
Page 1: Proactive Security Monitoring - INFOSEK, infosek.net › gradiva-INFOSEK-2012 › gradivo › Marek_Deml... · 2016-06-20

Proactive Security Monitoring
“From Security watch to the independent SOC organization”

November 22nd 2012, Marek Deml

Page 2

© 2012 Deloitte Česká republika

Core steps

• Security watch

• SOC

Page 3

Security watch – Situation to manage

• Heterogeneous environment worldwide in three core data centers and 190 countries

• 15 000 servers, 130 000 desktops, 400+ applications

• Threat management

• Vulnerability management

Page 4

Security Watch Process: Objectives and Approach

Objectives
• In time
• Coordinated
• With priority
• Proactively

Approach
• 24x5 monitoring
• Global presence and involvement of local experts
• Consistent criticality prioritization
• Timely patch and virus alerting

Main features

• Alerts published on Security Watch alert portal

• Automatic e-mail notification for new and updated alerts to contacts in the IT service organization and in the different BUs served by the IT organization

Page 5

Security Alert Management and Escalation Touch Points (process diagram)

Inputs: security advisories 1, 2 … xx; inputs from Users/BUs (all BUs)

1. Initial assessment and evaluation of advisories (checked against the Company Major Software and Platform List)
2. Alert approval
3. Alert distribution (recipients taken from the Alert Distribution List Repository)
4. Alert implementation and monitoring

Prerequisites shown on the diagram:
• Establish Major SW List and process to maintain it
• Establish process to maintain DLs
• Establish common Patch Mng. Policy and SLA
• Modify alert categories

Page 6

Security Watch Process

1. Initial assessment and evaluation of advisories (flowchart)

• Alert received. If there is no advisory: send a message to the next shift and cc all of CISO org (non-activity).
• Alert reviewed by the CISO org person on duty to initially determine the priority of the alert.
• Duty CISO org person checks the security advisories (1, 2 … xx) against the systems used, i.e. the Major Software and Platform List, together with inputs from Users/BUs.
• Does the CISO org person have the technical knowledge to assess? No: SME review required (SME taken from the SME List); the SME completes the alert and forwards it to the duty CISO org person for review. Yes: continue.
• Alert priority proposal by the CISO org person.

Page 7

Security Watch Process

2. Alert approval (flowchart)

• Input: alert priority proposal by the CISO organization (Emergency/Critical/Maintenance/Notification priority).
• Proposal Emergency/Critical: alert sent for approval to the CISO and one other CISO org person. Outcomes: Approved as Critical; Not Approved (the upgraded/downgraded alert is resubmitted).
• Prepared as Emergency: alert sent for approval to the CISO and a Board Member, followed by a phone call; contact must be made within 4 hours. Outcomes: Approved as Emergency; Downgraded and approved as Critical; Not Approved.
• Proposal Maintenance/Notification: Approved as Maintenance/Notification.
• Approved: a CISO org member creates the alert, assigns an alert number and stores it for publishing; the alert (Emergency/Critical/Maintenance/Notification) is ready to be released.
• A later alert upgrade/downgrade or revocation re-enters approval; revoked alerts go to the Revoked alerts repository.

Page 8

Security Watch Process

Priority flow in time (timeline)

1. Critical vulnerability announced → VULNERABILITY NOTIFICATION (INTERNAL)
2. Patch announced → MAINTENANCE SECURITY PATCH ALERT RELEASED
3. Virus/worm availability announced → CRITICAL SECURITY PATCH ALERT RELEASED
4. Virus/worm spreading worldwide and Company is already impacted, or very likely to be → EMERGENCY SECURITY PATCH ALERT RELEASED

Page 9

Security Watch Process

Alert categories in detail (Level / Priority / Criteria / Action / Deadline to implement / Decision and approval authority)

Level A – EMERGENCY
• Criteria: malware exploiting the vulnerability is spreading inside the Company network or is very likely to be; released on an ad-hoc basis
• Action: top priority intervention; supersedes all other IS or business priorities
• Deadline to implement: 1-3 days
• Decision/approval authority: CISO and Board member; approval deadline: within 4 hr

Level B – CRITICAL
• Criteria: public exploit or malware exists; rated critical by vendor; software widely used in the Company environment; released on an ad-hoc basis
• Action: must be performed within the shortest possible time (out-of-band of the regular maintenance window)
• Deadline to implement: 4-30 days
• Decision/approval authority: CISO and CISO org member; approval deadline: within 24 hr

Level C – MAINTENANCE
• Criteria: rated at least moderately critical by vendor; software widely used in the Company environment; released on a monthly basis
• Action: needs to be planned and performed within a reasonable, agreed time in the regular maintenance window
• Deadline to implement: 1-3 months
• Decision/approval authority: CISO and CISO org member; approval deadline: before the 20th of the month

Level D – NOTIFICATION
• Criteria: none; used as needed
• Action: none; only qualified early warnings
• Deadline to implement: N/A
• Decision/approval authority: CISO organization
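The two Security Watch steps above that are mechanical (checking an advisory against the Major Software and Platform List, then proposing a level A-D with its approval deadline and implementation window) as a worked example in Python. This is an added example, not code from the deck or from Deloitte. The advisory fields, the inventory as a set of product names, the reading of the level B and C bullets as conjunctive criteria, 30-90 days standing in for "1-3 months", and the sample advisories are all assumptions.

```python
"""Security Watch triage: check an advisory against the Major Software and
Platform List, propose alert level A-D and derive the approval deadline and
implementation window from the category table.

Added example; the field names, inventory format and the reading of the
criteria are assumptions, not the deck's own tooling."""
from dataclasses import dataclass
from datetime import datetime, timedelta

VENDOR_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

# level -> (priority name, implementation window in days, approval authority);
# "1-3 months" is approximated as 30-90 days (assumption)
LEVELS = {
    "A": ("EMERGENCY", (1, 3), "CISO and Board member"),
    "B": ("CRITICAL", (4, 30), "CISO and CISO org member"),
    "C": ("MAINTENANCE", (30, 90), "CISO and CISO org member"),
    "D": ("NOTIFICATION", None, "CISO organization"),
}


@dataclass
class Advisory:
    ref: str
    products: set                        # affected product names (assumed to match inventory names)
    vendor_rating: str                   # low / moderate / high / critical
    public_exploit: bool = False
    malware_exists: bool = False
    spreading_internally: bool = False   # malware inside the Company network, or very likely to be


def widely_used(adv, major_sw_list):
    """Step 1 check: is any affected product on the Major Software and Platform List?"""
    return bool(adv.products & major_sw_list)


def propose_level(adv, major_sw_list):
    """Apply the category criteria top-down; B and C require the software to be widely used."""
    rank = VENDOR_RANK[adv.vendor_rating.lower()]
    if adv.spreading_internally:
        return "A"
    if not widely_used(adv, major_sw_list):
        return "D"                       # not in the estate: qualified early warning only
    if rank == VENDOR_RANK["critical"] and (adv.public_exploit or adv.malware_exists):
        return "B"
    if rank >= VENDOR_RANK["moderate"]:
        return "C"
    return "D"


def approval_due(level, proposed_at):
    """Approval deadline: A within 4 h, B within 24 h, C before the 20th of the month, D none."""
    if level == "A":
        return proposed_at + timedelta(hours=4)
    if level == "B":
        return proposed_at + timedelta(hours=24)
    if level == "C":
        due = proposed_at.replace(day=20, hour=0, minute=0, second=0, microsecond=0)
        if proposed_at >= due:           # past this month's cut-off: goes into next month's batch
            if proposed_at.month == 12:
                due = due.replace(year=proposed_at.year + 1, month=1)
            else:
                due = due.replace(month=proposed_at.month + 1)
        return due
    return None


def triage(adv, major_sw_list, proposed_at):
    level = propose_level(adv, major_sw_list)
    name, window, authority = LEVELS[level]
    return {"ref": adv.ref, "level": level, "priority": name, "authority": authority,
            "approval_due": approval_due(level, proposed_at),
            "implementation_window_days": window}


def run_sample():
    """Constructed sample data (not from the deck): a small Major SW list and four advisories."""
    major_sw = {"Windows Server 2008", "Oracle Database 11g", "Adobe Reader X"}
    proposed = datetime(2012, 11, 22, 10, 0)
    advisories = [
        Advisory("ADV-1", {"Windows Server 2008"}, "critical", public_exploit=True),
        Advisory("ADV-2", {"Adobe Reader X"}, "moderate"),
        Advisory("ADV-3", {"NicheTool 2.0"}, "critical", public_exploit=True),
        Advisory("ADV-4", {"Windows Server 2008"}, "critical",
                 malware_exists=True, spreading_internally=True),
    ]
    out = {}
    for adv in advisories:
        t = triage(adv, major_sw, proposed)
        due = t["approval_due"].isoformat() if t["approval_due"] else None
        out[adv.ref] = (t["level"], due, t["implementation_window_days"])
    return out


if __name__ == "__main__":
    for ref, row in run_sample().items():
        print(ref, row)
```

The third sample advisory is vendor-critical with a public exploit but lands at level D because nothing it affects is on the Major SW list; that is the point of maintaining the list and checking against it before the priority is proposed, otherwise every vendor-critical advisory becomes an out-of-band change.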

Page 10

Security Watch Process

Alert Approval: Review and Approval Flow

• EMERGENCY - RED
1. Draft alerts emailed to approval authority for approval
2. Follow up with phone call to approval authority
3. Alerts released by CISO once approval received

• CRITICAL - YELLOW
1. Draft alerts emailed to approval authority
2. Alerts released by CISO within 24 hours once approval received

• MAINTENANCE – GREEN, NOTIFICATION - WHITE
1. Draft alerts prepared and stored on shared drive/portal, to be released on the 25th day of the month or as needed
2. Shared drive/portal is accessible by the approval authority for review
3. Alerts released by the CISO organization on the target date if no comments are received

Page 11

Security Watch Process

3. Alert distribution (flowchart)

• Input: alert ready to be released, with Emergency/Critical/Maintenance/Notification priority; recipients come from the Alert Distribution List Repository.
• Emergency/Critical: alert published on the Alert portal immediately and notification email sent to the Alert Distribution List.
• Maintenance/Notification: batch of alerts published on the Alert portal on the 25th of the month or as needed, and notification email sent to the Alert Distribution List.

Page 12

Security Watch Process

3. Alert distribution: BU Security Contacts List Repository Maintenance Process (diagram)

• Country IT and the BU Master contacts (one per BU) send regular updates to the Alert Distribution List repository.
• CISO org maintains the repository.
• Regular update cycle: quarterly.

Page 13

Security Watch Process

4. Alert Implementation and Monitoring

• An alert must be implemented within the implementation deadline stated in it; change management principles must apply
• Regular monitoring of alert implementation must be set up in all entities, including escalations for alerts not implemented in time
• Alert compliance reporting should be set up on a regular basis to make sure the appropriate follow-up steps are done

Page 14

Security Operating Centre (SOC)

SOC business case introduction

SOC Objective

Project: Implementing SOC in the “follow the sun model (24x7)”

Page 15

Security Operating Centre (SOC)

SOC business case introduction, status before

• Downtimes due to internal security issues
• Reactive security approach to incidents
• Missing central management
• No CIRT in place

Business expectation:

• Impact of future attacks to be negated
• Technology packages were purchased in order to protect their business.
• Services to be managed to a level that the company will not be impacted by an attack which they have paid for a service to mitigate.

Page 16

Security Operating Centre (SOC)

SOC Objective

• Effective Information Security Incident Response Management
• To monitor system logs to see unauthorised activity on client networks and systems, from both internal and external systems.
• To be alerted to, and act upon, network or system Information Security Incidents.
• To actively manage the malware (virus, bot, etc.) threat.
• To fix a critical audit issue and create a more secure environment for ourselves and our customers.
• To protect the business.

Page 17

SOC – Responsibilities for the project

• Global information security – CISO organisation
  • Design and development
  • Owner
  • Build
• Local Information security managers EMEA, AP, AM
  • Review
  • Build
  • Support CISO org and SAO
• Secure Access Operation (SAO) EMEA, AP, AM
  • Run – 2nd level support, review SOC procedures, support SOC organization
  • Manage non-standard changes
• SOC organisation – EMEA, AP, AM
  • Run – 1st level support
  • Implement SOC process and procedures, run SOC operations
  • Manage pre-approved changes

Page 18

SOC – Implementation Stages worldwide

• Stage 1 – Basic operations EMEA
  • Focused on handling security incidents related to Malware (virus, worms, bots etc.)
  • Development of Basic Operation process and procedure in EMEA, to be duplicated to AP and AM
• Stage 2 – Basic operations with Follow the Sun in EMEA, AP, AM
  • Focused on handling security incidents related to Malware (virus, worms, bots etc.)
  • Duplicate SOC Basic Operation from EMEA to AP and AM
  • SOC Basic Operation run across EMEA, AP and AM in Follow The Sun
• Stage 3 – Enhanced operations with Follow the Sun in EMEA, AP, AM
  • Enhance handling of security incidents to include misconfigurations, misuse and suspicious activities.

Page 19

SOC - Implementation

• Stage 1 – Basic operations EMEA
  • Focused on handling security incidents related to Malware (virus, worms, bots etc.)
  • Development of Basic Operation process and procedure in EMEA, to be duplicated to AP and AM

(Diagram) EMEA Region NIPS → NIPS events → EMEA DC console. SOC Basic Operation Mode: 8hr x 5 days, no coverage for weekends or public holidays. Monitored security incidents: Malware.

Page 20

SOC - Implementation

• Stage 2 – Basic operations with Follow the Sun in EMEA, AP, AM
  • Focused on handling security incidents related to Malware (virus, worms, bots etc.)
  • Duplicate SOC Basic Operation from EMEA to AP and AM
  • SOC Basic Operation run across EMEA, AP and AM in Follow The Sun

(Diagram: SOC Basic Operation in Follow The Sun Model) Each region (EMEA, AM, AP) has its own NIPS feeding NIPS events into a regional console. Each regional SOC runs in SOC Basic Operation Mode: 8hr x 5 days, no coverage for weekends or public holidays, monitored security incidents: Malware. During its own shift each SOC also monitors the other two regions' consoles (EMEA monitors AM and AP, AM monitors EMEA and AP, AP monitors EMEA and AM), with a handover between each pair of consecutive shifts.

Page 21

SOC - Implementation

• Stage 3 – Enhanced operations with Follow the Sun in EMEA, AP, AM
  • Enhance handling of security incidents to include misconfigurations, misuse and suspicious activities.

(Diagram: SOC Enhanced Operation in Follow The Sun Model) Same layout as Stage 2: each region (EMEA, AM, AP) has its own NIPS feeding NIPS events into a regional SOC console. Each regional SOC runs in SOC Enhanced Operation Mode: 8hr x 5 days, no coverage for weekends or public holidays, monitored security incidents: Malware, Misconfigurations, Suspicious Activities. During its own shift each SOC monitors the other two regions' consoles (EMEA monitors AM and AP, AM monitors EMEA and AP, AP monitors EMEA and AM), with a handover between each pair of consecutive shifts.

Page 22

SOC – Technologies used

Each new technology was added into the SOC as a separate project task

• IBM NIPS and Site Protector console and database (Core)
• Darknet (Botnet C&C communication)
• Antivirus
• NAC
• Specific System logs
• Email Security

(Diagram) Core component: NIPS console. Additional components: Darknet console, Antivirus logs, NAC, specific system logs, Email security. All feed SOC Monitoring.

Page 23

SOC – Processes developed and implemented

Phase I.

• SOC High Level Security Event Handling Process

• SOC Security Incident Handling Procedure For Malware (Focusing on Malware related security incidents)

• SOC Security Incident Exemption Process

• SOC NIPS Policy management for phase I

Phase II.

• SOC Follow the Sun and Handover Process

• SOC Security Event signatures Review and Evaluation Process

• SOC Global NIPS Policy management for phase II

Phase III

• SOC Global NIPS Policy management for phase III

• SOC Security Incident Handling Procedure for Misconfiguration

• SOC Security Incident Handling Procedure for Suspicious Activities

• SOC Security Incident Handling Procedure for Uncategorized Security Incidents

Page 24

SOC – Global NIPS policy

• Why
• Key features of Global NIPS Policy
• Management of Global NIPS Policy
  • NIPS Security Event Signature Assessment Methodology
    • Typical conditions for enabling a security event signature in Monitor and Block mode
    • Typical conditions for enabling a security event signature in Monitor mode only
    • Typical conditions for not enabling the security event signature
  • NIPS Security Event Signature Evaluation and Approval Process
    • Normal situation
    • Emergency situation
  • NIPS Filter Approval Process
  • NIPS Policy Implementation Compliance Check Process

Page 25

SOC – Global NIPS policy (process diagram)

1. Design: the CISO Organization designs the Global NIPS Policy.
2. Implement: EMEA SOC implements the Global NIPS Policy + EMEA local filter/exemption.
3. Implement: AM SOC implements the Global NIPS Policy + AM local filter/exemption.
4. Implement: AP SOC implements the Global NIPS Policy + AP local filter/exemption.
5. NIPS Policy Implementation Compliance Check Process, run by the CISO Organization against the three regional implementations.

Page 26

SOC – Global NIPS policy - Important parameters assessed (parameter - who sets it)

• Security Event name and Severity - vendor
• ISS XPU and Type - vendor
• Default ISS NIPS Action (in Block Mode) - vendor
• NIPS To Enable – CISO organization and SOC
• NIPS to Block - CISO organization and SOC
• NIPS to Quarantine (set type = Quarantine Worm only) - CISO organization and SOC
• Client severity - CISO organization
• Known Threat/Remark - CISO organization and SOC
• Category - CISO organization
• MS Alert - vendor
• Security watch Alert - CISO organization
• Added/Modified in Version - CISO organization
• Next Review Date - CISO organization
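The compliance check at step 5 of the policy diagram, run over the parameter record listed above, as an added example in Python. This is not code from the deck, from Deloitte or from IBM Site Protector. The record layout, the rule that a regional filter/exemption may only relax the global setting (monitor-only or disabled) and never add or tighten signatures, the console-export format and the sample signatures are assumptions.

```python
"""NIPS Policy Implementation Compliance Check: compute each region's expected
signature state (Global NIPS Policy relaxed by the region's local filter/exemption
list) and diff it against what the regional console reports.

Added example; the record layout, exemption semantics and sample data are
assumptions, not the deck's or any vendor's format."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SignaturePolicy:
    """One row of the Global NIPS Policy; the comment names the owner of each parameter."""
    name: str               # security event name (vendor)
    vendor_severity: str    # vendor
    xpu: str                # ISS XPU the signature arrived in (vendor)
    default_action: str     # default ISS NIPS action in block mode (vendor)
    enable: bool            # NIPS to enable (CISO org + SOC)
    block: bool             # NIPS to block (CISO org + SOC)
    quarantine: bool        # NIPS to quarantine, Quarantine Worm type only (CISO org + SOC)
    client_severity: str    # CISO org
    category: str           # CISO org
    next_review: date       # CISO org


@dataclass(frozen=True)
class DeployedSignature:
    """State of one signature as exported from a regional console (assumed format)."""
    name: str
    enabled: bool
    block: bool


def effective_policy(global_policy, local_exemptions):
    """Expected state per signature for one region.

    local_exemptions maps signature name -> "monitor_only" | "disabled". An exemption
    may only relax the global setting (assumption: regions never tighten or add)."""
    expected = {}
    for sig in global_policy:
        enable, block = sig.enable, sig.block
        mode = local_exemptions.get(sig.name)
        if mode == "monitor_only":
            block = False
        elif mode == "disabled":
            enable = False
        expected[sig.name] = (enable, block and enable)   # a disabled signature cannot block
    return expected


def compliance_check(region, global_policy, local_exemptions, deployed, today):
    """Return (scope, signature, finding) tuples; an empty list means the region is compliant."""
    expected = effective_policy(global_policy, local_exemptions)
    actual = {d.name: (d.enabled, d.block) for d in deployed}
    findings = []
    for name, (exp_enable, exp_block) in expected.items():
        if name not in actual:
            findings.append((region, name, "missing on sensor"))
            continue
        act_enable, act_block = actual[name]
        if act_enable != exp_enable:
            findings.append((region, name, f"enabled={act_enable}, expected {exp_enable}"))
        elif act_block != exp_block:
            findings.append((region, name, f"block={act_block}, expected {exp_block}"))
    for name in sorted(actual.keys() - expected.keys()):       # local addition: needs filter approval
        findings.append((region, name, "not in Global NIPS Policy"))
    for name in sorted(local_exemptions.keys() - expected.keys()):
        findings.append((region, name, "exemption for unknown signature"))
    for sig in global_policy:                                   # review dates are a global concern
        if sig.next_review <= today:
            findings.append(("global", sig.name, "review date passed"))
    return findings


def run_sample():
    """Constructed sample (not real signatures or policy): three global rows, the AM region's
    exemptions and an AM console export with one drifted and one missing signature."""
    global_policy = [
        SignaturePolicy("HTTP_Shellcode_Generic", "high", "XPU 33.010", "block",
                        True, True, False, "high", "exploit", date(2013, 1, 15)),
        SignaturePolicy("SMB_Worm_Spread", "critical", "XPU 32.100", "block",
                        True, True, True, "critical", "worm", date(2012, 11, 1)),
        SignaturePolicy("SQL_Injection_Generic", "medium", "XPU 33.010", "ignore",
                        True, False, False, "medium", "attack", date(2013, 3, 1)),
    ]
    am_exemptions = {"HTTP_Shellcode_Generic": "monitor_only", "Nonexistent_Sig": "disabled"}
    am_deployed = [
        DeployedSignature("HTTP_Shellcode_Generic", True, True),   # should be monitor-only in AM
        DeployedSignature("SQL_Injection_Generic", True, False),
        DeployedSignature("AM_Local_Test", True, False),           # not in the global policy
    ]
    return compliance_check("AM", global_policy, am_exemptions, am_deployed, date(2012, 11, 22))


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

Run per region with that region's exemption list: the same sensor export is compliant for one region and non-compliant for another purely because of the local filters, which is why the check is driven from the global policy plus approved exemptions rather than from a single expected state.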

Page 27

Questions?

Marek Deml

E-mail: [email protected]

Page 28

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/cz/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

© 2012 Deloitte Czech Republic