4 SOC Consulting

IBM Security Services
Building a Security Operations Center
Engin Özbay
IBM Security, Turkey
[email protected]
© 2015 IBM Corporation

IBM Security Systems
Security operations in a
changing environment
2 © 2015
2012 IBM Corporation
The current environment is putting new demands on security

operations
New Business Models, Velocity of Threats
New Technologies
Large existing IT
infrastructures with a
globalized workforce,
Mobile Collaboration / Cloud / 3rd party services,
BYOD Virtualization and a growing
customer base
Social Business Evolving Regulations

Blurring “Social” Identities
Potential Impacts
Malware infection $$$

Regulatory Fines
Data or Device Loss of productivity Data Leakage
Loss or Theft
3 © 2015 IBM Corporation

Why do we build operational security controls & capabilities?
Reduce enterprise risk. Protect the business.
Move from reactive response to proactive mitigation.
Increase visibility over the environment.
Meet compliance/regulatory requirements.

What is a Security Operations Center, or SOC?
 A Security Operations Center is a highly skilled team following defined

definitions and processes to manage threats and reduce security risk
 Security Operations Centers (SOC) are designed to:

– protect mission-critical data and assets
– prepare for and respond to cyber emergencies
– help provide continuity and efficient recovery
– fortify the business infrastructure
 The SOC’s major responsibilities are:

– Monitor, Analyze, Correlate & Escalate Intrusion Events
– Develop Appropriate Responses; Protect, Detect, Respond
– Conduct Incident Management and Forensic Investigation
– Maintain Security Community Relationships
– Assist in Crisis Operations
Security operations centers must be responsive to the evolving

threats and provide management the information and control that it
needs
The SOC ….
 Must demonstrate compliance with regulations

 Protect intellectual property and ensure privacy properly
 Manage security operations effectively and efficiently
 Provide real-time insight into the current security posture of your
organization
 Provide security intelligence and the impact of threats on the organization
 Enable your organization to know who did what, when - and prove it
(evidence)
But it’s not that simple...

Designing and building a SOC requires a solid understanding of the

business’ needs and the resources that IT can deploy
Multiple stakeholders, processes and
technologies to consider Personnel skills: Security analysts,
shift leads, SOC managers
People In-house staff Partners Customers Outsourced Providers
Threat Analysis Compliance Mgmt Change Mgmt Risk Assessment

•
Process •
Vulnerability Mgmt Identity & Access SLA Mgmt Incident Mgmt
•
•
An operational process framework
Log Management Compliance Reporting Event Correlation Threat Reporting
Technology
Identity &
Vulnerability Scanners Ticketing System Change Tracking
Desktop Mgmt
Physical space
requirements and
location

There is no app for that…
Client Success Undefined >

Compliance & Reporting >
Technology Scope
Identity & Application Brand

Log Integrity Firewall IDPS DLP
Access Monitoring Monitoring
People
In-House Co-Deliver Outsource
Functionality
Security Intelligence ON Security Monitoring ON
Compliance Management OFF Correlation Rules ON
Device Management OFF Incident Escalation ON
Policy Management OFF Incident Response OFF
Escalations & Notifications >
….Don’t be a FOOL and think you just need to buy a TOOL

Building a Security Operations Center involves multiple domains

People Process
• Do you need 24x7x365 staff? • What does the plan look like?
• What are the skills needed? • How do we measure progress and
goals?
• Where do you get staff?
• What is the optimal design of core
• What about training?
processes? (eg. incident
• How do you keep staff? management, tuning, etc.)
• Metrics to measure performance • Process and continual improvement
• Capacity planning
Technology Governance / Metrics

• SIEM architecture & use cases • Dashboard visibility and oversight
• Log types and logging options • Policy, measurement and enforcement
• Platform integrations; ticketing • Integrated governance that balances
governance, big data daily operations with strategic planning
• Web services to integrate them • Ministry objectives
• Technology should improve • Informing stakeholders
effectiveness and efficiency
• Informing employees
9 IBM Confidential © 2015 IBM Corporation
SOC Models
© 2012 IBM
© 2015 IBMCorporation
Corporation
The changing requirements for enterprise security & risk management

coupled with technology advancements have triggered a paradigm shift in
the design and ongoing administration of a SOC.
Legacy SOC Optimized SOC
Technology or service Build a dedicated security
Mission & Strategy
Charter
only operations capability
Cross-functional
Governance Self governed (IT Security)
(IT, Business, Audit, etc.)
Budget based, 3+ year cycle, priorities

Strategy
12 month planning cycle set by enterprise
Proactive.
Detect & Tools SIEM tool only
SIEM, ticketing, portal/ Visible.
dashboard, Big Data
Anticipate
Technology
react to Standard rules Tailored rules based on

threats.
Use Cases
Minimal customization risk & compliance drivers threats.
Referential Minimal importance, Required data, used to
Mitigate
Data Secondary priority prioritize work risks.
Management
Silos, ticket/technology Cross-functional, efficiency,

