Top 10 tips for effective SOC/NOC collaboration or integration

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Top 10 Tips for Achieving Effective Security + Operations Collaboration
Sridhar Karnam, Security Product Marketing, HP Enterprise Security
Amy Feldman, Operations Product Marketing, HP Software

Upload: sridhar-karnam

Post on 15-May-2015


DESCRIPTION

Top 10 tips for effective SOC/NOC collaboration or integration. Within 5 years the security operations center and the IT operations center will integrate, bringing more context to security events and helping to search, store, and analyze machine data for operational intelligence.

TRANSCRIPT

Page 1: Top 10 tips for effective SOC/NOC collaboration or integration

Top 10 Tips for Achieving Effective Security + Operations Collaboration
Sridhar Karnam, Security Product Marketing, HP Enterprise Security
Amy Feldman, Operations Product Marketing, HP Software

Page 2: Top 10 tips for effective SOC/NOC collaboration or integration

Agenda

• Is SOC/NOC collaboration a big deal?

• Challenges

• Top 10 Tips for effective SOC/NOC collaboration

• Summary

Page 3: Top 10 tips for effective SOC/NOC collaboration or integration

Is SOC/NOC collaboration a big deal?

Page 4: Top 10 tips for effective SOC/NOC collaboration or integration

Organizational and security leadership is under immense pressure

Security awareness at board level

CISO: the Chief Information Security Officer sits at the heart of the enterprise security response

Simple controls: 97% of data breaches could have been avoided

Cyber threat: 56% of organizations have been the target of a nation-state cyber attack

Increasing cost pressures: 11% of total IT budget spent on security

Page 5: Top 10 tips for effective SOC/NOC collaboration or integration

Riskier enterprises + advanced attackers = more attacks

Threat landscape (chart): new technologies such as virtualization, cloud, and mobile/BYOD; attackers including state-funded groups, Anonymous, LulzSec, and hacktivists. Attack counts shown on the chart: 24 million, 40 million, 95 million, 101 million, 130 million.

Page 6: Top 10 tips for effective SOC/NOC collaboration or integration

No effective way… to understand and prioritize risk

The IT operations problem

Breaches continue… even though organizations have hundreds of security solutions available

Siloed products… don’t learn from each other or share information

Limited context… a gap between IT operations and security constrains the actions that can be taken

Page 7: Top 10 tips for effective SOC/NOC collaboration or integration

SOC/NOC collaboration

- Align business with IT

- Secure IT Operations

- IT GRC, SIEM, ITIL

- Optimize resources

Unified data with context from security, operations, service, and risk

Page 8: Top 10 tips for effective SOC/NOC collaboration or integration

SOC/NOC collaboration challenges

• Simplify un-structured data

• Comprehensive log management

• Secure applications

• Unified data

• 360° secure network defense

• Change management without risk

• Manual correlation of security threats

• Centralized approach

• Resource optimization

• Consolidated view

Page 9: Top 10 tips for effective SOC/NOC collaboration or integration

Top 10 tips for better SOC/NOC collaboration

Page 10: Top 10 tips for effective SOC/NOC collaboration or integration

Single view of security, operations, and IT GRC

Tip 1: Consolidated view

Page 11: Top 10 tips for effective SOC/NOC collaboration or integration

Seamless integration of security and IT operation tools – no point solutions

Tip 2: Centralized approach

Diagram: See everything, understand context, act: proactive risk reduction

Security: User Provisioning, Identity & Access Mgmt, Database Encryption, Anti-Virus/Endpoint, Firewall/Email Security

IT operations: User Management, App Lifecycle Mgmt, Information Mgmt, Operations Mgmt, Network Mgmt

Page 12: Top 10 tips for effective SOC/NOC collaboration or integration

Log management approach to unify collection, search, and reporting of machine data

Tip 3: Comprehensive log management

• Collection for complete visibility

• Analyze events in real time to deliver insight

• Search quickly to simplify IT

• IT GRC & Security in a single tool

• Reporting on log data

• IT operations through monitoring & alerting

Diagram labels: Machine Data, Log Collection, Search, Analysis, Dashboard, Monitoring & alerting, IT GRC

Page 13: Top 10 tips for effective SOC/NOC collaboration or integration

Cross-correlation of events provides security context and avoids false positives

Tip 4: Event correlation

Correlation:

• Connect roles, responsibilities, identities, history, and trends to detect business risk violations

• Pattern recognition

• Anomaly detection

• The more you collect, the smarter it gets

Diagram labels: Hardware, Software, People, Process

Page 14: Top 10 tips for effective SOC/NOC collaboration or integration

Monitor network activities for malicious activity through IPS and log management

Tip 5: 360° secure network defense and management

• IPS (Intrusion prevention system) protects your vulnerable applications and data from harmful attacks

• Dynamic analytics and policy deployment with real time network management data

• Network events and log analysis to proactively address threats

Diagram labels: Network Defense System; IPS data; Log data; Network events; Plug-n-play

Page 15: Top 10 tips for effective SOC/NOC collaboration or integration

Develop immunity to threats throughout application development

Tip 7: Confidently deliver secure applications

Automated code testing: testing of code during development for security vulnerabilities

• Automated testing

• Part of SDLC

App runtime testing: security testing of 3rd party or open source applications

• Test any apps

• Threat detection without source code

Manual review by security experts

• Manual expert audit

• Reduce false positives

Page 16: Top 10 tips for effective SOC/NOC collaboration or integration

Add digital vaccination to protect against new and zero-day threats

Tip 6: Change management without risk

• Digital vaccination against threats through IPS

• Reputation database of known threats

• Advanced security intelligence


Page 17: Top 10 tips for effective SOC/NOC collaboration or integration

Tip 8: Unified data

Convert all machine data into common format for search, report, and retention

Raw machine data:

Jun 17 2009 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
Jun 17 2009 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49

Unified data:

Time (Event Time)  | name | DeviceVendor | DeviceProduct    | CategoryBehavior | CategoryDeviceGroup | CategoryOutcome | CategorySignificance
6/17/2009 12:16:03 | Deny | Cisco        | PIX              | /Access          | /Firewall           | /Failure        | /Informational/Warning
6/17/2009 14:53:16 | Drop | Checkpoint   | Firewall-1/VPN-1 | /Access/Start    | /Firewall           | /Failure        | /Informational/Warning

Benefit: Single data for searching, indexing, reporting, and archiving
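As an added example, not code from the deck or from any HP product, the two raw lines above normalized into the slide's unified fields in Python; the vendor, product and category values are assigned by each parser, and the roll-up at the end is a constructed illustration of the kind of correlation over unified data that Tip 4 describes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed copy of the two raw events shown on the slide (redacted xxx octets kept as-is).
RAW_EVENTS = [
    "Jun 17 2009 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 "
    "to 204.110.227.16/443 flags FIN ACK on interface outside",
    "Jun 17 2009 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src xxx.xxx.146.12 "
    "s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49",
]

TS = r"(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d)"
# (DeviceVendor, DeviceProduct, CategoryBehavior, parser): all the device-specific knowledge.
PARSERS = [
    ("Cisco", "PIX", "/Access", re.compile(
        TS + r": %PIX-\d-\d+: (?P<action>Deny|Permit) \w+ .*?from (?P<src>[\d.]+)/\d+ "
        r"to (?P<dst>[\d.]+)/\d+")),
    ("Checkpoint", "Firewall-1/VPN-1", "/Access/Start", re.compile(
        TS + r" (?P<action>drop|accept) \S+ .*?src (?P<src>\S+) s_port \d+ dst (?P<dst>\S+) "
        r"service \S+ proto \w+ rule \d+")),
]
BLOCKED_ACTIONS = {"deny", "drop"}

def normalize(raw):
    """Map one raw syslog line onto the slide's unified schema; None if no parser matches."""
    for vendor, product, behavior, rx in PARSERS:
        m = rx.match(raw)
        if not m:
            continue
        blocked = m["action"].lower() in BLOCKED_ACTIONS
        return {
            "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "name": m["action"].capitalize(),        # Deny / Drop, as in the slide's table
            "vendor": vendor, "product": product,
            "behavior": behavior, "device_group": "/Firewall",
            "outcome": "/Failure" if blocked else "/Success",
            "significance": "/Informational/Warning" if blocked else "/Informational",
            "src": m["src"], "dst": m["dst"],
            "raw": raw,                              # keep the original line for forensics/retention
        }
    return None

def normalize_all(lines):
    return [r for r in map(normalize, lines) if r is not None]

def blocked_by_device(records):
    """Tip 4 style roll-up over unified data: blocked connections per vendor/product."""
    return Counter(f"{r['vendor']} {r['product']}" for r in records if r["outcome"] == "/Failure")
```

Lines no parser understands are dropped by normalize_all, so in practice the count of unparsed lines should be monitored: a silently unparsed feed is the gap in visibility the slide warns about.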

Page 18: Top 10 tips for effective SOC/NOC collaboration or integration

Simplify searching, reporting, forensics, and correlation through search tool

Tip 9: Simplify un-structured data

• Simplify forensics and investigation through a search tool

• Easily search and report on historical data

• Retention of logs as per regulatory compliance

• Pre-packaged content for security and GRC

• Feed unified data into event correlation engine

Page 19: Top 10 tips for effective SOC/NOC collaboration or integration

Collaboration enables resource optimization, rotation, and sharing for faster ROI

Tip 10: Resource optimization

Shared tools

• Seamlessly integrated tools

• Single vendor as opposed to multiple point solutions

• Enhanced user experience

Shared Knowledge

• Bi-directional information

• Unified and contextual data

• Efficient operation

Shared talent pool

• Job rotation

• Process focused

• Empowered IT practitioners

Distribute investment across SOC and NOC to realize faster ROI

Page 20: Top 10 tips for effective SOC/NOC collaboration or integration

Summary

Page 21: Top 10 tips for effective SOC/NOC collaboration or integration

How we help our customers (SOC/NOC integration)

• 3 days to generate an IT GRC report through logs. Now with HP, get a consolidated view of IT GRC, security, and operations in 2 minutes, a 99% improvement.

• 32 weeks to run an IT audit. Now with HP, audit-ready log data can be searched within 2 days, a 99+% improvement.

• 8 hours to fix a new IT incident. Now with HP, search years’ worth of log data with annotations in 5 minutes to find a resolution, a 99% improvement.

• 10 days to investigate and respond to a data breach. Now with HP, forensics takes less than 5 minutes, a 99+% improvement.

• 3 weeks to fix a threat vulnerability. Now with HP, build threat immunity and respond to new threats in 2 minutes, a 99+% improvement.

Page 22: Top 10 tips for effective SOC/NOC collaboration or integration

Download HP ArcSight Logger trial software

• Free downloadable software

• Collect up to 750 MB of log data per day

• Store up to 500 GB of uncompressed logs

• Access to most enterprise features for a full 12 months

• Standard HP ArcSight community support (Protect 724)

HP.COM/GO/LOGGER

Page 23: Top 10 tips for effective SOC/NOC collaboration or integration

HP.COM/GO/LOGGER

Page 24: Top 10 tips for effective SOC/NOC collaboration or integration

Dedicated HP Software track sessions, HP and partner exhibits, demos, and keynotes

Las Vegas (On-Demand…NOW)

Watch recordings of:

• General Sessions

• Track Sessions

• Breakout Sessions

• Press Conferences

Frankfurt (4-6 December 2012)

Join over 10,000 enterprise IT leaders

• Breakthrough innovations

• Emerging trends

• New best practices

• Key IT and business strategies

Page 25: Top 10 tips for effective SOC/NOC collaboration or integration

Additional resources

A recording of today’s event may be viewed in our “Library of On-Demand Events”: www.hp.com/go/it

Participate in HP Software’s “Community of IT Professionals”: www.hp.com/go/swcommunity

Join HP Software’s “LinkedIn group”: www.hp.com/go/linkedin

Page 26: Top 10 tips for effective SOC/NOC collaboration or integration

Thank You!

If you have any additional comments or questions, or would like to receive a .pdf copy of today’s presentation, please contact:

Scott Armanini, Executive Producer, HP Software Web [email protected]/go/IT