Transcript of: Value and maximizing operational efficiency of your SOC
IBM Security Summit 2017
Value and maximizing operational efficiency of your SOC
FOR DISCUSSION AT THE SECURITY SUMMIT
Jaeho Choi
April 2017
Associate Partner, IBM Security Europe
Agenda
• IBM security strategy
• Trends
• Functional model of a SOC
• Maturity criteria for a SOC
• Summary
• Q&A
IBM Security Strategy
Lead in strategic domains
• Security Transformation Services: Management Consulting | Systems Integration | Managed Security
• Security Research and Threat Intelligence
• Security Operations and Response
• Information Risk and Protection
• Cloud Security
• Mobile Security
• Identity Governance and Access Management
• Data Protection
• Application Security
• Advanced Fraud Prevention
• Incident Response
• Security Intelligence and Analytics
• Vulnerability and Patch Management
• Endpoint and Network Protection
• User Behavior Analytics
Support the CISO agenda
• Cloud
• Mobile and Internet of Things
• Compliance Mandates
• Skills Shortage
• Advanced Threats
Accelerate with key innovation
• Cloud
• Collaboration
• Cognitive
Trends
We see the industry making significant investments to transform security operations capabilities as a result of board-level mandates.
• The transformation targets most companies have established provide for a rapid increase in maturity through a phased implementation of operational best practices.
• The current-state maturity level averages an industry baseline of 1.8, showing major opportunities for transformation across the key Security Operations dimensions.
• The planned target state will raise the industry future-state maturity level to 3.8, targeting major and rapid transformation in all areas of Security Operations capability.
[Chart: IBM Client SOC Maturity, Current & 12-18 Month Plans]
IBM recommends building a foundational capability in SOC functions to a defined maturity level of 3.0. From that position, additional maturation can be attained where required.
Notes: Current through midyear 2016. "Industry" is defined as IBM clients who have participated in the SOC maturity assessment exercise and does not designate a specific market or industry vertical.
Enterprise-wide requirements are changing the dynamics of a SOC capability
Maturity runs from the reactive, legacy “Craftsman” SOC to the pro-active, optimized “Factory” SOC:
Mission & Strategy
• Charter: Craftsman SOC: technology or service only. Factory SOC: build a dedicated security operations capability.
• Governance: Craftsman SOC: self governed (IT Security). Factory SOC: cross-functional (IT, Business, Audit, etc.).
• Strategy: Craftsman SOC: budget based, 12 month planning cycle. Factory SOC: 3+ year cycle, priorities set by enterprise.
Architecture & Technology
• Tools: Craftsman SOC: SIEM tool only. Factory SOC: SIEM, ticketing, portal/dashboard, Big Data.
• Use Cases: Craftsman SOC: standard rules, minimal customization. Factory SOC: tailored rules based on risk & compliance drivers.
• Referential Data: Craftsman SOC: minimal importance, secondary priority. Factory SOC: required data, used to prioritize work.
Operations Management
• Measures: Craftsman SOC: silos, ticket/technology driven. Factory SOC: cross-functional, efficiency, quality, KPI/SLO/SLA.
• Reporting: Craftsman SOC: ticket/technology driven. Factory SOC: metrics, analytics, scorecards, & dashboards.
• Intelligence: Craftsman SOC: segregated, non-actionable. Factory SOC: integrated, actionable, guides investigation & response.
Emerging trends in SOC
• SOC is evolving into the Enterprise threat management center
• Migration from low value to high value use cases
• Dimensional data increases the resolution of security incidents
• Convergence of Risk Data (Integrated enterprise risk management platform)
• Measure and communicate the value of security services (Dashboards)
• Predictive security analytics pilots are now underway
• Active Defense - SOCs will automate threat response and prevention activities
• Add a Security Integration function to minimize preventable security incidents
A large portion of the SOC spend is on use cases, SIEM rules, and related activities
• 30-35% of annual SOC spend supports new data, use cases, rules, reporting
• Average cost of operationalizing a new use case ranges from $20K-$50K
• Average time needed to identify, design, develop, test, implement and tune a new use case and its supporting SIEM rules is measured in weeks or months
• The SOC and the security team must track the value of the use case portfolio
Use cases and supporting SIEM rules are the key drivers for activity in the SOC
SOC maturity criteria are divided into 5 primary domains
Governance
• Security policy
• Strategy
• Governance and sponsorship
• Cost model
Organization
• Structure
• Staffing
• Role definition
• Sourcing
• Education
Process & Procedures
• Core SOC processes (triage, incident handling, etc.) and documentation
• Security intelligence processes
• SIEM administration
• Process integration
Architecture & Tech
• SIEM platform architecture / platform integration
• Ticketing
• Data sources / use cases / data analytics
Metrics & Analytics
• Dashboard
• Operational reports
• Efficiency metrics
• SLA / KPI
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.