Sourcefire Customer Case Study Nokia Siemens Networks: Creating Actionable Security Intelligence for Global IT Infrastructures

Transcription

1 Sourcefire Customer Case Study Nokia Siemens Networks: Creating Actionable Security Intelligence for Global IT Infrastructures Tim Larson Host Integrity Systems Inc. 1

2 Agenda Introduction of Case Study Business Problem Formula for Success Integration of Global Processes, Virtual Organizations, & Technology Benefits of Sourcefire Deployment Summary of Results Risk Management for IT Security 2

3 Introduction to Case Study Nokia Siemens Network s environment Company: Leading provider of mobile phone network gear, employing 65,000 people in over 120 countries. Network: Large-scale manufacturing systems with vendor and customer access and supported by numerous service provider organizations. Key Point: - This case study addresses the fact that in today s world, it s no longer only about what resources (people, process, products, partners) you possess - it s about Knowing How to make the best use of them. Creating Actionable Security Intelligence for Global IT Infrastructures 3

4 4 Three approaches to managing risk.

5 Analyst comments: The point is well-taken, according to Craig Roth, an analyst with Gartner Inc.'s Burton Group division and author of the recent report, "Building a Business Case for Collaboration Initiatives." As the business environment becomes more competitive, more global, and more cost-sensitive and responsive, the need for technologies that support collaboration is increasing. For many CIOs, breaking down information silos and forcing cooperation is the innovation that will lead to more innovation. The Vanguard Group is convinced that the social collaboration and communication tools her IT team is implementing and supporting will dramatically change corporate culture in concrete ways, such as compensation, as well as in ways we cannot even imagine. Implementation of Virtualized Enabled Collaboration 5

6 Business Problem/Regulatory Concerns What is the change in the world that has brought this issue to the forefront? Virtualization within the global enterprise. Utilizing multiple vendors and technologies internal and external. What are the regulatory concerns? International Data Privacy laws relevant to local jurisdictions Involvement of Corp Sec., HR, Legal Communication with Worker s Council members Handling of sensitive information transferring data to SOC located outside the EU What is the scope of the problem (The NEED)? No commercial tools for leveraging investment in security products like log management, vulnerability management, and intrusion management with upstream and downstream internal asset information systems. Creating Actionable Security Intelligence in a virtual global IT environment. 6

7 Formula for Success: What exactly were you trying to resolve (The NEED)? Optimizing business processes around the consolidation of information from multiple systems while ensuring that high priority incidents are worked based on risk factor (security severity and asset classification). How did you approach problem? Discovering and changing processes, assessing and implementing technologies, convince management to address the problem in parallel with the technology deployment plan. TIG and SIG teams. Formula for Success = 25% technology deployment + 50% process integration + 25% over come internal resistance to collaboration. 7

8 Creating Actionable Security Intelligence Data Center 1 SMC Data Center 3 SMC Data Center 2 SMC Data Center 4 SMC Data Center 6 SMC Data Center 5 SMC 8

9 Discover, Build, Promote Collaboration. Integration of Log Mgmt into the Incident Handling Process Version updated August 5,2008 Inform NSN CERT MSSP SOC/CERT Service Provides Other source of Incident information Incident handling Verification & Analysis Create OTRS Ticket Update SP ticket SP1, SP2,SP3,SP4 Inform NSN CERT SOC/CERT duty-officer MSSP / SOC Monitoring & Alerting Incident Handling Remediation Valid NSN incident No Yes Yes Update OTRS ticket MSSP Portal Create a SP ticket Vuln is in MP/ SC Inform NSN CERT Possible Incident Detected No Incident handling Counter measure Case assigned to CERT & MSSP Update OTRS ticket Yes Yes Update MSSP Ticket Yes Create MSSP Ticket Yes Approve to close SP ticket Level 4-5 Event More SP remediation needed? No Std Conf mismatch, Update OTRS ticket Incident handling Remediation verification Level 1-3 Event No Define new controls in MP / Std Config Implementation Review/update MP/Std Conf System Designer MSSP Portal Report Yes 9

10 Benefits of Solution Leveraged prior investments in technology Provide Actionable Intelligence into the organization by de-stove-piping data feeds NOC-SOC-Stakeholder collaboration Developed a common understanding with SP ers SOC visibility into Integrity of Service Providers Increased Productivity of Stakeholders Decreased MTTR to Risks Gave Security a clean-slate 10

11 Technology Deployment that drives Risk Mgmt Vulnerability Management Intrusion Management Vulnerability Information Service Log Management 11

12

13 Collection of Security Data

14 Processing Asset & Security Data

15 Risk Management Process

16 16 REMS logon page

17 Workbench (ipad) 4 Risk Management

18 What was the final result? Utilized commercial security technology solutions and developed a flexible modular solution for automating Risk Management. How did it work out? An automated, integrated approach to IT Security which benefits the client by: Integrated solution: People, Processes and Technologies Enabled organization to reduce IT Operational costs Reduced risks to Business Critical Assets Increased CERT and Service Provider effectiveness and efficiency Facilitated a risk-based plan for remediation and escalation management Provided a more cost-effective and timely solution How much time did it take? Six months (POC > Pilot > Production) Stakeholder feedback? Summary of Results All is better as the approach is a really good solution 18

19 Business Drivers and Challenges for IT Security Risk Management Allow more partners/collaborators into the network Move security closer to the Business Applications Can I identify abnormal access to applications? What are relevant security events? Who or what is really accessing the information? How do Application events impact the Service? Can we monitor inter-active legacy data flows? Correlate Sourcefire events with Application events. 19

20 20 Content is subject to NDA