Solution Briefing. Integrating the LogLogic API with NSN s Remediation & Escalation Mgmt. System

Transcription

1 Solution Briefing Integrating the LogLogic API with NSN s Remediation & Escalation Mgmt. System Tim Larson August 2009

2 Introduction Nokia Siemens Network s environment Company: Leading provider of mobile phone network gear, employing 65,000 people in over 120 countries. Network: Large-scale manufacturing systems with vendor and customer access and supported by numerous service provider organizations. Tim Larson IT Security Consultant BSIE, MBA, CISA Message: Knowing How. - This message addresses the fact that in today s world, it s no longer only about what resources (people, process, products, partners) you possess - it s about HOW to make the best use of them. Company Confidential 1

3 IT is missing IT level reporting and management of problems Current state: - there is NO IT wide problem management, only bits and pieces in various organizations, e.g. CERT Process (for security related vulnerabilities & incidents), Service Provider escalation management process, asset ownership, SLA Management process Company Confidential 2

4 Business Problem/Regulatory Concerns What is the change in the world that has brought this issue to the forefront? Virtualization within the enterprise. Utilizing multiple vendors and technologies internal and external. Centralized auditing of how incidents are handled. What is the scale of the problem? MTTR (Mean Time To Remediate) an incident was increasing. No risk-based plan for remediation. Only a manual process for tracking performance of SLA s (Service Level Agreements). Limited automation for auditing how incidents are handled (as required for SOX testing). Low level of connectivity on the part CERT team members and service providers doing remediation. No commercial tools for leveraging investment in security products like LogLogic, Qualys, idefense and Source Fire with internal stakeholders. How has your organization dealt with this problem in the past? Maintained manual standalone solutions and offered a minimal amount of stakeholder process integration. What are the cultural concerns? International Data Privacy laws relevant to local jurisdictions Involvement of Corp Sec., HR, Legal Communication with Worker s Council members Handling of sensitive information transferring outside the EU Monitoring enterprise Integrity Company Confidential 3

5 Solution Strategy What exactly were you trying to resolve? Consolidation of information from multiple systems while ensuring that high priority incidents are worked based on risk factor (security severity and asset classification). How did you approach problem? Discovering and changing processes, assessing and implementing technologies, convince management to address the problem in parallel with the technology deployment plan. Formula for Success = 50% process integration + 25% technology integration + 25% over come internal resistance What was the high-level Goal? - Actionable Security Intelligence Integrate SOC Security Data (Vulnerability, Log data and Attack data) Integrate distributed sources of relevant Asset Data Develop a CERT workbench for Remediation & Escalation Mgmt Enable SLA Performance Monitoring and centralized IT Auditing Prepare for Adaptive Remediation and Escalation Enable Enterprise Integrity Develop a Real-Time Event Management Application Company Confidential 4

6 The Challenge and the Promise Integration of Remediation & Escalation Processes NSN CERT Ticket Handling Process Version updated August 5,2008 SPs (SIS, HP, Nokia, IBM) MSSP NSN CERT Other source of Incident information Incident handling Verification & Analysis Create OTRS Ticket Update SP ticket HP, SIS,Nokia,Xerox Inform NSN CERT NSN CERT duty-officer MSSP / SOC Monitoring & Alerting Incident Handling Remediation Valid NSN incident No Update OTRS ticket MSSP Portal Create a SP ticket Vuln is in MP/ SC Inform NSN CERT Possible Incident Detected No Incident handling Counter measure Case assigned to CERT & MSSP Update OTRS ticket Update MSSP Ticket Create MSSP Ticket Approve to close SP ticket Level 4-5 Event Inform NSN CERT More SP remediation needed? No Std Conf mismatch, Update OTRS ticket Incident handling Remediation verification Level 1-3 Event No Define new controls in MP / Std Config Implementation Review/update MP/Std Conf NSN System Designer MSSP Portal Report Company Confidential 5

