Deutsche Telekom State of Operations Engagement Assessment
- Pavan Raja

- Apr 8, 2025
- 17 min read
Summary:
This passage outlines a structured approach for improving the Security Operations Center (SOC) within a telecom organization using ArcSight technology. The approach includes role-sharing, knowledge transfer through mentoring, and rotations through various roles such as monitoring and triage. Here’s how this structured approach can be implemented:
1. **Role-Sharing:**
   - Assign responsibilities to team members based on their expertise and experience. This leverages the full potential of each member while ensuring tasks are distributed evenly across the team.
   - For example, some analysts may specialize in monitoring alerts, while others focus on identifying threats or managing logs.
2. **Knowledge Transfer through Mentoring:**
   - Implement a mentoring program in which more experienced members (mentors) train and guide less experienced members (mentees), through regular training sessions, one-on-one meetings, or shadowing the mentor during their work hours.
   - Encourage knowledge sharing with periodic review sessions where team members discuss new threats they have identified or issues they faced while working on cases.
3. **Rotations Through Various Roles:**
   - Regularly rotate analysts through different roles within the SOC, such as monitoring, triage, and incident response. This broadens their experience and helps them understand how the various aspects of security operations are interconnected.
   - For instance, an analyst might start by monitoring alerts and gradually move on to identifying threats or managing logs, gaining a comprehensive understanding across all phases of SOC activity.
4. **Leveraging the Weekly Threat Report:**
   - Use the weekly threat report as the basis for a security awareness program within the SOCT: regularly review the significant threats identified in the reports and discuss how to prepare for similar scenarios in future incidents.
   - Encourage proactive engagement by involving analysts in discussions about improvements or changes needed in technology, processes, or procedures based on the threat trends reported each week.
5. **Technical Recommendations:**
   - Implement skills training such as workshops on IDS (Intrusion Detection System), firewalls, and Windows and Linux systems, expanding to major network changes, technology upgrades, and new features as the analysts' awareness grows.
   - Integrate vulnerability management with a common patch management program that regularly updates the list of scanned assets and assigns criticality ratings, so that system criticality can be assessed in tools like ESM (Enterprise Security Manager).
   - Train analysts on technologies such as McAfee IntrusionShield, which complements existing capabilities and supports monitoring of the SOC Triage channel.
6. **Annual Skills Assessments:**
   - Conduct annual skills assessments for new analysts to ensure they are up to date with the latest technological advancements and industry practices within their roles.
7. **Implementing Programs:**
   - Adopt common vulnerability management and patch management programs, and other relevant security initiatives, that have proven successful in similar telecom environments or organizations with extensive asset databases.
By following this structured approach, the SOC can enhance its capabilities to effectively respond to security threats, improve incident and change management processes, and continuously adapt to new technological advancements while maintaining a proactive stance towards potential risks.
Details:
The document provided appears to be a comprehensive report detailing the security operations assessment of Deutsche Telekom, carried out by HP's Security Intelligence & Operations Consulting (SIOC) team. The report is dated March 2, 2015, and covers various aspects including maturity methodology, strategy, roadmap, engagement delivery phases, areas of improvement, issues with the engagement, and recommendations.
The assessment followed a structured approach involving four main phases: Assess and Design (Phase 1), Analyst Skills Assessment and Training (Phase 2), Solution Implementation and Maturity (Phase 3), and Manage and Operate (Phase 4). Key deliverables from each phase included requirements gathering, SIEM architecture review, use case implementation, skills assessment, gap analysis training, SOC foundation implementation, incident management, reporting, and documentation.
Areas of improvement identified in the report include deficiencies in business maturity, analytical maturity, operational maturity, and technology maturity. Recommendations focused on enhancing process improvements, people development, and technological enhancements to improve overall security operations. The document also outlines specific roles and responsibilities for each phase of the engagement, as well as outstanding deliverables and recommendations for future ArcSight support tickets.
In summary, this report serves as a detailed assessment and improvement plan for Deutsche Telekom's security operations post-engagement with HP SIOC, aiming to enhance their overall security posture and operational efficiency.
During the week of June 17, 2013, HP Security Intelligence & Operations Consulting (HP SIOC) conducted a maturity assessment to evaluate Deutsche Telekom's security operations center using standardized HP maturity and best practices. This assessment aimed to provide recommendations for improving the operational capability towards establishing a mature and highly capable Security Operations Center (SOC). As a result of this assessment, an action plan led by HP SIOC was initiated in September 2014 with joint efforts from SOCT analysts, engineers, and project sponsors, as well as HP SIOC specialists.
The combined efforts have transformed the SOCT into a security monitoring team capable of conducting intrusion analysis, raising security awareness, and producing comprehensive reports. The project focused on three main areas: people, processes, and technology. A significant portion of the initiative was dedicated to training analysts to perform security analysis and investigations. To support process development, a wiki-based knowledge framework was introduced as a platform for continuous improvement in processes. Additionally, the monitoring infrastructure has been significantly enhanced to better monitor and respond to critical security events, providing incident response capabilities.
Currently, Deutsche Telekom staffs cyber incident detection only on the day shift, with personnel specifically trained for malware-related incidents. The efforts have led to advancements in technology, process improvements, and skill development among analysts, contributing to the overall maturity of the organization's SOC.
This document discusses the improvements made to Deutsche Telekom's Security Operations Center (SOC) during a collaboration with HP SIOC Consulting. The goal was to enhance the day-shift capabilities and prepare for future expansion, particularly focusing on network traffic monitoring and security events detection. Key achievements include the addition of servers, accounts, DNS servers, web proxies, and new tools like RepSM to improve filtering of critical security incidents requiring analyst response. The report acknowledges that these improvements are just the initial steps towards maturity in providing effective security monitoring services. To support this growth, executive support and empowerment throughout the company are essential. The Deutsche Telekom Security Operations Center project involved both internal expertise from Deutsche Telekom and external assistance from HP SIOC Consulting, with a team of experienced consultants dedicated to enhancing telecommunications security operations.
The HP team included Solutions Architect Lee Whatford, Darren Humphries, SOC Consultants John Rouffas and Sean Clapper, Trainer Leroy Ranel, and Support Consultants Bret Bennett, Raj Kalsi, and Aniekan Andrew-Essien. Their primary focus involves establishing and refining security operations through the implementation of both repeatable processes and industry standard practices as outlined in the HP ESP maturity assessment model, which is a hybrid of the SEI-CMMI. The goal is to achieve a defined level of 3.00 in their security intelligence operations by demonstrating the use of metrics for continuous improvement. Deutsche Telekom's current security intelligence operation falls under the "Incomplete and Performed" category with an overall maturity assessment score of Level 0.81, indicating room for development in repeatable processes and procedures.
The Capability and Maturity Roadmap in Chapter 4 of Deutsche Telekom's program aims to enhance their Security Operations Center (SOC) across the People, Process, and Technology dimensions. The roadmap is a structured approach overseen by HP SIOC, aiming to establish a stable SOC setup that can support enhanced security operations capabilities across Germany and Europe.
The initial phase of this roadmap includes the assessment and design process where detailed requirements are gathered from business and compliance needs, reviewed for SIEM architecture, and identified use cases for SIEM implementation. The project timeline follows a four-phase approach:
1. **Phase 1 - Assess and Design**: This phase involves gathering comprehensive business and compliance requirements by interviewing key stakeholders. Additionally, it includes the assessment of current operating environment and infrastructure, along with reviewing the SIEM architecture to strengthen its framework.
2. **Phase 2 - Implement**: In this phase, HP SIOC focuses on deploying the necessary technology solutions and tools as per the designed SIEM architecture. This involves setting up the required systems for data collection, analysis, and response capabilities.
3. **Phase 3 - Operate**: The SOC starts its operation with three initial SOC analysts trained by HP SIOC consultants. These analysts are empowered to provide essential services within STTS (State Technical Telecommunication Service) and extend their support to other NATCOs (National Operations Control Centers) of Deutsche Telekom.
4. **Phase 4 - Optimize**: This final phase involves continuous monitoring, performance evaluation, and optimization based on real-time feedback and evolving threats. The goal is to refine the SOC's capabilities by leveraging new technologies and adapting to changing security landscapes.
The roadmap not only aims to establish a robust SOC for Deutsche Telekom in Germany but also outlines a strategy to replicate this successful model across other European regions, thereby demonstrating capability and maturity in managing sophisticated IT security operations.
The document outlines a multi-phase project plan for enhancing Telekom's Security Operations Center (SOC) capabilities using the ArcSight solution. Here’s a summary of each phase:
**Phase 1 - Develop and Validate Mission and Vision:**
This involves creating a clear mission and vision statement for the SOC to position it as a strategic part of Telekom's defense structure. HP SIOC will collaborate with Telekom to define these elements, helping to ensure that the SOC's objectives align with the company’s broader security goals.
**Phase 2 - Analyst Skills Assessment and Training:**
Focuses on skill enhancement for SOC analysts:
**ArcSight Training:** Both classroom and hands-on training were conducted to maximize the use of ArcSight tools for monitoring, correlation, and alerting, and to integrate them with other security tools and techniques.
**Skills Assessment:** The skills of all SOC analysts are evaluated against Telekom’s requirements. A tailored training plan is developed for each analyst, focusing on specific needs identified during the assessment.
**Phase 3 - Solution Implementation and Maturity:**
This phase involves:
**Develop Process Improvement Framework:** Documentation of existing security operations processes and procedures, capturing these within a company Wiki. The goal is to establish a repeatable, documented process framework for security operations, which supports Telekom’s personnel in carrying out their duties effectively.
**Outline Triage and Escalation Procedures:** Efforts are made to improve the SOC's triage capabilities, ensuring clear procedures for handling incidents efficiently.
**Integrate Incident Response:** Development of comprehensive processes and procedures for incident response, guided by Telekom’s TSVM (Technical Support Vector Management) and STTS (Security Threat Technical Team) teams.
**Mature SIEM Implementation:** Continuous refinement of the SIEM model within ESM to enhance event monitoring that aligns with identified use cases or innovative configurations. This includes improvements in reporting capabilities, such as ad-hoc and scheduled technical, operational, and trend analyses.
Throughout these phases, HP SIOC collaborates closely with Telekom’s stakeholders to ensure that the implemented solutions are not only effective but also aligned with the company's strategic objectives and operational needs.
The article discusses how ArcSight ESM (Enterprise Security Manager) provides organizations with tools for maintaining continuous situational awareness regarding their security status, which also satisfies regulatory reporting requirements. This system includes features such as dashboards and rules that facilitate quick, convenient, and intuitive access to security information, along with a powerful correlation engine capable of processing millions of log entries down to critical events requiring review by security administrators.
In the Operate and Optimize phase, HP SIOC assisted in guiding the operation of the new capability within Telekom, focusing on optimizing operations, closing gaps, and implementing continual improvement plans. During this phase, comprehensive knowledge transfer was conducted in areas such as incident response, intrusion analysis, SIEM configuration, and content development to empower Telekom with the ability to sustain their operations environment long-term and develop customized content for monitoring tools.
Furthermore, HP SIOC worked alongside Telekom to define career paths for security analysts, providing a template that includes recommendations on future education, training, and skills necessary for advancing within Telekom's information security program. Additionally, the article mentions the implementation of a process improvement framework aimed at enhancing overall efficiency and effectiveness in Telekom's security operations.
This summary outlines a collaboration between HP SIOC and Deutsche Telekom focused on enhancing the security operations center (SOC) framework. The main activities included assessing and designing requirements, conducting training for analysts in security operations, identifying opportunities for tool development, and addressing key processes such as incident response. Throughout the project, which began in September 2014, HP SIOC facilitated workshops to gather business requirements and regulatory compliance, defining the mission and vision of the SOC and its use cases. The engagement also focused on improving process authoring responsibilities, review and approval roles, and conducting closeout activities including documentation and presentation to executive management. Key processes like incident response were emphasized in addressing gaps within the SOC framework.
The inability to onboard DNS servers, Web servers, and Windows Servers without consent from the 'Workers' Council affected the quality of work delivered to SOC consoles. Use Cases for enhancing operating experiences required information from these devices connected to the Internet. A SIEM Architecture review was conducted as part of this program before implementing Use Cases; it revealed instability in the ArcSight ESM system due to database performance issues, with HP SIOC recommending the removal of internally developed content and configuration issues with the OPSEC LEA connector for Checkpoint. After removing all content by November 9th, 2014, a performance assessment confirmed that the system was stable enough to receive new content. The project team, including Deutsche Telekom key stakeholders, defined Use Case Categories which were approved by Telekom Management. Additional use cases have been developed for the CRD Third party portal as part of this implementation process.
The SOC Triage channel is a critical component of the organization's security operations center (SOC), serving as the primary means to alert and monitor activities based on pre-defined use cases. This channel not only alerts but also drives further investigation, procedures, and escalation through related channels. Analysts within the SOC have access to monitor various elements of the environment including RepSM, which has been optimized by HP SIOC consultants.
Phase 2 focused on enhancing analyst skills through comprehensive training. The analysts spent at least four hours daily over two months with HP SIOC trainers and consultants, covering a wide range of topics from networking basics to advanced analytical packet analysis techniques. The core modules for this phase were designed around networking concepts and interfacing with ArcSight systems.
During the Skills Assessment phase, each analyst underwent an evaluation to identify their strengths and weaknesses in security monitoring skills. While basic networking skills were generally solid across all analysts, issues were found in understanding security concepts and navigating through ArcSight systems. To address these gaps, additional training workshops using a "Dev." system were provided, which helped improve the analysts' capabilities in anomaly detection, exploit recognition analysis, firewall management, log analysis, malware analysis, network intrusion detection, technical skills with ArcSight ESM, McAfee IDS, Symantec AV, and security threat intelligence.
The overall goal of this training was to strengthen the core competencies of SOC analysts through a structured learning program tailored to enhance their capabilities in monitoring and analyzing potential threats within the organization's IT infrastructure.
The document discusses HP SIOC's approach to training and support for Telekom's Security Operations Center (SOC) analysts. Key points include:
1. **Training Specificity**: Training at HP SIOC is tailored to the individual needs of each analyst, with an emphasis on hands-on training, which most analysts preferred.
2. **Skill Assessment and Development**: The skill matrix analysis identified areas where networking skills are strong but require more focus on security incident handling. To address this, templates for service level agreements (SLAs), onboarding, and incident triage have been developed to standardize business processes in the SOC.
3. **Documentation and Process Improvement**: There is a lack of clear business processes within the SOC, which is being addressed through the development of standardized documentation templates, processes, and reviews. This will be crucial as more devices and technologies are integrated into the SOC.
4. **Training Records and Assessment**: Training records for each analyst were submitted to Telekom as part of Milestone 2 requirements. Regular assessments every six months are encouraged to continuously improve skills in areas such as ArcSight, security skills, investigative techniques, and incident handling.
5. **Training Plan for New Analysts**: A detailed training plan has been created for new SOC analysts, focusing on ArcSight skills, security skills, investigative techniques, and career paths into engineering and content roles with a strong emphasis on incident handling.
6. **Long-term Impact**: The implementation of the new SOC foundation involves defining, implementing, and documenting solutions, setting the stage for future enhancements and improvements in the SOC's capabilities.
The article outlines the implementation of key procedures and processes in a Security Operations Center (SOC) based on HP SIOC best practices. This includes collaboration with STTS leadership teams and focus on regulatory compliance requirements. The foundation for this was laid by implementing analyst core processes such as Incident Management, which followed workflows designed after working with TSVM incident response managers. Customizations were made to the ArcSight Case Management system to fit SOC workflow needs.
Reporting work by HP SIOC involved creating numerous metrics reports that measure cases, alerts, and health checks. Dashboards were developed for monitoring SIEM health, case management, and triage processes. All documentation produced as part of this project is housed within the SOC Wiki, including all use cases. The final phase involves analysts running a proper SOC, with HP SIOC providing shift reporting and support until handover to operational control.
Deutsche Telekom underwent a transition in January and February 2015, shifting the ownership of their Security Operations Center (SOC) to Deutsche Telekom while HP SIOC continued to direct and improve it. Documentation and knowledge transfer were facilitated through a SOCT wiki server where all project information was stored, and SOC analysts received training for its use. Roles and responsibilities are clearly defined within this platform. A notable omission in deliverables is vulnerability management reporting, due to the absence of a unified asset database across two separate scanning systems (Qualys and McAfee). ArcSight support tickets related to performance issues were resolved through system tuning, while unresolved issues with the Oracle database were planned for an upgrade by HP ESS. Beyond contract requirements, HP SIOC provided added value services including the installation of ArcSight 'Reputation Service Monitor' (RepSM), ping reporting for the CRD portal from ArcSight ESM, three new use cases for the CRD Portal, a laboratory environment for SOCT testing, redeveloping valuable content into use cases, and onboarding 200 Windows Terminal Servers and 100 Linux Terminal Servers into ArcSight ESM.
This document discusses several aspects of an information security operation center (SOC) for Deutsche Telekom, including its current practices and future plans. The SOC operates with a focus on detecting and responding to threats using various tools and technologies such as Intrusion Detection Systems (IDS), monitoring unusual activities, analyzing traffic from and to known infected systems, and tracking malware threats and authentication failures.
The SOC has implemented ArcSight Activate for threat detection and response, developed a comprehensive wiki for knowledge management, and plans to add more content and training materials in the next month. They are also working on improving their maturity by mapping activities against assessment findings from HP SIOC, indicating areas where Deutsche Telekom's current security practices can be improved or enhanced.
The SOC operates under a dayshift schedule with three 'Telekom' analysts during the day and one Level-2 analyst from HP SIOC for support. Thorsten Kassing manages infrastructure support remotely in Münster, while Thomas Wierlemann serves as the Security Operations Manager also based in Münster.
Despite making progress, the Deutsche Telekom SOC is noted to be in its early stages of development. The initial focus was on laying a foundation with content at the console and within analysts' daily activities. Continuous learning and application of security concepts and processes are still ongoing for the analysts. Despite these challenges, there is potential for growth and scalability within the SOC framework, which could benefit other Telekom SOC environments by providing replicable capabilities and effective incident response strategies.
The article discusses the proposed "Federated" Security Operations Center (SOC) for a company and identifies several areas that need improvement to enhance its effectiveness. A well-defined SOC serves as the central security operations hub in an organization, providing visibility into policy adherence and acting as the initial line of defense against threats. To achieve optimal performance, the SOC must integrate inputs from all business units, currently managed by Uwe Werner (STTS overall) and Thomas Wierlemann (remote-based).
The proposed SOC needs to be a standalone entity with clear leadership and responsibility for security operations, including monitoring, awareness programs, and incident response. However, during the "Federated" engagement, analysts were pulled away from their core SOC responsibilities due to distractions related to STTS activities and other security operations. As a result, continuity in SOC operations has been compromised, with daily meetings often being canceled because analysts are attending training or working on STTS tasks.
The article highlights that the current SOC structure, where it is still an extension of the Security Technology & Technical Security team (STTS), needs to be reevaluated and restructured for better management and focus. This includes setting up a dedicated team lead capable of managing daily activities among analysts, granting the SOC greater responsibility and autonomy in security operations, and establishing it as a central point for all security-related activities.
In summary, the SOC (Security Operations Center) has been working on improving its asset management by maintaining consolidated and updated lists of assets and contacts. For incidents, they rely primarily on the ArcSight Case Management system as their source of truth. Engagement with other parts of the organization for incidents is currently managed by TSVM. COMS is one of four major case management systems used at Telekom, and discussions are ongoing about consolidating these systems. During a project, an outage affected the delivery timeline due to lack of communication between the SOCT (Security Operations Technical Contact) and change control procedures. The SOCT needs better integration with change controls for asset updates. Additionally, there is no centralized vulnerability management or patch management program at Telekom; current scanning practices are inconsistent and do not provide a comprehensive view of network device vulnerabilities.
The mentorship initiative aims to enhance Telekom's Security Operations Center (SOC) capabilities by promoting security-testing initiatives and improving analytical maturity through enhanced knowledge of relevant technologies and systems. To assist in this process, HP SIOC is willing to help set up necessary devices, roles, interactions with business groups, and data collection for better analyst triage abilities.
The analysts have undergone initial training but are still progressing towards full operational maturity. They need guidance and experience sharing from more experienced colleagues to improve their skills in the SOC role. HP SIOC suggests a structured approach that includes role-sharing, knowledge transfer through mentoring, and rotations through various roles such as monitoring and triage.
The SOC manager should leverage the weekly threat report to initiate a security awareness program by the SOCT, fostering proactive engagement in SOC activities.
This passage discusses a project related to implementing content engineering in an organization's Security Operations Center (SOC) using ArcSight technology. The initial focus was on formalizing external threat notification through a weekly report and nominating a content engineer for dedicated roles including content management and certificate management. However, technical limitations, such as the absence of Windows systems and DNS systems from ArcSight, led to practical challenges in implementing use cases effectively. As a temporary solution, 200 Windows terminal servers used for third-party access were onboarded, but this was only a fraction of the total Windows servers within the organization. Additionally, while DNS logs were recognized as crucial because of their role in monitoring traffic entering and leaving Telekom's network, other important logs, such as those from web and email servers, were not being considered.
Despite these challenges, the project progressed with limited technical capabilities, and the SOC was moving towards maturity capable of monitoring alerts and identifying applicable threats using available tools. However, there were concerns about the lack of structure and leadership in the SOCT, which hampered effective implementation and progress. Recommendations included focusing on providing structured leadership to enhance the SOC's ability to respond effectively to security threats and implement improvements based on identified issues.
The Security Operations Center (SOC) and STTS (Security Technical Team Support Services) are recommended to be split by HP SIOC, with STTS responsible for maintaining and supporting the CRD portal, while the SOC focuses on providing monitoring services for better security assurance. To effectively carry out their roles, the SOC requires dedicated staff and a manager onsite, ensuring proactive rather than reactive approaches. The SOC should remain at level 3, while STTS could be accommodated at level 2 of Neuenstrasse, Bremen. Additionally, HP SIOC recommends appointing an operational experienced team lead for the SOC to enhance its capabilities and support Telekom's services globally. Lastly, consolidating different case management systems used outside the SOC onto a common platform is suggested to improve organizational efficiency.
The task at hand involves improving incident management and change management within a telecoms organization by creating a common platform. As more devices are integrated and alert levels increase, there will be a need for increased staffing and shift times. To prepare for this, present analysts should be empowered with responsibility and expertise to train new analysts. Annual skills assessments should be conducted as part of their employment at Telekom.
Telekom should aim to appoint a Level 2 Analyst once they are confident in the maturity and skills of each analyst. If there is a lack of leadership at the Bremen office, an experienced Level 2 analyst should be sought for up to three months to assist in building the maturity of the SOCT analysts.
HP SIOC recommends that technical teams conduct workshops to train analysts on logging and monitoring capabilities, starting with basic information about Anti Virus Alerts and gradually increasing complexity as their awareness grows. Workshops should cover various technologies including IDS, firewalls, Windows and Linux systems, expanding to include major network changes, technology upgrades, new features, and what to look out for as awareness increases.
The requirements of a telecom organization that monitors events from the internet into its environment necessitate the use of intrusion detection and prevention tools.
To enhance the capabilities of SOC (Security Operations Center) analysts, there are several technology recommendations outlined in the passage. Firstly, gaining skills in McAfee IntrusionShield is beneficial as it complements existing firewall capabilities and supports monitoring of the SOC Triage channel for various IDS events from McAfee.
Regarding on-boarding new devices and use cases, SOC Engineers should involve analysts in the entire process, documenting these activities within the SOC wiki. Analysts need an up-to-date asset register that includes details such as which alert is related to which asset, the asset owner, its primary function, and criticality.
For vulnerability management, adopting a common vulnerability management program and patch management program would benefit by providing an updated list of scanned assets with their criticality ratings. This information could be integrated into ESM (Enterprise Security Manager) for assessing system criticality. The platform can also serve as an entry point for administrators to become SOC analysts, enhancing security awareness while empowering network operators with valuable insights that are not typically available to them.
Implementing these programs is a multi-step process, but it has been successfully executed in other telecom environments and organizations with extensive asset databases. HP SIOC can provide assistance in this area to Telekom, helping to manage over 150,000 assets effectively.
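As an added illustration of the asset register and scanner integration recommended above (example code, not part of the original report or of HP's or ArcSight's tooling), the following Python merges two constructed scanner inventories into one register keyed by hostname, attaches owner, function and criticality, and uses that to rank sample alerts so that hosts missing from the register are surfaced rather than dropped. The scanner field names, the 1-5 criticality scale, the priority formula and the alert shape are all assumptions.

```python
"""Unified asset register and alert enrichment (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample exports from two scanners. Field names are assumptions,
# not the real Qualys or McAfee export formats.
SCANNER_A = [  # inventory from the first scanner
    {"host": "TS-WIN-017.corp.example", "ip": "10.20.1.17", "open_critical": 2},
    {"host": "dns-01.corp.example", "ip": "10.20.0.53", "open_critical": 0},
]
SCANNER_B = [  # inventory from the second scanner: different casing and field names
    {"hostname": "ts-win-017.corp.example", "address": "10.20.1.17", "crit_findings": 3},
    {"hostname": "proxy-02.corp.example", "address": "10.20.2.8", "crit_findings": 1},
]
# Constructed ownership and criticality data as a SOC wiki asset page might record it.
OWNERSHIP = {
    "ts-win-017.corp.example": {"owner": "Third-party access team",
                                "function": "Terminal server", "criticality": 4},
    "dns-01.corp.example": {"owner": "Network services",
                            "function": "Authoritative DNS", "criticality": 5},
    "proxy-02.corp.example": {"owner": "Network services",
                              "function": "Web proxy", "criticality": 3},
}


@dataclass
class Asset:
    hostname: str
    ip: str
    owner: str = "UNKNOWN"
    function: str = "UNKNOWN"
    criticality: int = 0            # assumed scale 1 (low) .. 5 (critical); 0 = unrated
    open_critical: int = 0          # highest critical-finding count reported by any scanner
    sources: List[str] = field(default_factory=list)


def build_register() -> Dict[str, Asset]:
    """Merge both scanner inventories into one register keyed by lower-case hostname."""
    register: Dict[str, Asset] = {}
    rows = [("scannerA", r["host"], r["ip"], r["open_critical"]) for r in SCANNER_A]
    rows += [("scannerB", r["hostname"], r["address"], r["crit_findings"]) for r in SCANNER_B]
    for source, host, ip, crit in rows:
        key = host.lower()                      # normalise so both scanners match
        asset = register.setdefault(key, Asset(hostname=key, ip=ip))
        asset.open_critical = max(asset.open_critical, crit)  # most pessimistic scanner wins
        asset.sources.append(source)
        meta = OWNERSHIP.get(key)
        if meta:
            asset.owner = meta["owner"]
            asset.function = meta["function"]
            asset.criticality = meta["criticality"]
    return register


def enrich_alert(alert: dict, register: Dict[str, Asset]) -> dict:
    """Attach owner, function and criticality to an alert and compute a triage priority.

    alert shape (constructed): {"name": ..., "severity": 1..10, "host": hostname}.
    Priority = severity * criticality, plus 5 when the asset has open critical
    findings. A host absent from the register gets severity * 3 and a note, so an
    unregistered asset is reviewed instead of silently sinking to the bottom.
    """
    out = dict(alert)
    asset = register.get(alert["host"].lower())
    if asset is None:
        out.update(owner="UNREGISTERED", function="UNKNOWN", criticality=0,
                   priority=alert["severity"] * 3,
                   note="host missing from asset register")
        return out
    priority = alert["severity"] * asset.criticality + (5 if asset.open_critical else 0)
    out.update(owner=asset.owner, function=asset.function,
               criticality=asset.criticality, open_critical=asset.open_critical,
               priority=priority)
    return out


def triage_queue(alerts: List[dict], register: Dict[str, Asset]) -> List[dict]:
    """Return enriched alerts, highest priority first (stable for ties)."""
    return sorted((enrich_alert(a, register) for a in alerts), key=lambda e: -e["priority"])


# Constructed alerts in the shape a triage channel might hand to an analyst.
SAMPLE_ALERTS = [
    {"name": "Repeated authentication failures", "severity": 4, "host": "TS-WIN-017.corp.example"},
    {"name": "DNS query to known-bad domain", "severity": 6, "host": "dns-01.corp.example"},
    {"name": "IDS signature match", "severity": 7, "host": "build-99.corp.example"},
]

if __name__ == "__main__":
    for entry in triage_queue(SAMPLE_ALERTS, build_register()):
        print(entry["priority"], entry["host"], entry["owner"], entry.get("note", ""))
```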