Proactive Security Monitoring
“From Security watch to the independent SOC organization”
November 22nd 2012, Marek Deml
2 © 2012 Deloitte Česká republika
Core steps
• Security watch
• SOC
Security watch – Situation to manage
• Heterogeneous environment worldwide in three core data centers and
190 countries
• 15 000 servers, 130 000 desktops, 400+ applications
• Threat management
• Vulnerability management
Security Watch Process: Objectives and Approach
Objectives
• In time
• Coordinated
• With priority
• Proactively
Approach
• 24x5 monitoring
• Global presence and involvement of local experts
• Consistent criticality prioritization
• Timely patch and virus alerting
Main features
• Alerts published on Security Watch alert portal
• Automatic e-mail notification for new and updated alerts to contacts in the IT service organization and the different BUs served by the IT organization
Security Alert Management and Escalation Touch Points
Process steps (inputs in brackets):
1. Initial assessment and evaluation of advisories (security advisory 1, security advisory 2 … security advisory xx; inputs from users/BUs; Company Major Software and Platform List)
2. Alert approval
3. Alert distribution (Alert Distribution List Repository; alerts go to ALL BUs)
4. Alert implementation and monitoring
Touch points to establish:
• Establish Major SW List and process to maintain it
• Establish process to maintain DLs
• Establish common Patch Mng. Policy and SLA
• Modify alert categories
Security Watch Process
1. Initial assessment and evaluation of advisories
• Inputs: security advisory 1, security advisory 2 … security advisory xx; inputs from users/BUs
• Alert received? If no advisory: send message to next shift and cc all CISO org (non-activity)
• Alert reviewed by CISO org person on duty to initially determine priority of alert
• Does the CISO org person have the technical knowledge to assess?
  - No: SME review required (SME taken from the SME List); SME completes alert and forwards it to duty CISO org person for review
  - Yes: duty CISO org person checks security advisories against the systems used (Major Software and Platform List)
• Output: alert priority proposal by CISO org person
Security Watch Process
2. Alert approval
• Input: alert priority proposal by CISO organization (Emergency / Critical / Maintenance / Notification priority)
• Proposal Emergency/Critical: alert sent for approval to CISO and 1 other CISO org person
  - Approved as Critical: CISO org member creates alert, assigns alert number, stores for publishing
  - Not approved: upgraded / downgraded alert resubmission
• Prepared as Emergency: alert sent for approval to CISO and Board Member, followed by phone call; contact must be made within 4 hours
  - Approved as Emergency: CISO org member creates alert, assigns alert number, stores for publishing
  - Not approved: downgraded and approved as Critical, or resubmitted
• Maintenance: approved as Maintenance/Notification: CISO org member creates alert, assigns alert number, stores for publishing
• Output: alert ready to be released (Emergency / Critical / Maintenance / Notification)
• Alert upgrade/downgrade or revocation: revoked alerts are stored in the revoked alerts repository
Security Watch Process
Priority flow in time (events in order of occurrence):
• Critical vulnerability announced → VULNERABILITY NOTIFICATION (INTERNAL)
• Patch announced → MAINTENANCE SECURITY PATCH ALERT RELEASED
• Virus/worm availability announced → CRITICAL SECURITY PATCH ALERT RELEASED
• Virus/worm spreading worldwide and Company is already impacted, or very likely to be → EMERGENCY SECURITY PATCH ALERT RELEASED
Security Watch Process
Alert categories in detail

Level A: EMERGENCY
  Criteria: malware exploiting the vulnerability is spreading inside Company network, or is very likely to be; released on ad-hoc basis
  Action: top priority intervention – supersedes all other IS or business priorities
  Deadline to implement: 1-3 days
  Decision/approval authority: CISO and Board member; approval dateline: within 4 hr

Level B: CRITICAL
  Criteria: public exploit or malware exists; rated critical by vendor; software widely used in Company environment; released on ad-hoc basis
  Action: must be performed within the shortest possible time (out-of-band of regular maintenance window)
  Deadline to implement: 4-30 days
  Decision/approval authority: CISO and CISO org member; approval dateline: within 24 hr

Level C: MAINTENANCE
  Criteria: rated at least moderately critical by vendor; software widely used in Company environment; released on monthly basis
  Action: needs to be planned and performed within reasonable, agreed time in regular maintenance window
  Deadline to implement: 1-3 months
  Decision/approval authority: CISO and CISO org member; approval dateline: before 20th of the month

Level D: NOTIFICATION
  Criteria: none; use as needed
  Action: none; only qualified early warnings
  Deadline to implement: N/A
  Decision/approval authority: CISO organization
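As an added example (not part of the presentation), the level criteria and approval datelines from the table above written as a triage function. It assumes that the criteria listed under one level must all hold, and that a Maintenance alert proposed on or after the 20th rolls into the next month's batch:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Advisory:
    """Facts gathered in step 1 (initial assessment) about one vendor advisory."""
    vendor_rating: str               # vendor severity: "critical", "moderate" or "low"
    widely_used: bool                # software is on the Major Software and Platform List
    exploit_or_malware_exists: bool  # a public exploit or malware for it exists
    spreading_internally: bool       # malware is spreading in Company network, or very likely to be

# Level -> (priority name, deadline to implement, decision/approval authority), as in the table
LEVELS = {
    "A": ("EMERGENCY", "1-3 days", "CISO and Board member"),
    "B": ("CRITICAL", "4-30 days", "CISO and CISO org member"),
    "C": ("MAINTENANCE", "1-3 months", "CISO and CISO org member"),
    "D": ("NOTIFICATION", "N/A", "CISO organization"),
}

def classify(adv: Advisory) -> str:
    """Map advisory facts to level A-D, checked from most to least severe.
    Assumption: the criteria listed under one level must all hold."""
    if adv.spreading_internally:
        return "A"
    if adv.exploit_or_malware_exists and adv.vendor_rating == "critical" and adv.widely_used:
        return "B"
    if adv.vendor_rating in ("critical", "moderate") and adv.widely_used:
        return "C"
    return "D"   # qualified early warning only

def approval_deadline(level: str, proposed_at: str) -> Optional[str]:
    """Approval dateline per level: 4 hr (A), 24 hr (B), before the 20th of the month (C).
    proposed_at is an ISO-8601 timestamp; the deadline is returned in the same form."""
    t = datetime.fromisoformat(proposed_at)
    if level == "A":
        return (t + timedelta(hours=4)).isoformat()
    if level == "B":
        return (t + timedelta(hours=24)).isoformat()
    if level == "C":
        # Maintenance batch is released on the 25th; approval must land before the 20th.
        # Assumption: a proposal made on or after the 20th goes into next month's batch.
        year, month = t.year, t.month
        if t.day >= 20:
            year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        return datetime(year, month, 20).isoformat()
    return None  # Notification: no approval deadline
```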
Security Watch Process
Alert Approval: Review and Approval Flow
• EMERGENCY - RED
  1. Draft alerts emailed to approval authority for approval
  2. Follow up with phone call to approval authority
  3. Alerts released by CISO once approval received
• CRITICAL - YELLOW
  1. Draft alerts emailed to approval authority
  2. Alerts released by CISO within 24 hours once approval received
• MAINTENANCE – GREEN, NOTIFICATION - WHITE
  1. Draft alerts prepared and stored on shared drive/portal, to be released on 25th day of the month or as needed
  2. Shared drive/portal is accessible by approval authority for review
  3. Alerts released by CISO organization on target date if no comments received
Security Watch Process
3. Alert distribution
• Input: alert ready to be released (Emergency / Critical / Maintenance / Notification priority)
• Emergency/Critical: alert published on Alert portal immediately and notification email sent to Alert Distribution List
• Maintenance/Notification: batch of alerts published on Alert portal on 25th of month or as needed, and notification email sent to Alert Distribution List
• Distribution lists for both paths are taken from the Alert Distribution List Repository
Security Watch Process
3. Alert distribution
BU Security Contacts List Repository Maintenance Process
• The Alert distribution list repository is maintained by CISO org (repository maintenance)
• Country IT and the BU master contacts send regular updates to the repository
• Regular update cycle: quarterly
Security Watch Process
4. Alert Implementation and Monitoring
• Alerts must be implemented within the implementation deadline stated in the alert; change management principles must apply
• Regular monitoring of alert implementation must be set up in all entities, including escalation for alerts not implemented in time
• Alert compliance reporting should be set up on a regular basis to make sure the appropriate follow-up steps are taken
Security Operating Centre (SOC)
SOC business case introduction
SOC Objective
Project: Implementing SOC in the “follow the sun” model (24x7)
Security Operating Centre (SOC)
SOC business case introduction, status before
• Downtimes due to internal security issues
• Reactive security approach to incidents
• Missing central management
• No CIRT in place
Business expectation:
• Impact of future attacks to be negated
• Technology packages were purchased in order to protect the business
• Services to be managed to a level that the company will not be impacted by an attack which it has paid for a service to mitigate
Security Operating Centre (SOC)
SOC Objective
• Effective Information Security Incident Response Management
• To monitor system logs to see unauthorised activity on client
networks and systems from both internal systems and external
systems.
• To be alerted and act upon network or system Information
Security Incidents.
• To actively manage the malware (virus, bot, etc.) threat.
• To fix a critical audit issue and create a more secure environment
for ourselves and our customers.
• To protect the business.
SOC – Responsibilities for the project
• Global information security – CISO organisation
  - Design and development
  - Owner
  - Build
• Local Information security managers EMEA, AP, AM
  - Review
  - Build
  - Support CISO org and SAO
• Secure Access Operation (SAO) EMEA, AP, AM
  - Run – 2nd level support, review SOC procedures, support SOC organization
  - Manage non-standard changes
• SOC organisation – EMEA, AP, AM
  - Run – 1st level support
  - Implement SOC process and procedures, run SOC operations
  - Manage pre-approved changes
SOC – Implementation Stages worldwide
• Stage 1 – Basic operations EMEA
  - Focused on handling security incidents related to Malware (virus, worms, bots etc.)
  - Development of Basic Operation process and procedure in EMEA, to be duplicated to AP and AM
• Stage 2 – Basic operations with Follow the Sun in EMEA, AP, AM
  - Focused on handling security incidents related to Malware (virus, worms, bots etc.)
  - Duplicate SOC Basic Operation from EMEA to AP and AM
  - SOC Basic Operation run in EMEA, AP and AM in Follow The Sun
• Stage 3 – Enhanced operations with Follow the Sun in EMEA, AP, AM
  - Enhance handling of security incidents to include misconfigurations, misuse and suspicious activities.
SOC - Implementation
• Stage 1 – Basic operations EMEA
  - Focused on handling security incidents related to Malware (virus, worms, bots etc.)
  - Development of Basic Operation process and procedure in EMEA, to be duplicated to AP and AM
Stage 1 setup:
• EMEA Region NIPS sends NIPS events to the EMEA DC console
• SOC Basic Operation Mode: 8hr x 5 days; no coverage for weekends or public holidays
• Monitored security incidents: Malware
SOC - Implementation
• Stage 2 – Basic operations with Follow the Sun in EMEA, AP, AM
  - Focused on handling security incidents related to Malware (virus, worms, bots etc.)
  - Duplicate SOC Basic Operation from EMEA to AP and AM
  - SOC Basic Operation run in EMEA, AP and AM in Follow The Sun
SOC Basic Operation in Follow The Sun Model:
• Each region (EMEA, AM, AP) has its own console fed by NIPS events from the region's NIPS
• Each regional SOC runs in Basic Operation Mode, 8hr x 5 days, with no coverage for weekends or public holidays
• During its shift each SOC also monitors the other two regions' consoles (EMEA SOC monitors AM and AP, AM SOC monitors EMEA and AP, AP SOC monitors EMEA and AM), with a handover between shifts
• Monitored security incidents: Malware
SOC - Implementation
• Stage 3 – Enhanced operations with Follow the Sun in EMEA, AP, AM
  - Enhance handling of security incidents to include misconfigurations, misuse and suspicious activities.
SOC Enhanced Operation in Follow The Sun Model:
• Each region (EMEA, AM, AP) has its own SOC console fed by NIPS events from the region's NIPS
• Each regional SOC runs in Enhanced Operation Mode, 8hr x 5 days, with no coverage for weekends or public holidays
• During its shift each SOC also monitors the other two regions' consoles (EMEA SOC monitors AM and AP, AM SOC monitors EMEA and AP, AP SOC monitors EMEA and AM), with a handover between shifts
• Monitored security incidents: Malware, Misconfigurations, Suspicious Activities
SOC – Technologies used
Each new technology was added into the SOC as a separate project task
• IBM NIPS and Site Protector console and database (Core)
• Darknet (Botnet C&C communication)
• Antivirus
• NAC
• Specific System logs
• Email Security
SOC Monitoring sources:
• Core component: NIPS console
• Additional components: Darknet console, Antivirus logs, NAC, Specific System Logs
SOC – Processes developed and implemented
Phase I.
• SOC High Level Security Event Handling Process
• SOC Security Incident Handling Procedure For Malware (Focusing on Malware related security incidents)
• SOC Security Incident Exemption Process
• SOC NIPS Policy management for phase I
Phase II.
• SOC Follow the Sun and Handover Process
• SOC Security Event signatures Review and Evaluation Process
• SOC Global NIPS Policy management for phase II
Phase III
• SOC Global NIPS Policy management for phase III
• SOC Security Incident Handling Procedure for Misconfiguration
• SOC Security Incident Handling Procedure for Suspicious Activities
• SOC Security Incident Handling Procedure for Uncategorized Security Incidents
SOC – Global NIPS policy
• Why
• Key features of Global NIPS Policy
• Management of Global NIPS Policy
• NIPS Security Event Signature Assessment Methodology
  - Typical conditions for enabling security event signature in Monitor and Block mode
  - Typical conditions for enabling security event signature in Monitor mode only
  - Typical conditions for not enabling the security event signature
• NIPS Security Event Signature Evaluation and Approval Process
  - Normal situation
  - Emergency situation
• NIPS Filter Approval Process
• NIPS Policy Implementation Compliance Check Process
SOC – Global NIPS policy
Global NIPS Policy lifecycle:
1. Design: Global NIPS Policy (CISO Organization)
2. Implement (EMEA SOC): Global NIPS Policy + EMEA local filter/exemption
3. Implement (AM SOC): Global NIPS Policy + AM local filter/exemption
4. Implement (AP SOC): Global NIPS Policy + AP local filter/exemption
5. NIPS Policy Implementation Compliance Check Process (CISO Organization)
SOC – Global NIPS policy - Important parameters assessed
• Security Event name and Severity - vendor
• ISS XPU and Type - vendor
• Default ISS NIPS Action (in Block Mode) - vendor
• NIPS To Enable – CISO organization and SOC
• NIPS to Block - CISO organization and SOC
• NIPS to Quarantine (Set type = Quarantine Worm only) - CISO organization and SOC
• Client severity - CISO organization
• Known Threat/Remark - CISO organization and SOC
• Category - CISO organization
• MS Alert - vendor
• Security watch Alert - CISO organization
• Added/Modified in Version - CISO organization
• Next Review Date - CISO organization