1 IBM Security Summit 2017
Actual Case of AP SOC Operational Excellence
April 18, 2017
Deepraj Emmanuel Datt, AP Solution Design Leader, IBM Security Services
2 IBM Security Summit 2017
Agenda
• Customer Overview
• The IBM Differentiation
• SOC Operational Excellence
• Next Steps
• Q/A
4 IBM Security Summit 2017
• Further enhancement of current cybersecurity protection mechanisms, in line with the current cybersecurity threat landscape
• Legacy security monitoring capabilities, not built to scale to give visibility of the current security posture
• Inability to quickly respond to security incidents, with no integration to a global security intelligence source
• No orchestrated strategy, governance and execution of security operations, with reduced agility in dealing with critical security incidents
Customer Overview
INDUSTRY: Financial Services
BACKGROUND: This organization is one of the oldest banks in Asia and its country's third largest and most profitable bank, with a market capitalization of $7.7B. With over 12,000 employees, the bank aims to build an identity as a dynamic and versatile institution that caters to a wide spectrum of customers from different parts of society.
5 IBM Security Summit 2017
Key Considerations
• How do you capture and record security event sources, security intelligence, and application logs? Can you do any analysis or tracking on this data?
• What is your Incident Response process, and the communication flows?
• How do you staff your SOC, and are the skills in line with the type of research and analysis that team would need to do?
• Do you have any Forensic or rapid response capabilities?
• What metrics and measurements do you capture and report to senior management? Is there a dashboard or roll-up of key risk/performance indicators (KRIs/KPIs)?
• How do new applications, businesses, 3rd parties, or technology projects get put into the SIEM and tracked? How is the data capture defined and rationalized?
• What security intelligence services do you subscribe to, and how do you leverage their feeds and communicate out to the organization?
7 IBM Security Summit 2017
Fundamental Principles Driving Design of SOC
Area | Traditional Model | Transformed Model
Security Model | Defense in Depth | Rapid Detection + Rapid Response
Security Operations | Steady State and Reactive | Elastic and Agile
Governance Risk Compliance | IT and Compliance Focused | Enterprise Risk Management
Functional Domains | IT, OT, Communication, Physical Silos | Converged
Security Analysis | Manual and Fragmented | Analytics and Intelligence
8 IBM Security Summit 2017
SIEM: Security Information and Event Monitoring & Management
Governance, Risk Management & Compliance (GRC)
SOC: Cyber Security Operations Center
Incident Forensics Analytics
Security Intelligence / Incident Response (CIRT)
Threat Intelligence & Early-Warning
Sensor Data, Log Data, Event Data
Infrastructure Data, Communications, Physical, Applications
Critical Success Factor: Move away from traditional defense-in-depth models towards rapid detection and response
9 IBM Security Summit 2017
Client Side Attacks
Botnets
Buffer Overflow Attacks
Distributed Denial of Service (DDoS)
SQL Injection
Backdoors
Cross-site Scripting (XSS)
Malicious Content
Protocol Tunneling
Reconnaissance
Trojans
Worms
Exploit Toolkits
Peer-to-Peer Networks
Cataloging, analyzing and researching vulnerabilities since 1997
Providing zero-day threat alerts and exploit triage to IBM customers worldwide
X-Force Helps Keep Customers Ahead of the Threat
IBM Security Operations Centersand Security Products
Sharing real-time andanonymized threat intelligence
Building threat intelligence from collaborative data sharing across thousands of clients
Analyzing malware and fraud activity from 270M+ Trusteer-protected endpoints
IBM X-Force - Expert Analysis and Threat Intelligence
10 IBM Security Summit 2017
IBM Security by the Numbers
monitored countries (MSS)
service delivery experts
devices under contract+
endpoints protected+
events managed per day+
IBM Security - Global Reach
11 IBM Security Summit 2017
X-Force Incident Response & Proactive Services
Incident and Breach Response
Forensic Analysis
IRIS Vision Retainer
X-Force Remediation
Breach Remediation
Strategic Remediation & Implementation
X-Force Intelligence Services
“Intelligence Operationalization” training
Threat Intelligence Analysts
Education Services
X-Force Intelligence Collective
Cyber Watson
X-Force Exchange
Threat & Region Research
Malware Analysis
Industry Research
“Operationalization Intelligence” package
Active Threat Assessment
IR Program Development & Training
Tabletop & Scenario Testing
Managed Detection and Response
Agile Incident Management
Resilient / EDR Solutions
X-Force Incident Response and Intelligence Services (IRIS)
12 IBM Security Summit 2017
SOC Component | SOC 1.0 | SOC 2.0
Mission | Detect & react to threats | Anticipate threats and mitigate risks
Charter | Install a SIEM tool, subscribe to MSSP | Build a dedicated org, team & processes, integrate MSSP
Governance | Self governed (IT Security) | Cross functional (IT, HR, Legal, Audit)
SOC Management | Reactive and ad hoc (craftsman) | Operations management (factory)
Strategy | 12 month cycle, budget based | 3 year plan, priorities set by business
Implementation | One time project | Quarterly phases, address new threats, utilize new technologies and capabilities
Log Sources | Success based on quantity | Focus on quality, value to risk reduction
Intelligence | Feed subscription, ad hoc analysis | Daily analysis, used to develop use cases/rules, security posture recommendations
Contextual Data | Minimal importance, secondary priority | Required data, used to prioritize work
Use Cases / Rules | Standard rules, minimal tailoring | Tailored/custom rules, based on risk management
Tools | SIEM tool | HA SIEM, workflow/ticketing, portal, big data
Metrics | Basic open/closed tickets | Efficiency (PCE), quality, SLA/SLOs, etc.
Reporting | Ticket based, operational | Metrics, scorecards, executive dashboards
SOC 2.0
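To make the SOC 2.0 "Metrics" row concrete, here is an added example (not from the IBM deck) that computes mean time to acknowledge and mean time to resolve per severity, SLO compliance, and PCE, read here as process cycle efficiency in the lean sense (analyst touch time divided by total ticket lead time). The tickets and the SLO targets are constructed for the example.

```python
"""SOC 2.0 metrics from ticket timestamps: MTTA/MTTR per severity, SLO
compliance, and process cycle efficiency (PCE = hands-on analyst time /
total lead time). Added example, not IBM's code; tickets and SLO targets
are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed tickets from one shift (HH:MM, same day); work_min is the
# analyst touch time recorded on the ticket.
TICKETS = [
    {"id": "T1", "sev": "high",   "opened": "09:00", "acked": "09:05", "closed": "11:00", "work_min": 40},
    {"id": "T2", "sev": "high",   "opened": "10:00", "acked": "10:30", "closed": "12:00", "work_min": 30},
    {"id": "T3", "sev": "medium", "opened": "08:00", "acked": "08:40", "closed": "20:00", "work_min": 60},
    {"id": "T4", "sev": "medium", "opened": "09:00", "acked": "09:10", "closed": "13:00", "work_min": 20},
]
# Constructed SLO targets, in minutes, per severity.
SLO = {"high": {"ack": 15, "close": 240}, "medium": {"ack": 60, "close": 1440}}


def minutes_between(start, end):
    fmt = "%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 60


def soc_metrics(tickets, slo):
    """Return per-severity MTTA/MTTR and SLO compliance plus overall PCE."""
    per_sev = defaultdict(lambda: {"n": 0, "ack_sum": 0.0, "lead_sum": 0.0,
                                   "ack_met": 0, "close_met": 0})
    total_work = 0.0
    total_lead = 0.0
    for t in tickets:
        ack = minutes_between(t["opened"], t["acked"])
        lead = minutes_between(t["opened"], t["closed"])
        s = per_sev[t["sev"]]
        s["n"] += 1
        s["ack_sum"] += ack
        s["lead_sum"] += lead
        s["ack_met"] += int(ack <= slo[t["sev"]]["ack"])
        s["close_met"] += int(lead <= slo[t["sev"]]["close"])
        total_work += t["work_min"]
        total_lead += lead
    report = {
        sev: {
            "mtta_min": s["ack_sum"] / s["n"],
            "mttr_min": s["lead_sum"] / s["n"],
            "ack_slo_pct": 100 * s["ack_met"] / s["n"],
            "close_slo_pct": 100 * s["close_met"] / s["n"],
        }
        for sev, s in per_sev.items()
    }
    # PCE: only the touch time adds value; the rest of the lead time is queue/wait.
    report["pce"] = total_work / total_lead if total_lead else 0.0
    return report


if __name__ == "__main__":
    for key, value in soc_metrics(TICKETS, SLO).items():
        print(key, value)
```

A low PCE with acceptable MTTR usually means tickets sit in queues between tiers rather than being worked; that is the SOC 2.0 "factory" signal the slide contrasts with counting open and closed tickets.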
13 IBM Security Summit 2017
External Structured Data: Vendor Subscriptions, Association Subscriptions, STIX XML
Business Intelligence: Business Intel Tool, Data Warehouse, Reporting & Dashboards
SIEM: Correlation Rules, Referential Data, Security Alerts, Normalization, Log Archiving, Vulnerability Data
Ticketing & Workflow: Incident Tracking, Workflow Automation, Integrations / API
Big Data / Security Intelligence Analytics: Hadoop/EDW, Data Loading Tools, Data Analysis Tools
Active Defense: Honeypot, Fingerprinting, Beacons / Watermarks, Obfuscation, Cloning, Disinformation
Asset Information: Vulnerability DB, Asset DB, Network Hierarchy, Risk Impact Analysis, Structure & Geo, Data Classification
Dashboard / Portal
Threat Intel Workbench (components TBD)
Data flows: Collection, Intelligence Data, Forensics, Contextual Data
Internal Structured Data: Security Devices, Infrastructure Servers, Desktops, Apps & Databases, IAM Systems
Unstructured Data, Internal: File Share, Social Media
Unstructured Data, External: Industry ISAC, CERT, Open Source, Security Blogs, Trust Groups, Social Media, Govt Alerts
SOC Platform - Reference Architecture
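The SOC 2.0 table says contextual data is "required data, used to prioritize work" and that rules should be "tailored/custom, based on risk management"; the reference architecture places Normalization, Correlation Rules and Referential Data inside the SIEM next to the Asset DB and Vulnerability DB. The following added example (not IBM's code, and not any particular SIEM's rule language) shows those stages end to end in miniature: two raw log formats are normalized into one schema, a correlation rule fires on repeated failed logons followed by a success, and the alert is scored from constructed asset records. Every hostname, IP address, user name and asset record below is constructed.

```python
"""Miniature SIEM pipeline: normalize two log formats into one schema, run a
correlation rule, then use referential data (asset DB, vulnerability counts)
to prioritize the alert. Added example, not IBM's code; all hosts, IPs,
users and asset records are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events: Linux sshd syslog lines and Windows logon events.
RAW_LOGS = [
    "2017-04-18T09:00:01Z corebank-db01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000 ssh2",
    "2017-04-18T09:00:03Z corebank-db01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51001 ssh2",
    "2017-04-18T09:00:05Z corebank-db01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "2017-04-18T09:00:09Z corebank-db01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51003 ssh2",
    "2017-04-18T09:10:00Z WIN-DC01 EventID=4625 TargetUserName=svc_backup IpAddress=198.51.100.9",
    "2017-04-18T09:10:20Z WIN-DC01 EventID=4624 TargetUserName=svc_backup IpAddress=198.51.100.9",
    "2017-04-18T09:20:00Z kiosk-07 sshd[880]: Failed password for kiosk from 192.0.2.55 port 40000 ssh2",
    "2017-04-18T09:20:02Z kiosk-07 sshd[880]: Failed password for kiosk from 192.0.2.55 port 40001 ssh2",
    "2017-04-18T09:20:04Z kiosk-07 sshd[880]: Failed password for kiosk from 192.0.2.55 port 40002 ssh2",
    "2017-04-18T09:20:07Z kiosk-07 sshd[880]: Accepted password for kiosk from 192.0.2.55 port 40003 ssh2",
    "2017-04-18T09:21:00Z corebank-db01 CRON[77]: (root) CMD (run-parts /etc/cron.hourly)",  # no parser
]

# Constructed referential data standing in for the Asset DB and Vulnerability DB.
ASSETS = {
    "corebank-db01": {"criticality": 5, "zone": "core", "open_critical_vulns": 2},
    "WIN-DC01":      {"criticality": 5, "zone": "core", "open_critical_vulns": 0},
    "kiosk-07":      {"criticality": 1, "zone": "branch", "open_critical_vulns": 0},
}

SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
WIN_RE = re.compile(r"^(\S+) (\S+) EventID=(4624|4625) TargetUserName=(\S+) IpAddress=(\S+)")


def normalize(line):
    """Map a raw line to the common schema; None if no parser matches."""
    m = SSH_RE.match(line)
    if m:
        ts, host, verb, user, ip = m.groups()
        outcome = "success" if verb == "Accepted" else "failure"
    else:
        m = WIN_RE.match(line)
        if not m:
            return None
        ts, host, eid, user, ip = m.groups()
        outcome = "success" if eid == "4624" else "failure"
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "user": user, "src_ip": ip, "outcome": outcome}


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold failed logons for one (host, user, src_ip) within
    `window`, followed by a success from the same tuple."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"], ev["src_ip"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "host": ev["host"],
                           "user": ev["user"], "src_ip": ev["src_ip"],
                           "failures": len(recent), "ts": ev["ts"]})
        failures[key].clear()  # a success ends the attempt sequence


    return alerts


def prioritize(alert, assets):
    """Risk score from asset criticality, open critical vulns, zone and attack volume."""
    asset = assets.get(alert["host"], {"criticality": 3, "zone": "unknown", "open_critical_vulns": 0})
    score = (asset["criticality"] * 10 + asset["open_critical_vulns"] * 5
             + min(alert["failures"], 10) + (15 if asset["zone"] == "core" else 0))
    severity = "P1" if score >= 60 else "P2" if score >= 35 else "P3"
    return dict(alert, score=score, severity=severity, zone=asset["zone"])


def run_pipeline(lines, assets=ASSETS):
    """Return (prioritized alerts worst-first, count of lines no parser handled)."""
    events = [e for e in map(normalize, lines) if e]
    unparsed = len(lines) - len(events)
    alerts = [prioritize(a, assets) for a in correlate(events)]
    return sorted(alerts, key=lambda a: -a["score"]), unparsed


if __name__ == "__main__":
    for a in run_pipeline(RAW_LOGS)[0]:
        print(a["severity"], a["host"], a["user"], a["src_ip"], a["score"])
```

The same rule fires on both the core database host and the branch kiosk; only the referential data separates a P1 from a P3, which is the point of the "Contextual Data" row. The unparsed-line count is worth tracking too: a rising number usually means a log source changed format and the rule is silently blind to it.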
14 IBM Security Summit 2017
Core Security Services: Security Monitoring, Incident Triage, Incident Response, Delivery Management
Deployment Services: Use Case Design, Log Source Acquisition, Service Testing & Tuning, Custom Procedure Development, Operations Training
Security Intelligence Services: Sec-Intel Analysis, Sec-Intel Briefings, Use Case Management
Administrative Services: SIEM Administration, Contextual Data Management, Log Source Management, Log Source Heartbeat Monitoring
Reporting Services: Security Reporting, Efficiency Reporting, Financial Reporting
Optional Services: Enterprise Incident Management, Forensics Investigation, Policy Violation Handling
Security Operations Service Catalog
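Of the administrative services, log source heartbeat monitoring is the one most often skipped and the one whose absence hurts most: a source that stops sending makes every use case that depends on it silently ineffective. The following added example (not IBM's code) learns each source's normal cadence from its own inter-arrival gaps, so a chatty firewall and a proxy that reports every half hour get different silence thresholds, and flags sources with no baseline yet rather than guessing. Source names and timestamps are constructed.

```python
"""Log source heartbeat monitoring: learn each source's normal cadence from its
own inter-arrival gaps and flag sources that have gone silent relative to that
baseline. Added example, not IBM's code; source names and timestamps are
constructed."""
from datetime import datetime, timedelta
from statistics import median

# Constructed: the last few event arrival times per log source (HH:MM, one day).
ARRIVALS = {
    "fw-edge-01":  ["09:00", "09:01", "09:02", "09:03", "09:04"],  # chatty
    "proxy-02":    ["08:00", "08:30", "09:00"],                     # slow but regular
    "dc-01":       ["07:00", "07:01", "07:02", "07:03"],           # stopped at 07:03
    "hr-app-prod": ["09:05"],                                       # seen once, no baseline
}
NOW = datetime(2017, 4, 18, 9, 8)


def expected_gap(times, floor=timedelta(minutes=5)):
    """Baseline cadence = median inter-arrival gap, floored so a chatty source
    does not page on a short lull. None when there is no baseline yet."""
    if len(times) < 2:
        return None
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    return max(timedelta(seconds=median(gaps)), floor)


def check_sources(arrivals, now, silence_factor=3):
    """Classify each source as ok, silent, or unbaselined."""
    findings = {}
    for source, stamps in arrivals.items():
        times = sorted(datetime.combine(now.date(), datetime.strptime(s, "%H:%M").time())
                       for s in stamps)
        silent_for = now - times[-1]
        gap = expected_gap(times)
        if gap is None:
            status = "unbaselined"
        elif silent_for > gap * silence_factor:
            status = "silent"
        else:
            status = "ok"
        findings[source] = {
            "status": status,
            "silent_min": int(silent_for.total_seconds() // 60),
            "expected_gap_min": None if gap is None else int(gap.total_seconds() // 60),
        }
    return findings


def silent_sources(findings):
    """Sources worth a ticket, longest silence first (unbaselined ones included)."""
    return sorted((s for s, f in findings.items() if f["status"] != "ok"),
                  key=lambda s: -findings[s]["silent_min"])


if __name__ == "__main__":
    for s, f in check_sources(ARRIVALS, NOW).items():
        print(f"{s:12} {f['status']:12} silent {f['silent_min']} min, "
              f"expected gap {f['expected_gap_min']} min")
```

In production the baseline would come from a longer history and be tracked per hour of day, since many sources are legitimately quiet overnight; the per-source floor and multiplier are the two knobs to tune against false pages.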
15 IBM Security Summit 2017
Assess Security Operations Maturity
Capability Maturity Model (CMM), from reactive and manual to proactive and automated:
1. Initial: Process is ad hoc, even chaotic. Few processes are defined, and success depends on individual effort and heroics.
2. Repeatable: Basic project management processes are established and process discipline is in place to repeat earlier successes.
3. Defined: Processes are documented, standardized and integrated into all processes for the organization.
4. Managed: Detailed measures of the process and its outputs are collected, quantitatively understood and controlled.
5. Optimizing: Continuous process improvement is enabled by quantitative feedback from the processes.
Security Operations - Maturity Model
16 IBM Security Summit 2017
Determine Critical Gaps & Prioritize Actions
Inform Prioritized Action Plans and Strategic Roadmaps
Security Operations Posture Reviews and Maturity Gap Analyses
Gap Analysis & Strategic Roadmap
17 IBM Security Summit 2017
Timeline (6-8 weeks) Timeline (14-16 weeks) Ongoing
Methodology for SOC Build and Run
19 IBM Security Summit 2017
Organizational Strategy Layer: Board of Directors
Security Strategy Layer: Enterprise Steering Committee
Security Planning Layer: Executive Steering Committee
Security Operations Layer: Security Operations, Security Operations Center (Tier 1 Monitoring, Tier 2 Triage, Tier 3 Escalation), Security Intelligence Team
Stakeholders: Business Units, Enterprise IT, HR, Legal, Fraud, Audit
Reporting & Meetings: Annual, Quarterly, Monthly, Weekly, Daily
Governance
A complete governance program includes all stakeholders and defines the required communications, reporting and escalation procedures.
Security Operations Governance Model
20 IBM Security Summit 2017
Dashboard tabs: Dashboard, Offenses, Log Activity, Network Activity, Assets, Investigation, Reports, Administration
An integrated, unified view delivered on a single dashboard
23 IBM Security Summit 2017
A kill-chain view of security incidents gives a complete picture of how effective your controls are: which control processes can be improved, which are ineffective, and which controls should be implemented first.
Security Incident Post Mortem Scorecards
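The scorecard the slide describes is straightforward to compute once each post-mortem records, per kill-chain phase the attacker reached, which control saw it and whether that control stopped it. The following added example (not IBM's code, and not a scorecard format from the deck) does that roll-up over three constructed incidents: it reports per-phase reach/detect/block counts, where each incident was first seen, how often each control's detections also blocked, and which phases attackers crossed unseen most often, which is the "prioritize which controls should be implemented" output. Incident IDs, phases reached and control names are constructed.

```python
"""Kill-chain post-mortem scorecard: for each closed incident record which phases
the attacker reached and which control (if any) detected or blocked it, then roll
up control effectiveness and the phases with no coverage. Added example, not
IBM's code; incidents, phases and control names are constructed."""
from collections import defaultdict

PHASES = ["recon", "weaponization", "delivery", "exploitation",
          "installation", "c2", "actions_on_objectives"]

# Constructed post-mortem data. Per reached phase: (control that fired, result).
# (None, None) means the attacker passed through that phase unnoticed.
INCIDENTS = [
    {"id": "PM-01", "phases": {"delivery": ("email-gateway", "detected"),
                               "exploitation": ("edr", "blocked")}},
    {"id": "PM-02", "phases": {"delivery": (None, None), "exploitation": (None, None),
                               "installation": ("edr", "detected"),
                               "c2": ("web-proxy", "blocked")}},
    {"id": "PM-03", "phases": {"delivery": (None, None), "exploitation": (None, None),
                               "installation": (None, None), "c2": (None, None),
                               "actions_on_objectives": ("dlp", "detected")}},
]


def scorecard(incidents):
    """Per-phase reached/detected/blocked counts and per-control tallies."""
    per_phase = {p: {"reached": 0, "detected": 0, "blocked": 0} for p in PHASES}
    per_control = defaultdict(lambda: {"detected": 0, "blocked": 0})
    for inc in incidents:
        for phase, (control, result) in inc["phases"].items():
            per_phase[phase]["reached"] += 1
            if control is None:
                continue
            per_phase[phase]["detected"] += 1
            per_control[control]["detected"] += 1
            if result == "blocked":
                per_phase[phase]["blocked"] += 1
                per_control[control]["blocked"] += 1
    return per_phase, dict(per_control)


def first_detection(inc):
    """Earliest kill-chain phase at which any control saw the incident."""
    for phase in PHASES:
        control, _ = inc["phases"].get(phase, (None, None))
        if control:
            return phase
    return None


def coverage_gaps(per_phase):
    """Phases attackers reached undetected, worst first: where to invest next."""
    gaps = [(p, s["reached"] - s["detected"]) for p, s in per_phase.items()
            if s["reached"] > s["detected"]]
    return sorted(gaps, key=lambda g: (-g[1], PHASES.index(g[0])))


def block_rate(per_control, control):
    """Fraction of a control's detections that also stopped the attacker."""
    c = per_control[control]
    return c["blocked"] / c["detected"] if c["detected"] else 0.0


if __name__ == "__main__":
    phases, controls = scorecard(INCIDENTS)
    for inc in INCIDENTS:
        print(inc["id"], "first seen at", first_detection(inc))
    print("coverage gaps:", coverage_gaps(phases))
    for name in controls:
        print(name, "block rate", block_rate(controls, name))
```

Reading the output the way the slide intends: a control with many detections but a low block rate is a candidate for tuning (the process exists but does not stop anything), a phase that is reached often and never detected is a candidate for a new control, and an incident first seen only at actions-on-objectives is the dwell-time story to take to the steering committee.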
24 IBM Security Summit 2017
Swimlanes: IBM IRIS; IBM Security Operations Centre (on and off site); Tools (IBM and Customer); Customer/MSS IR Team; Infra + App Service Providers (EMA/MSS/3rd Party); IBM Governance and Operational IR Team
Process steps: Security Event Detection; Incident Detection & Recording; Incident Classification & Initial Support; Escalation and Validation of Incident; IR Team escalates; ERS Invoked and Starts Initial Triage; Investigation Support; Contain and Forensic Analysis; Remediation and Recovery; Test; Report with Remediation Strategy; Incident Closure
Supporting functions: Overall Incident Case Management; Incident Response and Forensic Tools (IBM IRIS tools); Configuration Database and Ticketing System; Ownership and Oversight; Incident Investigation and Recovery Support; Incident Database and Problem/Known Error Database
Incident Response Process Integration
Security Incident Management Framework
25 IBM Security Summit 2017
Roles (columns): SOC Analyst: Monitoring; SOC Analyst: Triage; SOC Analyst: Response; Security Intelligence Analyst; Security Incident Handler (Certified); SOC Tools Admin; SOC Manager; Security Forensic Analyst; IT Security Admin; IT Operations; CERT
Key: R = Responsible, A = Accountable, C = Consulted, I = Informed. Letters are listed in slide order; empty cells are not shown.
Core Security Services
Security Monitoring: R C A
Incident Triage: C R C A
Incident Response: C C R C R A R I
Delivery Management: A I
Deployment Services
Use Case Design: C C C R C A C C
Log Source Acquisition: R C R A C C
Service Testing & Tuning: R A I I
Custom Playbook Development: C C C R C C A C C
Operations Training: C C C R C A
Security Intelligence Services
Security Intelligence Analysis: C C C A C C C
Security Intelligence Briefings: A C C C
Use Case Recommendations: C C C A C C C
Administrative Services
SIEM Administration: R A I I
Contextual Data Management: C R A C C
Log Source Management: C R A C C
Log Source Heartbeat Monitoring: C R A C C
Reporting Services
Security Reporting: C C C C C A C I
Efficiency Reporting: C C C A C I
Financial Reporting: C C C C A I
Optional Services
Enterprise Incident Management: C A
Forensics Investigation: C C C C C A C C
Policy Violation Handling: C C C C A C
SOC RACI Matrix
27 IBM Security Summit 2017
Initial agreement of the organisation’scurrent security operations posture, and capabilities.
Potential goals for the target security operations maturity required in the organization to be successful.
How security operations capabilities are implemented in the business through Technology, Process, People, Metrics & Governance.
Better understanding of how a holistic security operations improvement program can reduce business risk.
Linkages to IBM Security Framework and capabilities
Recommended solutions & approaches to improve security operation
Note: Workshop conclusions will need further validation
Next Steps - Security Operations Maturity Workshop
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.
IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
FOLLOW US ON:
THANK YOU