5G/SOC: Inside the world’s most advanced SOCs

James Blake, Practice Manager EMEA, HP Security Intelligence & Operations Consulting

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

HP Security Intelligence & Operations Consulting

The best in the world at building state-of-the-art security operations capabilities / cyber defense programs

Experience:
• 45+ SOC builds
• 105+ SOC assessments
• 50+ SIOC consultants worldwide
• Over 250 years of cumulative SOC experience

Solution approach:
• People, process, and technology
• Accelerated success:
  • Mature project methodology
  • Best practices
  • Extensive intellectual capital

Founded: 2007

SIOC services

http://hp.com/go/sioc


“SIEM implementations often fail to deliver full value — not due to ‘broken tools,’ but due to broken processes and practices by the organization that owns and operates the SIEM tool.” Gartner: Security Information and Event Management Architecture and Operational Processes, 2013


“Getting to higher maturity stages requires work — with no shortcuts that are known to be effective across organizations. Ongoing commitment of people and also commitment to process improvements are baseline requirements for that.” Gartner: Security Information and Event Management Architecture and Operational Processes, 2013

Incident lifecycle (diagram): Prepare → Detect → Investigate → Contain → Eradicate → Recover → Lessons learned. Swim lanes show who is involved at each stage of an incident: everyone, the SOC, the CIRT and IT Ops.

People, process, technology

Diagram of the SOC operating model, with steps numbered 1 to 7 (the step ordering is not recoverable from the extraction):
• Technology: firewall, router, intrusion detection, applications and proxy server logs feed the ESM server
• People: Level 1 and Level 2 analysts, incident handler, content author, hunt team, network & system owners, audit & CxO
• Process: escalation from Level 1 to Level 2 and on to the incident handler and the network & system owners until the case is closed, with threat intelligence and the hunt team alongside the alert flow

• Cyber Defense Center (CDC)
• Security Operations Center (SOC)
• Threat Operations Center (TOC)
• Security Defense Center (SDC)
• Cyber Security Intelligence Response Center (C-SIRC)
• Threat Management Center (TMC)
• Security Intelligence and Operations Center (SIOC)
• Security Intelligence and Threat Handlers (SITH)
• Security Threat and Intelligence Center (STIC)

“If an organization does not have some tuning (initial and ongoing) process to adapt an SIEM tool to a changing environment, the chances of getting the value equivalent to SIEM software purchase price are minuscule.” Gartner: Security Information and Event Management Architecture and Operational Processes, 2013

1G/SOC

1G/SOC: 1970s-1995

• Birth of the Internet: businesses not connected, or connected via slow connections
• Nuisance programs and minimally impacting malicious code
• Information security tools appear
• Military and governments start to build SOCs and CERTs

1G/SOC data feeds (raw logs only)

• Firewalls
• IDS
• Network equipment

2G/SOC

2G/SOC: 1996-2001

• Malware outbreaks & intrusion detection
• MSSPs begin to offer SOC as a service to customers
• SIEM concepts are introduced

2G/SOC data feeds

• Firewalls
• IDS
• Network equipment

2G/SOC log analytical process

Sample alert: 192.168.0.23:43987 203.45.65.201:1433 SQL Injection Attack 23Mar10 1930:003 user=jones

The question the analyst asks, and the tool used to answer it:
• Where is this coming from? → traceroute
• What are these systems called? → nslookup
• What is the timing on this? → traffic analysis
• What does this person do? → address book
• Is this port open? → port scan
• What is it used for? → port lookup
• Is this a correctly crafted attack? → payload
• How does this attack work? → signature details
• What else is going on? → contemporary events

3G/SOC

3G/SOC: 2002-2005

• Botnets, cybercrime, intrusion prevention, and compliance
• Largest companies in specific industries create SOCs internally

3G/SOC data feeds

• Intelligence feeds
• Vulnerability scanning
• Server and desktop OS
• Firewalls/VPN
• IDPS
• Databases
• Network equipment
• System health information
• Web traffic
• Anti-virus

3G/SOC log analytical process

Sample alert: 192.168.0.23:43987 203.45.65.201:1433 SQL Injection Attack 23Mar10 1930:003 user=jones

The 2G/SOC questions and tools (traceroute, nslookup, traffic analysis, address book, port scan, port lookup, payload, signature details, contemporary events), plus:
• Is this IP doing anything else? → other logs
• What is installed on this system? → asset inventory
• Has this been going on long? → historical context

4G/SOC

4G/SOC: 2006-2013

• Hacktivism, intellectual property theft, advanced persistent threat
• Wide adoption of continuous security monitoring as breaches fill headlines

4G/SOC data feeds

• Network equipment
• Vulnerability scanning
• Anti-virus
• Business context
• Physical infrastructure
• System health information
• Web traffic
• Intelligence feeds
• Directory services
• Firewalls/VPN
• IDPS
• Databases
• Applications
• Server and desktop OS
• Identity management

4G/SOC log analytical process

Sample alert: 192.168.0.23:43987 203.45.65.201:1433 SQL Injection Attack 23Mar10 1930:003 user=jones

The 2G/SOC and 3G/SOC questions and tools (traceroute, nslookup, traffic analysis, address book, port scan, port lookup, payload, signature details, contemporary events, other logs, asset inventory, historical context), plus:
• Is this a known bad guy? → DeepSight
• Who owns this system? Are there any current changes? → ITAM
• Are other sites seeing this? → DShield
• Is this system vulnerable to this? → vulnerability scan
• What is the status of this user? → IDAM

5G/SOC cyber defense future-proofed

How we got here

• 10+ years of breaches
• Increased awareness
• Advancements in technology
• Increasing regulation
• Consumerization of IT

Threat level continues to rise

5G/SOC: 2013 - ?

Subtle threat detection, hunt teams, counter-intel, anti-fragile, advanced analytics, big data

Every 60 seconds…
• 278,000+ tweets
• 23,148 apps downloaded
• 400,710 ad requests
• 34,597 people are using Zinio
• 1,500 pings sent on PingMe
• 2000 lyrics played on Tunewiki
• 208,333 minutes of Angry Birds played

Figure: the computing landscape from mainframe, through client/server and the internet, to mobile, social, big data and the cloud, shown as a cloud of vendor and application logos (mainframe makers, ERP/CRM/SCM/HCM/PLM and finance suites, hosting and cloud platforms, SaaS and consumer apps).

5G/SOC

• Acknowledge security threats are driven by human adversaries
• Assume compromise
• Anti-fragile enterprise – led by intelligence, not vulnerabilities
• Interaction with peers; organizations readily share information
• Hunt teams search large data sets to find threats and attack patterns we did not know about previously
• Convergence of IT Security and IT Operations tools to facilitate better visibility
• Data visualization drives how anomalies are discovered and researched
• The SOC must align to the business and demonstrate meaningful value

Attack lifecycle (diagram): Research → Infiltration → Discovery → Capture → Exfiltration, with the early stages taking place in their ecosystem and the later ones inside our enterprise.

HP attack lifecycle – what can you actually detect?

Kill chain stages: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, C2, Actions

Detectable activity mapped against those stages:
• External reconnaissance or anomalous communication
• Attack delivery
• Exploitation
• Installation
• C2
• Local compromise
• Internal reconnaissance
• Lateral movement
• Establish persistence

Organization

Chart: raw exposure, residual risk and SOC OpEx in £ by month, November to April, on a £0 to £3,000,000 axis. Data labels recoverable from the chart: £85743, £84392, £101234, £62394, £81923, £76209 (one series of six monthly values) and £2634453, £2545669, £2854883, £2134521, £2432459, £2378906 (the two £-million series; which label belongs to which series is not recoverable from the extraction).

KPI-002/003: Prevented & contained attacks (Business Unit)

Metric description: Measures the number of attacks at the business unit level that are either prevented or contained from causing further damage after initial detection. Frequency: Daily, weekly. Usage: Drives situational awareness of bad actors and allows business units to enact countermeasures based on these bad actors.

Prevented attacks by Business Unit (January 7, 2013), as read from the chart:
• High impact: Baggage 2, Ticketing 2, Checkin 1
• Moderate impact: Baggage 1, Ticketing 3, Checkin 1
• Low impact: Baggage 1, Ticketing 1, Checkin 4

Contained attacks by Business Unit (January 7, 2013), as read from the chart:
• High impact: Baggage 2, Ticketing 1
• Moderate impact: Baggage 1, Checkin 2
• Low impact: Baggage 1, Checkin 3

TM-003: Events per analyst per hour

Metric description: Measures the number of alerts an analyst must research every hour. Measured at both the team and analyst level. Frequency: Daily. Usage: Drives workload balancing, staffing, and training plans.

Charts: events per analyst per hour (EPAH), 7 day rolling average against target, January 7, 2013 (axis 8.0 to 14.0); and EPAH by analyst, actuals not average, for Joe, Mary and Jane (axis 0 to 15).

TM-007: Alerts requiring escalation to higher level of analysis

Metric description: Measures the alerts where an analyst escalates to a higher tier analyst for additional support. This can indicate a training gap or poor use case design. Frequency: Weekly. Usage: Drives analyst development plans and use case design.

Charts: Level 1 and Level 2 escalations, weekly summary (tickets, axis 0 to 40, total versus escalated per level); and escalations by analyst for Mary, Joe and Jane (tickets, axis 0 to 25, total versus escalated).

TM-006: Top 5 use cases where false positives reported

Metric description: Measures the use cases where the recipient of the alert indicates that it was a false positive. Frequency: Daily. Usage: Drives use case development and improvement along with the organizational commitment to quality.

Charts: top 5 use cases with false positives, 7 day rolling average, percentage reported (axis 0% to 20%): SQL Injection from Internal, Brute force SSH password attack, Connection to potential Zeus host, Rogue access point, Connection on port 8000-8002; and all use cases with false positives, percentage reported per day from 1/1/2013 to 1/7/2013 (axis 0% to 20%).
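The three team metrics above (TM-003 events per analyst per hour, TM-007 escalations by level, TM-006 false positive rate per use case) can all be computed from the same per-alert records, which is usually how a SOC produces them from its ticketing or SIEM case data. The block below is an added example, not HP's tooling: the alert records and on-shift hours are constructed sample data, while the analyst and use case names come from the slides. It also includes the 7 day rolling average the dashboard charts use.

```python
"""SOC team metrics TM-003, TM-006 and TM-007 from per-alert records (added example)."""
from collections import Counter, defaultdict
from typing import NamedTuple


class Alert(NamedTuple):
    analyst: str
    level: int            # analyst tier that handled it (1 or 2)
    use_case: str
    escalated: bool       # handed to a higher tier for support
    false_positive: bool  # the alert recipient reported it as a false positive


# Constructed: hours each analyst was on shift in the measured window.
SHIFT_HOURS = {"Joe": 2, "Mary": 2, "Jane": 1}

# Constructed: alerts handled in that window (hypothetical data).
ALERTS = [
    Alert("Joe", 1, "SQL Injection from Internal", False, True),
    Alert("Joe", 1, "SQL Injection from Internal", True, False),
    Alert("Joe", 1, "Brute force SSH password attack", False, True),
    Alert("Joe", 1, "Rogue access point", False, False),
    Alert("Mary", 1, "Connection to potential Zeus host", True, False),
    Alert("Mary", 1, "Connection to potential Zeus host", False, False),
    Alert("Mary", 1, "Connection on port 8000-8002", False, True),
    Alert("Mary", 1, "Rogue access point", False, False),
    Alert("Mary", 1, "Brute force SSH password attack", False, False),
    Alert("Jane", 2, "SQL Injection from Internal", False, False),
    Alert("Jane", 2, "Connection to potential Zeus host", False, False),
    Alert("Jane", 2, "Brute force SSH password attack", True, False),
]


def events_per_analyst_per_hour(alerts, shift_hours):
    """TM-003: alerts handled per hour on shift, per analyst."""
    counts = Counter(a.analyst for a in alerts)
    return {name: counts[name] / hours for name, hours in shift_hours.items()}


def escalations_by_level(alerts):
    """TM-007: total and escalated alerts per analyst tier."""
    totals = defaultdict(lambda: {"total": 0, "escalated": 0})
    for a in alerts:
        totals[a.level]["total"] += 1
        totals[a.level]["escalated"] += int(a.escalated)
    return dict(totals)


def false_positive_rates(alerts, top=5):
    """TM-006: percentage of alerts reported as false positive per use case, worst first."""
    total, fps = Counter(), Counter()
    for a in alerts:
        total[a.use_case] += 1
        fps[a.use_case] += int(a.false_positive)
    rates = [(uc, round(100.0 * fps[uc] / total[uc], 1)) for uc in total]
    rates.sort(key=lambda r: (-r[1], r[0]))   # highest rate first, name breaks ties
    return rates[:top]


def rolling_mean(values, window=7):
    """Rolling average over a window of daily values, as used on the dashboard charts."""
    if len(values) < window:
        return []
    return [round(sum(values[i:i + window]) / window, 2)
            for i in range(len(values) - window + 1)]


if __name__ == "__main__":
    print(events_per_analyst_per_hour(ALERTS, SHIFT_HOURS))
    print(escalations_by_level(ALERTS))
    print(false_positive_rates(ALERTS))
    print(rolling_mean([10, 12, 14, 8, 9, 11, 13, 15]))
```

Keeping the escalation and false positive flags on the alert record itself is what makes TM-006 and TM-007 cheap to produce daily; a use case that tops the false positive list for several days in a row is the content author's tuning backlog, which is the point the Gartner quotations on tuning make.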

KPIs: Sample practices Key Performance Indicators - Executive Dashboard

For each of November ’13, December ’13 and the current period the table gives the daily mean, daily high and daily low; Status is the dashboard’s status indicator as extracted (2 or 1).

ID       Metric                        Nov ’13          Dec ’13          Current period   Trend  Status
                                       mean high low    mean high low    mean high low
KPI-001  Threat Level                  16   21   13     18   28   16     20   27   19     ▲      2
KPI-002  Prevented Attacks             7    9    3      13   23   7      13   16   5      --     2
KPI-003  Contained Attacks             19   21   17     17   19   8      13   17   8      ▼      2
KPI-004  Blacklisted Sources           7    8    6      13   13   12     17   20   16     ▲      2
KPI-005  Cases Opened                  2    3    0      2    3    0      3    4    1      --     2
KPI-006  Case Backlog                  7    8    6      13   15   10     17   20   16     ▲      1
KPI-007  Closed Cases                  2    4    0      4    5    1      3    4    0      --     1
KPI-008  Case Resolution Time (Days)   2.3  4.3  1.2    2.6  6.1  1.3    2.8  8.1  1.4    ▲      2
KPI-009  Log Visibility (Perimeter)    80%  82%  74%    82%  84%  77%    85%  87%  82%    ▲      1
KPI-010  Log Visibility (Internal)     25%  26%  24%    20%  22%  18%    15%  18%  13%    ▼      2

Processes

5G/SOC should break down silos

Silos: A/V, App, IAM, DAM, DLP, WAF, Host, Perimeter

5G/SOC should measure your control effectiveness

Big data analysis

Hunt teams

Use cases:
• Previously unseen connections from DMZ servers
• Previously unseen connections from critical business servers
• Previously unseen executables launching
• Abnormal logins from service accounts
• Abnormal logins from admin accounts

Select a subset of fields to save long term for analytical searches
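The hunt use cases above share one pattern: build a baseline of what has been seen over a long window, then look for today's events that fall outside it. The block below is an added example, not HP code, that implements two of the listed use cases (previously unseen connections from DMZ servers, abnormal logins from service accounts) over constructed log lines, and applies the slide's last point by keeping only a fixed subset of fields from each raw event for long-term search. The log format, host and account names, and the 30-day baselines are all constructed sample data.

```python
"""Baseline-driven hunt checks for two 5G/SOC hunt use cases (added example)."""
import re

DMZ_SERVERS = {"web01", "web02"}
SERVICE_ACCOUNTS = {"svc_backup", "svc_sql"}

# Fields worth keeping long term for analytical searches; the rest of a raw
# event is dropped at parse time (the slide's "subset of fields" point).
LONG_TERM_FIELDS = ("ts", "host", "kind", "dst", "dport", "user", "type")

# Constructed baselines built from the previous 30 days of the same feeds.
BASELINE_CONNECTIONS = {           # (source host, destination IP, destination port)
    ("web01", "10.0.5.10", 1433), ("web01", "10.0.5.20", 443),
    ("web02", "10.0.5.10", 1433), ("web02", "10.0.5.20", 443),
    ("app01", "10.0.5.10", 1433),
}
BASELINE_LOGINS = {                # (account, host logged on to, logon type)
    ("svc_backup", "bkp01", "service"), ("svc_sql", "db01", "service"),
}

# Constructed log lines for the day being hunted (hypothetical format).
TODAY_LOG = """\
2013-01-07T02:14:00 web01 conn dst=10.0.5.10 dport=1433
2013-01-07T02:14:05 web01 conn dst=198.51.100.23 dport=443
2013-01-07T02:15:00 app01 conn dst=10.0.5.99 dport=8080
2013-01-07T02:16:00 web02 conn dst=10.0.5.20 dport=443
2013-01-07T02:20:00 bkp01 logon user=svc_backup type=service
2013-01-07T02:21:00 ws-jones logon user=svc_sql type=interactive
2013-01-07T02:22:00 ws-jones logon user=jones type=interactive
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>conn|logon)\s+(?P<rest>.*)$")


def parse_log(text):
    """Parse the constructed format into dicts, keeping only LONG_TERM_FIELDS."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # skip lines that do not parse
        ev = m.groupdict()
        ev.update(kv.split("=", 1) for kv in ev.pop("rest").split())
        if "dport" in ev:
            ev["dport"] = int(ev["dport"])
        events.append({k: ev[k] for k in LONG_TERM_FIELDS if k in ev})
    return events


def unseen_dmz_connections(events, baseline, dmz=DMZ_SERVERS):
    """Connections from DMZ servers to (destination, port) pairs absent from the baseline."""
    hits = set()
    for ev in events:
        if ev["kind"] != "conn" or ev["host"] not in dmz:
            continue
        key = (ev["host"], ev["dst"], ev["dport"])
        if key not in baseline:
            hits.add(key)
    return sorted(hits)


def abnormal_service_logins(events, baseline, service_accounts=SERVICE_ACCOUNTS):
    """Service-account logons that differ from the baseline, with the reason(s) why."""
    hits = []
    for ev in events:
        if ev["kind"] != "logon" or ev["user"] not in service_accounts:
            continue
        if (ev["user"], ev["host"], ev["type"]) in baseline:
            continue
        reasons = []
        if ev["type"] == "interactive":
            reasons.append("interactive logon by a service account")
        if not any(b[0] == ev["user"] and b[1] == ev["host"] for b in baseline):
            reasons.append("logon from a host never seen for this account")
        hits.append((ev["user"], ev["host"], reasons))
    return hits


if __name__ == "__main__":
    evs = parse_log(TODAY_LOG)
    print(unseen_dmz_connections(evs, BASELINE_CONNECTIONS))
    print(abnormal_service_logins(evs, BASELINE_LOGINS))
```

On the sample data the DMZ check reports only web01 talking to a new external host on 443 (app01's new connection is outside this use case's scope, and the critical-server use case would cover it with its own scope set), and the logon check reports svc_sql used interactively from a workstation it has never logged on to. Each hit is a lead for the hunt team, not an alert: the baseline tells you it is new, the analytical process above tells you whether it matters.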

For more information

Attend these sessions
• BB3260, State of Security Operations
• BB3270, How to Build a Successful SOC
• PN3578, Security Analytics Panel
• TT3035, Bridging the gap: SOC and CSIRT
• BB3101, The Next Big Thing

After the event
• Visit: http://hp.com/go/sioc
  Download the 5G/SOC Whitepaper
  Download the State of Security Operations
• Contact your sales rep

Your feedback is important to us. Please take a few minutes to complete the session survey.

Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session BB3055 Speaker James Blake

Please give me your feedback

Thank you! [email protected] +44 (0) 7917 558639 www.hp.com/go/5GSOC