Building Security Operation Center
Denis Batrankov
Solution Architect
bdv@hp.com
©2013 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice
Why HP speaks about it
Security Intelligence & Operations Centres (SIOC)
Built 29+ SIOCs; consulted on 60+ SIOCs (expertise, experience, methodology)
1. Help customers establish a Security Intelligence capability that can monitor, analyse and escalate significant information security events to protect the confidentiality, integrity and availability of the information technology enterprise;
2. Ensure HP ArcSight customers are successful with the product by assisting in providing the right people skills, building the right processes and delivering effective technology; and
3. Add value to the customer’s organization by using metrics to track effectiveness of controls and use intelligence to proactively protect against attack.
HP SIOC Consultants Background
1. Built and ran Microsoft’s SOC
2. Built and ran IBM’s Managed Security Service Provider SOC
3. Built and ran Verizon’s Managed Security Service Provider SOC
4. Built and ran Symantec’s Managed Security Service Provider SOC
5. Built and ran the SIOC for Europe’s largest Software-as-a-Service business
SIEM - Security Information & Event Management
ArcSight Is the Only Solution
ArcSight Platform
A comprehensive platform for monitoring modern threats and risks
• Capture any data from any system, including applications (SAP and others)
• Manage and store every event
• Analyze events in real time
• Identify unusual behavior at user level
• Respond quickly to prevent loss
Covers a wide range of products
Access and Identity
Anti-Virus
Applications
Content Security
Database
Data Security
Firewalls
Honeypot
Network IDS/IPS
Host IDS/IPS
Integrated Security
Log Consolidation
Mail Filtering
Mail Server
Mainframe
NBAD
Network Management
Network Monitoring
Net Traffic Analysis
Policy Management
Security Management
Router
Web Cache
Web Filtering
Switch
Vulnerability Mgmt
Web Server
Operating System
VPN
Wireless
Accounts Correlation
Look at all IDs: email address, badge ID, phone extension.
Different events are attached to the activity of the person.
Each event is attached to a “who it is” field to understand the person’s activity and behavior.
Accounts: rjackson, 348924323, jackson@arc.com, robertj, rjackson_dba, 510-555-1212
Identity: Robert Jackson
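The identifier-to-identity resolution the slide describes, as an added example (not ArcSight code): the directory, the per-source event field names and the sample events are constructed, and a second person is added so the index has something to disambiguate.

```python
# Added example: resolve the account names, e-mail address, badge ID and phone
# extension seen in events to one identity ("who it is"), then summarise that
# person's activity across sources.  Directory, field names and events are
# constructed for the example; this is not ArcSight code.
import re
from collections import defaultdict

# Constructed identity directory: the identifiers from the slide plus a second
# person.  In practice this would be fed from HR / directory systems.
DIRECTORY = {
    "Robert Jackson": ["rjackson", "348924323", "jackson@arc.com", "robertj",
                       "rjackson_dba", "510-555-1212"],
    "Alice Example": ["aexample", "alice@arc.com", "111222333", "510-555-3434"],
}

# Which event field may carry an identifier, per event source (assumed layout).
ID_FIELDS = {"windows": "user", "database": "db_user", "mail": "sender",
             "badge": "badge_id", "pbx": "extension"}


def normalize(value):
    """Canonical lookup form: lower-case; phone numbers and badge IDs reduced
    to their digits so '(510) 555-1212' and '510-555-1212' match."""
    v = value.strip().lower()
    if re.fullmatch(r"[\d\s().+-]{7,}", v):
        return re.sub(r"\D", "", v)
    return v


def build_index(directory):
    """Invert the directory into identifier -> person, refusing ambiguity:
    an identifier owned by two people would mis-attribute activity."""
    index = {}
    for person, identifiers in directory.items():
        for ident in identifiers:
            key = normalize(ident)
            if index.get(key, person) != person:
                raise ValueError(f"identifier {ident!r} maps to two people")
            index[key] = person
    return index


def attribute(events, index):
    """Return copies of the events with a 'who' field: the resolved person,
    or 'UNKNOWN' when the event carries no identifier known to the directory."""
    out = []
    for ev in events:
        field = ID_FIELDS.get(ev["src"])
        person = index.get(normalize(ev.get(field, ""))) if field else None
        out.append({**ev, "who": person or "UNKNOWN"})
    return out


def activity_by_person(events):
    """Per person, count events by source: the cross-source view the slide
    describes, where badge, PBX, mail and DB activity line up on one name."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in events:
        summary[ev["who"]][ev["src"]] += 1
    return {person: dict(counts) for person, counts in summary.items()}


# Constructed sample events.
SAMPLE_EVENTS = [
    {"src": "windows", "user": "RJACKSON", "action": "logon"},
    {"src": "database", "db_user": "rjackson_dba", "action": "select"},
    {"src": "mail", "sender": "jackson@arc.com", "action": "send"},
    {"src": "badge", "badge_id": "348924323", "action": "door open"},
    {"src": "pbx", "extension": "(510) 555-1212", "action": "outbound call"},
    {"src": "windows", "user": "svc_backup", "action": "logon"},
]

if __name__ == "__main__":
    attributed = attribute(SAMPLE_EVENTS, build_index(DIRECTORY))
    for person, counts in activity_by_person(attributed).items():
        print(person, counts)
```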
HP ArcSight ThreatDetector – Profile activity
• Early detection
• Different methods to detect good and bad behavior
• Looks at typical actors: insider, disgruntled admin, intruder
• Allows new patterns of behavior to be created
• Immediately checks all previous events against a detected pattern of behavior
Key Benefits of “In-house” Operations
 Maintain end-to-end control of security processes and data; increased monitoring efficiency
 Business requirements are incorporated into the solution
 Ability to expand the security/compliance footprint easily (at little or no additional cost)
 Creates the platform for security monitoring and reporting
Mission: Monitor, recognize, and escalate significant information security events to protect the confidentiality, integrity and availability of the information technology enterprise.
Main questions before building a SOC: Why?
 What business issues will the SOC resolve?
 What exact tasks will the SOC perform? (blocking attacks from the Internet, PCI DSS compliance, insider activity detection, incident handling, etc.)
 Who will receive information from the SOC?
 Who is the sponsor of the SOC project? Who is responsible for the project inside the organization? What does the sponsor expect from the SOC?
 What events should be collected by the SOC?
Example of using a SOC (from a customer)
Malware spread detection
Windows server control
Monitor Active Directory
Monitor data leakage (DLP)
Monitor VIP (top managers) devices
Monitor IPS
PCI compliance: reporting and alerting
Monitor privileged users
What are Security Operations?
(Diagram: PEOPLE, PROCESS and TECHNOLOGY. Roles shown: Level 1, Level 2, Engineer, Incident Handler. Flow: Customers, Escalation, Case closed, in numbered steps 1 to 6.)
People in SOC (photos: Olympic Games, Russia, Kazan, July 2013)
Establish the Right Skills: Career Progression, Roles, Training
Roles, Security Intelligence:
• Manager
• Level-1 Analyst
• Level-2 Analyst
• SIEM Content Specialist
Roles, Key Organizations:
• Incident Manager
• Forensic Analyst
• SIEM Engineer
Training:
• Information Security Bootcamp
• ArcSight Training: ArcSight ESM Operations, ArcSight ESM Security Analyst, ArcSight ESM Use Case Foundations
• SANS Institute: GIAC Certified Intrusion Analyst (GCIA), GIAC Certified Incident Handler (GCIH)
• On-the-Job Training & Mentoring
SOC Methodology
• Assess the customer’s business requirements and capability against security operations best practices.
• Design people, process and technology to deliver business objectives and provide a practical roadmap to best practice.
• Manage measurable, repeatable and continually improved security operations.
• Mature the customer’s capability to provide continual improvements in efficiency and risk coverage.
HP Security Intelligence & Operations Consulting has a proven methodology for building and operating a security intelligence and operations capability (SOC cycle: Assess, Design, Manage, Mature).
Security Intelligence
• Proactive research into new threats and risks to your organisation
• The only team with end-to-end vision and situational awareness
• Feedback on control effectiveness
• Monitoring of threat agent channels for upcoming attacks
SOC Cost Components
Labor, direct:
 SOC Analysts (24x7x365)
 SOC Manager
 SIEM Engineer (Administration and Content Development)
 Education and Training for SOC Personnel
Labor, indirect:
 Security Device Management (Device : Analyst = 20:1 – 60:1)
 Incident Response Team
Software:
 ArcSight ESM w/ High Availability Failover
 Connectors
 Full Consoles / Web Consoles
 Compliance Insight Packages
 Maintenance and Support
Hardware (5 yr amortization schedule):
 ESM Servers
 Database Servers
 Connector Appliances
 Workstations w/ dual monitor displays and Laptops
 Uninterruptible power supplies (UPS)
Storage:
 High performance RAID 1+0 SAN, 1-10+ Terabytes (driven by data retention requirements and events/day)
Services:
 ESM Professional Services Installation
 Long term engineering or content development services
 IT Support Services (3rd party ticketing systems, network infrastructure, annualize IT business processes, etc.)
 Systems Management Services (availability, backup / recovery, capacity / performance, system administration)
 Threat Intelligence Subscription
Facilities:
 Hardened and secure datacenter location
 SOC facility
 Wall mountable screens or projectors
 Telecommunications – Phone / IP Phone
 Power and HVAC
 Maintenance
Build-a-SOC: Staff Rota (chart)
Use Cases
| Use Case | Primary Data Sources | Alert Criteria | Action |
|---|---|---|---|
| Botnet activity | Firewall, IDS, Proxy, Mail, Threat Intelligence | Connection to or from known malicious host or domain | Display in analyst active channel |
| Virus outbreak | Antivirus | 3 viruses detected with same name in 10 minutes | Page desktop team / display in dashboard |
| Successful attack / malicious code | IDS/IPS, Vulnerability | Targeted asset exhibits vulnerability, relevance=10 | Page server team / display in active channel / display in dashboard |
| SQL injection | Web Server, DAM, IDS/IPS | 5 injection attempts within specified time frame | Display in analyst active channel |
| Phishing | Threat Intelligence, Firewall, IDS, Proxy, Mail | Connection to or from known malicious host or domain | Display in analyst active channel |
| Unauthorized remote access | VPN, Applications | Successful VPN authentication from a non-domain member | Display in analyst active channel / Page network team |
| New vulnerability on DMZ host | Vulnerability | New vulnerability identified on publicly accessible host | Email daily report to vulnerability team |
| Suspicious activity | Firewall, IDS, Mail, Proxy, VPN | Escalating watch lists (recon, exploit, brute force, etc.) | Email daily suspicious user activity report to level 1 |
| Statistical anomaly | IDS, Firewall, Proxy, Mail, VPN, Web Server | Moving average variation of X magnitude in specified time frame | Display alerts in situational awareness dashboard |
| New pattern of activity | IDS, Firewall, Proxy, Mail, VPN, Web Server | Previously unseen pattern detected | Display in analyst active channel |
Event funnel (diagram): 750 events = 31.25 EPAH
Analyst Effectiveness
| Week | Raw | Correlated | Analysts | Raw / Analyst | Correlated / Analyst |
|---|---|---|---|---|---|
| Week 1 | 38,697,210 | 97,922 | 10 | 3,869,721 | 9,792.20 |
| Week 2 | 60,581,457 | 66,102 | 10 | 6,058,146 | 6,610.20 |
| Week 4 | 55,585,228 | 19,116 | 10 | 5,558,523 | 1,911.60 |
| Week 5 | 55,917,976 | 23,755 | 10 | 5,591,798 | 2,375.50 |
| Week 6 | 54,044,928 | 18,340 | 10 | 5,404,493 | 1,834.00 |
| Week 7 | 59,840,026 | 18,340 | 10 | 5,984,003 | 1,834.00 |
| Week 8 | 72,364,038 | 33,866 | 10 | 7,236,404 | 3,386.60 |
| Week 9 | 71,964,115 | 30,927 | 10 | 7,196,412 | 3,092.70 |
| Week 10 | 71,500,000 | 28,900 | 10 | 7,150,000 | 2,890.00 |
| Week 11 | 59,600,000 | 19,300 | 10 | 5,960,000 | 1,930.00 |
| Week 12 | 51,200,000 | 11,400 | 10 | 5,120,000 | 1,140.00 |
| Week 13 | 67,600,000 | 17,600 | 10 | 6,760,000 | 1,760.00 |
| Week 14 | 76,600,000 | 30,000 | 10 | 7,660,000 | 3,000.00 |
| Week 15 | 75,300,000 | 22,000 | 10 | 7,530,000 | 2,200.00 |
| Week 16 | 69,200,000 | 17,000 | 10 | 6,920,000 | 1,700.00 |
| Week 17 | 97,800,000 | 17,800 | 10 | 9,780,000 | 1,780.00 |
| Week 18 | 108,500,000 | 11,500 | 10 | 10,850,000 | 1,150.00 |
| Week 19 | 183,200,000 | 5,600 | 10 | 18,320,000 | 560.00 |
| Week 20 | 182,400,000 | 5,100 | 10 | 18,240,000 | 510.00 |
| Week 21 | 170,000,000 | 4,800 | 10 | 17,000,000 | 480.00 |
| Week 22 | 182,400,000 | 7,600 | 10 | 18,240,000 | 760.00 |
| Week 23 | 219,000,000 | 11,300 | 10 | 21,900,000 | 1,130.00 |
| Week 24 | 168,800,000 | 8,100 | 10 | 16,880,000 | 810.00 |
| Week 25 | 151,500,000 | 6,876 | 10 | 15,150,000 | 687.60 |
| Week 26 | 170,500,000 | 7,813 | 10 | 17,050,000 | 781.30 |
| Week 27 | 165,300,000 | 28,247 | 10 | 16,530,000 | 2,824.70 |
| Week 28 | 161,500,000 | 4,569 | 10 | 16,150,000 | 456.90 |
| Week 29 | 186,700,000 | 6,164 | 10 | 18,670,000 | 616.40 |
| Week 30 | 173,600,000 | 5,632 | 10 | 17,360,000 | 563.20 |
| Average | 112,454,999 | 20,195 | | 11,245,500 | 2,020 |
| Median | 76,600,000 | 17,600 | | 7,660,000 | 1,760 |
Weekly Analysis of Events per Analyst (charts, x axis = week index 1 to 29):
Raw Events / Analyst, trend line y = 589551x + 2E+06
Correlated Events / Analyst, trend line y = -150.3x + 4274
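Recomputing the table and the two chart trend lines, as an added example that is not part of the slide deck: the weekly counts are the slide's own numbers, the per-analyst figures divide by the 10 analysts, and the trend lines are an ordinary least-squares fit over week index 1..29 (the slide has no week 3), which is the fit a spreadsheet trendline produces.

```python
# Added example: recompute the "Analyst Effectiveness" table and the two
# trend lines from the chart.  Weekly counts are copied from the slide (there
# is no week 3, so the chart's x axis runs 1..29); the regression is plain
# least squares, the same fit a spreadsheet trendline uses.
from statistics import mean, median

ANALYSTS = 10
WEEKLY = [  # (raw events, correlated events) for weeks 1-2 and 4-30
    (38_697_210, 97_922), (60_581_457, 66_102), (55_585_228, 19_116),
    (55_917_976, 23_755), (54_044_928, 18_340), (59_840_026, 18_340),
    (72_364_038, 33_866), (71_964_115, 30_927), (71_500_000, 28_900),
    (59_600_000, 19_300), (51_200_000, 11_400), (67_600_000, 17_600),
    (76_600_000, 30_000), (75_300_000, 22_000), (69_200_000, 17_000),
    (97_800_000, 17_800), (108_500_000, 11_500), (183_200_000, 5_600),
    (182_400_000, 5_100), (170_000_000, 4_800), (182_400_000, 7_600),
    (219_000_000, 11_300), (168_800_000, 8_100), (151_500_000, 6_876),
    (170_500_000, 7_813), (165_300_000, 28_247), (161_500_000, 4_569),
    (186_700_000, 6_164), (173_600_000, 5_632),
]


def per_analyst(rows, analysts=ANALYSTS):
    """Raw and correlated events per analyst for each week."""
    return [(raw / analysts, corr / analysts) for raw, corr in rows]


def linear_fit(ys):
    """Least-squares line y = m*x + b over x = 1..len(ys); returns (m, b)."""
    n = len(ys)
    xbar, ybar = (n + 1) / 2, mean(ys)
    sxy = sum((x - xbar) * (y - ybar) for x, y in enumerate(ys, start=1))
    sxx = sum((x - xbar) ** 2 for x in range(1, n + 1))
    m = sxy / sxx
    return m, ybar - m * xbar


def summary(rows=WEEKLY, analysts=ANALYSTS):
    """Averages, medians and trend lines as shown on the slide.  The raw trend
    rising while the correlated trend falls is the point of the chart: rule
    tuning cuts what each analyst has to look at even as ingest grows."""
    raws = [r for r, _ in rows]
    corrs = [c for _, c in rows]
    raw_pa = [r for r, _ in per_analyst(rows, analysts)]
    corr_pa = [c for _, c in per_analyst(rows, analysts)]
    return {
        "avg_raw": mean(raws), "median_raw": median(raws),
        "avg_corr": mean(corrs), "median_corr": median(corrs),
        "avg_raw_per_analyst": mean(raw_pa),
        "avg_corr_per_analyst": mean(corr_pa),
        "raw_trend": linear_fit(raw_pa),    # (slope per week, intercept)
        "corr_trend": linear_fit(corr_pa),
    }


if __name__ == "__main__":
    s = summary()
    print("raw events / analyst: y = %.0fx + %.2e" % s["raw_trend"])
    print("correlated events / analyst: y = %.1fx + %.0f" % s["corr_trend"])
```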
The Cyber Killchain
Ensure the Operations are Repeatable
BC/DR
 Business Continuity Plan
 Disaster Recovery Plan
Process Improvement
 Maturity Assessments
 Project Methodology
 Knowledgebase (wiki)
Compliance
 Internal Compliance
 Compliance Support
Metrics
 Reporting KPIs
 Infrastructure Performance
 Operational Efficiencies
Event Management
 Triage
 Callouts
 Case Management
 Crisis Response
Daily Operations
 Shift Schedule
 Monitoring
 Problem and Change
 Shift Turn-Over
 Daily Operations Call
Training
 Training plans
 Skills Development tracking
Subtle Event Detection
 Data Visualization
 Pattern Analysis
Reporting
 Analyst Comments
 Incident Summary
 Threat Reports
Incident Management
 Incident Research
 Focused Monitoring
 Incident Response
Intrusion Analysis
 Event Analysis
 Threat Intelligence
Information Fusion
Design
 Developing Use Cases
 User and Asset Modeling
Configuration Management
 SIEM Architecture
 Data Feed Integration
System Administration
 Access Management
 Maintenance and Upgrades
Improve processes
CMMI - Capability Maturity Model® Integration
Workflow: Merging people, process & technology
| Category | SIEM priority 0-2 | 3-4 | 5-6 | 7-8 | 9-10 |
|---|---|---|---|---|---|
| Unauthorized Root/Admin Access | A | A | A | C1 | C1 |
| Unauthorized User Access | A | A | I2 | C2 | C1 |
| Attempted Unauthorized Access | A | A | A | I3 | C3 |
| Successful Denial of Service | A | A | I2 | C2 | C1 |
| Policy Violation | A | A | T3 | T2 | T1 |
| Reconnaissance | A | A | A | I3 | I2 |
| Malware Infection | A | A | T3 | T2 | C2 |
Legend
 C1: Critical callout (15 min)
 C2: Urgent callout (30 min)
 C3: Routine callout (2 hr)
 I2: Urgent investigation
 I3: Routine investigation
 T1: Critical ticket opened
 T2: Urgent ticket opened
 T3: Routine ticket opened
 A: Active monitoring
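An added example (not ArcSight content) that serves both the use-case table and the priority matrix above: two of the alert criteria (virus outbreak, botnet connection) implemented as windowed correlation rules over constructed events, with each resulting alert mapped through the matrix to its action code and callout deadline. The event field names, the priority each rule assigns and the threat-intelligence list are assumptions made for the example.

```python
# Added example: windowed correlation rules from the use-case table and the
# priority matrix from the workflow slide that turns an alert into an action.
# Event layout, the priority each rule assigns and all sample data are
# constructed here; this is not ArcSight content.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed threat-intelligence list (placeholder indicators, not real IoCs).
KNOWN_BAD = {"malicious.example.invalid", "198.51.100.23"}

# Priority matrix copied from the slide: SIEM priority band -> action code.
BANDS = [(0, 2), (3, 4), (5, 6), (7, 8), (9, 10)]
MATRIX = {
    "Unauthorized Root/Admin Access": ["A", "A", "A", "C1", "C1"],
    "Unauthorized User Access":       ["A", "A", "I2", "C2", "C1"],
    "Attempted Unauthorized Access":  ["A", "A", "A", "I3", "C3"],
    "Successful Denial of Service":   ["A", "A", "I2", "C2", "C1"],
    "Policy Violation":               ["A", "A", "T3", "T2", "T1"],
    "Reconnaissance":                 ["A", "A", "A", "I3", "I2"],
    "Malware Infection":              ["A", "A", "T3", "T2", "C2"],
}
CALLOUT_SLA = {"C1": timedelta(minutes=15), "C2": timedelta(minutes=30),
               "C3": timedelta(hours=2)}  # only callouts carry a time target


def action_for(category, priority):
    """Map a category and a 0-10 SIEM priority to its matrix action code."""
    for column, (lo, hi) in enumerate(BANDS):
        if lo <= priority <= hi:
            return MATRIX[category][column]
    raise ValueError("SIEM priority must be 0-10")


class Rule:
    """Fire when `threshold` matching events share one key inside `window`.
    threshold=1 is a plain match (botnet: traffic to a known bad host);
    threshold=3, window=10 min is the virus-outbreak rule from the table."""

    def __init__(self, name, matcher, key, threshold, window, category, priority):
        self.name, self.matcher, self.key = name, matcher, key
        self.threshold, self.window = threshold, window
        self.category, self.priority = category, priority
        self.seen = defaultdict(deque)  # key -> timestamps still in the window

    def feed(self, ev):
        """Return an alert dict when the rule fires on this event, else None."""
        if not self.matcher(ev):
            return None
        k = self.key(ev)
        q = self.seen[k]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:  # age out old timestamps
            q.popleft()
        if len(q) < self.threshold:
            return None
        q.clear()  # one alert per burst; a real engine also evicts idle keys
        return {"rule": self.name, "key": k, "ts": ev["ts"],
                "category": self.category, "priority": self.priority}


RULES = [  # category and priority per rule are assumptions for the example
    Rule("Virus outbreak", matcher=lambda e: e["src"] == "antivirus",
         key=lambda e: e["virus"], threshold=3, window=timedelta(minutes=10),
         category="Malware Infection", priority=9),
    Rule("Botnet activity",
         matcher=lambda e: e["src"] == "proxy" and e["dst"] in KNOWN_BAD,
         key=lambda e: e["host"], threshold=1, window=timedelta(0),
         category="Malware Infection", priority=6),
]


def triage(alert):
    """Attach the workflow action code and, for callouts, the due time."""
    code = action_for(alert["category"], alert["priority"])
    due = alert["ts"] + CALLOUT_SLA[code] if code in CALLOUT_SLA else None
    return {**alert, "action": code, "due": due}


def run(events):
    """Feed events through every rule in time order; return triaged alerts."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in RULES:
            alert = rule.feed(ev)
            if alert:
                alerts.append(triage(alert))
    return alerts


# Constructed sample events: three same-named detections inside ten minutes,
# one unrelated name, one late detection, and one proxy hit on the list.
T0 = datetime(2013, 7, 1, 9, 0)
SAMPLE = [
    {"ts": T0, "src": "antivirus", "host": "ws-11", "virus": "W32.Sample"},
    {"ts": T0 + timedelta(minutes=4), "src": "antivirus", "host": "ws-12", "virus": "W32.Sample"},
    {"ts": T0 + timedelta(minutes=5), "src": "antivirus", "host": "ws-13", "virus": "Other.Sample"},
    {"ts": T0 + timedelta(minutes=9), "src": "antivirus", "host": "ws-14", "virus": "W32.Sample"},
    {"ts": T0 + timedelta(minutes=30), "src": "antivirus", "host": "ws-15", "virus": "W32.Sample"},
    {"ts": T0 + timedelta(minutes=12), "src": "proxy", "host": "ws-20", "dst": "malicious.example.invalid"},
]

if __name__ == "__main__":
    for a in run(SAMPLE):
        print(a["ts"].time(), a["rule"], a["key"], a["action"], a["due"])
```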
Analytical Tools (screenshot)
Analytical Tools: Visualisation (screenshot)
Monthly Executive Brief (screenshot)
SOC Maturity Assessment
Establish the baseline, pragmatic plan for improvement
Security Operations Maturity Assessment
| SOMM Level | Name | Description |
|---|---|---|
| Level 0 | Incomplete | Operational elements do not exist. |
| Level 1 | Performed | Reliant on people and relationships, not standardized nor repeatable. |
| Level 2 | Managed | Business goals are met and operational tasks are repeatable. Many SOCs run successfully for some period of time at this maturity level. Missing aspects often include continual improvement and demonstrated ROI. |
| Level 3 | Defined | Operations are well-defined, subjectively evaluated, and flexible. Recommended maturity level target for most enterprise SOCs. Sufficient structure exists to meet business objectives and demonstrate ROI while still being able to adapt to enterprise requirements and a changing threat landscape without excessive overhead in processes. |
| Level 4 | Measured | Operations are quantitatively evaluated, processes are controlled, reviewed consistently, and proactively improved. Appropriate for a managed service provider environment where financial penalties result from inconsistent delivery. This environment may not be able to adapt to individual client needs or emerging threats and requires dedicated staff to sustain the maturity level. |
| Level 5 | Optimizing | All processes are tightly constrained, continually measured for deficiencies and variation, and continually improved. Suitable only for very narrow-scope operations focused on point solutions in a tightly controlled and static environment. |
Security Operations Maturity Assessment
| Area | Score | Finding |
|---|---|---|
| People | 1.57 | |
| General | 1.75 | Roles and responsibilities within the SOC are not defined and therefore cannot be used as criteria for member evaluation. |
| Training | 1.55 | The opportunity exists to develop an overall training program with a defined structure for analyst onboarding and continual growth through the analyst’s career. |
| Certifications | 1.00 | Lack of industry certifications across the team. |
| Experience | 1.70 | The feeder pool for hiring analysts is reasonable, yet the experience and background of some analysts is questionable. |
| Skill Assessments | 1.69 | A skills assessment program should be adopted and used to improve training plans and the overall skills composition of the group. |
| Career Path | 1.69 | There is an opportunity to develop career progression plans and to help guide analysts into senior positions within the SOC or elsewhere in the company. |
| Leadership | 1.77 | Conducting an organizational climate survey is encouraged in order to collect feedback and incorporate it into the leadership function. |
| Process | 1.26 | |
| Mission | 1.27 | The SOC mission, vision and charter should be clearly outlined and articulated within the SOC and to internal groups within the organization. |
| Operational Process | 1.66 | There are several opportunities to further develop operational processes and metrics to measure operational efficiency. |
| Analytical Process | 1.15 | Efforts to centralize a knowledge management solution for security analysts are currently underway. |
| Business Process | 0.89 | SOC SLAs and analyst KPIs are not developed and therefore cannot be used to capture metrics and track operational efficiency. |
| Technology | 2.38 | |
| SIEM Monitoring | 2.45 | SIEM meets current business needs. A test environment exists, so content and data feed onboarding can go through a proper testing cycle. |
| Architecture | 1.95 | Document data flow diagrams for troubleshooting purposes. |
| Correlation | 2.56 | Event management metrics are captured and used to track events monitored. |
| Monitored Technologies | 2.22 | A wide range of technologies are monitored, giving the SOC wider visibility across attack vectors. |
| ILM | 2.61 | Data retention and protection policies adhere to company policies. |
| Overall SOMM Level | 1.74 | |
Security Operations Maturity Assessment
Average SOMM by vertical:
| Vertical | Average SOMM |
|---|---|
| Financial | 2.25 |
| Retail | 2.35 |
| Technology | 1.60 |
| Government | 1.98 |
| Utility | 1.50 |
| Telco | 2.27 |
| MSSP | 2.40 |
Pragmatic Roadmap for Improvement
| | Phase I (Interim Capability) | Phase II (Dedicated Operations) | Phase III (Mature Security Operations) |
|---|---|---|---|
| Coverage | Part-time resources as available | Dedicated 8x5, virtual off-hours | 24x7x365 |
| Staffing | No dedicated staff | 1 dedicated analyst, 1 dedicated SIEM engineer | 12 FTE |
| Incident Escalations | 1-5 per week | 5-10 per week | 10-20 per week |
| Use Cases | 10 | 25 | 100+ |
| Events per second (EPS) | 200 | 500 | 1000 |
| Target Timeframe | 90 days | 180 days | 2 years |
Thank you
Denis Batrankov
Solution Architect
bdv@hp.com
