Cyber Security Operations: Building or Outsourcing

Size: px

Start display at page:

Download "Cyber Security Operations: Building or Outsourcing"

Gabriel Reeves
7 years ago
Views:

1 Cyber Security Operations: Building or Outsourcing Michael Levin, Optum Stephen Moore, Anthem Jeff Schilling, Armor

2 Introduction Michael J. Levin, JD, CISSP, EnCE, GLEG, GSLC Director of Cyber Defense for Optum Former Director of Security Design and Innovation with U.S. Dept. Health and Human Services, Senior Associate with Deloitte, and Investigative Counsel with U.S. Office of Special Counsel

3 Cyber Defense Provides Cyber Security Services to UnitedHealth Group, monitoring security for over 150,000 endpoints Cyber Defense consists of Security Operations Center Cyber Forensic Investigations Persistent Threat Analysis Cyber Intelligence Services Active Cyber Defense Data Analytics and Security Innovation

4 Cyber Defense Structure CD Director SOC CFI PTA CIS ACD DASI

5 Magnitude of Security Data Monitoring 150,000 end nodes results in: ~2 TB of raw logs each day 1.5 Billion Network, Security, and End Point events daily (17,000 a second) This requires 24 hour, in house, security analyst support

6 Security Operations Center Utilizing the SIEM and manual analysis the SOC reduces the 1.5 billion daily events, to an average of 50 security incidents each day. On average, 20 incidents are escalated daily to CFI for advanced Incident Response and investigation. Raw Logs Network, Security, Host Based Events Security Incidents

7 Manpower Investigative Teams SOC 24/7 support across 3 shifts, 28 analysts, approx. 1 analyst per 5,000 end nodes CFI 13 Incident Responders, approx. 1 per 10,000 end nodes PTA 7 Security Hunters, sufficient manpower and experience to effectively hunt within the enterprise for unidentified threats. CIS 9 Intelligence Analysts, No easy rule to determined team size, rather gauged on output and success.

8 In-House vs Outsourcing Pros: Organizational Data maintained within org. Better organizational knowledge, access, and expertise, all inhouse No contract re-negotiation or arguments when specific security work is needed Immediate Incident Response activity Cons: Significant initial capital investment Upfront and on-going talent acquisition and retention

9 Options for building a SOC Jeff Schilling, CSO Armor

10 Great guide Carson Zimmerman MITRE Free!!!

11 The security process PROTECT Defense technologies such as DDOS mitigation, IPRM, WAF, etc. Threat intelligence feeds our rules engines, making intelligence systems smarter over time RECOVER Automation technologies to perform necessary cleaning measures and/or update policies and rules engines in real-time Precise processes and trained personnel to remove compromises and secure against repeat attacks CYBER & PHYSICAL SECURITY DETECT Detection technologies (e.g., AV/AM, FIM, SIEM and log correlation) tuned to the behaviors of real threat actors Experienced personnel on hand 24x7x365 differentiating real security events from false positives RESPOND Technologies to limit blast radius and prevent spread (e.g., hypervisor-based firewalls) Experienced personnel trained in preventative measures Proactive processes in place for notifying customers and other relevant parties (e.g., law enforcement agencies where appropriate)

12 The threat s process RECONNAISSANCE WEAPONIZATION DISTRIBUTION & STRATEGY EXPLOITATION PERSIST/LATERAL MOVEMENT COMMAND & CONTROL ACTION ON TARGET Open source research Social network research Port scan, IP sweep Google research Combine the exploit tool with the method Phishing Website drive by SQL inject script Infected Word Doc or PDF is opened Java script exploited in browser Command line SQL inject Registry Key changed Privilege Escalation Look for open connections Malware or compromised system reaches out for instructions Search the target Destroy or disrupt Package and prepare for and exfil data

13 Options SOC completely insourced Big Security budget Access to both technology and talent Defendable architecture SOC partially insourced partially outsourced Most likely solution Tuned to your team s technical capabilities and skills SOC completely outsourced Smaller, less complex environment

14 Assessing your capabilities TALENT TECHNOLOGY TECHNIQUES

15 Functions to assess Security OperaCon Center Threat Intelligence IndicaCons and Warnings Incident Response and Forensics Security Infrastructure Management Vulnerability Threat Management ü Threat assessment ü Threat Intel data analysis ü TradecraL analysis ü Threat trending ü Custom signature wricng ü Advanced Threat HunCng ü PenetraCon tescng ü Real Cme monitoring Triage Incident EscalaCon Incident Handling Call Center ü Memory analysis ü Host analysis ü Network analysis ü Malware Rev Eng Containment EradicaCon Security device mgt ü Security control sig mgt ü Security device patching Security device availability Managing CMDB ü Scanning the environment ü IdenCfying vulnerabilices RemediaCon/patch mgt

16 QUESTIONS?

Evolution Of Cyber Threats & Defense Approaches

Evolution Of Cyber Threats & Defense Approaches Antony Abraham IT Architect, Information Security, State Farm Kevin McIntyre Tech Lead, Information Security, State Farm Agenda About State Farm Evolution