Spyders Managed Security Services

Transcription

1 Spyders Managed Security Services

2 To deliver world-class Managed Security Services, Spyders must maintain and invest in a strong Security Operations Centre (SOC) capability. Spyders SOC capability is built on a foundation of industry best practice procedures, processes, policies, and enabling technology. Our team of experienced and certified security analysts deliver a suite of advanced security services, and leverage strong technology partnerships to deliver value for clients. Each Spyders Managed Security Service offerings include the following SOC services / features: 24X7X365 Technical Helpdesk Support Security Monitoring Network Monitoring Incident Management Change Management Configuration Management Device Management Technology Lifecycle Management Compliance & Threat Reporting & Monthly Meetings On-demand Professional Services Incident Forensic Services Service Level Agreement (SLA) Spyders Risk Mitigation Centre (RMC) is staffed with full time permanent Level I and II security analyst that provide continuous monitoring, proactive management, and 24X7X365 technical support for clients. Third level support for escalations and complex issue resolution is provided by Spyders IT security and network engineering team. Should a service disruption, technical issue, suspicious activity of security violation occur, clients can contact Spyders helpdesk at any time. Spyders certified and experienced security analysts follow incident response procedures to appropriately address any security issues and work diligently to resolve technical issues to ensure adherence to client service level agreements (SLA s). For each incident, a trouble ticket is created by the Risk Mitigation Centre detailing the event, severity, relevance and magnitude of the correlated event. Tickets are shared with all required parties, and are only closed once the necessary remediation steps have been completed. Spyders maintains the highest level partnerships with technology vendors. This enables the Risk Mitigation Centre to access advanced vendor technical support staff and senior engineering staff that can be called on to efficiently and effectively resolve client issues. The RMC closely monitors the deployed security systems for suspicious activity and uses network monitoring tools to confirm the health of each security system. Each system is configured to generate alerts and events that are sent to the Risk Mitigation Centre. Security analysts conduct event monitoring by reviewing these alerts, events and offenses. Each one is investigated to determine if it is a false positive or true attack. If the event is confirmed to be a legitimate threat, the RMC assigns a severity level to the incident and follows the appropriate incident response procedure Spyders Inc. 2

3 defined in the client RMC manual. If it is a false positive that persists, tuning of the SIEM, firewall or IDS devices is conducted to eliminate the noise and focus on alerts and events that may pose real threats. On a daily basis security system vitals are checked to ensure optimal operation of the security technology. As new threats emerge clients can be confident they are being protected. The RMC is equipped with early warning detection services that provide security analysts with notifications on the latest security threats, malware trends, and system vulnerabilities. Early warning systems such as Secunia, US- Cert, SANS ISC, and reputational intelligence services provide detailed and up-to-date notifications for vulnerabilities discovered in software applications and hardware platforms. These resources deliver breaking news that affects the information security landscape. Network outages and network performance problems can have significant impact on an enterprise s day-to-day operations and can leave clients exposed to potential attacks. Monitoring network devices is critical to maintaining the health and integrity of the network. Spyders qualified Risk Mitigation Centre (RMC) security analysts proactively monitors the network devices 24x7x365 through network management tools and a variety of methods, including console checks, Ping, network probe, port checks, and by querying the standard SNMP MIBs implemented by vendors. This visibility enables Spyders to detect the failed elements that may interrupt network connectivity, impact performance or availability of the network. Action is taken quickly when a device is down or performance may be impacted. Following Spyders incident management process, the severity of the incident is assessed, an investigation is conducted and the issue is resolved in collaboration with the client. Spyders monitors network availability and performance of physical and logical managed systems, supporting the Layer 2 and Layer 3 network elements that may form part of the security perimeter. These are the underlying devices that provide end-to-end connectivity and security of the network. Interruption to or unusual activity on these systems can be the first indication of malicious network activity, as well as being a potential indicator for a system fault that could impact service. A number of key health indicators and network performance metrics are reviewed by Spyders. When combined with application and system level metrics, this data provides a deeper and more thorough understanding of the impact of increased network activity in a client s environment. The RMC uses a professional ticketing system and network monitoring technology to monitor availability, performance, events and configuration across layers and platforms for each managed service client. The network monitoring platform provides the RMC with the following capabilities: Application, Network and Systems Monitoring and Management Alerting and Automatic Remediation System Log Monitoring and Event Management Automated Inventory Discovery and Change Tracking Data Collection via SNMP, SSH, WMI, JMX and Syslog Virtual and Cloud Infrastructure Monitoring and Management Alerting via and SNMP Integration with Configuration Management Tools VMware ESX monitoring Highly customizable backend that can be modified to meet specific client needs Spyders Inc. 3

