IBM Security Services

Building a Security Operations Center

Engin Özbay
IBM Security, Turkey
enginoz@tr.ibm.com

© 2015 IBM Corporation


Security operations in a changing environment
The current environment is putting new demands on security operations

Drivers of change:
- New business models
- Velocity of threats
- New technologies: mobile collaboration / cloud / 3rd party services, BYOD, virtualization
- Large existing IT infrastructures with a globalized workforce and a growing customer base
- Social business and blurring social identities
- Evolving regulations

Potential impacts:
- Malware infection ($$$)
- Data or device loss or theft
- Loss of productivity
- Regulatory fines
- Data leakage


Why do we build operational security controls & capabilities?

- Reduce enterprise risk. Protect the business.
- Move from reactive response to proactive mitigation.
- Increase visibility over the environment.
- Meet compliance/regulatory requirements.


What is a Security Operations Center, or SOC?

A Security Operations Center is a highly skilled team following defined processes and procedures to manage threats and reduce security risk.

Security Operations Centers (SOC) are designed to:
- protect mission-critical data and assets
- prepare for and respond to cyber emergencies
- help provide continuity and efficient recovery
- fortify the business infrastructure

The SOC's major responsibilities are:
- Monitor, Analyze, Correlate & Escalate Intrusion Events
- Develop Appropriate Responses: Protect, Detect, Respond
- Conduct Incident Management and Forensic Investigation
- Maintain Security Community Relationships
- Assist in Crisis Operations


Security operations centers must be responsive to the evolving threats and provide management the information and control that it needs

The SOC:
- Must demonstrate compliance with regulations
- Protect intellectual property and ensure privacy properly
- Manage security operations effectively and efficiently
- Provide real-time insight into the current security posture of your organization
- Provide security intelligence and the impact of threats on the organization
- Enable your organization to know who did what, when - and prove it (evidence)

But it's not that simple...


Designing and building a SOC requires a solid understanding of the business needs and the resources that IT can deploy

- Multiple stakeholders, processes and technologies to consider
- Personnel skills: security analysts, shift leads, SOC managers
- An operational process framework
- Physical space requirements and location


There is no app for that

Client Success

Compliance & Reporting

Technology Scope: Identity & Access, Application Monitoring, Brand Monitoring, Log Integrity, Firewall, IDPS, DLP

People: In-House, Co-Deliver, Outsource

Functionality:
  Security Intelligence    ON     Security Monitoring    ON
  Compliance Management    OFF    Correlation Rules      ON
  Device Management        OFF    Incident Escalation    ON
  Policy Management        OFF    Incident Response      OFF

Escalations & Notifications

"Don't be a FOOL and think you just need to buy a TOOL"
Building a Security Operations Center involves multiple domains

People
- Do you need 24x7x365 staff?
- What are the skills needed?
- Where do you get staff?
- What about training?
- How do you keep staff?
- Metrics to measure performance
- Capacity planning

Process
- What does the plan look like?
- How do we measure progress and goals?
- What is the optimal design of core processes? (e.g. incident management, tuning, etc.)
- Process and continual improvement

Technology
- SIEM architecture & use cases
- Log types and logging options
- Platform integrations: ticketing, governance, big data
- Web services to integrate them
- Technology should improve effectiveness and efficiency

Governance / Metrics
- Dashboard visibility and oversight
- Policy, measurement and enforcement
- Integrated governance that balances daily operations with strategic planning
- Ministry objectives
- Informing stakeholders
- Informing employees
SOC Models

The changing requirements for enterprise security & risk management, coupled with technology advancements, have triggered a paradigm shift in the design and ongoing administration of a SOC.

                       Legacy SOC                            Optimized SOC
Mission & Strategy
  Charter              Technology or service only            Build a dedicated security operations capability
  Governance           Self governed (IT Security)           Cross-functional (IT, Business, Audit, etc.)
  Strategy             Budget based, 12 month planning cycle 3+ year cycle, priorities set by enterprise
Technology
  Detect & Tools       SIEM tool only                        SIEM, ticketing, portal/dashboard, Big Data
  Use Cases            Standard rules, minimal customization Tailored rules based on risk & compliance drivers
  Referential Data     Minimal importance, secondary priority Required data, used to prioritize work
Operations
  Management           Silos, ticket/technology driven       Cross-functional, efficiency, quality, KPI/SLO/SLA
  Measures / Reporting Ticket/technology driven              Metrics, analytics, scorecards & dashboards

Legacy SOC: react to threats. Optimized SOC: proactive, visible; anticipate threats, mitigate risks.
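The "Monitor, Analyze, Correlate & Escalate" responsibility from the SOC definition, combined with the optimized-SOC idea of tailored rules and referential data used to prioritize work, shown as one small pipeline. This is an added example for this deck, not IBM code and not any SIEM product's rule language; the brute-force rule, its thresholds, the asset-criticality table, the escalation cut-off and the log lines are all constructed for illustration.

```python
"""Monitor -> analyze -> correlate -> escalate over a constructed log sample.

Added example for this deck; it is not IBM code and does not model any
specific SIEM product. The rule, thresholds, asset table and log lines are
all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Referential data (assumed): asset criticality is what lets a tailored rule
# prioritize work instead of treating every host the same.
ASSET_CRITICALITY = {
    "10.0.0.5": "high",   # constructed: finance database server
    "10.0.0.42": "low",   # constructed: developer workstation
}
CRITICALITY_ADJUST = {"high": 1, "medium": 0, "low": -1}
ESCALATE_AT = 4  # severity at which Tier 1 hands the alert to Tier 2 (assumed)

# Constructed sample log lines: "<timestamp> <host> <event> user=<u> src=<ip>".
SAMPLE_LOGS = """\
2015-03-02T10:00:01 10.0.0.5 AUTH_FAIL user=svc_fin src=203.0.113.9
2015-03-02T10:00:03 10.0.0.5 AUTH_FAIL user=svc_fin src=203.0.113.9
2015-03-02T10:00:05 10.0.0.42 AUTH_OK user=dev1 src=192.0.2.10
2015-03-02T10:00:06 10.0.0.5 AUTH_FAIL user=svc_fin src=203.0.113.9
2015-03-02T10:00:09 10.0.0.5 AUTH_OK user=svc_fin src=203.0.113.9
2015-03-02T10:01:00 10.0.0.42 AUTH_FAIL user=dev1 src=198.51.100.7
2015-03-02T10:01:02 10.0.0.42 AUTH_FAIL user=dev1 src=198.51.100.7
2015-03-02T10:01:04 10.0.0.42 AUTH_FAIL user=dev1 src=198.51.100.7
this line is malformed and must be skipped, not crash the pipeline
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Monitor step: normalize one raw line into a dict, or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event


def make_alert(name, event, base_severity):
    """Analyze step: score the alert with the referential data, then route it."""
    criticality = ASSET_CRITICALITY.get(event["host"], "medium")
    severity = max(1, min(5, base_severity + CRITICALITY_ADJUST[criticality]))
    return {
        "name": name,
        "host": event["host"],
        "src": event["src"],
        "user": event["user"],
        "ts": event["ts"],
        "severity": severity,
        "route": "escalate_tier2" if severity >= ESCALATE_AT else "tier1_queue",
    }


def correlate(lines, fail_threshold=3, window=timedelta(minutes=5)):
    """Correlate step. Rule (constructed): fail_threshold or more AUTH_FAIL from
    one source against one host inside `window` raises brute_force_attempt;
    an AUTH_OK from that source while the failures are still in the window
    raises brute_force_success. Each rule fires once per (host, src) pair."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # (host, src) -> AUTH_FAIL timestamps in window
    fired = set()
    alerts = []
    for e in events:
        key = (e["host"], e["src"])
        # Drop failures that have aged out of the window before evaluating.
        failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
        if e["event"] == "AUTH_FAIL":
            failures[key].append(e["ts"])
            if len(failures[key]) >= fail_threshold and (key, "attempt") not in fired:
                fired.add((key, "attempt"))
                alerts.append(make_alert("brute_force_attempt", e, 2))
        elif e["event"] == "AUTH_OK":
            if len(failures[key]) >= fail_threshold and (key, "success") not in fired:
                fired.add((key, "success"))
                alerts.append(make_alert("brute_force_success", e, 4))
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS.splitlines()):
        print(f"{a['ts']:%H:%M:%S} sev={a['severity']} {a['name']:<20} "
              f"host={a['host']} src={a['src']} -> {a['route']}")
```

On the sample, the same rule yields three alerts with three different outcomes: the attempt against the high-criticality host stays in the Tier 1 queue at severity 3, the successful login after the failures is raised to severity 5 and escalated, and the identical pattern against a low-criticality workstation lands at severity 1. That spread is the whole point of the "referential data used to prioritize work" row in the table: the rule is the same, the asset context decides where the analyst's time goes. The malformed line is dropped by the parser rather than stopping the run, which is the behaviour a production collector needs.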

IBM Security Operations Operating Model

The slide is a layered diagram; its labels, read by layer, are:

Cyber-Security Command Center (CSCC) - corporate governance layer
- Corporate Governance, Business Units, Legal, Audit
- Executive Security Intelligence Briefings
- Local/Regional Security Oversight, Local/Regional Intelligence Briefings
- SOC Governance
- Consolidated Security Analytics & Dashboards

SOC Service Delivery Management
- Service Level Management, Operational Efficiency, Service Reporting, Escalation, Business Operations

Business Ops
- Investigations; Architecture & Security Intelligence; Security Analytics & Projects; Public Relations
- Incident Reporting, Incident Hunting, PM, Use Case Recommendations, Legal/Fraud

SOC Operations
- Emergency Response; Admin Support; Threat Management Services (Threat Monitoring, Threat Triage, Threat Response); CSIRT; Corporate Incident Response; IT Operations
- Functions: Tool Integration, Rule Admin, Advanced Event Analysis, Impact Analysis, Threat Analysis, Incident Triage, Investigations, Incident Mgmt, Table-top Exercises, Escalations, Problem Mgmt, Change Mgmt, Release Mgmt

SOC Platform Components
- Security Device Data, Event Data (Int./Ext.), Event Patterns, Correlation, Aggregate Security Events, Log Data (Transactional), Unstructured Data (Big Data), Custom Rules
- Technology: SIEM, Ticketing & Workflow, Integration Tools (e.g. Web Srvcs), Portal, Reporting / Dashboard, Big Data

Legend - swimlanes: SOC, IT / Corp
SOC Data Sources: Logs (Transactional), Network Hierarchy & Design, Business Data from Structure & Geography, Unstructured (Big Data), Asset & Data Classifications, Threat Intelligence
We understand that an effective SOC has the right balance of People, Process and Technology components

People:     In-house staff, Partners, Customers, Outsourced Providers
Process:    Threat Analysis, Compliance Mgmt, Change Mgmt, Risk Assessment, Vulnerability Mgmt, Identity & Access, SLA Mgmt, Incident Mgmt
Technology: Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Identity & Desktop Mgmt, Vulnerability Scanners, Ticketing System, Change Tracking


It starts with the right people

People: In-house staff, Partners, Customers, Outsourced Providers

The SOC is only as good as its people, and upfront planning for the unique people management aspects of a 24x7 security-centric organization will provide significant long term returns.

Points of Consideration:
- SOC staff have a specialized skill set, and experienced staff are often difficult to find
- Training is expensive, time consuming, and improves marketability of staff. Compensation strategies must be evaluated accordingly.
- Retention of staff is difficult in a non-security-centric organization due to the continuous need for updated training, lack of expansive career path options, and burn-out.
- Beyond analysts for 24x7 coverage, other supporting functions must be considered:
  - System admins, Intelligence resources, Escalation resources, Compliance officers, Management / Supervision
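The "Do you need 24x7x365 staff?" and "Capacity planning" questions from the People domain reduce to an arithmetic model that is worth writing down before the first hire. The following is an added example for this deck, not IBM code and not the IBM SOC capacity modeling tool named in the offerings; every figure in it (leave, training and sick days, analyst utilization, the two-analyst floor minimum) is a constructed assumption to be replaced with the organization's own numbers.

```python
"""24x7 SOC staffing and capacity model.

Added example for this deck; not IBM code and not the IBM SOC capacity
modeling tool mentioned in the offerings. All figures (leave, training,
utilization, minimum floor staffing) are constructed assumptions.
"""
import math
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # 8760 hours of coverage for a 24x7x365 SOC


@dataclass
class StaffingAssumptions:
    min_analysts_on_shift: int = 2     # assumed: never a single analyst on the floor
    contract_hours_per_week: float = 40.0
    hours_per_day: float = 8.0
    leave_days: int = 25               # assumed annual leave
    training_days: int = 10            # deck: training is continuous and expensive
    sick_days: int = 5                 # assumed

    def productive_hours_per_fte(self):
        """Hours one analyst can actually sit on shift in a year."""
        absent = (self.leave_days + self.training_days + self.sick_days) * self.hours_per_day
        return self.contract_hours_per_week * 52 - absent


def seats_for_workload(alerts_per_day, minutes_per_alert, utilization=0.7):
    """Concurrent analyst seats so the day's alert handling fits into 24 hours
    at `utilization` (the rest goes to tuning, reporting, handover)."""
    if alerts_per_day < 0 or minutes_per_alert <= 0 or not 0 < utilization <= 1:
        raise ValueError("workload parameters out of range")
    handling_hours = alerts_per_day * minutes_per_alert / 60.0
    return math.ceil(handling_hours / (24.0 * utilization))


def fte_for_24x7(seats, assumptions):
    """Headcount needed to keep `seats` filled every hour of the year."""
    return math.ceil(seats * HOURS_PER_YEAR / assumptions.productive_hours_per_fte())


def capacity_plan(alerts_per_day, minutes_per_alert, assumptions=None):
    """Combine the workload-driven seat count with the floor minimum and
    convert to FTE; returns the numbers a capacity discussion starts from."""
    a = assumptions or StaffingAssumptions()
    workload_seats = seats_for_workload(alerts_per_day, minutes_per_alert)
    seats = max(a.min_analysts_on_shift, workload_seats)
    return {
        "workload_seats": workload_seats,
        "seats": seats,
        "fte": fte_for_24x7(seats, a),
        "productive_hours_per_fte": a.productive_hours_per_fte(),
    }


if __name__ == "__main__":
    for alerts in (20, 400, 2000):
        plan = capacity_plan(alerts, minutes_per_alert=15)
        print(f"{alerts:>5} alerts/day -> {plan['seats']} seats, {plan['fte']} FTE")
```

Two things the model makes visible that the slide only hints at. First, with the constructed assumptions a single always-on seat costs about five FTE (8760 hours of coverage against roughly 1760 productive hours per analyst), so even a quiet SOC that insists on two people on the floor needs ten analysts before workload is considered. Second, the FTE count does not depend on whether shifts are 8 or 12 hours; shift length changes the rotation pattern and fatigue, not the headcount, which is why the rota is a separate design question from capacity.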


The SOC organization is organized around the standard plan, build and run model (illustrative)

[SOC Organization Chart with a Governance layer: diagram not reproduced in this text.]


A responsibility matrix for all SOC roles should be defined across each SOC service. (illustrative)

[Responsibility matrix: diagram not reproduced in this text.]


Sample Job Description: Triage Analyst (illustrative)

Responsibilities:
- Monitoring of security events received through alerts from SIEM or other security tools
- Review alerts escalated by end users
- Handle end user and security services consumer initiated incidents and initiate trouble tickets (Sev 4 tickets)
- Performing Level 1 triage of incoming issues (initial assessment of the priority of the event, initial determination of incident to determine risk and damage, or appropriate routing of security or privacy data requests)
- Monitoring of alert and downstream dependencies health (logger, client agents, etc.)
- Responsible for troubleshooting agents and logs required for reporting when not reporting to alerting systems
- Intake intelligence actions from Intelligence teams and ticket for appropriate operators for tool policy or tool setting tuning
- Provide limited incident response to end users for low complexity security incidents
- Notifying appropriate contact for security events and response
- Takes an active part in the resolution of incidents, even after they are escalated
- Work assigned ticket queue
- Understanding and exceeding all tasked SLA commitments
- Track and report on closure of tickets per SLAs
- Escalating issues to Tier II or management when necessary
- Provide daily and weekly metrics for security and vulnerability incidents
- 24/7 shift work required

Experience and Skills:
- Process and procedure adherence
- General network knowledge, TCP/IP troubleshooting
- Ability to trace down an endpoint on the network based on ticket information
- Familiarity with system log information and what it means
- Understanding of common network services (web, mail, DNS, authentication)
- Knowledge of host based firewalls, anti-malware, HIDS
- General desktop OS and server OS knowledge
- TCP/IP, Internet routing, UNIX & Windows NT
- Strong analytical and problem

Training:
- Required: Security Essentials SEC401 (optional GSEC certification); Computer Forensic Investigation Windows In-Depth - FOR408
- Recommended: Security Incident Handling and Forensic - FOR508
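Three of the triage analyst's responsibilities above ("Understanding and exceeding all tasked SLA commitments", "Track and report on closure of tickets per SLAs", "Provide daily and weekly metrics") need the same piece of tooling: a roll-up of acknowledge and close times against per-severity targets. The following is an added example for this deck, not IBM code and not tied to any ticketing product; the SLA targets and the ticket export are constructed, and the one design choice worth noting is that a still-open ticket is counted as breached as soon as its age passes the close target, so breaches appear on the report while something can still be done about them.

```python
"""SLA tracking for a Tier 1 ticket queue.

Added example for this deck; not IBM code. The SLA targets and the tickets
are constructed; real targets come from the SOC's SLA/SLO agreements.
"""
from datetime import datetime
from statistics import mean

# Constructed targets in minutes per severity: (time to acknowledge, time to close).
SLA_TARGETS = {1: (15, 4 * 60), 2: (30, 8 * 60), 3: (60, 24 * 60), 4: (240, 72 * 60)}

# Constructed ticket export; an open ticket has closed=None.
TICKETS = [
    {"id": "T1", "sev": 1, "opened": "2015-03-02 09:00", "acked": "2015-03-02 09:10", "closed": "2015-03-02 11:00"},
    {"id": "T2", "sev": 1, "opened": "2015-03-02 12:00", "acked": "2015-03-02 12:20", "closed": "2015-03-02 15:00"},
    {"id": "T3", "sev": 2, "opened": "2015-03-02 13:00", "acked": "2015-03-02 13:10", "closed": "2015-03-02 22:00"},
    {"id": "T4", "sev": 3, "opened": "2015-03-02 14:00", "acked": "2015-03-02 14:30", "closed": "2015-03-02 20:00"},
    {"id": "T5", "sev": 4, "opened": "2015-03-03 08:00", "acked": "2015-03-03 09:00", "closed": None},
]

FMT = "%Y-%m-%d %H:%M"


def _minutes(start, end):
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 60


def evaluate_ticket(ticket, now):
    """Per-ticket SLA status. An open ticket counts as a close breach as soon
    as its age exceeds the close target, so breaches surface before closure."""
    ack_target, close_target = SLA_TARGETS[ticket["sev"]]
    tta = _minutes(ticket["opened"], ticket["acked"]) if ticket["acked"] else None
    closed = ticket["closed"]
    ttr = _minutes(ticket["opened"], closed) if closed else None
    age = _minutes(ticket["opened"], now)
    return {
        "id": ticket["id"],
        "sev": ticket["sev"],
        "tta": tta,
        "ttr": ttr,
        "open": closed is None,
        "ack_breach": tta is None or tta > ack_target,
        "close_breach": (ttr > close_target) if ttr is not None else (age > close_target),
    }


def sla_report(tickets, now):
    """Roll up per severity: volume, MTTA, MTTR and breach counts, plus overall
    compliance ratios; the shape a daily/weekly metrics report is built from."""
    rows = [evaluate_ticket(t, now) for t in tickets]
    per_sev = {}
    for sev in sorted({r["sev"] for r in rows}):
        group = [r for r in rows if r["sev"] == sev]
        ttas = [r["tta"] for r in group if r["tta"] is not None]
        ttrs = [r["ttr"] for r in group if r["ttr"] is not None]
        per_sev[sev] = {
            "count": len(group),
            "open": sum(r["open"] for r in group),
            "mtta_min": mean(ttas) if ttas else None,
            "mttr_min": mean(ttrs) if ttrs else None,
            "ack_breaches": sum(r["ack_breach"] for r in group),
            "close_breaches": sum(r["close_breach"] for r in group),
        }
    total = len(rows)
    return {
        "per_severity": per_sev,
        "ack_compliance": 1 - sum(r["ack_breach"] for r in rows) / total if total else None,
        "close_compliance": 1 - sum(r["close_breach"] for r in rows) / total if total else None,
    }


if __name__ == "__main__":
    report = sla_report(TICKETS, now="2015-03-04 08:00")
    for sev, m in report["per_severity"].items():
        print(f"sev{sev}: n={m['count']} open={m['open']} MTTA={m['mtta_min']} "
              f"MTTR={m['mttr_min']} ack_breaches={m['ack_breaches']} close_breaches={m['close_breaches']}")
    print(f"ack compliance {report['ack_compliance']:.0%}, close compliance {report['close_compliance']:.0%}")
```

Run against the constructed export with `now` set to the morning of 4 March, the report shows one acknowledge breach (a Sev 1 picked up after 20 minutes) and one close breach (a Sev 2 closed after nine hours), with the open Sev 4 still inside its window; move `now` three days later and that open ticket flips into the breach count without anyone having closed it. Reporting MTTA and MTTR per severity rather than as a single average keeps a flood of Sev 4 tickets from hiding a slow Sev 1.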


Leveraging tested integrated processes

Process: Threat Analysis, Compliance Mgmt, Change Mgmt, Risk Assessment, Vulnerability Mgmt, Identity & Access, SLA Mgmt, Incident Mgmt

SOC processes must be documented, consistently implemented, and based upon existing standards / governance frameworks. Procedures must take into consideration corporate security policy, business controls, and relevant regulatory requirements.

Points of Consideration:
- The SOC's mission must be clearly defined: incident discovery, CERT, etc.
- SOCs differ from NOCs, and an alarm does not always equate to action.
- Processes must take into consideration evaluation and incorporation of a constantly changing stream of potentially actionable threat intelligence.
- Best practices for incident investigation, response, and mitigation must be maintained and updated as technologies are added, change, or mature.


Built on a solid technology platform

Technology: Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Identity & Desktop Mgmt, Vulnerability Scanners, Ticketing System, Change Tracking

Technology for a SOC build is the foundation on which the organization demonstrates the ability to provide security continuously, even under times of duress such as persistent attack, natural disaster, facilities failure, etc.

Points of Consideration:
- SOC technologies (SIEM, trouble ticketing, incident management, etc.) are often special purpose, costly, and challenging to maintain due to their overall complexity
- The number of disparate systems and volume of device / event data will typically require a dedicated IT staff for system administration
- Capacity management can be a challenge due to the need to support peak loads, which may include DDoS, monthly batch processing, etc.
- The management and reporting systems must be flexible enough to accommodate process and security policy as well as changes in the technology landscape
SOC Strategies & Approaches
Selecting the optimal SOC operating model depends on balancing business and technical requirements, risk and financial constraints

Business Requirements: Centralized <-> Decentralized
  Single Global SOC                    | Multiple SOCs (Geo. / BU)
  CSCC Combined with SOC               | Single Global CSCC
  Lowest Cost                          | High Cost
  Easiest to Manage                    | More Difficult to Manage

Technical Requirements: Standard <-> Highly Customized
  Simple Platform                      | Complex Platform
  Lowest Cost to Implement/Operate     | High Cost to Implement/Operate
  Good Risk Mgmt Capabilities          | Excellent Risk Mgmt Capabilities
  Easy to Scale Operations             | More Expensive to Scale Operations
  Moderate Detail on Threats           | Rich Detail on Threats

Risk Tolerance: Externally Managed <-> Internally Managed
  30-90 Day Implementation             | Long Implementation Lead Time
  Lowest Cost to Implement/Operate     | High Cost to Implement/Operate
  Not Core to Business                 | Core to Business
  Leverage Industry Best Practices     | Frequent Independent Reviews

Financial Constraints: Low Cost <-> High Cost
  Lowest Cost to Implement             | Highest Cost to Implement
  Lowest Cost to Operate               | Highest Cost to Operate
IBM Security Operations Operating Model: MSSP Hybrid

This slide repeats the operating model diagram (CSCC governance layer, SOC Service Delivery Management, Business Ops, SOC Operations with Threat Management Services / CSIRT / Corporate Incident Response / IT Operations, SOC Platform Components and the SOC Data Sources legend) with the following differences for the hybrid model:
- an MSSP swimlane is added alongside SOC and IT / Corp in the legend
- OT Operations appears next to IT Operations under SOC Operations
- Use Case Management replaces Use Case Recommendations under Business Ops
Getting Started: Develop a Strategy, then a Plan
To get started, the organization should consider the following questions in establishing its objectives

- What is the primary purpose of the SOC?
- What are the specific tasks assigned to the SOC? (e.g., threat intelligence, security device management, compliance management, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)
- Who are the consumers of the information collected and analyzed by the SOC? What requirements do they have for the SOC?
- Who is the ultimate stakeholder for the SOC? Who will sell the SOC to the rest of the organization?
- What types of security events will eventually be fed into the SOC for monitoring?
- Will the organization seek an external partner to help manage the SOC?


The Security Operations Optimization portfolio provides a flexible approach to the entire SOC/SIEM life cycle.

Assessment Workshop
- Educational, share best practices
- Table-top, guided SOC maturity assessments
- Laying the foundation of knowledge and experience

Strategy
- Define the mission
- Assess current operations and capabilities
- Set high-level vision
- Develop next steps roadmap for action

Design & Build
- People and Governance; Processes and Practices; Technology
- Leveraging acquired knowledge
- Define future environment
- Designing effective staffing models and supporting mechanisms
- Develop roadmap for action: processes / technology
- Conducting training and testing
- Implementing tracking and reporting capabilities

Run & Enhance
- Business aligned threat management capabilities and metrics
- Instituting formal feedback and review
- Integrated operations
- Driving further value from the technology
- Expanding business coverage and functions
- Tuning and refinement

Optimize
- Drive for best practices with improved communications
- Seek opportunities for cost takeout
- Continuous improvement


Security Operations Optimization Consulting Offerings

SOC / SIEM Workshop (sample duration: 1-5 days; deliverable: Workshop Readout)
- Review security policies and SOC/SIEM mission/charter
- Review IBM SOC / SIEM Operating Model point of view
- Review components needed to implement a security operation center: platform architecture, processes, organization, metrics/reporting, governance
- Discuss best practices for each component and industry trends
- Develop client feedback report

SOC Maturity Assessment Workshop (1-5 days; deliverable: Maturity Assessment)
- Review security policies and SOC/SIEM mission/charter
- Assess client environment against IBM SOC / SIEM Maturity Model
- Establish future state target maturity by component
- Analyze current and future targets vs. industry maturity benchmarks
- Identify gaps, opportunities for improvement, prioritize improvements
- Develop preliminary recommendations for SOC program

SOC/SIEM Strategy and Program Mobilization (4-6 weeks; deliverables: Maturity Assessment, component baselines, sample Phase 1 work plan)
- Review security policies and SOC/SIEM mission/charter
- Conduct detailed current environment review by component area: platform architecture, processes, organization, metrics/reporting, governance
- Review current and planned SOC/SIEM projects/initiatives
- Assess current environment vs. Maturity Model, establish future state target
- Identify and prioritize gaps and opportunities for improvement
- Identify SOC scenarios and tailor the decision model
- Finalize transformation states, service improvements, finalize strategy
- Identify initiatives, group into projects, develop roadmap (timeline)


Security Operations Optimization Consulting Offerings (continued)

Use Case / Rule (UCR) Assessment (4-8 weeks; deliverable: Assessment Report)
- Review security policies and SOC/SIEM mission/charter
- Review business/technical requirements, risk tolerance, cost constraints
- Review Use Case Models and rule architecture and design
- Identify gaps, opportunities for improvement
- Prepare high level Use Case / Rule recommendations

Use Case / Rule (UCR) Strategy (4-8 weeks; deliverable: Use Case Assessment and Strategy)
- Review security policies and SOC/SIEM mission/charter
- Review business/technical requirements, risk tolerance, cost constraints
- Review Use Case Models and rule architecture and design
- Identify gaps, opportunities for improvement
- Identify UCR scenarios and tailor the decision model
- Identify target state, prioritize improvements, finalize UCR strategy

Security Operations Center Reporting Strategy (6-12 weeks; deliverable: Security Operations Assessment and Strategy)
- Review security policies and SOC/SIEM mission/charter
- Review business/technical requirements, risk tolerance, cost constraints
- Review current metrics, operational/executive reports
- Identify gaps, opportunities for improvement
- Identify target state, prioritize improvements, finalize SOC reporting strategy


Security Operations Optimization Design / Deploy

SOC/SIEM Design (2-3 months; deliverables: SOC/SIEM design method, design phase method/plan, workshop decks/schedules, key scope element baselines, SOC capacity modeling tool)
- Develop Macro / Micro Design for the Security Operation Center
- Key scope elements: platform, process, organization, reports, governance
- Data source logical/physical scope and integration architecture
- Develop use case and rule macro and micro design
- Develop SOC operational model, logical/physical platform architecture
- Finalize SOC process scope, context diagram, core/non-core processes
- Develop organization conceptual/logical model (roles), governance model
- Develop key metrics, reporting architecture, report list
- Product selection decision model and preliminary recommendations (optional)
- Finalize SOC / SIEM Macro and Micro Design deliverables

SOC/SIEM Implementation (4-6 months; deliverables: implementation method/plan, MSS build/test/deploy plans, workshop decks/schedules, use case / rule frameworks, key scope element baselines, SOC capacity modeling tool, PoC / pilot / simulated live ops plan)
- Prepare SOC implementation plan, conduct SOC build, test, deployment
- Key scope elements: platform, process, organization, reports, governance
- Execute procurement for selected products, services (optional)
- Finalize MSS implementation plan and build, test and deploy MSS (optional)
- Build, test and deploy data sources, integration APIs
- Build, test, deploy use cases and conduct rule tuning
- Build, test and deploy SOC processes, metrics, SLAs/SLOs, Ops Manual
- Build, test and deploy organization design, role descriptions
- Build, test and deploy metrics, reports and executive dashboards
- Build, test and deploy SOC governance processes
- Conduct transition: Proof of Concept, Pilot Ops, Simulated Live Ops
- Security Operation Center Go-Live, update Phase N design plan
Helping organizations with their SOC requirements is a core element of IBM's 10 essential practices required to effectively manage risk

Essential Practices:
1. Build a risk aware culture and management system
2. Manage security incidents with intelligence
3. Defend the mobile and social workplace
4. Secure services, by design
5. Automate security hygiene
6. Control network access and assure resilience
7. Address new complexity of cloud and virtualization
8. Manage third party security compliance
9. Secure data and protect privacy
10. Manage the identity lifecycle

Maturity based approach (figure not reproduced in this text): maturity progresses from Basic through Proficient to Optimized, from Manual to Automated, and from Reactive to Proactive, with Security Intelligence as the axis of the figure.


IBM can provide unmatched global coverage and security awareness.

Security Operations Centers; Security Research Centers; Security Solution Development Centers; Institute for Advanced Security Branches

IBM Research:
- 10B analyzed web pages and images
- 150M intrusion attempts daily
- 40M spam and phishing attacks
- 46K documented vulnerabilities and millions of unique malware samples

Worldwide managed security services coverage:
- 20,000-plus devices under contract
- 3,300 GTS(1) service delivery experts
- 3,700-plus MSS(2) clients worldwide
- 20B-plus events managed per day
- 3,000-plus security patents
- 133 monitored countries (MSS)

(1) IBM Global Technology Services (GTS); (2) Managed Security Services (MSS)


Largest Bank in Canada improves security by establishing SOC & implementing monitoring tools and processes

Profile: Largest bank in Canada, 3rd largest in North America, top 10 globally. The bank serves 18 million clients and has 80,100 employees worldwide.

Client Situation:
The client had engaged IBM to help them map out their security needs, including SOC strategy, architecture, analyzing and querying log, threat and vulnerability data (SIEM), and ongoing management. A few high-level issues were:
- Lack of any SOC model and strategy roadmap
- There was no trained SOC Operations team or staff
- No security monitoring tool or processes for security incidents

IBM Solution:
IBM Security Services Team reviewed the client's business and technical requirements, risk tolerance and cost constraints. After analyzing the requirements, IBM developed a 3 year SOC Strategy and Roadmap with ongoing phase implementations. Additionally the following high-level tasks were performed:
- Global installation of the QRadar monitoring tool
- Archer Ticketing System implementation (security tickets)
- Designed the SOC Organization, Process, People Model
- SOC Capacity Modeling
- Hired and trained the client's SOC staff (~12 resources)
- Implemented SOC Operational Reporting and Executive Dashboards

Client Benefits:
- Reduced risks & costs associated with security incidents and data breaches
- Addressed compliance issues by establishing clear audit trails for incident response
- Improved security posture with enterprise-wide security intelligence correlating events from IT & business critical systems/applications.
A global insurance company in the United States improves security by establishing SOC & implementing monitoring tools and processes

Profile: Global property and casualty insurer. Third largest insurer in the United States. Fortune 100 company. Operates in 900 locations distributed across 18 countries. The company has 50,000+ employees worldwide.

Client Situation:
The client had made a board-level commitment to raise the visibility, effectiveness and efficiency of the global security program. A few high-level issues:
- Multiple day delays in identifying threats
- Extreme incident false positive ratios with current MSSP
- Labor intensive program, without clear lines of responsibility
- Minimal security analytics & dashboards

IBM Solution:
IBM Security Services Team began with a full day SOC optimization workshop to educate the client program team, review and validate the client's vision and strategy. After the workshop and recommendations, the client requested IBM's support to help them plan, design and build the SOC, including the following:
- SOC Architecture development
- SIEM operationalization (ArcSight)
- Remedy Ticketing System implementation (security tickets)
- Designed the SOC organization including capacity models
- Developed best-practice core SOC process and created supporting documentation & artifacts & trained client staff
- Implemented Security Operational Reporting and Executive Dashboards
- Managed transition from previous MSSP to IBM Managed Services

Client Benefits:
- Reduced incident identification time from hours to minutes and streamlined operations, further reducing risks & associated costs, & improved global security with end to end incident management
- Created an industry leading view into the overall security position allowing them to better manage their entire environment
IBM Security Services

A global financial services company in the UK improves security by transforming its SOC from compliance to cyber threat monitoring

Client Situation:
The client had invested in a SOC that was focused on policy violation and wanted to expand the capabilities of their existing investment:
Compliance-focused SOC
Significant challenges with existing technology
SOC manpower outsourced to a 3rd party
Minimal security analytics & dashboards, non-existent Security Intelligence

Profile:
UK-based financial services group.
Retail, commercial, wealth and asset management, international and insurance arms.
Operates in almost every community in the UK.
Over 100,000 employees (2014)

IBM Solution:
The IBM Security Services team began with a 2-week SOC maturity assessment to gauge the client's current and future capabilities and to review and validate the client's vision and strategy. After the assessment, recommendations were presented to the client and IBM led the transformation programme, including:
Developed best-practice core SOC processes, created supporting documentation & artifacts, and trained client staff
Established a Security Intelligence function
Accelerated development and implementation of a ticketing system
Reviewed the SOC organisation and identified improvements
Demonstrated the importance of capacity modelling
Implemented Security Operational Reporting and Executive Dashboards

Client Benefits:
Increased efficiency from the existing SOC staff handling more events in a defined and repeatable way.
Increased awareness of their own systems and future threats, making use of Security Intelligence
Better able to understand and highlight the benefits of the SOC due to improved metrics and reporting




We leverage our SOC framework, which covers the multiple management dimensions of organizing and managing a SOC


We include 14 key processes that encompass both the business and IT aspects


Which leads to insightful analyses, e.g. Maturity Assessment


IBM offers multiple options in our consulting offerings

Security Operations Center (SOC) Workshop
1-day management workshop to establish goals and objectives for developing the SOC, identifying stakeholders, types of threats monitored, and the management model

Security Operations Center (SOC) Assessment
Consulting assessment for clients that have an existing SOC but are looking for IBM to review their capabilities and process maturity and make recommendations for improvements

Security Operations Center (SOC) Strategy Engagement
Consulting strategy engagement for clients who are seeking to develop a comprehensive strategy and plan to implement a SOC that addresses both IT and the business for managing security and mitigating threats

Security Operations Center (SOC) Design / Build Project
Professional services to help clients design and build one or multiple SOCs that meet the organization's needs for improved security intelligence and risk management
Components include:
Organization/People (develop and implement staffing models, shift schedules, skills training, etc.)
Processes, Procedures, Guidelines (define, develop and document; update existing)
Technology (plan, design and deploy technology components; integrate feeds and other referential sources)


What you can expect as a result from a SOC implementation

Better understanding of how your security program reduces risk in operations and therefore business risk
Measurement of the real-time compliance of particular security controls in the organization
Insight into the current state of your security posture
Visibility of issues, hacks, infections and misuse that otherwise would require human discovery and correlation
Easier measurement of compliance and reduction of audit effort


IBM knows security
IBM is recognized as a leader in Security Consulting

"IBM burst into the Leader category by demonstrating superb global delivery capabilities"
Why IBM SIEM Security Technology? Breadth, deep expertise, integration

Leadership
Leader in Magic Quadrant for Security Information and Event Management, Gartner, May 12, 2011; May 13, 2010; May 29, 2009.
#1 rated by Gartner for Compliance use cases ("Critical Capabilities for Security Information and Event Management Technology," Gartner, 12 May 2011)

Integration
Integrated with 400+ products and vendor platforms
SIEM, log management, network anomaly detection, and risk management combined in a single console

Expertise
Embedded 3rd party security feeds including IBM X-Force
Tight integration with InfoSphere Guardium and IBM Identity Manager & Access Manager for optimized data & user security


Client example - a large financial services company

Business Challenge:
A large European financial institution with multiple global locations was searching for best practices and assistance in creating an in-house, compliant and effective Security Operations Center. Compounding the challenge of the sheer magnitude of their operations were the complications surrounding several recent acquisitions that had not been fully integrated. The current operation was largely driven by SOX compliance requirements, which diluted the effectiveness of the SOC with unimportant log sources.

Solution:
A series of business and technical workshops were conducted to start the assessment, as the client needed to refocus their operations on security while maintaining regulatory compliance. These workshops then advanced to a full security operations design, integrating disparate business unit requirements, focusing analysis on important log sources, and reorganizing the department. Ultimately, the client chose to have IBM staff their new SOC, reducing the total number of hired staff and overall cost.

Solution components:
IBM Q-Radar SIEM
IBM Security Services SOC Workshop & Design
IBM Security Services Professional Security Services

Benefits: Overall SOC costs were reduced and the resulting organization is more focused and effective.


Client example - global pharmaceutical company

Business Challenge:
A large global pharmaceutical company with research locations scattered around the world faces the ongoing threat of industrial espionage and is frequently a target of hacktivists. Their current security operations are decentralized, leaving each unit to fend for itself. After some minor faults but no major incidents, the company has decided to centralize their security operations and create a holistic view of security across the entire organization.

Solution:
A business and technical workshop was conducted to start the assessment and help the client envision what the end-state should look like and how to initiate the centralization process. Leveraging a deployed IBM Q-Radar installation, the solution involves creating two redundant SOCs to centralize security intelligence and device management operations. These SOCs will work cooperatively using the best-practice operational models derived from IBM MSS Global SOCs, providing a single, measurable view of security across their global operations.

Solution components:
IBM Security Services SOC Workshop
IBM Q-Radar
IBM Security Services Managed SIEM

Benefits: A centralized operational model allows the economies of scale to drive costs down, while improving the effectiveness of the security operations and threat intelligence sharing.


Thank you for your time!

Questions and Answers

Backup Pages


Typical SOC Project Scope
(Table: rows are SOC Processes, SOC People and SOC Technology; columns are the Consult and Design, Build, Operate and Maintain phases)

SOC Processes
Consult and Design: Deliver SOC Workshop; Perform SOC Maturity Assessment; Align SOC operations across the enterprise
Build: Build Wiki framework for agile documentation approach; Build new and integrate existing processes and procedures; Implement process improvement program
Operate: Implement incident management process; Continue documentation and update as necessary; Drive business through metrics; Manage risk and compliance
Maintain: Perform SOC Maturity Assessment annually; Maintain and update SOC documentation; Evaluate, measure and improve processes

SOC People
Consult and Design: Deliver SOC Workshop; Perform SOC Maturity Assessment; Design staffing models; Develop training plans; Help hire the right staff or complement existing teams
Build: Identify stakeholders; Define roles, responsibilities, and job descriptions
Operate: Deliver training: on the job, intrusion analysis, and technology solutions; Analyst coaching; Develop key organizational linkages
Maintain: Maintain dedicated SOC manager and analyst positions; Continue on-going onboarding and training of new analysts as necessary

SOC Technology
Consult and Design: Architect & design SIEM solutions; Plan use cases; Map operations to regulatory and business requirements; Health check
Build: Install & configure SIEM solutions; Establish data feeds; Implement use cases; Build content; Design analyst workstations; Integrate threat intelligence
Operate: Operate and maintain SIEM solutions; Implement dashboards; Develop operational and business reports; Investigate using advanced analytics; Manage incidents via cases
Maintain: Operate and maintain SIEM; Maintain architecture and product documentation; Perform health check on SIEM environment at planned intervals; Perform capacity planning; Develop steady-state technology costs

Client SOC Capability Transformation


Security Intelligence

Challenge 1: Detecting Threats

Potential Botnet Detected? This is as far as traditional SIEM can go.
IRC on port 80? IBM Security QRadar QFlow detects a covert channel.
Irrefutable Botnet Communication: Layer 7 flow data contains botnet command and control instructions.

Application layer flow analysis can detect threats others miss
Challenge 2: Consolidating Data Silos

Analyzing both flow and event data. Only IBM Security QRadar fully utilizes Layer 7 flows.
Reducing big data to manageable volumes: Data Reduction Ratio 1153571 : 1
Advanced correlation for analytics across silos


Challenge 3: Detecting Insider Fraud

Potential Data Loss: Who? What? Where?
Who? An internal user
What? Oracle data
Where? Gmail

Threat detection in the post-perimeter world: user anomaly detection and application level visibility are critical to identify inside threats
Challenge 4: Better Predicting Risks to Your Business

Assess assets with high-risk input manipulation vulnerabilities
Which assets are affected?
How should I prioritize them?
What are the details? Vulnerability details, ranked by risk score
How do I remediate the vulnerability?

Pre-exploit Security Intelligence: monitor the network for configuration and compliance risks, and prioritize them for mitigation
Challenge 5: Addressing Regulatory Mandates

PCI compliance at risk? Real-time detection of a possible violation.

Unencrypted Traffic
IBM Security QRadar QFlow saw a cleartext service running on the Accounting server
PCI Requirement 4 states: Encrypt transmission of cardholder data across open, public networks

Compliance Simplified
Out-of-the-box support for major compliance and regulatory standards
Automated reports, pre-defined correlation rules and dashboards
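The two detections above (Challenge 1's IRC-over-port-80 covert channel and Challenge 5's cleartext service on a PCI-scoped server) both rest on classifying a flow by its payload rather than its port. The following Python is an added example, not IBM or QRadar code; the flow records, addresses, signatures and the Accounting server placeholder are constructed assumptions.

```python
# Added example (not IBM/QRadar code): classify flows by payload, not port.
# Flow records are constructed samples; host addresses are placeholders.
import re
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes of the client-to-server stream

# Port-only view: all a SIEM without application-layer flow data can see.
PORT_LABELS = {80: "http", 443: "https", 21: "ftp", 6667: "irc"}

# Payload signatures, tried in order (TLS first so its binary prefix wins).
SIGNATURES = [
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("irc", re.compile(rb"^(NICK|JOIN|PRIVMSG) ")),
    ("ftp", re.compile(rb"^USER \S+\r\n(PASS |QUIT)")),
]
CLEARTEXT = {"http", "ftp", "irc"}
PCI_SCOPE = {"10.9.9.1"}  # placeholder for the slide's Accounting server

def classify(flow):
    """Label a flow by what its payload looks like; 'unknown' if no match."""
    for name, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            return name
    return "unknown"

def findings(flows):
    """Two rules from the slides: IRC on a non-IRC port; cleartext to PCI hosts."""
    out = []
    for f in flows:
        proto = classify(f)
        if proto == "irc" and PORT_LABELS.get(f.dst_port) != "irc":
            out.append(("covert-channel", f.dst, "IRC on port %d" % f.dst_port))
        if f.dst in PCI_SCOPE and proto in CLEARTEXT:
            out.append(("pci-req-4", f.dst, "cleartext %s on port %d" % (proto, f.dst_port)))
    return out

SAMPLE_FLOWS = [  # constructed, not captured traffic
    Flow("10.1.5.23", "203.0.113.9", 80, b"GET /index.html HTTP/1.1\r\nHost: a.test\r\n"),
    Flow("10.1.5.23", "198.51.100.7", 80, b"NICK bot7731\r\nUSER b 0 * :b\r\nJOIN #c\r\n"),
    Flow("10.2.0.14", "10.9.9.1", 21, b"USER acct\r\nPASS s3cret\r\n"),
    Flow("10.2.0.15", "10.9.9.1", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
]
```

Running `findings(SAMPLE_FLOWS)` returns one covert-channel finding for the IRC flow that the port-only view labels "http", and one PCI Requirement 4 finding for the FTP login to the placeholder Accounting server; the TLS flow to the same server produces nothing.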



Managed SIEM Service Overview (diagram; labels recovered from the slide)
Operational inputs: Compliance Policy, Analysis Rules, Best Practices, Remediation Guidelines; Real Time Data sources; Expert Knowledge
Client Premise - SIEM Solution: Real Time Incident Identification Engine; Compliance Engine; Dashboard and Reporting Engine; Log Data from scheduled log sources; Real-Time event/log feed; Real-Time Alert/Exception
24x7 Incident Management: monitors dashboard closely; Security Investigation & Escalation; Incident Ticketing; Incident Reporting
Reporting outputs: Service Reporting; Compliance Reporting; Anomaly Reporting; Custom Reporting (Anomaly/Forensics); Raw Log access
Project Timeline

Timeline scale: 30 days, 3 months, 6 months, 9 months, 1 year

Milestones (from project start):
Workshop & Roadmap
Documented Process; Detailed Support Planning; Governance Model; Communications Plan
Staff Onboarding & Training
SOC achieves 100% Operational Control
Steady State & Ongoing automation
Ongoing Maturation
