Scribd Logo
Upload

Welcome to Scribd!

  • Building A SOC

    Uploaded by

    Pablo Zambrano
    62 views16 pages
    Soc

    Original Title

    Building a SOC

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Soc

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    62 views16 pages

    Building A SOC

    Uploaded by

    Pablo Zambrano
    Soc

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 16

    Building a SOC

    Maximizing the Value of a SIEM


    Implementation

    Matt Shelton, Principal Engineer, Managed Security Solutions


    Jim Pasquale, Director, Managed Security Solutions
    Month 00, 2009

    © 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09


    Verizon Business Security Solutions
    • One of the largest global providers of managed
    information security services
    • More than 3,400 customers worldwide
    • We serve the majority of the Fortune 100 and the
    top 100 companies in Forbes’ Global 2000
    • A leading PCI compliance program
    • A leading portfolio of identity management
    • A leading forensics practice
    • First information security certification program
    (1997)
    • ICSA Labs—recognized provider of information
    security product testing and certification
    www.arcsight.com © 2009 ArcSight Confidential 3
    Market Analyst View
    •The Magic Quadrant—copyrighted 2009 by Gartner Inc. Magic Quadrant for MSSPs
    and is reused with permission (North America)
    •Graphical representation of a marketplace at and for a Gartner
    specific time period—depicts Gartner’s analysis of how
    certain vendors measure against criteria for that
    marketplace
    •Gartner does not endorse any vendor, product or service
    depicted in the Magic Quadrant and does not advise
    technology users to select only those vendors placed in
    the Leaders quadrant
    •The Magic Quadrant is intended solely as a research tool
    and is not meant to be a specific guide to action; Gartner
    disclaims all warranties, expressed or implied, with
    respect to this research, including any warranties of
    merchantability or fitness for a particular purpose
    •The Magic Quadrant graphic was published by Gartner,
    Inc., as part of a larger research note and should be
    evaluated in the context of the entire report.
    •The Gartner report is available upon request from Verizon
    Business
    www.arcsight.com © 2009 ArcSight Confidential 4
    Verizon Business SIEM Expertise
    • 10 years of experience in the SIEM market
    • Presented at the 2007, 2008, and 2009
    ArcSight User Conferences
    • Participant in the Washington DC
    ArcSight User Group
    • Provide professional services for ArcSight
    • Manage and monitor SIEM environments
    using ArcSight

    www.arcsight.com © 2009 ArcSight Confidential 5


    Goal 1—Determine Logging Requirements
    •Compliance
    –PCI, HIPPA, SOX, GLBA, FISMA, etc.

    •Retention
    –Online
    –Offline

    •Security Policy

    www.arcsight.com © 2009 ArcSight Confidential 6


    Choose Data Feeds Wisely!

    • More data does not always


    lead to better security!
    • Be careful logging the
    following
    –Firewalls
    –Routers
    –Switches
    Remember: ArcSight Logger
    is optimized for data storage
    and retention and ArcSight
    ESM shines at event
    management—know the
    strengths of each product!
    www.arcsight.com © 2009 ArcSight Confidential 7
    Goal 2—Develop an Event Analysis Strategy

    The 4 CIAP principals can serve as the basis of an event analysis strategy

    Confidentiality The limiting of data to certain places or people

    Integrity Trusting the validity of the data

    Availability Accessing the data when, where,


    and how it is expected

    Policy Specific organization-defined rules

    www.arcsight.com © 2009 ArcSight Confidential 8


    Example CIAP Use Cases

    Confidentiality SQL injection, zeus trojan

    Integrity Password brute force attacks, cross-site scripting

    Availability Denial of service, Microsoft service worm

    Policy Peer-to-peer traffic, unauthorized VoIP traffic

    www.arcsight.com © 2009 ArcSight Confidential 9


    Use Case Sources
    Sources
    –SANS top 20 security vulnerabilities
    –SANS top 25 programming errors
    –SANS 20 most critical security controls

    SANS Top 20 Primary Use Case Secondary Use Case

    Operating Systems

    W1. Internet Explorer Browser Jacking, NetIntel Hit Backdoor Traffic, IRC Activity

    W2. Windows Libraries Microsoft Advisory Microsoft Service Worm

    W3. Microsoft Office Application Vuln, Microsoft Advisory MessageLabs Verizon SMTP Service!

    W4. Windows Services Microsoft Advisory Microsoft Service Worm

    W5. Windows Configuration Weaknesses Policy Violation AUP, Brute Force

    M1. Mac OS X Browser Jacking

    U1. UNIX Configuration Weaknesses Brute Force, Attack Responses SSH Sweeps, Etc Passwd Attacks

    www.arcsight.com © 2009 ArcSight Confidential 10


    Goal 3—Measuring the Value
    Two types of reports
    1. Executive reports
    » Graphics
    » High level
    » Events processed vs. incidents
    investigated
    » Event distribution by
    location/region/business unit
    » Events and incidents per month
    2. Operational reports
    » SANS top 5 essential log reports
    » Attempts to gain access through
    existing accounts
    » Failed file or resource access attempts
    » Unauthorized changes to users,
    groups, and services
    » Systems most vulnerable to attack
    » Suspicious or unauthorized network
    traffic patterns
    www.arcsight.com © 2009 ArcSight Confidential 11
    Goal 4—
    Developing a Security Incident Workflow
    How will security analysts respond to incidents?

    ArcSight provides multiple methods


    –Active channels
    –Notifications
    –Reports
    www.arcsight.com © 2009 ArcSight Confidential 12
    Workflow—Active Channels
    • Primary workflow
    method for Verizon
    Business
    • Allows easy access to
    the security events
    • Event annotations for
    accountability
    • Supports distributed
    SOCs

    www.arcsight.com © 2009 ArcSight Confidential 13


    Workflow—Escalations
    • Email based
    • Triggered by a rule
    • Can use ArcSight web for
    acknowledgements
    –This allows non-security
    staff who may not use
    ArcSight regularly to
    respond to notifications.
    • Multiple escalation levels

    www.arcsight.com © 2009 ArcSight Confidential 14


    Workflow—Reports
    • Good for weekly, monthly, or bulk investigations
    • Policy violations and acceptable use monitoring are
    great examples

    www.arcsight.com © 2009 ArcSight Confidential 15


    Goal 5—Integrating Incident Management into
    External Tools
    • What do you do with a
    security incident has been
    identified in ArcSight?
    • Many organizations choose
    to integrate ArcSight into
    their own ticketing systems
    • Possible ticketing choices
    –ArcSight case system
    –BMC remedy
    –Internal system

    www.arcsight.com © 2009 ArcSight Confidential 16


    Summary
    When building a SOC and deploying a SIEM tool,
    remember the 5 goals

    1. Determine the logging requirements


    2. Develop an event analysis strategy
    3. Measuring the value
    4. Developing a security incident workflow
    5. Integrating incident management into external
    tools

    Questions?
    www.arcsight.com © 2009 ArcSight Confidential 17

    You might also like