Draft – Preliminary Work Product
Telstra Enterprise and Government
Version 1.2
Telstra Security Operations Centre (T-SOC)
QuestNet
Andy Solterbeck
September 2009
Security Context
• Major security themes:
- Frequency, size and duration of attacks are increasing
- Attacks are being mounted from all layers of the network
- Attacks from outsiders are increasing as a percentage of all attacks
- Attacks from organised crime now form the majority of attacks
• Security incidents have significant consequences:
- Damage to reputation and brand
- Loss of stakeholder confidence
- Loss of revenues
- Loss of customers
- Regulatory action/sanction
- Litigation/legal action
• Within the last 6 weeks more than 12 organisations have been under attack
Telstra has the Capability to Deliver a Unique Value Proposition
Target market value drivers:
1. Ensure business continuity
2. Realise ROI in security (including opportunity cost of capital)
3. Business risk mitigation: compliance, brand, shareholder price
Target market capability requirements:
1. Recognise threats quickly and accurately
2. Rapidly respond with the right solution to prevent and to recover
3. Demonstrate that the investment in security precautions reflects the risk profile of my enterprise
TSOC
• View Security Events (core and customer)
• People (Cleared)
• Process (DSD Approved)
• Tool (End to End Visibility, Portal)
• Business Case in Development
Highly Secure Network
• Encrypted Overlay (Service)
• People (Cleared)
• Process (DSD Approved)
• Tools (Project Enterprise)
• Business Case in Development
Secure Services
• Secure Gateways, UC & Voice
• Requires Data Centre Facility (T4)
• People (Cleared)
• Process (DSD Approved)
• Tools (Cisco/EMC/RSA/VMWare)
• Secure TIPT
Better AE Engagement, Marketing Engagement, Project Enterprise
See http://www.in.telstra.com.au/ism/enterpriseandgovernmentsales/security.asp
Security considerations: Visibility, Capacity, Capability, Certification
Security Consideration: Capacity
• Telstra maintains 100% physically separate Internet and Private IP networks:
- Significant events on one network are isolated from the other logically and physically.
- Corporate traffic is physically separated from the Internet.
• Capacity is maintained in both networks at a level exceeding all other Australian providers, allowing Telstra to manage extreme traffic events without customer interruption:
- An Internet-based DoS attack is isolated from critical business traffic.
Even an attack of unprecedented scale on Telstra infrastructure would not affect traffic within the private IP network (branch, call centre, corporate).
[Diagram: a Large Attack in the Internet/IP Core is removed by Internet Cleaning while Good Traffic continues; Corporate IP Voice and Corporate IP Data are carried separately. Labels: Telstra Next IP, Optus.]
Security Consideration: Visibility
• Telstra gathers detailed telemetry from all layers and devices in our networks to understand emerging threats and challenges. All data is integrated into Telstra Security Operations Centre monitoring.
• Telstra engages in a worldwide security community, enabling the engagement of global peers in the mitigation of security incidents and the gathering of intelligence where required.
• To fully protect the customer, the service provider must have end-to-end visibility of all circuits that carry ANZ traffic. Any handoff to an alternate carrier's network is a vulnerability.
[Diagram: network layers Physical, Data Link, Network and Transport, shown for Telstra and for Optus; Telstra monitors and manages all layers, while the Optus "Monitor & Manage" column shows a Gap.]
Telstra provides visibility at all network layers, ensuring attacks are dealt with regardless of origin.
Security Consideration: Capability Core
• The Telstra Security Operations Centre provides 24/7 monitoring across Telstra infrastructure using state-of-the-art correlation tools and processes, all within an ASIO T4 certified centre.
• Any issues are escalated to the Telstra Computer Emergency Response Team (T-CERT), a dedicated security team that manages incidents.
• T-CERT engages any required resources from all operational and SME teams to investigate, mitigate and resolve any identified issue.
• T-CERT engages Telstra's Network Hardening Teams to review the incident, quantify the lessons learned from the incident and protect all other Telstra environments against similar classes of attack vector.
Security Consideration: Certification
• Independent verification and validation of security capability allows ANZ to more quickly and easily meet regulatory compliance requirements
• Regulations:
• Why Telstra is uniquely capable of handling this requirement:
- Telstra has achieved ISO 27001 on its IPMAN, IPWAN and IPWireless
- Telstra has achieved T4 certification of the NPC facilities
- Telstra has Secret cleared staff in the Network Protection Centre
- Telstra has DSD approved Secure Gateways infrastructure to meet the security requirements of Commonwealth customers
Telstra can assist in meeting ANZ's network-centric regulatory compliance requirements to decrease the risk and cost of compliance.
