
Building a Successful Security Operations Center in 2013

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

This post summarizes the business white paper "Building a Successful SOC". The paper describes the capabilities of HP ArcSight SmartConnectors and FlexConnectors (custom log formats, secure communication over IPsec on existing networks, and aggregation of status, alarms, and alerts from firewalls, intrusion detection systems, and other monitored devices, followed by normalization, filtering of unwanted traffic, severity setting, and intelligent bandwidth management) and the SIEM functions built on them: event correlation, prioritization of incidents, statistical analysis, historical and forensic analysis, correlation of physical and logical access data, automation of operational tasks to improve efficiency and reduce errors, and integration with external tools and processes. It also describes a holistic approach to designing, building, and managing an internal Security Operations Center (SOC) so that an organization can recognize and respond to malicious information security events, meet regulatory compliance requirements, and protect a hybrid IT infrastructure against advanced threats. The solution is based on HP ArcSight, HP Fortify, and HP TippingPoint products, aiming to reduce risk in hybrid environments and defend against sophisticated cyber threats.

Details:

The business white paper "Building a Successful SOC" provides comprehensive guidance on establishing and enhancing a Security Operations Center (SOC). It covers mission, business case, people considerations, processes and procedures, training, staffing plans, technology selection, and data collection. The introduction highlights the importance of modernizing security operations to keep pace with complex threats such as zero-day attacks and with evolving regulations.

The paper defines a SOC's purpose as preventing, detecting, analyzing, and responding to potential cybersecurity threats by integrating technologies such as network intrusion prevention systems (IPS), firewalls from Cisco, and host-based protection from McAfee. The technology section argues for best-of-breed solutions across platforms (HP TippingPoint for IPS, Cisco for firewalls, McAfee for host protection) to avoid vendor lock-in. That diversity, however, makes it harder to normalize, aggregate, and correlate data from the various systems, which hampers real-time threat analysis and post-attack forensic investigation. The paper's thesis is that a robust SOC can handle modern security threats efficiently while meeting regulatory obligations through technology integration and effective team management, and it serves as a useful resource for organizations that want to establish or improve a SOC.

Maintaining a strong security posture requires centralized monitoring, analysis, and response to security events across all of these technologies. To meet this requirement, many organizations turn to Managed Security Services Providers (MSSPs) and outsource the bulk of security monitoring and testing.
MSSPs offer 24/7 monitoring, information security expertise, advanced threat detection, cost efficiency for clients without dedicated staff, and economies of scale in service provision. Their disadvantages include a limited understanding of a client's specific IT environment and policies, support that is not dedicated to any one customer, services standardized across customers rather than customized, and a potential loss of control over data that is transmitted to and stored at MSSP locations.

Weighing these benefits and drawbacks, some organizations prefer to build their own SOC so that security monitoring, analysis, and response are centralized in a single team, whether because of specific business requirements or cost drivers. Starting an in-house SOC, however, brings its own challenges for IT groups. The paper's guidance is to balance the triad of people, processes, and technology, as in any IT project.

The first step is thorough planning that defines the SOC's mission and business case: what the SOC is for, which tasks it performs, who consumes the information it produces, who sponsors the project, and which types of security events it will monitor. The goal is a clear sense of purpose that lets the team prioritize its work. The business case should also state the costs up front, including facilities, personnel (security analysts and managers), and supporting roles such as network support; putting these numbers on the table starts the discussion about funding and about how the investment will be recovered, both essential parts of the business case.
Supporting costs extend to system support, database support, telephony support, and security device management; education and training programs for staff; threat intelligence subscriptions for up-to-date information on emerging threats; monitoring technology (hardware, software, storage, and implementation services); and additional technologies such as problem and change management, email, and knowledge sharing. Recovering these costs can be challenging, but several strategies help justify the expense:

  1. **Cost avoidance**: Building a SOC is less expensive than dealing with the consequences of undetected attacks, which can lead to significant financial losses or data breaches.
  2. **Cost efficiencies**: By automating or consolidating existing organizational processes and using technology effectively, a SOC reduces manual effort and saves money.
  3. **Improving security ROI**: Optimizing the configuration of existing security technologies and analyzing the data those devices generate increases the value of those investments.
  4. **Cost sharing**: Other departments or groups within the organization may be willing to share the responsibilities the SOC was created for, spreading the cost.
  5. **Revenue/cost recovery**: The SOC can offer its services to internal or external customers, potentially generating revenue while managing costs.

The paper also discusses offering SOC services to other organizations beyond the primary business, using effective information security practice as a commercial differentiator.
An SOC can help a company earn client trust, enter new markets, and stand out in competitive environments, given the heightened awareness of information security among businesses and consumers.

The paper then turns to implementing an internal SOC, organized around three components: people, process, and technology. All three matter equally, but organizations most often struggle to attract and retain the skilled personnel a successful SOC needs. A practical starting point is staff with experience in system administration, desktop support, and network operations, because they bring the troubleshooting skills required to engage sophisticated adversaries.

Hiring a team of skilled analysts is difficult for reasons such as affordability and cultural differences between teams. Some companies succeed by first recruiting staff with diverse skill sets and then building training programs and mentorship schemes. Retention matters because a SOC analyst's typical tenure is one to three years: a positive team culture, career development opportunities, and rotational duties that prevent "console burnout" all help keep analysts engaged. The SOC Manager should also identify potential successors within the company and plan the progression of existing analysts into Incident Response, Forensics, Audit, or advanced information security roles.

Training is non-negotiable for SOC analysts and combines formal classroom instruction in standard cybersecurity skills with practical on-the-job experience.
Formal training should cover modules such as SANS' "Intrusion Detection in Depth" and the GIAC Certified Intrusion Analyst (GCIA) certification, which give a strong foundation in TCP/IP monitoring tools and other fundamental concepts. On training and skills development for advanced intrusion analysis and tools such as HP ArcSight ESM, the paper makes these points:

  1. **Training in SOC Technologies**: Vendor training should be used to build proficiency with core SOC technologies such as logging and SIEM platforms (specifically HP ArcSight), including the specialized advanced content development courses for Logger and Extended Security Processor (ESP) or ESM, which are crucial for identifying, correlating, and filtering critical security events.
  2. **HP ArcSight ESM Security Analyst Training**: The HP ArcSight ESM Security Analyst (AESA) training is essential because it equips analysts to manage and manipulate advanced intrusion detection tools, again covering the identification, correlation, and filtering of critical security events.
  3. **On-the-Job Training**: On-the-job programs should cover essential information security concepts, the specific intrusion detection tools in use, analytical processes, company policies, operations, and communication techniques, preparing analysts for stressful situations in which clear, concise communication with stakeholders at every level is required.
  4. **Communication Skills Training**: Effective written and verbal communication in the SOC environment must be taught explicitly.
This includes managing the different forms of communication (paging, emailing, calling) and writing analytical papers that are well structured and informative; a program in which analysts present their findings to peers hones these skills further.
  5. **Staffing Plans**: Staffing needs depend largely on the SOC's mission. Whether the SOC is virtual or staffed full time, the staffing model must match the organization's operational demands and objectives.

In short, specialized training is what enables analysts to perform effective intrusion analysis with advanced tools, and communication skills are what let them manage complex situations and work across organizational levels. On staffing models, the main points are:

  1. **No Single Analyst Alone**: Never have only one SOC analyst on duty at any time, for both safety and performance reasons.
  2. **Clear Responsibilities and Deliverables**: Each shift and role must have clearly defined responsibilities and deliverables so that accountability and expectations are unambiguous.
  3. **Regular Performance Measurement**: Measure workload and output regularly and adjust schedules, staffing levels, or task distribution in response; overloaded analysts undermine the SOC's objectives.
  4. **Shift Turnover Management**: Significant issues most often arise during shift hand-off, so events must be documented clearly to prevent oversights and errors.
  5. **Communication with Night Shift**: SOC managers must prioritize regular communication with the night shift so that it feels informed and valued.
This includes scheduling joint work hours or ensuring consistent updates.
  6. **Minimum Staffing Requirements**: To staff a 24x7x365 SOC, a minimum of ten analysts is recommended, divided into four shifts each working twelve hours. At least two analysts should be on duty at all times, with additional experienced analysts (Level-2 Analysts) covering planned and unplanned absences through an overlapping 8x5 shift schedule.
  7. **Shift Schedule Example**: As depicted in Figure 1, the daily schedule has Level 1 and Level 2 Analysts working various shifts while Security Engineers cover specific hours. This structure keeps the operation running around the clock.

These guidelines aim to optimize performance, efficiency, and safety within a SOC through proper staffing, clear communication, and effective shift management. The paper also shows an on-call rotation for Level 1 Analysts, Level 2 Analysts, Security Engineers, and SOC Management, with specific shifts assigned over two weeks and clear separation between days and nights. The schedule is designed so that experienced staff train new analysts in the first week while more senior personnel handle on-call responsibilities in the second.

The paper then turns to SOC processes and procedures, which act as the support system between people and technology. Procedures guide new analysts through complex tasks while they are still building skill, and they fill gaps where the technology lacks a feature by providing manual solutions for specific business needs.
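The staffing model above (ten Level-1 analysts on four twelve-hour shifts with at least two on duty, plus Level-2 analysts on an overlapping 8x5 schedule) can be checked with a small coverage calculation. The Python below is an added example and is not the paper's Figure 1; the 2-2-3 style fourteen-day rotation, the team sizes, and the shift hours are assumptions.

```python
from dataclasses import dataclass

CYCLE_DAYS = 14   # the rotation repeats every two weeks; cycle day 0 is assumed to be a Monday
HOURS = 24

# Working days inside the cycle for a 2-2-3 style rotation (constructed; two day teams and
# two night teams alternate so that every hour of every day is covered by exactly one of each).
PATTERN_X = {0, 1, 4, 5, 6, 9, 10}
PATTERN_Y = set(range(CYCLE_DAYS)) - PATTERN_X

@dataclass
class Team:
    name: str
    size: int        # analysts on the team; all of them work the team's shift
    start_hour: int  # shift start, 0-23
    length: int      # shift length in hours (may run past midnight)
    work_days: set   # cycle days on which the team is on duty

def on_duty(team, day, hour):
    """True if the team is on duty at the given cycle day and hour.
    A night shift that started the previous day still counts until it ends."""
    if day in team.work_days and team.start_hour <= hour < team.start_hour + team.length:
        return True
    prev = (day - 1) % CYCLE_DAYS
    return prev in team.work_days and hour < team.start_hour + team.length - HOURS

def coverage(teams):
    """Head count for every hour of the cycle; index = day * 24 + hour."""
    return [sum(t.size for t in teams if on_duty(t, day, hour))
            for day in range(CYCLE_DAYS) for hour in range(HOURS)]

def understaffed_hours(teams, minimum=2):
    """Cycle hours with fewer than `minimum` analysts on duty (the paper's floor is two)."""
    return [i for i, n in enumerate(coverage(teams)) if n < minimum]

def build_roster(day_a=3, day_b=2, night_c=3, night_d=2, level2=2):
    """Ten Level-1 analysts by default (3+2 on days, 3+2 on nights) plus Level-2 on 8x5."""
    weekdays = {d for d in range(CYCLE_DAYS) if d % 7 < 5}
    return [
        Team("L1 day A", day_a, 7, 12, PATTERN_X),
        Team("L1 day B", day_b, 7, 12, PATTERN_Y),
        Team("L1 night C", night_c, 19, 12, PATTERN_X),
        Team("L1 night D", night_d, 19, 12, PATTERN_Y),
        Team("L2 8x5", level2, 9, 8, weekdays),   # overlapping weekday shift, 09:00-17:00
    ]

if __name__ == "__main__":
    roster = build_roster()
    print("min on duty:", min(coverage(roster)), "understaffed hours:", len(understaffed_hours(roster)))
    thin = build_roster(night_d=1)   # lose one night analyst and the floor of two is broken
    print("with one fewer night analyst:", len(understaffed_hours(thin)), "understaffed hours")
```

Adjusting the team sizes or shift hours and re-running shows immediately which hours of the two-week cycle drop below the two-analyst floor.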
To manage these processes and keep improving them, the paper references the Capability Maturity Model® Integration (CMMI), a framework for improving organizational processes in domains such as project management, software engineering, and quality assurance. CMMI is useful for organizing SOC processes, especially where there are many procedures and standards. For most organizations, CMMI Level 3 is a suitable goal because it ensures documented and continuously improving processes: every analyst follows the same standardized procedures regardless of shift, and improvements made on the spot are shared across the team. A knowledge management and collaboration environment, such as a knowledge-base system that lets users contribute and modify content easily, supports this, and dual monitors in the SOC operation pods let analysts watch their consoles while keeping procedural references and research material in view. The paper's hierarchy of SOC processes has fourteen main categories (such as business processes) and around thirty-six subordinate procedures, all interconnected as shown in its diagram.

The paper organizes SOC management around operational processes, analytical processes, and organizational relationships:

  1. **Operational Processes**: Documenting the mechanics of daily operations such as shift schedules and turnover procedures, so that the SOC runs smoothly under normal circumstances.
  2. **Analytical Processes**: The activities that detect and understand threats and malicious events and produce actionable security intelligence.
These processes are what identify potential risks and drive the response to threats.
  3. **Technological Operational Daily Operations**: The practical implementation of the technology within daily operations, including system administration and configuration management, so that systems are maintained properly and security protocols are followed.
  4. **Analytical Design, Event Management, Configuration Management**: Parts of the analytical processes that cover event detection and analysis, configuration settings for optimal performance, and continual improvement based on feedback and evolving threats.
  5. **Organizational Relationships**: The SOC must maintain relationships with internal teams such as Incident Response, Security Management, Legal, Human Resources, Public Relations, and the Lines of Business, as well as with external entities such as CERT/CC, ISACs, local law enforcement, and vendors, so that crises are handled through clear communication channels and coordinated action.
  6. **Detection vs. Analysis**: The paper separates the immediate detection phase, in which threats are identified quickly, from the subsequent analysis phase, in which their implications are understood and responses decided. Keeping both in view allows timely action without sacrificing thorough analysis.

Together these give a layered, proactive as well as reactive defense tailored to detecting and mitigating risk. The detection and response process spans both operational time (the immediate period in which an incident occurs) and analytical time (a subsequent period of up to 90 days).
In operational time, analysts first identify a potential threat, for example a SQL injection attack against a web server. They then research it using multiple intelligence sources about the target, the attacker, and the associated threats and exploits to judge whether it is a genuine attack. On that basis they prioritize and annotate the event: a misconfiguration in a security device, a false positive caused by poor web application design, something that needs additional monitoring, something that needs further research, or a confirmed intrusion attempt that must be escalated.

In analytical time, analysts keep researching events with more advanced techniques, such as trend analysis and long-term pattern analysis with visual data mining. As threats are found in this phase they notify the relevant parties, report incidents, and perform forensic analysis where necessary. This two-timeframe structure organizes the SOC's work and clearly separates roles and actions among analysts.

The white paper also lays out the SOC's business and technology procedures: defining key performance indicators, managing user access to systems, handling shift turnover with a review of information gaps, analyzing intrusion data and threats, and other specific tasks. Figure 4 shows how these procedures flow. The core procedures are those that recognize and respond to detected malicious events; supporting processes such as technology system administration, KPI reporting, application management, and configuration management compliance keep daily security operations efficient.

The paper also stresses full-scale exercises as part of reaching a fully mature SOC.
These exercises test the resilience of SOC processes and procedures under stress, including degraded communications, unavailable tools, and time pressure. Afterwards the team reviews what it learned and addresses the weaknesses found through additional training or improved technology and process.

Modern organizations also generate large volumes of data, including structured logs, unstructured data such as chats or tweets, and data that must be retained for legal or regulatory reasons. To cope with this, the SOC should deploy a Security Information and Event Management (SIEM) solution such as HP ArcSight ESP, a platform built for monitoring, investigating, and responding to malicious events and for detecting threats and Indicators of Compromise (IOCs). HP ArcSight provides real-time monitoring and analysis, managing the higher risk of business operations in the digital world through data collection, aggregation, alerting, and automated response. Its key features are:

  1. Real-time event management and "forensics on the fly": alerts can be traced back to their source events for detailed investigation.
  2. Scalability: growing deployments collect additional sources of information without extra hardware or architectural changes.
  3. Easy deployment: it uses the existing infrastructure, with agentless collection, SmartConnectors supporting over 300 products, and FlexConnectors for custom log requirements.
  4. Secure communication: it uses secure IP or IPsec protocols over existing networks, in line with standard security policies.
  5. Comprehensive data aggregation: it captures status, alarms, and alerts from monitored devices such as firewalls and intrusion detection systems, so that every field of every event is available for real-time correlation and display.

The SmartConnectors themselves do much of the data processing before events reach the SIEM:

  1. **Normalization**: Converting the many alarm and alert formats into one standardized security schema, so that events can be analyzed and compared across devices and systems.
  2. **Filtering Unwanted Traffic**: Excluding non-essential data so that the SIEM receives and concentrates on pertinent information.
  3. **Severity Setting**: Assigning severity levels from a common taxonomy, which supports prioritization and response within security operations.
  4. **Intelligent Bandwidth Management**: Managing bandwidth consumption so that critical data is not crowded out by unnecessary traffic.

Beyond the connectors, the paper stresses that a robust SIEM technology must be capable of:

  • **Normalization**: Providing a comprehensive schema to accommodate all necessary information from various devices and systems.

  • **Categorization**: Offering an adaptable taxonomy for event classification in an easy-to-understand manner, along with rules that are independent of specific vendors for seamless integration.

  • **Simple Event Correlation**: The ability to aggregate events and detect patterns or anomalies that might not be apparent otherwise.

  • **Multi-stage Event Correlation**: Analyzing a variety of disparate event types to identify complex threats or suspicious activities across multiple stages.
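As an added example (not code from the white paper or from HP ArcSight), the Python below sketches the connector and SIEM stages just listed on constructed log lines: an IDS feed and a firewall feed are normalized onto one schema, categorized with a vendor-independent taxonomy that also sets severity, filtered, and then run through a two-stage correlation rule that links an inbound exploit alert to a later firewall-accepted outbound connection from the victim back to the attacker, with the resulting incident prioritized by a constructed asset-criticality table. The log formats, category names, addresses, and criticality values are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample feeds (not real vendor formats): an IDS alert log and a firewall log.
IDS_LOG = [
    "2013-05-01T10:00:05 ids1 alert sid=2001 msg='SQL injection attempt' src=203.0.113.9 dst=10.0.0.5 dport=80",
    "2013-05-01T10:00:40 ids1 alert sid=2002 msg='Port scan' src=198.51.100.7 dst=10.0.0.8 dport=22",
]
FW_LOG = [
    "2013-05-01T10:00:04 fw1 ACCEPT src=203.0.113.9 dst=10.0.0.5 proto=tcp dport=80",
    "2013-05-01T10:01:00 fw1 ACCEPT src=10.0.0.250 dst=10.0.0.8 proto=tcp dport=443",
    "2013-05-01T10:03:12 fw1 ACCEPT src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=4444",
    "2013-05-01T10:05:00 fw1 DROP src=198.51.100.7 dst=10.0.0.8 proto=tcp dport=22",
]

IDS_RE = re.compile(r"(?P<time>\S+) (?P<device>\S+) alert sid=(?P<sid>\d+) msg='(?P<msg>[^']*)' "
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
FW_RE = re.compile(r"(?P<time>\S+) (?P<device>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)")

# Vendor-independent taxonomy (constructed): category -> severity on a 0-10 scale.
TAXONOMY = {"/Attack/Exploit": 8, "/Recon/Scan": 4, "/Access/Allow": 1, "/Access/Deny": 2}
# IDS signature id -> category (constructed; a real connector ships one mapping per product).
IDS_CATEGORY = {"2001": "/Attack/Exploit", "2002": "/Recon/Scan"}
# Unwanted traffic dropped at the connector (constructed: an authorised vulnerability scanner).
FILTERED_SOURCES = {"10.0.0.250"}
# Asset criticality used for prioritisation (constructed: 10 = customer-facing web server).
ASSET_CRITICALITY = {"10.0.0.5": 10, "10.0.0.8": 3}

def normalize(line):
    """Map one raw line onto the common schema; return None if it is unparseable or filtered."""
    if m := IDS_RE.match(line):
        cat, name = IDS_CATEGORY.get(m["sid"], "/Attack/Unknown"), m["msg"]
    elif m := FW_RE.match(line):
        cat = "/Access/Allow" if m["action"] == "ACCEPT" else "/Access/Deny"
        name = "firewall " + m["action"].lower()
    else:
        return None   # a real connector would route this to a parse-error queue, not silently drop it
    if m["src"] in FILTERED_SOURCES:
        return None
    return {"time": datetime.fromisoformat(m["time"]), "device": m["device"],
            "category": cat, "name": name, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "severity": TAXONOMY.get(cat, 5)}

def correlate(events, window=timedelta(minutes=10)):
    """Two-stage rule: an exploit alert from attacker A against victim V, followed within
    `window` by a firewall-accepted connection from V back to A. Highest priority first."""
    events = sorted(events, key=lambda e: e["time"])
    incidents = []
    for i, stage1 in enumerate(events):
        if stage1["category"] != "/Attack/Exploit":
            continue
        attacker, victim = stage1["src"], stage1["dst"]
        for stage2 in events[i + 1:]:
            if stage2["time"] - stage1["time"] > window:
                break
            if (stage2["category"] == "/Access/Allow"
                    and stage2["src"] == victim and stage2["dst"] == attacker):
                incidents.append({
                    "victim": victim, "attacker": attacker,
                    "name": f"{stage1['name']} followed by outbound callback to port {stage2['dport']}",
                    # business relevance: event severity weighted by how critical the asset is
                    "priority": stage1["severity"] * ASSET_CRITICALITY.get(victim, 1),
                })
                break
    return sorted(incidents, key=lambda inc: -inc["priority"])

def run(lines):
    """Normalize and filter every line, then correlate; returns (events, incidents)."""
    events = [e for e in (normalize(line) for line in lines) if e]
    return events, correlate(events)

if __name__ == "__main__":
    events, incidents = run(IDS_LOG + FW_LOG)
    print(len(events), "events after normalization and filtering")
    for inc in incidents:
        print(inc["priority"], inc["victim"], "<-", inc["attacker"], ":", inc["name"])
```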

Together these functions let the SIEM correlate and analyze information from diverse sources, which is what makes detection of threats and vulnerabilities possible. The paper lists the capabilities a SOC needs from its SIEM:

  1. **Event Correlation**: The SIEM must identify relationships between events, for example linking firewall traffic that accepted attack data to the attacked system later communicating back out to the attacker. This means complex analysis across millions of events passing through a correlation engine.
  2. **Prioritization**: Incidents must be prioritized by business relevance. Critical systems and those holding sensitive information get high priority; less critical systems are addressed later as time permits.
  3. **Statistical Analysis**: The SIEM should surface significant events by detecting anomalies in traffic patterns, such as a sudden increase in activity on a specific port or protocol, which quickly exposes threats that would otherwise be missed.
  4. **Historical and Forensic Analysis**: A good SIEM lets analysts review past data for forensic insight into what was overlooked during an incident, including slow reconnaissance that precedes a full-scale attack.
  5. **Physical and Logical Analysis/Location Correlation**: The solution should correlate physical access systems with logical security sources such as operating system logs or VPN data, which reveals incidents such as unauthorized account sharing that are not apparent from the digital logs alone.
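The physical/logical correlation in item 5, as an added example that is not part of the white paper: badge-reader and VPN records in constructed formats are parsed onto one timeline, and a successful VPN login from outside the corporate network is flagged when the same account is currently badged into a building. The log formats, network ranges, user names, and addresses are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

BADGE_RE = re.compile(r"(?P<time>\S+) badge user=(?P<user>\S+) door=(?P<door>\S+) direction=(?P<dir>in|out)")
VPN_RE = re.compile(r"(?P<time>\S+) vpn user=(?P<user>\S+) result=(?P<result>success|failure) src=(?P<src>\S+)")

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed internal ranges

# Constructed sample records from a door controller and a VPN concentrator.
LOGS = [
    "2013-05-01T08:55:00 badge user=jsmith door=HQ-East direction=in",
    "2013-05-01T09:10:00 vpn user=jsmith result=success src=198.51.100.23",  # remote login while badged in
    "2013-05-01T09:12:00 badge user=akumar door=HQ-East direction=in",
    "2013-05-01T09:15:00 vpn user=akumar result=success src=10.20.30.40",    # internal source: not flagged
    "2013-05-01T17:30:00 badge user=jsmith door=HQ-East direction=out",
    "2013-05-01T18:05:00 vpn user=jsmith result=success src=198.51.100.23",  # after badging out: fine
    "2013-05-01T18:10:00 vpn user=mlee result=failure src=203.0.113.4",      # failures are ignored here
]

def parse(lines):
    """Badge and successful-VPN lines onto one common schema, sorted chronologically."""
    events = []
    for line in lines:
        if m := BADGE_RE.match(line):
            events.append({"time": datetime.fromisoformat(m["time"]), "type": "badge",
                           "user": m["user"], "location": m["door"], "direction": m["dir"]})
        elif (m := VPN_RE.match(line)) and m["result"] == "success":
            events.append({"time": datetime.fromisoformat(m["time"]), "type": "vpn",
                           "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["time"])

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in CORPORATE_NETS)

def find_account_sharing(events, max_stay=timedelta(hours=12)):
    """Flag VPN logins from outside the corporate network while the same account's badge
    record says the person is inside (badged in and not yet badged out)."""
    inside = {}   # user -> (door, time badged in)
    findings = []
    for e in events:
        if e["type"] == "badge":
            if e["direction"] == "in":
                inside[e["user"]] = (e["location"], e["time"])
            else:
                inside.pop(e["user"], None)
        elif e["type"] == "vpn" and is_external(e["src"]) and e["user"] in inside:
            door, since = inside[e["user"]]
            if e["time"] - since <= max_stay:   # ignore stale badge-ins (someone forgot to badge out)
                findings.append({"user": e["user"], "door": door, "badged_in": since,
                                 "vpn_src": e["src"], "vpn_time": e["time"]})
    return findings

if __name__ == "__main__":
    for f in find_account_sharing(parse(LOGS)):
        print(f"{f['user']}: badged into {f['door']} at {f['badged_in']:%H:%M}, "
              f"VPN from {f['vpn_src']} at {f['vpn_time']:%H:%M}")
```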
Together these capabilities are what make a SIEM effective at monitoring and responding to threats across an organization's IT infrastructure.

The paper also covers automating operational tasks to gain efficiency and reduce errors, and stresses extensibility: integration with external tools and processes such as enterprise IT service management products, asset and configuration management systems, and APIs for customized reporting or displays. HP Services, through its Global Services organization, takes a holistic approach, combining operational expertise to design, build, and manage an internal SOC that improves an organization's ability to recognize and respond quickly to malicious information security events, extracts full value from expensive security technology investments, and meets regulatory compliance requirements.

Finally, the paper describes an HP security platform for protecting hybrid IT infrastructure against advanced threats. It combines HP ArcSight, HP Fortify, and HP TippingPoint products to provide enhanced correlation, application protection, and network defenses, with the aim of reducing risk in hybrid environments and defending against sophisticated cyber threats. More information is at hp.com/go/sioc.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.