Operations
Measures
driven quality, KPI/SLO/SLA
Metrics, analytics,
Reporting Ticket/technology driven
scorecards, & dashboards

IBM Security Operations Operating Model

Cyber-Security Command Center (CSCC) Corporate
Governance
Business Units
Executive Security Intelligence Briefings Local Reg. Security Oversight SOC Governance
Consolidated Security Analytics & Dashboards Local/Reg. Intel. Briefings Legal
SOC
Audit
SOC Service Delivery Management

Service Level Management Operational Efficiency Service Reporting Escalation Business
Operations
Business Ops
Investigations
Architecture & Security Intelligence Security Analytics & Public Relations
Projects Incident Reporting
Incident Hunting PM Use Case Recommendations Legal / Fraud
Operations
Emergency
SOC
Response
Admin Support Threat Threat Threat CSIRT
Services Monitoring Triage Response Management IT Operations
Tool Integration Threat Analysis Investigations Adv. Event Analysis Corp. Incident Response Incident Mgmt
Escalations
Rule Admin Impact Analysis Incident Triage Table-top Exercises Problem Mgmt
Incident Mgmt.
Change Mgmt
Release Mgmt
SOC Platform Components

Security Device Data Event Data (Int./Ext.) Event Patterns Correlation IT Operations
Aggregate Security Events Log Data (Transactional) Unstructured Data (Big Data) Custom Rules
Technology
Ticketing & Integration Tools Reporting /

SIEM Portal Big Data
Workflow (e.g. Web Srvcs) Dashboard
SOC
Legend
SOC Data Sources SOC

Logs (Transactional) Network Hierarchy & Design Business Data from Structure & Geography
IT / Corp
Unstructured (Big Data) Asset & Data Classifications Threat Intelligence
We understand that an effective SOC has the right balance of People,

Process and Technology components
Process
Technology
Identity &
Desktop Mgmt

It starts with the right people …

Process
Technology
Identity &
Desktop Mgmt
The SOC is only as good as its people, and upfront planning for the unique people management
aspects of a 24x7 security centric organization will provide significant long term returns.
Points of Consideration:
 SOC staff have a specialized skill set and experienced staff are often difficult to find
 Training is expensive, time consuming, and improves marketability of staff. Compensation strategies
must be evaluated accordingly.
 Retention of staff is difficult in a non-security centric organization due to continuous need for updated
training, lack of expansive career path options, and burn-out.
 Beyond analysts for 24x7 coverage, other supporting functions must be considered:
- System admins, Intelligence resources, Escalation resources, Compliance officers,
Management / Supervision

IILLUSTRATIVE
The SOC organization is organized around the standard plan, build

and run model
IT
SOC Organization Chart Op
SOC Delivery
Governance er
Manager
ati
on
s
IT Operations
SOC / Security Intel Security
Architect Intelligence Manager
(Plan) (Build / Plan)
Incident Mgmt
SOC Engineering SOC Monitoring SOC Triage SOC Escalation

Manager Tier 1 Tier 2 Tier 3
(Build) (Run) (Run) (Run)
Problem Mgmt
Security System Senior Threat Incident Case

Senior Threat Analyst
Administrator Response Analyst Manager
Change Mgmt
Threat Response Senior ERS Incident

Security Policy Mitigation Analyst
Threat Analyst Response Technical
Administrator
(Reactive) Analyst Release Mgmt
Threat Analyst Threat Response

Device Administrator Remediation Analyst Device Mgmt
Trainee (Proactive)

IILLUSTRATIVE
A responsibility matrix for all SOC roles should be defined across

each SOC service.
Security
Security Security
SOC Analyst: SOC Analyst: SOC Analyst: Incident SOC Tools IT Security
Intelligence SOC Manager Forensic IT Operations CERT
Monitoring Triage Response Handler Admin Admin
Analyst Analyst
(Certified)
Security Monitoring R C A
Core Security Incident Triage C R C A

Services Incident Response C C R C R A R I
Delivery Management A I
Use Case Design C C C R C A C C
Log Source Acquisition R C R A C C
Deployment
Service Testing & Tuning R A I I
Services
Custom Playbook Development C C C R C C A C C
Operations Training C C C R C A
Security Intelligence Analysis C C C A C C C
Security
Intelligence Security Intelligence Briefings A C C C
Services
Use Case Reccomendations C C C A C C C
SIEM Admininstration R A I I
Administrative Contextual Data Management C R A C C

Services Log Source Management C R A C C
Log Source Heartbeat Monitoring C R A C C
Security Reporting C C C C C A C I
Reporting
Efficiency Reporting C C C A C I
Services
Financial Reporting C C C C A I
Enterprise Incident Management C A
Optional Services Forensics Investigation C C C C C A C C
Policy Violation Handling C C C C A C

