Building and Instrumenting the Next-Generation Security Operations Center


Featured Speakers

Moderator: Tim Wilson, Editor in Chief, Dark Reading

Roselle Safran, Co-founder & CEO, Uplevel Security

Chris Petersen, Co-founder, SVP of Customer Care & CTO, LogRhythm

BUILDING AND INSTRUMENTING THE NEXT-GENERATION SECURITY OPERATIONS CENTER

OCTOBER 11TH, 2016

Roselle Safran, Uplevel Security
[email protected]
www.uplevelsecurity.com @uplevelsecurity

BACKGROUND

• DHS/US-CERT
• Uplevel Security
• Ernst & Young
• Executive Office of the President

PURPOSE OF A SECURITY OPERATIONS CENTER (SOC)

A SOC protects the confidentiality, integrity and availability of the organization's information systems and assets.

(figure) The three SOC functions: Prevent, Detect, Respond

NEXT-GENERATION SOC KEY CHARACTERISTICS

A Next-Gen SOC uses a systematic approach to optimize the abilities of its people, the capabilities of its technology, and the structure of its processes to most effectively protect the confidentiality, integrity and availability of the organization's information systems and assets against an increasingly varied, adaptive and sophisticated set of adversaries.

A Next-Gen SOC follows the TRAIL:

• Thoroughly scoped
• Resilient by design
• Automated to streamline
• Intelligence-driven
• Learning continuously

THOROUGHLY SCOPED

• Devised and assembled in a comprehensive and holistic manner

THOROUGHLY SCOPED: PEOPLE

(figure) Tier 1, Tier 2 and Tier 3 analysts; Insider Threat; Other Business Units

THOROUGHLY SCOPED: TECHNOLOGY

(figure) Foundational elements, by SOC function:
• Prevent: Network Traffic Filter, Email Filter, Endpoint Filter, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt
• Detect: Log Management, Network Monitor, Endpoint Monitor, Email Monitor
• Respond: Network Investigate, Endpoint Investigate, Email Investigate, Alert/Case Management
Advanced elements are layered on top of the foundational ones.

THOROUGHLY SCOPED: PROCESSES

(figure) Processes sit alongside People and Tech:
• Policies: IT use, retention, etc.
• Playbooks: prevent, detect, respond, etc.
• Performance metrics: managerial, operational, etc.
• Plans: incident response, business continuity, exercises, etc.

THOROUGHLY SCOPED (summary)

* People
- Analysts (Tiers 1, 2, 3)
- Other business units
- Insider threat

* Technology
- Foundational elements
-- Prevention: email, network traffic, endpoint filter; vulnerability management; inventory management
-- Detection: email, network traffic, endpoint monitor; log management
-- Response: email, network traffic, endpoint investigate; centralized ticket/case management
- Advanced elements layered on top

* Processes
- Define policies (IT use, retention, etc.)
- Define playbooks (prevention, detection, response, etc.)
- Define metrics (managerial, operational, etc.)
- Define plans (incident response, business continuity, exercises, etc.)

RESILIENT BY DESIGN

• Structured to efficiently adapt to new and challenging tactical, operational and strategic situations

RESILIENT BY DESIGN: PEOPLE

(figure) Tier 1, Tier 2 and Tier 3 analysts; Insider Threat; Engineering; Red Team; Other Business Units

RESILIENT BY DESIGN: TECHNOLOGY

(figure) The foundational elements from Thoroughly Scoped, plus advanced elements:
• Respond: Triage, Investigate, Remediate/Mitigate (the full incident response lifecycle)
• Pen Testing; Cloud Filter; Cloud Monitor; Mobile Device Management; Webserver Filter; App/DB Monitor; Phys Sec Monitor
• Hosted "In Cloud"

RESILIENT BY DESIGN: PROCESSES

(figure) Policies, playbooks, performance metrics and plans, run through an Implement, Train, Assess, Update cycle:
• Implement technology
• Train all team members as new tech and info arrive
• Assess playbooks and plans with periodic exercises
• Update playbooks and plans when adding tech and after assessments

RESILIENT BY DESIGN (summary)

* People
- Engineering
- Red Team
- 24x7 or follow the sun

* Technology
- Penetration testing
- Full incident response lifecycle coverage (triage, investigate, remediate/mitigate)
- Private cloud infrastructure
- Modular approach to adding enterprise-specific technology
-- Mobile device management
-- Cloud filter and monitor
-- Webserver filter
-- Application, database monitor
-- Physical security monitor

* Processes
- Train all team members as new tech and info arrive
- Assess playbooks and plans with periodic exercises
- Update playbooks and plans when adding tech and after assessments
- Implement technology

AUTOMATED TO STREAMLINE

• Utilizing machine capabilities in place of human involvement when applicable for productivity gains

AUTOMATED TO STREAMLINE: PEOPLE

(figure) Tier 1, Tier 2 and Tier 3 analysts; Insider Threat; Engineering; Red Team; Hunters; Other Business Units

AUTOMATED TO STREAMLINE: TECHNOLOGY

(figure) Everything from Resilient by Design, plus: Sandbox; Graph Analysis; Playbook Orchestration/Execution; Response Tracking

AUTOMATED TO STREAMLINE: PROCESSES

(figure) The same Implement, Train, Assess, Update cycle, with playbooks now run w/ automation:
• Implement technology
• Train Tier 1 Analysts for new roles
• Assess automation tech periodically
• Update playbooks when adding tech
• Update metrics when adding tech

AUTOMATED TO STREAMLINE (summary)

* People
- Tier 1 roles eliminated
- Tier 1 Analysts move to advanced work
- Hunters

* Technology
- Sandbox
- Graph analysis
- Playbook orchestration and execution
- Response tracking

* Processes
- Train Tier 1 Analysts for new roles
- Assess automation tech periodically
- Update playbooks when adding tech
- Update metrics when adding tech
- Implement technology

INTELLIGENCE-DRIVEN

• Applying relevant, timely and actionable information to the appropriate aspects of operations

INTELLIGENCE-DRIVEN: PEOPLE

(figure) Tier 1, Tier 2 and Tier 3 analysts; Insider Threat; Engineering; Red Team; Hunters; Threat Intel; Other Business Units

INTELLIGENCE-DRIVEN: TECHNOLOGY

(figure) Everything from Automated to Streamline, plus: Threat Intel Management / Scoring / Report Generation

INTELLIGENCE-DRIVEN: PROCESSES

(figure) The same Implement, Train, Assess, Update cycle; playbooks are now marked w/ automation and w/ intel, and intel data (+ data) feeds the performance metrics:
• Implement technology
• Train TI analysts on gathering intel, rest of team on using TI
• Assess feeds and sources periodically
• Update playbooks and plans to include intel and info sharing programs

INTELLIGENCE-DRIVEN (summary)

* People
- Threat Intelligence Analysts

* Technology
- Threat intel management
- Threat intel feed scoring/filtering/prioritizing
- Threat intel report generation

* Processes
- Train TI analysts on gathering intel, rest of team on using TI
- Assess feeds and sources periodically
- Update playbooks and plans to include intel and info sharing programs
- Implement technology
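The playbook orchestration and response tracking called for under Automated to Streamline, and the feed scoring, filtering and prioritizing called for here under Intelligence-Driven, fit together in one small pipeline. The following is an added example written for this page, not code from the webinar, Uplevel Security or LogRhythm; the feed names and confidence weights, the 30-day half-life, the indicator and alert records, the asset criticality scale and the decision thresholds are all constructed assumptions:

```python
"""Added example: threat-intel scoring feeding an automated triage playbook.

Everything below (feed names, confidence weights, indicators, alerts and
thresholds) is constructed for illustration and is not vendor code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Confidence the SOC assigns to each feed (assumed values).
FEED_CONFIDENCE = {"vendor_a": 0.9, "osint_blocklist": 0.5, "internal_ir": 1.0}
NOW = datetime(2016, 10, 11, 12, 0, 0)   # fixed "now" so the example is reproducible
HALF_LIFE_DAYS = 30.0                     # an indicator's score halves every 30 days


@dataclass
class Indicator:
    value: str
    feed: str
    first_seen: datetime
    tags: tuple


# Constructed intel store: the same IP sits in a stale OSINT list and a fresh vendor feed.
INDICATORS = [
    Indicator("203.0.113.7", "osint_blocklist", NOW - timedelta(days=400), ("scanner",)),
    Indicator("203.0.113.7", "vendor_a", NOW - timedelta(days=3), ("c2",)),
    Indicator("198.51.100.200", "osint_blocklist", NOW - timedelta(days=10), ("scanner",)),
    Indicator("evil.example", "internal_ir", NOW - timedelta(days=1), ("c2", "apt")),
]


def score_indicator(ind, now=NOW):
    """Feed confidence decayed by age, so old entries fade instead of alerting forever."""
    age_days = (now - ind.first_seen).days
    return FEED_CONFIDENCE[ind.feed] * 0.5 ** (age_days / HALF_LIFE_DAYS)


def lookup(value, now=NOW):
    """Highest score across all feeds that know this value, plus the union of their tags."""
    hits = [i for i in INDICATORS if i.value == value]
    if not hits:
        return 0.0, set()
    return max(score_indicator(h, now) for h in hits), set().union(*(h.tags for h in hits))


@dataclass
class Alert:
    id: str
    src_host: str
    dst: str                # IP or domain the host contacted
    asset_criticality: int  # 1 (low) .. 3 (high), from inventory management


@dataclass
class CaseRecord:
    alert_id: str
    decision: str = ""      # "auto_close" | "tier2" | "tier3"
    risk: float = 0.0
    tags: set = field(default_factory=set)
    actions: list = field(default_factory=list)   # response tracking: every step the playbook took


def triage(alert, now=NOW):
    """Playbook: enrich -> score -> decide -> record, replacing manual Tier 1 triage."""
    rec = CaseRecord(alert.id)
    score, tags = lookup(alert.dst, now)
    rec.actions.append(f"enrich:{alert.dst}:score={score:.2f}")
    rec.risk, rec.tags = score * alert.asset_criticality, tags
    if score == 0.0 or rec.risk < 0.3:
        rec.decision = "auto_close"           # no credible intel: close, but keep the record
    elif "c2" in tags or rec.risk >= 2.0:
        rec.decision = "tier3"                # confirmed C2 or high-value asset: contain first
        rec.actions.append(f"contain:isolate_host:{alert.src_host}")
    else:
        rec.decision = "tier2"                # credible but unconfirmed: human investigation
    rec.actions.append(f"case:{rec.decision}")
    return rec


def run_playbook(alerts, now=NOW):
    return [triage(a, now) for a in alerts]


# Constructed alerts from a hypothetical network monitor.
ALERTS = [
    Alert("A1", "ws-01", "192.0.2.44", 1),       # no intel at all
    Alert("A2", "ws-02", "203.0.113.7", 1),      # fresh vendor C2 hit
    Alert("A3", "ws-03", "198.51.100.200", 2),   # ten-day-old scanner entry
    Alert("A4", "db-01", "evil.example", 3),     # IR-confirmed C2 on a critical asset
]

if __name__ == "__main__":
    for rec in run_playbook(ALERTS):
        print(rec.alert_id, rec.decision, round(rec.risk, 2), rec.actions)
```

Recording every action on the case record is the response-tracking piece: when a Tier 2 or Tier 3 analyst picks the case up they can see what the automation already did, and the same records are what the "update metrics when adding tech" step measures. The age decay is what keeps a 400-day-old blocklist entry from outranking a three-day-old vendor sighting of the same address, which is the practical meaning of scoring and prioritizing a feed rather than just matching against it.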

LEARNING CONTINUOUSLY

• Applying and expanding institutional knowledge in a constant feedback loop

LEARNING CONTINUOUSLY: PEOPLE

(figure) Tier 1, Tier 2 and Tier 3 analysts; Insider Threat; Engineering; Red Team; Hunters; Threat Intel; Internal Auditors; Innovation; Other Business Units

LEARNING CONTINUOUSLY: TECHNOLOGY

(figure) Everything from Intelligence-Driven, plus: Machine Learning; Baselining; Anomaly Identification; Heuristic Analysis; Predictive Analytics

LEARNING CONTINUOUSLY: PROCESSES

(figure) The same Implement, Train, Assess, Update cycle over policies, playbooks (w/ automation, w/ intel), performance metrics (+ data) and plans:
• Implement technology
• Train all team members
• Assess and fine tune products regularly
• Update playbooks based on new learnings

LEARNING CONTINUOUSLY (summary)

* People
- Innovation
- Internal auditors

* Technology
- Baselining
- Anomaly identification
- Heuristic analysis
- Machine learning
- Predictive analytics

* Processes
- Train all team members
- Assess and fine tune products regularly
- Update playbooks based on new learnings
- Implement technology
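Baselining and anomaly identification, two of the technologies listed above, can be shown in a few lines. This is an added example, not code from the webinar or from either vendor; the per-host daily outbound-byte totals, the seven-day minimum history and the 3.5 threshold are constructed assumptions:

```python
"""Added example: per-host baselining and anomaly identification.

Daily outbound-byte totals per host are constructed for illustration;
the thresholds are assumptions, not a vendor's tuned values."""
from statistics import median

MIN_HISTORY = 7     # days of history needed before a host is baselined
THRESHOLD = 3.5     # robust z-score above which today's value is flagged


def robust_zscore(history, value):
    """Median/MAD z-score (0.6745 scales MAD to roughly sigma for normal data).
    Returns None when there is too little history to baseline."""
    if len(history) < MIN_HISTORY:
        return None
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # A flat history (a server that sends the same bytes every day) would
        # divide by zero; floor the spread so only a real change scores high.
        mad = max(0.01 * med, 1.0)
    return 0.6745 * (value - med) / mad


def find_anomalies(baselines, today):
    """baselines: {host: [bytes per past day]}, today: {host: bytes}.
    Returns (anomalies, unscored): anomalies are (host, z) pairs above
    THRESHOLD; unscored lists hosts whose history is too short to judge."""
    anomalies, unscored = [], []
    for host, value in today.items():
        z = robust_zscore(baselines.get(host, []), value)
        if z is None:
            unscored.append(host)
        elif z > THRESHOLD:
            anomalies.append((host, round(z, 1)))
    return sorted(anomalies), sorted(unscored)


# Constructed 14-day history and one new day of outbound bytes per host.
BASELINES = {
    "ws-01": [1.2e6, 1.1e6, 1.3e6, 0.9e6, 1.0e6, 1.4e6, 1.2e6,
              1.1e6, 1.0e6, 1.3e6, 1.2e6, 0.8e6, 1.1e6, 1.2e6],
    "db-01": [5.0e7] * 14,        # perfectly flat: MAD is zero
    "ws-new": [2.0e6, 2.1e6],     # two days old: not enough history
}
TODAY = {"ws-01": 9.5e6, "db-01": 5.02e7, "ws-new": 4.0e7}

if __name__ == "__main__":
    flagged, skipped = find_anomalies(BASELINES, TODAY)
    print("anomalous:", flagged)        # ws-01 sent about 8x its usual volume
    print("no baseline yet:", skipped)
```

Median and MAD are used instead of mean and standard deviation so that one unusual day already in the history does not inflate the spread and mask the next one. The two failure modes a practitioner hits first are handled explicitly: a host with a perfectly flat history would otherwise divide by zero, and a host with only a day or two of data is reported as unscored rather than either alerted on or silently passed, which is exactly the kind of feedback the "assess and fine tune products regularly" step needs.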

THANK YOU!

Roselle Safran, Uplevel Security
[email protected]

Company Confidential

Data Breaches Can Be Avoided

Cyber attack lifecycle (figure): Recon. and Planning → Initial Compromise → Command and Control → Lateral Movement → Target Attainment → Exfiltration, Corruption, Disruption

Advanced threats take their time and leverage the holistic attack surface.

Early neutralization stops cyber incidents and data breaches.


Vigilance Requires Visibility at Every Vector

Holistic Attack Surface (figure): each phase of the attack lifecycle touches some combination of the User, Network and Endpoint vectors, so all three need visibility.


Faster Detection & Response Reduces Risk

(figure) MTTD & MTTR plotted on a scale from Months, Weeks, Days and Hours down to Minutes: High Vulnerability / Exposed to Threats at the slow end, Low Vulnerability / Resilient to Threats at the fast end.

MEAN TIME-TO-DETECT (MTTD): The average time it takes to recognize a threat requiring further analysis and response efforts

MEAN TIME-TO-RESPOND (MTTR): The average time it takes to respond and ultimately resolve the incident

As organizations improve their ability to quickly detect and respond to threats, the risk of experiencing a damaging breach is greatly reduced.
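The two definitions above are averages over incident records, and how open incidents are handled changes the number. The following added example (not LogRhythm's code; the incident fields and the three records are constructed for illustration) computes both metrics and places them on the slide's Minutes-to-Months scale:

```python
"""Added example: MTTD and MTTR computed from constructed incident records.

Field names and the incidents themselves are assumptions for illustration,
not LogRhythm's schema or data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Incident:
    id: str
    first_activity: datetime      # earliest evidence of the threat, established by investigation
    detected: datetime            # when the SOC recognized it needed analysis and response
    resolved: Optional[datetime]  # None while the incident is still open


def _mean(deltas):
    """Average of timedeltas; None when there is nothing to average."""
    return sum(deltas, timedelta()) / len(deltas) if deltas else None


def mttd(incidents):
    """Mean time-to-detect: detection minus first malicious activity, over all incidents."""
    return _mean([i.detected - i.first_activity for i in incidents])


def mttr(incidents):
    """Mean time-to-respond: resolution minus detection, over closed incidents only.
    Open incidents are excluded rather than counted as zero, which would flatter the metric."""
    return _mean([i.resolved - i.detected for i in incidents if i.resolved is not None])


def bucket(delta):
    """Place a duration on the slide's scale: Minutes, Hours, Days, Weeks, Months."""
    if delta is None:
        return "n/a"
    hours = delta.total_seconds() / 3600
    if hours < 1:
        return "Minutes"
    if hours < 24:
        return "Hours"
    if hours < 24 * 7:
        return "Days"
    if hours < 24 * 30:
        return "Weeks"
    return "Months"


def summarize(incidents):
    d, r = mttd(incidents), mttr(incidents)
    return {
        "mttd": d, "mttd_bucket": bucket(d),
        "mttr": r, "mttr_bucket": bucket(r),
        "open": sum(1 for i in incidents if i.resolved is None),
    }


# Constructed incident records for one month.
T = datetime(2016, 10, 1)
INCIDENTS = [
    Incident("INC-1", T, T + timedelta(days=2), T + timedelta(days=2, hours=6)),
    Incident("INC-2", T + timedelta(days=5), T + timedelta(days=5, hours=3), T + timedelta(days=6)),
    Incident("INC-3", T + timedelta(days=8), T + timedelta(days=20), None),   # still open
]

if __name__ == "__main__":
    s = summarize(INCIDENTS)
    print(f"MTTD {s['mttd']} ({s['mttd_bucket']}), MTTR {s['mttr']} ({s['mttr_bucket']}), open: {s['open']}")
```

MTTR is taken only over closed incidents; counting an open incident as zero response time, or measuring from first activity instead of from detection, are the two easiest ways to make the figure look better than it is. MTTD, by contrast, needs the first-activity timestamp that only a completed investigation produces, so it is always a retrospective number.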


Security Intelligence & Analytics Platform: Threat Lifecycle Management

Time to Detect
• Collect & Generate: forensic sensor data, security event data, log & machine data (example sources)
• Detect & Prioritize: machine analytics and search analytics
• Qualify: assess threat to determine risk and whether full investigation is necessary

Time to Respond
• Investigate: analyze threat to determine nature and extent of the incident
• Neutralize: implement countermeasures to mitigate threat
• Recover: cleanup, report, review, adapt


LogRhythm Security Intelligence Maturity Model: Delivering a Path to Success

Security Intelligence Maturity Levels:
• Level 0: Blind
• Level 1: Minimally Compliant
• Level 2: Securely Compliant
• Level 3: Vigilant
• Level 4: Resilient

(figure) MTTD and MTTR timeframe (Months, Weeks, Days, Hours, Minutes) falling from Level 0 to Level 4: Exposed to Threats at Level 0, Resilient to Threats at Level 4.

Greater threat resiliency is achieved at higher levels of security intelligence maturity.

Questions? Submit questions to the presenters via the on-screen text box


Thank you for attending

Please visit our sponsor and any of the resources below:

Upcoming Events:

• http://darkreading.com/webinar_upcoming.asp

Additional Resources:

• http://www.logrhythm.com/solutions/security/soc-platform/

• https://logrhythm.com/pdfs/whitepapers/lr-security-intelligence-maturity-model-ciso-whitepaper.pdf