#RSAC
Session ID: AIR-T11
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
Tamer El Refaey
Senior Director, Security Monitoring and Operations
du Telecom, UAE
84% of breaches had available forensic evidence*
1,400 log sources
4,000 events per second
72 SIEM correlation rules
*Source: Verizon 2012 Data Breach Investigations Report
The Approach

Prioritize The Efforts
Business impact assessment
Critical business processes
Confidential data
Credential repositories
Compliance requirements
High value targets

Recognize The Threats
Data leakage
Denial of service
Web defacement
Loss of revenue
Malicious insider
Malware infection

Understand The Environment
Business processes
Vendors and partners
Expected activities
Security policies
Identity and access information
Privilege access confinement

Enhance Security Visibility
Advanced endpoint visibility
Database activity monitoring
Open source intelligence
User behavior analytics

Search For Digital Crumbs
SIEM
Advanced security tools
Hunting
User awareness

Measure The Performance
Detection time
Response time
Successful breaches
Detection method
Weaknesses
Phase of detection
Visibility status
The Outcome

Visibility vs Quality
Chart: number of detected incidents vs number of SIEM rules, 2013 to 2016 (series: detected incidents, SIEM rules)
Chart: trend of alert quality, % of incidents vs alerts, 2013 to 2016
Detection time
% of incidents detected within 24 hrs from initial attempt, in the chart's 2013 to 2016 order: 74%, 82%, 81%, 86%
Average number of days to detect an incident, in the chart's 2013 to 2016 order: 19.6, 12.4, 10.9, 18.0
Phase of incident detection
Chart: % of incident detection by HP kill chain phase, 2013 to 2016
Phases: Reconnaissance, Attack delivery, Host exploitation, Binary installation, C&C, Local compromise, Internal recon, Lateral movement, Establish persistence, Action
What’s after detection?
Three charts, each bucketed as <1.5hrs, <4hrs, <8hrs, <24hrs, 1–7 days, >7 days:
Time between compromise and detection
Time between detection and start of incident response
Time between incident response and containment
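The outcome slides chart a handful of SOC KPIs: the share of incidents detected within 24 hours of the initial attempt, the average days to detect, the bucketed compromise-to-detection, detection-to-response and response-to-containment intervals, and the kill chain phase at which detection happened. The following Python scorecard is an added example, not code from the presentation or from du, that computes those same figures from incident records. The incident timestamps are constructed sample data; the bucket labels are taken from the slide, and treating the 1–7 days bucket as "up to and including seven days" is an assumption.

```python
from collections import Counter
from datetime import datetime

# Bucket labels and upper bounds (hours) from the "What's after detection?" slide.
BUCKETS = [("<1.5hrs", 1.5), ("<4hrs", 4.0), ("<8hrs", 8.0), ("<24hrs", 24.0)]

# Constructed sample incidents (hypothetical timestamps, not du data). Each record
# carries the timestamps the charts are built from plus the kill chain phase at
# which the incident was first detected.
INCIDENTS = [
    {"id": "INC-1", "initial": "2016-03-01T08:00", "compromise": "2016-03-01T08:30",
     "detected": "2016-03-01T09:15", "response": "2016-03-01T09:45",
     "contained": "2016-03-01T11:00", "phase": "Attack delivery"},
    {"id": "INC-2", "initial": "2016-03-05T10:00", "compromise": "2016-03-05T10:10",
     "detected": "2016-03-05T22:10", "response": "2016-03-06T01:10",
     "contained": "2016-03-06T08:10", "phase": "C&C"},
    {"id": "INC-3", "initial": "2016-03-10T00:00", "compromise": "2016-03-10T02:00",
     "detected": "2016-03-14T02:00", "response": "2016-03-14T08:00",
     "contained": "2016-03-16T08:00", "phase": "Lateral movement"},
    {"id": "INC-4", "initial": "2016-03-20T09:00", "compromise": "2016-03-20T09:05",
     "detected": "2016-04-01T09:05", "response": "2016-04-01T10:05",
     "contained": "2016-04-01T13:05", "phase": "Establish persistence"},
    {"id": "INC-5", "initial": "2016-03-25T14:00", "compromise": "2016-03-25T14:20",
     "detected": "2016-03-25T14:50", "response": "2016-03-25T15:10",
     "contained": "2016-03-25T15:40", "phase": "Host exploitation"},
]


def hours_between(inc, start, end):
    """Elapsed hours from the `start` timestamp field to the `end` field."""
    return (datetime.fromisoformat(inc[end]) - datetime.fromisoformat(inc[start])).total_seconds() / 3600


def bucket_for(hours):
    """Map an elapsed time to the slide's histogram bucket label."""
    for label, limit in BUCKETS:
        if hours < limit:
            return label
    # Assumption: the 1-7 days bucket includes exactly seven days.
    return "1–7 days" if hours <= 24 * 7 else ">7 days"


def detected_within_24h_pct(incidents):
    """% of incidents detected within 24 hrs of the initial attempt."""
    hits = sum(1 for i in incidents if hours_between(i, "initial", "detected") < 24)
    return 100.0 * hits / len(incidents)


def average_days_to_detect(incidents):
    """Mean days from initial attempt to detection."""
    total_hours = sum(hours_between(i, "initial", "detected") for i in incidents)
    return total_hours / 24 / len(incidents)


def interval_distribution(incidents, start, end):
    """Histogram of an interval (e.g. compromise -> detected) over the slide's buckets."""
    return dict(Counter(bucket_for(hours_between(i, start, end)) for i in incidents))


def detection_by_phase_pct(incidents):
    """% of incidents first detected at each kill chain phase."""
    counts = Counter(i["phase"] for i in incidents)
    return {phase: 100.0 * n / len(incidents) for phase, n in counts.items()}


def scorecard(incidents):
    """The KPIs charted on the outcome slides, as one dictionary."""
    return {
        "pct_detected_within_24h": detected_within_24h_pct(incidents),
        "avg_days_to_detect": round(average_days_to_detect(incidents), 2),
        "compromise_to_detection": interval_distribution(incidents, "compromise", "detected"),
        "detection_to_response": interval_distribution(incidents, "detected", "response"),
        "response_to_containment": interval_distribution(incidents, "response", "contained"),
        "detection_by_phase_pct": detection_by_phase_pct(incidents),
    }


if __name__ == "__main__":
    for name, value in scorecard(INCIDENTS).items():
        print(f"{name}: {value}")
```

Run against a real incident register, the same functions give the year-over-year series the deck plots; the one design point worth copying is that every KPI is derived from recorded timestamps on the incident record rather than estimated after the fact, which is what makes the detection-time trend auditable.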
What We Learned

Insider threat context
Identity
Access details
Job role
Vulnerabilities
Compliance status
Threat score
True positive score
Geolocation
Employment status
OOO status
IP reputation

Hunting
User behavior analytics
Known IOCs
Experience
Endpoint visibility
Suspicion

Automation
User notifications
Evidence collection
Response actions
Periodic reports
Automation Sample
Deterrence
Reduces noise
Insider threats
Show your work

Video: Dashboard_Video_v3.0
Apply what we discussed
Next week you should:
Decide the appropriate security KPIs for your organization and what their targets should be
In the first three months following this presentation you should:
Identify critical assets, processes, and high value targets within your organization
Understand what the major threats you are concerned about are
Know your environment and what its good state is
Within six months you should:
Build different use cases that would look for IOCs in your environment
Select the security intelligence solutions that you would consider implementing