IILLUSTRATIVE
Sample Job Description: Triage Analyst
Responsibilities Experience and Skills
• Monitoring of security events received through alerts from SIEM • Process and Procedure adherence
or other security tools • General network knowledge, TCP/IP Troubleshooting
• Review alerts escalated by end users • Ability to trace down an endpoint on the network based on ticket
• Handel end user and security services consumer initiated information
incidents and initiating trouble tickets – Sev 4 tickets • Familiarity with system log information and what it means
• Performing Level 1 triage of incoming issues ( initial assessing • Understanding of common network services (web, mail, DNS,
the priority of the event, initial determination of incident to authentication)
determine risk and damage or appropriate routing of security or • Knowledge of host based firewalls, Anti-Malware, HIDS
privacy data request) • General Desktop OS and Server OS knowledge
• Monitoring of alert and downstream dependencies health (logger, • TCP/IP, Internet Routing, UNIX & Windows NT
client agents, etc) • Strong analytical and problem
• Responsible for troubleshooting agents and logs required for
reporting when not reporting to alerting systems Training
• Intake intelligence actions from Intelligence teams and ticket for
appropriate operators for tool policy or tool setting tuning • Required: Security Essentials – SEC401 (optional GSEC
• Provide limited incident response to end users for low complexity certification)
security incidents • Computer Forensic Investigation – Windows In-Depth - FOR408
• Notifying appropriate contact for security events and response • Recommended: Security Incident Handling and Forensic - FOR
• Takes an active part in the resolution of incidents, even after they 508
are escalated
• Work assigned ticket queue
• Understanding and exceeding all tasked SLA commitments
• Track and report on closure of tickets per SLAs
• Escalating issues to Tier II or management when necessary
• Provide daily and weekly metrics for security and vulnerability
incidents
• 24/7 Shift work required

Leveraging tested integrated processes ….

Process
Technology
Identity &
Desktop Mgmt
Process
SOC processes must be documented, consistently implemented, and based upon existing
standards / governance frameworks. Procedures must take into consideration corporate security
policy, business controls, and relevant regulatory requirements.
 The SOC’s mission must be clearly defined – Incident discovery, CERT, etc.
 SOCs differ from NOCs, and an alarm does not always equate to action.
 Processes must take into consideration evaluation and incorporation of a constantly changing stream
of potentially actionable threat intelligence.
 Best practices for incident investigation, response, and mitigation must be maintained and updated as
technologies are added, change, or mature.

People In-house staff Partners Outsourced Providers
Built on a solid technology platform

Customers
Process
Technology
Identity &
Desktop Mgmt
Technology
Identity &
Desktop Mgmt
Technology for a SOC build is the foundation on which the organization demonstrates the ability to
provide security continuously, even under times of duress such as persistent attack, natural
disaster, facilities failure, etc.
 SOC technologies (SIEM, trouble ticketing, incident management, etc.) are often special purpose,
costly, and challenging to maintain due to their overall complexity
 The number of disparate systems and volume of device / event data will typically require a dedicated IT
staff for system administration
 Capacity management can be challenge due to the need to support peak loads which may include
DDoS, monthly batch processing, etc
 The management and reporting systems must be flexible enough to accommodate process and
security policy as well as changes in the technology landscape
SOC Strategies & Approaches
© 2015 IBM
Corporation
Selecting the optimal SOC operating model depends on balancing

business and technical requirements, risk and financial constraints
Centralized Decentralized
Business Requirements
Single Global SOC Multiple SOC’s (Geo. / BU)
CSCC Combined with SOC Single Global CSCC
Lowest Cost High Cost
Easiest to Manage More Difficult to Manage
Standard Highly Customized

Technical Requirements
Simple Platform Complex Platform
Lowest Cost to Implement/Operate High Cost to Implement/Operate
Good Risk Mgmt Capabilities Excellent Risk Mgmt Capabilities
Easy to Scale Operations More Expensive to Scale Operations
Moderate Detail on Threats Rich Detail on Threats
Externally Managed Internally Managed

Risk Tolerance
30-90 Day Implementation Long Implementation Lead Time
Lowest Cost to Implement/Operate High Cost to Implement/Operate
Not Core to Business Core to Business
Leverage Industry Best Practices Frequent Independent Reviews
Low Cost High Cost

Financial Constraints
Lowest Cost to Implement Highest Cost to Implement
Lowest Cost to Operate Highest Cost to Operate
21 IBM and Client Confidential © 2015 IBM Corporation
IBM Security Operations Operating Model: MSSP Hybrid

Cyber-Security Command Center (CSCC) Corporate
Governance
Executive Security Intelligence Briefings Local Reg. Security Oversight SOC Governance
Business Units
Consolidated Security Analytics & Dashboards Local/Reg. Intel. Briefings Legal
SOC
Audit
SOC Service Delivery Management

