© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.


© 2014 Sentry Metrics Inc.

the right solution at the right time.

Sheldon Malm Vice President, Business Development

Next-generation SOC: Building a Learning Security Ecosystem using HP ArcSight

Mahbod Tavallaee Global Practice Lead, SIEM Solutions

© 2014 Sentry Metrics Inc. Leaders in Information Security, Compliance and Risk Management Solutions | Confidential

the right solution at the right time.

Agenda

• Traditional Security Services
• The new way = Next Generation SOC
• Measuring Security Metrics
• Improving Security Posture using ArcSight


Traditional Security Services


How do we know the old way is not working?

We’re spending at record levels, with all the latest tools … how are attackers so successful when we should have the advantage?


Advantage: Attacker

Attacker capabilities have reached a tipping point:
• New technologies and services are adopted more quickly
• Intelligence is shared and incorporated more effectively
• Business logic is standardized and more scalable
• Frameworks and services are driven by client (attacker) needs

The current imbalance requires a new approach:
• Standardized Use Cases and integrations of best-in-class technologies
• Share intelligence from external sources and from within client clusters
• Make best-practice business processes easy to ADOPT
• Make customer-specific client procedures easy to ADAPT


What are we learning about threats and breaches?

• More than 90% avoidable through standard controls
• More than 90% carried out by external agents
• Slightly more than 50% utilize some form of hacking
• More than 90% of attacks not highly difficult
• Less than 50% incorporate malware
• More than 85% discovered by external third parties


What do threats tell us about our own exposures?

• Visibility Gap: other people know more about our environment than we do.
• Security Intelligence Gap: attackers study the systems we run; what information can they gather?
• Security Controls Gap: most attacks use simple exploits of exposures that are easy to fix.


What do threats and exposures tell us about countermeasures?

• Improve Visibility: we need to understand our own environment better than anyone else.
• Leverage Intelligence: we have expensive technologies in-house generating intelligence that we ignore.
• Enhance Security Controls: managing exposures and threats separately fails to inform our countermeasures.


Traditional Methods: In-Source; Out-Source – Either Way, You Lose

Customers have two all-or-nothing choices today:
• Self Service for those who choose to manage Security Operations in-house
• Managed Service for those who choose outsourcing; co-managed service is mostly lip service

Most customers are in the middle:
• Desire to mature processes and implement best practices; dissatisfied with existing operations or providers
• Capable staff, varied across disciplines; desire to do more in-house; suboptimal performance overall

Attackers take advantage of the disconnects:
• Managed Services were designed to be low-cost; attackers have evolved beyond these boundaries
• Poor visibility, meets-minimum service, and expertise atrophy with outsourced operations

Outsourcing can improve posture and some performance … but at what cost?
• Sacrificing in-house expertise and capabilities is now an expensive trade-off for cost savings
• Losing competency means losing to attackers in the short term and over the long term


The new way = Next Generation SOC


What is the Next Generation SOC?

NGSOC is a LEARNING SYSTEM that eliminates noise, builds intelligence dynamically, recalibrates controls proactively, and aligns Security processes with Business operations.

• Defines processes based on ITSM and Security best practices, aligned to business operations
• Balanced analysis of exposures and threats triggers appropriate action and countermeasure adaptation
• Connects internal, external, and global threat intelligence data to constantly refine context
• Proactive analysis separates business activity, benign traffic, noise, and actionable Security Events
• Continuous tuning of active protections keeps the ecosystem efficient and ahead of attackers
• Optimized processes are automated to increase velocity and improve operational efficiencies


Context is Key

Correlating Exposures and Threats is the single most important step a Security team can take to effectively focus resources on the most critical activities.

It is the key to eliminating False Positives and other noise that distracts resources from discovering, analyzing, and ultimately managing risk.

Sentry has used this correlation to enable proactive problem management and control tuning for clients that has reduced Security alerts by up to 96%.

In the absence of this correlation, countermeasures are highly ineffective and management of them is highly inefficient.

[Diagram of the relationship between EXPOSURES (vulnerabilities & latent risk), THREATS (malicious activities) and COUNTER-MEASURES (technologies & processes); the intersections are labelled Primary source of Security Risk, Primary source of Wasted Effort, and Performance Target.]


Proactive Problem Management analyzes blocked and actionable events to uncover opportunities for improvement *even when existing controls have been successful*

[Diagram: layered controls from the Internet inward, each logging to ArcSight]
• Akamai Kona: cloud-based DDoS & WAF
• Edge Firewall: initial threat blocking
• IDS/IPS: intrusion prevention
• Internal Firewall: network traffic control
• Web App Firewall: web threat blocking
• Web/App Server: host-based web & application controls
• DB Firewall: database traffic control
• DAM and DB: database encryption
• ArcSight Express and Logger: log management & search, event management & monitoring
• theSentry (ITSM): Proactive Problem Management

Devices log to ArcSight; SIEM correlation enriches the data and pushes updates to other Security Controls throughout the ecosystem.

Blocked/actionable events inform Security Controls based on the threat/countermeasure relationship, prioritized by exposure.


SOC Service Areas

NGSOC provides improved posture, program performance, and productivity through complementary, integrated services that deliver greater visibility and proactive protection.

Intelligence: Threat Analysis and Intelligence
• Internally-generated threat analysis
• Sentry community intelligence
• Global Threat Intelligence
• Malware and Zero Day Threat Updates
• Inform continuous adaptation of controls

Exposures: Security Exposure Management
• Network Vulnerability Management
• Configuration Policy Compliance
• Web Application Assessment
• Process exposure risk management
• Exposure/Threat/Countermeasure alignment

Management: Security Controls Management
• SIEM/Log Management operations
• Use Case development and augmentation
• Change Management optimization
• Active Controls Device Management
• System Integration and orchestration

Monitoring: Security Monitoring
• 24/7/365 Security Event Monitoring
• Incident Management & Response
• Proactive Problem Management
• Client escalation and collaboration
• Executive and Operator reporting


Continuous Improvement Solution Design

Appropriate & Intelligent Action and Insight

• State of the SOC discipline today – full stop
• Most MSSPs require clients to conform to a narrow set of tools
• theSentry standardizes to eliminate technology dependencies

• Service Providers are starting to offer pass-through 3rd party feeds
• Feeds are not often integrated with controls like SIEM/IPS/AMP
• theSentry uses global intelligence, internal data, and threat data from the customer base to generate shared, targeted intelligence

• Weakness for traditional MSSPs – where most fall short
• Force customers to conform to tools and tool-specific processes
• theSentry provides more flexibility while maintaining standards
• ITIL/ITSM fundamentals are key enablers

• Antithesis of the conformity-based approach
• Enables custom requirements & connection with internal assets
• theSentry provides Client flexibility, built on top of standardized Business, Intelligence, and Technology elements

Measure, Adapt, and Improve at each layer (layers shown in the diagram: TL, SI, BL, CL)


Vulnerability Management the old way

Standard Vulnerability Management
• Focused primarily on discovery and detection of vulnerabilities
• Provides some risk scoring for prioritization
• Output is a report with issues to be remediated
• Customer must manage the entire operation of remediation, tracking, and Problem/Change management. This is where most of the work happens, where remediation efforts fail, and why hackers can prey on old vulnerabilities
• Findings are not normally incorporated into Security Intelligence; tuning Security Controls; or formal Problem, Incident, and Change Management procedures

[Diagram: Operator -> Scanner -> Network -> Report; no consideration of People or Processes for Remediation]

Customer receives a report document of detected vulnerabilities and little guidance as to what people and processes should do to fix them. Customers are left to figure out the “how” and execute manually.


Vulnerability Management in the NGSOC

Advanced Vulnerability Management
• Leverage best-in-class scanning technologies
• Advanced risk scoring and threat/malware correlation
• Provide problem-based and solution-based reporting
• Full ticketing and workflow support for remediation tracking
• Integration with Patch Management and IPS solutions for automated Change Management workflow
• Vulnerability data imported into SIEM for enhanced Problem Management and Incident Response intelligence
• Critical input into Security Intelligence Network
• Customized workflow to ensure best practices, track progress, and align with business processes

Vulnerability results trigger multiple, automated work streams for remediation, ticketing, and update to SIEM, and status is automatically mapped to Security Operations, Performance & Compliance dashboards.


Refining Security Intelligence


NGSOC is built on IT Service Management

IT Service Management (ITSM) is the discipline that orchestrates TECHNOLOGY, PEOPLE, and PROCESSES to implement and manage quality Information Technology Services.

• Industry-recognized best-practice framework to structure IT-related activities and the interactions of IT technical personnel with business customers and users
• Closely tied with Business Improvement frameworks and methodologies to enable Continuous Improvement
• Key enablers include Service Automation, to maximize the effectiveness and efficiency of the PEOPLE and PROCESSES required to derive value from TECHNOLOGY investments
• The world’s most effective organizations use ITSM to continuously improve operations


IT Service Management – Incident Management

Event/Incident Management: Standard Process (flowchart from the slide)

ALERT: Security Event (tuned, correlated events supported by Sentry Use Cases)
1. START. Critical Alert? No: capture non-critical event information, END. Yes: continue.
2. Create Ticket in ITSM.
3. Verify Alert. False Positive? Yes: update CMDB, DB, KB, and/or Use Case Library, END. No: continue.
4. Use Case Applies? Yes: Execute Use Case. No: Investigate without Use Case.
5. Escalate to Investigator; review Knowledgebase & resolve if possible.
6. Issue Resolved? No: Declare Incident and Escalate to Resolver. Resolver takes Ownership? No: manage escalation until hand-off. Yes: invoke Change Management Process.
7. Verify Resolution; update CMDB, DB, KB, and/or Use Case Library; END.

Key: NC = Notify Customer(s); NS = Notify Service Desk. Timing annotations on the slide: 15 minutes; as per CI tier.


IT Service Management – Change Management


Measuring Security Metrics


Do the Traditional Security Metrics Work?

Traditional metrics:
• Number of computer viruses/malicious code detected (AV)
• Number of security incidents and investigations
• Cost of security breaches
• Time spent on security-related functions

Ideal characteristics of a metric:
• Meaningful to the organization
• Reproducible
• Simple
• Measures progression toward a goal


Recommended Security Metrics

Axes: Threats / Counter Measures / Exposures, measured across Technologies / People / Processes.

Exposures:
• Vulnerabilities Detected
• Total Number of Scans
• Vulnerability Scan Frequency
• Number of Successful Vulnerability Scans
• Number of Failed Vulnerability Scans

Counter Measures (Processes):
• Number of Security Tests Performed
• Frequency of physical risk assessment and reviews
• Number of incidents successfully mitigated
• Number of implemented Preventive Measures

Threats:
• Number of Successful Attacks
• Number of Major Security Incidents
• Number of Trojan infections detected by the Antivirus system
• Number of successful connections to destinations reported by CTI feeds
• Unresolved Incidents
• Infections Detected on Hosts

Counter Measures (Technologies):
• Number of threats detected/blocked
• IT systems with the latest patches installed
• IT systems with proper end-point protection
• A count of viruses detected and deleted from the infrastructure by the Antivirus system
• A count of all alerts generated by the IPS
• Number of security-related service downtimes

Counter Measures (People):
• Average response time to SLAs
• Average time to resolve and mitigate incidents


Measure Progression Toward a Goal

Security Posture (Threats / Counter Measures / Exposures):

1. Primary Source of Wasted Effort
• Noise to Threat Ratio
• Number of tuning requests
• Number of IDS Alerts against non-vulnerable hosts

Counter Measures
• Number of threats detected/blocked
• IT systems with the latest patches installed
• IT systems with proper end-point protection
• A count of viruses detected and deleted from the infrastructure by the Antivirus system
• A count of all alerts generated by the IPS
• Number of incidents successfully mitigated
• Number of implemented Preventive Measures
• Average response time to SLAs
• Average time to resolve and mitigate incidents

2. Untargeted Vulnerabilities
• Vulnerable systems that are not exploited and the relevant IDS signatures have never been fired

3. Primary Source of Security Risk
• Number of Successful Attacks
• Number of Major Security Incidents
• Number of Trojan infections detected by the Antivirus system
• Vulnerabilities Detected But Not Remediated
• Vulnerabilities Detected With No Remediation Plan
• Number of identified Shortcomings during Security Tests
• Viruses that were found, where the Antivirus system failed to quarantine


Dashboards and Reports to Monitor Improvement


Improving Security Posture using ArcSight


Identifying Events of Interest (EOI)

Reasons to have noise events:
1. Settings for audit logs
2. System misconfiguration
3. Non-security-related actions/events
4. Policy violations
Example: blocked traffic generated by crawlers

Reasons to have false positives in the rules:
1. Raw events that are not categorized properly
2. Duplicate logs for the same action

Events of Interest (example: Windows logon events)

Event Name                                                                  Windows Event ID
The domain controller attempted to validate the credentials for an account  4776
An account failed to logon                                                  4625
An account was successfully logged on                                       4624
An account was logged off                                                   4634
A Kerberos authentication ticket (TGT) was requested                        4768


Proactive Problem Management

Plan-Do-Check-Act cycle:
• Plan: establish KPIs/KRIs
• Do: implement and automate
• Check: monitor and review
• Act: improve the counter-measures

Analysis of Events of Interest: blocked connections, correlated events, detected malware.

Opportunities for improvement:
• Pushing defence mechanisms to the perimeter
• Improve packet inspection
• Introduce new security layers


Layered Defense Approach

Firewall -> IPS -> Load Balancer -> WAF -> Web/App Server


Event Correlation & Threat Intelligence Feeds

Correlation pairs:
• IDS/IPS + Vulnerability Scanners
• Host-based Firewall + Vulnerability Scanners
• DNS + Threat Intelligence Feeds
• IDS/IPS + Threat Intelligence Feeds
• Firewall + Threat Intelligence Feeds

Threat Intelligence Feeds:
1. HP RepSM
2. Collective Intelligence Framework (CIF)
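The exposure/threat correlation this deck keeps returning to (the Context is Key slide, the posture metrics, and the IDS/IPS + Vulnerability Scanner and Firewall + Threat Intelligence pairs above), as an added example that is not code from the deck, Sentry or HP: it classifies each IDS alert against scan data, buckets hosts into wasted effort, untargeted vulnerabilities and security risk, counts allowed connections to CTI-listed destinations, and derives the noise-to-threat ratio. The scan results, alerts, firewall log, indicator set and the VULN-x/SIG-x ids are all constructed placeholders.

```python
# Added example, not from the deck or Sentry/HP: exposure/threat correlation of
# IDS alerts with scan results and of firewall traffic with a CTI feed, producing
# the posture buckets and progression metrics the deck describes. All data is constructed.
from collections import Counter

# Constructed scan results: host -> vulnerability ids found ("VULN-x" are placeholders).
SCAN_RESULTS = {"10.0.1.10": {"VULN-A"}, "10.0.1.11": set(), "10.0.1.12": {"VULN-B"}}
# Constructed IDS alerts: (signature, vulnerability the signature exercises, target host).
IDS_ALERTS = [
    ("SIG-A attempt", "VULN-A", "10.0.1.10"),
    ("SIG-A attempt", "VULN-A", "10.0.1.11"),
    ("SIG-B attempt", "VULN-B", "10.0.1.11"),
    ("SIG-B attempt", "VULN-B", "10.0.1.13"),   # host was never scanned
]
# Constructed firewall log (source, destination, action) and CTI indicator set.
FW_LOG = [("10.0.1.10", "198.51.100.7", "allow"), ("10.0.1.11", "203.0.113.9", "deny"),
          ("10.0.1.12", "198.51.100.7", "allow")]
CTI_FEED = {"198.51.100.7", "203.0.113.9"}

def classify_alert(alert, scan_results):
    """actionable: target is vulnerable to what the signature exercises;
    noise: target was scanned and is not vulnerable (wasted effort);
    unknown: no scan data for the target, so escalate rather than discard."""
    _, vuln_id, target = alert
    if target not in scan_results:
        return "unknown"
    return "actionable" if vuln_id in scan_results[target] else "noise"

def posture_buckets(scan_results, ids_alerts):
    """Hosts in the deck's three regions: wasted_effort (alerts against non-vulnerable
    hosts), untargeted (vulnerable, signatures never fired), risk (vulnerable and attacked)."""
    attacked = {}
    for _, vuln_id, target in ids_alerts:
        attacked.setdefault(target, set()).add(vuln_id)
    buckets = {"wasted_effort": set(), "untargeted": set(), "risk": set()}
    for host, vulns in scan_results.items():
        seen = attacked.get(host, set())
        if vulns & seen:
            buckets["risk"].add(host)
        elif vulns:
            buckets["untargeted"].add(host)
        if seen - vulns:
            buckets["wasted_effort"].add(host)
    return buckets

def cti_connections(fw_log, cti_feed):
    """'Number of successful connections to destinations reported by CTI feeds'."""
    return [(s, d) for s, d, action in fw_log if action == "allow" and d in cti_feed]

def metrics(scan_results, ids_alerts, fw_log, cti_feed):
    """Progression metrics from the deck, computed from the correlated data."""
    counts = Counter(classify_alert(a, scan_results) for a in ids_alerts)
    noise, threats = counts["noise"], counts["actionable"]
    return {
        "ids_alerts_against_non_vulnerable_hosts": noise,
        "noise_to_threat_ratio": noise / threats if threats else float("inf"),
        "alerts_needing_scan_data": counts["unknown"],
        "successful_cti_connections": len(cti_connections(fw_log, cti_feed)),
        "posture": posture_buckets(scan_results, ids_alerts),
    }
```

Alerts against hosts with no scan data are reported separately rather than folded into noise, since treating a coverage gap as a false positive is how untargeted vulnerabilities become security risk unnoticed.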



Data Enrichment

Client onboarding and initial setup:
• Network Modeling
• Asset Modeling and Prioritization
• User Tracking (IP address to user mapping)
• LDAP Queries (user info and roles)

Benefits: faster response time, higher customer satisfaction.

To avoid performance issues, it is recommended to apply data enrichment only to the Correlated Events.

Event funnel:
• Security Events (100%, 1000 EPS)
• Aggregation (50%, 500 EPS)
• Connector Filters (20%, 200 EPS)
• Events of Interest (1%, 10 EPS)
• Correlated Events (0.01%, 0.1 EPS)
• Use Cases (0.0001%, 86 per day)
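The funnel above and the Events of Interest slide, as an added example that is not part of the deck or of ArcSight: constructed Windows Security events in CEF form pass through aggregation, a connector filter, the EOI list and one correlation rule, and enrichment (asset priority, IP-to-user mapping) is applied only to the correlated result. The event lines, addresses, account names, asset and user maps, the noise-source list and the rule threshold are all constructed; the parser assumes no escaped characters in the sample.

```python
# Added example, not from the deck or ArcSight: the slide's event funnel applied to
# constructed Windows Security events in CEF form, enriching only after correlation.
from collections import defaultdict
EOI_IDS = {"4776", "4625", "4624", "4634", "4768"}  # Windows event ids from the EOI slide
NOISE_SOURCES = {"10.0.9.9"}                        # constructed: authorised scanner
ASSETS = {"DC01": "critical", "FS01": "medium"}     # constructed asset model
IP_TO_USER = {"10.0.2.5": "contractor-vpn"}         # constructed IP-to-user mapping
HDR = "CEF:0|Microsoft|Microsoft Windows|6.1|"      # constructed CEF header prefix
RAW = "\n".join([  # constructed sample events; rt is the event time as a small integer
    HDR + "Security:4625|An account failed to logon|3|src=10.0.2.5 suser=jdoe dhost=DC01 rt=100",
    HDR + "Security:4625|An account failed to logon|3|src=10.0.2.5 suser=jdoe dhost=DC01 rt=101",
    HDR + "Security:4625|An account failed to logon|3|src=10.0.2.5 suser=jdoe dhost=DC01 rt=102",
    HDR + "Security:4624|An account was successfully logged on|1|src=10.0.2.5 suser=jdoe dhost=DC01 rt=500",
    HDR + "Security:4624|An account was successfully logged on|1|src=10.0.9.9 suser=scanner dhost=FS01 rt=110",
    HDR + "Security:4624|An account was successfully logged on|1|src=10.0.3.3 suser=asmith dhost=FS01 rt=115",
    HDR + "Security:4688|A new process has been created|1|src=10.0.3.3 suser=asmith dhost=FS01 rt=130",
    HDR + "System:7036|Service entered the running state|1|dhost=FS01 rt=140",
])

def parse_cef(line):
    """Minimal CEF parser; assumes no escaped '|' or '=' (true for the sample)."""
    parts = line.split("|", 7)
    ev = {"class": parts[4], "id": parts[4].split(":")[-1]}
    for kv in parts[7].split():
        k, _, v = kv.partition("=")
        ev[k] = v
    return ev

def aggregate(events):
    """Connector aggregation: identical events collapse into one carrying a count."""
    merged = {}
    for e in events:
        k = (e["id"], e.get("src"), e.get("suser"), e.get("dhost"))
        merged.setdefault(k, dict(e, count=0))["count"] += 1
    return list(merged.values())

def connector_filter(events):
    """Connector filter: drop known noise sources and non-security event classes."""
    return [e for e in events if e.get("src") not in NOISE_SOURCES and e["class"].startswith("Security:")]

def events_of_interest(events):
    return [e for e in events if e["id"] in EOI_IDS]

def correlate(events, threshold=3):
    """Constructed rule: >= threshold failed logons (4625) then a success (4624), same source and account."""
    fails, out = defaultdict(int), []
    for e in sorted(events, key=lambda e: int(e.get("rt", 0))):
        k = (e.get("src"), e.get("suser"))
        if e["id"] == "4625":
            fails[k] += e.get("count", 1)
        elif e["id"] == "4624" and fails[k] >= threshold:
            out.append({"src": k[0], "suser": k[1], "dhost": e.get("dhost"), "failures": fails[k]})
    return out

def enrich(correlated):
    """Enrichment only on correlated events, as the slide recommends for performance."""
    for c in correlated:
        c["asset_priority"] = ASSETS.get(c["dhost"], "unknown")
        c["src_user"] = IP_TO_USER.get(c["src"], "unmapped")
    return correlated

def run_funnel(raw_text):
    # Returns per-stage counts (cf. the EPS funnel) and the enriched correlated events.
    events = [parse_cef(l) for l in raw_text.splitlines() if l.startswith("CEF:")]
    stages = {"raw": len(events)}
    for name, stage in (("aggregated", aggregate), ("filtered", connector_filter),
                        ("eoi", events_of_interest), ("correlated", correlate)):
        events = stage(events)
        stages[name] = len(events)
    return stages, enrich(events)
```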


Use Case Development

In IT security, a use case refers to a methodology used to identify, define, clarify and organize security incidents.

Development stages: Requirements Gathering -> Event Validation -> Implementation and Testing -> Procedures and Workflows -> SOC Training

Business Requirements:
• Business
• Compliance
• Regulatory
• Security

Technical Requirements:
• Scope (main infrastructure, end-points, etc.)
• Data Sources (IDS, AV, DLP, etc.)
• Data Location (centralized server, SIEM, cloud, etc.)
• SLA Requirements


Please fill out a survey. Hand it to the door monitor on your way out.

Thank you for providing your feedback, which helps us enhance content for future events.

Session PN3315 Speakers Sheldon Malm and Mahbod Tavallaee

Please give me your feedback


Thank you