Security operations centre (SOC) architecture: a holistic approach March 2016

Transcription

1 Security operations centre (SOC) architecture: a holistic approach March 2016

2 Agenda 1. How do you know what to protect? 2. How do you know when you re compromised? 3. Start lean, and improve on a continuous basis Security Operations Centre (SOC) Architecture March

3 How do you know what to protect? Business Process Vison Mission Values Data Governance Data classification policy Data ownership Risk management & appetite Policy Framework IT & Sec Architecture IT applications IT system & platforms Network & Interfaces Data At rest (end point, cloud) In transit Security Operations Centre (SOC) Architecture March

4 Regulatory requirements and internal classification guidelines Policy Framework Regulatory requirements to be considered: Data protection law (EU GDPR) Financial market regulation Industry standards PCI-DSS Etc. Identify crown jewels (PID/CID and IP) Identifiable personal data Identifiable client data Intellectual property Security Operations Centre (SOC) Architecture March

5 Data classification on data level: Discover segregate restricted from unrestricted Data classification Identify data with CID restrictions in data stores - Applications, instances, systems - DBs, logfiles etc. Scanning factory Restricted Data Un-restricted Data Segregation of data (app. & infra.) Client identifying data C Security classification Dev/test/prod (no CID) Client identifying data A & B Security classification C1 & C2 Dev/test/prod (CID) Service class 1 no critical data (no PID / CID / IP) Service class 2 semi-critical data (company owned) Service class 3 (high cost option) critical data legal restrictions Data obfuscation Anonymization, masking, encryption, hashing, etc., where possible In country / on premises Location agnostic and cloud ready Security Operations Centre (SOC) Architecture XXXX-XXXXXX-XX-X March

6 An SOC requires integrated operating models to fuse and share information Traditional SOC services Isolated capabilities Emerging SOC services Malware analysis Intrusion analysis IR/countermeasures Logging, monitoring & event management Security incident management Data analytics Tactical intelligence coordination Sensor enrichment TVM Incident Security Strategy response & Planning Insider threat monitoring Internal investigations Fraud monitoring Forensic analysis Vulnerability management Security analysts 24x7 Sensor management Compliance testing Security testing Additional services Countermeasure coordination Security engineering and change management Threat Digital and brand Vulnerability protection Evaluation Vulnerability scanning Penetration testing Perimeter protection Brand monitoring Disconnected insight in a noisy environment, due to disjointed, compartmentalised and insufficient data and analysis techniques Phishing analysis External countermeasures A robust threat analysis capability built on shared insights, data and research, that fuses insights from, and supports action by, multiple disparate stakeholders with a common mission Security Operations Centre (SOC) Architecture March

7 The emerging SOC requires an organisation to view transformation from different perspectives Emerging SOC services: tactical intelligence coordination Malware analysis Intrusion analysis IR/countermeasures Tactical Intelligence coordination Data analytics TVM Incident Security Strategy response & Planning Insider threat monitoring Internal investigations Fraud monitoring Assessment and realignment of human capital Sensor enrichment Forensic analysis Security analysts 24x7 Sensor management Compliance testing Countermeasure coordination Security engineering and Change management Digital Threat brand protection Vulnerability Evaluation Vulnerability scanning Penetration testing Perimeter protection Vision and operating model Brand monitoring Phishing analysis External countermeasures Technology framework tactical intelligence coordination Security Operations Centre (SOC) Architecture March

8 A threat intelligence enrichment framework is based on the following process: Intel collection Intel fusion and analytics Sensor enrichment Security analytics Reporting and collaboration Intelligence is aggregated from a firmspecific set of sources, including internal network data, social media, paid- and opensource threat feeds, and incident response and data security tools. Using technologies, a database of risk indicators fusing threat and risk indicators specific to the client is created. The collected data is compared to the indicators in the database, signalling potential risk. Once these potential risk indicators are identified, we develop workflows and technology pathways to automate detection of the indicators. Support for analytical processes, improving logging practices and real-time analysis of security alerts to find both the micro level risks as well as the broader strategic threats to the organisation. Building on the information and analysis, define immediate incident response actions and further steps for future mitigation and reporting, involving stakeholders across the organisation. Security Operations Centre (SOC) Architecture March

9 Building a threat intelligence management capability in line with an organisation s business imperatives is an iterative process. Defining a pilot overlay to introduce quick wins and put the concepts into practice can help build organisational momentum Security Operations Centre (SOC) Architecture March

10 Leveraged to develop a model for enhanced intelligence enrichment and analytics. Security Operations Centre (SOC) Architecture March

11 Target operating model Next Gen SOC: threat intelligence is an essential part Our perspective relies three core capabilities for a next-generation SOC: traditional eyes on glass monitoring, advanced security analytics, system and log collection & integration. These are informed by a wide range of security intelligence feeds both internal and external to the organisation. They allow the organisation to make quicker and more information decisions. In many cases, the firm can take proactive preventative measures or at least shorten the time between breach and response. Threat vector data Vulnerability data Eyes on glass monitoring Informed leadership Critical asset inventories External data Open source Advanced security analytics Engineering integration & collection management Incident response Proactive response Universe of data Processing/enriching Analysis Security Operations Centre (SOC) Architecture March

12 SOC models and threat intel sharing Inner Circle Gov CERT (MELANI) Law enforcement Government level Contributing External sources and feeds CH relevant threat intel Finance industry Power grid Critical Infrastructure Transportation & telecom Sharing Organisation A Organisation B Organisation C Organisation n Extended circle Organisation with a mature SOC Subscription MSSP 1 MSSP 2 Security vendor 1 Security vendor 2 Others Etc. Managed security service providers and vendors Security Operations Centre (SOC) Architecture March

13 Summary and next steps 1. Each SOC has a unique maturity level, a specific environment to support and a dedicated operation model. 2. To protect enterprise and personal data, they need to be identified and classified (PCI-DSS/data protection law) 3. Threat intelligence sharing means: a) technical interfaces but also b) sharing of social engineering practices with industry alignment 4. Threat intel sharing means all (or at least a core group) have to contribute to enrich 5. The adaptation of global feeds needs to be done just once and then shared among all 6. The main challenge remains to apply threat intelligence to the specific enterprise, to analyse root causes and improve continuously Security Operations Centre (SOC) Architecture March

14 This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers AG, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it All rights reserved. In this document, refers to PricewaterhouseCoopers AG, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.