Page 1: Telstra Security Operations Centre (T-SOC)

Draft – Preliminary Work Product

Telstra Enterprise and Government

Telstra Security Operations Centre (T-SOC)

Version 1.2

QuestNet

Andy Solterbeck

September 2009

Page 2: Security Context

• Major Security Themes:
- Frequency, size and duration of attacks are increasing
- Attacks are being mounted from all layers of the network
- Attacks from outsiders are increasing as a percentage of all attacks
- Attacks from organised crime now form the majority of attacks

• Security incidents have significant consequences:
- Damage to reputation and brand
- Loss of stakeholder confidence
- Loss of revenues
- Loss of customers
- Regulatory action/sanction
- Litigation/legal action

• Within the last 6 weeks more than 12 organisations have been under attack

Page 3: Telstra has the Capability to Deliver a Unique Value Proposition

Target market value drivers:
1. Ensure business continuity
2. Realise ROI in security (including opportunity cost of capital)
3. Business risk mitigation: compliance, brand, shareholder price

Target market capability requirements:
1. Recognise threats quickly and accurately
2. Rapidly respond with the right solution to prevent and to recover
3. Demonstrate that the investment in security precautions reflects the risk profile of my enterprise

Telstra capabilities (Visibility, Capacity, Capability, Certification):

TSOC
- View security events: core and customer
- People (cleared)
- Process (DSD approved)
- Tool (end-to-end visibility, portal)
- Business case in development

Highly Secure Network
- Encrypted overlay (service)
- People (cleared)
- Process (DSD approved)
- Tools (Project Enterprise)
- Business case in development

Secure Services
- Secure gateways, UC & voice
- Requires data centre facility (T4)
- People (cleared)
- Process (DSD approved)
- Tools (Cisco/EMC/RSA/VMware)
- Secure TIPT

Enablers: Better AE Engagement / Marketing Engagement / Project Enterprise

See http://www.in.telstra.com.au/ism/enterpriseandgovernmentsales/security.asp

Page 4: Security Consideration: Capacity

• Telstra maintains 100% physically separate Internet and Private IP networks:
- Significant events on one network are isolated from the other, logically and physically.
- Corporate (Private IP) traffic is physically separated from the Internet.

• Capacity is maintained in both networks at a level exceeding all other Australian providers, allowing Telstra to manage extreme traffic events without customer interruption:
- An Internet-based DoS attack is isolated from critical business traffic.
- Even an attack of unprecedented scale on Telstra's Internet infrastructure would not affect traffic within the Private IP network (branch, call centre, corporate).

[Diagram comparing Telstra Next IP with Optus. Labels: Internet Cleaning, Large Attack, Internet/IP Core, Good Traffic, Corporate IP Voice, Corporate IP Data. On the Telstra side the large attack is cleaned in the Internet/IP core and only good traffic reaches the corporate IP voice and data networks.]

Page 5: Security Consideration: Visibility

• Telstra gathers detailed telemetry from all layers and devices in its networks to understand emerging threats and challenges. All data is integrated into Telstra Security Operations Centre monitoring.

• Telstra engages in a worldwide security community, enabling the engagement of global peers in the mitigation of security incidents and the gathering of intelligence where required.

• To fully protect the customer, the service provider must have end-to-end visibility of all circuits that carry ANZ traffic. Any handoff to an alternate carrier network is a gap in that visibility and therefore a vulnerability.

[Diagram: the layers Physical, Data Link, Network and Transport shown for Telstra and, separately, for Optus (Monitor & Manager), with a Gap marked between the two.]

Telstra provides visibility at all network layers, ensuring attacks are dealt with regardless of origin.

Page 6: Security Consideration: Capability Core

• The Telstra Security Operations Centre provides 24/7 monitoring across Telstra infrastructure using state-of-the-art correlation tools and processes, all within an ASIO T4 certified centre.

• Any issues are escalated to the Telstra Computer Emergency Response Team (T-CERT), a dedicated security team that manages incidents.

• T-CERT engages any required resources from all operational and SME teams to investigate, mitigate and resolve any identified issue.

• T-CERT engages Telstra's Network Hardening Teams to review the incident, capture the lessons learned and protect all other Telstra environments against the same class of attack vector.

Page 7: Security Consideration: Certification

• Independent verification and validation of security capability allows ANZ to meet regulatory compliance requirements more quickly and easily

• Regulations:

• Why Telstra is uniquely capable of handling this requirement:
- Telstra has achieved ISO 27001 on its IPMAN, IPWAN and IPWireless products
- Telstra has achieved T4 certification of the NPC facilities
- Telstra has Secret-cleared staff in the Network Protection Centre
- Telstra has DSD-approved Secure Gateway infrastructure to meet the security requirements of Commonwealth customers

Telstra can assist in meeting ANZ's network-centric regulatory compliance requirements to decrease the risk and cost of compliance.

Page 8: Security Consideration: Governance

• Telstra takes security seriously and is organised to ensure that it is central to all capability development

- Executive Steering Committee: overall governance: Group Managing Directors, CFO, Head of Corporate Security, CTO, CIO
- Security Working Group: Executive Directors, Directors, SMEs: manages all security programs across the company
- Security Centre of Excellence: internal and external security consulting; engaged with all large customers
- Network Security: General Manager Network manages all aspects of network and internal security
- Enterprise & Government Security Services: Director Security Services manages all customer-facing security capabilities
- Security Customer Advisory Group: CSOs from key accounts meet to discuss key issues; Telstra sets out plans and issues for discussion

Telstra has more than 350 dedicated security personnel

Page 9: Offerings

Security Consulting
• Policy, frameworks and strategy
• Risk management
• Security auditing & assurance
• Business continuity
• Security architecture & design
• Certifications

Network Based Security Solutions
• Internet Gateways
• Extranet Gateways
• Internet protection (mail & web protect & control)
• Remote Working
• Denial of Service Protection

Managed Security Solutions
• Managed Firewall
• Managed Intrusion Protection
• Managed Antivirus & Content Security
• Vulnerability Management

Security Certified IP Networking Products
• IPWAN
• IPMAN
• IPWireless
• All certified to the ISO 27001 security standard

Security Solutions - Service Management (SIEM): single view of customer security posture

Additional Security Services

Operate the Network Securely

Page 10: Security Service Management

Key features:
• Collects, analyses, stores and reports on event data and log information from heterogeneous devices, systems and applications throughout an enterprise's ICT infrastructure

Value proposition:
• Reduce the risk of network downtime or data loss due to security incidents
• Achieve this without requiring complex technology or specialist expertise

Differentiators:
• Includes information from network-based services
• Network delivered
• Integrated view

[Offerings panel repeated from Page 9: Security Consulting (policy, frameworks and strategy; risk management; security auditing & assurance; business continuity planning; security architecture & design; certifications, e.g. to ISO 27001), Network Based Security Solutions, Managed Security Solutions, Security Certified IP Networking Products (IPWAN, IPMAN, IPWireless, all certified to ISO 27001), Security Service Management (SIEM): single view of customer security posture.]

[Diagram: Service Interface (Portal + Service Desk); Policy Manager; Intelligent Analysis; Information Sources drawn from the Customer Network, the Core Network and Customer End Points/Devices; delivered to the Customer.]

Page 11: T-SOC Program Overview

The T-SOC will deliver the following streams of work:

• Secure Service Management Facility: the building of ASIO T4 accredited facilities in Canberra and Sydney
- The building of a primary T4 staff facility in Canberra, replacing the Don Gray T4 people facility. This will provide flight-deck space for the T-SOC as well as workspace for staff supporting Government security-accredited products (Managed Security, Secure MNS, Secure TIPT, Secure UC, etc.).
- The building of a secondary T4 staff facility in Elizabeth St, Sydney, as a disaster recovery site for the T-SOC monitoring staff.

• Toolset (predominantly delivered by "Project Enterprise"): this project is to deliver all the tools required to operate the T-SOC, e.g. SIEM and scanners. Ticketing, problem and change management will be delivered by standard tools.

• People, Process and Roles, Responsibilities (PPRR): this project will deliver all the documentation required to operate the T-SOC.

• Web Portal (leveraging the TE&G Customer Portal): this project will provide the web presence for the T-SOC. The Web Portal will be the primary interface with customers, providing reporting (security, problem and change management, etc.), security bulletins, threat landscape, etc.

Page 12: What would a T-SOC Look Like?

Commercial in Confidence – Version 1.0

[Diagram: Unified Service Desk; Netview/Infovista correlation engine; Network Monitoring; Network Operations (CNO & EO); Security Monitoring; Security Operations (CNO & EO); CERT Team; MNOC; NOC; SOC; Portal.]

- CERT team has a small number of FTE; virtual resources are drawn in from Ops and PS as needed for incidents
- Over time this could merge with Network Ops as skills and technology develop
- All device up/down and generic health monitoring is done here for network and security devices
- Shared, multi-tenanted tool. This will take log feeds from devices under shared or dedicated management
- In addition to raw security logs from devices, relevant events from the network monitoring tools will be fed into the correlation engine
- All ticketing is performed and managed by the unified service desk
- Monitor security events from logs and the correlation engine, as well as announced vulnerabilities and patches
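To make concrete what the correlation engine on this slide, and the Security Service Management feature on Page 10, actually do with heterogeneous feeds, here is an added example; it is not Telstra's T-SOC tooling or Project Enterprise code. It normalises constructed firewall, IDS, sshd and network-monitor lines (formats only loosely modelled on Cisco ASA, Snort and syslog) into one event schema, enriches them from a hypothetical asset inventory, and raises a ticketable alert when a successful login from a source is preceded, within a ten-minute window, by reconnaissance (firewall denies or an IDS scan alert) or by repeated failed logins. The network-monitor feed is consumed as enrichment (last known node state), as the callout above describes. Every hostname, IP address, threshold and function name is an assumption made for the example.

```python
"""SIEM-style correlation over heterogeneous log feeds.

Added example, not Telstra's T-SOC tooling or Project Enterprise code.
Log lines, asset inventory, host-to-IP map, rule names and thresholds are
constructed for illustration; the line formats only loosely resemble
Cisco ASA, Snort, sshd and a generic network-monitor syslog.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds: a network-monitor node event, firewall denies,
# an IDS scan alert, sshd auth events on a DMZ host, and an unrelated
# internal login that must not trigger anything.
SAMPLE_LOGS = [
    "2009-09-14T02:09:00 nms01 netmon: node 192.0.2.10 status UP",
    "2009-09-14T02:10:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4411 dst dmz:192.0.2.10/22",
    "2009-09-14T02:10:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4412 dst dmz:192.0.2.10/23",
    "2009-09-14T02:10:03 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4413 dst dmz:192.0.2.10/445",
    "2009-09-14T02:10:05 ids01 snort[1234]: [1:2001569:12] ET SCAN Behavioral Unusual Port 445 traffic "
    "[Classification: Attempted Information Leak] 203.0.113.9 -> 192.0.2.10",
    "2009-09-14T02:11:30 dmzhost sshd[881]: Failed password for admin from 203.0.113.9 port 5100 ssh2",
    "2009-09-14T02:11:33 dmzhost sshd[881]: Failed password for admin from 203.0.113.9 port 5101 ssh2",
    "2009-09-14T02:11:40 dmzhost sshd[882]: Accepted password for admin from 203.0.113.9 port 5102 ssh2",
    "2009-09-14T03:00:00 corphost sshd[77]: Accepted password for bob from 10.10.5.5 port 6000 ssh2",
]

# Constructed asset inventory used for enrichment (hypothetical hosts and IPs).
HOST_IPS = {"dmzhost": "192.0.2.10", "corphost": "10.10.8.20"}
ASSETS = {
    "192.0.2.10": {"zone": "DMZ", "criticality": "high"},
    "10.10.8.20": {"zone": "Internal", "criticality": "low"},
}

FW_RE = re.compile(r"^(\S+) (\S+) %ASA-\d-106023: Deny \w+ src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")
IDS_RE = re.compile(r"^(\S+) (\S+) snort\[\d+\]: \[[\d:]+\] (.+?) \[Classification: .+?\] ([\d.]+) -> ([\d.]+)")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Accepted|Failed) password for (\S+) from ([\d.]+) port \d+")
NMS_RE = re.compile(r"^(\S+) (\S+) netmon: node ([\d.]+) status (\w+)")

WINDOW = timedelta(minutes=10)   # look-back window for correlation (assumed)
DENY_THRESHOLD = 3               # firewall denies that count as recon (assumed)
FAIL_THRESHOLD = 2               # failed logins that count as brute force (assumed)


def normalise(line):
    """Map one raw line onto a common event schema; None if no parser matches."""
    m = FW_RE.match(line)
    if m:
        ts, host, src, dst, port = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "firewall", "host": host,
                "src_ip": src, "dst_ip": dst, "dst_port": int(port), "category": "deny"}
    m = IDS_RE.match(line)
    if m:
        ts, host, sig, src, dst = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "ids", "host": host,
                "src_ip": src, "dst_ip": dst, "signature": sig,
                "category": "scan" if "SCAN" in sig else "ids_alert"}
    m = AUTH_RE.match(line)
    if m:
        ts, host, outcome, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "auth", "host": host,
                "src_ip": src, "dst_ip": HOST_IPS.get(host), "user": user,
                "category": "login_ok" if outcome == "Accepted" else "login_fail"}
    m = NMS_RE.match(line)
    if m:
        ts, host, node, state = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "netmon", "host": host,
                "dst_ip": node, "category": "node_" + state.lower()}
    return None


def correlate(lines):
    """Return alerts for successful logins preceded, within WINDOW and from the
    same source, by recon (firewall denies / IDS scan) or repeated failures."""
    events = sorted((e for e in map(normalise, lines) if e), key=lambda e: e["ts"])
    history = defaultdict(list)   # src_ip -> earlier events from that source
    node_state = {}               # netmon enrichment: asset IP -> last known state
    alerts = []
    for ev in events:
        if ev["source"] == "netmon":
            node_state[ev["dst_ip"]] = ev["category"]
            continue
        src = ev["src_ip"]
        if ev["category"] == "login_ok":
            recent = [p for p in history[src] if ev["ts"] - p["ts"] <= WINDOW]
            denies = sum(p["category"] == "deny" for p in recent)
            scans = sum(p["category"] == "scan" for p in recent)
            fails = sum(p["category"] == "login_fail" and p["host"] == ev["host"] for p in recent)
            reasons = []
            if denies >= DENY_THRESHOLD or scans:
                reasons.append(f"recon before access ({denies} denies, {scans} IDS scan alerts)")
            if fails >= FAIL_THRESHOLD:
                reasons.append(f"{fails} failed logins before success")
            if reasons:
                asset = ASSETS.get(ev["dst_ip"], {"zone": "unknown", "criticality": "unknown"})
                alerts.append({
                    "ts": ev["ts"], "src_ip": src, "host": ev["host"], "user": ev["user"],
                    "zone": asset["zone"],
                    "severity": "HIGH" if asset["criticality"] == "high" else "MEDIUM",
                    "node_state": node_state.get(ev["dst_ip"], "unknown"),
                    "reasons": reasons, "evidence": recent + [ev],
                })
        history[src].append(ev)
    return alerts


def ticket_summary(alert):
    """One-line summary suitable for a unified service desk ticket."""
    return (f"[{alert['severity']}] {alert['src_ip']} -> {alert['host']} ({alert['zone']}) "
            f"user={alert['user']}: " + "; ".join(alert["reasons"])
            + f" [{len(alert['evidence'])} events]")


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(ticket_summary(a))
```

Run stand-alone it prints one HIGH ticket line for 203.0.113.9 against dmzhost and nothing for the internal login by bob, which is the point: neither the denies, the scan alert nor the failed logins is worth a ticket on its own, and a successful login is routine; the value of the correlation engine is in joining them across feeds and ranking by asset criticality before the service desk sees anything.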

Page 13: Function of the T-SOC?

• In real time, manage and monitor firewalls, intrusion detection and prevention systems, DDoS mitigation systems, anti-x solutions, patch updates, endpoint assets and other security products

• Analyse security log data, vulnerability information, asset information and alerts

• Immediately respond to potential security threats and quickly resolve security problems

• Offer real-time views of customers' security postures

• Defend customers against emerging network attacks

• Protect customers' technology investments

Page 14: What are the benefits of a T-SOC?

• Effectively deal with security incidents
The T-SOC would give customers the ability to move from a reactive posture to one of preparedness. Rather than scrambling to respond to a security breach, the T-SOC would have well-established processes to follow, to move fast and effectively to isolate, contain and defuse the threat.

• Reduces risks to customers
The T-SOC will enable customers to minimise security-related network downtime. By keeping pace with evolving threats, the T-SOC will better protect customers' data traffic from loss or manipulation.

• Improves security response
The T-SOC systematically analyses potential reasons for traffic abnormalities and escalates the events appropriately. By moving quickly, the T-SOC can deal with security incidents in minutes, not hours or days, greatly lessening potential disruption to customers' critical services and business processes.

• Enhances operational efficiency
By defining security rules and policies, the T-SOC specialists will be able to quickly identify threats and apply remedies to customer sites at risk before network attacks hit them.

• Comply with regulations
Customers often need to comply with regulations and policies governing the use, protection or privacy of information. Customers can use reports that the T-SOC generates to help adhere to these regulations and policies, including the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the data security requirements of the payment card industry (PCI DSS).

Page 15: TSOC Solution Architecture

Page 16: The TSOC

Page 17: TSOC Solution Architecture Detail

[Diagram, layered bottom to top. Collection Layer: PE-Netcool probes and ISM probes; syslog-ng syslog feed; PE NSA cache; performance metrics from EMS (csv files); SNMP v3 polling via PEIL (PE-ROSMAP); ICMP/SNMP ping requests and SNMP traps for non-EMS managed devices (switches and routers); CPE device configs; Infovista (IV) polling, discovery and seeding. Processing Layer: Omnibus object servers; Impact (correlation requests initiated via Impact); PE Correlation Engine with RCA rules, rules config UI, alert publisher, alert transient store, alert processor, Netcool alarm forwarder and ops state monitor; escalation to interdomain RCA and ticketable alarms; PE Infovista (Vista servers, Vista discovery, VistaMart, VistaPortal, VistaBridge); PE Config Provisioning app; PE Repository; PE BO Reporting; PE CMI/BOSS (CMI or EDN, Account-01) for inventory and eligibility, enrichment data and seeding to ISM, discovery and reconciliation; EM7; Cisco CUOM (manual provisioning for EM7 and CUOM); NetForensics security appliance; CNS-DI. Display Layer: Webtop server for operations (alarms/events view and update); TE&G Portal with IV reports and SIIAM; Trouble Ticketing for customer incidents and notifications (ticket creation and updates); legacy applications via HTTP links embedded in the TE&G Portal; Siteminder single sign-on (Account-01) with LDAP integration (INTERDAM); ACS user authentication, including user authentication for CPE. Customer networks include Cisco CallManager, Cisco Unity and Telepresence devices. Leverages components in the Cisco ROS solution.]

Page 18: Managed DMZ

Security Zone Model (source: Keith Price)

[Diagram: zones ordered by increasing trust into the company. External to the company: External Uncontrolled (Internet and wireless) and External Controlled (business partners). DMZ: DMZ for Service Presentation. Internal to the company: Internal Users and Systems, Business Applications, Secure Data Storage. A security device is marked at each zone boundary; the Managed DMZ service manages the whole DMZ environment under secure administration.]

Key features:
• Security-focused management of devices located in a DMZ (e.g. web content security, proxies, load balancers, VPN concentrators)
• Customer site or Telstra hosted

Value proposition:
• 24x7 service without the cost
• Specialist expertise

Specific differentiators:
• Single provider
• Linked to Internet-delivered features (e.g. DoSP, content security)

Page 19: End Point Security

Key features:
• Prevent non-compliant devices from connecting to a customer network
• Secure the end-point device itself (e.g. antivirus, firewall, intrusion prevention)
• All with centralised policy control and reporting

Value proposition:
• Reduced threat from uncontrolled devices
• Controlled and managed from within the customer network
• 24x7 service without the cost
• Ensure policy compliance

Specific differentiators:
• Network delivered (phase 2)
• Integrated view

[Diagram: Customer Network and the Internet; prevent high-risk devices from connecting to the network; protect end-point devices.]

Page 20: Secure Managed Network Services

Key features:
Overlays on MNS for:
• Secure wireless LAN: who has access, and for what purposes
• Encryption over MNS networks
• Log management on network devices

Value proposition:
• Option for high-security features to meet end-to-end compliance requirements (e.g. PCI, finance industry)

Specific differentiators:
• Network integrated & managed
• Integrated view

[Diagram: Customer Network; control who has wireless access for what purpose; encrypt traffic from the edge router and manage security-relevant log data.]