Building a Cyber Defence Centre


Transcript of Building a Cyber Defence Centre

Page 1: Building a Cyber Defence Centre

Building a Cyber Defence Centre

Antonio Forzieri EMEA Cyber Security Practice Lead

Page 2: Building a Cyber Defence Centre

Agenda

1. Introduction
2. Adopting a Well Defined Model
3. Services Sourcing Strategy
4. The People Bit
5. Building CDC
6. A Customer Story

Page 3: Building a Cyber Defence Centre

"On the morning of 7 December 1941, a radar station in Oahu, Hawaii, operated by the U.S. Army, picked up a huge blip on its instruments."

Carson Zimmerman, Ten Strategies of a World-Class CyberSecurity Operations Center

Copyright © 2014 Symantec Corporation

Page 4: Building a Cyber Defence Centre

Forrest Gump MANTRA: it happens


Page 5: Building a Cyber Defence Centre

Adopting a well defined model


Page 6: Building a Cyber Defence Centre

Reasons to Adopt an Off-the-Shelf CDC Model?

• Building a CDC is a very complex project with a high impact on the organization and on the IT/Security infrastructure.

• Adopting a comprehensive CDC model allows you to:

– Comply with widely recognized standards and industry best practices

– Define clear goals, objectives, and expectations about the CDC

– Define CDC services, functions and responsibilities, explaining them across the organization

– Define the organizational and staff model with processes, roles and responsibilities

– Define the technology infrastructure to support service delivery

– Evaluate the Return on Investment (ROI) and the growth of the service

Page 7: Building a Cyber Defence Centre

Symantec CDC Management System: Best Practices Based Model

The figure places the CDC at the centre of six model components, surrounded by a ring of Standards & Best Practices:

• Quality & Maturity
• Processes
• Services Catalog
• Organization
• Roles & Responsibilities
• Technology

Standards and best practices referenced in the figure (each is attached to one or more of the components above):

• CMU HB 001, CMU HB 002, CMU TR 001, CMU TR 015
• RFC 2350
• NIST SP 800-61
• ISO 27035:2011, ISO 27002:2006, ISO 1335:2004, ISO 21827 (CMM)
• ISF
• COBIT 5 (including its RACI guidance)
• ITIL
• ISM3

Page 8: Building a Cyber Defence Centre

CDC Management System “Components Path”

• Services Catalogue
– Service Description & Scope
• Capability Maturity Model
– Primary/Secondary Services
• Main Processes
– Process Diagrams
– Process Tables
• Roles & Responsibilities (RACI)
• Technical & Organizational Model
• Well-defined CDC Model

Page 10: Building a Cyber Defence Centre

Cyber Defense Center Service Catalog: Successful Components

Monitoring: services and processes whose main goal is control and security supervision. No operative tasks.

Advisoring: consulting and notification services, mainly towards external third parties. Essential to provide information about the organization's security trends or about external security threats.

Managing: hands-on and strategic services that provide operational and security management.

Page 11: Building a Cyber Defence Centre

Cyber Defense Center Service Catalog: Successful Components (service matrix)

Monitoring
– Incident Handling: Incident Identification, Incident Classification
– Proactive Security: Real Time Device Monitor, Vulnerability Assessment, Penetration Test, Security & Compliance Audit, Security Intelligence, Performance Monitoring, Fault Monitoring, Policy Compliance
– Security Management: Business Impact Analysis, Risk Assessment, Technology Watch

Advisoring
– Incident Handling: Incident Notification
– Proactive Security: Alerting & Warning, Technical Reporting, Security Hotline
– Security Management: Executive Reporting, Security Consulting, Awareness, Countermeasures Selection

Managing
– Incident Handling: Incident Response & Containment, Incident Recovery, Forensics Evidence Collection, Forensics Analysis, Tracking & Tracing, Post Mortem Analysis
– Proactive Security: Secure Device Configuration, Secure Device Maintenance, Policy Management, Policy Enforcement, Patch Management, Events Data Retention, Endpoint Management, Hardening
– Security Management: Business Continuity, Asset Inventory, Policy Planning, Risk Management, Education/Training, Certification

Page 12: Building a Cyber Defence Centre

Capability Maturity Model: CDC Services (Security Operation Center – Capability and Maturity Model)

Rows: Incident Handling, Proactive Security, Security Management. Columns (maturity levels): Initial, Aware, Defined, Managed, Optimized.

Initial
– Proactive Security: RT Device Monitoring, Alerting & Warning, Policy Management, Policy Enforcement
– Incident Handling: Incident Identification, Incident Notification, Incident Response

Aware
– Proactive Security: Vulnerability Assessment, Penetration Test, Security Intelligence, Technical Reporting, Event Data Retention
– Incident Handling: Incident Classification, Tracking & Tracing
– Security Management: Security Awareness, Executive Security Reporting

Defined
– Proactive Security: Security Device Config., Security Device Maintenance
– Incident Handling: Incident Recovery
– Security Management: Business Impact Analysis, Risk Assessment, Asset Inventory

Managed
– Proactive Security: Fault Monitoring, Patch Management, End Point Security, Hardening
– Incident Handling: Forensics Evidence Collection, Post-mortem Analysis
– Security Management: Technology Watch, Security Consulting, Countermeasures Selection, Risk Management

Optimized
– Proactive Security: Security Audit, Performance Monitoring, Policy Compliance, Security Hotline
– Incident Handling: Forensics Analysis
– Security Management: Business Continuity, Policy Planning, Education/Training, Certification

Page 13: Building a Cyber Defence Centre

Services Classification: Primary/Secondary Enabler

SOC – Primary/Secondary Enabler Service Framework (the letters in brackets give the CDC's RACI role for each service)

Proactive Security Services

Primary Enabler:
• RTM Device Monitoring (RA)
• Vulnerability Assessment (RA)
• Security Intelligence (RA)
• Alerting & Warning (RA)
• Technical Reporting (RA)
• Policy Management (RA)
• Policy Enforcement (RA)
• Event Data Retention (RA)

Secondary Enabler:
• Penetration Test (RA)
• Security Audit (C)
• Performance Monitoring (I)
• Fault Monitoring (I)
• Policy Compliance (C)
• Security Hotline (RA)
• Security Device Configuration (A)
• Security Device Maintenance (A)
• Patch Management (C)
• Endpoint Security (A)
• Hardening (C)

Incident Handling Services

Primary Enabler:
• Incident Identification (RA)
• Incident Classification (RA)
• Incident Notification (RA)
• Incident Response (RA)
• Tracking & Tracing (RA)

Secondary Enabler:
• Incident Recovery (C)
• Forensics Evidence Collection (RA)
• Forensics Analysis (RA)
• Post Mortem Analysis (RA)

Security Management Services

Primary Enabler: none listed

Secondary Enabler:
• Technology Watch (C)
• Countermeasures Selection (C)
• Asset Inventory (CI)
• Business Impact Analysis (I)
• Risk Assessment (CI)
• Security Consulting (C)
• Awareness (C)
• Business Continuity (C)
• Policy Planning (C)
• Risk Management (I)
• Education/Training (C)
• Certification (C)
• Executive Security Reporting (RA)

RACI: Responsible, Accountable, Consulted, Informed

Page 14: Building a Cyber Defence Centre

Company Functions: connecting to other departments

Having a Cyber Defence Centre disconnected from other company functions is the perfect way to fail.

Define CLEAR interfaces with the other functions and build a RACI table for company functions as well:

– Network & System
– Operations
– Security Management
– Application Development
– Customer Service
– Legal
– Public Relations
– Human Resources
– …

Page 15: Building a Cyber Defence Centre

Services Sourcing Strategy


Page 16: Building a Cyber Defence Centre

SOC Services Catalog (Based on CDC-MS Model)

SOC Services – Sourcing Strategy

• Monitoring. Services and processes whose main goal is control and security oversight.

• Advisoring. Consulting and notification services, mainly towards entities external to the CDC (e.g. other internal departments, customers or third parties). They are essential to provide information about the organization's security trends or about external security threats (e.g. worms, vulnerabilities, exploits, etc.).

• Managing. Hands-on and strategic services that provide operational and security management.

Page 17: Building a Cyber Defence Centre

CDC Services Sourcing Strategies


Page 18: Building a Cyber Defence Centre

CDC Services Sourcing Strategies

• Regulatory Compliance demand
• Mandatory for large enterprises
• Needs to be managed internally to improve Governance
• Services performed on a maturity and risk tolerance basis
• CAPEX & OPEX investments
• Recommended for Government, Telco & Finance (medium and large Enterprise)
• More overall control

• Industry Regulations
• Substantial risk reduction with lower operational costs
• Fixed Annual Fee (Only OPEX)
• Quick win results
• Reduces operational costs and skills shortages
• Scalability for any midsize company
• Multiple sites

• Hard to externalize
• Finance and Critical Infrastructure should keep all services internal
• Services should be provided through skilled resources

Page 19: Building a Cyber Defence Centre

The People Bit


Page 20: Building a Cyber Defence Centre

The People Bit: How many people and which role do we need?

• Service Levels commonly adopted:
– 8 x 5
– 12 x 5
– 24 x 7 (reduced coverage during night)

• Primary Enabler Services focused:
– Incident Handling
– Proactive – Monitoring & Alerting
– Proactive – Management

• Roles:
– Operator
– Analyst
– Specialist

Page 21: Building a Cyber Defence Centre

The People Bit: Evaluating the number of resources needed

1. Determine the minimum number of people for one shift.

2. Determine the number of FTE according to the desired coverage model, considering a reduced coverage during night shift and availability.

3. Determine coverage considering reduced coverage during night and people availability.

<Resources> (per shift) = <# devices> / <Device Ratio>

<Device Ratio> = devices handled by one resource (it depends on the device and on the resource).

<FTE> = <# resources> x <# hours per year>

<# hours per year> = <# hours per day> x <# days per week> x <# weeks per year>

<Overall number of people> = <Tot. FTE> / <FTE per person*>

* Includes 5 days for training, 5 days sickness, 20 days PTO.
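As an added worked example (not part of the deck), the Python below applies the formulas above to constructed inputs (250 devices, a device ratio of 50, an 8-hour working day) across the coverage models listed on the previous slide, including a 24x7 model whose night hours run at reduced staffing; it also reproduces the figure of roughly five FTEs per 24x7 seat quoted later in the deck.

```python
"""Worked CDC staffing estimate (added example, not from the original deck).
The device count, device ratio and 8-hour working day are constructed inputs."""
from dataclasses import dataclass
from math import ceil

WEEKS_PER_YEAR = 52
HOURS_PER_WORKING_DAY = 8      # assumption: hours one person delivers per working day


@dataclass(frozen=True)
class CoverageModel:
    """A coverage model: hours/day, days/week, and how many of those hours
    run at reduced staffing (night_hours) and with what share (night_factor)."""
    name: str
    hours_per_day: int
    days_per_week: int
    night_hours: int = 0
    night_factor: float = 1.0


EIGHT_BY_FIVE = CoverageModel("8x5", 8, 5)
TWELVE_BY_FIVE = CoverageModel("12x5", 12, 5)
TWENTY_FOUR_BY_SEVEN = CoverageModel("24x7", 24, 7)
# Night hours 00:00-07:00 staffed at half strength (step 3 on the slide).
REDUCED_NIGHT = CoverageModel("24x7, half staff 00-07", 24, 7, night_hours=7, night_factor=0.5)


def resources_per_shift(num_devices: int, device_ratio: int) -> float:
    """<Resources> = <# devices> / <Device Ratio>."""
    return num_devices / device_ratio


def hours_per_year(model: CoverageModel) -> float:
    """<# hours per year> = <# hours per day> x <# days per week> x <# weeks per year>,
    with the reduced-coverage night hours weighted by night_factor."""
    day_hours = model.hours_per_day - model.night_hours
    weighted_hours_per_day = day_hours + model.night_hours * model.night_factor
    return weighted_hours_per_day * model.days_per_week * WEEKS_PER_YEAR


def fte_hours_per_person(training_days=5, sickness_days=5, pto_days=20) -> int:
    """Hours one person can actually deliver per year, after the absences the
    slide lists (5 training, 5 sickness, 20 PTO days)."""
    working_days = 5 * WEEKS_PER_YEAR - (training_days + sickness_days + pto_days)
    return working_days * HOURS_PER_WORKING_DAY


def total_fte_hours(num_devices: int, device_ratio: int, model: CoverageModel) -> float:
    """<FTE> = <# resources> x <# hours per year>."""
    return resources_per_shift(num_devices, device_ratio) * hours_per_year(model)


def people_needed(num_devices: int, device_ratio: int, model: CoverageModel) -> int:
    """<Overall number of people> = <Tot. FTE> / <FTE per person>, rounded up
    because you cannot hire a fraction of an analyst."""
    return ceil(total_fte_hours(num_devices, device_ratio, model) / fte_hours_per_person())


if __name__ == "__main__":
    devices, ratio = 250, 50     # constructed: 250 devices, 50 per resource
    print(f"{resources_per_shift(devices, ratio):.0f} resources per shift, "
          f"{fte_hours_per_person()} deliverable hours per person per year")
    for m in (EIGHT_BY_FIVE, TWELVE_BY_FIVE, TWENTY_FOUR_BY_SEVEN, REDUCED_NIGHT):
        print(f"{m.name:24} {total_fte_hours(devices, ratio, m):8.0f} h/year "
              f"-> {people_needed(devices, ratio, m)} people")
    # One 24x7 seat alone comes out at 8736 / 1840 = 4.75, i.e. roughly five FTEs.
    print(f"one 24x7 seat -> {people_needed(1, 1, TWENTY_FOUR_BY_SEVEN)} people")
```

Note that even 8x5 coverage needs more people than seats (6 for 5 seats here), because the 30 absence days per person are subtracted before dividing.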

Page 22: Building a Cyber Defence Centre

The People Bit: Organization hierarchy

SOC Manager
– Team Leaders (two in the figure)
– Incident Handling: Analyst, Operator
– Proactive Monitoring & Alert: Analyst, Operator
– Proactive Management: Specialist, Specialist, Specialist

Page 23: Building a Cyber Defence Centre

The People Bit: Certifications/skills and people retention

• Finding people with the right skills is really hard. DO NOT SETTLE!

• Build a skill matrix for every role in your Cyber Defense Center and be sure to have a clear Career Path in place.

• 40% of people working in a CDC leave the company after 18/24 months:
– Motivate them
– Motivate them
– Motivate them

• Make them feel like ROCKSTARs!

Page 24: Building a Cyber Defence Centre

To “24x7” or not to “24x7”: that is NOT the question

• 24x7 operation MUST maintain a minimum staff of TWO analysts at all times:

– Two-person integrity is a best practice in monitoring, since having only one person there with access to a lot of sensitive data and systems can present problems, no matter how well-vetted the employees.

– There are logistical and safety concerns with keeping the floor staffed and secured when someone needs to leave the room.

– With multiple analysts always on shift, they can cross-check each other’s work. Being the sole person on shift can be very lonely and monotonous.

– Each 24x7 seat requires roughly five FTEs, including fill-in for vacation and sick leave.

– This is very expensive compared to 8x5, 12x5, or even 12x7 staffing.

– Assuming a minimum of two filled analyst seats, that means roughly 10 FTEs.

Source: Ten Strategies of a World-Class CyberSecurity Operations Center

Page 25: Building a Cyber Defence Centre

24x7 coverage: The Emergency Room Example – 1 Analyst

          Week 1                      Week 2                      Week 3
          M   T   W   T   F   S   S   M   T   W   T   F   S   S   M   T   W   T   F   S   S
Analyst1  A   M/N K   O   O   A   M/N K   O   O   A   M/N K   O   O   A   M/N K   O   O   A
Analyst2  M/N K   O   O   A   M/N K   O   O   A   M/N K   O   O   A   M/N K   O   O   A   M/N
Analyst3  O   A   M/N K   O   O   A   M/N K   O   O   A   M/N K   O   O   A   M/N K   O   O
Analyst4  K   O   O   A   M/N K   O   O   A   M/N K   O   O   A   M/N K   O   O   A   M/N K
Analyst5  O   O   A   M/N K   O   O   A   M/N K   O   O   A   M/N K   O   O   A   M/N K   O

          Week 4                      Week 5
          M   T   W   T   F   S   S   M   T   W   T   F   S   S
Analyst1  M/N K   O   O   A   M/N K   O   O   A   M/N K   O   O
Analyst2  K   O   O   A   M/N K   O   O   A   M/N K   O   O   A
Analyst3  A   M/N K   O   O   A   M/N K   O   O   A   M/N K   O
Analyst4  O   O   A   M/N K   O   O   A   M/N K   O   O   A   M/N
Analyst5  O   A   M/N K   O   O   A   M/N K   O   O   A   M/N K

Shift codes:
M/N  Morning 07.00 – 14.00 plus Night 21.00 – 00.00
A    Afternoon 14.00 – 21.00
K    Knock off 00.00 – 07.00
O    Off Shift 00.00 – 00.00

This is very expensive compared to 8x5, 12x5, or even 12x7 staffing.
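To check that a rota like the one above leaves no hour of the single seat empty or double-booked, here is an added Python example (not from the deck). It takes the shift codes from the slide's legend (A = Afternoon 14-21, M/N = Morning 07-14 plus Night 21-00, K = Knock off 00-07, O = off) and assumes that the K slot is the same analyst finishing the night started the previous day; the cycle and offsets are read from the five rows, but the checks work for any cycle and any set of offsets.

```python
"""Validate the 5-analyst single-seat rotation from the slide (added example,
not from the original deck). Shift codes follow the slide's legend; the
assumption that K is the same analyst finishing the night begun on the
previous day is ours, not the deck's."""
from collections import Counter

# One seat is covered by a 5-day cycle; each analyst starts at a different
# point in it. Offsets are read from the five rows of the slide.
CYCLE = ["A", "M/N", "K", "O", "O"]
OFFSETS = {"Analyst1": 0, "Analyst2": 1, "Analyst3": 4, "Analyst4": 2, "Analyst5": 3}

# Hours of the day (0-23) each code occupies: A 14-21, M/N 07-14 + 21-24,
# K 00-07, O nothing.
SHIFT_HOURS = {
    "A": set(range(14, 21)),
    "M/N": set(range(7, 14)) | set(range(21, 24)),
    "K": set(range(0, 7)),
    "O": set(),
}


def build_rota(days: int, offsets: dict = OFFSETS, cycle: list = CYCLE) -> dict:
    """Return {analyst: [shift code per day]} by rotating the cycle from each offset."""
    return {name: [cycle[(start + d) % len(cycle)] for d in range(days)]
            for name, start in offsets.items()}


def coverage_problems(rota: dict) -> list:
    """Return (day, hour, analysts_on_duty) for every hour not staffed by exactly
    one analyst: 0 means a gap in the seat, 2 or more means a double booking."""
    days = len(next(iter(rota.values())))
    problems = []
    for d in range(days):
        on_duty = Counter()
        for codes in rota.values():
            for h in SHIFT_HOURS[codes[d]]:
                on_duty[h] += 1
        problems.extend((d, h, on_duty[h]) for h in range(24) if on_duty[h] != 1)
    return problems


def night_handover_ok(rota: dict) -> bool:
    """Whoever works M/N on day d must hold K on day d+1 (second half of the
    same night), and K must never appear without the preceding M/N."""
    return all((codes[d] == "M/N") == (codes[d + 1] == "K")
               for codes in rota.values() for d in range(len(codes) - 1))


def hours_per_analyst(rota: dict) -> dict:
    """Staffed hours per analyst over the whole rota (24 h per 5-day cycle)."""
    return {name: sum(len(SHIFT_HOURS[c]) for c in codes) for name, codes in rota.items()}


if __name__ == "__main__":
    rota = build_rota(35)                      # the five weeks shown on the slide
    for name, codes in rota.items():
        print(f"{name}: {' '.join(f'{c:3}' for c in codes[:7])} ...")
    print("problems:", coverage_problems(rota) or "none")
    print("night handover consistent:", night_handover_ok(rota))
    print("hours per analyst:", hours_per_analyst(rota))
```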

Page 26: Building a Cyber Defence Centre

Building a Cyber Defense Center


Page 27: Building a Cyber Defence Centre

Challenges of Any Security Operations Center

• Threat Evolution
– Complexity of managing a CDC has increased exponentially
– Inside and outside threats
– Requires global visibility and superior knowledge to detect

• Complex Monitoring
– CDC monitoring operations are not about perimeter protection anymore (Firewalls, IPS, IDS, Proxy, Applications, IAM, etc.)
– Tens of millions of daily logs that must be monitored, analyzed and correlated

• Staffing
– Quality staff is hard to find and retain. Don’t Settle
– 24/7 shifts are difficult to achieve: good people don’t work shifts
– Hard to develop a career plan for the resources

SOC capabilities shown in the figure: Log Monitoring, Incident Detection, Incident Response, Proactive Prevention, Predictive Protection, Security Management.

SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY

Page 28: Building a Cyber Defence Centre

Main Customer’s Needs: they seem similar, but are really different

Cyber Security Attack Monitoring
• 24x7 coverage is required
• High number of rules
• Continuous tuning of rules
• Rules are usually standard
• Up-to-date intelligence is a MUST
• Hard to maintain & fine-tune
• Requires FW, IPS, STAP, Proxy, WAF, AV logs
• Incident Response is usually handled by IT or OPS

Compliance/Fraud Management
• 8x5 or 12x5 is required
• Medium/low number of rules
• Rules updated as standards change
• Big need for custom rules
• Intelligence usually not required
• Affordable to maintain & fine-tune
• Requires custom application and server logs
• Incident Response is usually the responsibility of the Risk/Compliance department

Page 29: Building a Cyber Defence Centre

Why do customers fail such projects? The original SIN – 3 steps to fail

1. The customer usually gets budget allocated in order to:
– Comply with market standards
– Comply with regulatory requirements
– Implement Fraud Management

2. SIEM is usually the technology chosen in such a context. The project GANTT usually spans 2-6 months.

3. Appetite comes with eating: the customer starts implementing Cyber Security Attack Monitoring use cases. The customer spends 18-36 months implementing and fine tuning (operation is usually 8x5 or 12x5).

Page 30: Building a Cyber Defence Centre

Why SIEM is not the right answer to every question: “a day to install, a year to operationalize”

Figure: Security (y-axis) over time, with phases A–E: SIEM Implementation, Log Collection, Initial Rules Configuration, False Positive Reduction & Advanced Rules Configuration, Continuous Fine Tuning. Time to market: 2 months. SIEM maturity: 1.5 – 2 years.

Firewalls, IPS, STAP, Proxy and WAF generate a high volume of false positives during correlation (let’s call them noisy devices). These devices make SIEM fine tuning a nightmare.

Page 31: Building a Cyber Defence Centre

Security Management Strategies

Co-sourcing: outsource certain activities to a third party whilst retaining critical components within the customer.

Outsourcing: engage a third party to perform SOC activities on behalf of the customer.

Insourcing: perform all the activities within the SOC from within the customer environment.

Page 32: Building a Cyber Defence Centre

Security Management Considerations

Insourcing
• Cost: High CAPEX; Variable OPEX
• Control: Internal Team Knows Environment; Potentially Most Efficient; Complex to Manage
• Time: People Recruitment, Tools Procurement
• Staff: Hard to Acquire, Retain, Train
• Risk: High Risk – Mitigated with Augmentation; Assigned to End-User

Outsourcing
• Cost: Low CAPEX; Predictable OPEX
• Control: Lack of Environment Knowledge by 3rd Party; SLA Based Services; Difficult to Terminate / Change
• Time: Handover, Service Definition and SLA Measurement
• Staff: 3rd Party Responsibility
• Risk: Medium Risk; Assigned to the Provider

Co-sourcing
• Cost: Moderate CAPEX; Predictable OPEX
• Control: Benefits of Local Knowledge and 3rd Party Expertise; Partial SLA Service; Flexible Future Change
• Time: Blended Approach
• Staff: Staff Augmentation
• Risk: Lowest Risk; Shared Between Companies

Page 33: Building a Cyber Defence Centre

Hybrid Model

Logging devices/systems: Firewalls, IPS, WAF, OS / Applications, Web and Mail Proxies, Endpoint Protection.

Collection feeds two monitoring paths:
• 8/5 SIEM (On-Site), operated by the customer’s staff – Compliance
• 24/7 MSSP (Off-Site), operated by the MSSP CDC – Cyber Security

Both paths feed the Incident Handling Process.

Page 34: Building a Cyber Defence Centre

What about very advanced services?!? Do not start from here… but head here.

There are many advanced services you may want to build in your Cyber Defense Center. The most common are:

• Hunting
• HoneyPotting
• Strike Back (offensive capabilities)

These services are for very mature CDCs; justifying the investment in them will be hard without having implemented the basics.

Page 35: Building a Cyber Defence Centre

A Customer Story

Page 36: Building a Cyber Defence Centre

Customer CDC 1.0: Project Scope

• Outsource CDC to Symantec for Two Years
• SLA Measured Operations
• CDC Transformation for all Components

Project Components: CDC Operation Transition, CDC Operation Transformed, CDC Transformation, CDC Field Services, Service Delivery (PMO)

Page 37: Building a Cyber Defence Centre

CDC 1.0: Achievements

• >40 processes defined for CDC operation
• >50 SOPs (Standard Operating Procedures) for managing the CDC devices
• 18 members on the team, organized in three main teams: Change Management team, Administration team, Operation team
• >250 devices managed for both operation and monitoring
• Hybrid monitoring model implemented using both Symantec MSS and a local SIEM
• ISO 27001 certification achieved

Page 38: Building a Cyber Defence Centre

SOC 1.0: Architecture & Services Provided

Services arranged around the CDC in the figure:

• Incident Identification
• Incident Classification
• Incident Notification
• Breach Response & Containment
• Incident Recovery
• Forensics Evidence Collection
• Forensics Analysis
• Tracking & Tracing
• Post Mortem Analysis
• Real Time Device Monitoring
• Vulnerability Assessment
• Penetration Test
• Security Audit
• Security Intelligence
• Performance Monitoring
• Policy Compliance
• Alerting & Warning
• Security Hotline
• Endpoint Security
• Security Device Configuration
• Security Device Maintenance
• Event Data Retention
• Executive Reporting
• SSL Provisioning Service (FUTURE)
• Security Awareness Service (FUTURE)

The figure marks eleven further services as FUTURE, but the extraction does not preserve which ones.

Page 39: Building a Cyber Defence Centre

Future CDC Strategy (From Outsourced to Fully Insourced)

Timeline: 2012 – 2020

• CDC 1.0 – Outsourced: 100% Operated, Managed & Controlled by Symantec
• CDC 2.0 – Co-Sourced: Some Services Operated by ACME; 30% ACME Controlled. Operate & Mature the Rest of the Services & Launch New Services while Fully Managing the CDC
• CDC 3.0 – Co-Sourced: More Services Operated by ACME; 70% ACME Controlled. Operate & Mature the Rest of the Services and Fully Manage the SOC
• CDC 4.0 – Full Control: Fully Operated by ACME; 100% ACME Controlled. Symantec Oversight & Periodic Assessments

Establishing a CERT Function

Page 40: Building a Cyber Defence Centre
Page 41: Building a Cyber Defence Centre

Have time for a good read?

1. Consolidate CND Under One Organization

2. Achieve Balance Between Size and Agility

3. Give the SOC the Authority to Do Its Job

4. Do a Few Things Well

5. Favor Staff Quality over Quantity

6. Maximize the Value of Technology Purchases

7. Exercise Discrimination in the Data You Gather

8. Protect the SOC Mission

9. Be a Sophisticated Consumer and Producer of Cyber Threat Intelligence

10. Stop. Think. Respond . . . Calmly

Page 42: Building a Cyber Defence Centre

Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.