SOC presentation- Building a Security Operations Center

38,468 views


Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.

Published in: Technology

  1. Best Practices for Building a Security Operations Center: Untangling the Mess Created by Multiple Security Solutions. Michael Nickle, CA Technology Services
  2. SIEM Overview
  3. Security Needs to be Managed (diagram: a cloud of the security functions that have to be managed together: SSO, Access Management, Authentication, Policy Management, Reporting, Web Services, Password Management, Authorization, Provisioning, Virus Protection, Asset Discovery & Classification, Event Collection, Anti-Spam, Spyware Prevention, Gateway Protection, Firewall Protection, Malware Protection, Scan & Clean, Proactive Management, Federation, Forensics, Compliance Mapping, Correlation, Vulnerability Assessment)
  4. Top Business Issues and Drivers
     - Reduce Risk and Downtime
     - Enhance Threat Control and Prevention
     - Ease Administrative Overhead
     - Identify People and Responsibilities
     - Determine Escalation Path
     - Support Audit and Compliance Objectives
     - Provide Incident Response and Recovery
  5. Security Information Management
     Current Problems
     - Compliance: monitor and validate regulatory compliance
     - Business Continuity: proactively contain the increasing threats and vulnerabilities
     - Operational Efficiencies and Enablement:
       - Manage millions of events (reduce noise) and manage key security threats for business-critical assets
       - Align security to the business
     The Solution
     - Collect, Analyze & Respond through Security Information Management
       - End-to-end Security Information Management: collection through analysis, remediation, reporting and forensics
       - Establish knowledge of internal vulnerabilities and network exploits
       - Help demonstrate compliance with industry and regulatory standards
       - Bridge the gap between SOC and NOC
  6. SIM Functions: From Discovery through Resolution
     - Collect
       - Asset discovery
       - Asset value classification
       - Events & information collection
     - Analyze
       - Correlation, predictive analysis & anomaly detection
       - Vulnerability risk analysis
       - Forensic analysis
       - Incident categorization
       - Centralized policy management
     - Respond
       - Alerting
       - Automated trouble ticketing
       - Workflow
       - Corrective actions & remediation recommendations
  7. SOC Clients
     - CIO: dashboard and/or reports that reflect organizational risk status and security trends
     - Auditor: report interface to key security metrics
     - Security Officer: compliance-oriented reporting that reflects current status against the organization's key security objectives
     - Security Manager: operational dashboard that highlights areas of risk or immediate threat and enables quick drill-down to incident status and event detail
     - Security Analyst (sometimes IT Administrator): intuitive investigation console that eases log analysis tasks and automates incident identification and repetitive response tasks
  8. Remember… Business and Technology Drivers
     SIM is a strategic business requirement: risk management, compliance, event and information management, and forensics
     - Technology drivers: more applications, more events, more threats, more people, more incidents, more management
     - Business drivers: regulatory compliance, risk management, asset protection, cost containment, service continuity, business enablement
  9. SOC v. NOC
  10. IT Security Silos (diagram: Sales, HR and Other each have their own Network, Perimeter and Application security stack)
  11. Breaking down the IT Security Silos (diagram: the same Sales, HR and Other groups, now joined)
  12. Top Technical Issues
     - Increase speed of aggregation and correlation
     - Maximize device and system coverage
     - Improve ability to respond quickly
     - Deliver 24 x 7 coverage (this doesn't have to be done by the SOC!)
     - Support federated and distributed environments
     - Provide forensic capabilities
     - Ensure intelligent integration between SOCs and NOCs
  13. SOC / NOC
     - SOC and NOC stand-alone
       - Decide whether the SOC is 24 x 7; it doesn't have to be
       - Delineate responsibilities
     - SNOC / integrated
       - If you don't have a "checks-and-balances" mandate, this makes sense
       - The SOC here assumes IT has absorbed "security" as a function, and "security professionals" tend to act as an overlay
     - Integration with the rest of the enterprise
       - Keep in mind the integration with the rest of the business
  14. What's in a SOC? What is it? What does it do? What's a good one and what's a bad one? Is it worth the time/money?
  15. Where does the SOC fit? (diagram: the SOC at the centre, connected to: External Data Sources, Context for Events, Internal Logs, Log Aggregation, Process Reviews, Feed from the NOC, Tie into Remediation, Workflow/Ticketing, Event Journaling, Training, Automatic Notifications, Reports, Access for the NOC, Vulnerability Assessment, Asset Inventory, Audit Checks, Health Monitoring, Archival)
  16. What Does a Security Operations Center Do?
     - Enables organizations to clearly understand:
       - Who has access to what within their IT environment?
       - What is happening in that environment?
       - What actions need to be taken based on this information?
     - Some important things it does not do:
       - Replace remediation
       - Bypass change management
       - Centralized policy management
  17. The 3 (main) functions of a SOC
     - The reason for a SOC: business continuity, risk mitigation, cost efficiency
     - What does the SOC do?
       - Real-time monitoring / management
         - Aggregate logs
         - Aggregate more than logs
         - Coordinate response and remediation
         - "Google Earth" view from a security perspective
       - Reporting / custom views
         - Security professionals
         - Executives
         - Auditors
         - Consistent
       - After-action analysis
         - Forensics
         - Investigation
     - Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to the business, transparency, passing audits, consistency, reproducibility
     - Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk, failing audits, inconsistency
  18. Prioritization and Remediation
     - Deal with what's most relevant to the business first!
       - Gather asset data
       - Gather business priorities
       - Understand the business context of an incident
     - Break down the IT silos
       - Coordinate responses
       - Inform all who need to know of an incident
       - Work with existing ticketing / workflow systems
     - Threat * Weakness * Business Value = Risk
     - Deal with BUSINESS RISK
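As an added example (not part of Nickle's deck or of any CA product), here is the Collect, Analyze and Respond flow of slide 6 and the Threat * Weakness * Business Value = Risk rule of slide 18 in Python. The log line formats, asset values, weakness factors and threat weights are all constructed for the example; the point is the shape of the pipeline: normalise events from different silos into one schema, correlate per source/destination pair across silos within a time window, and rank what survives by business risk rather than by raw alert count.

```python
"""Added example, not from the original deck: a miniature SIEM pipeline that
walks the Collect -> Analyze -> Respond functions of slide 6 and applies the
Threat * Weakness * Business Value = Risk rule of slide 18 to rank the result.
Every log line, asset record and weight below is constructed for illustration;
the line formats are invented and do not mimic any vendor product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events from three silos: firewall, IDS and host sshd logs.
RAW_EVENTS = [
    "2024-03-01T10:00:01 fw01 DENY src=203.0.113.9 dst=10.0.1.5 dport=22",
    "2024-03-01T10:00:03 fw01 DENY src=203.0.113.9 dst=10.0.1.5 dport=23",
    "2024-03-01T10:00:04 fw01 DENY src=203.0.113.9 dst=10.0.1.5 dport=445",
    "2024-03-01T10:00:09 ids01 ALERT sig=ssh-bruteforce src=203.0.113.9 dst=10.0.1.5",
    "2024-03-01T10:00:30 db01 sshd Failed password for root from 203.0.113.9",
    "2024-03-01T10:01:02 fw01 ALLOW src=198.51.100.4 dst=10.0.2.8 dport=443",
    "2024-03-01T10:01:40 ids01 ALERT sig=web-scan src=198.51.100.4 dst=10.0.2.8",
    "2024-03-01T10:02:15 ids01 ALERT sig=web-scan src=198.51.100.4 dst=10.0.2.8",
    "2024-03-01T10:02:50 web01 sshd Failed password for admin from 198.51.100.4",
    "2024-03-01T10:03:00 fw01 DENY src=192.0.2.77 dst=10.0.1.5 dport=3389",
    "2024-03-01T10:45:00 fw01 DENY src=192.0.2.77 dst=10.0.1.5 dport=3389",
]

# Constructed asset inventory: business value (1-5, from the business) and a
# weakness factor (0-1, from the last vulnerability assessment).
ASSETS = {
    "10.0.1.5": {"name": "db01", "value": 5, "weakness": 0.9},
    "10.0.2.8": {"name": "web01", "value": 2, "weakness": 0.3},
}
HOST_TO_IP = {"db01": "10.0.1.5", "web01": "10.0.2.8"}

# Threat weight per normalised event kind (constructed).
THREAT_WEIGHT = {"fw-deny": 1, "fw-allow": 0, "ids-alert": 3, "auth-fail": 2}

FW_RE = re.compile(r"^(\S+) \S+ (DENY|ALLOW) src=(\S+) dst=(\S+) dport=\d+$")
IDS_RE = re.compile(r"^(\S+) \S+ ALERT sig=(\S+) src=(\S+) dst=(\S+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd Failed password for (\S+) from (\S+)$")


def normalize(line):
    """Collect: map one raw line from any silo onto a common schema, or None."""
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "kind": "fw-deny" if action == "DENY" else "fw-allow",
                "source": "firewall"}
    m = IDS_RE.match(line)
    if m:
        ts, sig, src, dst = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "kind": "ids-alert", "source": "ids", "detail": sig}
    m = AUTH_RE.match(line)
    if m:
        ts, host, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": src,
                "dst": HOST_TO_IP.get(host, host),
                "kind": "auth-fail", "source": "host", "detail": user}
    return None   # unparsed lines would go to a parse-failure queue in practice


def correlate(events, window=timedelta(minutes=5), min_events=3, min_sources=2):
    """Analyze: cluster events per (src, dst) pair inside a time window and
    raise an incident only when the cluster is big enough AND spans more than
    one silo, which is what turns isolated noise into something actionable."""
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pair[(ev["src"], ev["dst"])].append(ev)
    incidents = []
    for (src, dst), evs in by_pair.items():
        cluster = [evs[0]]
        for ev in evs[1:] + [None]:            # None closes the final cluster
            if ev is not None and ev["ts"] - cluster[0]["ts"] <= window:
                cluster.append(ev)
                continue
            if (len(cluster) >= min_events
                    and len({e["source"] for e in cluster}) >= min_sources):
                incidents.append({"src": src, "dst": dst, "events": cluster})
            if ev is not None:
                cluster = [ev]
    return incidents


def risk_score(incident):
    """Slide 18: Threat * Weakness * Business Value = Risk."""
    asset = ASSETS.get(incident["dst"], {"value": 1, "weakness": 0.5})
    threat = sum(THREAT_WEIGHT[e["kind"]] for e in incident["events"])
    return threat * asset["weakness"] * asset["value"]


def triage(raw_lines):
    """Respond: the queue an analyst (or ticketing integration) would work,
    ordered by business risk, highest first."""
    events = [e for e in map(normalize, raw_lines) if e]
    ranked = sorted(correlate(events), key=risk_score, reverse=True)
    return [(i["src"], i["dst"], round(risk_score(i), 1)) for i in ranked]


if __name__ == "__main__":
    for src, dst, risk in triage(RAW_EVENTS):
        print(f"{src} -> {dst}: risk {risk}")
```

Run it and the 11 raw events collapse into two incidents. Both carry the same threat score (8), but the one against the high-value, weakly patched database host scores 36 against 4.8 for the web host, which is the reordering slide 18 asks for; the lone RDP probe repeated 40 minutes apart never becomes an incident at all. In a real deployment the asset table and weakness factors come from the asset inventory and vulnerability assessment feeds shown on slide 15, not from a literal in the code.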
  19. Investigations and Forensics
     - Being able to investigate and manipulate data
     - Visualization
     - Post-event correlation
     - Managing by case / incident
     - Chain of custody
     - Integrity of data
  20. Analogy to record keeping
     - Primary / secondary logs: some logs are more important than others. How are these identified, marked and maintained?
     - Archival procedures
     - A conscious policy on maintenance of logs and procedures for "destruction"
     - Retention of data
     - Reproducibility of information!
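The "chain of custody" and "integrity of data" items on slide 19 and the primary/secondary classes, retention and reproducibility on slide 20 are usually met with the same mechanism: a tamper-evident archive whose head hash is anchored somewhere the archive writer cannot rewrite. Added example, not from the deck or any CA product; the log lines, log classes and retention periods are constructed, and `LogArchive` is an illustrative class, not a product API.

```python
"""Added example, not from the original deck: a tamper-evident log archive
illustrating the "chain of custody" and "integrity of data" items on slide 19
and the primary/secondary classes, retention and reproducibility on slide 20.
Every record stores the hash of the record before it, so the archive is a
hash chain; verify() reports the first record whose chain breaks.  Log lines,
log classes and retention periods are constructed for illustration."""
import hashlib
import json

# Constructed retention policy: primary (evidence-grade) logs are kept longer.
RETENTION_DAYS = {"primary": 365, "secondary": 90}
GENESIS = "0" * 64


class LogArchive:
    def __init__(self):
        self.records = []
        self.head = GENESIS   # hash of the most recent record

    @staticmethod
    def _digest(rec):
        """SHA-256 over a canonical JSON form of the record minus its own hash."""
        body = {k: v for k, v in rec.items() if k != "hash"}
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()

    def append(self, source, line, log_class="secondary"):
        """Archive one log line under a retention class; returns the new head."""
        if log_class not in RETENTION_DAYS:
            raise ValueError(f"unknown log class: {log_class}")
        rec = {"seq": len(self.records), "source": source, "class": log_class,
               "retain_days": RETENTION_DAYS[log_class], "line": line,
               "prev": self.head}
        rec["hash"] = self._digest(rec)
        self.records.append(rec)
        self.head = rec["hash"]
        return self.head

    def verify(self, expected_head=None):
        """Recompute every digest and check each prev pointer.
        Returns (True, None) or (False, seq_of_first_bad_record).
        Pass the head hash you anchored off-system (a ticket, a WORM store, a
        signed daily summary) as expected_head: an attacker who can rewrite the
        whole archive can recompute a self-consistent chain, but cannot change
        a head hash stored where they have no write access."""
        expected_head = self.head if expected_head is None else expected_head
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False, rec["seq"]
            prev = rec["hash"]
        if prev != expected_head:
            return False, len(self.records)   # consistent chain, but not the anchored one
        return True, None

    def export(self):
        """Serialise for cold storage; re-verify after loading to show reproducibility."""
        return json.dumps({"head": self.head, "records": self.records})

    @classmethod
    def load(cls, blob):
        arc = cls()
        data = json.loads(blob)
        arc.records, arc.head = data["records"], data["head"]
        return arc


def demo():
    """Archive three constructed lines, then edit one in place without
    recomputing hashes; verify() must point at that record (seq 1)."""
    arc = LogArchive()
    arc.append("fw01", "DENY src=203.0.113.9 dst=10.0.1.5 dport=22", "secondary")
    arc.append("db01", "sshd Failed password for root from 203.0.113.9", "primary")
    arc.append("ids01", "ALERT sig=ssh-bruteforce src=203.0.113.9", "primary")
    anchor = arc.head                     # what you would store off-system
    assert arc.verify(anchor) == (True, None)
    arc.records[1]["line"] = "sshd Accepted password for root from 203.0.113.9"
    return arc.verify(anchor)


if __name__ == "__main__":
    print(demo())
```

The chain on its own only detects edits made without recomputing the hashes; the `expected_head` argument is what makes it a chain-of-custody control, because a rewritten archive will verify against its own head but not against the one that was recorded elsewhere at the time. Retention and "destruction" (slide 20) then operate on whole records by `class` and `retain_days`, and a purged prefix should be replaced by its final hash so the remaining chain still anchors.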
  21. Best Practices: Where to look for how to do this right
  22. The Complexity of Regulatory Compliance (diagram: continuous compliance cuts across all areas)
     - Business issues: business continuity, business enablement, risk management, operational efficiency
     - Industry regulations: EU Data Protection, Basel II, ISO 17799, Sarbanes-Oxley, HIPAA, GLBA
     - Risks: credit risk, market volatility, reputation, liability, competition, operational risk
  23. COBIT (section DS5.2: Identification, Authorization and Access): "… Resources should be restricted … Prevent Unauthorized … Access …"
  24. SOX (source: Section 404, Management Assessment of Internal Controls): responsibility of management for establishing and maintaining an adequate internal control structure and … periodic review …
  25. Don't re-invent! Copy!
     - Work with others in your industry/sector, e.g. financial institutions working together on common problems
     - Follow an established model; there are published best practices and processes out there
     - Work with others not in your industry; other enterprises who aren't competitors often face the same sorts of problems
  26. An Example: an example of a SOC and NOC working together the right way
  27. Results
     Customer Results: Atos Origin
     - Secure the Olympic Games network with eTrust Security Command Center
     - Protect the integrity of times and scores
     - Correlate events to actions
     - Integration with eTrust Vulnerability Manager
     - More than 10,000 assets
     Integration of Network & Systems Management: event volume by source*
       UNIX SysLogs            65,000 events
       Windows SysLogs      1,036,800 events
       IDS and Access Logs  1,100,000 events
       Firewall               787,000 events
       Antivirus               12,000 events
     Reduction from raw events to action (the five sources above sum to about 3.0 million):
       Events                        3 Million
       Correlated Events             15,000
       Distinctive Security Issues   24
       Incidents Requiring Action    8
  28. The CA Portfolio
  29. Discovery through Remediation (portfolio diagram: real-time aggregation and correlation in support of incident response and event monitoring; historical analysis, trending and forensics investigation; Security Command Center/Audit at the centre with Asset Risk Value and Compliance to Policy; risk management, compliance, event and information management, and forensics; built on EITM Common Services and the MDB; surrounding functions: Threat Management, Identity and Access Management, Desktop and Server Management, Enterprise and System Management, Vulnerability Management, Security Configuration Management, Network Analysis, Trouble Ticketing / Service Desk, Patch Management, Self-Healing, Forensics Investigation)
  30. Discovery through Remediation (the same diagram with the eTrust products placed on it: eTrust Security Command Center / Audit, eTrust Network Forensics, eTrust Policy Compliance, eTrust Vulnerability Manager)
  31. Conclusion
     - A Security Operations Center is the keystone of an organization's security management program
     - Multiple organizational and technical issues should be considered in planning or evaluating a SOC
     - The potential benefits of a SOC are enormous
     - Download the free whitepaper, Best Practices for Building a Security Operations Center, for an in-depth examination
  32. Questions?
