Transcript: How to build a successful SOC - Hewlett Packard
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
How to build a successful SOC
Marcel Hoffmann, Manager Cyber Defense Center Operations
Agenda
• What is the Cyber Defense Center?
• The challenge
• Our solution: Technology, People, Process
• Lessons learned
What is the CDC?
• HP’s internal Security Operation Center
• The biggest test environment for HP security technologies
• A live showcase for customers and partners
The challenge
SOC Engagement Matrix (diagram): a 2x2 matrix whose axes are Reactive / Proactive and Non-existing / Pre-existing SOC; the engagement types in its quadrants are Cobble, Build, Optimize and Rebuild.
Challenges
Build ArcSight infrastructure in 9 months
• Sustain 3 billion EPD (events per day) and more
• Fulfil HA/DR requirements
• Ready for compliance
Complete physical construction in 6 months
• Design state-of-the-art watch floor
• Allow customer briefings
Hire and train 16 analysts in 3 months
• Develop training program
• Get everybody GCIA certified
Start 24x7 operations by November 2013
• Perform security monitoring
• Operate security mailbox and hotline
Our solution
Security Operations (diagram with steps numbered 1–7, grouped into Technology, People and Process): event sources Firewall, Network IDS/IPS, Web server and Proxy, together with Threat intel, feed the ESM server. Roles shown are Level 1, Level 2, Engineer and Incident handler; the Escalation path leads to the Network & system owners and the Business and ends with Case closed.
Manufacturing success stories
Security Operation Center (diagram): inputs are Event feeds and Threat intelligence; the assembly line runs Event (raw events) → Alert → Incident and its output is the Success story. Its lanes:
• Platform: Normalization/categorization, Storage
• Content: Rules, Correlation, False positives
• Incident Mgmt: Incident, Triage, Investigation R&D, Quality assurance, External departments
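The assembly line on this slide is easiest to see as code. What follows is an added Python illustration, not HP or ArcSight code: it normalizes constructed raw lines from three hypothetical feeds (firewall, IDS, proxy) into one schema, runs two correlation rules over them, drops alerts that match an analyst-maintained false-positive list, triages what survives into incidents, and counts every stage so the numbers can feed reporting. The feed formats, field names, rule thresholds, addresses and the suppression entry are all assumptions made for the example.

```python
"""Toy SOC assembly line: raw events -> normalization/categorization -> correlation
rules -> alerts -> false-positive suppression -> triage -> incidents, with per-stage
counters for reporting. Added illustration, not HP/ArcSight code; feed formats,
field names and thresholds are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed raw lines from three hypothetical feeds (firewall, IDS, proxy).
RAW_EVENTS = [
    "2014-06-10T09:00:01Z fw DENY src=10.1.1.5 dst=203.0.113.9 dport=4444",
    "2014-06-10T09:00:02Z fw DENY src=10.1.1.5 dst=203.0.113.9 dport=4444",
    "2014-06-10T09:00:03Z fw DENY src=10.1.1.5 dst=203.0.113.9 dport=4444",
    "2014-06-10T09:00:04Z fw DENY src=10.1.1.5 dst=203.0.113.9 dport=4444",
    "2014-06-10T09:00:05Z fw DENY src=10.1.1.5 dst=203.0.113.9 dport=4444",
    "2014-06-10T09:01:10Z ids ALERT sig=EXAMPLE-BEACON src=10.1.1.7 dst=198.51.100.2",
    "2014-06-10T09:01:40Z proxy GET host=198.51.100.2 client=10.1.1.7 status=200",
    "2014-06-10T09:05:00Z ids ALERT sig=EXAMPLE-BEACON src=10.1.1.50 dst=198.51.100.2",
    "2014-06-10T09:30:00Z proxy GET host=198.51.100.2 client=10.1.1.50 status=200",
]

# Content tuning fed back by analysts: (rule, source address) -> reason (constructed).
SUPPRESSIONS = {("repeated_fw_deny", "10.1.1.5"): "authorized vulnerability scanner"}

KV = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Normalization/categorization: map each feed's own format onto one schema."""
    ts, source, action, rest = line.split(None, 3)
    f = dict(KV.findall(rest))
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    if source == "fw":
        ev.update(category="firewall/" + action.lower(), src=f["src"], dst=f["dst"], port=f.get("dport"))
    elif source == "ids":
        ev.update(category="ids/alert", src=f["src"], dst=f["dst"], sig=f["sig"])
    elif source == "proxy":
        ev.update(category="proxy/request", src=f["client"], dst=f["host"])
    else:
        ev.update(category="unknown")  # kept, not dropped: an unparsed feed is a platform defect to fix
    return ev


def rule_repeated_deny(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation: `threshold` denies from one source to one dst:port inside a sliding window."""
    alerts, buckets = [], defaultdict(list)
    for ev in events:
        if ev["category"] != "firewall/deny":
            continue
        key = (ev["src"], ev["dst"], ev["port"])
        buckets[key] = [t for t in buckets[key] if ev["ts"] - t <= window] + [ev["ts"]]
        if len(buckets[key]) == threshold:  # fires once, when the threshold is first reached
            alerts.append({"rule": "repeated_fw_deny", "severity": "medium",
                           "src": ev["src"], "dst": ev["dst"], "ts": ev["ts"]})
    return alerts


def rule_ids_then_proxy(events, window=timedelta(minutes=10)):
    """Correlation: an IDS alert for A -> B followed by a proxy request A -> B within the window."""
    alerts, pending = [], {}
    for ev in events:  # events must be time-ordered
        key = (ev.get("src"), ev.get("dst"))
        if ev["category"] == "ids/alert":
            pending[key] = ev
        elif ev["category"] == "proxy/request" and key in pending:
            if ev["ts"] - pending[key]["ts"] <= window:
                alerts.append({"rule": "ids_alert_then_proxy", "severity": "high",
                               "src": ev["src"], "dst": ev["dst"], "ts": ev["ts"],
                               "sig": pending[key]["sig"]})
            del pending[key]  # the IDS alert has now been matched against this request either way
    return alerts


def triage(alert):
    """Triage: an alert that survives tuning becomes an incident with a priority."""
    priority = {"high": "P1", "medium": "P2"}.get(alert["severity"], "P3")
    return {"priority": priority, "rule": alert["rule"], "src": alert["src"],
            "dst": alert["dst"], "opened": alert["ts"]}


def run_pipeline(raw_lines):
    """Run the whole line and return (incidents, per-stage metrics for reporting)."""
    events = sorted((normalize(line) for line in raw_lines), key=lambda e: e["ts"])
    alerts = rule_repeated_deny(events) + rule_ids_then_proxy(events)
    metrics = {"events": len(events), "alerts": len(alerts), "suppressed": 0, "incidents": 0}
    incidents = []
    for alert in alerts:
        if (alert["rule"], alert["src"]) in SUPPRESSIONS:
            metrics["suppressed"] += 1  # known false positive: counted, not silently dropped
            continue
        incidents.append(triage(alert))
    metrics["incidents"] = len(incidents)
    return incidents, metrics


if __name__ == "__main__":
    found, counts = run_pipeline(RAW_EVENTS)
    print(counts)
    for inc in found:
        print(inc)
```

On the constructed input the line produces two alerts: the five firewall denies from 10.1.1.5 trip the first rule but are suppressed as a tuned false positive, while the IDS alert for 10.1.1.7 followed 30 seconds later by a proxy request to the same host becomes a P1 incident; the second IDS alert has no proxy request inside its window and raises nothing. Keeping the suppressed count in the metrics rather than discarding those alerts is the point of the False positives box feeding back into Content: tuning decisions stay visible to reporting.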
Technology
Security Operation Center (diagram, technology elements highlighted): Event feeds and Threat intelligence enter as raw events; Event → Alert → Incident.
• Content: Rules, Correlation
• Platform: Normalization/categorization, Storage
3 phase approach
• SOC 1.0: Secure the perimeter
• SOC 2.0: Secure the application
• SOC 3.0: Secure the business
Goals across the phases: achieve compliance, reduce potential impact, detect insider threat, detect fraud, gain predictable intelligence, reduce attack surface, leverage threat intelligence (HP TippingPoint).
ArcSight architecture
• Global ESM Tier
• Correlation ESM Tier
• Relay Connector Tier
• API Connector Tier
Active Stack and Standby Stack; Compliance BU Stacks.
People
Security Operation Center (diagram, roles mapped onto the Event → Alert → Incident line):
• Content: Content Engineer
• Event and Alert: Level-1 Analysts
• Incident Mgmt: Level-2 Analyst, Incident Responder, Manager
• Platform: Platform Engineer
Staffing
• 18+4 Intrusion Analysts: 24x7 coverage, 10 hours/shift, 3 shifts/day
• 7 Incident Responders
• 6 Dedicated Senior Engineers
• 3 Managers
• 1 Senior Department Manager
Senior CDC staff have over 80 years of combined InfoSec experience. Extensive, customized 3-month training tailored to analysts’ strengths.
Certifications held by CDC staff:
• SANS GCIA
• SANS GCFW
• SANS GCFE
• SANS GCIH
• CISSP
• CCNA
• AESA
• AEIA
Shift schedule
• Early shift: 3x L1, 5:00 – 15:00
• Mid shift: 3x L1, 10:00 – 20:00
• Night shift: 3x L1, 19:30 – 5:30
Rotation every two months; new shift pairing every month.
Weekly grid (Su Mo Tu We Th Fr Sa, diagram): the Front and Back crews alternate across the week. Purple = overlap time: 5h between Early and Mid shift (10:00 – 15:00), 0.5h between Mid and Night shift (19:30 – 20:00), 0.5h between Night and Early shift (5:00 – 5:30).
Hiring and training
Candidate backgrounds (focused on the analytical mindset):
• College graduates
• Administrators
• Tier-2/Tier-3 support
Analyst training (emphasis on individual training):
• Technical knowledge
• Tacit knowledge transfer
• Shadowing
Process
Security Operation Center (diagram, process elements highlighted): Event feeds and Threat intelligence enter as raw events; Event → Alert → Incident; output: Success story. Highlighted elements: Content, False positives, Incident Mgmt, External departments, Platform.
Process framework
16 processes, 40+ procedures, grouped into Analytical, Operational, Technology, Business and Business Extended processes: Subtle event detection, Reporting, Incident management, Intrusion analysis, Design, Configuration management, System administration, Event management, Daily operations, Training, BC/DR, Compliance, Process improvement, Metrics, Service Management, Business Unit On-boarding.
• Business: the effort to run a security operation as a business - finance, metrics, service levels, etc.
• Technology: technical details associated with the technology deployment, configuration and architecture
• Analytical: the intelligence and discipline used to collect information and use it to determine the discrete risk to an organization
• Operational: the daily tasks and tempo associated with effective security operations
Reporting and metrics
Security Operation Center (diagram): inputs are Security systems and Threat intelligence; Event (raw events) → Alert → Incident; output: Success story. Lanes:
• Content: Rules, Correlation, False positives
• Incident Mgmt: Incident, Triage, Investigation R&D, Quality assurance, External departments
• Platform: Normalization/categorization, Storage
Lessons learned
Lessons learned: Technology
Own the whole stack
• Use appliances where possible
• Do not use standard builds
• Start with the deployment immediately
Do not forget compliance
• ArcSight is an important part of audits
• Incorporate compliance requirements from the start
• Consider extended data retention requirements
Minimize your number of ESM servers
• Cross-correlation between ESMs is difficult
• Content synchronization is difficult
• Avoid a multi-tier architecture as long as possible
Lessons learned: People
Prefer contract-to-hire for analysts
• Start with experienced analysts
• Extends the retention period
ArcSight Engineers are a critical hire
• Essential position from the very beginning
• 2-5 years of experience required
Maximize analyst retention
• Encourage participation
• Create a career path
• Give performance feedback
Continuous training
• Use shift overlaps for weekly training
• Develop your own training
Lessons learned: Process
Define a mission statement
• Clear statement to avoid “feature creep”
• Avoid secondary/tertiary tasks
Measure success
• Document success stories
• Show progress to leadership
• Perform maturity audits
Facilitate communication
• Daily or weekly news summaries
• Persistent chat rooms
• Solid shift turnover procedures
Keep feedback loops intact
• Analyst feedback is important for content tuning
• Analysis and case quality feedback
• Threat intel fidelity feedback
How to make it successful
Conclusion
• Gain attention
• Avoid gaps in the assembly line
• Measure quantitative and qualitative KPIs
• Make it “their” SOC
For more information
Attend these sessions
• BB3055 - 5G/SOC: How the world's most advanced SOCs are leading the way
• BB3269 - Analysts assemble! Tips for successful security analyst recruitment, assessment, and retention
After the event
• Download the whitepaper at: http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA4-6169ENW
• Learn about our SOC maturity assessments: http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA4-4144ENW
Your feedback is important to us. Please take a few minutes to complete the session survey.
Please fill out a survey. Hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
Session BB3270 Speaker Marcel Hoffmann
Please give me your feedback
Thank you