Building and Instrumenting the Next-Generation Security Operations Center (webinar slides and transcript)
Featured Speakers
Our knowledgeable speakers today are:
Moderator: Tim Wilson, Editor in Chief, Dark Reading
Roselle Safran, Co-founder & CEO, Uplevel Security
Chris Petersen, Co-founder, SVP of Customer Care & CTO, LogRhythm
BUILDING AND INSTRUMENTING THE NEXT-GENERATION SECURITY OPERATIONS CENTER
OCTOBER 11TH, 2016
BACKGROUND
Roselle [email protected]
www.uplevelsecurity.com @uplevelsecurity
• DHS/US-CERT
• Uplevel Security
• Ernst & Young
• Executive Office of the President
PURPOSE OF A SECURITY OPERATIONS CENTER (SOC)
A SOC protects the confidentiality, integrity and availability of the organization’s information systems and assets.
Prevent / Detect / Respond
NEXT-GENERATION SOC KEY CHARACTERISTICS
A Next-Gen SOC uses a systematic approach to optimize the abilities of its people, the capabilities of technology, and the structure of processes to most effectively protect the confidentiality, integrity and availability of the organization’s information systems and assets against an increasingly varied, adaptive and sophisticated set of adversaries.
A Next-Gen SOC follows the TRAIL:
• Thoroughly scoped
• Resilient by design
• Automated to streamline
• Intelligence-driven
• Learning continuously
THOROUGHLY SCOPED
• Devised and assembled in a comprehensive and holistic manner
THOROUGHLY SCOPED: PEOPLE
• Analysts: Tier 1, Tier 2, Tier 3
• Insider Threat
• Other Business Units
THOROUGHLY SCOPED: TECHNOLOGY
FOUNDATIONAL
• Prevent: Network Traffic Filter, Email Filter, Endpoint Filter, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt
• Detect: Log Management, Network Monitor, Endpoint Monitor, Email Monitor
• Respond: Network Investigate, Endpoint Investigate, Email Investigate, Alert/Case Management
ADVANCED
• Layered on top of the foundational elements
THOROUGHLY SCOPED: PROCESSES
Processes that surround the SOC’s people and technology:
• Policies: IT use, retention, etc.
• Playbooks: prevent, detect, respond, etc.
• Performance Metrics: managerial, operational, etc.
• Plans: incident response, business continuity, exercises, etc.
THOROUGHLY SCOPED (summary)
* People
- Analysts (Tiers 1, 2, 3)
- Other business units
- Insider threat
* Technology
- Foundational elements
-- Prevention: email, network traffic, endpoint filter; vulnerability management; inventory management
-- Detection: email, network traffic, endpoint monitor; log management
-- Response: email, network traffic, endpoint investigate; centralized ticket/case management
- Advanced elements layered on top
* Processes
- Define policies (IT use, retention, etc.)
- Define playbooks (prevention, detection, response, etc.)
- Define metrics (managerial, operational, etc.)
- Define plans (incident response, business continuity, exercises, etc.)
RESILIENT BY DESIGN
• Structured to efficiently adapt to new and challenging tactical, operational and strategic situations
RESILIENT BY DESIGN: PEOPLE
• Analysts: Tier 1, Tier 2, Tier 3
• Insider Threat
• Engineering
• Red Team
• Other Business Units
RESILIENT BY DESIGN: TECHNOLOGY
FOUNDATIONAL
• Prevent: Network Traffic Filter, Email Filter, Endpoint Filter, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt
• Detect: Log Management, Network Monitor, Endpoint Monitor, Email Monitor
• Respond: Network Investigate, Endpoint Investigate, Email Investigate, Alert/Case Management
ADVANCED
• Pen Testing
• Respond: Triage, Remediate/Mitigate (full incident response lifecycle)
• Enterprise-specific modules: Cloud Filter, Cloud Monitor, Mobile Device Management, Webserver Filter, App/DB Monitor, Phys Sec Monitor
• In Cloud (private cloud infrastructure)
RESILIENT BY DESIGN: PROCESSES
• Policies: IT use, retention, etc.
• Playbooks: prevent, detect, respond, etc.
• Performance Metrics: managerial, operational, etc.
• Plans: incident response, business continuity, exercises, etc.
Implement / Train / Assess / Update cycle:
• Implement technology
• Train all team members as new tech and info arrive
• Assess playbooks and plans with periodic exercises
• Update playbooks and plans when adding tech and after assessments
RESILIENT BY DESIGN (summary)
* People
- Engineering
- Red Team
- 24x7 or follow the sun
* Technology
- Penetration testing
- Full incident response lifecycle coverage (triage, investigate, remediate/mitigate)
- Private cloud infrastructure
- Modular approach to adding enterprise-specific technology
-- Mobile device management
-- Cloud filter and monitor
-- Webserver filter
-- Application, database monitor
-- Physical security monitor
* Processes
- Train all team members as new tech and info arrive
- Assess playbooks and plans with periodic exercises
- Update playbooks and plans when adding tech and after assessments
- Implement technology
AUTOMATED TO STREAMLINE
• Utilizing machine capabilities in place of human involvement when applicable for productivity gains
AUTOMATED TO STREAMLINE: PEOPLE
• Analysts: Tier 1, Tier 2, Tier 3
• Insider Threat
• Engineering
• Red Team
• Hunters
• Other Business Units
AUTOMATED TO STREAMLINE: TECHNOLOGY
FOUNDATIONAL
• Prevent: Network Traffic Filter, Email Filter, Endpoint Filter, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt
• Detect: Log Management, Network Monitor, Endpoint Monitor, Email Monitor
• Respond: Network Investigate, Endpoint Investigate, Email Investigate, Alert/Case Management
ADVANCED
• Pen Testing
• Respond: Triage, Remediate/Mitigate
• Enterprise-specific modules: Cloud Filter, Cloud Monitor, Mobile Device Management, Webserver Filter, App/DB Monitor, Phys Sec Monitor
• Automation: Sandbox, Graph Analysis, Playbook Orchestration/Execution, Response Tracking
• In Cloud
AUTOMATED TO STREAMLINE: PROCESSES
• Policies: IT use, retention, etc.
• Playbooks (w/ automation): prevent, detect, respond, etc.
• Performance Metrics: managerial, operational, etc.
• Plans: incident response, business continuity, exercises, etc.
Implement / Train / Assess / Update cycle:
• Implement technology
• Train Tier 1 Analysts for new roles
• Assess automation tech periodically
• Update playbooks when adding tech
• Update metrics when adding tech
AUTOMATED TO STREAMLINE (summary)
* People
- Tier 1 roles eliminated
- Tier 1 Analysts move to advanced work
- Hunters
* Technology
- Sandbox
- Graph analysis
- Playbook orchestration and execution
- Response tracking
* Processes
- Train Tier 1 Analysts for new roles
- Assess automation tech periodically
- Update playbooks when adding tech
- Update metrics when adding tech
- Implement technology
INTELLIGENCE-DRIVEN
• Applying relevant, timely and actionable information to the appropriate aspects of operations
INTELLIGENCE-DRIVEN: PEOPLE
• Analysts: Tier 1, Tier 2, Tier 3
• Insider Threat
• Engineering
• Red Team
• Hunters
• Threat Intel
• Other Business Units
INTELLIGENCE-DRIVEN: TECHNOLOGY
FOUNDATIONAL
• Prevent: Network Traffic Filter, Email Filter, Endpoint Filter, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt
• Detect: Log Management, Network Monitor, Endpoint Monitor, Email Monitor
• Respond: Network Investigate, Endpoint Investigate, Email Investigate, Alert/Case Management
ADVANCED
• Pen Testing
• Respond: Triage, Remediate/Mitigate
• Enterprise-specific modules: Cloud Filter, Cloud Monitor, Mobile Device Management, Webserver Filter, App/DB Monitor, Phys Sec Monitor
• Automation: Sandbox, Graph Analysis, Playbook Orchestration/Execution, Response Tracking
• Threat Intel: Management, Scoring, Report Generation
• In Cloud
INTELLIGENCE-DRIVEN: PROCESSES
• Policies: IT use, retention, etc.
• Playbooks (w/ automation, w/ intel): prevent, detect, respond, etc.
• Performance Metrics (+ data): managerial, operational, etc.
• Plans: incident response, business continuity, exercises, etc.
Implement / Train / Assess / Update cycle:
• Implement technology
• Train TI analysts on gathering intel, rest of team on using TI
• Assess feeds and sources periodically
• Update playbooks and plans to include intel and info sharing programs
INTELLIGENCE-DRIVEN (summary)
* People
- Threat Intelligence Analysts
* Technology
- Threat intel management
- Threat intel feed scoring/filtering/prioritizing
- Threat intel report generation
* Processes
- Train TI analysts on gathering intel, rest of team on using TI
- Assess feeds and sources periodically
- Update playbooks and plans to include intel and info sharing programs
- Implement technology
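The "feed scoring/filtering/prioritizing" item above is the piece a SOC engineer has to actually build, so here is an added example of one way to do it. This is illustrative code written for this page, not Uplevel Security's or LogRhythm's product logic. The feed names, per-source confidence weights, half-life, corroboration bonus, threshold and the indicator records are all constructed for the example; the only real-looking values are RFC 5737 documentation addresses and a reserved example domain.

```python
from datetime import date

# Assumed per-source trust weights for three hypothetical feeds (not from the webinar).
FEED_CONFIDENCE = {"vendor-a": 0.9, "isac-share": 0.7, "open-list": 0.4}

# Constructed indicator records as they might arrive from the feeds above.
FEED_RECORDS = [
    {"feed": "vendor-a",   "type": "ipv4",   "value": "203.0.113.7",          "last_seen": "2016-10-09", "tags": ["c2"]},
    {"feed": "open-list",  "type": "ipv4",   "value": "203.0.113.7",          "last_seen": "2016-10-10", "tags": ["scanner"]},
    {"feed": "isac-share", "type": "domain", "value": "update-check.example", "last_seen": "2016-09-01", "tags": ["phishing"]},
    {"feed": "open-list",  "type": "ipv4",   "value": "198.51.100.23",        "last_seen": "2016-04-02", "tags": []},
    {"feed": "open-list",  "type": "ipv4",   "value": "8.8.8.8",              "last_seen": "2016-10-10", "tags": ["dns"]},
]

# Known-benign infrastructure that open feeds keep listing; blocking it would
# break the business, so it is filtered out before scoring.
ALLOWLIST = {"8.8.8.8"}

# The webinar date, used as "today" when the example is run stand-alone.
WEBINAR_DATE = date(2016, 10, 11)


def freshness(last_seen: str, today: date, half_life_days: int = 30) -> float:
    """Exponential decay: an indicator last seen one half-life ago is worth half."""
    age_days = max(0, (today - date.fromisoformat(last_seen)).days)
    return 0.5 ** (age_days / half_life_days)


def score_indicators(records, today: date, threshold: float = 0.2):
    """Merge duplicate indicators across feeds, score them, drop the noise,
    and return the survivors ordered for analyst attention."""
    merged = {}
    for rec in records:
        if rec["value"] in ALLOWLIST:
            continue
        key = (rec["type"], rec["value"])
        entry = merged.setdefault(key, {"type": rec["type"], "value": rec["value"],
                                        "feeds": set(), "tags": set(), "best": 0.0})
        entry["feeds"].add(rec["feed"])
        entry["tags"].update(rec["tags"])
        # Score of this one sighting: how much we trust the source, decayed by age.
        single = FEED_CONFIDENCE[rec["feed"]] * freshness(rec["last_seen"], today)
        entry["best"] = max(entry["best"], single)

    prioritized = []
    for entry in merged.values():
        # Corroboration bonus: each additional independent feed adds 25%, capped at 1.0.
        entry["score"] = min(1.0, entry["best"] * (1 + 0.25 * (len(entry["feeds"]) - 1)))
        if entry["score"] >= threshold:
            prioritized.append(entry)
    return sorted(prioritized, key=lambda e: e["score"], reverse=True)


def prioritized_values(records=FEED_RECORDS, today=WEBINAR_DATE):
    """Just the indicator values, highest priority first."""
    return [e["value"] for e in score_indicators(records, today)]


if __name__ == "__main__":
    for e in score_indicators(FEED_RECORDS, WEBINAR_DATE):
        print(f'{e["score"]:.2f} {e["type"]:6} {e["value"]} '
              f'feeds={sorted(e["feeds"])} tags={sorted(e["tags"])}')
```

Run on the constructed records, the C2 address seen by two feeds comes out on top, the month-old phishing domain survives with a low score, the six-month-old open-list entry is aged out below the threshold, and the allowlisted resolver never reaches scoring. The "assess feeds and sources periodically" process step is where the confidence weights and half-life get re-tuned against what actually produced true positives.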
LEARNING CONTINUOUSLY
• Applying and expanding institutional knowledge in a constant feedback loop
LEARNING CONTINUOUSLY: PEOPLE
• Analysts: Tier 1, Tier 2, Tier 3
• Insider Threat
• Engineering
• Red Team
• Hunters
• Threat Intel
• Internal Auditors
• Innovation
• Other Business Units
LEARNING CONTINUOUSLY: TECHNOLOGY
FOUNDATIONAL
• Prevent: Network Traffic Filter, Email Filter, Endpoint Filter, Inventory Mgmt, Vulnerability Scanning, Patch Mgmt
• Detect: Log Management, Network Monitor, Endpoint Monitor, Email Monitor
• Respond: Network Investigate, Endpoint Investigate, Email Investigate, Alert/Case Management
ADVANCED
• Pen Testing
• Respond: Triage, Remediate/Mitigate
• Enterprise-specific modules: Cloud Filter, Cloud Monitor, Mobile Device Management, Webserver Filter, App/DB Monitor, Phys Sec Monitor
• Automation: Sandbox, Graph Analysis, Playbook Orchestration/Execution, Response Tracking
• Threat Intel: Management, Scoring, Report Generation
• Analytics: Machine Learning, Baselining, Anomaly Identification, Heuristic Analysis, Predictive Analytics
• In Cloud
LEARNING CONTINUOUSLY: PROCESSES
• Policies: IT use, retention, etc.
• Playbooks (w/ automation, w/ intel): prevent, detect, respond, etc.
• Performance Metrics (+ data): managerial, operational, etc.
• Plans: incident response, business continuity, exercises, etc.
Implement / Train / Assess / Update cycle:
• Implement technology
• Train all team members
• Assess and fine tune products regularly
• Update playbooks based on new learnings
LEARNING CONTINUOUSLY (summary)
* People
- Innovation
- Internal auditors
* Technology
- Baselining
- Anomaly identification
- Heuristic analysis
- Machine learning
- Predictive analytics
* Processes
- Train all team members
- Assess and fine tune products regularly
- Update playbooks based on new learnings
- Implement technology
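"Baselining" and "anomaly identification" are named above without showing what the SOC actually computes. The following is an added example, written for this page and not taken from the webinar or either vendor, of the simplest useful form: learn a per-user logon profile from a training window, then flag events in a new window that fall outside it. The log line format, the user and host names, the one-hour tolerance, the three-sigma volume rule and the minimum two-logon slack are all assumptions for the example; a real deployment would read these from log management (Windows 4624 events, VPN logs, etc.).

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed logon records in an assumed one-line format (not real data).
# Training window: one work week for two users.
BASELINE_LOGS = """
2016-09-05T08:01:12 user=alice src=WS-ALICE result=success
2016-09-05T12:30:05 user=alice src=WS-ALICE result=success
2016-09-05T07:45:51 user=bob src=WS-BOB result=success
2016-09-06T08:03:44 user=alice src=WS-ALICE result=success
2016-09-06T12:32:19 user=alice src=WS-ALICE result=success
2016-09-06T07:41:02 user=bob src=WS-BOB result=success
2016-09-07T08:00:09 user=alice src=WS-ALICE result=success
2016-09-07T12:29:57 user=alice src=WS-ALICE result=success
2016-09-07T07:48:33 user=bob src=WS-BOB result=success
2016-09-07T13:10:20 user=bob src=WS-BOB result=success
2016-09-08T08:02:41 user=alice src=WS-ALICE result=success
2016-09-08T12:31:15 user=alice src=WS-ALICE result=success
2016-09-08T07:43:28 user=bob src=WS-BOB result=success
2016-09-09T08:04:03 user=alice src=WS-ALICE result=success
2016-09-09T12:33:48 user=alice src=WS-ALICE result=success
2016-09-09T07:46:17 user=bob src=WS-BOB result=success
"""

# Detection window: the following Monday, including one malformed line.
NEW_LOGS = """
2016-09-12T08:05:30 user=alice src=WS-ALICE result=success
2016-09-12T12:31:02 user=alice src=WS-ALICE result=success
2016-09-12T03:12:44 user=alice src=WS-FIN-07 result=success
2016-09-12T07:41:10 user=bob src=WS-BOB result=success
2016-09-12T10:00:00 user=carol src=WS-CAROL result=success
2016-09-12T22:15:01 user=bob src=SRV-DB-01 result=success
2016-09-12T22:15:02 user=bob src=SRV-DB-01 result=success
2016-09-12T22:15:03 user=bob src=SRV-DB-01 result=success
this line is malformed and must be skipped
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["day"], clock = e["ts"].split("T")
        e["hour"] = int(clock[:2])
        events.append(e)
    return events


def build_baseline(events: list) -> dict:
    """Per user: hosts seen, hours of day seen, and daily logon count statistics."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        daily = list(Counter(e["day"] for e in evs).values())
        baseline[user] = {
            "hosts": {e["src"] for e in evs},
            "hours": {e["hour"] for e in evs},
            "daily_mean": mean(daily),
            "daily_std": pstdev(daily),
        }
    return baseline


def detect(events: list, baseline: dict, sigma: float = 3.0, min_extra: int = 2) -> list:
    """Return findings: per-event deviations plus per-user-day volume spikes."""
    findings = []
    for e in events:
        prof = baseline.get(e["user"])
        reasons = []
        if prof is None:
            reasons.append("no baseline for user")          # new or dormant account
        else:
            if e["src"] not in prof["hosts"]:
                reasons.append("new source host")
            if all(abs(e["hour"] - h) > 1 for h in prof["hours"]):
                reasons.append("off-hours logon")
        if reasons:
            findings.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})

    # Volume rule: more logons in a day than mean + sigma*std. The min_extra slack
    # stops a zero-variance baseline from firing on a single extra logon.
    per_user_day = Counter((e["user"], e["day"]) for e in events)
    for (user, day), n in sorted(per_user_day.items()):
        prof = baseline.get(user)
        if prof is None:
            continue
        limit = prof["daily_mean"] + max(sigma * prof["daily_std"], min_extra)
        if n > limit:
            findings.append({"user": user, "ts": day,
                             "reasons": [f"logon volume spike ({n} vs baseline {prof['daily_mean']:.1f}/day)"]})
    return findings


def run_example() -> list:
    return detect(parse(NEW_LOGS), build_baseline(parse(BASELINE_LOGS)))


if __name__ == "__main__":
    for f in run_example():
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

On the constructed data this flags alice's 03:12 logon from a finance workstation (new host, off-hours), carol's logon (no profile at all), each of bob's late-night logons to a database server (new host, off-hours), and bob's day as a volume spike, while the routine morning and lunchtime logons produce nothing. That output is what "update playbooks based on new learnings" consumes: every false positive the analysts close should feed back into the tolerances or the baseline window.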
THANK YOU!
Roselle Safran, Uplevel Security
Company Confidential
Data Breaches Can Be Avoided
Cyber attack lifecycle: Recon. and Planning; Initial Compromise; Command and Control; Lateral Movement; Target Attainment; Exfiltration, Corruption, Disruption
Advanced threats take their time and leverage the holistic attack surface
Early neutralization stops cyber incidents and data breaches
Vigilance Requires Visibility at Every Vector
Figure: Holistic Attack Surface, shown as repeating User, Network and Endpoint vectors
Faster Detection & Response Reduces Risk
MEAN TIME-TO-DETECT (MTTD): The average time it takes to recognize a threat requiring further analysis and response efforts
MEAN TIME-TO-RESPOND (MTTR): The average time it takes to respond and ultimately resolve the incident
As organizations improve their ability to quickly detect and respond to threats, the risk of experiencing a damaging breach is greatly reduced
Chart: MTTD & MTTR timeframe (months, weeks, days, hours, minutes) against vulnerability, from High Vulnerability / Exposed to Threats to Low Vulnerability / Resilient to Threats
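MTTD and MTTR are only useful as operational metrics if they are computed the same way every month, from the case-management records the deck lists under "Respond". The following added example (written for this page, not LogRhythm's or Uplevel Security's code) shows the two definitions above as code over a constructed set of incident records. The record schema, the detection-source field, the band thresholds and the timestamps are assumptions; the one decision worth noting is that "time to detect" is measured from the first adversary activity on the forensic timeline, not from the first alert, because that is what the definition above asks for.

```python
from datetime import datetime
from statistics import mean

# Constructed case records in an assumed schema (not from the webinar). Times are UTC.
# first_activity comes from the forensic timeline built during investigation,
# detected is when a case was opened, resolved is when it was closed.
INCIDENTS = [
    {"id": "INC-2016-001", "source": "endpoint monitor",
     "first_activity": "2016-09-01T00:00:00", "detected": "2016-09-01T06:00:00", "resolved": "2016-09-02T06:00:00"},
    {"id": "INC-2016-002", "source": "user report",
     "first_activity": "2016-09-03T00:00:00", "detected": "2016-09-05T00:00:00", "resolved": "2016-09-05T12:00:00"},
    {"id": "INC-2016-003", "source": "endpoint monitor",
     "first_activity": "2016-09-10T08:00:00", "detected": "2016-09-10T08:30:00", "resolved": "2016-09-10T10:30:00"},
]

HOUR = 3600.0


def _hours_between(start: str, end: str) -> float:
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        # A negative interval means the timeline was entered wrong; do not let it
        # silently pull the average down.
        raise ValueError(f"{end} precedes {start}: check the incident timeline")
    return delta.total_seconds() / HOUR


def time_to_detect(incident: dict) -> float:
    """Hours from first adversary activity to the moment a case was opened."""
    return _hours_between(incident["first_activity"], incident["detected"])


def time_to_respond(incident: dict) -> float:
    """Hours from case opened to case resolved."""
    return _hours_between(incident["detected"], incident["resolved"])


def mttd_hours(incidents) -> float:
    return mean(time_to_detect(i) for i in incidents)


def mttr_hours(incidents) -> float:
    return mean(time_to_respond(i) for i in incidents)


def timeframe_band(hours: float) -> str:
    """Map a duration onto the bands used on the chart's vertical axis."""
    if hours < 1:
        return "minutes"
    if hours < 24:
        return "hours"
    if hours < 24 * 7:
        return "days"
    if hours < 24 * 30:
        return "weeks"
    return "months"


def mttd_by_source(incidents) -> dict:
    """MTTD broken out by what opened the case, so the SOC can see which
    monitors actually shorten detection and which incidents only surfaced
    because someone noticed."""
    groups = {}
    for inc in incidents:
        groups.setdefault(inc["source"], []).append(time_to_detect(inc))
    return {src: mean(v) for src, v in groups.items()}


def summarize(incidents) -> dict:
    d, r = mttd_hours(incidents), mttr_hours(incidents)
    return {"mttd_hours": d, "mttd_band": timeframe_band(d),
            "mttr_hours": r, "mttr_band": timeframe_band(r),
            "mttd_by_source": mttd_by_source(incidents)}


if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key}: {value}")
```

For the constructed records the overall MTTD lands in the "hours" band, but the per-source breakdown shows the endpoint monitor detecting in about three hours while the user-reported incident took two days; that split is the number that tells you where the next detection investment goes.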
Security Intelligence & Analytics Platform: Threat Lifecycle Management
Time to Detect
• Collect & Generate: Forensic Sensor Data, Security Event Data, Log & Machine Data (example sources)
• Detect & Prioritize: Search Analytics, Machine Analytics
• Qualify: Assess threat to determine risk and whether full investigation is necessary
Time to Respond
• Investigate: Analyze threat to determine nature and extent of the incident
• Neutralize: Implement countermeasures to mitigate threat
• Recover: Cleanup, Report, Review, Adapt
LogRhythm Security Intelligence Maturity Model: Delivering a Path to Success
Security Intelligence Maturity Levels:
• Level 0: Blind
• Level 1: Minimally Compliant
• Level 2: Securely Compliant
• Level 3: Vigilant
• Level 4: Resilient
Greater threat resiliency is achieved at higher levels of security intelligence maturity
Chart: MEAN-TIME-TO-DETECT (MTTD) and MEAN-TIME-TO-RESPOND (MTTR) timeframe (months, weeks, days, hours, minutes) by maturity level, from Exposed to Threats (Level 0) to Resilient to Threats (Level 4)
Questions? Submit questions to the presenters via the on-screen text box
Moderator: Tim Wilson, Editor in Chief, Dark Reading
Roselle Safran, Co-founder & CEO, Uplevel Security
Chris Petersen, Co-founder, SVP of Customer Care & CTO, LogRhythm
Thank you for attending
Please visit our sponsor and any of the resources below:
Upcoming Events:
• http://darkreading.com/webinar_upcoming.asp
Additional Resources:
• http://www.logrhythm.com/solutions/security/soc-platform/
• https://logrhythm.com/pdfs/whitepapers/lr-security-intelligence-maturity-model-ciso-whitepaper.pdf