Security Operations Optimization
Posted 19-Oct-2014
DESCRIPTION
Presented by IBM Security Business Manager, KSA, Mr. Ahmed Abdel Hamid, at the Mobily-IBM Security & Resiliency Conference 2014
TRANSCRIPT
Security Operations Optimization
Ahmed Abdel Hamid Security Business Manager, KSA April 23, 2014
© 2014 IBM Corporation
Agenda
New attacks landscape
Security Operations Optimization
Managed SIEM
Managed Security Services
Call to Action
The famous 2014 “Retailers” breach
Target and Neiman Marcus Breaches Are Only the Beginning - 22 Jan 2014
Neiman Marcus Hack Went Undetected For 5 Months - Reuters, 17 January 2014
Target: 40 million credit cards compromised - CNNMoney, 19 December 2013
Anonymous Israel Attack on April 7th - said today in its response to questions, claiming its official estimate of damage so far includes hacking of 60,000 websites, 40,000 Facebook pages, 5,000 Twitter accounts and 30,000 Israeli bank accounts, "causing an estimated $3 billion in damage."
……However, now Israeli hacktivists are fired up and counter-striking at Palestinian, Iranian and Turkish website targets.
Network World USA, April 2013
Database Breach….
Top 5 Global SPAM Destination Countries
Saudi Arabia is maintaining the #1 position into 2013 (May 2013, June 2013)
2012 Summary of SPAM for GCC Receiving Countries
• Saudi Arabia: number 1 SPAM-receiving country in every month except one, when it was #2.
More than half a billion records of personally identifiable information (PII) were leaked in 2013
IBM has a broad base of security services to help you
Security Strategy, Risk and Compliance
Cybersecurity Assessment and Response
Security Operations Optimization
Infrastructure and Endpoint Security
Identity and Access Management
Data and Application Security
Managed Security
Managed Services
• Globally available managed security services platform
• Manage security operations, detect and respond to emerging risk
Security Consulting & Professional Services
• 6000+ Security Consultants & Architects
• Assess security risk and compliance, evolve security program
Expertise, Intelligence, Integration
IBM Security Operations Optimization
There is no app for that…
SOC functions shown on the slide: Log Integrity, Firewall, IDPS, Brand Monitoring, Device Management, Security Monitoring, Incident Escalation, Incident Response, Compliance Management, Correlation Rules, Security Intelligence, Policy Management, Application Monitoring, DLP, Identity & Access, Compliance & Reporting, Escalations & Notifications
Slide graphic: a panel of ON/OFF toggles, one per function, labelled Client Success (Undefined) > Functionality; each function can be delivered In-House, Outsourced or Co-Delivered, across the dimensions People, Technology and Scope
Selecting the optimal SOC operating model depends on balancing business and technical requirements, risk and financial constraints
Business Requirements: Centralized to Decentralized
Technical Requirements: Standard to Highly Customized
Risk Tolerance: Externally Managed to Internally Managed
Financial Constraints: Low Cost to High Cost
Security Intelligence
Data import (Capture): Network Activity, Application Activity, Server & Hosts, Firewall, IDPS, Vulnerability Scan, User Activity, Threat Intel Feeds, Geo-IP Location
Capture, Analyze, Act, Monitor
IBM MSS Security Intelligence capabilities are centered around the IBM X-Force Protection System (XPS) and Managed SIEM QRadar technologies, uniting the sophisticated intelligence of each of these technologies through global intelligence and a single centralized vSOC Customer Portal.
CUSTOMER DATA: Real-time Correlation & Analysis; Historical Analytics & Data Mining
IBM DATA: Enrichment; Real-time Correlation & Analysis; Historical Analytics & Data Mining
VALUE PROPOSITION
• Availability of both CPE and Cloud-based SIEM
• Analysis across thousands of customers worldwide
• Advanced Threat Analytics
• Advanced Business Analytics
• Compliance Reporting
• System Activity & Privileged User Monitoring
• Historical Analysis & Reporting
• Security Visualization
• Real-time & Historical Query
• Incident Management
1. CPE-based Managed QRadar / Cloud-based SIEM
2. X-Force Protection System (XPS)
3. Global Intelligence: 11 Security Operation Centers; 3,700+ MSS Clients Worldwide; Billions+ Events Managed per Day; 1,000+ Security Patents*; 133 Monitored Countries (MSS)
SOC Consulting Offerings in Development
Security Operations Center (SOC) Workshop – 2-3 day management workshop to establish goals and objectives for developing the SOC, identifying stakeholders, types of threats monitored, and the management model
Security Operations Center (SOC) Assessment – Consulting assessment for customers that have an existing SOC but are looking for IBM to review their capabilities and maturity and make recommendations for improvements
Security Operations Center (SOC) Strategy Engagement – Consulting strategy engagement for customers that either do not have a SOC or have only some monitoring components in their environment, or have out-tasked functions to service providers and now want to bring them in-house
Security Operations Center (SOC) Design / Build Project – Professional services for customers who already have a SOC strategy and are seeking assistance to design and build one or more SOCs for their organization
– Components would include:
• Organization/People (Develop and implement staffing models, shift schedules, skills training etc.)
• Processes, Procedures, Guidelines (Define, develop and document, update existing)
• Technology (Plan, design, deploy technology components, integrate feeds and other referential sources)
Get Started
What is the primary purpose of the SOC?
What are the specific tasks assigned to the SOC? (e.g., threat intelligence, security device management, compliance management, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)
Who are the consumers of the information collected and analyzed by the SOC? What requirements do they have for the SOC?
Who is the ultimate stakeholder for the SOC? Who will “sell” the SOC to the rest of the organization?
What types of security events will eventually be fed into the SOC for monitoring?
Will the organization seek an external partner to help manage the SOC?
Moving Forward
Phase 1, Phase 2, Phase 3
Steps: Determine Requirements, Information Gathering, Information Analysis, Blueprint Creation, Execute Blueprint
Phases 1 and 2 must be completed to determine Phase 3 requirements
Managing your SIEM solution
How will a SIEM solution help me?!
Inputs to risk-based prioritization: identified threats, known vulnerabilities, business-critical IT assets; output: threat determined
Event sources: Firewalls/VPN, Intrusion Detection Systems, Vulnerability Assessment, Network Equipment, Server and Desktop OS, Anti-Virus, Applications, Databases, User Activity Monitoring, critical file modifications, policy changes, malicious IP traffic, web traffic
Tens of Millions: Raw Events
Millions: Security Relevant Events
Hundreds: Correlated Events
Gain enterprise-wide security visibility and intelligence
Integrated Intelligent Security Monitoring:
People: Identity and Access Management
Data: Database and Data Loss Prevention Security
Applications: Vulnerability Scanning and Logs
Infrastructure: Network, Server and Endpoint
Threat Intelligence: X-Force, MSS Global Analytics and 3rd Parties
Combining three functional capabilities
Log management: log collection, retention and search capabilities
Near-real-time security event and incident management: end-to-end incident and event management, including alerting, ticket logging, escalation management and assisted remediation
Compliance management: regulatory compliance monitoring, alerting and reporting framework combined with expert analytical capabilities, improvement programs and threat assessments
In order to make the best use of your SIEM solution, IBM will:
BUILD
Assess, Design and Deploy
OPERATE
Manage, Monitor, Alert and Remediate
RESPOND
Incident Planning, Response and Forensics
OVERSEE
Governance, Compliance and Awareness
A consistent service delivery methodology with high touch consultative focus to deliver a SIEM solution
Month 1 – Project Initiation and Planning: Kick off; Requirements Definition and Planning Session. Deliverable: Service/Project Plan
Month 2 – SIEM System Design: Architecture Design; System Design; Design Review. Deliverable: Updated Service/Project Plan
Month 3 – Implementation: Rack and Stack Deployment; Initial Configuration and Tuning. Deliverable: Operational SIEM System
Month 4 – Integration and Transition: Staged Transition to Operational Support; Reports Definition and Validation; Readiness Assessment; Initiate Steady State Operations. Deliverable: Application Support and Control Document, Communications Plan, and first Report Set
Month 5+ – Ongoing Operational Support: Real-time Event Monitoring and Notification; Reports Generation, Review and Analysis; SIEM System Management; SIEM System Change Requests; X-Force Threat Analysis Service. Deliverable: Monthly Report Set, XFTAS Reports, Monthly, Quarterly, and Annual Reviews
IBM’s Migration Methodology includes staggered on-boarding while processes are documented and integration and transition activities are performed.
Managed Security Services Offerings
IBM Security Services Portfolio: Managed and Cloud (mapped against Security Requirements)
Cloud security services:
• Hosted vulnerability management services
• Hosted security event and log management services
• Hosted IBM X-Force® threat analysis services
Managed Security Services (multiple device types and vendors supported):
• Managed and monitored firewall services
• Managed IPS¹ and IDS² services
• Managed UTM³ services
¹ Intrusion Protection System ² Intrusion Detection System ³ Unified threat management
SOC Basic Architecture
Monitored sources: Firewalls, IDS and IPS; Applications; Networking devices; Vulnerability; Anti Virus and filtering
Virtual-SOC technology platform: Aggregation, Correlation, Archival, Reporting, Workflow
Security Operations Center (SOC) process: Normalize, Aggregate, Correlate, Archive, Escalate, Remediate
Customer access over the Internet through the Virtual-SOC portal of the Virtual Security Operations Center (V-SOC)
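The Normalize / Aggregate / Correlate / Archive / Escalate chain on this slide and the "Tens of Millions of raw events to Hundreds of correlated events" funnel on the earlier "How will a SIEM solution help me?!" slide are the same pipeline seen from two angles. The block below is an added example, written for this page; it is not code from the presentation, from IBM QRadar or from the MSS platform. It runs a toy version of that pipeline in Python over constructed log lines (firewall, IDS, web and auth server formats invented for the example) and uses a hypothetical asset inventory, vulnerability-scan result and threat feed as the "business-critical IT assets", "known vulnerabilities" and "identified threats" inputs. The scoring formula, the brute-force count threshold and the escalation threshold are assumptions chosen to illustrate risk-based prioritization, not a vendor's rule set.

```python
import re
from collections import Counter

# Constructed sample events (not real logs): firewall, IDS, web server and auth server.
SAMPLE_EVENTS = [
    "fw01 2014-04-23T10:00:01 ACCEPT src=10.1.1.5 dst=10.9.0.20 dport=443",
    "fw01 2014-04-23T10:00:02 DROP src=203.0.113.9 dst=10.9.0.20 dport=22",
    "fw01 2014-04-23T10:00:03 ACCEPT src=203.0.113.9 dst=10.9.0.20 dport=443",
    "ids01 2014-04-23T10:00:04 ALERT sig=SQLi-URI src=203.0.113.9 dst=10.9.0.20",
    "ids01 2014-04-23T10:00:05 ALERT sig=SQLi-URI src=203.0.113.9 dst=10.9.0.20",
    "ids01 2014-04-23T10:00:06 ALERT sig=SQLi-URI src=203.0.113.9 dst=10.9.0.30",
    "web01 2014-04-23T10:00:07 GET /index.html 200 src=10.1.1.5 dst=10.9.0.20",
    "auth01 2014-04-23T10:00:08 FAILED_LOGIN user=admin src=198.51.100.7 dst=10.9.0.30",
    "auth01 2014-04-23T10:00:09 FAILED_LOGIN user=admin src=198.51.100.7 dst=10.9.0.30",
    "auth01 2014-04-23T10:00:10 FAILED_LOGIN user=admin src=198.51.100.7 dst=10.9.0.30",
    "auth01 2014-04-23T10:00:11 LOGIN user=bob src=10.1.1.6 dst=10.9.0.30",
    "fw01 2014-04-23T10:00:12 DROP src=192.0.2.44 dst=10.9.0.30 dport=23",
    "switch03 link flap on Gi0/7",  # unknown format: normalization must not crash on it
]

# Hypothetical reference data standing in for the three correlation inputs on the slide.
ASSET_CRITICALITY = {"10.9.0.20": 5, "10.9.0.30": 2}       # business-critical IT assets, 1 (low) .. 5
KNOWN_VULNS = {"10.9.0.20": {"sqli"}, "10.9.0.30": set()}  # known vulnerabilities from the last scan
THREAT_FEED = {"203.0.113.9"}                              # identified threats (threat-intel feed)
SIG_VULN_TAG = {"SQLi-URI": "sqli"}                        # maps an IDS signature to a scan finding
SEVERITY = {"DROP": 1, "FAILED_LOGIN": 2, "ALERT": 4}      # base severity per event type (assumed)
BRUTE_FORCE_MIN = 3      # repeated failures on one account from one source count as an attack
ESCALATE_THRESHOLD = 8   # below this an offense is only archived; at or above it is escalated

# One regex per source type; every pattern yields the same normalized field names.
PATTERNS = [
    re.compile(r"^(?P<host>fw\S*) (?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"),
    re.compile(r"^(?P<host>ids\S*) (?P<ts>\S+) (?P<action>ALERT) sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"),
    re.compile(r"^(?P<host>auth\S*) (?P<ts>\S+) (?P<action>FAILED_LOGIN|LOGIN) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"),
    re.compile(r"^(?P<host>web\S*) (?P<ts>\S+) (?P<method>GET|POST) (?P<path>\S+) (?P<status>\d{3}) src=(?P<src>\S+) dst=(?P<dst>\S+)$"),
]


def normalize(line):
    """Normalize: parse one raw line into a dict with common field names, or None if unknown."""
    for pat in PATTERNS:
        m = pat.match(line)
        if m:
            ev = m.groupdict()
            ev.setdefault("action", "HTTP")  # web lines carry no action keyword
            ev.setdefault("sig", "")         # only IDS lines carry a signature
            return ev
    return None


def is_security_relevant(ev):
    """Filter: keep denied/failed/alert events and anything touching a known-bad source."""
    return ev["action"] in SEVERITY or ev["src"] in THREAT_FEED


def aggregate(events):
    """Aggregate: collapse repeats of the same (src, dst, action, sig) into one record with a count."""
    counts = Counter((e["src"], e["dst"], e["action"], e["sig"]) for e in events)
    return [{"src": s, "dst": d, "action": a, "sig": g, "count": n} for (s, d, a, g), n in counts.items()]


def correlate(aggregated, threshold=ESCALATE_THRESHOLD):
    """Correlate: score each aggregate against asset criticality, scan results and threat intel."""
    offenses = []
    for agg in aggregated:
        sev = SEVERITY.get(agg["action"], 1)
        if agg["action"] == "FAILED_LOGIN" and agg["count"] >= BRUTE_FORCE_MIN:
            sev = SEVERITY["ALERT"]  # brute force is a pattern across events, not a single event
        crit = ASSET_CRITICALITY.get(agg["dst"], 1)
        intel = agg["src"] in THREAT_FEED
        tag = SIG_VULN_TAG.get(agg["sig"])
        vuln_match = tag is not None and tag in KNOWN_VULNS.get(agg["dst"], set())
        score = sev * crit
        if intel:
            score += 5       # known-bad source raises priority
        if vuln_match:
            score *= 2       # attack matches a vulnerability the target actually has
        if score >= threshold:
            offenses.append(dict(agg, score=score, threat_intel=intel, vuln_match=vuln_match))
    return sorted(offenses, key=lambda o: o["score"], reverse=True)  # Escalate: highest risk first


def run_pipeline(lines, threshold=ESCALATE_THRESHOLD):
    """Run the funnel and return (stage counts, prioritized offenses to escalate)."""
    parsed = [ev for ev in (normalize(l) for l in lines) if ev is not None]
    relevant = [ev for ev in parsed if is_security_relevant(ev)]
    aggregated = aggregate(relevant)
    offenses = correlate(aggregated, threshold)
    funnel = {"raw": len(lines), "parsed": len(parsed), "security_relevant": len(relevant),
              "aggregated": len(aggregated), "offenses": len(offenses)}
    return funnel, offenses


if __name__ == "__main__":
    stages, escalations = run_pipeline(SAMPLE_EVENTS)
    print(stages)
    for o in escalations:
        print(o["score"], o["src"], "->", o["dst"], o["action"], o["sig"], "x%d" % o["count"])
```

On the constructed input, 13 raw lines shrink to 9 security-relevant events, 6 aggregates and 5 escalations. The top escalation is the SQL-injection signature against 10.9.0.20, because the target is the most critical asset, the scan says it really is exposed, and the source is on the threat feed; the identical signature against 10.9.0.30 scores far lower because that host has no matching finding. The three failed admin logins only become an offense once aggregation has counted them, which is the point of aggregating before correlating. The unparseable switch line is dropped at normalization rather than crashing the pipeline.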
Mobily-IBM Managed Security Services Customer Portal
Combining best of MSS and PSS in one company
IBM Security Consulting Services and IBM Managed Security Services
“IBM has the largest client base of the participants... Clients praised the flexibility, knowledge, and responsiveness …while also noting the company’s excellent documentation. Organizations looking for a high-quality vendor that can do it all and manage it afterwards should consider IBM.”
Source: Forrester Research Inc., “Forrester Wave™: Information Security Consulting Services, Q1 2013” and “Forrester Wave™: Managed Security Services Providers, Q1 2012”
Full report can be accessed at http://www.ibm.com
Call to Action
Perform a Security Operations Assessment workshop
Evaluate how much value you gain from your current SIEM solution
Managed Security Services can be an effective interim solution