Transforming an Existing Security Team to an Elite SOC
Michael Buckwell
September 2016
9/7/2016
About Me
» Current
• Manager of Enterprise SOC ‐ Windstream
• Adjunct Faculty, University of Akron
» Prior
• Business Information Security Officer (BISO) ‐ IT, Windstream
• Enterprise Security Architect ‐ Diebold
• Senior Data Center Engineer ‐ SecureData365
• Security Analyst ‐ Progressive Insurance
» Certifications
• CISSP #376176
• GSEC #7576
• GAWN #1153
• GPEN #2379
• GWAPT #644
• GCFA #9706
People, Process, Technology
[Diagram: People, Process, Technology]
» This presentation focuses on People and Process
» Technologies can help as tools, but without People and Process, how can the tools be used?
Security Operation Center: Defined
» “A SOC is a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents.” – MITRE, Ten Strategies of a World‐Class Cybersecurity Operations Center, p. 9
• Provide a means to report suspected cybersecurity incidents
• Provide incident handling assistance
• Disseminate incident‐related information
SOC Mission
» Lead and coordinate response to confirmed cybersecurity incidents
» Monitoring, detection, and prevention of cybersecurity incidents
» Ongoing threat analysis and situational awareness
» Network, host, and application vulnerability identification
Some definitions for clarity
» Event: Any observable occurrence in a system and/or network. Events sometimes provide indication that an incident is occurring. [1]
» Incident: An assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. [1]
» Triage: process of sorting, categorizing, and prioritizing incoming incident reports. [2]
[1] Committee on National Security Systems, “CNSS Instruction No. 4009,” Committee on National Security Systems, Ft. Meade, 2010. https://www.ncsc.gov/nittf/docs/CNSSI‐4009_National_Information_Assurance.pdf
[2] Killcrece, Georgia; Kossakowski, Klaus‐Peter; Ruefle, Robin; Zajicek, Mark, “Organizational Models for Computer Security Incident Response Teams,” December 2003. [Online]. www.cert.org/archive/pdf/03hb001.pdf.
Original State: What wasn’t happening
» Cyber functions, such as event monitoring, event triage, and computer forensics, were secondary to operational functions
• Monitoring activities that did happen were limited and immature
» Core cyber skills not regularly exercised due to other operational duties
» Event Monitoring & Threat Management are analytical disciplines; many security tools are deployed by IT operations “out of the box”, and little is done to assess effectiveness or implement mitigations for evolving threats
» Unable to act on “Indicators of Compromise” received from third parties (FBI/DHS, sector information sharing, open source reports)
Original State: What was happening
» Organizational growth through acquisitions brought operational support of key infrastructure
• Network firewalls, authentication platforms, web and application proxy
» Platforms required real‐time focus to prevent user‐impacting downtime
Preparing To Change
» Champion for change: there needs to be someone who will advocate for a change from the status quo
• In this case the CISO
» Key stakeholder support: the change champion must win the support of key parts of the organization
• CIO, CFO, VP‐Infrastructure
Communicating the Drivers for change
» Centralization of key security capabilities to the CISO organization is a move to help with enforcement of policy
» Reduce impact of attacks that can affect network performance
» Dedicated monitoring and triage of cyber threats and vulnerabilities reduces the risk of threat actor activities impacting the core network and systems
» Improved detective and preventative security controls to mitigate risk to business strategies
Communicating the Drivers for change: Verizon Data Breach Investigation Reports, 2012 to 2016
[Charts from the 2016, 2015, 2014, 2013, and 2012 Verizon Data Breach Investigation Reports]
» “… “detection deficit” between attackers and defenders. We think it highlights one of the primary challenges to the security industry.” – VDBR 2015, p. 6
Communicating the Transition Plan
» Org chart, 2014: VP Infrastructure; Director; InfoSec Senior Engineer ×2; InfoSec Analyst ×2
» Org chart, 2015: CISO; InfoSec Senior Engineer ×2; InfoSec Analyst ×2
» Org chart, 2015 Proposed: CISO; SOC Manager
• Engineering: InfoSec Senior Engineer; InfoSec Engineer
• Tier II: InfoSec Senior Analyst ×2
• Tier I: InfoSec Analyst ×3
Transitioning
Removing “Other” Operational Function
» Operational tasks were realigned with other existing internal teams that supported similar areas
• Alignment of synergies across multiple internal departments
- Network firewalls, authentication platforms
• Remnants of acquisition integrated or decommissioned
» Original plan called for SOC Engineering focus to maintain and support key technologies
