Setting up a Security Operations Center (SOC) – A step by step approach
Abdul Rahman Mohamed, VP, IT Strategy, Risk & Delivery, Group IT, Malaysia Airlines
Ministry of Science, Technology and Innovation (slide footer: "People First, Performance Now")
07 November 2012, 34 slides

Transcript

Page 1:

People First, Performance Now
Ministry of Science, Technology and Innovation

Setting up a Security Operations Center (SOC) – A step by step approach
Abdul Rahman Mohamed
VP, IT Strategy, Risk & Delivery, Group IT, Malaysia Airlines

07 November 2012

Page 2:

My apologies…. I am standing between you and home sweet home. I'll be on time.

Page 3:

About the speaker…

• 19 years of experience
• Was CISSP and CISM
• Oil and Gas, Banking and Consultancy
• IT Strategy & Transformation, Governance, Risk & Security, IT Service Delivery, Project Management

Page 4:

We are here to share our experience…

• In setting up an internal SoC, as well as its journey and evolution
• Its value to our business
• The lessons learned
• DISCLAIMER: It works for us.

Page 5:

Allow me to introduce the Air Travel Industry….

Page 6:

The airline industry is glamorous, and a quick way to lose money…..

"How do you become a millionaire? First, become a billionaire, then you run an airline" – Sir Richard Branson

Page 7:

Group IT is the enabler and IT partner of THE PREFERRED PREMIUM CARRIER…

[Route map: Malaysia Airlines destinations across Asia, Europe, Australia and Africa, with Kuala Lumpur as the hub]

Key figures (per December 2011):
• 2 + 6 Data Centers (incl. MHNet, SITA, Enrich)
• 56 applications
• 16K IT devices
• 14-15 mil pax/annum (2010/11)
• Over 90 stations (MW, FY, MH)
• 45 FTEs
• Over 12 key IT partners (out of 84)
• 20K staff

Page 8:

Let's get to the actual presentation

Page 9:

The steps that we took in establishing the SoC….

• Find the right resources
• Find the business value of your SoC
• Get the sponsors and know your stakeholders
• Begin with the end in mind
• Start small
• Leverage
• Can pause but keep evolving
• "Marketecture"

Page 10:

In any endeavor, we have to have the right resources for the job, meeting the following criteria: (Step 1)

"Committed to Integrity; Committed to Performance and Committed to Change."

Jeff Immelt, CEO, GE

Page 11:

"There is no such thing as an IT project, there is only business project"

Paul Coby, Ex CIO British Airways

Page 12:

"Else… You syok sendiri" (Malay: you are only pleasing yourself)

Abdul Rahman Mohamed, Future CIO

Page 13:

We established the SoC for the airline business…. (Step 2)

• Alignment with corporate strategies and the Business Transformation Plan (BTP2):
  • No compromise on safety and security
  • Serve Customer, Make Money, Save Money
• Compliance with regulatory requirements (local and international), e.g. Anti-Trust/Competition Law, Data Privacy, PCI, National Cyber Security Policy (NCSP)
• Increase in IT outsourcing activity and the need for near real-time transparency

Page 14:

The project was actually owned by Corporate Security but funded by IT…. (Step 3)

[Organization chart. Units shown: Board Safety and Security Committee; Management Committee; Group IT (IT Strategy & Governance, IT Service Delivery, Info/IT Services, Information Risk & Security, IT Security Operations, SITO***); CSSHE* (Corporate Security, Security Operations, Security Assurance / SACC**, Corp. Security Governance); Corp. Risk Advisory Services (Risk Mgmt, Business Assurance, Audit & Business Advisory)]

* Corporate Safety, Security, Health & Environment
** Security Assurance Control Center
*** Strategic IT Outsourcing

Page 15:

There are external stakeholders as well….

[Organization chart repeated from Page 14]

Page 16:

Once we established the business justification, we would envision the end in mind…. (Step 4)

Page 17:

This is half of your journey….

Page 18:

We started our journey with a 5 year vision….

[Roadmap table: four phases, with rows for Policy, Process / Tech, People, and Results / Benefits]

PHASE 1: Assurance and visibility to Business
PHASE 2: Integration to Business
PHASE 3: Optimized for Stakeholder's Confidence in IT Controls
PHASE 4: Integration to Corporate GRC

Policy (across the phases): Corp Info Security Policy; Policy alignment, link with Corp Security; Comprehensive view, link dashboard to external / service provider; Integrate with corporate GRC framework

Process / Tech: IT Compliance Mgmt; Sec Incident & Event Mgmt; Threat Vulnerability Mgmt; Assurance testing; IT Assets Mgmt; Link with Corp Security dashboard; Information Security Dashboard; Content Security Services; Svc Provider assessment; IT Risk Management; Link dashboard to external / service provider; Info Leakage Prevention; Digital Rights Mgmt; Identity & Access Mgmt; Info Retention & e-Discovery

