Security Operation Centre – 5th generation transition
Cezary Prokopowicz, Regional Manager SEE
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Challenges you are facing
1. Nature and motivation of attacks (fame to fortune, market adversary): Research, Infiltration, Discovery, Capture, Exfiltration
2. Transformation of enterprise IT (delivery and consumption changes): consumption across traditional DC, private cloud, managed cloud and public cloud; virtual desktops, notebooks, tablets, smart phones
3. Regulatory pressures (increasing cost and complexity)
HP Security Research
(Diagram labels: Organize, Specialize; Ecosystem; Partner; FSRG; ESS)
• SANS, CERT, NIST, OSVDB, software & reputation vendors
• 2650+ researchers
• 2000+ customers sharing data
• www.hp.com/go/HPSRblog
• 6X the zero days of the next 10 competitors combined.
• Top security vulnerability research organization for the past three years (Frost & Sullivan)
• HP Security Research teams: DV Labs, ArcSight, Fortify, HPLabs, Application Security Center and Enterprise Security Services
• Collect network and security data from around the globe
HP TippingPoint protects users, apps and data with market leading network security
• Reliable: NGIPS with 99.99999% network uptime track record
• Simple: easy to use, configure and install, with centralized management
• Effective: industry leading security intelligence with weekly DVLabs updates
• HP TippingPoint has been in the leadership quadrant 9 years in a row!
• “The TippingPoint IPS products have a broad model range of purpose-built appliances, and are known for low latency and high throughput.”
• “Customers often cite ease of installation as a positive in product evaluations, especially for deployments with many devices.”
Gartner Leadership Quadrant 2013
“After a rigorous open bid process with lab tests utilizing our own network traffic, we selected the HP TippingPoint Next Generation IPS 7500NX. We searched for an IPS with minimal administrative effort, and this solution allows us to protect our network infrastructure using TippingPoint’s easy-to-use but powerful security policies.”
84% of breaches occur at the application layer
9/10 mobile applications are
HP Fortify helps you protect your applications (in-house, outsourced, commercial, open source)
• Assess (application assessment): find security vulnerabilities in any type of software
• Assure (software security assurance): fix security flaws in source code before it ships
• Protect (application protection): fortify applications against attack in production
HP Fortify named leader in Gartner AST MQ
Once again, Gartner not only acknowledged Fortify’s years of successful market execution but also called out several areas in which HP is leading in delivering on new technologies to stay ahead of the bad guys.
Strengths:
• Comprehensive SAST capabilities: the most broadly adopted SAST tool in the market.
• Evolved AST to address iOS and Android mobile apps.
• Innovative IAST capabilities.
• Early innovator with runtime application self-protection (RASP) technology.
Client outcome: SAP (enterprise software)
• Significantly enhanced the security of SAP software, with increased number of security patches since 2010
• Met board requirements for product security
• Protected revenue-generating applications
HP ArcSight: act with laser clarity against threats that matter
Collect, Analyze, Prioritize
• Transform Big Data into actionable security intelligence
• Real-time correlation of data across devices to find threats
• Cyber forensics: fix what matters most first
HP ArcSight named leader in Gartner SIEM MQ 2013
• HP ArcSight named a leader in the Gartner Magic Quadrant for Security Information and Event Management (SIEM), 10 years in a row.
• The most visionary product in the Gartner SIEM MQ
Vodafone (Telecommunications)
“We receive 550 million events per week from our security systems. Due to the aggregation and correlation capabilities of HP ArcSight ESM, those events are reduced to about 50,000 prioritized events. That’s an efficiency factor of 1 to 11,000!”
Manfred Troeder, Head of Global Security
HP Atalla helps you secure your sensitive information
• Cloud and Data Security: encrypt and protect keys and data in public, hybrid, and private clouds
• Information Protection & Control: embed security at the point of creation for sensitive enterprise data
• Payments security: secure payments and transacting systems
“As the largest processor of Visa debit transactions globally, Visa Debit Processing Services is responsible for securing more than 23 billion debit transactions in the U.S. and prepaid transactions in the U.S. and Canada on an annual basis. HP Atalla is a critical piece of our enterprise IT portfolio, delivering innovative security solutions with the operational excellence, performance and reliability that helps Visa DPS enable secure access to business-critical payment processing data.”
Chris James, Senior Vice President, Product Development, Issuer Processing, Visa Inc.
(Figure: breach statistics; leading value of the first statistic lost in extraction)
of breaches are reported by a 3rd party
average time to detect breach: 3 days
(Timeline: January 2014 to 2015)
130%
Cyber Defense Center (CDC)
Security Operations Center (SOC)
Threat Operations Center (TOC)
Security Defense Center (SDC)
Cyber Security Intelligence Response Center (C-SIRC)
Threat Management Center (TMC)
Security Intelligence and Operations Center (SIOC)
Security Intelligence and Threat Handlers (SITH)
Security Threat and Intelligence Center
SOC Concept of Ops (diagram; steps numbered 1 to 7)
Technology: Firewall, Network ID/PS, Web server, Proxy, ESM server
People: Level 1, Level 2, Engineer, Incident Handler
Process: Escalation to Network & System Owners, Business, Intel / Threat; Case closed
Drive to higher ROI / Vision
Log Management
• Centralize Logs
• Retain Data
• Comply with Regulations
Near Time Alerting
• Streamline Event Feeds
• High fidelity correlation
• Custom Reporting
Data Analysis
• Correlate Technologies
• Analyze Forensic Evidence
• Create Automated Reporting
Real Time Analysis & Incident Response
• Monitor Events in Real-time
• CIRT - Integrated Workflow
• Minimize Response Time
• Continual tuning
Security Intelligence
• Analysis in depth
• Hunters as well as Defenders
• Information Fusion
• Uncovering new threats
SOC Maturity Assessment
(Chart: SOMM Level, scale 0.00 to 2.50, for Business, People, Process, Tech; Company A vs Average)

Maturity Assessment Score (Comments column not extracted)
Business: 2.44
  Mission 1.86; Accountability 1.21; Sponsorship 2.18; Relationship 2.15; Deliverables 3.00; Vendor Engagement 2.67; Facilities 1.27
People: 1.82
  General 1.98; Training 2.61; Certifications 1.58; Experience 2.00; Skill Assessments 0.88; Career Path 1.92; Leadership 1.50
Process: 0.63
  General 2.01; Operational Process 1.67; Analytical Process 0.00; Business Process 0.00; Technology Process 0.00
Technology: 2.60
  Architecture 1.54; Data Collection 3.69; Monitoring 1.50; Correlation 1.37; General 2.13

Roadmap
                Current   Phase 1                Phase 2               Phase 3
Timeline                  6 mos                  1 yr                  2 yr
SOMM Target     1.6       2.0                    2.5                   3.0
Use Cases       Logging   Perimeter, compliance  Insider Threat, APT   Application Monitoring
Staffing        Ad hoc    4 x L1, 1x             8 x L1, 2x L2         12 x L1, 2x L2, 2x
93 assessments, 69 discrete SOCs
2/5 on maturity continuum
24% fail to meet security requirements
Security for the New Reality
5G SOC
5G/SOC
• Acknowledge security threats are driven by human adversaries
• Assume compromise
• Anti-fragile enterprise, led by intelligence, not vulnerabilities
• Interaction with peers; organizations readily share information
• Hunt teams search large data sets to find threats and attack patterns we did not know about previously
• Convergence of IT Security and IT Operations tools to facilitate better visibility
• Data visualization drives how anomalies are discovered and researched
• The SOC must align to the business and demonstrate meaningful value
• Get data from all sources
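A hunt of the kind the slide describes, written for this page as an added example (not HP or ArcSight code): instead of matching a known signature, it scans constructed proxy log records for a host contacting one destination at near-constant intervals, a beaconing pattern no rule was written for yet. The hosts, destinations, timestamps and thresholds are all assumed values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy records as (timestamp in seconds, host, destination).
# 10.0.1.5 calls out roughly every 300 s with small jitter (a beacon);
# 10.0.2.7 browses the same destination irregularly (normal use).
BEACON = [(300 * i + (i % 3), "10.0.1.5", "203.0.113.9") for i in range(24)]
BROWSING = [(t, "10.0.2.7", "198.51.100.4")
            for t in (5, 9, 300, 310, 1200, 4000, 4002, 7100)]
PROXY_LOG = sorted(BEACON + BROWSING)

def intervals_by_pair(log):
    """Group timestamps per (host, destination) and return the gaps
    between consecutive requests for every pair seen more than once."""
    seen = defaultdict(list)
    for ts, host, dest in log:
        seen[(host, dest)].append(ts)
    return {pair: [b - a for a, b in zip(stamps, stamps[1:])]
            for pair, stamps in seen.items() if len(stamps) > 1}

def find_beacons(log, min_samples=10, max_cv=0.1):
    """Flag pairs whose request gaps are suspiciously regular: the
    coefficient of variation (stdev / mean) of the gaps stays below
    max_cv over at least min_samples gaps. Thresholds are assumptions
    a hunt team would tune against its own traffic."""
    hits = []
    for (host, dest), gaps in intervals_by_pair(log).items():
        if len(gaps) < min_samples:
            continue  # too few samples to call anything regular
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append({"host": host, "dest": dest,
                         "period_s": round(avg), "cv": round(cv, 3)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(PROXY_LOG):
        print(f"{hit['host']} -> {hit['dest']}: period ~{hit['period_s']}s, cv={hit['cv']}")
```

Pairs with fewer gaps than min_samples are skipped rather than scored, which is why the browsing host never produces a hit even though its data is small.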
HP ArcSight - #1 real time security correlation platform
Collection, Consolidation, Correlation, Collaboration
HP ArcSight differentiates on four key capabilities
Collection
• Collect events from any system or application
• Add context for assets, users, and business processes
• Extend to new data types easily
Correlation
• Pattern recognition and anomaly detection to identify modern advanced threats
• Analyze roles, identities, histories and trends to detect business risk violations
• The more you collect, the smarter it gets
Collaboration
• Incorporates application security from HP Fortify
• Integrates reputation data from HP DVLabs
• Cloud Connections Program to get visibility into cloud data in addition to physical and virtual layers
• Bi-directional integration with HP IT management, Autonomy, Vertica and Hadoop
Consolidation
• Universal Log Management of any data to support IT operations, security, compliance and application development
• Search and report on years of data to investigate outages and incidents quickly and easily
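The collect, consolidate and correlate flow from this slide, together with the ConOps diagram earlier in the deck (firewall, network IDS and proxy feeding the ESM server, then Level 1 / Level 2 handling), as an added example written for this page rather than ArcSight's own code: constructed events are folded into counts, one cross-source rule opens cases, and asset context decides which tier gets them. The event lines, asset table, rule and tier names are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed raw events as (source, host, detail). Sources are the ones
# the ConOps slide shows feeding the ESM server: firewall, network IDS, proxy.
EVENTS = (
    [("firewall", "10.0.1.5", "allow tcp 203.0.113.9:443")] * 400
    + [("ids", "10.0.1.5", "signature: possible C2 beacon"),
       ("ids", "10.0.1.5", "signature: possible C2 beacon"),
       ("proxy", "10.0.1.5", "POST 203.0.113.9 1.2MB"),
       ("firewall", "10.0.2.7", "allow tcp 198.51.100.4:80")] * 50
    + [("proxy", "10.0.2.7", "GET 198.51.100.4 2KB")] * 100
)

# Constructed asset context ("context for assets, users, and business
# processes"); hypothetical names.
ASSETS = {"10.0.1.5": "finance-db", "10.0.2.7": "lobby-kiosk"}
CRITICAL_ASSETS = {"finance-db"}

def consolidate(events):
    """Consolidation: fold identical raw events into event -> count."""
    return Counter(events)

def correlate(aggregated):
    """Correlation: an IDS signature plus an outbound POST from the same
    host opens a case; asset criticality sets the SOC tier that gets it."""
    facts = defaultdict(set)
    for source, host, detail in aggregated:
        if source == "ids":
            facts[host].add("ids-signature")
        elif source == "proxy" and detail.startswith("POST"):
            facts[host].add("outbound-post")
    cases = []
    for host, seen in facts.items():
        if {"ids-signature", "outbound-post"} <= seen:
            asset = ASSETS.get(host, "unknown")
            tier = "Level 2" if asset in CRITICAL_ASSETS else "Level 1"
            cases.append({"host": host, "asset": asset, "tier": tier})
    return cases

def run_pipeline(events):
    """Returns (raw event count, consolidated event count, prioritized cases)."""
    aggregated = consolidate(events)
    return len(events), len(aggregated), correlate(aggregated)

if __name__ == "__main__":
    raw, unique, cases = run_pipeline(EVENTS)
    print(f"{raw} raw events -> {unique} consolidated -> {len(cases)} case(s)")
    for case in cases:
        print(case)
```

The kiosk host generates plenty of firewall and proxy noise but never satisfies the rule, so only the critical host reaches an analyst, which is the volume reduction the slide is selling.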
HP’s industry-leading scale (figure values and labels; slide layout lost in extraction)
2.3 billion
HP Secured User Accounts
47m
HP Security Professionals
5000+
10 out of 10 Top telecoms
9 out of 10 Major banks
Global Security Operations Centers: 8
(Map legend: Global SOC; Planned regional SOC)
900+
All major branches, US Department of Defense
9 out of 10