
IBM Security Summit 2017

Slide 1: Actual Case of AP SOC Operational Excellence

April 18, 2017
Deepraj Emmanuel Datt, AP Solution Design Leader, IBM Security Services

Slide 2: Agenda

• Customer Overview
• The IBM Differentiation
• SOC Operational Excellence
• Next Steps
• Q/A

Slide 3: Customer Overview

Slide 4: Customer Overview

INDUSTRY: Financial Services

BACKGROUND: This organization is one of the oldest banks in Asia and its country's third largest and most profitable bank, with a market capitalization of $7.7B and over 12,000 employees. The bank aims to build an identity as a dynamic and versatile establishment that caters to a wide spectrum of customers from different parts of society.

• Further enhancement of current cybersecurity protection mechanisms, in line with the current cybersecurity threat landscape
• Legacy security monitoring capabilities, not built to scale to give visibility of the current security posture
• Inability to respond quickly to security incidents, with no integration to a global security intelligence source
• No orchestrated strategy, governance and execution of security operations, with reduced agility in dealing with critical security incidents

Slide 5: Key Considerations

• How do you capture and record security event sources, security intelligence, and application logs? Can you do any analysis or tracking on this data?

• What is your incident response process, and what are the communication flows?

• How do you staff your SOC, and are the skills in line with the type of research and analysis that team would need to do?

• Do you have any forensic or rapid response capabilities?

• What metrics and measurements do you capture and report to senior management? Is there a dashboard or roll-up of key risk/performance indicators (KRIs/KPIs)?

• How do new applications, businesses, third parties, or technology projects get put into the SIEM and tracked? How is the data capture defined and rationalized?

• What security intelligence services do you subscribe to, and how do you leverage their feeds and communicate out to the organization?

Slide 6: The IBM Differentiation

Slide 7: Fundamental Principles Driving Design of SOC

Area                          Traditional Model                       Transformed Model
Security Model                Defense in Depth                        Rapid Detection + Rapid Response
Security Operations           Steady State and Reactive               Elastic and Agile
Governance, Risk, Compliance  IT and Compliance Focused               Enterprise Risk Management
Functional Domains            IT, OT, Communication, Physical Silos   Converged
Security Analysis             Manual and Fragmented                   Analytics and Intelligence

Slide 8: SOC Building Blocks

• SIEM: Security Information and Event Management
• Governance, Risk Management & Compliance (GRC)
• SOC: Cyber Security Operations Center
• Incident Forensics Analytics
• Security Intelligence / Incident Response (CIRT)
• Threat Intelligence & Early-Warning
• Inputs: Sensor Data, Log Data and Event Data from Infrastructure, Data Communications, Physical and Applications

Critical Success Factor: Move away from traditional defense-in-depth models towards rapid detection and response.

Slide 9: IBM X-Force - Expert Analysis and Threat Intelligence

X-Force threat coverage: Client Side Attacks, Botnets, Buffer Overflow Attacks, Distributed Denial of Service (DDoS), SQL Injection, Backdoors, Cross-site Scripting (XSS), Malicious Content, Protocol Tunneling, Reconnaissance, Trojans, Worms, Exploit Toolkits, Peer-to-Peer Networks

X-Force Helps Keep Customers Ahead of the Threat:
• Cataloging, analyzing and researching vulnerabilities since 1997
• Providing zero-day threat alerts and exploit triage to IBM customers worldwide
• IBM Security Operations Centers and Security Products sharing real-time and anonymized threat intelligence
• Building threat intelligence from collaborative data sharing across thousands of clients
• Analyzing malware and fraud activity from 270M+ Trusteer-protected endpoints

Slide 10: IBM Security - Global Reach

IBM Security by the Numbers: monitored countries (MSS); service delivery experts; devices under contract; endpoints protected; events managed per day

Slide 11: X-Force Incident Response and Intelligence Services (IRIS)

• X-Force Incident Response & Proactive Services
• Incident and Breach Response
• Forensic Analysis
• IRIS Vision Retainer
• X-Force Remediation
• Breach Remediation
• Strategic Remediation & Implementation
• X-Force Intelligence Services
• "Intelligence Operationalization" training
• Threat Intelligence Analysts
• Education Services
• X-Force Intelligence Collective
• Cyber Watson
• X-Force Exchange
• Threat & Region Research
• Malware Analysis
• Industry Research
• "Operationalization Intelligence" package
• Active Threat Assessment
• IR Program Development & Training
• Tabletop & Scenario Testing
• Managed Detection and Response
• Agile Incident Management
• Resilient / EDR Solutions

Slide 12: SOC 2.0

SOC Component      SOC 1.0                                  SOC 2.0
Mission            Detect & react to threats                Anticipate threats and mitigate risks
Charter            Install a SIEM tool, subscribe to MSSP   Build a dedicated org, team & processes, integrate MSSP
Governance         Self governed (IT Security)              Cross Functional (IT, HR, Legal, Audit)
SOC Management     Reactive and ad-hoc (Craftsman)          Operations Management (Factory)
Strategy           12 month cycle, budget based             3 year plan, priorities set by business
Implementation     One time project                         Quarterly phases, address new threats, utilize new technologies and capabilities
Log Sources        Success based on quantity                Focus on quality, value to risk reduction
Intelligence       Feed subscription, ad-hoc analysis       Daily analysis, used to develop use cases/rules, security posture recommendations
Contextual Data    Minimal importance, secondary priority   Required data, used to prioritize work
Use Cases / Rules  Standard rules, minimal tailoring        Tailored/custom rules, based on risk management
Tools              SIEM tool                                HA SIEM, Workflow/Ticketing, Portal, Big Data
Metrics            Basic open/closed tickets                Efficiency (PCE), quality, SLA/SLOs, etc.
Reporting          Ticket based, operational                Metrics, scorecards, executive dashboards
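The Contextual Data and Use Cases / Rules rows are the operational core of the SOC 2.0 column: the same standard rule firing against a core banking database and against a developer build box should not land in the analyst queue with the same priority. The Python below is an added example, not code from the deck or from any IBM product, showing a SOC 1.0 queue (static rule severity) next to a SOC 2.0 queue that enriches each alert from an asset database and a vulnerability database before ranking it. The alerts, asset records, finding identifiers and scoring weights are constructed sample data and assumptions for illustration; a real platform would take them from the Asset DB, Vulnerability DB and risk register of the SOC platform.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input (not from the deck). Three alerts from the same
# standard rule; a SOC 1.0 queue orders them by the rule's static severity only.
ALERTS = [
    {"id": "A1", "rule": "Inbound SMB from Internet", "service": "smb",
     "dst": "10.0.5.12", "base_severity": 5},
    {"id": "A2", "rule": "Inbound SMB from Internet", "service": "smb",
     "dst": "10.0.9.40", "base_severity": 5},
    {"id": "A3", "rule": "Inbound SMB from Internet", "service": "smb",
     "dst": "10.0.7.77", "base_severity": 5},
]

# Contextual data as an Asset DB would hold it. Criticality 1 (low) .. 5
# (crown jewels). 10.0.7.77 is deliberately absent: an asset the SOC cannot
# identify is itself a finding.
ASSET_DB = {
    "10.0.5.12": {"name": "core-banking-db01", "criticality": 5,
                  "classification": "confidential"},
    "10.0.9.40": {"name": "dev-build-03", "criticality": 2,
                  "classification": "internal"},
}
# Open findings per asset from a Vulnerability DB; the IDs are placeholders,
# not real advisories.
VULN_DB = {
    "10.0.5.12": [{"id": "SCAN-FINDING-17", "service": "smb", "cvss": 8.1}],
    "10.0.9.40": [{"id": "SCAN-FINDING-04", "service": "ssh", "cvss": 5.3}],
}

UNKNOWN_ASSET_CRITICALITY = 3   # assumption: treat unidentified hosts as medium


@dataclass
class Enriched:
    alert_id: str
    asset_name: Optional[str]
    criticality: int
    exposed_vuln: Optional[str]
    score: float
    flags: list = field(default_factory=list)


def soc1_order(alerts):
    """SOC 1.0 queue: static rule severity, ties broken by alert id."""
    ranked = sorted(alerts, key=lambda a: (-a["base_severity"], a["id"]))
    return [a["id"] for a in ranked]


def enrich(alert):
    """Attach asset and vulnerability context to one alert and score it.

    score = base severity x asset criticality, doubled when the targeted
    service has an open vulnerability on that asset (the rule then means
    "traffic to an exploitable service", not merely "suspicious traffic").
    """
    asset = ASSET_DB.get(alert["dst"])
    flags = []
    if asset is None:
        criticality = UNKNOWN_ASSET_CRITICALITY
        flags.append("unknown-asset")
    else:
        criticality = asset["criticality"]
        if asset["classification"] == "confidential":
            flags.append("confidential-data")

    exposed = None
    for finding in VULN_DB.get(alert["dst"], []):
        if finding["service"] == alert["service"]:
            exposed = finding["id"]
            flags.append("exploitable-service")
            break

    score = alert["base_severity"] * criticality
    if exposed:
        score *= 2
    return Enriched(alert["id"], asset["name"] if asset else None,
                    criticality, exposed, score, flags)


def soc2_order(alerts):
    """SOC 2.0 queue: risk-ranked, highest contextual score first."""
    ranked = sorted((enrich(a) for a in alerts),
                    key=lambda e: (-e.score, e.alert_id))
    return [e.alert_id for e in ranked]


if __name__ == "__main__":
    print("SOC 1.0 queue:", soc1_order(ALERTS))
    print("SOC 2.0 queue:", soc2_order(ALERTS))
    for e in map(enrich, ALERTS):
        print(e)
```

With this data the SOC 1.0 queue is A1, A2, A3 (a tie broken by id), while the SOC 2.0 queue is A1 (core banking database with an open SMB finding), then A3 (unknown asset, which also needs an asset-inventory ticket), then A2. The point of the "Contextual Data: required" row is that without the asset and vulnerability records the two queues are indistinguishable.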

Slide 13: SOC Platform - Reference Architecture

• External Structured Data: Vendor Subscriptions; Association Subscriptions
• Internal Structured Data: Security Devices; Infrastructure Servers; Desktops; Apps & Databases; IAM Systems
• Unstructured Data - Internal: Email; File Share; Social Media
• Unstructured Data - External: Industry ISAC; CERT; Open Source; Security Blogs; Trust Groups; Social Media; Govt Alerts
• Intelligence Data: Collection; STIX/XML; Threat Intel Workbench; TBD
• SIEM: Correlation Rules; Referential Data; Security Alerts; Normalization; Log Archiving; Vulnerability Data
• Contextual Data: Asset Information; Vulnerability DB; Asset DB; Network Hierarchy; Risk Impact Analysis; Structure & Geo; Data Classification
• Ticketing & Workflow: Incident Tracking; Workflow Automation; Integrations / API
• Big Data / Security Intelligence Analytics: Hadoop/EDW; Data Loading Tools; Data Analysis Tools
• Active Defense: Honeypot; Fingerprinting; Beacons / Watermarks; Obfuscation; Cloning; Disinformation
• Forensics
• Dashboard / Portal and Business Intelligence: Business Intel Tool; Data Warehouse; Reporting & Dashboards

Slide 14: Security Operations Service Catalog

• Core Security Services: Security Monitoring; Incident Triage; Incident Response; Delivery Management
• Deployment Services: Use Case Design; Log Source Acquisition; Service Testing & Tuning; Custom Procedure Development; Operations Training
• Intelligence Services: Security Intelligence Analysis; Security Intelligence Briefings; Use Case Management
• Admin Services: SIEM Administration; Contextual Data Management; Log Source Management; Log Source Heartbeat Monitoring
• Reporting Services: Security Reporting; Efficiency Reporting; Financial Reporting
• Optional Services: Enterprise Incident Management; Forensics Investigation; Policy Violation Handling
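Log Source Heartbeat Monitoring is the admin service in this catalog that is most often skipped and most often regretted: a firewall that silently stops forwarding logs raises no offense, which looks exactly like a quiet network. The Python below is an added example, not code from the deck or from any IBM tool; it runs the heartbeat check over a constructed log-source catalog and constructed event timestamps, and covers the four failure modes a practitioner needs to tell apart: a source that has gone silent, one that never connected, one whose clock is wrong, and a source sending events that nobody registered. The source names, expected intervals, tolerances and status names are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed log-source catalog (not from the deck): what the SOC has under
# contract, how often each source is expected to emit at least one event, and
# how many missed intervals are tolerated before the source is declared silent.
SOURCE_CATALOG = {
    "fw-dmz-01":   {"expected_interval": timedelta(minutes=5),  "tolerance": 3},
    "ad-dc-01":    {"expected_interval": timedelta(minutes=15), "tolerance": 2},
    "core-app-db": {"expected_interval": timedelta(hours=1),    "tolerance": 2},
    "proxy-01":    {"expected_interval": timedelta(minutes=5),  "tolerance": 3},
}

NOW = datetime(2017, 4, 18, 12, 0, 0)   # fixed clock so the run is reproducible

# Constructed (source, event timestamp) pairs as a SIEM's log-source status
# table would expose them. core-app-db has sent nothing; unknown-switch is
# not in the catalog; proxy-01 reports a timestamp 30 minutes in the future.
EVENTS = [
    ("fw-dmz-01", datetime(2017, 4, 18, 11, 40)),
    ("fw-dmz-01", datetime(2017, 4, 18, 11, 58)),
    ("ad-dc-01", datetime(2017, 4, 18, 10, 30)),
    ("unknown-switch", datetime(2017, 4, 18, 11, 50)),
    ("proxy-01", datetime(2017, 4, 18, 12, 30)),
]


def last_seen(events):
    """Most recent event timestamp per source name."""
    seen = {}
    for source, ts in events:
        if source not in seen or ts > seen[source]:
            seen[source] = ts
    return seen


def check_heartbeats(events, catalog, now):
    """Return {source: (status, age)} for every catalogued or seen source.

    Statuses:
      ok           - last event within expected_interval * tolerance
      silent       - under contract, but no event for longer than that
      never-seen   - under contract, never produced a single event
      clock-skew   - last event is in the future (source or collector clock wrong)
      unregistered - sending events but absent from the catalog (shadow source)
    """
    seen = last_seen(events)
    findings = {}
    for name, cfg in catalog.items():
        ts = seen.get(name)
        if ts is None:
            findings[name] = ("never-seen", None)
            continue
        age = now - ts
        if age < timedelta(0):
            findings[name] = ("clock-skew", age)
        elif age > cfg["expected_interval"] * cfg["tolerance"]:
            findings[name] = ("silent", age)
        else:
            findings[name] = ("ok", age)
    for name, ts in seen.items():
        if name not in catalog:
            findings[name] = ("unregistered", now - ts)
    return findings


def needs_action(findings):
    """Sources to open a ticket for, worst first; 'ok' sources are omitted."""
    severity = {"never-seen": 0, "silent": 1, "clock-skew": 2, "unregistered": 3}
    return sorted((n for n, (s, _) in findings.items() if s != "ok"),
                  key=lambda n: (severity[findings[n][0]], n))


if __name__ == "__main__":
    findings = check_heartbeats(EVENTS, SOURCE_CATALOG, NOW)
    for name, (status, age) in findings.items():
        print(f"{name:15} {status:13} {age}")
    print("tickets:", needs_action(findings))
```

Running it reports fw-dmz-01 as ok, ad-dc-01 as silent (90 minutes against a 30-minute allowance), core-app-db as never seen, proxy-01 with clock skew and unknown-switch as unregistered. The clock-skew case matters because a future-dated source would otherwise pass the age check forever, and the unregistered case is the catalog's own integrity check: every event on the SIEM should map back to a contracted source with an owner in the RACI.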

Slide 15: Security Operations - Maturity Model

Assess Security Operations Maturity using the Capability Maturity Model (CMM):

1. Initial: Process is ad hoc, even chaotic. Few processes are defined, and success depends on individual effort and heroics.
2. Repeatable: Basic project management processes are established and process discipline is in place to repeat earlier successes.
3. Defined: Processes are documented, standardized and integrated into all processes for the organization.
4. Managed: Detailed measures of the process and its outputs are collected, quantitatively understood and controlled.
5. Optimizing: Continuous process improvement is enabled by quantitative feedback from the processes.

Axes: Reactive to Proactive; Manual to Automated.

Slide 16: Gap Analysis & Strategic Roadmap

• Determine Critical Gaps & Prioritize Actions
• Inform Prioritized Action Plans and Strategic Roadmaps
• Security Operations Posture Reviews and Maturity Gap Analyses

Slide 17: Methodology for SOC Build and Run

Phase timelines: 6-8 weeks; 14-16 weeks; ongoing

Slide 18: SOC Operational Excellence

Slide 19: Security Operations Governance Model

Layers (top to bottom): Organizational Strategy Layer; Security Strategy Layer; Security Planning Layer; Security Operations Layer.

Governance bodies (top to bottom): Board of Directors; Enterprise Steering Committee; Executive Steering Committee; Security Operations (Security Operations Center with Tier 1 Monitoring, Tier 2 Triage and Tier 3 Escalation; Security Intelligence Team).

Stakeholders: Business Units; Enterprise IT; HR; Legal; Fraud; Audit.

Reporting & Meetings cadence: Annual; Quarterly; Monthly; Weekly; Daily.

A complete governance program includes all stakeholders and defines the required communications, reporting and escalation procedures.

Slide 20: An integrated, unified view delivered on a single dashboard

Views: Dashboard; Offenses; Log Activity; Network Activity; Assets; Investigation; Reports; Administration

Slide 21: Operational Visibility

Slide 22: SOC Management Dashboard

Slide 23: Security Incident Post Mortem Scorecards

Utilizing a kill-chain view of security incidents gives a complete understanding of the effectiveness of your controls: which control processes can be improved, which control processes are ineffective, and which controls should be implemented first.
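A post-mortem scorecard only says something if every closed incident records how far along the kill chain the attacker got and at which phase a control finally stopped it; the scorecard then counts, per phase, how often the controls at that phase fired versus how often an attack walked through them. The Python below is an added example, not from the deck, that builds that scorecard over a constructed set of closed incidents using the Lockheed Martin Cyber Kill Chain phase names. The incident records, control names, the "stopped / seen" effectiveness formula and the improvement threshold are assumptions for illustration.

```python
from collections import defaultdict

# Lockheed Martin Cyber Kill Chain phases, in attack order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]
# Phases a defender rarely observes directly; marked so that a 0% score
# there is not misread as a control failure.
NOT_OBSERVABLE = {"Reconnaissance", "Weaponization"}

# Constructed closed-incident records (not from the deck): the phase at which
# the attack was stopped and the control that produced the detection.
INCIDENTS = [
    {"id": "INC-1", "stopped_at": "Delivery", "detected_by": "email-gateway"},
    {"id": "INC-2", "stopped_at": "Installation", "detected_by": "edr"},
    {"id": "INC-3", "stopped_at": "Command and Control", "detected_by": "proxy-siem-rule"},
    {"id": "INC-4", "stopped_at": "Delivery", "detected_by": "email-gateway"},
    {"id": "INC-5", "stopped_at": "Actions on Objectives", "detected_by": "user-report"},
]


def scorecard(incidents):
    """Per phase: attacks stopped there, attacks that passed through
    undetected, and control effectiveness = stopped / (stopped + passed).

    An attack stopped at phase k is assumed to have traversed phases 0..k-1
    without any control firing; each of those is a missed opportunity that
    the post-mortem charges to the controls at that phase.
    """
    stopped = defaultdict(int)
    passed = defaultdict(int)
    for inc in incidents:
        k = KILL_CHAIN.index(inc["stopped_at"])   # ValueError on an unknown phase
        stopped[inc["stopped_at"]] += 1
        for phase in KILL_CHAIN[:k]:
            passed[phase] += 1
    card = {}
    for phase in KILL_CHAIN:
        seen = stopped[phase] + passed[phase]
        card[phase] = {
            "stopped": stopped[phase],
            "passed": passed[phase],
            "effectiveness": stopped[phase] / seen if seen else None,
            "observable": phase not in NOT_OBSERVABLE,
        }
    return card


def weakest_phases(card, threshold=0.5):
    """Observable phases where attacks got through more often than not:
    the control processes to improve first."""
    return [p for p in KILL_CHAIN
            if card[p]["observable"] and card[p]["effectiveness"] is not None
            and card[p]["effectiveness"] < threshold]


def detections_by_control(incidents):
    """Which controls actually produced the detections, most frequent first."""
    counts = defaultdict(int)
    for inc in incidents:
        counts[inc["detected_by"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    card = scorecard(INCIDENTS)
    for phase, row in card.items():
        eff = "n/a" if row["effectiveness"] is None else f"{row['effectiveness']:.0%}"
        print(f"{phase:22} stopped={row['stopped']} passed={row['passed']} effectiveness={eff}")
    print("improve first:", weakest_phases(card))
    print("detections by control:", detections_by_control(INCIDENTS))
```

On this sample the Delivery controls stopped 2 of 5 attacks (40%), Exploitation stopped none of the 3 that reached it, and Installation stopped 1 of 3; those three phases come out as the ones to improve first, and the email gateway is the control that earned the most detections. Reading the same incidents as flat ticket counts, the SOC 1.0 metric on slide 12, would show five closed tickets and nothing about where the controls failed.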

Slide 24: Security Incident Management Framework - Incident Response Process Integration

Swim lanes: IBM IRIS; IBM Security Operations Centre (on and off site); Tools (IBM and Customer); Customer/MSS IR Team; Infra + App Service Providers (EMA/MSS/3rd Party); IBM Governance and Operational IR Team (escalates).

Process steps: Security Event Detection; Incident Detection & Recording; Incident Classification & Initial Support; Escalation and Validation of Incident; ERS Invoked and Starts Initial Triage; Investigation Support; Contain and Forensic Analysis; Remediation and Recovery; Report with Remediation Strategy; Test; Incident Closure.

Supporting functions and systems: Overall Incident Case Management; Incident Response and Forensic Tools (IBM IRIS tools); Configuration Database and Ticketing System; Ownership and Oversight; Incident Investigation and Recovery Support; Incident Database and Problem/Known Error Database.

Slide 25: SOC RACI Matrix

Roles (columns): SOC Analyst: Monitoring; SOC Analyst: Triage; SOC Analyst: Response; Security Intelligence Analyst; Security Incident Handler (Certified); SOC Tools Admin; SOC Manager; Security Forensic Analyst; IT Security Admin; IT Operations; CERT.

Activities (rows), with the R/A/C/I entries in row order as they appear on the slide; column alignment is not preserved in this transcript:

Core Security Services
• Security Monitoring: R C A
• Incident Triage: C R C A
• Incident Response: C C R C R A R I
• Delivery Management: A I

Deployment Services
• Use Case Design: C C C R C A C C
• Log Source Acquisition: R C R A C C
• Service Testing & Tuning: R A I I
• Custom Playbook Development: C C C R C C A C C
• Operations Training: C C C R C A

Security Intelligence Services
• Security Intelligence Analysis: C C C A C C C
• Security Intelligence Briefings: A C C C
• Use Case Recommendations: C C C A C C C

Administrative Services
• SIEM Administration: R A I I
• Contextual Data Management: C R A C C
• Log Source Management: C R A C C
• Log Source Heartbeat Monitoring: C R A C C

Reporting Services
• Security Reporting: C C C C C A C I
• Efficiency Reporting: C C C A C I
• Financial Reporting: C C C C A I

Optional Services
• Enterprise Incident Management: C A
• Forensics Investigation: C C C C C A C C
• Policy Violation Handling: C C C C A C

Slide 26: Next Steps

Slide 27: Next Steps - Security Operations Maturity Workshop

• Initial agreement of the organisation's current security operations posture and capabilities.
• Potential goals for the target security operations maturity required in the organization to be successful.
• How security operations capabilities are implemented in the business through Technology, Process, People, Metrics & Governance.
• Better understanding of how a holistic security operations improvement program can reduce business risk.
• Linkages to IBM Security Framework and capabilities.
• Recommended solutions & approaches to improve security operations.

Note: Workshop conclusions will need further validation.

Slide 28: Q/A

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

FOLLOW US ON:

THANK YOU