Developing a Mature Security Operations Center

Introduction

Cybersecurity in the federal government is at a crossroads. Each month, there are more than 1.8 billion attacks on federal agency networks, and that number is on the rise.[1] From corporate espionage to attacks by foreign governments and cyber criminals, the threat environment is greater than ever. At the same time, federal systems are becoming more embedded in the mission, making any downtime or disruption a critical event.

For every agency, the first line of defense is its Security Operations Center (SOC). Today, many government SOCs focus on reactive security: responding to incidents as they occur, diagnosing attacks and plugging leaks. This vital function must persist, but it represents only the first of the three stages of a modern SOC's maturity. This white paper addresses each of these stages, discussing the latest best practices in the operation of SOCs, from incident response to predictive and intelligence capabilities. Additionally, the paper underscores the growing importance of SOCs in the enterprise, showcasing their emerging role as a clearinghouse for all security-related information.

[1] Erika Lovley, "Cyber attacks explode in Congress," Politico, March 5, 2013.

Incident Response and Recovery

In just one recent two-year span, the Pentagon's Cyber Crime Center reported more than 100 instances of hackers actively infiltrating networks at government agencies and military contractors.[2] Agencies can no longer assume that their networks are secure. A formalized plan for detecting, responding to and recovering from cyber incidents is paramount in today's threat environment. That is why incident response and recovery has become the foundation of every SOC's security playbook. To respond effectively to security incidents, agencies must dedicate significant time to planning and resource allocation.

Because cyber incidents tend to follow the same lifecycle pattern, SOCs should take a lifecycle approach to building their incident response processes, depicted in Figure 1 below. The distinct phases of the lifecycle build upon one another. For example, in the planning stage, the SOC should develop a common vocabulary that will enable all stakeholders to categorize an attack appropriately. Mapping categories to responses will speed the next steps down the line, such as containment and remediation.

Communication plays a key role in the incident lifecycle. SOCs are central to coordinating information during an incident, from providing stakeholder outreach to securing law enforcement cooperation. Common factors to consider should include:
- What are our plans for failover to backup systems?
- How do we ensure continued operations during incident recovery?
- How do we collect and store information during an event for later use in developing post-incident lessons learned?

In addition to restoring any service disruptions, recovery operations should also focus on determining what changes need to be made to prevent future attacks. This may include establishing more restrictive settings in network infrastructure appliances, more detailed logging on compromised systems, or improved detection capabilities. Agencies should prepare for repeated attacks on the same system, or similar attacks launched against adjacent systems in the same or similar networks.

Once these practices are established, agencies should exercise incident response and recovery through real-world events and simulated attacks at least semi-annually. One leader in this area is the DoD, which since 2011 has included cyber attacks in its war games and military exercises.

[2] Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat, January 2013.

Figure 1: SOC Lifecycle Approach to Incident Response

KCG Experience (sidebar)
- Over 12 years of corporate experience executing cyber security programs
- Executed over 600 security assessments across Federal agencies and commercial companies
- Recognized experts and frequent thought leaders speaking at conferences such as OWASP AppSec USA 2011, ISC2 Security Congress, DHS Software Assurance Forum, and many more
- Responsible for implementing a major DHS component's first Computer Security Incident Response Team and Focused Operations capability, including establishment of reporting procedures with DHS US-CERT, reverse engineering, and malware analysis support
- Trusted advisor to CISOs throughout the commercial sector and federal agencies in implementing and maturing cyber programs
- One of only 9 companies to receive initial Third Party Assessment Organization (3PAO) designation for providing security assessment services to private sector cloud providers

Cyber Intelligence and Predictive Capabilities

Federal networks face threats from foreign intelligence agencies, criminal organizations, hackers and cyber activists. With so many attack vectors, a reactive posture is no longer adequate. Instead, SOCs must transition to a proactive risk management approach. By integrating continuous monitoring into their security toolkit and using cyber intelligence capabilities, SOCs can stay ahead of threats and address incidents before they become breaches. To do this, SOCs must be able to connect the dots, aggregating threat intelligence, vulnerability data and risk correlation information to build a holistic picture of the cyber environment. Agencies should leverage information from both classified and unclassified sources to pinpoint threat indicators. These might include attacks directed at different parts of their own agency, or against another federal department or economic sector.

For example, both Apple and Facebook recently had their networks compromised by a sophisticated attack that directed employees to an infected developer website.[3] A proactive SOC would consider this attack vector and review policies to prevent a similar incident within its network. Measures might include adding infected websites to the agency's black-list, reducing administrative privileges, and communicating details of the threat to agency leadership. SOCs might also send a memo to potentially vulnerable stakeholders and employees, asking for greater vigilance and reiterating best practices to prevent a breach.

[3] Nicole Perlroth, "Apple Computers Hit by Sophisticated Cyber Attack," The New York Times, Feb. 19, 2013.
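The two ideas above, a shared vocabulary that maps incident categories to response steps, and threat indicators (such as a known infected developer website) correlated against what the agency's own sensors record, fit together in one small pipeline. The following is an added example written for this page, not code from the white paper or from KCG: the indicator feed, category names, playbook steps and proxy log lines are all constructed sample data, and the parent-domain matching rule is an assumption of this example rather than something the paper prescribes.

```python
"""Correlate threat-intelligence indicators against proxy logs, label each hit
with a category from the SOC's common vocabulary, and attach the response
playbook for that category. Added illustration with constructed data."""

from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed intel feed: indicator domain -> category (hypothetical labels).
INDICATORS = {
    "dev-forum.example": "watering-hole",       # infected developer site, as in the Apple/Facebook case
    "updates-cdn.example": "malware-delivery",
    "login-portal.example": "credential-phishing",
}

# Category -> ordered response steps, containment before remediation.
PLAYBOOKS = {
    "watering-hole": ["block domain at proxy", "isolate host", "image host for forensics", "notify stakeholders"],
    "malware-delivery": ["block domain at proxy", "isolate host", "pull endpoint AV logs"],
    "credential-phishing": ["block domain at proxy", "force password reset", "review auth logs for reuse"],
}

# Constructed proxy log: timestamp user src_ip method url status (one malformed line on purpose).
PROXY_LOG = """\
2013-02-19T09:12:01Z alice 10.0.1.15 GET http://dev-forum.example/plugins/java.jar 200
2013-02-19T09:12:05Z alice 10.0.1.15 GET http://intranet.example/home 200
2013-02-19T09:40:22Z bob 10.0.1.22 GET https://login-portal.example/sso 200
2013-02-19T10:02:10Z carol 10.0.1.30 GET http://updates-cdn.example/x.exe 200
2013-02-19T10:05:44Z carol 10.0.1.30 GET http://dev-forum.example/ 200
2013-02-19T10:06:01Z dave 10.0.1.41 GET http://news.example/ 200
malformed line here
"""


@dataclass
class Hit:
    timestamp: str
    user: str
    src_ip: str
    host: str
    category: str
    actions: list = field(default_factory=list)


def parse_line(line):
    """Return (timestamp, user, src_ip, host), or None if the line does not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, src_ip, _method, url, _status = parts
    host = urlsplit(url).hostname
    if not host:
        return None
    return ts, user, src_ip, host.lower()


def indicator_for(host):
    """Exact or parent-domain match, so sub.dev-forum.example is caught too.
    The bare top label (e.g. 'example') is never treated as an indicator."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate
    return None


def correlate(log_text, indicators=INDICATORS, playbooks=PLAYBOOKS):
    """Walk the log, skip malformed lines, and emit a Hit for each indicator match."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, src_ip, host = parsed
        indicator = indicator_for(host)
        if indicator is None:
            continue
        category = indicators[indicator]
        steps = list(playbooks.get(category, ["escalate: no playbook for category"]))
        hits.append(Hit(ts, user, src_ip, host, category, steps))
    return hits


def summarize(hits):
    """Counts per category and the set of affected hosts, the shape a dashboard would consume."""
    return {
        "by_category": dict(Counter(h.category for h in hits)),
        "affected_hosts": sorted({h.src_ip for h in hits}),
    }


if __name__ == "__main__":
    found = correlate(PROXY_LOG)
    for h in found:
        print(h.timestamp, h.user, h.src_ip, h.host, h.category, "->", h.actions[0])
    print(summarize(found))
```

The playbook lookup is what turns the "common vocabulary" into speed: an analyst triaging the alice hit does not decide what containment means for a watering-hole case, the category already carries the ordered steps. The summary dictionary is deliberately small and serialisable so it can feed the dashboard discussed later in the paper.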

SOCs as the Operational Security Clearinghouse

Figure 2: SOC as a Security Clearinghouse

As SOCs mature, they must become each agency's security clearinghouse, the place decision-makers turn to as the authoritative source for all security data. The model isn't unprecedented in cybersecurity. Since 2005, the National Institute of Standards and Technology has maintained the National Vulnerability Database (NVD), serving as the authoritative source for publicly known vulnerabilities. In effect, SOCs need to serve the same function as the NVD within their own agency.

In this model, SOCs gather security intelligence and feed it back to the rest of the enterprise through a security dashboard. The use of dashboards increases accessibility and improves the decision-making process, particularly in times of crisis. Moreover, as the owner of all security-related data, SOCs are positioned to draw on the full spectrum of cyber information in assessing and predicting future events. This continuous feedback loop enriches defensive strategies and strengthens an agency's cyber readiness.

Conclusion

Today, U.S. intelligence leaders designate cyber attack as the number one threat facing the country, ahead of the risks posed by terrorism and rogue nations. Defending against this persistent but amorphous threat will not be easy. As adversaries employ increasingly sophisticated tactics, agencies across the government will need to adapt their processes and internal procedures. SOCs remain one of the most potent weapons in this fight, but their role must evolve. Agencies should expand the scope of their SOC's mission from reactive security to proactive intelligence. Agencies should also elevate SOCs to serve as the central clearinghouse for security information. By establishing sound processes at every level and arming decision-makers with the information they need, agencies will be better equipped to meet the next cyber challenge.
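The clearinghouse section argues that a SOC which owns vulnerability data, incident records and intelligence hits can correlate them into one picture for decision-makers. The following added example, written for this page and not taken from the white paper or from KCG, shows the correlation step behind such a dashboard: three constructed feeds are merged per asset and ranked. The vulnerability identifiers are placeholders, and the weights and phase names are assumptions of this example, not a published scoring scheme.

```python
"""Merge vulnerability-scan results, open incidents and threat-intel hits into
a per-asset priority view for a SOC dashboard. Added illustration; all records
are constructed and the scoring weights are hypothetical."""

from dataclasses import dataclass, field

# Constructed scan export: asset, placeholder vuln id, CVSS base score, public exploit available?
VULNS = [
    ("web-01", "CVE-XXXX-0001", 9.8, True),
    ("web-01", "CVE-XXXX-0002", 5.3, False),
    ("db-01", "CVE-XXXX-0003", 7.5, False),
    ("ws-15", "CVE-XXXX-0004", 6.1, True),
]

# Constructed incident records: asset, current lifecycle phase.
INCIDENTS = [("ws-15", "containment"), ("db-01", "recovered")]

# Constructed intel hits (e.g. proxy traffic to a known watering-hole domain): asset, category.
INTEL_HITS = [("ws-15", "watering-hole"), ("web-01", "scanning")]

# Hypothetical weights: an active incident or observed hostile activity outweighs
# a high CVSS score sitting on an otherwise quiet host.
WEIGHTS = {"open_incident": 40, "intel_hit": 25, "public_exploit": 15}
OPEN_PHASES = {"detected", "analysis", "containment", "eradication"}


@dataclass
class AssetView:
    asset: str
    max_cvss: float = 0.0
    vuln_count: int = 0
    public_exploit: bool = False
    open_incident: bool = False
    intel_categories: list = field(default_factory=list)

    def score(self):
        """CVSS (0-10) scaled to 0-40 so it is comparable with the flag weights."""
        s = self.max_cvss * 4
        if self.public_exploit:
            s += WEIGHTS["public_exploit"]
        if self.open_incident:
            s += WEIGHTS["open_incident"]
        if self.intel_categories:
            s += WEIGHTS["intel_hit"]
        return round(s, 1)


def build_views(vulns=VULNS, incidents=INCIDENTS, intel_hits=INTEL_HITS):
    """Fold the three feeds into one AssetView per asset."""
    views = {}

    def view(asset):
        return views.setdefault(asset, AssetView(asset))

    for asset, _vuln_id, cvss, exploit_public in vulns:
        v = view(asset)
        v.vuln_count += 1
        v.max_cvss = max(v.max_cvss, cvss)
        v.public_exploit = v.public_exploit or exploit_public
    for asset, phase in incidents:
        if phase in OPEN_PHASES:          # a recovered incident no longer raises priority
            view(asset).open_incident = True
    for asset, category in intel_hits:
        view(asset).intel_categories.append(category)
    return views


def dashboard(views):
    """Ranked rows, highest priority first; ties broken by asset name for stable output."""
    rows = [
        (v.asset, v.score(), v.vuln_count, v.open_incident, sorted(v.intel_categories))
        for v in views.values()
    ]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for row in dashboard(build_views()):
        print(row)
```

The point the ranking makes is the one the paper makes in prose: web-01 carries the highest CVSS score, yet ws-15 ranks first because the incident record and the intel hit, data only the SOC holds in one place, change the picture. Swapping the weights for an agency's own risk model is a one-line change.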
KCG Overview

Headquartered in Northern Virginia, Knowledge Consulting Group (KCG) is an award-winning information assurance services firm with expertise in providing cybersecurity services support. KCG's role is often that of an independent trusted advisor to our client base. Organizations within the Department of Homeland Security (DHS), the Department of Justice (DOJ), the Department of Defense (DoD), the Intelligence Community (IC) and the commercial sector utilize KCG as an independent advisor providing cybersecurity support services. Our experience includes Security Operations, Incident Management, Focused Operations, Compliance, Risk Assessment, Independent Verification and Validation, Security Testing and Evaluation, Penetration Testing and Security Governance support services.

KCG is composed of over 250 professionally certified IT security engineers. Approximately 95 percent of KCG's engineers hold cybersecurity professional certifications in areas including but not limited to CISSP, CISM, CISA, CGEIT, SANS GIAC Certified Incident Handler, GIAC Certified Penetration Tester, Certified Ethical Hacker, EnCase Certified Examiner and ArcSight Certified Security Analyst. Over 94 percent of KCG's security engineers hold active clearances, and 80% are cleared at the Top Secret level or higher. Our Project Management infrastructure includes recruiting, finance, contract management, human resources and security processing. Our experience includes over 2,500 deliverables developed on time and within budget, meeting or exceeding all client expectations. Our success is a direct result of our proactive approach to service delivery and project management.

Cybersecurity as a Core Capability

KCG is focused purely on cybersecurity as its core capability. With cybersecurity contracts at over 20 agencies and commercial customers, KCG has proven expert capabilities in successfully delivering information security solutions across the full spectrum of cybersecurity, including compliance, operations, governance and risk management. Leveraging 12 years of corporate experience, KCG developed a Chief Information Security Officer (CISO) Framework that provides a formalized approach to developing and evolving security programs in today's changing threat and regulatory environment. KCG takes advantage of our experience and methodologies to meet service demands, as well as to contribute innovation and best practices. The diagram represents our CISO Framework and the core capabilities and service offerings we bring to bear to secure and protect your enterprise.

KCG's capability of delivering high levels of information security support is validated by our notable accomplishments, which include the following:
- One of the nine initial FedRAMP accredited Third Party Assessment Organizations (3PAOs) for accrediting cloud service providers (CSPs) under the GSA FedRAMP program;
- Implementing a NIST-based Risk Management program for the world's largest security company;
- Implementing continuous monitoring services throughout the federal government in line with evolving legislative and regulatory requirements;
- Serving as a trusted advisor providing management consulting expertise in cybersecurity to CISOs throughout the federal government and commercial sector; and
- Serving as a trusted team partner for major SOCs including JSOC, FBI ESOC, ICE SOC, and as independent oversight authority for TSA SOC.

KCG also maintains a direct approach to Focused Operations and Penetration Testing/Analysis. KCG's Cyber Attack & Penetration (CAPD) Division delivers specialized expertise to high-end security assessments, penetration testing, application security and forensics. This division harnesses the collective capabilities across KCG in supporting both federal agencies and Fortune 500 companies such as General Electric, Lockheed-Martin, Booz Allen Hamilton and many more. KCG's CAPD solutions professionals are renowned experts with pedigrees from boutique companies such as @stake (authors of L0phtcrack), Neohapsis and Symantec. KCG was recently selected as the premier provider of penetration testing services supporting the Rapid7 and Metasploit team's professional services to its customers. In addition, KCG has formed partnerships with top tier application security providers such as Veracode, providing static and dynamic source code and binary analysis.

Contact

For more information about developing a mature SOC, and how KCG can help your organization, contact:
Paul Nguyen, CISSP, CISA, CGEIT
Vice President, Cyber Solutions
pnguyen@knowledgecg.com
Tel 703-467-2000 x108
Fax 703-547-0322

KCG maintains a resolute commitment to the success of each of our clients. We accomplish that through the use of disciplined project management methodologies, highly skilled professional resources, proven assessment methodologies, and transparent visibility into the status of the work being done. With our core capability in the delivery of exceptional security services, our clients benefit from ISO Certification linked to our assessment methodologies, highly skilled resources that have executed over 600 assessments, and our relationship-based customer support model.