CanSSOC: Sharing is Caring!

Martin Loeffler – University of Toronto, MI (IPS), CISSP, CISM, CISA, CRISC


Page 2

Who’s our audience?

Who’s in IT?

Who’s in IS?

Who’s in neither?

Page 3

We have a web site!

https://www.canssoc.ca

• Learn more about us

• News, events, and sign up for email notifications!

Page 4

What’s a ‘SOC’?

A SOC is a ‘Security Operations Centre’

Like NASA’s Mission Control, but for catching hackers

Page 5

Page 6

What does a SOC do?

Page 7

A SOC:

Collects data ..

Page 8

.. Normalizes data


Page 9

.. Enriches data

Page 10

.. Analyzes data

Page 11

.. Creates alerts

Page 12

.. And automated responses

Page 13

So, what is a ‘CanSSOC’?

A can of socks? A Canadian clothing line?

A Canadian Shared Security Operations Centre?

Page 14

What is a ‘CanSSOC’?

The CanSSOC Project is a shared security operations centre proof of concept between the University of Alberta, University of British Columbia, McGill University, McMaster University, Ryerson University and the University of Toronto.

Page 15

Why a ‘Proof of Concept’?

Why not just build the thing?

• Technology is constantly changing

• It’s a Shared SOC – which means we have partners who need to be heard

• The technology is uncertain and, to a degree, untested

It’s not that easy ..

Page 16

Why build it at all?

Page 17

What challenges are you facing in your department?

Page 18

What possible benefits of partnership in your space?

Page 19

Strategic Wins

• Cyber Security Effectiveness

• Articulating return on investment

• Finding budget

• Measurable metrics

• Research partnerships

Page 20

A Shared SOC brings more value than a stand-alone SOC

“Together we see more”

Global profile

Attracting talent

Economies of scale

Higher Ed focus

Page 21

Operational Wins

Analysis

• Fewer erroneous alerts than provided by current efforts – a manageable flow of information.

• Alerts prioritized by risk – asset value vs. likelihood of attack success.
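The SOC pipeline from the earlier slides (collect, normalize, enrich, analyze, create alerts, automated responses) together with the risk-based prioritization above, as an added toy example written for this transcript; it is not CanSSOC's own code. The institution names, log formats, shared indicator, asset values and scoring weights are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed raw firewall lines from two partner institutions ("collect" step).
RAW_EVENTS = [
    ("univ-a", "2019-06-01T10:00:00Z fw DENY src=203.0.113.7 dst=10.1.0.5 dport=22"),
    ("univ-b", "Jun  1 10:02:13 gw kernel: BLOCK SRC=203.0.113.7 DST=10.2.0.9 DPT=22"),
    ("univ-a", "2019-06-01T10:03:00Z fw DENY src=198.51.100.4 dst=10.1.0.8 dport=443"),
]
# Indicators contributed by partners to the shared pool (constructed values).
SHARED_INDICATORS = {"203.0.113.7": "constructed-scanner-campaign"}
# Asset value of each destination host, 1 (low) to 5 (critical); constructed.
ASSET_VALUE = {"10.1.0.5": 5, "10.2.0.9": 2, "10.1.0.8": 3}

FORMAT_A = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
FORMAT_B = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+)")

def normalize(institution, line):
    """Map an institution-specific log line onto one common schema."""
    m = FORMAT_A.search(line) or FORMAT_B.search(line)
    if not m:
        return None  # unparseable lines are dropped rather than guessed
    return {"inst": institution, "src": m[1], "dst": m[2], "dport": int(m[3])}

def enrich(event):
    """Attach shared threat intelligence and asset context to an event."""
    event["intel"] = SHARED_INDICATORS.get(event["src"])
    event["asset_value"] = ASSET_VALUE.get(event["dst"], 1)
    return event

def analyze(events):
    """Score risk = asset value x likelihood; likelihood rises on a shared-intel
    hit and when the same source is seen at more than one partner."""
    seen_at = defaultdict(set)
    for e in events:
        seen_at[e["src"]].add(e["inst"])
    alerts = []
    for e in events:
        likelihood = 1 + (2 if e["intel"] else 0) + (1 if len(seen_at[e["src"]]) > 1 else 0)
        alerts.append({**e, "partners": len(seen_at[e["src"]]),
                       "risk": e["asset_value"] * likelihood})
    return sorted(alerts, key=lambda a: a["risk"], reverse=True)

def respond(alerts, threshold=10):
    """Automated response: propose a block for sources whose risk meets the threshold."""
    return sorted({a["src"] for a in alerts if a["risk"] >= threshold})

def run_pipeline(raw=RAW_EVENTS):
    normalized = [normalize(inst, line) for inst, line in raw]
    return analyze([enrich(e) for e in normalized if e])  # collect -> normalize -> enrich -> analyze
```

The source seen at both partners with a shared-intel hit against the most valuable asset ranks first, which is the cross-institution visibility the slides describe.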

Page 22

Operational Wins

Intelligence

• A source of threat information and early indicators of compromise

• A central source for sharing threat information

• Direct integration with institutions’ internal alert and control systems

Page 23

Operational Wins

Support

• Relieving senior staff to respond to incidents requiring context-specific understanding vs. spending time on junior-level analysis of raw data

• Automated responses to incidents

• External resources to assist with vulnerability identification and remediation

• Access to stored activity data / support for audit activity

Page 24

Operational Wins

Communication

• A communications clearing house, providing / sharing:

  • A broad understanding of threat activity within the participating institutions’ environments

  • Metrics for / trends of threat activity within the participating institutions’ environments

  • Effective practices for risk management in use at other institutions

Page 25

Operational Wins

Other

• Opportunities to participate in virtual ‘centres of excellence’ to enhance professional practice

• Better value for cost than comparable commercial services – no profit motive

Page 26

“By partnering to share data, best practices, resources, and infrastructure, effectiveness in identifying threats is increased, overall costs from risk can be reduced, and broader threat-intelligence sharing partnerships can be established.”

Page 27

Who else is doing this?

OmniSOC

University of Texas at Austin (CSOC)

Page 28

How long will it take to build?

Page 29

Project length is 18 months, ending in December 2019 ..

• Hire staff

• Set a project plan

• Set a budget

• Develop project governance

• Establish data sharing agreements

• Meet with partners

• Develop a service catalog

• Develop architecture

• Evaluate alternatives

• Build prototypes

• Run prototypes

• Test functionality

• Measure performance

• Test integration

• Test reports and alerting

Page 30

Where are we now?

Page 31

.. in the middle of building something amazing

Page 32

Page 33

Architecture

Page 34

Architecture

Collect

Normalize

Enrich

Analyze

Page 35

Threat Intelligence

Page 36

Monitoring

Page 37

CISO Dashboard – Overview

Customizable widgets with metrics and KPIs, potentially covering everything from compliance and risk to average request times and labour costs. Configurable on a per-user, per-institution basis.

Page 38

CISO Dashboard – Incident Response Overview

Customisable widgets that show key incident and service-request metrics, ranging from time to contain and time to eradicate to types of incident.

Page 39

Questions?