Building a Security Operations Center
IBM Security Services
Engin Özbay, IBM Security, Turkey (enginoz@tr.ibm.com)
© 2015 IBM Corporation
Transcript of the slide deck (28 pages); posted 19-Dec-2015, upload: donald-simon.

Page 2: Security operations in a changing environment

Page 3: The current environment is putting new demands on security operations

Drivers:
• Social business: blurring "social" identities
• New business models, new technologies
• Cloud / virtualization
• Mobile collaboration / BYOD
• Large existing IT infrastructures with a globalized workforce, 3rd party services, and a growing customer base
• Velocity of threats
• Evolving regulations

Potential impacts: malware infection, loss of productivity, data leakage, data or device loss or theft, regulatory fines ($$$).

Page 4: Why do we build operational security controls & capabilities?

Reduce enterprise risk. Protect the business.

Move from reactive response to proactive mitigation.

Increase visibility over the environment.

Meet compliance/regulatory requirements.

Page 5: What is a Security Operations Center, or SOC?

A Security Operations Center is a highly skilled team following defined procedures and processes to manage threats and reduce security risk.

Security Operations Centers (SOC) are designed to:

– protect mission-critical data and assets

– prepare for and respond to cyber emergencies

– help provide continuity and efficient recovery

– fortify the business infrastructure

The SOC’s major responsibilities are:

– Monitor, Analyze, Correlate & Escalate Intrusion Events

– Develop Appropriate Responses; Protect, Detect, Respond

– Conduct Incident Management and Forensic Investigation

– Maintain Security Community Relationships

– Assist in Crisis Operations

Page 6: The SOC ...

Must demonstrate compliance with regulations

Protect intellectual property and ensure privacy properly

Manage security operations effectively and efficiently

Provide real-time insight into the current security posture of your organization

Provide security intelligence and the impact of threats on the organization

Enable your organization to know who did what, when - and prove it (evidence)

Security operations centers must be responsive to the evolving threats and provide management the information and control that it needs

But it’s not that simple...

Page 7: Designing and building a SOC requires a solid understanding of the business' needs and the resources that IT can deploy

Multiple stakeholders, processes and technologies to consider

An operational process framework

Physical space requirements and location

Personnel skills: Security analysts, shift leads, SOC managers

[Diagram: the People, Process and Technology components of a SOC]
People: in-house staff, partners, outsourced providers, customers
Process: threat analysis, compliance mgmt, SLA mgmt, risk assessment, change mgmt, vulnerability mgmt, identity & access, incident mgmt
Technology: log management, compliance reporting, event correlation, threat reporting, vulnerability scanners, identity & desktop mgmt, ticketing system, change tracking

Page 8: There is no app for that...

[Diagram: a console of ON/OFF toggles over capability areas (log integrity, firewall, IDPS, brand monitoring, device management, security monitoring, incident escalation, incident response, compliance management, correlation rules, security intelligence, policy management, application monitoring, DLP, identity & access), with dials for Functionality, People (in-house / co-deliver / outsource), Technology scope, Compliance & reporting, Escalations & notifications, and a "Client success" readout of "Undefined".]

... Don't be a FOOL and think you just need to buy a TOOL

Page 9: Building a Security Operations Center involves multiple domains

Domains: People, Process, Technology, Governance / Metrics

• Do you need 24x7x365 staff?
• What are the skills needed?
• Where do you get staff?
• What about training?
• How do you keep staff?
• Metrics to measure performance
• Capacity planning
• What does the plan look like?
• How do we measure progress and goals?
• What is the optimal design of core processes? (e.g. incident management, tuning, etc.)
• Process and continual improvement
• SIEM architecture & use cases
• Log types and logging options
• Platform integrations; ticketing governance, big data
• Web services to integrate them
• Technology should improve effectiveness and efficiency
• Dashboard visibility and oversight
• Policy, measurement and enforcement
• Integrated governance that balances daily operations with strategic planning
• Ministry objectives
• Informing stakeholders
• Informing employees

Page 10: SOC Models

Page 11: Legacy SOC vs. Optimized SOC

The changing requirements for enterprise security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of a SOC.

Mission & Strategy
  Charter:    Legacy: technology or service only            | Optimized: build a dedicated security operations capability
  Governance: Legacy: self governed (IT Security)           | Optimized: cross-functional (IT, Business, Audit, etc.)
  Strategy:   Legacy: budget based, 12 month planning cycle | Optimized: 3+ year cycle, priorities set by enterprise

Technology
  Tools:            Legacy: SIEM tool only                         | Optimized: SIEM, ticketing, portal/dashboard, Big Data
  Use Cases:        Legacy: standard rules, minimal customization  | Optimized: tailored rules based on risk & compliance drivers
  Referential Data: Legacy: minimal importance, secondary priority | Optimized: required data, used to prioritize work

Operations Management
  Measures:  Legacy: silos, ticket/technology driven | Optimized: cross-functional, efficiency, quality, KPI/SLO/SLA
  Reporting: Legacy: ticket/technology driven        | Optimized: metrics, analytics, scorecards & dashboards

Outcome: Legacy: detect & react to threats. Optimized: proactive, visible; anticipate threats, mitigate risks.
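The "tailored rules" and "referential data" rows above are the concrete difference between the two models: the same correlation rule hit means something different on a finance database than on a developer's test box, and only referential data lets the SOC rank it. The following is an added example, not code from the IBM deck: one tailored SIEM use case ("N failed logons followed by a success from the same source within a window") written in Python, with an asset-classification table as the referential data that sets the alert priority. The log line format, the host and user names, the thresholds and the classification values are assumptions constructed for the example.

```python
"""Added example (not from the IBM deck): one tailored SIEM correlation use case,
"brute force followed by success", prioritized by asset classification.
Log format, thresholds and asset classes are assumptions for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs). The key=value syslog style
# is assumed; a real deployment would read the SIEM's normalized events.
SAMPLE_LOGS = """\
2015-11-03T08:00:01 sshd host=fin-db01 user=svc_batch src=10.1.20.15 result=FAIL
2015-11-03T08:00:03 sshd host=fin-db01 user=svc_batch src=10.1.20.15 result=FAIL
2015-11-03T08:00:05 sshd host=fin-db01 user=svc_batch src=10.1.20.15 result=FAIL
2015-11-03T08:00:06 sshd host=fin-db01 user=svc_batch src=10.1.20.15 result=FAIL
2015-11-03T08:00:09 sshd host=fin-db01 user=svc_batch src=10.1.20.15 result=FAIL
2015-11-03T08:00:12 sshd host=fin-db01 user=svc_batch src=10.1.20.15 result=SUCCESS
2015-11-03T08:05:00 sshd host=dev-web07 user=alice src=10.9.9.9 result=FAIL
2015-11-03T08:05:01 sshd host=dev-web07 user=alice src=10.9.9.9 result=FAIL
2015-11-03T08:05:02 sshd host=dev-web07 user=alice src=10.9.9.9 result=SUCCESS
2015-11-03T08:40:00 sshd host=hr-app02 user=bob src=10.2.2.2 result=FAIL
2015-11-03T08:40:01 sshd host=hr-app02 user=bob src=10.2.2.2 result=FAIL
2015-11-03T08:40:02 sshd host=hr-app02 user=bob src=10.2.2.2 result=FAIL
2015-11-03T08:40:03 sshd host=hr-app02 user=bob src=10.2.2.2 result=FAIL
2015-11-03T08:40:04 sshd host=hr-app02 user=bob src=10.2.2.2 result=FAIL
2015-11-03T09:10:00 sshd host=hr-app02 user=bob src=10.2.2.2 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)

# Referential data (assumed): the asset classification drives the priority, so
# a hit on a finance database outranks the same hit on a dev web server.
ASSET_CLASSIFICATION = {"fin-db01": "critical", "hr-app02": "high", "dev-web07": "low"}
PRIORITY_BY_CLASS = {"critical": 1, "high": 2, "medium": 3, "low": 4}
DEFAULT_PRIORITY = 4  # unknown assets still alert, at the lowest priority


def parse_events(text):
    """Yield parsed events in arrival order; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        yield ev


def brute_force_then_success(text, threshold=5, window_minutes=10):
    """Alert when >= threshold failures for (src, user, host) are followed by a
    success, all inside window_minutes. Returns alerts sorted by priority."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)  # (src, user, host) -> failure timestamps
    alerts = []
    for ev in parse_events(text):
        key = (ev["src"], ev["user"], ev["host"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:
            asset_class = ASSET_CLASSIFICATION.get(ev["host"], "unknown")
            alerts.append({
                "rule": "brute_force_then_success",
                "host": ev["host"], "user": ev["user"], "src": ev["src"],
                "failures": len(q), "first_failure": q[0], "success": ev["ts"],
                "asset_class": asset_class,
                "priority": PRIORITY_BY_CLASS.get(asset_class, DEFAULT_PRIORITY),
            })
        q.clear()  # a success ends the sequence either way
    return sorted(alerts, key=lambda a: a["priority"])


if __name__ == "__main__":
    for a in brute_force_then_success(SAMPLE_LOGS):
        print(f"P{a['priority']} {a['host']} {a['user']} from {a['src']}: "
              f"{a['failures']} failures then success at {a['success']}")
```

With the defaults only the fin-db01 sequence fires (five failures inside ten minutes, then a success) and it comes out as priority 1; the hr-app02 burst is followed by a success thirty minutes later, so it falls outside the window and is silent unless the window is widened. The threshold and window are exactly the "tailoring" the slide refers to: they belong in a per-use-case configuration tied to the risk driver, not hard-coded in the rule.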

Page 12: IBM Security Operations Operating Model

[Diagram of the operating model; layers and their components:]

SOC Governance: Cyber-Security Command Center (CSCC): executive security intelligence briefings; local/regional security oversight; SOC governance; consolidated security analytics & dashboards; local/regional intelligence briefings.

SOC Service Delivery Management: service level management; operational efficiency; service reporting; escalation.

SOC Operations:
• Threat Monitoring: threat triage, investigations, incident triage
• Threat Analysis / Impact Analysis
• Threat Response: advanced event analysis, escalations, incident management
• Security Intelligence: incident hunting, PM, use case recommendations
• Admin Support Services: tool integration, rule administration
• CSIRT Management: corporate incident response, table-top exercises
• Security Analytics & Incident Reporting

SOC Technology:
• SOC Platform Components: security device data; event data (internal/external); event patterns; correlation; aggregated security events; log data (transactional); unstructured data (big data); custom rules
• Tools: SIEM; ticketing & workflow; portal; integration tools (e.g. web services); reporting / dashboard; big data

SOC Data Sources: logs (transactional); network hierarchy & design; business data from structure & geography; unstructured (big data); asset & data classifications; threat intelligence.

IT / corporate functions the SOC interfaces with:
• Corporate: business units, legal, audit
• IT Operations: incident mgmt, problem mgmt, change mgmt, release mgmt
• Business Operations: business ops, investigations, public relations, legal / fraud
• Architecture & Projects
• Emergency Response

Legend: SOC; IT / Corp.

Page 13: We understand that an effective SOC has the right balance of People, Process and Technology components

[People / Process / Technology diagram, as on page 7]

Page 14: It starts with the right people ...

[People / Process / Technology diagram from page 7, with the People component (in-house staff, partners, outsourced providers, customers) highlighted]

The SOC is only as good as its people, and upfront planning for the unique people management aspects of a 24x7 security centric organization will provide significant long term returns.

Points of Consideration:

SOC staff have a specialized skill set and experienced staff are often difficult to find

Training is expensive, time consuming, and improves marketability of staff. Compensation strategies must be evaluated accordingly.

Retention of staff is difficult in a non-security centric organization due to continuous need for updated training, lack of expansive career path options, and burn-out.

Beyond analysts for 24x7 coverage, other supporting functions must be considered:

- System admins, Intelligence resources, Escalation resources, Compliance officers, Management / Supervision

Page 15: The SOC organization is organized around the standard plan, build and run model

[Illustrative SOC organization chart; only the label "Governance" is recoverable from the transcript]

Page 16: A responsibility matrix for all SOC roles should be defined across each SOC service (illustrative)

[RACI matrix. Columns (roles): SOC Analyst: Monitoring; SOC Analyst: Triage; SOC Analyst: Response; Security Intelligence Analyst; Security Incident Handler (Certified); SOC Tools Admin; SOC Manager; Security Forensic Analyst; IT Security Admin; IT Operations; CERT. The R/A/C/I cell values per role are not reproduced.]

Rows (services), by service group:
Core Security Services: Security Monitoring; Incident Triage; Incident Response; Delivery Management
Deployment Services: Use Case Design; Log Source Acquisition; Service Testing & Tuning; Custom Playbook Development; Operations Training
Security Intelligence Services: Security Intelligence Analysis; Security Intelligence Briefings; Use Case Recommendations
Administrative Services: SIEM Administration; Contextual Data Management; Log Source Management; Log Source Heartbeat Monitoring
Reporting Services: Security Reporting; Efficiency Reporting; Financial Reporting
Optional Services: Enterprise Incident Management; Forensics Investigation; Policy Violation Handling
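Log Source Heartbeat Monitoring is listed above as an administrative service, and it deserves its own row: every correlation rule in the SIEM is blind for a source that has quietly stopped sending, and nothing in the rule itself will tell you. The following is an added example, not code from the IBM deck: a heartbeat check in Python that compares each source's last received event against the longest gap that source normally shows, and also flags sources whose timestamps run ahead of the collector's clock, since a skewed clock would otherwise make a silent source look healthy. The source names, expected gaps and the "last seen" sample are constructed assumptions.

```python
"""Added example (not from the IBM deck): log-source heartbeat monitoring.
Expected gaps, source names and the 'last seen' sample are assumptions."""
from datetime import datetime, timedelta

# Referential data (assumed): the longest gap between events each in-scope
# source normally shows. A chatty firewall should never be quiet for long;
# an HR application that logs a few times an hour gets a wider allowance.
EXPECTED_MAX_GAP = {
    "fw-edge-01": timedelta(minutes=5),
    "dc-01": timedelta(minutes=15),
    "proxy-02": timedelta(minutes=5),
    "hr-app02": timedelta(hours=2),
}

# Constructed "last event received per source", as a SIEM would export it.
SAMPLE_LAST_SEEN = """\
fw-edge-01 2015-11-03T09:58:30
dc-01 2015-11-03T09:20:00
proxy-02 2015-11-03T10:07:00
legacy-ids 2015-11-03T09:59:00
"""


def parse_last_seen(text):
    seen = {}
    for line in text.splitlines():
        source, ts = line.split()
        seen[source] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    return seen


def check_heartbeats(last_seen, now, grace=2, skew_tolerance=timedelta(minutes=1)):
    """Classify every source as ok / silent / missing / clock_skew / unknown_source.
    'silent'  = quiet for more than grace x its expected gap (grace absorbs
                normal burstiness); 'missing' = in scope but never seen;
    'clock_skew' = last event is in the future, which would otherwise mask a
                silent source; 'unknown_source' = sending logs but not in scope."""
    findings = {}
    for source, expected in EXPECTED_MAX_GAP.items():
        ts = last_seen.get(source)
        if ts is None:
            findings[source] = "missing"
        elif ts - now > skew_tolerance:
            findings[source] = "clock_skew"
        elif now - ts > grace * expected:
            findings[source] = "silent"
        else:
            findings[source] = "ok"
    for source in last_seen:
        if source not in EXPECTED_MAX_GAP:
            findings[source] = "unknown_source"
    return findings


def run_check(last_seen_text, now_iso, grace=2, skew_tolerance_minutes=1):
    """Convenience wrapper: parse the export and evaluate it at the given time."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%S")
    return check_heartbeats(parse_last_seen(last_seen_text), now,
                            grace, timedelta(minutes=skew_tolerance_minutes))


def sources_needing_a_ticket(findings):
    """Anything that is not 'ok' becomes a ticket for the tools admin."""
    return sorted(s for s, status in findings.items() if status != "ok")


if __name__ == "__main__":
    result = run_check(SAMPLE_LAST_SEEN, "2015-11-03T10:00:00")
    for source, status in sorted(result.items()):
        print(f"{source:12s} {status}")
```

The unknown-source case matters as much as the silent one: a device that sends logs nobody asked for is either an asset the inventory does not know about or a collector misconfiguration, and both are contextual data problems rather than SIEM rule problems.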

Page 17: Sample Job Description: Triage Analyst (illustrative)

Responsibilities
• Monitoring of security events received through alerts from SIEM or other security tools
• Review alerts escalated by end users
• Handle end user and security services consumer initiated incidents and initiate trouble tickets (Sev 4 tickets)
• Perform Level 1 triage of incoming issues (initial assessment of the priority of the event, initial determination of an incident to establish risk and damage, or appropriate routing of security or privacy data requests)
• Monitor the health of alerting and its downstream dependencies (logger, client agents, etc.)
• Troubleshoot agents and logs required for reporting when they are not reporting to alerting systems
• Take intelligence actions from Intelligence teams and ticket them to the appropriate operators for tool policy or tool setting tuning
• Provide limited incident response to end users for low complexity security incidents
• Notify appropriate contacts for security events and response
• Take an active part in the resolution of incidents, even after they are escalated
• Work the assigned ticket queue
• Understand and exceed all tasked SLA commitments
• Track and report on closure of tickets per SLAs
• Escalate issues to Tier II or management when necessary
• Provide daily and weekly metrics for security and vulnerability incidents
• 24/7 shift work required

Experience and Skills
• Process and procedure adherence
• General network knowledge, TCP/IP troubleshooting
• Ability to trace down an endpoint on the network based on ticket information
• Familiarity with system log information and what it means
• Understanding of common network services (web, mail, DNS, authentication)
• Knowledge of host based firewalls, anti-malware, HIDS
• General desktop OS and server OS knowledge
• TCP/IP, Internet routing, UNIX & Windows NT
• Strong analytical and problem

Training
• Required: Security Essentials – SEC401 (optional GSEC certification); Computer Forensic Investigation – Windows In-Depth – FOR408
• Recommended: Security Incident Handling and Forensic – FOR508
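The triage analyst's duties to "track and report on closure of tickets per SLAs" and to "provide daily and weekly metrics" are the working end of the KPI/SLO/SLA measures that distinguish an optimized SOC. The following is an added example, not code from the IBM deck: a per-severity SLA report in Python over a constructed ticket export, counting acknowledgement and closure breaches and mean time to resolve. The design point is that a ticket still open past its target is counted as a breach at report time, rather than dropping out of the metric until somebody closes it. The ticket fields, the severity levels and the SLA targets are assumptions.

```python
"""Added example (not from the IBM deck): per-severity ticket SLA report.
Ticket fields, severity levels and SLA targets are assumptions."""
from datetime import datetime

# Assumed SLA targets per severity, in minutes: (time to acknowledge, time to close).
SLA_MINUTES = {1: (15, 240), 2: (30, 480), 3: (120, 1440), 4: (480, 4320)}

# Constructed ticket export: id severity opened acknowledged closed ('-' = not yet).
SAMPLE_TICKETS = """\
INC-1001 1 2015-11-02T08:00 2015-11-02T08:10 2015-11-02T11:00
INC-1002 1 2015-11-02T09:00 2015-11-02T09:40 2015-11-02T12:00
INC-1003 2 2015-11-02T10:00 2015-11-02T10:05 2015-11-03T02:00
INC-1004 3 2015-11-02T11:00 2015-11-02T12:00 -
INC-1005 4 2015-11-02T12:00 - -
"""


def _ts(field):
    return None if field == "-" else datetime.strptime(field, "%Y-%m-%dT%H:%M")


def _minutes(start, end):
    return (end - start).total_seconds() / 60


def parse_tickets(text):
    tickets = []
    for line in text.splitlines():
        tid, sev, opened, acked, closed = line.split()
        tickets.append({"id": tid, "severity": int(sev), "opened": _ts(opened),
                        "acked": _ts(acked), "closed": _ts(closed)})
    return tickets


def evaluate(ticket, now):
    """Return (ack_breached, close_breached, close_minutes or None).
    A ticket that is still open is measured up to 'now', so it breaches as soon
    as its target passes instead of vanishing from the metric until closed."""
    ack_target, close_target = SLA_MINUTES[ticket["severity"]]
    ack_elapsed = _minutes(ticket["opened"], ticket["acked"] or now)
    close_elapsed = _minutes(ticket["opened"], ticket["closed"] or now)
    return (ack_elapsed > ack_target, close_elapsed > close_target,
            close_elapsed if ticket["closed"] else None)


def sla_report(text, now_iso):
    """Per-severity counts of tickets, closures, SLA breaches and MTTR (minutes)."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M")
    report = {}
    close_times = {}
    for t in parse_tickets(text):
        row = report.setdefault(t["severity"], {"tickets": 0, "closed": 0,
                                                "ack_breaches": 0, "close_breaches": 0,
                                                "mttr_minutes": None})
        ack_b, close_b, close_min = evaluate(t, now)
        row["tickets"] += 1
        row["ack_breaches"] += int(ack_b)
        row["close_breaches"] += int(close_b)
        if close_min is not None:
            row["closed"] += 1
            close_times.setdefault(t["severity"], []).append(close_min)
    for sev, times in close_times.items():
        report[sev]["mttr_minutes"] = sum(times) / len(times)
    return report


def compliance_pct(report):
    """(acknowledge compliance %, closure compliance %) across all severities."""
    total = sum(r["tickets"] for r in report.values())
    ack_ok = total - sum(r["ack_breaches"] for r in report.values())
    close_ok = total - sum(r["close_breaches"] for r in report.values())
    return round(100 * ack_ok / total, 1), round(100 * close_ok / total, 1)


if __name__ == "__main__":
    rep = sla_report(SAMPLE_TICKETS, "2015-11-03T12:00")
    for sev in sorted(rep):
        print(f"Sev {sev}: {rep[sev]}")
    print("ack / close compliance:", compliance_pct(rep))
```

Run at noon on 3 November, INC-1004 (Sev 3, open for 25 hours against a 24 hour target) and INC-1005 (Sev 4, never acknowledged) both count as breaches even though neither has been closed; a report that only measured closed tickets would show the two severities at 100 percent.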

Page 18: Leveraging tested integrated processes ...

[People / Process / Technology diagram from page 7, with the Process component (threat analysis, compliance mgmt, SLA mgmt, risk assessment, change mgmt, vulnerability mgmt, identity & access, incident mgmt) highlighted]

SOC processes must be documented, consistently implemented, and based upon existing standards / governance frameworks. Procedures must take into consideration corporate security policy, business controls, and relevant regulatory requirements.

Points of Consideration:

The SOC’s mission must be clearly defined – Incident discovery, CERT, etc.

SOCs differ from NOCs, and an alarm does not always equate to action.

Processes must take into consideration evaluation and incorporation of a constantly changing stream of potentially actionable threat intelligence.

Best practices for incident investigation, response, and mitigation must be maintained and updated as technologies are added, change, or mature.


Page 19: Built on a solid technology platform

[People / Process / Technology diagram from page 7, with the Technology component (log management, compliance reporting, event correlation, threat reporting, vulnerability scanners, identity & desktop mgmt, ticketing system, change tracking) highlighted]

Technology for a SOC build is the foundation on which the organization demonstrates the ability to provide security continuously, even under times of duress such as persistent attack, natural disaster, facilities failure, etc.

Points of Consideration:

SOC technologies (SIEM, trouble ticketing, incident management, etc.) are often special purpose, costly, and challenging to maintain due to their overall complexity

The number of disparate systems and volume of device / event data will typically require a dedicated IT staff for system administration

Capacity management can be a challenge due to the need to support peak loads, which may include DDoS, monthly batch processing, etc.

The management and reporting systems must be flexible enough to accommodate process and security policy as well as changes in the technology landscape

Page 20: SOC Strategies & Approaches

Page 21: Selecting the optimal SOC operating model depends on balancing business and technical requirements, risk and financial constraints

Business Requirements
  Centralized: single global SOC; CSCC combined with SOC; lowest cost; easiest to manage
  Decentralized: multiple SOCs (geography / BU); single global CSCC; high cost; more difficult to manage

Technical Requirements
  Standard: simple platform; lowest cost to implement/operate; good risk mgmt capabilities; easy to scale operations; moderate detail on threats
  Highly customized: complex platform; high cost to implement/operate; excellent risk mgmt capabilities; more expensive to scale operations; rich detail on threats

Risk Tolerance
  Externally managed: 30-90 day implementation; lowest cost to implement/operate; not core to business; leverage industry best practices
  Internally managed: long implementation lead time; high cost to implement/operate; core to business; frequent independent reviews

Financial Constraints
  Low cost: lowest cost to implement; lowest cost to operate
  High cost: highest cost to implement; highest cost to operate

Page 22: IBM Security Operations Operating Model: MSSP Hybrid

[Diagram: the same operating model as on page 12 (CSCC governance layer, SOC service delivery management, SOC operations, SOC technology, SOC data sources, and the IT / corporate functions), with two differences: Security Intelligence covers incident hunting and use case management, and the legend distinguishes three owners, SOC, IT / Corp and MSSP, for the functions delivered by the managed security services provider.]

Page 23: Getting Started: Develop a Strategy then a Plan

Page 24: To get started, the organization should consider the following questions in establishing its objectives

What is the primary purpose of the SOC?

What are the specific tasks assigned to the SOC? (e.g., threat intelligence, security device management, compliance management, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)

Who are the consumers of the information collected and analyzed by the SOC? What requirements do they have for the SOC?

Who is the ultimate stakeholder for the SOC? Who will “sell” the SOC to the rest of the organization?

What types of security events will eventually be fed into the SOC for monitoring?

Will the organization seek an external partner to help manage the SOC?

Page 25: The Security Operations Optimization portfolio provides a flexible approach to the entire SOC/SIEM life cycle.

Strategy stages (applied across People and Governance, Processes and Practices, and Technology):
• Define the mission
• Assess current operations and capabilities
• Define future environment
• Develop roadmap for action

Workshop: educational, share best practices
Assessment: table-top, guided SOC maturity assessments
Strategy: set high-level vision; develop next steps roadmap for action

Design & Build
• Laying the foundation of capabilities
• Designing effective staffing models and supporting processes / technology
• Conducting training and testing
• Implementing tracking and reporting capabilities

Run & Enhance
• Leveraging acquired knowledge and experience
• Instituting formal feedback and review mechanisms
• Driving further value from the technology
• Expanding business coverage and functions
• Tuning and refinement

Optimize
• Business aligned threat management and metrics
• Drive for best practices
• Integrated operations with improved communications
• Seek opportunities for cost takeout
• Continuous improvement

Page 26: Security Operations Optimization Consulting Offerings

Name: SOC / SIEM Workshop
Description: Review security policies and SOC/SIEM mission/charter; review the IBM SOC / SIEM Operating Model point of view; review the components needed to implement a security operations center (platform architecture, processes, organization, metrics/reporting, governance); discuss best practices for each component and industry trends; develop client feedback report.
Sample duration & deliverable: 1-5 days; workshop readout.

Name: SOC Maturity Assessment Workshop
Description: Review security policies and SOC/SIEM mission/charter; assess client environment against the IBM SOC / SIEM Maturity Model; establish future state target maturity by component; analyze current and future targets vs. industry maturity benchmarks; identify gaps and opportunities for improvement, prioritize improvements; develop preliminary recommendations for the SOC program.
Sample duration & deliverable: 1-5 days; maturity assessment deliverable.

Name: SOC/SIEM Strategy and Program Mobilization
Description: Review security policies and SOC/SIEM mission/charter; conduct a detailed review of the current environment by component area (platform architecture, processes, organization, metrics/reporting, governance); review current and planned SOC/SIEM projects/initiatives; assess current environment vs. the Maturity Model, establish future state target; identify and prioritize gaps and opportunities for improvement; identify SOC scenarios and tailor the decision model; finalize transformation states and service improvements, finalize strategy; identify initiatives, group into projects, develop roadmap (timeline).
Sample duration & deliverable: 4-6 weeks; maturity assessment deliverable, component baselines, sample Phase 1 work plan.

Page 27: Security Operations Optimization Consulting Offerings (continued)

Name: Use Case / Rule (UCR) Assessment
Description: Review security policies and SOC/SIEM mission/charter; review business/technical requirements, risk tolerance, cost constraints; review use case models and rule architecture and design; identify gaps, opportunities for improvement; prepare high level use case / rule recommendations.
Sample duration & deliverable: 4-8 weeks; assessment report.

Name: Use Case / Rule (UCR) Strategy
Description: Review security policies and SOC/SIEM mission/charter; review business/technical requirements, risk tolerance, cost constraints; review use case models and rule architecture and design; identify gaps, opportunities for improvement; identify UCR scenarios and tailor the decision model; identify target state, prioritize improvements, finalize UCR strategy.
Sample duration & deliverable: 4-8 weeks; use case assessment and strategy deliverable.

Name: Security Operations Center Reporting Strategy
Description: Review security policies and SOC/SIEM mission/charter; review business/technical requirements, risk tolerance, cost constraints; review current metrics and operational/executive reports; identify gaps, opportunities for improvement; identify target state, prioritize improvements, finalize SOC reporting strategy.
Sample duration & deliverable: 6-12 weeks; security operations assessment and strategy deliverable.

Page 28

Security Operations Optimization – Design / Deploy

Name / Description / Sample Duration & Details

SOC/SIEM Design
• Develop Macro / Micro Design for Security Operation Center
• Key scope elements: platform, process, organization, reports, governance
• Data source logical/physical scope and integration architecture
• Develop use case and rule macro and micro design
• Develop SOC operational model, logical/physical platform architecture
• Finalize SOC process scope, context diagram, core/non-core processes
• Develop organization conceptual/logical model (roles), governance model
• Develop key metrics, reporting architecture, report list
• Product selection decision model and preliminary recommendations (opt.)
• Finalize SOC / SIEM Macro and Micro Design Deliverables
Sample duration: 2-3 Months. Details: SOC/SIEM design method; Design phase method/plan; Workshop decks/schedules; Key scope element baselines; SOC capacity modeling tool

SOC/SIEM Implementation
• Prepare SOC implementation plan, conduct SOC build, test, deployment
• Key scope elements: platform, process, organization, reports, governance
• Execute procurement for selected products, services (opt.)
• Finalize MSS implementation plan and build, test and deploy MSS (opt.)
• Build, test and deploy data sources, integration APIs
• Build, test, deploy use cases and conduct rule tuning
• Build, test and deploy SOC processes, metrics, SLAs/SLOs, Ops Manual
• Build, test and deploy organization design, role descriptions
• Build, test and deploy metrics, reports and executive dashboards
• Build, test and deploy SOC governance processes
• Conduct transition: Proof of Concept, Pilot Ops, Simulated Live Ops
• Security Operation Center Go-Live, Update Phase N Design Plan
Sample duration: 4-6 Months. Details: Implementation method/plan; MSS build, test, deploy plans; Workshop decks/schedules; Use case / rule frameworks; Key scope element baselines; SOC capacity modeling tool; PoC, pilot, simulated live ops plan

Page 29

Helping organizations with their SOC requirements is a core element of IBM’s 10 essential practices required to effectively manage risk

Figure: maturity based approach. Axes: Automated / Manual and Proactive / Reactive; maturity levels Basic, Proficient, Optimized; Security intelligence at the center.

Essential Practices
1. Build a risk aware culture and management system
2. Manage security incidents with intelligence
3. Defend the mobile and social workplace
4. Secure services, by design
5. Automate security “hygiene”
6. Control network access and assure resilience
7. Address new complexity of cloud and virtualization
8. Manage third party security compliance
9. Secure data and protect privacy
10. Manage the identity lifecycle

Page 30

IBM can provide unmatched global coverage and security awareness.

IBM Research; Security Operations Centers; Security Research Centers; Security Solution Development Centers; Institute for Advanced Security Branches

• 10B analyzed web pages and images
• 150M intrusion attempts daily
• 40M spam and phishing attacks
• 46K documented vulnerabilities and millions of unique malware samples

Worldwide managed security services coverage
• 20,000-plus devices under contract
• 3,300 GTS1 service delivery experts
• 3,700-plus MSS2 clients worldwide
• 20B-plus events managed per day
• 3,000-plus security patents
• 133 monitored countries (MSS)

1 IBM Global Technology Services (GTS); 2 Managed Security Services (MSS)

Page 31

IBM Confidential

Largest Bank in Canada improves security by establishing a SOC and implementing monitoring tools and processes

Client Situation:

The client had engaged IBM to help them map out their security needs, including SOC strategy, architecture, analyzing and querying log, threat and vulnerability data (SIEM), and ongoing management. A few high-level issues were:
• Lack of any SOC model and strategy roadmap
• No trained SOC operations team or staff
• No security monitoring tool or processes for security incidents

IBM Solution:

IBM Security Services Team reviewed the client’s business and technical requirements, risk tolerance and cost constraints. After analyzing the requirements, IBM developed a 3 year SOC Strategy and Roadmap with ongoing phased implementations. Additionally, the following high-level tasks were performed:
• Global installation of the QRadar monitoring tool
• Archer Ticketing System implementation (security tickets)
• Designed the SOC organization, process and people model
• SOC capacity modeling
• Hired and trained the client’s SOC staff (~12 resources)
• Implemented SOC operational reporting and executive dashboards

Client Benefits:
• Reduced risks & costs associated with security incidents and data breaches
• Addressed compliance issues by establishing clear audit trails for incident response
• Improved security posture with enterprise-wide security intelligence correlating events from IT & business critical systems/applications

Profile:

Largest Bank in Canada, 3rd largest in North America, top 10 globally. The bank serves 18 million clients and has 80,100 employees worldwide.

Page 32

A global insurance company in the United States improves security by establishing a SOC and implementing monitoring tools and processes

Client Situation:

The client had made a board-level commitment to raise the visibility, effectiveness and efficiency of the global security program. A few high-level issues:
• Multiple day delays in identifying threats
• Extreme incident false positive ratios with the current MSSP
• Labor intensive program, without clear lines of responsibility
• Minimal security analytics & dashboards

IBM Solution:

IBM Security Services Team began with a full day SOC optimization workshop to educate the client program team and to review and validate the client’s vision and strategy. After the workshop and recommendations, the client requested IBM’s support to help them plan, design and build the SOC, including the following:
• SOC architecture development
• SIEM operationalization (ArcSight)
• Remedy Ticketing System implementation (security tickets)
• Designed the SOC organization including capacity models
• Developed best-practice core SOC processes, created supporting documentation & artifacts, and trained client staff
• Implemented security operational reporting and executive dashboards
• Managed transition from the previous MSSP to IBM Managed Services

Client Benefits:
• Reduced incident identification time from hours to minutes and streamlined operations, further reducing risks & associated costs, and improved global security with end-to-end incident management
• Created an industry leading view into the overall security position, allowing them to better manage their entire environment

Profile:
• Global property and casualty insurer.
• Third largest insurer in the United States.
• Fortune 100 company.
• Operates in 900 locations distributed across 18 countries.
• The company has 50,000+ employees worldwide.

Page 33

A global financial services company in the UK improves security by transforming its SOC from compliance to cyber threat monitoring

Client Situation:

The client had invested in a SOC that was focused on policy violations and wanted to expand the capabilities of their existing investment:
• Compliance focused SOC
• Significant challenges with existing technology
• SOC manpower outsourced to a 3rd party
• Minimal security analytics & dashboards, non-existent Security Intelligence

IBM Solution:

IBM Security Services Team began with a 2 week SOC maturity assessment to gauge the client’s current and future capabilities and to review and validate the client’s vision and strategy. After the assessment, recommendations were presented to the client and IBM led the transformation programme, including:
• Developed best-practice core SOC processes, created supporting documentation & artifacts, and trained client staff
• Established a Security Intelligence function
• Accelerated development and implementation of a Ticketing System
• Reviewed the SOC organisation and identified improvements
• Demonstrated the importance of capacity modelling
• Implemented security operational reporting and executive dashboards

Client Benefits:
• Increased efficiency from the existing SOC staff handling more events in a defined and repeatable way
• Increased awareness of their own systems and future threats, making use of Security Intelligence
• Better able to understand and highlight the benefits of the SOC due to improved metrics and reporting

Profile:
• UK based financial services group.
• Retail, commercial, wealth and asset management, international and insurance arms.
• Operates in almost every community in the UK.
• Over 100,000 employees (2014)

Page 34

Thank You


Page 35

We leverage our SOC framework, which covers the multiple management dimensions of organizing and managing a SOC

Page 36

We include 14 key processes that encompass both the business and IT aspects

Page 37

Which leads to insightful analyses – e.g. Maturity Assessment

Page 38

IBM offers multiple options in our consulting offerings

Security Operations Center (SOC) Workshop
– 1 day management workshop to establish goals and objectives for developing the SOC, identifying stakeholders, types of threats monitored, and the management model

Security Operations Center (SOC) Assessment
– Consulting assessment for clients that have an existing SOC but are looking for IBM to review their capabilities and process maturity and make recommendations for improvements

Security Operations Center (SOC) Strategy Engagement
– Consulting strategy engagement for clients who are seeking to develop a comprehensive strategy and plan to implement a SOC that addresses both IT and the business for managing security and mitigating threats

Security Operations Center (SOC) Design / Build Project
– Professional services to help clients design and build one or multiple SOCs that meet the organization’s needs for improved security intelligence and risk management
– Components include:
• Organization/People (develop and implement staffing models, shift schedules, skills training etc.)
• Processes, Procedures, Guidelines (define, develop and document, update existing)
• Technology (plan, design, deploy technology components, integrate feeds and other referential sources)

Page 39

What you can expect as a result from a SOC implementation
• Better understanding of how your security program reduces risk in operations and therefore business risk
• Measurement of the real-time compliance of particular security controls in the organization
• Insight into the current state of your security posture
• Visibility of issues, hacks, infections and misuse that otherwise would require human discovery and correlation
• Easier measurement of compliance and reduction of audit effort

Page 40

IBM knows security

Page 41

IBM is recognized as a leader in Security Consulting

“IBM burst into the Leader category by demonstrating superb global delivery capabilities”

Page 42

Why IBM SIEM Security Technology? Breadth, deep expertise, integration

Leadership
• Leader in “Magic Quadrant for Security Information and Event Management”, Gartner, May 12, 2011, May 13, 2010, May 29, 2009.
• #1 rated by Gartner for Compliance use cases ("Critical Capabilities for Security Information and Event Management Technology," Gartner, 12 May 2011)

Integration
• Integrated with 400+ products and vendor platforms
• SIEM, log management, network anomaly detection, and risk management combined in a single console

Expertise
• Embedded 3rd party security feeds including IBM X-Force
• Tight integration with InfoSphere Guardium and IBM Identity Manager & Access Manager for optimized data & user security

Page 43

Client example - a large financial services company

Business Challenge: A large European financial institution with multiple global locations was searching for best practices and assistance in creating an in-house, compliant and effective Security Operations Center. Compounding the challenge of the sheer magnitude of their operations were the complications surrounding several recent acquisitions that had not been fully integrated. The current operation was largely driven by SOX compliance requirements, which diluted the effectiveness of the SOC with “unimportant” log sources.

Solution: A series of business and technical workshops were conducted to start the assessment, as the client needed to refocus their operations on security while maintaining regulatory compliance. These workshops then advanced to a full security operations design, integrating disparate business unit requirements, focusing analysis on important log sources, and reorganizing the department. Ultimately, the client chose to have IBM staff their new SOC, reducing the total number of hired staff and overall cost.

Benefits: Overall SOC costs were reduced and the resulting organization is more focused and effective.

Solution components:
• IBM Q-Radar SIEM
• IBM Security Services SOC Workshop & Design
• IBM Security Services Professional Security Services

Page 44

Client example – global pharmaceutical company

Business Challenge: A large global pharmaceutical company with research locations scattered around the world faces the ongoing threat of industrial espionage and is frequently a target of hacktivists. Their security operations were decentralized, allowing each unit to “fend for themselves”. After some minor faults but no major incidents, the company decided to centralize their security operations and create a holistic view of security across the entire organization.

Solution: A business and technical workshop was conducted to start the assessment and help the client envision what the end state should look like and how to initiate the centralization process. Leveraging a deployed IBM Q-Radar installation, the solution involves creating two redundant SOCs to centralize security intelligence and device management operations. These SOCs will work cooperatively using the best-practice operational models derived from IBM MSS Global SOCs, providing a single, measurable view of security across their global operations.

Benefits: A centralized operational model allows economies of scale to drive costs down, while improving the effectiveness of security operations and threat intelligence sharing.

Solution components:
• IBM Security Services SOC Workshop
• IBM Q-Radar
• IBM Security Services Managed SIEM

Page 45

Thank you for your time! Questions and Answers

Page 46

Backup Pages

Page 47

Typical SOC Project Scope

Client SOC Capability Transformation, by phase (Consult and Design / Build / Operate / Maintain) and dimension (SOC Processes / SOC People / SOC Technology):

SOC Processes
Consult and Design:
• Deliver SOC Workshop
• Perform SOC Maturity Assessment
Build:
• Build Wiki framework for agile documentation approach
• Build new and integrate existing processes and procedures
• Align SOC operations across the enterprise
Operate:
• Implement incident management process
• Continue documentation and update as necessary
• Implement process improvement program
• Drive business through metrics
• Manage risk and compliance
Maintain:
• Perform SOC Maturity Assessment annually
• Maintain and update SOC documentation
• Evaluate, measure and improve processes

SOC People
Consult and Design:
• Identify stakeholders
• Define roles, responsibilities, and job descriptions
• Design staffing models
• Develop training plans
• Help hire the right staff or complement existing teams
Build:
• Deliver training: on the job, intrusion analysis, and technology solutions
• Analyst coaching
• Developing key organizational linkages
Maintain:
• Maintain dedicated SOC manager and analyst positions
• Continue on-going boarding and training of new analysts as necessary

SOC Technology
Consult and Design:
• Architect & design SIEM solutions
• Plan Use Cases
• Map operations to regulatory and business requirements
• Health check
Build:
• Install & configure SIEM solutions
• Establish data feeds
• Implement Use Cases
• Build content
• Design analyst workstations
Operate:
• Operate and maintain SIEM solutions
• Implement dashboards
• Develop operational and business reports
• Investigate using advanced analytics
• Manage incidents via cases
• Integrate threat intelligence
Maintain:
• Operate and maintain SIEM
• Maintain architecture and product documentation
• Perform health check on SIEM environment at planned intervals
• Perform capacity planning
• Develop steady-state technology costs

Page 48

Challenge 1: Detecting Threats

Potential Botnet Detected? This is as far as traditional SIEM can go.
IRC on port 80? IBM Security QRadar QFlow detects a covert channel.
Irrefutable Botnet Communication: Layer 7 flow data contains botnet command and control instructions.

Application layer flow analysis can detect threats others miss.

Page 49

Challenge 2: Consolidating Data Silos

Analyzing both flow and event data. Only IBM Security QRadar fully utilizes Layer 7 flows.
• Reducing big data to manageable volumes
• Advanced correlation for analytics across silos
Data Reduction Ratio: 1153571 : 1

Page 50

Challenge 3: Detecting Insider Fraud

Potential Data Loss: Who? What? Where?
• Who? An internal user
• What? Oracle data
• Where? Gmail

Threat detection in the post-perimeter world: user anomaly detection and application level visibility are critical to identify inside threats.

Page 51

Challenge 4: Better Predicting Risks to Your Business

Assess assets with high-risk input manipulation vulnerabilities
• Which assets are affected? How should I prioritize them?
• What are the details? Vulnerability details, ranked by risk score
• How do I remediate the vulnerability?

Pre-exploit Security Intelligence: monitor the network for configuration and compliance risks, and prioritize them for mitigation.

Page 52

Challenge 5: Addressing Regulatory Mandates

Unencrypted Traffic: IBM Security QRadar QFlow saw a cleartext service running on the Accounting server.
PCI Requirement 4 states: Encrypt transmission of cardholder data across open, public networks.
PCI compliance at risk? Real-time detection of a possible violation.

Compliance Simplified: out-of-the-box support for major compliance and regulatory standards; automated reports, pre-defined correlation rules and dashboards.
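The two QFlow scenarios on these backup pages (Challenge 1, IRC hidden on port 80, and Challenge 5, a cleartext service on a PCI-scoped server) both come down to rules over Layer 7 flow records rather than over log events. The following is an added example, not IBM's or QRadar's code: three such rules run over constructed flow records, with the port table, the IRC verb list and the PCI asset list all assumed for illustration.

```python
from dataclasses import dataclass

# Application a DPI engine is expected to classify on each well-known port
# (constructed subset; an appliance such as QFlow ships a far larger table).
EXPECTED_APP = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 443: "tls", 6667: "irc"}
# Applications that carry their payload unencrypted.
CLEARTEXT_APPS = {"http", "ftp", "telnet", "irc", "smtp"}
# IRC protocol verbs; seeing them on a non-IRC port turns a "potential"
# covert channel into a confirmed one (the slide's third step).
IRC_VERBS = ("NICK ", "USER ", "JOIN ", "PRIVMSG ")
# Hypothetical CMDB export: hosts in PCI scope, keyed by address.
PCI_SCOPE = {"10.1.20.15": "accounting-srv"}
SEVERITY = {"confirmed": 3, "compliance": 2, "potential": 1}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    app: str           # Layer-7 classification from DPI
    payload: str = ""  # first bytes of client payload, when captured


def app_port_mismatch(flow: Flow) -> bool:
    """Rule 1 (potential): Layer-7 application differs from what the port implies."""
    expected = EXPECTED_APP.get(flow.dst_port)
    return expected is not None and flow.app != expected


def irc_covert_channel(flow: Flow) -> bool:
    """Rule 2 (confirmed): IRC verbs carried inside a flow on a non-IRC port."""
    if flow.app != "irc" or flow.dst_port == 6667:
        return False
    return any(verb in flow.payload for verb in IRC_VERBS)


def cleartext_on_pci_host(flow: Flow) -> bool:
    """Rule 3 (compliance): cleartext service on a PCI in-scope host (Req. 4)."""
    return flow.dst in PCI_SCOPE and flow.app in CLEARTEXT_APPS


RULES = [
    ("app_port_mismatch", "potential", app_port_mismatch),
    ("irc_covert_channel", "confirmed", irc_covert_channel),
    ("cleartext_on_pci_host", "compliance", cleartext_on_pci_host),
]


def evaluate(flows):
    """Run every rule over every flow; return (rule, severity, flow), worst first."""
    hits = [(name, sev, f) for f in flows for name, sev, rule in RULES if rule(f)]
    return sorted(hits, key=lambda h: SEVERITY[h[1]], reverse=True)


# Constructed sample flows (RFC 5737 documentation addresses for externals).
SAMPLE_FLOWS = [
    Flow("10.1.5.22", "203.0.113.9", 80, "irc", "NICK ws22\r\nJOIN #ops\r\n"),
    Flow("10.1.5.23", "198.51.100.4", 80, "http", "GET / HTTP/1.1\r\n"),
    Flow("10.1.8.7", "10.1.20.15", 21, "ftp", "USER backup\r\n"),
    Flow("10.1.8.7", "10.1.20.15", 443, "tls"),
]

if __name__ == "__main__":
    for name, sev, f in evaluate(SAMPLE_FLOWS):
        print(f"{sev:10} {name:22} {f.src} -> {f.dst}:{f.dst_port} ({f.app})")
```

Rule 1 alone is the "potential" stage and will also fire on legitimate oddities (TLS on port 80, for instance), so the port table and the PCI asset list must be tuned to the environment before the rule is promoted to an alerting offense.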

Page 53

Operational Overview

Page 54

Workshop & Roadmap

Project Timeline: 30 days, 3 months, 6 months, 9 months, 1 year
• Detailed Support Planning
• Governance Model
• Communications Plan
• Staff Onboarding & Training
• Documented Process
• SOC achieves 100% Operational Control
• Steady State & Ongoing automation
• Ongoing Maturation