How to Build an Efficient Security Operation Center with the ArcSight SIEM

February 14, 2018


Hosted by: Dominic J. Listermann, Agile Coach, Blue Agility

Housekeeping

- This “LIVE” session is being recorded

- Recordings are available to all Vivit members

- Session Q&A: please type questions in the Questions Pane


Today’s Speaker: Soma Ismael Bola, IT Security Consultant, LayereDefense & IT INCEPT

What is a SOC?

• The security operations center (SOC) is a centralized command center for network security event monitoring and incident response.

• A SOC is responsible for detecting, analyzing, and reporting unauthorized or malicious network activity by employing advanced threat-hunting capabilities.

• The three basic types of SOC:

Threat-centric | Compliance-based | Operational-based

Threat-Centric SOC

• Proactively hunts for malicious threats on networks

• Focuses on addressing security across the entire attack continuum—before, during and after an attack

Compliance-Based SOC

• Focuses on comparing the posture of network systems to reference configuration templates or standard system builds


Operational-Based SOC

• An internally focused organization that monitors the security posture of an organization’s internal network

• Focused on the administration of firewall ACL rules, and so on

Building the SOC

• A SOC requires an investment in Process, People and Technology

Process

Threat modeling: a process where IT security and business people gather to determine the key cyber threats, prioritize them, model what they would look like in machine data, and then determine how to detect and remediate them

Basic Threat Modeling Process

The objective is to be able to answer the following questions for any security incident investigation:

• Who: What IP address or domain was associated with the threat?

• What: What type of threat is on the system?

• When: When did the event occur?

• Where: What is the geolocation of the originating source of the attack?

• Why: What purpose was the malware designed to serve?

• How: How did the malware get onto the system?

People

A critical part of any SOC is the process for responding to alerts and incidents, and most SOCs use a multi-tier approach.

• Alerts are generated by a variety of devices on the network and go to the first tier of analysts for initial review. If the first tier cannot resolve the incident, it is escalated to the next tier, staffed by personnel with more advanced knowledge and incident response tools.

• These alerts come from diverse sources, and the type of device determines which events can be extracted:

• DHCP server
- Transaction data: dynamic IP address assignments; attribution to a host by MAC address

• DNS server
- Transaction data: DNS query/response transactions

• AAA server
- Alert data: successful and failed authentication and authorization events

• IPS
- Alert data: IPS alerts triggered by the IPS rules and signatures

• Firewall
- Session data: connection events, NAT translations
- Packet captures: PCAPs are collected manually by the firewall administrator
- Statistical data: top sources and destinations, top access rules

• Proxy (web and email)
- Transactional data: documents client requests and server responses
- Extracted data: malicious email attachments
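Answering the “Who” question from the threat-modeling list above means joining an alert’s source IP to the DHCP server’s transaction data at the time of the alert, not just by address: the same IP is handed to different hosts as leases are released and re-issued. The Python below is an added example, not ArcSight code and not part of the presentation; the DHCP and IPS log lines, hostnames, MAC addresses and IP addresses are all constructed for illustration.

```python
"""Attribute an alert's source IP to a host using DHCP lease history.

Added example (not ArcSight code). All log lines, hosts, MACs and addresses
are constructed. The point: an IP only identifies a host together with a
time window, because DHCP hands the same address to different hosts over time.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Constructed DHCP server transaction log (dhcpd-style wording, hypothetical).
DHCP_LOG = """\
2018-02-14 08:00:12 DHCPACK on 10.1.20.55 to 00:1a:2b:3c:4d:01 (finance-ws17) lease 7200
2018-02-14 09:05:40 DHCPRELEASE of 10.1.20.55 from 00:1a:2b:3c:4d:01 (finance-ws17)
2018-02-14 09:06:02 DHCPACK on 10.1.20.55 to 00:1a:2b:3c:4d:9f (guest-laptop) lease 3600
2018-02-14 10:06:02 DHCPACK on 10.1.20.55 to 00:1a:2b:3c:4d:9f (guest-laptop) lease 3600
"""

# Constructed IPS alert data; all three alerts name the same source IP.
IPS_LOG = """\
2018-02-14 08:45:10 ALERT sid=1000001 msg="Possible C2 beacon" src=10.1.20.55 dst=203.0.113.7
2018-02-14 09:30:00 ALERT sid=1000001 msg="Possible C2 beacon" src=10.1.20.55 dst=203.0.113.7
2018-02-14 11:30:00 ALERT sid=1000001 msg="Possible C2 beacon" src=10.1.20.55 dst=203.0.113.7
"""

ACK_RE = re.compile(r"^(\S+ \S+) DHCPACK on (\S+) to (\S+) \((\S+)\) lease (\d+)$")
RELEASE_RE = re.compile(r"^(\S+ \S+) DHCPRELEASE of (\S+) from (\S+) \((\S+)\)$")
ALERT_RE = re.compile(r'^(\S+ \S+) ALERT sid=(\d+) msg="([^"]*)" src=(\S+) dst=(\S+)$')


class Lease(NamedTuple):
    start: datetime
    end: datetime
    ip: str
    mac: str
    host: str


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def build_leases(dhcp_log: str) -> List[Lease]:
    """Turn DHCPACK/DHCPRELEASE transactions into [start, end) lease intervals."""
    leases: List[Lease] = []
    for line in dhcp_log.splitlines():
        ack = ACK_RE.match(line)
        if ack:
            start, ip, mac, host = _ts(ack[1]), ack[2], ack[3], ack[4]
            # An ACK for an address still held by someone closes that lease:
            # the server has reassigned (or renewed) the address.
            for i, old in enumerate(leases):
                if old.ip == ip and old.end > start:
                    leases[i] = old._replace(end=start)
            leases.append(Lease(start, start + timedelta(seconds=int(ack[5])), ip, mac, host))
            continue
        rel = RELEASE_RE.match(line)
        if rel:
            at, ip, mac = _ts(rel[1]), rel[2], rel[3]
            for i, old in enumerate(leases):
                if old.ip == ip and old.mac == mac and old.start <= at < old.end:
                    leases[i] = old._replace(end=at)  # explicit release ends the lease early
    return leases


def attribute(ip: str, at: datetime, leases: List[Lease]) -> Optional[Lease]:
    """Lease covering `ip` at `at`, or None when no lease was active.

    None is returned on purpose rather than the most recent holder: an expired
    lease means attribution is unknown and the analyst must look elsewhere
    (switch MAC tables, endpoint agent), not blame the last known owner.
    """
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease
    return None


def enrich_alerts(ips_log: str, leases: List[Lease]) -> List[dict]:
    """Answer Who/What/When for each IPS alert using the DHCP lease table."""
    enriched = []
    for line in ips_log.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        lease = attribute(m[4], _ts(m[1]), leases)
        enriched.append({
            "when": m[1],                              # When
            "what": m[3],                              # What (IPS signature)
            "src_ip": m[4],                            # Who, as seen on the wire
            "host": lease.host if lease else None,     # Who, resolved to an asset
            "mac": lease.mac if lease else None,
        })
    return enriched


if __name__ == "__main__":
    for row in enrich_alerts(IPS_LOG, build_leases(DHCP_LOG)):
        print(row)
```

The first two alerts carry the same source IP but resolve to different hosts, and the third falls after the last lease expired and is left unattributed rather than guessed.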

Technology

• A balanced security solution that is capable of providing both proactive protection and adaptable expansion

• Automatically assigns a severity level to the incident (H/M/L) and gathers all your security information in one place

• Able to index all relevant machine data and log files from security and non-security sources in real time

• Able to take the data and enrich it with external data, such as data from Active Directory, asset databases, third-party threat feeds and more

• Has the flexibility to detect threats through a range of highly accurate, customizable detection methods, including correlation rules, risk scoring and anomaly detection, before they become breaches

• User-friendly enough to be used by all SOC personnel and flexible enough to be customized to the specific needs of every process and role in the SOC (regulatory compliance: PCI, HIPAA and FFIEC)

• The ArcSight SIEM solution meets all of these requirements
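The requirements above (correlation rules, enrichment from a directory, asset database and threat feeds, and an automatic H/M/L severity) are what a SIEM does with the events once they are collected. The Python below is an added example, not ArcSight rule syntax and not the presentation’s material; the AAA log lines, asset database, privileged-account list, threat-feed entries and scoring weights are all constructed for illustration.

```python
"""Correlation rule + enrichment + automatic H/M/L severity, as a SIEM runs it.

Added example, not ArcSight rule syntax. Rule: THRESHOLD or more failed
authentications for one (user, source) pair within WINDOW, followed by a
success from that source. Every log line, asset, account and feed entry
below is constructed for illustration; the scoring weights are a design choice.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed AAA server alert data (one authentication event per line).
AAA_LOG = """\
2018-02-14 12:00:00 AUTH result=FAIL user=bob src=10.1.20.9 dst=10.1.5.11
2018-02-14 12:01:00 AUTH result=FAIL user=bob src=10.1.20.9 dst=10.1.5.11
2018-02-14 13:00:01 AUTH result=FAIL user=jsmith src=198.51.100.23 dst=10.1.5.10
2018-02-14 13:00:05 AUTH result=FAIL user=jsmith src=198.51.100.23 dst=10.1.5.10
2018-02-14 13:00:09 AUTH result=FAIL user=jsmith src=198.51.100.23 dst=10.1.5.10
2018-02-14 13:00:40 AUTH result=SUCCESS user=jsmith src=198.51.100.23 dst=10.1.5.10
2018-02-14 13:10:00 AUTH result=FAIL user=bob src=10.1.20.9 dst=10.1.5.11
2018-02-14 13:10:30 AUTH result=SUCCESS user=bob src=10.1.20.9 dst=10.1.5.11
2018-02-14 14:00:00 AUTH result=FAIL user=svc_backup src=10.1.20.40 dst=10.1.5.12
2018-02-14 14:00:02 AUTH result=FAIL user=svc_backup src=10.1.20.40 dst=10.1.5.12
2018-02-14 14:00:04 AUTH result=FAIL user=svc_backup src=10.1.20.40 dst=10.1.5.12
2018-02-14 14:00:30 AUTH result=SUCCESS user=svc_backup src=10.1.20.40 dst=10.1.5.12
2018-02-14 15:00:00 AUTH result=FAIL user=alice src=10.1.20.77 dst=10.1.5.11
2018-02-14 15:00:02 AUTH result=FAIL user=alice src=10.1.20.77 dst=10.1.5.11
2018-02-14 15:00:04 AUTH result=FAIL user=alice src=10.1.20.77 dst=10.1.5.11
2018-02-14 15:00:30 AUTH result=SUCCESS user=alice src=10.1.20.77 dst=10.1.5.11
"""

# Constructed enrichment sources: asset database, directory (privileged accounts), threat feed.
ASSETS = {
    "10.1.5.10": {"name": "hr-db-01", "criticality": "high"},
    "10.1.5.11": {"name": "print-srv-02", "criticality": "low"},
    "10.1.5.12": {"name": "file-srv-01", "criticality": "medium"},
}
PRIVILEGED_ACCOUNTS = {"svc_backup"}
THREAT_FEED_IPS = {"198.51.100.23"}
CRITICALITY_POINTS = {"high": 2, "medium": 1, "low": 0}

EVENT_RE = re.compile(r"^(\S+ \S+) AUTH result=(FAIL|SUCCESS) user=(\S+) src=(\S+) dst=(\S+)$")
WINDOW = timedelta(minutes=5)
THRESHOLD = 3


def correlate(aaa_log: str) -> List[dict]:
    """Stateful rule: THRESHOLD+ failures per (user, src) inside WINDOW, then a success."""
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    incidents: List[dict] = []
    for line in aaa_log.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        at = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S")
        result, user, src, dst = m[2], m[3], m[4], m[5]
        recent = failures[(user, src)]
        while recent and at - recent[0] > WINDOW:   # drop failures that aged out of the window
            recent.popleft()
        if result == "FAIL":
            recent.append(at)
        elif len(recent) >= THRESHOLD:
            incidents.append({"time": m[1], "user": user, "src": src, "dst": dst,
                              "failures_before_success": len(recent)})
            recent.clear()   # one incident per burst, not one per later success
    return incidents


def enrich_and_score(incident: dict) -> dict:
    """Attach asset/identity/threat context and derive an H/M/L severity from it."""
    # Unknown assets default to medium: an unregistered host is a gap, not a low-value target.
    asset = ASSETS.get(incident["dst"], {"name": "unknown", "criticality": "medium"})
    score = CRITICALITY_POINTS[asset["criticality"]]
    if incident["user"] in PRIVILEGED_ACCOUNTS:
        score += 2
    if incident["src"] in THREAT_FEED_IPS:
        score += 2
    severity = "H" if score >= 4 else "M" if score >= 2 else "L"
    return {**incident, "asset": asset["name"], "score": score, "severity": severity}


def run(aaa_log: str = AAA_LOG) -> List[dict]:
    return [enrich_and_score(i) for i in correlate(aaa_log)]


if __name__ == "__main__":
    for inc in run():
        print(inc)
```

Three bursts trip the rule and come out as H, M and L purely because of the enrichment (a feed-listed source against a high-criticality asset, a privileged account against a medium one, an ordinary account against a low one); bob’s two stale failures at 12:00 fall outside the window and produce nothing.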

A SIEM is more than:

• A machine learning system

• An IDS/IPS

• A log aggregation tool

The ArcSight SIEM Solution

• An award-winning set of products for monitoring threat and risk

• ArcSight Enterprise Security Manager (ESM): software for large-scale security monitoring deployments

• ArcSight Express: an appliance-based all-in-one offering designed for the midmarket, with preconfigured monitoring and reporting, as well as simplified data management

• ArcSight Enterprise Security Manager (ESM): correlation and analysis engine used to identify security threats in real time, including in virtual environments

• ArcSight Logger: log storage and search solution

• ArcSight Identity View: user identity tracking and user activity monitoring

• ArcSight Auditor Applications: automated continuous controls monitoring for both mobile and virtual environments

• ArcSight SmartConnectors collect event data from a variety of data sources, then normalize, categorize, and aggregate the event data and securely and efficiently deliver the events to ArcSight ESM or ArcSight Express (which combines ArcSight Logger and ESM functions for smaller installations)

• ArcSight Console provides the dashboard for the security operations center (SOC)

• ArcSight web-based consoles can be used by IT operations staff to search archived log data and generate compliance reports

ArcSight Express Deployment Overview

The ArcSight SIEM Solution

• Built-in dashboards for real-time security analytics, available in both ArcSight Logger and ArcSight ESM:

- Malware Activity
- Firewall
- IPS
- Endpoint Logs
- User Activity

• Also included are dashboards that monitor critical infrastructure, such as Cisco appliances, Microsoft Windows, and Linux servers, to quickly report on business-critical infrastructure

Develop Key Relationships with External Resources

• SOCs require effective tools, security analysts with comprehensive technical backgrounds, and also strong relationships with external organizations

Question & Answers

• Please type your questions in the Questions Pane

Upcoming Vivit Webinars

February 28, 2018

Unlock your ALM Investment – Micro Focus ALM and ALM Octane

9:00 - 10:00 AM PST (Los Angeles), 12:00 PM - 1:00 PM EST (New York), 18:00 - 19:00 CET (Frankfurt)

http://www.vivit-worldwide.org/events/EventDetails.aspx?id=1071812&group=

Thank You

