Security Operations Optimization

Ahmed Abdel Hamid, Security Business Manager, KSA. April 23, 2014

Posted on 19-Oct-2014

DESCRIPTION

Presented by IBM Security Business Manager, KSA, Mr. Ahmed Abdel Hamid at the Mobily-IBM Security & Resiliency Conference 2014

TRANSCRIPT

Page 1: Security Operations Optimization

Security Operations Optimization

Ahmed Abdel Hamid, Security Business Manager, KSA. April 23, 2014

Page 2: Security Operations Optimization

© 2014 IBM Corporation

Agenda

• New attacks landscape
• Security Operations Optimization
• Managed SIEM
• Managed Security Services
• Call to Action

Page 3: Security Operations Optimization


Page 4: Security Operations Optimization


Page 5: Security Operations Optimization


Page 6: Security Operations Optimization


The famous 2014 "Retailers" breach

Target and Neiman Marcus Breaches Are Only the Beginning - 22 Jan 2014

Neiman Marcus Hack Went Undetected For 5 Months - Reuters, 17 January 2014

Target: 40 million credit cards compromised - CNNMoney, 19 December 2013

Page 7: Security Operations Optimization


Anonymous Israel Attack on April 7th - said today in its response to questions, claiming its official estimate of damage so far includes hacking of 60,000 websites, 40,000 Facebook pages, 5,000 Twitter accounts and 30,000 Israeli bank accounts, "causing an estimated $3 billion in damage." … However, now Israeli hacktivists are fired up and counter-striking at Palestinian, Iranian and Turkish website targets.

Network World USA, April 2013

Page 8: Security Operations Optimization


Database Breach…

Page 9: Security Operations Optimization


Top 5 Global SPAM Destination Countries: Saudi Arabia is maintaining #1 Position into 2013

(Charts: May 2013, June 2013)

2012 Summary of SPAM for GCC Receiving Countries

• Saudi Arabia: the number 1 SPAM-receiving country in every month except one, when it was #2.

Page 10: Security Operations Optimization


Page 11: Security Operations Optimization


More than half a billion records of personally identifiable information (PII) were leaked in 2013.

Page 12: Security Operations Optimization


Page 13: Security Operations Optimization

Page 14: Security Operations Optimization


IBM has a broad base of security services to help you

• Security Strategy, Risk and Compliance
• Cybersecurity Assessment and Response
• Security Operations Optimization
• Infrastructure and Endpoint Security
• Identity and Access Management
• Data and Application Security
• Managed Security

Managed Services
• Globally available managed security services platform
• Manage security operations, detect and respond to emerging risk

Security Consulting & Professional Services
• 6000+ Security Consultants & Architects
• Assess security risk and compliance, evolve security program

Expertise, Intelligence, Integration

Page 15: Security Operations Optimization


IBM Security Operations Optimization

Page 16: Security Operations Optimization


There is no app for that…

(Diagram: a security operations "control panel". Functions with ON/OFF switches: Log Integrity, Firewall, IDPS, Brand Monitoring, Device Management, Security Monitoring, Incident Escalation, Incident Response, Compliance Management, Correlation Rules, Security Intelligence, Policy Management, Application Monitoring, DLP, Identity & Access. Dials: Functionality; People (In-House / Outsource / Co-Deliver); Technology Scope; Compliance & Reporting; Escalations & Notifications. Readout: Client Success: Undefined.)

Page 17: Security Operations Optimization


Selecting the optimal SOC operating model depends on balancing business and technical requirements, risk and financial constraints

• Business Requirements: Centralized vs. Decentralized
• Technical Requirements: Standard vs. Highly Customized
• Risk Tolerance: Externally Managed vs. Internally Managed
• Financial Constraints: Low Cost vs. High Cost

Page 18: Security Operations Optimization


Security Intelligence

IBM MSS Security Intelligence capabilities are centered around the IBM X-Force Protection System (XPS) and Managed SIEM QRadar technologies, uniting the sophisticated intelligence of each of these technologies through global intelligence and a single centralized vSOC Customer Portal.

Data Import (Capture, Analyze, Act, Monitor) from: Network Activity; Application Activity; Server & Hosts; Firewall; IDPS; Vulnerability Scan; User Activity; Threat Intel Feeds; Geo-IP Location.

CUSTOMER DATA with IBM DATA Enrichment:
• Availability of both CPE and Cloud-based SIEM
• Analysis across thousands of customers worldwide
• Advanced Threat Analytics
• Advance Business Analytics
• Compliance Reporting
• System Activity & Privileged User Monitoring
• Historical Analysis & Reporting
• Security Visualization
• Real-time & Historical Query
• Incident Management

VALUE PROPOSITION

1. CPE-based Managed QRadar and Cloud-based SIEM: Real-time Correlation & Analysis; Historical Analytics & Data Mining
2. X-Force Protection System (XPS)
3. Global Intelligence: 11 Security Operation Centers; 3,700+ MSS Clients Worldwide; Billions+ Events Managed per Day; 1,000+ Security Patents*; 133 Monitored Countries (MSS)

Page 19: Security Operations Optimization


SOC Consulting Offerings in Development

Security Operations Center (SOC) Workshop – 2-3 day management workshop to establish goals and objectives for developing the SOC, identifying stakeholders, types of threats monitored, and the management model.

Security Operations Center (SOC) Assessment – Consulting assessment for customers that have an existing SOC but are looking for IBM to review their capabilities and maturity and make recommendations for improvements.

Security Operations Center (SOC) Strategy Engagement – Consulting strategy engagement for customers that either do not have a SOC or have just some monitoring components in their environment, or have out-tasked functions to service providers and now want to bring them in-house.

Security Operations Center (SOC) Design / Build Project – Professional services for customers who already have a SOC strategy and are seeking assistance to design and build one or multiple SOCs for their organization. Components would include:

• Organization/People (develop and implement staffing models, shift schedules, skills training, etc.)
• Processes, Procedures, Guidelines (define, develop and document; update existing)
• Technology (plan, design, deploy technology components; integrate feeds and other referential sources)

Page 20: Security Operations Optimization


Get Started

• What is the primary purpose of the SOC?
• What are the specific tasks assigned to the SOC? (e.g., threat intelligence, security device management, compliance management, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)
• Who are the consumers of the information collected and analyzed by the SOC? What requirements do they have for the SOC?
• Who is the ultimate stakeholder for the SOC? Who will "sell" the SOC to the rest of the organization?
• What types of security events will eventually be fed into the SOC for monitoring?
• Will the organization seek an external partner to help manage the SOC?


Page 21: Security Operations Optimization


Moving Forward

Phases: Phase 1, Phase 2, Phase 3.

Steps: Determine Requirements; Information Gathering; Information Analysis; Blueprint Creation; Execute Blueprint.

Phase 1 and 2 must be completed to determine Phase 3 requirements.

Page 22: Security Operations Optimization


Managing your SIEM solution

Page 23: Security Operations Optimization


How will a SIEM solution help me?!

Inputs to risk-based prioritization: identified threats, known vulnerabilities and business-critical IT assets. Output: threat determined.

Event sources: Firewalls/VPN; Intrusion Detection Systems; Vulnerability Assessment; Network Equipment; Server and Desktop OS; Anti-Virus; Applications; Databases; User Activity Monitoring; Critical file modifications; Policy Changes; Malicious IP Traffic; Web Traffic.

Event funnel:
• Tens of Millions: Raw Events
• Millions: Security Relevant Events
• Hundreds: Correlated Events

Page 24: Security Operations Optimization


Gain enterprise-wide security visibility and intelligence

Integrated Intelligent Security Monitoring:

• People: Identity and Access Management
• Data: Database and Data Loss Prevention Security
• Applications: Vulnerability Scanning and Logs
• Infrastructure: Network, Server and Endpoint
• Threat Intelligence: X-Force, MSS Global Analytics and 3rd Parties

Page 25: Security Operations Optimization


Combining three functional capabilities

Log management: log collection, retention and search capabilities.

Near-real-time security event and incident management: end-to-end incident and event management, including alerting, ticket logging, escalation management and remediation assistance.

Compliance management: regulatory compliance monitoring, alerting and reporting framework combined with expert analytical capabilities, improvement programs and threat assessments.

Page 26: Security Operations Optimization


In order to make the best use of your SIEM solution, IBM will:

• BUILD: Assess, Design and Deploy
• OPERATE: Manage, Monitor, Alert and Remediate
• RESPOND: Incident Planning, Response and Forensics
• OVERSEE: Governance, Compliance and Awareness

Page 27: Security Operations Optimization


A consistent service delivery methodology with high touch consultative focus to deliver a SIEM solution

Project Initiation and Planning (Month 1): Kick off; Requirements Definition and Planning Session. Deliverable: Service/Project Plan.

SIEM System Design (Month 2): Architecture Design; System Design; Design Review. Deliverable: Updated Service/Project Plan.

Implementation (Month 3): Rack and Stack Deployment; Initial Configuration and Tuning. Deliverable: Operational SIEM System.

Integration and Transition (Month 4): Staged Transition to Operational Support; Reports Definition and Validation; Readiness Assessment; Initiate Steady State Operations. Deliverable: Application Support and Control Document, Communications Plan, and first Report Set.

Ongoing Operational Support (Month 5+): Real-time Event Monitoring and Notification; Reports Generation, Review and Analysis; SIEM System Management; SIEM System Change Requests; X-Force Threat Analysis Service. Deliverable: Monthly Report Set, XFTAS Reports, Monthly, Quarterly, and Annual Reviews.

IBM's Migration Methodology includes staggered on-boarding while processes are documented and integration and transition activities are performed.

Page 28: Security Operations Optimization


Managed Security Services Offerings

Page 29: Security Operations Optimization


IBM Security Services Portfolio: Managed and Cloud.

Cloud security services:
• Hosted vulnerability management services
• Hosted security event and log management services
• Hosted IBM X-Force® threat analysis services

Managed Security Services:
• Managed and monitored firewall services
• Managed IPS¹ and IDS² services
• Managed UTM³ services

Multiple device types and vendors supported (diagram axis: Security Requirements).

¹ Intrusion Protection System; ² Intrusion Detection System; ³ Unified threat management

Page 30: Security Operations Optimization


SOC Basic Architecture

Monitored sources: Firewalls and IDS and IPS¹; Applications; Networking devices; Vulnerability; Anti Virus and filtering.

Flow: sources, Aggregation, Internet, Virtual-SOC technology platform (Aggregation, Correlation, Archival, Reporting, Workflow).

Security Operations Center (SOC): Normalize, Aggregate, Correlate, Archive, Escalate, Remediate.

Virtual-SOC portal: Virtual Security Operations Center (V-SOC).
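The SIEM funnel on the "How will a SIEM solution help me?!" slide (raw events, then security-relevant events, then a few correlated events ranked by threat, known vulnerability and asset criticality) and the Normalize / Aggregate / Correlate / Escalate chain of the SOC architecture above, reduced to a runnable sketch. This is an added example, not IBM or QRadar code; the two log formats, the asset criticality table, the vulnerability list and the scoring rule are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample events from two source types (firewall and IDS).
RAW_EVENTS = [
    "FW src=10.0.0.5 dst=10.1.0.20 dport=445 action=deny",
    "FW src=10.0.0.5 dst=10.1.0.20 dport=445 action=deny",
    "FW src=10.0.0.5 dst=10.1.0.20 dport=445 action=deny",
    "FW src=10.0.0.7 dst=10.1.0.30 dport=8080 action=deny",
    "IDS sig=SMB-EXPLOIT-ATTEMPT src=10.0.0.5 dst=10.1.0.20 sev=high",
    "IDS sig=WEB-SCAN src=10.0.0.7 dst=10.1.0.30 sev=medium",
    "IDS sig=PORTSCAN src=10.0.0.9 dst=10.1.0.99 sev=low",
]
# Constructed asset inventory (criticality 1..3) and vulnerability-scan results.
ASSET_CRITICALITY = {"10.1.0.20": 3, "10.1.0.30": 2}
KNOWN_VULNS = {"10.1.0.20": {"smb"}}
SEVERITY = {"low": 1, "medium": 2, "high": 3}
FW_RE = re.compile(r"FW src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")
IDS_RE = re.compile(r"IDS sig=(\S+) src=(\S+) dst=(\S+) sev=(\w+)$")

def normalize(line):
    """Map a source-specific raw line onto one common event schema."""
    m = FW_RE.match(line)
    if m:
        src, dst, port, action = m.groups()
        return {"type": "fw", "src": src, "dst": dst, "port": int(port), "action": action}
    m = IDS_RE.match(line)
    if m:
        sig, src, dst, sev = m.groups()
        return {"type": "ids", "src": src, "dst": dst, "sig": sig, "sev": sev}
    return None  # unknown format: dropped here; a real SIEM would count it
def aggregate_denies(events):
    """Collapse repeated firewall denies into one count per (src, dst) pair."""
    return Counter((e["src"], e["dst"]) for e in events
                   if e["type"] == "fw" and e["action"] == "deny")
def correlate(events):
    """IDS alert + firewall denies for the same (src, dst) -> offense, scored by
    severity x asset criticality, doubled on a matching known vulnerability."""
    denies = aggregate_denies(events)
    offenses = []
    for e in events:
        if e["type"] != "ids" or not denies.get((e["src"], e["dst"])):
            continue  # uncorroborated alert: stays in the "security relevant" tier
        score = SEVERITY[e["sev"]] * ASSET_CRITICALITY.get(e["dst"], 1)
        if any(v in e["sig"].lower() for v in KNOWN_VULNS.get(e["dst"], ())):
            score *= 2
        offenses.append({"src": e["src"], "dst": e["dst"], "sig": e["sig"],
                         "denies": denies[(e["src"], e["dst"])], "score": score})
    return sorted(offenses, key=lambda o: o["score"], reverse=True)  # escalate order
def run(lines=RAW_EVENTS):
    return correlate([e for e in map(normalize, lines) if e])
```

With the constructed input, seven raw lines collapse to two offenses and the exploit attempt against the business-critical, vulnerable host ranks first; the uncorroborated port scan never reaches the offense tier.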

Page 31: Security Operations Optimization


Mobily-IBM Managed Security Services Customer Portal

Page 32: Security Operations Optimization


Combining best of MSS and PSS in one company

IBM Security Consulting Services

IBM Managed Security Services

"IBM has the largest client base of the participants... Clients praised the flexibility, knowledge, and responsiveness …while also noting the company's excellent documentation. Organizations looking for a high-quality vendor that can do it all and manage it afterwards should consider IBM."

Source: Forrester Research Inc., "Forrester Wave™: Information Security Consulting Services, Q1 2013" and "Forrester Wave: Managed Security Services Providers, Q1 2012".

Full report can be accessed at http://www.ibm.com

Page 33: Security Operations Optimization


Call to Action

• Perform Security Operations Assessment workshop
• Evaluate how much value you gain from your current SIEM Solution
• Managed Security Services can be an interim effective solution