Concept of Operations for Deutsche Telekom
- Pavan Raja

- Apr 8, 2025
- 18 min read
Summary:
This page summarizes a Concept of Operations for the Security Operations Center (SOC) at Deutsche Telekom: how the SOC is organized, which tools and techniques it uses for incident handling, and how its performance is monitored. Key points:
1. **Use of ArcSight ESM and Logger:** The SOC uses ArcSight Enterprise Security Manager (ESM) for initial alerting and real-time investigation, with ArcSight Logger used for detailed searches and deep dive analysis. Regular training ensures proper use of these systems among SOC staff members.
2. **Led Wiki in SOC:** A wiki has been established within the SOC to facilitate sharing procedures, documentation, and shift information. It serves as a central repository for all relevant SOC documents and supports continuous improvement through effective communication across the team.
3. **Integration with Case Management Systems:** The SOC is planning to integrate an external case management system like Remedy with ArcSight ESM to automate ticket updates, creation, rule firings, and reporting. This integration aims to improve operational efficiency and response times within the SOC.
4. **SOC Performance Metrics:** Deutsche Telekom's SOC identifies three classes of metrics: Business Processes, Technology Processes, and Operational Processes. These metrics are used to measure performance, provide management insights, facilitate continuous improvement, and demonstrate ROI in various aspects such as analyst skills and staffing justification.
5. **Metrics Tables and Appendixes:** The article references two tables (Table 5, Operational Metrics; Table 6, Analytical Metrics) and Appendix A (Analyst Skills Matrix), which list measurable indicators for incident management, threat intelligence, vulnerability management and other analytical processes within the SOC. These metrics are part of an ongoing improvement program, with worked examples taken from the ArcSight_SOC_Metrics document at https://irock.arcsight.com/docs/DOC-2652.
In summary, this approach involves leveraging advanced technology tools like ArcSight for real-time monitoring and investigation, maintaining a collaborative knowledge base through wiki platforms for effective communication and document sharing, integrating multiple case management systems for efficiency, and measuring performance using structured metrics that support strategic decision-making within the SOC.
Details:
The document "Deutsche Telekom - Security Operations Center Concept of Operations" outlines the structure, roles, responsibilities, and operational procedures for the Security Operations Center (SOC) within Deutsche Telekom. Key components include:
1. **Executive Summary**: Provides a brief overview of the SOC's establishment and its alignment with HP SIOC.
2. **Purpose and Applicability**: Clarifies that this document outlines the operational structure for the SOC, which is intended to be used by Deutsche Telekom staff and other relevant stakeholders.
3. **Mission and Function**: Defines the purpose of the SOC as enhancing security posture through detection, analysis, and response to cyber threats across all Deutsche Telekom networks and systems.
4. **Staffing Model and Division**: Describes the staffing structure including roles from SOC Manager to ArcSight SIEM engineers, along with their responsibilities.
5. **Roles and Responsibilities**: Details specific roles such as SOC Manager, Lead, Level 2 and 3 Analysts, and content/engineers in detail.
6. **Alignment**: Includes an organizational chart and workflow diagrams to illustrate the functional integration of various teams.
7. **Facility**: Describes the physical setup of the SOC including layout and interaction spaces with other groups.
8. **Interaction with Other Groups**: Specifies interactions with security, user, and help desk departments.
9. **Detection Methods, Tools, and Procedures**: Outlines primary tools like ArcSight and a collaboration tool (wiki), along with specific use cases for incident detection.
10. **Measuring SOC Performance**: Details the metrics used to evaluate performance in business, technology, operational, and analytical processes.
11. **Appendix A – Analyst Skills Matrix**: Provides a reference table detailing the required skills for each role within the SOC.
This document serves as a comprehensive guide for understanding and managing the Deutsche Telekom SOC, ensuring efficient operations and effective response to security threats.
In April 2014, a project was completed through collaboration between SOC Analysts, Engineers, Project Sponsors, and HP SIOC consultants. This effort transformed Deutsche Telekom's Security Operations Center (SOC) into a team capable of conducting security monitoring with skills in intrusion analysis, security awareness, and reporting. The project aimed to improve people, processes, and technology within the SOC.
The project focused on three main areas: enhancing people through training for security analysis and investigations, improving processes using a wiki-based knowledge framework for continuous process improvement, and advancing technology by upgrading monitoring infrastructure and adding new tools like RepSM for better event filtering. The goal was to not only improve technical capabilities but also develop the skills of SOC personnel.
Currently the SOC is staffed primarily for malware detection on the day shift, with ongoing work to extend that capability to current requirements and to prepare for expansion once agreements have been secured from the Workers' Council. Those agreements would cover adding servers, accounts, DNS servers and web proxies as monitored sources, giving visibility of internet traffic leaving the core network and improving the organization's cyber incident detection.
The project culminated in a 'Concept of Operations' report that outlined these achievements and improvements within Deutsche Telekom's SOC.
This document outlines the establishment of a Security Operations Center (SOC) for Deutsche Telekom, focusing on its mission, functions, staffing, processes, and procedures, as well as interactions with existing cyber security and IT support groups. The SOC aims to enhance the detection and response capabilities against threats to the organization's infrastructure, aligning with the company's broader security strategy and policies. This marks the initial step in a maturity process for the SOC, which can be further supported through executive commitment and empowerment across the entire company. As part of Deutsche Telekom’s effort to improve its cyber defense capabilities, the document emphasizes the importance of ongoing support and development in conjunction with HP SIOC to ensure future growth and effectiveness.
The Security Operations Center (SOC) plays a crucial role in the telecommunications company by analyzing and investigating alerts or security events to classify them as incidents. They are responsible for incident triage, including determining scope, urgency, and potential impact, identifying specific vulnerabilities, and making recommendations for expeditious remediation. In rare cases where external entities notify the SOC of possible events, they follow an Information Fusion process to incorporate this information into established procedures.
The SOC is tasked with identifying and classifying incidents, which includes performing forensic analysis on company assets and documenting attacker profiles. They generate daily, weekly, and monthly reports on security activity and workload metrics such as tickets opened, events per analyst hour, open or pending items, top firing IDS/IPS signatures, talking sources and destinations, and various other pre-determined SOC metrics.
The SOC also assesses the impact of incidents on affected systems, using the available tools to determine whether data was exfiltrated, and escalates incidents for remediation. It documents and maintains a knowledge base of alarm tuning (known false positives and false negatives, blacklists and whitelists) for the IPS systems and firewalls.
The text outlines the role of a Security Operations Center (SOC) at Deutsche Telekom, focusing on enhancing security and information assurance policies for the company. The SOC serves as an expert in providing security recommendations and acting as a central hub for security assurance across all departments within Telekom.
To achieve these goals, the SOC gathers intelligence from internal data collection and from external agencies such as the NSA and US-CERT to produce threat assessments and reports. It also works to strengthen security by building relationships with business units outside STTS.
An adequate, well-trained staff is critical to the SOC's success. Today the staffing is fragmented across multiple contracts and programs; bringing the SOC to full staffing, with strict experience and training standards, would improve security operations and detection capability and meet the demand for event detection and remediation across Telekom's environment.
The SOC is structured into two internal analysis groups: Daily Operations and Focused Operations. The division of duties within the SOC includes a day shift for 8 hours with rotation between two analysts, offering scope to add a third dedicated analyst who could progress to a Level 2 or 'lead' operational capability. This would help in handling alerts more efficiently as the SOC expands its services across more business units and devices.
Outside onsite hours, alerting is provided by an active channel in ArcSight ESM, so that events are still raised when no analyst is physically at a workstation.
The article discusses the increasing workload in a Security Operations Center (SOC) as more business units integrate their systems and applications for monitoring. To manage this increased demand effectively, analysts need to closely monitor their workloads through daily and weekly metrics reporting. As the demands on the SOC grow and new services are agreed upon, it is expected that more staff will be required and longer hours onsite will be necessary to meet future demands.
The article also envisions a future state for the SOC where staff operates under a 12-hour shift, 24/7 model, with analysts rotating between two days on and two days off, followed by three days on and three days off every other week. This schedule not only provides one full weekend off per cycle but also encourages better information sharing due to multiple shift overlaps between day and night shifts.
For optimal performance at full staffing levels, the SOC should divide its shifts into daily operations, focused operations, and forensics operations. Daily operations include normal day-to-day event detection and analysis, administrative tasks, and event escalation and ticketing. SOC administrative tasks involve answering SOC main phone lines and email, as well as monitoring of shift logs and regular review of open cases by the SOC Manager or their representative.
The document outlines the structure and staffing of a Security Operations Center (SOC) at Telekom, focusing on daily operations and focused investigations, with specific details about personnel requirements per shift and overall functional area distribution.
In terms of day-to-day activities, the SOC is responsible for monitoring ticket queues for new activity, conducting detailed historical investigations into classified intelligence reports such as APT-related incidents, and serving as subject matter experts in cyber intelligence collection and reporting. This role necessitates a Level 2 analyst to support the Level 1 analysts and ensure effective operation of the SOC.
For focused operations, which includes deep or historical investigations based on classified intelligence, Forensics analysts play a crucial part by conducting forensic investigations that might not always be related directly to SOC matters but are vital for comprehensive threat understanding. They also contribute other services like penetration testing and security reviews prior to system deployment, adding value across the organization.
The proposed staffing model divides the SOC into three functional areas: Daily Operations, Focused Operations, and Forensics. The required personnel per shift for each area are detailed in Figure 2 of the source document (not reproduced here). The model emphasizes the development of lead roles within the SOC to build effective leadership and operational capability.
The position of SOC Manager oversees the management and professional development of security operations center personnel, ensuring that analysts, processes, and technology meet established service level objectives and metrics. Responsibilities include addressing issues within the SOC, providing developmental guidance to subordinates according to specific standards, reviewing daily activities including case handling and shift logs, and owning the successful completion of operational processes and procedures.
The SOC Lead Analyst is responsible for managing day-to-day operations, ensuring timely detection and tracking of incidents, acting as a senior mentor to staff, interfacing with outside teams, and documenting and tracking analyst training requirements. They also manage tactical issues related to SOC responsibilities and drive process improvement within the center.
The Level 3 Analyst handles incident escalations from the Security Operations Center, managing incidents throughout their lifecycle by conducting forensic analysis and other specified tasks. This role is crucial for ensuring that incidents are effectively handled and managed according to established procedures.
Level 3 and Level 2 analysts both manage incidents, conduct forensic analysis, and build overall SOC capability; their responsibilities differ as follows.
**Level 3 Analyst Responsibilities:**
1. **Forensic Analysis**: Utilize existing forensics tools to analyze assets for malicious activities such as malware, attack vectors, and network communication methods.
2. **Technical Reports**: Produce detailed technical reports after-action incidents, which help in understanding the root cause and improving future prevention strategies.
3. **Development of Tools and Techniques**: Support the development and maintenance of new tools and techniques aimed at specific targets, extending SOC capabilities.
4. **Training and Mentoring**: Train and mentor Level 2 analysts to improve their skills and contribute to a more capable SOC.
5. **Incident Management**: Serve as the focal point for critical security events, providing recommendations for escalation and remediation.
**Level 2 Analyst Responsibilities:**
1. **Documentation and Procedures**: Ensure procedures are documented and continually improved upon, focusing on long-term analysis of subtle network activities.
2. **Information Fusion**: Utilize various data inputs to contribute to operations and engineering processes, driving the Information Fusion Procedure.
3. **Event Monitoring and Response**: Monitor Level 1 analyst investigations, ensuring timely responses to events using available reports and tools.
4. **Performance Improvement**: Contribute to the overall performance of SOC analysts by providing training and guidance.
Both levels of analysts are critical in maintaining a robust security framework, with Level 3 analysts acting as expert problem-solvers and Level 2 analysts serving as operational coordinators and support staff for incident management and procedure refinement within their respective roles.
The role of a Lead Analyst in a SOC (Security Operations Center) involves overseeing incident detection and analysis efforts, managing escalated incidents, mentoring junior analysts, and ensuring that metrics are driven and monitored effectively. This role is crucial as it helps to maintain the overall health and efficiency of the SOC within its current size and maturity state.
The Lead Analyst is responsible for:
1. Approving and further investigating Level 1-escalated events.
2. Mentoring Level 1 analysts to enhance detection capabilities within the SOC.
3. Managing event intake, including intelligence report gathering, monitoring ticket queues, incident investigation, and interaction with other security and network groups.
4. Serving as the detection authority for initial incident declaration.
5. Providing guidance to junior analysts and making recommendations to organizational managers regarding incident detection and analysis techniques.
6. Driving and monitoring shift-related metrics processes to ensure that applicable reports are gathered and disseminated according to SOC requirements.
In the context of Telekom's SOC, the Level 2 analyst is expected to perform a hybrid role between Lead Analyst and traditional Level 2 roles. This requires proficiency in both technical skills (SOC operations, triage, and incident response) and business-level understanding of Telekom functions. The Level 2 analyst should be able to escalate incidents to the broader organization as needed, collaborate with business units to improve processes and awareness of the SOC, and receive significant support from the SOC Manager for successful performance.
The Level 1 Analyst plays a foundational role within the SOC by executing daily operational tasks related to event monitoring and handling. This includes maintaining group email addresses and distribution lists, answering main phone lines, and updating relevant systems with information about security events they monitor in the Triage Channel. Their actions are guided by documented processes and subordinate procedures, ensuring that routine tasks are performed consistently and effectively.
The Level 1 analyst plays a crucial role by quickly identifying, categorizing, prioritizing, and investigating cyber events using log sources such as firewalls, systems, network devices, web proxies, DNS servers, intrusion prevention systems, antivirus systems, and the ArcSight ESM tool. The analyst monitors incoming event queues for potential security incidents, performs initial investigation and triage, escalates or closes incidents based on severity, and uses available SOC tools for historical analysis. They also manage the SOC ticket queue, maintain shift logs, document investigations, and collaborate with Level 2 analysts for final event analysis.
The ArcSight SIEM Content Engineer is responsible for all aspects of ArcSight system administration, management, configuration, testing, and integration related to content development, including reports, dashboards, real-time rules, filters, and active channels. The engineer works closely with network security analysts to optimize the performance and efficiency of the SOC's ArcSight systems infrastructure.
The ArcSight SIEM Engineer plays a crucial role in maintaining and enhancing the infrastructure and architecture of the ArcSight SIEM tool within an organization's Security Information and Event Management (SIEM) system. Their responsibilities encompass development, management, and configuration tasks related to the administration, backup, disaster recovery, and operation of the systems infrastructure. This includes security hardening, capacity planning, change management, version/patch management, and lifecycle upgrade management.
The SIEM Engineer is also responsible for ensuring that all ArcSight components perform as expected and meet established service level objectives for system uptime. They work closely with other engineers to align their efforts in maintaining the integrity of the systems infrastructure and its integration with other security tools like IDS (Intrusion Detection System) for event correlation using ArcSight.
In terms of organizational structure, best practices often recommend a clear reporting hierarchy within the SOC (Security Operations Center). In this case, while ArcSight engineering staff do not report directly to the SOC Lead or Manager, they are part of a functional reporting structure that still ensures alignment with overall SOC objectives and goals. The organizational chart illustrates the current state of the SOC against these best practices, highlighting where gaps exist relative to the ideal model. These gaps indicate areas for improvement in developing and refining the SOC's operational processes, including the development of standard procedures and the enhancement of technical architecture.
Overall, the ArcSight SIEM Engineer is a key player in maintaining an effective and efficient SIEM system that supports proactive security measures and incident response across the organization.
The article discusses a strategic framework within the Deutsche Telekom Security Operations Center (SOC) that focuses on enhancing various aspects to improve its maturity level. It identifies three main areas requiring attention, marked in yellow boxes in their organizational chart, including content development, forensic capability support for business, and leadership development within the Bremen SOC.
The article highlights how these identified deficiencies can be addressed through continuous improvement by developing effective Level 2 SOC analysts who will provide necessary leadership, direction, and support for investigative processes and content development, as well as enhancing forensics capabilities both internally in the SOC and externally for the Telekom organization. Furthermore, it emphasizes that events detected across various sources like ArcSight ESM alerts, user communications (phone calls and emails), external information, and internal IT support will be categorized into event categories for investigation within a structured workflow managed through a ticketing system.
The article also provides details about the current physical location of the SOC operations at Level 3, Neuenstrasse 76 in Bremen, which serves as a central hub for alerting and reporting security events to detect threats effectively.
To ensure optimal functionality and efficiency, it's crucial for the Security Operations Center (SOC) to have close proximity to IT support teams and existing infrastructure. This setup is ideal as it allows seamless integration with data center operations and direct access to technical resources. The SOC should be designed to enhance analyst productivity in daily tasks and complex investigations by providing tiered seating, an investigation area, a separate war room, and a dedicated video wall.
However, current conditions in the SOC reveal shared facilities with other teams (STTS), causing disruptions in workflow and hindering sole performance of core SOC functions. Meetings are difficult to arrange, and there's lack of dedicated staff for critical SOC duties. Analysts often have to handle requests from STTS, highlighting the need for a clear separation between the two operations and dedicated leadership.
For a successful SOC focused solely on security operations, it must have exclusive use of facilities without interference from other teams like STTS. This requires establishing separate physical space for both functions, with the SOC positioned behind a locked entry door to prevent disruptions. Furthermore, Telekom should appoint one dedicated manager responsible for the SOC, ensuring clear and consistent leadership free from conflicts between multiple roles currently held by different individuals in distant locations.
This section describes how the SOC interacts with the other groups involved in network and system management, malware remediation, intrusion detection, and user support. The primary means of interaction is incident handling and escalation through the ArcSight Case Management System.
The SOC's first point of interaction is NSO, which covers fixed and mobile networks and firewalls, together with Telekom's incident management team, TSVM. TSVM provides network support and incident management services across all business groups within NSO. When an incident has been detected, investigated and escalated, it is ticketed in the TSVM queues for resolution; TSVM staff have access to, and are trained on, the ArcSight Case Management System.
The SOC may also interact with other security teams, including:
the Anti-Virus Team, for remediation of specific malware incidents;
the IDS/IPS team, for support in detecting and mitigating intrusion incidents;
CRD Portal Support, for issues related to the portal, including its Linux and Windows servers and proxies.
These interactions are conducted by SOC incident handlers through the ArcSight ticketing system shared with TSVM, so that tickets are tracked accurately and accountability is maintained throughout the incident lifecycle. Direct contact between users and the SOC should be minimal: during normal operations users are expected to contact their respective help desks first. The SOC remains available for security guidance and questions aimed at improving user protection within the organization's network and systems.
The SOC also supports NSO and STTS staff with security awareness and assurance activities. These teams can reach the SOC through a common SOC phone number, email, or the SOC ticketing system, which is planned to be integrated with an external case management system. The SOC is prepared to absorb additional workload by staying flexible and directing users to the appropriate channel when needed.
Direct communication between SOC staff and STTS/NSO personnel takes place during investigations into user activities, reports and issues suspected of being incident- or attack-related; it is normally managed by Level 2 analysts and support managers following local procedures. Once after-hours services are offered, the on-shift Level 2 analyst will coordinate response procedures with the appropriate staff and will need access to the on-call rosters for both support and TSVM incident-management personnel. All inter-group communication is handled primarily via the SOC ticketing system so that incidents are managed jointly with TSVM.
Detection methods, tools, and procedures within the SOC are centered around use cases that aim to enhance security monitoring and alerting mechanisms. Use case workshops help define what is important to an organization regarding its cybersecurity needs and capabilities. These workshops lead to the development of use cases through a series of steps: specifying the goal, identifying conditions for achieving the use case criteria, applying data sources to identify relevant feeds and alerts, testing rules, and finalizing the use case.
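As an added example (not code from the Deutsche Telekom document or from ArcSight), here is one use case carried through the steps above in runnable form. The goal is to flag an internal host that contacts the same external host at near-regular intervals through the web proxy, a pattern typical of malware beaconing; the conditions are a minimum hit count and a low variance of the inter-request intervals; the data source is the web proxy log, one of the feeds the page says is to be added. The log format, thresholds, host names and sample lines are all constructed for this illustration.

```python
"""
Added example: a SOC use case expressed as runnable detection logic.
Goal (assumed for illustration): flag an internal host that contacts the same
external host at near-regular intervals via the web proxy (beaconing).
The log format, thresholds and sample lines below are constructed for this
example; they are not from the Deutsche Telekom document or from ArcSight.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "timestamp src_ip dest_host status bytes".
# One line is deliberately malformed to show the data-quality check.
SAMPLE_PROXY_LOG = """\
2014-04-08T09:00:00 10.1.2.3 update.example-vendor.com 200 1320
2014-04-08T09:00:05 10.1.2.3 news.example.org 200 45210
2014-04-08T09:05:01 10.1.2.3 update.example-vendor.com 200 1318
2014-04-08T09:07:40 10.1.2.9 news.example.org 200 38800
2014-04-08T09:10:02 10.1.2.3 update.example-vendor.com 200 1320
2014-04-08T09:15:00 10.1.2.3 update.example-vendor.com 200 1319
2014-04-08T09:20:01 10.1.2.3 update.example-vendor.com 200 1321
2014-04-08T09:21:30 10.1.2.9 news.example.org 200 40112
2014-04-08T09:30:00 10.1.2.9 truncated
2014-04-08T09:33:12 10.1.2.9 mail.example.net 200 9001
2014-04-08T09:49:50 10.1.2.9 news.example.org 200 38801
2014-04-08T10:02:10 10.1.2.9 mail.example.net 200 9100
"""


def parse_proxy_log(text):
    """Parse whitespace-separated proxy lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line; a production rule would count these
        ts, src, dst, status, size = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "status": int(status),
            "bytes": int(size),
        })
    return events


def find_beacons(events, min_hits=4, max_jitter_ratio=0.10, allowlist=frozenset()):
    """
    Condition: for each (src, dst) pair, at least min_hits requests whose
    inter-request intervals have a coefficient of variation no larger than
    max_jitter_ratio. Destinations in allowlist (known-good updaters, the
    whitelist knowledge base the page mentions) are never alerted on.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["dst"] in allowlist:
            continue
        by_pair[(e["src"], e["dst"])].append(e["ts"])

    alerts = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # all requests at the same instant: a burst, not a beacon
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter_ratio:
            alerts.append({
                "src": src,
                "dst": dst,
                "hits": len(stamps),
                "period_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return alerts


def run_use_case(log_text=SAMPLE_PROXY_LOG, allowlist=frozenset()):
    """Test the rule against a log extract; returns the list of alerts."""
    return find_beacons(parse_proxy_log(log_text), allowlist=allowlist)


if __name__ == "__main__":
    for a in run_use_case():
        print(f"BEACON src={a['src']} dst={a['dst']} hits={a['hits']} "
              f"period={a['period_s']}s jitter={a['jitter']}")
```

On the constructed log the rule fires once, for 10.1.2.3 contacting update.example-vendor.com every five minutes; legitimate software updaters produce exactly this pattern, which is why the allowlist argument exists and why the "test rules" step precedes "finalize". Once tuned, the same conditions would be expressed as an ESM correlation rule and its output routed to the Triage Channel.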
This document outlines the primary tools and collaboration platform used within Telekom's Security Operations Center (SOC) in response to cyber threats and incidents. The primary tool highlighted is ArcSight, a SIEM platform that collects and correlates data from various log sources to detect, prioritize, and respond to security events such as compliance violations, policy breaches, cyber-attacks, and insider threats. The SOC uses ArcSight's ESM for initial alerting, real-time investigation, and event workflow, while the Logger is utilized for detailed searches and deep dive analysis. All SOC staff members are trained regularly on proper use of the system to enhance investigative capabilities.
Additionally, a collaboration tool in the form of a wiki has been established within the SOC to facilitate the sharing of procedures, documentation, and recent shift information among analysts. This wiki serves as a central repository for all relevant SOC documents and serves as a platform for continuous improvement and effective communication across the team.
The Led Wiki is crucial for maintaining a successful and efficient Security Operations Center (SOC). Initially, it serves as a repository for procedures, processes, roles, and responsibilities within the SOC, shift logs, information sharing about threats, and details related to ArcSight. As the SOC evolves, the wiki allows all staff members to contribute by updating documentation on various topics once approved.
The Led Wiki has been expanded with detailed procedures, processes and reference material tailored to the SOC, organized under a dedicated "SOC Ticketing System" section. That section documents how IT activities are accounted for in Deutsche Telekom's ArcSight Case Management System and customizes the workflow so that tickets are easier to submit and follow up in that tool.
Future plans involve integrating an external case management system like Remedy with Enterprise Security Manager (ESM) to automate ticket updates, creation, rule firings, and reporting. This integration will streamline processes by automatically creating tickets from high-priority events, annotating cases within ESM to generate tickets in Remedy, and collecting status information from Remedy to update SOC cases. These enhancements aim to improve operational efficiency and response times within the SOC.
The article discusses the integration of multiple case management systems at Deutsche Telekom to improve efficiency within their Security Operations Center (SOC). The goal is to unify these systems into a single, common system that would offer greater organizational benefits by providing better visibility and coordination across various business processes.
The article also highlights the importance of measuring SOC performance using metrics, which serve several purposes: giving management insight into analyst performance and workload distribution, uncovering issues, demonstrating ROI, facilitating continuous improvement through process optimization, developing analyst skills, providing business justification for additional staffing, and proving due diligence in SOC performance and capability.
The Telekom SOC has identified three classes of metrics: Business Processes, Technology Processes, and Operational Processes. The Business Metrics relate to the performance of various business processes involved in security operations such as people management and process improvement. The Technology Metrics focus on IT processes including device uptime, problem and change management, and configuration management with response times. Finally, the Operational Processes metrics measure the performance of Security Operations Center processes like event management, incident call-outs, and customer service inquiries. These metrics are planned to be captured as part of an ongoing SOC improvement program, using examples from ArcSight_SOC_Metrics available online for reference.
Two further resources referenced from the same URL (https://irock.arcsight.com/docs/DOC-2652) give detailed operational and analytical metrics for a SOC and the skills required of analysts in these roles.
**Table 5 - Operational Metrics**
This table covers the more advanced SOC work processes: incident management, threat intelligence and vulnerability management. These metrics are needed to understand the performance and effectiveness of those functions; the document refers readers to ARCSIGHT_SOC_METRICS.PDF at the URL above for further examples and detail.
**Table 6 - Analytical Metrics**
This table covers the SOC's analytical processes, with measurable indicators for assessing their performance. The metrics section is marked as planned, so entries are expected to be added and refined as the improvement program proceeds.
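The workload metrics listed earlier on this page (tickets opened, events per analyst hour, open or pending items, top firing IDS/IPS signatures, top talking sources and destinations) are simple to derive once tickets and events are available as records. As an added example, not code from the Deutsche Telekom document or from ArcSight, the block below computes them from constructed sample data; the record layout, field names, analyst identifiers, signature names and shift hours are all assumptions made for this illustration.

```python
"""
Added example: computing the daily SOC workload metrics named on this page
from constructed sample records. Record layout, field names and values are
assumptions for the example, not the Deutsche Telekom document's or ArcSight's.
"""
from collections import Counter
from datetime import date

# Constructed ticket records (some carried over from earlier days).
TICKETS = [
    {"id": "T-1001", "opened": date(2014, 4, 8), "status": "closed",  "analyst": "L1-a"},
    {"id": "T-1002", "opened": date(2014, 4, 8), "status": "open",    "analyst": "L1-a"},
    {"id": "T-1003", "opened": date(2014, 4, 8), "status": "pending", "analyst": "L1-b"},
    {"id": "T-0998", "opened": date(2014, 4, 7), "status": "open",    "analyst": "L1-b"},
    {"id": "T-0990", "opened": date(2014, 4, 6), "status": "closed",  "analyst": "L2"},
]

# Constructed IDS/IPS events handled during the reporting day.
EVENTS = [
    {"sig": "ET MALWARE Known C2 Beacon", "src": "10.1.2.3",     "dst": "203.0.113.7", "analyst": "L1-a"},
    {"sig": "ET MALWARE Known C2 Beacon", "src": "10.1.2.3",     "dst": "203.0.113.7", "analyst": "L1-a"},
    {"sig": "ET SCAN Nmap -sS",           "src": "198.51.100.9", "dst": "10.1.2.20",   "analyst": "L1-b"},
    {"sig": "ET SCAN Nmap -sS",           "src": "198.51.100.9", "dst": "10.1.2.21",   "analyst": "L1-b"},
    {"sig": "ET SCAN Nmap -sS",           "src": "198.51.100.9", "dst": "10.1.2.22",   "analyst": "L1-b"},
    {"sig": "ET POLICY PE EXE Download",  "src": "10.1.2.3",     "dst": "203.0.113.7", "analyst": "L1-a"},
    {"sig": "ET WEB SQLi Attempt",        "src": "192.0.2.44",   "dst": "10.1.2.80",   "analyst": "L1-b"},
    {"sig": "ET WEB SQLi Attempt",        "src": "192.0.2.44",   "dst": "10.1.2.80",   "analyst": "L1-a"},
]

# Constructed on-shift hours: one 8-hour day shift with two analysts.
ANALYST_HOURS = {"L1-a": 8.0, "L1-b": 8.0}


def daily_metrics(tickets, events, analyst_hours, day, top_n=3):
    """Return the page's workload metrics for one reporting day as a dict."""
    total_hours = sum(analyst_hours.values())
    events_by_analyst = Counter(e["analyst"] for e in events)
    return {
        "tickets_opened": sum(1 for t in tickets if t["opened"] == day),
        # open/pending is a backlog figure, so it is not restricted to the day
        "open_or_pending": sum(1 for t in tickets if t["status"] in ("open", "pending")),
        # guard against an empty roster (e.g. a holiday with no shift logged)
        "events_per_analyst_hour": round(len(events) / total_hours, 2) if total_hours else 0.0,
        "events_per_hour_by_analyst": {
            a: round(events_by_analyst[a] / h, 2) for a, h in analyst_hours.items() if h > 0
        },
        "top_signatures": Counter(e["sig"] for e in events).most_common(top_n),
        "top_sources": Counter(e["src"] for e in events).most_common(top_n),
        "top_destinations": Counter(e["dst"] for e in events).most_common(top_n),
    }


def report(day=date(2014, 4, 8)):
    """Daily report over the constructed data; returns the metrics dict."""
    return daily_metrics(TICKETS, EVENTS, ANALYST_HOURS, day)


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Weekly and monthly figures are the same aggregation over a wider date window; the per-analyst rate is the one most sensitive to shift coverage, which is why the function reports it next to the overall rate rather than instead of it.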
**Appendix A – Analyst Skills Matrix**
This appendix provides a matrix that outlines the required knowledge in core competency areas for SOC analyst positions. Depending on the specific role, analysts are expected to possess varying levels of competence in these competencies. The competencies include but may not be limited to incident management, threat intelligence, and vulnerability management, with each having its own minimum requirement for expertise level.
**Skills Matrix Reference**
This section is the legend for the matrix: it defines the competency levels used and how each competency is assessed against the standards the organization has set.
