2.
Graeme Parker
Managing Director - Parker Solutions Group
Extensive experience delivering Cyber Security, Business Continuity and Risk Management solutions to organisations across the globe, in multiple sectors including Government, Financial Services, IT Service Providers, Health Services, and Electrical and Power.
Graeme provides consulting at the strategic, tactical and operational levels, conducts and leads audits, and leads numerous training events worldwide.
+44(0)1609 760293
graeme@parkersolutionsgroup.co.uk
www.parkersolutionsgroup.co.uk
3.
Security Operations Centre
What is a Security Operations Centre (SOC)?
• A facility to protect enterprise information systems such as applications, network devices, servers, databases and data centres.
• Provides services which could include (but are not limited to):
  • Security Administration
  • System and Event Monitoring
  • Management of Malware
  • Incident Response
  • Security Investigations
  • Vulnerability Assessment and Penetration Testing
  • Technology Configuration and Deployment
  • Security Engineering
  • Support Services
4.
We have never had a security incident
A misconception
• Most of us are familiar with the concept of Preventative, Detective and Corrective Controls.
• A professionally designed SOC with the right tools and skills can strengthen the detective aspects, which are a vital pillar in your security posture.
• The vast majority of preventative controls can be defeated; much comes down to the determination and skill set of the attackers.
5.
Building a SOC
What is the Current Position?
Maybe an organisation has some elements in place that constitute a SOC; potentially larger organisations may have fairly mature operations already established. The decision is whether to:
• Operate
• Extend
• Build
Next Steps
6.
Building a SOC
What is required?
There are several key steps and key considerations in building an
effective SOC and the next generation SOC.
The three key areas which are well known are:
• People
• Process
• Technology
7.
Threat: a key starting point
Firstly we need to understand the threat landscape.
Threat Source                  Capability (0-5)  Motivation (0-5)  Total (Capability x Motivation)
Organised Crime                4                 2                 8
Internal Employees             5                 1                 5
Activist Groups                3                 2                 6
Competitors                    3                 1                 3
Foreign Intelligence Services  5                 1                 5
Media/Journalists              3                 3                 9
Hacking Groups                 4                 1                 4
8.
People - Traditional Viewpoint
SANS Building a World Class SOC Roadmap
Skilled people are key to a successful SOC. Whilst there are no absolute set standards, the typical roles to be fulfilled include:

Role: Tier 1 Alert Analyst
Description: Continuously monitors the alert queue; triages security alerts; monitors health of security sensors and endpoints; collects data and context necessary to initiate Tier 2 work.
Competence/Training: Thorough understanding of internal processes. Strong knowledge of SIEM tooling and specific vendor tools used in the SOC. Good general understanding of incident response.

Role: Tier 2 Incident Responder
Description: Performs deep-dive incident analysis by correlating data from various sources; determines if a critical system or data set has been impacted; advises on remediation; provides support for new analytic methods for detecting threats.
Competence/Training: Advanced forensics knowledge, strong log review skills, malware knowledge, expertise in investigation techniques and standards and procedures.
9.
People - Traditional Viewpoint
SANS Building a World Class SOC Roadmap

Role: Tier 3 Subject Matter Expert/Hunter
Description: Possesses in-depth knowledge on network, endpoint, threat intelligence, forensics and malware reverse engineering, as well as the functioning of specific applications or underlying IT infrastructure; acts as an incident "hunter", not waiting for escalated incidents; closely involved in developing, tuning and implementing threat detection analytics.
Competence/Training: Advanced knowledge of anomaly detection, deep-dive investigations, malware reverse engineering, in-depth penetration testing techniques. A highly experienced technical professional.

Role: SOC Manager
Description: Manages resources to include personnel, budget, shift scheduling and technology strategy to meet SLAs.
Competence/Training: Security management skills, understanding of risk, architecture, security strategy.
10.
Staffing models
SOC teams
Several options exist for staffing across the various models.
Key questions:
• Should the organisation use its own employees?
• Should staff be mixed and partially outsourced?
• Should the whole process be fully outsourced?
11.
Employees
Staffing
Characteristics
• The organisation performs all of its security incident work using its own employees, with limited external support.
• Given the skills required in a next generation SOC, this is extremely difficult to achieve.
14.
Selecting the appropriate model
Team model selection factors
Factors to be considered
• The need for 24/7 availability
• Full time or part-time members
• Cost
• Expertise
• Outsourcing
• Technical Resources
15.
Process
Process Maturity and the Human Factor is key
• Clearly defined processes are fundamental to the success of a SOC. Such processes need to be repeatable, clearly defined and understood.
• NIST SP 800-61 R2 Computer Security Incident Handling Guide and ISO 27035 can provide some clear guidance in this area.
• However, our aim is not to define rigid, inflexible processes. Our analysts need to be able to use their own expertise and skills to provide an effective service.
16.
Red and Blue Teams
Processes which require rules of engagement
• Blue teams usually defend information systems (the main part of a SOC).
• Red teams are employed to test the defences and launch attacks to test not only defences but the organisation's ability to detect and respond.
• These teams are at the cutting edge of any mature SOC, but clear rules of engagement must be defined.
17.
Technologies
A blend of technology
Security Monitoring - Beyond SIEM. Inputs feeding the monitoring capability:
• Vulnerability scanners, firewalls, WAFs, IDS/IPS
• Asset data, threat intelligence
• System logs, FIM solutions
• Network traffic, endpoint data, security events
18.
Context
Data requires clear context
• Alerting tools can provide many individual pieces of information.
• Individual pieces of information, such as the IP address of an endpoint, do not however tell the whole story.
• Rich data from multiple sources, such as asset type, time, known/detected vulnerabilities, user action, file types and threat intelligence, can mean the difference when deciding on key actions.
19.
The next generation SOC
Where are things heading?
Many technologies, processes and skills are required but what does a next
generation SOC look like? First we need to understand the various
generations:
Image from HP Arcsight 5G SOC Business Whitepaper
20.
Next Generation
Analytics, Big Data and Human Behaviour
• Automated solutions which can analyse large data sets can more effectively identify threats and attacks using machine learning.
• Automation does not replace the analyst but allows analysts to be more focussed on the human aspects of attacks and intelligence.
• Whilst attacks may be automated, ultimately they are driven by human behaviour. Our analysts therefore need to be more than technical experts. They need to understand topics like counter intelligence, surveillance and criminal psychology.
21.
Next Generation
Analytics, Big Data and Human Behaviour - a quote from IBM
"It takes constant monitoring and maximum use of data to find attacks and abnormal behaviour before damage is done. But the world produces over 2.5 quintillion bytes of data every day, and 80 per cent of it is unstructured. This means it's expressed in natural language — spoken, written or visual — that a human can easily understand but traditional security systems can't."
— IBM Cognitive Security
22.
Next Generation
Analytics, Big Data and Human Behaviour
• With this considered, the ability to analyse large data sets of threat and business intelligence to detect patterns is a key skill of an equipped SOC. This means mathematicians, statisticians and data scientists play a role as the next SOC analyst.
• Threat intelligence is a crucial input but does not come from one source. SOC leaders need to be identifying data from multiple sources.
• Red and Blue team roles increase in importance for instant readiness, along with hunt teams freed from day-to-day processes.
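Slides 20 and 22 both argue that the next generation SOC detects abnormal behaviour by analysing large data sets rather than by waiting for a signature to fire. The example below is added for this deck (it is not the author's or any vendor's code) and shows the simplest form of that idea: a per-user baseline of daily event counts, a robust deviation score (median and median absolute deviation, so that a few noisy days do not distort the baseline the way a mean would), and handling of two edge cases a practitioner hits immediately: a user with no history at all, and a perfectly constant history where the spread is zero. The users, counts and thresholds are constructed assumptions.

```python
"""Baseline-and-deviation detection over per-user daily event counts.

Added example for this deck; the histories below are constructed, and the
threshold and minimum-delta values are assumptions for illustration."""
from statistics import median
from typing import Dict, List, Tuple

# Constructed history: successful logins per day over the last 14 days.
HISTORY: Dict[str, List[int]] = {
    "alice": [6, 5, 7, 6, 5, 6, 8, 5, 6, 7, 6, 5, 6, 7],
    "bob":   [3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3],
    "carol": [1, 0, 2, 1, 3, 0, 1, 2, 1, 1, 0, 2, 1, 1],
    "erin":  [3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3],
}

# Constructed counts for "today", to be compared against each baseline.
TODAY: Dict[str, int] = {"alice": 41, "bob": 3, "carol": 2, "dave": 25, "erin": 4}


def modified_zscore(value: float, baseline: List[int]) -> float:
    """Robust deviation score: 0.6745 * (value - median) / MAD.

    MAD is the median absolute deviation. The 0.6745 constant scales MAD to
    be comparable with a standard deviation for normal data. When MAD is 0
    (a perfectly constant history) no change scores 0 and any change is
    treated as infinitely surprising; the caller must then apply a floor."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def detect_anomalies(history: Dict[str, List[int]], today: Dict[str, int],
                     threshold: float = 3.5, min_delta: int = 2) -> List[Tuple[str, str, float]]:
    """Return (user, explanation, score) for every count worth an analyst's time.

    threshold: modified z-score above which a count is flagged (3.5 is the
               commonly used default for this statistic; assumed here).
    min_delta: absolute change below which nothing is flagged, which stops
               a constant history turning a change of one event into an alert."""
    findings = []
    for user, count in today.items():
        base = history.get(user)
        if not base:
            # A user with no baseline is itself a finding: first time seen.
            findings.append((user, f"no baseline: first time seen with {count} events", float("nan")))
            continue
        med = median(base)
        if abs(count - med) < min_delta:
            continue
        score = modified_zscore(count, base)
        if score > threshold:
            findings.append((user, f"{count} events today vs median {med}", score))
    return findings


if __name__ == "__main__":
    for user, why, score in detect_anomalies(HISTORY, TODAY):
        print(f"{user}: {why} (score {score:.1f})")
```

Against the constructed data only alice (41 logins against a median of 6) and dave (never seen before) are surfaced: bob is unchanged, carol's small variation is within her normal spread, and erin's one extra login is suppressed by the minimum-delta floor even though her zero-spread history would otherwise score it as infinite. The same routine generalises to any count a SOC can bucket per entity and per period (bytes transferred per host, failed logins per source, DNS queries per process), which is what "analysing large data sets to detect patterns" comes down to in practice.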
23.
Next Generation
Focus Areas
• All of the traditional areas of focus for a SOC still apply, though new areas exist:
  • IoT devices
  • APIs
  • Remote Access Solutions
  • Cloud services
  • Converged networks
  • Web based applications
  • Endpoints and devices
  • Federated identity management systems
24.
Next Generation
What sets a next generation SOC apart?
• A next generation SOC has at its heart:
  • Collection of raw logs and live data from all parts of the environment
  • Ability to use predictive analysis based on vast data sets including human intelligence
  • Threat detection from multiple sources
  • Multi-skilled dynamic teams
  • A business focus and delivery of a holistic service
  • The ability to leverage non-security tools to analyse data
  • The environment to share and receive knowledge and expertise across industry
25.
Key Messages
• A SOC is at the heart of any organisation's security posture.
• It needs to be dynamic, constantly learning and adapting.
• Skilled and motivated people are crucial to success. Learning and experience is constant.
• Tasks can be shared with third parties, but internal ownership is of paramount importance.
• Preventative controls will only take you so far.
• Automation to interrogate large data sets, adding context to provide intelligence, will support the right decisions.
• A SOC should cover all aspects of an organisation's architecture and should be aligned to real business processes.