7 CERT s Centralized Workbench (REMS) Company Confidential 6

8 Correlating Security Knowledge, Escalate to Service Provider(s) Security Knowledgebase Log Logic Data Qualys Vuln Report CERT Incident -001 Tickets SP Support Incident 001-#2 SP #2 Incident 001-#2 DNS Tool Report Service Mgt Report NSN Asset Report Qualys Asset Report SP #3 Incident 001-#3 Cost Code Report SOC Asset Report SP Asset Report IP Block Report SP Asset Report Centralized Workbench for CERT Company Confidential 7

9 Integrated Solution: REM tool and LogLogic How did we leverage our deployment of Log Logic? Centralized log management used by SOC and MSSP analyst teams Log file Request Tool for stakeholders for network troubleshooting Audit tool for IT Auditors Secure storage for forensic investigations by Corp Sec and CERT Company Confidential 8

10 Solution Specifics What steps did you take to solve the problem? Requirements Gathering, Process Discovery, Solution Concept, Coding, User Acceptance, Documentation, Deployment, Enhancements Roadmap TIG team (Technology Integration Group). SIG team. (Stakeholder Integration Group) Weekly team review meetings with one common project manager. Created the REM System (REMS workbench) to solve integration gap What resources did you employ while solving the problem? Who was involved? All Stakeholders (HR, Legal, LOB, CERT, SOC team) Did you use outside consultants? Company Confidential 9

11 Integrating TIG & SIG Project Teams Project #1 Conduct interviews, gather findings, complete Arch design, financial impact analysis Technology Vendor meetings to review product capabilities Process Model Phase 2 & 3 Responsibilities & Deliverables Resource/Responsibility Allocation: Revised: Nov. 15, 2008 Present Gap Analysis Final Report & Overview of Phase # 2 Define SOW, time and cost for Phase # 2 Prepare Detail Project Plan for Phase # 2 SG approval Phase 2 starts here Kick-Off Meeting with Stakeholders Preimplementation Project Planning Milestone review Structure has to be in place. Phase # 2 SOW & costs SG approval Re-define Phaset # 2 SOW and costs Communication Kit Action Item Tracker Change Mgmt Plan Dev LM Std. Define Deployment Plan Business Case Scope, Risk Acceptance criteria Team TIG Shared Team SIG Process flow has to be precise. Audit/Scan Findings Compliance Reqmts Asset Ownership, Risk Impact dbase TIG = Technology Integration Team SIG = Stakeholder Integration Team Stakeholders = XYZ, SOC/ MSSP, SP s Team Collaboration is essential. Review BIA Inv. Critical Assets Communication Kit IR Implementation Plan LMS IR Processes Incident Mgmt Reqmts Deployment Planning Phase Action Item Tracker Approve Arch design Log Source Validation; Cap Plan Logging Facilities Reqmts; USE Case Solution Dev and Testing Communication Kit Action Item Tracker Conduct Pilot Test Plan Log Analysis process End User Docs Log Analysis Reqmts Service Support Doc Reporting Reqmts Test Plan for LMS Communication Kit Integration Plan Ticketing System Solution Deployment SG approval Action Item Tracker Implementation Plan Test Performance, validation testing Install TAS modules Pilot Qualys Create Final Deliverables Communication Kit Action Item Tracker Collect, Forward, alerts, correllate, report Integrate with ESM Install technology Pilot IDS Build, install custom App log connectors Install technology Define Log Reqmts Communication Kit Knowledge Transfer Training, Workshops Operational docs Hand Over docs Company Confidential 10

12 Use Case 1: Classification of informational assets Company Confidential 11

13 Information Asset (Container) Classification and Mapping to Asset Ownership Company Confidential 12

14 Mapping Attack & Vulnerability Data to Asset Data to Asset Ownership Information Company Confidential 13

15 Prioritization of Remediation based of Risk Factor Security Severity Rating = IDS + VMS + LMS Risk Factor = Security Severity Rating + Asset Class Value Escalation based on Risk Factor and Internal Controls Alignment with Business Requirements (SLA monitoring) Company Confidential 14

