RSA Archer Security Operations Management (SecOps)
RSA, The Security Division of EMC
© Copyright 2013 EMC Corporation. All rights reserved.

Source: schd.ws/hosted_files/nationwideinsuranceitfedera2015/36/RSA...

Mar 11, 2018

Page 1

RSA Archer Security Operations Management (SecOps)
RSA, The Security Division of EMC

Page 2

Security Incidents are Going Unnoticed

• Lack of Staff
• Too Many False Positive Responses
• Too Many Manual Processes
• Too Many Non-Integrated Tools
• Security Attacks are Sophisticated

* ESG White Paper – “The Big Data Security Analytics is Here”, January 2013

Page 3

Security Incidents → Data Breach

• 70% – Company’s Value is IP
• 78% – Weeks to Discover
• 56% – Staff Shortage

Average Cost of a Data Breach (chart values): $5,403,644; $4,104,932; $3,143,048; $2,275,404; $4,823,583; $3,763,299; $2,282,095; $1,321,903

Impact to an Enterprise: Financial + Reputational Damage

* Ponemon Institute – “2013 Cost of Data Breach Study: Global Analysis”, Cost of a Data Breach in US

Page 4

Centralizing Incident Response Teams

Specialized Team
• Reporting to: CSO/CISO → CIO
• Consisting of: People, Process, Technology

Detect, Investigate and Respond

Team structure (org chart):
• SOC Manager
• Tier 2 Analyst
• Analysis & Tools Support Analyst
• Tier 1 Analyst
• Threat Analyst

Page 5

Current Challenges: SOCs are Event Focused and Reactive

• No Centralization of Alerts
• Lack of Centralized Incident Management
• Lack of Context
• Lack of Process
• Lack of Best Practices

Page 6

Complexities of a SOC (diagram)

Roles: SOC Manager 1, SOC Manager 2, CISO, Finance, Legal, HR, IT, L1 Analyst, L2 Analyst, Threat Analyst, Breach Coordinator

Processes: Shift Handoff, Incident Process, Threat Analysis, Report KPIs, Breach Process, IT Handoff, Centralize Alerts, Measure Efficacy

Tools and data sources: SIEM, DLP, Network Visibility, eFraud, Host Visibility

Page 7

Detect & Respond to Security Incidents: RSA Reference Architecture (diagram)

RSA Live Intelligence – Threat Intelligence, Rules, Parsers, Alerts, Feeds, Apps, Directory Services, Reports and Custom Actions

Data sources: SharePoint, File Servers, Databases, NAS/SAN, Endpoints, Enterprise Mgmt., Windows Clients/Servers

RSA ECAT

RSA Security Operations Management (NEW):
• Incident Management
• Breach Management
• SOC Program Management
• IT Risk Management

Page 8

RSA Security Operations Management (Domain: Security Operations Management)

Modules:
• Incident Management
• Breach Management
• SOC Program Management
• IT Security Risk Management

People, Process, Technology: Orchestrate & Manage

Consistent / Predictable Business Process

Page 9

RSA SecOps – SecOps Marketecture: Orchestration / Management of the SOC (diagram)

• Aggregate Alerts to Incidents
• Incident Response
• Breach Response
• SOC Program Management
• Dashboard & Report

ALERTS: Capture & Analyze – Packets, Logs & Threat Feeds; LAUNCH TO SA

CONTEXT: RSA Archer Enterprise Management (Context); RSA Archer BCM (Crisis Events)

Page 10

Persona Driven Design: Customized for the SOC Personas

L1/L2 Analyst
• Review Incidents
• Collect Data
• Investigate / Escalate
• Forensic Analysis

Incident Coordinator
• Analyst Mgmt.
• Shift Handover
• Incident Trends

Breach Response Lead
• Review Escalations
• Breach Impact Analysis
• Notification Process

SOC Manager / CISO
• SOC Visibility
• Access to Dashboards
• Access to Reports
• Measure Effectiveness

Page 11

Analyst Focused Dashboard
• New and My Incident Queue
• Overall Incident Status

Page 12

Contextual Launch to Collect Data
• Launch to SA to Collect Additional Data

Page 13

Link to Business Context
• New and My Incident Queue
• Cross-Reference Alerts to Asset Details and Business Context

Page 14

Incident Coordinator Dashboard
• Shift Handover
• Analyst Workload
• Incident Trends

Page 15

Breach Coordinator Dashboard
• Current Breaches, Impact and Records Affected

Page 16

IT Operations Dashboard
• Current Breaches, Impact and Records Affected
• Findings Addressed by IT Help Desk

Page 17

SOC Manager / CISO Dashboard
• Overall View of the Security Operations Center

Page 18

The Value of SecOps: Orchestration and Framework for the SOC

Enable SOC Team to Be More Effective
• Incident Prioritization
• Workflow to guide IR process
• Response Procedures

Optimize SOC Investments
• Automation
• Monitor KPIs
• Measure Security Controls
• Manage SOC Team

Better Manage IT Security & Business Risk
• Visibility & Biz Context
• Data Breach Management
• Enterprise Risk

Page 19

Security Operations Management Deployment Maturity Model

Stage 1 – Alerts & Context
• Business Context
• Define Alerting Rules for Security Monitoring Systems

Stage 2 – Incident Response
• Alert Aggregation
• Investigation / Incident Management Process
• Breach Management Process

Stage 3 – Program Management
• Team / Shift Management
• SOC Readiness, Security Control Efficacy
• KPI Monitoring

Stage 4 – Business Risk Management
• IT Security Risk Management
• Enterprise Risk & BCM

Page 20

Professional Services Offerings: SecOps Program Offerings

• Early Stage Deployment of SOC
  − Strategy, Design, Implement & Operate
  − Custom SOW Based on Customer Requirements
• Mature SOC Customer
  − Technical Implementation: Install, Integrate & Functional Overview

Holistic Solution Portfolio:
• Incident Response
• Breach Response
• Reports & Dashboards
• GRC Integrations
• SOC Program Management
