Security Operations Centre (SOC) Architecture - SIGS · PwC How do you know what to protect?...

Security operations centre (SOC) architecture: a holistic approach March 2016 www.pwc.com


Agenda

1. How do you know what to protect?

2. How do you know when you’re compromised?

3. Start lean, and improve on a continuous basis


How do you know what to protect?


The layers to understand, each sitting within the policy framework:

Business process
• Vision
• Mission
• Values

Data governance
• Data classification policy
• Data ownership
• Risk management & appetite

IT & security architecture
• IT applications
• IT systems & platforms
• Network & interfaces

Data
• At rest (end point, cloud)
• In transit
• Processed


Regulatory requirements and internal classification guidelines

Regulatory requirements to be considered:

• Data protection law (EU GDPR)

• Financial market regulation

• Industry standards

• PCI-DSS

• Etc.

Identify ‘crown jewels’ (PID/CID and IP)

• Identifiable personal data

• Identifiable client data

• Intellectual property


Data ‘classification’ on data level: discover and segregate restricted from unrestricted


Data classification
• Identify data with CID restrictions in data stores (applications, instances, systems, DBs, logfiles etc.) through a scanning factory
• Segregation of data (application & infrastructure): dev/test/prod (no CID) separated from dev/test/prod (CID)
• Restricted data: client identifying data A & B, security classification C1 & C2; client identifying data C, security classification
• Un-restricted data: no PID / CID / IP

Service classes
• Service class 1: no critical data (no PID / CID / IP)
• Service class 2: semi-critical data (company owned)
• Service class 3 (high cost option): critical data, legal restrictions
• Hosting ranges from location agnostic and cloud ready to in country / on premises

Data obfuscation
• Anonymization, masking, encryption, hashing, etc., where possible
• Example from the slide: 0483-123456-01-0 masked to XXXX-XXXXXX-XX-X
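As an added example (not PwC's code), the scanning-factory and obfuscation steps above run over one constructed log file: a store is restricted if any record carries a client identifier in the slide's 0483-123456-01-0 format, and each identifier is then either masked to XXXX-XXXXXX-XX-X or replaced by a keyed hash so analysts can still correlate events without seeing the CID. The identifier format, the log lines and the key are assumptions.

```python
import hashlib
import re

# Constructed client identifier format, following the slide's example
# 0483-123456-01-0: groups of 4, 6, 2 and 1 digits separated by hyphens.
CID_RE = re.compile(r"\b\d{4}-\d{6}-\d{2}-\d\b")

# Constructed sample log file; the CIDs in it are made up.
SAMPLE_LOGFILE = [
    "2016-03-01T09:12:01 INFO payment ok client=0483-123456-01-0 amount=120.00",
    "2016-03-01T09:12:05 INFO healthcheck status=200",
    "2016-03-01T09:13:44 WARN login failed client=7711-000321-09-3 ip=10.0.0.5",
]


def mask_cid(cid):
    """Format-preserving mask: every digit becomes X, separators stay."""
    return re.sub(r"\d", "X", cid)


def pseudonymise_cid(cid, key):
    """Keyed BLAKE2b hash: the same CID always maps to the same token, so
    events can be joined, but the CID cannot be recovered without the key."""
    return hashlib.blake2b(cid.encode(), key=key, digest_size=8).hexdigest()


def classify_store(lines):
    """Scanning-factory rule: a store holding any CID is restricted."""
    return "restricted" if any(CID_RE.search(l) for l in lines) else "unrestricted"


def obfuscate(lines, key=None):
    """Rewrite every CID: masking without a key, keyed hashing with one."""
    def repl(match):
        cid = match.group(0)
        return mask_cid(cid) if key is None else pseudonymise_cid(cid, key)
    return [CID_RE.sub(repl, line) for line in lines]


if __name__ == "__main__":
    print(classify_store(SAMPLE_LOGFILE))
    for line in obfuscate(SAMPLE_LOGFILE, key=b"constructed-key"):
        print(line)
```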


An SOC requires integrated operating models to fuse and share information


Traditional SOC services (isolated capabilities)
• Logging, monitoring & event management
• Security incident management
• Vulnerability management
• Security testing
• Additional services

Outcome: disconnected insight in a noisy environment, due to disjointed, compartmentalised and insufficient data and analysis techniques.

Emerging SOC services
• Insider threat monitoring
• Internal investigations
• Fraud monitoring
• Forensic analysis
• Compliance testing
• Vulnerability scanning
• Penetration testing
• Perimeter protection
• Brand monitoring
• Phishing analysis
• External countermeasures
• Sensor management
• Countermeasure coordination
• Security engineering and change management
• Data analytics
• Tactical intelligence coordination
• Sensor enrichment
• Malware analysis
• Intrusion analysis
• IR/countermeasures
• TVM security strategy & planning
• Threat and vulnerability evaluation
• Security analysts 24x7
• Incident response
• Digital brand protection

Outcome: a robust threat analysis capability built on shared insights, data and research, that fuses insights from, and supports action by, multiple disparate stakeholders with a common mission.


The emerging SOC requires an organisation to view transformation from different perspectives


Perspectives on the transformation:
• Assessment and realignment of human capital
• Vision and operating model
• Technology framework – tactical intelligence coordination

Emerging SOC services: tactical intelligence coordination


A threat intelligence enrichment framework is based on the following process:

1. Intel collection: intelligence is aggregated from a firm-specific set of sources, including internal network data, social media, paid and open-source threat feeds, and incident response and data security tools.

2. Intel fusion and analytics: using technologies, a database of risk indicators fusing threat and risk indicators specific to the client is created. The collected data is compared to the indicators in the database, signalling potential risk.

3. Sensor enrichment: once these potential risk indicators are identified, we develop workflows and technology pathways to automate detection of the indicators.

4. Security analytics: support for analytical processes, improving logging practices and real-time analysis of security alerts to find both the micro-level risks and the broader strategic threats to the organisation.

5. Reporting and collaboration: building on the information and analysis, define immediate incident response actions and further steps for future mitigation and reporting, involving stakeholders across the organisation.
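As an added example (not part of the deck), the fusion and comparison steps of the process above: several feeds are fused into one indicator database that records which source reported each value and drops internal RFC 1918 addresses that would only match the firm's own hosts, and collected log lines are then compared against it. Feed contents, log format and log lines are constructed.

```python
import ipaddress
import re

# Constructed sample feeds and log lines; none of these are real indicators.
OPEN_SOURCE_FEED = {"198.51.100.23", "10.0.0.1"}      # 10.0.0.1 is internal noise
PAID_FEED = {"update-check.example", "198.51.100.23"}
INTERNAL_IR_FINDINGS = {"203.0.113.9"}

LOG_LINES = [
    "proxy 2016-03-02T10:00:01 src=10.1.2.3 dst=198.51.100.23 host=cdn.example.net",
    "dns   2016-03-02T10:00:04 client=10.1.2.7 query=update-check.example",
    "proxy 2016-03-02T10:00:09 src=10.1.2.3 dst=192.0.2.10 host=intranet.local",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NAME_RE = re.compile(r"\b(?:host|query)=([A-Za-z0-9.-]+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal_ip(value):
    """True for RFC 1918 addresses; a feed listing them would only match ourselves."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def fuse_indicators(feeds):
    """Fusion step: one database keyed by indicator value, recording every
    source that reported it, with internal addresses dropped."""
    db = {}
    for source, values in feeds.items():
        for value in values:
            if not is_internal_ip(value):
                db.setdefault(value, set()).add(source)
    return {value: sorted(sources) for value, sources in db.items()}


def extract_observables(line):
    """Pull IP addresses and host names out of one collected log line."""
    return set(IPV4_RE.findall(line)) | set(NAME_RE.findall(line))


def match_logs(lines, db):
    """Compare collected data with the database; a hit names the line and
    the sources vouching for the indicator, so analysts can weigh it."""
    hits = []
    for n, line in enumerate(lines):
        for obs in sorted(extract_observables(line)):
            if obs in db:
                hits.append({"line": n, "indicator": obs, "sources": db[obs]})
    return hits
```

Calling `match_logs(LOG_LINES, fuse_indicators({"open-source": OPEN_SOURCE_FEED, "paid": PAID_FEED, "internal-ir": INTERNAL_IR_FINDINGS}))` flags the first two lines and leaves the intranet request alone.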


Building a threat intelligence management capability in line with an organisation’s business imperatives is an iterative process.


Defining a pilot overlay to introduce quick wins and put the concepts into practice can help build organisational momentum


Leveraged to develop a model for enhanced intelligence enrichment and analytics…


Target operating model Next Gen SOC: threat intelligence is an essential part

Our perspective relies on three core capabilities for a next-generation SOC: traditional eyes-on-glass monitoring, advanced security analytics, and system and log collection & integration. These are informed by a wide range of security intelligence feeds, both internal and external to the organisation. They allow the organisation to make quicker and better-informed decisions. In many cases, the firm can take proactive preventative measures or at least shorten the time between breach and response.

The target operating model diagram reads left to right:
• Universe of data: threat vector data, critical asset inventories, open source, external data, vulnerability data
• Processing/enriching: engineering integration & collection management
• Analysis: eyes-on-glass monitoring, advanced security analytics
• Outcomes: incident response, informed leadership, proactive response


SOC models and threat intel sharing


The diagram shows concentric circles of threat intelligence sharing around CH relevant threat intel:
• Inner circle: organisations with a mature SOC (organisation A, organisation B, organisation C, … organisation n)
• Extended circle: managed security service providers and vendors (MSSP 1, MSSP 2, security vendor 1, security vendor 2, others, etc.)
• Critical infrastructure: finance industry, power grid, transportation & telecom
• Government level: Gov CERT (MELANI), law enforcement
• External sources and feeds
• Relationships between the parties: sharing, contributing, subscription


Summary and next steps

1. Each SOC has a unique maturity level, a specific environment to support and a dedicated operation model.

2. To protect enterprise and personal data, they need to be identified and classified (PCI-DSS/data protection law)

3. Threat intelligence sharing means:

a) technical interfaces but also

b) sharing of social engineering practices with industry alignment

4. Threat intel sharing means all (or at least a core group) have to contribute to enrich

5. The adaptation of global feeds needs to be done just once and then shared among all

6. The main challenge remains to apply threat intelligence to the specific enterprise, to analyse root causes and improve continuously


This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers AG, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2016 PwC. All rights reserved. In this document, ‘PwC’ refers to PricewaterhouseCoopers AG, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.