![Page 1: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/1.jpg)
SESSION ID: AIR-T11
#RSAC
Building a World-Class Proactive Integrated Security & Network Operations Center (SNOC)
Hanna Sicker, CISM, CISSP
Security & Network Operations (SNOC) Sr. Mgr., StubHub/eBay
@snocgirl
![Page 2: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/2.jpg)
Operations Leaders (Security & Network)
![Page 3: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/3.jpg)
Service Unavailable…
![Page 4: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/4.jpg)
We Did it!
![Page 5: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/5.jpg)
SNOC Impact on Uptime & CSS
[Chart: uptime by year, 2011 through 2015; values shown on the chart are 99.90%, 99.95%, 99.97% and 99.99% (uptime) and 98.00% (CSS)]
* CSS: Customer Satisfaction Score
![Page 6: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/6.jpg)
How…
![Page 7: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/7.jpg)
Typical NOC & SOC Challenges
![Page 8: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/8.jpg)
How We Overcame the Challenges
![Page 9: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/9.jpg)
Break the Rules – Say “NO” to the Traditional Tiered Model
![Page 10: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/10.jpg)
SNOC IRP (Incident Response Process)
[Diagram: Visibility & Detection → Analysis & Investigation → Response & Remediation, framed by SLA, Change Mgt. and Process]
![Page 11: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/11.jpg)
IRP – Step 1
![Page 12: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/12.jpg)
IRP – Step 2
![Page 13: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/13.jpg)
IRP – Step 3
![Page 14: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/14.jpg)
Proactive Integrated SNOC Framework
[Diagram: Mgt., Team, Tools and BIC Services, linked by Reports, Reinvest, Recognize and Enable]
![Page 15: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/15.jpg)
Building a Winning Team
![Page 16: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/16.jpg)
Detailed SNOC Framework – Team
Stage 1 • Quick impact - utilize the existing structure
Stage 2 • Optimize & emphasize quality
Stage 3 • Identify & hire talent
Stage 4 • Empower the team & remove the tiers
Stage 5 • Team development life cycle - TDLC
![Page 17: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/17.jpg)
Stage 1 – Quick Impact (2 mo.)
![Page 18: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/18.jpg)
Stage 2 – Optimize & Emphasize Quality
![Page 19: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/19.jpg)
Stage 3 – Identify & Hire Talent
Round out the team puzzle
![Page 20: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/20.jpg)
Stage 4 – Empower the Team
![Page 21: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/21.jpg)
Stage 5 - Team Development Life Cycle - TDLC
[Diagram: TDLC cycle of Hire Talent, Train, Mentor, Coach, Cross Train, Enable and Engage, with Process and Quality]
![Page 22: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/22.jpg)
Detailed SNOC Framework – Tools
Stage 1 • Utilize
Stage 2 • Optimize
Stage 3 • Automate
![Page 23: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/23.jpg)
Finding the Right Tools
![Page 24: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/24.jpg)
SNOC Framework – BIC Services
Our Formula
BIC Services = Business Objectives = Customer Satisfaction Score (CSS) + Revenue ($) + Team Defined Goals (*APS)
*APS = Availability + Performance + Security
Quick results without initial Mgt. support = Team + Existing Tools + Reports
![Page 25: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/25.jpg)
SNOC Framework – Management
Our Formula
Increased demonstrated value = increased Mgt support (IMS)
IMS = Recognition + Reinvestment
![Page 26: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/26.jpg)
Our Key to Success
![Page 27: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/27.jpg)
Team Characteristics
![Page 28: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/28.jpg)
Right Architecture - Security Layers
[Diagram of security layers, labels as shown on the slide]
3rd Parties: Tokenization, Fraud detection
WAF: Client reputation, Customized rules, Bot detection
IDS, IPS, SIEM, Packet capture
Vulnerability mgt., Fraud protection
Data Activity Monitoring, Log mgt.
![Page 29: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/29.jpg)
Use Case – Reducing ATOs
![Page 30: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/30.jpg)
SNOC Benefits & Future Challenges
![Page 31: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/31.jpg)
Apply
If you are in the process of building a SOC and you have an existing NOC, utilize your existing NOC team and transition them to become the SNOC.
Recognize similar functions between NOC & SOC and combine them.
Before obtaining Mgt. commitment, focus on your team as the core component to build a successful SNOC.
![Page 32: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/32.jpg)
Apply
When you add new members, focus on character and culture fit. Try to round out the team puzzle.
Do not pay for expertise; grow your own (entry level but highly motivated and trainable).
Lead from the front.
Build alliances with other teams across all departments & learn from their key players.
![Page 33: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/33.jpg)
Apply
Understand your business goals, traffic and users.
Filter your traffic at the edge and protect at all layers.
Shield your data center - If your business is B2C, then traffic from cloud services that host businesses can be blocked. If your clients are within a specific geographic area, then block all other countries/areas that you do not do business with.
To reduce ATOs & attacks, create WAF rules based on your traffic & customers’ behavior.
![Page 34: Building a World-Class Proactive Integrated Security and Network Ops Center](https://reader031.vdocument.in/reader031/viewer/2022030305/58729ceb1a28ab07208b4ea9/html5/thumbnails/34.jpg)
Apply – Cont.
Utilize & optimize your and other teams’ existing tools.
If no tools are available, then automate processes using scripts written by one of your own or another team’s members.
Tune out false positive alerts and train the team to tune and modify the thresholds.
Check if the NOC has tools that are applicable for SOC usage. Example: If the NOC is using a network performance monitoring tool, check to see if the tool can perform full packet capture.
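The "Apply" slides above recommend filtering at the edge (geography, hosting providers for a B2C site), writing rules from your own customers' behavior to reduce ATOs, and training the team to tune thresholds and false positives. The following is an added example, not code from the deck or from StubHub/eBay, showing those ideas in one place: an edge filter followed by a windowed account-takeover detector over constructed login events. The log format, the field values, the `Policy` thresholds and the "support-desk NAT" allowlist entry are all assumptions made for the example.

```python
"""
Added example, not from the RSAC deck: an edge filter (allowed countries,
hosting-provider block for a B2C site) followed by a simple account-takeover
(ATO) detector over constructed login events. Thresholds and an allowlist are
explicit so they can be tuned against false positives as the deck advises.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

# Constructed sample login log (hypothetical format):
# "<epoch> <src_ip> <country> <src_type> <account> <result>"
SAMPLE_LOG = """\
1000 203.0.113.10 US residential alice@example.com FAIL
1003 203.0.113.10 US residential bob@example.com FAIL
1006 203.0.113.10 US residential carol@example.com FAIL
1009 203.0.113.10 US residential dave@example.com FAIL
1012 203.0.113.10 US residential erin@example.com FAIL
1020 198.51.100.7 US residential alice@example.com OK
1030 192.0.2.44 DE residential frank@example.com OK
1040 203.0.113.99 US hosting grace@example.com OK
1050 10.20.30.40 US residential heidi@example.com FAIL
1051 10.20.30.40 US residential ivan@example.com FAIL
1052 10.20.30.40 US residential judy@example.com FAIL
1053 10.20.30.40 US residential ken@example.com FAIL
1054 10.20.30.40 US residential leo@example.com FAIL
1100 198.51.100.8 US residential bob@example.com FAIL
1101 198.51.100.9 US residential bob@example.com FAIL
1102 198.51.100.10 US residential bob@example.com FAIL
1103 198.51.100.11 US residential bob@example.com FAIL
"""


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset = frozenset({"US", "CA"})  # where the business operates (assumed)
    block_hosting: bool = True          # B2C: real customers do not log in from hosting ranges
    window_s: int = 60                  # sliding window for both ATO rules
    accounts_per_ip_threshold: int = 5  # distinct accounts failing from one IP
    ips_per_account_threshold: int = 4  # distinct IPs failing against one account
    allowlist_ips: frozenset = frozenset()  # known-good sources, e.g. a support-desk NAT


@dataclass
class Event:
    ts: int
    ip: str
    country: str
    src_type: str
    account: str
    ok: bool


def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, country, src_type, account, result = line.split()
        events.append(Event(int(ts), ip, country, src_type, account, result == "OK"))
    return events


def edge_filter(events, policy):
    """Drop traffic before it reaches the application; returns (passed, dropped)."""
    passed, dropped = [], []
    for e in events:
        if e.country not in policy.allowed_countries:
            dropped.append((e.ip, "geo"))
        elif policy.block_hosting and e.src_type == "hosting":
            dropped.append((e.ip, "hosting"))
        else:
            passed.append(e)
    return passed, dropped


def detect_ato(events, policy):
    """Two windowed rules: one IP spraying many accounts, one account hit from many IPs."""
    history = {"ip": defaultdict(list), "account": defaultdict(list)}
    flagged = {"ip": set(), "account": set()}
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.ok or e.ip in policy.allowlist_ips:  # successes and tuned-out sources do not count
            continue
        rules = (
            ("ip", e.ip, e.account, policy.accounts_per_ip_threshold, "many-accounts-from-one-ip"),
            ("account", e.account, e.ip, policy.ips_per_account_threshold, "one-account-from-many-ips"),
        )
        for kind, key, value, threshold, label in rules:
            # keep only failures inside the window, then add the current one
            recent = [(t, v) for t, v in history[kind][key] if e.ts - t <= policy.window_s]
            recent.append((e.ts, value))
            history[kind][key] = recent
            distinct = {v for _, v in recent}
            if len(distinct) >= threshold and key not in flagged[kind]:
                flagged[kind].add(key)
                alerts.append((label, key, len(distinct)))
    return alerts


def tuning_report(events, policy, candidates):
    """Alert count per candidate accounts-per-IP threshold, to pick a setting that cuts noise."""
    return {t: len(detect_ato(events, replace(policy, accounts_per_ip_threshold=t)))
            for t in candidates}


def run(policy=Policy()):
    events = parse(SAMPLE_LOG)
    passed, dropped = edge_filter(events, policy)
    return dropped, detect_ato(passed, policy)


if __name__ == "__main__":
    dropped, alerts = run()
    print("dropped at edge:", dropped)
    print("alerts:", alerts)
    print("after allowlisting the support NAT:",
          run(Policy(allowlist_ips=frozenset({"10.20.30.40"})))[1])
```

Run as-is, the edge filter drops the German and hosting-range logins, and the detector raises three alerts: two IPs each failing against five accounts and one account hit from four IPs. Adding the (assumed) support-desk NAT `10.20.30.40` to `allowlist_ips` removes the false positive without loosening the threshold for everyone, and `tuning_report` shows how the alert count moves as the threshold changes, which is the kind of knob the deck wants the team trained to adjust.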