Service Level Management Operational Efficiency Service Reporting Escalation
Business
Operations
Business Ops
Architecture & Security Intelligence Security Analytics & Investigations
Projects Incident Hunting Use Case Management Incident Reporting Public Relations
Legal / Fraud
Operations
Emergency
SOC
Response
Admin Support Threat Threat Threat CSIRT
Services Monitoring Triage Response Management
Adv. Event Analysis IT Operations
Investigations Escalations Corp. Incident Response Incident Mgmt
Tool Integration Threat Analysis Problem Mgmt
Impact Analysis Incident Triage Incident Mgmt. Table-top Exercises
Rule Admin Change Mgmt
Release Mgmt
OT Operations
SOC Platform Components
Security Device Data Event Data (Int./Ext.) Event Patterns Correlation
Aggregate Security Events Log Data (Transactional) Unstructured Data (Big Data) Custom Rules
Technology
Ticketing & Integration Tools Reporting /

SIEM Portal Big Data
Workflow (e.g. Web Srvcs) Dashboard
SOC
Legend
SOC
SOC Data Sources IT / Corp

Logs (Transactional) Network Hierarchy & Design Business Data from Structure & Geography
MSSP
Unstructured (Big Data) Asset & Data Classifications Threat Intelligence
Getting Started
Develop a Strategy then a Plan
© 2015 IBM
Corporation
To get started, the organization should consider the following

questions in establishing its objectives
 What is the primary purpose of the SOC?
 What are the specific tasks assigned to the SOC? (e.g., threat intelligence,
security device management, compliance management, detecting insider
abuse on the financial systems, incident response and forensic analysis,
vulnerability assessments, etc.)
 Who are the consumers of the information collected and analyzed by the
SOC? What requirements do they have for the SOC?
 Who is the ultimate stakeholder for the SOC? Who will “sell” the SOC to the
rest of the organization?
 What types of security events will eventually be fed into the SOC for
monitoring?
 Will the organization seek an external partner to help manage the SOC?

The Security Operations Optimization portfolio provides a flexible

approach to the entire SOC/SIEM life cycle.
Assessment
Design & Run &
Workshop Optimize
Build Enhance
Strategy
• Educational, People and Governance
share best
• Define the mission Processes and Practices
practices
• Table-top, guided • Assess current Technology
SOC maturity operations and
capabilities • Laying the • Leveraging acquired • Business aligned
assessments
foundation of knowledge and threat management
• Set high-level • Define future capabilities experience and metrics
vision environment
• Designing effective • Instituting formal • Drive for best
• Develop next steps • Develop roadmap staffing models and feedback and review practices
roadmap for action supporting mechanisms • Integrated operations
for action processes / • Driving further value with improved
technology from the technology communications
• Conducting training • Expanding business • Seek opportunities
and testing coverage and for cost takeout
• Implementing functions • Continuous
tracking and • Tuning and improvement
reporting refinement
capabilities

Security Operations Optimization Consulting Offerings

Sample Duration &
Name Description Details
SOC / SIEM • Review security policies and SOC/SIEM mission/charter • 1-5 Days
Workshop • Review IBM SOC / SIEM Operating Model Point of View • Workshop Readout
• Review components needed to implement security operation center Deliverable
• Platform Arch., processes, organization, metrics/reporting, governance
• Discuss best practices for each components and industry trends
• Develop client feedback report
SOC Maturity • Review security policies and SOC/SIEM mission/charter • 1-5 Days
Assessment • Assess client environment against IBM SOC / SIEM Maturity Model • Maturity Assessment
Workshop • Establish future state target maturity by component Deliverable
• Analyze current and future targets vs. industry maturity benchmarks
• Identify gaps, opportunities for improvement, prioritize improvements
• Develop preliminary recommendations for SOC program
SOC/SIEM • Review security policies and SOC/SIEM mission/charter

• 4-6 Weeks
Strategy and • Conduct detailed current environment by component area; Platform Arch.,
processes, organization, metrics/reporting, governance • Maturity Assessment
Program Deliverable
Mobilization • Review current and planned SOC/SIEM projects/initiatives
• Component baselines
• Asses current environment vs. Maturity Model, est. future state target
• Sample Phase 1 work plan
• Identify and prioritize gaps and opportunities for improvement
• Identify SOC scenarios and tailor the decision model
• Finalize transformation states, service improvements, finalize strategy
• Identify initiatives, group into projects, develop roadmap (timeline)

Security Operations Optimization Consulting Offerings

Sample Duration &
Use Case / • Review security policies and SOC/SIEM mission/charter • 4-8 Weeks
Rule (UCR) • Review business/technical requirements, risk tolerance, cost constraints • Assessment Report
Assessment • Review Use Case Models and rule architecture and design
• Identify gaps, opportunities for improvement
• Prepare high level Use Case / Rule recommendations
Use Case / • Review security policies and SOC/SIEM mission/charter • 4-8 Weeks
Rule UCR • Review business/technical requirements, risk tolerance, cost constraints • Use Case Assessment and
Strategy • Review Use Case Models and rule architecture and design Strategy Deliverable
• Identify gaps, opportunities for improvement
• Identify UCR scenarios and tailor the decision model
• Identify target state, prioritize improvements, finalize UCR strategy
Security • Review security policies and SOC/SIEM mission/charter • 6-12 Weeks

