Security Operations in Real Life PDF

Summary

This document is a presentation about security operations in different-sized companies, from small to big. It highlights the various aspects and sub-teams involved, and the importance of security practices. The document also covers the security architecture, engineering, and operations centre.

Full Transcript


Security Operations in real life
Marek Kumpošt

"It takes 20 years to build a reputation and few minutes of a cyber-incident to ruin it." ~ Stephane Nappo

Small company
  Typically no security team at all
  One man show; sometimes not even that
  Security is a function of the IT team or the IT admin
  Security is perceived as a not very important domain
  It is mostly about backup and authentication services
  Pros/Cons
  + at least one person who spells Security right :)
  - lack of knowledge/experience of just one person

Taking security (more) seriously
  Typically after a major security incident, or an audit
  Before these two happen:
    Minimal budget
    Minimal human resources
    Minimal respect for Security (aka "why should we be a target")

Medium-sized company
  Small all-purpose team dealing with operational/infrastructure/application layers
  Still the "nobody knows everything" aspect
  Security is perceived as an unnecessary evil. Maybe after a data breach.
  Pros/Cons
  + Dedicated security team
  - Budget aspect
  - Limited experience with various aspects of Security

Big company or large enterprises
  Big dedicated team or teams
  Not all of them necessarily focused on security (a privacy team, for instance)
  Focused on different areas of security
  Pros/Cons
  + Dedicated teams
  + Detailed experience in various security domains
  + Might have a dedicated budget
  - Security costs a lot
  - Slower speed of innovation

Example of focused Security (sub)teams
  Security Operations Center, Security Engineering, Security Architecture, Application Security, Pentesting Team, Consulting Team, CISO

Security Architecture
  Ensures that security best practices are addressed
  Defines overall security policies/standards/procedures
  Makes sure that new technologies fit within existing ones
  Performs risk assessments
  Prevents bad designs
  May focus on Operations/Application/Product

Security Engineering
  "Build tools, techniques and methods to support the development and maintenance of systems that can resist malicious attacks that are intended to damage a computer-based system or its data."
  Examples of tools for:
    SIEM (Security Information and Event Management): built with ELK, Splunk, OSSEC, etc.
    FIM (File Integrity Monitoring): technologies like Qualys, Tanium, LogRhythm
    Network segmentation: Palo Alto, Cisco, Illumio
    (Micro)services management (or container security)

Security Operations Centre
  Breaches in 2020: 3950
  Large business victims: 72%
  Small/medium business victims: 28%
  Targeting web apps: 43%
  Average cost of a large breach: $392 million

Security Operations Centre – Key objectives
  Ability to correlate system, application, network, server and security logs in a consistent way
  Manages and monitors the cyber security posture and reports deficiencies
  Coordinates the response to cyber threats and incidents
  Performs threat and vulnerability analysis
  Provides regular reporting to management and incident responders
  Maintains an internal database of cyber security incidents
  Provides alerts and notifications for general and specific threats
  Performs analysis of cyber security events

Security Operations Centre – Some more key objectives
  Ability to automate the identification of all security attack vectors and the classification of incidents
  Requirement to meet compliance – vulnerability assessment and risk management
  Ensure the change control function is integrated into the SOC process
  Build a comprehensive reporting dashboard that is aligned to security metrics
  Proactive security monitoring based on predefined security metrics / KPIs
  Define disaster recovery plans for ICE (in case of emergency)

Examples of SecOps processes
  Secure change management lifecycle: Request for change -> Impact analysis -> Approve/Deny -> Implement change -> Review/Reporting

Security Design Review – Operations view
  Justification for change
  Environments in scope
  Logical network diagrams
  Use-cases
  Data sensitivity and data encryption
  Logging, monitoring, auditing
  Network access control
  User access control
  Business continuity and disaster recovery
  Vulnerability management
  Secrets management
  and...

DevSecOps concept
  DevSecOps in the light of SecOps
  Software defined data centers: AWS, Azure, Google Cloud, OCI
  Security driven by code (Ansible, Terraform, ..)

Examples of Security Frameworks
  CIS Controls v8 (formerly SANS Top 20)
    Focuses on activities, rather than on who manages the devices
    Consists of 18 controls
    Aims to cover critical processes/activities in a company
    Contains 153 safeguards
    Grouped into implementation groups (IG1/2/3)
    Provides mapping to well-known frameworks: CSF, ATT&CK, CSA, PCI, SOC2, …

Another Security Framework: The Cybersecurity Framework (NIST)
  Three primary components
    Core: desired cybersecurity outcomes organized in a hierarchy and aligned to more detailed guidance and controls
    Profiles: alignment of an organization's requirements and objectives, risk appetite and resources using the desired outcomes of the Framework Core
    Implementation Tiers: a qualitative measure of organizational cybersecurity risk management practices

Key Framework Attributes (principles of current and future versions of the Framework)
  Common and accessible language
  Adaptable to many technologies, lifecycle phases, sectors and uses
  Risk-based
  Based on international standards
  Living document
  Guided by many perspectives – private sector, academia, public sector

The Framework Core Establishes a Common Language
  A Function describes desired outcomes, is understandable by everyone, applies to any type of risk management, defines the entire breadth of cybersecurity, and spans both prevention and reaction
  Functions: Identify, Protect, Detect, Respond, Recover

An Excerpt from the Framework Core – The Connected Path of Framework Outcomes
  5 Functions, 23 Categories, 108 Subcategories, 6 Informative References

Implementation Tiers (The Cybersecurity Framework Version 1.1)
  Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive
  Assessed along three dimensions:
    Risk Management Process: the functionality and repeatability of cybersecurity risk management
    Integrated Risk Management Program: the extent to which cybersecurity is considered in broader risk management decisions
    External Participation: the degree to which the organization monitors and manages supply chain risk, and benefits by sharing or receiving information from outside parties
  https://facilitycyber.labworks.org/

And one more :) MITRE ATT&CK (attack.mitre.org)
  Adversarial Tactics, Techniques & Common Knowledge
  Aim is to categorise adversarial behaviours based on real-world observations
  Used for offensive and defensive activities, measurements, reporting, …
  Can be heavily customized
  Enterprise, Mobile, PRE-ATT&CK

Example: SolarWinds – What happened
  Security company FireEye released a blog post saying a bad hacker or group called UNC2452 had hacked SolarWinds
  IT company SolarWinds says it may have been hit in a highly sophisticated attack
  18,000 companies, government agencies, think tanks, universities and NGOs affected
  https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

The Vector – SolarWinds?
  Software company; network management products
  Orion is one of their popular products
  Customers: governments and major corporations
  SolarWinds Orion was approved for use in many sensitive areas
  Orion customers were careful and kept SolarWinds patched & updated

The Targets
  SUNBURST only activated if installed at one of a handful of places
  18,000 companies installed the SUNBURST malware
  14 days later SUNBURST would peek out
  SUNBURST would go live only if it was worth it
  Everywhere else, SUNBURST went to sleep indefinitely

When

Actor's Traits
  Very sophisticated
  Cleaned up trace evidence
  Good security on their own servers
  Good ability to hide their servers
  Extensive efforts to hide their exploit
  Motivation: murky
    Limited target selection among the 18,000
    No financial interest
    No denial of service
    No data destruction or ransomware
    No personal information theft

Compliance
  Nobody likes compliance, but it is important
  Company complies with regulations: legal requirements; internal policies and standards
  Helps companies pass external audits
  Identifies new compliance issues
  Conducts internal audits

Thanks! [email protected]
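The SOC key objective above, correlating system, network and security logs "in a consistent way" and raising alerts, as an added example that is not part of the original presentation: three constructed log formats (sshd auth, a firewall line, a web access line) are normalized into one schema and a repeated-failure-then-success pattern from one source address is alerted on. The log formats, field names, threshold and sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines from three sources (not real logs); times are UTC, 2020-01-01.
SAMPLE_LOGS = [
    ("auth", "2020-01-01T10:00:01 sshd[1]: Failed password for root from 203.0.113.5 port 4000"),
    ("auth", "2020-01-01T10:00:03 sshd[1]: Failed password for root from 203.0.113.5 port 4001"),
    ("auth", "2020-01-01T10:00:05 sshd[1]: Failed password for root from 203.0.113.5 port 4002"),
    ("fw",   "2020-01-01T10:00:06 action=allow src=203.0.113.5 dst=10.0.0.8 dport=22"),
    ("auth", "2020-01-01T10:00:09 sshd[1]: Accepted password for root from 203.0.113.5 port 4003"),
    ("web",  '203.0.113.9 - - [01/Jan/2020:10:00:07 +0000] "GET /login HTTP/1.1" 401 12'),
]
# One parser per source; each builds the same normalized schema: ts, src, event (+ source).
PARSERS = {
    "auth": (re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for \S+ from (\S+)"),
             lambda m: {"ts": datetime.fromisoformat(m.group(1)), "src": m.group(3),
                        "event": "auth_fail" if m.group(2) == "Failed" else "auth_ok"}),
    "fw":   (re.compile(r"^(\S+) action=(\w+) src=(\S+)"),
             lambda m: {"ts": datetime.fromisoformat(m.group(1)), "src": m.group(3),
                        "event": "fw_" + m.group(2)}),
    "web":  (re.compile(r'^(\S+) .*\[(\d+/\w+/\d+:\d+:\d+:\d+) [+-]\d+\] ".*" (\d{3})'),
             lambda m: {"ts": datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"),
                        "src": m.group(1), "event": "http_" + m.group(3)}),
}

def normalize(source, line):
    """Map a raw line from one source into the common schema, or None if it does not parse."""
    pattern, build = PARSERS[source]
    m = pattern.match(line)
    if not m:
        return None
    return dict(build(m), source=source)

def correlate(records, fails=3, window=timedelta(minutes=1)):
    """Alert when a source IP has >= `fails` auth failures followed by a success within `window`."""
    events = sorted((e for e in (normalize(s, l) for s, l in records) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)          # group the unified events by source address
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["event"] != "auth_ok":
                continue
            # failures from the same address shortly before this successful login
            recent = [x for x in evs[:i] if x["event"] == "auth_fail" and e["ts"] - x["ts"] <= window]
            if len(recent) >= fails:
                alerts.append({"src": src, "failures": len(recent), "at": e["ts"].isoformat()})
    return alerts
```

Each source keeps its own parser, but everything downstream (grouping, windowing, alerting) only sees the unified schema, which is what lets a SOC add a new log source without rewriting its detections.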
