SOC & BUSINESS DRIVEN CYBER THREATS
Mahmoud Yassin, Lead Security Eng. SOC & NOC, National Bank of Abu Dhabi
Jun 08, 2015
• Business today
• What is the business's effect on the security community
• Cyber threats and business targets
• New trends in cyber threats
• Approach to target new cyber threats
• Security management in a dynamic environment
• SOC or OPSOC
• Recommended actions for the SOC against new threats
BUSINESS TODAY
TODAY'S BUSINESS CLIMATE
• Running a business in the 21st century isn't easy!
• Security regulations abound
• 62% of companies spend more on compliance than protection*
• Evolution of technology and business demands has resulted in highly diverse environments
• Managing an increasing number of vulnerabilities in the face of sophisticated threats
• Difficulties in aligning people, process and technology
• Challenges in leveraging security knowledge and business process
*Source: Riren
• 84% agree innovation is critical to success in the new economy
• Business & technology approach needs to be more flexible to meet changing customer needs
• 92% believe business cycles will continue to be unpredictable in the coming few years
• 8 out of 10
IT SPRAWL HAS BUSINESS AT THE BREAKING POINT
• Business innovation throttled to 30%: time to revenue; cost of lost time, effort, opportunity; unpredictable business cycles
• 70% captive in operations and maintenance: rigid & aging infrastructure; application & information complexity; inflexible business processes
Security is framework for ALL
TOMORROW'S BUSINESS WILL BE BUILT ON A CONVERGED INFRASTRUCTURE
Layers: power & cooling, management software, network, servers, storage
Virtualized • Resilient • Orchestrated • Optimized • Modular and Secure
• Any application, anywhere
• Flex resources on demand
• Unlock productivity
• Predictable continuity of service
• Faster time to business value
Unleash the potential: building on what you have today, all on a secure platform
TODAY'S BUSINESS & INFORMATION SECURITY
SECURITY AND BUSINESS INFRASTRUCTURE (diversity of IT and security increases over time)
• Pre-1980s, Mainframes: business security incorporated into the system; mainframe, centralized security
• 1980s-1990s, Client/Server: security begins to diverge as systems become more distributed; client/server security is client based
• 2000s, Multi-tier application architecture: traditional application development complicates security visibility; web application security
• 2010s, Business cloud (vendors, partners, clients): business demands strain IT and security in the light of diversity
SECURITY WORRIES
• I worry about a hacker gaining access to our Oracle database and copying social security numbers
• I worry about a converged network; if the network goes down you lose both voice and data, increasing the risk and worry
• I worry about staff; I can't protect the network from internal sabotage, disgruntled network administrators, IT personnel, etc.
• I worry about new computers being plugged into the network after they have been off net
• I worry about the new wide range of handheld IP devices which people plug in at will from near and far-flung locations
• I worry about security in the public cloud
• I worry about the virtual environment; it has 60% of my server power
• I worry about employees working at home bridging networks via WLANs, opening up access to our network
Source: Nick Lippis, Trusted Networks Symposium
GETTING THERE
• Technical / Tactical: "Build Success Early"
  - Risk management
  - Define threat landscape
• Management: "Organize and Architect"
  - Information security management framework
• Business Management: "Balanced Approach to the Business"
  - Security services management
• Technical / Strategic: "Actionable Foundation"
  - Integrated security operations capability
  - Network access control
Establish a meaningful, early-win risk approach
Align people & process to meet multiple regulations
Increase technical visibility, command and control
Employ metrics to measure against the business goals
SECURITY PAIN
• Security investments based on ROSI
• Executives growing weary
  - Less talk, more revenue
  - Diminishing expectations of security investments
  - "More money? What did you do with the last check?"
• Constant deluge of "new" security problems
• Regulatory compliance challenges
• Cultural challenges inside and outside IT
• Cyber security & Advanced Persistent Threats
CYBER THREATS AND BUSINESS TARGET
• Extortion
• Loss of intellectual property/data
• Potential for disruption
  - As part of cyber conflict (e.g. Estonia)
  - As target of cyber protest (e.g. anti-globalization)
• Potential accountability for misuse (e.g. botnets)
• Potential for data corruption
• Terrorism
CYBER RISKS ARE AN INCREASING THREAT TO SOURCES OF ENTERPRISE CAPABILITY AND BRAND COMPETITIVENESS
Threats (labelled on the slide as "Now" or "Emerging"):
• Phishing and pharming driving increased customer costs, especially for the financial services sector
• DDoS extortion attacks
• DDoS and poisoning attacks
• Focused attacks coordinated with physical attacks
Sources of enterprise capability at risk:
• National security information / export-controlled information
• Sensitive competitive data
• Sensitive personal/customer data
• E-business and internal administration
• Connections with partners
• Ability to operate and deliver core services
Impacts:
• Reputational hits; legal accountability
• Impact on operations or customers through data
MASS-SCALE HACKING
• It's ROI focused.
• It's not personal. Automated attacks against mass targets, not specific individuals.
• It's multilayer. Each party involved in the hacking process has a unique role and uses a different financial model.
• It's automated. Botnets exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware and manipulate search engine results.
• Common attack types include:
  - Data theft or SQL injection
  - Business logic attacks
  - Denial of service attacks
Source: Amichai Shulman
RECENT INCIDENTS: RISE OF THE PROFESSIONALS
• Estonia: As part of unrest and pro-Russian riots in Tallinn, the Internet-embracing nation undergoes massive online attacks from ethnic Russians
• Zeus Trojan: Zeus Trojan, capable of defeating the one-time password systems used in the finance sector, targets commercial bank accounts and has gained control of more than 3 million computers, just in the US
• Stuxnet : Stuxnet is a computer worm discovered in June 2010. It initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment. While it is not the first time that hackers have targeted industrial systems,[1] it is the first discovered malware that spies on and subverts industrial systems,[2] and the first to include a programmable logic controller (PLC) rootkit.[3][4]
NEW TRENDS IN CYBER THREATS
CYBER SECURITY
Are you the next Victim?
BEFORE 2009
2010 - THE YEAR HACKING BECAME A BUSINESS
2010 was the year hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer software developers and sellers.
It was the year when cyber-criminals targeted everything from MySpace to Facebook.
Are you one of the victims in June?
WE ARCHIVED 1,419,202 WEBSITE DEFACEMENTS
Source: Trend Micro
Attacks by month, year 2010 (website defacements)
Month   Count
Jan      53,915
Feb      57,867
Mar      73,712
Apr      95,078
May      83,182
Jun      81,865
Jul      87,364
Aug      63,367
Sep     185,741
Oct     194,692
Nov     258,355
Dec     184,064
Total 1,419,202
HACKING AS BUSINESS
Hacking isn't a kid's game anymore. It has a price ...$$$...
The black market (USD):
• Trojan program to steal online account information: $980-$4,900
• Credit card number with PIN: $490
• Billing data, including account number, address, Social Security number, home address, and birth date: $78-$294
• Driver's license: $147
• Birth certificate: $147
• Social Security card: $98
• Credit card number with security code and expiration date: $6-$24
• PayPal account logon and password: $6
Data source: Trend Micro
HACKING AS SERVICES
• DDoS attacks. The price usually depends on the attack time:
  - 1 hour: US$10-20 (depends on the seller)
  - 2 hours: US$20-40
  - 1 day: US$100
  - More than 1 day: from US$200 (depends on the complexity of the job)
  It is worth highlighting that they normally offer 10 minutes of testing: if you are interested, you tell them the server and they will perform a DoS attack for 10 minutes, so that you can evaluate the 'service'.
• Spam hosting: US$200
  - Dedicated spam server: US$500
  - 10,000,000 mails per day: US$600
  - SMS spam (per message): US$0.2
  - ICQ (1,000,000): US$150
• Hiding of executable files, to avoid antivirus programs and firewalls (they guarantee that the files won't be detected even by the antivirus updates of the date of purchase): from US$1 to US$5 per executable file (cheap, isn't it?)
• RapidShare premium accounts (server hosting): 1 month US$5, 2 months US$8, 3 months US$12, 6 months US$18, 1 year US$28
HACKING AS ORGANIZED CRIME
Cyber criminals have become an organized bunch. They use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together.
Software as a Service for criminals
Attackers use sophisticated trading interfaces to classify the stolen accounts by the FTP server's country of origin and the compromised site's Google page ranking. This information enables attackers to determine the resale cost of the compromised FTP credentials to other cybercriminals, or to use the credentials themselves in an attack against the more prominent websites.
Malware that encrypts data and then demands money to provide the decryption key: FileFixPro
YEAR 2011
SONY CASES, APRIL-JUNE 2011
2011-04-04 Anonymous Engages in Sony DDoS Attacks Over GeoHot PS3 Lawsuit
2011-04-20 Sony PSN Offline
2011-04-26 PSN Outage caused by Rebug Firmware
2011-04-26 PlayStation Network (PSN) Hacked
2011-04-27 Ars readers report credit card fraud, blame Sony
2011-04-28 Sony PSN hack triggers lawsuit; Sony says SOE Customer Data Safe
2011-05-02 Sony Online Entertainment (SOE) hacked; SOE Network Taken Offline
2011-05-03 Sony Online Entertainment (SOE) issues breach notification letter
2011-05-05 Sony Brings In Forensic Experts On Data Breaches
2011-05-06 Sony Networks Lacked Firewall, Ran Obsolete Software: Testimony
2011-05-07 Sony succumbs to another hack leaking 2,500 "old records"
2011-05-14 Sony resuming PlayStation Network, Qriocity services
2011-05-17 PSN Accounts still subject to a vulnerability
2011-05-18 Prolexic rumored to consult with Sony on security
2011-05-20 Phishing site found on a Sony server
2011-05-21 Hack on Sony-owned ISP steals $1,220 in virtual cash
2011-05-22 Sony BMG Greece the latest hacked Sony site
2011-05-23 LulzSec leak Sony's Japanese Websites
2011-05-23 PSN breach and restoration to cost $171M, Sony estimates
2011-05-24 Sony says hacker stole 2,000 records from Canadian site (Sony Ericsson)
2011-06-02 LulzSec versus Sony Pictures
2011-06-02 Sony BMG Belgium (sonybmg.be) database exposed
2011-06-02 Sony BMG Netherlands (sonybmg.nl) database exposed
2011-06-02 Sony, Epsilon Testify Before Congress
2011-06-03 Sony Europe database leaked
2011-06-05 Latest Hack Shows Sony Didn't Plug Holes
2011-06-05 Sony Pictures Russia (www.sonypictures.ru) databases leaked
2011-06-06 LulzSec Hackers Post Sony Computer Entertainment Developer Network (SCE Devnet)
2011-06-06 LulzSec hits Sony BMG, leaks internal network maps
2011-06-08 Sony Portugal latest to fall to hackers
2011-06-08 Spoofing leads to fraud via shopping coupons at Sonisutoa / My Sony Club (Google translation)
2011-06-11 Spain Arrests 3 Suspects in Sony Hacking Case
2011-06-20 SQLi on sonypictures.fr
2011-06-23 Class Action Lawsuit Filed Against Sony/SCEA
2011-06-28 Sony CEO asked to step down on heels of hacking fiasco
2011-07-06 Hackers post fake celebrity stories on Sony site
Other 2011 cases:
• Anonymous leaks Bank of America e-mails
• Hong Kong Stock Exchange website hacked, impacts trades
• Lulz Security hackers target Sun website
CYBER CRIME AND CYBER ESPIONAGE ARE HAVING REAL IMPACTS
• Estimated $1 trillion of intellectual property stolen each year (Gartner & McAfee, Jan 2010)
• Cybercrime up 63% in 2011 (McAfee)
• Topped $20 billion at financial institutions
• Reported cyber attacks on U.S. government computer networks climbed 40% in 2011
• RSA breach (March 2011)
• DigiNotar bankrupt (2011)
Source: Report of the CSIS Commission on Cyber Security for the 44th Presidency
RSA BREACH
• March 11, 2011: breach detected, not public
• Thursday March 17, 2011: story broke
  - Threat Intelligence Committee call
• Friday March 18, 2011
  - Cyber UCG call
  - NCI call with DHS
  - Threat Intelligence Committee call w/ RSA
  - FS-ISAC membership call w/ RSA
  - NCI call
  - Mitigation Report Working Group calls
  - Mitigation Report
75% OF ATTACKS OCCUR THROUGH WEB APPLICATIONS - GARTNER
• Approximately 66 vulnerabilities per website were found, for a total of 210,000 vulnerabilities over the scanned population.
• 50% of the websites with instances of high vulnerabilities were susceptible to SQL injection, while 42% of these websites were prone to cross-site scripting. Other serious vulnerabilities include blind SQL injection, cross-site scripting, CRLF injection and HTTP response splitting, as well as script source code disclosure.
Sources: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open-Source Vulnerability Database, and the Symantec Vulnerability Database; http://www.acunetix.com/news/security-audit-results.htm
Web security risks are growing
VISIBILITY OF ADVANCED PERSISTENT THREATS
Source from : [email protected] April 2010
-- Invisible --
TODAY'S THREAT LANDSCAPE
• External attacks: Trojans, viruses, worms, phishing. Not protected by firewalls; requires IPS.
• Undetected attacks: vulnerabilities and compromised machines may lie dormant for months, awaiting an attacker to exploit them. Requires vulnerability awareness and end-point intelligence.
• Information leakage: point-to-point VPNs plus desktop and mobile internet connections provide ample opportunity. Requires compliance monitoring and enforcement.
• Porous perimeter: every machine is a peering point; laptops carry infection past firewalls. Requires IDS.
Controls: Intrusion Prevention, Vulnerability Assessment, Network Behavior Analysis (NBA), Network Access Control (NAC), Network Intelligence, User Intelligence
APPROACH TO TARGET NEW CYBER THREATS
ENTERPRISE SECURITY ARCHITECTURE
Network Security
System Security
Application Security
Data Security
Operational Security
Physical / Data Center Security
Personnel Security
End Point Security
Security Management
THE ENTERPRISE TODAY - MOUNTAINS OF DATA, MANY STAKEHOLDERS
Router logs
IDS/IDP logs
VPN logs
Firewall logs
Windows logs
Wireless access logs
Windows domain logins
Oracle Financial Logs
San File Access Logs
VLAN Access & Control logs
DHCP logs
Mainframe logs
Client & file server logs
Linux, Unix, Windows OS logs
Database Logs
Switch logs
Web server activity logs
Content management logs
Web cache & proxy logs
VA Scan logs
Configuration Control
Lockdown enforcement
Access Control Enforcement
Privileged User Management
Malicious Code Detection
Spyware detection
Real-Time Monitoring
Troubleshooting
Unauthorized Service Detection
IP Leakage
False Positive Reduction
User Monitoring
SLA Monitoring
Source: RSA
SECURITY MANAGEMENT IN A DYNAMIC ENVIRONMENT
RISK-BASED APPROACH FOR SECURITY MANAGEMENT
Risk Management: The Business Model
• Security is relative: many risks and many solutions
• Security is everyone's business
• Security is a process: things fail all the time
• Variety of options: accept the risk; mitigate the risk with people/procedure/technology; transfer the risk
STEPS FOR BETTER SECURITY
Step 1: Know your risks
- Risk assessment / compliance assessment
- Vulnerability assessment
- Web application assessment / pentest
Inputs to the risk picture: assets (system, application and process, business data); regulatory and compliance force; internal and external threats; vulnerability; cost of doing business; ROSI (return on security investment)
STEPS FOR BETTER SECURITY
Step 2: Visualize your situation
- Security Operation Center (SOC): incident management, ITIL process
- SIEM solution (Security Information & Event Management): log consolidation, system monitoring, intelligence and correlation
STEPS FOR BETTER SECURITY
Step 3: Know your enemy's behavior
You need investigation tools
• for pervasive visibility into content and behavior
• providing precise and actionable intelligence
WHAT'S IN A SOC
What is it? What does it do? What's a good one and what's a bad one? Is it worth the time/money?
TOP TECHNICAL ISSUES
• Increase Speed of Aggregation and Correlation
• Maximize Device and System Coverage
• Improve Ability to Respond Quickly
• Deliver 24 x 7 Coverage (this doesn’t have to be done by the SOC!)
• Support for Federated and Distributed Environments
• Provide Forensic Capabilities
• Ensure Intelligent Integration between SOCs and NOCs
SOC FRAMEWORK
• Operational models (SOC and ODC)
• Industry standards and best practices (ITIL, BS7799/ISO17799, SANS, CERT)
• Service delivery (onsite, near shore and offshore); service delivery windows (24x7, 8x5, 12x7)
• Web portal (operational reporting, advisories)
• Knowledgebase (incident & problem mgmt., testing, product evaluation)
• Security center of excellence (test bed, technology innovation, knowledge mgmt., trainings)
• Tools (helpdesk, monitoring, mgmt., configuration, automation/workflow)
• Command center: security advisory, reporting
• Infrastructure mgmt. stream: device operations (change, vendor mgmt., installation, configuration); device supervision (performance, incident, monitoring)
• Security mgmt. stream: security change, incident management, security monitoring
• People resource (cross skilling, rotation, training, ramp-up and scale down)
• Program management (customer interface, escalation mgmt., strategic assistance, operational supervision, quality control)
SOC OR OPERATIONAL SOC...
Compliance operations and security operations: access control, configuration control, malicious software, policy enforcement, user monitoring & management, environmental & transmission security, access control enforcement, SLA compliance monitoring, false positive reduction, real-time monitoring, unauthorized network service detection, more...
All the data, log management: any enterprise IP device (Universal Device Support, UDS); no filtering, normalizing, or data reduction; security events & operational information; no agents required
Stakeholders: server engineering, business ops., compliance audit, application & database, network ops., risk mgmt., security ops., desktop ops.
Functions: report, alert/correlation, incident mgmt., log mgmt., asset identification, forensics, baseline
...for compliance & security operations
THE 3 (MAIN) FUNCTIONS OF A SOC
• The reason for a SOC: Business Continuity, Risk Mitigation, Cost Efficiency
• What does the SOC do?
1. Real-time monitoring / management
• Aggregate logs
• Aggregate more than logs
• Coordinate response and remediation
• “Google Earth” view from a security perspective
2. Reporting / Custom views
• Security Professionals
• Executives
• Auditors
• Consistent
3. After-Action Analysis
• Forensics
• Investigation
• Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to the business, transparency, passing audits, consistency, reproducibility
• Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk, failing audits, inconsistency
PRIORITIZATION AND REMEDIATION
• Deal with what's most relevant to the business first!
• Gather asset data
• Gather business priorities
• Understand the business context of an incident
• Break down the IT silos
• Coordinate responses
• Inform all who need to know of an incident
• Work with existing ticketing / workflow systems
• Threat * Weakness * Business Value = Risk
• Deal with BUSINESS RISK
SOC AND BUSINESS EXPECTATION
Historical: technology-based services, monitoring & management
• Firewalls • IDS/IPS • VPN concentrators • Antivirus • Content filtering
Today's scenario: business-oriented IT risk management
• IT risk dashboard • Sustaining enterprise security control • Meeting industry process
Compliance driven
• Security control assessment • Enforcing enterprise security policies • Log management • Incident management • Audits
SOC ANATOMY (proactive IT risk management cycle)
1. Identify & define
   - Identify business units & services
   - Identify applicable regulations
   - Discover & classify assets
   - Assign values to assets
   - Define policies, procedures, standards & guidelines
   - Establish process
2. Threats & vulnerability identification
   - Identify threat sources
   - Identify potential threats
   - Scan assets for vulnerabilities
   - Prioritize vulnerabilities
   - Identify existing control mechanisms
   - Review existing mitigation plan
   - Review procedures & process
3. Impact analysis & risk determination
   - Analyze likelihood of threat exploitation
   - Identify magnitude of impact on business
   - Prioritize risks
4. Risk mitigation
   - Review existing control mechanism
   - Verify control mechanism
   - Control recommendation & benefit analysis
   - Prepare/modify risk mitigation plan
   - Execute mitigation plan / implement new controls
5. Verify control effectiveness
   - Conduct tests to verify control is effective
   - Report residual risk
   - Management sign-off for residual risk
6. Monitor & analyze
   - Monitor environment continuously for new threats & vulnerabilities
   - Analyze whether risk is acceptable
SOLUTION MAPPING TO SOC SERVICES
• Vulnerability assessment
• Penetration testing
• Infrastructure assessment service
• Recommendation of security controls
• Implementation of security controls
• Security device management
• End user security control
• 24x7 monitoring of security events
• Enterprise incident response
• Enterprise risk dashboard
• Compliance reports
• Etc.
Mapped onto the risk cycle phases: threats & vulnerability identification (zero-day attack detection); risk mitigation; monitor & analyze; impact analysis & risk determination
SOC ARCHITECTURE
Corporate WAN connecting Data-Center 1 ... Data-Center n (server farms, storage) and other business units to SOC centralized management (L1, L2, L3)
Risk monitoring portal: performance monitoring, security monitoring, availability monitoring, scheduled reporting
Support: threat analysis, risk assessment, manage performance, manage availability, trend analysis and reporting, compliance management
Process framework: ITIL; best practice: ISO 27001, SANS, FDDI
Risk mitigation plan; control verification; compliance impact analysis; manage new requirements
PROACTIVE SOC APPROACH
Security operations & management: logs, event correlation, reports & statistics, forensics, knowledgebase, security analytics
Service management: customer service, technical support, incident mgmt, problem mgmt, release mgmt, change mgmt, configuration mgmt
Proactive intelligence: infrastructure assessment service, vulnerability assessment & penetration testing, vulnerability management, customized advisories
Standards: BSI 15000, ITIL, ISO, ISO 27001 etc.
PEOPLE, PROCESS, OR TECHNOLOGY PROBLEM?
SOC OPERATIONAL MODEL (PEOPLE)
L1: Security operators
- Security event monitoring
- Incident detection & 1st level analysis
- Routine maintenance & operational tasks
- Operational reporting
L2: Security analysts
- Incident analysis & validation
- Vulnerability assessment & remediation support
- Device mgmt. tasks
- Trend monitoring & analysis
- Vulnerability impact analysis
- Escalation management
- Compliance reporting
L3: Security incident managers
- Incident handling & closure
- Service mgmt. reporting
- Compliance impact analysis
- Manage new requirements
SOC operations managers
- SOC incident management
- Performance mgmt., problem mgmt., change & release mgmt., configuration mgmt., service level mgmt., availability & continuity mgmt.
SOC management team
- Resource management, skill development
- Operational process improvement
- Program escalation management
- Customer management
SOC security
- Administration of SOC security
- Implementation projects
- Compliance mgmt.
- Incident mgmt.
- Enhancement projects
SOC engineering
- Management of SOC tool configuration
- Enhancement to SOC tools
- Architecture design of SOC
- Transformation projects for SOC
Vendor management: technical support, incident escalation, product support, trainings
Knowledgebase / security portal; threat alert & advisory
COEs: threat A&A, innovation, benchmarks, reuse of components/solutions
SOC service delivery structure
Information & Action
Network Industry Sources
Firewalls SD
HEWLETTPACKARD
Syslogs SNMP
IDS
NORMALIZE
FILTERING
CORRELATION
INTELLIGENCE
ENGINEERS
Tool Foot Print
Manager
Raw log data
Alerts & normalize log data
SOC
Agent
Dashboard view via portal
Real Time Security Analysis
Response & Management
Real Time Alert Management
Normalised Alerts
Consolidated Logs
Remote management from -SOC
Asset Criticality
Asset Vulnerability
Collect Collect Collect
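The collect, normalize, filter and correlate stages of the process model above, as an added example that is not part of the original deck. It is a miniature pipeline in Python: constructed log lines from three device types (a firewall, an IDS and a Windows server, mirroring the slide's device list) are mapped onto one event schema, routine permitted traffic is filtered out, and a correlation rule raises an alert when one source produces repeated logon failures followed by a success on the same host, weighted by the asset criticality the slide lists as an input. The log formats, host names, addresses and criticality values are all assumptions made for the example.

```python
"""Added example (not from the original slides): a miniature SOC log pipeline
-- collect -> normalize -> filter -> correlate -> alert, with asset criticality
used to score the alert. Every log line, host and address is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input. The three line formats are illustrative, not any
# vendor's real syntax; timestamps are ISO 8601 so they parse with the stdlib.
RAW_LOGS = [
    "2015-06-08T09:00:01 fw01 deny src=203.0.113.9 dst=10.0.0.5 dport=22",
    "2015-06-08T09:00:02 fw01 deny src=203.0.113.9 dst=10.0.0.5 dport=23",
    "2015-06-08T09:00:03 fw01 permit src=10.0.0.7 dst=10.0.0.5 dport=443",
    "2015-06-08T09:00:05 ids01 alert sig=SSH_BRUTE src=203.0.113.9 dst=10.0.0.5",
    "2015-06-08T09:00:09 win-db01 4625 user=admin src=203.0.113.9",
    "2015-06-08T09:00:10 win-db01 4625 user=admin src=203.0.113.9",
    "2015-06-08T09:00:11 win-db01 4625 user=admin src=203.0.113.9",
    "2015-06-08T09:00:12 win-db01 4624 user=admin src=203.0.113.9",
    "2015-06-08T09:00:20 win-fs02 4624 user=jdoe src=10.0.0.7",
]

# Asset criticality as an asset inventory / CMDB would supply it (constructed, 1-5).
ASSET_CRITICALITY = {"10.0.0.5": 5, "win-db01": 5, "win-fs02": 2}

@dataclass
class Event:
    ts: datetime
    source_device: str
    kind: str      # normalized event type, independent of the producing device
    src: str
    dst: str

FW_RE = re.compile(r"^(\S+) (\S+) (deny|permit) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\S+) (\S+) alert sig=(\S+) src=(\S+) dst=(\S+)$")
WIN_RE = re.compile(r"^(\S+) (\S+) (4624|4625) user=(\S+) src=(\S+)$")

def normalize(line: str):
    """NORMALIZE stage: map each device format onto the common Event schema.
    Returns None for lines no parser recognises, so they can be counted, not lost."""
    if m := FW_RE.match(line):
        ts, dev, action, src, dst, _port = m.groups()
        return Event(datetime.fromisoformat(ts), dev, f"fw_{action}", src, dst)
    if m := IDS_RE.match(line):
        ts, dev, sig, src, dst = m.groups()
        return Event(datetime.fromisoformat(ts), dev, f"ids_{sig}", src, dst)
    if m := WIN_RE.match(line):
        ts, dev, event_id, _user, src = m.groups()
        kind = "logon_failure" if event_id == "4625" else "logon_success"
        return Event(datetime.fromisoformat(ts), dev, kind, src, dev)
    return None

def keep(ev: Event) -> bool:
    """FILTERING stage: drop routine permitted traffic so correlation sees signal only."""
    return ev.kind != "fw_permit"

def correlate(events, failures=3, window_s=60):
    """CORRELATION stage: alert when one source causes >= `failures` logon failures
    and then a logon success on the same host within `window_s` seconds.
    Severity = asset criticality x number of failures, so a critical host ranks first."""
    alerts = []
    by_pair = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pair[(ev.src, ev.dst)].append(ev)
    for (src, dst), evs in by_pair.items():
        fails = [e for e in evs if e.kind == "logon_failure"]
        for s in (e for e in evs if e.kind == "logon_success"):
            recent = [f for f in fails if 0 <= (s.ts - f.ts).total_seconds() <= window_s]
            if len(recent) >= failures:
                crit = ASSET_CRITICALITY.get(dst, 1)
                alerts.append({"src": src, "asset": dst, "failures": len(recent),
                               "severity": crit * len(recent)})
    return alerts

def run_pipeline(lines=RAW_LOGS):
    """COLLECT -> NORMALIZE -> FILTER -> CORRELATE over the constructed log set."""
    events = [e for e in map(normalize, lines) if e is not None]
    return correlate([e for e in events if keep(e)])

if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

On the constructed input the only alert is for 203.0.113.9 against win-db01 (three failures, then a success, severity 15); the single success on win-fs02 produces nothing because no failures precede it. The firewall denies and the IDS signature from the same source are kept after filtering and would feed a second rule in a fuller SOC; the point of the example is that normalization into one schema is what makes a cross-device rule like this possible.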
SOC OPERATIONAL MODEL (TECHNOLOGY)
Manage: devices (Trend Micro Antivirus, Microsoft ISS, Juniper IDP, Cisco IPS, Netscreen Firewall, Windows Server), legacy supported devices, UDS
Analyze: correlated alerts, real-time analysis, event explorer, interactive query, baseline, report, forensics, integrated incident mgmt.
SOC KEY DIFFERENTIATION AREAS
• Configuration Management Database (CMDB) features:
• Connectors sync data with external systems
• Create, update, and view CIs
• Create relationships among CIs, WIs, IT staff, and Active Directory® Domain Services (AD DS) users
• Automatically track CI change history
• Service definition and mapping
INTEGRATED CMDB
Integrated | Efficient | Business Aligned
Work Items
Config Items
CMDB Data
Relationships
WHAT OUR CUSTOMER DATA TELLS US
Operational issues account for 76% of Critical Situations (CritSits):
• 48% misconfiguration
  - 33% were due to installation issues
  - 67% post-installation 'changes'
• 22% are how-to related: poor / improper operation of the environment
• 6% due to KNOWN bugs, already fixed
• 3% NEW bugs
• 21% is everything else combined ("unclassified" or 'other')
INCIDENT MANAGEMENT: KEEP USERS AND DATA CENTER SERVICES UP AND RUNNING, AND RESTORE SERVICE QUICKLY
• Process workflows • Escalations • Notifications
• Customizable templates • Knowledge & history
• Automatic incident creation from: Desired Configuration Monitor (DCM) errors, Operations Manager alerts, inbound email, portal
CASE MANAGEMENT: ENABLES ORGANIZATIONS TO IDENTIFY AND TRACK PROBLEMS
• Problem creation from similar incidents or attacks
• Link incidents and change requests to the problem
• Auto resolution of incidents linked to the problem
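The three case-management behaviours just listed, as an added example in Python that is not code from the original deck or from any product it names: incidents sharing an attack signature and target are grouped under one problem once enough of them accumulate, later incidents and change requests are linked to that problem, and closing the problem resolves every linked incident. The incident records, the grouping key (attack type plus target) and the threshold of three are assumptions for the example.

```python
"""Added example (not from the original slides): minimal problem management
on top of SOC incidents -- group similar incidents into a problem, link change
requests, and auto-resolve linked incidents when the problem closes.
All incident data is constructed."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Incident:
    id: str
    attack: str                  # e.g. IDS signature or attack type (constructed)
    target: str                  # affected service / configuration item
    status: str = "open"
    problem_id: Optional[str] = None

@dataclass
class Problem:
    id: str
    key: tuple                   # (attack, target) shared by the linked incidents
    incidents: list = field(default_factory=list)
    changes: list = field(default_factory=list)
    status: str = "open"

class CaseManager:
    def __init__(self, threshold=3):
        self.threshold = threshold   # similar incidents needed before a problem is raised
        self.incidents = {}
        self.problems = {}

    def _similar(self, inc):
        return [i for i in self.incidents.values()
                if (i.attack, i.target) == (inc.attack, inc.target)]

    def _link(self, problem, inc):
        inc.problem_id = problem.id
        problem.incidents.append(inc.id)

    def log_incident(self, inc):
        """Record an incident; link it to an open problem with the same signature,
        or raise a new problem once `threshold` similar incidents exist."""
        self.incidents[inc.id] = inc
        key = (inc.attack, inc.target)
        for p in self.problems.values():
            if p.key == key and p.status == "open":
                self._link(p, inc)
                return p
        similar = self._similar(inc)
        if len(similar) >= self.threshold:
            p = Problem(id=f"PRB-{len(self.problems) + 1}", key=key)
            self.problems[p.id] = p
            for i in similar:        # pull in the earlier incidents retroactively
                self._link(p, i)
            return p
        return None

    def link_change(self, problem_id, change_id):
        self.problems[problem_id].changes.append(change_id)

    def close_problem(self, problem_id):
        """Closing the root-cause problem resolves every incident linked to it."""
        p = self.problems[problem_id]
        p.status = "closed"
        for iid in p.incidents:
            self.incidents[iid].status = "resolved"
        return list(p.incidents)

def demo():
    """Constructed scenario: repeated SQL injection incidents against one portal."""
    cm = CaseManager()
    cm.log_incident(Incident("INC-1", "SQLI", "web-portal"))
    cm.log_incident(Incident("INC-2", "SQLI", "web-portal"))
    cm.log_incident(Incident("INC-3", "PHISH", "mail"))      # unrelated, stays standalone
    prb = cm.log_incident(Incident("INC-4", "SQLI", "web-portal"))   # third similar: problem raised
    cm.log_incident(Incident("INC-5", "SQLI", "web-portal"))         # links straight to it
    cm.link_change(prb.id, "CHG-17")                                 # constructed change id
    return cm, prb.id

if __name__ == "__main__":
    cm, pid = demo()
    print(pid, cm.problems[pid].incidents, cm.close_problem(pid))
```

Closing PRB-1 in the demo resolves INC-1, INC-2, INC-4 and INC-5 while the unrelated phishing incident stays open, which is the behaviour the slide describes as auto resolution of incidents linked to the problem.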
CHANGE MANAGEMENT: MINIMIZE ERRORS AND REDUCE RISK
• Typical change models: standard, major, emergency...
• Review and manual activities
• Customizable templates
• Workflows and notifications
• Analyst portal
• Approvals via web
• Relate change requests to incidents, problems and configuration items
VULNERABILITY MANAGEMENT PROCESS
1. DISCOVERY (Mapping)
2. ASSET PRIORITISATION (and allocation)
3. ASSESSMENT (Scanning)
4. REPORTING (Technical and Executive)
5. REMEDIATION (Treating Risks)
6. VERIFICATION (Rescanning)
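The six-step vulnerability management process above, combined with the prioritisation rule from the earlier "Prioritization and remediation" slide (Threat * Weakness * Business Value = Risk), as an added example in Python that is not code from the original deck. A constructed asset inventory stands in for discovery, constructed scanner findings for assessment, risk is computed with the slide's formula and used to order the work, a report gives both an executive (per business owner) and a technical (per ticket) view, and a ticket only closes when the verification rescan is clean, otherwise it reopens. The assets, findings, 1-5 scales and rescan outcomes are all assumptions for the example.

```python
"""Added example (not from the original slides): the vulnerability management
lifecycle -- discovery, asset prioritisation, assessment, reporting,
remediation, verification -- driven by Threat * Weakness * Business Value = Risk.
All assets, findings and scale values are constructed."""
from dataclasses import dataclass, field

# Step 1 DISCOVERY: a constructed inventory, as a mapping scan plus the CMDB would produce.
ASSETS = {
    "web01":  {"owner": "e-business", "business_value": 4},
    "db01":   {"owner": "finance",    "business_value": 5},
    "kiosk3": {"owner": "facilities", "business_value": 1},
}

# Step 3 ASSESSMENT: constructed scanner output. weakness = how exploitable the
# issue is (1-5); threat = how actively it is attacked in the wild (1-5).
FINDINGS = [
    {"id": "F-1", "asset": "web01",  "title": "SQL injection in login form",  "weakness": 5, "threat": 5},
    {"id": "F-2", "asset": "db01",   "title": "Unpatched listener service",   "weakness": 3, "threat": 4},
    {"id": "F-3", "asset": "kiosk3", "title": "Default SNMP community string", "weakness": 4, "threat": 2},
    {"id": "F-4", "asset": "web01",  "title": "Missing HttpOnly cookie flag", "weakness": 1, "threat": 2},
]

@dataclass
class Ticket:
    finding: dict
    risk: int
    status: str = "open"             # open -> remediated -> verified | reopened
    history: list = field(default_factory=list)

def risk_score(finding, assets=ASSETS):
    """The slide's rule: Threat * Weakness * Business Value = Risk."""
    return finding["threat"] * finding["weakness"] * assets[finding["asset"]]["business_value"]

def prioritise(findings=FINDINGS):
    """Step 2 ASSET PRIORITISATION: order work by business risk, not scanner severity alone."""
    tickets = [Ticket(f, risk_score(f)) for f in findings]
    return sorted(tickets, key=lambda t: t.risk, reverse=True)

def report(tickets):
    """Step 4 REPORTING: executive view (risk per owner) and technical view (per ticket)."""
    per_owner = {}
    for t in tickets:
        owner = ASSETS[t.finding["asset"]]["owner"]
        per_owner[owner] = per_owner.get(owner, 0) + t.risk
    technical = [(t.finding["id"], t.risk, t.status) for t in tickets]
    return per_owner, technical

def remediate(ticket, action):
    """Step 5 REMEDIATION: record the treatment; the ticket is not closed yet."""
    ticket.history.append(action)
    ticket.status = "remediated"

def verify(ticket, rescan_still_vulnerable):
    """Step 6 VERIFICATION: only a clean rescan closes a ticket, otherwise it reopens."""
    if ticket.status != "remediated":
        raise ValueError("verify only applies after remediation")
    ticket.status = "reopened" if rescan_still_vulnerable else "verified"
    return ticket.status

def run_cycle():
    """One pass through the process on the constructed data."""
    tickets = prioritise()
    remediate(tickets[0], "parameterised query deployed")
    verify(tickets[0], rescan_still_vulnerable=False)
    remediate(tickets[1], "patch applied")
    verify(tickets[1], rescan_still_vulnerable=True)   # constructed: the patch did not take
    return tickets

if __name__ == "__main__":
    per_owner, technical = report(run_cycle())
    print(per_owner)
    for row in technical:
        print(row)
```

On the constructed data the SQL injection on web01 ranks first (5 * 5 * 4 = 100) ahead of the unpatched finance database (4 * 3 * 5 = 60), even though the database asset carries the higher business value; the two low-risk findings tie at 8. The reopened ticket for F-2 is the case the verification step exists for: a remediation that was recorded but did not actually remove the weakness.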
INVESTIGATIONS AND FORENSICS
• Being able to investigate and manipulate data
• Visualization
• Post-event correlation
• Managing by case / incident
• Chain of custody
• Integrity of data
II. CSIRT
- Organization decision on building a team, based on size and ROSI
- Compose the team or select members who can escalate and take the initial necessary action
- Train the team on the most common situations and scenarios
- Acquire the required tools