Peter Watson, Head of Security Services APJC
Friday 20th July 2018
Cyber Security Seminar
The future of SOC ..... What to Expect
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Who am I .....
• IBM, the 90's: Don't just identify the problem; secure the datacenter
• Microsoft, early 2000's: I hate Mondays; protect the user; a week with Bill
• National Broadband Network, early 2010's: Building the plane while flying; security in the network
• CGI (pre-Cisco): Critical infrastructure; how to secure first-wave IoT
Slower Response = Greater Risk
• 66% of breaches took months or even years to discover
• 60% of breaches have data exfiltrated in the first 24 hours
• 60,000: number of alerts hackers set off at a global retailer
• 184: median number of days advanced attackers are present before detection
• 33% of organizations discover breaches through their own monitoring
[Figure: "Is Our Security Posture Effective?": a threat plotted against time, with the points of detection and response marked and the outcome we are trying to reach]
What is required: Next Generation SOC
• Malware Reverse Engineering
• Triage / Incident Response
• Forensic Investigation
• Advanced Threat Intelligence
• Automation
• Advanced Security Analytics
• Advanced Reporting: KPIs, KRIs
• Advanced Case Management
• Event Driven Response
• Proactive Threat Hunting
• Security Monitoring
Protecting Cisco: All about the Data
• Data sources: Security Events, Network flow, System and App Logs, Environment Configuration, Identity Attributes
• Anomalies
• Threat Indicators
Analytics
Analytics is the discovery, interpretation and communication of meaningful patterns in data.
Evolution of Analytics:
1. Descriptive analytics: summary of historical data
2. Decision analytics: organized descriptive analytics to reflect reasoning and details
3. Predictive analytics: provide a future diagnostic based on past patterns
4. Prescriptive analytics: provide recommendations using optimization and simulation
Target state
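The first three stages of that evolution, run over a constructed series of daily failed-login counts for one host. This is an added example, not code from the slides or from Cisco; the data, the z-score threshold, the seven-day window and all function names are assumptions made for illustration. It also shows the failure mode a predictive baseline has when the descriptive step is skipped: one spike inflates the baseline and hides the next one.

```python
from statistics import mean, pstdev

# Constructed sample: failed logins per day for one host over two weeks,
# with one obviously abnormal day (index 11). Not real telemetry.
FAILED_LOGINS = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 90, 14, 13]


def descriptive(series):
    """Descriptive analytics: a summary of historical data."""
    return {"mean": mean(series), "stdev": pstdev(series), "max": max(series)}


def decision(series, z=3.0):
    """Decision analytics: organise the summary into a reasoned judgement, here
    the indices of days sitting more than `z` standard deviations above the mean."""
    s = descriptive(series)
    if s["stdev"] == 0:
        return []
    return [i for i, v in enumerate(series) if (v - s["mean"]) / s["stdev"] > z]


def naive_predictive(series, window=7, z=3.0):
    """Predictive analytics done naively: threshold for tomorrow from the last
    `window` days as they are. The spike is inside the window, so it inflates
    the baseline and a repeat of the same spike would not be flagged."""
    recent = series[-window:]
    return mean(recent) + z * pstdev(recent)


def predictive(series, window=7, z=3.0):
    """Predictive analytics built on the decision step: the same rolling baseline,
    but with days already judged anomalous removed, so the threshold reflects
    normal behaviour and a repeat spike is still caught."""
    outliers = set(decision(series, z))
    start = max(len(series) - window, 0)
    recent = [v for i, v in enumerate(series) if i >= start and i not in outliers]
    return mean(recent) + z * pstdev(recent)


if __name__ == "__main__":
    print(descriptive(FAILED_LOGINS))
    print("anomalous days:", decision(FAILED_LOGINS))
    print("naive threshold for tomorrow:", round(naive_predictive(FAILED_LOGINS), 1))
    print("robust threshold for tomorrow:", round(predictive(FAILED_LOGINS), 1))
```

With the constructed series the naive threshold lands above 100 while the robust one lands around 16, which is the difference between a predictive stage that learns from the descriptive and decision stages and one that merely averages whatever it last saw.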
SOC Architecture is more than SIEM
[Diagram: component groups of the SOC architecture]
• Telemetry and Other Data Sources: Security Events, System and App Logs, Identity Attributes, Environment Configuration, Packet capture
• Intel and Enrichment: Threat Intel Providers, Enrichment Providers, AV Intel Providers, Vulnerability Advisories
• Threat Intelligence Platforms; Malware Analysis and Malware Reverse Engineering
• Security Analytics: Event correlation, Machine Learning, Behavioral Threat Analysis (UEBA), Anomaly detection, Encrypted Threat Analysis (ETA), Automated Threat Modeling, Contextual Knowledge Base, Security Event Database
• Investigation Platforms: Supported Forensics Platforms
• Security Case Management and Supported Service Management: Ticketing, Wiki
• Control and Remediation Support: SOAR, Controls Catalog, Configuration Compliance, Vulnerability Management
• Supported Reporting Systems: Reporting Services
• Supported Communications and Collaboration Systems: Comm & Collab Apps
• Supported Security Provider Solutions and Service Provider Solutions
Growth of Segmentation
Enclave Assets (healthcare example): Point of Care Servers, PACS Imaging Servers, Telemedicine Servers, EMR System
Coverage of Operational Technology
• Smart Cities / Building management
• Transportation: Air, Train, Sea, Road
• Utilities: Power, Water, Gas
• First responders: Fire, Ambulance, Police
• Public Services: Hospitals / Schools
Traditionally the SOC has been designed for IT, not for operational networks. This is not just a cyber issue but also a safety issue.
• Traditional IT Security Threat Impact: Computer or Data Damage; Data Theft
• ICS Security Threat Impact: Abnormal pressure in a pipeline; Changed field device parameter settings; Closing/Opening a motorized valve; Causing a Denial of Service attack; Increasing/Decreasing motor speeds
Security in OT is different from IT

Security Control           | Information Technology                         | Operations Technology
Vulnerability management   | Active scanning                                | Passive scanning
Concept of least privilege | Layered RBAC                                   | Limited access segmentation
Authenticator              | Complex password, 2FA, unique                  | Code, pin, key sequence, common
Change Management          | Regular, scheduled                             | Highly managed and complex
Time Critical Content      | Generally delays accepted                      | Delays are unacceptable
Availability               | Generally delays accepted                      | 24x365 (continuous)
Patching/Malware           | Regular, scheduled                             | Rare, unscheduled; vendor specific
Traffic flows              | Ability to block in-line                       | No inhibitors for flow
Logical Access             | People ~= Devices                              | Few people; many, many devices
Event logging              | Standardized correlation                       | Proprietary protocols
Failover capability        | Critical component has a redundant counterpart | Parts replacement and repairs
Physical Security          | Secure (server rooms, etc.)                    | Remote / Unmanned
Distributed Deployment
[Diagram: distributed SOC deployment]
• Environment (event sources, packet capture location): Internet Edge, Firepower, NGSP, MS AD, OpenDNS; shared services: LDAPS, NTP
• Stream: Forwarder to Indexer Cluster (all data but packets); NFS Server (packets); metadata
• SOC: Security analytics, ES and other SHs, Case Mgmt, TIP; security analysts
• Threat intelligence: Cisco Talos, Cisco TG, OpenDNS, Recorded Future
Automating the SOC Tasks
• Escalation and Notification
• Advanced Analytics
• Environment Context
• Case Management
• Data Enrichment
• Adaptive Response
• Automation
Playbooks: Create and Execute
Run courses of action for your security team with a simple click.
Decision: execute a playbook automatically or manually.
Gain relevant data through orchestration of other tools in your network.
Integration leads to Automation
• I have NBAR info! I need identity...
• I have firewall logs! I need identity...
• I have sec events! I need reputation...
• I have NetFlow! I need entitlement...
• I have reputation info! I need threat data...
• I have MDM info! I need location...
• I have app inventory info! I need posture...
• I have identity and device-type! I need app inventory and vulnerability...
• I have application info! I need location and auth-group...
• I have threat data! I need reputation...
• I have location! I need identity...
SIO
Proprietary APIs aren't the solution
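The two preceding slides, "Playbooks: Create and Execute" and "Integration leads to Automation", as one added example that is not code from the slides or from Cisco. Each lens on the slide holds one piece of the picture (NetFlow has addresses, the identity source has users, the reputation feed has scores, MDM has posture); the example joins them on the key they all share, records which lenses had no answer, and then runs a playbook decision that contains automatically only when every lens agrees and hands anything incomplete to an analyst. All lookup tables, flow records, thresholds and names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed lookup tables standing in for the separate tools on the slide
# (identity source, reputation feed, posture/MDM, location). All values are made up.
IDENTITY = {"10.0.5.23": {"user": "jsmith", "auth_group": "finance"}}
REPUTATION = {"203.0.113.7": {"score": 15, "category": "malware-c2"}}  # 0 = known bad, 100 = clean
POSTURE = {"10.0.5.23": "noncompliant"}
LOCATION = {"10.0.5.23": "hq-floor3"}

# Constructed NetFlow-style records: each knows addresses and byte counts, nothing else.
NETFLOW = [
    {"src": "10.0.5.23", "dst": "203.0.113.7", "bytes": 48_000_000},
    {"src": "10.0.5.23", "dst": "198.51.100.2", "bytes": 1_200},
    {"src": "10.0.9.99", "dst": "203.0.113.7", "bytes": 500},
]


@dataclass
class Enriched:
    """One flow plus whatever each lens could add; `gaps` lists the lenses with no answer."""
    src: str
    dst: str
    bytes: int
    user: str = "unknown"
    auth_group: str = "unknown"
    dst_reputation: int = 100
    dst_category: str = "none"
    posture: str = "unknown"
    location: str = "unknown"
    gaps: list = field(default_factory=list)


def enrich(flow):
    """Join a flow with every lens, keyed on the IP address that all sources share."""
    e = Enriched(flow["src"], flow["dst"], flow["bytes"])
    ident = IDENTITY.get(e.src)
    if ident:
        e.user, e.auth_group = ident["user"], ident["auth_group"]
    else:
        e.gaps.append("identity")
    rep = REPUTATION.get(e.dst)
    if rep:
        e.dst_reputation, e.dst_category = rep["score"], rep["category"]
    else:
        e.gaps.append("reputation")
    e.posture = POSTURE.get(e.src, "unknown")
    if e.posture == "unknown":
        e.gaps.append("posture")
    e.location = LOCATION.get(e.src, "unknown")
    if e.location == "unknown":
        e.gaps.append("location")
    return e


def decide(e, auto_contain_below=20, bulk_bytes=10_000_000):
    """Playbook decision step: automatic containment only when the reputation, posture
    and identity lenses all agree and nothing is missing; otherwise open a case for an
    analyst (the manual path); otherwise just record the flow."""
    if e.dst_reputation < auto_contain_below and e.posture == "noncompliant" and not e.gaps:
        return ("contain", f"quarantine {e.src} ({e.user}, {e.auth_group}) and block {e.dst} [{e.dst_category}]")
    if e.dst_reputation < auto_contain_below or e.bytes > bulk_bytes:
        return ("escalate", f"open case for {e.src} -> {e.dst}; missing lenses: {e.gaps or 'none'}")
    return ("log", f"record {e.src} -> {e.dst}")


def run_playbook(flows=NETFLOW):
    """Enrich every flow and return the chosen course of action for each."""
    return [decide(enrich(f)) for f in flows]


if __name__ == "__main__":
    for action, detail in run_playbook():
        print(f"{action:8s} {detail}")
```

The third constructed flow is the caveat a practitioner cares about: the destination is known bad, but the source has no identity or posture record, so the playbook refuses to contain automatically and escalates instead. Adding a new lens means adding one lookup on the shared key rather than wiring a new pairwise API between two products.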
Event Driven Response
• Collaborative intelligence
• Event driven activity to contain and isolate
• Decisions at the edge
• Smarts and automation in the network to enable this
• Continuous and adaptive threat mitigation
Inventory of Controls
Security as a Service: Controls Store
• Leverage existing investments
• Always have untapped features
• Control adoption as well as threat metrics
• Initial containment vs long-term protection
• Goal is to drive adoption of controls
"More than a risk register"
Required Resources
SANS incident handling: 5-step methodology
1. Preparation
● Align procedures and tools
● Have accurate information at hand
● Ensure communications are ready
2. Detection & Notification
Align and integrate methods for input:
● Threat Feeds
● Monitoring Tools
● Analytics tools
● Control catalog
3. Analysis & Assessment
● Investigate incident identity, nature and extent to determine its severity and impact
● Alert client and open incident in ticketing system
4. Handling & Remediation
● Limit the scope and magnitude of incident
● Determine and communicate the most appropriate containment method
● Update security incident report as required
● Get confirmation that service has returned to normal parameters
5. Post Mortem
● Document the chronology of events, lessons learned reviews, support of any efforts to sanction malicious acts, updating policies or processes.
Roles: Threat Researcher, Vulnerability Assessor, SOC Analysts, Threat Hunter, Data Scientist, Automation Analyst, Incident Manager, Malware Analyst, Service Manager, Reporting Analyst, SOC Manager
Proactive vs reactive
Hunters go out and look for intruders before any alerts are generated
Summary
• To be predictive: it's all about the data
• Require multiple lenses for threat hunting
• Need multiple technology tools
• Need to prepare for operational technology
• Automation and integration are key
• A controls catalog can be applied quickly
• The SOC is virtual and federated, both for resources and for technology