Security Operations Centre (SOC) Architecture - SIGS · PwC
PwC
Agenda
1. How do you know what to protect?
2. How do you know when you’re compromised?
3. Start lean, and improve on a continuous basis
Security Operations Centre (SOC) Architecture, March 2016
How do you know what to protect?
Policy framework (diagram):
Business Process
• Vision
• Mission
• Values
Data Governance
• Data classification policy
• Data ownership
• Risk management & appetite
IT & Sec Architecture
• IT applications
• IT systems & platforms
• Network & interfaces
Data
• At rest (end point, cloud)
• In transit
• Processed
Regulatory requirements and internal classification guidelines
Regulatory requirements to be considered:
• Data protection law (EU GDPR)
• Financial market regulation
• Industry standards
• PCI-DSS
• Etc.
Identify ‘crown jewels’ (PID/CID and IP)
• Identifiable personal data
• Identifiable client data
• Intellectual property
Data ‘classification’ on data level: discover, segregate restricted from unrestricted
Data classification
• Identify data with CID restrictions in data stores: applications, instances, systems, DBs, logfiles etc.
• Scanning factory
• Segregation of data (app. & infra.): dev/test/prod (no CID) vs. dev/test/prod (CID)
Restricted data
• Client identifying data A & B: security classification C1 & C2
• Client identifying data C: security classification
Un-restricted data
Service classes
• Service class 1: no critical data (no PID / CID / IP)
• Service class 2: semi-critical data (company owned)
• Service class 3 (high cost option): critical data, legal restrictions
Hosting options (diagram axis): location agnostic and cloud ready; in country / on premises
Data obfuscation
• Example: 0483-123456-01-0 becomes XXXX-XXXXXX-XX-X
• Anonymization, masking, encryption, hashing, etc., where possible
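The masking shown on the slide (0483-123456-01-0 to XXXX-XXXXXX-XX-X) next to a keyed-hash pseudonym, as an added Python example that is not part of the PwC deck; the identifier format, the field names and the keys are constructed assumptions.

```python
import hmac
import hashlib
import re

# Constructed sample client identifier in the format shown on the slide.
SAMPLE_CID = "0483-123456-01-0"

def mask_cid(cid: str) -> str:
    """Masking as on the slide: every digit becomes 'X', separators stay.

    The value is useless as an identifier but keeps its shape, so code in
    the no-CID dev/test environments that parses the field still works.
    """
    return re.sub(r"\d", "X", cid)

def pseudonymise_cid(cid: str, key: bytes) -> str:
    """Keyed hashing (HMAC-SHA256) instead of a plain hash.

    A plain SHA-256 of a 13-digit identifier can be reversed by hashing the
    whole identifier space, so the hash alone is not an obfuscation; the
    key (kept only in the CID-cleared environment) is what makes the token
    unlinkable. The same CID always yields the same token, so records can
    still be joined in analytics without exposing the CID.
    """
    return hmac.new(key, cid.encode("utf-8"), hashlib.sha256).hexdigest()

def prepare_no_cid_copy(record: dict, key: bytes) -> dict:
    """Build the copy of a record allowed into a no-CID (service class 1) store.

    Hypothetical field names: 'cid' is replaced by a masked display value
    plus a keyed pseudonym; all other fields are passed through unchanged.
    """
    out = dict(record)
    out["cid"] = mask_cid(record["cid"])
    out["cid_token"] = pseudonymise_cid(record["cid"], key)
    return out
```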
An SOC requires integrated operating models to fuse and share information
Traditional SOC services (isolated capabilities)
• Logging, monitoring & event management
• Security incident management
• Vulnerability management
• Security testing
• Additional services
Disconnected insight in a noisy environment, due to disjointed, compartmentalised and insufficient data and analysis techniques.
Emerging SOC services
A robust threat analysis capability built on shared insights, data and research, that fuses insights from, and supports action by, multiple disparate stakeholders with a common mission.
• Insider threat monitoring
• Internal investigations
• Fraud monitoring
• Forensic analysis
• Compliance testing
• Vulnerability scanning
• Penetration testing
• Perimeter protection
• Brand monitoring
• Phishing analysis
• External countermeasures
• Sensor management
• Countermeasure coordination
• Security engineering and change management
• Data analytics
• Tactical intelligence coordination
• Sensor enrichment
• Malware analysis
• Intrusion analysis
• IR/countermeasures
• TVM security strategy & planning
• Threat and vulnerability evaluation
• Security analysts 24x7
• Incident response
• Digital brand protection
The emerging SOC requires an organisation to view transformation from different perspectives
The emerging SOC services listed on the previous slide are viewed through three perspectives:
• Assessment and realignment of human capital
• Vision and operating model
• Technology framework – tactical intelligence coordination
Emerging SOC services: tactical intelligence coordination
A threat intelligence enrichment framework is based on the following process:
1. Intel collection: intelligence is aggregated from a firm-specific set of sources, including internal network data, social media, paid and open-source threat feeds, and incident response and data security tools.
2. Intel fusion and analytics: using technologies, a database of risk indicators fusing threat and risk indicators specific to the client is created. The collected data is compared to the indicators in the database, signalling potential risk.
3. Sensor enrichment: once these potential risk indicators are identified, we develop workflows and technology pathways to automate detection of the indicators.
4. Security analytics: support for analytical processes, improving logging practices and real-time analysis of security alerts to find both the micro-level risks and the broader strategic threats to the organisation.
5. Reporting and collaboration: building on the information and analysis, define immediate incident response actions and further steps for future mitigation and reporting, involving stakeholders across the organisation.
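The fusion and comparison steps of this process (an indicator database fused from several sources, collected data compared against it and potential risk signalled), as an added Python example that is not part of the PwC deck; the feeds, the proxy log format, the indicator values and the confidence threshold are constructed assumptions.

```python
import re

# Constructed indicator feeds; all values are made up for this example.
INTERNAL_INDICATORS = [
    {"type": "domain", "value": "updates-cdn.example", "source": "internal-IR", "confidence": 90},
]
OPEN_SOURCE_FEED = [
    {"type": "ip", "value": "203.0.113.45", "source": "osint-feed", "confidence": 60},
    {"type": "domain", "value": "updates-cdn.example", "source": "osint-feed", "confidence": 40},
]

# Constructed proxy log lines: timestamp, client IP, destination, method, path.
SAMPLE_LOGS = """\
2016-03-02T10:01:07Z 10.1.2.3 203.0.113.45 GET /index.html
2016-03-02T10:01:09Z 10.1.2.4 www.example.org GET /news
2016-03-02T10:02:11Z 10.1.2.3 updates-cdn.example GET /update.bin
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def fuse_indicators(*feeds):
    """Fuse feeds into one database keyed by (type, value).

    An indicator reported by several sources keeps the highest confidence
    and the list of sources, so a hit shows corroboration, not duplicates.
    """
    db = {}
    for feed in feeds:
        for ioc in feed:
            entry = db.setdefault((ioc["type"], ioc["value"]),
                                  {"sources": [], "confidence": 0})
            entry["sources"].append(ioc["source"])
            entry["confidence"] = max(entry["confidence"], ioc["confidence"])
    return db

def match_logs(log_text, db, threshold=50):
    """Compare collected log data with the indicator database; signal hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        ts, client, dst, _method, path = m.groups()
        ioc_type = "ip" if IPV4_RE.fullmatch(dst) else "domain"
        entry = db.get((ioc_type, dst))
        if entry and entry["confidence"] >= threshold:
            hits.append({"time": ts, "client": client, "indicator": dst, "path": path,
                         "sources": entry["sources"], "confidence": entry["confidence"]})
    return hits
```

Raising the threshold is the tuning knob between noise and missed corroborated indicators; the sources list on each hit is what an analyst uses to decide whether a single-feed match deserves a sensor rule.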
Building a threat intelligence management capability in line with an organisation’s business imperatives is an iterative process.
Defining a pilot overlay to introduce quick wins and put the concepts into practice can help build organisational momentum.
Leveraged to develop a model for enhanced intelligence enrichment and analytics…
Target operating model Next Gen SOC: threat intelligence is an essential part
Our perspective relies on three core capabilities for a next-generation SOC: traditional eyes-on-glass monitoring, advanced security analytics, and system and log collection & integration. These are informed by a wide range of security intelligence feeds, both internal and external to the organisation. They allow the organisation to make quicker and better-informed decisions. In many cases, the firm can take proactive preventative measures or at least shorten the time between breach and response.
Diagram: universe of data, then processing/enriching, then analysis, then outcomes
• Universe of data: threat vector data, critical asset inventories, open source, external data, incident response, vulnerability data
• Processing/enriching: engineering integration & collection management
• Analysis: advanced security analytics; eyes on glass monitoring
• Outcomes: informed leadership; proactive response
SOC models and threat intel sharing
Inner circle
• Organisation with a mature SOC
• Organisation A, Organisation B, Organisation C, Organisation n
Extended circle
• Managed security service providers and vendors: MSSP 1, MSSP 2, Security vendor 1, Security vendor 2, Others, etc.
• Critical infrastructure: finance industry, power grid, transportation & telecom
• Government level: Gov CERT (MELANI), law enforcement
Relationships between the circles: sharing, contributing, subscription
External sources and feeds feed CH relevant threat intel into the circles
Summary and next steps
1. Each SOC has a unique maturity level, a specific environment to support and a dedicated operation model.
2. To protect enterprise and personal data, they need to be identified and classified (PCI-DSS/data protection law)
3. Threat intelligence sharing means:
   a) technical interfaces, but also
   b) sharing of social engineering practices with industry alignment
4. Threat intel sharing means all (or at least a core group) have to contribute to enrich
5. The adaptation of global feeds needs to be done just once and then shared among all
6. The main challenge remains to apply threat intelligence to the specific enterprise, to analyse root causes and improve continuously
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers AG, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2016 PwC. All rights reserved. In this document, ‘PwC’ refers to PricewaterhouseCoopers AG, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.