SQRRL ENTERPRISE Building the Modern Security Operations Center (SOC)




Target. Hunt. Disrupt. SQRRL ENTERPRISE Building the Modern Security Operations Center (SOC)

WHAT ARE WE TALKING ABOUT TODAY?
- Who I Am
- Defining the SOC
- Functions of a SOC
- Do you even need a SOC?
- Organization and Staffing of a SOC
- SOC Workflow
- SOC Technology
- Hunting with Linked Data
2015 Sqrrl All Rights Reserved 2

WHY LISTEN TO ME?
- Over 15 years information security experience
- Ph.D. from SecLab at UC Davis
- Proposed a SOC for Department of Energy
- Implementation Lead for the SOC of a large Federal agency
- Consulted on information security to multiple Federal organizations and commercial clients

WHAT IS A SOC?
(Information) Security Operations Center
[Image: "What a SOC Usually Looks Like" vs. "What a SOC Should Look Like". Public domain image from NASA, no endorsement implied.]

WHAT DOES A SOC DO?
[Diagram of SOC functions]
Core SOC Functions: Receive Reports; Incident Detection (Hunting, Alert Processing); Incident Handling; Threat Intelligence; SOC Engineering
Extended SOC Functions: Vulnerability Management; Communications / Education; Insider Monitoring; Incident Response; Forensics

DO YOU NEED A SOC?
- You are a target: almost anything of value can be targeted by an attacker
- Cost: Instrumentation, Engineering, Staffing, Management
- Add-ons, Economies of Scale
- Build or Buy or Hybrid?
- See: Trost, "Pulling Up Your SOCs: Best Practices for Building and Operating a Security Operations Center (SOC)", Interop Las Vegas 2015

WHO WORKS IN A SOC? Flat, wide, and all-encompassing model
[Org chart]
Leadership: CIO / CSO > CISO > SOC Manager
Leads: Call Center Lead; Detection Lead; Hunting Lead; Threat Lead; Engineering Lead; Incident Response Lead; Forensics Lead; Comm / Ed Lead; Insider Lead
Staff: Tier-1 Analysts; Tier-2 Analysts; Tier-3 Analysts; Threat Analysts; Engineers; Incident Responders; Forensic Analysts; Trainers; Insider Analysts; Comm Specialists

WHO WORKS IN A SOC? Distributed enterprise model
[Org chart]
Leadership: CIO / CSO > CISO > SOC Manager; Comm Lead; Site Lead; Education Lead
Leads: Call Center Lead; Detection Lead; Hunting Lead; Threat Lead; Engineering Lead; Incident Response Lead; Forensics Lead; Insider Lead
Staff: Comm Specialists; Trainers; Tier-1 Analysts; Tier-2 Analysts; Tier-3 Analysts; Threat Analysts; Engineers; Incident Responders; Forensic Analysts; Insider Analysts

WHO WORKS IN A SOC? Nested duties model
[Org chart]
Leadership: CIO / CSO > CISO > SOC Manager
Leads: Call Center Lead; Incident Detection and Response Lead; Advanced Analysis Lead; Comm & Ed Lead; Threat Lead
Staff: Tier-1 Analysts; Tier-2 Analysts; Incident Responders; Insider Analysts; Hunters; Trainers; Threat Analysts; Engineers; Comm Specialists; Forensic Analysts

WHO WORKS IN A SOC? Hybrid model
[Org chart]
Leadership: CIO / CSO > CISO > SOC Manager
Units: Call Center (MSSP); Advanced Analysis Lead; Site Leads; Comm & Ed Lead
Functions and staff: Receive Reports; Incident Detection; Hunters; Incident Responders; Trainers; Threat Intelligence; Engineers; Insider Analysts; Comm Specialists; Forensic Analysts

HOW DOES A SOC GET WORK DONE?
Or, how I learned to stop worrying and love the process.
[Diagram]
Call Center Processes: Internal Incident Report; External Incident Report; Internal Inquiry
Detection Processes: Malware Detection; Zeus Alerts; Custom Alert X
Shift Changes
OODA loop: Observe > Orient > Decide > Act

WHAT DOES A PROCESS LOOK LIKE?
Some are linear, others not so much.
[Figure: linear process pipeline MONITOR > DETECT > ANALYZE > TRIAGE > RESPOND, with a "Tools" sidebar whose three points are truncated in the source: 1) Don't tru... literature has tran... buzzwo... 2) Pilot too... vendor b... 3) Tool com... MUST!! (Trost, 2015)]

HOW MANY PROCESSES DO I NEED?
- As many as it takes for your staff to be comfortable and operate in a repeatable manner.
- Use CMMI as a guide, not a bible.
- Cheat sheet (cycle): Define Process; Evaluate Process; Execute Process

WHAT CAN TECHNOLOGY DO FOR US?
After all, it got us into this mess.

SOC TOOLS

| Priority | Function                   | Tools                                                                         | SANS Top 20 |
|----------|----------------------------|-------------------------------------------------------------------------------|-------------|
| Core     | Receive Reports            | Ticketing System; Call Management System                                      | 18          |
| Core     | Alert Processing           | SIEM, Log Management System, Packet Capture, IDS                              | 14          |
| Core     | Threat Hunting             | Linked Data Analysis, Behavioral Analytics                                    | 14          |
| Core     | Incident Handling          | Ticketing System                                                              | 18          |
| Core     | Threat Intelligence        | Threat Management System                                                      |             |
| Core     | Engineering                | SIEM, IDS, Health Monitoring                                                  | 14          |
| Extended | Insider Monitoring         | SIEM, Log Management System, Host Loggers                                     | 16          |
| Extended | Incident Response          | State Capture Tools, System Inspection Tools                                  | 18          |
| Extended | Forensics                  | Log Management System, System Forensics Software, Reverse Engineering Systems |             |
| Extended | Vulnerability Management   | Vulnerability Management System, Patch Management System                      | 4           |
| Extended | Communications / Education | Communications Management System, Course Creation Software                    | 9           |

THREAT HUNTING REQUIREMENTS
Linked Data + User and Entity Behavior (Contextual) Analytics
Linked Data:
- Use of ontologies to fuse together disparate datasets into common data models
- Graph query language and visualizations
- Petabyte scale
- Fast ad hoc querying and hypothesis testing
+ Behavioral Analytics:
- Various types of anomaly detection and machine learning techniques to flag outlier devices and users
- Links as features for analytics
- Alignment to kill chain methodology
- Signature-less

HUNTING WITH LINKED DATA ANALYSIS
Different techniques, different perspectives

EXPLICIT LINKS ARE STATED
1999-03-29T13:01:38-0500 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 SMTP 1 MD5 text/x-c - 0.000000 T F 1522-0 0 F - 6d01739d1d56c64209098747a5756443 - - -
1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 1 delta.peach.mil <hamishs@delta.peach.mil> <tierneyr@goose.eyrie.af.mil> Mon, 29 Mar 1999 08:01:38-0400 - tierneyr@goose.eyrie.af.mil - <19990329080138.CAA2048> - Phonetics software Tech, - (from mail@localhost) by delta.peach.mil (SMI-8.6/SMI- SVR4)\x09id: CAA2048; Mon, 29 Mar 1999 08:01:38-0400 - 250 Mail accepted 172.16.113.204,194.7.248.153 - F Fz892b2SFbpSayzLyl F
1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 tcp smtp 0.113325 1923 336 SF ShAdDafF 13 2447 12 820 (empty)

MODELING THE DATA

TRANSITIVE CLOSURE
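The "explicit links" and "transitive closure" slides above are shown here as a worked example that I added; it is not Sqrrl's code. It takes the three records from the explicit-links slide (which I read as Bro/Zeek files, smtp and conn records, an assumption), builds a graph from the shared file and connection ids, and walks the transitive closure so a hunter can start from only a file hash and recover every session, host and mailbox that is linked to it.

```python
import re
from collections import defaultdict

# The three records from the "Explicit links are stated" slide: a Bro/Zeek files, smtp
# and conn record (log types are my inference). Extraction turned the tab separators
# into spaces, so the ids are found by their Bro id shape rather than by fixed column.
FILES_REC = "1999-03-29T13:01:38-0500 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 SMTP 1 MD5 text/x-c - 0.000000 T F 1522-0 0 F - 6d01739d1d56c64209098747a5756443 - - -"
SMTP_REC = "1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 1 delta.peach.mil <hamishs@delta.peach.mil> <tierneyr@goose.eyrie.af.mil> Mon, 29 Mar 1999 08:01:38-0400 - tierneyr@goose.eyrie.af.mil - <19990329080138.CAA2048> - Phonetics software Tech, - (from mail@localhost) by delta.peach.mil (SMI-8.6/SMI- SVR4)\x09id: CAA2048; Mon, 29 Mar 1999 08:01:38-0400 - 250 Mail accepted 172.16.113.204,194.7.248.153 - F Fz892b2SFbpSayzLyl F"
CONN_REC = "1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 tcp smtp 0.113325 1923 336 SF ShAdDafF 13 2447 12 820 (empty)"

FUID = re.compile(r"\bF[A-Za-z0-9]{17}\b")      # file id, e.g. Fz892b2SFbpSayzLyl
CUID = re.compile(r"\bC[A-Za-z0-9]{17}\b")      # connection id, e.g. Cr4RV91FD8iPXBuoT6
MD5 = re.compile(r"\b[0-9a-f]{32}\b")
MAILBOX = re.compile(r"<([^<>@]+@[^<>]+)>")     # <user@host> in mailfrom / rcptto

def build_graph(files_rec, smtp_rec, conn_rec):
    """Undirected graph node -> {linked nodes}; nodes are 'type:value' so that a
    host, an id and a hash can never collide."""
    g = defaultdict(set)
    def link(a, b):
        g[a].add(b); g[b].add(a)
    fuid = "file:" + files_rec.split()[1]        # files: file id <-> conn id(s) and hash
    for cuid in CUID.findall(files_rec):
        link(fuid, "conn:" + cuid)
    link(fuid, "md5:" + MD5.search(files_rec).group(0))
    cuid = "conn:" + smtp_rec.split()[1]         # smtp: conn id <-> mailboxes and file ids
    for addr in MAILBOX.findall(smtp_rec):
        link(cuid, "mail:" + addr)
    for fu in FUID.findall(smtp_rec):
        link(cuid, "file:" + fu)
    c = conn_rec.split()                          # conn: conn id <-> both endpoint hosts
    link("conn:" + c[1], "host:" + c[2])
    link("conn:" + c[1], "host:" + c[4])
    return g

def transitive_closure(graph, start):
    """Every node reachable from start over any number of explicit links (BFS)."""
    seen, queue = {start}, [start]
    while queue:
        for nxt in graph[queue.pop(0)]:
            if nxt not in seen:
                seen.add(nxt); queue.append(nxt)
    return seen

def pivot(md5):
    """Hunter's question: from only a file hash, which files, sessions, hosts and
    mailboxes are transitively linked to it? An unknown hash yields empty lists."""
    reach = transitive_closure(build_graph(FILES_REC, SMTP_REC, CONN_REC), "md5:" + md5)
    return {kind: sorted(n.split(":", 1)[1] for n in reach if n.startswith(kind + ":"))
            for kind in ("file", "conn", "host", "mail")}
```

On real logs the same idea scales to a graph store: every shared id is an edge, and the closure is the hunter's pivot from one indicator to everything it touched.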

BRINGING IT ALL TOGETHER

QUESTIONS? Target. Hunt. Disrupt.