Building Security Operation Center

Denis Batrankov, Solution Architect, [email protected]

Posted 16-Jan-2015


©2013 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice

Why HP speaks about it

Security Intelligence & Operations Centres (SIOC): built 29+ SIOCs, consulted on 60+ SIOCs; expertise, experience, methodology.

1. Help customers establish a Security Intelligence capability that can monitor, analyse and escalate significant information security events to protect the confidentiality, integrity and availability of the information technology enterprise;

2. Ensure HP ArcSight customers are successful with the product by assisting in providing the right people skills, building the right processes and delivering effective technology; and

3. Add value to the customer’s organization by using metrics to track effectiveness of controls and use intelligence to proactively protect against attack.

HP SIOC Consultants Background

1. Built and ran Microsoft’s SOC

2. Built and ran IBM’s Managed Security Service Provider SOC

3. Built and ran Verizon’s Managed Security Service Provider SOC

4. Built and ran Symantec’s Managed Security Service Provider SOC

5. Built and ran the SIOC for Europe’s largest Software-as-a-Service business

SIEM - Security Information & Event Management

ArcSight Is the Only Solution

ArcSight Platform

A comprehensive platform for monitoring modern threats and risks

• Capture any data from any system, including applications (SAP and others)

• Manage and store every event

• Analyze events in real time

• Identify unusual behavior at user level

• Respond quickly to prevent loss

Covers a wide range of product categories: Access and Identity, Anti-Virus, Applications, Content Security, Database, Data Security, Firewalls, Honeypot, Network IDS/IPS, Host IDS/IPS, Integrated Security, Log Consolidation, Mail Filtering, Mail Server, Mainframe, NBAD, Network Management, Network Monitoring, Net Traffic Analysis, Policy Management, Security Management, Router, Web Cache, Web Filtering, Switch, Vulnerability Mgmt, Web Server, Operating System, VPN, Wireless.

Accounts Correlation

Collect all identifiers: email address, badge ID, phone extension

Events from different sources are attached to the activity of one person

Each event is tagged with a “who it is” field, so that the person's activity and behavior can be understood

Diagram: the Accounts rjackson, 348924323, [email protected], robertj, rjackson_dba and 510-555-1212 all map to the Identity Robert Jackson
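The correlation the slide describes, as an added example that is not part of the HP deck: events that name the actor by a badge number, a directory account, a database login, a mail address or a phone extension are all tagged with the same "who it is" value and then grouped per person. The account names, badge ID and phone number are the ones shown on the slide; the email address, the event records and the function names are constructed for this example.

```python
# Added example (not from the HP slides): attach a "who it is" field to
# events that name the actor by different identifiers, then group activity
# per person, as the Accounts Correlation slide describes.
# The account names, badge ID and phone number are the ones shown on the
# slide; the email address, the event records and the function names are
# constructed for this example.
from collections import defaultdict

# Identity store: one person, many identifiers (account, badge, mail, phone).
IDENTITIES = {
    "Robert Jackson": {
        "rjackson", "348924323", "rjackson@example.com",  # email is a constructed placeholder
        "robertj", "rjackson_dba", "510-555-1212",
    },
}


def build_lookup(identities):
    """Invert the identity store into identifier -> person (case-insensitive)."""
    lookup = {}
    for person, identifiers in identities.items():
        for ident in identifiers:
            lookup[ident.lower()] = person
    return lookup


# Constructed sample events from six source types; each names the actor
# with a different kind of identifier, which is why per-source views alone
# never show them as one person's activity.
EVENTS = [
    {"ts": "08:02", "src": "badge", "actor": "348924323", "action": "door entry, server room"},
    {"ts": "08:10", "src": "ad", "actor": "RobertJ", "action": "interactive logon"},
    {"ts": "08:40", "src": "db", "actor": "rjackson_dba", "action": "SELECT on payroll table"},
    {"ts": "08:55", "src": "mail", "actor": "rjackson@example.com", "action": "outbound mail, 40 MB attachment"},
    {"ts": "09:00", "src": "pbx", "actor": "510-555-1212", "action": "outbound call"},
    {"ts": "09:05", "src": "vpn", "actor": "jdoe", "action": "logon"},  # not in the identity store
]


def attribute(events, lookup):
    """Return copies of the events with a 'who' field (None when unknown)."""
    return [{**ev, "who": lookup.get(ev["actor"].lower())} for ev in events]


def activity_by_person(events):
    """Group attributed events per person; unattributed events land under None."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["who"]].append(ev)
    return dict(grouped)


def timeline(events, lookup, person):
    """Chronological activity for one person across all sources."""
    mine = [ev for ev in attribute(events, lookup) if ev["who"] == person]
    return sorted(mine, key=lambda ev: ev["ts"])


if __name__ == "__main__":
    for ev in timeline(EVENTS, build_lookup(IDENTITIES), "Robert Jackson"):
        print(ev["ts"], ev["src"], ev["action"])
```

The unattributed `jdoe` event is kept under `None` rather than dropped: in practice the list of actors the identity store cannot resolve is itself a data-quality metric worth reporting, because every unresolved identifier is activity the per-person profile cannot see.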

HP ArcSight ThreatDetector – Profile activity

• Early detection

• Different methods to detect good and bad behavior

• Looks at typical actors: insider, angry admin, intruder

• Allows new patterns of behavior to be created

• Immediately checks all previous events against a detected pattern of behavior

Key Benefits of “In-house” Operations

Maintain end-to-end control of security processes and data; increased monitoring efficiency

Business requirements are incorporated into the solution

Ability to expand the security/compliance footprint easily (at little or no additional cost)

Creates the platform for security monitoring and reporting

Mission: Monitor, recognize, and escalate significant information security events to protect the confidentiality, integrity and availability of the information technology enterprise.

Main questions before building a SOC

Why?

What business issues will the SOC resolve?

What exact tasks will the SOC handle? (blocking attacks from the Internet, PCI DSS compliance, insider activity detection, incident handling, etc.)

Who will receive information from the SOC?

Who is the sponsor of the SOC project? Who is responsible for this project inside the organization? What do they expect from the SOC?

What events should be collected by the SOC?

Examples of SOC use (from a customer)

Malware spread detection

Control of Windows servers

Monitor Active Directory

Monitor data leakage (DLP)

Monitor VIP (top managers) devices

Monitor IPS

PCI compliance: reporting and alerting

Monitor privileged users

What are Security Operations?

Diagram: security operations as PEOPLE, PROCESS and TECHNOLOGY. Figure elements: Customers, Level 1, Level 2, Engineer, Incident Handler, Escalation, Case closed (steps numbered 1 to 6 in the original figure).

People in SOC (photo: Olympic Games, Kazan, Russia, July 2013)

Establish the Right Skills

Roles

Security Intelligence:

• Manager

• Level-1 Analyst

• Level-2 Analyst

• SIEM Content Specialist

Key Organizations:

• Incident Manager

• Forensic Analyst

• SIEM Engineer

Training

Information Security Bootcamp

ArcSight Training:

• ArcSight ESM Operations

• ArcSight ESM Security Analyst

• ArcSight ESM Use Case Foundations

SANS Institute:

• GIAC Certified Intrusion Analyst (GCIA)

• GIAC Certified Incident Handler (GCIH)

On-the-Job Training & Mentoring

Career Progression

SOC Methodology

• Assess the customer’s business requirements and capability compared with security operations best practices.

• Design people, process and technology to deliver business objectives and provide a practical roadmap to best practice.

• Manage measurable, repeatable and continually improved security operations.

• Mature the customer’s capability to provide continual improvements in efficiency and risk coverage.

HP Security Intelligence & Operations Consulting has a proven methodology for building and operating a security intelligence and operations capability.

Diagram: SOC lifecycle of Assess, Design, Manage and Mature.

Security Intelligence

• Proactive research into new threats and risks to your organisation

• The only team with end-to-end vision and situational awareness

• Feedback on control effectiveness

• Monitoring of threat agent channels for upcoming attacks

SOC Cost Components

Labor Direct

• SOC Analysts (24x7x365)

• SOC Manager

• SIEM Engineer (Administration and Content Development)

• Education and Training for SOC Personnel

Labor Indirect

• Security Device Management (Device: Analyst = 20:1 – 60:1)

• Incident Response Team

Software

• ArcSight ESM w/ High Availability Failover

• Connectors

• Full Consoles / Web Consoles

• Compliance Insight Packages

• Maintenance and Support

Hardware (5 yr amortization schedule)

• ESM Servers

• Database Servers

• Connector Appliances

• Workstations w/ dual monitor displays and Laptops

• Uninterruptible power supplies (UPS)

Storage

• High performance RAID 1+0 SAN, 1-10+ Terabytes (driven by data retention requirements and events/day)

Services

• ESM Professional Services Installation

• Long term engineering or content development services

• IT Support Services (3rd party ticketing systems, network infrastructure, annualize IT business processes, etc.)

• Systems Management Services (availability, backup / recovery, capacity / performance, system administration)

• Threat Intelligence Subscription

Facilities

• Hardened and secure datacenter location

• SOC facility

• Wall mountable screens or projectors

• Telecommunications – Phone / IP Phone

• Power and HVAC

• Maintenance

Build-a-SOC

Staff Rota

Use Cases

Use Case | Primary Data Sources | Alert Criteria | Action

Botnet activity | Firewall, IDS, Proxy, Mail, Threat Intelligence | Connection to or from known malicious host or domain | Display in analyst active channel

Virus outbreak | Antivirus | 3 viruses detected with same name in 10 minutes | Page desktop team / display in dashboard

Successful attack / malicious code | IDS/IPS, Vulnerability | Targeted asset exhibits vulnerability, relevance=10 | Page server team / display in active channel / display in dashboard

SQL injection | Web Server, DAM, IDS/IPS | 5 injection attempts within specified time frame | Display in analyst active channel

Phishing | Threat Intelligence, Firewall, IDS, Proxy, Mail | Connection to or from known malicious host or domain | Display in analyst active channel

Unauthorized remote access | VPN, Applications | Successful VPN authentication from a non domain member | Display in analyst active channel / Page network team

New vulnerability on DMZ host | Vulnerability | New vulnerability identified on publicly accessible host | Email daily report to vulnerability team

Suspicious activity | Firewall, IDS, Mail, Proxy, VPN | Escalating watch lists (recon, exploit, brute force, etc.) | Email daily suspicious user activity report to level 1

Statistical anomaly | IDS, Firewall, Proxy, Mail, VPN, Web Server | Moving average variation of X magnitude in specified time frame | Display alerts in situational awareness dashboard

New pattern of activity | IDS, Firewall, Proxy, Mail, VPN, Web Server | Previously unseen pattern detected | Display in analyst active channel
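Two of the table's alert criteria are count-over-time-window rules ("3 viruses detected with same name in 10 minutes", "5 injection attempts within specified time frame"). The following is an added example, not code from the HP deck or from ArcSight, of the sliding-window logic such a rule needs, run over constructed sample events; the 5-minute frame for the SQL injection rule is an assumption because the slide does not specify one, and the timestamps, hostnames, virus names and field names are all constructed.

```python
# Added example (not from the HP slides): a sliding-window count rule of the
# kind listed in the use case table, run over constructed sample events.
# The two rule definitions follow the table's criteria: "3 viruses detected
# with same name in 10 minutes" and "5 injection attempts within specified
# time frame" (the 5-minute frame is an assumption, the slide does not give
# one). Event timestamps, hostnames, virus names and field names are
# constructed for this example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

RULES = [
    {
        "name": "Virus outbreak",
        "source": "antivirus",
        "key": "virus_name",          # count detections per virus name
        "threshold": 3,
        "window": timedelta(minutes=10),
        "action": "Page desktop team / display in dashboard",
    },
    {
        "name": "SQL injection",
        "source": "web_server",
        "key": "dst_host",            # count attempts per targeted web server
        "threshold": 5,
        "window": timedelta(minutes=5),  # assumed "specified time frame"
        "action": "Display in analyst active channel",
    },
]

# Constructed events: (timestamp, source type, normalised fields)
EVENTS = [
    ("2013-07-01 10:00:00", "antivirus", {"virus_name": "W32.Sample", "host": "ws01"}),
    ("2013-07-01 10:03:00", "antivirus", {"virus_name": "W32.Sample", "host": "ws02"}),
    ("2013-07-01 10:04:00", "antivirus", {"virus_name": "Other.Worm", "host": "ws03"}),
    ("2013-07-01 10:08:00", "antivirus", {"virus_name": "W32.Sample", "host": "ws04"}),  # 3rd within 8 min
    ("2013-07-01 10:30:00", "antivirus", {"virus_name": "W32.Sample", "host": "ws05"}),  # window expired
    ("2013-07-01 11:00:00", "web_server", {"dst_host": "web01", "sig": "sqli"}),
    ("2013-07-01 11:01:00", "web_server", {"dst_host": "web02", "sig": "sqli"}),  # different target
    ("2013-07-01 11:01:30", "web_server", {"dst_host": "web01", "sig": "sqli"}),
    ("2013-07-01 11:02:00", "web_server", {"dst_host": "web01", "sig": "sqli"}),
    ("2013-07-01 11:03:00", "web_server", {"dst_host": "web01", "sig": "sqli"}),
    ("2013-07-01 11:04:00", "web_server", {"dst_host": "web01", "sig": "sqli"}),  # 5th within 4 min
    ("2013-07-01 11:20:00", "web_server", {"dst_host": "web01", "sig": "sqli"}),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def evaluate(rules, events):
    """Feed events in time order through every matching rule.

    For each (rule, key value) a deque holds the timestamps still inside the
    window. When the deque reaches the threshold an alert is emitted and the
    deque is cleared, so one outbreak produces one alert rather than one per
    further event."""
    windows = defaultdict(deque)
    alerts = []
    for ts_text, source, fields in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_text)
        for rule in rules:
            if source != rule["source"] or rule["key"] not in fields:
                continue
            bucket = (rule["name"], fields[rule["key"]])
            window = windows[bucket]
            window.append(ts)
            while ts - window[0] > rule["window"]:   # drop timestamps outside the window
                window.popleft()
            if len(window) >= rule["threshold"]:
                alerts.append({
                    "rule": rule["name"],
                    "key": fields[rule["key"]],
                    "count": len(window),
                    "first": window[0],
                    "last": ts,
                    "action": rule["action"],
                })
                window.clear()
    return alerts


if __name__ == "__main__":
    for alert in evaluate(RULES, EVENTS):
        print(f"{alert['last']} {alert['rule']} [{alert['key']}] x{alert['count']} -> {alert['action']}")
```

The key choice is what the rule groups by: the virus rule counts per virus name (the same name on three different hosts is the outbreak signal), while the injection rule counts per targeted server, so probes spread across two servers do not add up into one alert. Clearing the window after firing is the simplest form of alert suppression; a production rule would usually also record the hosts involved so the page to the desktop team already carries the affected machines.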

Event funnel (figure): 750 events = 31.25 EPAH

Analyst Effectiveness

Week Raw Correlated Analysts Raw / Analyst Correlated / Analyst

Week 1 38,697,210 97,922 10 3,869,721 9,792.20

Week 2 60,581,457 66,102 10 6,058,146 6,610.20

Week 4 55,585,228 19,116 10 5,558,523 1,911.60

Week 5 55,917,976 23,755 10 5,591,798 2,375.50

Week 6 54,044,928 18,340 10 5,404,493 1,834.00

Week 7 59,840,026 18,340 10 5,984,003 1,834.00

Week 8 72,364,038 33,866 10 7,236,404 3,386.60

Week 9 71,964,115 30,927 10 7,196,412 3,092.70

Week 10 71,500,000 28,900 10 7,150,000 2,890.00

Week 11 59,600,000 19,300 10 5,960,000 1,930.00

Week 12 51,200,000 11,400 10 5,120,000 1,140.00

Week 13 67,600,000 17,600 10 6,760,000 1,760.00

Week 14 76,600,000 30,000 10 7,660,000 3,000.00

Week 15 75,300,000 22,000 10 7,530,000 2,200.00

Week 16 69,200,000 17,000 10 6,920,000 1,700.00

Week 17 97,800,000 17,800 10 9,780,000 1,780.00

Week 18 108,500,000 11,500 10 10,850,000 1,150.00

Week 19 183,200,000 5,600 10 18,320,000 560.00

Week 20 182,400,000 5,100 10 18,240,000 510.00

Week 21 170,000,000 4,800 10 17,000,000 480.00

Week 22 182,400,000 7,600 10 18,240,000 760.00

Week 23 219,000,000 11,300 10 21,900,000 1,130.00

Week 24 168,800,000 8,100 10 16,880,000 810.00

Week 25 151,500,000 6,876 10 15,150,000 687.60

Week 26 170,500,000 7,813 10 17,050,000 781.30

Week 27 165,300,000 28,247 10 16,530,000 2,824.70

Week 28 161,500,000 4,569 10 16,150,000 456.90

Week 29 186,700,000 6,164 10 18,670,000 616.40

Week 30 173,600,000 5,632 10 17,360,000 563.20

Average 112,454,999 20,195 11,245,500 2,020

Median 76,600,000 17,600 7,660,000 1,760

Chart: Weekly Analysis of Events per Analyst (x = 1 to 29, one point per table row)

Raw Events / Analyst: trend line y = 589551x + 2E+06 (axis 0 to 25,000,000)

Correlated Events / Analyst: trend line y = -150.3x + 4274 (axis -2,000 to 12,000)
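To make the table and the chart reproducible, here is an added example (not from the HP deck) that recomputes the per-analyst columns, the average and median rows, and the two trend lines from the weekly figures on the slide. The only assumption is the chart's x axis: the table has 29 rows (week 3 is absent), and fitting against row index 1 to 29 reproduces the printed slopes, so that is what the code uses. Function names are this example's own.

```python
# Added example (not from the HP slides): recompute the per-analyst columns
# of the "Analyst Effectiveness" table and the two trend lines printed on the
# chart. The weekly raw/correlated counts and the 10-analyst headcount are the
# slide's figures; the fit is ordinary least squares with x = row index 1..29
# (the chart's x axis; week 3 is absent from the table, so x is not the week
# number). Function names are this example's own.
from statistics import mean, median

ROWS = [  # (week, raw events, correlated events, analysts) from the slide
    (1, 38_697_210, 97_922, 10), (2, 60_581_457, 66_102, 10),
    (4, 55_585_228, 19_116, 10), (5, 55_917_976, 23_755, 10),
    (6, 54_044_928, 18_340, 10), (7, 59_840_026, 18_340, 10),
    (8, 72_364_038, 33_866, 10), (9, 71_964_115, 30_927, 10),
    (10, 71_500_000, 28_900, 10), (11, 59_600_000, 19_300, 10),
    (12, 51_200_000, 11_400, 10), (13, 67_600_000, 17_600, 10),
    (14, 76_600_000, 30_000, 10), (15, 75_300_000, 22_000, 10),
    (16, 69_200_000, 17_000, 10), (17, 97_800_000, 17_800, 10),
    (18, 108_500_000, 11_500, 10), (19, 183_200_000, 5_600, 10),
    (20, 182_400_000, 5_100, 10), (21, 170_000_000, 4_800, 10),
    (22, 182_400_000, 7_600, 10), (23, 219_000_000, 11_300, 10),
    (24, 168_800_000, 8_100, 10), (25, 151_500_000, 6_876, 10),
    (26, 170_500_000, 7_813, 10), (27, 165_300_000, 28_247, 10),
    (28, 161_500_000, 4_569, 10), (29, 186_700_000, 6_164, 10),
    (30, 173_600_000, 5_632, 10),
]


def per_analyst(rows):
    """(week, raw per analyst, correlated per analyst) for every row."""
    return [(week, raw / n, corr / n) for week, raw, corr, n in rows]


def linear_fit(xs, ys):
    """Ordinary least squares: (slope, intercept) of y = slope * x + intercept."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def trends(rows):
    """Trend lines of the two per-analyst series against row index 1..n."""
    pa = per_analyst(rows)
    xs = list(range(1, len(pa) + 1))
    return {
        "raw_per_analyst": linear_fit(xs, [r for _, r, _ in pa]),
        "correlated_per_analyst": linear_fit(xs, [c for _, _, c in pa]),
    }


def summary(rows):
    """Average and median of the raw and correlated columns, as on the slide."""
    raw = [r for _, r, _, _ in rows]
    corr = [c for _, _, c, _ in rows]
    return {"raw": (mean(raw), median(raw)), "correlated": (mean(corr), median(corr))}


def reduction_ratio(rows):
    """Raw events per correlated event each week: how hard the SIEM content filters."""
    return [(week, raw / corr) for week, raw, corr, _ in rows]


if __name__ == "__main__":
    t = trends(ROWS)
    print("raw/analyst: y = %.0fx + %.0f" % t["raw_per_analyst"])
    print("correlated/analyst: y = %.1fx + %.0f" % t["correlated_per_analyst"])
```

The two slopes carry the slide's point: raw volume per analyst grows by roughly 590,000 events a week while correlated events per analyst fall by about 150 a week, which is what improving correlation content should look like. The `reduction_ratio` series (raw per correlated event) is the metric to watch for that, since a headcount of ten never changes here and the raw column alone says nothing about analyst load.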

The Cyber Killchain

Ensure the Operations are Repeatable

BC/DR: Business Continuity Plan, Disaster Recovery Plan

Process Improvement: Maturity Assessments, Project Methodology, Knowledgebase (wiki)

Compliance: Internal Compliance, Compliance Support

Metrics: Reporting KPIs, Infrastructure Performance, Operational Efficiencies

Event Management: Triage, Callouts, Case Management, Crisis Response

Daily Operations: Shift Schedule, Monitoring, Problem and Change, Shift Turn-Over, Daily Operations Call

Training: Training plans, Skills Development tracking

Subtle Event Detection: Data Visualization, Pattern Analysis

Reporting: Analyst Comments, Incident Summary, Threat Reports

Incident Management: Incident Research, Focused Monitoring, Incident Response

Intrusion Analysis: Event Analysis, Threat Intelligence, Information Fusion

Design: Developing Use Cases, User and Asset Modeling, Configuration Management, SIEM Architecture, Data Feed Integration

System Administration: Access Management, Maintenance and Upgrades

Improve processes

CMMI - Capability Maturity Model® Integration

Workflow: Merging people, process & technology

Category | SIEM priority 0-2 | 3-4 | 5-6 | 7-8 | 9-10

Unauthorized Root/Admin Access | A | A | A | C1 | C1

Unauthorized User Access | A | A | I2 | C2 | C1

Attempted Unauthorized Access | A | A | A | I3 | C3

Successful Denial of Service | A | A | I2 | C2 | C1

Policy Violation | A | A | T3 | T2 | T1

Reconnaissance | A | A | A | I3 | I2

Malware Infection | A | A | T3 | T2 | C2

Legend

C1: Critical callout – 15 min

C2: Urgent callout – 30 min

C3: Routine callout – 2 hr

I2: Urgent investigation

I3: Routine investigation

T1: Critical ticket opened

T2: Urgent ticket opened

T3: Routine ticket opened

A: Active monitoring
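The matrix above is the kind of table that belongs in code rather than on a wall, so that the console, the ticketing integration and the on-call pager all read the same answer. The following added example (not from the HP deck or ArcSight) encodes the categories, priority bands, codes and callout deadlines exactly as the slide gives them; the function names and the urgency order used to sort a triage queue are this example's own assumptions.

```python
# Added example (not from the HP slides): the "Workflow" matrix and its
# legend encoded as data, with a lookup from incident category and SIEM
# priority to the required response. The categories, bands, codes and
# callout times are the slide's; the function names and the urgency order
# used for sorting are this example's own choices.
PRIORITY_BANDS = ((0, 2), (3, 4), (5, 6), (7, 8), (9, 10))

MATRIX = {  # one code per priority band, in PRIORITY_BANDS order
    "Unauthorized Root/Admin Access": ("A", "A", "A", "C1", "C1"),
    "Unauthorized User Access":       ("A", "A", "I2", "C2", "C1"),
    "Attempted Unauthorized Access":  ("A", "A", "A", "I3", "C3"),
    "Successful Denial of Service":   ("A", "A", "I2", "C2", "C1"),
    "Policy Violation":               ("A", "A", "T3", "T2", "T1"),
    "Reconnaissance":                 ("A", "A", "A", "I3", "I2"),
    "Malware Infection":              ("A", "A", "T3", "T2", "C2"),
}

LEGEND = {  # code -> (meaning, callout deadline in minutes or None)
    "C1": ("Critical callout", 15),
    "C2": ("Urgent callout", 30),
    "C3": ("Routine callout", 120),
    "I2": ("Urgent investigation", None),
    "I3": ("Routine investigation", None),
    "T1": ("Critical ticket opened", None),
    "T2": ("Urgent ticket opened", None),
    "T3": ("Routine ticket opened", None),
    "A":  ("Active monitoring", None),
}

# Assumed ordering for queue sorting: callouts before tickets and
# investigations, critical before urgent before routine, monitoring last.
URGENCY = ["C1", "C2", "T1", "I2", "C3", "T2", "I3", "T3", "A"]


def band_index(priority):
    """Map a SIEM priority 0-10 to its matrix column; reject anything else."""
    if not isinstance(priority, int) or not 0 <= priority <= 10:
        raise ValueError(f"SIEM priority must be an integer 0-10, got {priority!r}")
    for i, (lo, hi) in enumerate(PRIORITY_BANDS):
        if lo <= priority <= hi:
            return i
    raise AssertionError("priority bands do not cover 0-10")


def response(category, priority):
    """Required response for one alert; an unknown category raises KeyError."""
    code = MATRIX[category][band_index(priority)]
    meaning, minutes = LEGEND[code]
    return {"code": code, "response": meaning, "callout_minutes": minutes}


def triage(alerts):
    """Annotate (category, priority) alerts and order the queue by urgency."""
    queue = [{"category": c, "priority": p, **response(c, p)} for c, p in alerts]
    return sorted(queue, key=lambda a: (URGENCY.index(a["code"]), -a["priority"]))


if __name__ == "__main__":
    for item in triage([("Reconnaissance", 8), ("Malware Infection", 10),
                        ("Policy Violation", 6), ("Unauthorized User Access", 9)]):
        print(item)
```

Rejecting an out-of-range priority instead of clamping it matters: a connector that starts emitting priorities on a different scale should fail loudly in the mapping, not silently land every alert in the "active monitoring" column.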

Analytical Tools

Analytical Tools: Visualisation

Analytical Tools


Monthly Executive Brief


SOC Maturity Assessment

Establish the baseline, pragmatic plan for improvement

Security Operations Maturity Assessment

SOMM Level | Name | Description

Level 0 | Incomplete | Operational elements do not exist

Level 1 | Performed | Reliant on people and relationships, not standardized nor repeatable

Level 2 | Managed | Business goals are met and operational tasks are repeatable. Many SOCs run successfully for some period of time at this maturity level. Missing aspects often include continual improvement and demonstrated ROI.

Level 3 | Defined | Operations are well-defined, subjectively evaluated, and flexible. Recommended maturity level target for most enterprise SOCs. Sufficient structure exists to meet business objectives and demonstrate ROI while still being able to adapt to enterprise requirements and changing threat landscape without excessive overhead in processes.

Level 4 | Measured | Operations are quantitatively evaluated, processes are controlled, reviewed consistently, and proactively improved. Appropriate for a managed service provider environment where financial penalties result from inconsistent delivery. This environment may not be able to adapt to individual client needs or emerging threats and requires dedicated staff to sustain the maturity level.

Level 5 | Optimizing | All processes are tightly constrained and continually measured for deficiencies, variation, and are continually improved. Suitable only for very narrow scope operations focused on point solutions in a tightly controlled and static environment.

Security Operations Maturity Assessment

People 1.57

General 1.75: Roles and responsibilities within the SOC are not defined and therefore cannot be leveraged as criteria for member evaluation.

Training 1.55: The opportunity exists to develop an overall training program that includes a defined structure for analyst onboarding and continual growth through the career of the analyst.

Certifications 1.00: Lack of overall industry certifications possessed by the team.

Experience 1.70: The feeder pool to hire analysts is reasonable, yet the experience and background of some of the analysts is questionable.

Skill Assessments 1.69: A skills assessment program should be adopted and leveraged to improve training plans and the overall skills composition of the group.

Career Path 1.69: There is an opportunity to develop career progression plans and to help guide analysts into senior positions within the SOC or internally within the company.

Leadership 1.77: Conducting an organizational climate survey is encouraged in order to collect feedback and incorporate it into the leadership function.

Process 1.26

Mission 1.27: The SOC mission, vision, and charter should be clearly outlined and articulated within the SOC and to internal groups within the organization.

Operational Process 1.66: There are several opportunities to further develop operational processes and metrics to measure operational efficiencies.

Analytical Process 1.15: Efforts to centralize a knowledge management solution for security analysts are currently underway.

Business Process 0.89: SOC SLAs and analyst KPIs are not developed and therefore cannot be leveraged to capture metrics and track operational efficiencies.

Technology 2.38

SIEM Monitoring 2.45: SIEM meets current business needs. A test environment does exist, which means that content and data feed onboarding does/can go through a proper testing cycle.

Architecture 1.95: Document data flow diagrams for troubleshooting purposes.

Correlation 2.56: Event management metrics are captured and used to track events monitored.

Monitored Technologies 2.22: A wide range of technologies are monitored, giving the SOC wider visibility against attack vectors.

ILM 2.61: Data retention and protection policies adhere to company policies.

Overall SOMM Level 1.74

Security Operations Maturity Assessment

Average SOMM By Vertical

Financial 2.25

Retail 2.35

Technology 1.60

Government 1.98

Utility 1.50

Telco 2.27

MSSP 2.40

Pragmatic Roadmap for Improvement

Phase I (Interim Capability): Coverage: part-time resources as available. Staffing: no dedicated staff. Incident escalations: 1-5 per week. Use cases: 10. Events per second (EPS): 200. Target timeframe: 90 days.

Phase II (Dedicated Operations): Coverage: dedicated 8x5, virtual off-hours. Staffing: 1 dedicated analyst, 1 dedicated SIEM engineer. Incident escalations: 5-10 per week. Use cases: 25. Events per second (EPS): 500. Target timeframe: 180 days.

Phase III (Mature Security Operations): Coverage: 24x7x365. Staffing: 12 FTE. Incident escalations: 10-20 per week. Use cases: 100+. Events per second (EPS): 1000. Target timeframe: 2 years.

Thank you

Denis Batrankov

Solution Architect

[email protected]