© 2015 IBM Corporation
IBM Security Services: Building a Security Operations Center
Engin Özbay, IBM Security, Turkey
Security operations in a changing environment
The current environment is putting new demands on security operations
Drivers (diagram): Social Business (blurring “social” identities); New Business Models, New Technologies; Cloud / Virtualization; Mobile Collaboration / BYOD; Velocity of Threats; Evolving Regulations
Context: large existing IT infrastructures with a globalized workforce, 3rd party services, and a growing customer base
Potential impacts: malware infection, loss of productivity, data leakage, data or device loss or theft, regulatory fines ($$$)
Why do we build operational security controls & capabilities?
Reduce enterprise risk. Protect the business.
Move from reactive response to proactive mitigation.
Increase visibility over the environment.
Meet compliance/regulatory requirements.
What is a Security Operations Center, or SOC?
A Security Operations Center is a highly skilled team following defined processes and procedures to manage threats and reduce security risk
Security Operations Centers (SOC) are designed to:
– protect mission-critical data and assets
– prepare for and respond to cyber emergencies
– help provide continuity and efficient recovery
– fortify the business infrastructure
The SOC’s major responsibilities are:
– Monitor, Analyze, Correlate & Escalate Intrusion Events
– Develop Appropriate Responses; Protect, Detect, Respond
– Conduct Incident Management and Forensic Investigation
– Maintain Security Community Relationships
– Assist in Crisis Operations
The SOC …
Must demonstrate compliance with regulations
Protect intellectual property and ensure privacy properly
Manage security operations effectively and efficiently
Provide real-time insight into the current security posture of your organization
Provide security intelligence and the impact of threats on the organization
Enable your organization to know who did what, when - and prove it (evidence)
Security operations centers must be responsive to the evolving threats and provide management the information and control that it needs
But it’s not that simple...
Designing and building a SOC requires a solid understanding of the business’ needs and the resources that IT can deploy
Multiple stakeholders, processes and technologies to consider
An operational process framework
Physical space requirements and location
Personnel skills: Security analysts, shift leads, SOC managers
People / Process / Technology diagram:
– People: In-house staff, Partners, Outsourced Providers, Customers
– Process: Threat Analysis, Compliance Mgmt, SLA Mgmt, Risk Assessment, Change Mgmt, Vulnerability Mgmt, Identity & Access, Incident Mgmt
– Technology: Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Vulnerability Scanners, Identity & Desktop Mgmt, Ticketing System, Change Tracking
There is no app for that…
Diagram: SOC functions shown as ON/OFF toggles, each with a delivery choice of In-House, Outsource or Co-Deliver
– Functions: Log Integrity, Firewall, IDPS, Brand Monitoring, Device Management, Security Monitoring, Incident Escalation, Incident Response, Compliance Management, Correlation Rules, Security Intelligence, Policy Management, Application Monitoring, DLP, Identity & Access
– Dimensions: People, Technology Scope, Functionality, Compliance & Reporting, Escalations & Notifications, Client Success (undefined)
…Don’t be a FOOL and think you just need to buy a TOOL
Building a Security Operations Center involves multiple domains
People
• Do you need 24x7x365 staff?
• What are the skills needed?
• Where do you get staff?
• What about training?
• How do you keep staff?
• Metrics to measure performance
• Capacity planning
Process
• What does the plan look like?
• How do we measure progress and goals?
• What is the optimal design of core processes? (e.g. incident management, tuning, etc.)
• Process and continual improvement
Technology
• SIEM architecture & use cases
• Log types and logging options
• Platform integrations; ticketing governance, big data
• Web services to integrate them
• Technology should improve effectiveness and efficiency
• Dashboard visibility and oversight
Governance / Metrics
• Policy, measurement and enforcement
• Integrated governance that balances daily operations with strategic planning
• Ministry objectives
• Informing stakeholders
• Informing employees
IBM Confidential
SOC Models
The changing requirements for enterprise security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of a SOC.
Legacy SOC vs. Optimized SOC
Mission & Strategy
– Charter: Legacy – technology or service only; Optimized – build a dedicated security operations capability
– Governance: Legacy – self governed (IT Security); Optimized – cross-functional (IT, Business, Audit, etc.)
– Strategy: Legacy – budget based, 12 month planning cycle; Optimized – 3+ year cycle, priorities set by enterprise
Technology
– Tools: Legacy – SIEM tool only; Optimized – SIEM, ticketing, portal/dashboard, Big Data
– Use Cases: Legacy – standard rules, minimal customization; Optimized – tailored rules based on risk & compliance drivers
– Referential Data: Legacy – minimal importance, secondary priority; Optimized – required data, used to prioritize work
Operations Management
– Measures: Legacy – silos, ticket/technology driven; Optimized – cross-functional, efficiency, quality, KPI/SLO/SLA
– Reporting: Legacy – ticket/technology driven; Optimized – metrics, analytics, scorecards, & dashboards
Outcome: Legacy – detect & react to threats; Optimized – proactive, visible, anticipate threats, mitigate risks
IBM Security Operations Operating Model (diagram; legend: SOC, IT / Corp)
SOC Governance
– Cyber-Security Command Center (CSCC): Executive Security Intelligence Briefings, Local/Reg. Security Oversight, SOC Governance, Consolidated Security Analytics & Dashboards, Local/Reg. Intel. Briefings
– SOC Service Delivery Management: Service Level Management, Operational Efficiency, Service Reporting, Escalation
SOC Operations
– Threat Monitoring: Threat Analysis, Impact Analysis
– Threat Triage: Investigations, Incident Triage
– Threat Response: Adv. Event Analysis, Escalations, Incident Mgmt.
– Security Intelligence: Incident Hunting, PM Use Case Recommendations
– Admin Support Services: Tool Integration, Rule Admin
– CSIRT Management: Corp. Incident Response, Table-top Exercises
– Security Analytics & Incident Reporting
SOC Technology
– SOC Platform Components: Security Device Data, Event Data (Int./Ext.), Event Patterns, Correlation, Aggregate Security Events, Log Data (Transactional), Unstructured Data (Big Data), Custom Rules
– SIEM, Ticketing & Workflow, Portal, Integration Tools (e.g. Web Srvcs), Reporting / Dashboard, Big Data
SOC Data Sources: Logs (Transactional), Network Hierarchy & Design, Business Data from Structure & Geography, Unstructured (Big Data), Asset & Data Classifications, Threat Intelligence
IT / Corp
– Corporate: Business Units, Legal, Audit
– IT Operations: Incident Mgmt, Problem Mgmt, Change Mgmt, Release Mgmt
– Business Operations: Business Ops, Investigations, Public Relations, Legal / Fraud
– Architecture & Projects
– Emergency Response
We understand that an effective SOC has the right balance of People, Process and Technology components
(People / Process / Technology diagram, as above)
It starts with the right people …
(People / Process / Technology diagram, People highlighted: In-house staff, Partners, Outsourced Providers, Customers)
The SOC is only as good as its people, and upfront planning for the unique people management aspects of a 24x7 security centric organization will provide significant long term returns.
Points of Consideration:
SOC staff have a specialized skill set and experienced staff are often difficult to find
Training is expensive, time consuming, and improves marketability of staff. Compensation strategies must be evaluated accordingly.
Retention of staff is difficult in a non-security centric organization due to continuous need for updated training, lack of expansive career path options, and burn-out.
Beyond analysts for 24x7 coverage, other supporting functions must be considered:
- System admins, Intelligence resources, Escalation resources, Compliance officers, Management / Supervision
The SOC is organized around the standard plan, build and run model
(Diagram: SOC Organization Chart, Governance – ILLUSTRATIVE)
A responsibility matrix for all SOC roles should be defined across each SOC service.
ILLUSTRATIVE
Roles (columns): SOC Analyst: Monitoring | SOC Analyst: Triage | SOC Analyst: Response | Security Intelligence Analyst | Security Incident Handler (Certified) | SOC Tools Admin | SOC Manager | Security Forensic Analyst | IT Security Admin | IT Operations | CERT
Service groups (rows are grouped into): Core Security Services, Deployment Services, Security Intelligence Services, Administrative Services, Reporting Services, Optional Services
Activities (rows), with the non-blank R/A/C/I cells listed in role order (R = Responsible, A = Accountable, C = Consulted, I = Informed):
Security Monitoring: R C A
Incident Triage: C R C A
Incident Response: C C R C R A R I
Delivery Management: A I
Use Case Design: C C C R C A C C
Log Source Acquisition: R C R A C C
Service Testing & Tuning: R A I I
Custom Playbook Development: C C C R C C A C C
Operations Training: C C C R C A
Security Intelligence Analysis: C C C A C C C
Security Intelligence Briefings: A C C C
Use Case Recommendations: C C C A C C C
SIEM Administration: R A I I
Contextual Data Management: C R A C C
Log Source Management: C R A C C
Log Source Heartbeat Monitoring: C R A C C
Security Reporting: C C C C C A C I
Efficiency Reporting: C C C A C I
Financial Reporting: C C C C A I
Enterprise Incident Management: C A
Forensics Investigation: C C C C C A C C
Policy Violation Handling: C C C C A C
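The Delivery Management, Service Testing & Tuning and Efficiency Reporting rows above, the Service Level Management block of the operating model, and the triage analyst duty to track closure of tickets per SLA all depend on the same measurement: for every ticket, how much of its severity target has elapsed. The following Python is an added example written for this page, not code from the IBM deck; the severity targets, the ticket records and the 80% at-risk threshold are constructed for illustration and are not IBM values. It classifies each ticket as met, breached, at risk or open and rolls the result up per severity, which is the input a shift lead needs for the daily metrics and escalation decisions the deck describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical SLA closure targets per severity. The deck mentions "Sev 4" tickets
# but states no targets; these values are constructed for the example.
SLA_TARGET = {
    "Sev1": timedelta(hours=1),
    "Sev2": timedelta(hours=4),
    "Sev3": timedelta(hours=24),
    "Sev4": timedelta(hours=72),
}
# An open ticket that has used this fraction of its target is reported as at risk.
AT_RISK_FRACTION = 0.8


@dataclass
class Ticket:
    ticket_id: str
    severity: str
    opened: datetime
    closed: Optional[datetime] = None   # None while the ticket is still open


def ts(text: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MM' string as a UTC timestamp."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed sample ticket queue (not real incident data).
SAMPLE_TICKETS = [
    Ticket("INC-1001", "Sev1", ts("2015-06-02T08:00"), ts("2015-06-02T08:45")),  # closed in 45 min
    Ticket("INC-1002", "Sev1", ts("2015-06-02T09:00"), ts("2015-06-02T10:30")),  # closed late, 90 min
    Ticket("INC-1003", "Sev2", ts("2015-06-02T09:00")),                           # open 3.5 h of 4 h
    Ticket("INC-1004", "Sev3", ts("2015-06-01T10:00")),                           # open 26.5 h, past 24 h
    Ticket("INC-1005", "Sev4", ts("2015-05-30T10:00"), ts("2015-06-01T09:00")),  # closed in 47 h
    Ticket("INC-1006", "Sev2", ts("2015-06-02T11:00")),                           # open 1.5 h, on track
]
# The reporting instant for the sample; a real report would use the current time.
NOW = ts("2015-06-02T12:30")


def classify(ticket: Ticket, now: datetime) -> str:
    """Return 'met', 'breached', 'at_risk' or 'open' for one ticket relative to its SLA."""
    target = SLA_TARGET[ticket.severity]
    elapsed = (ticket.closed or now) - ticket.opened
    if ticket.closed is not None:
        return "met" if elapsed <= target else "breached"
    if elapsed > target:
        return "breached"          # still open and already past the target
    if elapsed >= AT_RISK_FRACTION * target:
        return "at_risk"           # still open and close to the target: escalate now
    return "open"


def sla_report(tickets, now):
    """Per-severity counts of total / met / breached / at_risk / open tickets."""
    report = {sev: {"total": 0, "met": 0, "breached": 0, "at_risk": 0, "open": 0}
              for sev in SLA_TARGET}
    for t in tickets:
        report[t.severity]["total"] += 1
        report[t.severity][classify(t, now)] += 1
    return report


def closure_compliance(tickets, now):
    """Percentage of closed tickets that met their target; None if nothing is closed yet."""
    closed = [t for t in tickets if t.closed is not None]
    if not closed:
        return None
    met = sum(1 for t in closed if classify(t, now) == "met")
    return round(100.0 * met / len(closed), 1)


def demo_report():
    return sla_report(SAMPLE_TICKETS, NOW)


def demo_at_risk():
    """Ticket ids a shift lead should chase before they breach."""
    return [t.ticket_id for t in SAMPLE_TICKETS if classify(t, NOW) == "at_risk"]


if __name__ == "__main__":
    for sev, counts in demo_report().items():
        print(sev, counts)
    print("at risk:", demo_at_risk())
    print("closure compliance: %s%%" % closure_compliance(SAMPLE_TICKETS, NOW))
```

Counting an open ticket that has already passed its target as breached, rather than waiting for closure, is the design choice that makes the report useful for escalation instead of only for month-end reporting: the Sev3 ticket in the sample shows up as breached while it is still being worked.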
Sample Job Description: Triage Analyst
ILLUSTRATIVE
Responsibilities
• Monitoring of security events received through alerts from SIEM or other security tools
• Review alerts escalated by end users
• Handle end user and security services consumer initiated incidents and initiate trouble tickets – Sev 4 tickets
• Performing Level 1 triage of incoming issues (initial assessment of the priority of the event, initial determination of incident to determine risk and damage, or appropriate routing of security or privacy data requests)
• Monitoring of alert and downstream dependencies health (logger, client agents, etc.)
• Responsible for troubleshooting agents and logs required for reporting when not reporting to alerting systems
• Intake intelligence actions from Intelligence teams and ticket for appropriate operators for tool policy or tool setting tuning
• Provide limited incident response to end users for low complexity security incidents
• Notifying appropriate contact for security events and response
• Takes an active part in the resolution of incidents, even after they are escalated
• Work assigned ticket queue
• Understanding and exceeding all tasked SLA commitments
• Track and report on closure of tickets per SLAs
• Escalating issues to Tier II or management when necessary
• Provide daily and weekly metrics for security and vulnerability incidents
• 24/7 shift work required
Experience and Skills
• Process and procedure adherence
• General network knowledge, TCP/IP troubleshooting
• Ability to trace down an endpoint on the network based on ticket information
• Familiarity with system log information and what it means
• Understanding of common network services (web, mail, DNS, authentication)
• Knowledge of host based firewalls, Anti-Malware, HIDS
• General Desktop OS and Server OS knowledge
• TCP/IP, Internet Routing, UNIX & Windows NT
• Strong analytical and problem
Training
• Required: Security Essentials – SEC401 (optional GSEC certification)
• Computer Forensic Investigation – Windows In-Depth – FOR408
• Recommended: Security Incident Handling and Forensic – FOR508
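Two of the duties above, monitoring the health of alert and downstream dependencies and troubleshooting agents that stop reporting, are the analyst side of the Log Source Heartbeat Monitoring activity in the responsibility matrix. A silent log source is a detection gap, not just an operations fault: a firewall that has stopped forwarding events produces no alerts at all, which looks identical to a quiet night. The Python below is an added example written for this page, not IBM tooling; the source names, allowed intervals, skew tolerance and event stream are constructed. It computes the last event seen per source and reports sources that are silent beyond their allowed interval, sources that were configured but never seen, sources that report from the future (clock skew, which also breaks correlation), and sources that send data nobody configured.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical maximum silence tolerated per log source before its health is alerted.
# Source names and intervals are constructed for the example, not IBM configuration.
EXPECTED_INTERVAL = {
    "fw-edge-01":    timedelta(minutes=5),
    "dc-auth-01":    timedelta(minutes=10),
    "proxy-eu-02":   timedelta(minutes=15),
    "edr-agent-lab": timedelta(hours=1),
    "vpn-gw-01":     timedelta(minutes=30),
}
# Events stamped this far ahead of the collector's clock are treated as a clock problem.
SKEW_TOLERANCE = timedelta(minutes=2)

# Constructed sample of (source, event timestamp) pairs as a collector would see them.
SAMPLE_EVENTS = [
    ("fw-edge-01",    "2015-06-01T12:00:05Z"),
    ("dc-auth-01",    "2015-06-01T11:58:40Z"),
    ("proxy-eu-02",   "2015-06-01T11:20:00Z"),   # stops reporting here
    ("fw-edge-01",    "2015-06-01T12:07:00Z"),
    ("dc-auth-01",    "2015-06-01T12:03:00Z"),
    ("edr-agent-lab", "2015-06-01T12:30:00Z"),   # 20 min in the future: clock skew
    ("unknown-host",  "2015-06-01T12:05:00Z"),   # source nobody configured
]
# The check instant for the sample; a scheduled job would use the current time.
NOW = datetime(2015, 6, 1, 12, 10, tzinfo=timezone.utc)


@dataclass
class HeartbeatAlert:
    source: str
    condition: str      # "silent", "never_seen", "clock_skew" or "unexpected_source"
    gap: timedelta      # how long the source has been silent (or how far ahead its clock is)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(events):
    """Latest event timestamp per source; order of arrival does not matter."""
    seen = {}
    for source, text in events:
        stamp = parse_ts(text)
        if source not in seen or stamp > seen[source]:
            seen[source] = stamp
    return seen


def check_heartbeats(events, now, expected=EXPECTED_INTERVAL, skew=SKEW_TOLERANCE):
    """Compare each configured source's last event against its allowed interval."""
    seen = last_seen(events)
    alerts = []
    for source, interval in expected.items():
        if source not in seen:
            alerts.append(HeartbeatAlert(source, "never_seen", timedelta(0)))
            continue
        gap = now - seen[source]
        if gap < -skew:
            alerts.append(HeartbeatAlert(source, "clock_skew", -gap))
        elif gap > interval:
            alerts.append(HeartbeatAlert(source, "silent", gap))
    # Data arriving from an unconfigured source is worth a ticket too: either the
    # inventory is stale or something is sending logs that was never onboarded.
    for source in sorted(seen.keys() - expected.keys()):
        alerts.append(HeartbeatAlert(source, "unexpected_source", timedelta(0)))
    return sorted(alerts, key=lambda a: a.source)


def demo_conditions():
    """Map of source -> condition for the sample; healthy sources are omitted."""
    return {a.source: a.condition for a in check_heartbeats(SAMPLE_EVENTS, NOW)}


if __name__ == "__main__":
    for alert in check_heartbeats(SAMPLE_EVENTS, NOW):
        print(f"{alert.source:14} {alert.condition:18} {alert.gap}")
```

The allowed interval has to be set per source from its normal event rate (a domain controller is chatty, a lab agent is not), which is why the table is keyed by source rather than using one global timeout; a single timeout either pages constantly for quiet sources or misses an outage on busy ones.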
Leveraging tested integrated processes …
(People / Process / Technology diagram, Process highlighted: Threat Analysis, Compliance Mgmt, SLA Mgmt, Risk Assessment, Change Mgmt, Vulnerability Mgmt, Identity & Access, Incident Mgmt)
SOC processes must be documented, consistently implemented, and based upon existing standards / governance frameworks. Procedures must take into consideration corporate security policy, business controls, and relevant regulatory requirements.
Points of Consideration:
The SOC’s mission must be clearly defined – Incident discovery, CERT, etc.
SOCs differ from NOCs, and an alarm does not always equate to action.
Processes must take into consideration evaluation and incorporation of a constantly changing stream of potentially actionable threat intelligence.
Best practices for incident investigation, response, and mitigation must be maintained and updated as technologies are added, change, or mature.
Built on a solid technology platform
(People / Process / Technology diagram, Technology highlighted: Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Vulnerability Scanners, Identity & Desktop Mgmt, Ticketing System, Change Tracking)
Technology for a SOC build is the foundation on which the organization demonstrates the ability to provide security continuously, even under times of duress such as persistent attack, natural disaster, facilities failure, etc.
Points of Consideration:
SOC technologies (SIEM, trouble ticketing, incident management, etc.) are often special purpose, costly, and challenging to maintain due to their overall complexity
The number of disparate systems and the volume of device / event data will typically require a dedicated IT staff for system administration
Capacity management can be a challenge due to the need to support peak loads, which may include DDoS, monthly batch processing, etc.
The management and reporting systems must be flexible enough to accommodate process and security policy changes as well as changes in the technology landscape
SOC Strategies & Approaches
IBM and Client Confidential
Selecting the optimal SOC operating model depends on balancing business and technical requirements, risk and financial constraints
Business Requirements – Centralized vs. Decentralized
– Centralized: Single Global SOC, CSCC combined with SOC, lowest cost, easiest to manage
– Decentralized: Multiple SOCs (Geo. / BU), Single Global CSCC, high cost, more difficult to manage
Technical Requirements – Standard vs. Highly Customized
– Standard: Simple platform, lowest cost to implement/operate, good risk mgmt capabilities, easy to scale operations, moderate detail on threats
– Highly Customized: Complex platform, high cost to implement/operate, excellent risk mgmt capabilities, more expensive to scale operations, rich detail on threats
Risk Tolerance – Externally Managed vs. Internally Managed
– Externally Managed: 30-90 day implementation, lowest cost to implement/operate, not core to business, leverage industry best practices
– Internally Managed: Long implementation lead time, high cost to implement/operate, core to business, frequent independent reviews
Financial Constraints – Low Cost vs. High Cost
– Low Cost: Lowest cost to implement, lowest cost to operate
– High Cost: Highest cost to implement, highest cost to operate
IBM Security Operations Operating Model: MSSP Hybrid
(Diagram: the same SOC Governance / SOC Operations / SOC Technology / SOC Data Sources structure as the operating model above, with a legend of SOC, IT / Corp and MSSP. Differences from the in-house model: Security Intelligence covers Incident Hunting and Use Case Management, and the IT / Corp layer lists OT Operations alongside Corporate, IT Operations, Business Operations, Architecture & Projects and Emergency Response.)
Getting Started
Develop a Strategy then a Plan
To get started, the organization should consider the following questions in establishing its objectives
What is the primary purpose of the SOC?
What are the specific tasks assigned to the SOC? (e.g., threat intelligence, security device management, compliance management, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)
Who are the consumers of the information collected and analyzed by the SOC? What requirements do they have for the SOC?
Who is the ultimate stakeholder for the SOC? Who will “sell” the SOC to the rest of the organization?
What types of security events will eventually be fed into the SOC for monitoring?
Will the organization seek an external partner to help manage the SOC?
The Security Operations Optimization portfolio provides a flexible approach to the entire SOC/SIEM life cycle.
Workshop
• Educational, share best practices
• Table-top, guided SOC maturity assessments
Assessment
• Define the mission
• Assess current operations and capabilities
• Define future environment
• Develop roadmap for action
Strategy
• Set high-level vision
• Develop next steps roadmap for action
Design & Build
• Laying the foundation of capabilities
• Designing effective staffing models and supporting processes / technology
• Conducting training and testing
• Implementing tracking and reporting capabilities
Run & Enhance
• Leveraging acquired knowledge and experience
• Instituting formal feedback and review mechanisms
• Driving further value from the technology
• Expanding business coverage and functions
• Tuning and refinement
Optimize
• Business aligned threat management and metrics
• Drive for best practices
• Integrated operations with improved communications
• Seek opportunities for cost takeout
• Continuous improvement
Each phase covers People and Governance, Processes and Practices, and Technology.
Security Operations Optimization Consulting Offerings (Name – Description – Sample Duration & Details)
SOC / SIEM Workshop
• Review security policies and SOC/SIEM mission/charter
• Review IBM SOC / SIEM Operating Model Point of View
• Review components needed to implement a security operations center: platform arch., processes, organization, metrics/reporting, governance
• Discuss best practices for each component and industry trends
• Develop client feedback report
Sample duration & details: 1-5 days; Workshop Readout deliverable
SOC Maturity Assessment Workshop
• Review security policies and SOC/SIEM mission/charter
• Assess client environment against IBM SOC / SIEM Maturity Model
• Establish future state target maturity by component
• Analyze current and future targets vs. industry maturity benchmarks
• Identify gaps, opportunities for improvement, prioritize improvements
• Develop preliminary recommendations for SOC program
Sample duration & details: 1-5 days; Maturity Assessment deliverable
SOC/SIEM Strategy and Program Mobilization
• Review security policies and SOC/SIEM mission/charter
• Conduct detailed current environment review by component area: platform arch., processes, organization, metrics/reporting, governance
• Review current and planned SOC/SIEM projects/initiatives
• Assess current environment vs. Maturity Model, establish future state target
• Identify and prioritize gaps and opportunities for improvement
• Identify SOC scenarios and tailor the decision model
• Finalize transformation states, service improvements, finalize strategy
• Identify initiatives, group into projects, develop roadmap (timeline)
Sample duration & details: 4-6 weeks; Maturity Assessment deliverable, component baselines, sample Phase 1 work plan
Security Operations Optimization Consulting Offerings (Name – Description – Sample Duration & Details)
Use Case / Rule (UCR) Assessment
• Review security policies and SOC/SIEM mission/charter
• Review business/technical requirements, risk tolerance, cost constraints
• Review Use Case Models and rule architecture and design
• Identify gaps, opportunities for improvement
• Prepare high level Use Case / Rule recommendations
Sample duration & details: 4-8 weeks; Assessment Report
Use Case / Rule (UCR) Strategy
• Review security policies and SOC/SIEM mission/charter
• Review business/technical requirements, risk tolerance, cost constraints
• Review Use Case Models and rule architecture and design
• Identify gaps, opportunities for improvement
• Identify UCR scenarios and tailor the decision model
• Identify target state, prioritize improvements, finalize UCR strategy
Sample duration & details: 4-8 weeks; Use Case Assessment and Strategy deliverable
Security Operations Center Reporting Strategy
• Review security policies and SOC/SIEM mission/charter
• Review business/technical requirements, risk tolerance, cost constraints
• Review current metrics, operational/executive reports
• Identify gaps, opportunities for improvement
• Identify target state, prioritize improvements, finalize SOC reporting strategy
Sample duration & details: 6-12 weeks; Security Operations Assessment and Strategy deliverable
Security Operations Optimization – Design / Deploy (Name – Description – Sample Duration & Details)
SOC/SIEM Design
• Develop macro / micro design for the Security Operations Center
• Key scope elements: platform, process, organization, reports, governance
• Data source logical/physical scope and integration architecture
• Develop use case and rule macro and micro design
• Develop SOC operational model, logical/physical platform architecture
• Finalize SOC process scope, context diagram, core/non-core processes
• Develop organization conceptual/logical model (roles), governance model
• Develop key metrics, reporting architecture, report list
• Product selection decision model and preliminary recommendations (opt.)
• Finalize SOC / SIEM macro and micro design deliverables
Sample duration & details: 2-3 months; SOC/SIEM design method; design phase method/plan; workshop decks/schedules; key scope element baselines; SOC capacity modeling tool
SOC/SIEM Implementation
• Prepare SOC implementation plan, conduct SOC build, test, deployment
• Key scope elements: platform, process, organization, reports, governance
• Execute procurement for selected products, services (opt.)
• Finalize MSS implementation plan and build, test and deploy MSS (opt.)
• Build, test and deploy data sources, integration APIs
• Build, test, deploy use cases and conduct rule tuning
• Build, test and deploy SOC processes, metrics, SLAs/SLOs, Ops Manual
• Build, test and deploy organization design, role descriptions
• Build, test and deploy metrics, reports and executive dashboards
• Build, test and deploy SOC governance processes
• Conduct transition: Proof of Concept, Pilot Ops, Simulated Live Ops
• Security Operations Center go-live, update Phase N design plan
Sample duration & details: 4-6 months; implementation method/plan; MSS build, test, deploy plans; workshop decks/schedules; use case / rule frameworks; key scope element baselines; SOC capacity modeling tool; PoC, pilot, sim. live ops plan
Helping organizations with their SOC requirements is a core element of IBM’s 10 essential practices required to effectively manage risk
Essential Practices (maturity based approach; axes: Reactive to Proactive, Manual to Automated; maturity levels Basic, Proficient, Optimized; Security intelligence at the center):
1. Build a risk aware culture and management system
2. Manage security incidents with intelligence
3. Defend the mobile and social workplace
4. Secure services, by design
5. Automate security “hygiene”
6. Control network access and assure resilience
7. Address new complexity of cloud and virtualization
8. Manage third party security compliance
9. Secure data and protect privacy
10. Manage the identity lifecycle
IBM Research
IBM can provide unmatched global coverage and security awareness.
Security Operations Centers, Security Research Centers, Security Solution Development Centers, Institute for Advanced Security Branches
• 10B analyzed web pages and images
• 150M intrusion attempts daily
• 40M spam and phishing attacks
• 46K documented vulnerabilities and millions of unique malware samples
• 20,000-plus devices under contract
• 3,300 GTS¹ service delivery experts
• 3,700-plus MSS² clients worldwide
• 20B-plus events managed per day
• 3,000-plus security patents
• 133 monitored countries (MSS)
Worldwide managed security services coverage
¹ IBM Global Technology Services (GTS); ² Managed Security Services (MSS)
Largest Bank in Canada improves security by establishing a SOC & implementing monitoring tools and processes
Client Situation:
The client had engaged IBM to help them map out their security needs, including SOC strategy, architecture, analyzing and querying log, threat and vulnerability data (SIEM), and ongoing management. A few high-level issues were:
– Lack of any SOC model and strategy roadmap
– No trained SOC Operations team or staff
– No security monitoring tool or processes for security incidents
IBM Solution:
IBM Security Services Team reviewed the client’s business and technical requirements, risk tolerance and cost constraints. After analyzing the requirements, IBM developed a 3 year SOC Strategy and Roadmap with ongoing phased implementations. Additionally the following high-level tasks were performed:
– Global installation of the QRadar monitoring tool
– Archer Ticketing System implementation (security tickets)
– Designed the SOC Organization, Process, People Model
– SOC Capacity Modeling
– Hired and trained the client’s SOC Staff (~12 resources)
– Implemented SOC Operational Reporting and Executive Dashboards
Client Benefits:
– Reduced risks & costs associated with security incidents and data breaches
– Addressed compliance issues by establishing clear audit trails for incident response
– Improved security posture with enterprise-wide security intelligence correlating events from IT & business critical systems/applications
Profile:
Largest Bank in Canada, 3rd largest in North America, top 10 globally. The bank serves 18 million clients and has 80,100 employees worldwide.
A global insurance company in the United States improves security by establishing SOC & implementing monitoring tools and processes
Client Situation:
The client had made a board-level commitment to raise the visibility, effectiveness and efficiency of the global security program. A few high-level issues:
– Multiple day delays in identifying threats
– Extreme incident false positive ratios with current MSSP
– Labor intensive program, without clear lines of responsibility
– Minimal security analytics & dashboards
IBM Solution:
IBM Security Services Team began with a full day SOC optimization workshop to educate the client program team and to review and validate the client’s vision and strategy. After the workshop and recommendations, the client requested IBM’s support to help them plan, design and build the SOC, including the following:
– SOC Architecture development
– SIEM operationalization (ArcSight)
– Remedy Ticketing System implementation (security tickets)
– Designed the SOC organization including capacity models
– Developed best-practice core SOC process and created supporting documentation & artifacts & trained client staff
– Implemented Security Operational Reporting and Executive Dashboards
– Managed transition from previous MSSP to IBM Managed Services
Client Benefits:
– Reduced incident identification time from hours to minutes and streamlined operations, further reducing risks & associated costs, & improved global security with end to end incident management
– Created an industry leading view into the overall security position allowing them to better manage their entire environment
Profile:
Global property and casualty insurer.
Third largest insurer in the United States.
Fortune 100 company.
Operates in 900 locations distributed across 18 countries.
The company has 50,000+ employees worldwide.
A global financial services company in the UK improves security by transforming SOC from compliance to cyber threat monitoring
Client Situation:
The client had invested in a SOC that was focused on policy violation and wanted to expand the capabilities of their existing investment:
– Compliance focused SOC
– Significant challenges with existing technology
– SOC manpower outsourced to 3rd party
– Minimal security analytics & dashboards, non-existent Security Intelligence
IBM Solution:
IBM Security Services Team began with a 2 week SOC maturity assessment to gauge the client’s current and future capabilities and to review and validate the client’s vision and strategy. After the assessment, recommendations were presented to the client and IBM led the transformation programme, including:
– Developed best-practice core SOC process and created supporting documentation & artifacts & trained client staff
– Established a Security Intelligence function
– Accelerated development and implementation of a Ticketing System
– Reviewed the SOC organisation and identified improvements
– Demonstrated the importance of capacity modelling
– Implemented Security Operational Reporting and Executive Dashboards
Client Benefits:
– Increased efficiency from the existing SOC staff, handling more events in a defined and repeatable way
– Increased awareness of their own systems and future threats, making use of Security Intelligence
– Better able to understand and highlight the benefits of the SOC due to improved metrics and reporting
Profile:
UK based financial services group.
Retail, commercial, wealth and asset management, international and insurance arms.
Operates in almost every community in the UK.
Over 100,000 employees (2014)
Thank You (Merci, Grazie, Gracias, Obrigado, Danke, Köszönöm, Tack, Dankie, ευχαριστώ, Спасибо, Hvala, Teşekkürler)
We leverage our SOC framework, which covers the multiple management dimensions of organizing and managing a SOC
We include 14 key processes that encompass both the business and IT aspects
Which leads to insightful analyses – e.g. Maturity Assessment
IBM offers multiple options in our consulting offerings
– Security Operations Center (SOC) Workshop: 1 day management workshop to establish goals and objectives for developing the SOC, identifying stakeholders, types of threats monitored, and the management model
– Security Operations Center (SOC) Assessment: Consulting assessment for clients that have an existing SOC but are looking for IBM to review their capabilities and process maturity and make recommendations for improvements
– Security Operations Center (SOC) Strategy Engagement: Consulting strategy engagement for clients who are seeking to develop a comprehensive strategy and plan to implement a SOC that addresses both IT and the business for managing security and mitigating threats
– Security Operations Center (SOC) Design / Build Project: Professional services to help clients design and build one or multiple SOCs that meet the organization’s needs for improved security intelligence and risk management. Components include:
  • Organization/People (Develop and implement staffing models, shift schedules, skills training etc.)
  • Processes, Procedures, Guidelines (Define, develop and document, update existing)
  • Technology (Plan, design, deploy technology components, integrate feeds and other referential sources)
What you can expect as a result from a SOC implementation
Better understanding of how your security program reduces risk in operations and therefore business risk
Measurement of the real-time compliance of particular security controls in the organization
Insight into the current state of your security posture
Visibility of issues, hacks, infections and misuse that otherwise would require human discovery and correlation.
Easier measurements of compliance and audit effort reduction
IBM knows security
IBM is recognized as a leader in Security Consulting
“IBM burst into the Leader category by demonstrating superb global delivery capabilities”
Why IBM SIEM Security Technology? Breadth, deep expertise, integration
– Leadership: Leader in “Magic Quadrant for Security Information and Event Management”, Gartner, May 12, 2011, May 13, 2010, May 29, 2009. #1 rated by Gartner for Compliance use cases ("Critical Capabilities for Security Information and Event Management Technology," Gartner, 12 May 2011)
– Integration: Integrated with 400+ products and vendor platforms. SIEM, log management, network anomaly detection, and risk management combined in a single console
– Expertise: Embedded 3rd party security feeds including IBM X-Force. Tight integration with InfoSphere Guardium and IBM Identity Manager & Access Manager for optimized data & user security
Client example: a large financial services company
Business Challenge: A large European financial institution with multiple global locations was searching for best practices and assistance in creating an in-house, compliant and effective Security Operations Center. Compounding the challenge of the sheer magnitude of their operations were the complications surrounding several recent acquisitions that had not been fully integrated. The current operation was largely driven by SOX compliance requirements, which diluted the effectiveness of the SOC with “unimportant” log sources.
Solution: A series of business and technical workshops was conducted to start the assessment, as the client needed to refocus their operations on security while maintaining regulatory compliance. These workshops then advanced to a full security operations design, integrating disparate business unit requirements, focusing analysis on important log sources, and reorganizing the department. Ultimately, the client chose to have IBM staff their new SOC, reducing the total number of hired staff and overall cost.
Benefits: Overall SOC costs were reduced and the resulting organization is more focused and effective.
Solution components:
– IBM Q-Radar SIEM
– IBM Security Services SOC Workshop & Design
– IBM Security Services Professional Security Services
Client example: global pharmaceutical company
Business Challenge: A large global pharmaceutical company with research locations scattered around the world faces the ongoing threat of industrial espionage and is frequently a target of hacktivists. Their current security operations are decentralized, allowing each unit to “fend for themselves”. After some minor faults but no major incidents, the company has decided to centralize their security operations and create a holistic view of security across the entire organization.
Solution: A business and technical workshop was conducted to start the assessment and help the client envision what the end state should look like and how to initiate the centralization process. Leveraging a deployed IBM Q-Radar installation, the solution involves creating two redundant SOCs to centralize security intelligence and device management operations. These SOCs will work cooperatively using the best-practice operational models derived from IBM MSS Global SOCs, providing a single, measurable view of security across their global operations.
Benefits: A centralized operational model allows economies of scale to drive costs down, while improving the effectiveness of the security operations and threat intelligence sharing.
Solution components:
– IBM Security Services SOC Workshop
– IBM Q-Radar
– IBM Security Services Managed SIEM
Thank you for your time!
Questions and Answers
Backup Pages
Typical SOC Project Scope
Client SOC Capability Transformation across four phases (Consult and Design, Build, Operate, Maintain), organized along three dimensions: SOC Processes, SOC People and SOC Technology.

SOC Processes
• Consult and Design: Deliver SOC Workshop; Perform SOC Maturity Assessment
• Build: Build Wiki framework for agile documentation approach; Build new and integrate existing processes and procedures; Align SOC operations across the enterprise
• Operate: Implement incident management process; Continue documentation and update as necessary; Implement process improvement program; Drive business through metrics; Manage risk and compliance
• Maintain: Perform SOC Maturity Assessment annually; Maintain and update SOC documentation; Evaluate, measure and improve processes

SOC People
• Consult and Design: Identify stakeholders; Define roles, responsibilities, and job descriptions; Design staffing models; Develop training plans; Help hire the right staff or complement existing teams
• Build: Deliver training (on the job, intrusion analysis, and technology solutions); Analyst coaching; Develop key organizational linkages
• Maintain: Maintain dedicated SOC manager and analyst positions; Continue on-going onboarding and training of new analysts as necessary

SOC Technology
• Consult and Design: Architect & design SIEM solutions; Plan Use Cases; Map operations to regulatory and business requirements; Health check
• Build: Install & configure SIEM solutions; Establish data feeds; Implement Use Cases; Build content; Design analyst workstations
• Operate: Operate and maintain SIEM solutions; Implement dashboards; Develop operational and business reports; Investigate using advanced analytics; Manage incidents via cases; Integrate threat intelligence
• Maintain: Operate and maintain SIEM; Maintain architecture and product documentation; Perform health check on SIEM environment at planned intervals; Perform capacity planning; Develop steady-state technology costs
Challenge 1: Detecting Threats
– Potential Botnet Detected? This is as far as traditional SIEM can go.
– IRC on port 80? IBM Security QRadar QFlow detects a covert channel.
– Irrefutable Botnet Communication: Layer 7 flow data contains botnet command and control instructions.
Application layer flow analysis can detect threats others miss.
Security Intelligence
Challenge 2: Consolidating Data Silos
Analyzing both flow and event data. Only IBM Security QRadar fully utilizes Layer 7 flows.
– Reducing big data to manageable volumes
– Advanced correlation for analytics across silos
– Data Reduction Ratio: 1,153,571 : 1
Challenge 3: Detecting Insider Fraud
Potential Data Loss: Who? What? Where?
– Who? An internal user
– What? Oracle data
– Where? Gmail
Threat detection in the post-perimeter world: User anomaly detection and application level visibility are critical to identify inside threats.
Challenge 4: Better Predicting Risks to Your Business
Assess assets with high-risk input manipulation vulnerabilities.
– Which assets are affected? How should I prioritize them?
– What are the details? Vulnerability details, ranked by risk score
– How do I remediate the vulnerability?
Pre-exploit Security Intelligence: Monitor the network for configuration and compliance risks, and prioritize them for mitigation.
Challenge 5: Addressing Regulatory Mandates
– Unencrypted Traffic: IBM Security QRadar QFlow saw a cleartext service running on the Accounting server.
– PCI Requirement 4 states: Encrypt transmission of cardholder data across open, public networks.
– PCI compliance at risk? Real-time detection of possible violation.
Compliance Simplified: Out-of-the-box support for major compliance and regulatory standards. Automated reports, pre-defined correlation rules and dashboards.
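Challenge 1 (IRC hiding on port 80) and Challenge 5 (a cleartext service on the Accounting server) both come down to the same idea: classify a flow by what its application-layer payload contains, not by the port it used, and then compare that classification against what the port and the asset inventory say should be there. The Python below is an added example written for this page, not QRadar or QFlow code and not from the original deck. It runs two defender-side rules over a handful of constructed flow records: a port/protocol mismatch rule that catches IRC command syntax on TCP/80, and a cleartext-in-PCI-scope rule that flags any unencrypted protocol touching a host in a hypothetical PCI-scope inventory (the "accounting server" of Challenge 5, citing PCI DSS Requirement 4). All addresses, host names, payloads and the `PCI_SCOPE` inventory are constructed for the example; the protocol signatures are deliberately minimal.

```python
"""Layer 7 flow classification over constructed flow records (added example).

Hypothetical, not QRadar/QFlow code: classifies a flow by payload content,
then checks (a) whether that protocol belongs on the port it used and
(b) whether a cleartext protocol touches a host in PCI scope.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the application payload (constructed)


# IRC commands that open a message line (after an optional ":prefix" token)
IRC_VERBS = {b"NICK", b"USER", b"JOIN", b"PRIVMSG", b"NOTICE", b"PING", b"PONG"}
# What a port-only view assumes is running on each port
EXPECTED_ON_PORT = {21: "ftp", 23: "telnet", 80: "http", 443: "tls"}
# Protocols that carry their data unencrypted (PCI DSS Requirement 4)
CLEARTEXT = {"http", "ftp", "telnet", "irc"}

# Constructed asset inventory: hosts in scope for cardholder data
PCI_SCOPE = {"10.0.5.20": "accounting-srv"}


def identify_app_protocol(payload: bytes) -> str:
    """Classify by payload content rather than by port number."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")):
        return "http"
    if payload.startswith(b"\x16\x03"):  # TLS record header: handshake, version 3.x
        return "tls"
    if payload.startswith(b"\xff"):  # Telnet option negotiation starts with IAC (0xff)
        return "telnet"
    if payload.startswith(b"220 "):  # FTP greeting banner
        return "ftp"
    # IRC: require at least two lines that begin with an IRC verb, so a single
    # coincidental token in unrelated traffic does not trigger the label.
    hits = 0
    for line in payload.split(b"\r\n"):
        tokens = line.split()
        if tokens and tokens[0].startswith(b":"):  # ":nick!user@host PRIVMSG ..."
            tokens = tokens[1:]
        if tokens and tokens[0] in IRC_VERBS:
            hits += 1
    if hits >= 2:
        return "irc"
    return "unknown"


def analyze(flows, pci_scope):
    """Return a list of alert dicts for flows that violate either rule."""
    alerts = []
    for f in flows:
        proto = identify_app_protocol(f.payload)
        expected = EXPECTED_ON_PORT.get(f.dport)
        # Rule 1 (Challenge 1): a recognised protocol on a port reserved for another one
        if expected and proto != "unknown" and proto != expected:
            alerts.append({"rule": "port-protocol-mismatch", "src": f.src, "dst": f.dst,
                           "dport": f.dport, "observed": proto, "expected": expected})
        # Rule 2 (Challenge 5): cleartext protocol touching a PCI-scope host
        host = f.dst if f.dst in pci_scope else f.src
        if proto in CLEARTEXT and host in pci_scope:
            alerts.append({"rule": "cleartext-in-pci-scope", "host": pci_scope[host],
                           "src": f.src, "dst": f.dst, "dport": f.dport,
                           "observed": proto, "reference": "PCI DSS Requirement 4"})
    return alerts


# Constructed sample flows (addresses, names and payloads are made up)
SAMPLE_FLOWS = [
    # IRC command syntax in a flow to TCP/80: a port-only view would call this "web"
    Flow("10.0.1.15", "203.0.113.7", 80,
         b"NICK zombie123\r\nUSER bot 0 * :bot\r\nJOIN #cmd\r\n"),
    # Ordinary HTTP on port 80, outside PCI scope: no alert
    Flow("10.0.1.15", "203.0.113.9", 80,
         b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # Telnet (cleartext) to the accounting server: PCI Requirement 4 at risk
    Flow("10.0.2.30", "10.0.5.20", 23, b"\xff\xfd\x18\xff\xfd\x20login: "),
    # TLS to the same server: encrypted, no alert
    Flow("10.0.2.31", "10.0.5.20", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS, PCI_SCOPE):
        print(alert)
```

Running the block prints two alerts: the IRC-on-80 flow as a port/protocol mismatch, and the Telnet session to `accounting-srv` as cleartext in PCI scope; the plain HTTP and TLS flows produce nothing. The asset inventory is what turns a generic "cleartext seen" observation into the compliance finding on the slide, which is why the rule keys on `PCI_SCOPE` rather than on the protocol alone.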
Operational Overview
Workshop & Roadmap: Project Timeline
Milestones (30 days, 3 months, 6 months, 9 months, 1 year):
• Detailed Support Planning
• Governance Model
• Communications Plan
• Staff Onboarding & Training
• Documented Process
• SOC achieves 100% Operational Control
• Steady State & Ongoing automation
• Ongoing Maturation