
IBM Security Services

Building a Security Operations Center

Engin Özbay
IBM Security, Turkey

enginoz@tr.ibm.com

© 2015 IBM Corporation


Security operations in a changing environment

The current environment is putting new demands on security operations

Drivers: New Business Models, Velocity of Threats, New Technologies, large existing IT infrastructures with a globalized workforce, Mobile / BYOD, Collaboration / Cloud / 3rd party services, Virtualization and a growing customer base, Social Business, Evolving Regulations, blurring “Social” identities

Potential Impacts: Malware infection ($$$), Regulatory Fines, Data or Device Loss or Theft, Loss of productivity, Data Leakage


Why do we build operational security controls & capabilities?

Reduce enterprise risk. Protect the business.

Move from reactive response to proactive mitigation.

Increase visibility over the environment.

Meet compliance/regulatory requirements.


What is a Security Operations Center, or SOC?

• A Security Operations Center is a highly skilled team following defined definitions and processes to manage threats and reduce security risk
• Security Operations Centers (SOC) are designed to:
  – protect mission-critical data and assets
  – prepare for and respond to cyber emergencies
  – help provide continuity and efficient recovery
  – fortify the business infrastructure
• The SOC’s major responsibilities are:
  – Monitor, Analyze, Correlate & Escalate Intrusion Events
  – Develop Appropriate Responses; Protect, Detect, Respond
  – Conduct Incident Management and Forensic Investigation
  – Maintain Security Community Relationships
  – Assist in Crisis Operations

Security operations centers must be responsive to the evolving threats and provide management the information and control that it needs

The SOC ….
• Must demonstrate compliance with regulations
• Protect intellectual property and ensure privacy properly
• Manage security operations effectively and efficiently
• Provide real-time insight into the current security posture of your organization
• Provide security intelligence and the impact of threats on the organization
• Enable your organization to know who did what, when - and prove it (evidence)

But it’s not that simple...


Designing and building a SOC requires a solid understanding of the business’ needs and the resources that IT can deploy

Multiple stakeholders, processes and technologies to consider:
• People: In-house staff, Partners, Customers, Outsourced Providers (personnel skills: security analysts, shift leads, SOC managers)
• Process: Threat Analysis, Compliance Mgmt, Change Mgmt, Risk Assessment, Vulnerability Mgmt, Identity & Access, SLA Mgmt, Incident Mgmt (an operational process framework)
• Technology: Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Vulnerability Scanners, Identity & Desktop Mgmt, Ticketing System, Change Tracking
• Physical space requirements and location


There is no app for that…

• Client Success: Undefined
• Compliance & Reporting
• Technology Scope: Identity & Access, Application Monitoring, Brand Monitoring, Log Integrity, Firewall, IDPS, DLP
• People: In-House, Co-Deliver, Outsource
• Functionality: Security Intelligence ON, Security Monitoring ON, Compliance Management OFF, Correlation Rules ON, Device Management OFF, Incident Escalation ON, Policy Management OFF, Incident Response OFF
• Escalations & Notifications

….Don’t be a FOOL and think you just need to buy a TOOL



Building a Security Operations Center involves multiple domains

People
• Do you need 24x7x365 staff?
• What are the skills needed?
• Where do you get staff?
• What about training?
• How do you keep staff?
• Metrics to measure performance
• Capacity planning

Process
• What does the plan look like?
• How do we measure progress and goals?
• What is the optimal design of core processes? (eg. incident management, tuning, etc.)
• Process and continual improvement

Technology
• SIEM architecture & use cases
• Log types and logging options
• Platform integrations; ticketing, governance, big data
• Web services to integrate them
• Technology should improve effectiveness and efficiency

Governance / Metrics
• Dashboard visibility and oversight
• Policy, measurement and enforcement
• Integrated governance that balances daily operations with strategic planning
• Ministry objectives
• Informing stakeholders
• Informing employees

SOC Models


The changing requirements for enterprise security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of a SOC.

Legacy SOC: detect & react to threats. Optimized SOC: proactive, visible; anticipate threats, mitigate risks.

Mission & Strategy
  Charter: Legacy SOC = Technology or service only. Optimized SOC = Build a dedicated security operations capability.
  Governance: Legacy SOC = Self governed (IT Security). Optimized SOC = Cross-functional (IT, Business, Audit, etc.).
  Strategy: Legacy SOC = Budget based, 12 month planning cycle. Optimized SOC = 3+ year cycle, priorities set by enterprise.
Technology
  Tools: Legacy SOC = SIEM tool only. Optimized SOC = SIEM, ticketing, portal/dashboard, Big Data.
  Use Cases: Legacy SOC = Standard rules, minimal customization. Optimized SOC = Tailored rules based on risk & compliance drivers.
  Referential Data Management: Legacy SOC = Minimal importance, secondary priority. Optimized SOC = Required data, used to prioritize work.
Operations
  Measures: Legacy SOC = Silos, ticket/technology driven. Optimized SOC = Cross-functional, efficiency, quality, KPI/SLO/SLA.
  Reporting: Legacy SOC = Ticket/technology driven. Optimized SOC = Metrics, analytics, scorecards, & dashboards.


IBM Security Operations Operating Model

• Cyber-Security Command Center (CSCC): Executive Security Intelligence Briefings; Consolidated Security Analytics & Dashboards; Local/Reg. Security Oversight; Local/Reg. Intel. Briefings
• Corporate Governance: Business Units; SOC Governance; Legal; Audit
• SOC Service Delivery Management: Service Level Management; Operational Efficiency; Service Reporting; Escalation
• Architecture & Projects; Security Intelligence (Incident Hunting, PM, Use Case Recommendations); Security Analytics & Incident Reporting; Investigations
• Business Operations: Business Ops; Public Relations; Legal / Fraud Operations
• Emergency Response: CSIRT Management; Corp. Incident Response; Table-top Exercises
• SOC Operations:
  – Admin Support Services: Tool Integration, Rule Admin
  – Threat Monitoring: Threat Analysis, Impact Analysis
  – Threat Triage: Investigations, Incident Triage
  – Threat Response: Adv. Event Analysis, Escalations
• IT Operations: Incident Mgmt, Problem Mgmt, Change Mgmt, Release Mgmt
• SOC Platform Components: Security Device Data, Event Data (Int./Ext.), Event Patterns, Correlation, Aggregate Security Events, Log Data (Transactional), Unstructured Data (Big Data), Custom Rules
• Technology: SIEM, Ticketing & Workflow, Integration Tools (e.g. Web Srvcs), Reporting / Portal, Dashboard, Big Data
• SOC Data Sources: Logs (Transactional), Network Hierarchy & Design, Business Data from Structure & Geography, Unstructured (Big Data), Asset & Data Classifications, Threat Intelligence
• Legend: SOC; IT / Corp

We understand that an effective SOC has the right balance of People, Process and Technology components

• People: In-house staff, Partners, Customers, Outsourced Providers
• Process: Threat Analysis, Compliance Mgmt, Change Mgmt, Risk Assessment, Vulnerability Mgmt, Identity & Access, SLA Mgmt, Incident Mgmt
• Technology: Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Vulnerability Scanners, Identity & Desktop Mgmt, Ticketing System, Change Tracking


It starts with the right people …

People: In-house staff, Partners, Customers, Outsourced Providers

The SOC is only as good as its people, and upfront planning for the unique people management aspects of a 24x7 security centric organization will provide significant long term returns.

Points of Consideration:
• SOC staff have a specialized skill set and experienced staff are often difficult to find
• Training is expensive, time consuming, and improves marketability of staff. Compensation strategies must be evaluated accordingly.
• Retention of staff is difficult in a non-security centric organization due to continuous need for updated training, lack of expansive career path options, and burn-out.
• Beyond analysts for 24x7 coverage, other supporting functions must be considered:
  – System admins, Intelligence resources, Escalation resources, Compliance officers, Management / Supervision

ILLUSTRATIVE

The SOC organization is organized around the standard plan, build and run model

SOC Organization Chart
• SOC Delivery Governance Manager
• SOC / Security Intel Architect (Plan)
• Security Intelligence Manager (Build / Plan)
• SOC Engineering Manager (Build): Security System Administrator, Security Policy Administrator, Device Administrator
• SOC Monitoring, Tier 1 (Run): Senior Threat Analyst, Threat Analyst, Threat Analyst Trainee
• SOC Triage, Tier 2 (Run): Senior Threat Response Analyst, Threat Response Mitigation Analyst (Reactive), Threat Response Remediation Analyst (Proactive)
• SOC Escalation, Tier 3 (Run): Incident Case Manager, Senior ERS Incident Response Technical Analyst
• IT Operations interfaces: Incident Mgmt, Problem Mgmt, Change Mgmt, Release Mgmt, Device Mgmt

ILLUSTRATIVE

A responsibility matrix for all SOC roles should be defined across each SOC service.

Roles (matrix columns): Security Intelligence Analyst; SOC Analyst: Monitoring; SOC Analyst: Triage; SOC Analyst: Response; Security Incident Handler; SOC Tools Admin; IT Security Admin; SOC Manager; Security Forensic Analyst (Certified); IT Operations; CERT

Services (matrix rows), with each role marked R, A, C or I for the service:
• Core Security Services: Security Monitoring; Security Incident Triage; Incident Response; Delivery Management
• Deployment Services: Use Case Design; Log Source Acquisition; Service Testing & Tuning; Custom Playbook Development; Operations Training
• Security Intelligence Services: Security Intelligence Analysis; Security Intelligence Briefings; Use Case Recommendations
• Administrative Services: SIEM Administration; Contextual Data Management; Log Source Management; Log Source Heartbeat Monitoring
• Reporting Services: Security Reporting; Efficiency Reporting; Financial Reporting
• Optional Services: Enterprise Incident Management; Forensics Investigation; Policy Violation Handling

ILLUSTRATIVE

Sample Job Description: Triage Analyst

Responsibilities
• Monitoring of security events received through alerts from SIEM or other security tools
• Review alerts escalated by end users
• Handle end user and security services consumer initiated incidents and initiating trouble tickets – Sev 4 tickets
• Performing Level 1 triage of incoming issues (initial assessing the priority of the event, initial determination of incident to determine risk and damage or appropriate routing of security or privacy data request)
• Monitoring of alert and downstream dependencies health (logger, client agents, etc)
• Responsible for troubleshooting agents and logs required for reporting when not reporting to alerting systems
• Intake intelligence actions from Intelligence teams and ticket for appropriate operators for tool policy or tool setting tuning
• Provide limited incident response to end users for low complexity security incidents
• Notifying appropriate contact for security events and response
• Takes an active part in the resolution of incidents, even after they are escalated
• Work assigned ticket queue
• Understanding and exceeding all tasked SLA commitments
• Track and report on closure of tickets per SLAs
• Escalating issues to Tier II or management when necessary
• Provide daily and weekly metrics for security and vulnerability incidents
• 24/7 Shift work required

Experience and Skills
• Process and Procedure adherence
• General network knowledge, TCP/IP Troubleshooting
• Ability to trace down an endpoint on the network based on ticket information
• Familiarity with system log information and what it means
• Understanding of common network services (web, mail, DNS, authentication)
• Knowledge of host based firewalls, Anti-Malware, HIDS
• General Desktop OS and Server OS knowledge
• TCP/IP, Internet Routing, UNIX & Windows NT
• Strong analytical and problem

Training
• Required: Security Essentials – SEC401 (optional GSEC certification)
• Computer Forensic Investigation – Windows In-Depth - FOR408
• Recommended: Security Incident Handling and Forensic - FOR 508
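The SLA-tracking, Tier II escalation and daily-metrics duties in the job description above, worked as a small Tier 1 queue helper. This is an added example, not code from the IBM deck: the SLA hours per severity, the 75% escalation threshold, the ticket fields and the sample tickets are all constructed assumptions.

```python
"""Tier 1 triage queue helper: SLA state, escalation decisions, daily metrics.

Added example, not part of the original deck. SLA targets, escalation policy,
ticket fields and the sample queue below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed SLA targets per severity, in hours to closure (Sev 1 most severe).
SLA_HOURS = {1: 4, 2: 8, 3: 24, 4: 72}
# Assumed policy: escalate an open ticket to Tier II once this fraction of its
# SLA window has elapsed, or as soon as an end user reopens it.
ESCALATE_AT_FRACTION = 0.75


@dataclass
class Ticket:
    ticket_id: str
    severity: int                      # 1..4, e.g. the "Sev 4" tickets above
    opened: datetime
    closed: Optional[datetime] = None  # None while the ticket is still open
    escalated: bool = False            # already handed to Tier II
    reopened: bool = False             # end user reopened after Tier 1 closure


def sla_deadline(t: Ticket) -> datetime:
    return t.opened + timedelta(hours=SLA_HOURS[t.severity])


def sla_state(t: Ticket, now: datetime) -> str:
    """Classify a ticket against its SLA as of `now`.

    met      - closed on or before the deadline
    breached - closed after the deadline, or still open past it
    at_risk  - open, within SLA, but past the escalation threshold
    on_track - open and comfortably inside the SLA window
    """
    deadline = sla_deadline(t)
    if t.closed is not None:
        return "met" if t.closed <= deadline else "breached"
    if now > deadline:
        return "breached"
    elapsed_fraction = (now - t.opened) / (deadline - t.opened)
    return "at_risk" if elapsed_fraction >= ESCALATE_AT_FRACTION else "on_track"


def needs_escalation(t: Ticket, now: datetime) -> bool:
    """Tier 1 escalates when an open, not-yet-escalated ticket is reopened,
    at risk of missing its SLA, or already past it."""
    if t.closed is not None or t.escalated:
        return False
    return t.reopened or sla_state(t, now) in ("at_risk", "breached")


def daily_metrics(tickets: List[Ticket], day: datetime, now: datetime) -> Dict[str, object]:
    """Shift-report metrics for one calendar day: volume, closures, SLA
    compliance of the day's closures, open backlog and pending escalations."""
    start = day.replace(hour=0, minute=0, second=0, microsecond=0)
    end = start + timedelta(days=1)
    opened_today = [t for t in tickets if start <= t.opened < end]
    closed_today = [t for t in tickets if t.closed is not None and start <= t.closed < end]
    met = sum(1 for t in closed_today if sla_state(t, now) == "met")
    open_now = [t for t in tickets if t.closed is None]
    by_sev: Dict[int, int] = {}
    for t in opened_today:
        by_sev[t.severity] = by_sev.get(t.severity, 0) + 1
    return {
        "opened": len(opened_today),
        "closed": len(closed_today),
        "sla_compliance_pct": round(100.0 * met / len(closed_today), 1) if closed_today else None,
        "open_backlog": len(open_now),
        "pending_escalation": [t.ticket_id for t in open_now if needs_escalation(t, now)],
        "opened_by_severity": dict(sorted(by_sev.items())),
    }


# Constructed sample queue (not real tickets), evaluated at a fixed "now".
NOW = datetime(2015, 6, 1, 16, 0)
SAMPLE_TICKETS = [
    Ticket("T-1001", 4, datetime(2015, 6, 1, 8, 0), closed=datetime(2015, 6, 1, 10, 30)),  # met
    Ticket("T-1002", 1, datetime(2015, 6, 1, 9, 0), closed=datetime(2015, 6, 1, 14, 0)),   # 5h > 4h SLA
    Ticket("T-1003", 2, datetime(2015, 6, 1, 9, 30)),                   # 6.5h of 8h elapsed
    Ticket("T-1004", 3, datetime(2015, 6, 1, 12, 0)),                   # 4h of 24h elapsed
    Ticket("T-1005", 4, datetime(2015, 5, 31, 20, 0), reopened=True),   # reopened by end user
    Ticket("T-1006", 2, datetime(2015, 6, 1, 7, 0), escalated=True),    # past SLA, already Tier II
]


def sample_report() -> Dict[str, object]:
    return daily_metrics(SAMPLE_TICKETS, NOW, NOW)


if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        flag = "ESCALATE" if needs_escalation(t, NOW) else ""
        print(t.ticket_id, sla_state(t, NOW), flag)
    print(sample_report())
```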


Leveraging tested integrated processes ….

Process: Threat Analysis, Compliance Mgmt, Change Mgmt, Risk Assessment, Vulnerability Mgmt, Identity & Access, SLA Mgmt, Incident Mgmt

SOC processes must be documented, consistently implemented, and based upon existing standards / governance frameworks. Procedures must take into consideration corporate security policy, business controls, and relevant regulatory requirements.

Points of Consideration:
• The SOC’s mission must be clearly defined – Incident discovery, CERT, etc.
• SOCs differ from NOCs, and an alarm does not always equate to action.
• Processes must take into consideration evaluation and incorporation of a constantly changing stream of potentially actionable threat intelligence.
• Best practices for incident investigation, response, and mitigation must be maintained and updated as technologies are added, change, or mature.

Built on a solid technology platform

Technology: Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Vulnerability Scanners, Identity & Desktop Mgmt, Ticketing System, Change Tracking

Technology for a SOC build is the foundation on which the organization demonstrates the ability to provide security continuously, even under times of duress such as persistent attack, natural disaster, facilities failure, etc.

Points of Consideration:
• SOC technologies (SIEM, trouble ticketing, incident management, etc.) are often special purpose, costly, and challenging to maintain due to their overall complexity
• The number of disparate systems and volume of device / event data will typically require a dedicated IT staff for system administration
• Capacity management can be a challenge due to the need to support peak loads, which may include DDoS, monthly batch processing, etc.
• The management and reporting systems must be flexible enough to accommodate process and security policy as well as changes in the technology landscape

SOC Strategies & Approaches


Selecting the optimal SOC operating model depends on balancing business and technical requirements, risk and financial constraints

Business Requirements: Centralized vs. Decentralized
  Centralized: Single Global SOC; CSCC Combined with SOC; Lowest Cost; Easiest to Manage
  Decentralized: Multiple SOC’s (Geo. / BU); Single Global CSCC; High Cost; More Difficult to Manage

Technical Requirements: Standard vs. Highly Customized
  Standard: Simple Platform; Lowest Cost to Implement/Operate; Good Risk Mgmt Capabilities; Easy to Scale Operations; Moderate Detail on Threats
  Highly Customized: Complex Platform; High Cost to Implement/Operate; Excellent Risk Mgmt Capabilities; More Expensive to Scale Operations; Rich Detail on Threats

Risk Tolerance: Externally Managed vs. Internally Managed
  Externally Managed: 30-90 Day Implementation; Lowest Cost to Implement/Operate; Not Core to Business; Leverage Industry Best Practices
  Internally Managed: Long Implementation Lead Time; High Cost to Implement/Operate; Core to Business; Frequent Independent Reviews

Financial Constraints: Low Cost vs. High Cost
  Low Cost: Lowest Cost to Implement; Lowest Cost to Operate
  High Cost: Highest Cost to Implement; Highest Cost to Operate

IBM Security Operations Operating Model: MSSP Hybrid

• Cyber-Security Command Center (CSCC): Executive Security Intelligence Briefings; Consolidated Security Analytics & Dashboards; Local/Reg. Security Oversight; Local/Reg. Intel. Briefings
• Corporate Governance: Business Units; SOC Governance; Legal; Audit
• SOC Service Delivery Management: Service Level Management; Operational Efficiency; Service Reporting; Escalation
• Architecture & Projects; Security Intelligence (Incident Hunting, Use Case Management); Security Analytics & Incident Reporting; Investigations
• Business Operations: Business Ops; Public Relations; Legal / Fraud Operations
• Emergency Response: CSIRT Management; Corp. Incident Response; Table-top Exercises
• SOC Operations:
  – Admin Support Services: Tool Integration, Rule Admin
  – Threat Monitoring: Threat Analysis, Impact Analysis
  – Threat Triage: Investigations, Incident Triage
  – Threat Response: Adv. Event Analysis, Escalations
• IT Operations: Incident Mgmt, Problem Mgmt, Change Mgmt, Release Mgmt; OT Operations
• SOC Platform Components: Security Device Data, Event Data (Int./Ext.), Event Patterns, Correlation, Aggregate Security Events, Log Data (Transactional), Unstructured Data (Big Data), Custom Rules
• Technology: SIEM, Ticketing & Workflow, Integration Tools (e.g. Web Srvcs), Reporting / Portal, Dashboard, Big Data
• SOC Data Sources: Logs (Transactional), Network Hierarchy & Design, Business Data from Structure & Geography, Unstructured (Big Data), Asset & Data Classifications, Threat Intelligence
• Legend: SOC; IT / Corp; MSSP

Getting Started
Develop a Strategy then a Plan


To get started, the organization should consider the following questions in establishing its objectives

• What is the primary purpose of the SOC?
• What are the specific tasks assigned to the SOC? (e.g., threat intelligence, security device management, compliance management, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)
• Who are the consumers of the information collected and analyzed by the SOC? What requirements do they have for the SOC?
• Who is the ultimate stakeholder for the SOC? Who will “sell” the SOC to the rest of the organization?
• What types of security events will eventually be fed into the SOC for monitoring?
• Will the organization seek an external partner to help manage the SOC?


The Security Operations Optimization portfolio provides a flexible approach to the entire SOC/SIEM life cycle.

Dimensions: People and Governance; Processes and Practices; Technology

Assessment Workshop
• Educational, share best practices
• Table-top, guided SOC maturity assessments
• Set high-level vision
• Develop next steps roadmap for action

Strategy
• Define the mission
• Assess current operations and capabilities
• Define future environment
• Develop roadmap for action

Design & Build
• Laying the foundation of supporting processes / technology
• Designing effective staffing models and mechanisms
• Conducting training and testing
• Implementing tracking and reporting capabilities

Run & Optimize
• Leveraging acquired knowledge and experience
• Instituting formal feedback and review
• Driving further value from the technology
• Expanding business coverage and functions
• Tuning and refinement

Enhance
• Business aligned threat management and metrics
• Drive for best practices
• Integrated operations with improved communications
• Seek opportunities for cost takeout
• Continuous improvement


Security Operations Optimization Consulting Offerings

SOC / SIEM Workshop
  Description:
  • Review security policies and SOC/SIEM mission/charter
  • Review IBM SOC / SIEM Operating Model Point of View
  • Review components needed to implement security operation center: Platform Arch., processes, organization, metrics/reporting, governance
  • Discuss best practices for each component and industry trends
  • Develop client feedback report
  Sample Duration & Details: 1-5 Days; Workshop Readout Deliverable

SOC Maturity Assessment Workshop
  Description:
  • Review security policies and SOC/SIEM mission/charter
  • Assess client environment against IBM SOC / SIEM Maturity Model
  • Establish future state target maturity by component
  • Analyze current and future targets vs. industry maturity benchmarks
  • Identify gaps, opportunities for improvement, prioritize improvements
  • Develop preliminary recommendations for SOC program
  Sample Duration & Details: 1-5 Days; Maturity Assessment Deliverable

SOC/SIEM Strategy and Program Mobilization
  Description:
  • Review security policies and SOC/SIEM mission/charter
  • Conduct detailed current environment review by component area; Platform Arch., processes, organization, metrics/reporting, governance
  • Review current and planned SOC/SIEM projects/initiatives
  • Assess current environment vs. Maturity Model, est. future state target
  • Identify and prioritize gaps and opportunities for improvement
  • Identify SOC scenarios and tailor the decision model
  • Finalize transformation states, service improvements, finalize strategy
  • Identify initiatives, group into projects, develop roadmap (timeline)
  Sample Duration & Details: 4-6 Weeks; Maturity Assessment Deliverable; Component baselines; Sample Phase 1 work plan


Security Operations Optimization Consulting Offerings

Use Case / Rule (UCR) Assessment
  Description:
  • Review security policies and SOC/SIEM mission/charter
  • Review business/technical requirements, risk tolerance, cost constraints
  • Review Use Case Models and rule architecture and design
  • Identify gaps, opportunities for improvement
  • Prepare high level Use Case / Rule recommendations
  Sample Duration & Details: 4-8 Weeks; Assessment Report

Use Case / Rule (UCR) Strategy
  Description:
  • Review security policies and SOC/SIEM mission/charter
  • Review business/technical requirements, risk tolerance, cost constraints
  • Review Use Case Models and rule architecture and design
  • Identify gaps, opportunities for improvement
  • Identify UCR scenarios and tailor the decision model
  • Identify target state, prioritize improvements, finalize UCR strategy
  Sample Duration & Details: 4-8 Weeks; Use Case Assessment and Strategy Deliverable

Security Operations Center Reporting Strategy
  Description:
  • Review security policies and SOC/SIEM mission/charter
  • Review business/technical requirements, risk tolerance, cost constraints
  • Review current metrics, operational/executive reports
  • Identify gaps, opportunities for improvement
  • Identify target state, prioritize improvements, finalize SOC Rpt. strategy
  Sample Duration & Details: 6-12 Weeks; Security Operations Assessment and Strategy Deliverable


Security Operations Optimization – Design / Deploy

SOC/SIEM Design
  Description:
  • Develop Macro / Micro Design for Security Operation Center
  • Key scope elements; platform, process, organization, reports, governance
  • Data source logical/physical scope and integration architecture
  • Develop use case and rule macro and micro design
  • Develop SOC operational model, logical/physical platform architecture
  • Finalize SOC process scope, context diagram, core/non-core processes
  • Develop organization conceptual/logical model (roles), governance model
  • Develop key metrics, reporting architecture, report list
  • Product selection decision model and preliminary recommendations (opt.)
  • Finalize SOC / SIEM Macro and Micro Design Deliverables
  Sample Duration & Details: 2-3 Months; SOC/SIEM design method; Design phase method/plan; Workshop decks/schedules; Key scope element baselines; SOC capacity modeling tool

SOC/SIEM Implementation
  Description:
  • Prepare SOC implementation plan, conduct SOC build, test, deployment
  • Key scope elements; platform, process, organization, reports, governance
  • Execute procurement for selected products, services (opt.)
  • Finalize MSS implementation plan and build, test and deploy MSS (opt.)
  • Build, test and deploy data sources, integration API’s
  • Build, test, deploy use cases and conduct rule tuning
  • Build, test and deploy SOC processes, metrics, SLA’s/SLO’s, Ops Manual
  • Build, test and deploy organization design, role descriptions
  • Build, test and deploy metrics, reports and executive dashboards
  • Build, test and deploy SOC governance processes
  • Conduct transition; Proof of Concept, Pilot Op’s, Simulated Live Op’s
  • Security Operation Center Go-Live, Update Phase N Design Plan
  Sample Duration & Details: 4-6 Months; Implementation method/plan; MSS build, test, deploy plans; Workshop decks/schedules; Use case / rule frameworks; Key scope element baselines; SOC capacity modeling tool; PoC, pilot, sim. live ops. plan

Helping organizations with their SOC requirements is a core element of IBM’s 10 essential practices required to effectively manage risk

Essential Practices
1. Build a risk aware culture and management system
2. Manage security incidents with intelligence
3. Defend the mobile and social workplace
4. Secure services, by design
5. Automate security “hygiene”
6. Control network access and assure resilience
7. Address new complexity of cloud and virtualization
8. Manage third party security compliance
9. Secure data and protect privacy
10. Manage the identity lifecycle

Maturity based approach (figure axes: Manual to Automated; Reactive to Proactive)


IBM can provide unmatched global coverage and security awareness.

Locations shown: Security Operations Centers; Security Research Centers; Security Solution Development Centers; Institute for Advanced Security Branches

IBM Research
• 10B analyzed web pages and images
• 150M intrusion attempts daily
• 40M spam and phishing attacks
• 46K documented vulnerabilities and millions of unique malware samples

Worldwide managed security services coverage
• 20,000-plus devices under contract
• 3,300 GTS1 service delivery experts
• 3,700-plus MSS2 clients worldwide
• 20B-plus events managed per day
• 3,000-plus security patents
• 133 monitored countries (MSS)

1IBM Global Technology Services (GTS); 2Managed Security Services (MSS)


Largest Bank in Canada improves security by establishing SOC & implementing monitoring tools and processes

Profile: Largest Bank in Canada, 3rd largest in North America, top 10 globally. The bank serves 18 million clients and has 80,100 employees worldwide.

Client Situation:
The client had engaged IBM to help them map out their security needs, including SOC strategy, architecture, analyzing and querying log, threat, vulnerability data (SIEM) and ongoing management. A few high-level issues were:
• Lack of any SOC model and strategy roadmap
• There was no trained SOC Operations team or staff
• No Security monitoring tool or processes for security incidents

IBM Solution:
IBM Security Services Team reviewed the client’s business and technical requirements, risk tolerance and cost constraints. After analyzing the requirements, IBM developed a 3 year SOC Strategy and Roadmap with ongoing Phase implementations. Additionally the following high-level tasks were performed:
• Global Installation of the QRadar monitoring tool
• Archer Ticketing System implementation (security tickets)
• Designed the SOC Organization, Process, People Model
• SOC Capacity Modeling
• Hired and Trained the client’s SOC Staff (~12 resources)
• Implemented SOC Operational Reporting and Executive Dashboards

Client Benefits:
• Reduced risks & costs associated with security incidents and data breaches
• Addressed compliance issues by establishing clear audit trails for incident response
• Improved security posture with enterprise-wide security intelligence correlating events from IT & business critical systems/applications.

A global insurance company in the United States improves security by establishing SOC & implementing monitoring tools and processes

Profile: Global property and casualty insurer. Third largest insurer in the United States. Fortune 100 company. Operates in 900 locations distributed across 18 countries. The company has 50,000+ employees worldwide.

Client Situation:
The client had made a board-level commitment to raise the visibility, effectiveness and efficiency of the global security program. A few high-level issues:
• Multiple day delays in identifying threats
• Extreme incident false positive ratios with current MSSP
• Labor intensive program, without clear lines of responsibility
• Minimal security analytics & dashboards

IBM Solution:
IBM Security Services Team began with a full day SOC optimization workshop to educate the client program team, review and validate the client’s vision and strategy. After the workshop and recommendations, the client requested IBM’s support to help them plan, design and build the SOC including the following:
• SOC Architecture development
• SIEM operationalization (ArcSight)
• Remedy Ticketing System implementation (security tickets)
• Designed the SOC organization including capacity models
• Developed best-practice core SOC process and created supporting documentation & artifacts & trained client staff
• Implemented Security Operational Reporting and Executive Dashboards
• Managed transition from previous MSSP to IBM Managed Services

Client Benefits:
• Reduced incident identification time from hours to minutes and streamlined operations, further reducing risks & associated costs, & improved global security with end to end incident management
• Created an industry leading view into the overall security position allowing them to better manage their entire environment

A global financial services company in the UK improves security by transforming SOC from compliance to cyber threat monitoring

Profile: UK based financial services group. Retail, commercial, wealth and asset management, international and insurance arms. Operates in almost every community in the UK. Over 100,000 employees (2014).

Client Situation:
The client had invested in a SOC that was focused on policy violation and wanted to expand the capabilities of their existing investment:
• Compliance focused SOC
• Significant challenges with existing technology
• SOC manpower outsourced to 3rd Party
• Minimal security analytics & dashboards, non-existent Security Intelligence

IBM Solution:
IBM Security Services Team began with a 2 week SOC maturity assessment to gauge the client’s current and future capabilities and to review and validate the client’s vision and strategy. After the assessment, recommendations were presented to the client and IBM led the transformation programme including:
• Developed best-practice core SOC process and created supporting documentation & artifacts & trained client staff
• Established a Security intelligence function
• Accelerated development and implementation of a Ticketing System
• Reviewed the SOC organisation and identified improvements
• Demonstrated the importance of capacity modelling
• Implemented Security Operational Reporting and Executive Dashboards

Client Benefits:
• Increased efficiency from the existing SOC staff handling more events in a defined and repeatable way.
• Increased awareness of their own systems and future threats making use of Security Intelligence
• Better able to understand and highlight the benefits of the SOC due to improved metrics and reporting
33 IBM Confidential
Thank You
(The slide shows "thank you" in Greek, Hindi, Swedish, Russian, Turkish, Spanish, Thai, Arabic, Portuguese, Italian, Afrikaans, German, French, Slovenian, Simplified Chinese, Korean, Hungarian and Japanese.)
We leverage our SOC framework, which covers the multiple management dimensions of organizing and managing a SOC

We include 14 key processes that encompass both the business and IT aspects

Which leads to insightful analyses – e.g. Maturity Assessment
IBM offers multiple options in our consulting offerings

 Security Operations Center (SOC) Workshop
– 1-day management workshop to establish goals and objectives for developing the SOC, identifying stakeholders, types of threats monitored, and the management model

 Security Operations Center (SOC) Assessment
– Consulting assessment for clients that have an existing SOC but are looking for IBM to review their capabilities and process maturity and make recommendations for improvements

 Security Operations Center (SOC) Strategy Engagement
– Consulting strategy engagement for clients who are seeking to develop a comprehensive strategy and plan to implement a SOC that addresses both IT and the business for managing security and mitigating threats

 Security Operations Center (SOC) Design / Build Project
– Professional services to help clients design and build one or multiple SOCs that meet the organization's needs for improved security intelligence and risk management
– Components include:
• Organization/People (develop and implement staffing models, shift schedules, skills training etc.)
• Processes, Procedures, Guidelines (define, develop and document, update existing)
• Technology (plan, design, deploy technology components, integrate feeds and other referential sources)
What you can expect as a result from a SOC implementation

 Better understanding of how your security program reduces risk in operations and therefore business risk
 Measurement of the real-time compliance of particular security controls in the organization
 Insight into the current state of your security posture
 Visibility of issues, hacks, infections and misuse that otherwise would require human discovery and correlation
 Easier measurement of compliance and reduction of audit effort
IBM knows security

IBM is recognized as a leader in Security Consulting

"IBM burst into the Leader category by demonstrating superb global delivery capabilities"
Why IBM SIEM Security Technology? Breadth, deep expertise, integration

Leadership
 Leader in "Magic Quadrant for Security Information and Event Management", Gartner, May 12, 2011, May 13, 2010, May 29, 2009.
 #1 rated by Gartner for Compliance use cases ("Critical Capabilities for Security Information and Event Management Technology," Gartner, 12 May 2011)

Integration
 Integrated with 400+ products and vendor platforms
 SIEM, log management, network anomaly detection, and risk management combined in a single console

Expertise
 Embedded 3rd party security feeds including IBM X-Force
 Tight integration with InfoSphere Guardium and IBM Identity Manager & Access Manager for optimized data & user security
Client example – a large financial services company

Business Challenge:
A large European financial institution with multiple global locations was searching for best practices and assistance in creating an in-house, compliant and effective Security Operations Center. Compounding the challenge of the sheer magnitude of their operations were the complications surrounding several recent acquisitions that had not been fully integrated. The current operation was largely driven by SOX compliance requirements, which diluted the effectiveness of the SOC with "unimportant" log sources.

Solution:
A series of business and technical workshops were conducted to start the assessment, as the client needed to refocus their operations on security while retaining regulatory compliance. These workshops then advanced to a full security operations design, integrating disparate business unit requirements, focusing analysis on important log sources, and reorganizing the department. Ultimately, the client chose to have IBM staff their new SOC, reducing the total number of hired staff and overall cost.

Solution components:
 IBM Q-Radar SIEM
 IBM Security Services SOC Workshop & Design
 IBM Security Services Professional Security Services

Benefits: Overall SOC costs were reduced and the resulting organization is more focused and effective.
Client example – global pharmaceutical company

Business Challenge:
A large global pharmaceutical company with research locations scattered around the world faces the ongoing threat of industrial espionage and is frequently a target of hacktivists. Their current security operations are decentralized, allowing each unit to "fend for themselves". After some minor faults but no major incidents, the company has decided to centralize their security operations and create a holistic view of security across the entire organization.

Solution:
A business and technical workshop was conducted to start the assessment and to help the client envision what the end state should look like and how to initiate the centralization process. Leveraging a deployed IBM Q-Radar installation, the solution involves creating two redundant SOCs to centralize security intelligence and device management operations. These SOCs will work cooperatively, using the best-practice operational models derived from IBM MSS Global SOCs, providing a single, measurable view of security across their global operations.

Solution components:
 IBM Security Services SOC Workshop
 IBM Q-Radar
 IBM Security Services Managed SIEM

Benefits: A centralized operational model allows economies of scale to drive costs down, while improving the effectiveness of the security operations and threat intelligence sharing.
Thank you for your time!

Questions and Answers

Backup Pages
Typical SOC Project Scope

Phases: Consult and Design | Build | Operate | Maintain

SOC Processes
Consult and Design:
• Deliver SOC Workshop
• Perform SOC Maturity Assessment
• Align SOC operations across the enterprise
Build:
• Build Wiki framework for agile documentation approach
• Build new and integrate existing processes and procedures
Operate:
• Implement incident management process
• Continue documentation and update as necessary
• Implement process improvement program
• Drive business through metrics
• Manage risk and compliance
Maintain:
• Perform SOC Maturity Assessment annually
• Maintain and update SOC documentation
• Evaluate, measure and improve processes

SOC People
Consult and Design:
• Deliver SOC Workshop
• Perform SOC Maturity Assessment
Build:
• Identify stakeholders
• Define roles, responsibilities, and job descriptions
• Design staffing models
• Develop training plans
• Help hire the right staff or complement existing teams
Operate:
• Deliver training: on the job, intrusion analysis, and technology solutions
• Analyst coaching
• Develop key organizational linkages
Maintain:
• Maintain dedicated SOC manager and analyst positions
• Continue on-going onboarding and training of new analysts as necessary

SOC Technology
Consult and Design:
• Architect & design SIEM solutions
• Plan use cases
• Map operations to regulatory and business requirements
• Health check
Build:
• Install & configure SIEM solutions
• Establish data feeds
• Implement use cases
• Build content
• Design analyst workstations
• Integrate threat intelligence
Operate:
• Operate and maintain SIEM solutions
• Implement dashboards
• Develop operational and business reports
• Investigate using advanced analytics
• Manage incidents via cases
Maintain:
• Operate and maintain SIEM
• Maintain architecture and product documentation
• Perform health check on SIEM environment at planned intervals
• Perform capacity planning
• Develop steady-state technology costs

Client SOC Capability Transformation
Security Intelligence

Challenge 1: Detecting Threats

Potential botnet detected? This is as far as traditional SIEM can go.
IRC on port 80? IBM Security QRadar QFlow detects a covert channel.
Irrefutable botnet communication: Layer 7 flow data contains botnet command and control instructions.

Application layer flow analysis can detect threats others miss
Challenge 2: Consolidating Data Silos

Analyzing both flow and event data. Only IBM Security QRadar fully utilizes Layer 7 flows.
Reducing big data to manageable volumes: data reduction ratio 1,153,571 : 1
Advanced correlation for analytics across silos

Extensive Data Sources + Deep Intelligence = Exceptionally Accurate and Actionable Insight
Challenge 3: Detecting Insider Fraud

Potential data loss: who? what? where?
Who? An internal user
What? Oracle data
Where? Gmail

Threat detection in the post-perimeter world: user anomaly detection and application level visibility are critical to identify insider threats
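The "who / what / where" pattern on the Challenge 3 slide, written out as a correlation over two log sources. This is an added example, not code from the IBM deck or from QRadar: a database audit trail says who read how much from which table, and Layer 7 flow records say where each workstation sent data afterwards. A read far above the user's own baseline, followed within a short window by a large upload from the same workstation to webmail, becomes one alert. The user names, host names, baseline figures and every log line are constructed for the example.

```python
"""
Added example (not from the IBM deck or QRadar): correlate anomalous database
reads with a subsequent large webmail upload from the same workstation.
All records below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed Oracle-style audit records: timestamp user host statement table rows
DB_AUDIT = """\
2015-03-02T09:12:05 jdoe ws-1042 SELECT customers 43
2015-03-02T09:40:11 asmith ws-0877 SELECT customers 182340
2015-03-02T10:05:30 jdoe ws-1042 SELECT orders 2
2015-03-02T10:20:00 asmith ws-0877 SELECT orders 97
"""

# Constructed Layer 7 flow records: timestamp src_host application bytes_out
FLOWS = """\
2015-03-02T09:13:00 ws-1042 http 12400
2015-03-02T09:47:52 ws-0877 webmail 96500000
2015-03-02T10:06:10 ws-1042 webmail 2200
2015-03-02T10:21:30 ws-0877 webmail 1800
"""

# Constructed per-user baseline: typical rows returned per query (learned elsewhere)
BASELINE_ROWS = {"jdoe": 50, "asmith": 120}


@dataclass
class DbEvent:
    ts: datetime
    user: str
    host: str
    table: str
    rows: int


@dataclass
class Flow:
    ts: datetime
    host: str
    application: str
    bytes_out: int


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_db_audit(text: str) -> list:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, host, _stmt, table, rows = line.split()
            events.append(DbEvent(_ts(ts), user, host, table, int(rows)))
    return events


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, host, app, nbytes = line.split()
            flows.append(Flow(_ts(ts), host, app, int(nbytes)))
    return flows


def correlate(db_events, flows, baseline, window=timedelta(minutes=30),
              factor=10, min_bytes=10_000_000, upload_apps=("webmail",)):
    """Pair reads far above the user's baseline with a large upload from the same host soon after."""
    alerts = []
    for ev in db_events:
        # Per-user anomaly: more than `factor` times this user's usual result size.
        # Users with no baseline are held to a deliberately low bar.
        if ev.rows <= factor * max(baseline.get(ev.user, 0), 1):
            continue
        for fl in flows:
            if fl.host != ev.host or fl.application not in upload_apps:
                continue
            if not (ev.ts <= fl.ts <= ev.ts + window) or fl.bytes_out < min_bytes:
                continue
            alerts.append({"who": ev.user, "what": f"{ev.rows} rows from {ev.table}",
                           "where": fl.application, "host": ev.host,
                           "db_time": ev.ts.isoformat(), "upload_time": fl.ts.isoformat(),
                           "bytes_out": fl.bytes_out})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_db_audit(DB_AUDIT), parse_flows(FLOWS), BASELINE_ROWS):
        print(alert)
```

Only the 182,340-row read by asmith, followed eight minutes later by a 96 MB webmail upload from the same workstation, produces an alert; jdoe's small reads and the later small uploads do not. The two thresholds (the per-user factor and the byte floor) are what keep this from firing on ordinary reporting queries, and both are the kind of tuning the slides above describe as SOC content development.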
Challenge 4: Better Predicting Risks to Your Business

Assess assets with high-risk input manipulation vulnerabilities
Which assets are affected? How should I prioritize them?
What are the details? Vulnerability details, ranked by risk score
How do I remediate the vulnerability?

Pre-exploit security intelligence: monitor the network for configuration and compliance risks, and prioritize them for mitigation
Challenge 5: Addressing Regulatory Mandates

PCI compliance at risk? Real-time detection of a possible violation.
Unencrypted traffic: IBM Security QRadar QFlow saw a cleartext service running on the Accounting server. PCI Requirement 4 states: Encrypt transmission of cardholder data across open, public networks.
A cleartext service on an internal server is a lead, not yet a finding: Requirement 4 applies to cardholder data crossing open, public networks, so the analyst still has to confirm what the service carries and whether that traffic leaves the trusted network before raising a compliance incident.

Compliance simplified: out-of-the-box support for major compliance and regulatory standards; automated reports, pre-defined correlation rules and dashboards
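The Challenge 1 and Challenge 5 slides both rest on the same technique: identifying the application protocol from the payload rather than from the destination port. The example below is added here and is not code from the IBM deck or from QRadar QFlow. It classifies a few constructed client-to-server flows from their first payload bytes and then applies the two checks from those slides: a protocol that does not belong on the port it is using (IRC on 80, the covert channel of Challenge 1) and a cleartext service talking to a host in PCI scope (the Accounting server of Challenge 5). The flow records, addresses, host names, the expected-protocol table and the PCI scope list are all constructed for the example.

```python
"""
Added example (not from the IBM deck or QRadar QFlow): classify flows by
payload instead of port, then flag port/protocol mismatches and cleartext
services reaching PCI-scoped hosts. All inputs are constructed.
"""

# Constructed client->server flows: (src, dst, dst_port, first payload bytes)
FLOWS = [
    ("10.1.5.23", "203.0.113.9", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    ("10.1.5.44", "198.51.100.7", 80, b"NICK bot4412\r\nUSER bot 0 * :bot\r\nJOIN #ops\r\n"),
    ("10.1.9.10", "10.1.20.5", 21, b"USER alice\r\nPASS hunter2\r\n"),
    ("10.1.9.10", "10.1.20.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.1.9.11", "10.1.20.5", 8080, b"POST /upload HTTP/1.1\r\nHost: acct-fs\r\n"),
]

# Constructed asset list: hosts inside the cardholder data environment
PCI_SCOPE = {"10.1.20.5": "acct-fs (Accounting server)"}

# What we expect on a well-known port; anything else is worth an analyst's look
EXPECTED_ON_PORT = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 443: "tls", 6667: "irc"}
CLEARTEXT = {"http", "irc", "ftp", "smtp", "pop3"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
IRC_COMMANDS = (b"NICK ", b"JOIN ", b"PRIVMSG ", b"PONG ")


def classify(payload: bytes) -> str:
    """Return an application label derived from the first bytes a client sent."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"  # TLS record type 22 (handshake), protocol version 3.x
    lines = payload.split(b"\r\n")
    first = lines[0]
    if first.startswith(HTTP_METHODS) and b" HTTP/1." in first:
        return "http"
    if any(line.startswith(IRC_COMMANDS) for line in lines):
        return "irc"  # client registration or channel traffic, whatever the port
    if first.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    if first.startswith(b"USER ") and len(lines) > 1 and lines[1].startswith(b"PASS "):
        # USER/PASS is shared by FTP and POP3; both send the password in clear,
        # which is all the PCI check below needs to know
        return "ftp"
    return "unknown"


def check_flows(flows, pci_scope):
    """Apply the port-mismatch and cleartext-on-PCI-host checks to a list of flows."""
    alerts = []
    for src, dst, dport, payload in flows:
        app = classify(payload)
        expected = EXPECTED_ON_PORT.get(dport)
        # Check 1: a recognised protocol on a port reserved for a different one
        if app != "unknown" and expected is not None and app != expected:
            alerts.append({"type": "protocol-port mismatch", "src": src, "dst": dst,
                           "port": dport, "seen": app, "expected": expected})
        # Check 2: cleartext application traffic reaching a PCI-scoped host
        if dst in pci_scope and app in CLEARTEXT:
            alerts.append({"type": "cleartext service on PCI-scoped host", "src": src,
                           "dst": dst, "port": dport, "seen": app, "asset": pci_scope[dst]})
    return alerts


if __name__ == "__main__":
    for alert in check_flows(FLOWS, PCI_SCOPE):
        print(alert)
```

The IRC registration on port 80 is caught by the first check even though a port-based sensor would log it as web traffic; the FTP login and the HTTP POST to the Accounting server are caught by the second check, while the TLS handshake to the same host is not. Port 8080 has no entry in the expectation table, so the POST there raises only the PCI alert: the two checks are independent, and a real deployment would extend both the signature set and the expectation table rather than rely on this handful of protocols.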
Managed SIEM Service Overview

(Service diagram; the recoverable labels are listed below.)
Operational overview: Compliance Policy, Analysis Rules, Best Practices, Remediation Guidelines
Real-time data sources and expert knowledge feed a dashboard that is monitored closely, with 24x7 incident management
Real-time alert/exception and real-time event/log output from the client-premise SIEM solution feed security investigation & escalation
Client-premise SIEM solution: Real-Time Incident Identification Engine, Compliance Engine, Dashboard and Reporting Engine
Inputs: log data from scheduled log sources
Outputs: incident ticketing, incident reporting, service reporting, compliance reporting, anomaly reporting, custom reporting (anomaly / forensics), raw log access
(Slide © IBM Corporation 2011.)
Project Timeline

(Timeline figure; the recoverable labels are listed below.)
Milestones: Workshop & Roadmap at the start, then 30 days, 3 months, 6 months, 9 months, 1 year
Workstreams: Staff Onboarding & Training; Documented Process; Detailed Support Planning; Governance Model; Communications Plan
Outcomes: SOC achieves 100% Operational Control; Steady State & Ongoing Automation; Ongoing Maturation