Discover Best of Show 2016 Lee Whatford Principal Consultant Security Intelligence and Operations February, 2016


Page 1: Discover Best of Show 2016 - Hewlett Packard Enterprise...Current Phase 1 Phase 2 Phase 3 Timeline 6 mos 1 yr 2 yr SOMM Target 1.6 2.0 2.5 3.0 Use Cases Logging Perimeter, compliance

Discover Best of Show 2016

Lee Whatford – Principal Consultant – Security Intelligence and Operations

February, 2016

Page 2

Transform to a hybrid infrastructure

Enable workplace productivity

Empower the data-driven organization

Protect your digital enterprise: protect your most prized digital assets whether they are on premises, in the cloud or in between.

Page 3

Managing risk in today's digital enterprise

Rapid transformation of enterprise IT: shift to hybrid, mobile connectivity, big data explosion

Cost and complexity of regulatory pressures: compliance, privacy, data protection

Increasingly sophisticated cyber attacks: more sophisticated, more frequent, more damaging

Page 4

Proactively detect & respond to threats to minimize damage

Protect – Detect and Respond – Recover

Business outcomes:
• Help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration
• Establish situational awareness to find and shut down threats at scale

• 24x7x365 security monitoring
• Threat intelligence and advanced threat analytics
• Proactive incident response
• Testing and training of key personnel and crisis planning

Page 5

State of Security Operations White Paper 2016

Page 6


Page 7

Maturity and Capability Levels

Maturity & Capability Levels: Assessment Methodology

Quantitative assessment of business, people, process, and technology components

Framework based on Carnegie Mellon Software Engineering Institute's Capability Maturity Model Integration (SEI-CMMI)

Aggregate target of 3.00 for commercial organizations

Level | Name        | Description
0     | Incomplete  | Operational elements do not exist
1     | Performed   | Minimal ad hoc execution to meet business requirements
2     | Managed     | Business goals are met and operational tasks are repeatable
3     | Defined     | Operations are well-defined, subjectively evaluated, and flexible (target: 3.00)
4     | Measured    | Operations are quantitatively evaluated, reviewed, and proactively improved
5     | Optimized   | Operations are focused on incremental levels of process improvement

Page 8

SecOps Maturity Assessment

Business (54): Mission, Accountability, Sponsorship, Relationship, Deliverables, Vendor engagement, Facilities

People (65): General, Training, Certifications, Experience, Skill assessments, Career path, Leadership

Process (65): General, Operational processes, Analytical processes, Business processes, Technology processes

Technology (56): General, Architecture, Data collection, Monitoring, Correlation

Page 9

Maturity Assessment

[Chart: SOMM level (0.00 to 2.50 scale) by Business, People, Process and Tech, Company A versus Average]

Assessment              | Score
Business                | 2.44
  Mission               | 1.86
  Accountability        | 1.21
  Sponsorship           | 2.18
  Relationship          | 2.15
  Deliverables          | 3.00
  Vendor Engagement     | 2.67
  Facilities            | 1.27
People                  | 1.82
  General               | 1.98
  Training              | 2.61
  Certifications        | 1.58
  Experience            | 2.00
  Skill Assessments     | 0.88
  Career Path           | 1.92
  Leadership            | 1.50
Process                 | 0.63
  General               | 2.01
  Operational Process   | 1.67
  Analytical Process    | 0.00
  Business Process      | 0.00
  Technology Process    | 0.00
Technology              | 2.60
  Architecture          | 1.54
  Data Collection       | 3.69
  Monitoring            | 1.50
  Correlation           | 1.37
  General               | 2.13
Overall SOMM Level      | 1.69

Roadmap:

            | Current | Phase 1               | Phase 2             | Phase 3
Timeline    | –       | 6 mos                 | 1 yr                | 2 yr
SOMM Target | 1.6     | 2.0                   | 2.5                 | 3.0
Use Cases   | Logging | Perimeter, compliance | Insider Threat, APT | Application Monitoring
Staffing    | Ad hoc  | 4 x L1, 1 x L2        | 8 x L1, 2 x L2      | 12 x L1, 2 x L2, 2 x L3
Coverage    | 8x5     | 8x5                   | 12x7                | 24x7
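As an added example (not HPE's assessment tooling and not part of the deck), the roll-up below takes the Company A sub-area scores from the table above, computes unweighted domain means and an overall level, and lists which sub-areas sit below each roadmap target. The deck does not publish how it weights sub-areas into domain scores, so the domain figures this produces (about 2.05, 1.78, 0.74 and 2.05) differ from the slide's 2.44 / 1.82 / 0.63 / 2.60; the unweighted mean is an assumption. The level names and the 0 to 5 scale are the SOMM levels from the earlier slide.

```python
"""SOMM-style maturity roll-up and roadmap gap check (added illustration).

Sub-area scores are the Company A figures from the assessment table; the
unweighted-mean roll-up is an assumption, since the deck does not state how
it weights sub-areas into the domain scores it shows.
"""
from statistics import mean

# SOMM level names on the 0-5 scale from the Maturity and Capability Levels slide.
LEVELS = ["Incomplete", "Performed", "Managed", "Defined", "Measured", "Optimized"]

COMPANY_A = {
    "Business": {"Mission": 1.86, "Accountability": 1.21, "Sponsorship": 2.18,
                 "Relationship": 2.15, "Deliverables": 3.00,
                 "Vendor Engagement": 2.67, "Facilities": 1.27},
    "People": {"General": 1.98, "Training": 2.61, "Certifications": 1.58,
               "Experience": 2.00, "Skill Assessments": 0.88,
               "Career Path": 1.92, "Leadership": 1.50},
    "Process": {"General": 2.01, "Operational Process": 1.67,
                "Analytical Process": 0.00, "Business Process": 0.00,
                "Technology Process": 0.00},
    "Technology": {"Architecture": 1.54, "Data Collection": 3.69,
                   "Monitoring": 1.50, "Correlation": 1.37, "General": 2.13},
}

# Roadmap targets from the same slide: phase name -> SOMM target.
ROADMAP = [("Current", 1.6), ("Phase 1", 2.0), ("Phase 2", 2.5), ("Phase 3", 3.0)]


def domain_scores(assessment):
    """Unweighted mean per domain (assumption: the deck's weighting is not published)."""
    return {domain: mean(areas.values()) for domain, areas in assessment.items()}


def overall(assessment):
    """Mean of the domain means."""
    return mean(domain_scores(assessment).values())


def level_name(score):
    """Map a fractional score to the SOMM level it has reached."""
    return LEVELS[max(0, min(5, int(score)))]


def gaps(assessment, target):
    """Sub-areas below target, largest shortfall first: where a phase must invest."""
    shortfalls = [(domain, area, round(target - score, 2))
                  for domain, areas in assessment.items()
                  for area, score in areas.items() if score < target]
    return sorted(shortfalls, key=lambda g: g[2], reverse=True)


def phase_plan(assessment, roadmap=ROADMAP):
    """Per roadmap phase: the target, how many sub-areas miss it, and the worst three."""
    return {phase: {"target": target,
                    "below_target": len(gaps(assessment, target)),
                    "worst": [f"{d}/{a}" for d, a, _ in gaps(assessment, target)[:3]]}
            for phase, target in roadmap}


if __name__ == "__main__":
    for domain, score in domain_scores(COMPANY_A).items():
        print(f"{domain:<11}{score:5.2f}  {level_name(score)}")
    total = overall(COMPANY_A)
    print(f"Overall     {total:5.2f}  {level_name(total)}")
    for phase, plan in phase_plan(COMPANY_A).items():
        print(phase, plan)
```

The useful output is the per-phase list, not the averages: the three Process sub-areas scored 0.00 are the largest shortfall against every target, which is why Phase 1 on the slide starts with logging and perimeter content rather than with advanced analytics.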

Page 10

Addressing The Threat


Page 11

Banking Sector Malware – Top 5 Threats (Top 5 Families)

Confidential 11

Carbanak (RAT)
– Phishing attack with lure document
– Advanced coding
– RCE protection
– VMware identification
– Shellcode dropper
– Stage 2 – Carbanak malware family
– China attribution

CORESHELL / CHOPSTICK (RAT)
– Phishing attack with lure document
– Watering hole
– Advanced coding
– VMware identification
– Honeypot identification
– Shellcode dropper
– Stage 2 – CORESHELL and/or CHOPSTICK
– Russian attribution

Dyreza (RAT / keylogger)
– Phishing attack with lure document
– Shellcode dropper
– Stage 2 – Dyreza
– China attribution

Dridex (botnet)
– Spam attack with lure document, watering hole and macro dropper
– Stage 2 – Dridex
– China attribution
– Widest-spread trojan in banking

Prevalence ranking:
1. Dridex – more infection instances than any other
2. Zeus family variants – second most seen
3. CORESHELL / CHOPSTICK
4. Carbanak
5. Dyreza
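Every family on this slide arrives as a phishing or spam lure document, and Dridex in particular relies on a macro dropper that checks for VMware before running its shellcode. The triage step below is an added example, not code from the deck or from HPE: it builds a constructed .docm in memory (no real malware) and inspects it the way a mail gateway or SOC enrichment job would, looking for a macro-enabled container, a VBA project, auto-run entry points, VM identification strings and a download-or-execute primitive. The VBA text is a constructed stand-in; a real vbaProject.bin holds compressed OLE streams, so production code decompresses them (for example with oletools) before any string matching.

```python
"""Triage of an Office lure attachment for the macro-dropper stage (added example).

Constructed input only: build_sample() assembles the parts of an OOXML
container that the checks look at. The regexes are illustrative, not a
complete detection rule set.
"""
import io
import re
import zipfile

DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"

# Entry points Word runs without a click, VM identification, and dropper primitives.
AUTORUN = re.compile(rb"\b(AutoOpen|Document_Open|AutoExec|Auto_Open)\b", re.I)
VM_CHECK = re.compile(rb"(VMware|VirtualBox|vbox|QEMU|SbieDll|Win32_ComputerSystem)", re.I)
DROPPER = re.compile(rb"(Shell\s*\(|WScript\.Shell|URLDownloadToFile|powershell|CreateObject)", re.I)


def build_sample(macro_enabled, vba=None):
    """Constructed OOXML container with only the parts the triage looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        main = DOCM_MAIN if macro_enabled else DOCX_MAIN
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   'package/2006/content-types"><Override PartName="/word/document.xml" '
                   f'ContentType="{main}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if vba is not None:
            z.writestr("word/vbaProject.bin", vba)
    return buf.getvalue()


def triage(blob):
    """Return findings and a verdict for one attachment given as bytes."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        content_types = z.read("[Content_Types].xml")
        vba_parts = [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]
        vba = b"".join(z.read(n) for n in vba_parts)
    f = {
        "macro_enabled_type": DOCM_MAIN.encode() in content_types,
        "vba_project": bool(vba_parts),
        "autorun": bool(AUTORUN.search(vba)),
        "vm_check": bool(VM_CHECK.search(vba)),
        "dropper": bool(DROPPER.search(vba)),
    }
    # A VBA project inside a container that claims to be plain .docx is worth a
    # look on its own, whatever the macro does.
    f["container_mismatch"] = f["vba_project"] and not f["macro_enabled_type"]
    if f["autorun"] and (f["dropper"] or f["vm_check"]):
        f["verdict"] = "block"
    elif f["vba_project"]:
        f["verdict"] = "review"
    else:
        f["verdict"] = "allow"
    return f


# Constructed VBA stand-in: auto-run, a WMI VM check, then a shell dropper.
LURE_VBA = (b'Sub AutoOpen()\r\n'
            b'  Set cs = GetObject("winmgmts:").ExecQuery("Select * from Win32_ComputerSystem")\r\n'
            b'  If InStr(cs.Model, "VMware") > 0 Then Exit Sub\r\n'
            b'  CreateObject("WScript.Shell").Run "powershell -w hidden -c Start-Sleep 1", 0\r\n'
            b'End Sub\r\n')

if __name__ == "__main__":
    for name, blob in (("clean.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True, LURE_VBA)),
                       ("renamed.docx", build_sample(False, b"Sub AutoOpen()\r\nEnd Sub\r\n"))):
        print(name, triage(blob))
```

The VM check is scored as a reason to block rather than as noise: a document that asks whether it is running under VMware before doing anything else is describing the sandbox-evasion step this slide lists for Carbanak and CORESHELL, and a detonation sandbox that is identified will report the sample as clean.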

Page 12

B - A - T

Understanding The Three Key Pillars of Operational Security

Business: risk, business impact, assets ($)

Asset: technology, data, vulnerability

Threat: who? why? modus operandi (slide example: Dyreza)

If you know the enemy and know yourself you need not fear the results of a hundred battles…

Page 13

Mapping the Threat

Use cases draw on security controls, events and sources:

Risk Assessment: IRAM (ISF), internal risk registers, risk exceptions, industry reports

Defence-in-depth Security Controls: asset modelling, data modelling

Threat Assessment: MITRE TARA, Threat Agent Library, open-source intelligence, attacker motivation

Behavioral Analytics: expected usage, trending, user account usage, bandwidth usage, application usage

Insider Misuse: malicious intent, peer comparison, policy violation, misconfiguration

Business Intelligence / Adversarial Intelligence: situational awareness enhancement

Indicators Of Compromise: actors, campaigns, certificates, domains (DNS), emails, events, indicators, IP addresses, PCAPs, raw data, samples, targets

Adversary TTP(s): methods to prepare for and execute attacks; use of tools by an adversary; activities used to evade detection; the ultimate goal of any attack is to maintain persistent access

Legitimate Access: hijacking user accounts, hijacking remote access services

Page 14

Sample PII Use Case


Page 15

Use cases defined as a methodology

• Layering point use cases across an attack life cycle allows
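What layering point use cases across the life cycle looks like in content, for the Mapping the Threat slide and this one, as an added example (not HPE content and not a product rule set): three small use cases from that map, an indicator match on the proxy, a successful login from a host the user has no baseline for (the "legitimate access" column), and outbound volume far above the user's peer group (behavioral analytics), each tag a finding with a life-cycle stage, and a correlation step escalates any account seen in two different stages. The logs, peer groups, host baseline and indicator domains are all constructed for the example.

```python
"""Point use cases layered across the attack life cycle, correlated per account.

Added example with constructed data. A real SOC would take PEER_GROUP and
KNOWN_HOSTS from IDAM/CMDB and IOC_DOMAINS from its threat-intel platform.
"""
from collections import defaultdict
from statistics import median

# Constructed threat-intel indicators (the "Domains" class of the IOC list).
IOC_DOMAINS = {"update-cdn.example.net", "invoice-portal.example.org"}

# Constructed peer groups and per-user host baseline.
PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance",
              "dave": "finance", "eve": "eng"}
KNOWN_HOSTS = {"alice": {"ws-alice"}, "bob": {"ws-bob"}, "carol": {"ws-carol"},
               "dave": {"ws-dave"}, "eve": {"ws-eve", "build-01"}}

# Constructed logs: "<ts> <user> <host> <result>" and "<ts> <user> <host> <dst> <bytes_out>".
AUTH_LOG = """\
2016-02-10T08:01:02 alice ws-alice success
2016-02-10T08:03:11 bob ws-bob success
2016-02-10T08:05:40 carol ws-carol success
2016-02-10T08:07:09 dave ws-dave success
2016-02-10T21:14:55 bob ws-carol success
"""
PROXY_LOG = """\
2016-02-10T09:00:01 alice ws-alice mail.example.com 120000
2016-02-10T09:02:14 bob ws-bob intranet.example.com 90000
2016-02-10T09:05:30 carol ws-carol mail.example.com 150000
2016-02-10T09:10:00 dave ws-dave intranet.example.com 110000
2016-02-10T21:16:03 bob ws-carol update-cdn.example.net 2000
2016-02-10T21:30:47 bob ws-carol update-cdn.example.net 48000000
"""


def parse(log, fields):
    return [dict(zip(fields, line.split())) for line in log.splitlines() if line.strip()]


def uc_indicator_match(proxy):
    """Perimeter use case: proxy destination on the indicator list (stage: c2)."""
    return [("c2", r["user"], r["ts"], r["dst"]) for r in proxy if r["dst"] in IOC_DOMAINS]


def uc_new_host_login(auth):
    """Legitimate-access use case: success from a host outside the user's baseline."""
    return [("credential_misuse", r["user"], r["ts"], r["host"]) for r in auth
            if r["result"] == "success" and r["host"] not in KNOWN_HOSTS.get(r["user"], set())]


def uc_peer_volume(proxy, factor=5.0, min_peers=3):
    """Behavioural use case: bytes out far above the peer-group median (stage: exfiltration)."""
    total = defaultdict(int)
    for r in proxy:
        total[r["user"]] += int(r["bytes"])
    by_group = defaultdict(list)
    for user, t in total.items():
        by_group[PEER_GROUP[user]].append(t)
    out = []
    for user, t in total.items():
        peers = by_group[PEER_GROUP[user]]
        if len(peers) >= min_peers and t > factor * median(peers):
            out.append(("exfiltration", user, "", f"{t} bytes vs peer median {int(median(peers))}"))
    return out


def correlate(findings):
    """Escalate accounts seen in two or more distinct stages; single-stage hits stay low."""
    stages = defaultdict(set)
    for stage, user, _ts, _detail in findings:
        stages[user].add(stage)
    return {user: ("P1" if len(s) >= 2 else "P3") for user, s in stages.items()}


def run(auth_log=AUTH_LOG, proxy_log=PROXY_LOG):
    auth = parse(auth_log, ["ts", "user", "host", "result"])
    proxy = parse(proxy_log, ["ts", "user", "host", "dst", "bytes"])
    findings = uc_indicator_match(proxy) + uc_new_host_login(auth) + uc_peer_volume(proxy)
    return findings, correlate(findings)


if __name__ == "__main__":
    findings, priorities = run()
    for f in findings:
        print(f)
    print(priorities)
```

Each rule on its own is a Phase 1 or Phase 2 use case from the roadmap (logging and perimeter first, insider threat later); the correlation step is what turns three P3 tickets about bob into one P1. The peer median here includes the user's own total, which is fine for a group of four but would need a leave-one-out median for very small groups, and the min_peers guard stops a one-person group from ever being compared with itself.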

Page 16

Building Effective Security Operations


Page 17

Identify
• Information
• Information
• Information

Detect
• Maximise potential
• Repeatable process
• Effective skills

Respond
• Expensive resources
• Time critical

Recover

Reduce Time = Reduce Costs

Page 18

Page 19

Business Priorities Fulfilled by 3 Key Components

Page 20

People, Process & Technology

Technology: connectors; applications; mainframe & mid-range; ICS; physical; vulnerability scanning; threat intelligence; IDAM; DBMS; CMDB; logging; proxy; IDS/IPS; firewall; switches; routers; SIEM

People: executives; IRT; content author; SIOC manager; hunt team; Level 2; Level 1; IT Ops; audit & compliance

Process

Compliance: MiFID, Basel, Dodd-Frank, money laundering, MAD, EMIR, REMIT, Solvency, AIFMD, EU GDPR, PCI, etc. & ever evolving

Page 21

Attaining The 'Best'

Assess and Design       | Build                 | Operate                            | Transfer
SOC Maturity Assessment | SIEM & Logger Install | Content Refinement                 | Transition Platform
Use Case Workshop       | Device Onboarding     | Monitoring                         | Transition Use Cases
Roles & Responsibility  | Use Case Authoring    | Triage & Prioritisation            | Train Customer on HPE Roles
Skills Requirements     | Training              | Analytics & Subtle Event Detection |
Skills Assessment       | Career Progression    | Service Level Agreements           |

Metrics & KPIs

SOC Knowledge Management

Processes and Procedure: Operational, Technical, Analytical, Business

Continuous Innovation

Page 22

Processes: Analytical, Technical, Operational, Business

Analytical
• Threat Intelligence
• Investigations
• Data Exploration
• Focused Monitoring
• Forensics
• Advanced Content
• Information Fusion

Technical
• Architecture
• Data Flow
• Data Onboarding
• User Provisioning
• Access Controls
• Configuration Management
• Use Case Lifecycle
• Maintenance
• Health & Availability
• Backup & Restore

Operational
• Incident Management
• Roles & Responsibilities
• Scheduling
• Shift Turnover
• Case Management
• Crisis Response
• Problem & Change
• Employee Onboarding
• Training
• Skills Assessment
• Ops Status

Business
• Mission
• Sponsorship
• Service Commitment
• Metrics & KPIs
• Compliance
• Project Management
• Continual Improvement
• Knowledge Management
• BC / DR

Page 23

Resource Planning

Analytical – Technical – Ops – Business

Analyst sourcing: talent pools; selection; onboarding; training and development; staff retention; career development; recycling the analyst

Page 24

Resourcing Your SOC

Analytical – Technical – Ops – Business

Mindset, background, skills, job specs, interviews (staffing models)

Team and individual plans, career planning, goals

Internal resource planning

Page 25

Your Options With HPE

Roles: SOC Manager, Ops Lead, Analysts, Engineer, Content

Model      | Monitoring                                        | SIEM
In House   | 8x5 monitoring in house                           | In house SIEM
Hybrid     | Out-of-hours (OOH) monitoring off site            | In house SIEM
Hybrid     | 24x7 monitoring, Level 1 (triage) off site        | In house SIEM
Hybrid     | 24x7 monitoring, Level 1 and 2 (triage) off site  | In house / off site SIEM
Outsourced | 24x7 monitoring off site                          | Off site SIEM

Page 26

If you know the enemy and know yourself you need not fear the results of a hundred battles…

[email protected]

uk.linkedin.com/in/leewhatford


Thank you