
Deutsche Telekom Roadmap and Maturity Assessment

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 12 min read

Summary:

The scenario at Telekom's Münster location describes outdated documentation, incident tracking that captures no resolution details, no centralized shift logs, and only basic metrics on data collection. The recommendations address these gaps through process automation, integration with IT systems, and a more efficient Security Operations Center (SOC). The key points are:

1. **Technology Recommendations**

  • New SIEM platform deployment: implement a new SIEM platform that consolidates log management across the fixed-line and mobile networks. A single solution for monitoring and analysis serves both the SOC and secondary IT teams.

  • Use case methodology: develop use cases that correlate data sources and tie back to business requirements. A use case states what is to be detected, which data sources the detection needs, and how events are correlated within and across devices, so detection is driven by a specific need rather than by whatever happens to be collected.

  • Data source addition: assess adding server, database, OS, and Active Directory logs for enrichment and context alongside existing data, but only where a valid use case requires them.

2. **Transition to Production**

  • Move to the new SIEM platform in a structured way: begin with use cases and their procedures before expanding data sources, and do not add analysts who have not been trained.

3. **Resource Allocation**

  • Dedicate separate resources to infrastructure management and to content development within the SOC; a single person cannot do both well.

4. **Documentation and Knowledge Management**

  • Establish a knowledge management framework, implemented as a wiki, that documents all SOC operational tasks: processes, procedures, data feeds, use cases, and so on, so that information stays current and work is not repeated.

5. **Training and Skill Development**

  • Provide specialized training to SOC analysts who are expected to develop content alongside their analysis work. Properly trained analysts keep their focus on the security issues and reduce reliance on external vendor services.

Conclusion: the recommendations aim to make Telekom's SOC more effective through technology enhancements, process automation, and dedicated resources. Implemented together, they let Telekom detect, analyze, and respond to security incidents more efficiently and tie the monitoring effort to the organization's objectives.

Details:

The document "HP ESP Security Intelligence & Operations: Security Intelligence Maturity Assessment and Roadmap", produced by HP's Security Intelligence & Operations consulting practice, assesses Deutsche Telekom's Security Operations Center (SOC) and lays out a roadmap for raising its maturity across People, Process, and Technology. The assessment framework, which HP calls the Security Operations Maturity Model (SOMM), is a hybrid of the Carnegie Mellon Software Engineering Institute's Capability Maturity Model Integration (SEI-CMMI) and industry-standard SOC practice: it scores both the repeatability of processes and the presence of the practices a mature SOC is expected to have. An overall score of 3.00 ("Defined") means a clear set of processes and procedures is established; to reach it, a majority of the individual scores must sit at the 4.00 level, with metrics that are clearly defined and actually used to improve business operations. A Level-3 operation is flexible enough to adjust quickly to new threats in a changing IT environment, which is the report's stated goal for Telekom.

Deutsche Telekom's current security intelligence maturity is rated between "Incomplete" and "Performed", at 0.81 overall, well below the industry target of 3.00. Some ad hoc security intelligence work exists, but it is neither consistently repeatable nor comprehensive, and People, Process, and Technology all score low compared with other industries with similar capabilities. The SOC team is tasked with monitoring the IT environment to detect threats, analyzing them, assessing their risk, and handling security issues appropriately. The skills this requires are currently split between two teams and would benefit from an ongoing training program that keeps knowledge of current threats and tools up to date.

The report's three headline recommendations are to define project scope and business drivers from the outset so that success is measurable; to enlist subject matter experts (SMEs) who have previously built or managed a SOC, since no current team member has that experience; and to train the SOC team properly, in particular on ArcSight. It advises a phased build of the SOC: first design the team and its processes, then execute a plan for an 8x5 monitoring team of four analysts (two already identified), identify the two remaining analysts, and train all four on ArcSight and the associated SOC processes. A decision is still needed on whether to run an internal MSSP model or to use an external service provider; either way, service levels should be set to what the business needs rather than to arbitrary targets that add little value. Many organizations bring analysts in too late or leave them undertrained, which holds back the whole team. All SOC processes and metrics should be developed during this phase, after which a defined go-live date introduces the service to the wider organization together with Key Performance Indicators (KPIs) and possibly Service Level Agreements (SLAs).

The assessment groups its findings and recommendations under People, Process, and Technology, with the aim of taking the SOC from its current concept stage to a mature state in which it detects security threats and meets compliance monitoring requirements. The project team is advised to:

1. Define the project scope and business drivers clearly at the start so that success is measurable. Alignment with business drivers establishes the mission and objectives and makes the goals measurable; a limited set of achievable goals is preferable to a broad-scale SOC with no defined scope.

2. Improve use case maturity by concentrating on what matters most to protect rather than trying to cover every possible data source, and by documenting every part of each use case rigorously and keeping that documentation maintained.

People: since no team member has built or managed a SOC, leadership should engage SMEs who have, and the team itself must be trained properly. The analysts currently working in Bremen are CEH certified and familiar with Enterasys, but they still need to learn to use ArcSight effectively for intrusion analysis. Bremen's current method of identifying and collecting security events leads to over-collection and under-valuation given the limited resources; the better approach is the use-case-based monitoring already practiced, also with limited resources, in Münster. Instead of collecting every event indiscriminately, the SOC should define which threats it is trying to detect and then derive the data sources and monitoring criteria from those definitions.

Staffing is planned to grow from two analysts to four, but no formal security training is defined for on-boarding or for ongoing development. All four will need general analysis training and vendor-specific training as they move from the legacy platform to ArcSight; today new analysts are trained informally with no standardized program. Telekom should establish a formal training framework for all analysts, including clearly defined roles and responsibilities between the analyst team (Bremen) and the engineering team (Münster), which are managed separately. SOC management plans to introduce skills assessments so that analysts can build on each other's knowledge and experience; at present there is no formal assessment mechanism beyond informal data collection. Telekom should also define a staffing metric that justifies changes in headcount by the volume of events processed and reviewed by analysts; that metric is the basis for extending coverage from 8x5 or 12x5 to 12x7 or 24x7 later on. Management is tasked with an ongoing training program that brings new analysts up to speed and keeps existing analysts current on threats and defensive techniques; since there is no budget for formal training, free online resources should be used to maintain analytical skills. Specific individuals, or a small group, should own on-boarding training so that new analysts contribute from day one, and all analysts should complete the ArcSight AESA training as part of the new-analyst curriculum.

Management & Oversight: when Telekom moves to 24x7 monitoring beyond business hours, team leads or shift leads are needed for night and weekend shifts so that junior staff are not left unsupervised, neglecting tasks or becoming distracted; a senior person should be on every shift.

Skills Assessments: a formal interview process with a standard set of analytical-skills questions gives consistent, fair evaluation of candidates. Required skill sets should be defined per SOC role as benchmarks for competency, and annual assessments should feed individual training plans. For Telekom's initial small dedicated team, the report sets minimum skills per role.

Entry Level Security Analyst:

  • Minimum of 3 years in IT (civilian or military roles)
  • Minimum of 1 year in IT Security (civilian or military roles)
  • SANS GCIA certification or equivalent
  • Minimum of 1 year performing packet analysis
  • Ability to read packet headers
  • Ability to follow TCP flows to recreate a TCP session

Advanced Security Analyst:

  • Minimum of 7 years in IT (civilian or military roles) and at least 3 years in IT Security
  • SANS GCIA, GCIH, GREM or GCFE certification or equivalent
  • Ability to identify request and response communication in TCP data streams
  • Understanding of security device logging and system security logging
  • Experience monitoring firewall, proxy, antivirus, and IDS/IPS systems
  • Incident handling experience, with advanced skills in malware reverse engineering and computer forensic analysis
  • Able to support 24x7 analytical capability once it is implemented

Process: there are no standard processes for the HP ArcSight deployment; processes and procedures should be created or modified to raise maturity here. The SOC's mission is not clearly defined, which affects its focus and effectiveness, and no business drivers link monitoring activity to key business processes or systems, so the monitoring effort has limited bearing on the organization's objectives. Business process documentation at the Münster location is outdated and does not describe current monitoring practice in the ArcSight environment. Incidents are tracked in spreadsheets without complete resolution details or closed-loop information; there are no centralized shift logs, so past issues and the actions taken on them are hard to review; and basic metrics for data collection, event analysis, and security incident investigation are not captured. Management receives only a quarterly report summarizing the previous quarter's incidents.

The recommended remedy is to manage the full cycle of detection, analysis, escalation, and remediation and to measure it. Candidate metrics are the number of devices monitored, the correlation content in production, correlated security events delivered to analysts per hour, events triaged by analysts per hour, and security incidents opened and awaiting external team action. A single case management system, whether ArcSight's own or a third-party tool, should replace the spreadsheets so that metrics can be captured from cases and tickets. A knowledge management framework, implemented as a wiki, should document all SOC operational tasks: processes, procedures, data feeds, use cases, and so on. Current manual processes should be evaluated for automation, automatic notifications, and integration with other IT systems. Security metrics should cover KPIs, security posture, and risk measurement, for example the number of alerts an analyst can monitor, events per analyst hour (EPAH), or event management efficiency, and a regular threat report built on threat metrics should keep senior management informed. Finally, the SOC has no formalized console monitoring process, which becomes crucial once there are multiple analysts and shifts.
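The metrics above only become useful once they are computed from a case management system rather than read off a spreadsheet by hand. The following is an added example for this page, not code from HP, Deutsche Telekom or ArcSight: it assumes the case management system (or a spreadsheet export while one is still in use) yields ticket records and per-shift analyst counters in the shape constructed below, and from them derives events delivered per hour, EPAH, the untriaged share, incidents awaiting external teams, the closed-loop gap (cases closed with no resolution recorded), mean time to close, and the staffing figure the report asks for: how many concurrent analysts the delivered event volume justifies.

```python
"""SOC operational metrics from a case-management export.

Added example for this page, not code from HP or Deutsche Telekom, and it
does not query ArcSight: it assumes the case management system (or a
spreadsheet export while one is still in use) yields ticket records and
per-shift analyst counters in the shape constructed below.
"""
from dataclasses import dataclass
from datetime import datetime
from math import ceil
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Case:
    case_id: str
    opened: datetime
    closed: Optional[datetime]   # None while the case is still open
    owner: str                   # "soc", or the external team the case waits on
    resolution: str              # "" means no closed-loop information recorded


@dataclass(frozen=True)
class Shift:
    analyst: str
    hours: float                 # console-monitoring hours in the shift
    delivered: int               # correlated events the SIEM presented
    triaged: int                 # events the analyst actually reviewed


# Constructed sample data; the values are hypothetical, not from the report.
CASES = [
    Case("C-1", datetime(2025, 3, 3, 9, 0), datetime(2025, 3, 3, 11, 30),
         "soc", "blocked source IP at perimeter; host reimaged"),
    Case("C-2", datetime(2025, 3, 4, 14, 0), datetime(2025, 3, 4, 15, 0),
         "soc", ""),                                                # closed, nothing recorded
    Case("C-3", datetime(2025, 3, 5, 8, 0), None, "server-ops", ""),  # waits on another team
    Case("C-4", datetime(2025, 3, 6, 10, 0), None, "soc", ""),         # open, with the SOC
]
SHIFTS = [
    Shift("analyst-a", 8.0, 640, 520),
    Shift("analyst-b", 8.0, 700, 410),
    Shift("analyst-a", 4.0, 300, 300),
]


def delivered_per_hour(shifts: Iterable[Shift]) -> float:
    """Correlated security events delivered to analysts per console hour."""
    shifts = list(shifts)
    hours = sum(s.hours for s in shifts)
    return sum(s.delivered for s in shifts) / hours if hours else 0.0


def events_per_analyst_hour(shifts: Iterable[Shift]) -> float:
    """EPAH: events triaged per analyst hour, the report's efficiency metric."""
    shifts = list(shifts)
    hours = sum(s.hours for s in shifts)
    return sum(s.triaged for s in shifts) / hours if hours else 0.0


def untriaged_ratio(shifts: Iterable[Shift]) -> float:
    """Share of delivered events nobody reviewed; rises when content outpaces staff."""
    shifts = list(shifts)
    delivered = sum(s.delivered for s in shifts)
    return 1.0 - sum(s.triaged for s in shifts) / delivered if delivered else 0.0


def awaiting_external_action(cases: Iterable[Case]) -> List[str]:
    """Open incidents whose next action sits with a team outside the SOC."""
    return [c.case_id for c in cases if c.closed is None and c.owner != "soc"]


def closed_without_resolution(cases: Iterable[Case]) -> List[str]:
    """Closed-loop check: closed cases that record no resolution details."""
    return [c.case_id for c in cases if c.closed is not None and not c.resolution.strip()]


def mean_time_to_close_hours(cases: Iterable[Case]) -> float:
    """Mean open-to-close time over closed cases, in hours."""
    durations = [(c.closed - c.opened).total_seconds() / 3600
                 for c in cases if c.closed is not None]
    return sum(durations) / len(durations) if durations else 0.0


def analysts_required(delivered_per_hour_value: float, epah: float) -> int:
    """Staffing metric: concurrent analysts needed to triage the delivered volume."""
    if epah <= 0:
        raise ValueError("EPAH must be positive")
    return ceil(delivered_per_hour_value / epah)


if __name__ == "__main__":
    dph = delivered_per_hour(SHIFTS)
    epah = events_per_analyst_hour(SHIFTS)
    print(f"delivered/hour={dph:.1f} EPAH={epah:.1f} untriaged={untriaged_ratio(SHIFTS):.0%}")
    print("analysts per shift:", analysts_required(dph, epah))
    print("awaiting external:", awaiting_external_action(CASES))
    print("closed without resolution:", closed_without_resolution(CASES))
    print(f"MTTC hours={mean_time_to_close_hours(CASES):.2f}")
```

With the constructed data the analysts triage 75% of what the SIEM delivers (82 events per console hour against an EPAH of 61.5), which rounds up to two concurrent analysts per shift; the closed-loop check flags C-2 as the kind of record a spreadsheet silently accepts and a case management system should reject.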
Console monitoring: SOC management should establish and enforce a console monitoring schedule so that analytical review is continuous; outside monitoring periods analysts should work on related tasks or self-paced training.

Technology: interviews with the Telekom team surfaced gaps in the ArcSight environment. There is no corporate audit logging standard that ensures the necessary logs from custom applications are captured centrally, and the current ArcSight SIEM has no business continuity or disaster recovery plan, so a new joint SIEM platform should be designed with BC/DR in mind. The Bremen staff also work from Enterasys alerts rather than from defined use cases tied to business drivers. The report's technology recommendations and next steps for the SIEM platform are:

1. **Technology Recommendations**:

  • Continue deploying a new SIEM platform to centralize log collection from both fixed line and mobile networks into a single log management solution. This will serve the SOC and secondary IT teams.

  • Implement use case methodology to effectively monitor each data source, ensuring business requirements are met in terms of analysis and detection. Use cases facilitate correlation and cross-device correlation.

  • Evaluate adding server, database, OS, and Active Directory logs as additional data sources for enrichment and context with existing data.

  • Transition the new SIEM platform to production smoothly by starting with a single data feed and associated use cases, avoiding the "collect everything" approach which can lead to failures in processes and integrations. Only migrate current ArcSight use cases and add new ones based on requirements and supporting procedures.

  • Do not collect logs that will not be used; focus only on those supporting valid monitoring use cases.

  • Ensure dedicated resources for both infrastructure management and content development within the SOC, as a single resource cannot handle all tasks efficiently.

2. **Use Case Methodology**:

  • Develop use cases to correlate data sources effectively and ensure they tie into business requirements. This helps in detecting issues more accurately based on specific needs.

3. **Feasibility of Data Source Addition**:

  • Assess the addition of server, database, OS, and Active Directory logs based on existing use cases to enrich alerting and monitoring capabilities.

4. **Transition to Production**:

  • Implement a structured approach: start with use cases and their procedures, and only then expand data sources or add analysts, and add only analysts who have been properly trained.

5. **Resource Allocation**:

  • Allocate dedicated resources for both infrastructure tasks and content creation within the SOC to maintain efficiency and effectiveness in operations.
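The rule running through items 1 to 4, that a feed is collected only when a documented use case needs it and that production starts from a single feed, is simple enough to encode and check. The block below is an added example for this page, not code from the report, HP, Deutsche Telekom or ArcSight: it assumes each use case is recorded with a business driver, its detection logic, the feeds it needs and the analyst procedure to run when it fires, and the use cases and feed names are constructed for illustration. It splits candidate feeds into collect and defer, picks the first feed to take into production, and lists use cases that cannot run or are not fully documented.

```python
"""Use-case driven onboarding of SIEM data sources.

Added example for this page, not code from the report, HP, or Deutsche
Telekom, and independent of ArcSight. It assumes each use case is recorded
with a business driver, the detection logic, the feeds it needs and the
analyst procedure to run when it fires; use cases and feed names below are
constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class UseCase:
    name: str
    business_driver: str      # the business asset or process being protected
    detection: str            # correlation logic in plain words
    data_sources: frozenset   # feeds the correlation needs
    procedure: str            # runbook reference; "" means not yet documented

    def is_complete(self) -> bool:
        """Only a fully documented use case may justify collecting a feed."""
        return bool(self.business_driver and self.detection
                    and self.data_sources and self.procedure)


# Constructed use cases (hypothetical runbook IDs and feed names).
USE_CASES = [
    UseCase("vpn-brute-force", "remote access to billing systems",
            "20+ failed VPN logins then a success from one source in 10 min",
            frozenset({"vpn", "active_directory"}), "RB-001"),
    UseCase("malware-callback", "customer data confidentiality",
            "proxy request to a known C2 domain after an AV detection on the same host",
            frozenset({"proxy", "antivirus"}), "RB-002"),
    UseCase("privileged-group-change", "integrity of domain administration",
            "member added to Domain Admins outside a change window",
            frozenset({"active_directory"}), "RB-003"),
    UseCase("db-admin-off-hours", "customer database",
            "DBA login outside shift hours",
            frozenset({"database", "active_directory"}), ""),   # procedure missing
]

CANDIDATE_FEEDS = {"vpn", "active_directory", "proxy", "antivirus",
                   "database", "os", "server", "netflow"}


def feed_justification(use_cases: Iterable[UseCase]) -> Dict[str, List[str]]:
    """Map each feed to the complete use cases that require it."""
    out: Dict[str, List[str]] = {}
    for uc in use_cases:
        if not uc.is_complete():
            continue
        for feed in uc.data_sources:
            out.setdefault(feed, []).append(uc.name)
    return {feed: sorted(names) for feed, names in out.items()}


def onboarding_plan(use_cases: Iterable[UseCase],
                    candidates: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split candidate feeds into (collect, defer): collect only what a complete use case needs."""
    justified = feed_justification(list(use_cases))
    candidates = set(candidates)
    collect = sorted(f for f in candidates if f in justified)
    defer = sorted(f for f in candidates if f not in justified)
    return collect, defer


def first_feed(use_cases: Iterable[UseCase]) -> str:
    """The single feed to take into production first: the one serving most complete use cases."""
    counts = Counter({feed: len(names)
                      for feed, names in feed_justification(list(use_cases)).items()})
    if not counts:
        raise ValueError("no complete use cases; nothing justifies a feed yet")
    # highest count wins; ties resolve alphabetically so the choice is deterministic
    return min(counts, key=lambda f: (-counts[f], f))


def uncovered_use_cases(use_cases: Iterable[UseCase], available: Iterable[str]) -> List[str]:
    """Use cases that cannot run because a required feed is not collected."""
    available = set(available)
    return sorted(uc.name for uc in use_cases if not uc.data_sources <= available)


def undocumented_use_cases(use_cases: Iterable[UseCase]) -> List[str]:
    """Use cases that must not justify collection until their documentation is complete."""
    return sorted(uc.name for uc in use_cases if not uc.is_complete())


if __name__ == "__main__":
    collect, defer = onboarding_plan(USE_CASES, CANDIDATE_FEEDS)
    print("collect:", collect)
    print("defer  :", defer)
    print("start with:", first_feed(USE_CASES))
    print("undocumented:", undocumented_use_cases(USE_CASES))
    print("uncovered once only the first feed is live:",
          uncovered_use_cases(USE_CASES, [first_feed(USE_CASES)]))
```

The database feed is deferred even though a use case names it, because that use case has no procedure yet; this is the report's point that documentation for each part of a use case has to exist before the feed is switched on, and it also keeps the os, server and netflow feeds out until something needs them.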

The report leaves open whether content development should sit with the SOC analysts or with the vendor. If analysts are to develop content, they need specialized training, since analysis and content development are different skill sets; with that training the SOC can keep its detection content focused on the security issues it actually faces instead of relying on external vendor services.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
