Page 1: John Blamire – CEO Falanx Group Limited Steve Heneghan – CTO Falanx Assuria Limited Terry Pudwell – Director & Co-Founder Assuria Limited Tom Evans – COO

John Blamire – CEO Falanx Group Limited
Steve Heneghan – CTO Falanx Assuria Limited
Terry Pudwell – Director & Co-Founder Assuria Limited
Tom Evans – COO Falanx Assuria Limited

Security Monitoring as a Managed Service

Page 2:

COMMERCIAL IN CONFIDENCE

The Threat

Page 3:

Steve Heneghan – CTO Falanx Assuria Limited

Page 4:

Cyber Security Challenges

• Legal liability increasing
– Business now has much greater legal liability to employees and customers over the stewardship of data and consequential loss
– PCI-DSS, Sarbanes-Oxley, Basel II, HIPAA, DPA

• Users represent the highest risk
– Often not aware of their responsibilities
– Rarely made accountable for their actions

• Difficult to determine risk
– What are the attacks, threats and vulnerabilities?
– Which are the priority?
– How to remediate?

• Companies are ill prepared for a security incident
– Time to spot
– Time to fix
– True impact on the business

Page 5:

What is Cyber Security Monitoring?
• It is proactive defence that monitors:
– Human threat behaviour
– Poor procedures
– Technical threats
– Technical vulnerabilities
• It does this by collecting disparate information system activity, then filtering, correlating and analysing the data to identify threats
• It provides a central Cyber Security Operations Centre (CSOC) that manages the monitoring and alerting of security related events
• Provides evidence of care following recognised good practice
– Supports defence of reasonable use and care in stewardship of 3rd party data
– Supports forensic investigations

Page 6:

Security Monitoring - where do you start?
• Compliance driven (Accreditation, Certification)?
• Risk managed approach
– Risks (business)
– Threats (business translated to information, information systems and technology)
– Vulnerabilities
– Controls & Counter Measures
• Are there any standards?

[Chart: Cost of Security Counter Measures vs Cost of Breach]

Page 7:

Baseline Security Monitoring
• Good Practice Guide 13 (GPG-13) – Protective Monitoring
• Published and mandated by UK Government
– CESG, the Information Assurance arm of GCHQ, ‘the definitive voice on the technical aspects of Information Security in Government’ (CESG has since been absorbed into the National Cyber Security Centre (NCSC); check the NCSC site for the current status of GPG-13 before building a programme to it)
• For different types of Government data GPG-13 defines:
– What to RECORD, what to REPORT, what to ALERT
• It supports pro-active defence

Page 8:

Baseline Security Monitoring
• Audit logs are generated by almost everything in an IT infrastructure
– Servers, workstations, applications
– Databases, routers, switches, firewalls, etc.
• Audit logs include audit events - a record of actions completed
– User logons, file deletions, configuration changes, etc.
• The analysis and correlation of the audit events can identify suspicious behaviour on systems, either from humans or from other systems
• GPG-13 specifies 12 Protective Monitoring Controls (PMC1–PMC12) that define WHAT, not HOW

Page 9:

Record (Log) the relevant things
• Policy
– Information Security
– Acceptable Usage
– Legal/Regulatory
• Infrastructure
– Firewalls, IDS/IPS, VPNs
– Switches, Routers, Network Devices
– DNS Requests, Packets, Connections
• Server / EUC
– Connections, Authentication, Errors
– Processes, Daemons, Ports
– Changes, Patches, Software, Registry
• Applications
– Connections, Malformed Requests
– Authentication, Errors
– Changes

Page 10:

Not Just Internal - Combine Intelligence
• Business
– Internal Knowledge
– Business Logic
• Feeds
– Vendors
– Blacklists/Whitelists
– Vulnerability Feeds
– Malware Feeds
– IOC Feeds
• Communities
– CERT
– CISP
– Industry
– Peer Groups

Page 11:

Understand Your Business & Go Anomaly Hunting
• IP / DNS
– Short random domains?
– Timing / Frequency / Size
– High count on limited hosts
– Burst activity after other event
– HTTP Headers / User Agents / Content
– Domain Age
– Unusual Service Usage
• Processes
– New / Unknown
– Short file names
– Executable in tmp
– Rare Executables
– Runtime Execution
– Injection / Hiding / Obfuscation
• Account Activity
– System / Service Accounts
– Success vs Failure
– New privileged accounts
– Empty log

Page 12:

Interpret what to Record, Report and Alert
• Record
– Relevant events vs all events
– Start small but meaningful – critical systems / boundary devices
• Report
– Realistic actionable items:
– Top 10 failed URL requests vs top 10,000
– All failed user log-ins vs failed admin log-ins vs key user log-ins
• Alert
– Distinguish between alerts that require immediate action (e.g. breach) and those that require action at some point soon (e.g. policy exception)
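The anomaly-hunting indicators on page 11 and the Record / Report / Alert split on page 12 are the kind of logic a SIEM content rule or a SOC analyst's script implements. The following is an added example, not code from the deck or from Assuria: it runs a few of those checks (short random domains per host, failed admin vs user log-ins, top-N failed URLs, new privileged group membership, executables in tmp) over a constructed set of already-normalised events and sorts the resulting alerts into "immediate" and "soon". The event list, the ADMIN_ACCOUNTS and PRIVILEGED_GROUPS sets and every threshold are assumptions chosen for illustration.

```python
"""Anomaly hunting and Record / Report / Alert over constructed audit events.

Added example (not code from the deck or from Assuria). The events, the
ADMIN_ACCOUNTS / PRIVILEGED_GROUPS sets and every threshold are assumptions.
"""
import math
from collections import Counter

# Constructed, already-normalised events. In a SIEM these would come from DNS
# resolver logs, domain controller / auth.log, web access logs and EDR.
EVENTS = [
    {"type": "dns", "host": "ws-042", "qname": "www.google.com"},
    {"type": "dns", "host": "ws-042", "qname": "kq7x2zfe.info"},
    {"type": "dns", "host": "ws-042", "qname": "pzt4nq9k.biz"},
    {"type": "dns", "host": "ws-017", "qname": "update.microsoft.com"},
    {"type": "auth", "host": "dc-01", "user": "alice", "outcome": "failure"},
    {"type": "auth", "host": "dc-01", "user": "alice", "outcome": "success"},
    {"type": "auth", "host": "dc-01", "user": "administrator", "outcome": "failure"},
    {"type": "auth", "host": "dc-01", "user": "administrator", "outcome": "failure"},
    {"type": "auth", "host": "dc-01", "user": "administrator", "outcome": "failure"},
    {"type": "account", "host": "dc-01", "by": "bob", "user": "svc_backup2",
     "action": "added_to_group", "group": "Domain Admins"},
    {"type": "process", "host": "ws-042", "user": "alice", "image": "/tmp/.x/kworker"},
    {"type": "http", "host": "web-01", "url": "/admin/login", "status": 401},
    {"type": "http", "host": "web-01", "url": "/admin/login", "status": 401},
    {"type": "http", "host": "web-01", "url": "/wp-login.php", "status": 404},
    {"type": "http", "host": "web-01", "url": "/index.html", "status": 200},
]

ADMIN_ACCOUNTS = {"administrator", "root", "bob"}                            # assumed
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "wheel", "sudo"}  # assumed
ADMIN_FAILURE_THRESHOLD = 3                                                  # assumed
DGA_HOST_THRESHOLD = 2                                                       # assumed


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(qname):
    """'Short random domain' heuristic: a registrable label that is long enough,
    high-entropy and vowel-poor. Heuristic only, so expect some false positives
    on consonant-heavy brand names; the per-host count below offsets that."""
    parts = qname.rstrip(".").split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]            # naive: ignores multi-part public suffixes such as co.uk
    if len(label) < 7:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 2.8 and vowel_ratio <= 0.25


def dga_hosts(events):
    """IP / DNS: DGA-like lookups per host (a high count on a few hosts is the signal)."""
    return dict(Counter(e["host"] for e in events
                        if e["type"] == "dns" and is_dga_like(e["qname"])))


def failed_login_report(events):
    """Report: failed admin log-ins separately from failed user log-ins."""
    failed = Counter(e["user"] for e in events
                     if e["type"] == "auth" and e["outcome"] == "failure")
    return {"admin": {u: c for u, c in failed.items() if u in ADMIN_ACCOUNTS},
            "user": {u: c for u, c in failed.items() if u not in ADMIN_ACCOUNTS}}


def top_failed_urls(events, n=10):
    """Report: the top-N failed URL requests (4xx/5xx), not the top 10,000."""
    failed = Counter(e["url"] for e in events if e["type"] == "http" and e["status"] >= 400)
    return failed.most_common(n)


def alerts(events):
    """Alert: 'immediate' (possible breach) listed before 'soon' (policy exception)."""
    out = []
    for e in events:
        if e["type"] == "account" and e.get("group") in PRIVILEGED_GROUPS:
            out.append(("immediate", f"{e['by']} added {e['user']} to {e['group']} on {e['host']}"))
        elif e["type"] == "process" and e["image"].startswith("/tmp/"):
            out.append(("soon", f"executable run from tmp on {e['host']}: {e['image']} by {e['user']}"))
    for user, count in failed_login_report(events)["admin"].items():
        if count >= ADMIN_FAILURE_THRESHOLD:
            out.append(("immediate", f"{count} failed log-ins for privileged account {user}"))
    for host, count in dga_hosts(events).items():
        if count >= DGA_HOST_THRESHOLD:
            out.append(("immediate", f"{count} DGA-like DNS lookups from {host}"))
    return sorted(out, key=lambda a: a[0] != "immediate")   # stable sort: immediate first


if __name__ == "__main__":
    for severity, text in alerts(EVENTS):
        print(f"[{severity}] {text}")
    print(failed_login_report(EVENTS))
    print(top_failed_urls(EVENTS))
```

Run on the constructed events it raises three "immediate" alerts (the Domain Admins addition, three failed administrator log-ins, two DGA-like lookups from ws-042) and one "soon" alert (the executable under /tmp), while alice's single failed log-in is kept in the report rather than alerted. The entropy heuristic is deliberately crude; in production a public suffix list and a domain-age lookup (page 11) would be used before trusting a single hit.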

Page 13:

Iterative and On-Going
• Requirements – which recording profile is applicable?
• Scope – which devices are in scope?
– Classify servers, workstations and devices
• Configure auditing and log manager
– Configure auditing on systems and devices
• Collect and analyse
– Securely collect the logs and analyse as required for the recording profile
• Reports and Alerts
– Alert as required
– Report as required
– Are the recording profile requirements being met?

Page 14:

Managed Service Security Monitoring Components
[Diagram: Client Estate (Data Sets) → Events → Monitoring Toolset → Alerts]

Page 15:

[Diagram: Events → Monitoring Toolset → Alerts → Potential Incidents → Confirmed Incidents → Client; False Positives are filtered out at each stage by Automation, Experience and Knowledge]

Page 16:

Security Monitoring Architecture designed in
• Automated build and deploy of CSOC components
• Provides key components pre-integrated for security monitoring services
• Integrates with external agencies where required
• Segregates data between customers and between different assurance levels
• Allows secure, auditable remote access for Analysts and Support Partners
• Provides ability to self monitor

Page 17:

Benefits of Protective Monitoring
• Non-intrusive
• A single cyber security picture of your IT networks, platforms and policies
• Helps identify and protect your key assets and information
• Captures who is accessing your systems and information
• Identifies non-compliances:
– Regulatory requirements, standards and local policies of configuration and acceptable usage
• Reduces probability of attack / misuse
• Reduces impact of an attack / misuse
• Provides forensic evidence to support legal or regulatory investigation

Page 18:

Terry Pudwell – Director and Co-Founder Assuria Limited

Page 19:

Security Monitoring Targets
• People (end users, partners, 3rd parties)
– Use of applications, credentials, USB devices, web surfing, email, file permissions, dates/times, resource usage etc.
• People (trusted or privileged users, e.g. system administrators)
– Configuration changes, administration duties, use of security controls, implementing new services, updated software, security patches
• People (oversight functions) (i.e. Audit the Auditors!)
• Security devices/systems
– Network Firewalls, Web Application Firewalls, Anti Virus, IDS/IPS, Mobile Device Management, network devices, physical security etc.
• Operational systems
– Business applications, databases, e-commerce, banking
– Communications systems, financial control systems

Page 20:

SIEM technology underpins all of this
• Security Information and Event Management (SIEM) provides visibility into and recording of all activity which is of security interest or value:
– Collect, store and organise event and activity data from anything
– Create secure, forensically sound audit trails
– Correlate different events across the whole network
– Search and report (on-demand) for forensic investigations
– Monitor specific activities at source (where practical) and raise alerts in near real-time
– Configurable, automated analysis, reporting & alerting
– Generation of reports, alerts and alarms
– Feed threat analysis results and data to SOC security analysts and external oversight systems

Page 21:

Essential SIEM qualities
• Ability to collect event and activity data from anything that is currently employed within IT and control systems functions
• Easily extensible to bring new environments, systems and devices into the monitoring service (future proofing)
• Easily deployable in all environments, including on-premise Data Centre, Public Cloud, Private Cloud, Hybrid Cloud
• Rapid deployment (initial results within days/weeks, not months/years!)
• Log data enrichment through threat intelligence, geo-location, configuration data, vulnerability state, patch state, and more
• Forensic integrity of log data (i.e. forensic chain of custody)
• Resilient collection (i.e. guaranteed delivery of log data - no loss)
• Pre-configured to meet Industry standards (e.g. GPG-13, ISO27001)
• Integration with 3rd party solutions/services (e.g. ticketing systems)
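"Forensically sound audit trails" (page 20) and "forensic integrity" plus "guaranteed delivery - no loss" (page 21) are testable properties, not just checkbox features. The following added example, which is not Assuria Log Manager code and not from the deck, shows the minimum mechanism that gives both: each log entry carries a sequence number, the MAC of the previous entry and an HMAC over all three, so an edited record, a reordered or deleted entry and a gap in delivery are all detectable on verification. The collector key, the record format and the sample records are constructed for illustration; the assumption that the key is held by the collector rather than the monitored host is what stops an attacker with write access to the host from simply re-MACing the file.

```python
"""Forensically sound audit trail: an HMAC hash chain with sequence numbers.

Added example (not Assuria Log Manager code and not from the deck). The key,
the record format and the sample records are constructed for illustration.
"""
import hashlib
import hmac
import json

# Assumption: the key lives on the collector, not on the monitored host, so an
# attacker who gains write access to the host's log files cannot re-MAC them.
COLLECTOR_KEY = b"demo-collector-key-do-not-reuse"

GENESIS = "0" * 64   # prev-link of the first entry

# Constructed sample records (syslog-style, already parsed to fields).
SAMPLE_RECORDS = [
    {"ts": "2014-06-01T09:01:00Z", "host": "web-01", "msg": "sshd: Failed password for root from 203.0.113.7"},
    {"ts": "2014-06-01T09:01:04Z", "host": "web-01", "msg": "sshd: Failed password for root from 203.0.113.7"},
    {"ts": "2014-06-01T09:01:09Z", "host": "web-01", "msg": "sshd: Accepted password for root from 203.0.113.7"},
    {"ts": "2014-06-01T09:02:30Z", "host": "web-01", "msg": "useradd: new user: name=svc2, UID=0"},
]


def _mac(key, seq, prev, record):
    """HMAC over (seq, prev-link, canonical record); canonical JSON so field order cannot vary."""
    msg = f"{seq}\n{prev}\n".encode() + json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(chain, record, key=COLLECTOR_KEY):
    """Append a record; the entry commits to its position and to everything before it."""
    seq = chain[-1]["seq"] + 1 if chain else 1
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record, "mac": _mac(key, seq, prev, record)}
    chain.append(entry)
    return entry


def verify(chain, key=COLLECTOR_KEY):
    """Return (ok, problems). Catches edited records, broken links and gaps in delivery."""
    problems = []
    expected_seq, prev = 1, GENESIS
    for entry in chain:
        if entry["seq"] != expected_seq:
            problems.append(f"gap: expected seq {expected_seq}, found {entry['seq']}")
        if entry["prev"] != prev:
            problems.append(f"seq {entry['seq']}: prev link does not match previous MAC")
        if not hmac.compare_digest(entry["mac"], _mac(key, entry["seq"], entry["prev"], entry["record"])):
            problems.append(f"seq {entry['seq']}: MAC mismatch (record or header altered)")
        prev, expected_seq = entry["mac"], entry["seq"] + 1
    return not problems, problems


def tail_matches(chain, anchor):
    """Truncation from the end leaves a valid chain, so the collector also keeps
    (seq, mac) of the newest entry out of band and compares it here."""
    return bool(chain) and (chain[-1]["seq"], chain[-1]["mac"]) == anchor


def build_sample_chain():
    chain = []
    for record in SAMPLE_RECORDS:
        append(chain, record)
    return chain


def tamper_cases():
    """Constructed manipulations and what verify() / tail_matches() say about each."""
    good = build_sample_chain()
    anchor = (good[-1]["seq"], good[-1]["mac"])

    edited = json.loads(json.dumps(good))                 # deep copy
    edited[2]["record"]["msg"] = "sshd: Failed password for root from 203.0.113.7"  # hide the success

    rekeyed = json.loads(json.dumps(good))                # attacker recomputes the MAC without the key
    rekeyed[2]["record"]["msg"] = edited[2]["record"]["msg"]
    rekeyed[2]["mac"] = _mac(b"guessed-key", 3, rekeyed[2]["prev"], rekeyed[2]["record"])

    deleted = good[:2] + good[3:]                         # drop seq 3 (the successful logon)
    truncated = good[:-1]                                 # drop the newest entry (the useradd)

    return {
        "good": verify(good),
        "edited": verify(edited),
        "rekeyed": verify(rekeyed),
        "deleted": verify(deleted),
        "truncated_chain_ok": verify(truncated)[0],
        "truncated_tail_ok": tail_matches(truncated, anchor),
    }


if __name__ == "__main__":
    for name, outcome in tamper_cases().items():
        print(name, outcome)
```

The deleted-entry case is the "guaranteed delivery" check: a collector that sees seq 4 after seq 2 knows a record was lost or removed, rather than silently ingesting a shorter log. The truncated case shows why the chain alone is not a chain of custody: dropping the newest entries leaves a perfectly valid chain, so the collector must record the latest (seq, mac) somewhere the host cannot reach. A forward-secure scheme (evolving the key after each entry) would be needed if the MAC key has to live on the monitored host itself.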

Page 22:

Tom Evans – COO Falanx Assuria Limited

Page 23:

What’s in a CSOC?
• STRATEGY
– Purpose of the CSOC
– Compliance
– Risk
– “Customer”
• ENVIRONMENT
– Physical
– Hosting of CSOC Tools
– Data Storage
– Security
• STANDARDS
– ISO/IEC 9001, 20000, 27001
– ITIL
– IMS
• TECHNOLOGY
– SIEM Tool
– Ticketing
– Databases
– Licensing
– Integration Services & Information Exchanges

Page 24:

What’s in a CSOC?
• PROCESSES & PROCEDURES
– Controls (GPG-13?)
– Documentation
– Operating plans
– BC / DR
• INTELLIGENCE & KNOWLEDGE-BASE
– Targeted intelligence feeds?
– Wide field of view
– Experience & Skills driven?
• STAFFING
– In-house / external?
– 24 x 7 operations?
– Clearances
– Career progression
– Motivation and the team
– Senior Analysts: a minimum of 5 years experience in the role; shift leader / team management responsibilities; GIAC Certified Intrusion Analyst or Incident Handler
– Junior Analysts: IT or IT Security degree; experience of working in IT support; working towards MCSE, RHCT, CISSP, CCNA, etc.; SANS SEC401: Security Essentials Bootcamp (GIAC GSEC)
– Other: CSOC Manager, Compliance Manager, Technology Lead / CTO, etc.

Page 25:

What’s in a CSOC?
£ Continuous Investment

Page 26:

Managing YOUR risk
• How to do it? Monitor your estate and the wider context
• CESG guide – Choosing a Service Delivery Model
• In house
+ Intimate knowledge of estate and business processes
+ You have complete control
+ Assurance that no data leaves your boundary
‒ Limited visibility of threat landscape
‒ Recruitment and retention
‒ Ongoing commitment to training
‒ Length of time to establish
‒ Cost £££
• Outsource
‒ Data leaves your boundary
‒ Relies on suitable knowledge transfer to understand your risks
+ Dedicated security organisation specialising in monitoring
+ Investment into facility is borne by supplier
+ Expert advice and specialist services
+ Allows you to focus on your core business and invest in appropriate areas
+ Broader visibility across multiple customers
+ Utility model enables significant cost savings
+ Data available for transfer back at any time

Page 27:

In summary…
• Ultimately the decision to monitor is either enforced (compliance) or risk driven
• How to deliver against the requirements is your decision – we want you to be informed
• This isn’t fire and forget – the threat is constantly evolving
– Protect your critical data. Know what’s happening in your estate
– Whatever you choose, engage with the process for maximum value
– Start with the best practice, improve over time
– Focus on your incident response capability. Balance your budget and protect your brand.
– Review as your business changes, risks change and adapt as appropriate

Page 28:

Cyber Defence Solutions

Page 29:

Falanx Assuria Limited
Europoint Centre
5-11 Lavington Street
London
SE1 0NZ

T: 00 44 (0) 20 7856 9457
F: 00 44 (0) 20 7900 3387
E: [email protected]

Assuria and Assuria Log Manager are registered trade marks of Assuria Limited