
Building Security Operation Center

Denis Batrankov
Solution Architect
bdv@hp.com
Why HP speaks about it

©2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice

Security Intelligence & Operations Centres (SIOC)

Built 29+ SIOCs. Consulted on 60+ SIOCs. Expertise, experience, methodology.

1. Help customers establish a Security Intelligence capability that can monitor, analyse and escalate
significant information security events to protect the confidentiality, integrity and availability of the
information technology enterprise;
2. Ensure HP ArcSight customers are successful with the product by assisting in providing the right
people skills, building the right processes and delivering effective technology; and
3. Add value to the customer’s organization by using metrics to track effectiveness of controls and use
intelligence to proactively protect against attack.
HP SIOC Consultants Background

1. Built and ran Microsoft’s SOC
2. Built and ran IBM’s Managed Security Service Provider SOC
3. Built and ran Verizon’s Managed Security Service Provider SOC
4. Built and ran Symantec’s Managed Security Service Provider SOC
5. Built and ran the SIOC for Europe’s largest Software-as-a-Service business
ArcSight Is the Only Solution

SIEM - Security Information & Event Management

ArcSight Platform: a comprehensive platform for monitoring modern threats and risks
• Capture any data from any system, including applications (SAP and others)
• Manage and store every event
• Analyze events in real time
• Identify unusual behavior at user level
• Respond quickly to prevent loss
Cover a lot of products

Source types covered (read column by column on the slide):
• Access and Identity, Anti-Virus, Applications, Content Security, Database
• Data Security, Firewalls, Honeypot, Host IDS/IPS, Network IDS/IPS
• Integrated Security, Log Consolidation, Mail Filtering, Mail Server, Mainframe
• NBAD, Network Management, Network Monitoring, Net Traffic Analysis, Operating System
• Policy Management, Router, Security Management, Switch, VPN
• Vulnerability Mgmt, Web Cache, Web Filtering, Web Server, Wireless
Accounts Correlation

Look at all IDs: email address, badge ID, phone extension. Different events are attached to the activity of one person, and each event carries a “who it is” field so that the person's activity and behavior can be understood.

Example from the slide: the identity Robert Jackson is linked to the accounts rjackson, 348924323, jackson@arc.com, robertj, rjackson_dba and 510-555-1212.
HP ArcSight ThreatDetector – Profile activity

• Early detection
• Different methods to detect good and bad behavior
• Looks at typical actors: insider, angry admin, intruder
• Allows new patterns of behavior to be created
• Immediately checks all previous events against a detected pattern of behavior

Key Benefits of “In-house” Operations

• Maintain end-to-end control of security processes and data; increased monitoring efficiency
• Business requirements are incorporated into the solution
• Ability to expand the security/compliance footprint easily (at no or little additional cost)
• Creates the platform for security monitoring and reporting

Mission: Monitor, recognize, and escalate significant information security events to protect the confidentiality, integrity and availability of the information technology enterprise.
Main questions before building a SOC

Why?
• What business issues will the SOC resolve?
• What exact tasks will the SOC perform? (block attacks from the Internet, PCI DSS compliance, insider activity detection, incident handling, etc.)
• Who will receive information from the SOC?
• Who is the sponsor of the SOC project? Who is responsible for this project inside the organization? What does that person expect from the SOC?
• What events should be collected by the SOC?
Example of using a SOC (from a customer)

• Malware spread detection
• Monitor VIP (top managers) devices
• Windows servers control
• Monitor IPS
• Monitor Active Directory
• Compliance PCI: reporting and alerting
• Monitor data leakage (DLP)
• Monitor privileged users
What are Security Operations?

[Diagram: People, Process and Technology around a six-step workflow between Customers, Level 1 and Level 2 analysts, the Incident Handler and the Engineer, with Escalation and Case closed as the outcomes]
People in SOC

[Photo: Olympic Games, Russia, Kazan, July 2013]
Establish the Right Skills

Roles (with career progression):
Security Intelligence
• Manager
• Level-1 Analyst
• Level-2 Analyst
• SIEM Content Specialist
Key Organizations
• Incident Manager
• Forensic Analyst
• SIEM Engineer

Training:
• Information Security Bootcamp
• ArcSight Training: ArcSight ESM Operations, ArcSight ESM Security Analyst, ArcSight ESM Use Case Foundations
• SANS Institute: GIAC Certified Intrusion Analyst (GCIA), GIAC Certified Incident Handler (GCIH)
• On-the-Job Training & Mentoring
SOC Methodology

HP Security Intelligence & Operations Consulting have a proven methodology for building and operating a security intelligence and operations capability:

• Assess: assess the customer’s business requirements and capability compared with security operations best practices.
• Design: design people, process and technology to deliver business objectives and provide a SOC practice roadmap to best practice.
• Manage: manage measurable, repeatable and continually improved security operations.
• Mature: mature the customer’s capability to provide continual improvements in efficiency and risk coverage.
Security Intelligence
• Proactive research into new threats and risks to your organisation
• The only team with end-to-end vision and situational awareness
• Feedback on control effectiveness
• Monitoring of threat agent channels for upcoming attacks
SOC Cost Components

Labor Direct
• SOC Analysts (24x7x365)
• SOC Manager
• SIEM Engineer (Administration and Content Development)

Labor Indirect
• Security Device Management (Device: Analyst = 20:1 – 60:1)
• Incident Response Team

Software
• ArcSight ESM w/ High Availability Failover
• Connectors
• Full Consoles / Web Consoles
• Compliance Insight Packages
• Maintenance and Support

Hardware (5 yr amortization schedule)
• ESM Servers
• Database Servers
• Connector Appliances
• Workstations w/ dual monitor displays and Laptops

Storage
• High performance RAID 1+0 SAN, 1-10+ Terabytes (driven by data retention requirements and events/day)

Services
• Education and Training for SOC Personnel
• ESM Professional Services Installation
• Long term engineering or content development services
• IT Support Services (3rd party ticketing systems, network infrastructure, annualized IT business processes, etc.)
• Systems Management Services (availability, backup / recovery, capacity / performance, system administration)
• Threat Intelligence Subscription

Facilities
• Hardened and secure datacenter location
• SOC facility
• Wall mountable screens or projectors
• Telecommunications – Phone / IP Phone
• Power and HVAC
• Uninterruptible power supplies (UPS)

Maintenance
Build-a-SOC
Staff Rota
Use Cases
Each use case lists its primary data sources, alert criteria and action:

Botnet activity
  Sources: Firewall, IDS, Proxy, Mail, Threat Intelligence
  Alert criteria: Connection to or from known malicious host or domain
  Action: Display in analyst active channel

Virus outbreak
  Sources: Antivirus
  Alert criteria: 3 viruses detected with same name in 10 minutes
  Action: Page desktop team / display in dashboard

Successful attack / malicious code
  Sources: IDS/IPS, Vulnerability
  Alert criteria: Targeted asset exhibits vulnerability, relevance=10
  Action: Page server team / display in active channel / display in dashboard

SQL injection
  Sources: Web Server, DAM, IDS/IPS
  Alert criteria: 5 injection attempts within specified time frame
  Action: Display in analyst active channel

Phishing
  Sources: Threat Intelligence, Firewall, IDS, Proxy, Mail
  Alert criteria: Connection to or from known malicious host or domain
  Action: Display in analyst active channel

Unauthorized remote access
  Sources: VPN, Applications
  Alert criteria: Successful VPN authentication from a non domain member
  Action: Display in analyst active channel / Page network team

New vulnerability on DMZ host
  Sources: Vulnerability
  Alert criteria: New vulnerability identified on publicly accessible host
  Action: Email daily report to vulnerability team

Suspicious activity
  Sources: Firewall, IDS, Mail, Proxy, VPN
  Alert criteria: Escalating watch lists (recon, exploit, brute force, etc.)
  Action: Email daily suspicious user activity report to level 1

Statistical anomaly
  Sources: IDS, Firewall, Proxy, Mail, VPN, Web Server
  Alert criteria: Moving average variation of X magnitude in specified time frame
  Action: Display alerts in situational awareness dashboard

New pattern of activity
  Sources: IDS, Firewall, Proxy, Mail, VPN, Web Server
  Alert criteria: Previously unseen pattern detected
  Action: Display in analyst active channel
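The counting rules in this table (virus outbreak, SQL injection) are sliding-window threshold correlations. The following is an added illustration, not ArcSight content or the deck's own material: the 3-in-10-minutes virus rule is the deck's, while the 5-minute SQL-injection frame, the event field names and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold rules from the use-case table. The 3-in-10-minutes virus rule is the deck's;
# the 5-minute SQL-injection frame, field names and event types are assumptions.
RULES = {
    "virus_detected": {"group_by": "name", "count": 3, "window": timedelta(minutes=10),
                       "action": "Page desktop team / display in dashboard"},
    "sql_injection_attempt": {"group_by": "dst", "count": 5, "window": timedelta(minutes=5),
                              "action": "Display in analyst active channel"},
}


def correlate(events):
    """Sliding-window count correlation: fire when `count` events sharing the
    rule's grouping value (virus name, target host) arrive within `window`."""
    windows = defaultdict(deque)  # (event type, group value) -> timestamps in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        rule = RULES.get(ev["type"])
        if rule is None:
            continue  # not covered by any threshold use case
        key = (ev["type"], ev[rule["group_by"]])
        q = windows[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > rule["window"]:  # drop events older than the window
            q.popleft()
        if len(q) >= rule["count"]:
            alerts.append({"use_case": ev["type"], "key": key[1],
                           "first": q[0], "last": ev["ts"], "action": rule["action"]})
            q.clear()  # one alert per outbreak, then start counting afresh
    return alerts


T0 = datetime(2013, 7, 1, 9, 0)  # constructed timestamp base


def sample_events():
    """Constructed feed: three Worm.X detections in 9 minutes (fires), two Trojan.Y
    detections 22 minutes apart (does not), five injection attempts on web01 in
    4 minutes (fires) and a sixth 20 minutes later (does not)."""
    av = [(0, "Worm.X", "ws01"), (4, "Worm.X", "ws02"), (8, "Trojan.Y", "ws03"),
          (9, "Worm.X", "ws04"), (30, "Trojan.Y", "ws05")]
    events = [{"ts": T0 + timedelta(minutes=m), "type": "virus_detected", "name": n, "host": h}
              for m, n, h in av]
    for m in [0, 1, 2, 3, 4, 24]:
        events.append({"ts": T0 + timedelta(minutes=m), "type": "sql_injection_attempt",
                       "dst": "web01", "src": "198.51.100.7"})
    return events


if __name__ == "__main__":
    for a in correlate(sample_events()):
        print(f'{a["use_case"]:22} {a["key"]:8} {a["first"]:%H:%M}-{a["last"]:%H:%M}  {a["action"]}')
```

Clearing the window after an alert is what keeps one outbreak from paging the desktop team on every further detection; without it the rule would fire again on each event once the count is reached.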
Event funnel

[Funnel diagram: 750 events = 31.25 EPAH (events per analyst hour)]


Analyst Effectiveness

Weekly Analysis of Events per Analyst

Week      Raw           Correlated  Analysts  Raw / Analyst  Correlated / Analyst
Week 1    38,697,210    97,922      10        3,869,721      9,792.20
Week 2    60,581,457    66,102      10        6,058,146      6,610.20
Week 4    55,585,228    19,116      10        5,558,523      1,911.60
Week 5    55,917,976    23,755      10        5,591,798      2,375.50
Week 6    54,044,928    18,340      10        5,404,493      1,834.00
Week 7    59,840,026    18,340      10        5,984,003      1,834.00
Week 8    72,364,038    33,866      10        7,236,404      3,386.60
Week 9    71,964,115    30,927      10        7,196,412      3,092.70
Week 10   71,500,000    28,900      10        7,150,000      2,890.00
Week 11   59,600,000    19,300      10        5,960,000      1,930.00
Week 12   51,200,000    11,400      10        5,120,000      1,140.00
Week 13   67,600,000    17,600      10        6,760,000      1,760.00
Week 14   76,600,000    30,000      10        7,660,000      3,000.00
Week 15   75,300,000    22,000      10        7,530,000      2,200.00
Week 16   69,200,000    17,000      10        6,920,000      1,700.00
Week 17   97,800,000    17,800      10        9,780,000      1,780.00
Week 18   108,500,000   11,500      10        10,850,000     1,150.00
Week 19   183,200,000   5,600       10        18,320,000     560.00
Week 20   182,400,000   5,100       10        18,240,000     510.00
Week 21   170,000,000   4,800       10        17,000,000     480.00
Week 22   182,400,000   7,600       10        18,240,000     760.00
Week 23   219,000,000   11,300      10        21,900,000     1,130.00
Week 24   168,800,000   8,100       10        16,880,000     810.00
Week 25   151,500,000   6,876       10        15,150,000     687.60
Week 26   170,500,000   7,813       10        17,050,000     781.30
Week 27   165,300,000   28,247      10        16,530,000     2,824.70
Week 28   161,500,000   4,569       10        16,150,000     456.90
Week 29   186,700,000   6,164       10        18,670,000     616.40
Week 30   173,600,000   5,632       10        17,360,000     563.20

Average   112,454,999   20,195                11,245,500     2,020
Median    76,600,000    17,600                7,660,000      1,760

[Charts: "Raw Events / Analyst" with trend line y = 589551x + 2E+06, and "Correlated Events / Analyst" with trend line y = -150.3x + 4274, both plotted over weeks 1-29]
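The "Statistical anomaly" use case (moving average variation of X magnitude) can be run directly over this table's weekly raw counts. This is an added example, not the deck's own analysis: the 4-week trailing window and the 1.5x magnitude are assumed tuning values, and the EPAH helper restates the funnel slide's 750 events = 31.25 EPAH figure.

```python
from statistics import mean

# Weekly raw event counts from the "Analyst Effectiveness" table above
# (weeks 1-2 and 4-30; week 3 is not on the page).
WEEKS = [1, 2] + list(range(4, 31))
WEEKLY_RAW = [
    38_697_210, 60_581_457, 55_585_228, 55_917_976, 54_044_928, 59_840_026,
    72_364_038, 71_964_115, 71_500_000, 59_600_000, 51_200_000, 67_600_000,
    76_600_000, 75_300_000, 69_200_000, 97_800_000, 108_500_000, 183_200_000,
    182_400_000, 170_000_000, 182_400_000, 219_000_000, 168_800_000, 151_500_000,
    170_500_000, 165_300_000, 161_500_000, 186_700_000, 173_600_000,
]


def moving_average_anomalies(series, labels, window=4, magnitude=1.5):
    """Flag points whose value differs from the trailing moving average of the
    previous `window` points by more than a factor of `magnitude`, in either
    direction. Returns [(label, ratio)]. Window and magnitude are assumed values."""
    anomalies = []
    for i in range(window, len(series)):
        baseline = mean(series[i - window:i])  # only past points, never the point itself
        ratio = series[i] / baseline
        if ratio > magnitude or ratio < 1 / magnitude:
            anomalies.append((labels[i], round(ratio, 2)))
    return anomalies


def events_per_analyst_hour(events, analysts=1, hours=24):
    """The funnel slide's metric: 750 events over one analyst-day is 31.25 EPAH."""
    return events / (analysts * hours)


if __name__ == "__main__":
    for week, ratio in moving_average_anomalies(WEEKLY_RAW, WEEKS):
        print(f"week {week}: {ratio}x the trailing 4-week average")
```

On the deck's own numbers the detector flags weeks 19 and 20, the jump from about 108 million to 183 million raw events per week, while the dip in week 12 stays inside the 1.5x band.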
The Cyber Killchain
Ensure the Operations are Repeatable

Event Management
• Subtle Event Detection
• Data Visualization
• Pattern Analysis

• Triage
• Callouts
• Case Management
• Crisis Response

Reporting
• Analyst Comments
• Incident Summary
• Threat Reports

Daily Operations
• Shift Schedule
• Monitoring
• Problem and Change
• Shift Turn-Over
• Daily Operations Call

Incident Management
• Incident Research
• Focused Monitoring
• Incident Response

Training
• Training plans
• Skills Development tracking

Intrusion Analysis
• Event Analysis
• Threat Intelligence
• Information Fusion

BC/DR
• Business Continuity Plan
• Disaster Recovery Plan

Design
• Developing Use Cases
• User and Asset Modeling

Process Improvement
• Maturity Assessments
• Project Methodology
• Knowledgebase (wiki)

Configuration Management
• SIEM Architecture
• Data Feed Integration

Compliance
• Internal Compliance
• Compliance Support

System Administration
• Access Management
• Maintenance and Upgrades
• Infrastructure Performance

Metrics
• Reporting KPIs
• Operational Efficiencies
Improve processes

CMMI - Capability Maturity Model® Integration
Workflow: Merging people, process & technology

Response by category and SIEM priority level (columns: priority 0-2, 3-4, 5-6, 7-8, 9-10):

Unauthorized Root/Admin Access    A    A    A    C1   C1
Unauthorized User Access          A    A    I2   C2   C1
Attempted Unauthorized Access     A    A    A    I3   C3
Successful Denial of Service      A    A    I2   C2   C1
Policy Violation                  A    A    T3   T2   T1
Reconnaissance                    A    A    A    I3   I2
Malware Infection                 A    A    T3   T2   C2

Legend:
• C1: Critical callout – 15 min
• C2: Urgent callout – 30 min
• C3: Routine callout – 2 hr
• I2: Urgent investigation
• I3: Routine investigation
• T1: Critical ticket opened
• T2: Urgent ticket opened
• T3: Routine ticket opened
• A: Active monitoring
Analytical Tools

Analytical Tools: Visualisation

Monthly Executive Brief
SOC Maturity Assessment

Establish the baseline, pragmatic plan for improvement
Security Operations Maturity Assessment

SOMM levels (level, name, description):

Level 0, Incomplete: Operational elements do not exist.

Level 1, Performed: Reliant on people and relationships, not standardized nor repeatable.

Level 2, Managed: Business goals are met and operational tasks are repeatable. Many SOCs run successfully for some period of time at this maturity level. Missing aspects often include continual improvement and demonstrated ROI.

Level 3, Defined: Operations are well-defined, subjectively evaluated, and flexible. Recommended maturity level target for most enterprise SOCs. Sufficient structure exists to meet business objectives and demonstrate ROI while still being able to adapt to enterprise requirements and the changing threat landscape without excessive overhead in processes.

Level 4, Measured: Operations are quantitatively evaluated, processes are controlled, reviewed consistently, and proactively improved. Appropriate for a managed service provider environment where financial penalties result from inconsistent delivery. This environment may not be able to adapt to individual client needs or emerging threats and requires dedicated staff to sustain the maturity level.

Level 5, Optimizing: All processes are tightly constrained, continually measured for deficiencies and variation, and continually improved. Suitable only for very narrow scope operations focused on point solutions in a tightly controlled and static environment.
Security Operations Maturity Assessment

People: 1.57
• General (1.75): Roles and responsibilities within the SOC are not defined and therefore cannot be leveraged as criteria for member evaluation.
• Training (1.55): The opportunity exists to develop an overall training program that includes a defined structure for analyst onboarding and continual growth through the career of the analyst.
• Certifications (1.00): Lack of overall industry certifications possessed by the team.
• Experience (1.70): The feeder pool to hire analysts is reasonable, yet the experience and background of some of the analysts is questionable.
• Skill Assessments (1.69): A skills assessment program should be adopted and leveraged to improve training plans and the overall skills composition of the group.
• Career Path (1.69): There is an opportunity to develop career progression plans and to help guide analysts into senior positions within the SOC or internally within the company.
• Leadership (1.77): Conducting an organizational climate survey is encouraged in order to collect feedback and incorporate it into the leadership function.

Process: 1.26
• Mission (1.27): The SOC mission, vision, and charter should be clearly outlined and articulated within the SOC and to internal groups within the organization.
• Operational Process (1.66): There are several opportunities to further develop operational processes and metrics to measure operational efficiencies.
• Analytical Process (1.15): Efforts to centralize a knowledge management solution for security analysts are currently underway.
• Business Process (0.89): SOC SLAs and analyst KPIs are not developed and therefore cannot be leveraged to capture metrics and track operational efficiencies.

Technology: 2.38
• SIEM Monitoring (2.45): SIEM meets current business needs. A test environment does exist, which means that content and data feed onboarding can go through a proper testing cycle.
• Architecture (1.95): Document data flow diagrams for troubleshooting purposes.
• Correlation (2.56): Event management metrics are captured and used to track events monitored.
• Monitored Technologies (2.22): A wide range of technologies are monitored, giving the SOC wider visibility against attack vectors.
• ILM (2.61): Data retention and protection policies adhere to company policies.

Overall SOMM Level: 1.74
Security Operations Maturity Assessment

Average SOMM By Vertical


Financial 2.25
Retail 2.35
Technology 1.60
Government 1.98
Utility 1.50
Telco 2.27
MSSP 2.40
Pragmatic Roadmap for Improvement

Phase I (Interim Capability)
• Coverage: Part-time resources as available
• Staffing: No dedicated staff
• Incident escalations: 1-5 per week
• Use cases: 10
• Events per second (EPS): 200
• Target timeframe: 90 days

Phase II (Dedicated Operations)
• Coverage: Dedicated 8x5, virtual off-hours
• Staffing: 1 dedicated analyst, 1 dedicated SIEM engineer
• Incident escalations: 5-10 per week
• Use cases: 25
• Events per second (EPS): 500
• Target timeframe: 180 days

Phase III (Mature Security Operations)
• Coverage: 24x7x365
• Staffing: 12 FTE
• Incident escalations: 10-20 per week
• Use cases: 100+
• Events per second (EPS): 1000
• Target timeframe: 2 years
Thank you
Denis Batrankov
Solution Architect
bdv@hp.com
