The Healthy SOC – A Case Study

Chad Sadosty - Senior Manager, Cybersecurity Operations Center
Richard Noel - Manager, MSSP, CSOC Tier 1

©2017 MFMER



Agenda

• Bios / About Mayo Clinic

• Why do you need a SOC?

• SOC Take 1 – First Iteration

• SOC Stabilization

• SOC Take 2 – Transformation

• MSSP Engagement

• Use Cases

• Metrics

• Future SOC


Chad Bio

• USMC

• Mayo Clinic 17 years

• Help desk

• Desktop analyst

• Server admin

• Server manager

• SOC Sr. Manager


Richy Bio

• More handsome than Chad, however shorter and chubbier.

• Started career in Security in 2002 at an MSSP

• From a NOC to a SOC

• Worked for Pharmaceutical company in Montreal

• Ran for Member of Parliament in 2011

• Enjoys going to Burning Man

• Moved to Rochester, Minnesota to work for Mayo!


About Mayo Clinic

• Mayo Clinic is an integrated group practice of medicine

• Our mission is to provide the best care to every patient every day through integrated clinical practice, education and research


About Mayo Clinic

• Rochester, Minnesota

• Scottsdale, Arizona

• Jacksonville, Florida


Why do you need a SOC?

• To keep your feet warm, silly!

• Company Breach?

• News of a breach in your business vertical

• Watching the news of major brands being breached

• General Paranoia???


SOC Take 1 - In The Beginning….

• Need for a SOC Identified

• Bought the Security things to do the Security stuff!

• Got a SIEM and threw all the logs at it

• Tried to use vendor defined alarms

• Re-aligned staff from IT and made them SOC staff


We ended up with….

• Well intentioned staff with limited security knowledge

• Incident Response program documented, but not followed

• No training or process improvement

• Primarily focused on responding to phishing threats

• With lots of firefighting for other stuff

• Non-functioning SIEM. Insufficient tooling


SOC Take 1 - Stabilization

• Complete tear down of the SIEM

• Only ingest logs that are required by use cases

• Re-evaluate all the tools and how we use them

• Start to automate our Phishing process

• Formalize our Incident Response Program

• Train Staff


Incident Response Realignment

• Align to NIST 800-61 rev 2

• Include quarterly tabletop exercises

• Include a “Lessons Learned” process to integrate improvements

• Include integrations with other key departments

Incident Response Overview

SIEM Redeployment

• Original SIEM installation was burned to the ground and rebuilt with significant assistance from the vendor.

• Log sources were rationalized to include only logs needed to fire alarms.

• No more logging everything just because.
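The "only ingest what a use case needs" rule above is easy to state and easy to drift away from. The following is an added example, not code from the Mayo Clinic deck: it models each use case as the set of log sources its alarm logic reads, then reports the sources being ingested that no use case consumes (cost with no alarm) and the use cases that cannot fire because a required source is missing. The use case names, log source names and ingestion list are constructed for illustration.

```python
"""Use-case-driven log source rationalization for a SIEM.

Added example; it is not code from the Mayo Clinic deck. The use cases,
log source names and ingestion list below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class UseCase:
    """A detection use case and the log sources its alarm logic reads."""
    name: str
    required_sources: frozenset[str]


@dataclass
class IngestPlan:
    """What the SIEM currently ingests, checked against the use cases it serves."""
    ingested: set[str]
    use_cases: list[UseCase] = field(default_factory=list)

    def needed_sources(self) -> set[str]:
        """Union of every source any use case depends on."""
        needed: set[str] = set()
        for uc in self.use_cases:
            needed |= uc.required_sources
        return needed

    def orphan_sources(self) -> set[str]:
        """Ingested sources no use case consumes: licence and storage cost, no alarm."""
        return self.ingested - self.needed_sources()

    def blocked_use_cases(self) -> dict[str, set[str]]:
        """Use cases whose alarm cannot fire because a required source is not ingested."""
        return {
            uc.name: set(uc.required_sources - self.ingested)
            for uc in self.use_cases
            if not uc.required_sources <= self.ingested
        }

    def consumers(self, source: str) -> set[str]:
        """Use cases that would break if this source were decommissioned."""
        return {uc.name for uc in self.use_cases if source in uc.required_sources}

    def rationalized_sources(self) -> set[str]:
        """The ingestion list after dropping orphans and adding missing dependencies."""
        return self.needed_sources()


# Constructed sample data (assumptions, not Mayo's actual use cases or sources).
SAMPLE_USE_CASES = [
    UseCase("phishing_link_click", frozenset({"email_gateway", "web_proxy"})),
    UseCase("commodity_malware_detected", frozenset({"endpoint_av"})),
    UseCase("brute_force_logon", frozenset({"windows_security"})),
    UseCase("privileged_group_change", frozenset({"windows_security", "iam_audit"})),
]
SAMPLE_INGESTED = {
    "email_gateway", "web_proxy", "endpoint_av", "windows_security",
    "dhcp", "printer_syslog", "netflow",   # ingested "just because"
}


def sample_plan() -> IngestPlan:
    """Build the constructed plan so the checks can be run and asserted on."""
    return IngestPlan(ingested=set(SAMPLE_INGESTED), use_cases=list(SAMPLE_USE_CASES))


if __name__ == "__main__":
    plan = sample_plan()
    print("orphan sources (drop):", sorted(plan.orphan_sources()))
    print("blocked use cases (add sources):", plan.blocked_use_cases())
    print("rationalized list:", sorted(plan.rationalized_sources()))
```

Run as-is, the check flags `dhcp`, `printer_syslog` and `netflow` as orphans and reports that the `privileged_group_change` use case is blocked until `iam_audit` is ingested. Re-running it whenever a use case is added or retired, or a source is proposed for decommissioning (`consumers()` shows who depends on it), keeps the ingestion list tied to alarms rather than to habit.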


SIEM Use Case – Initial Load

• Based on alarms from existing security tools to provide a single pane of glass

• Based on industry best practice – what are other SOCs doing?

• And lots of good intentions…..


SOC Take 2 – What can we do better?

• Coverage only during business hours

• On-Call rotation for after hours support

• Flat staffing model

• Insufficient human resources


SOC Transformation – More Than Meets The Eye!

• Hybrid staffing model with internal SOC and managed security service provider (MSSP)

• Dedicated 24x7 security monitoring

• Refined business processes and established security monitoring use-cases

• Standardize documentation and templates

SOC Transformation – More Than Meets The Eye! (continued)

• Regular maintenance review and testing of incident response plan and SOC policies

• Mayo-specific alarms, based on use cases, driven by business requirements, backed by policy and standards


Managed Security Services – Vendor Selection

• SOC Maturity a factor in selection process

• Most MSSPs assume an immature SOC

• Mayo wanted to retain intellectual property of SIEM alarms and SOPs

• Needed more “Staff Backfill” of Tier 1 rather than the traditional MSSP model of Alarm Notification.

• MSSP needed to use Mayo provided tools

• No offshoring or storage of Mayo data off Mayo systems!

• SIEM as single pain of glass


Managed Security Services, Roles and Responsibilities

MSSP:

• Continuous security monitoring; responds to all security events generated/reported

• All initial triage of security alerts coming into the SOC; follow the SOP to investigate, escalate if necessary, or close

SHARED:

• Monitoring and response capabilities enhancement

• Security event investigation based on SOP

MAYO:

• SIEM, enterprise/operating systems of all security tools: configuration, maintenance, etc.

• IT systems

• Tier 2+ escalations

• SOC SOPs/run books ownership

• Incident response


Tiered Staffing, not Tired Staffing – Tier 1 MSSP

• Responds to SIEM alarms, triages and creates cases.

• Provides additional insight on threats by gathering relevant artifacts

• Escalates to Tier 2 for investigation OR escalates to SOC on-call for high severity cases

• Provides 24x7 coverage


Tiered Staffing, not Tired Staffing – Tier 1 Mayo

• Responds to Tier 1 general threats to Mayo Clinic, such as commodity malware and broad phishing campaigns

• Works with Tier 1 and 2 analysts to expand knowledge and capabilities

• Assists with Use Case, Alarm and SOP development, documentation and training


Tiered Staffing, not Tired Staffing – Tier 2

• Assists with tuning and development of detection signatures

• Performs investigations on escalated incidents

• Assists with Tier 1 and Tier 3 duties as needed

• Mentors Tier 1 engineers


Tiered Staffing, not Tired Staffing – Tier 3

• Acts as the IR subject matter expert

• Reverse engineering of Malware

• Leads forensic investigations and severity 1 and 2 incidents

• Mentor for Tier 1 and 2 employees

• Works with TI for attribution on high severity incidents
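The four tier slides above describe an escalation path: MSSP Tier 1 triages against the SOP, closes what the SOP clears, sends the rest to Tier 2, and sends high-severity cases straight to the SOC on-call, with Tier 3 leading severity 1 and 2 incidents. The following is an added example, not code from the deck, that encodes that routing rule and computes a few hand-off metrics a SOC manager would watch (escalation rate, time to acknowledge, time to close at Tier 1). The severity scale (1 highest, 4 lowest), the disposition vocabulary, the on-call threshold and the sample cases are all constructed assumptions.

```python
"""Tiered case routing and handling metrics for a hybrid MSSP / in-house SOC.

Added example; it is not code from the Mayo Clinic deck. The severity scale
(1 = highest, 4 = lowest), the SOP dispositions, the on-call threshold and the
sample cases are constructed assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Disposition(Enum):
    """Outcome of the Tier 1 SOP check on an alarm (assumed vocabulary)."""
    FALSE_POSITIVE = "false_positive"   # alarm logic misfired; close and note for tuning
    BENIGN = "benign"                   # real but expected activity; close
    SUSPICIOUS = "suspicious"           # cannot be cleared at Tier 1; needs investigation
    CONFIRMED = "confirmed"             # confirmed malicious


@dataclass
class Case:
    case_id: str
    severity: int                     # 1 (highest) .. 4 (lowest), assumed scale
    disposition: Disposition
    opened_at: datetime
    acknowledged_at: datetime
    closed_at: datetime | None = None


ON_CALL_SEVERITY = 2   # severity 1-2 counts as "high severity" (assumption)


def route(case: Case) -> str:
    """Where MSSP Tier 1 sends a case after triage per the SOP.

    Closed at Tier 1 when the SOP clears it; otherwise high severity goes
    straight to the SOC on-call (Tier 3 leads sev 1/2 incidents) and the
    rest goes to Tier 2 for investigation.
    """
    if case.disposition in (Disposition.FALSE_POSITIVE, Disposition.BENIGN):
        return "closed_tier1"
    if case.severity <= ON_CALL_SEVERITY:
        return "soc_on_call"
    return "tier2"


def handling_metrics(cases: list[Case]) -> dict:
    """A few queue metrics for the Tier 1 hand-off (assumed KPI choice)."""
    routes = Counter(route(c) for c in cases)
    escalated = routes["tier2"] + routes["soc_on_call"]
    ack_minutes = [(c.acknowledged_at - c.opened_at).total_seconds() / 60 for c in cases]
    tier1_close_minutes = [
        (c.closed_at - c.opened_at).total_seconds() / 60
        for c in cases if route(c) == "closed_tier1" and c.closed_at is not None
    ]
    return {
        "cases": len(cases),
        "routes": dict(routes),
        "escalation_rate": round(escalated / len(cases), 2) if cases else 0.0,
        "mean_ack_minutes": round(sum(ack_minutes) / len(ack_minutes), 2) if ack_minutes else 0.0,
        "mean_tier1_close_minutes": (
            round(sum(tier1_close_minutes) / len(tier1_close_minutes), 2)
            if tier1_close_minutes else 0.0
        ),
    }


# Constructed sample queue (assumed data).
_T0 = datetime(2017, 6, 1, 8, 0)
SAMPLE_CASES = [
    Case("C-1", 4, Disposition.FALSE_POSITIVE, _T0, _T0 + timedelta(minutes=5),
         closed_at=_T0 + timedelta(minutes=20)),
    Case("C-2", 3, Disposition.SUSPICIOUS, _T0 + timedelta(hours=1),
         _T0 + timedelta(hours=1, minutes=10)),
    Case("C-3", 1, Disposition.CONFIRMED, _T0 + timedelta(hours=2),
         _T0 + timedelta(hours=2, minutes=3)),
    Case("C-4", 2, Disposition.BENIGN, _T0 + timedelta(hours=3),
         _T0 + timedelta(hours=3, minutes=15),
         closed_at=_T0 + timedelta(hours=3, minutes=25)),
    Case("C-5", 3, Disposition.CONFIRMED, _T0 + timedelta(hours=4),
         _T0 + timedelta(hours=4, minutes=8)),
]


if __name__ == "__main__":
    for c in SAMPLE_CASES:
        print(c.case_id, "sev", c.severity, c.disposition.value, "->", route(c))
    print(handling_metrics(SAMPLE_CASES))
```

A high-severity case that the SOP clears as a false positive still closes at Tier 1 in this rule; if the SOC wants every severity 1 alarm seen by the on-call regardless of disposition, that is a one-line change in `route()` and the escalation rate will rise accordingly, which is exactly the kind of trade-off the metrics slide is meant to make visible.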


Key Elements for Success

• Leadership endorsement

• A framework to follow

• NIST

• Governance People/Process/Technology

• Policies

• Standards

• Documentation

• Charter

• Use cases

• SOPs

• Metrics

• After Action Reports

• Staff with the right training and skills


SOC Charter

• Provide a Mission Statement

• Identify Stakeholders

• Describe SOC Goals

• Event Management

• Incident Response

• Forensic Investigation

• Set out Tiered Staffing Model


Use Cases from Business Requirements


Use Cases


Use Case and Alarm Lifecycle


Metrics and KPIs



The Future

• Automation and Orchestration

• Integration with TH and TI

• Machine and user analytics

• Integration with other security and IT tools

• Use case request process

• Security in the cloud……


Questions