Operations • Review business/technical requirements, risk tolerance, cost constraints • Security Operations
Center • Review current metrics, operational/executive reports Assessment and Strategy
Reporting • Identify gaps, opportunities for improvement Deliverable
Strategy • Identify target state, prioritize improvements, finalize SOC Rpt. strategy

Security Operations Optimization – Design / Deploy

Sample Duration &
SOC/SIEM • Develop Macro / Micro Design for Security Operation Center • 2-3 Months
Design • Key scope elements; platform, process, organization, reports, governance • SOC/SIEM design method
• Data source logical/physical scope and integration architecture • Design phase method/plan
• Develop use case and rule macro and micro design • Workshop decks/schedules
• Develop SOC operational model, logical/physical platform architecture • Key scope element baselines
• Finalize SOC process scope, context diagram, core/non-core processes • SOC capacity modeling tool
• Develop organization conceptual/logical model (roles), governance model
• Develop key metrics, reporting architecture, report list
• Product selection decision model and preliminary recommendations (opt.)
• Finalize SOC / SIEM Macro and Micro Design Deliverables
SOC/SIEM • Prepare SOC implementation plan, conduct SOC build, test, deployment • 4-6 Months
Implementation • Key scope elements; platform, process, organization, reports, governance • Implementation method/plan
• Execute procurement for selected products, services (opt.) • MSS build, test, deploy plans
• Finalize MSS implementation plan and build, test and deploy MSS (opt.) • Workshop decks/schedules
• Build, test and deploy data sources, integration API’s • Use case / rule frameworks
• Build, test, deploy use cases and conduct rule tuning • Key scope element baselines
• Build, test and deploy SOC processes, metrics, SLA’s/SLO’s, Ops Manual • SOC capacity modeling tool
• Build, test and deploy organization design, role descriptions • PoC, pilot, sim. live ops. plan
• Build, test and deploy metrics, reports and executive dashboards
• Build, test and deploy SOC governance processes
• Conduct transition; Proof of Concept, Pilot Op’s, Simulated Live Op’s
• Security Operation Center Go-Live, Update Phase N Design Plan
Helping organizations with their SOC requirements is a core element

of IBM’s 10 essential practices required to effectively manage risk
Essential Practices
1. Build a risk aware culture 6. Control network access

and management system and assure resilience
Maturity based approach

2. Manage security incidents 7. Address new complexity
with intelligence Automated
of cloud and virtualization
3. Defend the mobile and 8. Manage third party

social workplace security compliance
Manual
4. Secure services, 9. Secure data and

by design protect privacy
Reactive Proactive
5. Automate security 10. Manage the identity

“hygiene” lifecycle

IBM can provide unmatched global coverage and security awareness.
Security Operations Centers
Security Research Centers
Security Solution Development Centers
Institute for Advanced Security Branches
10B analyzed web pages and Worldwide managed

IBM Research images security services coverage
150M intrusion attempts daily  20,000-plus devices under contract
 3,300 GTS1 service delivery experts
40M span and phishing attacks  3,700-plus MSS2 clients worldwide
46K documented vulnerabilities  20B-plus events managed per day
and millions of unique malware  3,000-plus security patents
samples  133 monitored countries (MSS)
1IBM Global Technology Services (GTS); 2Managed Security Services (MSS)

Largest Bank in Canada improves security by establishing SOC &

implementing monitoring tools and processes
Client Situation : Profile:

The client had engaged IBM to help them map out their security needs, include
SOC strategy, architecture, analyzing and querying log, threat, vulnerability data Largest Bank in Canada, 3rd
(SIEM) and ongoing management. A few high-level issues were: - largest in North America, top 10
globally. The bank serves 18
 Lack of any SOC model and strategy roadmap million clients and has 80,100
 There were no trained SOC Operations team or staff employees worldwide.
 No Security monitoring tool or processes for security incidents
IBM Solution :
IBM Security Services Team reviewed the client’s business and technical
requirements, risk tolerance and cost constraints. After analyzing the requirements
IBM developed a 3 year SOC Strategy and Roadmap with ongoing Phase
implementations. Additionally the following high-level tasks were performed
 Global Installation of the QRadar monitoring tool
 Archer Ticketing System implementation (security tickets)
 Designed the SOC Organization, Process, People Model
 SOC Capacity Modeling
 Hired and Trained the client’s SOC Staff (~12 resources)
 Implemented SOC Operational Reporting and Executive Dashboards
Client Benefits:
 Reduced risks & costs associated with security incidents and data breaches
 Addressed compliance issues by establishing clear audit trails for incident response
 Improved security posture with enterprise-wide security intelligence correlating
events from IT & business critical systems/applications.
IBM Confidential
A global insurance company in United States improves security by

