In this presentation we will look at the cause and effect of the problem, analyze preparedness and learn how you can better prepare, detect, respond and recover from cyber-attacks.
2. 2
Copyright @2016 Aujas Information Risk Services
Typical Security Incident
One Day at a Utilities Company
Customers calling
about slow network
(Discovery of large
amounts of suspicious
traffic)
7:00 AM
Normal business
disrupted
(Unknown malware
discovered. Wave of
DDOS attacks)
8:00AM
Attack on internal
systems. Data Breach.
(Malware and DDOS was
just a distraction for
backdoor entry)
12:30 PM
Story in media as the
attacks continue and
spreads to partners.
(Incident response team
still struggling to restore
services)
2:30 PM
All business operations
grinds to halt
(Real-time applications
down. Remote employees
disconnected. Connection
to DB lost …)
5:00 PM
Every attempt to
recover - unsuccessful
(Lack of a unified and
tested incident response
process is expensive)
7:00 PM
3. 3
Copyright @2016 Aujas Information Risk Services
Design documents and source codes
of company’s flagship products have
been stolen.
Business partners can also be
impacted by the attack.
The organization’s reputation is in
jeopardy.
Clients and business partners are
angry and decide to terminate
contracts.
Law enforcement and regulators
start investigations.
Claims that cyber attackers are
taking down the organization are
spreading throughout media channels.
Sensitive client information is posted
to public domains.
Password list is stolen and made
public.
Production databases have been
deleted.
Internal communications and other
critical applications are down.
12-Hours Can Become Devastative
4. 4
Copyright @2016 Aujas Information Risk Services
Best Defense
Early Detection and Rapid Response !
Source: Verizon Data Breach Report
It just takes minutes to
compromise and steal data.
But it takes weeks to months to
discover and contain.
How can you reduce the
gap ?
5. 5
Copyright @2016 Aujas Information Risk Services
IS-IM Governance
Creation of cross functional
teams, interaction models,
reporting and defining their
roles and responsibilities.
Use Framework
Go for a framework based approach
IS-IM Policies &
Procedures
Policies and procedure for
operating IS-IM model.
Incident Database
Knowledge base of response for
common scenarios based on
knowledge, as well as actual
incident learning.
Training & Awareness
Operation process training, create
awareness of applicable
organization policies, and do
simulations.
Emergency
Response Service
Coverage for emergency
response with specialization,
assistance and forensics.
.
Monitoring & Reporting
Reactive and proactive
monitoring services.
Technology Integration
Integration with event/log
correlation tools and threat
intelligence tools.
6. 6
Copyright @2016 Aujas Information Risk Services
Incident Monitoring
Upgrade SOC Competency
Internal Threat
Intelligence
Visualize assets based on
criticality, and vulnerabilities to
those assets.
Threat intelligence feeds and
SIEM alerts to take a risk based
view on prioritization of risk
mitigation.
Adding reverse malware
analysis and forensics as
capabilities.
Go beyond reputation
(IP/URLs) and focus on
customization based on
industry feeds, company URL
and profile of people.
Indicators of compromise
based on reverse malware
analysis for scanning, infection
and information about zero day
vulnerabilities.
Behavioral profiling for users
and systems.
Database searches and
statistical modeling, reporting
and visualization.
External Threat
Intelligence
Strength of
Analytics
Context and enrichment. Post
correlation, joining the dots to
see the attack chain.
Visibility. Visualization to the
state of security.
Situational
Awareness
7. 7
Copyright @2016 Aujas Information Risk Services
Situational
Awareness
Ability to identify what is
happening in the network.
Weaponization
and Delivery
Transmission or Injection of
malicious payload into the
target.
Reconnaissance
Identification and selection
of the target/s host or
network by active scanning.
Lateral Movement
Detect, exploit and
compromise other
vulnerable hosts.
Kill Chain
Military Strategy: A model for stages of attack, and very valuable for prevention of attack.
Data Exfiltration
Steal and transfer data
outside.
Corporate Policy Violation
Do not comply with security
policy.
Persistency
Establish a foothold in the
corporate network.
