STR-F03: Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration

Timothy Lee, Chief Information Security Officer, City of Los Angeles

RSA Conference (#RSAC), session STR-F03

Apr 17, 2018

Transcript
Page 1: Title slide (STR-F03, Timothy Lee, Chief Information Security Officer, City of Los Angeles)

Page 2: Background – City of Los Angeles

4 million people, 465 sq mi, 15 Council Districts

2nd largest city in the US

Employment: 1.81 million

Annual visitors: 42.21 million

43 departments, 35,000 FTE

Port of LA, Airport, Water and Power (3 proprietary departments) manage their own networks

Information Technology Agency (ITA) manages the rest

Page 3: Mayor’s Executive Directive on Cybersecurity

“I’m creating this Cyber Intrusion Command Center (CICC) so that we have a single, focused team responsible for implementing enhanced security standards across city departments and serving as a rapid reaction force to cyber-attacks,”

Mayor Eric Garcetti

Page 4: Business Challenge

IT Security Team is understaffed

Dispersed log-capture capabilities

Minimal use of collaboration tools

Lack of an incident management platform

No integrated threat intelligence program

Limited situation awareness (SA) and operational metrics for the City as a whole

Imbalance between detection and response capability

“Siloed” SOCs/NOCs

Page 5: Solution

Integrated Security Operations Center (ISOC)

Page 6: Know yourself, Know the enemy

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

― Sun Tzu, The Art of War

Page 7: Know yourself, Know your Enemy

Know the enemy: Threat Intelligence (TI)

Know yourself: Situation Awareness (SA)

Page 8: Integrated Security Operations Center

Diagram: Situation Awareness (SA) and the Threat Intelligence Program (TIP) are the two inputs that make up the Integrated Security Operations Center (ISOC)

Page 9: Situation Awareness

Knowing what is going on

Page 10: What is Situation Awareness?

Situation Awareness (SA) is the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.

Mica Endsley, 1988

Page 11: Endsley SA Model

Diagram: State of the environment → Situation Awareness (Level 1: Perception → Level 2: Comprehension → Level 3: Projection) → Decision → Action, which in turn changes the state of the environment

Page 12: Situation Awareness

PERCEPTION

• Log Collection

• Threat Intel Feeds

• SOC Incident Feeds

• Security Posture Dashboard

COMPREHENSION

• Event Correlation and Analysis

• Threat Intelligence Analysis

PROJECTION

• Pattern Matching

• Threat Forecast
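The three levels on this slide and the previous one are easier to see as a pipeline. The following is an added example, not from the deck or from the City of Los Angeles: a constructed firewall log, a constructed SSH authentication log and a one-entry threat-intel feed (all made up for this example) are normalised into one event stream (perception), correlated per source address into a case with recognised stages (comprehension), and the furthest stage observed is used to forecast the adversary's next step along an assumed kill-chain ordering (projection). The thresholds, stage names and ordering are illustrative assumptions, not the City's detection logic.

```python
"""Endsley's three SA levels as a small SOC pipeline.
All log lines, the TI feed, thresholds and stage ordering are constructed/assumed."""
import re
from collections import defaultdict

# --- Level 1: Perception -- raw observations from several sources ------------------
FIREWALL_LOGS = [  # constructed sample lines
    "2018-04-17T09:00:01Z fw01 DENY src=203.0.113.7 dst=10.1.1.20 dport=21",
    "2018-04-17T09:00:02Z fw01 DENY src=203.0.113.7 dst=10.1.1.20 dport=22",
    "2018-04-17T09:00:03Z fw01 DENY src=203.0.113.7 dst=10.1.1.20 dport=23",
    "2018-04-17T09:00:04Z fw01 DENY src=203.0.113.7 dst=10.1.1.20 dport=445",
    "2018-04-17T09:00:05Z fw01 DENY src=203.0.113.7 dst=10.1.1.20 dport=3389",
    "2018-04-17T09:00:06Z fw01 ALLOW src=203.0.113.7 dst=10.1.1.20 dport=22",
    "2018-04-17T09:05:00Z fw01 ALLOW src=198.51.100.9 dst=10.1.1.30 dport=443",
]
AUTH_LOGS = [  # constructed sample lines
    "2018-04-17T09:01:10Z srv20 sshd FAILED user=admin src=203.0.113.7",
    "2018-04-17T09:01:12Z srv20 sshd FAILED user=admin src=203.0.113.7",
    "2018-04-17T09:01:14Z srv20 sshd FAILED user=root src=203.0.113.7",
    "2018-04-17T09:01:20Z srv20 sshd ACCEPTED user=admin src=203.0.113.7",
    "2018-04-17T09:07:00Z srv30 sshd ACCEPTED user=jdoe src=10.1.2.15",
]
TI_FEED = {"203.0.113.7": "scanner-infrastructure"}  # constructed indicator -> label

FW_RE = re.compile(r"(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"(\S+) (\S+) sshd (FAILED|ACCEPTED) user=(\S+) src=(\S+)")

def perceive(fw_lines, auth_lines):
    """Normalise heterogeneous log lines into one time-ordered event stream."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            ts, sensor, action, src, dst, dport = m.groups()
            events.append({"ts": ts, "src": src, "dst": dst, "kind": "fw",
                           "action": action, "dport": int(dport), "sensor": sensor})
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append({"ts": ts, "src": src, "dst": host, "kind": "auth",
                           "action": result, "user": user, "sensor": host})
    return sorted(events, key=lambda e: e["ts"])  # ISO-8601 sorts lexically

# --- Level 2: Comprehension -- what do these events mean together? ---------------
SCAN_THRESHOLD = 4    # assumed: distinct ports probed by one source
BRUTE_THRESHOLD = 3   # assumed: failed logins from one source

def comprehend(events, ti_feed):
    """Correlate events per source IP into a case with the stages recognised so far."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    cases = {}
    for src, evs in by_src.items():
        ports = {e["dport"] for e in evs if e["kind"] == "fw" and e["action"] == "DENY"}
        fails = sum(1 for e in evs if e["kind"] == "auth" and e["action"] == "FAILED")
        success = any(e["kind"] == "auth" and e["action"] == "ACCEPTED" for e in evs)
        stages = []
        if len(ports) >= SCAN_THRESHOLD:
            stages.append("recon")
        if fails >= BRUTE_THRESHOLD:
            stages.append("credential-attack")
        if success and fails:  # a success preceded by failures is the interesting one
            stages.append("initial-access")
        if stages or src in ti_feed:  # a TI hit alone is still worth a case
            cases[src] = {"stages": stages, "ti": ti_feed.get(src),
                          "targets": sorted({e["dst"] for e in evs})}
    return cases

# --- Level 3: Projection -- where is this heading? ----------------------------------
KILL_CHAIN = ["recon", "credential-attack", "initial-access",
              "privilege-escalation", "lateral-movement"]  # assumed ordering

def project(case):
    """Forecast the next stage from the furthest stage already observed."""
    observed = [s for s in KILL_CHAIN if s in case["stages"]]
    if not observed:
        return "monitor"  # TI hit only, no behaviour seen yet
    idx = KILL_CHAIN.index(observed[-1])
    return KILL_CHAIN[idx + 1] if idx + 1 < len(KILL_CHAIN) else "contain"

def assess():
    """Run all three levels over the constructed inputs; returns cases with a forecast."""
    events = perceive(FIREWALL_LOGS, AUTH_LOGS)
    cases = comprehend(events, TI_FEED)
    return {src: dict(case, next=project(case)) for src, case in cases.items()}

if __name__ == "__main__":
    for src, case in assess().items():
        print(src, case)
```

Only the scanning source survives into a case; the benign 443 session and the normal login do not. What the projection buys the analyst is a reason to look at srv20 for privilege escalation now, rather than after the next alert, which is the "imbalance in detection and response" the Business Challenge slide describes.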

Page 13: What Is Threat Intelligence (TI)?

Source: Centre for the Protection of National Infrastructure (cpni.gov.uk)

Page 14: What is Threat Intelligence?

Specific, Meaningful, Actionable, Relevant, Timely

Page 15: Threat Intelligence Sharing

Internal – SOCs, NOCs, sysadmins, CIRTs

External – trusted partners, law enforcement, vendors

Standards – IODEF, YARA, OpenIOC, IF-MAP, STIX, TAXII, VERIS, CybOX, TLP, OTX, CIF, etc. (These are not interchangeable: STIX, CybOX, OpenIOC and IODEF describe threat and incident data; TAXII is the transport for STIX; YARA is a rule language for matching files and memory; TLP is the handling marking that says how far an item may be passed on; VERIS is an incident-classification vocabulary; OTX and CIF are sharing platforms rather than formats.)
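Sharing with MS-ISAC or law enforcement is only safe when the handling marking travels with the indicator and is enforced before anything leaves the ISOC. The example below is added here and is not the deck's or the City's code: it builds a STIX 2.1 bundle of indicators marked with TLP, using the marking-definition identifiers that the STIX 2.1 specification fixes for the four TLP colours, and then a consumer filters the bundle for a given audience before dissemination. The audience names, the indicator values and the mapping from TLP colour to audience are assumptions chosen for the example (the mapping simplifies the TLP 1.0 definitions in use in 2018); it uses only the Python standard library.

```python
"""Build a STIX 2.1 bundle of TLP-marked indicators and gate what leaves the ISOC.
Standard library only. Indicator values and audience names are constructed."""
import json
import re
import uuid
from datetime import datetime, timezone

# TLP marking-definition IDs are fixed by the STIX 2.1 specification (section 7.2.1.4),
# so producers and consumers can compare markings without an out-of-band agreement.
TLP_IDS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eff-b49cbd73b2b6",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red":   "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_OF_ID = {v: k for k, v in TLP_IDS.items()}

# Assumed audience policy, a simplification of TLP 1.0: RED stays with the SOC,
# AMBER stays inside the City, GREEN may go to the sharing community, WHITE anywhere.
INTERNAL = {"internal-soc", "internal-noc", "internal-sysadmin", "internal-cirt"}
COMMUNITY = INTERNAL | {"trusted-partner", "ms-isac", "law-enforcement"}
AUDIENCES = {"red": {"internal-soc"}, "amber": INTERNAL,
             "green": COMMUNITY, "white": COMMUNITY | {"public"}}

def _stamp(now=None):
    """STIX timestamp format: RFC 3339 with millisecond precision in UTC."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.000Z")

def tlp_marking(tlp):
    """The spec-defined marking object; shipped in the bundle so consumers can resolve refs."""
    return {"type": "marking-definition", "spec_version": "2.1", "id": TLP_IDS[tlp],
            "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
            "name": f"TLP:{tlp.upper()}", "definition": {"tlp": tlp}}

def make_indicator(ipv4, name, tlp=None):
    """A STIX 2.1 Indicator whose pattern matches one IPv4 address."""
    ts = _stamp()
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--{uuid.uuid4()}",
           "created": ts, "modified": ts, "valid_from": ts,
           "name": name, "indicator_types": ["malicious-activity"],
           "pattern": f"[ipv4-addr:value = '{ipv4}']", "pattern_type": "stix"}
    if tlp:
        obj["object_marking_refs"] = [TLP_IDS[tlp]]
    return obj

def make_bundle(objects):
    """Serialise objects as a STIX 2.1 Bundle (what a TAXII collection would carry)."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "objects": objects}, indent=2)

# ---- consumer side: what may this audience receive? -------------------------------
PATTERN_RE = re.compile(r"\[ipv4-addr:value = '([^']+)'\]")

def tlp_of(obj):
    """TLP colour from object_marking_refs; None when no TLP marking is present."""
    for ref in obj.get("object_marking_refs", []):
        if ref in TLP_OF_ID:
            return TLP_OF_ID[ref]
    return None

def releasable(bundle_json, audience):
    """Indicators the policy allows this audience to see.
    An unmarked indicator is handled as TLP:RED: a missing marking must never widen sharing."""
    bundle = json.loads(bundle_json)
    return [obj for obj in bundle["objects"]
            if obj.get("type") == "indicator"
            and audience in AUDIENCES[tlp_of(obj) or "red"]]

def ipv4_of(indicator):
    """Pull the address out of the simple equality pattern produced above."""
    m = PATTERN_RE.fullmatch(indicator["pattern"])
    return m.group(1) if m else None

def demo_bundle():
    """Constructed feed: an AMBER scanner address, a GREEN C2 address, an unmarked tip."""
    return make_bundle([
        tlp_marking("amber"), tlp_marking("green"),
        make_indicator("203.0.113.7", "SSH scanner seen against City hosts", "amber"),
        make_indicator("198.51.100.9", "C2 address from partner report", "green"),
        make_indicator("192.0.2.1", "unmarked tip", None),
    ])

if __name__ == "__main__":
    for who in ("internal-soc", "internal-noc", "ms-isac", "public"):
        print(who, [ipv4_of(i) for i in releasable(demo_bundle(), who)])
```

The filter runs at the point of dissemination, not at collection, so the same bundle serves the SOC, the NOCs and the external partners with different views. The edge case worth testing is the unmarked object: defaulting it to the most restrictive colour is what keeps a producer's omission from becoming the City's leak. TLP 2.0 (2022) later renamed WHITE to CLEAR and added AMBER+STRICT; the identifiers above are the TLP 1.0 set that STIX 2.1 defines.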

Page 16: City of Los Angeles Integrated Security Operations Center

Page 17: Security Operations Center (SOC)

Diagram: a SOC is built from four elements: Staff; Tools & Technology; Facility; Processes & Procedures

Page 18: Integrated Security Operations Center (ISOC)

Diagram: City of LA Integrated SOC

External inputs (Threat Intelligence): Threat Intelligence Services, FBI Cyberhood, MS-ISAC, DHS/USSS

Internal inputs (Situational Awareness), Information Security: SOCs (SIEM), NOCs (logs)

Internal inputs (Situational Awareness), Physical Security: Access Control, Fire Alarms, HVAC SCADA, Video

ISOC functions: Collect, Collaborate, Respond, Report

Page 19: ISOC Components

ISOC SITUATION AWARENESS

Operational Framework

SOC Integration

ISOC Access Control

Security Posture Dashboard

Threat Level Indicator

ISOC On-boarding Requirements

Page 20: ISOC Components (continued)

Threat Intelligence Portal (TIP)

Data Collection (Structured, Unstructured)

Data Sharing and Dissemination (Internal, External)

Data Integration

Classification

Alert Correlation

Access Control

Threat Map / Dashboard

Page 21: ISOC Components (continued)

Facility Design and Build

Display Wall

Display Wall Controller

Consoles

ISOC Dashboard Profiles

Page 22: City of Los Angeles Integrated Security Operations Center

Page 23: Awards

Center for Digital Government’s 2015 Cybersecurity Leadership and Innovation Award

Public Technology Institute 2016 Technology Solutions Award

Page 24: References

Renaud Bidou – Security Operation Center Concepts & Implementation

RSA – Building an Intelligence-Driven Security Operations Center, RSA Technical Brief, June 2014

Mica R. Endsley – Toward a Theory of Situation Awareness in Dynamic Systems, Human Factors 37(1), 1995

Craig Lawson, Rob McMillan – Technology Overview for Threat Intelligence Platforms, Gartner, December 2014

Page 25: Contact

Timothy Lee, Chief Information Security Officer, City of Los Angeles, [email protected]