© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
© 2014 Sentry Metrics Inc.
the right solution at the right time.
Next-generation SOC: Building a Learning Security Ecosystem using HP ArcSight
Sheldon Malm, Vice President, Business Development
Mahbod Tavallaee, Global Practice Lead, SIEM Solutions
© 2014 Sentry Metrics Inc. Leaders in Information Security, Compliance and Risk Management Solutions | Confidential
Agenda
• Traditional Security Services
• The new way = Next Generation SOC
• Measuring Security Metrics
• Improving Security Posture using ArcSight
Traditional Security Services
How do we know the old way is not working?
We’re spending at record levels, with all the latest tools … how are attackers so successful when we should have the advantage?
Advantage: Attacker
Attacker capabilities have reached a tipping point
• New technologies and services are adopted more quickly
• Intelligence is shared and incorporated more effectively
• Business logic is standardized and more scalable
• Frameworks and services are driven by client (attacker) needs
Current Imbalance requires a new approach
• Standardized Use Cases and Integrations of best-in-class technologies
• Share Intelligence from external sources and from within client clusters
• Make Best Practice Business Processes easy to ADOPT
• Make customer-specific Client Procedures easy to ADAPT
What are we learning about threats and breaches?
• More than 90% avoidable through standard controls
• More than 90% carried out by external agents
• Slightly more than 50% utilize some form of hacking
• More than 90% of attacks not highly difficult
• Less than 50% incorporate malware
• More than 85% discovered by external third parties
What do threats tell us about our own exposures?
• Visibility Gap: Other people know more about our environment than we do.
• Security Intelligence Gap: Attackers study the systems we run … what information can they gather?
• Security Controls Gap: Most attacks use simple exploits of exposures that are easy to fix.
What do threats and exposures tell us about countermeasures?
• Improve Visibility: We need to understand our own environment better than anyone else
• Leverage Intelligence: We have expensive technologies in-house generating intelligence that we ignore
• Enhance Security Controls: Managing Exposures & Threats separately fails to inform our countermeasures
Traditional Methods: In-Source; Out-Source – Either Way, You Lose
Customers have 2 all-or-nothing choices today
• Self Service for those who choose to manage Security Operations in-house
• Managed Service for those who choose outsourcing; co-managed service is mostly lip service
Most Customers are in the middle
• Desire to mature processes and implement best practices; dissatisfied with existing operations or providers
• Capable staff, varied across disciplines; desire to do more in-house; suboptimal performance overall
Attackers take advantage of the disconnects
• Managed Services were designed to be low-cost; attackers have evolved beyond these boundaries
• Poor visibility, meets-minimum service, and expertise atrophy with outsourced operations
Outsourcing can improve posture and some performance … but at what cost?
• Sacrificing in-house expertise and capabilities is now an expensive trade-off for cost savings
• Losing competency means losing to attackers in the short term and over the long term
The new way = Next Generation SOC
What is the Next Generation SOC?
NGSOC is a LEARNING SYSTEM that eliminates noise, builds intelligence dynamically, recalibrates controls proactively, and aligns Security processes with Business operations.
• Defines processes based on ITSM and Security best practices, aligned to business operations
• Balanced analysis of exposures and threats triggers appropriate action and countermeasure adaptation
• Connects internal, external, and global threat intelligence data to constantly refine context
• Proactive analysis separates business activity, benign traffic, noise, and actionable Security Events
• Continuous tuning of active protections keeps the ecosystem efficient and ahead of attackers
• Optimized processes are automated to increase velocity and improve operational efficiencies
Context is Key
Correlating Exposures and Threats is the single most important step a Security team can take to effectively focus resources on the most critical activities.
It is the key to eliminating False Positives and other noise that distracts resources from discovering, analyzing, and ultimately managing risk.
Sentry has used this correlation to enable proactive problem management and control tuning for clients that has reduced Security alerts by up to 96%.
In the absence of this correlation, countermeasures are highly ineffective and management of them is highly inefficient.
[Diagram: three overlapping regions, THREATS (Malicious Activities), EXPOSURES (Vulnerabilities & Latent Risk), and COUNTER-MEASURES (Technologies & Processes); the overlaps are labelled "Primary source of Security Risk", "Primary source of Wasted Effort", and "Performance Target".]
Proactive Problem Management analyzes blocked and actionable events to uncover opportunities for improvement *even when existing controls have been successful*
[Diagram: reference architecture of the protected environment, reconstructed as a list]
• Internet
• Akamai Kona: Cloud-based DDoS & WAF
• Edge Firewall: Initial threat blocking
• IDS/IPS: Intrusion Prevention
• Internal Firewall: Network traffic control
• Web App Firewall: Web Threat Blocking
• Host-Based: Host-Based Web & Application Controls (Web/App Server)
• DB Firewall: Database traffic control
• DAM / DB: Database Encryption
• Log Mgmt & Search, Event Mgmt & Monitoring (ArcSight Express and Logger): devices logging to ArcSight; SIEM correlation; enrich data; push updates to other Security Controls throughout the ecosystem
• theSentry (ITSM), Proactive Problem Management: Blocked/Actionable Events inform Security Controls based on the threat/countermeasure relationship, prioritized by exposure
SOC Service Areas
NGSOC provides improved posture, program performance, and productivity through complementary, integrated services that deliver greater visibility and proactive protection.
Threat Analysis and Intelligence
• Internally-generated threat analysis
• Sentry community intelligence
• Global Threat Intelligence
• Malware and Zero Day Threat Updates
• Inform continuous adaptation of controls
Security Exposure Management
• Network Vulnerability Management
• Configuration Policy Compliance
• Web Application Assessment
• Process exposure risk management
• Exposure/Threat/Countermeasure alignment
Security Controls Management
• SIEM/Log Management operations
• Use Case development and augmentation
• Change Management optimization
• Active Controls Device Management
• System Integration and orchestration
Security Monitoring
• 24/7/365 Security Event Monitoring
• Incident Management & Response
• Proactive Problem Management
• Client escalation and collaboration
• Executive and Operator reporting
Solution Design: Continuous Improvement
Appropriate & Intelligent Action and Insight; Measure, Adapt, and Improve at each layer (layer labels on the slide: TL, SI, BL, CL)
State of the SOC discipline today – full stop
• Most MSSPs require clients to conform to a narrow set of tools
• theSentry standardizes to eliminate technology dependencies
Service Providers starting to offer pass-through 3rd party feeds
• Feeds are not often integrated with controls like SIEM/IPS/AMP
• theSentry uses global intelligence, internal data, and threat data from the customer base to generate shared, targeted intelligence
Weakness for traditional MSSPs – where most fall short
• Force customers to conform to tools and tool-specific processes
• theSentry provides more flexibility while maintaining standards
• ITIL/ITSM fundamentals are key enablers
Antithesis of the conformity-based approach
• Enables custom requirements & connection with internal assets
• theSentry provides Client flexibility, built on top of standardized Business, Intelligence, and Technology elements
Vulnerability Management the old way
Standard Vulnerability Management
• Focused primarily on discovery and detection of vulnerabilities
• Provides some risk scoring for prioritization
• Output is a report with issues to be remediated
• Customer must manage the entire operation of remediation, tracking, and Problem/Change management. This is where most of the work happens, where remediation efforts fail, and why hackers can prey on old vulnerabilities
• Findings are not normally incorporated into Security Intelligence, tuning of Security Controls, or formal Problem, Incident, and Change Management procedures
[Diagram: Operator, Scanner, Network, Report (steps numbered 1 to 6); step 6: No consideration of People or Processes for Remediation]
Customer receives a report document of detected vulnerabilities and little guidance as to what people and processes should do to fix them. Customers are left to figure out the "how" and execute manually.
Vulnerability Management in the NGSOC
Advanced Vulnerability Management
• Leverage best-in-class scanning technologies
• Advanced risk scoring and threat/malware correlation
• Provide problem-based and solution-based reporting
• Full ticketing and workflow support for remediation tracking
• Integration with Patch Management and IPS solutions for automated Change Management workflow
• Vulnerability data imported into SIEM for enhanced Problem Management and Incident Response intelligence
• Critical input into Security Intelligence Network
• Customized workflow to ensure best practices, track progress, and align with business processes
Vulnerability results trigger multiple, automated work streams for remediation, ticketing, and update to the SIEM, and status is automatically mapped to Security Operations, Performance & Compliance dashboards.
Refining Security Intelligence
NGSOC is built on IT Service Management
IT Service Management (ITSM) is the discipline that orchestrates TECHNOLOGY, PEOPLE, and PROCESSES to implement and manage Quality Information Technology Services.
• Industry-recognized best practice framework to structure IT-related activities and the interactions of IT technical personnel with business customers and users
• Closely tied with Business Improvement frameworks and methodologies to enable Continuous Improvement
• Key enablers include Service Automation, to maximize the effectiveness and efficiency of the PEOPLE and PROCESSES required to derive value from TECHNOLOGY investments
• The world's most effective organizations use ITSM to continuously improve operations
IT Service Management – Incident Management
Event/Incident Management: Standard Process
[Flowchart; nodes recovered from the slide, listed in approximate process order]
• Input: Tuned, Correlated Events supported by Sentry Use Cases → ALERT: Security Event → START
• Critical Alert? No → Capture non-critical Event information → END
• Critical Alert? Yes → Create Ticket in ITSM
• Verify Alert: False Positive? Use Case Applies?
• Use Case applies → Execute Use Case; otherwise → Investigate without Use Case
• Escalate to Investigator → Review Knowledgebase & Resolve if possible → Issue Resolved?
• Not resolved → Declare Incident → Escalate to Resolver → Resolver takes Ownership? No → Manage Escalation until Hand-Off
• Verify Resolution → Invoke Change Management Process → Update CMDB, DB, KB, and/or Use Case Library → END
Timing annotations on the slide: 15 Minutes; As per CI Tier
Key: NC = Notify Customer(s); NS = Notify Service Desk
IT Service Management – Change Management
Measuring Security Metrics
Do the Traditional Security Metrics Work?
• Number of computer viruses/malicious code detected (AV)
• Number of security incidents and investigations
• Cost of security breaches
• Time spent on security-related functions
Ideal Characteristics
• Meaningful to the organization
• Reproducible
• Simple
• Measure progression toward a goal
Recommended Security Metrics
Exposures
• Vulnerabilities Detected
• Total Number of Scans
• Vulnerability Scan Frequency
• Number of Successful Vulnerability Scans
• Number of Failed Vulnerability Scans
Counter Measures
• Number of Security Tests Performed
• Frequency of physical risk assessment and reviews
• Number of incidents successfully mitigated
• Number of implemented Preventive Measures
Threats
• Number of Successful Attacks
• Number of Major Security Incidents
• Number of Trojan infections detected by the Antivirus system
• Number of successful connections to destinations reported by CTI feeds
• Unresolved Incidents
• Infections Detected on Hosts
Technologies
• Number of threats detected/blocked
• IT Systems with the latest Patches Installed
• IT systems with proper end-point protection
• A count of viruses detected and deleted from the infrastructure by the Antivirus system
• A count of all alerts generated by the IPS
• Number of Security-Related Service Downtimes
People / Processes
• Average response time to SLAs
• Average time to resolve and mitigate incidents
Measure Progression Toward a Goal
(Threats, Counter Measures, Exposures; the numbered groups correspond to the regions of the threat/exposure/countermeasure diagram)
1. Primary Source of Wasted Effort
• Noise to Threat Ratio
• Number of tuning requests
• Number of IDS Alerts against non-vulnerable hosts
Security Posture
• Number of threats detected/blocked
• IT Systems with the latest Patches Installed
• IT systems with proper end-point protection
• A count of viruses detected and deleted from the infrastructure by the Antivirus system
• A count of all alerts generated by the IPS
• Number of incidents successfully mitigated
• Number of implemented Preventive Measures
• Average response time to SLAs
• Average time to resolve and mitigate incidents
2. Untargeted Vulnerabilities
• Vulnerable systems that are not exploited and the relevant IDS signatures have never been fired
3. Primary Source of Security Risk
• Number of Successful Attacks
• Number of Major Security Incidents
• Number of Trojan infections detected by the Antivirus system
• Vulnerabilities Detected But Not Remediated
• Vulnerabilities Detected With No Remediation Plan
• Number of identified Shortcomings during Security Tests
• Viruses that were found, where the Antivirus system failed to quarantine
Dashboards and Reports to Monitor Improvement
Improving Security Posture using ArcSight
Identifying Events of Interest (EOI)
Reasons to have noise events:
1. Settings for audit logs
2. System Misconfiguration
3. Non-Security Related Actions/Events
4. Policy Violations
Blocked Traffic Generated by Crawlers
Reasons to have false positives in the rules:
1. Raw events that are not categorized properly
2. Duplicate logs for the same action
Events of Interest (Event Name – Windows Event ID)
• The domain controller attempted to validate the credentials for an account – 4776
• An account failed to logon – 4625
• An account was successfully logged on – 4624
• An account was logged off – 4634
• A Kerberos authentication ticket (TGT) was requested – 4768
Proactive Problem Management
Plan: Establish KPIs/KRIs
Do: Implement and automate
Check: Monitor and Review
Act: Improve the counter-measures
Opportunities for Improvement
• Pushing Defence mechanisms to the perimeter
• Improve packet inspection
• Introduce new security layers
Analysis of Events of Interest: Blocked Connections, Correlated Events, Detected Malware
Layered Defense Approach
Firewall → IPS → Load Balancer → WAF → Web/App Server
Event Correlation & Threat Intelligence Feeds
• IDS/IPS + Vulnerability Scanners
• Host-based Firewall + Vulnerability Scanners
• DNS + Threat Intelligence Feeds
• IDS/IPS + Threat Intelligence Feeds
• Firewall + Threat Intelligence Feeds
Threat Intelligence Feeds:
1. HP RepSM
2. Collective Intelligence Framework (CIF)
[Diagram, repeated from the "Context is Key" slide: THREATS (Malicious Activities), EXPOSURES (Vulnerabilities & Latent Risk), COUNTER-MEASURES (Technologies & Processes); overlaps labelled "Primary source of Security Risk" and "Primary source of Wasted Effort".]
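The two correlation pairs that the deck leans on most, IDS/IPS + Vulnerability Scanners and DNS + Threat Intelligence Feeds, and the metrics from the "Measure Progression Toward a Goal" slide (Noise to Threat Ratio, IDS alerts against non-vulnerable hosts, vulnerable systems whose relevant signatures never fired) can be shown together in a short Python script. This is an added example, not code from the deck, Sentry or ArcSight; the scan results, signature-to-vulnerability mapping, IDS alerts, DNS log and indicator set are all constructed, and the vulnerability ids are placeholders rather than real CVE numbers.

```python
"""Correlate IDS alerts with vulnerability-scan results and DNS logs with a
threat-intelligence feed, then derive noise-to-threat metrics from the result.
Added example; every data structure below is constructed, not real output."""
from collections import defaultdict

# Constructed scan results: host -> set of vulnerability ids (placeholder ids).
SCAN_RESULTS = {
    "10.0.1.10": {"VULN-A"},
    "10.0.1.11": {"VULN-B"},
    "10.0.1.12": set(),
}

# Constructed mapping: IDS signature id -> vulnerability whose exploitation it detects.
SIG_TO_VULN = {"SIG-1001": "VULN-A", "SIG-1002": "VULN-B"}

# Constructed IDS alerts (signature, destination host).
IDS_ALERTS = [
    {"sig": "SIG-1001", "dst": "10.0.1.10"},  # target carries VULN-A -> real risk
    {"sig": "SIG-1001", "dst": "10.0.1.12"},  # target not vulnerable -> noise
    {"sig": "SIG-1001", "dst": "10.0.1.11"},  # target has a different vuln -> noise
    {"sig": "SIG-1002", "dst": "10.0.1.12"},  # target not vulnerable -> noise
]

# Constructed DNS query log and threat-intelligence indicator set.
DNS_LOG = [
    {"src": "10.0.0.7", "qname": "updates.example.net"},
    {"src": "10.0.0.7", "qname": "c2.badexample.test"},
    {"src": "10.0.0.8", "qname": "intranet.example.net"},
]
TI_DOMAINS = {"c2.badexample.test"}


def correlate_ids_with_scans(alerts, scans, sig_to_vuln):
    """Classify each IDS alert by whether the targeted host actually carries the
    vulnerability the signature refers to: threat AND exposure is risk, threat
    without exposure is noise (the "wasted effort" region of the diagram)."""
    risk, noise = [], []
    targeted = set()  # (host, vuln) pairs that have seen a matching alert
    for a in alerts:
        vuln = sig_to_vuln.get(a["sig"])
        if vuln is not None and vuln in scans.get(a["dst"], set()):
            risk.append(a)
            targeted.add((a["dst"], vuln))
        else:
            noise.append(a)
    # Exposure without threat: vulnerable hosts whose relevant signature has
    # never fired (the "untargeted vulnerabilities" metric).
    untargeted = sorted(
        (host, v) for host, vulns in scans.items() for v in vulns
        if (host, v) not in targeted
    )
    return {"risk": risk, "noise": noise, "untargeted": untargeted}


def noise_to_threat_ratio(result):
    """Alerts against non-vulnerable hosts per alert against a vulnerable host;
    None when no real threat was seen, so the ratio is undefined."""
    threats = len(result["risk"])
    return None if threats == 0 else len(result["noise"]) / threats


def dns_ti_matches(dns_log, ti_domains):
    """Lookups of destinations reported by the CTI feed, grouped by source host."""
    hits = defaultdict(list)
    for rec in dns_log:
        if rec["qname"].lower() in ti_domains:
            hits[rec["src"]].append(rec["qname"])
    return dict(hits)


if __name__ == "__main__":
    r = correlate_ids_with_scans(IDS_ALERTS, SCAN_RESULTS, SIG_TO_VULN)
    print("risk alerts:", len(r["risk"]), "noise alerts:", len(r["noise"]))
    print("noise-to-threat ratio:", noise_to_threat_ratio(r))
    print("untargeted vulnerabilities:", r["untargeted"])
    print("CTI hits:", dns_ti_matches(DNS_LOG, TI_DOMAINS))
```

With the constructed data one of four IDS alerts lands on a host that is actually vulnerable, so the noise-to-threat ratio is 3.0 and the three noise alerts are the tuning candidates; VULN-B on 10.0.1.11 shows up as an untargeted vulnerability because SIG-1002 never fired against that host. In a SIEM the same join is what lets the signature fire at a lower priority when the scan data says the host is not exposed.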
Data Enrichment
• Network Modeling
• Asset Modeling and Prioritization
• User Tracking (IP Address to User Mapping)
• LDAP Queries (User info and Roles)
Client Onboarding and Initial Setup → Faster Response Time, Higher Customer Satisfaction
To avoid performance issues, it's recommended to apply data enrichment only on the Correlated Events
Event volume at each stage:
• Security Events (100%, 1000 EPS)
• Aggregation (50%, 500 EPS)
• Connector Filters (20%, 200 EPS)
• Events of Interest (1%, 10 EPS)
• Correlated Events (0.01%, 0.1 EPS)
• Use Cases (0.0001%, 86 Per Day)
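The funnel above and the "Identifying Events of Interest" slide can be walked through in a single Python pipeline. This is an added example, not code from the deck, Sentry or ArcSight: constructed Windows Security events carrying the Event IDs from the table (4776, 4625, 4624, 4634, 4768) are aggregated to collapse duplicate logs for the same action, passed through a connector filter, reduced to events of interest, correlated by one constructed rule, and only the resulting correlated events are enriched from an asset model and a user lookup. The filter policy, the rule threshold and window, and the asset and user data are assumptions made for the example.

```python
"""Event funnel with enrichment applied only to correlated events.
Added example (not Sentry's or ArcSight's code); all events are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); field names are this example's own.
RAW_EVENTS = [
    {"ts": "2014-06-10T09:00:00", "event_id": 4776, "account": "jdoe", "src": "10.0.0.5"},
    {"ts": "2014-06-10T09:00:00", "event_id": 4776, "account": "jdoe", "src": "10.0.0.5"},  # duplicate log
    {"ts": "2014-06-10T09:00:01", "event_id": 4625, "account": "admin", "src": "10.0.0.9"},
    {"ts": "2014-06-10T09:00:02", "event_id": 4625, "account": "admin", "src": "10.0.0.9"},
    {"ts": "2014-06-10T09:00:03", "event_id": 4625, "account": "admin", "src": "10.0.0.9"},
    {"ts": "2014-06-10T09:00:03", "event_id": 4625, "account": "admin", "src": "10.0.0.9"},  # duplicate log
    {"ts": "2014-06-10T09:00:04", "event_id": 4624, "account": "admin", "src": "10.0.0.9"},
    {"ts": "2014-06-10T09:00:10", "event_id": 4624, "account": "jdoe", "src": "10.0.0.5"},
    {"ts": "2014-06-10T09:05:00", "event_id": 4634, "account": "jdoe", "src": "10.0.0.5"},
    {"ts": "2014-06-10T09:06:00", "event_id": 4768, "account": "svc_backup", "src": "10.0.0.20"},
    {"ts": "2014-06-10T09:07:00", "event_id": 4625, "account": "jdoe", "src": "10.0.0.5"},
]

# Assumed connector filter policy: keep logon failures/successes and TGT
# requests, drop credential-validation and logoff noise.
KEEP_IDS = {4625, 4624, 4768}
# Assumed correlation rule parameters.
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=5)
# Constructed asset model and directory data used for enrichment.
ASSETS = {"10.0.0.9": {"hostname": "hr-ws-12", "criticality": "high"}}
USERS = {"admin": {"role": "Domain Admin"}}


def aggregate(events):
    """Aggregation: collapse duplicate logs for the same action (same second,
    event id, account and source) into one event carrying a count."""
    counts, first = Counter(), {}
    for e in events:
        key = (e["ts"], e["event_id"], e["account"], e["src"])
        counts[key] += 1
        first.setdefault(key, dict(e))
    return [dict(e, count=counts[k]) for k, e in first.items()]


def connector_filter(events):
    """Connector filter: drop event ids the SIEM should not store."""
    return [e for e in events if e["event_id"] in KEEP_IDS]


def events_of_interest(events):
    """Events of interest: failed logons (4625)."""
    return [e for e in events if e["event_id"] == 4625]


def correlate(events):
    """Rule: FAIL_THRESHOLD or more failed logons for one account from one
    source, followed within WINDOW by a successful logon (4624) for the same
    account from the same source."""
    fails, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["account"], e["src"])
        t = datetime.fromisoformat(e["ts"])
        if e["event_id"] == 4625:
            fails[key].extend([t] * e["count"])
        elif e["event_id"] == 4624:
            recent = [f for f in fails[key] if t - f <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "failed-logons-then-success", "ts": e["ts"],
                               "account": e["account"], "src": e["src"],
                               "failed_attempts": len(recent)})
            fails[key] = []  # a success closes the window either way
    return alerts


def enrich(alerts):
    """Asset-model and directory enrichment, applied to correlated events only.
    Returns the enriched alerts and the number of lookups performed."""
    out, lookups = [], 0
    for a in alerts:
        asset = ASSETS.get(a["src"], {"hostname": "unknown", "criticality": "unknown"})
        user = USERS.get(a["account"], {"role": "unknown"})
        lookups += 2
        out.append(dict(a, **asset, **user))
    return out, lookups


def run_pipeline(raw=RAW_EVENTS):
    """Run the funnel; report per-stage volumes and the enrichment cost of
    enriching only correlated events versus every stored event."""
    agg = aggregate(raw)
    kept = connector_filter(agg)
    alerts = correlate(kept)
    enriched, lookups = enrich(alerts)
    return {"raw": len(raw), "aggregated": len(agg), "filtered": len(kept),
            "events_of_interest": len(events_of_interest(kept)),
            "correlated": len(alerts), "enrichment_lookups": lookups,
            "lookups_if_all_enriched": 2 * len(kept), "alerts": enriched}


if __name__ == "__main__":
    for k, v in run_pipeline().items():
        print(f"{k}: {v}")
```

On the constructed input the eleven raw records become nine after aggregation and seven after the connector filter; four are events of interest and one correlated alert survives, so enrichment costs two lookups instead of the fourteen that enriching every stored event would need. The same shape holds at the slide's volumes, where 0.1 EPS of correlated events is what the asset and LDAP lookups have to keep up with rather than 1000 EPS.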
Use Case Development
In IT security, a use case refers to a methodology used to identify, define, clarify and organize security incidents.
1. Requirements Gathering
2. Event Validation
3. Implementation and Testing
4. Procedures and Workflows
5. SOC Training
Business Requirements:
• Business
• Compliance
• Regulatory
• Security
Technical Requirements:
• Scope (Main Infrastructure, end-points, etc.)
• Data Sources (IDS, AV, DLP, etc.)
• Data Location (Centralized Server, SIEM, Cloud, etc.)
• SLA Requirements
Please give me your feedback
Session PN3315 – Speakers: Sheldon Malm and Mahbod Tavallaee
Please fill out a survey. Hand it to the door monitor on your way out.
Thank you for providing your feedback, which helps us enhance content for future events.
Thank you