Presentation from Ben Rothke at Secure360 2010 - Building a Security Operations Center (SOC)

1. Building a Security Operations
Center (SOC)
1
Ben Rothke, CISSP, PCI QSA
Senior Security Consultant
BT Global Services
ben.rothke@bt.com

2. Agenda
2
Introduction
Need for a Security Operations Center (SOC)
Components of an effective SOC
Deciding to insource or outsource the SOC
SOC requirements
Q/A

3. About me
3
Senior Security Consultant – BT Global
Services
Certifications: CISSP, CISM, PCI QSA, CISA,
CCO, SITA, Dad
IT sector since 1988 and information security
since 1994
Frequent writer and speaker
Author - Computer Security: 20 Things Every
Employee Should Know

4. Current Security Challenges
4
Onslaught of security data from disparate
systems, platforms and applications
Numerous point solutions (antivirus, firewalls,
IDS/IPS, ERP, access control, IdM, SSO, etc.)
Millions of messages daily
Attacks becoming more frequent and
sophisticated
Regulatory compliance issues place
increasing burden on systems and network
administrators

5. Current Climate
5
Most organizations inadequately prepared to
deal with intrusions and security incidents
Address issue only after a serious breach occurs
When incident occurs, decisions made in
haste, which reduces ability to:
Understand extent and source of incident
Protect sensitive data contained on systems
Protect systems/networks and their ability to continue operating as
intended and recover systems
Collect information to understand what happened. Without such
information, you may inadvertently take actions that can further
damage your systems
Support legal investigations and forensics

6. Current SOC Climate
6
In recent years, the complexity of managing a
SOC has increased exponentially
Security operations is not just about
perimeter threats anymore
Array of hundreds of event sources - firewalls, IPS,
IDS, proxy information, applications, identity
management, database, router, switch, merchant/PCI,
physical security devices and more
SOC’s are aggregation points of tens of
millions of daily events that must be
monitored, logged, analyzed and correlated

7. Why do you need a SOC?
7
Designed to be nucleus of all your information
and Internet security operations
Provides:
Continuous prevention
Protection
Detection
Response capabilities against threats, remotely
exploitable vulnerabilities and real-time incidents on
your networks
Works with CIRT to create comprehensive
infrastructure for managing security ops

8. SOC Benefits
8
Speed of response time
Malware can spread throughout the Internet in
minutes or even seconds, potentially knocking out
your network or slowing traffic to a crawl
Consequently, every second counts in
identifying these attacks and negating them
before they can cause damage
Ability to recover from a DDoS attack in a
reasonable amount of time

9. Integrated SOC
9
IBM

10. SOC Functions
10
Real-time monitoring / management
Aggregate logs
Aggregate data
Coordinate response and remediation
Reporting
Executives
Auditors
Security staff
Post-incident analysis
Forensics
Investigation

11. SOC Requirements
11
Trained staff
Good management
Adequate budget
Typically, only largest companies have resources to
build and staff a dedicated SOC
Good processes
Integration into incident response

12. SOC Planning
12
Full audit of existing procedures, including informal and
ad-hoc
Independent consultants to advise on industry best
practices
Planning of location, resources, training programs, etc.
But plans change; don’t try to prepare everything ahead
of time
Sometimes best approach is not clear until you have actually started
But plans change; don’t try to prepare everything ahead
of time
Sometimes best approach is not clear until you have actually started
Build it like an aircraft carrier
Change built into the design

13. SIM Tool
13
Many SOC benefits come from good SIM tool
Consolidates all data and analyzes it intelligently
Provides visualization into environment
SOC is inefficient if overwhelmed with data
SIM and configuring it is key
Define requirements first
Choose SIM that’s flexible and agile, plus:
Priority determination
Real-time correlation
Cross-device correlation
Audit and compliance
Track and escalate according to threat level

14. SIM Automation
14
IDS/IPS Firewalls/VPNs Routers Business Applications
Access Control Databases Web Servers
Network O/S Desktops Others
3 Million Messages Received
186,000 Alerts Processed
180 Tickets Analyzed
3
Direct SOC analyst handled

15. Challenge of SIM & Automation
15
A well-configured SIM can automate much of
the SOC process. But…
“The more advanced a control system is, so
the more crucial may be the contribution of
the human operator”
Ironies of Automation - Lisanne Bainbridge
Don’t get caught in the hype that a SIM can
replace SOC analysts

16. SOC Setup
16
Recruitment
Skill sets required for broad range of technologies
Determine at what stage to bring staff on board, and
in what quantity
Training plan
Infrastructure
Create procedures on how you can ensure your
availability and ability to work, even in an outage
Determine where the SOC should be located
With IT Security, NOC, elsewhere?