Security Consideration: Governance
• Telstra takes security seriously and is organised to ensure that it is central to all capability development
- Executive Steering Committee: overall governance: Group Managing Directors, CFO, Head of Corporate Security, CTO, CIO
- Security Working Group: Executive Directors, Directors, SMEs; manages all security programs across the company
- Security Centre of Excellence: internal and external security consulting; engaged with all large customers
- Network Security: General Manager Network manages all aspects of Network and Internal Security
- Enterprise & Government Security Services: Director Security Services manages all customer-facing security capabilities
- Security Customer Advisory Group: CSOs from key accounts meet to discuss key issues; Telstra sets out plans and issues for discussion
Telstra has more than 350 dedicated security personnel
Offerings
Security Consulting
• Policy, frameworks and strategy
• Risk Management
• Security auditing & assurance
• Business continuity planning
• Security architecture & design
• Certifications (eg to ISO 27001)
Network Based Security Solutions
• Internet Gateways
• Extranet Gateways
• Internet protection (mail & web protect & control)
• Remote Working
• Denial of Service Protection
Managed Security Solutions
• Managed Firewall
• Managed Intrusion Protection
• Managed Antivirus & Content Security
• Vulnerability Management
Security Certified IP Networking Products
• IPWAN
• IPMAN
• IPWireless
• All certified to ISO 27001 security standard
Security Solutions - Service Management (SIEM)
[Diagram: Single View of Customer Security Posture; Additional Security Services; Operate the Network Securely]
Security Service Management
Key features:
• Collects, analyses, stores and reports on event data and log information from heterogeneous devices, systems and applications throughout an enterprise's ICT infrastructure
Value Proposition:
• Reduce risk of network downtime or data loss due to security incidents
• Achieve this without requiring complex technology or specialist expertise
Differentiators:
• Includes information from network based services
• Network delivered
• Integrated view
[Diagram: Service Interface (Portal + Service Desk); Intelligent Analysis; Policy Manager; Information Sources: Customer Network, Core Network, Customer End Points/Devices; Customer]
T-SOC Program Overview
The T-SOC will deliver the following streams of work:
• Secure Service Management Facility – the building of ASIO T4 accredited facilities in Canberra and Sydney
- The building of a primary T4 staff facility in Canberra replacing the Don Gray T4 people facility. This will provide flight deck space for the TSOC as well as workspace for staff supporting Government security accredited products – Managed Security, Secure MNS, Secure TIPT, Secure UC etc.
- The building of a secondary T4 staff facility in Elizabeth St Sydney as a disaster recovery site for the T-SOC monitoring staff
• Toolset (predominantly delivered by "Project Enterprise") – this project is to deliver all the necessary tools required to operate the T-SOC, e.g. SIEM and scanners. Ticketing, problem and change will be delivered by standard tools.
• People, Process and Roles, Responsibilities (PPRR) – this project will deliver all the documentation required to operate the T-SOC.
• Web Portal (leveraging the TE&G Customer Portal) – this project will provide the web presence for the T-SOC. The Web Portal will be the primary interface with customers, providing reporting (security, problem and change management, etc.), Security Bulletins, Threat Landscape, etc.
Commercial in Confidence – Version 1.0
What would a T-SOC Look Like?
[Diagram: Unified Service Desk; Netview/Infovista correlation engine; Network Monitoring; Network Operations (CNO & EO); Security Monitoring; Security Operations (CNO & EO); CERT Team; MNOC; NOC; SOC; Portal]
• CERT team has a small number of FTE – virtual resources drawn in from OPS and PS as needed for incidents
• Over time this could merge with Network OPS as skill and technology develops
• All device up/down and generic health monitoring done here for Network and Security devices
• Shared, multi-tenanted tool. This will take log feeds from devices under shared management or dedicated
• In addition to raw security logs from devices, relevant events from the network monitoring tools will be fed into the correlation engine
• All ticketing performed and managed by the unified service desk
• Monitor security events from logs and the correlation engine as well as announced vulnerabilities and patches
Function of the T-SOC?
• In real time, manage and monitor firewalls, intrusion detection and prevention systems, DDoS mitigation systems, anti-x solutions, patch updates, endpoint assets and other security products.
• Analyse security log data, vulnerability information, asset information and alerts
• Immediately respond to potential security threats and quickly resolve security problems
• Offer real-time views of the customers' security postures
• Defend customers against emerging network attacks
• Protect customers' technology investments
What are the benefits of a T-SOC
• Effectively deal with Security Incidents
The T-SOC would give customers the ability to move from a reactionary posture to one of preparedness. Rather than scrambling to respond to a security breach, the T-SOC would have well-established processes to follow, to move fast and effectively to isolate, contain and defuse the threat.