8. 8
Copyright @2016 Aujas Information Risk Services
Incident Response
SOC 2.0 Operations – Incident response based on kill chain
Know your
adversaries
and their
methods
Detect
threat
activity in kill
chain
Disrupt the
kill chain
and stop the
attack
Eradicate
threat agent
and remove
the threat
Threat Intelligence
Security Operation
Incident Response
Response StrategyThreat Indicators
9. 9
Copyright @2016 Aujas Information Risk Services
Advanced SOC
Strategy and Roadmap SIEM Optimization SOC Governance
SOC Processes and
Workflows
1 2 3 4
• Maturity assessment
across governance,
operation, technology and
integration and processes
• Strategy development
from Current State and
Future State
• Roadmap with milestone
and financial budgeting
• Use Case Fine tuning
and framework
• New use case creation
• Response run book
• Log source integration
• Reporting and
visualization
• SOC Organization
• Roles and Responsibilities
and RACI
• Performance indicator and
management
• Skill Analysis, metrics &
Training
• Roster management
• Incident Management –
Monitoring, Validation,
Analysis, Triage,
Escalation, Response and
Resolution
• Problem Management
• Forensics Process
• Device on-boarding
SOC Reporting
and Analytics
SOC Operations
5
• SOC Advanced
Reporting
• Visualization
• Analytical
Reporting and
Dashboards
L - 1
Monitoring and
Validation
L - 2
Triage and
Escalation
L – 3
Response and
Coordination
Security Integration
Vulnerability Mgmt
Asset Management
Identity Mgmt,
Data Security
Incident /ticketing tool
Security Analytics & Incident
Reporting
SIEM Architecture
SOC Engineering
Rule Dev/Tuning
Tool Integration
Device Mgmt
SIRT
Incident Handling
Forensic Handling
Security 2.0 Operations
Incident Monitoring
IOC Management
SIEM Rules and Use Case
Response Playbooks
Threat HuntingSimulations and Stress Test
6
11. Q1. What is a Threat Pursuit team? How can it help?
Threat pursuit teams are critical component for next generation SOCs and their main job is to watch out for threats
proactively. It ideally consist of 1-2 people with “hunter” skills, defined as below:
This team is typically responsible for the following:
Review and analyze external threat intelligence feeds from industry, open source and security partners.
Evaluate emerging threats.
Internal proactive analysis of events, offenses and exploits.
Proactive risk mitigation and analysis of emerging threats relevant to the organization.
Operationalize threat detection and threat response based on intelligence feeds.
Research, create, modify use cases/rules.
Provide actionable to respective resolutions team.
Create hypothesis for hunts and hunt missions.
Test hypothesis and identify patterns.
Provide actionable inputs.
12. Q2. How do we know there is an attack? How important is SOC here?
There are 3 ways to know if you are already under attack.
1. By leveraging IoC tools like RSA ECAT which has large database of indicators of compromise and scans all end points to
look for those indicator of compromise.
2. By hunting for threats. This is possible by two mechanisms. One is to look for threat indicators either coming from threat
intelligence feeds or your hypothesis which is being tested and second method is behavior anomalies which might point
to compromise. Popular tools in these domains are cyber reason and SQRRL.
3. By using Kill Chain based SIEM rules which are chained to identify attacks in the cycle and identify.
All three models are considered as next generation SOC and SOCs do play a critical role in threat hunting and cyber security
attack detection. Once detected, then the work of containment and eradication is done by respective resolver groups from
systems, applications, network and database which typically form the CERT/ ISIRT teams.
Q3. How to make use of Threat Intelligence feeds to detect Cyber attacks pro-actively?
Threat intelligence is very valuable in preventing cyber attacks, and can be used both manually and in an automated
manner in an SOC.
A. Threat hunter can use the threat intelligence feed to view, validate and research the vulnerabilities, applicability of the
malwares, bad IPs, URLs and map to organization’s assets etc. to proactively protect the systems.
B. The automated process is via STIX/TAXII compliant ingestion and acting for auto blocking bad IP and URLs, file names
and checksums etc.
13. Q4. What are some of the best practices to track employee network behavior without
infringing on privacy? Example: social media activities.
There are policies to track user behavior which provide exceptions to monitor employee financial transactions and related
traffic. Some of the advanced threat hunting platforms can pull everything from network traffic, logs, authentication
information to full packet capture but they are useful in big data and machine learning scenarios to identify anomalies and not
really to look into details of individual transactions.
