Posted on 11-Mar-2020
TRANSCRIPT
People First, Performance Now
Ministry of Science, Technology and Innovation
Setting up a Security Operations Center (SOC) – A step-by-step approach
Abdul Rahman Mohamed
VP, IT Strategy, Risk & Delivery, Group IT, Malaysia Airlines
07 November 2012
My apologies… I am standing between you and home sweet home. I'll be on time.
About the speaker…
• 19 years of experience
• Was CISSP and CISM
• Oil and Gas, Banking and Consultancy
• IT Strategy & Transformation, Governance, Risk & Security, IT Service Delivery, Project Management
We are here to share our experience…
• In setting up an internal SoC, as well as its journey and evolution
• Its value to our business
• The lessons learned
• DISCLAIMER: It works for us.
Allow me to introduce the Air Travel Industry….
The Airline industry is glamorous, and a quick way to lose money…..
“How do you become a millionaire? First, become a Billionaire, then you run an Airline” – Sir Richard Branson
Group IT is the enabler and IT partner of THE PREFERRED PREMIUM CARRIER…
[Route map of the Malaysia Airlines network (MH, MW, FY) with key figures, per December 2011:]
• 2 + 6 Data Centers (incl. MHNet, SITA, Enrich)
• 56 applications
• 16K IT Devices
• 14-15 million Pax per annum (2010/11)
• Over 90 Stations (MW, FY, MH)
• 45 FTEs
• Over 12 Key IT Partners (out of 84)
• 20K Staff
Let's get to the actual presentation
The steps that we took in establishing the SoC….
• Find the right resources
• Find the business value of your SoC
• Get the Sponsors and know your stakeholders
• Begin with the end in mind
• Start small
• Leverage
• Can pause but keep evolving
• “Marketecture”
Step 1: In any endeavour, we have to have the right resources for the job, meeting the following criteria:
“Committed to Integrity; Committed to Performance and Committed to Change.”
Jeff Immelt, CEO, GE
“There is no such thing as an IT project, there is only business project”
Paul Coby, Ex CIO, British Airways
“Else… you syok sendiri” (Malay: you are only pleasing yourself)
Abdul Rahman Mohamed, Future CIO
Step 2: We established the SoC for the airline business….
• Alignment with corporate strategies and the Business Transformation Plan (BTP2):
  • No compromise on safety and security
  • Serve Customer, Make Money, Save Money
• Compliance with regulatory requirements (local and international), e.g. Anti-Trust/Competition Law, Data Privacy, PCI, National Cyber Security Policy (NCSP)
• Increase in IT Outsourcing activity and the need for near-real-time transparency
Step 3: The project was actually owned by Corporate Security but funded by IT….
[Organization chart. Boxes shown: Board Safety and Security Committee; Management Committee; Group IT; CSSHE*; Corp. Risk Advisory Services; IT Service Delivery; Info/IT Services; Corporate Security (Governance, Operations); IT Strategy & Governance; Information Risk & Security (Risk Mgmt, Security Operations, Security Assurance); SACC**; IT Security Operations; SITO***; Business Assurance (Audit & Business Advisory).]
* Corporate Safety, Security, Health & Environment
** Security Assurance Control Center
*** Strategic IT Outsourcing
There are external stakeholders as well….
[Same organization chart as the previous slide.]
Step 4: Once we established the business justification, we would envision the end in mind….
This is half of your journey….
We started our journey with a 5 year vision….
PHASE 1: Assurance and visibility to Business
PHASE 2: Integration to Business
PHASE 3: Optimized for Stakeholder's Confidence in IT Controls
PHASE 4: Integration to Corporate GRC

[Roadmap table; rows by track, items spread across the four phases:]
Policy: Policy Alignment; Link with Corp Security; Corp Info Security Policy; Comprehensive view; Link dashboard to external/service provider; Integrate with corporate GRC framework
Process / Tech: IT Compliance Mgmt; Security Incident & Event Mgmt; Threat & Vulnerability Mgmt; Assurance testing; IT Risk Management; IT Assets Mgmt; Identity & Access Mgmt; Info Retention & e-Discovery; Information Security Dashboard; Content Security Services; Service Provider assessment; Info Leakage Prevention; Digital Rights Mgmt; Link with Corp Security dashboard
People: Awareness (Classroom, Handbook, Video, E-Awareness, Portal); Certification
Results / Benefits: Transparency; Visibility; Assurance of control effectiveness; Integration with corporate security; Integration of security processes and technology; Information Security visible at Corp. Security business objectives; Obtain stakeholder's confidence
In reality, not everything goes as planned…. But stick to it.
[Same 5-year roadmap table as the previous slide.]
Step 5: We started small and called our SoC the Security Assurance Control Center (SACC), using “Subscription on-site”.
[Service catalogue of the Security Assurance Control Center:]
• Assurance Monitoring: Policy Compliance; Threat & Vulnerability Management; Security Event Management; Incident Response; Reporting & Dashboard
• Assurance Testing (Schedule of Test): Internal & External Penetration test; Station IT Security Posture; Network Services Attestation; Web Application code assurance; Social Engineering Drill
• Unplanned Assurance (Schedule of Price Agreement, by man-day rate): Additional Device for Monitoring; Additional Testing Services; Forensic services; Other security services
We did not own the tools, licenses, resources and servers. We own the information and results only.
[Same SACC service catalogue as the previous slide.]
Assurance monitoring ensures compliance and that all critical devices at HQ and stations are sufficiently protected.
[Assurance Monitoring diagram: Policy Compliance; Threat & Vulnerability Management; Security Event Management; Incident Response; Reporting & Dashboard; with the IT Helpdesk and the Threat Mgmt Center shown alongside the monitored endpoints and servers.]
Assurance testing provides the security view from the perpetrator's perspective, for security improvements.
[Assurance Testing diagram: Tester (internal and external); Schedule of Test; Internal & External Penetration test; Station IT Security Posture; Network Services Attestation; Web Application code assurance; Social Engineering Drill.]
Step 6: We also leverage others' capabilities, locally…
MoU between Malaysia Airlines and CyberSecurity Malaysia
We also leverage others' capabilities, internationally.
MoU between Malaysia Airlines and Tata Consultancy Services
Step 7: As mentioned earlier, we did pause for certain capabilities, but we continue to evolve into the IT Control Tower.
[IT Control Tower diagram: the Security Assurance Control Center services (Assurance Monitoring: Policy Compliance, Threat & Vulnerability Management, Security Event Management, Incident Response; Assurance Testing with Schedule of Test: Internal & External Penetration test, Network Services Attestation, Web Application code assurance, Station IT Security Posture, Social Engineering Drill; Unplanned Assurance with Schedule of Price Agreement, by man-day rate: Additional Device for Monitoring, Additional Testing Services, Forensic services, Other security services) and Reporting & Dashboard, alongside RealITy Dashboard Reports and the Support Teams of all vendors (ESM, MH, MTM, IT ISS; Mail Team, Security Team and other teams).]
IT Control Tower uses more comprehensive tools which focus on end-to-end IT services, including Security and Compliance.
Step 8: Talking the walk is equally important to walking the talk… We need to “marketecture”.
• We communicate our findings to:
  • Board Safety and Security Committee – Quarterly
  • Accountable Managers Meeting – Quarterly
  • IT Management – Monthly
• Participate in Cyberdrills with MKN and CyberSecurity Malaysia
• Repelled targeted attacks on Malaysia Airlines on 1 July 2012 (16 hours)
• Visits from fellow GLCs and Government agencies
[IT Security Index dashboard, status based on the July 2012 report:]
• IT Security Index: Overall – Low
• Global Threat and Vulnerability: Overall – Low
• Virus Protection Index: Overall VPI – 98.93%
• SPAM Filtering Index: Overall SFI – 81.6%
• IT Security Policy Compliance: Overall IT SPC – 87.81%
• IT Security Incidents: Overall – Medium
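The dashboard shows index values and status bands but not how they are derived. The following is an added example, not code from the Malaysia Airlines SACC, showing one way such figures can be rolled up from per-station monitoring records: a Virus Protection Index (share of endpoints with fresh AV signatures), a Policy Compliance index (checks passed over checks assessed) and a SPAM Filtering Index (blocked over inbound mail), banded into Low / Medium / High and broken down per station so the stations dragging the index down are visible. The record layouts, the 7-day signature-age limit, the band thresholds and the sample data are all assumptions constructed for illustration.

```python
"""Roll up constructed monitoring records into dashboard-style security indices.

Added example, not part of the original deck. Record layouts, thresholds and
sample data are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class Endpoint:
    station: str               # IATA-style station code (assumed convention)
    hostname: str
    av_signature_date: date    # date of the last anti-virus signature update
    policy_checks_passed: int  # hardening/policy checks passed on this host
    policy_checks_total: int   # checks assessed on this host


@dataclass
class MailStats:
    station: str
    inbound: int               # inbound messages seen by the gateway
    spam_blocked: int          # messages the gateway classified as spam


AV_MAX_AGE_DAYS = 7  # assumed: signatures older than this count as unprotected


def virus_protection_index(endpoints, as_of):
    """Percentage of endpoints whose AV signatures are at most AV_MAX_AGE_DAYS old."""
    if not endpoints:
        return 0.0
    protected = sum(1 for e in endpoints
                    if (as_of - e.av_signature_date).days <= AV_MAX_AGE_DAYS)
    return 100.0 * protected / len(endpoints)


def policy_compliance_index(endpoints):
    """Percentage of policy checks passed across all endpoints (weighted by checks)."""
    total = sum(e.policy_checks_total for e in endpoints)
    passed = sum(e.policy_checks_passed for e in endpoints)
    return 100.0 * passed / total if total else 0.0


def spam_filtering_index(stats):
    """Percentage of inbound mail the gateways blocked as spam."""
    inbound = sum(s.inbound for s in stats)
    blocked = sum(s.spam_blocked for s in stats)
    return 100.0 * blocked / inbound if inbound else 0.0


def band(index_value, low_at=95.0, medium_at=85.0):
    """Map a coverage percentage to a risk band: high coverage means low risk.
    Thresholds are assumed for illustration."""
    if index_value >= low_at:
        return "Low"
    if index_value >= medium_at:
        return "Medium"
    return "High"


def per_station(endpoints, as_of):
    """Compute VPI and policy compliance for each station separately."""
    by_station = defaultdict(list)
    for e in endpoints:
        by_station[e.station].append(e)
    return {s: {"vpi": virus_protection_index(es, as_of),
                "spc": policy_compliance_index(es)}
            for s, es in sorted(by_station.items())}


def stations_below(report, metric, threshold):
    """Stations whose value for `metric` falls below `threshold`."""
    return [s for s, m in report.items() if m[metric] < threshold]


# Constructed sample data (not real inventory).
AS_OF = date(2012, 7, 31)
ENDPOINTS = [
    Endpoint("KUL", "kul-ws-001", date(2012, 7, 30), 18, 20),
    Endpoint("KUL", "kul-ws-002", date(2012, 7, 29), 20, 20),
    Endpoint("KUL", "kul-srv-001", date(2012, 7, 31), 19, 20),
    Endpoint("LHR", "lhr-ws-001", date(2012, 7, 10), 15, 20),  # stale signatures
    Endpoint("LHR", "lhr-ws-002", date(2012, 7, 28), 17, 20),
    Endpoint("SYD", "syd-ws-001", date(2012, 7, 27), 20, 20),
]
MAIL = [MailStats("KUL", 10000, 8200), MailStats("LHR", 2000, 1600)]


def summary(endpoints=ENDPOINTS, mail=MAIL, as_of=AS_OF):
    """Overall indices with status bands, plus the stations needing attention."""
    vpi = virus_protection_index(endpoints, as_of)
    spc = policy_compliance_index(endpoints)
    sfi = spam_filtering_index(mail)
    stations = per_station(endpoints, as_of)
    attention = sorted(set(stations_below(stations, "vpi", 95.0)
                           + stations_below(stations, "spc", 85.0)))
    return {"vpi": round(vpi, 2), "vpi_status": band(vpi),
            "spc": round(spc, 2), "spc_status": band(spc),
            "sfi": round(sfi, 2),
            "stations_needing_attention": attention}


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

With the constructed data one stale London workstation pulls the overall VPI down to 83.33% (band "High") even though Kuala Lumpur and Sydney are at 100%, which is exactly why the per-station breakdown belongs next to the overall figure on a dashboard that covers 90-plus stations.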
We were awarded the Information Security Project of the Year 2009.
We were awarded the IT Visionary Award for Asia South 2008.
In 2010, as a result of the earlier initiatives, we won more awards… It is nice to be appreciated.
• CIO of the Year
• Deputy Minister Award
• Information Security Project of the Year – PCI-DSS
As a Recap…
• Find the right resources
• Find the business value of your SoC
• Get the Sponsors and know your stakeholders
• Begin with the end in mind
• Start small but shout big
• Leverage
• Can pause but keep evolving
• “Marketecture”
Thank you