Cyber Security Operations: Building or Outsourcing
Transcript of Cyber Security Operations: Building or Outsourcing
© 2016 HITRUST Alliance.
Cyber Security Operations: Building or Outsourcing
Speakers: Michael Levin, Optum; Stephen Moore, Anthem; Jeff Schilling, Armor
Introduction
• Michael J. Levin, JD, CISSP, EnCE, GLEG, GSLC
– Director of Cyber Defense for Optum
– Former Director of Security Design and Innovation with U.S. Dept. of Health and Human Services, Senior Associate with Deloitte, and Investigative Counsel with U.S. Office of Special Counsel
– https://www.linkedin.com/in/michaellevin/
Cyber Defense
• Provides Cyber Security Services to UnitedHealth Group, monitoring security for over 150,000 endpoints
• Cyber Defense consists of
– Security Operations Center
– Cyber Forensic Investigations
– Persistent Threat Analysis
– Cyber Intelligence Services
– Active Cyber Defense
– Data Analytics and Security Innovation
Magnitude of Security Data
• Monitoring 150,000 end nodes results in:
– ~2 TB of raw logs each day
– 1.5 billion network, security, and endpoint events daily (17,000 a second)
• This requires 24 hour, in-house security analyst support
[Funnel chart: Raw Logs → Network, Security, Host-Based Events → Security Incidents]
Security Operations Center
• Utilizing the SIEM and manual analysis, the SOC reduces the 1.5 billion daily events to an average of 50 security incidents each day.
• On average, 20 incidents are escalated daily to CFI for advanced incident response and investigation.
Manpower – Investigative Teams
• SOC – 24/7 support across 3 shifts, 28 analysts, approx. 1 analyst per 5,000 end nodes
• CFI – 13 Incident Responders, approx. 1 per 10,000 end nodes
• PTA – 7 Security Hunters, sufficient manpower and experience to effectively hunt within the enterprise for unidentified threats
• CIS – 9 Intelligence Analysts; no easy rule to determine team size, rather gauged on output and success
In-House vs Outsourcing
• Pros:
– Organizational data maintained within the org.
– Better organizational knowledge, access, and expertise, all in-house
– No contract re-negotiation or arguments when specific security work is needed
– Immediate incident response activity
• Cons:
– Significant initial capital investment
– Upfront and on-going talent acquisition and retention
The security process: Protect, Detect, Respond, Recover (Cyber & Physical Security)
• Defense technologies such as DDoS mitigation, IPRM, WAF, etc.
• Threat intelligence feeds our rules engines, making intelligence systems smarter over time
• Detection technologies (e.g., AV/AM, FIM, SIEM and log correlation) tuned to the behaviors of real threat actors
• Experienced personnel on hand 24x7x365 differentiating real security events from false positives
• Technologies to limit blast radius and prevent spread (e.g., hypervisor-based firewalls)
• Experienced personnel trained in preventative measures
• Proactive processes in place for notifying customers and other relevant parties (e.g., law enforcement agencies where appropriate)
• Automation technologies to perform necessary cleaning measures and/or update policies and rules engines in real time
• Precise processes and trained personnel to remove compromises and secure against repeat attacks
The threat’s process
1. Reconnaissance – Open source research, social network research, port scan, IP sweep, Google research
2. Weaponization – Combine the exploit tool with the method
3. Distribution & Strategy – Phishing email, website drive-by, SQL inject script
4. Exploitation – Infected Word doc or PDF is opened; JavaScript exploited in browser; command line SQL inject
5. Persist/Lateral Movement – Registry key changed, privilege escalation, look for open connections
6. Command & Control – Malware or compromised system reaches out for instructions
7. Action on Target – Search the target, destroy or disrupt, package and prepare data for exfil
Options
• SOC completely insourced
– Big security budget
– Access to both technology and talent
– Defendable architecture
• SOC partially insourced, partially outsourced
– Most likely solution
– Tuned to your team’s technical capabilities and skills
• SOC completely outsourced
– Smaller, less complex environment
Functions to assess
• Security Operation Center
– ✓ Real-time monitoring
– ▪ Triage
– ▪ Incident Escalation
– ▪ Incident Handling
– ▪ Call Center
• Threat Intelligence / Indications and Warnings
– ✓ Threat assessment
– ✓ Threat intel data analysis
– ✓ Tradecraft analysis
– ✓ Threat trending
– ✓ Custom signature writing
– ✓ Advanced Threat Hunting
– ✓ Penetration testing
• Incident Response and Forensics
– ✓ Memory analysis
– ✓ Host analysis
– ✓ Network analysis
– ✓ Malware RevEng
– ▪ Containment
– ▪ Eradication
• Security Infrastructure Management
– ▪ Security device mgt
– ✓ Security control sig mgt
– ✓ Security device patching
– ▪ Security device availability
• Vulnerability/Threat Management
– ▪ Managing CMDB
– ✓ Scanning the environment
– ✓ Identifying vulnerabilities
– ▪ Remediation/patch mgt