©2017 MFMER | slide-1
The Healthy SOC – A Case Study
Chad Sadosty - Senior Manager, Cybersecurity Operations Center
Richard Noel - Manager, MSSP, CSOC Tier 1
Agenda
• Bios / About Mayo Clinic
• Why do you need a SOC?
• SOC Take 1 – First Iteration
• SOC Stabilization
• SOC Take 2 – Transformation
• MSSP Engagement
• Use Cases
• Metrics
• Future SOC
Chad Bio
• USMC
• Mayo Clinic 17 years
• Help desk
• Desktop analyst
• Server admin
• Server manager
• SOC Sr. Manager
Richy Bio
• More handsome than Chad, however shorter and chubbier.
• Started career in Security in 2002 at an MSSP
• From a NOC to a SOC
• Worked for Pharmaceutical company in Montreal
• Ran for Member of Parliament in 2011
• Enjoys going to Burning Man
• Moved to Rochester, Minnesota to work for Mayo!
About Mayo Clinic
• Mayo Clinic is an integrated group practice of medicine
• Our mission is to provide the best care to every patient every day through integrated clinical practice, education and research
About Mayo Clinic
Rochester, Minnesota
Scottsdale, Arizona
Jacksonville, Florida
Why do you need a SOC?
• To keep your feet warm, silly!
• Company Breach?
• News of a breach in your business vertical
• Watching the news of major brands being breached
• General Paranoia???
SOC Take 1 - In The Beginning….
• Need for a SOC Identified
• Bought the Security things to do the Security stuff!
• Got a SIEM and threw all the logs at it
• Tried to use vendor defined alarms
• Re-aligned staff from IT and made them SOC staff
We ended up with….
• Well intentioned staff with limited security knowledge
• Incident Response program documented, but not followed
• No training or process improvement
• Primarily focused on responding to phishing threats
• With lots of firefighting for other stuff
• Non-functioning SIEM. Insufficient tooling
SOC Take 1 - Stabilization
• Complete tear down of the SIEM
• Only ingest logs that are required by use cases
• Re-evaluate all the tools and how we use them
• Start to automate our Phishing process
• Formalize our Incident Response Program
• Train Staff
Incident Response Realignment
• Align to NIST 800-61 rev 2
• Include quarterly Table Top exercises
• Include a “Lessons Learned” process to integrate improvements
• Include integrations with other key departments
Incident Response Overview
SIEM Redeployment
• Original SIEM installation was burned to the ground and rebuilt with significant assistance from the vendor.
• Log sources were rationalized to include only logs needed to fire alarms.
• No more logging everything just because.
SIEM Use Case – Initial Load
• Based on alarms from existing security tools to provide a single pane of glass
• Based on industry best practice – what are other SOCs doing?
• And lots of good intentions…..
SOC Take 2 – What can we do better?
• Coverage only during business hours
• On-Call rotation for after hours support
• Flat staffing model
• Insufficient human resources
SOC Transformation – More Than Meets The Eye!
• Hybrid staffing model with internal SOC and managed security service provider (MSSP)
• Dedicated 24X7 security monitoring
• Refined business processes and established security monitoring use-cases
• Standardize documentation and templates
SOC Transformation – More Than Meets The Eye!
• Regular maintenance review and testing of incident response plan and SOC policies
• Mayo-specific alarms, based on use cases, driven by business requirements, backed by policy and standards
Managed Security Services – Vendor Selection
• SOC Maturity a factor in selection process
• Most MSSPs assume an immature SOC
• Mayo wanted to retain intellectual property of SIEM Alarms and SOPs
• Needed more “Staff Backfill” of Tier 1 rather than the traditional MSSP model of Alarm Notification.
• MSSP needed to use Mayo provided tools
• No offshoring or storage of Mayo data off Mayo systems!
• SIEM as single pane of glass
Managed Security Services, Roles and Responsibilities
MSSP
• Continuous security monitoring; responds to all security events generated/reported
• All initial triage of security alerts coming into the SOC; follows the SOP to investigate, escalate if necessary, or close
SHARED
• Monitoring and response capabilities enhancement
• Security event investigation based on SOP
MAYO
• SIEM and enterprise/operating systems of all security tools (configuration, maintenance, etc.)
• IT systems
• Tier 2+ escalations
• SOC SOPs/run books ownership
• Incident response
Tiered Staffing, not Tired Staffing – Tier 1 MSSP
• Responds to SIEM alarms, triages and creates cases.
• Provides additional insight on threats by gathering relevant artifacts
• Escalates to Tier 2 for investigation OR escalates to SOC on-call for high severity cases
• Provides 24x7 coverage
Tiered Staffing, not Tired Staffing – Tier 1 Mayo
• Responds to Tier 1 general threats to Mayo Clinic, such as commodity malware and broad phishing campaigns
• Works with Tier 1 and 2 analysts to expand knowledge and capabilities
• Assists with Use Case, Alarm and SOP development, documentation and training
Tiered Staffing, not Tired Staffing – Tier 2
• Assists with tuning and development of detection signatures
• Performs investigations on escalated incidents
• Assists with Tier 1 and Tier 3 duties as needed
• Mentors Tier 1 engineers
Tiered Staffing, not Tired Staffing – Tier 3
• Acts as the IR subject matter expert
• Reverse engineering of Malware
• Leads forensic investigations and severity 1 and 2 incidents
• Mentor for Tier 1 and 2 employees
• Works with TI for attribution on high severity incidents
Key Elements for Success
• Leadership endorsement
• A framework to follow
  • NIST
• Governance People/Process/Technology
  • Policies
  • Standards
• Documentation
  • Charter
  • Use cases
  • SOPs
  • Metrics
  • After Action Reports
• Staff with the right training and skills
SOC Charter
• Provide a Mission Statement
• Identify Stakeholders
• Describe SOC Goals
  • Event Management
  • Incident Response
  • Forensic Investigation
• Set out Tiered Staffing Model
Use Cases from Business Requirements
Use Cases
Use Case and Alarm Lifecycle
Metrics and KPIs
The Future
• Automation and Orchestration
• Integration with TH and TI
• Machine and user analytics
• Integration with other security and IT tools
• Use case request process
• Security in the cloud……
Questions