Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Rocking a Security
Operations Center
Brandie Anderson
Sr. Manager, Global Cyber Security Threat & Vulnerability Management
Hewlett-Packard
To be or Not to be
What is a SOC?
Use Case Creation
People
Process & Procedure
Documentation
Agenda
Workflow
Metrics
I dont want to grow up
Rocking a SOC
Questions
2
Building a SOC is a business decision
Organization size
Compliance factors
Reduce the impact of an incident
ROI
Proactive reaction
To be or
Not to be
3
Through people, processes and technology, a SOC is dedicated to
detection, investigation, and response of log events triggered through
security related correlation logic
What is a SOC?
4
ArcSight Correlation
5
91% of Targeted Attacks Start
with Spear-phishing Email
Large-Scale Water
Holing Attack Microsoft's Patch Tuesday
Use Case Campaigns Hitting Leaves Out Crucial
Creation Key Targets Internet Explorer Fix
7
Roles and Responsibilities
8
Training
Information security basics
On-the-job training
SEIM training
SANS GCIA and GCIH
Career development
Avoiding burnout
Providing challenges
Outlining career progression
Exactly how do I get from
level 1 to level 2 to lead, etc
Skill assessments
Certifications
9
Business &
Operational Analytical Technology
10
Microsoft SharePoint
Pro Con
Approved by Policy Complicated to use
Already deployed, supported Typically hard to find information
both internal & by Microsoft (search)
Integrates with Active Not very flexible
Directory & MS Office No real revision File Shares
Allows for Calendars, Task control Pro
Assignment, Notifications, Everyone has MS Office
Documentation Document Revision Tracking Everyone knows how to use a
file share
Repository Wiki
Does not require specific
technology knowledge
Choices Pro
Open Source
Con
Open Source
Con
Editor utilizes Markup Cluttered
Not Vendor supported
Language (HTML-like) Overlap of information
Easy to Search Nearly impossible to search
Malleable for information
Revision Control Requires someone in charge
Plugins allow extensive of upkeep
customization
No revision control
11
12
Rule Fires
Queued
Event
Level 1 Triage Level 2
Incident
Case
Level 1 Triage Level 2
Workflows SOC Investigating Investigating
Departmental
Engineering
Close Events
Organizational Filter/Tuning
Incident Response
Closed or Ticket
13
How many events are coming in? What is coming out?
Raw Events Correlated Events
Incidents / Cases
How many data endpoints are
collected / monitored
Metrics How may different types of data
How quickly are things handled?
Event recognition
How many use cases Event escalation
Event resolution
Further defined
Per hour/day/week/month
Per analyst
Per hour of day/ per day of week
Incident / case category / severity
14
Understand the 80/20 rule
Leverage metrics
Expand senior leader dashboard view
Institute CMM methodology
Monitor organizational health
Increase complexity
Maturing
15
According to the book Pragmatic Security Metrics Applying Metametrics to Information Security*, an
information security version of the Capability Maturity Model (CMM) looks loosely like this:
16
Lessons
Learned
Recovery
Eradication
Containment
Rocking It Identification
Preparation
17
Questions
Thank you!