Building Maturing and Rocking A Security Operations Center Brandie Anderson PDF

This document discusses building, maturing, and managing a security operations center (SOC). It covers key topics like use case creation, staffing the SOC with the right roles and responsibilities, establishing processes and procedures, choosing documentation repositories, designing workflows, using metrics to measure performance, and applying a Capability Maturity Model to continually improve the SOC. The overall goal is to establish an effective SOC and find ways to optimize its performance over time.

Uploaded by

Bhabesh Kumar

Slide 1: Building, Maturing & Rocking a Security Operations Center
Brandie Anderson
Sr. Manager, Global Cyber Security Threat & Vulnerability Management
Hewlett-Packard
Slide 2: Agenda
• To be or Not to be…
• What is a SOC?
• Use Case Creation
• People
• Process & Procedure
• Documentation
• Workflow
• Metrics
• I don’t want to grow up
• Rocking a SOC
• Questions
Slide 3: To be or Not to be…
• Building a SOC is a business decision
• Organization size
• Compliance factors
• Reduce the impact of an incident
• ROI
• Proactive reaction
Slide 4: What is a SOC?
Through people, processes and technology, a SOC is dedicated to the detection and investigation of, and response to, log events triggered by security-related correlation logic.
Slide 5: ArcSight Correlation
Slide 6: Use Case Creation
Headlines shown on the slide:
• 91% of Targeted Attacks Start with Spear-phishing Email
• Large-Scale Water Holing Attack Campaigns Hitting Key Targets
• Microsoft's Patch Tuesday Leaves Out Crucial Internet Explorer Fix
• Adobe Data Breach Exposes Military Passwords
Slide 7: People
Slide 8: Roles and Responsibilities / Staffing Models

Roles and Responsibilities
• Level-1 and Level-2 Analysts
• Operations Lead
• Incident Handler
• SIEM Engineer
• Content Developer
• SOC Manager
• Security Device Engineers
• System Administrators
• Network Administrators
• Physical Security

Staffing Models
• Establishing coverage
• Determining the right number of resources
  • 8x5 = Min 2 Analysts w/ on-call
  • 12x5/7 = Min 4-5 Analysts w/ on-call
  • 24x7 = Min 10-12 Analysts
• Finding the right skills
• Ensuring on-shift mentoring
• Continuous improvement
• Resource Planning
Slide 9: Training and Career Development

Training
• Information security basics
• On-the-job training
• SIEM training
• SANS GCIA and GCIH

Career development
• Avoiding burnout
• Providing challenges
• Outlining career progression (exactly how do I get from level 1 to level 2 to lead, etc.)
• Skill assessments
• Certifications
Slide 10: Process & Procedure

Operational
• Call Out
• Case Management
• Event Handling
• Monitoring
• On-boarding
• Shift Log
• Shift Turn Over
• Triage

Analytical
• Event Analysis
• Incident Management Response
• Reporting
• Research
• Threat Intelligence
• Use Cases

Business & Technology
• Access
• Architecture
• Compliance
• DR/BCP
• Process Improvement
Slide 11: Documentation Repository Choices

Microsoft SharePoint
Pro:
• Approved by Policy
• Already deployed, supported both internally & by Microsoft
• Integrates with Active Directory & MS Office
• Allows for Calendars, Task Assignment, Notifications, Document Revision Tracking
Con:
• Complicated to use
• Typically hard to find information (search)
• Not very flexible
• No real revision control

File Shares
Pro:
• Everyone has MS Office
• Everyone knows how to use a file share
• Does not require specific technology knowledge
Con:
• Cluttered
• Overlap of information
• Nearly impossible to search for information
• Requires someone in charge of upkeep
• No revision control

Wiki
Pro:
• Open Source
• Editor utilizes Markup Language (HTML-like)
• Easy to Search
• Malleable
• Revision Control
• Plugins allow extensive customization
Con:
• Open Source
• Not Vendor supported
Slide 13: Workflows
• SOC
• Departmental
• Organizational

SOC workflow shown on the slide: Rule Fires → Queued (as Event, Incident or Case) → Level 1 Triage → Level 2 Investigating → outcome: Close Events, Engineering (Filter/Tuning) or Incident Response → Closed or Ticket.
Slide 14: Metrics
• How many events are coming in?
  • Raw Events
• How many data endpoints are collected / monitored
• How many different types of data
• How many use cases
• What is coming out?
  • Correlated Events
  • Incidents / Cases
• How quickly are things handled?
  • Event recognition
  • Event escalation
  • Event resolution
• Further defined
  • Per hour/day/week/month
  • Per analyst
  • Per hour of day / per day of week
  • Incident / case category / severity
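As an added worked example (not from the deck), here is how the handling-time and volume metrics listed above can be computed from a case-management export; the case records, analyst names and timestamps are constructed sample data.

```python
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import mean

# One queued event/case as it might appear in a case-management export (hypothetical schema).
Case = namedtuple("Case", "id analyst fired recognized escalated resolved outcome severity")

# Constructed sample records; analyst names are placeholders. Timestamps: rule fired,
# Level-1 recognition, escalation to Level 2 (None if never escalated), resolution.
CASES = [
    Case("C1", "alice", "2024-03-04T08:02:00", "2024-03-04T08:10:00", None,                  "2024-03-04T08:25:00", "closed",   "low"),
    Case("C2", "bob",   "2024-03-04T09:15:00", "2024-03-04T09:20:00", "2024-03-04T09:40:00", "2024-03-04T11:10:00", "incident", "high"),
    Case("C3", "alice", "2024-03-04T09:50:00", "2024-03-04T10:30:00", None,                  "2024-03-04T10:45:00", "tuning",   "low"),
    Case("C4", "bob",   "2024-03-04T13:05:00", "2024-03-04T13:07:00", "2024-03-04T13:30:00", "2024-03-04T14:00:00", "incident", "medium"),
]

def minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def handling_times(cases):
    """'How quickly are things handled?': mean minutes to recognition, escalation and resolution."""
    recognition = [minutes(c.fired, c.recognized) for c in cases if c.recognized]
    escalation = [minutes(c.recognized, c.escalated) for c in cases if c.escalated]
    resolution = [minutes(c.fired, c.resolved) for c in cases if c.resolved]
    return {"recognition": mean(recognition), "escalation": mean(escalation), "resolution": mean(resolution)}

def per_analyst(cases):
    """Mean minutes from rule firing to resolution, broken out per analyst."""
    times = defaultdict(list)
    for c in cases:
        if c.resolved:
            times[c.analyst].append(minutes(c.fired, c.resolved))
    return {analyst: mean(t) for analyst, t in times.items()}

def per_hour_of_day(cases):
    """How many rules fired in each hour of the day (shift load profile)."""
    load = defaultdict(int)
    for c in cases:
        load[datetime.fromisoformat(c.fired).hour] += 1
    return dict(load)

def by_outcome(cases):
    """'What is coming out?': closed events, tuning requests and incidents."""
    counts = defaultdict(int)
    for c in cases:
        counts[c.outcome] += 1
    return dict(counts)
```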
Slide 15: Maturing
• Understand the 80/20 rule
• Leverage metrics
• Expand senior leader dashboard view
• Institute CMM methodology
• Monitor organizational health
• Increase complexity
Slide 16: CMM Example
According to the book Pragmatic Security Metrics – Applying Metametrics to Information Security*, an information security version of the Capability Maturity Model (CMM) looks loosely like this:

“Level 1: Ad hoc: information security risks are handled on an entirely informational basis. Processes are undocumented and relatively unstable.
Level 2: Repeatable but intuitive: there is an emerging appreciation of information security. Security processes are not formally documented, depending largely on employees’ knowledge and experience.
Level 3: Defined process: information security activities are formalized throughout the organization using policies, procedures, and security awareness.
Level 4: Managed and measurable: information security activities are standardized using policies, procedures, defined and assigned roles and responsibilities, etc., and metrics are introduced for routing security operations and management purposes.
Level 5: Optimized: Metrics are used to drive systematic information security improvements, including strategic activities.”

*Brotby & Hinson, 2013, p. 47

CMM (Capability Maturity Model) is registered to Carnegie Mellon University.
Slide 17: Rocking It
Incident handling phases shown on the slide:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
Slide 18: Questions
Thank you!