Discover Best of Show 2016
Lee Whatford – Principal Consultant – Security Intelligence and Operations
February, 2016
Transform to a hybrid infrastructure
Enable workplace productivity
Empower the data-driven organization
Protect your digital enterprise
Protect your most prized digital assets whether they are on premise, in the cloud or in between.
Managing risk in today’s digital enterprise
Rapid transformation of enterprise IT
• Shift to hybrid
• Mobile connectivity
• Big data explosion
Cost and complexity of regulatory pressures
• Compliance
• Privacy
• Data protection
Increasingly sophisticated cyber attacks
• More sophisticated
• More frequent
• More damaging
Proactively detect & respond to threats to minimize damage
Recover
Protect
Detect and Respond
Business Outcomes
• Help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration
• Establish situational awareness to find and shut down threats at scale
• 24*7*365 security monitoring
• Threat intelligence and advanced threat analytics
• Proactive incident response
• Testing and training of key personnel and crisis planning
State of Security Operations White Paper 2016
Maturity and Capability Levels
Assessment Methodology
• Quantitative assessment of business, people, process, and technology components
• Framework based on Carnegie Mellon Software Engineering Institute’s Capability Maturity Model for Integration (SEI-CMMI)
• Aggregate target of 3.00 for commercial organizations
Levels
• Incomplete – Operational elements do not exist
• Performed – Minimal ad hoc execution to meet business requirements
• Managed – Business goals are met and operational tasks are repeatable
• Defined (3.00) – Operations are well-defined, subjectively evaluated, and flexible
• Measured – Operations are quantitatively evaluated, reviewed, and proactively improved
• Optimized – Operations are focused on incremental levels of process improvement
SecOps Maturity Assessment
Business (54)
• Mission
• Accountability
• Sponsorship
• Relationship
• Deliverables
• Vendor engagement
• Facilities
People (65)
• General
• Training
• Certifications
• Experience
• Skill assessments
• Career path
• Leadership
Process (65)
• General
• Operational processes
• Analytical processes
• Business processes
• Technology processes
Technology (56)
• General
• Architecture
• Data collection
• Monitoring
• Correlation
Maturity Assessment
[Chart: SOMM Level (0.00 to 2.50) per domain – Business, People, Process, Tech – for Company A versus Average]

Maturity Assessment        Score   Comments
Business                   2.44
  Mission                  1.86
  Accountability           1.21
  Sponsorship              2.18
  Relationship             2.15
  Deliverables             3.00
  Vendor Engagement        2.67
  Facilities               1.27
People                     1.82
  General                  1.98
  Training                 2.61
  Certifications           1.58
  Experience               2.00
  Skill Assessments        0.88
  Career Path              1.92
  Leadership               1.50
Process                    0.63
  General                  2.01
  Operational Process      1.67
  Analytical Process       0.00
  Business Process         0.00
  Technology Process       0.00
Technology                 2.60
  Architecture             1.54
  Data Collection          3.69
  Monitoring               1.50
  Correlation              1.37
  General                  2.13
Overall SOMM Level         1.69

              Current    Phase 1                  Phase 2                Phase 3
Timeline      –          6 mos                    1 yr                   2 yr
SOMM Target   1.6        2.0                      2.5                    3.0
Use Cases     Logging    Perimeter, compliance    Insider Threat, APT    Application Monitoring
Staffing      Ad hoc     4 x L1, 1 x L2           8 x L1, 2 x L2         12 x L1, 2 x L2, 2 x L3
Coverage      8x5        8x5                      12x7                   24x7

Addressing The Threat
Banking Sector Malware – Top 5 Threats
Top 5 families
Carbanak (RAT)
– Phishing attack with lure document
– Advanced coding
– RCE protection
– VMware identification
– Shell code dropper
– Stage 2 – Carbanak malware family
– China attribution
CORESHELL / CHOPSTICK (RAT)
– Phishing attack with lure document
– Waterhole
– Advanced coding
– VMware identification
– Honey pot identification
– Shell code dropper
– Stage 2 – CORESHELL and/or CHOPSTICK
– Russian attribution
Dyreza (RAT/keylogger)
– Phishing attack with lure document
– Shell code dropper
– Stage 2 – CORESHELL and/or CHOPSTICK
– China attribution
Dridex (botnet)
– SPAM attack with lure document, waterhole, macro dropper
– Stage 2 – DRIDEX
– China attribution
– Widest spread Trojan in banking

