
Cyber Security Operations: Building or Outsourcing

Date post: 01-Jan-2017
Cyber Security Operations: Building or Outsourcing
Michael Levin, Optum; Stephen Moore, Anthem; Jeff Schilling, Armor
© 2016 HITRUST Alliance.



Introduction

•  Michael J. Levin, JD, CISSP, EnCE, GLEG, GSLC
   –  Director of Cyber Defense for Optum
   –  Former Director of Security Design and Innovation with the U.S. Dept. of Health and Human Services, Senior Associate with Deloitte, and Investigative Counsel with the U.S. Office of Special Counsel
   –  https://www.linkedin.com/in/michaellevin/


Cyber Defense

•  Provides Cyber Security Services to UnitedHealth Group, monitoring security for over 150,000 endpoints
•  Cyber Defense consists of
   –  Security Operations Center (SOC)
   –  Cyber Forensic Investigations (CFI)
   –  Persistent Threat Analysis (PTA)
   –  Cyber Intelligence Services (CIS)
   –  Active Cyber Defense (ACD)
   –  Data Analytics and Security Innovation (DASI)


Cyber Defense Structure

(Org chart: the CD Director oversees six teams: SOC, ACD, CFI, PTA, DASI, CIS)


Magnitude of Security Data

•  Monitoring 150,000 end nodes results in:
   –  ~2 TB of raw logs each day
   –  1.5 billion network, security, and endpoint events daily (~17,000 a second)
•  This requires 24-hour, in-house security analyst support


(Funnel diagram: Raw Logs → Network, Security, Host-Based Events → Security Incidents)

Security Operations Center

•  Utilizing the SIEM and manual analysis, the SOC reduces the 1.5 billion daily events to an average of 50 security incidents each day.
•  On average, 20 incidents are escalated daily to CFI for advanced incident response and investigation.
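The slide gives the funnel numbers but not the mechanics. As an added illustration (not the presenters' tooling, and not any vendor's SIEM), the Python below runs two SIEM-style correlation rules over a constructed batch of normalized events: a failed-login burst rule that only fires on the aggregate (and rises to high severity when the burst ends in a success), and a threat-intel match against a constructed C2 indicator list. Repeats of the same finding on the same entity are folded into one incident, and only high-severity incidents are handed to the IR team. The event kinds, field names, thresholds and the `KNOWN_C2_IPS` set are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel indicator set (a real SOC loads this from its feeds).
KNOWN_C2_IPS = {"203.0.113.7"}


def ev(ts, kind, src, dst, user=None):
    """Build one normalized event; kinds used here: auth_fail, auth_ok, net_conn."""
    return {"ts": datetime.fromisoformat(ts), "kind": kind,
            "src": src, "dst": dst, "user": user}


# Constructed raw events: two failed-login bursts (one ends in a success, one
# does not), one host beaconing to a listed C2 address, and benign noise.
RAW_EVENTS = [ev(f"2016-09-01T08:00:{s:02d}", "auth_fail", "198.51.100.23", "fs01", "jdoe")
              for s in range(0, 30, 5)]
RAW_EVENTS.append(ev("2016-09-01T08:00:40", "auth_ok", "198.51.100.23", "fs01", "jdoe"))
RAW_EVENTS += [ev(f"2016-09-01T08:05:{s:02d}", "auth_fail", "198.51.100.77", "fs01", "admin")
               for s in range(0, 25, 5)]
RAW_EVENTS += [ev(f"2016-09-01T09:{m:02d}:00", "auth_ok", f"10.0.0.{m}", "fs01", f"user{m}")
               for m in range(1, 41)]
RAW_EVENTS += [ev(f"2016-09-01T10:00:{s:02d}", "net_conn", "10.0.5.12", "203.0.113.7")
               for s in range(3)]
RAW_EVENTS += [ev(f"2016-09-01T10:00:{s:02d}", "net_conn", "10.0.5.13", "93.184.216.34")
               for s in range(50)]


def brute_force_rule(events, threshold=5, window=timedelta(seconds=60)):
    """A source with >= threshold failed logins inside `window` is a finding;
    a success from the same source within `window` of the burst raises it to
    high severity. No single event in the burst is interesting on its own."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] in ("auth_fail", "auth_ok"):
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["kind"] == "auth_fail"]
        for i in range(len(fails) - threshold + 1):
            first, last = fails[i], fails[i + threshold - 1]
            if last["ts"] - first["ts"] > window:
                continue
            success = next((e for e in evs if e["kind"] == "auth_ok"
                            and timedelta(0) < e["ts"] - last["ts"] <= window), None)
            findings.append({"rule": "brute_force", "entity": src,
                             "severity": "high" if success else "medium",
                             "detail": f"{len(fails)} failures, success={bool(success)}"})
            break  # one finding per source; repeats are merged in correlate()
    return findings


def ioc_rule(events, iocs):
    """Any outbound connection to an address on the intel list is a finding."""
    return [{"rule": "known_c2_contact", "entity": e["src"], "severity": "high",
             "detail": f"{e['src']} -> {e['dst']} at {e['ts'].isoformat()}"}
            for e in events if e["kind"] == "net_conn" and e["dst"] in iocs]


def correlate(events, iocs=KNOWN_C2_IPS):
    """Run the rules, then fold repeats of the same rule on the same entity
    into one incident with a hit count; this fold is what turns a flood of
    events into a short incident queue."""
    merged = {}
    for hit in brute_force_rule(events) + ioc_rule(events, iocs):
        key = (hit["rule"], hit["entity"])
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = dict(hit, count=1)
    return list(merged.values())


def triage(events, iocs=KNOWN_C2_IPS, escalate_at=("high",)):
    """Return the funnel numbers plus the incidents that go to the IR team."""
    incidents = correlate(events, iocs)
    escalated = [i for i in incidents if i["severity"] in escalate_at]
    return {"events": len(events), "incidents": len(incidents),
            "escalated": len(escalated), "queue": incidents}


if __name__ == "__main__":
    print(triage(RAW_EVENTS))
```

On the constructed batch, 105 events collapse to 3 incidents, of which 2 are escalated; the 50 benign connections and 40 ordinary logins never reach an analyst. The same shape scales to the slide's numbers only if the rules are tuned to real attacker behaviour, which is why the later slides stress threat intelligence feeding the rules engine and experienced analysts separating true positives from noise.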


Manpower – Investigative Teams

•  SOC – 24/7 support across 3 shifts, 28 analysts, approx. 1 analyst per 5,000 end nodes
•  CFI – 13 incident responders, approx. 1 per 10,000 end nodes
•  PTA – 7 security hunters, sufficient manpower and experience to effectively hunt within the enterprise for unidentified threats
•  CIS – 9 intelligence analysts; there is no easy rule to determine team size, rather it is gauged on output and success


In-House vs Outsourcing

•  Pros:
   –  Organizational data maintained within the organization
   –  Better organizational knowledge, access, and expertise, all in-house
   –  No contract re-negotiation or arguments when specific security work is needed
   –  Immediate incident response activity
•  Cons:
   –  Significant initial capital investment
   –  Upfront and ongoing talent acquisition and retention


Options for building a SOC

Jeff Schilling, CSO Armor


Great guide

•  Carson Zimmerman, "Ten Strategies of a World-Class Cybersecurity Operations Center"
•  MITRE
•  Free!!!


The security process: PROTECT → DETECT → RESPOND → RECOVER

•  Defense technologies such as DDoS mitigation, IPRM, WAF, etc.
•  Threat intelligence feeds our rules engines, making intelligence systems smarter over time
•  Detection technologies (e.g., AV/AM, FIM, SIEM and log correlation) tuned to the behaviors of real threat actors
•  Experienced personnel on hand 24x7x365 differentiating real security events from false positives
•  Technologies to limit blast radius and prevent spread (e.g., hypervisor-based firewalls)
•  Experienced personnel trained in preventative measures
•  Proactive processes in place for notifying customers and other relevant parties (e.g., law enforcement agencies where appropriate)
•  Automation technologies to perform necessary cleaning measures and/or update policies and rules engines in real time
•  Precise processes and trained personnel to remove compromises and secure against repeat attacks

(Diagram label: Cyber & Physical Security)


The threat's process

1. RECONNAISSANCE – open source research, social network research, port scan, IP sweep, Google research
2. WEAPONIZATION – combine the exploit tool with the delivery method
3. DISTRIBUTION & STRATEGY – phishing email, website drive-by, SQL inject script
4. EXPLOITATION – infected Word doc or PDF is opened, JavaScript exploited in browser, command line SQL inject
5. PERSIST/LATERAL MOVEMENT – registry key changed, privilege escalation, look for open connections
6. COMMAND & CONTROL – malware or compromised system reaches out for instructions
7. ACTION ON TARGET – search the target, destroy or disrupt, package and prepare for and exfil data


Options

•  SOC completely insourced
   –  Big security budget
   –  Access to both technology and talent
   –  Defendable architecture
•  SOC partially insourced, partially outsourced
   –  Most likely solution
   –  Tuned to your team's technical capabilities and skills
•  SOC completely outsourced
   –  Smaller, less complex environment


Assessing your capabilities

(Diagram: Talent, Techniques, Technology)


Functions to assess (two marker types, ✓ and §, as on the original slide)

•  Security Operation Center
   –  ✓ Real time monitoring
   –  § Triage
   –  § Incident Escalation
   –  § Incident Handling
   –  § Call Center
•  Threat Intelligence / Indications and Warnings
   –  ✓ Threat assessment
   –  ✓ Threat Intel data analysis
   –  ✓ Tradecraft analysis
   –  ✓ Threat trending
   –  ✓ Custom signature writing
   –  ✓ Advanced Threat Hunting
   –  ✓ Penetration testing
•  Incident Response and Forensics
   –  ✓ Memory analysis
   –  ✓ Host analysis
   –  ✓ Network analysis
   –  ✓ Malware Rev Eng
   –  § Containment
   –  § Eradication
•  Security Infrastructure Management
   –  § Security device mgt
   –  ✓ Security control sig mgt
   –  § Security device patching
   –  § Security device availability
•  Vulnerability Threat Management
   –  § Managing CMDB
   –  ✓ Scanning the environment
   –  ✓ Identifying vulnerabilities
   –  § Remediation/patch mgt


QUESTIONS?

