
How to build a successful SOC

Marcel Hoffmann, Manager


Cyber Defense Center Operations

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Agenda

What is the Cyber Defense Center?

The challenge

Our solution
• Technology
• People
• Process

Lessons learned

What is the CDC?

• HP's internal Security Operation Center
• The biggest test environment for HP security technologies
• A live showcase for HP customers and partners
The challenge

SOC Engagement Matrix

The engagement type depends on whether a SOC already exists and whether the engagement is reactive or proactive:

                  Reactive    Proactive
  Non-existing    Cobble      Build
  Pre-existing    Rebuild     Optimize
Challenges

Build ArcSight infrastructure (in 9 months)
• Sustain 3 billion EPD (events per day) and more
• Fulfil HA/DR requirements
• Ready for compliance

Hire and train 16 analysts (in 3 months)
• Develop training program
• Get everybody GCIA certified

Complete physical construction (in 6 months)
• Design state-of-the-art watch floor
• Allow customer briefings

Start 24x7 operations (by November 2013)
• Perform security monitoring
• Operate security mailbox and hotline
Our solution

Security Operations

[Diagram: an end-to-end view of security operations, framed by the three pillars Technology, Process and People, with Threat intel and the Business alongside. Labels recovered from the diagram: log sources (Firewall, Network IDS/IPS, Proxy, Web server) feed the ESM server; the alert workflow, numbered 1 to 7 on the original slide, runs through Level 1 and Level 2 analysts, the Incident handler, the Network & system owners and an Engineer, with an Escalation path, until the case is closed.]
Security Operations
Manufacturing success stories

[Diagram: the Event → Alert → Incident pipeline through the Security Operation Center, with the stages and labels recovered from the slide:]

• Platform: Event feeds and Threat intelligence deliver Raw events, which go to Storage and through Normalization/categorization
• Content: Rules drive Correlation, which turns events into alerts
• Incident Mgmt: Triage, Incident investigation and Quality assurance turn alerts into incidents
• External departments (e.g. R&D) receive the outcome as a Success story
• False positives identified during triage are fed back to Content for rule tuning
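The pipeline on this slide, carried through as an added example that is not part of the presentation or of ArcSight: constructed firewall and web-server log lines are normalized onto one schema and categorized, a single correlation rule turns repeated denies into an alert, and triage applies the analyst false-positive feedback (here a list of sources already confirmed benign) before anything becomes an incident candidate. The log formats, category names and the port-scan rule threshold are assumptions made for the example.

```python
"""Added illustration of the Event -> Alert -> Incident pipeline from the
slide (not CDC or ArcSight code). Stages: raw events -> normalization /
categorization -> correlation (rules) -> triage, with analyst false-positive
feedback tuning the content. Field layouts and all log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw events: firewall lines and web-server access lines, plus
# one line in no known format to show that normalization drops it.
RAW_EVENTS = [
    "2014-06-10T10:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2014-06-10T10:00:03 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2014-06-10T10:00:05 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2014-06-10T10:00:06 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2014-06-10T10:00:09 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=8080",
    "2014-06-10T10:00:30 fw01 ALLOW src=198.51.100.9 dst=10.0.0.8 dport=443",
    '2014-06-10T10:01:00 web01 198.51.100.9 "GET /index.html" 200',
    '2014-06-10T10:02:00 web01 192.0.2.4 "GET /admin" 403',
    "2014-06-10T10:05:00 fw01 DENY src=10.0.0.99 dst=10.0.0.5 dport=22",
    "2014-06-10T10:05:01 fw01 DENY src=10.0.0.99 dst=10.0.0.5 dport=23",
    "2014-06-10T10:05:02 fw01 DENY src=10.0.0.99 dst=10.0.0.5 dport=25",
    "2014-06-10T10:05:03 fw01 DENY src=10.0.0.99 dst=10.0.0.5 dport=80",
    "2014-06-10T10:05:04 fw01 DENY src=10.0.0.99 dst=10.0.0.5 dport=443",
    "this line is in no known format and must not become an event",
]

# Assumed (constructed) log layouts for the two feeds.
FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
WEB_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]+)" (\d{3})$')


def normalize(line):
    """Normalization/categorization: map one raw line onto a common schema
    and assign a category string. Unknown formats return None (dropped)."""
    m = FW_RE.match(line)
    if m:
        ts, device, action, src, dst, dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "device": device, "src": src,
                "dst": dst, "dport": int(dport),
                "category": "/Firewall/" + action.capitalize()}
    m = WEB_RE.match(line)
    if m:
        ts, device, src, request, status = m.groups()
        return {"ts": datetime.fromisoformat(ts), "device": device, "src": src,
                "dst": device, "dport": 80, "request": request,
                "category": "/Web/Access/" + ("Denied" if status == "403" else "OK")}
    return None


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation: one rule, 'same source denied on >= threshold distinct
    ports within window', raising at most one alert per offending source."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["category"] == "/Firewall/Deny":
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= threshold:
                alerts.append({"rule": "Port scan suspected", "src": src,
                               "ports": sorted(ports), "first_seen": first["ts"]})
                break
    return alerts


def triage(alerts, known_false_positives):
    """Triage: analyst feedback (sources already confirmed benign, e.g. an
    internal vulnerability scanner) suppresses alerts; the rest are handed
    to Level-2 / incident investigation as incident candidates."""
    escalated, suppressed = [], []
    for alert in alerts:
        if alert["src"] in known_false_positives:
            suppressed.append(alert)
        else:
            escalated.append(dict(alert, status="incident-candidate"))
    return escalated, suppressed


def run_pipeline(lines, known_false_positives=frozenset()):
    """Run all stages; returns (escalated alerts, suppressed alerts)."""
    events = [e for e in (normalize(line) for line in lines) if e is not None]
    return triage(correlate(events), known_false_positives)


if __name__ == "__main__":
    escalated, suppressed = run_pipeline(RAW_EVENTS, {"10.0.0.99"})
    for a in escalated:
        print("ESCALATE", a["src"], a["ports"])
    for a in suppressed:
        print("SUPPRESS (known false positive)", a["src"])
```

Without the feedback set both sources raise alerts; with the internal scanner 10.0.0.99 recorded as a known false positive only the external source reaches the incident stage, which is the loop the slide draws from False positives back into Content.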
Technology

[Diagram: the Technology part of the Event → Alert → Incident pipeline in the Security Operation Center: the Platform (Event feeds and Threat intelligence delivering Raw events to Storage and Normalization/categorization) and the Content (Rules feeding Correlation).]
3 phase approach

SOC 1.0: Secure the perimeter (HP TippingPoint)
• Reduce attack surface
• Leverage threat intelligence

SOC 2.0: Secure the application
• Achieve compliance
• Reduce potential impact

SOC 3.0: Secure the business
• Detect insider threat
• Detect fraud
• Gain predictable intelligence
ArcSight architecture

[Diagram: a layered ArcSight deployment with an Active Stack and a Standby Stack. From top to bottom the tiers are the Global ESM Tier, the Correlation ESM Tier, the Relay Connector Tier and the API Connector Tier; a Compliance component and per-business-unit BU Stacks are shown alongside.]
People

[Diagram: the Event → Alert → Incident pipeline with the roles mapped onto its stages: Platform Engineer (Platform), Content Engineer (Content), Level-1 Analyst (alerts), Level-2 Analyst and Incident Responder (Incident Mgmt), all under a Manager.]
Staffing

• 18+4 Intrusion Analysts (24x7 coverage, 10 hours/shift, 3 shifts/day)
• 7 Incident Responders
• 6 Dedicated Senior Engineers
• 3 Managers
• 1 Senior Department Manager

Certifications held by CDC staff:
• SANS GCIA
• SANS GCFW
• SANS GCFE
• SANS GCIH
• CISSP
• CCNA
• AESA
• AEIA

Senior CDC staff have over a combined 80 years InfoSec experience.
Extensive, customized 3-month training tailored to analysts' strengths.
Shift schedule

• Early shift: 3x L1, 5:00 – 15:00
• Mid shift: 3x L1, 10:00 – 20:00
• Night shift: 3x L1, 19:30 – 5:30

Overlap time (highlighted in purple on the original slide): 5h between early and mid shift, 0.5h between mid and night shift, 0.5h between night and early shift.

Weekly rota (Su Mo Tu We Th Fr Sa): a Front team and a Back team each cover four days of the week.

• Rotation every two months
• New shift pairing every month
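The overlap labels on this slide (5h, 0.5h, 0.5h) follow from the shift times; as an added example that is not part of the presentation, the script below checks that the three shifts leave no minute of the day uncovered and computes the pairwise overlap windows that the later "use shift overlaps for weekly training" lesson relies on. The shift times are the ones on the slide; the 6:00 variant is a constructed failure case showing how a gap is reported.

```python
"""Added illustration (not from the slide deck) of checking a 3-shift rota
for 24x7 coverage and computing the overlap windows used for turnover and
training. Shift times are the ones given on the slide."""

DAY = 24 * 60  # minutes in a day

# Shift name -> (start, end) in H:MM, 24-hour clock; end may be past midnight.
SHIFTS = {
    "early": ("5:00", "15:00"),
    "mid": ("10:00", "20:00"),
    "night": ("19:30", "5:30"),
}


def to_minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def fmt(minute_of_day):
    return f"{minute_of_day // 60:02d}:{minute_of_day % 60:02d}"


def shift_minutes(start, end):
    """Minute-of-day slots a shift covers (end exclusive); wraps past midnight."""
    s, e = to_minutes(start), to_minutes(end)
    if e <= s:
        e += DAY
    return {t % DAY for t in range(s, e)}


def coverage_gaps(shifts):
    """Return [(start, end), ...] for every stretch of the day no shift covers.
    A gap spanning midnight is reported as two pieces split at 00:00."""
    covered = set()
    for start, end in shifts.values():
        covered |= shift_minutes(start, end)
    gaps, gap_start = [], None
    for t in range(DAY + 1):
        if t < DAY and t not in covered:
            if gap_start is None:
                gap_start = t
        elif gap_start is not None:
            gaps.append((fmt(gap_start), fmt(t % DAY)))
            gap_start = None
    return gaps


def overlaps(shifts):
    """Minutes each pair of shifts is on the floor together (turnover windows)."""
    names = list(shifts)
    result = {}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            common = shift_minutes(*shifts[a]) & shift_minutes(*shifts[b])
            if common:
                result[(a, b)] = len(common)
    return result


if __name__ == "__main__":
    print("gaps:", coverage_gaps(SHIFTS))
    for pair, minutes in overlaps(SHIFTS).items():
        print(f"{pair[0]}/{pair[1]} overlap: {minutes / 60:g}h")
    # Constructed variant: starting the early shift at 6:00 opens a gap.
    late_start = dict(SHIFTS, early=("6:00", "15:00"))
    print("gaps with late early shift:", coverage_gaps(late_start))
```

For the slide's times the result is no gaps and overlaps of 300, 30 and 30 minutes, matching the 5h / 0.5h / 0.5h labels; moving the early shift to 6:00 reports the 05:30–06:00 gap that the night shift no longer hands over into.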
Hiring and training

Candidate backgrounds
• College graduates
• Administrators
• Tier-2/Tier-3 support
Focused on the analytical mindset

Analyst training
• Technical knowledge
• Tacit knowledge transfer
• Shadowing
Emphasis on individual training
Process

[Diagram: the Event → Alert → Incident pipeline again (Platform, Content, Incident Mgmt), here highlighting the Process view: Event feeds and Threat intelligence supplying Raw events, External departments receiving the Success story, and False positives flowing back for tuning.]
Process framework
16 processes, 40+ procedures

Process areas as defined on the slide:

• Technology: technical details associated with the technology used (deployment, configuration and architecture)
• Analytical: subtle event detection; the intelligence and discipline to collect information and use it to determine the discrete risk to an organization
• Operational: the daily tasks and tempo associated with effective security operations
• Business: the effort to run a security operation as a business (finance, metrics, service levels, etc.)

Processes named on the slide: Design, Configuration management, System administration, BC/DR, Incident management, Intrusion analysis, Reporting, Event management, Daily operations, Training, Process improvement, Metrics, Compliance, Service Management, Business Unit On-boarding.

Legend: Analytical Process, Operational Process, Technology Process, Business Process, Business Extended.
Reporting and metrics

[Diagram: the Event → Alert → Incident pipeline once more (Security systems and Threat intelligence supplying Raw events to Storage and Normalization/categorization; Rules and Correlation; Triage, Incident investigation and Quality assurance; External departments such as R&D receiving the Success story; False positives fed back), here as the frame for reporting and metrics.]
Lessons learned

Technology
Lessons learned

Own the whole stack
• Use appliances where possible
• Do not use standard builds
• Start with the deployment immediately

Minimize your number of ESM servers
• Cross-correlation between ESM difficult
• Content synchronization difficult
• Avoid multi-tier architecture as long as possible

Do not forget compliance
• ArcSight is an important part of audits
• Incorporate compliance requirements from the start
• Consider extended data retention requirements
People
Lessons learned

Prefer contract-to-hire for analysts
• Start with experienced analysts
• Extends the retention period

Maximize analyst retention
• Encourage participation
• Create a career path
• Give performance feedback

ArcSight Engineers are a critical hire
• Essential position already in the beginning
• 2-5 years of experience required

Continuous training
• Use shift overlaps for weekly training
• Develop your own training
Process
Lessons learned

Define a mission statement
• Clear statement to avoid "feature creep"
• Avoid secondary/tertiary tasks

Facilitate communication
• Daily or weekly news summaries
• Persistent chat rooms
• Solid shift turnover procedures

Measure success
• Document success stories
• Show progress to leadership
• Perform maturity audits

Keep feedback loops intact
• Analyst feedback important for content tuning
• Analysis and case quality feedback
• Threat intel fidelity feedback
Conclusion
How to make it successful
Gain attention
Avoid gaps in the assembly line
Measure quantitative and qualitative KPIs
Make it “their” SOC

For more information

Attend these sessions
• BB3055 - 5G/SOC: How the world's most advanced SOCs are leading the way
• BB3269 - Analysts assemble! Tips for successful security analyst recruitment, assessment, and retention

After the event
• Download the whitepaper at: http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA4-6169ENW
• Learn about our SOC maturity assessments: http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA4-4144ENW

Your feedback is important to us. Please take a few minutes to complete the session survey.
Please give me your feedback
Session BB3270, Speaker Marcel Hoffmann

Please fill out a survey and hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.
Thank you
