Slide 1
SECURITY OPERATION CENTER - Models, Strategies and development (صدا وسیما presentation)
By Ali Mohammadi – December 12-13, 2017
Slide 2
Outline
• Organizational Security Concept
• Security Operations Center (SOC) Concept
• SOC Models
• SOC Architecture
• SOC Strategies & Approaches
• SOC Develop & Plan
Slide 3
Organizational Security Concept
Slide 4
The current environment is putting new demands on security operations
• Social Business: blurring “social” identities
• New Business Models, New Technologies
• Cloud / Virtualization
• Mobile Collaboration / BYOD
• Large existing IT infrastructures with a globalized workforce, 3rd party services, and a growing customer base
• Velocity of Threats
• Evolving Regulations
Potential Impacts: Malware infection, Loss of productivity, Data Leakage, Data or Device Loss or Theft, Regulatory Fines ($$$)
Slide 5
Why do we build operational security controls & capabilities?
• Reduce enterprise risk.
• Protect the business.
• Move from reactive response to proactive mitigation.
• Increase visibility over the environment.
• Meet compliance/regulatory requirements.
Slide 6
The organization drives the Security Model
Slide 7
Security Technology Stack
• GRC
• Identity, Entitlement, Access
• Information & Event Mgmt.
• Cryptography
• Data Security
• Application Security
• Host Security
• Network Security
• Physical Security
Slide 8
Network Security, and its relationships to the stack
• Host Security: interconnected hosts on network; control hosts on network
• Cryptography: establish secure channel; key management; crypto offload
• Security Info & Event Management: send security logs; detect security incidents
• Application Security: monitor and control applications running on network
• Identity and Access: use identity; retrieve access control
• Data Security: monitor and control data flows on network
Slide 9
Security Operations Center (SOC) Concept
Slide 10
What is a Security Operations Center, or SOC? A Security Operations Center is a highly skilled team that follows defined processes to manage threats and reduce security risk.
Security Operations Centers (SOC) are designed to:
• protect mission-critical data and assets
• prepare for and respond to cyber emergencies
• help provide continuity and efficient recovery
• fortify the business infrastructure
The SOC’s major responsibilities are:
• Monitor, Analyze, Correlate & Escalate Intrusion Events
• Develop Appropriate Responses: Protect, Detect, Respond
• Conduct Incident Management and Forensic Investigation
• Maintain Security Community Relationships
• Assist in Crisis Operations
Slide 11
Designing and building a SOC requires a solid understanding of the business’ needs and the resources that IT can deploy. There are multiple stakeholders, processes and technologies to consider:
• An operational process framework
• Physical space requirements and location
• Personnel skills: security analysts, shift leads, SOC managers
• People: In-house staff, Partners, Outsourced Providers, Customers
• Process and Technology: Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Vulnerability Scanners, Identity & Desktop Mgmt, Ticketing System, Change Tracking, Threat Analysis, Compliance Mgmt, SLA Mgmt, Risk Assessment, Change Mgmt, Vulnerability Mgmt, Identity & Access, Incident Mgmt
Slide 12
Building a Security Operations Center involves multiple domains
People
• Do you need 24x7x365 staff?
• What are the skills needed?
• Where do you get staff?
• What about training?
• How do you keep staff?
• Metrics to measure performance
• Capacity planning
Process
• What does the plan look like?
• How do we measure progress and goals?
• What is the optimal design of core processes? (e.g. incident management, tuning, etc.)
• Process and continual improvement
Technology
• SIEM architecture & use cases
• Log types and logging options
• Platform integrations; ticketing, governance, big data
• Web services to integrate them
• Technology should improve effectiveness and efficiency
• Dashboard visibility and oversight
Governance / Metrics
• Policy, measurement and enforcement
• Integrated governance that balances daily operations with strategic planning
• Ministry objectives
• Informing stakeholders
• Informing employees
Slide 13
CyberSecurity Operations Center
• The Security Operations Center (SOC) term is being taken over by physical surveillance companies
• We’re building a Cyber Security Operations Center (CSOC) that doesn’t have any physical surveillance capability.
• It could be a component of a SOC in the future
Slide 14
(C)SOC vs. NOC
• A Network Operations Center is usually responsible for monitoring and maintaining the overall network infrastructure. Its primary function is to ensure uninterrupted network service.
• A CSOC leverages security-related network activity to refine security incident response.
• CSOC and NOC should complement each other and work in tandem.
Slide 15
SOC Models
Slide 16
The changing requirements for enterprise security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of a SOC.

| Area | Dimension | Legacy SOC | Optimized SOC |
|---|---|---|---|
| Mission & Strategy | Charter | Technology or service only | Build a dedicated security operations capability |
| Mission & Strategy | Governance | Self governed (IT Security) | Cross-functional (IT, Business, Audit, etc.) |
| Mission & Strategy | Strategy | Budget based, 12 month planning cycle | 3+ year cycle, priorities set by enterprise |
| Technology | Tools | SIEM tool only | SIEM, ticketing, portal/dashboard, Big Data |
| Technology | Use Cases | Standard rules, minimal customization | Tailored rules based on risk & compliance drivers |
| Technology | Referential Data | Minimal importance, secondary priority | Required data, used to prioritize work |
| Operations Management | Measures | Silos, ticket/technology driven | Cross-functional, efficiency, quality, KPI/SLO/SLA |
| Operations Management | Reporting | Ticket/technology driven | Metrics, analytics, scorecards & dashboards |

Legacy SOC: Detect & react to threats. Optimized SOC: Proactive. Visible. Anticipate threats. Mitigate risks.
![Page 17: SECURITY OPERATION CENTER - صدا وسیما Presentation... · SECURITY OPERATION CENTER - Models, Strategies and development - By Ali Mohammadi – Desember 12,13, 2017 1](https://reader030.vdocuments.net/reader030/viewer/2022012314/5c770a4209d3f2a94e8b5f59/html5/thumbnails/17.jpg)
Threat
Response Adv. Event Analysis
Escalations
Incident Mgmt.
SOC Data Sources Logs (Transactional) Network Hierarchy & Design Business Data from Structure & Geography
Unstructured (Big Data) Asset & Data Classifications Threat Intelligence
Threat
Monitoring
Threat Analysis
Impact Analysis
SOC Service Delivery Management
Service Level Management Operational Efficiency Service Reporting Escalation
SOC Platform Components
Security Device Data Event Data (Int./Ext.) Event Patterns Correlation
Aggregate Security Events Log Data (Transactional) Unstructured Data (Big Data) Custom Rules
Security Analytics &
Incident Reporting
Cyber-Security Command Center (CSCC)
Executive Security Intelligence Briefings Local Reg. Security Oversight SOC Governance
Consolidated Security Analytics & Dashboards Local/Reg. Intel. Briefings
SO
C
Go
ve
rna
nce
SO
C
Te
ch
no
log
y
Security Intelligence
Incident Hunting PM Use Case Recommendations
Admin Support
Services
Tool Integration
Rule Admin
CSIRT
Management
Corp. Incident Response
Table-top Exercises
SIEM Ticketing &
Workflow Portal
Integration Tools
(e.g. Web Srvcs)
Reporting /
Dashboard Big Data
Threat
Triage
Investigations
Incident Triage
Security Operations Operating Model
SO
C
Op
era
tio
ns
Corporate
Business Units
Legal
Audit
IT Operations
Incident Mgmt
Problem Mgmt
Change Mgmt
Release Mgmt
Business
Operations
Business Ops
Investigations
Public Relations
Legal / Fraud
Architecture &
Projects
Emergency
Response
IT Operations
Legend
SOC
IT / Corp
Slide 18
We understand that an effective SOC has the right balance of People, Process and Technology components
• People: In-house staff, Partners, Outsourced Providers, Customers
• Process and Technology: Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Vulnerability Scanners, Identity & Desktop Mgmt, Ticketing System, Change Tracking, Threat Analysis, Compliance Mgmt, SLA Mgmt, Risk Assessment, Change Mgmt, Vulnerability Mgmt, Identity & Access, Incident Mgmt
Slide 19
The SOC is organized around the standard plan, build and run model
SOC Organization Chart
Governance
SOC Delivery Manager
• SOC Engineering Manager (Build): Security System Administrator; Security Policy Administrator; Device Administrator
• SOC Monitoring Tier 1 (Run): Senior Threat Analyst; Threat Analyst; Threat Analyst Trainee
• SOC Triage Tier 2 (Run): Senior Threat Response Analyst; Threat Response Mitigation Analyst (Reactive); Threat Response Remediation Analyst (Proactive)
• SOC Escalation Tier 3 (Run): Incident Case Manager; Senior ERS Incident Response Technical Analyst
• Security Intelligence Manager (Build / Plan): SOC / Security Intel Architect (Plan)
IT Operations: Incident Mgmt; Problem Mgmt; Change Mgmt; Release Mgmt; Device Mgmt
Slide 20
A responsibility matrix for all SOC roles should be defined across each SOC service.
Roles (columns): SOC Analyst: Monitoring; SOC Analyst: Triage; SOC Analyst: Response; Security Intelligence Analyst; Security Incident Handler (Certified); SOC Tools Admin; SOC Manager; Security Forensic Analyst; IT Security Admin; IT Operations; CERT
Entries (R = Responsible, A = Accountable, C = Consulted, I = Informed), listed in column order with empty cells omitted:
Core Security Services
• Security Monitoring: R C A
• Incident Triage: C R C A
• Incident Response: C C R C R A R I
• Delivery Management: A I
Deployment Services
• Use Case Design: C C C R C A C C
• Log Source Acquisition: R C R A C C
• Service Testing & Tuning: R A I I
• Custom Playbook Development: C C C R C C A C C
• Operations Training: C C C R C A
Security Intelligence Services
• Security Intelligence Analysis: C C C A C C C
• Security Intelligence Briefings: A C C C
• Use Case Recommendations: C C C A C C C
Administrative Services
• SIEM Administration: R A I I
• Contextual Data Management: C R A C C
• Log Source Management: C R A C C
• Log Source Heartbeat Monitoring: C R A C C
Reporting Services
• Security Reporting: C C C C C A C I
• Efficiency Reporting: C C C A C I
• Financial Reporting: C C C C A I
Optional Services
• Enterprise Incident Management: C A
• Forensics Investigation: C C C C C A C C
• Policy Violation Handling: C C C C A C
Slide 21
SOC Architecture
Slide 22
Why?
• We’ve been collecting security related data for a number of years and needed a focal point to help us see the big picture
• Data from:
  • Security Reviews
  • Vulnerability scans (push/pull)
  • IPS/IDS data
  • System logs
• We want to build a “security history” for a host
Slide 23
Why?
• The CSOC is a logical place to collect, analyze and distribute data collected to support our Defense in Depth Strategy:
  • Preventing Network Based Attacks
  • Preventing Host Based Attacks
  • Eliminating Security Vulnerabilities
  • Supporting Authorized Users
  • Providing tools for Minimizing Business Loss
Slide 24
Where?
• OS Syslog/event logs, IDS logs, IPS logs, PID logs, Firewall logs, Pen Test Logs, PCI, netflow
• CSOC needs to be able to analyze and display this data quickly
• Data resides on separate, distributed servers
• CSOC pulls data from these servers as needed
• CSOC lives in the IT Security Office & Lab
Slide 25
What?
• Provides real-time view of the VT network’s security status
• Provides info to assess risk, attacks, mitigation
• Provides metrics:
  • Executive
  • Operational
  • Incident
Slide 26
What?
• Event Generators (E boxes)
  • Any form of IDS sensor (firewalls, IPS, IDS, Snort, Active Directory servers, Remedy, vulnerability scanners, TACACS, application software)
  • Most are Polling Generators: they generate specific event data in response to a specific action
  • Example: IDS or firewall
Slide 27
What?
• Events Databases (D boxes)
  • Provide basic storage, search and correlation tools for events collected and sent to the CSOC
  • Vulnerability databases contain info about security breaches, etc.
Slide 28
What?
• Events Reactions (R boxes)
  • SOC Console: used for internal analysis
    • Real-time monitors (Snort, Base, IPS, Dshield)
    • Incident Handling
    • Remedy trouble ticket system
    • Location tools
    • Statistical analysis
  • End User Portals: multi-level reporting for various target audiences
    • Sysadmin, management
Slide 29
What?
• Analysis Engines (A boxes)
  • Help the analyst determine if an incident has occurred, its spread, its impact, etc.
• Knowledge Base Engines (K boxes)
  • Store security configs of critical assets, tips/tricks and effective solutions to previous problems
• Reaction and Report Engines (R boxes)
  • Switches, routers, IPS and associated management tools
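The E/D/A/K/R-box architecture of slides 26-29 and the per-host “security history” of slide 22, as an added Python example (not code from the slides or from any product named in them): E boxes emit events, the D box stores them per host, the K box supplies asset classification, the A box correlates a host's history into a verdict and the R box opens a ticket. Every event, address and asset classification is a constructed sample, and the correlation rule in analyze_host is an assumption made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    source: str   # which E box produced it: "scanner", "snort" or "syslog"
    host: str     # host the event is about; the D box keys history on this
    kind: str     # "vuln", "ids_alert" or "auth_fail"
    detail: str
    ts: int       # constructed timestamp (seconds)


# E boxes: constructed sample output from a vulnerability scanner, Snort and syslog
SAMPLE_EVENTS = [
    Event("scanner", "10.0.0.5", "vuln", "SMB service missing vendor patch", 1000),
    Event("snort", "10.0.0.5", "ids_alert", "suspicious SMB traffic from 203.0.113.7", 1500),
    Event("syslog", "10.0.0.5", "auth_fail", "sshd: failed password for root", 1510),
    Event("syslog", "10.0.0.5", "auth_fail", "sshd: failed password for root", 1511),
    Event("snort", "10.0.0.9", "ids_alert", "suspicious SMB traffic from 203.0.113.7", 1600),
]

# K box: constructed asset knowledge; the classification drives the impact rating
ASSET_CLASS = {"10.0.0.5": "critical", "10.0.0.9": "low"}


class EventStore:
    """D box: keeps each host's security history, ordered by time."""

    def __init__(self):
        self._by_host = defaultdict(list)

    def ingest(self, ev):
        self._by_host[ev.host].append(ev)

    def history(self, host):
        return sorted(self._by_host.get(host, []), key=lambda e: e.ts)

    def hosts(self):
        return list(self._by_host)


def analyze_host(history, asset_class):
    """A box: correlate one host's history into a verdict (constructed rule).
    IDS alert alone -> 'suspect'; alert on a host with a known vulnerability
    -> 'probable'; two or more auth failures after the alert -> 'confirmed'.
    Impact uses the K box: critical assets rate 'high', others 'medium'.
    """
    alerts = [e for e in history if e.kind == "ids_alert"]
    if not alerts:
        return None
    vulns = [e for e in history if e.kind == "vuln"]
    status = "probable" if vulns else "suspect"
    last_alert = max(a.ts for a in alerts)
    fails = [e for e in history if e.kind == "auth_fail" and e.ts > last_alert]
    if vulns and len(fails) >= 2:
        status = "confirmed"
    severity = "high" if asset_class == "critical" and status != "suspect" else "medium"
    return {"status": status, "severity": severity, "evidence": len(history)}


def react(host, verdict):
    """R box: open a ticket for probable/confirmed incidents; suspects stay on the console."""
    if verdict is None or verdict["status"] == "suspect":
        return None
    return {"ticket": f"INC-{host}", "priority": verdict["severity"], "status": verdict["status"]}


def run_pipeline(events, asset_class):
    """Drive events through the D, A and R boxes; return tickets keyed by host."""
    store = EventStore()
    for ev in events:
        store.ingest(ev)
    tickets = {}
    for host in store.hosts():
        verdict = analyze_host(store.history(host), asset_class.get(host, "unknown"))
        ticket = react(host, verdict)
        if ticket:
            tickets[host] = ticket
    return tickets


if __name__ == "__main__":
    for host, ticket in run_pipeline(SAMPLE_EVENTS, ASSET_CLASS).items():
        print(host, ticket)
```

With the sample data only 10.0.0.5 produces a ticket: its scan result, IDS alert and later auth failures line up into a confirmed, high-priority incident, while 10.0.0.9's lone alert stays on the console as a suspect.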
Slide 30
Access Management / Security Operations Center (SOC) / Automation & Integration of Security Operations (diagram)
Slide 31
SOC Architecture (diagram)
Slide 32
SOC Workflow (diagram)
Slide 33
Security Operations Center Infrastructure v1.0 6/4/2008 (diagram)
• ITSO Staff
• Daily Scan: Nexpose, Acunetix, Core Impact → Vulnerability Results Database
• Central Syslog Servers
• Dshield
• Checknet
• Snort Sensors
• Host Locator DB: IP Ranges, Dept. Liaisons, DHCP, VPN, Modem Pool
• Remedy
• Correlation & Report Generation (text)
• BASE
• User Initiated Scan: Nessus, nmap → Scan Results (PDF) → Scanner User
Legend: Green – E boxes; Blue – D boxes; Grey – A boxes; Yellow – K boxes
Slide 34
SOC Strategies & Approaches
Slide 35
Selecting the optimal SOC operating model depends on balancing business and technical requirements, risk and financial constraints
Business Requirements
• Centralized: Single Global SOC; CSCC Combined with SOC; Lowest Cost; Easiest to Manage
• Decentralized: Multiple SOCs (Geo. / BU); Single Global CSCC; High Cost; More Difficult to Manage
Technical Requirements
• Standard: Simple Platform; Lowest Cost to Implement/Operate; Good Risk Mgmt Capabilities; Easy to Scale Operations; Moderate Detail on Threats
• Highly Customized: Complex Platform; High Cost to Implement/Operate; Excellent Risk Mgmt Capabilities; More Expensive to Scale Operations; Rich Detail on Threats
Risk Tolerance
• Externally Managed: 30-90 Day Implementation; Lowest Cost to Implement/Operate; Not Core to Business; Leverage Industry Best Practices
• Internally Managed: Long Implementation Lead Time; High Cost to Implement/Operate; Core to Business; Frequent Independent Reviews
Financial Constraints
• Low Cost: Lowest Cost to Implement; Lowest Cost to Operate
• High Cost: Highest Cost to Implement; Highest Cost to Operate
Slide 36
SOC Develop & Plan
Slide 37
To get started, the organization should consider the following questions in establishing its objectives
• What is the primary purpose of the SOC?
• What are the specific tasks assigned to the SOC? (e.g., threat intelligence, security device management, compliance management, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)
• Who are the consumers of the information collected and analyzed by the SOC? What requirements do they have for the SOC?
• Who is the ultimate stakeholder for the SOC? Who will “sell” the SOC to the rest of the organization?
• What types of security events will eventually be fed into the SOC for monitoring?
• Will the organization seek an external partner to help manage the SOC?
Slide 38
The Security Operations Optimization portfolio provides a flexible approach to the entire SOC/SIEM life cycle.
Tracks: People and Governance; Processes and Practices; Technology
Introduction
• Educational, share best practices
• Table-top, guided SOC maturity assessments
Assessment
• Set high-level vision
• Develop next steps roadmap for action
Strategy
• Define the mission
• Assess current operations and capabilities
• Define future environment
• Develop roadmap for action
Design & Build
• Laying the foundation of capabilities
• Designing effective staffing models and supporting processes / technology
• Conducting training and testing
• Implementing tracking and reporting capabilities
Run & Enhance
• Leveraging acquired knowledge and experience
• Instituting formal feedback and review mechanisms
• Driving further value from the technology
• Expanding business coverage and functions
• Tuning and refinement
Optimize
• Business aligned threat management and metrics
• Drive for best practices
• Integrated operations with improved communications
• Seek opportunities for cost takeout
• Continuous improvement
Slide 39
References
• IBM Security Services
• Meadowville Technology Park, Chesterfield County, Virginia
• Carl Hill, President, www.gtscloud.com
• Paladion Co, paladion.net
• Randy Marchany, VA Tech IT Security Office and Lab
Slide 40
Thank you for your time!
Questions and Answers