Transcript of AIR-T11: Building a World-Class Proactive Integrated Security & Network Operations Center (SNOC)
Page 1
SESSION ID: AIR-T11
#RSAC
Hanna Sicker, CISM, CISSP
Building a World-Class Proactive Integrated Security & Network Operations Center (SNOC)
Security & Network Operations (SNOC) Sr. Mgr., StubHub/eBay, @snocgirl
Page 2
Operations Leaders (Security & Network)
Page 3
Service Unavailable…
Page 4
We Did it!
Page 5
SNOC Impact on Uptime & CSS
[Chart: uptime and CSS by year, 2011 through 2015; uptime values shown are 99.90%, 99.95%, 99.97% and 99.99%; CSS value shown is 98.00%]
* CSS: Customer Satisfaction Score
Page 6
How…
Page 7
Typical NOC & SOC Challenges
Page 8
How We Overcame the Challenges
Page 9
Break the Rules – Say “NO” to the Traditional Tiered Model
Page 10
SNOC IRP (Incident Response Process)
[Diagram: Visibility, Detection, Analysis, Investigation, Response, Remediation; supporting elements: SLA, Change Mgt., Process]
Page 11
IRP – Step 1
Page 12
IRP – Step 2
Page 13
IRP – Step 3
Page 14
Proactive Integrated SNOC Framework
[Diagram, elements as labelled: Mgt., Team, Tools, BIC Services, Reports, Reinvest, Recognize, Enable]
Page 15
Building a Winning Team
Page 16
Detailed SNOC Framework – Team
Stage 1 • Quick impact – utilize the existing structure
Stage 2 • Optimize & emphasize on quality
Stage 3 • Identify & hire talent
Stage 4 • Empower the team & remove the tiers
Stage 5 • Team development life cycle – TDLC
Page 17
Stage 1 – Quick Impact (2 mo.)
Page 18
Stage 2 – Optimize & Emphasize on Quality
Page 19
Stage 3 – Identify & Hire Talent
Round out the team puzzle
Page 20
Stage 4 – Empower the Team
Page 21
Stage 5 - Team Development Life Cycle - TDLC
[Cycle diagram, elements as labelled: Train, Mentor, Coach, Hire Talent, Process, Cross Train, Enable, Engage, Quality]
Page 22
Detailed SNOC Framework – Tools
Stage 1 • Utilize
Stage 2 • Optimize
Stage 3 • Automate
Page 23
Finding the Right Tools
Page 24
SNOC Framework – BIC Services
Our Formula
BIC Services = Business Objectives = Customer Satisfaction Score (CSS) + Revenue ($) + Team Defined Goals (APS*)
* APS = Availability + Performance + Security
Quick results without initial Mgt support = Team + Existing Tools + Reports
Page 25
SNOC Framework – Management
Our Formula
Increased demonstrated value = increased Mgt support (IMS)
IMS = Recognition + Reinvestment
Page 26
Our Key to Success
Page 27
Team Characteristics
Page 28
Right Architecture - Security Layers
[Layered diagram, labels as shown: 3rd Parties (Tokenization, Fraud detection); WAF (Client reputation, Customized rules, Bot detection); IDS, IPS, SIEM, Packet capture; Vulnerability mgt., Fraud protection; Data Activity Monitoring, Log mgt.]
Page 29
Use Case – Reducing ATOs
Page 30
SNOC Benefits & Future Challenges
Page 31
Apply
If you are in the process of building a SOC, and you have an existing NOC, utilize your existing NOC team and transition them to become SNOC.
Recognize similar functions between NOC & SOC and combine them.
Before obtaining Mgt. commitment, focus on your team as the core component to build successful SNOC.
Page 32
Apply
When you add new members, focus on character and culture fit. Try to round out the team puzzle.
Do not pay for expertise; grow your own (entry level but highly motivated and trainable).
Lead from the front
Build alliances with other teams across all departments & learn from their key players.
Page 33
Apply
Understand your business goals, traffic and users.
Filter your traffic at the edge and protect at all layers.
Shield your data center – if your business is B2C, then cloud services that host businesses can be blocked. If your clients are within a specific geographic area, then block all other countries/areas that you do not do business with.
To reduce ATOs & attacks, create WAF rules based on your traffic & customers’ behavior.
Page 34
Apply – Cont.
Utilize & optimize your and other teams’ existing tools.
If no tools are available, then automate processes using scripts written by one of your own or another team’s members.
Tune out false positive alerts and train the team to tune and modify the thresholds.
Check if the NOC has tools that are applicable for SOC usage. Example: if the NOC is using network performance monitoring tools, check to see if those tools can perform full packet capture.
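To make the two Apply slides above concrete (filtering at the edge by geography and hosting provider, behaviour-based WAF rules against ATOs, and thresholds the team can tune to cut false positives), here is an added Python example; it is not code from the talk or from StubHub/eBay. The allowed-country list, the ASN numbers, the per-attempt country/ASN enrichment and the sample login records are all constructed assumptions.

```python
"""Hypothetical edge filter plus behavioural ATO signal over constructed login records.
Added example, not from the talk. Assumes the SNOC sees, per login attempt, the
client IP's country and ASN (e.g. from a WAF or edge proxy) and the outcome."""
from collections import defaultdict

# Constructed policy: B2C site serving customers in the US and Canada only;
# real customers are not expected to log in from hosting/cloud ASNs.
ALLOWED_COUNTRIES = {"US", "CA"}
HOSTING_ASNS = {64500, 64501}          # placeholder private-use ASNs

# Tunable thresholds (the talk's advice: train the team to tune these)
MAX_FAILS_PER_IP = 5       # failed logins from one IP within the window
MAX_ACCOUNTS_PER_IP = 3    # distinct accounts tried from one IP within the window

def edge_decision(country, asn):
    """Coarse filter at the edge: drop geographies and hosting ASNs we do not serve."""
    if country not in ALLOWED_COUNTRIES:
        return "block:geo"
    if asn in HOSTING_ASNS:
        return "block:hosting"
    return "allow"

def ato_signals(events, max_fails=MAX_FAILS_PER_IP, max_accounts=MAX_ACCOUNTS_PER_IP):
    """Behavioural WAF-style rule: flag IPs spraying failures across many accounts.
    events: iterable of (ip, account, country, asn, success) tuples in one time window."""
    fails = defaultdict(int)
    accounts = defaultdict(set)
    for ip, account, country, asn, success in events:
        if edge_decision(country, asn) != "allow":
            continue  # already dropped at the edge; not counted as behaviour
        accounts[ip].add(account)
        if not success:
            fails[ip] += 1
    return {ip for ip in accounts
            if fails[ip] >= max_fails or len(accounts[ip]) >= max_accounts}

# Constructed sample window (documentation-range addresses, fictional accounts)
SAMPLE = [
    ("198.51.100.7", "alice", "US", 64496, True),
    ("198.51.100.7", "alice", "US", 64496, False),  # one typo, normal customer
    ("203.0.113.9", "alice", "US", 64496, False),
    ("203.0.113.9", "bob", "US", 64496, False),
    ("203.0.113.9", "carol", "US", 64496, False),   # three accounts from one IP
    ("192.0.2.5", "dave", "US", 64500, False),      # hosting ASN, dropped at edge
    ("192.0.2.6", "erin", "FR", 64496, False),      # out of region, dropped at edge
]

if __name__ == "__main__":
    print(sorted(ato_signals(SAMPLE)))   # ['203.0.113.9']
```

Raising `max_accounts` to 4 clears the flag on the sample, which is the kind of threshold change the team would make after reviewing false positives.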