Building, Maturing & Rocking a Security Operations Center

Similar documents
Intelligence Driven Security

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

The Five W's of SOC Operations. Kevin

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Planning, Deploying, and Managing an Enterprise Project Management Solution

ITIL: Service Operation

Best Practices to Improve Breach Readiness

Logging In: Auditing Cybersecurity in an Unsecure World

Changing the Enterprise Security Landscape

The Modern Service Desk: How Advanced Integration, Process Automation, and ITIL Support Enable ITSM Solutions That Deliver Business Confidence

SIEM Implementation Approach Discussion. April 2012

HP Service Manager software

Italy. EY s Global Information Security Survey 2013

Caretower s SIEM Managed Security Services

How To Create Situational Awareness

Organizational Issues of Implementing Intrusion Detection Systems (IDS) Shayne Pitcock, CISSP First Data Corporation

BOARD OF GOVERNORS MEETING JUNE 25, 2014

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

Access Rights Management. Only much Smarter.

After the Attack: RSA's Security Operations Transformed

Decision Maker's Guide - Evaluation Checklist for ITSM Solutions High Level Requirements

The fast track to top skills and top jobs in cyber. Guaranteed.

Risk Analytics for Cyber Security

IBM Security Strategy

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Cybersecurity Awareness for Executives

Cyber Security Operations: Building or Outsourcing

HP and netforensics Security Information Management solutions. Business blueprint

Anatomy of a Breach: A case study in how to protect your organization. Presented By Greg Sparrow

High End Information Security Services

Hewlett Packard Enterprise connects with SharePoint Driving communication and collaboration helps HPE maximize the value of employees

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

Best Practices for Building a Security Operations Center

PNMsoft Sequence Ticketing Solution (PSTS)

The SIEM Evaluator s Guide

Developing a Successful Security Awareness Training Program. Shea Garber, Sr. Account Executive Wombat Security Technologies, Inc.

Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

ALERT LOGIC FOR HIPAA COMPLIANCE

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Corporate Security Intelligence Services

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Health Data Analytics (HDA) Build the organizational capabilities to create value from HDA

Don t let your SIeM become your Nightmare!

How to Define SIEM Strategy, Management and Success in the Enterprise

MassMutual Cyber Security. University of Massachusetts Internship Opportunities Within Enterprise Information Risk Management

Securing your IT infrastructure with SOC/NOC collaboration

Customer Profile. The client was concerned that time-consuming systems upkeep would hamper the goals of both IT and the organization itself.

Defending against modern cyber threats

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles

What is SharePoint Adoption? How did we get here? Defining the Enterprise Application. Building the Foundation. Maximizing Technology

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Practical Threat Intelligence. with Bromium LAVA

Leveraging Regulatory Compliance to Improve Cyber Security

August Investigating an Insider Threat. A Sensage TechNote highlighting the essential workflow involved in a potential insider breach

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

North American Electric Reliability Corporation (NERC) Cyber Security Standard

IBM Security Operations Center Poland! Wrocław! Daniel Donhefner SOC Manager!

Case Study Meru Networks

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Der Weg, wie die Verantwortung getragen werden kann!

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Metrics that Matter Security Risk Analytics

Module 1: Overview. Module 2: AlienVault USM Solution Deployment. Module 3: AlienVault USM Basic Configuration

ADDENDUM 4 TO APPENDIX 3 TO SCHEDULE 3.3

Creating Service Desk Metrics

Implementing ITIL with Kaseya Tools

Incident Response. Six Best Practices for Managing Cyber Breaches.

How To Manage A Project Management Information System In Sharepoint

Continuous Network Monitoring

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

IBM Security Intelligence Strategy

Business Case Outsourcing Information Security: The Benefits of a Managed Security Service

F G F O A A N N U A L C O N F E R E N C E

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

Report on CAP Cybersecurity November 5, 2015

Oracle Business Intelligence EE. Prab h akar A lu ri

MANAGED SERVICES PROVIDER. Dynamic Solutions. Superior Results.

Advanced Cyber Threats Demand a New Privileged Account Security Model Date: June 2013 Author: Jon Oltsik, Senior Principal Analyst

Accenture Cyber Security Transformation. October 2015

PCI DSS Reporting WHITEPAPER

White Paper. PCI Guidance: Microsoft Windows Logging

SANS Top 20 Critical Controls for Effective Cyber Defense

Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid clouds.

Appendix A-2 Generic Job Titles for respective categories

Become a hunter: fi nding the true value of SIEM.

