Value and maximizing operational efficiency of your SOC

Transcript of the slide deck (10 slides)

Page 1

1 IBM Security Summit 2017

Value and maximizing operational efficiency of your SOC

FOR DISCUSSION AT THE SECURITY SUMMIT

Jaeho Choi

April 2017

Associate Partner, IBM Security Europe

Page 2

Agenda

• IBM security strategy

• Trends

• Functional model of a SOC

• Maturity criteria for a SOC

• Summary

• Q&A

Page 3


IBM Security Strategy

LEAD in strategic domains

Security Transformation Services: Management Consulting | Systems Integration | Managed Security

Security Research and Threat Intelligence

Information Risk and Protection: Cloud Security, Mobile Security, Identity Governance and Access Management, Data Protection, Application Security, Advanced Fraud Prevention

Security Operations and Response: Incident Response, Security Intelligence and Analytics, Vulnerability and Patch Management, Endpoint and Network Protection, User Behavior Analytics

SUPPORT the CISO agenda: Cloud, Mobile and Internet of Things, Compliance Mandates, Skills Shortage, Advanced Threats

ACCELERATE with key innovation: Cloud, Collaboration, Cognitive

Page 4

Trends

Page 5


We see the industry making significant investments to transform security operational capabilities as a result of board level mandates.

• The transformation targets most companies have established provide for a rapid increase in maturity through a phased implementation of the operational best-practices.

• The current state maturity level averages an industry baseline of 1.8, showing major opportunities for transformation across the key Security Operations dimensions.

• The planned target state for companies will increase the industry future state maturity level to 3.8 targeting major and rapid transformation in all areas of Security Operations capabilities.

IBM Client SOC Maturity: Current & 12-18 Month Plans

IBM recommends building a foundational capability in SOC functions to a defined maturity level of 3.0. From that position, additional maturation can be attained where required.

Notes: Current through midyear 2016. Industry is defined as IBM clients who have participated in the SOC maturity assessment exercise and does not designate a specific market or industry vertical.

Page 6


Enterprise-wide requirements are changing the dynamics of a SOC capability

Maturity axis: Reactive (Legacy “Craftsman” SOC) to Pro-active (Optimized “Factory” SOC)

| Dimension | Criteria | Optimized “Factory” SOC | Legacy “Craftsman” SOC |
|---|---|---|---|
| Mission & Strategy | Charter | Build a dedicated security operations capability | Technology or service only |
| Mission & Strategy | Governance | Cross-functional (IT, Business, Audit, etc.) | Self governed (IT Security) |
| Mission & Strategy | Strategy | 3+ year cycle, priorities set by enterprise | Budget based, 12 month planning cycle |
| Architecture & Technology | Tools | SIEM, ticketing, portal/dashboard, Big Data | SIEM tool only |
| Architecture & Technology | Use Cases | Tailored rules based on risk & compliance drivers | Standard rules, minimal customization |
| Architecture & Technology | Referential Data | Required data, used to prioritize work | Minimal importance, secondary priority |
| Operations Management | Measures | Cross-functional, efficiency, quality, KPI/SLO/SLA | Silos, ticket/technology driven |
| Operations Management | Reporting | Metrics, analytics, scorecards, & dashboards | Ticket/technology driven |
| Operations Management | Intelligence | Integrated, actionable, guides investigation & response | Segregated, non-actionable |

Page 7


Emerging trends in SOC

• SOC is evolving into the Enterprise threat management center

• Migration from low value to high value use cases

• Dimensional data increases the resolution of security incidents

• Convergence of Risk Data (Integrated enterprise risk management platform)

• Measure and communicate the value of security services (Dashboards)

• Predictive security analytics pilots are now underway

• Active Defense - SOCs will automate threat response and prevention activities

• Add a Security Integration function to minimize preventable security incidents

Page 8


A large portion of the SOC spend is on use cases, SIEM rules, and related activities

• 30-35% of annual SOC spend supports new data, use cases, rules, reporting

• Average cost of operationalizing a new use case ranges from $20K-$50K

• Average time needed to identify, design, develop, test, implement and tune a new use case and its supporting SIEM rules is measured in weeks or months

• The SOC and the security team must track the value of the use case portfolio

Use cases and supporting SIEM rules are the key drivers for activity in the SOC

Page 9


SOC maturity criteria are divided into 5 primary domains

Maturity criteria

Organization

• Structure

• Staffing

• Role definition

• Sourcing

• Education

Metrics & Analytics

• Dashboard

• Operational reports

• Efficiency metrics

• SLA / KPI

Architecture & Tech

• SIEM platform architecture / platform integration

• Ticketing

• Data sources / use cases / data analytics

Process & Procedures

• Core SOC processes (triage, incident handling, etc.) and documentation

• Security intelligence processes

• SIEM administration

• Process integration

Governance

• Security policy

• Strategy

• Governance and sponsorship

• Cost model

Page 10

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

FOLLOW US ON:

THANK YOU