Managed Security Services
& the Riyadh SOC
Imran Ashraf,
Director Cloud & Advance Services,
Mobily
CONFIDENTIAL | www.mobily.com.sa
Page 2
Agenda
• Mobily At A Glance
• Security Landscape
• Security Operation Center (SOC)
• Managed Security Services
• VSOC Portal
Company Overview: About Mobily
Profile Highlights
• 40% market share.
• 700 million shares issued.
• SAR 7 billion in paid-up capital.
• Share face value SAR 10.
• Awarded license in summer 2004.
• Listed on Tadawul in December 2004.
• Launched commercially on May 25th, 2005.
Acquisitions
• Formalized acquisition of Bayanat Al Oula by April 2008.
• Formalized acquisition of Zajil International Telecommunications in November 2008.
Public Disclosure (shareholding chart): Etisalat (UAE) 27.4%, GOSI 11.2%.
Mobily Transformation and Infrastructure Evolution
Evolve from a mobile voice operator to a full ICT provider (timeline chart, 2005 to 2013):
• Mobile Operator (GSM)
• Data Services
• Data Center Managed Services
• Managed Cloud Services
• Security and Advance Services
From a silo approach to an ICT hub: changing the IT industry dynamics to federated, converged environments
Diagram of three models, each relating Telcos, IT Service Providers, HW & SW Providers and Enterprises:
• Yesterday's/Today's Silo Model: Telcos, IT Service Providers and HW & SW Providers each serve the Enterprise separately.
• Today's Hybrid Model: Telcos, IT Service Providers and HW & SW Providers serving Enterprises.
• Tomorrow's Model: Telcos become ICT providers and the epicenter, with IT Service Providers and HW & SW Providers behind them and the Enterprise as consumer of services.
*Source: IBM GTS, Mobily Internal Analysis
Early Success: The ICT Journey Begins
IT transformation and the shift in market power: the Telco's role and evolution as an ICT provider over a decade (2010 to 2020)
• ICT providers, namely Telcos, will be the dominant players in providing resiliency services through their diversified yet converged capabilities.
*Source: IDC Report 2012
Security Landscape
Increased threats and compliance requirements require more automated, proactive approaches to security.
Chart: the vertical axis runs from Manual to Automated, the horizontal axis from Reactive to Proactive. Three stages along the diagonal:
• Organizations employ perimeter protection, which regulates access and feeds manual reporting.
• Security is layered into the IT fabric and business operations.
• Organizations use predictive and automated security analytics to drive toward security intelligence.
Source: IBM X-Force Intelligence Report
2012: The explosion of breaches continues!
2012 sampling of security incidents by attack type, time and impact. Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses.
Targeted Attacks & Social Media Attacks
Projected Targeted Attacks
Source: http://www.symantec.com/theme.jsp?themeid=state_of_spam
Security Initiatives
Top Information Security Initiatives
Source: IDC, 2012
Network Security Leads The Security Tech Spending Budget
Security Operations Center
S O C
SOC in Saudi Arabia
Riyadh, KSA: Riyadh Malga 2 Data Center
MSS Global Facts and Figures
• 10 Security Operations Centers
• 3,700+ MSS clients worldwide
• 20,000+ security devices
• 15B+ security events daily
• Recording over 30k incidents daily
• Monitoring in 133 countries
• Using a grid of 725+ systems
• Maintaining 99.9+% availability
Security Operations Center (SOC)
A Security Operations Center is a highly skilled team following defined procedures and processes to manage threats and reduce security risks.
Security Operations Centers (SOC) are designed to:
– Protect mission-critical data and assets
– Prepare for and respond to cyber emergencies
– Help provide continuity and efficient recovery
– Fortify the business infrastructure
The SOC’s major responsibilities are:
– Monitor, Analyze, Correlate & Escalate Intrusion Events
– Develop Appropriate Responses; Protect, Detect, Respond
– Conduct Incident Management and Forensic Investigation
– Maintain Security Community Relationships
– Assist in Crisis Operations
Mobily-IBM Partnership
IBM has the biggest market share in Security and Vulnerability Management (SVM) products:
• Tivoli Endpoint Manager for Proactive Endpoint Risk Management
• Tivoli Security Compliance & Policy Manager
• QRadar Security Intelligence and Event Management
• Rational AppScan; zSecure Audit; and Guardium Database Vulnerability Assessment
Source: http://www.idc.com/getdoc.jsp?containerId=242465
Chart: SVM Forecast Spending
Managed Security Services
Managed Security Services Portfolio
• Vulnerability Management Service
• Security Information & Event Management (SIEM)
• Security Event & Log Management (SELM)
• Anti-DDoS
• Managed Network Security Service (FW, IPS/IDS, UTM)
• Penetration Testing
• Secure Internet Service
• Secure Device Management
24/7/365 monitoring and management of security technologies and threat analysis. Single management console of the client's entire security infrastructure.
MSS Integrated Services Architecture – In-Depth
Diagram, built up over several slides:
• Customer-side sources, connected over MPLS: Applications, Networking devices, Vulnerability data, Anti-virus and filtering, Firewalls and IDS and IPS (intrusion detection system and intrusion prevention system).
• IBM X-Force® Protection System: Aggregation, Correlation, Archival, Reporting, Workflow. Processing stages: Normalize, Aggregate, Correlate, Archive, Escalate, Remediate.
• Security Operations Center (SOC) working on the correlated output.
• Virtual-SOC Portal as the client-facing view.
VMS Internal/External Scanning Architecture
• Customer location: an internal scan engine appliance is placed behind the firewall to scan internal devices for vulnerabilities.
• MSS cloud-services location: IBM provides a global scan engine pool for scanning the client's public-facing servers from an external hacker's point of view, including web applications (such as www.mycompany.com) and Payment Card Industry-approved scanning vendor scans.
• Scans are scheduled from the VSOC portal (customer portal and scanning console), which also covers all appliance monitoring and updating.
X-Force Hosted Threat Analysis Service
Security intelligence service that delivers customized information about a wide array of threats that could affect your network security:
• Single source for security information
• Analysis and correlation of global security threats
• Actionable data and recommendations
• Designed for prompt access around the clock
1. Most comprehensive vulnerability database in the world: over 68,000 unique vulnerabilities cataloged, with entries dating back to the 1990s.
2. Updated daily by a dedicated research team.
3. The X-Force database currently tracks over 8,000 vendors, 17,000 products and 40,000 versions.
VSOC Portal in Depth
Virtual SOC
The Virtual SOC combines the capabilities of a SOC, advanced analysis and correlation, artificial intelligence, professional consultancy and a web-based management portal. It is designed to reduce the complexity of managing and monitoring appliances manually, and it provides real-time, 24x7x365 security event identification, incident escalation and remediation.
The Virtual Security Operations Center (SOC) Portal
• Open-vendor architecture
• Consolidated security views: managed security services and security enablement services
• Powerful query and reporting options
• Automated event and log analysis
• Unlimited event and log archive
• Granular permissions system
• Guaranteed availability
• Integrated trouble ticketing and workflow
• Integrated IBM X-Force® intelligence
• SAS 70 Type II certified SOC (delivery process and systems)
• Regularly tested disaster recovery and business continuity plans
Here is an example of the VSOC integrated services architecture (typical customer environment; third-party technologies managed by the service):
• 1 billion events: collected from the managed third-party technologies.
• 150,000 alerts: generated by the IBM X-Force® Protection Service (XPS); XPS databases and logic engines are referenced and the data analyzed by its expert system.
• 300 potential alerts: filtered by your customized IT profile; events eliminated and validated by analysts.
• 6 events of significant risk that required client response: solutions researched, analysis and risk ratings applied; prioritized events with solutions requiring client action are posted to the managed security services (MSS) portal.
IBM Security Intelligence: increase your analytic capabilities
Four levels (Good, Better, Enhanced, Superior), each adding a data source and the capability it enables:
• Good: add firewall logs. Near-real-time identification of connections with known attackers.
• Better: add IDPS events. Know the attacks levied against you.
• Enhanced: add vulnerability scan results. Know if the attacks are successful.
• Superior: add operating system and application logs. Monitor suspicious internal activities.
Service rows shown across the levels: Firewall management, IDPS management, Unified threat management, Secure log management, Hosted vulnerability management.
Services recommended to enable these capabilities, as grouped on the slide: (1) Hosted SELM; (1) Firewall management (2) Managed UTM (3) Hosted SELM; (1) VMS 2.0; (1) Managed IDPS (2) Managed UTM (3) Hosted SELM.
Abbreviations: IDPS, intrusion detection and prevention system; UTM, unified threat management; SELM, security event log monitor; MPS, managed protection services; VMS, vulnerability management service.
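The funnel on the previous slide (1 billion events down to 6 requiring client action) and the four levels above describe one pipeline: normalize events from several sources, aggregate them, correlate across firewall, IDPS, vulnerability scan and host data, and escalate only what needs a response. The following Python script is an added example, not code from Mobily or IBM, that runs that pipeline over constructed firewall, IDPS, scan and host log lines. The log formats, the RFC 5737 addresses, the KNOWN_ATTACKERS list, the SUSPICIOUS_HOST_EVENTS policy, the tier weights and the escalation threshold are all assumptions made for the illustration.

```python
"""Tiered event correlation: normalize -> aggregate -> correlate -> escalate.
Added example, not Mobily's or IBM's code; all inputs, formats, weights and
thresholds below are constructed assumptions for illustration."""
import re
from collections import defaultdict

# Assumed threat-intel list of attacker addresses (RFC 5737 documentation ranges).
KNOWN_ATTACKERS = {"203.0.113.7", "198.51.100.23"}
# Assumed policy: host events that indicate post-exploitation rather than noise.
SUSPICIOUS_HOST_EVENTS = {"new_admin_user", "new_service", "scheduled_task"}
# Assumed weight of each correlation tier in the risk score.
TIER_WEIGHT = {"known-attacker": 1, "attack-observed": 1,
               "likely-successful": 2, "post-exploitation": 3}

# Constructed sample inputs in three different source formats.
FIREWALL_LOGS = [
    "2013-03-01T10:00:01 ACCEPT 203.0.113.7:51000 -> 10.0.0.9:80",
    "2013-03-01T10:00:05 DENY 198.51.100.23:44444 -> 10.0.0.5:22",
    "2013-03-01T10:01:00 ACCEPT 192.0.2.10:40000 -> 10.0.0.9:80",
    "2013-03-01T10:02:00 ACCEPT 203.0.113.7:51001 -> 10.0.0.9:80",
]
IDPS_EVENTS = [
    "2013-03-01T10:00:02 ALERT sig=web-sqli src=203.0.113.7 dst=10.0.0.9",
    "2013-03-01T10:00:06 ALERT sig=ssh-bruteforce src=198.51.100.23 dst=10.0.0.5",
    "2013-03-01T10:01:01 ALERT sig=web-sqli src=192.0.2.10 dst=10.0.0.9",
]
# Scanner findings per host, keyed with the same names as the IDPS signatures.
VULN_SCAN = {"10.0.0.9": {"web-sqli"}, "10.0.0.5": {"ssh-weak-cipher"}}
HOST_LOGS = [
    "2013-03-01T10:00:30 host=10.0.0.9 event=new_admin_user name=svc_backup",
    "2013-03-01T10:05:00 host=10.0.0.5 event=login_failed user=root",
]

# One parser per source: regex, source tag, and the field names of its groups.
PARSERS = [
    (re.compile(r"^(\S+) (ACCEPT|DENY) (\S+):\d+ -> (\S+):\d+$"), "fw", ("ts", "action", "src", "dst")),
    (re.compile(r"^(\S+) ALERT sig=(\S+) src=(\S+) dst=(\S+)$"), "idps", ("ts", "sig", "src", "dst")),
    (re.compile(r"^(\S+) host=(\S+) event=(\S+)"), "host", ("ts", "dst", "event")),
]


def normalize(fw_lines, idps_lines, host_lines):
    """Normalize: map each source's own format onto one common event schema."""
    events = []
    for lines, (regex, source, fields) in zip((fw_lines, idps_lines, host_lines), PARSERS):
        for line in lines:
            m = regex.match(line)
            if m:  # unparseable lines are dropped, not guessed at
                events.append(dict(zip(fields, m.groups()), source=source))
    return events


def correlate(events, vuln_scan, known_attackers):
    """Aggregate by (src, dst) pair, then apply the four correlation tiers.
    Returns {(src, dst): set of tier names}."""
    by_pair, host_by_dst = defaultdict(list), defaultdict(list)
    for e in events:
        if e["source"] == "host":
            host_by_dst[e["dst"]].append(e)
        else:
            by_pair[(e["src"], e["dst"])].append(e)
    findings = {}
    for (src, dst), evs in by_pair.items():
        tiers = set()
        # Good: firewall logs alone reveal accepted connections from known attackers
        # (a DENY is informational: the connection never reached the target).
        if src in known_attackers and any(e["source"] == "fw" and e["action"] == "ACCEPT" for e in evs):
            tiers.add("known-attacker")
        # Better: IDPS events show which attacks were levied against the target.
        attacks = [e for e in evs if e["source"] == "idps"]
        if attacks:
            tiers.add("attack-observed")
            # Enhanced: the signature matches a weakness the scanner found on the target.
            if any(e["sig"] in vuln_scan.get(dst, set()) for e in attacks):
                tiers.add("likely-successful")
            # Superior: suspicious host activity on the target at or after the first
            # attack (same-format ISO-8601 timestamps compare correctly as strings).
            first_attack = min(e["ts"] for e in attacks)
            if any(h["event"] in SUSPICIOUS_HOST_EVENTS and h["ts"] >= first_attack
                   for h in host_by_dst[dst]):
                tiers.add("post-exploitation")
        findings[(src, dst)] = tiers
    return findings


def risk_score(tiers):
    return sum(TIER_WEIGHT[t] for t in tiers)


def escalate(findings, threshold=3):
    """Escalate: keep only pairs whose score says the attack probably worked,
    highest risk first. Returns [(src, dst, score)]."""
    ranked = [(src, dst, risk_score(t)) for (src, dst), t in findings.items()]
    return sorted((r for r in ranked if r[2] >= threshold), key=lambda r: -r[2])


def funnel(fw_lines, idps_lines, host_lines, vuln_scan, known_attackers):
    """Counts at each stage: the shape of the slide's 1 billion -> 6 funnel."""
    events = normalize(fw_lines, idps_lines, host_lines)
    findings = correlate(events, vuln_scan, known_attackers)
    return {"raw": len(fw_lines) + len(idps_lines) + len(host_lines),
            "normalized": len(events), "correlated": len(findings),
            "escalated": len(escalate(findings))}


if __name__ == "__main__":
    print(funnel(FIREWALL_LOGS, IDPS_EVENTS, HOST_LOGS, VULN_SCAN, KNOWN_ATTACKERS))
```

On the constructed data, nine raw events collapse to three source/destination pairs and two escalations: the known attacker whose SQL injection hit a host the scanner had flagged and was followed by a new admin account scores highest, the same signature from an unknown source against the same host is escalated on the scan match alone, and the brute-force attempt that the firewall blocked and the scanner did not corroborate stays below the threshold. Without the scan results and host logs (the Good and Better levels only), the two web attacks would be indistinguishable.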
Thank You