» Larger organizational realignment provided opportunities for further consolidation of synergies
• Customer‐facing security engineering group aligned into the CISO org
• Align SOC mission functions and transition away from platform engineering and support
Focusing on SOC Mission
» Lead and coordinate response to confirmed cybersecurity incidents
• Identify key incident response processes
• Refine through lessons learned
• Formalization and expansion of forensic processes
» Monitoring, detection, and prevention of cybersecurity incidents
• Development of monitoring use cases
• Ensuring a risk‐based approach to monitoring
• Examining logs and events previously reviewed
» Ongoing threat analysis and situational awareness
• Processing third‐party data around IOCs, threats, trends, vulnerabilities
• Technical review and processing
• Internal communication to raise situational awareness
» Network, host, and application vulnerability identification
• Expanded vendor vulnerability review
• Extensive discovery and credentialed vulnerability scanning
• Application security service models
• Standing role in SDLC project gates
- Budgetary inputs to ensure time and costs covered
Transitioning: Current State
» Org chart, 2015 Actual: SOC Manager
• Engineering: Senior Analyst; Analyst
• Red Team: Analyst II; Analyst
• Blue Team: Senior Analyst; Analyst ×2
• SOC Tier 1: Analyst
» Org chart, Present: SOC Manager
• Red Team: Senior Analyst; Analyst II; Analyst ×2
• Blue Team: Senior Analyst; Analyst ×3
• SOC Tier 1: MSSP 24x7 Monitoring
Challenges
Finding the right people: Addressing the Skills Gap
» Industry as a whole calls out the lack of cyber security professionals
» Nearly a constant process of filling open positions
[Chart: Filled vs Total Jobs (Filled Positions, Total Positions)]
2015 (ISC)2 Global Information Security Workforce Study
» “62% of the survey respondents stated that their organizations have too few information security professionals.”
https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan‐(ISC)%C2%B2‐Global‐Information‐Security‐Workforce‐Study‐2015.pdf
2016 Black Hat Attendee Survey
https://www.blackhat.com/docs/us‐16/2016‐Black‐Hat‐Attendee‐Survey.pdf
ISACA 2016
http://www.isaca.org/cyber/PublishingImages/Cybersecurity‐Skills‐Gap‐1500.jpg
http://www.isaca.org/cyber/Documents/State‐of‐Cybersecurity_Res_Eng_0415.pdf
Finding the Right People
» Internal transfers
• Existing employee base knows the business better than external candidates
• Bring invaluable operational knowledge
• Two key hires came from other parts of the organization
» External candidates with the right fit
• Candidates that match the mission of the team but who also can work well with the team
• For some positions, demonstrating the drive to learn can be just as important as coming to the table with developed skills
Finding the Right People: Sourcing
» Contract to Hire
• Provides a lower‐risk trial period for both parties
» Local Universities
• Teaching provided a pool of potential candidates
• In‐class experience provides insight into future job performance
• Key analyst for ransomware and phishing response had taken my class a year earlier
Developing the skills you need
» If the analysts do not have the needed skills, either because they are new to the security profession or because those with the developed skills are hard to find, develop and train the skills you need
• Mentoring and coaching become critical
» Daily all‐team touch point standup meeting
» Each analyst gets one‐on‐one time to review issues, concerns, progress, and development areas
» Larger sub‐team meetings
• Red Team, Blue Team, Monitoring, and Logging
» Team lead training sessions
• One person researches and presents a tool or technology to the rest of the team
• Sessions are recorded for future analysts
What happens when this approach fails
» Process of trying to develop analysts may not always succeed
» Leadership must closely monitor each individual and the team’s overall health
» Minor corrections can and should be made frequently
» Some situations may require more drastic actions
Key Observations
» Executive stakeholder support is key
» Mission focus is critical to success
» People alignment with the plan is needed and may require staff changes
» Developing desired skill sets can succeed but also has risk of failure
Further Reading
» Killcrece, Georgia; Kossakowski, Klaus‐Peter; Ruefle, Robin; Zajicek, Mark, “Organizational Models for Computer Security Incident Response Teams,” December 2003. [Online]. www.cert.org/archive/pdf/03hb001.pdf.
» Zimmerman, C., “Ten Strategies of a World‐Class Cybersecurity Operations Center,” 2014. [Online]. https://www.mitre.org/sites/default/files/publications/pr‐13‐1028‐mitre‐10‐strategies‐cyber‐ops‐center.pdf