Building a Cyber Security Operations Center



Similar documents
Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

Update On Smart Grid Cyber Security

The Comprehensive National Cybersecurity Initiative

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Cyber Security Operations Center (CSOC) for Critical Infrastructure Protection

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

Obtaining Enterprise Cybersituational

Mike Smart Cyber Strategist & Enterprise Security Solutions, EMEA. Cyber: The Catalyst to Transform the Security Program

National Security & Homeland Security Councils Review of National Cyber Security Policy. Submission of the Business Software Alliance March 19, 2009

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity;

Working with the FBI

Actions and Recommendations (A/R) Summary

Testimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology

Q1 Labs Corporate Overview

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

FIVE PRACTICAL STEPS

Advanced Threat Protection with Dell SecureWorks Security Services

Thomas J. Schlagel Chief Information Officer, BNL

Cybersecurity Enhancement Account. FY 2017 President s Budget

Report on CAP Cybersecurity November 5, 2015

SCAC Annual Conference. Cybersecurity Demystified

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Building Blocks of a Cyber Resilience Program. Monika Josi monika.josi@safis.ch

Cyber Security Risks for Banking Institutions.

A Cyber Security Integrator s perspective and approach

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

REVOLUTIONIZING ADVANCED THREAT PROTECTION

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

EnCase Endpoint Security Product Overview

i Network, Inc Technology Solutions, Products & Services Providing the right information, to the right customer, at the right time.

What is Security Intelligence?

Protecting against cyber threats and security breaches

Cyber Incident Response

Defending Against Data Beaches: Internal Controls for Cybersecurity

North American Electric Reliability Corporation (NERC) Cyber Security Standard

2015 Michigan NASCIO Award Nomination. Cyber Security Initiatives: Michigan Cyber Disruption Response Strategy

We Prevent Breaches (and surprises) Intelligent Prevention

RETHINKING ORC: NRF S CYBER SECURITY EFFORTS. OMG Cross Domain Threat & Risk Information Exchange Day, March 23, 2015

U.S. Office of Personnel Management. Actions to Strengthen Cybersecurity and Protect Critical IT Systems

McAfee Security Architectures for the Public Sector

CGI Cyber Risk Advisory and Management Services for Insurers

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Insurance: How to Investigate the Right Coverage for Your Company

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

Into the cybersecurity breach

Professional Services Overview

(U) Appendix D: Evaluation of the Comprehensive National Cybersecurity Initiative

CYBER SECURITY INFORMATION SHARING & COLLABORATION

NIST Cybersecurity Framework & A Tale of Two Criticalities

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015

Persistence Mechanisms as Indicators of Compromise

CYBERSECURITY EXAMINATION SWEEP SUMMARY

Top 5 Global Bank Selects Resolution1 for Cyber Incident Response.

Personal Security Practices of the CAO

How To Protect Your Network From Attack From A Network Security Threat

DoD Strategy for Defending Networks, Systems, and Data

A MULTIFACETED CYBERSECURITY APPROACH TO SAFEGUARD YOUR OPERATIONS

Adopting a Cybersecurity Framework for Governance and Risk Management

High End Information Security Services

Manned Information Security

Spyders Managed Security Services

The Emergence of Security Business Intelligence: Risk

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

White Paper: Leveraging Web Intelligence to Enhance Cyber Security

Post-Access Cyber Defense

Department of Homeland Security Federal Government Offerings, Products, and Services

GEARS Cyber-Security Services

Ecom Infotech. Page 1 of 6

Cyber Watch. Written by Peter Buxbaum

SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

Enterprise Security Tactical Plan

Symantec Cyber Security Services: DeepSight Intelligence

Application Security 101. A primer on Application Security best practices

OCIE Technology Controls Program

ORGANIZADOR: APOIANTE PRINCIPAL:

Microsoft s cybersecurity commitment

L evoluzione del Security Operation Center tra Threat Detection e Incident Response & Management

Technology Infrastructure Services

Managing the Unpredictable Human Element of Cybersecurity

FFIEC Cybersecurity Assessment Tool

WHITE PAPER. Attack the Attacker HOW A MANAGED SECURITY SERVICE IMPROVES EFFICIENCY AND SAVES COST

How To Buy Nitro Security

Overcoming Five Critical Cybersecurity Gaps

The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Transcription:

