Despite best efforts and substantial financial investment, costly breaches continue to happen at an alarming rate. The common approach to securing assets by purchasing sophisticated, layered security technologies is not working. These technologies are necessary, but not enough. A best practice model to minimize risk combines technology with continuous monitoring by security experts in a SOC. This session presents a model for effectively monitoring hybrid, multi-cloud environments. It covers the basic architecture of a modern SOC and proposes a pragmatic approach to providing complete visibility into all potential attack surfaces.
2. Agenda
• About Open Systems
• The Importance of Continuous Monitoring
• Building Blocks Of A Modern Security Operations Center (SOC)
• Case Studies
• Wrap-up
3. Open Systems – Deep Expertise, Global Reach
• 2M+ Users
• 6,000+ Deployments
• 20+ Years of customer success
• 180+ Delivering services in 180+ countries
• 24/7 Follow-the-sun operations
6. Technology-Driven Approach to Security
The average large enterprise has security products or services from 32 different vendors in its IT environment.
Challenges
• Alert fatigue
• Security silos
• No feedback loop
7. Best Practices Approach to Minimize Risk
Technology: Prevention Layer
+
Security Operations Center (SOC): Continuous Monitoring
8. What is a SOC?
• Continuous monitoring
• Staffed by security experts
• Advanced threat detection
• Containment
• Incident response
People, Process and Technology
9. A SOC Should Provide Comprehensive Monitoring for all Potential Attack Surfaces
Network Endpoint Cloud
10. SOC Work Effort: Primary Phases
• Collect: Log Data
• Detect: Techniques and Technology
• Respond: Incident Response and Containment
• Remediate: Restore Targets, Tune Security Stack
11. Anatomy of a SOC Platform
Pipeline: Sources → Ingestion → Parsing → Analysis → Raw Storage → Security Team
• Sources: Firewall, NSM Sensor, IDS/IPS, SWG, EPP/EDR, IAM, DNS, Server, 3rd party, Servers, IaaS, SaaS, Security SW
• Ingestion: Collecting Logs, Secure Transport
• Parsing: Extract Security-Relevant Fields, Normalize Data
• Analysis: Threat Intelligence, Enrichment, Correlation
• Raw Storage
• Security Team: Investigations, Analyzed Incident, Threat Response
12. Sources, Ingestion and Parsing
• Security Layer: Firewall, IDS/IPS, EPP, Web proxy
• Cloud: IaaS, SaaS, Security software
• Infrastructure: Active Directory, DNS, Critical assets
Identify security-relevant data and create default alert rules
Store all in raw log format
13. Threat Intelligence and Enrichment
• Latest Global Threat Intelligence: IDS and EPP Signatures, IP Reputation, DNS Reputation, Malicious URL
• Enrichment: Geo-IP, Whois, Passive DNS, VirusTotal, Malware Sandbox
14. Use Case 1: The Importance of Correlation
• EPP alerted on PowerShell originating from Excel
• PowerShell script executed C2 outreach
• Web proxy blocked connection
Log Sources: EPP Software, IDS/IPS, Web Proxy
SOC Correlation Prevented False Positive
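The parse, normalize and correlate stages from the "Anatomy of a SOC Platform" slide, run over the three log sources of use case 1, as an added example that is not part of the original deck or of Open Systems' platform. The key=value log format, the host names, the signature text and the 120-second correlation window are assumptions made for this example.

```python
"""Toy SOC correlation pass over three log sources (EPP, IDS/IPS, web
proxy): extract fields, normalise timestamps, correlate per host inside a
time window. Log lines, field names and hosts are constructed for this example."""
from datetime import datetime, timedelta
import re

# Constructed sample events for use case 1: EPP sees PowerShell spawned
# by Excel, IDS flags the C2 beacon, the web proxy blocks the connection.
SAMPLE_LOGS = """\
2024-05-01T10:00:05Z src=epp host=WS-117 event=process_start parent=EXCEL.EXE child=powershell.exe
2024-05-01T10:00:09Z src=ids host=WS-117 event=alert sig="Possible C2 beacon" dst=203.0.113.7
2024-05-01T10:00:09Z src=proxy host=WS-117 event=http dst=203.0.113.7 action=BLOCK
2024-05-01T10:30:00Z src=proxy host=WS-042 event=http dst=198.51.100.9 action=ALLOW
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse(line):
    """Parsing stage: keep the security-relevant fields, normalise the time."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def correlate(lines, window=timedelta(seconds=120)):
    """Correlation stage: for each EPP 'Office spawned PowerShell' alert, look
    at the same host's IDS and proxy events inside the window and decide whether
    the C2 outreach was blocked (contained) or got through (escalate)."""
    events = sorted((parse(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    verdicts = {}
    for e in events:
        if e["src"] != "epp" or e.get("child", "").lower() != "powershell.exe":
            continue
        related = [r for r in events if r["host"] == e["host"]
                   and timedelta(0) <= r["ts"] - e["ts"] <= window]
        c2 = {r.get("dst") for r in related if r["src"] == "ids" and "C2" in r.get("sig", "")}
        blocked = {r.get("dst") for r in related
                   if r["src"] == "proxy" and r.get("action") == "BLOCK"}
        if not c2:
            verdicts[e["host"]] = "epp-alert-only"
        elif c2 <= blocked:
            verdicts[e["host"]] = "c2-blocked-by-proxy"  # every C2 destination was blocked
        else:
            verdicts[e["host"]] = "c2-reached-escalate"
    return verdicts
```

On the constructed sample, `correlate(SAMPLE_LOGS.splitlines())` yields the verdict that the C2 outreach from WS-117 was blocked by the proxy, which is the cross-source view the single EPP alert cannot give.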
15. Use Case 2: The Importance of Correlation
• Malicious executable downloaded from WordPress
• Web Proxy log noted a blocked connection, but incomplete HTTP header in the capture is suspicious
• Investigating host to determine if it is compromised
Log Sources: IDS/IPS, Web Proxy, EPP
SOC Correlation Used to Identify Suspected True Positive
16. Use Case 3: The Importance Of Correlation
• Compromised system: suspected APT due to traffic from suspicious source IP
• Suspicious IP scanning multiple sources
• IP reputation used to identify malicious scanner
Log Sources: Server/Network, Secure Web Gateway
SOC Correlation Used to Properly Categorize Threat
17. Use Case 4: The Importance of Correlation
• Reported BEC - $1M+ USD lost
• Analysis of fraudulent emails; 400+ related domains and at least one additional victim
• Malicious domains confirmed
Log Sources: Business Email Compromise (BEC), Mail Headers, DNS
SOC Correlation Identified True Positive
18. SOC Roadmap: Evolving Threat Detection
• Continuous root cause analysis
  • Should be built into SOC workflow
  • Cover both false positives and false negatives
• Proactive
  • MITRE framework
  • Breach and attack simulation tools
  • Pen testing
  • Red team/blue team exercise
19. Using A SOC to Minimize Risk
• Feedback loop for tuning of security layer (Firewall, Secure Web Gateway, IDS/IPS)
• Support compliance initiatives
• Expert advice to improve security posture
20. Summary
• Best practice to minimize risk is to combine security layer with continuous monitoring
• SOC used to detect advanced threats using TI, enrichment and correlation
• SOC provides expert advice to minimize risk and improve security posture