Cyber Security Operations: Building or Outsourcing

Cyber Security Operations: Building or Outsourcing
Michael Levin, Optum
Stephen Moore, Anthem
Jeff Schilling, Armor

Introduction
Michael J. Levin, JD, CISSP, EnCE, GLEG, GSLC
Director of Cyber Defense for Optum
Former Director of Security Design and Innovation with the U.S. Dept. of Health and Human Services, Senior Associate with Deloitte, and Investigative Counsel with the U.S. Office of Special Counsel
https://www.linkedin.com/in/michaellevin/

Cyber Defense
Provides cyber security services to UnitedHealth Group, monitoring security for over 150,000 endpoints.
Cyber Defense consists of:
- Security Operations Center (SOC)
- Cyber Forensic Investigations (CFI)
- Persistent Threat Analysis (PTA)
- Cyber Intelligence Services (CIS)
- Active Cyber Defense (ACD)
- Data Analytics and Security Innovation (DASI)

Cyber Defense Structure
CD Director over six teams: SOC, CFI, PTA, CIS, ACD, DASI

Magnitude of Security Data
Monitoring 150,000 end nodes results in:
- ~2 TB of raw logs each day
- 1.5 billion network, security, and endpoint events daily (about 17,000 per second)
This requires 24-hour, in-house security analyst support.

Security Operations Center
Using the SIEM and manual analysis, the SOC reduces the 1.5 billion daily events to an average of 50 security incidents each day. On average, 20 incidents are escalated daily to CFI for advanced incident response and investigation.
[Funnel figure: Raw logs -> Network, security, host-based events -> Security incidents]

Manpower: Investigative Teams
- SOC: 24/7 support across 3 shifts, 28 analysts, approx. 1 analyst per 5,000 end nodes
- CFI: 13 incident responders, approx. 1 per 10,000 end nodes
- PTA: 7 security hunters; sufficient manpower and experience to effectively hunt within the enterprise for unidentified threats
- CIS: 9 intelligence analysts; no easy rule to determine team size, rather gauged on output and success

In-House vs Outsourcing
Pros:
- Organizational data maintained within the org
- Better organizational knowledge, access, and expertise, all in-house
- No contract re-negotiation or arguments when specific security work is needed
- Immediate incident response activity
Cons:
- Significant initial capital investment
- Upfront and ongoing talent acquisition and retention

Options for Building a SOC
Jeff Schilling, CSO, Armor

Great guide: Carson Zimmerman, MITRE. Free!!!

The Security Process (cyber & physical security)
PROTECT
- Defense technologies such as DDoS mitigation, IPRM, WAF, etc.
- Threat intelligence feeds our rules engines, making intelligence systems smarter over time
DETECT
- Detection technologies (e.g., AV/AM, FIM, SIEM and log correlation) tuned to the behaviors of real threat actors
- Experienced personnel on hand 24x7x365 differentiating real security events from false positives
RESPOND
- Technologies to limit blast radius and prevent spread (e.g., hypervisor-based firewalls)
- Experienced personnel trained in preventative measures
- Proactive processes in place for notifying customers and other relevant parties (e.g., law enforcement agencies where appropriate)
RECOVER
- Automation technologies to perform necessary cleaning measures and/or update policies and rules engines in real time
- Precise processes and trained personnel to remove compromises and secure against repeat attacks

The Threat's Process
1. RECONNAISSANCE: open source research; social network research; port scan, IP sweep; Google research
2. WEAPONIZATION: combine the exploit tool with the method
3. DISTRIBUTION & STRATEGY: phishing email; website drive-by; SQL inject script
4. EXPLOITATION: infected Word doc or PDF is opened; JavaScript exploited in browser; command line SQL inject
5. PERSIST / LATERAL MOVEMENT: registry key changed; privilege escalation; look for open connections
6. COMMAND & CONTROL: malware or compromised system reaches out for instructions
7. ACTION ON TARGET: search the target; destroy or disrupt; package and prepare data for exfil

Options
- SOC completely insourced: big security budget; access to both technology and talent; defendable architecture
- SOC partially insourced, partially outsourced: most likely solution; tuned to your team's technical capabilities and skills
- SOC completely outsourced: smaller, less complex environment

Assessing Your Capabilities
TALENT, TECHNOLOGY, TECHNIQUES

Functions to Assess
Security Operations Center:
- Real time monitoring
- Triage
- Incident escalation
- Incident handling
- Call center
Threat Intelligence, Indications and Warnings:
- Threat assessment
- Threat intel data analysis
- Tradecraft analysis
- Threat trending
- Custom signature writing
- Advanced threat hunting
- Penetration testing
Incident Response and Forensics:
- Memory analysis
- Host analysis
- Network analysis
- Malware reverse engineering
- Containment
- Eradication
Security Infrastructure Management:
- Security device management
- Security control signature management
- Security device patching
- Security device availability
- Managing the CMDB
Vulnerability / Threat Management:
- Scanning the environment
- Identifying vulnerabilities
- Remediation / patch management

QUESTIONS?