Building a Cyber Security Operations Center Kevin Charest, Chief Information Security Officer, U.S. Department of Health and Human Services Allison Miller, Senior Director of InfoSec Response Team, UnitedHealth Group Damir Matanic, Senior Manager, Information Security Threat Response, Blue Cross and Blue Shield of IL, TX, NM, OK, MT Tom Baltis, Deputy Chief Information Security Officer, Blue Cross and Blue Shield of IL, TX, NM, OK, MT HITRUST Health Information Trust Alliance

Advancing Agency Security Operations Kevin Charest Ph.D., HHS CISO April 2014

Advancing Agency Security Operations Overview Security Operations Considerations Security Ops Components Advancement through Optimization CSO In Motion Recommendations Advancing Agency Security Operations 5/13/14 Page 63

Security Operation Considerations Technical Capabilities IT Operations Security Engineering Business Resources Internal Obstacles Internal Support Contracting Budget Advancing Agency Security Operations 5/13/14 Page 64

Security Operation Components Traditional SOC/CSIRC Components: Security Monitoring Intrusion Detection/Prevention Systems Anti-Virus Data Loss Prevention Vulnerabilities Incident Tracking Vulnerability Management Vulnerability Mitigation Incident Management Communications and Reporting Event and incident investigations Incident Handling Incident Analysis Incident Response Vulnerability Handling Vulnerability Analysis Vulnerability Response Forensics Analysis Evidence Handling Evidence Analysis Penetration Testing Components are Agency specific. 5/13/14 Advancing Agency Security Operations Page 65

FOC and Optimization Goal: Advancement through Optimization In an effort to optimize operations, we conducted a gap analysis to develop recommendations. Where Strategy and Tactics Converge. This approach promotes: Risk based decision making. Prioritizes and resolves security deficiencies. Creates a security foundation with measureable security improvement. We wanted Strategic and Tactical Recommendations to drive momentum. Optimization is an Enduring Process Operational Reports Operational Data Security Capabilities Security Foundation Strategic Decisions Tactical Short-term & long-term Advancing Agency Security Operations 5/13/14 Page 66

HHS Cybersecurity Operations Momentum Develop plan and focus intensity. Identify issues: service goals, objectives, resources. 1 2 Immediate Issues Strategic Recommendations Prioritize top 3-5 issues and develop a timeline for each. Clearly articulate the achievements to the program. 3 4 Strategic Recommendation Benefits Tactical Recommendations Define tasks with descriptions that need immediate execution. CSO realigned their capabilities to services. 5 Service Recommendations 6 Recommendations Project Plan Develop project plan and ensure team buy-in. Capture how the recommendations will enhance the program. 7 Program Enhancements Advancing Agency Security Operations 5/13/14 Page 67

HHS Cybersecurity Operations In Motion Data Sources Processes Real-time Monitoring OpDiv Reporting and Information Sharing HHS IOCs Mercury HSIN Closed Research Partner Agencies Open Research Monitoring Correlation Encrypt tool feed files Two man rule De-duplicate and whitelisting Department-wide Cyber IR process Taxonomy code mapping Incident Reporting (internal/external) Incident Handling process Automated push of new feed files Scripts normalize data Advancing Agency Security Operations 5/13/14 Page 68

HHS Cybersecurity Operations In Motion Delivering Value Automation of threat feeds improves our detection of nefarious activity and reduces our turn around time on notifying the OpDiv IRTs. Routine review of capabilities and processes drives efficiencies into normal operations that enhances our support to our customers. Conduct anomaly and threat research and investigations to detect OpDiv or Department-wide targeted threats. Maintain up to date on nation state and transnational cyber actor Tactics, Techniques, and Procedures (TTPs) used for awareness and feed into our Department-wide tool(s). Many of CSIRCs goals and objectives align with the Comprehensive National Cybersecurity Initiative s (CNCI) established in the National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/ HSPD-23). Senior Management Reporting Management and IRT Reporting Advancing Agency Security Operations 5/13/14 Page 69