17. SOC Development
17
Procedures must be continually revised, as
technologies advance, and experience shows
how to improve
As the team develops, more skilled work can
be taken on, and range of services expanded
Good for team morale, as well as providing a better
service
SOC runbook must be kept updated, and be
tightly revision controlled
Kept in central location so old versions cannot circulate

18. Which SOC?
18
Outsourced
BT Managed Security Solutions (formerly BT
Counterpane), Symantec, SecureWorks, Solutionary,
WiPro, Tata, Savvis, McAfee, Verizon (Cybertrust /
Ubizen), Orange, Integralis, Verizon, Sprint, EDS,
Qwest iQ Managed Security Service, Unisys and more
Centralized group within enterprise
Corporate SOC

19. Outsourced SOC
19
Advantages Disadvantages
Avoid capital expenses –
it’s their hardware & Contractors will never
software know your environment
Often cheaper than in- like internal employees
house Sending jobs outside
Less potential for organization can lower
collusion between morale
monitoring team and
Lack of capital retention
attacker
Risk of external data
Good security people are
mishandling
difficult to find
Unbiased
SLA

20. Outsourced SOC – General Questions
20
1. What is its reputation?
2. Who are its customers?
3. Does it already service customers in my
industry?
4. Does it service customers my size?
5. How long have its customers been with it?
6. What is its cancellation/non-renew rate?

21. Outsourced SOC – Staffing Questions
21
1. What is the experience of its staff?
2. Does it hire reformed hackers?
3. Are background checks performed on all new
employees?
4. Does it use contractors for any of its services?
5. Are personnel held to strict confidentiality
agreements?
6. What is the ratio of senior engineers to managed
clients?
7. What certifications are held by senior/junior staff?
8. What is its employee turnover rate?

22. Outsourced SOC – Stability Questions
22
1. Is it stable?
2. Does it have a viable business plan?
3. How long has it been in business?
4. Positive signs of growth from major clients?
5. Consistent large account wins / growing revenue?
6. What is its client turnover rate?
7. What are its revenue numbers?
• If private and unwilling to share this information,
ask for percentages rather than actual numbers
8. Will it provide documentation on its internal
security policies and procedures?

23. Outsourced SOC - Sizing / Costs
23
Must provide services for less than in-house
solutions would cost
Can spread out investment in analysts,
hardware, software, facilities over several
clients
How many systems will be monitored?
How much bandwidth is needed?
Potential tax savings
Convert variable costs (in-house) to fixed costs
(services)

24. Outsourced SOC – Performance Metrics
24
Must provide client with an interface providing
detailed information
Services being delivered
How their security posture relates to overall industry
trends
Provide multiple views into the organization
Various technical, management and executive
reports
Complete trouble ticket work logs and notes

25. Outsourced SOC – SLA’s
25
Well-defined SLA’s
processes and time periods within which they will
respond to any security need.
SLA should include specific steps to be taken
Procedures the company takes to assure that the
same system intrusions do not happen again
Guarantee of protection against emerging threats
Recovers losses in the event service doesn’t deliver as
promised
Commitments for initial device deployment, incident
response/protection, requests for security policy &
configuration changes, acknowledgement of requests

26. Outsourced SOC - Transitioning
26
Ensure adequate knowledge transfer
Create formal service level performance
metrics
Establish a baseline for all negotiated service levels
Measure from the baseline, track against it, adjusting
as necessary.
Create internal CIRT
Identify key events and plan the response
Hold regular transition & performance reviews
Be flexible
Schedule formal review to adjust SLA’s after 6 months
of service operation and periodically thereafter.