Payment Card Industry Data Security Standard

Strategic Identity Management for Industrial Control Systems

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Vulnerability Management

Vistara Lifecycle Management

Threat Intelligence Platforms: The New Essential Enterprise Software

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

Transcription:

Building, Maturing & Rocking a Security Operations Center Brandie Anderson Sr. Manager, Global Cyber Security Threat & Vulnerability Management Hewlett-Packard

Agenda To be or Not to be What is a SOC? Use Case Creation People Process & Procedure Documentation Workflow Metrics I don t want to grow up Rocking a SOC Questions 2

To be or Not to be Building a SOC is a business decision Organization size Compliance factors Reduce the impact of an incident ROI Proactive reaction 3

Through people, processes and technology, a SOC is dedicated to detection, investigation, and response of log events triggered through security related correlation logic What is a SOC? 4

ArcSight Correlation 5

91% of Targeted Attacks Start with Spear-phishing Email Use Case Creation Large-Scale Water Holing Attack Campaigns Hitting Key Targets Microsoft's Patch Tuesday Leaves Out Crucial Internet Explorer Fix Adobe Data Breach Exposes Military Passwords 6

People 7

Roles and Responsibilities Level-1 and Level-2 Analysts Operations Lead Incident Handler SEIM Engineer Content Developer SOC Manager Security Device Engineers System Administrators Network Administrators Physical Security Staffing Models Establishing coverage Determining the right number of resources 8x5 = Min 2 Analyst w/ on-call 12x5/7 = Min 4-5 Analysts w/on-call 24x7 = Min 10-12 Analysts Finding the right skills Ensuring on-shift mentoring Continuous improvement Resource Planning 8

Training Information security basics On-the-job training SEIM training SANS GCIA and GCIH Career development Avoiding burnout Providing challenges Outlining career progression Exactly how do I get from level 1 to level 2 to lead, etc Skill assessments Certifications 9

Operational Analytical Business & Technology Process & Procedure Call Out Case Management Event Handling Monitoring On-boarding Shift Log Shift Turn Over Triage Event Analysis Incident Response Reporting Research Threat Intelligence Access Management Architecture Compliance DR/BCP Process Improvement Use Cases 10

Documentation Repository Choices Pro Pro Microsoft SharePoint Approved by Policy Already deployed, supported both internal & by Microsoft Integrates with Active Directory & MS Office Allows for Calendars, Task Assignment, Notifications, Document Revision Tracking Wiki Con Open Source Editor utilizes Markup Language (HTML-like) Easy to Search Malleable Revision Control Plugins allow extensive customization Con Complicated to use Typically hard to find information (search) Not very flexible No real revision File Shares control Pro Everyone has MS Office Open Source Not Vendor supported Con Everyone knows how to use a file share Does not require specific technology knowledge Cluttered Overlap of information Nearly impossible to search for information Requires someone in charge of upkeep No revision control 11

12

Rule Fires Queued Event Incident Level 1 Triage Level 2 Workflows Case SOC Level 1 Triage Investigating Level 2 Investigating Departmental Organizational Engineering Filter/Tuning Close Events Closed Incident Response or Ticket 13

Metrics How many events are coming in? Raw Events How many data endpoints are collected / monitored How may different types of data How many use cases What is coming out? Correlated Events Incidents / Cases How quickly are things handled? Event recognition Event escalation Event resolution Further defined Per hour/day/week/month Per analyst Per hour of day/ per day of week Incident / case category / severity 14

Understand the 80/20 rule Leverage metrics Expand senior leader dashboard view Institute CMM methodology Monitor organizational health Increase complexity Maturing 15

According to the book Pragmatic Security Metrics Applying Metametrics to Information Security*, an information security version of the Capability Maturity Model (CMM) looks loosely like this: Level 1: Ad hoc: information security risks are handled on an entirely informational basis. Processes are undocumented and relatively unstable. Level 2: Repeatable but intuitive: there is an emerging appreciation of information security. Security processes are not formally documented, depending largely on employee s knowledge and experience. CMM Example Level 3: Defined process: information security activities are formalized throughout the organization using policies, procedures, and security awareness. Level 4: Managed and measurable: information security activities are standardized using policies, procedures, defined and assigned roles and responsibilities, etc., and metrics are introduced for routing security operations and management purposes. Level 5: Optimized: Metrics are used to drive systematic information security improvements, including strategic activities. *Brotby & Hinson, 2013 p. 47 CMM Capability Maturity Model is registered to Carnegie Mellon University 16

Recovery Lessons Learned Eradication Rocking It Preparation Identification Containment 17

Questions

Thank you!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information