Security Operations Center

Petr Kunstat, Microfocus SW

2019. 11. 28.


Page 1

Security Operations Center

Petr Kunstat

Microfocus SW

Page 2

Which of you has an Intelligent Security Operational Center?

Page 3

Intelligent Security Operational Center depends on …

Team size

Team skills

Ops x Dev x Sec

Use cases

Infrastructure

HW, SW Tools

Regulation

Company Rules

Compliance

Page 4

Intelligent Security Operational Center depends on …

Team size

Team skills

Ops x Dev x Sec

Use cases

Infrastructure

HW, SW Tools

Legislation

Processes

Compliance

Three pillars: PEOPLE, TECHNOLOGY, PROCESSES

Page 5

In all cases, the main objective of a SOC

A SOC is a centralized unit that deals with security issues on an organizational and technical level

▪ Every second counts: detect as early as possible, including sophisticated attacks

- Understand the next expected event

- Be able to determine the scope of the attack

- Prevent or mitigate likely business damage

- Learn from detection to improve general security & detection

Cycle around attacks: Detect -> Analyze -> Respond -> Prevent

Page 6

PEOPLE

Page 7

Build on People Experience

Page 8

Train people and simplify their tasks: visual context

Page 9

Maximize Business Context of Events and Logs

Raw log lines as they arrive from two different firewalls:

Jun 17 2010 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside

Jun 17 2010 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49

After normalization and categorization they become easy for an analyst to read and analyze.
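The two raw lines above (Cisco PIX and Check Point) describe the same kind of event in two unrelated formats, which is exactly what normalization and categorization flatten away. The following is an added example, not code from the presentation or from any Micro Focus product: it parses both vendors' lines into one vendor-neutral schema, maps the vendor verbs onto a common action and category, and attaches business context (owner, role, criticality) from a small asset table. The `ASSETS` table and the `Event` field names are assumptions made for the example; the two log lines are the ones from the slide.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# The two raw lines exactly as shown on the slide.
PIX_LINE = ("Jun 17 2010 12:16:03: %PIX-6-106015: Deny TCP (no connection) from "
            "10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside")
CP_LINE = ("Jun 17 2010 14:53:16 drop gw.foobar.com >eth0 product VPN-1 & Firewall-1 "
           "src xxx.xxx.146.12 s_port 2523 dst xxx.xxx.10.2 service ms-sql-m proto udp rule 49")

# Constructed business-context table (assumption: fed from a CMDB / asset inventory).
ASSETS = {
    "10.50.215.102": {"owner": "Finance", "role": "workstation", "criticality": "medium"},
    "xxx.xxx.10.2": {"owner": "Sales", "role": "MSSQL server", "criticality": "high"},
}


@dataclass
class Event:
    """Vendor-neutral event: every source is mapped onto the same field names."""
    timestamp: str              # ISO 8601
    vendor: str
    action: str                 # normalized verb: "allow" / "deny"
    category: str               # e.g. "firewall/deny"
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    service: Optional[str] = None
    context: dict = field(default_factory=dict)


# Categorization: vendor-specific verbs collapse onto two normalized actions.
ACTION_MAP = {"deny": "deny", "drop": "deny", "reject": "deny",
              "permit": "allow", "accept": "allow"}

PIX_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(?P<msgid>\d+): "
    r"(?P<action>Deny|Permit) (?P<proto>\w+) .*?from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+)")
CP_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<action>accept|drop|reject) (?P<gw>\S+) "
    r"[<>](?P<iface>\S+) product (?P<product>.+?) src (?P<src>\S+) s_port (?P<sport>\d+) "
    r"dst (?P<dst>\S+) service (?P<service>\S+) proto (?P<proto>\w+) rule (?P<rule>\d+)")


def _iso(ts: str) -> str:
    return datetime.strptime(ts, "%b %d %Y %H:%M:%S").isoformat()


def normalize(line: str) -> Event:
    """Map one raw line onto the common schema; raise if no parser matches."""
    m = PIX_RE.match(line)
    if m:
        action = ACTION_MAP[m["action"].lower()]
        return Event(_iso(m["ts"]), "Cisco PIX", action, f"firewall/{action}",
                     m["proto"].lower(), m["src"], m["dst"], int(m["sport"]), int(m["dport"]),
                     context={"message_id": m["msgid"]})
    m = CP_RE.match(line)
    if m:
        action = ACTION_MAP[m["action"].lower()]
        return Event(_iso(m["ts"]), "Check Point", action, f"firewall/{action}",
                     m["proto"].lower(), m["src"], m["dst"], int(m["sport"]), None, m["service"],
                     context={"rule": m["rule"], "gateway": m["gw"], "product": m["product"]})
    raise ValueError(f"no parser for line: {line[:40]!r}")


def enrich(ev: Event, assets=ASSETS) -> Event:
    """Attach business context so the analyst sees owner/criticality, not bare IPs."""
    unknown = {"owner": "unknown", "role": "unknown", "criticality": "unknown"}
    ev.context["src_asset"] = assets.get(ev.src_ip, unknown)
    ev.context["dst_asset"] = assets.get(ev.dst_ip, unknown)
    return ev


def summary(ev: Event) -> str:
    """One readable line per event, the form an L1 analyst scans in a console."""
    d = ev.context.get("dst_asset", {})
    target = ev.service or ev.dst_port
    return (f"{ev.timestamp} {ev.vendor}: {ev.action.upper()} {ev.protocol} "
            f"{ev.src_ip} -> {ev.dst_ip}:{target} "
            f"[{d.get('owner', '?')}/{d.get('criticality', '?')}]")


if __name__ == "__main__":
    for raw in (PIX_LINE, CP_LINE):
        print(summary(enrich(normalize(raw))))
```

Both lines now carry the same field names, so a single correlation rule ("deny from the same source to many ports") can run over events from either firewall, and the asset lookup is what turns "a deny to xxx.xxx.10.2" into "a deny to a high-criticality Sales database server".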

Page 10

Team expansion triggers: 1 -> 3 -> 10

Page 11

Have technology for SOC under control

Page 12

TECHNOLOGY

Page 13

SOC has to be based on a simple, powerful technology:

1) Simple (for you)

2) Analytics (for detection)

3) Open (for innovation)

Page 14

Finding the Needle in the Haystack

Big Data is a must for 5G/SOC

Page 15

Intelligent 5G SOC with continuous measures

0) Log collection, Data lakes

1) Compliance – Analysis – Reporting

2) Intelligence – Correlation – Use Cases

3) Detect suspicious behavior

4) Agility – Discovery, Team skills

5) Mitigate false positives

6) Integration – Workflow

7) Big data Analysis, Machine learning

Capabilities review – Do I have …

Page 16

PROCESSES

Page 17

Triage Process

RAW data + Business context -> Correlation -> TRIAGE -> Incident WF -> END

Triage tiers: L1, L2, L3
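The triage flow above (raw data plus business context, correlation, triage, incident workflow) and two of the earlier continuous measures, "Intelligence – Correlation – Use Cases" and "Mitigate false positives", fit together in one small pipeline. The following is an added example, not code from the presentation or from any Micro Focus product: a sliding-window correlation use case over already-normalized deny events, a suppression step for known false-positive sources, and a tier assignment (L1/L2/L3) driven by the criticality of the targeted asset. The events, the scanner allowlist and the criticality table are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _make_denies(src, dst, ports, start="2019-11-28T10:00:00", step_s=5):
    """Build a burst of normalized deny events (constructed sample data)."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(seconds=i * step_s)).isoformat(),
             "action": "deny", "src": src, "dst": dst, "dport": p}
            for i, p in enumerate(ports)]


# Constructed sample: one suspicious sweep, one authorized scanner, one benign host.
EVENTS = (_make_denies("10.1.1.50", "10.9.0.7", [21, 22, 23, 25, 80, 443])
          + _make_denies("10.1.1.200", "10.9.0.8", [21, 22, 23, 25, 80, 443, 8080])
          + _make_denies("10.1.1.60", "10.9.0.8", [22, 80, 443])
          + [{"ts": "2019-11-28T10:00:03", "action": "allow",
              "src": "10.1.1.50", "dst": "10.9.0.7", "dport": 443}])

# Business context (assumptions): authorized scanner list and asset criticality.
SCANNER_ALLOWLIST = {"10.1.1.200"}
CRITICALITY = {"10.9.0.7": "high", "10.9.0.8": "low"}


def correlate_port_sweep(events, window_s=60, min_ports=5):
    """Use case: one source denied on >= min_ports distinct ports within window_s seconds.
    Fires once per source so a long sweep does not flood the analyst queue."""
    recent = defaultdict(list)   # src -> [(time, dst, dport)] inside the window
    fired, hits = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "deny":
            continue
        t = datetime.fromisoformat(ev["ts"])
        buf = recent[ev["src"]]
        buf.append((t, ev["dst"], ev["dport"]))
        # Slide the window: keep only events not older than window_s.
        buf[:] = [x for x in buf if t - x[0] <= timedelta(seconds=window_s)]
        ports = {p for _, _, p in buf}
        if len(ports) >= min_ports and ev["src"] not in fired:
            fired.add(ev["src"])
            hits.append({"use_case": "port_sweep", "src": ev["src"],
                         "targets": sorted({d for _, d, _ in buf}), "ports": sorted(ports),
                         "first_seen": buf[0][0].isoformat(), "last_seen": t.isoformat()})
    return hits


def triage(hits, allowlist=SCANNER_ALLOWLIST, criticality=CRITICALITY, escalate_ports=10):
    """Split correlation hits into alerts for the queue and suppressed false positives,
    and assign the tier (L1/L2/L3) that should pick each alert up."""
    alerts, suppressed = [], []
    for h in hits:
        if h["src"] in allowlist:
            suppressed.append({**h, "reason": "authorized scanner"})
            continue
        crits = {criticality.get(d, "unknown") for d in h["targets"]}
        if "high" in crits and len(h["ports"]) >= escalate_ports:
            tier = "L3"            # broad sweep against a critical asset: senior analyst
        elif "high" in crits:
            tier = "L2"            # critical asset touched: needs investigation
        else:
            tier = "L1"            # low-value target: first-line triage
        alerts.append({**h, "tier": tier, "target_criticality": sorted(crits)})
    return alerts, suppressed


if __name__ == "__main__":
    open_alerts, dropped = triage(correlate_port_sweep(EVENTS))
    for a in open_alerts:
        print(f"[{a['tier']}] {a['src']} swept {a['targets']} on ports {a['ports']}")
    for s in dropped:
        print(f"[suppressed: {s['reason']}] {s['src']}")
```

The suppression list and the criticality table are the "business context" of the slide: without them every scanner run would land in the queue as a false positive, and every alert would look equally urgent.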

Format Preserving Encryption (FPE)

Ex. Tax ID masking

934-753-2356

345-753-5772

Continuous Measures

Regular Feedback

Maturity Audit

Success stories

API

FPE on an e-mail address: [email protected] -> [email protected] (format preserved)

AES ECB on the same value, for comparison: unreadable binary ciphertext
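The slide's point is that format preserving encryption keeps a Tax ID looking like a Tax ID (934-753-2356 -> 345-753-5772) so analysts and downstream tools can still work with the field, whereas AES in ECB mode turns it into bytes that break every parser. The following is an added example, not code from the presentation or any Micro Focus product: a keyed Feistel network over the decimal digits, with separators left in place, which is the general construction behind FPE. It is an illustration of the idea, not NIST FF1/FF3-1, and the demo key is a constructed assumption; a production deployment uses a vetted FPE implementation and a key held in a KMS or HSM.

```python
import hashlib
import hmac

ROUNDS = 10


def _prf(key: bytes, round_no: int, value: int, modulus: int) -> int:
    """Keyed round function: HMAC-SHA256 reduced into [0, modulus).
    Reducing a 128-bit value modulo a modulus of at most 10**15 leaves negligible bias."""
    msg = bytes([round_no]) + value.to_bytes(16, "big") + modulus.to_bytes(16, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:16], "big") % modulus


def _feistel(key: bytes, digits: str, decrypt: bool) -> str:
    """Unbalanced Feistel network over a decimal string, so the output stays decimal
    and has the same length. Decryption runs the rounds backwards with subtraction."""
    n = len(digits)
    a, b = n // 2, n - n // 2
    mod_l, mod_r = 10 ** a, 10 ** b
    left, right = int(digits[:a]), int(digits[a:])
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    sign = -1 if decrypt else 1
    for i in order:
        if i % 2 == 0:
            left = (left + sign * _prf(key, i, right, mod_l)) % mod_l
        else:
            right = (right + sign * _prf(key, i, left, mod_r)) % mod_r
    return f"{left:0{a}d}{right:0{b}d}"


def fpe_encrypt(key: bytes, formatted: str, decrypt: bool = False) -> str:
    """Encrypt only the digits; separators such as '-' stay exactly where they were."""
    digits = "".join(ch for ch in formatted if ch.isdigit())
    if not 2 <= len(digits) <= 30:
        raise ValueError("this demo supports 2..30 digits")
    out = iter(_feistel(key, digits, decrypt))
    return "".join(next(out) if ch.isdigit() else ch for ch in formatted)


def fpe_decrypt(key: bytes, formatted: str) -> str:
    return fpe_encrypt(key, formatted, decrypt=True)


# Constructed demo key (assumption); never hard-code a real key like this.
KEY = b"constructed-demo-key-32-bytes!!!"

if __name__ == "__main__":
    tax_id = "934-753-2356"
    masked = fpe_encrypt(KEY, tax_id)
    print(tax_id, "->", masked, "->", fpe_decrypt(KEY, masked))
```

Because the output is deterministic for a given key, the masked value can still be used as a join key across SIEM searches and reports, and the same key reverses it when an incident owner with the right role needs the real identifier.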

Page 18

Organization of SOC in Bi-Modal IT

▪ Set up interoperability among IT OPS, IT DEV and IT SEC correctly

▪ Set up the org chart correctly (SOC close to the CIO)

▪ Set the correct expectations

Reactive vs. Proactive

Page 19

SOC Manager - Reliable Monitoring

All product views are illustrations and might not represent actual product screens

Page 20

BE STRONG

Page 21

Top 5 mistakes I have seen companies make with a SOC

▪ #1 – Lack of organizational support

▪ #2 – Over-reliance on technology

▪ #3 – Basics are overlooked

▪ #4 – Assigning administrative tasks to a SOC

▪ #5 – Focus on compliance


Page 22

Is this a highly successful SOC?

NO!

Page 23

Characteristics of a Successful SOC

Page 24

Thank you.

[email protected]

www.microfocus.com

Page 25

Secure the New

SIEM

Data Security

Identity Management

Application Security

Page 26

Intelligent Security Operations – Use case Roadmap

Log Management
• Centralize Logs
• Retain data
• Compliance

Data Analysis
• Forensics
• Rapid Search
• Reporting

Real time alerting & monitoring
• Detect & identify
• Respond in time
• Build workflow

Security Analytics
• Behavior Profiling
• Threat detection
• Know the unknown

Intelligent Security Operations
• Integrated monitoring
• People & Process & Technology
• Efficiency & Resilience