• Reduces Risks to Customers
The T-SOC will enable customers to minimise security-related network downtime. By keeping pace with evolving threats, the T-SOC will better protect customers' data traffic from loss or manipulation.
• Improves Security Response
The T-SOC systematically analyses potential reasons for traffic abnormalities and appropriately escalates the events. By moving quickly, the T-SOC can deal with security incidents in minutes – not hours or days – greatly lessening potential disruption to customers' critical services and business processes.
• Enhances Operational Efficiency
By defining security rules and policies, the T-SOC specialists will be able to quickly identify threats and apply remedies to customer sites at risk before network attacks hit them.
• Comply with Regulations
Customers often need to comply with regulations and policies governing the use, protection or privacy of information. Customers can use reports that the T-SOC can generate to help adhere to these regulations and policies, including the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the data-security storage requirements associated with the payment card industry.
TSOC Solution Architecture
[Diagram: TSOC solution architecture in three layers (Collection Layer, Processing Layer, Display Layer). Components shown: Omnibus Object Servers, Impact, PE-Netcool Probes, ISM Probes, PE – NSA Cache, PE – Infovista (Vista Servers, Vista Discovery, VistaMart, VistaPortal, VistaBridge), PE – Config Provisioning App, PE – CMI BOSS, PE – Repository, PE – BO Reporting, PE – Correlation Engine (RCA Rules, Rules Config UI, Alert Publisher, Alert Transient Store, Alert Processor, Netcool Alarm Forwarder, Ops State Monitor), EM7, Cisco CUOM, Security Appliance, CMI (or EDN), Cisco CallManager, Cisco Unity, Telepresence, Syslog-NG, Webtop Server, TE&G Portal (IV Reports, SIIAM, CNS-DI), Siteminder single sign-on, LDAP integration, ACS user authentication, legacy applications via HTTP links embedded in the TE&G Portal. Flows shown: SNMP v3 and PEIL (PE-ROSMAP) from customer networks; (1) ICMP/SNMP ping requests; (2) SNMP traps for non-EMS managed devices (switches & routers); CPE device configs; IV polling, discovery and seeding; inventory feed and inventory/eligibility; enrichment data & seeding to ISM; performance metrics from EMS (csv files); syslog; correlation requests initiated via Impact; escalation to Interdomain RCA and ticketable alarms; alarms/events (view/update); trouble ticketing, customer incident & notifications; ticket creation/update; discovery & reconciliation; manual provisioning for EM7 and CUOM. Notes: leverages components in the Cisco ROS Solution; user authentication for CPE will be done via ACS.]
TSOC Solution Architecture Detail
[Diagram: NetForensics; zone legend: Managed DMZ, Secure Administration, External to company, Internal to company, increased trust into company; a marker denotes a security device. Source: Keith Price]
Security Zone Model
[Diagram: External Uncontrolled (Internet and wireless) and External Controlled (business partners) zones connect through a DMZ and a DMZ for Service Presentation to Business Applications, Secure Data Storage and Internal Users and Systems.]
Manage the whole DMZ environment
Key features:
• Security focused management of devices located in a DMZ (eg web content security, proxies, load balancers, VPN concentrators etc)
• Customer site or Telstra hosted
Value Proposition:
• 24x7 service without the cost
• Specialist expertise
Specific Differentiators:
• Single Provider
• Linked to internet delivered features (eg DOSP, Content Security)
End Point Security
Key features:
• Prevent non-compliant devices from connecting to a customer network
• Secure the end-point device itself (eg antivirus, firewall, intrusion prevention)
• All with centralised policy control and reporting
Value Proposition:
• Reduced threat from uncontrolled devices
• Controlled and managed from within the customer network
• 24x7 service without the cost
• Ensure policy compliance
Specific Differentiators:
• Network delivered (phase 2)
• Integrated view
[Diagram: Customer Network and The Internet; prevent high risk devices from connecting to the network; protect end-point devices]
Secure Managed Network Services
Key features:
Overlays on MNS for:
• Secure Wireless LAN: who has access for what purposes
• Encryption over MNS networks
• Log Management on network devices
Value Proposition:
• Option for high security features to meet end-to-end compliance requirements (eg PCI, finance industry)
Specific Differentiators:
• Network integrated & managed
• Integrated view
[Diagram: Customer Network; control who has wireless access for what purpose; encrypt traffic from the edge router & manage security relevant log data]