establishing SOC & implementing monitoring tools and processes
Client Situation :
Profile:
The client had made a board-level commitment to raise the visibility, effectiveness
and efficiency of the global security program. A few high-level issues: Global property and casualty insurer.
Multiple day delays in identifying threats Third largest insurer in the United
Extreme incident false positive ratios with current MSSP States.
Labor intensive program, without clear lines of responsibility Fortune 100 company.
Minimal security analytics & dashboards
Operates in 900 location s distributed
IBM Solution : across 18 countries.
IBM Security Services Team began with a full day SOC optimization workshop to
The company has 50,000+ employees
educate the client program team, review and validate the client’s vision and
worldwide.
strategy. After the workshop and recommendations, the client requested IBM’s
support to help them plan, design and build the SOC including the following:
SOC Architecture development
SIEM operationalization (ArcSight)
Remedy Ticketing System implementation (security tickets)
Designed the SOC organization including capacity models
Developed best-practice core SOC process and created supporting
documentation & artifacts & trained client staff
Implemented Security Operational Reporting and Executive Dashboards
Managed transition from previous MSSP to IBM Managed Services
Client Benefits:
 Reduced incident identification time from hours to minutes and streamlined
operations further reducing risks & associated costs & improved global security
with end to end incident management
 Created an industry leading view into the overall security position allowing them to
better manage their entire environment
IBM Confidential
A global financial services company in UK improves security by

transforming SOC from compliance to cyber threat monitoring
Client Situation :
Profile:
The client had invested into a SOC that was focused on policy violation and wanted
to expand the capabilities of their existing investment: UK based financial services group.
Compliance focused SOC Retail, commercial, wealth and asset
Significant challenges with existing technology management, international and
SOC manpower outsourced to 3rd Party insurance arms.
Minimal security analytics & dashboards, non-existent Security Intelligence Operates in almost every community in
IBM Solution : the UK.
IBM Security Services Team began with a 2 week SOC maturity assessment to Over 100,000 employees (2014)
gauge the client’s current and future capabilities and to review and validate the
client’s vision and strategy. After the assessment, recommendations were
presented to the client and IBM lead the transformation programme including:
Developed best-practice core SOC process and created supporting
documentation & artifacts & trained client staff
Establish a Security intelligence function
Accelerate development and implementation of a Ticketing System
Reviewed the SOC organisation and identified improvements
Demonstrated the importance of capacity modelling
Implemented Security Operational Reporting and Executive Dashboards
Client Benefits:
 Increased efficiency from the existing SOC staff handling more events in a defined
and repeatable way.
 Increased awareness of their own systems and future threats making use of
Security Intelligence
 Better able to understand and highlight the benefits of the SOC due to improved
metrics and reporting
33 IBM Confidential
ευχαριστώ
Hindi
Tack
Swedish
Greek
Спасибо
Teşekkürler Gracias
Thai
Russian
Spanish
Arabic Thank You ObrigadoPortuguese
Grazie Dankie Danke

Italian
Afrikaans
German
Merci
French
Hvala
Slovenian
Simplified Chinese
Korean
Köszönöm Hungarian
Japanese

We leverage our SOC framework, which covers the multiple

management dimensions of organizing and managing a SOC

We include 14 key processes that encompass both the business and

IT aspects

Which leads to insightful analyses – e.g. Maturity Assessment

IBM offers multiple options in our consulting offerings
 Security Operations Center (SOC) Workshop

– 1 day management workshop to establish goals and objectives for developing the SOC, identifying
stakeholders, types of threats monitored, and the management model
 Security Operations Center (SOC) Assessment

– Consulting assessment for clients that have en existing SOC but are looking for IBM to review their
capabilities and process maturity and make recommendations for improvements
 Security Operations Center (SOC) Strategy Engagement

– Consulting strategy engagement for clients who are seeking to develop a comprehensive strategy and plan to
implement a SOC that addresses both IT and the business for managing security and mitigating threats
 Security Operations Center (SOC) Design / Build Project

– Professional services to help clients design and build one or multiple SOC’s that meets the organization’s
needs for improved security intelligence and risk management
– Components include.
• Organization/People (Develop and implement staffing models, shift schedules, skills training etc.)
• Processes, Procedures, Guidelines (Define, develop and document, update existing)
• Technology (Plan, design, deploy technology components, integrate feeds and other referential
sources)

What you can expect as a result from a SOC implementation
 Better understanding of how your

security program reduces risk in
operations and therefore business risk
 Measurement of the real-time
compliance of particular security controls
in the organization
 Insight into the current state of your
security posture
 Visibility of issues, hacks, infections and
misuse that otherwise would require
human discovery and correlation.
 Easier measurements of compliance
and audit effort reduction

