation. Security Command Center/Audit covers asset risk value, compliance to policy, risk management, compliance, event and information management, and forensics, built on EITM common services and the MDB. Surrounding functions: threat management, identity and access management, desktop and server management, enterprise and system management, vulnerability management, security configuration management, network analysis, trouble ticketing/service desk, patch management, self-healing, forensics investigation
  17. Discovery through Remediation, mapped to CA products (diagram). Same layout: real-time aggregation and correlation for incident response and event monitoring; historical analysis, trending and forensics; Security Command Center/Audit for asset risk value, compliance to policy, risk management, compliance, event and information management, and forensics; desktop and server management; enterprise and system management; EITM common services and the MDB. Products overlaid: eTrust Security Command Center/Audit, eTrust Network Forensics, eTrust Policy Compliance, eTrust Vulnerability Manager, covering threat management, identity and access management, vulnerability management, security configuration management, network analysis, trouble ticketing/service desk, patch management, self-healing and forensics investigation
  18. Questions?
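Slides 9 and 16 describe the SOC as a pipeline: collect logs from several sources, aggregate and correlate them in real time, add context from the asset inventory and vulnerability assessment, then notify and tie into the remediation workflow/ticketing. The script below is an added example that is not from the presentation or from any CA product; it runs that pipeline over a few constructed log lines. Every hostname, IP address, log format, inventory entry, rule threshold and ticket field is invented for the example.

```python
"""Added example (not from the presentation): a minimal SOC correlation pass.
collect() normalizes two constructed log feeds, correlate() applies one rule,
enrich() adds asset-inventory and vulnerability context, to_ticket() hands the
incident to a (hypothetical) service-desk queue."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample logs: an SSH auth feed and a firewall feed (invented).
AUTH_LOGS = """\
Jan 10 02:14:01 hr-db01 sshd[4012]: Failed password for admin from 203.0.113.7 port 51000 ssh2
Jan 10 02:14:03 hr-db01 sshd[4012]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Jan 10 02:14:05 hr-db01 sshd[4012]: Failed password for admin from 203.0.113.7 port 51004 ssh2
Jan 10 02:14:09 hr-db01 sshd[4012]: Accepted password for admin from 203.0.113.7 port 51006 ssh2
Jan 10 02:20:44 sales-web02 sshd[919]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jan 10 02:21:10 sales-web02 sshd[919]: Failed password for root from 198.51.100.23 port 40130 ssh2
"""
FW_LOGS = """\
Jan 10 02:13:58 fw-edge01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.5.12 PROTO=TCP DPT=3389
Jan 10 02:14:00 fw-edge01 kernel: ALLOW IN=eth0 SRC=203.0.113.7 DST=10.0.5.12 PROTO=TCP DPT=22
"""

# Context sources from slide 9 (asset inventory, vulnerability assessment); invented.
ASSET_INVENTORY = {"hr-db01": ("HR", 5), "sales-web02": ("Sales", 3)}  # unit, risk 1-5
VULN_FINDINGS = {"hr-db01": ["SSH password auth enabled", "unpatched DB listener"],
                 "sales-web02": []}

AUTH_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
                   r"(?P<action>DENY|ALLOW) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")


@dataclass
class Event:
    ts: str
    source: str   # feed that produced the event
    host: str
    kind: str     # normalized: auth_fail, auth_ok, fw_deny, fw_allow
    src_ip: str
    user: str = ""


def collect(auth_text, fw_text):
    """Event collection / log aggregation: normalize both feeds and order by time."""
    events = []
    for line in auth_text.splitlines():
        if m := AUTH_RE.match(line):
            kind = "auth_fail" if m["result"] == "Failed" else "auth_ok"
            events.append(Event(m["ts"], "auth", m["host"], kind, m["src"], m["user"]))
    for line in fw_text.splitlines():
        if m := FW_RE.match(line):
            kind = "fw_deny" if m["action"] == "DENY" else "fw_allow"
            events.append(Event(m["ts"], "firewall", m["host"], kind, m["src"]))
    return sorted(events, key=lambda e: e.ts)  # same-day timestamps sort lexically


def correlate(events, fail_threshold=3):
    """Correlation rule: >= fail_threshold failed logins followed by a success
    from the same source IP to the same host. Fewer failures are left as noise."""
    fails = defaultdict(int)  # (src_ip, host) -> consecutive failures
    incidents = []
    for e in events:
        key = (e.src_ip, e.host)
        if e.kind == "auth_fail":
            fails[key] += 1
        elif e.kind == "auth_ok":
            if fails[key] >= fail_threshold:
                incidents.append({"rule": "bruteforce_success", "host": e.host, "src_ip": e.src_ip,
                                  "user": e.user, "failures": fails[key], "ts": e.ts})
            fails[key] = 0
    return incidents


def enrich(incident, events):
    """Add context: business unit and asset risk value, open vulnerability
    findings, and firewall events from the same source IP."""
    unit, risk = ASSET_INVENTORY.get(incident["host"], ("unknown", 1))
    incident["business_unit"] = unit
    incident["asset_risk"] = risk
    incident["open_findings"] = VULN_FINDINGS.get(incident["host"], [])
    incident["related_fw"] = [f"{e.ts} {e.kind} dpt" for e in events
                              if e.source == "firewall" and e.src_ip == incident["src_ip"]]
    incident["severity"] = "critical" if risk >= 4 else "high"  # illustrative scale
    return incident


def to_ticket(incident):
    """Tie into remediation workflow: a ticket payload (fields are hypothetical)."""
    return {"title": f"[{incident['severity'].upper()}] {incident['rule']} on {incident['host']}",
            "queue": f"SOC-{incident['business_unit']}",
            "body": (f"{incident['failures']} failed logins then success for {incident['user']} "
                     f"from {incident['src_ip']} at {incident['ts']}; open findings: "
                     f"{', '.join(incident['open_findings']) or 'none'}; "
                     f"related firewall events: {len(incident['related_fw'])}")}


def run(auth_text=AUTH_LOGS, fw_text=FW_LOGS):
    events = collect(auth_text, fw_text)
    return [to_ticket(enrich(i, events)) for i in correlate(events)]


if __name__ == "__main__":
    for t in run():
        print(t["queue"], t["title"])
        print("  ", t["body"])
```

On the sample data only the hr-db01 sequence fires: the two failures against sales-web02 stay below the threshold, which is the kind of tuning decision a SOC makes per asset. The asset risk value from the inventory drives severity and the business-unit queue, which is how the silo view of slide 6 collapses into a single workflow.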