Security operations centre (SOC) architecture: a holistic approach March 2016

www.pwc.com Security operations centre (SOC) architecture: a holistic approach March 2016

Agenda

1. How do you know what to protect?
2. How do you know when you're compromised?
3. Start lean, and improve on a continuous basis

Security Operations Centre (SOC) Architecture March 2016 2

How do you know what to protect?

- Business process: vision, mission, values
- Data governance: data classification policy, data ownership, risk management & appetite
- Policy framework
- IT & security architecture: IT applications, IT systems & platforms, network & interfaces
- Data: at rest (end point, cloud), in transit, processed

Regulatory requirements and internal classification guidelines

Policy framework. Regulatory requirements to be considered:
- Data protection law (EU GDPR)
- Financial market regulation
- Industry standards (PCI-DSS)
- Etc.

Identify crown jewels (PID/CID and IP):
- Identifiable personal data
- Identifiable client data
- Intellectual property

Data classification on data level: discover, and segregate restricted from unrestricted

- Data classification: identify data with CID restrictions in data stores (applications, instances, systems; DBs, logfiles etc.) through a scanning factory, separating restricted data from un-restricted data.
- Segregation of data (application & infrastructure):
  - Client identifying data C, security classification, dev/test/prod (no CID)
  - Client identifying data A & B, security classification C1 & C2, dev/test/prod (CID)
- Service class 1: no critical data (no PID / CID / IP)
- Service class 2: semi-critical data (company owned)
- Service class 3 (high cost option): critical data, legal restrictions
- Data obfuscation: anonymization, masking, encryption, hashing, etc., where possible (the slide shows 0483-123456-01-0 and its masked form XXXX-XXXXXX-XX-X)
- Hosting: in country / on premises, or location agnostic and cloud ready

An SOC requires integrated operating models to fuse and share information

Services shown in the figure, spanning traditional SOC services (isolated capabilities) and emerging SOC services: malware analysis, intrusion analysis, IR/countermeasures, logging, monitoring & event management, security incident management, data analytics, tactical intelligence coordination, sensor enrichment, TVM, incident response, security strategy & planning, insider threat monitoring, internal investigations, fraud monitoring, forensic analysis, vulnerability management, security analysts 24x7, sensor management, compliance testing, security testing, additional services, countermeasure coordination, security engineering and change management, threat evaluation, digital and brand protection, vulnerability scanning, penetration testing, perimeter protection, brand monitoring, phishing analysis, external countermeasures.

Traditional SOC: disconnected insight in a noisy environment, due to disjointed, compartmentalised and insufficient data and analysis techniques.

Emerging SOC: a robust threat analysis capability built on shared insights, data and research, that fuses insights from, and supports action by, multiple disparate stakeholders with a common mission.

The emerging SOC requires an organisation to view transformation from different perspectives

Emerging SOC services, with tactical intelligence coordination at the centre (malware analysis, intrusion analysis, IR/countermeasures, data analytics, TVM, incident response, security strategy & planning, insider threat monitoring, internal investigations, fraud monitoring, sensor enrichment, forensic analysis, security analysts 24x7, sensor management, compliance testing, countermeasure coordination, security engineering and change management, digital brand protection, threat evaluation, vulnerability scanning, penetration testing, perimeter protection, brand monitoring, phishing analysis, external countermeasures), are viewed from three perspectives:

- Assessment and realignment of human capital
- Vision and operating model
- Technology framework

A threat intelligence enrichment framework is based on the following process:

1. Intel collection: intelligence is aggregated from a firm-specific set of sources, including internal network data, social media, paid and open-source threat feeds, and incident response and data security tools.
2. Intel fusion and analytics: using technologies, a database of risk indicators is created, fusing threat and risk indicators specific to the client.
3. Sensor enrichment: the collected data is compared to the indicators in the database, signalling potential risk. Once these potential risk indicators are identified, we develop workflows and technology pathways to automate detection of the indicators.
4. Security analytics: support for analytical processes, improving logging practices and real-time analysis of security alerts to find both the micro-level risks and the broader strategic threats to the organisation.
5. Reporting and collaboration: building on the information and analysis, define immediate incident response actions and further steps for future mitigation and reporting, involving stakeholders across the organisation.
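The collection, fusion and sensor-enrichment steps of that process, as an added example that is not PwC's code: indicator records from a constructed internal IR tool, an open-source feed and a paid feed are fused into one risk-indicator database with a combined confidence, then constructed DNS and proxy log lines are compared against it, and hits on hosts that hold client identifying data are escalated. The feed names, log lines, host names and the crown-jewel set are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Indicator:
    value: str                  # normalised indicator (lower-case domain or IP)
    kind: str                   # "domain" or "ip"
    sources: set = field(default_factory=set)
    confidence: int = 0         # fused score, capped at 100

# Step 1, intel collection: constructed records from an IR tool, an OSINT feed and a paid feed
FEEDS = [
    ("internal-ir", "domain", "Update-Check.EXAMPLE", 90),
    ("osint-feed", "domain", "update-check.example", 40),
    ("paid-feed", "ip", "203.0.113.7", 70),
    ("osint-feed", "ip", "203.0.113.7", 30),
    ("osint-feed", "domain", "benign.example", 10),
]

def fuse(feeds, min_confidence=50):
    """Step 2, intel fusion: merge duplicates across feeds, add up their
    confidence (capped at 100) and drop low-value noise below the threshold."""
    db = {}
    for source, kind, raw, conf in feeds:
        key = raw.strip().lower()
        ind = db.setdefault(key, Indicator(key, kind))
        ind.sources.add(source)
        ind.confidence = min(100, ind.confidence + conf)
    return {k: v for k, v in db.items() if v.confidence >= min_confidence}

# Step 3, sensor enrichment: constructed log lines; crown jewels = hosts holding CID (assumed)
CROWN_JEWELS = {"db-cid-01"}
LOGS = [
    "2016-03-01T10:00:01 host=ws-42 dns query=update-check.example",
    "2016-03-01T10:00:05 host=db-cid-01 proxy dst=203.0.113.7 bytes=48213",
    "2016-03-01T10:00:09 host=ws-17 dns query=benign.example",
]

def match(db, logs, jewels=CROWN_JEWELS):
    """Compare each log line with the fused database; return (line, indicator,
    priority), escalating hits on crown-jewel hosts for the analysts."""
    hits = []
    for line in logs:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        for value in (fields.get("query", ""), fields.get("dst", "")):
            ind = db.get(value.lower())
            if ind:
                prio = "high" if fields.get("host") in jewels else "medium"
                hits.append((line, ind.value, prio))
    return hits
```

The threshold in `fuse` is where feed noise is cut before it reaches the sensors; the same two records that individually score 40 and 30 reach the database only because another source corroborates them.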

Building a threat intelligence management capability in line with an organisation's business imperatives is an iterative process. Defining a pilot overlay to introduce quick wins and put the concepts into practice can help build organisational momentum.

Leveraged to develop a model for enhanced intelligence enrichment and analytics.

Target operating model: next-gen SOC, where threat intelligence is an essential part

Our perspective relies on three core capabilities for a next-generation SOC: traditional eyes-on-glass monitoring, advanced security analytics, and system and log collection & integration. These are informed by a wide range of security intelligence feeds, both internal and external to the organisation. They allow the organisation to make quicker and better-informed decisions. In many cases, the firm can take proactive preventative measures or at least shorten the time between breach and response.

Figure elements, arranged as universe of data, processing/enriching and analysis: threat vector data, vulnerability data, critical asset inventories, external data, open source, engineering integration & collection management, eyes-on-glass monitoring, advanced security analytics, informed leadership, incident response, proactive response.

SOC models and threat intel sharing

- Inner circle: Gov CERT (MELANI) and law enforcement (government level), contributing external sources and feeds and CH relevant threat intel.
- Critical infrastructure: finance industry, power grid, transportation & telecom.
- Sharing: Organisation A, Organisation B, Organisation C, ..., Organisation n.
- Extended circle: organisation with a mature SOC.
- Subscription: MSSP 1, MSSP 2, Security vendor 1, Security vendor 2, others, etc. (managed security service providers and vendors).

Summary and next steps

1. Each SOC has a unique maturity level, a specific environment to support and a dedicated operation model.
2. To protect enterprise and personal data, they need to be identified and classified (PCI-DSS/data protection law).
3. Threat intelligence sharing means: a) technical interfaces but also b) sharing of social engineering practices with industry alignment.
4. Threat intel sharing means all (or at least a core group) have to contribute to enrich.
5. The adaptation of global feeds needs to be done just once and then shared among all.
6. The main challenge remains to apply threat intelligence to the specific enterprise, to analyse root causes and improve continuously.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers AG, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. 2016. All rights reserved. In this document, refers to PricewaterhouseCoopers AG, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.