Transforming an Existing Security Team to an Elite SOC

Michael Buckwell

September 2016 (slide deck dated 9/7/2016)


About Me

» Current
• Manager of Enterprise SOC ‐ Windstream
• Adjunct Faculty, University of Akron

» Prior
• Business Information Security Officer (BISO), IT ‐ Windstream
• Enterprise Security Architect ‐ Diebold
• Senior Data Center Engineer ‐ SecureData365
• Security Analyst ‐ Progressive Insurance

» Certifications
• CISSP #376176
• GSEC #7576
• GAWN #1153
• GPEN #2379
• GWAPT #644
• GCFA #9706

People, Process, Technology

[Diagram: People, Process, Technology]

» Presentation focus on People and Process

» Technologies can help as tools, but without People and Process, how can the tools be used?


Security Operation Center: Defined

» “A SOC is a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents.” – MITRE, Ten Strategies of a World‐Class Cybersecurity Operations Center, p. 9

• Provide a means to report suspected cybersecurity incidents

• Provide incident handling assistance

• Disseminate incident‐related information


SOC Mission

» Lead and coordinate response to confirmed cybersecurity incidents

» Monitoring, detection, and prevention of cybersecurity incidents

» Ongoing threat analysis and situational awareness

» Network, host, and application vulnerability identification

Some definitions for clarity

» Event: Any observable occurrence in a system and/or network. Events sometimes provide indication that an incident is occurring. [1]

» Incident: An assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system, or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. [1]

» Triage: the process of sorting, categorizing, and prioritizing incoming incident reports. [2]

[1] Committee on National Security Systems, “CNSS Instruction No. 4009,” Committee on National Security Systems, Ft. Meade, 2010. https://www.ncsc.gov/nittf/docs/CNSSI‐4009_National_Information_Assurance.pdf

[2] Killcrece, Georgia; Kossakowski, Klaus‐Peter; Ruefle, Robin; Zajicek, Mark, “Organizational Models for Computer Security Incident Response Teams,” December 2003. [Online]. www.cert.org/archive/pdf/03hb001.pdf.


Original State: What wasn’t happening

» Cyber functions, such as event monitoring, event triage, and computer forensics, were secondary to operational functions
• Monitoring activities that did happen were limited and immature

» Core cyber skills not regularly exercised due to other operational duties

» Event Monitoring & Threat Management are analytical disciplines; many security tools are deployed by IT operations “out of the box”, and little is done to assess their effectiveness or implement mitigations for evolving threats

» Unable to act on “Indicators of Compromise” received from third parties (FBI/DHS, sector information sharing, open source reports)


Original State: What was happening

» Organizational growth through acquisitions brought operational support of key infrastructure
• Network Firewalls, Authentication Platforms, Web and Application Proxy

» Platforms required real‐time focus to prevent user‐impacting downtime

Preparing To Change

» Champion for change: there needs to be someone who will advocate for a change from the status quo
• In this case, the CISO

» Key stakeholder support: the change champion must win the support of key parts of the organization
• CIO, CFO, VP‐Infrastructure


Communicating the Drivers for change

» Centralization of key security capabilities to the CISO organization is a move to help with enforcement of policy

» Reduce impact of attacks that can affect network performance

» Dedicated monitoring and triage of cyber threats and vulnerabilities reduce the risk of threat actor activities impacting core network and systems

» Improved security detective and preventative cyber controls to mitigate risk to business strategies

Communicating the Drivers for change: 2016 Verizon Data Breach Investigation Report

[Charts from the 2016 Verizon DBIR]

Communicating the Drivers for change: 2015 Verizon Data Breach Investigation Report

[Chart from the 2015 Verizon DBIR]

“… “detection deficit” between attackers and defenders. We think it highlights one of the primary challenges to the security industry.”

– Verizon DBIR 2015, p. 6


Communicating the Drivers for change: 2014 Verizon Data Breach Investigation Report

[Chart from the 2014 Verizon DBIR]

Communicating the Drivers for change: 2013 Verizon Data Breach Investigation Report

[Chart from the 2013 Verizon DBIR]

Communicating the Drivers for change: 2012 Verizon Data Breach Investigation Report

[Chart from the 2012 Verizon DBIR]

Communicating the Transition Plan

[Org charts: 2014, 2015, 2015 Proposed]

» 2014: VP Infrastructure -> Director -> InfoSec Senior Engineer (x2), InfoSec Analyst (x2)

» 2015: CISO -> InfoSec Senior Engineer (x2), InfoSec Analyst (x2)

» 2015 Proposed: CISO -> SOC Manager
• Engineering: InfoSec Senior Engineer, InfoSec Engineer
• Tier II: InfoSec Senior Analyst (x2)
• Tier I: InfoSec Analyst (x3)


