8/10/2019 Building a SOC
Building a Security Operations Center (SOC)
Session ID: TECH-203
Session Classification: Advanced
Ben Rothke, CISSP, CISM, Wyndham Worldwide Corp.
About me
- Ben Rothke, CISSP, CISM, CISA. Manager, Information Security, Wyndham Worldwide Corp.
- All content in this presentation reflects my views exclusively and not those of Wyndham Worldwide.
- Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
- Writes the Security Reading Room blog: https://365.rsaconference.com/blogs/securityreading
Agenda
- Introduction
- Need for a Security Operations Center (SOC)
- Components of an effective SOC
- Deciding to insource or outsource the SOC
  - Outsourced SOC = MSSP
- SOC requirements
- Q/A
Building a Security Operations Center (SOC)
Current information security challenges
- Onslaught of security data from disparate systems, platforms and applications
  - numerous point solutions (AV, firewalls, IDS/IPS, ERP, access control, IdM, SSO, etc.)
  - millions or billions of messages daily
- Attacks becoming more frequent and sophisticated
- Regulatory compliance issues place an increasing burden on systems and network administrators
Why do you need a SOC?
- Because a firewall and an IDS are not enough
- Nucleus of all information security operations
- Provides continuous prevention, protection, detection and response capabilities against threats, remotely exploitable vulnerabilities and real-time incidents on your networks
- Works with the CIRT to create a comprehensive infrastructure for managing security operations
SOC benefits
- Speed of response time
  - malware can spread throughout the Internet in minutes or even seconds, potentially knocking out your network or slowing traffic to a crawl
  - consequently, every second counts in identifying these attacks and negating them before they can cause damage
- Ability to recover from a DDoS attack in a reasonable amount of time
Integrated SOC
(diagram; source: IBM)
SOC functions
- Real-time monitoring / management
  - aggregate logs
  - aggregate data
  - coordinate response and remediation
- Reporting
  - executives
  - auditors
  - security staff
- Post-incident analysis
  - forensics
  - investigation
SOC planning
- Full audit of existing procedures, including informal and ad-hoc ones
- Planning of location, resources, training programs, etc.
- Plans change; don't try to prepare everything ahead of time
  - sometimes the best approach is not clear until you have actually started
- Build it like an aircraft carrier: change is built into the design
SIM/SIEM/SEM tools
- Many SOC benefits come from a good SIM tool
  - consolidates all data and analyzes it intelligently
  - provides visualization into the environment
- Choose a SIM that's flexible and agile, plus:
  - tracks and escalates according to threat level
  - priority determination
  - real-time correlation
  - cross-device correlation
  - audit and compliance
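The cross-device correlation and threat-level escalation this slide asks of a SIM, shown as an added example that is not from the presentation or from any SIEM product: it parses a few constructed firewall, IDS and authentication log lines, groups them by internal source host inside a five-minute window, and raises the threat level only when evidence from different devices agrees. The log line format, the rule thresholds and the escalation table are assumptions.

```python
"""Cross-device correlation with threat-level escalation over constructed
log lines.  Added example; the line format, rules, thresholds and the
escalation table are assumptions, not taken from any SIEM product."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # assumed correlation window per source host
LEVELS = ["info", "low", "medium", "high", "critical"]
# Assumed routing per threat level: the "track and escalate" part of the slide
ESCALATION = {
    "info": "log only",
    "low": "queue for daily review",
    "medium": "open analyst ticket",
    "high": "open analyst ticket, 1h response",
    "critical": "page on-call, open incident",
}

# Constructed sample events (not real logs): "<ISO timestamp> <device> key=value ..."
SAMPLE_LOGS = """\
2019-08-10T02:01:05 fw   action=allow src=10.1.4.22 dst=203.0.113.9 dport=443
2019-08-10T02:01:07 ids  sig="ET MALWARE Beacon" src=10.1.4.22 dst=203.0.113.9 severity=high
2019-08-10T02:01:40 auth event=4625 user=svc_backup src=10.1.4.22 host=DC01
2019-08-10T02:01:42 auth event=4625 user=svc_backup src=10.1.4.22 host=DC01
2019-08-10T02:01:44 auth event=4625 user=svc_backup src=10.1.4.22 host=DC01
2019-08-10T02:01:46 auth event=4625 user=svc_backup src=10.1.4.22 host=DC01
2019-08-10T02:01:48 auth event=4625 user=svc_backup src=10.1.4.22 host=DC01
2019-08-10T02:03:00 fw   action=deny src=10.1.9.7 dst=198.51.100.5 dport=22
2019-08-10T02:03:30 ids  sig="ET SCAN SSH" src=10.1.9.7 dst=198.51.100.5 severity=low
this line is garbage and is skipped by the parser
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\w+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(log_text):
    """Turn each well-formed line into a dict; malformed lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group("ts"))
        except ValueError:
            continue  # first token is not a timestamp: not one of our devices
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
        fields["ts"] = ts
        fields["device"] = m.group("device")
        events.append(fields)
    return events


def correlate(events):
    """Group by internal source host and apply cross-device rules inside a
    window anchored at that host's first event.  The level only rises when
    evidence from different devices agrees."""
    by_host = defaultdict(list)
    for e in events:
        if "src" in e:
            by_host[e["src"]].append(e)

    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = evs[0]["ts"]
        window = [e for e in evs if e["ts"] - start <= WINDOW]

        ids_hits = [e for e in window if e["device"] == "ids"]
        allowed_dsts = {e["dst"] for e in window
                        if e["device"] == "fw" and e.get("action") == "allow" and "dst" in e}
        failed_logons = [e for e in window
                         if e["device"] == "auth" and e.get("event") == "4625"]

        level, reasons = "info", []
        if ids_hits:
            level = "low"
            reasons.append("IDS signature on this host")
        # IDS hit whose destination the firewall actually allowed: two devices
        # agree that traffic to the suspect destination went through.
        confirmed = [e for e in ids_hits if e.get("dst") in allowed_dsts]
        if confirmed:
            level = "medium"
            reasons.append("IDS hit on a flow the firewall allowed")
        high = [e for e in confirmed if e.get("severity") == "high"]
        if high:
            level = "high"
            reasons.append("and the IDS rated it high severity")
            # Burst of failed logons from the same host after the alert: possible
            # post-compromise credential attack, so escalate to critical.
            after = [e for e in failed_logons if e["ts"] >= high[0]["ts"]]
            if len(after) >= 5:
                level = "critical"
                reasons.append(f"{len(after)} failed logons from the host after the alert")

        incidents.append({"host": host, "level": level,
                          "reasons": reasons, "action": ESCALATION[level]})

    incidents.sort(key=lambda i: LEVELS.index(i["level"]), reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in correlate(parse(SAMPLE_LOGS)):
        print(f"{inc['level']:8} {inc['host']:12} {inc['action']} :: {'; '.join(inc['reasons'])}")
```

On the constructed input, 10.1.4.22 reaches critical (high-severity IDS hit on an allowed flow followed by five failed logons) and is routed to on-call, while 10.1.9.7, whose scan the firewall denied, stays at low. The point to carry into a SIM evaluation is that each step up the scale needs a second device to corroborate the first.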
Challenge of SIM & automation
- A well-configured SIM can automate much of the SOC process. But:
  "The more advanced a control system is, so the more crucial may be the contribution of the human operator"
  - Ironies of Automation, Lisanne Bainbridge: discusses ways in which automation of industrial processes may expand rather than eliminate problems with the human operator
- Don't get caught in the hype that a SIM can replace good SOC analysts
  - no secret that they can't
Which SOC?
- Outsourced
  - Symantec, SecureWorks (Dell), Solutionary, WiPro, Tata, CenturyLink (Savvis, Qwest), McAfee, Verizon (Cybertrust / Ubizen), Orange, Integralis, Sprint, EDS, AT&T, Unisys, VeriSign, BT Managed Security Solutions (Counterpane), NetCom Systems and more
- Centralized group within the enterprise
  - Corporate SOC
In-house SOC vs. outsourced MSSP
(chart) Source: The Business Case for Managed Security Services: Managed Security Services Providers vs. SIEM Product Solutions, http://www.solutionary.com/dms/solutionary/Files/whitepapers/MSSP_vs_SIEM.pdf
Define the SOC requirements
- Define the specific needs for the SOC within the organization
  - what specific tasks will be assigned to the SOC? Detecting external attacks, compliance monitoring, checking for insider abuse, incident management, etc.
  - who will use the data collected and analyzed by the SOC? What are their requirements?
  - who will own and manage the SOC?
  - what types of security events will be fed into the SOC?
Internal SOC

Advantages:
- dedicated staff
- knows the environment better than a third party
- solutions are generally easier to customize
- potential to be most efficient
- most likely to notice correlations between internal groups
- logs stored locally

Disadvantages:
- larger up-front investment
- higher pressure to show ROI quickly
- higher potential for collusion between analyst and attacker
- less likely to recognize large-scale, subtle patterns that include multiple groups
- can be hard to find competent SOC analysts
Internal SOC - Questions
1. Does your staff have the competencies (skills and knowledge) to manage a SOC?
2. How do you plan to assess whether they really do have those competencies?
3. Are you willing to take the time to document all of the SOC processes and procedures?
4. Who's going to develop a training program?
5. Who's going to design the physical SOC site?
6. Can you hire and maintain adequate staff levels?
Internal SOC success factors
1. Trained staff
2. Good SOC management
3. Adequate budget
4. Good processes
5. Integration into incident response
If your organization can't commit to these five factors, do not build an internal SOC; it will fail
- it will waste money and time and create a false sense of security
- if you need a SOC but can't commit to these factors, strongly consider outsourcing
Outsourced SOC

Advantages:
- avoid capital expenses (it's their hardware and software)
- exposure to multiple customers in a similar industry segment
- often cheaper than in-house
- less potential for collusion between monitoring team and attacker
- good security people are difficult to find
- unbiased
- potential to be very scalable and flexible
- expertise in monitoring and SIM tools
- SLA

Disadvantages:
- contractors will never know your environment like internal employees
- sending jobs outside the organization can lower morale
- lack of staff dedicated to a single client
- lack of capital retention
- risk of external data mishandling
- log data not always archived
- log data stored off premises
- lack of customization: MSSPs standardize services to gain economies of scale in providing security services to myriad clients
Outsourced SOC general questions
1. Can I see your operations manual?
2. What is its reputation?
3. Who are its customers?
4. Does it already service customers in my industry?
5. Does it service customers my size?
6. How long have its customers been with it?
7. What is its cancellation/non-renewal rate?
8. How do they protect data, and what is the level of security at their SOC?
Outsourced SOC stability questions
1. Is it stable?
2. Does it have a viable business plan?
3. How long has it been in business?
4. Positive signs of growth from major clients?
5. Consistent large account wins / growing revenue?
6. What is its client turnover rate?
7. What are its revenue numbers?
   - if private and unwilling to share this information, ask for percentages rather than actual numbers
8. Will it provide documentation on its internal security policies and procedures?
Outsourced SOC - sizing / costs
- Should provide services for less than an in-house solution
  - can spread the investment in analysts, hardware, software and facilities over several clients
- How many systems will be monitored?
- How much bandwidth is needed?
- Potential tax savings
- Convert variable costs (in-house) to fixed costs (services)
Outsourced SOC performance metrics
- Must provide the client with an interface providing detailed information
  - services being delivered
  - how their security posture relates to overall industry trends
- Provide multiple views into the organization
  - various technical, management and executive reports
  - complete trouble ticket work logs and notes
Outsourced SOC SLAs
- Well-defined SLAs are critical
  - processes and time periods within which they will respond to any security need
- SLA should include:
  - specific steps to be taken
  - procedures the company takes to assure that the same system intrusions do not happen again
  - guarantee of protection against emerging threats
  - recovery of losses in the event the service doesn't deliver as promised
  - commitments for initial device deployment, incident response/protection, requests for security policy and configuration changes, and acknowledgement of requests
Outsourced SOC - Transitioning
- Ensure adequate knowledge transfer
- Create formal service level performance metrics
  - establish a baseline for all negotiated service levels
  - measure from the baseline, track against it, adjusting as necessary
- Create an internal CIRT
  - identify key events and plan the response
- Hold regular transition and performance reviews
- Be flexible
  - schedule a formal review to adjust SLAs after 6 months of service operation and periodically thereafter
Outsourced SOC Termination
- All outsourcing contracts must anticipate the eventual termination at the end of the contract
- Plan for an orderly in-house transition or a transition to another provider
  - develop an exit strategy
  - define key resources, assets and process requirements for continued, effective delivery of the services formerly provided by the outgoing provider
Outsourcing: don't just trust - verify
- Call Saturday night at 2 AM
  - who's answering? Do they sound competent?
- Reports
  - are they to your liking? Can they create complex reports?
- Set off a few alarms
  - are they calling/alerting you in a timely manner?
- True process for real-time threat analysis? Or simply a glorified reporting portal that looks impressive?
Mike Rothman on MSSP
"We have no illusions about the amount of effort required to get a security management platform up and running, or what it takes to keep one current and useful.
Many organizations have neither the time nor the resources to implement technology to help automate some of these key functions.
So they are trapped on the hamster wheel of pain, reacting without sufficient visibility, but without time to invest in gaining that much-needed visibility into threats without diving deep into raw log files.
A suboptimal situation for sure, and one that usually triggers discussions of managed services in the first place."
http://securosis.com/blog/managed-services-in-a-security-management-2.0-world (November 2011)
SOC analysts
- Good SOC analysts are hard to find and hard to keep
- Have a combination of technical knowledge and technical aptitude
- Hire experienced SOC analysts
- Pay them well
  - you get what you pay for
SOC analyst skill sets
- O/S proficiency
- network protocols
- chain of custody issues
- ethics
- corporate policy
- services
- multiple hardware platforms
- attacks
- directories
- routers/switches/firewalls
- programming
- forensics
- databases
- IDS
- investigative processes
- applications
- and much more
SOC analyst - qualities
- Extremely curious
  - ability to find answers to difficult problems / situations
- Abstract thinker
  - can correlate IDS incidents and alerts in real time
- Ethical
- Deals with low-level details while keeping a big-picture view of the situation
- Can communicate to various groups that have very different requirements
- Responds well to frustrating situations
SOC analyst burnout
- SOC analysts can burn out; have a plan to address this
  - extensive training
  - bonuses
  - promotions
  - management opportunities
  - job rotation
SOC management
- Management and supervision of a SOC is a key factor in ensuring its efficiency
- While analysts, other staff, hardware and software are key elements, a SOC's ultimate success depends on a competent SOC manager
- Inadequate or poor management has significant consequences
  - from process performance decrements to incidents being missed or incorrectly handled
SOC processes and procedures
- The SOC is heavily process-driven
  - processes work best when documented in advance
  - usability and workflow are critical
- Documentation
  - adequate time must be given to properly document the many different SOC functions
  - corporate networks and the SOC are far too complex to be supported in an ad-hoc manner; documentation makes all the difference
Sample SOC runbook table of contents
(slide content is an image not reproduced in this text)
SOC metrics
- Measured by how quickly incidents are:
  - identified
  - addressed
  - handled
- Must be used judiciously
  - don't measure the base performance of an analyst simply on the number of events analyzed or recommendations written
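The timing metrics of this slide and the response periods the "Outsourced SOC SLAs" slide says an SLA must define, as an added example that is not part of the presentation: median and worst-case minutes per stage grouped by severity, plus a breach check against per-severity targets, computed from constructed ticket records. Nothing here counts events per analyst, in keeping with the caveat above. The ticket fields, the severities, the SLA targets and the stage definitions (identify measured from occurrence; address and close measured from identification) are assumptions.

```python
"""Incident-timing metrics and SLA breach check over constructed ticket data.
Added example; the ticket fields, severities and SLA targets are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

STAGES = ("identify", "address", "close")
# Assumed SLA targets in minutes per severity, in STAGES order:
# identify = occurrence to detection; address and close = measured from detection.
SLA_MINUTES = {
    "critical": (15, 60, 24 * 60),
    "high": (30, 4 * 60, 3 * 24 * 60),
    "medium": (4 * 60, 24 * 60, 7 * 24 * 60),
}

# Constructed sample tickets (not real incidents)
TICKETS = [
    {"id": "INC-1001", "severity": "critical", "occurred": "2019-08-10T02:01:07",
     "identified": "2019-08-10T02:09:00", "addressed": "2019-08-10T02:40:00",
     "closed": "2019-08-10T18:30:00"},
    {"id": "INC-1002", "severity": "high", "occurred": "2019-08-10T09:00:00",
     "identified": "2019-08-10T10:15:00", "addressed": "2019-08-10T11:00:00",
     "closed": "2019-08-11T09:00:00"},
    {"id": "INC-1003", "severity": "high", "occurred": "2019-08-11T14:00:00",
     "identified": "2019-08-11T14:10:00", "addressed": "2019-08-11T15:00:00",
     "closed": "2019-08-12T10:00:00"},
    {"id": "INC-1004", "severity": "medium", "occurred": "2019-08-12T08:00:00",
     "identified": "2019-08-12T09:00:00", "addressed": "2019-08-12T12:00:00",
     "closed": "2019-08-15T12:00:00"},
]


def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def ticket_timings(ticket):
    """Minutes spent in each stage for one ticket."""
    return {
        "identify": _minutes(ticket["occurred"], ticket["identified"]),
        "address": _minutes(ticket["identified"], ticket["addressed"]),
        "close": _minutes(ticket["identified"], ticket["closed"]),
    }


def metrics_by_severity(tickets):
    """Median and worst-case minutes per stage, grouped by severity.  The
    median resists one slow ticket; the max is what an SLA review asks about."""
    groups = defaultdict(list)
    for t in tickets:
        groups[t["severity"]].append(ticket_timings(t))
    return {
        sev: {stage: {"median": median([r[stage] for r in rows]),
                      "max": max(r[stage] for r in rows)}
              for stage in STAGES}
        for sev, rows in groups.items()
    }


def sla_breaches(tickets):
    """(ticket id, stage, actual minutes, target minutes) for every stage that
    overran the assumed SLA target for the ticket's severity."""
    breaches = []
    for t in tickets:
        timing = ticket_timings(t)
        for stage, target in zip(STAGES, SLA_MINUTES[t["severity"]]):
            if timing[stage] > target:
                breaches.append((t["id"], stage, timing[stage], target))
    return breaches


if __name__ == "__main__":
    for sev, stages in metrics_by_severity(TICKETS).items():
        print(sev, {s: (round(v["median"]), round(v["max"])) for s, v in stages.items()})
    for b in sla_breaches(TICKETS):
        print("SLA breach:", b)
```

On the constructed tickets only INC-1002 breaches, and only at the identify stage (75 minutes against a 30-minute target), which is the kind of finding a transition review or a 2 AM test call is meant to surface. Reporting the worst case next to the median keeps one slow ticket from hiding behind an acceptable average.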
Additional references
(slide content is an image not reproduced in this text)
Apply
- Obtain management commitment to a SOC, ensuring adequate staffing and budget
- Define your SOC requirements
- Decide whether to have the SOC in-house or outsourced
  - in-house: create detailed and customized processes
  - outsourced: ensure their process meets your requirements
- Create a process to ensure the SOC is effective and providing security benefits to the firm
Ben Rothke, CISSP, CISM
Manager, Information Security, Wyndham Worldwide Corporation
www.linkedin.com/in/benrothke
www.twitter.com/benrothke
www.slideshare.net/benrothke