Cyber Security Operations: Building or Outsourcing
Michael Levin, Optum
Stephen Moore, Anthem
Jeff Schilling, Armor
2016 HITRUST Alliance.

Introduction
Michael J. Levin, JD, CISSP, EnCE, GLEG, GSLC
Director of Cyber Defense for Optum
Former Director of Security Design and Innovation with U.S. Dept. of Health and Human Services, Senior Associate with Deloitte, and Investigative Counsel with U.S. Office of Special Counsel
https://www.linkedin.com/in/michaellevin/

Cyber Defense
Provides Cyber Security Services to UnitedHealth Group, monitoring security for over 150,000 endpoints.
Cyber Defense consists of:
Security Operations Center
Cyber Forensic Investigations
Persistent Threat Analysis
Cyber Intelligence Services
Active Cyber Defense
Data Analytics and Security Innovation

Cyber Defense Structure
Org chart: the Cyber Defense (CD) Director oversees six teams: SOC (Security Operations Center), CFI (Cyber Forensic Investigations), PTA (Persistent Threat Analysis), ACD (Active Cyber Defense), DASI (Data Analytics and Security Innovation), and CIS (Cyber Intelligence Services).

Magnitude of Security Data
Monitoring 150,000 end nodes results in:
~2 TB of raw logs each day
1.5 billion network, security, and end point events daily (17,000 a second)
This requires 24-hour, in-house security analyst support.

Security Operations Center
Funnel diagram: Raw Logs → Network, Security, Host Based Events → Security Incidents
Utilizing the SIEM and manual analysis, the SOC reduces the 1.5 billion daily events to an average of 50 security incidents each day.
On average, 20 incidents are escalated daily to CFI for advanced Incident Response and investigation.
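Worked example of the funnel this slide describes, added here as an illustration (it is not code from the deck, from Optum, or from any product named in it): a small SIEM-style correlation pass that parses a constructed log feed, collapses raw events into incidents with two example rules, and marks the high-severity ones for escalation to the incident response team. The pipe-delimited event format, the rule thresholds (five failed logons in 60 seconds; an AV detection followed within 10 minutes by an outbound connection from the same host) and the severity-based escalation policy are all assumptions chosen for the example.

```python
"""Toy SIEM-style correlation pass: collapse raw events into incidents, then
pick the ones that would be escalated to the forensics/IR team."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample feed (not from the deck). Field order:
# timestamp|source|event_type|host|user|src_ip   ("-" = not applicable)
RAW_EVENTS = """\
2016-03-01T08:00:01|winlog|logon_failed|WS-0142|jdoe|203.0.113.7
2016-03-01T08:00:03|winlog|logon_failed|WS-0142|jdoe|203.0.113.7
2016-03-01T08:00:05|winlog|logon_failed|WS-0142|jdoe|203.0.113.7
2016-03-01T08:00:07|winlog|logon_failed|WS-0142|jdoe|203.0.113.7
2016-03-01T08:00:09|winlog|logon_failed|WS-0142|jdoe|203.0.113.7
2016-03-01T08:00:12|winlog|logon_success|WS-0142|jdoe|203.0.113.7
2016-03-01T08:05:00|winlog|logon_failed|WS-0311|asmith|10.20.4.9
2016-03-01T08:05:30|winlog|logon_success|WS-0311|asmith|10.20.4.9
2016-03-01T08:20:00|winlog|logon_failed|VPN-GW|svc_backup|192.0.2.44
2016-03-01T08:20:10|winlog|logon_failed|VPN-GW|svc_backup|192.0.2.44
2016-03-01T08:20:20|winlog|logon_failed|VPN-GW|svc_backup|192.0.2.44
2016-03-01T08:20:30|winlog|logon_failed|VPN-GW|svc_backup|192.0.2.44
2016-03-01T08:20:40|winlog|logon_failed|VPN-GW|svc_backup|192.0.2.44
2016-03-01T09:10:00|av|malware_detected|WS-0077|-|-
2016-03-01T09:10:45|proxy|outbound_connect|WS-0077|-|198.51.100.23
2016-03-01T09:30:00|proxy|outbound_connect|WS-0200|-|198.51.100.23
2016-03-01T10:00:00|winlog|logon_success|WS-0500|bwhite|10.20.7.1
"""


@dataclass
class Event:
    ts: datetime
    source: str
    kind: str
    host: str
    user: str
    src_ip: str


def parse_events(text):
    """Parse the pipe-delimited feed into Event objects, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, source, kind, host, user, src_ip = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), source, kind, host, user, src_ip))
    return sorted(events, key=lambda e: e.ts)


def rule_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """`threshold` failed logons for one (user, src_ip) inside `window` open a
    medium incident; a later success for the same pair raises it to high."""
    incidents, open_by_key = [], {}
    recent = defaultdict(list)  # (user, src_ip) -> timestamps of failures still in the window
    for e in events:
        key = (e.user, e.src_ip)
        if e.kind == "logon_failed":
            recent[key] = [t for t in recent[key] if e.ts - t <= window] + [e.ts]
            if len(recent[key]) >= threshold and key not in open_by_key:
                inc = {"rule": "brute_force", "severity": "medium", "host": e.host, "key": key}
                incidents.append(inc)
                open_by_key[key] = inc
        elif e.kind == "logon_success" and key in open_by_key:
            open_by_key[key].update(rule="brute_force_success", severity="high")
    return incidents


def rule_av_then_outbound(events, window=timedelta(minutes=10)):
    """An AV/AM detection followed within `window` by an outbound connection
    from the same host: the deck's 'compromised system reaches out for instructions'."""
    incidents, last_detect = [], {}
    for e in events:
        if e.kind == "malware_detected":
            last_detect[e.host] = e.ts
        elif e.kind == "outbound_connect" and e.host in last_detect:
            detected_at = last_detect.pop(e.host)  # one incident per detection
            if e.ts - detected_at <= window:
                incidents.append({"rule": "av_then_outbound", "severity": "high",
                                  "host": e.host, "key": (e.host, e.src_ip)})
    return incidents


def triage(text, escalate_at="high"):
    """Run every correlation rule and return the funnel: raw events -> incidents -> escalated."""
    events = parse_events(text)
    incidents = rule_brute_force(events) + rule_av_then_outbound(events)
    escalated = [i for i in incidents if i["severity"] == escalate_at]
    return {"raw_events": len(events), "incidents": len(incidents),
            "escalated": len(escalated), "details": incidents}


if __name__ == "__main__":
    result = triage(RAW_EVENTS)
    print(f"{result['raw_events']} raw events -> {result['incidents']} incidents "
          f"-> {result['escalated']} escalated to IR/forensics")
    for inc in result["details"]:
        print(f"  [{inc['severity']}] {inc['rule']} on {inc['host']} {inc['key']}")
```

On the constructed feed the 17 raw events collapse to three incidents, two of which meet the escalation bar; the lone failed logon for asmith and the outbound connection from WS-0200 with no preceding detection produce nothing, which is the point of correlating across events rather than alerting on each one. In a real SOC the thresholds, windows and escalation policy are what the analysts tune against observed threat behaviour, and the ratio between the three numbers is what the staffing on the next slide has to absorb.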

Manpower: Investigative Teams
SOC: 24/7 support across 3 shifts, 28 analysts, approx. 1 analyst per 5,000 end nodes
CFI: 13 Incident Responders, approx. 1 per 10,000 end nodes
PTA: 7 Security Hunters, sufficient manpower and experience to effectively hunt within the enterprise for unidentified threats
CIS: 9 Intelligence Analysts; no easy rule to determine team size, rather gauged on output and success

In-House vs Outsourcing
Pros:
Organizational data maintained within the org
Better organizational knowledge, access, and expertise, all in-house
No contract re-negotiation or arguments when specific security work is needed
Immediate incident response activity

Cons:
Significant initial capital investment
Upfront and ongoing talent acquisition and retention

Options for Building a SOC
Jeff Schilling, CSO, Armor

Great guide: Carson Zimmerman, MITRE. Free!!!

The Security Process
Diagram: four quadrants, PROTECT and DETECT above, RECOVER and RESPOND below, surrounding CYBER & PHYSICAL SECURITY.

PROTECT / DETECT
Defense technologies such as DDoS mitigation, IPRM, WAF, etc.
Detection technologies (e.g., AV/AM, FIM, SIEM and log correlation) tuned to the behaviors of real threat actors
Threat intelligence feeds our rules engines, making intelligence systems smarter over time
Experienced personnel on hand 24x7x365 differentiating real security events from false positives

RECOVER / RESPOND
Automation technologies to perform necessary cleaning measures and/or update policies and rules engines in real time
Technologies to limit blast radius and prevent spread (e.g., hypervisor-based firewalls)
Precise processes and trained personnel to remove compromises and secure against repeat attacks
Experienced personnel trained in preventative measures
Proactive processes in place for notifying customers and other relevant parties (e.g., law enforcement agencies where appropriate)

The Threats Process
Kill chain diagram, seven stages with the examples given for each:

1. RECONNAISSANCE: Open source research; Social network research; Port scan, IP sweep; Google research
2. WEAPONIZATION: Combine the exploit tool with the method
3. DISTRIBUTION & STRATEGY: Phishing email; Website drive-by; SQL inject script
4. EXPLOITATION: Infected Word Doc or PDF is opened; JavaScript exploited in browser; Command line SQL inject
5. PERSIST/LATERAL MOVEMENT: Registry key changed; Privilege escalation; Look for open connections
6. COMMAND & CONTROL: Malware or compromised system reaches out for instructions
7. ACTION ON TARGET: Search the target; Destroy or disrupt; Package and prepare data for exfil

Options
SOC completely insourced:
Big security budget
Access to both technology and talent
Defendable architecture

SOC partially insourced, partially outsourced:
Most likely solution
Tuned to your team's technical capabilities and skills

SOC completely outsourced:
Smaller, less complex environment

Assessing Your Capabilities
Three dimensions: TALENT, TECHNOLOGY, TECHNIQUES

Functions to Assess
Security Operations Center functions:

Threat Intelligence:
Threat assessment
Threat Intel data analysis
Tradecraft analysis
Threat trending
Custom signature writing
Advanced Threat Hunting
Penetration testing

Indications and Warnings:
Real time monitoring
Triage
Incident Escalation
Incident Handling
Call Center

Incident Response and Forensics:
Memory analysis
Host analysis
Network analysis
Malware Rev Eng
Containment
Eradication

Security Infrastructure Management:
Security device mgt
Security control sig mgt
Security device patching
Security device availability

Vulnerability Threat Management:
Managing CMDB
Scanning the environment
Identifying vulnerabilities
Remediation/patch mgt

QUESTIONS?