TRANSCRIPT
Discover Best of Show 2016
Lee Whatford – Principal Consultant – Security Intelligence and Operations
February 2016
Transformation areas:
• Transform to a hybrid infrastructure
• Enable workplace productivity
• Empower the data-driven organization
• Protect your digital enterprise
Protect your most prized digital assets whether they are on premise, in the cloud or in between.
Managing risk in today's digital enterprise
• Rapid transformation of enterprise IT: shift to hybrid; mobile connectivity; big data explosion
• Cost and complexity of regulatory pressures: compliance; privacy; data protection
• Increasingly sophisticated cyber attacks: more sophisticated; more frequent; more damaging
Proactively detect & respond to threats to minimize damage
Cycle: Protect, Detect and Respond, Recover
Business Outcomes
• Help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration
• Establish situational awareness to find and shut down threats at scale
• 24x7x365 security monitoring
• Threat intelligence and advanced threat analytics
• Proactive incident response
• Testing and training of key personnel, and crisis planning
State of Security Operations White Paper 2016
Maturity and Capability Levels – Assessment Methodology
• Quantitative assessment of business, people, process, and technology components
• Framework based on Carnegie Mellon Software Engineering Institute's Capability Maturity Model Integration (SEI CMMI)
• Aggregate target of 3.00 for commercial organizations

Level 0 – Incomplete: operational elements do not exist
Level 1 – Performed: minimal ad hoc execution to meet business requirements
Level 2 – Managed: business goals are met and operational tasks are repeatable
Level 3 – Defined (target 3.00): operations are well-defined, subjectively evaluated, and flexible
Level 4 – Measured: operations are quantitatively evaluated, reviewed, and proactively improved
Level 5 – Optimized: operations are focused on incremental levels of process improvement
SecOps Maturity Assessment – domains and assessment areas (figures in parentheses as shown on the slide)
Business (54): Mission; Accountability; Sponsorship; Relationship; Deliverables; Vendor engagement; Facilities
People (65): General; Training; Certifications; Experience; Skill assessments; Career path; Leadership
Process (65): General; Operational processes; Analytical processes; Business processes; Technology processes
Technology (56): General; Architecture; Data collection; Monitoring; Correlation
Maturity Assessment
[Chart: SOMM level per domain (Business, People, Process, Technology), Company A against the average; scale 0.00 to 2.50]

Maturity Assessment (Company A)   Score
Business                          2.44
  Mission                         1.86
  Accountability                  1.21
  Sponsorship                     2.18
  Relationship                    2.15
  Deliverables                    3.00
  Vendor Engagement               2.67
  Facilities                      1.27
People                            1.82
  General                         1.98
  Training                        2.61
  Certifications                  1.58
  Experience                      2.00
  Skill Assessments               0.88
  Career Path                     1.92
  Leadership                      1.50
Process                           0.63
  General                         2.01
  Operational Process             1.67
  Analytical Process              0.00
  Business Process                0.00
  Technology Process              0.00
Technology                        2.60
  Architecture                    1.54
  Data Collection                 3.69
  Monitoring                      1.50
  Correlation                     1.37
  General                         2.13
Overall SOMM Level                1.69
Roadmap          Current    Phase 1                  Phase 2                Phase 3
Timeline         -          6 mos                    1 yr                   2 yr
SOMM Target      1.6        2.0                      2.5                    3.0
Use Cases        Logging    Perimeter, compliance    Insider threat, APT    Application monitoring
Staffing         Ad hoc     4 x L1, 1 x L2           8 x L1, 2 x L2         12 x L1, 2 x L2, 2 x L3
Coverage         8x5        8x5                      12x7                   24x7
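The roadmap above jumps from 8x5 to 12x7 to 24x7 coverage while the L1 headcount grows from 4 to 12. The arithmetic that links a coverage window to a headcount is worth seeing once, because it is what turns a phase target into a hiring plan. The following is an added example and not code from the deck or from HPE; the slide does not state its shift model, so the contracted hours, leave, training and sickness allowances below are assumptions chosen for illustration.

```python
"""Added example, not from the HPE deck: headcount arithmetic behind a
SOC coverage roadmap (8x5 -> 12x7 -> 24x7).

The slide gives headcounts per phase but not the shift model behind them;
contracted hours and absence allowances below are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class StaffingAssumptions:
    contracted_hours: float = 40.0  # assumed hours per analyst per week
    leave_weeks: float = 5.0        # assumed annual leave per year
    training_weeks: float = 2.0     # assumed training time per year
    sickness_weeks: float = 1.5     # assumed sickness allowance per year


def coverage_hours_per_week(days: int, hours_per_day: int) -> float:
    """Hours the console must be staffed each week: 8x5 = 40, 12x7 = 84, 24x7 = 168."""
    return float(days * hours_per_day)


def productive_hours_per_week(a: StaffingAssumptions) -> float:
    """Contracted hours scaled by the fraction of the year an analyst is actually on shift."""
    available_weeks = 52.0 - a.leave_weeks - a.training_weeks - a.sickness_weeks
    return a.contracted_hours * available_weeks / 52.0


def analysts_required(seats: int, days: int, hours_per_day: int,
                      a: StaffingAssumptions = StaffingAssumptions()) -> int:
    """Whole analysts needed to keep `seats` consoles staffed for the coverage window."""
    seat_hours = seats * coverage_hours_per_week(days, hours_per_day)
    return math.ceil(seat_hours / productive_hours_per_week(a))


# Coverage windows from the roadmap slide: (days per week, hours per day)
COVERAGE = {"8x5": (5, 8), "12x7": (7, 12), "24x7": (7, 24)}


def roadmap_headcount(seats: int, a: StaffingAssumptions = StaffingAssumptions()) -> dict:
    """Headcount for each coverage window in the roadmap at a fixed number of staffed seats."""
    return {label: analysts_required(seats, d, h, a) for label, (d, h) in COVERAGE.items()}


if __name__ == "__main__":
    for label, n in roadmap_headcount(seats=2).items():
        print(f"{label}: {n} analysts for 2 seats")
```

With these assumptions two staffed L1 seats need 3 analysts at 8x5, 6 at 12x7 and 11 at 24x7, close to the slide's 12 x L1 for Phase 3. The driver is the ratio of seat-hours to productive hours per analyst; shift length does not change the total, only how many people are on the floor at once, which is why the absence allowances matter more than the rota.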
Addressing The Threat
Banking Sector Malware – Top 5 Threats (top 5 families)
Confidential
Carbanak (RAT)
– Phishing attack with lure document
– Advanced coding
– RCE protection
– VMware identification
– Shellcode dropper
– Stage 2: Carbanak malware family
– China attribution

CORESHELL / CHOPSTICK (RAT)
– Phishing attack with lure document
– Watering hole
– Advanced coding
– VMware identification
– Honeypot identification
– Shellcode dropper
– Stage 2: CORESHELL and/or CHOPSTICK
– Russian attribution

Dyreza (RAT / keylogger)
– Phishing attack with lure document
– Shellcode dropper
– Stage 2: Dyreza
– China attribution

Dridex (botnet)
– Spam attack with lure document, watering hole and macro dropper
– Stage 2: DRIDEX
– China attribution
– Widest-spread trojan in banking

Prevalence as ranked on the slide: Dridex (more infection instances than any other); Zeus family variants (second most seen); then CORESHELL/CHOPSTICK, Carbanak and Dyreza.
Understanding The Three Key Pillars of Operational Security: Business – Asset – Threat (B-A-T)
Confidential
Business: risk; business impact; assets ($)
Asset: technology; data; vulnerability
Threat: who? why? modus operandi (example on the slide: Dyreza)
If you know the enemy and know yourself you need not fear the results of a hundred battles…
Mapping the Threat
Business Intelligence (left) feeds Adversarial Intelligence (right); both drive the use cases.
• Risk Assessment – inputs: ISF IRAM; internal risk registers; risk exceptions; industry reports
• Defence-in-depth Security Controls – security controls and event sources define what the use cases can see
• Behavioral Analytics – expected usage; trending; user account usage; bandwidth usage; application usage
• Insider Misuse – malicious intent; peer comparison; policy violation; misconfiguration
• Threat Assessment – inputs: asset modelling; data modelling; MITRE TARA; threat agent library; OS intel; attacker motivation
• Indicators of Compromise – situational awareness enhancement; objects tracked: actors, campaigns, certificates, domains (DNS), emails, events, indicators, IP addresses, PCAPs, raw data, samples, targets
• Adversary TTPs – methods to prepare for and execute attacks; use of tools by an adversary; activities used to evade detection
• Legitimate Access – the ultimate goal of any attack is to maintain persistent access: hijacking user accounts; hijacking remote access services
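The Behavioral Analytics and Insider Misuse columns above name the signals (expected usage, trending, peer comparison, policy violation) but not how they combine into a finding. The following is an added example, not code from the deck or from HPE, showing the three checks run over a constructed set of daily per-user egress records: a deviation from the user's own history, a robust deviation from same-department peers, and use of an application outside an approved list. The records, department membership and the approved-application policy are all constructed for the example.

```python
"""Added example, not from the HPE deck: behavioural analytics and
insider-misuse checks (expected usage, trending, peer comparison, policy
violation) run over constructed daily egress records.

Records, departments and the approved-application policy are constructed.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed: (day, user, department, megabytes uploaded, application)
RECORDS = [
    (1, "alice", "finance", 100, "excel-online"),
    (1, "bob",   "finance", 120, "excel-online"),
    (1, "carol", "finance", 110, "excel-online"),
    (1, "dave",  "eng",     400, "git"),
    (1, "erin",  "eng",     380, "git"),
    (1, "frank", "eng",     390, "git"),
    (2, "alice", "finance", 110, "excel-online"),
    (2, "bob",   "finance", 115, "excel-online"),
    (2, "carol", "finance", 105, "excel-online"),
    (2, "dave",  "eng",     420, "git"),
    (2, "erin",  "eng",     390, "git"),
    (2, "frank", "eng",     400, "git"),
    (3, "alice", "finance", 100, "excel-online"),
    (3, "alice", "finance", 2100, "dropbox"),   # bulk upload through an unapproved app
    (3, "bob",   "finance", 125, "excel-online"),
    (3, "carol", "finance", 100, "excel-online"),
    (3, "dave",  "eng",     410, "git"),
    (3, "erin",  "eng",     2000, "git"),        # approved app, abnormal volume
    (3, "frank", "eng",     395, "git"),
]

APPROVED_APPS = {"excel-online", "git"}   # assumed policy
SELF_Z_THRESHOLD = 3.0                     # deviation from the user's own history
PEER_Z_THRESHOLD = 3.5                     # robust z-score against same-department peers


def daily_totals(records):
    """Sum uploads per (user, day) regardless of application."""
    totals = defaultdict(float)
    for day, user, _dept, mb, _app in records:
        totals[(user, day)] += mb
    return totals


def self_baseline_z(records, user, day):
    """Distance of today's total from the user's own prior days (expected usage / trending)."""
    totals = daily_totals(records)
    history = [v for (u, d), v in totals.items() if u == user and d < day]
    if len(history) < 2:
        return 0.0                                 # no baseline yet: do not score
    mu = mean(history)
    spread = max(pstdev(history), 0.1 * mu)        # floor so a flat history is not hypersensitive
    return (totals[(user, day)] - mu) / spread


def peer_z_scores(records, day):
    """Robust z-score (median / MAD) of each user's total against same-department peers."""
    totals = daily_totals(records)
    dept_of = {user: dept for _d, user, dept, _mb, _app in records}
    by_dept = defaultdict(dict)
    for (user, d), v in totals.items():
        if d == day:
            by_dept[dept_of[user]][user] = v
    scores = {}
    for users in by_dept.values():
        vals = list(users.values())
        med = median(vals)
        mad = median([abs(v - med) for v in vals]) or max(0.1 * med, 1.0)
        for user, v in users.items():
            scores[user] = 0.6745 * (v - med) / mad
    return scores


def policy_violations(records, day):
    """Users who moved data through applications outside the approved list."""
    bad = defaultdict(set)
    for d, user, _dept, _mb, app in records:
        if d == day and app not in APPROVED_APPS:
            bad[user].add(app)
    return {user: sorted(apps) for user, apps in bad.items()}


def detect(records, day):
    """Combine the three checks into per-user findings for one day."""
    findings = defaultdict(list)
    peers = peer_z_scores(records, day)
    for user in sorted({u for d, u, *_ in records if d == day}):
        z_self = self_baseline_z(records, user, day)
        if z_self > SELF_Z_THRESHOLD:
            findings[user].append(f"self-baseline z={z_self:.1f}")
        if peers.get(user, 0.0) > PEER_Z_THRESHOLD:
            findings[user].append(f"peer-group z={peers[user]:.1f}")
    for user, apps in policy_violations(records, day).items():
        findings[user].append("policy-violation " + ",".join(apps))
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in detect(RECORDS, 3).items():
        print(user, reasons)
```

On day 3 alice trips all three checks, erin trips the two volume checks but no policy rule (git is approved), and nobody else is flagged; on day 2 no user has enough history for a self baseline and the peer groups are flat, so nothing fires. The median/MAD peer score is used instead of mean/standard deviation because one outlier in a small team would otherwise inflate the spread and hide itself.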
Sample PII Use Case
Confidential
Use cases defined as a methodology: layering point use cases in an attack life cycle allows
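The point of layering point use cases along an attack life cycle is that a single alert (a macro-enabled attachment, one suspicious DNS query) is weak evidence, while several stages firing on the same host inside a short window is strong evidence. The following is an added example, not code from the deck or from HPE, that scores hosts that way over a constructed event stream modelled on the lure document, dropper, persistence and stage-2 callback sequence the malware slide describes. The stage names, detection predicates, indicator list and events are constructed; mapping an inbound e-mail to the recipient's workstation is assumed to have happened upstream.

```python
"""Added example, not from the HPE deck: layering point use cases along an
attack life cycle so that one host tripping several stages in a short window
outranks isolated single-stage alerts.

Stage names, rules, the IOC list and the event stream are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STAGES = ["delivery", "exploitation", "installation", "command_and_control"]
IOC_DOMAINS = {"update-srv.example"}                 # constructed indicator
LURE_EXTENSIONS = (".docm", ".xlsm", ".js")
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe"}


# Each point use case is a predicate over one normalised event.
def uc_delivery(e):
    return e["type"] == "email" and e.get("attachment", "").lower().endswith(LURE_EXTENSIONS)


def uc_exploitation(e):
    return (e["type"] == "process"
            and e.get("parent", "").lower() in OFFICE_PARENTS
            and e.get("image", "").lower() in SCRIPT_HOSTS)


def uc_installation(e):
    return e["type"] == "registry" and e.get("key", "").lower().endswith("\\currentversion\\run")


def uc_command_and_control(e):
    return e["type"] == "dns" and e.get("domain", "") in IOC_DOMAINS


POINT_USE_CASES = {
    "delivery": uc_delivery,
    "exploitation": uc_exploitation,
    "installation": uc_installation,
    "command_and_control": uc_command_and_control,
}


def stage_hits(events):
    """Host -> time-ordered list of (time, stage) for every point use case that fired."""
    hits = defaultdict(list)
    for e in events:
        for stage, rule in POINT_USE_CASES.items():
            if rule(e):
                hits[e["host"]].append((e["time"], stage))
    for h in hits.values():
        h.sort()
    return hits


def correlate(events, window=timedelta(hours=24)):
    """Per host, the largest set of distinct stages seen within one window, in kill-chain order."""
    chains = {}
    for host, hits in stage_hits(events).items():
        best, current, start = [], [], None
        for t, stage in hits:
            if start is None or t - start > window:   # too far from the chain's first hit: start over
                start, current = t, []
            if stage not in current:
                current.append(stage)
            if len(current) > len(best):
                best = list(current)
        chains[host] = sorted(best, key=STAGES.index)
    return chains


def severity(stages):
    """Isolated stage = low; two linked stages = medium; three or more = high."""
    return "high" if len(stages) >= 3 else "medium" if len(stages) == 2 else "low"


# Constructed event stream: WS-A shows the full lure -> macro -> persistence -> callback chain,
# WS-B only receives a lure, WS-C has two unrelated hits days apart.
T0 = datetime(2016, 2, 1, 9, 0)
EVENTS = [
    {"host": "WS-A", "time": T0, "type": "email", "attachment": "Invoice_2016.docm"},
    {"host": "WS-A", "time": T0 + timedelta(minutes=5), "type": "process",
     "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"host": "WS-A", "time": T0 + timedelta(minutes=6), "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "WS-A", "time": T0 + timedelta(minutes=7), "type": "dns", "domain": "update-srv.example"},
    {"host": "WS-B", "time": T0 + timedelta(hours=1), "type": "email", "attachment": "Statement.xlsm"},
    {"host": "WS-B", "time": T0 + timedelta(hours=2), "type": "dns", "domain": "www.example.org"},
    {"host": "WS-C", "time": T0 - timedelta(days=3), "type": "process",
     "parent": "WINWORD.EXE", "image": "cmd.exe"},
    {"host": "WS-C", "time": T0 + timedelta(days=1), "type": "dns", "domain": "update-srv.example"},
]


if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, severity(stages), stages)
```

WS-A comes out high with all four stages, WS-B and WS-C stay low: WS-C did trip two point use cases, but four days apart, so the 24-hour window keeps them as two separate one-stage chains. Each predicate on its own would page an analyst far too often; the correlation step is what makes the individual rules affordable to run broadly.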
Building Effective Security Operations
Confidential
• Identify: information, information, information
• Detect: maximise potential; repeatable process; effective skills
• Respond: expensive resources; time critical
• Recover: reduce time = reduce costs
Business priorities fulfilled by 3 key components: People, Process & Technology
Technology: connectors; applications; mainframe & mid-range; ICS; physical; vulnerability scanning; threat intelligence; IDAM; DBMS; CMDB; logging; proxy; IDS/IPS; firewall; switches; routers; SIEM
People: executives; IRT; content author; SIOC manager; hunt team; Level 2; Level 1; IT Ops; audit & compliance
Process: see processes and procedures
Compliance: MiFID, Basel, Dodd-Frank, Anti-Money Laundering, MAD, EMIR, REMIT, Solvency, AIFMD, EU GDPR, PCI, etc., and ever evolving
Attaining The 'Best'
Confidential
Assess and Design: SOC maturity assessment; use case workshop; roles & responsibilities; skills requirements; skills assessment
Build: SIEM & Logger install; device onboarding; use case authoring; training; career progression
Operate: content refinement; monitoring; triage & prioritisation; analytics & subtle event detection; service level agreements; metrics & KPIs; SOC knowledge management
Transfer: transition platform; transition use cases; train customer on HPE roles

Processes and Procedures: Operational, Technical, Analytical, Business
Continuous Innovation
Processes
Analytical
• Threat Intelligence
• Investigations
• Data Exploration
• Focused Monitoring
• Forensics
• Advanced Content
• Information Fusion
Technical
• Architecture
• Data Flow
• Data Onboarding
• User Provisioning
• Access Controls
• Configuration Management
• Use Case Lifecycle
• Maintenance
• Health & Availability
• Backup & Restore
Operational
• Incident Management
• Roles & Responsibilities
• Scheduling
• Shift Turnover
• Case Management
• Crisis Response
• Problem & Change
• Employee Onboarding
• Training
• Skills Assessment
• Ops Status
Business
• Mission
• Sponsorship
• Service Commitment
• Metrics & KPIs
• Compliance
• Project Management
• Continual Improvement
• Knowledge Management
• BC / DR
Resource Planning
Confidential
Analyst sourcing, across Analytical, Technical, Ops and Business roles: talent pools; selection and onboarding; training and development; staff retention; career development; recycling the analyst

Resourcing Your SOC (Analytical, Technical, Ops, Business)
• Mindset, background, skills
• Job specs, interviews (staffing models)
• Team and individual plans
• Career planning goals
• Internal resource planning
Your Options With HPE
Confidential
1. In House: SOC manager, ops lead, analysts, engineer, content; in-house SIEM
2. Hybrid: 8x5 monitoring in house, out-of-hours (OOH) monitoring off site; in-house SIEM
3. Hybrid: 24x7 monitoring, Level 1 (triage) off site; in-house SIEM
4. Hybrid: 24x7 monitoring, Level 1 and 2 (triage) off site; in-house / off-site SIEM
5. Outsourced: 24x7 monitoring off site; off-site SIEM
uk.linkedin.com/in/leewhatford
Thank you