HHS Cybersecurity Operations Recommendations Recommendations to create optimal security postures Conduct an analysis of your program at least once a year. Develop Department-wide Incident Response documentation. Develop Security Operations Information Sharing relationships with other Organizations. Fuse traditional intelligence information with security monitoring and reporting information. Strive to find technical efficiencies through the use of new technologies. Advancing Agency Security Operations 5/13/14 Page 70

Questions Kevin Charest Ph.D., CISSP, PMP Chief Information Security Officer U.S. Department of Health and Human Services Email: Kevin.Charest@hhs.gov Driving secure solutions through innovation and sustainable business practices 5/13/14 Advancing Agency Security Operations Page 71

Cyber Threat Management Capabilities Overview and Key Lessons Learned HITRUST 2014 Health Cyber Security Summit Damir Matanic, Senior Manager, Information Security Threat Response Tom Baltis, Deputy Chief Information Security Officer Blue Cross and Blue Shield of Illinois, Blue Cross and Blue Shield of Montana, Blue Cross and Blue Shield of New Mexico, Blue Cross and Blue Shield of Oklahoma, and Blue Cross and Blue Shield of Texas, divisions of Health Care Service Corporation, a Mutual Legal Reserve Company, and Independent Licensee of the Blue Cross and Blue Shield Association

Our Enterprise Our Customers Fourth largest US payer, serving nearly 14 Million members with $55B in annual revenue Our Accolades Gartner Security Innovation Award, CSO40 Award, Information Week 500 Our Strategy Balanced market presence with group, retail, and government focus Our Presence 60 office locations worldwide Our People More than 24,000 employees and contractors Our IT Environment Over 400 custom, COTS, cloud-based, mobile, and SOA-based business applications 73

Our Cyber Threat Management Program 74 24/7 enterprise coverage Close integration with Physical Security, Legal, and Compliance departments Nine dedicated fulltime resources 24/7 on-site monitoring Avg. raw security events per year: 52,000,000,000 Avg. correlated events per year: 36,000 Uses internal and external sources of IOC data (e.g. FS-ISAC) Incorporates 0-day vulnerabilities from internal risk assessments and vendor notifications Incident Response Dynamic Tuning Forensic Analysis Security Event Analysis Security Intel Redundant, dedicated labs with isolated networks Mobile device forensic capabilities State of the art tools: Encase Enterprise, AccessData FTk, Cellebrite, FRED SC Proof of concept implementation to measure business value Leverages industry and crossindustry relationships, and proprietary sources and methods

75 Lessons Learned Design the incident investigation process to decompose the entire kill chain of an incident, enabling a comprehensive set of recommendations to address vulnerabilities and control gaps that have contributed to each incident phase. Develop specific response methodologies for each type of threat scenario. This allows for a plug and play response that is more agile than a single, all encompassing methodology. Perform live Red Team tests of cyber threat management capabilities in addition to paper-based simulations. Tabletop exercises are insufficient to accurately evaluate the effectiveness of your capabilities. Quick Tips: Staffing Strategy The most effective cyber threat management organizations are staffed with dedicated teams of professionals possessing deep skills in incident response, digital forensics, executive communications and relationship building. In order to identify and select these resources, implement a rigorous, multidisciplinary interview process, and weigh work experience more heavily than certifications.

Lessons Learned Continued Where appropriate, deviate from conventionally held IT best practices to ensure availability of tools and preserve integrity of investigations. For example, integrating evidence collection tools with enterprise technology solutions may put evidence at risk of tampering. Partner with other cyber security teams to take advantage of their specialized knowledge and economies of scale. For example, leverage resources from the risk analysis and vulnerability research teams to reverse engineer malware. Share cyber threat knowledge within and across industries, and collaborate with your peers. The evolving threat landscape has created an environment where a single organization is no longer able to effectively manage many cyber threats. 76 Quick Tips: Relationships Don t underestimate the power of relationships in your investigations. At least 50% of your information will come from people who know and trust you. Incorporate data feeds from HR, Compliance, the helpdesk and other organizations into your threat intelligence and investigation capabilities.

Questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information