IBM knows security
40 © 2015
IBM is recognized as a leader in Security Consulting
“IBM burst into the Leader category by demonstrating superb global delivery capabilities”
Why IBM SIEM Security Technology? Breadth, deep expertise,

integration
Leadership
 Leader in “Magic Quadrant for Security Information and Event Management”, Gartner,
May 12, 2011, May 13, 2010, May 29, 2009.
 #1 rated by Gartner for Compliance use cases ("Critical Capabilities for Security
Information and Event Management Technology," Gartner, 12 May 2011)
Integration
 Integrated with 400+ products and vendor platforms
 SIEM, log management, network anomaly
detection, and risk management combined in a
single console
Expertise
 Embedded 3rd party security feeds including
IBM X-Force
 Tight integration with InfoSphere Guardium
and IBM Identity Manager & Access Manager
for optimized data & user security

Client example - a large financial services company

Business Challenge:
A large European financial institution with multiple global locations was
searching for best practices and assistance in creating an in-house,
compliant and effective Security Operations Center. Compounding the
challenge of the sheer magnitude of their operations was the
complications surrounding several recent acquisitions that have not
been fully integrated. The current operation was largely driven by SOX
compliance requirements and resulted in diluting the effectiveness of the
SOC with “unimportant” log sources.
Solution:
A series of business and technical workshops were conducted to start
the assessment as the client needed to refocus their operations on Solution components:
security, while retaining maintain regulatory compliance. These  IBM Q-Radar SIEM
workshops then advanced to a full security operations design,
integrating disparate business unit requirements, focusing analysis on  IBM Security Services
important log sources, and reorganizing the department. Ultimately, the SOC Workshop & Design
client chose to have IBM staff their new SOC, reducing the total number  IBM Security Services
of hired staff and overall cost. Professional Security
Services
Benefits: Overall SOC costs were reduced and the resulting
organization is more focused and effective.

Client example –global pharmaceutical company

Business Challenge:
A large global pharmaceutical company with research locations
scattered around the world faces the ongoing threats of industrial
espionage and is frequently a target of hactivitists. Their current security
operations is decentralized allowing each unit to “fend for themselves”.
After some minor faults but no major incidents, the company has
decided to centralize their security operations and create a holistic view
of security across the entire organization.
Solution:
A business and technical workshop was conducted to start the
assessment and help the client envision the end-state should look like
and how to initiate the centralization process. Leveraging a deployed Solution components:
IBM Q-Radar installation, the solution involves creating a two redundant  IBM Security Services
SOC’s to centralize security intelligence and device management SOC Workshop
operations. These SOC’s will work cooperatively using the best-practice
operational models derived from IBM MSS Global SOC’s providing a  IBM Q-Radar
single, measurable view of security across their global operations.  IBM Security Services
Managed SIEM
Benefits: A centralized operational model allows the economies of scale
to drive costs down, while improving the effectiveness of the security
operations and threat intelligence sharing.

Thank you for your time!

Questions and Answers
45 © 2015
Backup Pages

Typical SOC Project Scope

Consult and Design Build Operate Maintain
• Deliver SOC Workshop • Build Wiki framework for agile • Implement incident management • Perform SOC Maturity Assessment
• Perform SOC Maturity documentation approach process annually
SOC Processes
Assessment • Build new and integrate existing • Continue documentation and • Maintain and update SOC
processes and procedures update as necessary documentation
• Align SOC operations across the • Implement process improvement • Evaluate, measure and improve
enterprise program processes
• Drive business through metrics
• Manage risk and compliance
• Deliver SOC Workshop • Identify stakeholders • Deliver training: on the job, • Maintain dedicated SOC manager
• Perform SOC Maturity • Define roles, responsibilities, and job intrusion analysis, and Technology and analyst positions
SOC People
Assessment descriptions solutions. • Continue on-going boarding and

• Design staffing models • Analyst coaching training of new analysts as necessary
• Develop training plans • Developing key organizational
• Help hire the right staff or linkages
complement existing teams
• Architect & design SIEM • Install & configure SIEM • Operate and maintain SIEM solutions •Operate and Maintain SIEM
solutions solutions • Implement dashboards •Maintain architecture and product
SOC Technology
• Plan Use Cases • Establish data feeds • Develop operational and business documentation
• Map operations to • Implement Use Cases reports • Perform health check on SIEM
regulatory and business • Build content • Investigate using advanced analytics environment at planned intervals
requirements • Design analyst workstations • Manage incidents via cases • Perform capacity planning
• Health check • Integrate threat intelligence • Develop steady-state technology
costs
Client SOC Capability Transformation

Challenge 1: Detecting Threats
Potential Botnet Detected?

This is as far as traditional SIEM
can go
IRC on port 80?