4 Spyders' Risk Mitigation Centre follows the ITIL industry standard network security incident response lifecycle process to ensure attacks on corporate assets are quickly and efficiently detected, contained, and remediated. The lifecycle includes all activities from incident monitoring to prevention. MONITOR The RMC continuously monitors security alerts from network monitoring systems, intrusion detection systems, security information and event management systems, and early warning systems. DETECT Analysts investigate every security alert generated to verify the legitimacy of the alert. If the activity is suspicious, RMC analysts assign a severity level to the incident, and follow the incident response process flow, which includes client and management notification. A trouble ticket is opened for each investigation. CONTAIN To minimize the exposure or damage that can be caused, analysts contain the incident by implementing changes to eliminate the attacker's means of access, removing affected devices / systems from the network. INFORM Analysts coordinate and provide technical and management teams with updates and responses, which can involve instructions to further contain, resolve, or mitigate the incident and actions to recover affected systems. The RMC provides stakeholders with regular updates on the detected incident and the status of remediation efforts regularly. CORRECT An incident post mortem analysis is conducted to identify weaknesses in the security architecture or system configuration. A root cause analysis document is prepared and circulated detailing the root cause of the incident, incident data, post mortem analysis, lessons learned and changes required. PREVENT To mitigate the risk of future incidents, system or architecture changes are implemented. Spyders invokes the change management process, and obtains the necessary approvals needed to implement the changes. Changes are tested to verify the same security incident cannot be repeated post change. A change management workflow and procedures are clearly defined upon onboarding of any new Managed Security Service client. Clients either follow Spyders change management process and procedures, or provide change procedures and related documents for their established process. The Risk Mitigation Centre follows ITIL based change management procedures. All changes include a well-defined roll-back plan, and must be approved by Spyders Security Operations Manager and the client Change Advisory Board. Where possible, changes are tested in Spyders Test and Integration lab. Urgent and non-urgent change management process flows outline the actions, decisions and roles involved in each process. Spyders Inc. 4

5 Client Config. Manager Spyders Change Manager Spyders Tester Spyders Change Builder Spyders Change Management Process Non-Urgent Change Process = B Build Change, Back-out & Test Plan per RFC No Test Change (Where possible) Test Successful? Yes Notify Client of Test Success Change Successful? Yes Review Change Measure Change Success Coordinate & Implement Change No Notify Client & Confirm Decision to Fix or Back-out Change Successful? Yes Notify Client Coordinator & helpdesk, Close Spyders RFC Fix or Implement Back-out plan No Initial Update to Logs & Notify Users Update Users & Logs Update Change Log and Associate new RFC with Old Close RFC in Log Reporting is a critical component of Spyders Managed Security Services. Reports are designed to present information in alignment with IT security and compliance objectives, and provide relevant information in the most appropriate format for each objective. Spyders reports provide clients with relevant information about security incidents, threats, vulnerabilities, IT compliance, and changes. These reports help clients gain the meaningful insights and new perspectives they need to answer questions and make better security decisions. They provide clients with point-in-time snapshots as well as historical trending data across multiple security metrics. Typical reports include security, performance and availability metrics, a summary of the security events, results of investigations, and both actionable and strategic recommendations to address issues and improve security. When clients are on-boarded, Spyders security specialists work with each client to design reports that address their specific requirements and goals. Spyders Inc. 5

6 Reports are reviewed monthly with clients via in person meeting or conference call. Monthly State of Security meetings allow the RMC to review pertinent information about threats, attacks, and vulnerabilities and give clients the opportunity to ask questions. These meetings provide an opportunity for the team to discuss Spyders recommended remediation and develop action plans to mitigate IT security risks. Spyders performs service, asset and configuration management as part of every managed service. This includes: Regular backups of managed systems, Reviews of new releases of firmware and patches for managed devices, Tracking of managed systems and patch level through a CMDB, Back-ups of Configuration Items immediately before and after performing patches or changes, and monitoring of Configuration Items. Configuration Items are routinely backed up and validated, with a safe copy of the configuration stored in an off-site location at Spyders to support disaster-recovery activities. Spyders routinely monitors vendor releases, and vulnerability information for Configuration Items. Critical patch releases and important updates are planned and scheduled to be applied to managed systems as soon as they are discovered. Device management includes all software patches and system upgrades required to ensure optimal operation of the IT security software and hardware. Spyders aim is to keep systems up-to-date and implement the latest fixes and patches as they become available from the vendors. The Risk Mitigation Centre ensures the timely and safe patching and upgrade of systems to address detected vulnerabilities, address system bugs or enable enhanced functionality. This is only done once the RMC is sure that nothing else will be affected. A key element of the service is the quality assurance and reliability we build in as standard. All patches and upgrades strictly follow the change management process. Unless otherwise agreed to with the MSS client, Spyders applies its patch management policy to all managed devices. Spyders patch management process includes: creating and maintaining a system inventory, monitoring for vulnerabilities, remediation, and threats, prioritizing vulnerability remediation, testing and deploying patches, and finally verifying the patch. Spyders' Risk Mitigation Center routinely performs minor maintenance updates on all managed technology components to ensure service stability and security. Minor Maintenance Windows do not have any impact on the availability of services. Major Maintenance Windows are reserved for updates to software or hardware that could potentially cause service disruptions or outages. Spyders communicates with clients whenever a Major Maintenance Window is needed. Typically these windows are used to apply major firmware or software updates, to implement major changes to device configurations, and to perform hardware related maintenance. Emergency maintenance windows can occur if there is a critical severity issue detected in one or more technology components that requires immediate remediation. Emergency maintenance Spyders Inc. 6