16 Risk Management Reporting on Alignment of Service Providers to NSN Goals Company Confidential 15

17 Use Case 2. Rogue system in datacenter 1) 2:00AM Qualys API scan report of IP address in Munich datacenter; IP address does not appear in REMS consolidated Asset database. 2) IP address does not appear in REMS consolidated Asset database, therefore reported as Rogue IP address and alert sent to CERT duty officer. 3) REMS triggers DNS Look-up to identify IP address for CERT duty officer. 4) REMS triggers ticket to VeriSign SOC to be on the alert for this IP address in Munich. 5) REMS triggers LogLogic API to search for systems rogue IP address. 6) CERT notifies IT Security NOC and Service Provider of condition. 7) Audit trail of activities are recorded & time-stamped automatically within REMS. Company Confidential 16

18 Process Automation Remediation and Escalation Process Diagram Version updated August 15,2008 SEM SOC Analyst Remediation Partners Other source of Incident information SEM Data SP ticket Update SP ticket MSSP / SOC Monitoring & Alerting Incident Handling Remediation Create a SP ticket Vuln is in MP/ SC or Exception Incident Update REMS More SP handling Valid incident ticket remediation Verification No needed? Automate & Analysis the ticket escalation system SOC define No No Incident handling exception Create REMS Countermeasure Approve to Ticket,exception close SP ticket SOC duty-officer SOC Portal Inform SOC Possible Incident Detected Create SOC Ticket Level 4-5 Event Inform SOC Automate tracking of remediation processes SOC ticket system Incident handling Remediation verification Level 1-3 Event Collaborate with SOC to define new controls in MP / Std Config Implementation Review/update MP/Std Conf Std Conf mismatch, Update REMS REMS ticket Ticket Update REMS Engineering ticket system Automate integration Case of assigned Asset to data and Log data Inform SOC exception SOC Update Ticket Portal Report Automate the Integration of Qualys Vuln and asset data No Company Confidential 17

19 Communications with Partners Corporate Security Service Providers & External partners IT Security IT Regions CERT/SOC Knowledge base IT Auditors IT Operations SP-1 SP-2 Internal Customers VeriSign Industry SIRT Legal Risk Management Human Resources Physical Security Finance Company Confidential 18

20 Overview of Financial Benefit Company Confidential 19

21 Summary of Results What was the final result? Utilized commercial security technology solutions; developed in-house integrated solution for automating the remediation and escalation management of IDS incident and vulnerability tickets. How did it work out? An automated, integrated approach to REM which benefited client by protected access to and storage of sensitive data enabled organization to reduce IT Operational costs reduced risks to business critical assets increased CERT and Service Provider effectiveness and efficiency facilitated a risk-based plan for remediation and escalation management enabled tracking of REM processes and monitoring of SLA obligations enabled enterprise integrity thru continous internal controls monitoring How much time did it take? Six months Industry Analysis feedback? a road you traveled more successfully than folks like ArcSight and RSA. Stakeholder feedback? All is better as the tool is a really good solution Company Confidential 20

22 Lessons Learnt Engage with stakeholders (internal and external to your organization) Enable API level integration of upstream and downstream internal systems Integrate business process and provide automated workflow Integrate a dedicated ticketing solution Integrate project teams Integrate auditing requirements to ensure incidents are handled properly Provide Actionable Intelligence into the SOC by de-stovepiping feeds Enable enterprise Integrity, and realize that The Automation of REM processes provides IT Security a clean slate in terms of utilization of resources. Company Confidential 21

23 Contact Information Thanks Contact Information Tim Larson Company Confidential 22

24 FMO Integrate REMS with the Impact Value of Business Critical Information Assets We re looking for the Business Impact Value in the process where the confidentiality, integrity or availability of your application or platform is endangered. Four Measures of Impact F,O,C,E Company Confidential 23