Building a Cyber Defence Centre
Transcript of Building a Cyber Defence Centre
Antonio Forzieri EMEA Cyber Security Practice Lead
Agenda
1 Introduction
2 Adopting a Well Defined Model
3 Services Sourcing Strategy
4 The people bit
5 Building CDC
6 A Customer Story
On the morning of 7 December 1941, a radar station in Oahu, Hawaii, operated by the U.S. Army, picked up a huge blip on its instruments.
Carson Zimmerman
Ten Strategies of a World-Class CyberSecurity Operations Center
Copyright © 2014 Symantec Corporation
Forrest Gump MANTRA it happens
Adopting a well defined model
Reasons to Adopt an off the Shelf CDC Model?
• Building a CDC is a very complex project with a high impact on the organization and the IT/Security infrastructure
• Adopting a comprehensive CDC model allows you to:
– Comply with widely recognized standards and industry best practices
– Define clear goals, objectives, and expectations about the CDC
– Define CDC services, functions and responsibilities, explaining them across the organization
– Define the organizational and staff model with processes, roles and responsibilities
– Define the technology infrastructure to support service delivery
– Evaluate the Return on Investment (ROI) and the growth of the service
Symantec CDC Management System: Best Practices Based Model
Components of the CDC Management System:
• Quality & Maturity
• Processes
• Services Catalog
• Organization
• Roles & Responsibilities
• Technology
Standards & Best Practices referenced by the model (listed per component on the slide, so several appear more than once):
• CMU HB 001
• CMU HB 002
• CMU TR 001
• RFC 2350
• NIST SP 800-61
• CMU TR 015
• ISO 27035:2011
• ISF
• COBIT 5
• ISO 27002:2006
• ISO 1335:2004
• ISO 27035:2011
• ITIL
• COBIT 5
• ISO 27002:2006
• NIST SP 800-61
• CMU TR 015
• ITIL
• COBIT 5 (RACI)
• ISO 27002:2006
• ISO 21827 (CMM)
• COBIT 5
• ISM3
CDC Management System “Components Path”
1. Services Catalogue
• Service Description & Scope
2. Capability Maturity Model
• Primary/Secondary Services
3. Main Processes
• Process Diagrams
• Process Tables
4. Roles & Responsibilities (RACI)
5. Technical & Organizational Model
Result: a Well-defined CDC Model
Cyber Defense Center Service Catalog Successful Components
PILLARS
• Monitoring: Services and processes that have the main goal in the control and security supervision. No operative tasks.
• Advisoring: Consulting and notification services mainly towards external third parties. Essential to provide information about the organization security trends or referred to the external security threats.
• Managing: Hands-on and strategic services to provide operational and security management.
BEAMS
• Incident Handling
• Proactive Security
• Security Management
Cyber Defense Center Service Catalog Successful Components: MATRIX
Rows are the beams, columns are the pillars (Monitoring / Advisoring / Managing):
Incident Handling
• Monitoring: Incident Identification, Incident Classification
• Advisoring: Incident Notification
• Managing: Incident Response & Containment, Incident Recovery, Forensics Evidence Collection, Forensics Analysis, Tracking & Tracing, Post Mortem Analysis
Proactive Security
• Monitoring: Real Time Device Monitor, Vulnerability Assessment, Penetration Test, Security & Compliance Audit, Security Intelligence, Performance Monitoring, Fault Monitoring, Policy Compliance
• Advisoring: Alerting & Warning, Technical Reporting, Security Hotline
• Managing: Secure Device Configuration, Secure Device Maintenance, Policy Management, Policy Enforcement, Patch Management, Events Data Retention, Endpoint Management, Hardening
Security Management
• Monitoring: Business Impact Analysis, Risk Assessment, Technology Watch
• Advisoring: Executive Reporting, Security Consulting, Awareness, Countermeasures Selection
• Managing: Business Continuity, Asset Inventory, Policy Planning, Risk Management, Education/Training, Certification
Capability Maturity Model CDC Services
Maturity levels: Initial – Aware – Defined – Managed – Optimized
Services positioned on the maturity scale (as listed on the slide; the column each service sits in did not survive extraction):
RT Device Monitoring, Alerting & Warning, Policy Management, Policy Enforcement
Incident Identification, Incident Notification, Incident Response
Vulnerability Assessment, Penetration Test, Security Intelligence, Technical Reporting, Event Data Retention
Incident Classification, Tracking & Tracing
Security Awareness, Executive Security Reporting
Security Device Config., Security Device Maintenance
Business Impact Analysis, Risk Assessment, Asset Inventory
Fault Monitoring, Patch Management, End Point Security, Hardening
Forensics Evidence Collection, Post-mortem Analysis
Technology Watch, Security Consulting, Countermeasures selection, Risk Management
Security Audit, Performance Monitoring, Policy Compliance, Security Hotline
Forensics Analysis
Business Continuity, Policy Planning, Education/Training, Certification
Incident Recovery
Security Operation Center – Capability and Maturity Model
Services Classification: Primary/Secondary Enabler
SOC – Primary/Secondary Enabler Service Framework
Primary Enabler
Proactive Security Services
• RTM Device Monitoring RA
• Vulnerability Assessment RA
• Security Intelligence RA
• Alerting & Warning RA
• Technical Reporting RA
• Policy Management RA
• Policy Enforcement RA
• Event Data Retention RA
Incident Handling Services
• Incident Identification RA
• Incident Classification RA
• Incident Notification RA
• Incident Response RA
• Tracking or Tracing RA
Security Management Services
• Executive Security Reporting RA
Secondary Enabler
Proactive Security Services
• Penetration Test RA
• Security Audit C
• Performance Monitoring I
• Fault Monitoring I
• Policy Compliance C
• Security Hotline RA
• Security Device Configuration A
• Security Device Maintenance A
• Patch Management C
• Endpoint Security A
• Hardening C
Incident Handling Services
• Incident Recovery C
• Forensics Evidence Collection RA
• Forensics Analysis RA
• Post Mortem Analysis RA
Security Management Services
• Technology Watch C
• Countermeasures Selection C
• Asset Inventory CI
• Business Impact Analysis I
• Risk Assessment CI
• Security Consulting C
• Awareness C
• Business Continuity C
• Policy Planning C
• Risk Management I
• Education/Training C
• Certification C
RACI: Responsible, Accountable, Consulted, Informed
Company’s Functions: connecting to other departments
Having a Cyber Defence Centre disconnected from the other company functions is the perfect way to fail.
Define CLEAR interfaces with the other functions and build a RACI table for the company’s functions as well:
– Network & System
– Operations
– Security Management
– Application Development
– Customer Service
– Legal Issue
– Public Relations
– Human Resource
– …
Services Sourcing Strategy
SOC Services Catalog (Based on CDC-MS Model)
SOC Services – Sourcing Strategy
• Monitoring. Services and processes that have the main goal in the control and security supervision.
• Advisoring. Consulting and notification services mainly towards entities external to the CDC (e.g. other internal departments, customers or third parties). They are essential to provide information about the organization security trends or referred to the external security threats (e.g. worms, vulnerabilities, exploits, etc.)
• Managing. Hands-on and strategic services to provide operational and security management
CDC Services Sourcing Strategies
• Regulatory Compliance demand
• Mandatory for large enterprises
• Needs to be managed internally to improve Governance
• Services performed on a maturity and risk tolerance basis
• CAPEX & OPEX investments
• Recommended for Government, Telco & Finance (medium and large Enterprise)
• More overall control
• Industry Regulations
• Substantial risk reduction with less operational costs
• Fixed Annual Fee (Only OPEX)
• Quick win results
• Reduce operational costs and skills shortages
• Scalability for any midsize company
• Multiple sites
• Hard to externalize
• Finance and Critical Infrastructure should keep all services internally
• Services should be provided through skilled resources
The People Bit
• Service Levels commonly adopted:
– 8 x 5
– 12 x 5
– 24 x 7 (reduced coverage during night)
• Primary Enabler Services focused:
– Incident Handling
– Proactive – Monitoring & Alerting
– Proactive – Management
• Roles:
– Operator
– Analyst
– Specialist
The People Bit: How many people and which roles do we need?
1. Determine the minimum number of people for one shift.
2. Determine the number of FTE according to the desired coverage model, considering a reduced coverage during the night shift and people availability.
3. Determine coverage considering reduced coverage during the night and people availability.
The People Bit: Evaluating the number of resources needed
Per shift:
<Resources> = <# devices> / <Device Ratio>
<Device Ratio> = devices handled by one resource (it depends on the device and on the resource).
<FTE> = <# resources> x <# hours per year>
<# hours per year> = <# hours per day> x <# days per week> x <# weeks per year>
Overall:
<Overall number of people> = <Tot. FTE> / <FTE per person*>
* Includes 5 days for training, 5 days sickness, 20 days PTO.
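The staffing arithmetic above, as an added worked example (not from the slides): it assumes 52 weeks per year and an 8 x 5 contract for the per-person FTE, subtracts the 30 unavailable days from the footnote, and rounds resources and headcount up to whole people; the device ratio of 50 is an assumed value.

```python
import math

# Coverage models from the slide: (hours per day, days per week).
# 24x7 is taken at face value here; "reduced coverage during night" would be
# modelled by lowering the per-shift resources for the night hours.
COVERAGE_MODELS = {"8x5": (8, 5), "12x5": (12, 5), "24x7": (24, 7)}
WEEKS_PER_YEAR = 52  # assumption, not stated on the slide


def resources_per_shift(devices, device_ratio):
    """<Resources> = <# devices> / <Device Ratio>, rounded up (no fractional people)."""
    if device_ratio <= 0:
        raise ValueError("device ratio must be positive")
    return math.ceil(devices / device_ratio)


def hours_per_year(hours_per_day, days_per_week, weeks_per_year=WEEKS_PER_YEAR):
    """<# hours per year> = <# hours per day> x <# days per week> x <# weeks per year>."""
    return hours_per_day * days_per_week * weeks_per_year


def fte_per_person(training_days=5, sick_days=5, pto_days=20, hours_per_day=8):
    """Productive hours one person delivers per year on an assumed 8x5 contract,
    minus the 5 training, 5 sickness and 20 PTO days from the slide footnote."""
    contract_hours = hours_per_year(hours_per_day, 5)
    return contract_hours - (training_days + sick_days + pto_days) * hours_per_day


def staffing(devices, device_ratio, model):
    """Steps 1-3 of the slide: people per shift -> total FTE hours -> headcount."""
    hours_per_day, days_per_week = COVERAGE_MODELS[model]
    per_shift = resources_per_shift(devices, device_ratio)
    total_fte_hours = per_shift * hours_per_year(hours_per_day, days_per_week)
    people = math.ceil(total_fte_hours / fte_per_person())
    return {"resources_per_shift": per_shift,
            "total_fte_hours": total_fte_hours,
            "people": people}


def fte_per_24x7_seat():
    """People consumed by one continuously staffed seat; compare with the
    'roughly five FTEs per 24x7 seat' rule quoted later in the deck."""
    return hours_per_year(24, 7) / fte_per_person()


if __name__ == "__main__":
    # Constructed input: the >250 devices of the customer story taken as 250,
    # with an assumed ratio of 50 devices per person.
    for model in COVERAGE_MODELS:
        print(model, staffing(250, 50, model))
    print("FTE per 24x7 seat: %.2f" % fte_per_24x7_seat())
```

With these assumptions one 24x7 seat costs about 4.75 people, which is where the "roughly five FTEs" rule of thumb comes from.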
The People Bit: Organization hierarchy
SOC Manager
– Team Leader
– Team Leader
Roles, as laid out on the slide over the three streams (Incident Handling | Proactive Monitoring & Alert | Proactive Management):
– Analyst, Operator
– Analyst, Operator
– Specialist, Specialist, Specialist
The People Bit: Certifications/skills and people retention
• Finding people with the right skills is really hard. DO NOT SETTLE!
• Build a skill matrix for every role in your Cyber Defense Center and be sure to have a clear Career Path in place.
• 40% of people working in a CDC leave the company after 18/24 months:
– Motivate them
– Motivate them
– Motivate them
• Make them feel like ROCKSTARs!
To “24x7” or not to “24x7”: That is NOT the question
• 24x7 Operation MUST maintain a minimum staff of TWO analysts at all times:
– Two-person integrity is a best practice in monitoring since having only one person there with access to a lot of sensitive data and systems can present problems, no matter how well-vetted the employees.
– There are logistical and safety concerns with keeping the floor staffed and secured when someone needs to leave the room.
– With multiple analysts always on shift, they can cross-check each other’s work. Being the sole person on shift can be very lonely and monotonous.
– Each 24x7 seat requires roughly five FTEs, including fill-in for vacation and sick leave.
– This is very expensive compared to 8x5, 12x5, or even 12x7 staffing.
– Assuming a minimum of two filled analyst seats, that means roughly 10 FTEs.
Source: Ten Strategies of a World-Class CyberSecurity Operations Center
24x7 coverage: The Emergency Room Example – 1 Analyst
Weeks 1–3:
          M    T    W    T    F    S    S    M    T    W    T    F    S    S    M    T    W    T    F    S    S
Analyst1  A    M/N  K    O    O    A    M/N  K    O    O    A    M/N  K    O    O    A    M/N  K    O    O    A
Analyst2  M/N  K    O    O    A    M/N  K    O    O    A    M/N  K    O    O    A    M/N  K    O    O    A    M/N
Analyst3  O    A    M/N  K    O    O    A    M/N  K    O    O    A    M/N  K    O    O    A    M/N  K    O    O
Analyst4  K    O    O    A    M/N  K    O    O    A    M/N  K    O    O    A    M/N  K    O    O    A    M/N  K
Analyst5  O    O    A    M/N  K    O    O    A    M/N  K    O    O    A    M/N  K    O    O    A    M/N  K    O
Weeks 4–5:
          M    T    W    T    F    S    S    M    T    W    T    F    S    S
Analyst1  M/N  K    O    O    A    M/N  K    O    O    A    M/N  K    O    O
Analyst2  K    O    O    A    M/N  K    O    O    A    M/N  K    O    O    A
Analyst3  A    M/N  K    O    O    A    M/N  K    O    O    A    M/N  K    O
Analyst4  O    O    A    M/N  K    O    O    A    M/N  K    O    O    A    M/N
Analyst5  O    A    M/N  K    O    O    A    M/N  K    O    O    A    M/N  K
Shifts:
Morning (M) 07.00 – 14.00
Afternoon (A) 14.00 – 21.00
Night (N) 21.00 – 00.00
Knock off (K) 00.00 – 07.00
Off Shift (O) 00.00 – 00.00
This is very expensive compared to 8x5, 12x5, or even 12x7 staffing.
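The rotation above, as an added example (not from the deck): it encodes each analyst's 5-day cycle and the start offset read off the table, assumes the letter-to-shift mapping of the legend (A = Afternoon, M/N = Morning plus Night as one split shift, K = Knock off, O = Off), and checks that every hour of every day is covered by exactly one analyst.

```python
# Shift codes with the hours they cover as [start, end) on a 24h clock.
# M/N is a split shift: Morning 07.00-14.00 plus Night 21.00-00.00 (assumed reading of the legend).
SHIFT_HOURS = {
    "A":   [(14, 21)],            # Afternoon
    "M/N": [(7, 14), (21, 24)],   # Morning + Night
    "K":   [(0, 7)],              # Knock off (00.00 - 07.00)
    "O":   [],                    # Off shift
}

# Every analyst repeats the same 5-day cycle; only the starting point differs.
CYCLE = ["A", "M/N", "K", "O", "O"]
# Start offsets read off the table (Analyst3 starts on "O", cycle index 4, and so on).
OFFSETS = {"Analyst1": 0, "Analyst2": 1, "Analyst3": 4, "Analyst4": 2, "Analyst5": 3}


def schedule(days, offsets=OFFSETS):
    """Shift code for each analyst on each of the first `days` days of the rotation."""
    return {name: [CYCLE[(offset + d) % len(CYCLE)] for d in range(days)]
            for name, offset in offsets.items()}


def hourly_headcount(sched, day):
    """How many analysts are on the floor during each hour of the given day."""
    count = [0] * 24
    for shifts in sched.values():
        for start, end in SHIFT_HOURS[shifts[day]]:
            for hour in range(start, end):
                count[hour] += 1
    return count


def coverage_ok(days=35, offsets=OFFSETS):
    """True when every hour of every day has exactly one analyst (the 1-seat ER model):
    no gap in the 24x7 coverage and no hour paid for twice."""
    sched = schedule(days, offsets)
    return all(hourly_headcount(sched, day) == [1] * 24 for day in range(days))


def days_worked(name, days=35):
    """Working days for one analyst over the period: 3 of every 5 under this cycle."""
    return sum(code != "O" for code in schedule(days)[name])


if __name__ == "__main__":
    print("24x7 covered by one seat:", coverage_ok())
    for name, row in schedule(21).items():
        print(name, " ".join(row))
```

Giving two analysts the same offset makes one shift double-staffed and another empty on the same day, which coverage_ok reports as False; the five distinct offsets are what make the table work.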
Building a Cyber Defense Center
Challenges of Any Security Operations Center
• Threat Evolution
– Complexity of managing a CDC has increased exponentially
– Inside and outside threats
– Requires having global visibility and superior knowledge to detect
• Complex Monitoring
– CDC monitoring operations are not about perimeter protection anymore (Firewalls, IPS, IDS, Proxy, Applications, IAM, etc.)
– Tens of millions of daily logs that must be monitored, analyzed and correlated.
• Staffing
– Quality staff is hard to find and retain. Don’t Settle
– 24/7 Shifts are difficult to achieve – Good people don’t work on Shifts
– Hard to develop a career plan for the resources
SOC functions (diagram): Log Monitoring, Incident Detection, Incident Response, Proactive Prevention, Predictive Protection, Security Management
SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY
Main Customer’s needs: Seem similar, but are really different
Cyber Security Attack Monitoring:
• 24x7 coverage is required
• High Number of Rules
• Continuous Tuning of Rules
• Rules are usually Standard
• Up-to-date Intelligence is a MUST
• Hard to Maintain & Fine-Tune
• Requires FW, IPS, STAP, Proxy, WAF, AV logs
• Incident Response is usually handled by IT or OPS
Compliance/Fraud Management:
• 8x5 or 12x5 is required
• Medium/Low Number of Rules
• Rules updated as Standards Change
• Big need for Custom Rules
• Intelligence usually not required
• Affordable to maintain & fine-tune
• Requires custom applications and server logs
• Incident Response is usually handled by the Risk/Compliance Department
Why do customers fail such projects? The original SIN – 3 steps to fail
1. The Customer usually gets budget allocated in order to:
– Comply with market standards
– Comply with Regulatory requirements
– Implement Fraud Management
2. SIEM is usually the technology chosen in a similar context. The project GANTT usually spans 2-6 months.
3. Appetite comes with eating: the Customer starts implementing Cyber Security Attack Monitoring use cases. The Customer spends 18-36 months to implement and fine tune (operation is usually 8x5 or 12x5)
Why SIEM is not the right answer to every question: “a day to install, a year to operationalize”
Security maturity over time, phases A–E on the slide:
A – SIEM Implementation
B – Log Collection
C – Initial Rules Configuration
D – False Positive Reduction & Advanced Rules Configuration
E – Continuous Fine Tuning
Time to Market (A, B, C): 2 Months
SIEM Maturity (D, E): 1.5 – 2 Years
Firewalls, IPS, STAP, Proxy and WAF generate a high volume of False Positives during correlation (let’s call them noisy devices). These devices make SIEM fine tuning a nightmare.
Security Management Strategies
• Co-sourcing: Outsource certain activities to a third party whilst retaining critical components within the customer
• Outsourcing: Engage a third party to perform SOC activities on behalf of the customer
• Insourcing: Perform all the activities within the SOC from within the customer environment
Security Management Considerations
Insourcing
• Cost: High CAPEX, Variable OPEX
• Control: Internal Team Knows Environment; Potentially Most Efficient; Complex to Manage
• Time: People Recruitment, Tools Procurement
• Staff: Hard to Acquire, Retain, Train
• Risk: High Risk – Mitigated with Augmentation; Assigned to End-User
Outsourcing
• Cost: Low CAPEX, Predictive OPEX
• Control: Lack of Environment Knowledge by 3rd Party; SLA Based Services; Difficult to Terminate / Change
• Time: Handover, Service Definition and SLA Measurement
• Staff: 3rd Party Responsibility
• Risk: Medium Risk; Assigned to the Provider
Co-sourcing
• Cost: Moderate CAPEX, Predictive OPEX
• Control: Benefits of Local Knowledge and 3rd Party Expertise; Partial SLA Service; Flexible Future Change
• Time: Blended Approach
• Staff: Staff Augmentation
• Risk: Lowest Risk; Shared Between Companies
Hybrid Model
Logging devices/systems: Firewalls, IPS, WAF, OS / Applications, Web and Mail Proxies, Endpoint Protection
-> Collection
-> 24 / 7 MSSP (Off-Site), operated by the MSSP CDC: Cyber Security
-> 8 / 5 SIEM (On-Site), operated by the Customer’s Staff: Compliance
-> Incident Handling Process
What about very advanced services?!? Do not start from here… but head here.
There are many advanced services you may want to build in your Cyber Defense Center. The most common are:
• Hunting
• HoneyPotting
• Strike Back (offensive capabilities)
These services are for very mature CDCs; justifying the investment for such services will be hard without having implemented the basics.
A Customer Story
Customer CDC 1.0: Project Scope
• Outsource CDC to Symantec for Two Years
• SLA Measured Operations
• CDC Transformation for all Components
Project Components:
• CDC Operation Transition
• CDC Operation Transformed
• CDC Transformation
• CDC Field Services
• Service Delivery (PMO)
CDC 1.0: Achievements
• >40 Processes Defined for CDC Operation
• >50 SOPs (Standard Operation Procedures) for managing the CDC Devices
• 18 Members on the team, organized in three main teams: Change Management team, Administration team, Operation Team
• >250 Devices Managed for both Operation and Monitoring
• Hybrid monitoring model implemented using both Symantec MSS and Local SIEM
• ISO 27001 certification achieved
SOC 1.0: Architecture & Services Provided
Services around the CDC (grouped by the beams of the service catalog):
• Incident Handling: Incident Identification, Incident Classification, Incident Notification, Breach Response & Containment, Incident Recovery, Forensics Evidence Collection, Forensics Analysis, Tracking & Tracing, Post Mortem Analysis
• Proactive Security: Real Time Device Monitoring, Vulnerability Assessment, Penetration Test, Security Audit, Security Intelligence, Performance Monitoring, Policy Compliance, Alerting & Warning, Security Hotline, Endpoint Security, Security Device Configuration, Security Device Maintenance, Event Data Retention
• Security Management: Executive Reporting
Several of the services above are tagged FUTURE on the slide; also tagged FUTURE: SSL Provisioning Service, Security Awareness Service
Future CDC Strategy (From Outsourced to Fully Insourced)
Timeline 2012 – 2020:
• CDC 1.0 – Outsourced: 100% Operated, Managed & Controlled by Symantec
• CDC 2.0 – Co-Sourced: Some Services Operated by ACME; 30% ACME Controlled. Operate & Mature the Rest of the Services & Launch New Services while Fully Managing the CDC
• CDC 3.0 – Co-Sourced: More Services Operated by ACME; 70% ACME Controlled. Operate & Mature the Rest of the Services and Fully Manage the SOC
• CDC 4.0 – Full Control: Fully Operated by ACME; 100% ACME Controlled. Symantec Oversight & Periodic Assessments
Establishing a CERT Function
Have time for a good read? Ten Strategies of a World-Class CyberSecurity Operations Center (Carson Zimmerman):
1. Consolidate CND Under One Organization
2. Achieve Balance Between Size and Agility
3. Give the SOC the Authority to Do Its Job
4. Do a Few Things Well
5. Favor Staff Quality over Quantity
6. Maximize the Value of Technology Purchases
7. Exercise Discrimination in the Data You Gather
8. Protect the SOC Mission
9. Be a Sophisticated Consumer and Producer of Cyber Threat Intelligence
10. Stop. Think. Respond . . . Calmly
Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.