Presentation I used to give on the topic of using a SIM/SIEM to unify the information stream flowing into the SOC. This piece of collateral was used to help close the largest SIEM deal (product and services) that my employer achieved with this product line.
1. Best Practices for Building a Security Operations Center: Untangling the Mess Created by Multiple Security Solutions
   Michael Nickle, CA Technology Services
7. SOC Clients (who consumes the SOC's output, and what each needs)
   - CIO: dashboard and/or reports that reflect organizational risk status and security trends
   - Auditor: report interface to key security metrics
   - Security Officer: compliance-oriented reporting that reflects current status against the organization's key security objectives
   - Security Manager: operational dashboard that highlights areas of risk or immediate threat and enables quick drill-down to incident status and event detail
   - Security Analyst (sometimes IT Administrator): intuitive investigation console that eases log analysis tasks and automates incident identification and repetitive response tasks
14. What's in a SOC: What is it? What does it do? What's a good one and what's a bad one? Is it worth the time/money?
15. Where does the SOC fit? (the SOC sits at the centre of these inputs and outputs)
   - External Data Sources (context for events)
   - Internal Logs
   - Log Aggregation
   - Process Reviews
   - Feed from the NOC
   - Tie into Remediation Workflow/Ticketing
   - Event Journaling
   - Training
   - Automatic Notifications
   - Reports
   - Access for the NOC
   - Vulnerability Assessment
   - Asset Inventory
   - Audit Checks
   - Health Monitoring
   - Archival
22. The Complexity of Regulatory Compliance: continuous compliance cuts across all areas
   Business Issues: Business Continuity, Business Enablement, Risk Management, Operational Efficiency
   Industry Regulations: EU Data Protection, Basel II, ISO 17799, Sarbanes-Oxley, HIPAA, GLBA
   Risks: Credit Risk, Market Volatility, Reputation, Liability, Competition, Operational Risk
23. COBIT (section DS5.2: Identification, Authorization and Access)
   "… Resources should be restricted …"
   "… Prevent Unauthorized … Access …"
24. SOX (source: Section 404, Management Assessment of Internal Controls)
   "Responsibility of management for establishing and maintaining an adequate internal control structure and … periodic review …"
26. An Example: an example of a SOC and NOC working together the right way
29. Discovery through Remediation
   Risk Management, Compliance, Event and Information Management, and Forensics:
   - Real-time Aggregation and Correlation in support of Incident Response and Event Monitoring
   - Historical Analysis, Trending and Forensics Investigation
   - Security Command Center/Audit
   - Asset Risk Value
   - Compliance to Policy
   EITM Common Services and MDB
   Supporting management disciplines:
   - Threat Management
   - Identity and Access Management
   - Desktop and Server Management
   - Enterprise and System Management
   - Vulnerability Management
   - Security Configuration Management
   - Network Analysis
   - Trouble Ticketing / Service Desk
   - Patch Management
   - Self-Healing
   - Forensics Investigation
30. Discovery through Remediation (the same layered view, with the CA eTrust products mapped onto it)
   Risk Management, Compliance, Event and Information Management, and Forensics:
   - Real-time Aggregation and Correlation in support of Incident Response and Event Monitoring
   - Historical Analysis, Trending and Forensics
   - Security Command Center/Audit
   - Asset Risk Value
   - Compliance to Policy
   EITM Common Services and MDB
   Products shown: eTrust Security Command Center / Audit, eTrust Network Forensics, eTrust Policy Compliance, eTrust Vulnerability Manager
   Supporting management disciplines:
   - Threat Management
   - Identity and Access Management
   - Desktop and Server Management
   - Enterprise and System Management
   - Vulnerability Management
   - Security Configuration Management
   - Network Analysis
   - Trouble Ticketing / Service Desk
   - Patch Management
   - Self-Healing
   - Forensics Investigation
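The "Discovery through Remediation" slides name real-time aggregation and correlation, historical trending and asset risk value as the SIEM's core functions, but the deck does not show how those pieces fit together. The script below is an added example written for this page; it is not part of the presentation and not the code of any CA or eTrust product. It normalizes constructed log lines from two invented sources into one common schema (aggregation), applies one correlation rule (a burst of failed logons from a single source address followed by a successful logon from the same address), ranks the resulting incident by a constructed asset risk value, and computes a simple per-host hourly failure trend. All hostnames, addresses, log formats, thresholds and risk values are assumptions made up for the example; only the Windows event IDs 4624/4625 are real.

```python
"""Minimal SIEM-style pipeline: aggregate -> correlate -> prioritise -> trend.
Added example for this page; log formats and data are constructed, not real."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample events from two sources (an SSH gateway and a Windows
# host). Both formats are invented for the example.
RAW_EVENTS = [
    "2024-03-01T09:00:01Z ssh-gw sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:05Z ssh-gw sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T09:00:09Z ssh-gw sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T09:00:20Z db01 EventID=4625 User=svc_backup Source=203.0.113.7",
    "2024-03-01T09:00:31Z db01 EventID=4624 User=svc_backup Source=203.0.113.7",
    "2024-03-01T09:05:00Z ssh-gw sshd: Failed password for bob from 198.51.100.4",
    "2024-03-01T09:05:02Z ssh-gw sshd: Accepted password for bob from 198.51.100.4",
    "2024-03-01T09:30:00Z db01 EventID=4672 User=svc_backup Source=203.0.113.7",
    "this line is in no known format and must be dropped",
]

# Asset inventory with a risk value per host (slide: "Asset Risk Value").
# Constructed; a real SOC would pull this from its asset inventory.
ASSET_RISK = {"ssh-gw": 3, "db01": 9}

SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<status>Failed|Accepted) "
                    r"password for (?P<user>\S+) from (?P<src>\S+)$")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
                    r"User=(?P<user>\S+) Source=(?P<src>\S+)$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line):
    """Aggregation: map one source-specific line onto the common schema,
    or return None when the line is not a logon event we understand."""
    m = SSH_RE.match(line)
    if m:
        outcome = "failure" if m["status"] == "Failed" else "success"
        return {"ts": _ts(m["ts"]), "host": m["host"], "user": m["user"],
                "src": m["src"], "outcome": outcome}
    m = WIN_RE.match(line)
    if m:
        # 4625 = failed logon, 4624 = successful logon; other IDs are ignored here.
        outcome = {"4625": "failure", "4624": "success"}.get(m["eid"])
        if outcome is None:
            return None
        return {"ts": _ts(m["ts"]), "host": m["host"], "user": m["user"],
                "src": m["src"], "outcome": outcome}
    return None


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: >= threshold failures from one source address inside
    the window, followed by a success from that address, raises an incident.
    The incident's priority is the asset risk value of the host logged into."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            incidents.append({"src": ev["src"], "host": ev["host"],
                              "user": ev["user"], "failures": len(q),
                              "priority": ASSET_RISK.get(ev["host"], 1)})
            q.clear()  # one incident per burst
    return sorted(incidents, key=lambda i: -i["priority"])


def trend(events):
    """Historical view: failed logons per host per hour, for trending reports."""
    counts = defaultdict(int)
    for ev in events:
        if ev["outcome"] == "failure":
            counts[(ev["host"], ev["ts"].strftime("%Y-%m-%dT%H"))] += 1
    return dict(counts)


def run_pipeline(lines):
    """Run aggregation, correlation and trending over raw lines."""
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    return events, correlate(events), trend(events)


if __name__ == "__main__":
    events, incidents, hourly = run_pipeline(RAW_EVENTS)
    print(f"{len(events)} normalized events from {len(RAW_EVENTS)} lines")
    for inc in incidents:
        print("INCIDENT", inc)
    for (host, hour), n in sorted(hourly.items()):
        print(f"{host} {hour}: {n} failed logons")
```

On the constructed data the pipeline keeps seven of the nine lines, raises one incident (four failures from 203.0.113.7 followed by a successful logon to db01, priority 9 because db01 carries the higher asset risk value) and produces no incident for bob's single typo before a successful login. The 4672 line and the malformed line are dropped at the aggregation step, which is where a real SIEM's parsers earn their keep.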