As far as forensics is concerned, private information is still obfuscated and only relevant information is searched that is
needed for data security breaches.
Q5. Can you share case details related to specific industries. E.g. BFSI, Telecom, Utilities, etc.
Given that we have worked with many popular companies in the various industries, we get to know of specific cases, but
would definitely not be sharing the details with others from a privacy perspective. Having said that, we can always share
industry best-practices, and can provide specific suggestions on case-specific basis. You can reach us at www.aujas.com
14. Q6. What to do in the case of Zero Day attack, when the patch is yet to be made available?
All attacks follow the incident lifecycle of detection, validation, containment and eradication. In case of zero day attack, if
detected via threat intelligence/ behavior analysis, and the patch is yet to be made available, than you should figure out
complementary and monitoring controls.
For example, if you see a zero day attack for SSL connection and you do not have any patch and you cannot stop SSL as
that is the primary source of connection but there is a risk of getting sniffed then you start monitoring connection for anomaly
by SSL offloading and full packet inspection and in case you do not have that capability, then you just monitor packet size as
normal HTTP request and response size is 4 to 5KB and it meets that criteria.
15. SOC Organization Structure Template (Ideal Scenario)
1. One SOC Manager
2. Three L3 resources, one specializing in Network, Second in OS and third in Applications for expertise and quick triage
and validation.
3. Three L3 resources with experience in OS, Web App and Network security and each resource to have additional
knowledge and experience in Steal watch, DLP, DRM, DAM and Firewall/ IPS.
4. Eight L1 resources with combination of skills in Network, OS and Application knowledge.
5. Two SIEM administrators; one specializing in customization of connectors and use case configurations while the other
will perform day to day operations like user and group management, reporting and dashboards.
6. One Threat Analyst/ Hunter.
Q7. What is the mix of skill-sets required for an ideal SOC?
One should have a good mix of monitoring, triage, incident response, threat hunter, SIEM administrator and a forensic expert
in the SOC.
If possible, you should cross train few people to hold multiple responsibilities. A SOC Manager to manage skill inventory,
roster, and career progression is recommended.
16. Defined Cyber Risk Governance – Governance framework is vital for managing cyber risks, it is important to establish
various teams with clear roles and responsibilities along with integrations with other teams like Business Continuity, Disaster
Recovery and Crisis Management.
Understand Organization Cyber Landscape – Organization should understand cyber vulnerabilities for multiple locations
where data is stored, transmitted or accessed by various stakeholders (internal employees, partners, clients etc.).
Identify Critical Processes and Assets – Identify most critical revenue generating “Organization unit”, processes and
assets. Understand where they are located and how they are accessed and by whom.
Identify Cyber Threats – Analyze and consolidate the applicable cyber threats which the organization wants to manage.
Robust threat-analysis capability to be established based on internal and external sources.
Plan & Respond – Clear and defined procedures in form of playbook aids in effective cyber risk management. These
procedures needs to clearly define the incident lifecycle, teams to be involved with their roles & responsibility, escalation
mechanism and time to resolve/escalate. Monitoring team should effectively identify, analyze and report the cyber incidents
to the respective team for their action and responses.
Q8. What specific steps you recommend for BFSI to minimize cyber risk?
Define Cyber
Risk
Governance
Understand
Organization
Cyber
Landscape
Identify
Critical
Processes
and Assets
Identify Cyber
Threats
Plan &
Respond
18. Aujas
InformationRiskManagement
We help organizations manage information security risks
by protecting data, software, people and identities in line
with compliance requirements and best practices; we
also help strengthen security governance and intelligence
frameworks.
Global Delivery
Model
Lifecycle Services
Approach
Accelerators for
Customers
Strong Project
Management
Investors: IDG,
IvyCap, RVCF
Professionals
38022
Countries
400
Customers
www.aujas.com
19. Security Analytics &
Visualization Platform
Security Portfolio
Risk Advisory
Identity & Access
Threat
Management
Security Intel & Ops
Digital Security
Vulnerability Intel
Co-Managed
Security
Vendor Risk
Data Protection
Services
Platform as a Service
(PaaS)
US. UAE. India | www.aujas.com Copyright @2016 Aujas Information Risk Services
Functional Practices