5G/SOC: Inside the world's most advanced SOCs
Posted on 14-Jun-2018
Transcript
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
5G/SOC: Inside the world's most advanced SOCs
James Blake, Practice Manager EMEA, HP Security Intelligence & Operations Consulting
HP Security Intelligence & Operations Consulting
The best in the world at building state-of-the-art security operations capabilities / cyber defense programs
Experience:
• 45+ SOC builds
• 105+ SOC assessments
• 50+ SIOC consultants worldwide
• Over 250 years of cumulative SOC experience
Solution approach:
• People, process, and technology
• Accelerated success: mature project methodology, best practices, extensive intellectual capital
Founded: 2007
SIOC services: http://hp.com/go/sioc
“SIEM implementations often fail to deliver full value — not due to ‘broken tools,’ but due to broken processes and practices by the organization that owns and operates the SIEM tool.” Gartner: Security Information and Event Management Architecture and Operational Processes, 2013
“Getting to higher maturity stages requires work — with no shortcuts that are known to be effective across organizations. Ongoing commitment of people and also commitment to process improvements are baseline requirements for that.” Gartner: Security Information and Event Management Architecture and Operational Processes, 2013
Incident lifecycle (diagram): Prepare → Detect → Investigate → Contain → Eradicate → Recover → Lessons learned. Roles shown across the lifecycle: everyone, SOC, CIRT, IT Ops.
People, process, technology
Diagram: an alert flows from the technology layer (firewall, router, intrusion detection, applications and proxy server feeding the ESM server) through the process layer (Level 1 and Level 2 analysts, escalation to the incident handler, case closed) to the people layer (network and system owners, content author, threat intelligence, hunt team, audit and CxO).
Security operations centers go by many names: Cyber Defense Center (CDC), Security Operations Center (SOC), Threat Operations Center (TOC), Security Defense Center (SDC), Cyber Security Intelligence Response Center (C-SIRC), Threat Management Center (TMC), Security Intelligence and Operations Center (SIOC), Security Intelligence and Threat Handlers (SITH), Security Threat and Intelligence Center (STIC).
“If an organization does not have some tuning (initial and ongoing) process to adapt an SIEM tool to a changing environment, the chances of getting the value equivalent to SIEM software purchase price are minuscule.” Gartner: Security Information and Event Management Architecture and Operational Processes, 2013
1G/SOC: 1970s-1995
• Birth of the Internet: businesses not connected, or connected via slow connections
• Nuisance programs and minimally impacting malicious code
• Information security tools appear
• Military and governments start to build SOCs and CERTs
1G/SOC data feeds: logs from firewalls, IDS and network equipment
2G/SOC: 1996-2001
• Malware outbreaks and intrusion detection
• MSSPs begin to offer SOC as a service to customers
• SIEM concepts are introduced
2G/SOC data feeds: firewalls, IDS, network equipment
2G/SOC log analytical process
Example alert: 192.168.0.23:43987 → 203.45.65.201:1433, SQL Injection Attack, 23Mar10 1930:003, user=jones
Question the analyst asks → where the answer comes from:
• Where is this coming from? → traceroute
• What are these systems called? → nslookup
• What is the timing on this? → traffic analysis
• What does this person do? → address book
• Is this port open? → port scan
• What is it used for? → port lookup
• Is this a correctly crafted attack? → payload
• How does this attack work? → signature details
• What else is going on? → contemporary events
3G/SOC: 2002-2005
• Botnets, cybercrime, intrusion prevention, and compliance
• Largest companies in specific industries create SOCs internally
3G/SOC data feeds: firewalls/VPN, IDPS, network equipment, server and desktop OS, databases, web traffic, anti-virus, vulnerability scanning, system health information, intelligence feeds
3G/SOC log analytical process
Same example alert (192.168.0.23:43987 → 203.45.65.201:1433, SQL Injection Attack, 23Mar10 1930:003, user=jones) and the same 2G questions (traceroute, nslookup, traffic analysis, address book, port scan, port lookup, payload, signature details, contemporary events), plus:
• Is this IP doing anything else? → other logs
• What is installed on this system? → asset inventory
• Has this been going on long? → historical context
4G/SOC: 2006-2013
• Hacktivism, intellectual property theft, advanced persistent threat
• Wide adoption of continuous security monitoring as breaches fill headlines
4G/SOC data feeds: firewalls/VPN, IDPS, network equipment, server and desktop OS, databases, applications, web traffic, anti-virus, vulnerability scanning, system health information, intelligence feeds, directory services, identity management, business context, physical infrastructure
4G/SOC log analytical process
Same example alert (192.168.0.23:43987 → 203.45.65.201:1433, SQL Injection Attack, 23Mar10 1930:003, user=jones) and the 2G and 3G questions (traceroute, nslookup, traffic analysis, address book, port scan, port lookup, payload, signature details, contemporary events, other logs, asset inventory, historical context), plus:
• Is this a known bad guy? → DeepSight
• Who owns this system? Are there any current changes? → ITAM
• Are other sites seeing this? → DShield
• Is this system vulnerable to this? → vulnerability scan
• What is the status of this user? → IDAM
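As an added illustration (not code from the deck), the 4G analytical process above expressed as automated enrichment: the alert shown on the slide is parsed and joined with constructed stand-ins for the asset inventory (ITAM), vulnerability scan, threat intelligence, community sightings, IDAM and historical context, then given a priority. The lookup tables, field names and scoring weights are all assumptions.

```python
import re

# Constructed alert in the format shown on the slide (sample data, not real telemetry).
RAW_ALERT = ("192.168.0.23:43987 203.45.65.201:1433 SQL Injection Attack "
             "23Mar10 1930:003 user=jones")

# Constructed stand-ins for the 4G enrichment sources named on the slide.
# In a real SOC each dict would be a lookup against the live system.
ATTACK_CLASS = {"SQL Injection Attack": "sql-injection"}   # alert name -> weakness it needs
ITAM = {"203.45.65.201": {"name": "erp-db-01", "owner": "Finance IT", "open_change": True}}
VULN_SCAN = {"203.45.65.201": {"sql-injection", "weak-tls"}}  # confirmed weaknesses per host
THREAT_INTEL = {"192.168.0.23"}              # "known bad guy" list (DeepSight-style feed)
COMMUNITY_SIGHTINGS = {"192.168.0.23": 0}    # "are other sites seeing this?" (DShield-style)
IDAM = {"jones": {"status": "disabled", "role": "contractor"}}
HISTORY = {("192.168.0.23", "203.45.65.201"): 14}   # prior alerts for this src/dst pair

ALERT_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<name>.+?) (?P<date>\d{2}[A-Za-z]{3}\d{2}) (?P<time>\S+) user=(?P<user>\w+)"
)


def enrich(raw):
    """Parse the alert and join it with the context a 4G analyst pulls by hand."""
    m = ALERT_RE.fullmatch(raw)
    if not m:
        raise ValueError("unrecognised alert format")
    a = m.groupdict()
    needed = ATTACK_CLASS.get(a["name"])
    a["asset"] = ITAM.get(a["dst"])                                   # who owns it, any changes?
    a["vulnerable"] = needed in VULN_SCAN.get(a["dst"], set())        # vulnerable to this?
    a["known_bad"] = a["src"] in THREAT_INTEL                         # known bad guy?
    a["seen_elsewhere"] = COMMUNITY_SIGHTINGS.get(a["src"], 0) > 0    # other sites seeing it?
    a["user_status"] = IDAM.get(a["user"], {}).get("status", "unknown")  # status of this user?
    a["prior_alerts"] = HISTORY.get((a["src"], a["dst"]), 0)          # going on long?
    return a


def triage(a):
    """Turn the enriched alert into a priority score plus the reasons behind it."""
    score, reasons = 0, []
    if a["vulnerable"]:
        score += 3
        reasons.append("target is vulnerable to this attack class")
    if a["known_bad"]:
        score += 2
        reasons.append("source is on the threat intelligence list")
    if a["user_status"] != "active":
        score += 2
        reasons.append("account %s is %s" % (a["user"], a["user_status"]))
    if a["prior_alerts"] > 5:
        score += 1
        reasons.append("%d prior alerts for this pair" % a["prior_alerts"])
    if a["asset"] and a["asset"]["open_change"]:
        score -= 1
        reasons.append("open change on the target; may be noise")
    return score, reasons
```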
5G/SOC: cyber defense future-proofed
How we got here: 10+ years of breaches; increased awareness; advancements in technology; increasing regulation; consumerization of IT. The threat level continues to rise.
5G/SOC: 2013 - ?
Subtle threat detection, hunt teams, counter-intel, anti-fragile, advanced analytics, big data
Every 60 seconds…
• 278,000+ tweets
• 23,148 apps downloaded
• 400,710 ad requests
• 34,597 people are using Zinio
• 1,500 pings sent on PingMe
• 2000 lyrics played on Tunewiki
• 208,333 minutes of Angry Birds played
Diagram: eras of computing (mainframe, client/server, the internet, and mobile, social, Big Data and the cloud), illustrated with a cloud of vendor and application logos.
5G/SOC
• Acknowledge security threats are driven by human adversaries
• Assume compromise
• Anti-fragile enterprise – led by intelligence, not vulnerabilities
• Interaction with peers; organizations readily share information
• Hunt teams search large data sets to find threats and attack patterns we did not know about previously
• Convergence of IT Security and IT Operations tools to facilitate better visibility
• Data visualization drives how anomalies are discovered and researched
• The SOC must align to the business and demonstrate meaningful value
Attack lifecycle (diagram): phases shown are Research, Discovery, Infiltration, Capture and Exfiltration, spanning their ecosystem and our enterprise.
HP attack lifecycle – what can you actually detect?
Kill chain stages: Reconnaissance → Weaponisation → Delivery → Exploitation → Installation → C2 → Actions
Detectable activity mapped onto the chain: external reconnaissance or anomalous communication; attack delivery; exploitation; installation; C2; local compromise; internal reconnaissance; lateral movement; establish persistence.
Organization
Chart: residual risk, SOC OpEx and raw exposure (£) per month, November to April, on a £0 to £3000000 axis. Values shown on the slide: £85743, £84392, £101234, £62394, £81923, £76209; £2634453, £2545669, £2854883; £2134521, £2432459, £2378906.
KPI-002/003: Prevented & contained attacks (Business Unit)
Metric description: Measures the number of attacks at the business unit level that are either prevented or contained from causing further damage after initial detection.
Frequency: Daily, weekly
Usage: Drives situational awareness of bad actors and allows business units to enact countermeasures based on these bad actors.
Charts: Prevented attacks by Business Unit (January 7, 2013) and Contained attacks by Business Unit (January 7, 2013), each broken down by impact (high, moderate, low) for the Baggage, Ticketing and Checkin business units.
TM-003: Events per analyst per hour
Metric description: Measures the number of alerts an analyst must research every hour. Measured at both the team and analyst level.
Frequency: Daily
Usage: Drives workload balancing, staffing, and training plans.
Charts: Events per analyst per hour (EPAH), 7 day rolling average (January 7, 2013), plotted against target on an 8.0 to 14.0 axis; by analyst (actuals, not average) for Joe, Mary and Jane on a 0 to 15 axis.
TM-007: Alerts requiring escalation to higher level of analysis
Metric description: Measures the alerts where an analyst escalates to a higher tier analyst for additional support. This can indicate a training gap or poor use case design.
Frequency: Weekly
Usage: Drives analyst development plans and use case design.
Charts: Level 1 and Level 2 escalations, weekly summary (tickets, total vs escalated, 0 to 40 axis); by analyst for Mary, Joe and Jane (tickets, total vs escalated, 0 to 25 axis).
TM-006: Top 5 use cases where false positives reported
Metric description: Measures the use cases where the recipient of the alert indicates that it was a false positive.
Frequency: Daily
Usage: Drives use case development and improvement along with the organizational commitment to quality.
Charts: Top 5 use cases with false positives, 7 day rolling average (percentage reported, 0% to 20%): SQL Injection from Internal, Brute force SSH password attack, Connection to potential Zeus host, Rogue access point, Connection on port 8000-8002; all use cases with false positives (percentage reported, 0% to 20%) by day, 1/1/2013 to 1/7/2013.
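Added example, not from the deck: computing TM-003, TM-007 and TM-006 above from a constructed set of alert tickets, together with the 7 day rolling average the trend charts use. The ticket data, the shift length and the EPAH target band are assumptions.

```python
from collections import Counter

# Constructed alert tickets for one shift (sample data, not figures from the deck).
# Fields: analyst who worked it, use case that fired, escalated to level 2?, reported false positive?
TICKETS = [
    ("Joe",  "SQL Injection from Internal",       False, True),
    ("Joe",  "SQL Injection from Internal",       True,  False),
    ("Joe",  "Brute force SSH password attack",   False, False),
    ("Joe",  "Connection to potential Zeus host", True,  False),
    ("Mary", "SQL Injection from Internal",       False, True),
    ("Mary", "Rogue access point",                False, False),
    ("Mary", "Brute force SSH password attack",   False, True),
    ("Mary", "Connection to potential Zeus host", False, False),
    ("Mary", "Connection on port 8000-8002",      True,  False),
    ("Jane", "Connection on port 8000-8002",      False, False),
    ("Jane", "Rogue access point",                False, False),
    ("Jane", "Connection to potential Zeus host", False, False),
]
SHIFT_HOURS = 4.0           # assumed length of the window the tickets cover
EPAH_TARGET = (0.8, 1.2)    # assumed target band for events per analyst per hour


def events_per_analyst_per_hour(tickets=TICKETS, hours=SHIFT_HOURS):
    """TM-003: alerts each analyst had to research per hour, plus the team figure."""
    per_analyst = Counter(analyst for analyst, *_ in tickets)
    epah = {a: n / hours for a, n in per_analyst.items()}
    epah["team"] = len(tickets) / hours / len(per_analyst)
    return epah


def outside_target(epah, band=EPAH_TARGET):
    """Analysts outside the target band: candidates for rebalancing, staffing or training."""
    lo, hi = band
    return sorted(a for a, v in epah.items() if a != "team" and not lo <= v <= hi)


def escalation_rate(tickets=TICKETS):
    """TM-007: (escalated, total) per analyst; a high ratio hints at a training gap or bad use case."""
    total, escalated = Counter(), Counter()
    for analyst, _, esc, _ in tickets:
        total[analyst] += 1
        escalated[analyst] += int(esc)
    return {a: (escalated[a], total[a]) for a in total}


def top_false_positive_use_cases(tickets=TICKETS, top=5):
    """TM-006: percentage of alerts per use case that recipients reported as false positives."""
    total, fp = Counter(), Counter()
    for _, use_case, _, is_fp in tickets:
        total[use_case] += 1
        fp[use_case] += int(is_fp)
    rates = {u: round(100.0 * fp[u] / total[u], 1) for u in total}
    return sorted(rates.items(), key=lambda kv: kv[1], reverse=True)[:top]


def rolling_average(daily, window=7):
    """7 day rolling average used by the trend charts (shorter window at the start of the series)."""
    out = []
    for i in range(len(daily)):
        win = daily[max(0, i - window + 1):i + 1]
        out.append(round(sum(win) / len(win), 2))
    return out
```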
KPIs: Sample practices Key Performance Indicators - Executive Dashboard
Each period shows daily mean / daily high / daily low.
ID      | Metric                      | November '13    | December '13    | Current period  | Trend | Status
KPI-001 | Threat Level                | 16 / 21 / 13    | 18 / 28 / 16    | 20 / 27 / 19    | ▲     | 2
KPI-002 | Prevented Attacks           | 7 / 9 / 3       | 13 / 23 / 7     | 13 / 16 / 5     | --    | 2
KPI-003 | Contained Attacks           | 19 / 21 / 17    | 17 / 19 / 8     | 13 / 17 / 8     | ▼     | 2
KPI-004 | Blacklisted Sources         | 7 / 8 / 6       | 13 / 13 / 12    | 17 / 20 / 16    | ▲     | 2
KPI-005 | Cases Opened                | 2 / 3 / 0       | 2 / 3 / 0       | 3 / 4 / 1       | --    | 2
KPI-006 | Case Backlog                | 7 / 8 / 6       | 13 / 15 / 10    | 17 / 20 / 16    | ▲     | 1
KPI-007 | Closed Cases                | 2 / 4 / 0       | 4 / 5 / 1       | 3 / 4 / 0       | --    | 1
KPI-008 | Case Resolution Time (Days) | 2.3 / 4.3 / 1.2 | 2.6 / 6.1 / 1.3 | 2.8 / 8.1 / 1.4 | ▲     | 2
KPI-009 | Log Visibility (Perimeter)  | 80% / 82% / 74% | 82% / 84% / 77% | 85% / 87% / 82% | ▲     | 1
KPI-010 | Log Visibility (Internal)   | 25% / 26% / 24% | 20% / 22% / 18% | 15% / 18% / 13% | ▼     | 2
Processes
5G/SOC should break down silos
Silos shown: A/V, App, IAM, DAM, DLP, WAF, Host, Perimeter
5G/SOC should measure your control effectiveness
Big data analysis
Hunt teams
Use cases:
• Previously unseen connections from DMZ servers
• Previously unseen connections from critical business servers
• Previously unseen executables launching
• Abnormal logins from service accounts
• Abnormal logins from admin accounts
Select a subset of fields to save long term for analytical searches
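Added example, not HP's code: a first-seen detector for two of the hunt use cases above (previously unseen connections from DMZ servers, previously unseen executables launching), run over constructed baseline and current-day log lines. It keeps only the key fields from the baseline, in line with the slide's advice to save a subset of fields for long-term searches. The DMZ range and the log format are assumptions.

```python
import ipaddress

# Constructed logs (sample data, not from the deck). Only a few fields are kept per event.
DMZ = ipaddress.ip_network("10.10.0.0/24")    # assumed DMZ address range

BASELINE_FLOWS = [   # flow records from the baseline period (DMZ and internal sources)
    "2013-01-01T02:10 src=10.10.0.5 dst=10.20.0.8 dport=443",
    "2013-01-01T02:11 src=10.10.0.5 dst=10.20.0.8 dport=443",
    "2013-01-02T03:00 src=10.10.0.7 dst=10.20.0.9 dport=1433",
    "2013-01-02T09:00 src=10.30.0.1 dst=10.20.0.9 dport=1433",
]
NEW_FLOWS = [        # the day under review
    "2013-01-07T01:00 src=10.10.0.5 dst=10.20.0.8 dport=443",
    "2013-01-07T01:05 src=10.10.0.5 dst=10.20.0.11 dport=22",
    "2013-01-07T01:06 src=10.10.0.7 dst=10.20.0.9 dport=1433",
    "2013-01-07T01:07 src=10.30.0.1 dst=10.20.0.12 dport=445",
]
BASELINE_EXECS = [   # process-launch records from the baseline period
    "2013-01-03T10:00 host=ws-12 image=C:\\Windows\\System32\\svchost.exe",
    "2013-01-03T10:01 host=ws-12 image=C:\\Office\\winword.exe",
]
NEW_EXECS = [
    "2013-01-07T11:00 host=ws-12 image=C:\\Office\\WINWORD.EXE",
    "2013-01-07T11:02 host=ws-12 image=C:\\Users\\Public\\update.exe",
]


def parse(line):
    """key=value log line -> dict, timestamp kept under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec


def first_seen(baseline, new, key, scope=lambda r: True):
    """Records in `new` whose key never appeared in `baseline`; each new key is reported once.
    The baseline is reduced to the set of keys, which is all that needs storing long term."""
    known = {key(r) for r in map(parse, baseline) if scope(r)}
    hits = []
    for r in map(parse, new):
        k = key(r)
        if scope(r) and k not in known:
            hits.append(r)
            known.add(k)
    return hits


def from_dmz(rec):
    return ipaddress.ip_address(rec["src"]) in DMZ


def unseen_dmz_connections(baseline=BASELINE_FLOWS, new=NEW_FLOWS):
    """Use case: previously unseen connections from DMZ servers, keyed on (src, dst, dport)."""
    return first_seen(baseline, new, key=lambda r: (r["src"], r["dst"], r["dport"]), scope=from_dmz)


def unseen_executables(baseline=BASELINE_EXECS, new=NEW_EXECS):
    """Use case: previously unseen executables launching, keyed on host and case-folded image path."""
    return first_seen(baseline, new, key=lambda r: (r["host"], r["image"].lower()))
```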
For more information
Attend these sessions:
• BB3260, State of Security Operations
• BB3270, How to Build a Successful SOC
• PN3578, Security Analytics Panel
• TT3035, Bridging the gap: SOC and CSIRT
• BB3101, The Next Big Thing
After the event:
• Visit http://hp.com/go/sioc to download the 5G/SOC Whitepaper and the State of Security Operations report
• Contact your sales rep
Session BB3055, Speaker: James Blake
Thank you! jblake@hp.com +44 (0) 7917 558639 www.hp.com/go/5GSOC