27. Outsourced SOC – Termination
27
All outsourcing contracts must anticipate the
eventual termination at the end of the
contract and plan for an orderly in-house
transition or a transition to another provider
Develop an exit strategy
Define key resources, assets and process
requirements for continued, effective delivery of the
services formerly provided by the outgoing provider

28. Internal SOC
Advantages 28 Disadvantages
• Knows environment • Larger up-front
better than a third-party investment
• Solutions are generally • Higher pressure to
easier to customize show ROI quickly
• Potential to be most • Higher potential for
efficient collusion between
analyst and attacker
• Most likely to notice
correlations between • Less likely to recognize
groups large-scale, subtle
patterns that include
• Better tool pricing – multiple groups
higher volume

29. Internal SOC - Questions
29
1. Does your staff have the competencies
(skills and knowledge) to manage a SOC?
2. How do you plan to assess if they really do
have those competencies?
3. Are you willing to take the time to document
all of the SOC processes and procedures?
4. Who’s going to develop a training program?
5. Who’s going to design the physical SOC site?
6. Can you hire and maintain adequate staff
levels?

30. Internal SOC Success Factors
30
1. Trained staff
2. Good management
3. Adequate budget
4. Good processes
5. Integration into incident response
If your organization can’t commit to these five
factors, do not build an internal SOC – it will fail
Will waste money and time and create false sense of security
If you need a SOC but can’t commit to these factors,
strongly consider outsourcing

31. SOC Mistakes
31
Huge waste of money
False sense of security
Miss active attacks
Compliance issues and violations
Much more likely to violate privacy laws
Federal / State
EU Privacy Directives
SOC success ultimately dependent on quality of SOC staff
Staff success ultimately dependent on quality of SOC manager

32. SOC Analysts
32
Good SOC analysts hard to find, hard to keep
Have combination of technical knowledge and
technical aptitude
Hire experienced SOC analysts
Pay them well
You get what you pay for
Skill sets • Directories
• Operating system proficiency
• Routers/switches/firewalls
• Network protocols
• Programming
• Chain of custody issues
• Databases
• Ethics
• IDS
• Corporate policy
• Investigative processes
• Services
• Applications
• Multiple hardware platforms
• and much more
• Attacks

33. SOC Analysts - Qualities
33
Extremely curious
Ability & desire to find answers to difficult problems
and situations
Abstract thinker
Can correlate IDS incidents and alerts in real-time
Ethical
Deals with low-level details while keeping
big-picture view of situation
Can communicate to various groups that
have very different requirements
Responds well to frustrating situations

34. SOC Analyst Burnout
34
SOC analysts can burnout
Have a plan to address this
Extensive training
Bonuses
Promotions
Management opportunities
Job rotation

35. SOC Management
35
Management and supervision of a SOC is a
key factor to ensure its efficiency
While analysts, other staff, hardware and
software are key elements, a SOC’s ultimate
success is dependant on a competent SOC
manager.
Inadequate/poor management has significant
consequences, from process performance
decrements, to incidents being missed or
incorrectly handled

36. SOC Processes
36
SOC heavily process-driven
Processes work best when documented in
advance
Usability and workflow critical
Documentation
Adequate time must be given to properly document
many different SOC functions
Corporate networks and SOC are far too complex to be
supported in an ad-hoc manner
Documentation makes all the difference

37. SOC Processes ToC
37

38. SOC Metrics
38
Measured by how quickly incidents are:
Identified
Addressed
Handled
Must be used judiciously
Don’t measure base performance of an
analyst simply on the number of events
analyzed or recommendations written

39. Additional references
39

40. Conclusions
40
Building a SOC is complex
SOC is the foundation of your organization’s
security management program
Multiple organizational and technical issues
should be considered when planning and
evaluating a SOC
Potential benefits of a SOC are enormous
Planning and requirements definition are crucial
But if you do this right, your security benefits
will be immense

41. Thanks for attending - Q/A
41
Ben Rothke, CISSP PCI QSA
Senior Security Consultant
BT Professional Services
ben.rothke@bt.com
www.linkedin.com/in/benrothke
www.twitter.com/benrothke