Why You Need a SOC?
29 April 2019
© 2018 IBM Corporation
[Figure: Cost of a Data Breach Study: highest data breach cost and per-capita cost by industry sector]
Why Are Your Existing Security Controls Never Enough?
Are you sure about your defensive security equipment (firewall, IPS/IDS, antivirus)? Is that equipment enough to keep your company truly safe?
Defensive equipment only keeps out the threats you have configured it to keep out. What about the new threats we do not yet know about?
You need someone, something and some process that keeps your security perimeter constantly updated against new and evolving threats, around the clock.
Security Operations Center: Functions
Main Objectives of a Security Operations Center
- Console for cyber/information security incident management
- Command center to monitor, detect, alert and respond
- Knowledge center for cyber/information security awareness and threat intelligence
- Coordination center for other parties (internal and external organizations)
- Compliance with laws, regulations and standards
Core Components of a Security Operations Center
- Technology: IT infrastructure, SOC room, SIEM
- People: SOC team, expert teams
- Process: incident response framework
IDENTIFY DETECT RESPONSE IMPROVE
The Problems with a Traditional Security Operations Center
Internal visibility only
• Events sourced only from internal logs and network traffic
• Lack of event filtering
• No incident response tracking
Human-only threat monitoring, detection and analysis
• Default detection rules, with no tuning or improvement
• No customized use-case design
• Threat knowledge database not kept up to date
• Ineffective IOC analytics
Manual incident response
• Manual response, with delays and errors
• Ad-hoc incident response
• No drills or exercises
• I need a solution that isn’t a siloed tool that adds to the complexity of security operations
• One that snaps on to the existing security infrastructure
• Simplifies the overly complex security operations
• Gives visibility into higher priority risks and threats from insiders
• Delivers fast time to insider threat detection
• Streamlines investigation to pinpoint threat sources and effective remediation
• Consolidates and leverages existing security data and repositories
• Can be acquired, deployed and utilized with the ease of an app from an app store
Traditional SOC: incident triage, investigation and impact assessment, and remediation take days to weeks.
Cognitive SOC: the same cycle of incident triage, investigation and impact assessment, and remediation takes minutes to hours.
What closes that gap:
- Increased visibility
- Solid identification (use-case design and event filtering)
- External threat intelligence sources
- Artificial intelligence (AI) analytics
- Incident response playbooks
- Automated response platform
Cognitive SOC = Threat Intelligence + AI for cyber security + automated monitoring, detection and response
(Cyber) Threat Intelligence
Cyber threat intelligence (CTI) is an area of cybersecurity that focuses on the collection and analysis of information about current and potential attacks that threaten the safety of an organization or its assets.
Sources: advisories, bulletins, exploits, malware databases, blacklists of IPs/spammers/botnets
SOC knowledge management, dynamic bulletins
Threat intelligence provider:
- Choose a threat intelligence provider based on business threat modeling
- Implement the threat intelligence feed/console
- Link the threat intelligence feed up to the SIEM
- (Optional) Build your own threat intelligence
- Share with, or join, the threat intelligence sharing group for your own sector
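The earlier slide names "lack of event filtering", "default detection rules with no tuning" and "ineffective IOC analytics" as the weaknesses of a traditional SOC, and this slide says to link the threat intelligence feed into the SIEM. The script below is an added example, not code from the deck or from any IBM or SECUREiNFO product: it parses constructed sshd-style log lines, applies an allowlist filter, runs a tuned use case (five failed logins followed by a successful one from the same source inside 60 seconds), runs a plain IOC match against a constructed threat intelligence feed, and uses the feed to set the severity of the behavioural alert. The log lines, the feed, the allowlist, the field names and the threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (not real data). 203.0.113.45 runs a
# password-guessing attack that ends in a successful login; 10.0.9.9 is a
# credentialed vulnerability scanner that produces the same pattern legitimately.
SAMPLE_LOGS = """\
2019-04-29T08:00:01Z sshd[1201]: Failed password for root from 203.0.113.45 port 52201 ssh2
2019-04-29T08:00:03Z sshd[1201]: Failed password for root from 203.0.113.45 port 52202 ssh2
2019-04-29T08:00:04Z sshd[1201]: Failed password for admin from 203.0.113.45 port 52203 ssh2
2019-04-29T08:00:06Z sshd[1201]: Failed password for root from 203.0.113.45 port 52204 ssh2
2019-04-29T08:00:07Z sshd[1201]: Failed password for root from 203.0.113.45 port 52205 ssh2
2019-04-29T08:00:09Z sshd[1201]: Accepted password for root from 203.0.113.45 port 52206 ssh2
2019-04-29T08:01:10Z sshd[1202]: Failed password for jdoe from 10.0.5.20 port 41000 ssh2
2019-04-29T08:01:12Z sshd[1202]: Accepted password for jdoe from 10.0.5.20 port 41001 ssh2
2019-04-29T08:02:00Z sshd[1203]: Failed password for admin from 10.0.9.9 port 50001 ssh2
2019-04-29T08:02:01Z sshd[1203]: Failed password for admin from 10.0.9.9 port 50002 ssh2
2019-04-29T08:02:02Z sshd[1203]: Failed password for guest from 10.0.9.9 port 50003 ssh2
2019-04-29T08:02:03Z sshd[1203]: Failed password for test from 10.0.9.9 port 50004 ssh2
2019-04-29T08:02:04Z sshd[1203]: Failed password for oracle from 10.0.9.9 port 50005 ssh2
2019-04-29T08:02:05Z sshd[1203]: Accepted publickey for nessus from 10.0.9.9 port 50006 ssh2
2019-04-29T08:05:00Z sshd[1204]: Accepted publickey for backup from 198.51.100.7 port 60000 ssh2
"""

# Constructed threat-intelligence feed keyed by IOC (what "link TI to SIEM" delivers).
TI_FEED = {
    "203.0.113.45": {"type": "bruteforce-scanner", "confidence": 90, "source": "example-feed"},
    "198.51.100.7": {"type": "c2", "confidence": 60, "source": "example-feed"},
}

# Tuning: known-noisy internal sources suppressed before correlation (assumed list).
ALLOWLIST = {"10.0.9.9"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(lines):
    """Normalize raw log lines into event dicts, oldest first; non-matching lines are dropped."""
    events = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])

def filter_events(events, allowlist=ALLOWLIST):
    """Event filtering: drop allowlisted sources so they cannot fire use cases."""
    return [e for e in events if e["ip"] not in allowlist]

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Tuned use case: >= threshold failures inside the window, then a success, from one IP.
    A default 'N failures' rule fires on every scanner; requiring the success keeps only
    the sequences that look like an actual account compromise."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        recent = deque()  # failure timestamps still inside the sliding window
        for e in evs:
            while recent and e["ts"] - recent[0] > window:
                recent.popleft()
            if e["result"] == "Failed":
                recent.append(e["ts"])
            elif len(recent) >= threshold:
                alerts.append({"rule": "ssh-bruteforce-then-success", "ip": ip,
                               "user": e["user"], "ts": e["ts"], "failures": len(recent)})
                recent.clear()
    return alerts

def detect_ioc_hits(events, feed=TI_FEED):
    """IOC analytic: any successful login from an address present in the TI feed."""
    return [{"rule": "login-from-ti-listed-ip", "ip": e["ip"], "user": e["user"],
             "ts": e["ts"], "ti": feed[e["ip"]]}
            for e in events if e["result"] == "Accepted" and e["ip"] in feed]

def enrich(alert, feed=TI_FEED):
    """Attach TI context to a behavioural alert and derive a severity for triage."""
    hit = feed.get(alert["ip"])
    alert["ti"] = hit
    alert["severity"] = "critical" if hit and hit["confidence"] >= 80 else "high"
    return alert

def run(lines=SAMPLE_LOGS, use_allowlist=True):
    events = parse(lines)
    if use_allowlist:
        events = filter_events(events)
    return {"bruteforce": [enrich(a) for a in detect_bruteforce(events)],
            "ioc_hits": detect_ioc_hits(events)}

if __name__ == "__main__":
    for kind, alerts in run().items():
        for a in alerts:
            print(kind, a.get("severity", "-"), a["ip"], a["user"], a["ts"].isoformat())
```

Running it with the allowlist switched off (`run(use_allowlist=False)`) produces a second brute-force alert for the scanner, which is exactly the false positive the "no tuning" SOC would page an analyst for; the TI lookup is what lifts the real attacker's alert to critical so it is triaged first.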
ICEBERG of Cyber Security Knowledge
Human-generated knowledge (a universe of security knowledge, dark to your defenses):
• Industry publications
• Forensic information
• Threat intelligence commentary
• Analyst reports
• Conference presentations
• News sources
• Newsletters
• Tweets
• Wikis
Typical organizations leverage only 8% of this content*
Volume: 200K+ security events viewed each day; 10K security research papers per year; 720K security blogs per year; 180K security-related news articles per year; 75K+ reported software vulnerabilities
Traditional security data:
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds
* Forrester Research: Can You Give The Business The Data That It Needs?, 2013
IBM Watson for Cyber Security
*IBM intends to deliver in the future as a QRadar app
Corpus of knowledge (human-generated security knowledge, sourced by IBM Security): threat databases, research reports, security textbooks, vulnerability disclosures, popular websites, blogs and social activity, other
Enterprise (security analytics, correlated enterprise data): security events, user activity, configuration information, vulnerability results, system and app logs, security policies, other
QRadar Advisor with Watson for Cyber Security unlocks a new partnership between security analysts and their technology.
Security analytics (feeding the security analysts): data correlation, pattern identification, thresholds, policies, anomaly detection, prioritization
QRadar Advisor sends to Watson for Cyber Security: alerts, security events and anomalies, user activity, vulnerabilities, configuration, other
Watson for Cyber Security returns: threat identification, additional indicators, relationships, evidence
Cognitive Security Operations Center
Essential CSOC Concept
Three pillars: Technology Leader, Best Practice Process, Professional People
Cognitive Security Operations Center: People
External/internal context parties
- Prepare a coordination interface to support the internal/external context
- Define competencies, roles and responsibilities for the offense/defense teams
Roles:
- SOC Manager
- L3: Threat Response Analyst
- L2: Threat Triage Analyst
- L1: Threat Monitoring Analyst
- SOC/SIEM Engineer
- Red Team
- Threat Hunter / Intelligence Analyst
- Security Architect
Clear career path: L1 to L2 to L3, then on to SOC Engineer, Threat Intelligence, Red Team, SOC Manager or Security Architect
Cognitive Security Operations Center: Technology
SIEM with multiple sources: events/logs, network, endpoint, vulnerability, cloud
Use-case orchestration
Automated IR: playbook tracking, playbook orchestration, automated response
Cyber range/drill: pentest/VA, forensics, drill playbook, cyber range platform, cyber range courseware
Physical: DC, DR, physical controls (physical security)
Service desk: email/messaging system, ticketing system, console portal, knowledge management system (provision a service desk solution)
SOC components: IDENTIFY, DETECT, RESPONSE, IMPROVE
SOC infrastructure (defense-in-depth design): security devices, endpoint security, SOC PCs, network devices, virtualization, patch management, backup system
Sandbox
Threat intelligence
AI/ML: threat detection tracking, predictive analytics, incident response console
Cognitive Security Operations Center: Process
- Produce the incident response policy/procedure (ISO/IEC 27001 A.16 Information security incident management)
- Define the operating framework with an improvement concept
- Exercise, tune, improve and update
IDENTIFY: threat modeling, use-case design
DETECT: deploy use-cases, anomaly/prediction analytics, threat detection procedure, threat intelligence/hunting, AI/ML analytics
RESPONSE: IR playbook, forensic procedure, coordination procedure
IMPROVE: cyber range incident response drill, update use-cases/playbooks, training and awareness, threat intelligence bulletin
SECUREiNFO: Cyber Security Operation Center Service
SERVICE PORTFOLIO
Cyber Security Risk Assessment
• Penetration Testing
• Compliance Audit
• Security Gap Assessment
Managed Security Service (MSS)
• CSOC Service: Threat Monitoring, Analysis, Response and Improvement
• Incident Response (manual/automated)
• Threat Intelligence/Hunting
• CSOC Improvement/Turnkey
Cyber Security Consultant
• Security Advisory Services
• Security Staff Outsourcing
• Security Solution Deployment and Integration
Security Education and Enablement
• Professional Security Training
• Customized Security Workshop
SECUREiNFO: Essential CSOC Concept
Technology Leader: AI (Watson for Cyber Security) technology; global threat intelligence capability
Professional People: 24x7 CSOC operations staff; emergency response team; professional cyber security team
Best Practice Process: global CSOC standard and framework; use-case design and tuning; incident response playbook
IDENTIFY DETECT RESPONSE IMPROVE
Key Features: SOC SECUREiNFO
AI for Cyber Security: effective and accurate incident analytics and monitoring with leading world-class AI
Cognitive Threat Intelligence: improved SOC visibility and proactive monitoring with cyber threat intelligence big data
Incident Management Portal: automated and adaptive remediation with a leading incident response platform
Integrated Multi-Source: security services such as emergency response, SOC consulting, SOC assessment, SOC drill, SOC improvement and SOC staff outsourcing
Incident Response Platform: we provide an incident response management system based on the global SOC framework of IBM Security Services