Why You Need SOC? - ETDA

Post on 05-Jun-2020


Why You Need SOC?

29 April 2019

© 2018 IBM Corporation

Cost of a Data Breach Study – highest data breach cost and per capita cost by industry sector

Why are your existing security controls never enough? Are you sure about your defensive cyber security equipment such as firewalls, IPS/IDS and antivirus? Is this equipment enough to keep your company truly safe?

You need to have someone, something and some process that can keep your security perimeter constantly updated against new and evolving threats around the clock.

Defensive equipment only keeps out the threats you have configured it to keep out. But what about the new threats we don't yet know about?

Security Operation Center Functions

Core Component of Security Operation Center

- Console for cyber/information security incident management
- Command center to monitor, detect, alert and respond
- Knowledge center for cyber/information security awareness and threat intelligence
- Co-ordination center for external parties (internal and external organizations)
- Comply with law, regulation and compliance requirements

- Technology: IT infrastructure, SOC room, SIEM
- People: SOC team, expert team
- Process: incident response framework

IDENTIFY DETECT RESPONSE IMPROVE

Main Objective of Security Operation Center

The Problem with Traditional Security Operation Center

Internal visibility
• Source events only from internal logs and network traffic
• Lack of event filtering
• Incident response tracking

Human threat monitoring/detection/analysis
• Default detection rules, no tuning or improvement
• No customized use case design
• Threat knowledge database not kept up to date
• Ineffective IOC analytics

Manual incident response
• Manual response
• Delays and errors
• Ad-hoc incident response
• No drills or exercises

• I need a solution that isn’t a siloed tool that adds to the complexity of security operations
• One that snaps on to the existing security infrastructure
• Simplifies the overly complex security operations
• Gives visibility into higher priority risks and threats from insiders
• Delivers fast time to insider threat detection
• Streamlines investigation to pinpoint threat sources and effective remediation
• Consolidates and leverages existing security data and repositories
• Can be acquired, deployed and utilized with the ease of an app from an App Store

[Figure: incident timeline – Incident Triage → Investigation and Impact Assessment → Remediation; days to weeks in the traditional SOC, reduced to minutes to hours]

- Increase visibility
- Solid identification (use case/event filter)
- External threat intelligence sources
- Artificial Intelligence (AI) analytics
- Incident response playbook
- Automated response platform


• Threat intelligence
• AI for cyber security
• Automated monitoring/detection/response

Cognitive SOC

(Cyber) Threat Intelligence


Cyber threat intelligence (CTI) is an area of cybersecurity that focuses on the collection and analysis of information about current and potential attacks that threaten the safety of an organization or its assets.

Advisory, Bulletin, Exploit, Malware DB, Blacklist IP/Spammer/BotNet

SOC KM, Bulletin (Dynamic)

Threat Intelligence Provider:

- Choose a threat intelligence provider based on business threat modeling
- Implement the threat intelligence feed/console
- Link threat intelligence to the SIEM
- (Optional) Build your own threat intelligence
- Share with and join the same-sector TI community
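What "link threat intelligence to the SIEM" and the use case/event filter from the earlier slide look like in code, as an added Python example that is not part of the original slides: a constructed TI feed is matched against constructed firewall, proxy and DNS lines, events with no indicator hit are suppressed, and the remaining alerts are scored for L1 triage. The field names, indicator values and scoring weights are assumptions.

```python
import re
# Constructed threat-intelligence feed (sample values only, not real IOCs):
# indicator -> (type, confidence 0-100, feed that supplied it)
TI_FEED = {
    "203.0.113.45": ("ip", 90, "sector-sharing-group"),
    "198.51.100.7": ("ip", 60, "public-blacklist"),
    "bad-updates.example": ("domain", 85, "vendor-advisory"),
}
# Constructed SIEM input: firewall, proxy and DNS lines in key=value form.
SAMPLE_LOGS = [
    "fw action=allow src=10.0.0.12 dst=203.0.113.45 dport=443",
    "fw action=allow src=10.0.0.12 dst=192.0.2.10 dport=443",
    "proxy user=alice host=bad-updates.example status=200",
    "dns client=10.0.0.33 query=intranet.example.local",
    "fw action=deny src=198.51.100.7 dst=10.0.0.5 dport=22",
    "fw action=allow src=10.0.0.12 dst=192.0.2.10 dport=443",
]
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Normalise one raw line: first token is the log source, rest is key=value."""
    source, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["log_source"] = source
    return fields

def indicators(event):
    """Fields that can carry an IOC, so one rule covers fw, proxy and DNS events."""
    return [event[k] for k in ("src", "dst", "host", "query") if k in event]

def enrich(events):
    """Use case: alert only on events matching a TI indicator. Score = feed confidence,
    +10 if the traffic was allowed through (a deny is already contained); assumed weights."""
    alerts = []
    for ev in events:
        for ioc in indicators(ev):
            if ioc in TI_FEED:
                typ, conf, feed = TI_FEED[ioc]
                score = conf + (10 if ev.get("action") == "allow" else 0)
                alerts.append({"ioc": ioc, "type": typ, "score": score,
                               "feed": feed, "event": ev})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)

def triage(lines):
    """Return prioritised alerts plus counts showing how much noise was filtered out."""
    events = [parse(line) for line in lines]
    alerts = enrich(events)
    hit_ids = {id(a["event"]) for a in alerts}   # events that produced an alert
    summary = {"events": len(events), "alerts": len(alerts),
               "suppressed": len(events) - len(hit_ids)}
    return alerts, summary
```

Running `triage(SAMPLE_LOGS)` on the constructed lines keeps three alerts out of six events, with the allowed connection to the high-confidence sector-feed indicator ranked first.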

ICEBERG of Cyber Security Knowledge

• Industry publications

• Forensic information

• Threat intelligence commentary

• Analyst reports

• Conference presentations

• News sources

• Newsletters

• Tweets

• Wikis

A universe of security knowledge

Dark to your defenses

Typical organizations leverage only 8% of this content*

Human Generated Knowledge

Traditional Security Data

• 200K+ security events viewed each day
• 10K security research papers / year
• 720K security blogs / year
• 180K security related news articles / year
• 75K+ reported software vulnerabilities

• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds

1 Forrester Research : Can You Give The Business The Data That It Needs? , 2013

IBM Watson for Cyber Security

*IBM intends to deliver in the future as a QRadar app

Corpus of Knowledge (human generated security knowledge, sourced by IBM Security):
• Threat databases
• Research reports
• Security textbooks
• Vulnerability disclosures
• Popular websites
• Blogs and social activity
• Other

Enterprise (security analytics: correlated enterprise data):
• Security events
• User activity
• Configuration information
• Vulnerability results
• System and app logs
• Security policies
• Other

QRadar Advisor with Watson for Cyber Security unlocks a new partnership between security analysts and their technology

Security Analytics
• Data correlation
• Pattern identification
• Thresholds
• Policies
• Anomaly detection
• Prioritization

Security Analysts ↔ Security Analytics ↔ QRadar Advisor ↔ Watson for Cyber Security

QRadar Advisor:
• Alerts
• Security events and anomalies
• User activity
• Vulnerabilities
• Configuration
• Other

Watson for Cyber Security:
• Threat identification
• Additional indicators
• Relationships
• Evidence

Cognitive Security Operation Center

Essential CSOC Conceptual

Technology Leader, Best Practice Process, Professional People

Cognitive Security Operation Center: People (External/Internal Context Party)

- Prepare a co-ordination interface to support the internal/external context
- Define competency, roles and responsibilities for the offence/defense team

Roles: SOC Manager; L3: Threat Response Analyst; L2: Threat Triage Analyst; L1: Threat Monitoring Analyst; SOC/SIEM Engineer; Red Team; Threat Hunter/Intelligence Analyst; Security Architect

- Clear career path: L1 → L2 → L3 → SOC Engineer, Threat Intelligence, Red Team, SOC Manager, Security Architect

Cognitive Security Operation Center: Technology

SIEM
- Multiple sources: event/log, network, endpoint, vulnerability, cloud
- Use-case orchestration

Automated IR
- Playbook tracking
- Playbook orchestration
- Automated response

Cyber Range/Drill
- Pentest/VA
- Forensics
- Drill playbook
- Cyber range platform
- Cyber range courseware

Physical
- DC, DR
- Physical controls
- Physical security

Service Desk
- Email/messaging system
- Service desk
- Ticket system
- Console portal
- KM system
- Provision a service desk solution

IDENTIFY DETECT RESPONSE IMPROVE

- SOC components: IDENTIFY, DETECT, RESPONSE, IMPROVE

Infrastructure
- Security devices
- Endpoint security, SOC PCs
- Network devices
- Virtualization
- Patch management
- Backup system
- SOC infra: defense-in-depth concept design

- Sandbox
- Threat intelligence
- AI/ML
- Threat detection tracking
- Predictive analytics
- Incident response console

Cognitive Security Operation Center: Process (IDENTIFY, DETECT, RESPONSE, IMPROVE)

- Produce incident response policy/procedure (ISO/IEC 27001 Annex A.16, Information security incident management)
- Define an operation framework with an improvement concept
- Exercise, tune, improve and update

IDENTIFY: threat modeling, use-case design
DETECT: deploy use-cases, anomaly/prediction analytics, threat detection procedure, threat intelligence/hunting, AI/ML analytics
RESPONSE: IR playbook, forensic procedure, co-ordination procedure
IMPROVE: cyber range incident response drill, update use-cases/playbooks, training and awareness, threat intel bulletin

SECUREiNFO: Cyber Security Operation Center Service

Service Portfolio

Cyber Security Risk Assessment
• Penetration testing
• Compliance audit
• Security gap assessment

Managed Security Service (MSS)
• CSOC service: threat monitoring, analysis, response and improvement
• Incident response (manual/automated)
• Threat intelligence/hunting
• CSOC improvement/turnkey

Cyber Security Consultant
• Security advisory services
• Security staff outsourcing
• Security solution deployment and integration

Security Education and Enablement
• Professional security training
• Customized security workshops

SECUREiNFO: Essential CSOC Conceptual

Technology Leader
- AI Watson for Cyber Security technology
- Global threat intelligence capability

Professional People
- 24x7 CSOC operation staff
- Emergency response team
- Professional cyber security team

Best Practice Process (IDENTIFY, DETECT, RESPONSE, IMPROVE)
- Global CSOC standard and framework
- Use case design and tuning
- Incident response playbook

Key Features: SOC SECUREiNFO

AI for Cyber Security
Effective and accurate incident analytics and monitoring with world-leading AI.

Cognitive Threat Intelligence
Improve SOC visibility and proactive monitoring with cyber threat intelligence big data.

Incident Management Portal
Automated and adaptive remediation with a leading incident response platform.

Integrated Multi-Source
Provide security services such as emergency response, SOC consultancy, SOC assessment, SOC drills, SOC improvement and SOC staff outsourcing.

Incident Response Platform
We provide an incident response management system based on the global SOC framework of IBM Security Services.