7 windows may be required due to server compromise or malware outbreaks and in other situations where changes, updates, and roll-backs need to be applied quickly and with little notice. Spyders account management team works closely with Managed Security Service clients to realize the full benefit of their security technology assets. With an accurate picture of how the IT security infrastructure may evolve over the next one, three, and five years, Spyders can correlate technology acquisition strategy with a financial model that will help client s make the most out of their investments. Spyders Security Technology Lifecycle Management (STLM) is a multi-phased approach that encompasses the planning, design, acquisition, implementation, and management of all elements comprising the client s managed IT security infrastructure throughout the life of the contract. Spyders in-depth technical knowledge, expert engineering and financial services feed into a solid business model that enables clients to proactively address systematic budgeting needs and longterm management of IT security infrastructures. STLM phases include: Assessment and identification of objectives and appropriate application of technology Technology acquisition specific to IT security infrastructure requirements Integration and implementation by certified security specialists Support services such as custom warranty and maintenance packages, help desk services, and systems monitoring Technology refresh to ensure upgrades are timely and relevant Asset disposition Spyders has a strong roster of security specialists with diverse skill sets that can be leveraged by MSS clients. Spyders qualified security consultants and engineers have strong consulting, design and technology integration skills across a broad portfolio. Professional Services are made available on-demand as part of the managed service contract by including a block of service days into the annual contract. Clients benefit from having expertise delivered by a partner that is familiar with their environment, but only incur the cost for the hours used to complete the project or resolve the issues at hand. Computer forensics investigation and reporting services can be delivered by Spyders security consultants. Spyders forensic services provide clients the option of having an impartial third party perform investigations their behalf. Spyders is equipped with a diverse set of skills and tools to facilitate and perform forensics investigations of client Information Technology Assets. This includes, but is not limited to, a review of logs, review of files and folders, review of stored Internet history, and data recovery. Tools that may be used include: Encase Forensic, Access Data FTK, Sans SIFT, Mandiant web historian, Magnet Forensic tools, TSK, and Kali (Backtrack). Standards-based processes are followed to perform gathering of evidence for investigations, which includes taking a forensic image of affected assets to create a workable copy of the data for investigations. Spyders adheres to, and maintains Chain of Custody for any investigated assets, in order to provide legally admissible proof for any criminal proceedings that may arise from the investigation. Spyders Inc. 7

8 Spyders dedicated Risk Mitigation Centre team understands the importance of service excellence. The RMC performs proactive monitoring of client devices through detailed checks, both manual and automated, to ensure that performance and availability of managed systems, security devices and perimeter Internet connections. Interruptions to availability or major performance issues are detected and escalated as per SLAs. Spyders quantifiable Service Level Agreements (SLAs) are tailored to best meet client needs and address support level preferences. Spyders SLA s address incident notification times, response and recovery times, system availability, system performance, change success, report content, report delivery, etc. Modifications to the standard offering can be made to provide extra features and faster response times for customers with more advanced needs. Spyders security notification response time SLA s are broken down in the table below. SLA Metrics Notification SLA Target for MTTR to take action within Severity 1 15 Minutes 30 minutes Severity 2 30 Minutes 4 hours Severity 3 60 Minutes 12 hours Spyders Risk Mitigation Centre holds the Canadian Industrial Security Directorate Facilities Security Clearance at the Secret Level. The facility employs a layered approach to logical security beginning with a redundant configuration of next-generation network firewalls at the perimeter. These firewalls provide the RMC with inline intrusion prevention and application blocking capabilities to ensure that only the protocols needed to manage client devices are allowed through to client networks. These firewalls provide a termination point for IPSec VPN tunnels to all client networks. Access to the firewalls is strictly enforced by a comprehensive set of administrative roles that help segregate configuration, reporting, and troubleshooting functions. Spyders propriety solution, IntelliGO, is used to distribute digital certificates to all Spyders managed devices to secure network access to the wireless, VPN and wired networks. All client managed service client communications are encrypted and the limited client data held on premises is maintained in secure databases. Spyders deploys all internal infrastructure in redundant, high availability pairs and utilizes a dual internet circuit environment with carrier diversity, and maintains high availability firewall and routing capabilities in addition to stacked switching infrastructure. The environment is designed to failover seamlessly between perimeter firewalls and ISPs. Redundant VPN tunnels to client environments are implemented to provide continuous management of client devices should a failover event occur. Spyders security analysts, engineers and management have been CPIC (Canadian Information Police Centre) verified and some hold federal government Secret Level security clearance. Spyders Inc. 8