CanSSOC: Sharing is Caring! · Martin Loeffler – University of Toronto MI...
CanSSOC: Sharing is Caring!
Martin Loeffler – University of Toronto
MI (IPS), CISSP, CISM, CISA, CRISC
Who’s our audience?
Who’s in IT?
Who’s in IS?
Who’s in neither?
We have a web site!
https://www.canssoc.ca
• Learn more about us
• News, events, and sign up for email notifications!
What’s a ‘SOC’?
A SOC is a ‘Security Operations Centre’
Like NASA’s Mission Control, but for catching hackers
What does a SOC do?
A SOC:
Collects data ..
.. Normalizes data
.. Enriches data
.. Analyzes data
.. Creates alerts
.. And automated responses
So, what is a ‘CanSSOC’?
A can of socks? A Canadian clothing line?
A Canadian Shared Security
Operations Centre?
What is a ‘CanSSOC’?
The CanSSOC Project is a shared security operations centre
proof of concept between:
the University of Alberta, University of British Columbia,
McGill University, McMaster University, Ryerson University
and the University of Toronto.
Why a ‘Proof of Concept’?
Why not just build the thing?
• Technology is constantly changing
• It’s a Shared SOC – which means we have partners who need to be heard
• The technology is uncertain and, to a degree, untested
It’s not that easy ..
Why build it at all?
What challenges are you facing in your department?
What are the possible benefits of partnership in your space?
Strategic Wins
• Cyber Security Effectiveness
• Articulating return on investment
• Finding budget
• Measurable metrics
• Research partnerships
A Shared SOC brings more value than a stand-alone SOC
“Together we see more”
Global profile
Attracting talent
Economies of scale
Higher Ed focus
Operational Wins
Analysis
• Fewer erroneous alerts than provided by current efforts – a manageable flow of information.
• Alerts prioritized by risk – asset value vs. likelihood of attack success.
Operational Wins
Intelligence
• A source of threat information and early indicators of compromise
• A central source for sharing threat information
• Direct integration with institutions’ internal alert and control systems
Operational Wins
Support
• Relieving senior staff to respond to incidents requiring context-specific understanding vs. spending time on junior-level analysis of raw data
• Automated responses to incidents
• External resources to assist with vulnerability identification and remediation
• Access to stored activity data / support for audit activity
Operational Wins
Communication
• A communications clearing house, providing / sharing:
  • A broad understanding of threat activity within the participating institutions’ environments
  • Metrics for / trends of threat activity within the participating institutions’ environments
  • Effective practices for risk management in use at other institutions
Operational Wins
Other
• Opportunities to participate in virtual ‘centres of excellence’ to enhance professional practice
• Better value for cost than comparable commercial services – no profit motive
“By partnering to share data, best practices, resources, and infrastructure, effectiveness in identifying threats is increased, overall costs from risk can be reduced, and broader threat-intelligence sharing partnerships can be established.”
Who else is doing this?
OmniSOC
University of Texas at Austin (CSOC)
How long will it take to build?
Project length is 18 months, ending in December 2019 ..
• Hire staff
• Set a project plan
• Set a budget
• Develop project governance
• Establish data sharing agreements
• Meet with partners
• Develop a service catalog
• Develop architecture
• Evaluate alternatives
• Build prototypes
• Run prototypes
• Test functionality
• Measure performance
• Test integration
• Test reports and alerting
Where are we now?
.. in the middle of building something amazing
Architecture
Architecture
Collect
Normalize
Enrich
Analyze
Threat Intelligence
Monitoring
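To make the Collect → Normalize → Enrich → Analyze → Alert chain from the “What does a SOC do?” and Architecture slides concrete, and to show the Operational Wins point of “alerts prioritized by risk – asset value vs. likelihood of attack success”, here is a small worked pipeline. It is an added example written for this transcript, not CanSSOC project code; the two log sources, the threat-intel list, the asset values, the scoring weights and the response threshold are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample events: (source, raw line) in two different native formats.
RAW_EVENTS = [
    ("fw",   "2024-03-01T10:00:01Z src=198.51.100.23 dst=10.0.0.5 action=deny"),
    ("fw",   "2024-03-01T10:00:02Z src=198.51.100.23 dst=10.0.0.5 action=deny"),
    ("fw",   "2024-03-01T10:00:03Z src=198.51.100.23 dst=10.0.0.5 action=deny"),
    ("auth", "2024-03-01T10:00:09Z user=alice host=10.0.0.9 result=failure ip=203.0.113.7"),
    ("auth", "2024-03-01T10:00:12Z user=alice host=10.0.0.9 result=success ip=203.0.113.7"),
    ("fw",   "2024-03-01T10:01:00Z src=192.0.2.44 dst=10.0.0.77 action=allow"),
]

# Constructed enrichment data (assumptions): a shared threat-intel list and a
# per-asset value from 1 (low) to 5 (critical). In a shared SOC these would be
# fed by the partner institutions.
THREAT_INTEL = {"198.51.100.23": "scanner", "203.0.113.7": "credential-stuffing"}
ASSET_VALUE = {"10.0.0.5": 5, "10.0.0.9": 3, "10.0.0.77": 1}

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(source, line):
    """Normalize: map each source's native fields onto one common schema."""
    ts, _, rest = line.partition(" ")
    kv = dict(KV_RE.findall(rest))
    if source == "fw":
        return {"ts": ts, "src_ip": kv["src"], "dst_ip": kv["dst"], "user": None,
                "outcome": "blocked" if kv["action"] == "deny" else "allowed"}
    if source == "auth":
        return {"ts": ts, "src_ip": kv["ip"], "dst_ip": kv["host"], "user": kv["user"],
                "outcome": kv["result"]}
    raise ValueError(f"unknown source: {source}")


def enrich(event):
    """Enrich: attach the threat-intel tag and asset value (unknown assets count as low)."""
    return {**event,
            "intel_tag": THREAT_INTEL.get(event["src_ip"]),
            "asset_value": ASSET_VALUE.get(event["dst_ip"], 1)}


@dataclass
class Alert:
    src_ip: str
    dst_ip: str
    reasons: list
    likelihood_pct: int   # estimated likelihood of attack success, 0-100
    asset_value: int
    risk: float           # asset value x likelihood: the prioritization key


def analyze(events):
    """Analyze: group events per (src, dst) pair, score them, emit alerts sorted by risk."""
    groups = {}
    for e in events:
        groups.setdefault((e["src_ip"], e["dst_ip"]), []).append(e)
    alerts = []
    for (src, dst), evs in groups.items():
        reasons, likelihood = [], 0
        if evs[0]["intel_tag"]:
            reasons.append(f"source on threat-intel list ({evs[0]['intel_tag']})")
            likelihood += 40
        if sum(e["outcome"] == "blocked" for e in evs) >= 3:
            reasons.append("repeated blocked connections")
            likelihood += 20
        outcomes = [e["outcome"] for e in evs]
        if "failure" in outcomes and "success" in outcomes[outcomes.index("failure"):]:
            reasons.append("successful login after failures")
            likelihood += 40
        if not reasons:
            continue  # nothing suspicious: no alert, which keeps the analyst queue manageable
        value = evs[0]["asset_value"]
        alerts.append(Alert(src, dst, reasons, likelihood, value, value * likelihood / 100))
    return sorted(alerts, key=lambda a: a.risk, reverse=True)


def respond(alerts, threshold=2.5):
    """Automated response: high-risk alerts get a containment action, the rest a ticket."""
    return [("block-source", a.src_ip) if a.risk >= threshold else ("open-ticket", a.src_ip)
            for a in alerts]


def run_pipeline(raw_events=RAW_EVENTS):
    """Collect -> normalize -> enrich -> analyze -> alert/respond, end to end."""
    events = [enrich(normalize(src, line)) for src, line in raw_events]
    alerts = analyze(events)
    return alerts, respond(alerts)


if __name__ == "__main__":
    alerts, actions = run_pipeline()
    for a in alerts:
        print(f"risk={a.risk:.1f} {a.src_ip} -> {a.dst_ip}: {'; '.join(a.reasons)}")
    print(actions)
```

With the constructed input, the scanner hitting the critical asset (likelihood 60 %, asset value 5, risk 3.0) is ranked above the successful login after failures on a medium-value host (likelihood 80 %, asset value 3, risk 2.4), which is the point of weighting likelihood by asset value rather than sorting on likelihood alone; the benign allowed connection produces no alert at all.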
CISO Dashboard: Overview
Customizable widgets with metrics and KPIs, potentially covering everything from compliance, risk and average request times to labour costs, etc. Configurable on a per-user, per-institution basis.
CISO Dashboard: Incident Response Overview
Customizable widgets that show key incident and service-request metrics, ranging from time to contain and time to eradicate to types of incidents.
Questions?