• Dridex – more infection instances than any other
• Zeus – family variants second most seen
• CORESHELL / CHOPSTICK
• Carbanak
• Dyreza
B - A - T
Understanding The Three Key Pillars of Operational Security
• Business – business impact, assets ($)
• Asset – technology, data, vulnerability, risk
• Threat – who? why? modus operandi (example: Dyreza)
If you know the enemy and know yourself you need not fear the results of a hundred battles…
Mapping the Threat
Business Intelligence
• Risk Assessment – IRAM (ISF), internal risk registers, risk exceptions, industry reports, asset modelling, data modelling
• Defence-in-depth Security Controls – security controls, events, sources
• Behavioral Analytics – expected usage, trending, user account usage, bandwidth usage, application usage
• Insider Misuse – malicious intent, peer comparison, policy violation, misconfiguration
Use Cases
Adversarial Intelligence
• Threat Assessment – MITRE TARA, Threat Agent Library, OS Intel, attacker motivation
• Indicators of Compromise – situational awareness enhancement: actors, campaigns, certificates, domains (DNS), emails, events, indicators, IP addresses, PCAPs, raw data, samples, targets
• Adversary TTP(s) – methods to prepare for and execute attacks, use of tools by an adversary, activities used to evade detection
• Legitimate Access – the ultimate goal of any attack is to maintain persistent access: hijacking user accounts, hijacking remote access services
Sample PII Use Case
Use cases defined as a methodology
• Layering point use cases in an attack life cycle allows
Building Effective Security Operations
Identify
• Information
Detect
• Maximise potential
• Repeatable process
• Effective skills
Respond
• Expensive resources
• Time critical
Recover
Reduce Time = Reduce Costs
Business Priorities Fulfilled by 3 Key Components
People, Process & Technology
Technology
• SIEM
• Connectors and sources: Applications, Mainframe & Mid-range, ICS, Physical, Vulnerability Scanning, Threat Intelligence, IDAM, DBMS, CMDB, Logging, Proxy, IDS/IPS, Firewall, Switches, Routers
People
• Executives, IRT, Content Author, SIOC Manager, Hunt Team, Level 2, Level 1, IT Ops, Audit & Compliance
Process
• Compliance: MiFID, BASEL, Dodd Frank, Laundering, MAD, EMIR, REMIT, Solvency, AIFMD, EU GDPR, PCI, etc. & ever evolving
Attaining The ‘Best’
Assess and Design          Build                    Operate                              Transfer
SOC Maturity Assessment    SIEM & Logger Install    Content Refinement                   Transition Platform
Use Case Workshop          Device Onboarding        Monitoring                           Transition Use Cases
Roles & Responsibility     Use Case Authoring       Triage & Prioritisation              Train Customer on HPE Roles
Skills Requirements        Training                 Analytics & Subtle Event Detection
Skills Assessment          Career Progression       Service Level Agreements
Metrics & KPIs
SOC Knowledge Management
Processes and Procedure – Operational, Technical, Analytical, Business
Continuous Innovation
Processes
Analytical
• Threat Intelligence
• Investigations
• Data Exploration
• Focused Monitoring
• Forensics
• Advanced Content
• Information Fusion
Technical
• Architecture
• Data Flow
• Data Onboarding
• User Provisioning
• Access Controls
• Configuration Management
• Use Case Lifecycle
• Maintenance
• Health & Availability
• Backup & Restore
Operational
• Incident Management
• Roles & Responsibilities
• Scheduling
• Shift Turnover
• Case Management
• Crisis Response
• Problem & Change
• Employee Onboarding
• Training
• Skills Assessment
• Ops Status
Business
• Mission
• Sponsorship
• Service Commitment
• Metrics & KPIs
• Compliance
• Project Management
• Continual Improvement
• Knowledge Management
• BC / DR
Resource Planning
Analytical – Technical – Ops – Business
Analyst
• Sourcing
• Talent Pools
• Selection – Onboarding
• Training and Development
• Staff Retention
• Career Development
• Recycling the Analyst
Resourcing Your SOC
Analytical – Technical – Ops – Business
• Mindset
• Background
• Skills
• Job Specs
• Interviews (Staffing Models)
• Team and Individual plans
• Career Planning
• Goals
• Internal Resource Planning
Your Options With HPE
• In House – SOC Manager, Ops Lead, Analysts, Engineer, Content; In House SIEM
• Hybrid – 8*5 Monitoring In House, OOH Monitoring Off Site; In House SIEM
• Hybrid – 24*7 Monitoring, Level 1 (Triage) Off Site; In House SIEM
• Hybrid – 24*7 Monitoring, Level 1 and 2 (Triage) Off Site; In House / Offsite SIEM
• Outsourced – 24*7 Monitoring Off Site; Off Site SIEM
If you know the enemy and know yourself you need not fear the results of a hundred battles…
uk.linkedin.com/in/leewhatford
Thank you