IBM Security QRadar QFlow
detects a covert channel
Irrefutable Botnet Communication

Layer 7 flow data contains botnet
command control instructions
Application layer flow analysis can detect threats others miss

Challenge 2: Consolidating Data Silos

Analyzing both flow and
event data. Only IBM
Security QRadar fully
utilizes Layer 7 flows.
Reducing big data to

manageable volumes
Data Reduction Ratio 1153571 : 1
Advanced correlation for

analytics across silos
Exceptionally Accurate
Extensive Data Sources + Deep Intelligence = and Actionable Insight
Challenge 3: Detecting Insider Fraud
Potential Data Loss

Who? What? Where?
Who?
An internal user
What?
Oracle data
Where?
Gmail
Threat detection in the post-perimeter world

User anomaly detection and application level visibility are critical
to identify inside threats
Challenge 4: Better Predicting Risks to Your Business

Assess assets with high-risk input manipulation vulnerabilities
Which assets are affected?

How should I prioritize them?
What are the details?

Vulnerability details, ranked
by risk score
How do I remediate the

vulnerability?
Pre-exploit Security Intelligence

Monitor the network for configuration and compliance risks,
and prioritize them for mitigation
Challenge 5: Addressing Regulatory Mandates
PCI compliance at
risk?
Real-time detection of
possible violation
Unencrypted Traffic
IBM Security QRadar QFlow saw a cleartext service running on the Accounting server
PCI Requirement 4 states: Encrypt transmission of cardholder data across open, public
networks
Compliance Simplified
Out-of-the-box support for major compliance and regulatory standards
Automated reports, pre-defined correlation rules and dashboards

Operational
Managed SIEMOverview
Service Overview
Compliance Policy
Analysis Rules Best Practices Remediation
Guidelines
Monitors
dashboard
24x7 Incident closely
Real Time Data sources Expert Knowledge
Management
Real-Time
Alert/Exception
Real-Time event/log Security Investigation & Escalation

Client Premise- SIEM SOLUTION Incident
REAL TIME INCIDENT

IDENTIFICATION Ticketing Incident Reporting
ENGINE
COMPLIANCE
Log Data
ENGINE
Service
Reporting
Scheduled Log
DASHBOARD and
sources REPORTING Compliance
ENGINE Reporting
Anomaly
Reporting
Custom Reporting
(Anomaly / Forensics)
Raw Log access

© IBM Corporation 2011.
Project Timeline
Ongoing Maturation
Steady State &

Ongoing automation
SOC achieves 100%

Operational Control
• Staff Onboarding & Training

• Documented Process
• Detailed Support Planning

• Governance Model
• Communications Plan
30 days 3 months 6 months 9 months 1 year

Workshop & Roadmap

4 SOC Consulting

Uploaded by

Copyright:

Available Formats

4 SOC Consulting

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

4 SOC Consulting

Uploaded by

Copyright:

Available Formats

What are the major responsibilities of a Security Operations Center (SOC)?

What are the major responsibilities of a Security Operations Center (SOC)?

Why do organizations build operational security controls and capabilities?

Why do organizations build operational security controls and capabilities?

IBM Security Services

Building a Security Operations Center

© 2015 IBM Corporation

The current environment is putting new demands on security

Social Business Evolving Regulations

Malware infection $$$

3 © 2015 IBM Corporation

Why do we build operational security controls & capabilities?

Reduce enterprise risk. Protect the business.

Move from reactive response to proactive mitigation.

Increase visibility over the environment.

Meet compliance/regulatory requirements.

© 2015 IBM Corporation

What is a Security Operations Center, or SOC?

 A Security Operations Center is a highly skilled team following defined

 Security Operations Centers (SOC) are designed to:

 The SOC’s major responsibilities are:

Security operations centers must be responsive to the evolving

 Must demonstrate compliance with regulations

But it’s not that simple...

6 © 2015 IBM Corporation

Designing and building a SOC requires a solid understanding of the

Threat Analysis Compliance Mgmt Change Mgmt Risk Assessment

7 © 2015 IBM Corporation

There is no app for that…

Client Success Undefined >

Identity & Application Brand

In-House Co-Deliver Outsource

Security Intelligence ON Security Monitoring ON

Compliance Management OFF Correlation Rules ON

Device Management OFF Incident Escalation ON

Policy Management OFF Incident Response OFF

Escalations & Notifications >

….Don’t be a FOOL and think you just need to buy a TOOL

Building a Security Operations Center involves multiple domains

Technology Governance / Metrics

The changing requirements for enterprise security & risk management

Budget based, 3+ year cycle, priorities

react to Standard rules Tailored rules based on

Silos, ticket/technology Cross-functional, efficiency,

© 2015 IBM Corporation

IBM Security Operations Operating Model

SOC Service Delivery Management

SOC Platform Components

Ticketing & Integration Tools Reporting /

SOC Data Sources SOC

We understand that an effective SOC has the right balance of People,

People In-house staff Partners Customers Outsourced Providers

Threat Analysis Compliance Mgmt Change Mgmt Risk Assessment

Log Management Compliance Reporting Event Correlation Threat Reporting

13 © 2015 IBM Corporation

It starts with the right people …

Threat Analysis Compliance Mgmt Change Mgmt Risk Assessment

Log Management Compliance Reporting Event Correlation Threat Reporting

People In-house staff Partners Customers Outsourced Providers