Engin Özbay
IBM Security, Turkey
enginoz@tr.ibm.com
2015
2012 IBM Corporation
IBM Security Services
Drivers: large existing IT infrastructures with a globalized workforce; mobile collaboration, cloud and 3rd-party services; BYOD and virtualization; and a growing customer base.
Potential Impacts
A Security Operations Center is a highly skilled team following documented definitions and processes to manage threats and reduce security risk. Building one requires:
- An operational process framework
- Physical space requirements and location
- People
- Functionality
Don't be a FOOL and think you just need to buy a TOOL.
SOC Models
Comparison table recovered from the slide; within each row the values run from the least to the most mature model where the order could be recovered:
- Charter: operations capability only; cross-functional (IT, Business, Audit, etc.)
- Governance: self-governed (IT Security); cross-functional (IT, Business, Audit, etc.)
- Strategy: budget based; 12-month planning cycle set by the enterprise; 3+ year cycle, priorities, proactive
- Detection posture: detect; visible; anticipate
- Technology & tools: SIEM tool only; SIEM, ticketing, portal/dashboard; Big Data
- Measures & reporting: ticket/technology driven; KPI/SLO/SLA driven quality; metrics, analytics, scorecards, & dashboards
Governance and reporting flows (diagram; recovered labels): Business Units; Executive Security Intelligence Briefings; Local/Regional Security Oversight; SOC Governance; Consolidated Security Analytics & Dashboards; Local/Regional Intelligence Briefings; Legal; Audit; SOC.
SOC organization model (diagram; recovered labels):
- Governance: SOC Governance, Legal, Audit
- SOC Service Delivery Management: Service Level Management, Operational Efficiency, Service Reporting, Escalation
- Business Operations (Business Ops): Investigations, Public Relations, Projects, Legal / Fraud
- Architecture & Security Intelligence: Security Analytics & Investigations, Incident Hunting, Use Case Recommendations, Incident Reporting, PM
- SOC Operations: Emergency Response, Admin Support, Threat Management Services, CSIRT, Monitoring, Triage, Response, Corp. Incident Response, IT Operations
- Operational functions: Tool Integration, Adv. Event Analysis, Threat Analysis, Investigations, Table-top Exercises, Incident Mgmt, Escalations, Rule Admin, Impact Analysis, Incident Triage, Problem Mgmt, Change Mgmt, Release Mgmt
SOC Platform Components (diagram; legend: SOC, Technology, IT / Corp):
- Security Device Data; Event Data (Int./Ext.); Event Patterns; Correlation; Aggregate Security Events; Log Data (Transactional); Unstructured Data (Big Data); Custom Rules; IT Operations
SOC Data Sources: Logs (Transactional); Network Hierarchy & Design; Business Data from Structure & Geography; Unstructured (Big Data); Asset & Data Classifications; Threat Intelligence
People, Process, Technology (slide strip: Process covers Vulnerability Mgmt, Identity & Access, SLA Mgmt, Incident Mgmt; Technology covers Vulnerability Scanners, Identity & Desktop Mgmt, Ticketing System, Change Tracking)
People
The SOC is only as good as its people, and upfront planning for the unique people-management aspects of a 24x7 security-centric organization will provide significant long-term returns.
Points of Consideration:
- SOC staff have a specialized skill set, and experienced staff are often difficult to find.
- Training is expensive and time consuming, and it improves the marketability of staff; compensation strategies must be evaluated accordingly.
- Retention of staff is difficult in a non-security-centric organization due to the continuous need for updated training, lack of expansive career path options, and burn-out.
- Beyond analysts for 24x7 coverage, other supporting functions must be considered: system admins, intelligence resources, escalation resources, compliance officers, management / supervision.
Process
SOC processes must be documented, consistently implemented, and based upon existing standards / governance frameworks. Procedures must take into consideration corporate security policy, business controls, and relevant regulatory requirements.
Points of Consideration:
- The SOC's mission must be clearly defined (incident discovery, CERT, etc.).
- SOCs differ from NOCs, and an alarm does not always equate to action.
- Processes must take into consideration the evaluation and incorporation of a constantly changing stream of potentially actionable threat intelligence.
- Best practices for incident investigation, response, and mitigation must be maintained and updated as technologies are added, change, or mature.
Technology
Technology for a SOC build is the foundation on which the organization demonstrates the ability to provide security continuously, even under duress such as persistent attack, natural disaster, facilities failure, etc.
Points of Consideration:
- SOC technologies (SIEM, trouble ticketing, incident management, etc.) are often special purpose, costly, and challenging to maintain due to their overall complexity.
- The number of disparate systems and the volume of device / event data will typically require dedicated IT staff for system administration.
- Capacity management can be a challenge due to the need to support peak loads, which may include DDoS, monthly batch processing, etc.
- The management and reporting systems must be flexible enough to accommodate changes in process and security policy as well as in the technology landscape.
Second variant of the SOC organization and platform diagrams (same layout as the earlier slide: governance, service delivery management, business operations, architecture & security intelligence, SOC operations, operational functions, platform components and data sources). It differs from the earlier diagram only in these labels: Use Case Management in place of Use Case Recommendations; OT Operations alongside IT Operations; MSSP added to the data-source legend next to IT / Corp.
Getting Started
Develop a Strategy then a Plan
Phases (diagram; the items below were recovered from the slide text and their assignment to phases is approximate):
- Strategy: define the mission; set the high-level vision; develop next steps for action
- Assessment: table-top, guided SOC maturity assessments; assess current operations and capabilities; define the future environment; develop a roadmap for action
- Workshop: educational, share best practices; laying the foundation of knowledge and experience; define capabilities and metrics
- Design & Build: people and governance; processes and practices; technology; business-aligned threat management; designing effective staffing models and supporting mechanisms; conducting training and testing; implementing tracking and reporting capabilities
- Run & Enhance: leveraging acquired capabilities; instituting formal feedback and review processes; driving further value from the technology; tuning and refinement; expanding business coverage and functions
- Optimize: drive for best practices; integrated operations with improved communications; seek opportunities for cost takeout; continuous improvement
Service offerings (table recovered from the slide: offering, activities, duration, deliverable)

SOC / SIEM Workshop (1-5 days; deliverable: Workshop Readout)
- Review security policies and SOC/SIEM mission/charter
- Review IBM SOC / SIEM Operating Model Point of View
- Review components needed to implement a security operation center: platform architecture, processes, organization, metrics/reporting, governance
- Discuss best practices for each component and industry trends
- Develop client feedback report

SOC Maturity Assessment Workshop (1-5 days; deliverable: Maturity Assessment)
- Review security policies and SOC/SIEM mission/charter
- Assess client environment against IBM SOC / SIEM Maturity Model
- Establish future state target maturity by component
- Analyze current and future targets vs. industry maturity benchmarks
- Identify gaps, opportunities for improvement, prioritize improvements
- Develop preliminary recommendations for SOC program

Use Case / Rule (UCR) Assessment (4-8 weeks; deliverable: Assessment Report)
- Review security policies and SOC/SIEM mission/charter
- Review business/technical requirements, risk tolerance, cost constraints
- Review Use Case Models and rule architecture and design
- Identify gaps, opportunities for improvement
- Prepare high level Use Case / Rule recommendations

Use Case / Rule (UCR) Strategy (4-8 weeks; deliverable: Use Case Assessment and Strategy)
- Review security policies and SOC/SIEM mission/charter
- Review business/technical requirements, risk tolerance, cost constraints
- Review Use Case Models and rule architecture and design
- Identify gaps, opportunities for improvement
- Identify UCR scenarios and tailor the decision model
- Identify target state, prioritize improvements, finalize UCR strategy

SOC/SIEM Design (2-3 months; deliverables: SOC/SIEM design method, design phase method/plan, workshop decks/schedules, key scope element baselines, SOC capacity modeling tool)
- Develop Macro / Micro Design for the Security Operation Center
- Key scope elements: platform, process, organization, reports, governance
- Data source logical/physical scope and integration architecture
- Develop use case and rule macro and micro design
- Develop SOC operational model, logical/physical platform architecture
- Finalize SOC process scope, context diagram, core/non-core processes
- Develop organization conceptual/logical model (roles), governance model
- Develop key metrics, reporting architecture, report list
- Product selection decision model and preliminary recommendations (opt.)
- Finalize SOC / SIEM Macro and Micro Design Deliverables

SOC/SIEM Implementation (4-6 months; deliverables: implementation method/plan; MSS build, test, deploy plans; workshop decks/schedules; use case / rule frameworks; key scope element baselines; SOC capacity modeling tool; Ops Manual; PoC, pilot and simulated live ops plan; Security Operation Center Go-Live; updated Phase N design plan)
- Prepare SOC implementation plan, conduct SOC build, test, deployment
- Key scope elements: platform, process, organization, reports, governance
- Execute procurement for selected products, services (opt.)
- Finalize MSS implementation plan and build, test and deploy MSS (opt.)
- Build, test and deploy data sources, integration APIs
- Build, test, deploy use cases and conduct rule tuning
- Build, test and deploy SOC processes, metrics, SLAs/SLOs, Ops Manual
- Build, test and deploy organization design, role descriptions
- Build, test and deploy metrics, reports and executive dashboards
- Build, test and deploy SOC governance processes
- Conduct transition: Proof of Concept, Pilot Ops, Simulated Live Ops
Essential Practices (slide; most labels were lost in extraction). Recoverable items: a maturity axis labelled Manual, Basic, Proficient, Optimized; practice 3, "Defend the mobile and social workplace"; practice 8, "Manage third party security compliance"; Security Solution Development Centers. Footnotes: 1 IBM Global Technology Services (GTS); 2 Managed Security Services (MSS).
IBM Solution:
The IBM Security Services team reviewed the client's business and technical requirements, risk tolerance and cost constraints. After analyzing the requirements, IBM developed a 3-year SOC Strategy and Roadmap with ongoing phased implementations. Additionally, the following high-level tasks were performed:
- Global installation of the QRadar monitoring tool
- Archer ticketing system implementation (security tickets)
- Designed the SOC organization, process and people model
- SOC capacity modeling
- Hired and trained the client's SOC staff (~12 resources)
- Implemented SOC operational reporting and executive dashboards
Client Benefits:
- Reduced risks and costs associated with security incidents and data breaches
- Addressed compliance issues by establishing clear audit trails for incident response
- Improved security posture with enterprise-wide security intelligence correlating events from IT and business-critical systems/applications
IBM burst into the Leader category by demonstrating superb global delivery capabilities
Integration
- Integrated with 400+ products and vendor platforms
- SIEM, log management, network anomaly detection, and risk management combined in a single console
Expertise
- Embedded 3rd-party security feeds including IBM X-Force
- Tight integration with InfoSphere Guardium and IBM Identity Manager & Access Manager for optimized data & user security
Solution:
A series of business and technical workshops were conducted to start the assessment, as the client needed to refocus their operations on security while maintaining regulatory compliance. These workshops then advanced to a full security operations design, integrating disparate business unit requirements, focusing analysis on important log sources, and reorganizing the department. Ultimately, the client chose to have IBM staff their new SOC, reducing the total number of hired staff and overall cost.
Solution components: IBM QRadar SIEM; IBM Security Services SOC Workshop & Design; IBM Security Services Professional Security Services.
Benefits: Overall SOC costs were reduced and the resulting organization is more focused and effective.
Solution:
A business and technical workshop was conducted to start the assessment and help the client envision what the end state should look like and how to initiate the centralization process. Leveraging a deployed IBM QRadar installation, the solution involves creating two redundant SOCs to centralize security intelligence and device management operations. These SOCs will work cooperatively using the best-practice operational models derived from IBM MSS Global SOCs, providing a single, measurable view of security across the client's global operations.
Solution components: IBM Security Services SOC Workshop; IBM QRadar; IBM Security Services Managed SIEM.
Backup Pages
SOC lifecycle activities (table recovered from the slide; columns run from workshop and assessment through build, run and steady state)
SOC People: Deliver SOC Workshop; Perform SOC Maturity assessment; Identify stakeholders; Define roles, responsibilities, and job; Deliver training: on the job, intrusion analysis, and technology; Maintain a dedicated SOC manager
SOC Technology: Architect & design SIEM solutions; Plan use cases; Map operations to regulatory and business requirements; Health check; Install & configure SIEM solutions; Implement dashboards; Establish data feeds; Implement use cases; Build content; Design analyst workstations; Integrate threat intelligence; Operate and maintain SIEM solutions; Develop operational and business reports; Investigate using advanced analytics; Manage incidents via cases; Operate and maintain SIEM; Maintain architecture and product; Perform health check on the SIEM environment at planned intervals; Perform capacity planning; Develop steady-state technology costs
Example detection (slide):
- Who? An internal user
- What? Oracle data
- Where? Gmail
- PCI compliance at risk? Real-time detection of a possible violation
Unencrypted Traffic: IBM Security QRadar QFlow saw a cleartext service running on the Accounting server. PCI Requirement 4 states: Encrypt transmission of cardholder data across open, public networks.
Compliance Simplified: out-of-the-box support for major compliance and regulatory standards; automated reports, pre-defined correlation rules and dashboards.
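The two detections on that slide are flow-level rules, and they are easy to get wrong in opposite directions: a cleartext listener is only interesting if the host is in scope, and Requirement 4 speaks of open, public networks, so a cleartext service on an internal server is a lead for an analyst to confirm, not a violation by itself. As an added example (not IBM's or QRadar's code), the following Python applies both rules to constructed flow records: Rule A flags a cleartext protocol reaching a PCI-scoped host, Rule B flags an internal user who pulls a large volume from a database server and soon after uploads a similar volume to webmail. The flow layout, asset inventory, port-to-protocol map, thresholds and addresses are assumptions made for the example.

```python
"""Flow-level PCI checks (added example, not IBM or QRadar code).

Rule A: a cleartext service observed on a PCI-scoped host (reported with a
PCI DSS Requirement 4 reference for the analyst to confirm).
Rule B: an internal user pulls a large volume from a database server and,
within a lookback window, uploads a similar volume to webmail.
Flow layout, asset inventory, port map and thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    ts: int             # seconds since an arbitrary epoch (constructed)
    src: str
    user: str           # identity the sensor attached to the flow (assumed)
    dst: str
    dst_port: int
    app: str            # application label from the flow sensor (assumed)
    bytes_out: int = 0  # src -> dst
    bytes_in: int = 0   # dst -> src


# Constructed asset inventory: which hosts are in PCI scope and what they do.
ASSETS = {
    "10.1.2.10": {"name": "acct-srv01", "role": "accounting", "pci": True},
    "10.1.2.20": {"name": "oradb01", "role": "database", "pci": True},
    "10.1.3.5": {"name": "intranet01", "role": "web", "pci": False},
}

# Well-known cleartext application ports (assumed mapping for the example).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}
WEBMAIL_APPS = {"gmail", "webmail"}


def rule_cleartext_on_pci_asset(flow):
    """Rule A: cleartext protocol to a PCI-scoped host -> finding, else None."""
    asset = ASSETS.get(flow.dst)
    if asset and asset["pci"] and flow.dst_port in CLEARTEXT_PORTS:
        return {"rule": "cleartext_on_pci_asset", "asset": asset["name"],
                "protocol": CLEARTEXT_PORTS[flow.dst_port], "src": flow.src,
                "reference": "PCI DSS Requirement 4 (confirm scope of the link)"}
    return None


def analyze(flows, exfil_bytes=10_000_000, lookback=3600):
    """Apply both rules to flows in time order; return the list of findings."""
    findings = []
    pulled = {}  # user -> (ts, bytes pulled, database host)
    for f in sorted(flows, key=lambda x: x.ts):
        finding = rule_cleartext_on_pci_asset(f)
        if finding:
            findings.append(finding)
        dst_asset = ASSETS.get(f.dst)
        # Rule B, step 1: remember a large pull from a database server.
        if dst_asset and dst_asset["role"] == "database" and f.bytes_in >= exfil_bytes:
            pulled[f.user] = (f.ts, f.bytes_in, dst_asset["name"])
        # Rule B, step 2: the same user uploads a large volume to webmail soon after.
        if f.app in WEBMAIL_APPS and f.bytes_out >= exfil_bytes and f.user in pulled:
            when, nbytes, dbhost = pulled[f.user]
            if f.ts - when <= lookback:
                findings.append({"rule": "db_pull_then_webmail_upload", "user": f.user,
                                 "source_data": dbhost, "destination": f.app,
                                 "bytes_pulled": nbytes, "bytes_uploaded": f.bytes_out})
    return findings


# Constructed flows (203.0.113.10 stands in for a webmail provider):
# alice pulls Oracle data then uploads to Gmail; bob telnets to the accounting
# server; dave sends a small mail; erin uses cleartext HTTP against a host that
# is out of PCI scope, which by design produces no finding.
SAMPLE_FLOWS = [
    Flow(100, "10.0.5.23", "alice", "10.1.2.20", 1521, "oracle", bytes_out=4_000, bytes_in=52_000_000),
    Flow(400, "10.0.5.23", "alice", "203.0.113.10", 443, "gmail", bytes_out=48_000_000, bytes_in=20_000),
    Flow(500, "10.0.5.40", "bob", "10.1.2.10", 23, "telnet", bytes_out=2_000, bytes_in=9_000),
    Flow(600, "10.0.5.40", "bob", "10.1.2.10", 443, "https", bytes_out=2_000, bytes_in=9_000),
    Flow(700, "10.0.5.51", "dave", "203.0.113.10", 443, "gmail", bytes_out=60_000, bytes_in=5_000),
    Flow(800, "10.0.5.60", "erin", "10.1.3.5", 80, "http", bytes_out=1_000, bytes_in=30_000),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```

Both rules depend on the asset and data classifications listed among the SOC data sources: without the inventory, Rule A fires on every internal HTTP server and Rule B cannot tell a database pull from a file-share copy. Shrinking the lookback to a few minutes turns the exfiltration chain off, which is the tuning trade-off the use case / rule work is about.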
Managed SIEM Service Overview (diagram; labels recovered from letter-spaced text):
- Inputs: real-time data sources; scheduled log sources; log data; expert knowledge; compliance policy analysis rules, best practices and remediation guidelines
- Real-Time Incident Identification Engine: real-time alert/exception; 24x7 incident management monitors the dashboard closely; ticketing; incident reporting
- Compliance Engine: service reporting
- Dashboard and Reporting Engine: compliance reporting; anomaly reporting; custom reporting (anomaly / forensics); raw log access
- Operational
Project Timeline
Ongoing Maturation