Presentation for CA World 2007 in Las Vegas on the topic of integrating SIEM with the SOC. This was the evolution of a previous presentation.

1. Best Practices for Building a Security Operations Center: Untangling the Mess Created by Multiple Security Solutions SS102SN Security Information Management Track CA Blue R0 G132 B201 CA Green R51 G158 B53 CA Dark Blue R0 G132 B201 CA Dark Green R51 G158 B53 CA Light Blue R0 G132 B201 CA Light Green R51 G158 B53 CA Gray R106 G105 B100 CA Tint Gray 30 R218 G218 B203 CA Tint Gray 10 R246 G246 B246

5. SIEM Overview

6. Security Needs to be Managed SSO Access Management Authentication Policy Management Reporting Web Services Password Management Authorization Provisioning Virus Protection Asset Discovery & Classification Event Collection Anti-Spam Spyware Prevention Gateway Protection Firewall Protection Malware Protection Scan & Clean Proactive Management Federation Forensics Compliance Mapping Correlation Vulnerability Assessment

10. SOC Stakeholders Security Analyst (sometimes IT Administrator) Intuitive investigation console that eases log analysis tasks and automates incident identification and repetitive response tasks Security Manager Operational dashboard that highlights areas of risk or immediate threat and enables quick drill down to incident status and event detail Security Officer Compliance oriented reporting that reflects current status against the organization ’s key security objectives CIO Dashboard and/or reports that reflect organizational risk status and security trends Auditor Report interface to key security metrics

12. SOC v. NOC

13. IT Security Silos Other Network Perimeter Application Sales Network Perimeter Application HR Network Perimeter Application

14. Breaking down the IT Security Silos Other Sales HR

17. What ’s in a SOC What is it? What does it do? What ’s a good one and what’s a bad one? Is it worth the time/money?

18. Where Does the SOC fit? External Data Sources Context for events Internal Logs Log Aggregation Process Reviews Feed from the NOC Tie into Remediation Workflow/Ticketing Event Journaling Training Automatic Notifications Reports Access for the NOC Vulnerability Assessment Asset Inventory SOC Audit Checks Health Monitoring Archival

24. Best Practices Where to look for how to do this right

25. The Complexity of Regulatory Compliance Continuous Compliance cuts across all areas Business Issues Business Continuity Business Enablement Risk Management Operational Efficiency Industry Regulations EU Data Protection Basel II ISO 17799 Sarbanes – Oxley HIPAA GLBA Risks Credit Risk Market Volatility Reputation Liability Competition Operational Risk

26. COBIT ( section DS5.2: Identification, Authorization and Access ) … Resources should be restricted … … Prevent Unauthorized … Access …

27. SOX Source: Section 404 Management Assessment of Internal Controls Responsibility of management for establishing and maintaining an adequate internal control structure and …periodic review…

29. An Example An example of a SOC and NOC working together the right way

31. The CA Portfolio

32. Discovery through Remediation Risk Management, Compliance, Event and Information Management, and Forensics Real-time Aggregation, Correlation in support of Incident Response and Event monitoring Historical Analysis, Trending and Forensics Investigation Security Command Center/Audit Asset Risk Value Compliance to Policy Threat Management Identity and Access Management Desktop and Server Management Enterprise and System Management Vulnerability Management Security Configuration Management Network Analysis EITM Common Services and MDB Trouble Ticketing / Service Desk Patch Management Self - Healing Forensics Investigation

33. Discovery through Remediation Risk Management, Compliance, Event and Information Management, and Forensics Real-time Aggregation, Correlation in support of Incident Response and Event monitoring Historical Analysis, Trending and Forensics Security Command Center/Audit Asset Risk Value Compliance to Policy Threat Management Identity and Access Management Desktop and Server Management Enterprise and System Management EITM Common Services and MDB Vulnerability Management Security Configuration Management Network Analysis Trouble Ticketing / Service Desk Patch Management Self - Healing Forensics Investigation e Trust Security Command Center / Audit e Trust Network Forensics e Trust Network Forensics e Trust Policy Compliance e Trust Vulnerability Manager

35. Questions & Answers