People: Awareness: Classroom; Handbook, Video; E-Awareness, Portal; Certification

Results / Benefits: Transparency; Visibility; Information Security visible at Corp. Security; Assurance of control effectiveness; Obtain stakeholder's confidence; Integration with corporate security; Integration of security processes and technology; business objectives

Page 19:

In reality, not everything goes as planned…. But stick to it

[Roadmap table repeated from Page 18]

Page 20:

We started small and called our SoC the Security Assurance Control Center (SACC), using "Subscription on-site" (Step 5)

[Service catalogue diagram: Security Assurance Control Center]

Assurance Monitoring (Reporting & Dashboard):
• Policy Compliance
• Threat & Vulnerability Management
• Security Event Management
• Incident Response

Assurance Testing (Schedule of Test):
• Internal & External Penetration test
• Station IT Security Posture
• Network Services Attestation
• Web Application code assurance
• Social Engineering Drill

Unplanned Assurance (Schedule of Price Agreement, by man day rate):
• Additional Device for Monitoring
• Additional Testing Services
• Forensic services
• Other security services

Page 21:

We did not own the tools, licenses, resources and servers. We own the information and results only.

[Service catalogue diagram repeated from Page 20]

Page 22:

Assurance monitoring ensures compliance, and that all critical devices at HQ and stations are sufficiently protected

[Diagram: Assurance Monitoring (Reporting & Dashboard) – Policy Compliance, Threat & Vulnerability Management, Security Event Management, Incident Response – fed by monitored servers and workstations, and linked to the IT Helpdesk and the Threat Mgmt Center]

Page 23:

Assurance testing provides the security view from the perpetrator's side, for security improvements

[Diagram: Assurance Testing (Schedule of Test) – testers run Internal & External Penetration test, Station IT Security Posture, Network Services Attestation, Web Application code assurance and Social Engineering Drill against servers and workstations]

Page 24:

We also leverage others' capabilities, locally… (Step 6)

MoU between Malaysia Airlines and CyberSecurity Malaysia

Page 25:

We also leverage others' capabilities, internationally.

MoU between Malaysia Airlines and Tata Consultancy Services

Page 26:

As mentioned earlier, we did pause for certain capabilities, but we continue to evolve into an IT Control Tower (Step 7)

[Diagram: Security Assurance Control Center evolving into the IT Control Tower]

Assurance Monitoring (Reporting & Dashboard): Policy Compliance; Threat & Vulnerability Management; Security Event Management; Incident Response
Assurance Testing (Schedule of Test): Internal & External Penetration test; Network Services Attestation; Web Application code assurance; Station IT Security Posture; Social Engineering Drill
Unplanned Assurance (Schedule of Price Agreement, by man day rate): Additional Device for Monitoring; Additional Testing Services; Forensic services; Other security services
RealITy Dashboard Reports
Support Teams: All Vendors; ESM; MH; MTM; IT ISS; Mail Team; M Team; S Team; Security Team

Page 27:

The IT Control Tower uses more comprehensive tools which focus on end-to-end IT services, including Security and Compliance

Page 28:

Talking the walk is equally important as walking the talk… We need to "marketecture". (Step 8)

• We communicate our findings to:
  • Board Safety and Security Committee - Quarterly
  • Accountable Managers Meeting - Quarterly
  • IT Management - Monthly
• Participate in Cyberdrills with MKN and CyberSecurity Malaysia
• Repelled targeted attacks on Malaysia Airlines on 1 July 2012 (16 hours)
• Visits from fellow GLCs and Government agencies

Page 29:

[IT Security Index dashboard, status based on the July 2012 report]

IT Security Index: Overall - Low
Global Threat and Vulnerability: Overall - Low
Virus Protection Index: Overall VPI - 98.93 %
SPAM Filtering Index: Overall SFI - 81.6 %
IT Security Policy Compliance: Overall IT SPC - 87.81 %
IT Security Incidents: Overall - Medium

Page 30:

We were awarded the Information Security Project of the Year 2009

Page 31:

We were awarded the IT Visionary Award for Asia South 2008

Page 32:

In 2010, as a result of the earlier initiatives, we won more awards… It is nice to be appreciated.

• CIO of the Year
• Deputy Minister Award
• Information Security Project of the Year – PCI-DSS

Page 33:

As a Recap…

• Find the right resources
• Find the business value of your SoC
• Get the sponsors and know your stakeholders
• Begin with the end in mind
• Start small but shout big
• Leverage
• Can pause but keep evolving
• "Marketecture"

Page 34:

Thank you