A talk on the Next-Gen Security Operation Center given to IDNIC+APJII as a representative of IDSECCONF. A people-centric SOC requires a lot of investment in people, in terms of both quantity and quality; unfortunately, (good) IT security people are getting rare these days. Organisations need to put more of their investment into technology: as in Industry 4.0, machines are getting more advanced at supporting humans in continuous and repetitive tasks.
Moving from a “traditional” to a next-gen SOC requires a proper plan, and that is what this talk was about.
An in-depth look at:
1. Disruptive Technology and its impact on organizations.
2. Need for a Security Operations Center (SOC) for 21st-century businesses
3. Designing and operating an effective SOC - what it takes to run a successful SOC starting from how we should prepare our minds in terms of approach to the actual implementation and operation.
4. Qualities any SOC Analyst should possess
5. Measuring the success of a SOC - We discuss critical factors to consider when determining the success of a SOC.
Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operation Center requirements
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operations center" is often used synonymously for SOC.
A network operations center (NOC) is not a SOC: a NOC focuses on network device management rather than on detecting and responding to cybersecurity incidents. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices that are used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same, whether delivered from a SOC or not. It is a meta-topic, involving many security domains and disciplines, and depending on the services and functions that are delivered by the SOC.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC:
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
Security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)
مرکز عملیات امنیت (Persian for “security operations center”)
Building a Next-Generation Security Operations Center (SOC) (Sqrrl)
So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations.
Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc
A Security Operation Center (SOC) is the most sensible move to protect your business during an attempted cyber attack. The SOC represents the overall security of an organization or environment, covering cyber, digital and information security, and the operations center is responsible for assessing and implementing the organization's security posture. Through the SOC, multiple layers of security are put in place with the objective of protecting information that is valuable to the organization.
From SIEM to SOC: Crossing the Cybersecurity Chasm (Priyanka Aash)
You own a SIEM, but to be secure, you need a Security Operations Center! How do you cross the chasm? Do you hire staff or outsource? And what skills are needed? Mike Ostrowski, a cybersecurity industry veteran, will review common pitfalls experienced through the journey from SIEM to SOC, the pros and cons of an all in-house SOC vs. outsourcing, and the benefits of a hybrid SOC model.
Learning Objectives:
1: You own a SIEM, but to be secure, you need a SOC. How do you cross the chasm?
2: What are the pros and cons of in-house, fully managed and hybrid security?
3: What considerations go into deciding whether to employ a hybrid strategy?
(Source: RSA Conference USA 2018)
What We’ve Learned Building a Cyber Security Operation Center: du Case Study (Priyanka Aash)
The cybersecurity landscape is rapidly evolving, with new threats and threat actors emerging, and traditional security operations centers (SOCs) need to be augmented accordingly. This session will detail the journey of du in building and continually enhancing its SOC, physically and philosophically, to best deal with attack detection (offensively and defensively) and response.
(Source: RSA Conference USA 2017)
Security Operations Center (SOC) Essentials for the SME (AlienVault)
Closing the gaps in security controls, systems, people and processes is not an easy feat, particularly for IT practitioners in smaller organizations with limited budgets and few (if any) dedicated security staff. So, what are the essential security capabilities needed to establish a security operations center and start closing those gaps?
Join Javvad Malik of 451 Research and Patrick Bedwell, VP of Product Marketing at AlienVault for this session covering:
* Developments in the threat landscape driving a shift from preventative to detective controls
* Essential security controls needed to defend against modern threats
* Fundamentals for evaluating a security approach that will work for you, not against you
* How a unified approach to security visibility can help you get from install to insight more quickly
Security management is very complex and is not limited to products and technologies. Many factors need to be weighed when setting up a Security Operation Center (SOC): insight into the business requirements, the ability and skill set of the people who will run the SOC, the team's responsibilities, the budget, and more.
SOC Architecture - Building the NextGen SOC (Priyanka Aash)
Why are APTs difficult to detect
Revisit the cyber kill chain
Process-oriented detection
NextGen SOC Process
Building your threat mind map
Implement and measure your SOC
Get advice from security gurus on how to get up & running with SIEM quickly and painlessly. You'll learn about log collection, log management, log correlation, integrated data sources and how-to leverage threat intelligence into your SIEM implementation.
Building a Next-Generation Security Operation Center Based on IBM QRadar and ... (IBM Security)
Learn about Sogeti’s journey of creating a new Security Operation Center, and how and why we leveraged QRadar solutions. We explore the full program lifecycle, from strategic choices to technical analysis and benchmarking on the product. We explain how QRadar accelerates the go-to-market of the SOC, and how we embed IBM Security Intelligence offerings in our solution. Having a strong collaboration between different IBM stakeholders such as Software Group, Global Technology Services, as well as the Labs, was key to client satisfaction and operational effectiveness. We also show the value of integrating new QRadar features in our SOC roadmap, in order to constantly stay ahead in the cyber security game.
Optimizing Security Operations: 5 Keys to Success (Sirius)
Organizations are suffering from cyber fatigue, with too many alerts, too many technologies, and not enough people. Many security operations center (SOC) teams are underskilled and overworked, making it extremely difficult to streamline operations and decrease the time it takes to detect and remediate security incidents.
Addressing these challenges requires a shift in the tactics and strategies deployed in SOCs. But building an effective SOC is hard; many companies struggle first with implementation and then with figuring out how to take their security operations to the next level.
Read to learn:
--Advantages and disadvantages of different SOC models
--Tips for leveraging advanced analytics tools
--Best practices for incorporating automation and orchestration
--How to boost incident response capabilities, and measure your efforts
--How the NIST Cybersecurity Framework and CIS Controls can help you establish a strong foundation
Start building your roadmap to a next-generation SOC.
Modern SIEMs support many different business and technical use cases, including security, compliance, big data analytics, IT operations, and others. However, this does not mean that any SIEM solution will satisfy your unique business and technical needs. Not all SIEMs are built equally or optimally to support all use cases, so it’s important to begin your SIEM evaluation by defining your specific use cases or goals.
How to Raise Cyber Risk Awareness and Management to the C-Suite (SurfWatch Labs)
Who's responsible for cybersecurity at your organization? The accountability for cybersecurity has shifted to the C-Suite, and it needs to become part of the overall business strategy.
In this presentation we will look at the cause and effect of the problem, analyze preparedness and learn how you can better prepare, detect, respond and recover from cyber-attacks.
SOC 3.0: strategic threat intelligence, May 2016 (Sarah Bark)
A next-generation SOC service that is capable of analysing metadata from dynamic data sources (social media, the dark web, etc.) in real time, when combined with business-centric data, enables the organisation to forecast threats, steer future security spend and direct business decisions. SOC 3.0 services are now becoming available that put next-generation threat intelligence within the reach of the SME. Jamal Elmellas, Technical Director, Auriga, outlines how threat intelligence via an outsourced SOC can be used by the enterprise to anticipate and mitigate cyber attacks.
SOC presentation - Building a Security Operations Center (Michael Nickle)
Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (Product and services) that my employer achieved with this product line.
A Buyer's Guide to Investing in Endpoint Detection and Response for Enterprise... (Kaspersky)
A key business goal of any organization is to maintain the constant availability of data and systems that can be trusted for decision-making purposes. The evolving threat landscape has resulted in increasing focus, right to board level, on cybersecurity. IT operational and security teams should demonstrate a comprehensive, cohesive approach in their response to security incidents and data breaches.
Netmagic helps you decide whether building a security operation center (SOC) or outsourcing it to an expert is the better option for meeting your organization's requirements.
Firewalls and border routers are still the cornerstone for perimeter security
Always will be a place for VPNs
Attacks occur at the application layer
So ensure app security
2. About me…
Ben Rothke, CISSP, CISM, CISA
Manager - Information Security - Wyndham Worldwide Corp.
All content in this presentation reflects my views exclusively and not those of Wyndham Worldwide
Author - Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
Write the Security Reading Room blog: https://365.rsaconference.com/blogs/securityreading
3. Agenda
Introduction
Need for a Security Operations Center (SOC)
Components of an effective SOC
Deciding to insource or outsource the SOC
Outsourced SOC = MSSP
SOC requirements
Q/A
5. Current information security challenges
Onslaught of security data from disparate systems, platforms and applications
numerous point solutions (AV, firewalls, IDS/IPS, ERP, access control, IdM, SSO, etc.)
millions / billions of messages daily
attacks becoming more frequent / sophisticated
regulatory compliance issues place increasing burden on systems and network administrators
6. Why do you need a SOC?
because a firewall and IDS are not enough
nucleus of all information security operations
provides continuous prevention, protection, detection and response capabilities against threats, remotely exploitable vulnerabilities and real-time incidents on your networks
works with CIRT to create comprehensive infrastructure for managing security operations
7. SOC benefits
speed of response time
malware can spread throughout the Internet in minutes or even seconds, potentially knocking out your network or slowing traffic to a crawl
consequently, every second counts in identifying these attacks and negating them before they can cause damage
ability to recover from a DDoS attack in a reasonable amount of time
8. Integrated SOC
(Architecture diagram; the layers and components legible in the slide text are listed below.)
Managed Devices Layer (boundary points / network nodes, DMZ / external-facing access, middleware / directories, internal resources): Internet, routers, firewall, VPN servers, NIDS, network A/V, web applications, mail, IBM mainframe, RAS, databases
Data Acquisition Layer (HTTP/S, SNMP, SMTP, Syslog, API, XML, logfile, custom)
Event Correlation Layer: event correlation engine, analysis and filtering, event enrichment, workflow automation, integration with other systems
Data Integration / Presentation Layer: security management, network management, compliance management
Other feeds and integrations shown: ethical hacking data, security event correlation, intelligence services (ISAC), system / network events, problem management, asset / change management, policy management, reports
10. SOC planning
full audit of existing procedures, including informal and ad-hoc
planning of location, resources, training programs, etc.
plans change; don’t try to prepare everything ahead of time
sometimes the best approach is not clear until you have actually started
build it like an aircraft carrier - change built into the design
11. SIM/SIEM/SEM tools
Many SOC benefits come from a good SIM tool
consolidates all data and analyzes it intelligently
provides visualization into the environment
Choose a SIM that’s flexible and agile, plus:
track and escalate according to threat level
priority determination
real-time correlation
cross-device correlation
audit and compliance
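As an added example (not from the slide deck), the Python sketch below shows how the data acquisition and event correlation layers of the architecture slide and the SIM capabilities listed above fit together: constructed firewall and IDS log lines are normalised into one event shape, correlated per source address across the two device types inside a time window, scored for priority, and mapped to an escalation queue. The log formats, scoring weights, thresholds and queue names are assumptions made for this example.

```python
# Added example: SIEM-style cross-device correlation on constructed log lines.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines from two device types feeding the SOC (not real logs).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:02 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=23",
    "2024-05-01T10:00:03 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=445",
    "2024-05-01T10:00:09 ids01 ALERT sid=2001 sev=high src=198.51.100.7 dst=10.0.0.5 msg=SSH brute force",
    "2024-05-01T10:00:40 fw01 ALLOW src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:05:00 fw01 DENY src=203.0.113.9 dst=10.0.0.8 dport=80",
    "2024-05-01T11:00:00 ids01 ALERT sid=3005 sev=low src=203.0.113.9 dst=10.0.0.8 msg=ICMP sweep",
]

# Assumed (constructed) formats for the two device types.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ALERT sid=(?P<sid>\d+) sev=(?P<sev>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) msg=(?P<msg>.*)$")

# Assumed weights for the "priority determination" step.
SEVERITY_SCORE = {"info": 0, "low": 1, "medium": 3, "high": 5}


@dataclass
class Event:
    """Normalised event shared by all device types (data acquisition layer)."""
    ts: datetime
    device: str        # "firewall" or "ids"
    kind: str          # DENY, ALLOW or ALERT
    src: str
    dst: str
    detail: str
    severity: str = "info"


def parse_line(line):
    """Normalise one raw log line into an Event; unknown formats yield None."""
    m = FW_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "firewall", m["action"],
                     m["src"], m["dst"], f"dport={m['dport']}")
    m = IDS_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "ids", "ALERT",
                     m["src"], m["dst"], m["msg"], m["sev"])
    return None


def correlate(events, window=timedelta(minutes=1), deny_threshold=3):
    """Event correlation layer: for each IDS alert, look for firewall denies
    from the same source within `window` before it and an ALLOW to the same
    target within `window` after it, then compute a priority score."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for alert in (e for e in evs if e.kind == "ALERT"):
            denies = [e for e in evs if e.kind == "DENY"
                      and alert.ts - window <= e.ts <= alert.ts]
            allowed = [e for e in evs if e.kind == "ALLOW" and e.dst == alert.dst
                       and alert.ts <= e.ts <= alert.ts + window]
            devices = {e.device for e in denies} | {alert.device}
            score = SEVERITY_SCORE.get(alert.severity, 0)
            if len(denies) >= deny_threshold:
                score += 2   # perimeter device saw a burst of blocked attempts
            if len(devices) > 1:
                score += 1   # corroborated by more than one device type
            if allowed:
                score += 3   # traffic to the targeted host was later permitted
            incidents.append({"src": src, "dst": alert.dst, "alert": alert.detail,
                              "denies": len(denies), "allowed_after": bool(allowed),
                              "devices": sorted(devices), "score": score})
    return incidents


def escalate(incident):
    """Workflow automation: map the priority score to an (assumed) handling queue."""
    if incident["score"] >= 8:
        return "P1-page-analyst"
    if incident["score"] >= 4:
        return "P2-ticket"
    return "P3-log-only"


def run_pipeline(lines):
    """Acquisition -> correlation -> escalation; returns (incident, queue) pairs."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return [(inc, escalate(inc)) for inc in correlate(events)]


if __name__ == "__main__":
    for inc, queue in run_pipeline(SAMPLE_LOGS):
        print(queue, inc)
```

The brute-force source is scored 11 and paged, while the isolated low-severity sweep with no corroborating firewall denies stays in the log-only queue, which is the kind of triage the slides expect the SIM to do before an analyst sees anything.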
12. Challenge of SIM & automation
A well-configured SIM can automate much of the SOC process. But…
“The more advanced a control system is, so the more crucial may be the contribution of the human operator”
Ironies of Automation - Lisanne Bainbridge: discusses ways in which automation of industrial processes may expand rather than eliminate problems with the human operator
don’t get caught in the hype that a SIM can replace good SOC analysts
no secret that they can’t
13. Which SOC?
Outsourced
Symantec, SecureWorks (Dell), Solutionary, WiPro, Tata, CenturyLink (Savvis, Qwest), McAfee, Verizon (Cybertrust / Ubizen), Orange, Integralis, Sprint, EDS, AT&T, Unisys, VeriSign, BT Managed Security Solutions (Counterpane), NetCom Systems and more
Centralized group within enterprise
Corporate SOC
14. In-house SOC vs. outsourced MSSP
The Business Case for Managed Security Services: Managed Security Services Providers vs. SIEM Product Solutions
http://www.solutionary.com/dms/solutionary/Files/whitepapers/MSSP_vs_SIEM.pdf
15. Define the SOC requirements
define specific needs for the SOC within the organization
what specific tasks will be assigned to the SOC?
detecting external attacks, compliance monitoring, checking for insider abuse, incident management, etc.
who will use the data collected and analyzed by the SOC?
what are their requirements?
who will own and manage the SOC?
what types of security events will be fed into the SOC?
16. Internal SOC
Advantages
• dedicated staff
• knows environment better than a third-party
• solutions are generally easier to customize
• potential to be most efficient
• most likely to notice correlations between internal groups
• logs stored locally
Disadvantages
• larger up-front investment
• higher pressure to show ROI quickly
• higher potential for collusion between analyst and attacker
• less likely to recognize large-scale, subtle patterns that include multiple groups
• can be hard to find competent SOC analysts
17. Internal SOC - Questions
1. does your staff have the competencies (skills and knowledge) to manage a SOC?
2. how do you plan to assess if they really do have those competencies?
3. are you willing to take the time to document all of the SOC processes and procedures?
4. who’s going to develop a training program?
5. who’s going to design the physical SOC site?
6. can you hire and maintain adequate staff levels?
18. Internal SOC success factors
1. trained staff
2. good SOC management
3. adequate budget
4. good processes
5. integration into incident response
If your organization can’t commit to these five factors, do not build an internal SOC – it will fail
it will waste money and time and create a false sense of security
if you need a SOC but can’t commit to these factors, strongly consider outsourcing
19. Outsourced SOC
Advantages
• avoid capital expenses – it’s their hardware & software
• exposure to multiple customers in similar industry segment
• often cheaper than in-house
• less potential for collusion between monitoring team and attacker
• good security people are difficult to find
• unbiased
• potential to be very scalable & flexible
• expertise in monitoring and SIM tools
• SLA
Disadvantages
• contractors will never know your environment like internal employees
• sending jobs outside the organization can lower morale
• lack of dedicated staff to a single client
• lack of capital retention
• risk of external data mishandling
• log data not always archived
• log data stored off-premises
• lack of customization
• MSSPs standardize services to gain economies of scale in providing security services to myriad clients
20. Outsourced SOC – general questions
1. can I see your operations manual?
2. what is its reputation?
3. who are its customers?
4. does it already service customers in my industry?
5. does it service customers my size?
6. how long have its customers been with it?
7. what is its cancellation/non-renew rate?
8. how do they protect data and what is the level of security at their SOC?
21. Outsourced SOC – staffing questions
1. what is the experience of its staff?
2. does it hire reformed hackers?
3. are background checks performed on all new employees?
4. does it use contractors for any of its services?
5. are personnel held to strict confidentiality agreements?
6. what is the ratio of senior engineers to managed clients?
7. what certifications are held by senior/junior staff?
8. what is its employee turnover rate?
22. Outsourced SOC – stability questions
1. is it stable?
2. does it have a viable business plan?
3. how long has it been in business?
4. positive signs of growth from major clients?
5. consistent large account wins / growing revenue?
6. what is its client turnover rate?
7. what are its revenue numbers?
if private and unwilling to share this information, ask for percentages rather than actual numbers
8. will it provide documentation on its internal security policies and procedures?
23. Outsourced SOC - sizing / costs
should provide services for less than an in-house solution
can spread out investment in analysts, hardware, software and facilities over several clients
how many systems will be monitored?
how much bandwidth is needed?
potential tax savings
convert variable costs (in-house) to fixed costs (services)
24. Outsourced SOC – performance metrics
must provide client with an interface providing detailed information
services being delivered
how their security posture relates to overall industry trends
provide multiple views into the organization
various technical, management and executive reports
complete trouble ticket work logs and notes
25. Outsourced SOC – SLAs
well-defined SLAs are critical
processes and time periods within which they will respond to any security need
SLA should include specific steps to be taken
procedures the company takes to assure that the same system intrusions do not happen again
guarantee of protection against emerging threats
recovery of losses in the event the service doesn’t deliver as promised
commitments for initial device deployment, incident response/protection, requests for security policy & configuration changes, acknowledgement of requests
26. Outsourced SOC - Transitioning
ensure adequate knowledge transfer
create formal service level performance metrics
establish a baseline for all negotiated service levels
measure from the baseline, track against it, adjusting as necessary
create an internal CIRT
identify key events and plan the response
hold regular transition & performance reviews
be flexible
schedule a formal review to adjust SLAs after 6 months of service operation and periodically thereafter
27. Outsourced SOC – Termination
all outsourcing contracts must anticipate the eventual termination at the end of the contract
plan for an orderly in-house transition or a transition to another provider
develop an exit strategy
define key resources, assets and process requirements for continued, effective delivery of the services formerly provided by the outgoing provider
28. Outsourcing: don’t just trust - verify
call Saturday night at 2AM
who’s answering? do they sound competent?
reports
are they to your liking? can they create complex reports?
set off a few alarms
are they calling/alerting you in a timely manner?
is there a true process for real-time threat analysis?
or simply a glorified reporting portal that looks impressive?
29. Mike Rothman on MSSP
We have no illusions about the amount of effort required to get a security management platform up and running, or what it takes to keep one current and useful.
Many organizations have neither the time nor the resources to implement technology to help automate some of these key functions.
So they are trapped on the hamster wheel of pain, reacting without sufficient visibility, but without time to invest in gaining that much-needed visibility into threats without diving deep into raw log files.
A suboptimal situation for sure, and one that usually triggers discussions of managed services in the first place.
http://securosis.com/blog/managed-services-in-a-security-management-2.0-world November 2011
30. SOC analysts
good SOC analysts are hard to find, hard to keep
have a combination of technical knowledge and technical aptitude
hire experienced SOC analysts
pay them well
you get what you pay for
32. SOC analyst - qualities
extremely curious
ability to find answers to difficult problems / situations
abstract thinker
can correlate IDS incidents and alerts in real-time
ethical
deals with low-level details while keeping a big-picture view of the situation
can communicate to various groups that have very different requirements
responds well to frustrating situations
33. SOC analyst burnout
SOC analysts can burn out
have a plan to address this
extensive training
bonuses
promotions
management opportunities
job rotation
34. SOC management
management and supervision of a SOC is a key factor to ensure its efficiency
while analysts, other staff, hardware and software are key elements, a SOC’s ultimate success is dependent on a competent SOC manager
inadequate/poor management has significant consequences
from process performance decrements, to incidents being missed or incorrectly handled
35. SOC processes and procedures
SOC is heavily process-driven
processes work best when documented in advance
usability and workflow are critical
documentation
adequate time must be given to properly document the many different SOC functions
corporate networks and SOC are far too complex to be supported in an ad-hoc manner
documentation makes all the difference
37. SOC metrics
measured by how quickly incidents are:
identified
addressed
handled
must be used judiciously
don’t measure base performance of an analyst simply on the number of events analyzed or recommendations written
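The three speeds above turned into numbers, as an added example that is not from the original deck: constructed ticket records carry the event, identified, addressed and handled timestamps, and each phase is summarised by median and 90th percentile rather than by a count of events per analyst (the ticket data and the choice of p90 are assumptions).

```python
"""Time-based SOC metrics from ticket timestamps.

Added example, not code from the original deck.  Each constructed ticket
records when the triggering event occurred, when it was identified, when
it was first addressed and when it was handled (closed); the deck's three
speeds become three durations, summarised by median and 90th percentile.
"""
from datetime import datetime
from math import ceil
from statistics import median

# Constructed tickets: (id, event_time, identified, addressed, handled), ISO timestamps.
TICKETS = [
    ("T1", "2024-05-01T01:00:00", "2024-05-01T01:04:00", "2024-05-01T01:10:00", "2024-05-01T02:00:00"),
    ("T2", "2024-05-01T03:00:00", "2024-05-01T03:30:00", "2024-05-01T03:45:00", "2024-05-01T06:00:00"),
    ("T3", "2024-05-01T09:00:00", "2024-05-01T09:02:00", "2024-05-01T09:05:00", "2024-05-01T09:30:00"),
    ("T4", "2024-05-02T00:00:00", "2024-05-02T08:00:00", "2024-05-02T08:30:00", "2024-05-03T00:00:00"),
]

def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def phase_durations(tickets):
    """Return {phase: [minutes per ticket]} for identify / address / handle."""
    out = {"identify": [], "address": [], "handle": []}
    for _, event, identified, addressed, handled in tickets:
        out["identify"].append(_minutes(event, identified))     # time to detection
        out["address"].append(_minutes(identified, addressed))  # time to first action
        out["handle"].append(_minutes(addressed, handled))      # time to closure
    return out

def percentile(values, p):
    """Nearest-rank percentile; p in 0..100."""
    ordered = sorted(values)
    return ordered[max(0, ceil(p / 100 * len(ordered)) - 1)]

def summarize(tickets):
    """Median and p90 per phase; the p90 tail is what a mean or a raw count hides."""
    return {phase: {"median": median(v), "p90": percentile(v, 90)}
            for phase, v in phase_durations(tickets).items()}
```

Ticket T4 (an overnight event identified eight hours later) barely moves the median but dominates the p90, which is the kind of delay a per-analyst event count would never surface.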
40. Apply
obtain management commitment to a SOC
ensuring adequate staffing and budget
define your SOC requirements
decide to have the SOC in-house or outsourced
in-house – create detailed and customized processes
outsourced – ensure their process meets your requirements
create a process to ensure the SOC is effective and providing security benefits to the firm
41. Ben Rothke, CISSP CISM
Manager – Information Security
Wyndham Worldwide Corporation
www.linkedin.com/in/benrothke
www.twitter.com/benrothke
www.slideshare.net/benrothke