Transitioning

Removing “Other” Operational Function

» Operational tasks were realigned with other existing internal teams that supported similar areas
• Alignment of synergies across multiple internal departments
- Network firewalls, Authentication platforms
• Remnants of acquisition integrated or decommissioned


Removing “Other” Operational Function

» Original plan called for SOC Engineering focus to maintain and support key technologies

» Larger organizational realignment provided opportunities for further consolidation of synergies
• Customer‐facing security engineering group aligned into the CISO org
• Align SOC mission functions and transition away from platform engineering and support

Focusing on SOC Mission

» Lead and coordinate response to confirmed cybersecurity incidents
• Identify key incident response processes
• Refine through lessons learned
• Formalization and expansion of forensic processes


Focusing on SOC Mission

» Monitoring, detection, and prevention of cybersecurity incidents
• Development of monitoring use cases
• Ensuring a risk‐based approach to monitoring
• Examining logs and events previously reviewed

» Ongoing threat analysis and situational awareness
• Processing 3rd‐party data around IOCs, threats, trends, vulnerabilities
• Technical review and processing
• Internal communication to raise situational awareness


Focusing on SOC Mission

» Network, host, and application vulnerability identification
• Expanded vendor vulnerability review
• Extensive discovery and credentialed vulnerability scanning
• Application security service models
• Standing role in SDLC project gates
- Budgetary inputs to ensure time and costs covered

Transitioning: Current State

[Org charts: 2015 Actual, Present]

» 2015 Actual: SOC Manager
• Engineering: Senior Analyst, Analyst
• Red Team: Analyst II, Analyst
• Blue Team: Senior Analyst, Analyst (x3)
• SOC Tier 1

» Present: SOC Manager
• Red Team: Senior Analyst, Analyst II, Analyst (x2)
• Blue Team: Senior Analyst, Analyst (x3)
• MSSP 24x7 Monitoring
• SOC Tier 1


Challenges

Finding the right people: Addressing the Skills Gap

» Industry as a whole calls out the lack of cyber security professionals

» Nearly a constant process of filling open positions

[Chart: Filled vs Total Jobs (Filled Positions vs Total Positions), scale 0 to 9]


2015 (ISC)2 Global Information Security Workforce Study

» “62% of the survey respondents stated that their organizations have too few information security professionals.”

https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan‐(ISC)%C2%B2‐Global‐Information‐Security‐Workforce‐Study‐2015.pdf



2016 Black Hat Attendee Survey

https://www.blackhat.com/docs/us‐16/2016‐Black‐Hat‐Attendee‐Survey.pdf



ISACA 2016

http://www.isaca.org/cyber/PublishingImages/Cybersecurity‐Skills‐Gap‐1500.jpg

http://www.isaca.org/cyber/Documents/State‐of‐Cybersecurity_Res_Eng_0415.pdf

Finding the Right People

» Internal transfers
• Existing employee base knows the business better than external candidates
• Bring invaluable operational knowledge
• Two key hires came from other parts of the organization

» External candidates with the right fit
• Candidates that match the mission of the team but who also can work well with the team
• For some positions, demonstrating the drive to learn can be just as important as coming to the table with developed skills


Finding the Right People: Sourcing

» Contract to Hire
• Provides a lower‐risk trial period for both parties

» Local Universities
• Teaching provided a pool of potential candidates
• In‐class experience provides insight into future job performance
• Key analyst for ransomware and phishing response had taken my class a year earlier

Developing the skills you need

» If the analysts do not have the needed skills, either because they are new to the security profession or because those with developed skills are hard to find, develop and train the skills you need
• Mentoring and coaching become critical


Developing the skills you need

» Daily all‐team touch‐point standup meeting

» Each analyst gets one‐on‐one time to review issues, concerns, progress, and development areas

» Larger sub‐team meetings
• Red Team, Blue Team, Monitoring, and Logging

» Team lead training sessions
• One person researches a tool or technology and presents it to the rest
• Sessions are recorded for future analysts

What happens when this approach fails

» The process of trying to develop analysts may not always succeed

» Leadership must closely monitor each individual and the team’s overall health

» Minor corrections can and should be made frequently

» Some situations may require more drastic actions


Key Observations

» Executive Stakeholder support key

» Mission focus critical to success

» People alignment with plan needed and may require staff changes

» Developing desired skill sets can succeed but also has risk of failure


Further Reading

» Killcrece, Georgia; Kossakowski, Klaus‐Peter; Ruefle, Robin; Zajicek, Mark, “Organizational Models for Computer Security Incident Response Teams,” December 2003. [Online]. www.cert.org/archive/pdf/03hb001.pdf.

» Zimmerman, C., “Ten Strategies of a World‐Class Cybersecurity Operations Center,” 2014. [Online]. https://www.mitre.org/sites/default/files/publications/pr‐13‐1028‐mitre‐10‐strategies‐cyber‐ops‐center.pdf