How To Build A Successful SOC
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Agenda
The challenge
Our solution
• Technology
• People
• Process
Lessons learned
What is the CDC?
The challenge
SOC Engagement Matrix

                 Reactive    Proactive
Non-existing     Cobble      Build
Pre-existing     Rebuild     Optimize
Challenges
Our solution
Security Operations
[Diagram: numbered workflow (steps 1 to 7) linking People, Process, Technology, Threat intel and Business. Nodes: Firewall, Network IDS/IPS, Proxy, Web server, ESM server, Level 1, Level 2, Incident handler, Engineer, Network & system owners, Escalation, Case closed.]
Security Operations
Manufacturing success stories
[Diagram: assembly line Event -> Alert -> Incident -> Incident Mgmt. Platform layer: Storage, Raw events, Event feeds, Threat intelligence, Normalization/categorization. Content layer: Rules, Correlation. Alert stage: Triage, Quality assurance, False positives. Incident stage: Investigation, R&D. Incident Mgmt stage: External departments, Success story.]
Technology
[Diagram: assembly line Event -> Alert -> Incident. Platform layer: Storage, Raw events, Event feeds, Threat intelligence, Normalization/categorization. Content layer: Rules, Correlation.]
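The Event -> Alert -> Incident line on this slide can be made concrete with a small Python pipeline. This is an added example, not code from the deck or from HP ArcSight: it normalizes two constructed log formats into a common schema with a category, applies one correlation rule (many denied ports from one source inside a short window), and triages the resulting alerts against a constructed allowlist of known scanners so that false positives are recorded instead of escalated, while alerts corroborated by an IDS hit are raised to a higher severity. All event lines, device names, IP addresses, the rule threshold and the allowlist are made-up assumptions.

```python
"""Minimal event -> alert -> incident pipeline (added illustration, not HP/ArcSight code).

Stages mirror the slide: raw events are normalized and categorized, a correlation
rule turns related events into alerts, triage filters known false positives,
and surviving alerts become incidents for investigation. All input is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw event feed: two device types with different native formats.
RAW_EVENTS = [
    "2014-06-10T09:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2014-06-10T09:00:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2014-06-10T09:00:03 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=80",
    "2014-06-10T09:00:04 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=443",
    "2014-06-10T09:00:05 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    '2014-06-10T09:00:09 ids01 ALERT sig="SSH brute force" 203.0.113.7 -> 10.0.0.5:22',
    "2014-06-10T09:01:00 fw01 DENY src=10.0.0.50 dst=10.0.0.5 dport=22",
    "2014-06-10T09:01:01 fw01 DENY src=10.0.0.50 dst=10.0.0.5 dport=80",
    "2014-06-10T09:01:02 fw01 DENY src=10.0.0.50 dst=10.0.0.5 dport=443",
    "2014-06-10T09:01:03 fw01 DENY src=10.0.0.50 dst=10.0.0.5 dport=8080",
    "2014-06-10T09:01:04 fw01 DENY src=10.0.0.50 dst=10.0.0.5 dport=8443",
]

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r'^(\S+) (\S+) ALERT sig="([^"]+)" (\S+) -> (\S+):(\d+)$')


def normalize(line):
    """Map a native log line onto a common schema with a category; None if unparsed."""
    m = FW_RE.match(line)
    if m:
        ts, dev, action, src, dst, dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "device": dev, "src": src, "dst": dst,
                "dport": int(dport), "category": "firewall/" + action.lower(), "name": action}
    m = IDS_RE.match(line)
    if m:
        ts, dev, sig, src, dst, dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "device": dev, "src": src, "dst": dst,
                "dport": int(dport), "category": "ids/alert", "name": sig}
    return None


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Rule (assumed): >= threshold denied connections from one source to distinct ports within window."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["category"] != "firewall/deny":
            continue
        bucket = by_src[e["src"]]
        bucket.append(e)
        # drop events that fell out of the sliding window
        bucket[:] = [x for x in bucket if e["ts"] - x["ts"] <= window]
        ports = {x["dport"] for x in bucket}
        if len(ports) >= threshold:
            alerts.append({"rule": "port-scan", "src": e["src"], "dst": e["dst"],
                           "first": bucket[0]["ts"], "last": e["ts"], "ports": sorted(ports)})
            bucket.clear()  # fire once per burst
    return alerts


KNOWN_SCANNERS = {"10.0.0.50"}  # constructed allowlist: the internal vulnerability scanner


def triage(alerts, events):
    """Suppress known false positives; enrich surviving alerts with IDS hits and set severity."""
    incidents, false_positives = [], []
    ids_hits = [e for e in events if e["category"] == "ids/alert"]
    for a in alerts:
        if a["src"] in KNOWN_SCANNERS:
            false_positives.append(a)
            continue
        related = [e["name"] for e in ids_hits if e["src"] == a["src"] and e["dst"] == a["dst"]]
        a["severity"] = "high" if related else "medium"
        a["related_ids"] = related
        incidents.append(a)
    return incidents, false_positives


def run_pipeline(raw_lines):
    """Run all stages and return counts plus the incidents and suppressed alerts."""
    events = [e for e in map(normalize, raw_lines) if e]
    alerts = correlate(events)
    incidents, false_positives = triage(alerts, events)
    return {"events": len(events), "alerts": len(alerts),
            "incidents": incidents, "false_positives": false_positives}


if __name__ == "__main__":
    result = run_pipeline(RAW_EVENTS)
    for inc in result["incidents"]:
        print(f"INCIDENT {inc['severity']}: {inc['rule']} from {inc['src']} "
              f"ports {inc['ports']} ids={inc['related_ids']}")
```

Run as-is: eleven events produce two port-scan alerts; the one from the allowlisted scanner is kept as a false positive for the quality-assurance record, the other is corroborated by the IDS hit and becomes a high-severity incident.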
3 phase approach
SOC 1.0: Secure the perimeter (HP TippingPoint)
• Reduce attack surface
• Leverage threat intelligence
SOC 2.0: Secure the application
• Achieve compliance
• Reduce potential impact
SOC 3.0: Secure the business
• Detect insider threat
• Detect fraud
• Gain predictable intelligence
ArcSight architecture
[Diagram: Active Stack and Standby Stack, Compliance, Relay Connector Tier, BU Stacks.]
People
[Diagram: assembly line Event -> Alert -> Incident -> Incident Mgmt with Platform and Content layers; roles placed along the line: Level-1 Analyst, Incident Responder, Manager.]
Staffing
Shift schedule
Hiring and training
Process
[Diagram: assembly line Event -> Alert -> Incident -> Incident Mgmt with Platform and Content layers. Inputs: Raw events, Event feeds, Threat intelligence. Outputs: False positives, Success story, External departments.]
Process framework: 16 processes, 40+ procedures
Technology (technical details associated with the technology used: deployment, configuration and architecture)
• Design
• Configuration management
• System administration
• BC/DR
Analytical (the intelligence and discipline to collect information and use it to determine the discrete risk to an organization)
• Subtle event detection
• Incident management
• Intrusion analysis
• Reporting
• Event management
Operational (the daily tasks and tempo associated with effective security operations)
• Daily operations
• Training
• Process improvement
• Metrics
Business (the effort to run a security operation as a business: finance, metrics, service levels, etc.)
• Compliance
Legend: Analytical Process, Operational Process, Technology Process, Business Process, Business Extended
Reporting and metrics
[Diagram: assembly line Event -> Alert -> Incident -> Incident Mgmt. Platform layer: Storage, Raw events, Security systems, Threat intelligence, Normalization/categorization. Content layer: Rules, Correlation. Alert stage: Triage, Quality assurance, False positives. Incident stage: Investigation, R&D. Incident Mgmt stage: External departments, Success story.]
Lessons learned
Technology
Lessons learned
Own the whole stack
• Use appliances where possible
• Do not use standard builds
• Start with the deployment immediately
Minimize your number of ESM servers
• Cross-correlation between ESM difficult
• Content synchronization difficult
• Avoid multi-tier architecture as long as possible
People
Lessons learned
Prefer contract-to-hire for analysts
• Start with experienced analysts
• Extends the retention period
Maximize analyst retention
• Encourage participation
• Create a career path
• Give performance feedback
Process
Lessons learned
Define a mission statement
• Clear statement to avoid “feature creep”
• Avoid secondary/tertiary tasks
Facilitate communication
• Daily or weekly news summaries
• Persistent chat rooms
• Solid shift turnover procedures
Conclusion
How to make it successful
Gain attention
Avoid gaps in the assembly line
Measure quantitative and qualitative KPIs
Make it “their” SOC
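To make "Measure quantitative and qualitative KPIs" concrete, here is an added Python example (not from the deck or from HP): it computes mean time to detect, acknowledge and resolve, an acknowledgement-SLA breach count (a gap in the assembly line), a per-rule false-positive rate that flags rules for content tuning, and an average quality-assurance review score, all from constructed case records of the kind a case-management system would export. The case data, rule names, the 15-minute acknowledgement SLA and the 50% tuning threshold are assumptions.

```python
"""SOC KPI computation for a reporting period (added illustration, not from the HP deck).

Each constructed case record carries: event = when the triggering activity occurred,
alert = when the rule fired, ack = when an analyst picked the case up, closed = when
it was resolved, verdict = triage outcome, qa = reviewer score (1-5) from the QA step.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean


def t(s):
    """Parse an ISO-8601 timestamp (helper for the constructed data)."""
    return datetime.fromisoformat(s)


# Constructed sample cases (assumed values)
CASES = [
    {"id": 1, "rule": "port-scan", "event": t("2014-06-10T09:00:05"), "alert": t("2014-06-10T09:00:06"),
     "ack": t("2014-06-10T09:08:00"), "closed": t("2014-06-10T10:30:00"), "verdict": "true_positive", "qa": 4},
    {"id": 2, "rule": "port-scan", "event": t("2014-06-10T09:01:04"), "alert": t("2014-06-10T09:01:05"),
     "ack": t("2014-06-10T09:20:00"), "closed": t("2014-06-10T09:25:00"), "verdict": "false_positive", "qa": 5},
    {"id": 3, "rule": "malware-callback", "event": t("2014-06-10T11:00:00"), "alert": t("2014-06-10T11:30:00"),
     "ack": t("2014-06-10T11:31:00"), "closed": t("2014-06-10T15:30:00"), "verdict": "true_positive", "qa": 3},
    {"id": 4, "rule": "port-scan", "event": t("2014-06-11T02:00:00"), "alert": t("2014-06-11T02:00:01"),
     "ack": t("2014-06-11T03:00:01"), "closed": t("2014-06-11T03:05:01"), "verdict": "false_positive", "qa": 5},
]

ACK_SLA_SECONDS = 15 * 60   # assumed shift target: every alert picked up within 15 minutes
FP_TUNING_THRESHOLD = 0.5   # assumed: rules with >50% false positives go back to content engineering


def seconds(later, earlier):
    """Elapsed seconds between two timestamps."""
    return (later - earlier).total_seconds()


def kpis(cases):
    """Return the quantitative and qualitative KPI set for the given cases."""
    mttd = mean(seconds(c["alert"], c["event"]) for c in cases)   # mean time to detect
    mtta = mean(seconds(c["ack"], c["alert"]) for c in cases)     # mean time to acknowledge
    mttr = mean(seconds(c["closed"], c["alert"]) for c in cases)  # mean time to resolve
    sla_breaches = sum(1 for c in cases if seconds(c["ack"], c["alert"]) > ACK_SLA_SECONDS)

    # false-positive rate per correlation rule, feeding content tuning
    per_rule = defaultdict(lambda: {"total": 0, "fp": 0})
    for c in cases:
        per_rule[c["rule"]]["total"] += 1
        if c["verdict"] == "false_positive":
            per_rule[c["rule"]]["fp"] += 1
    fp_rate = {rule: v["fp"] / v["total"] for rule, v in per_rule.items()}
    tuning_candidates = sorted(rule for rule, rate in fp_rate.items() if rate > FP_TUNING_THRESHOLD)

    qa_mean = mean(c["qa"] for c in cases)  # qualitative KPI: average QA review score
    return {"mttd_s": mttd, "mtta_s": mtta, "mttr_s": mttr, "ack_sla_breaches": sla_breaches,
            "fp_rate": fp_rate, "tuning_candidates": tuning_candidates, "qa_mean": qa_mean}


if __name__ == "__main__":
    for name, value in kpis(CASES).items():
        print(f"{name}: {value}")
```

On the sample data the port-scan rule has a two-thirds false-positive rate and is flagged for tuning, and two of four alerts missed the acknowledgement SLA; both numbers are the kind of thing that goes into the weekly summary the Process lessons recommend.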
For more information
Attend these sessions
• BB3055 - 5G/SOC: How the world's most advanced SOCs are leading the way
• BB3269 - Analysts assemble! Tips for successful security analyst recruitment, assessment, and retention
After the event
• Download the whitepaper at: http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA4-6169ENW
• Learn about our SOC maturity assessments: http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA4-4144ENW
Please give me your feedback
Session BB3270 Speaker Marcel Hoffmann
Thank you