How IBM views SOC and situational awareness

Posted by deaguero at 2020-03-18


Friday, May 5, 2017

SOC, that is, security operation center, read from the name itself: S -> security, meaning the events and processes a SOC handles should relate to enterprise network security; O -> operations, a dynamic activity including, but not limited to, real-time detection and response; C -> center, systematic construction, a comprehensive line of defense formed by "superimposing" security products and services from multiple domains.

As is well known, the implementation of security operation centers (SOC) in China has not been a success. They rely only on log analysis, endpoint security and similar tools, lack sufficient knowledge and talent to operate them, and find it hard to link organically with IT, business and regulatory departments. These problems leave many domestically self-built SOCs as little more than a SIEM, far from the capacity of a mature security operation center.

IBM has 10 self-built security operation centers around the world that help customers with remote security operation and maintenance, and has more than 18 years of experience in building and operating SOCs. At the beginning of this year, IBM Security officially released Watson's capabilities in the field of network security in the form of the QRadar component "Watson Advisor", and took the opportunity to launch the concept of the "cognitive SOC" to promote Watson's application in network security and the construction of the next-generation SOC.

So how does IBM, with its rich SOC experience and cutting-edge AI technology, view the "security operation center"?

1、 The core of SOC operation and maintenance

As a complex real-time response system, a SOC is an organic combination of personnel, process and technology. It assists managers in event analysis, risk analysis, early warning management and emergency response. For the construction and operation of a SOC, the following three points are crucial:

1. How the SOC works internally

The following process is probably the most common in a SOC:

SOC on-duty personnel discover a suspected attack -> the IT department collects the status, configuration and other information of the relevant assets and verifies the attack -> the security and IT departments submit an attack report to the enterprise change committee -> the change committee decides whether to make a service-stopping change.

All of the above steps are carried out by each department of the enterprise issuing work orders in the internal ITSM (IT service management) system.

So, from the perspective of capacity building, what capabilities should a SOC have?

2. Three layers of capability for a mature SOC

IBM believes that a mature SOC should focus on capacity building at three levels:

First, operational-level capability, such as the ability to open an incident response work order in time after discovering a (suspected) threat or receiving a security threat warning submitted by personnel inside or outside the enterprise. Second, the ability to judge false alarms and to locate, characterize and classify threats, so as to bring in different departments for technical or business-level support. Third, the ability to establish contact and exchange mechanisms with the relevant security vendors, managed service providers, industry regulators, public security and even the relevant national departments.

Among these, SOC managers should focus on the second level of capacity building, which is also the layer where detection and response capabilities are most concentrated.

It should be noted that security products are only the SOC's tools at the operational level, and simply stacking them up is "dead"; the people who can flexibly use these tools in combination with the enterprise's network environment and business characteristics are the real core of a mature SOC.

In addition, a SOC emphasizes the accumulation of a scenario library, that is, detection and response models for known security threats, and even the policy configuration of specific security products. Apart from the feedback and sharing of SOC security products deployed at customers by some security giants, this part also falls within the scope of customers' own capabilities.

3. Enterprise self-built security emergency response center (SRC)

At present, many domestic Internet enterprises, such as Tencent, Ant Financial, JD and others, have their own security emergency response center (SRC) to establish communication channels between internal IT/security departments and the outside world. The main responsibility of the SRC is to collect and summarize external intelligence, which complements the SOC's analysis and judgment of internal intelligence.

If an enterprise does not have enough budget to build its own SOC or to query a third-party threat intelligence platform, the only way for it to obtain a source of threat intelligence, and for white hats to report security issues, is the SRC (after is shut down).

Of course, in addition to intelligence collection, the SRC is also responsible for operating the white hat community, contacting the relevant internal departments for vulnerability verification and IT asset review/repair, reporting to internal/external regulators, assisting with staff security awareness training, and so on.

A self-built SOC costs a lot, and the mature SRC model in China can be seen as the embryonic form of a SOC at the level of external intelligence collection and event handling.

4. SOAPA - the evolution of SOC?

Although many people are still unclear about what a truly mature SOC is, the concept of SOC is likely to be replaced by new terms in the coming years.

At this year's RSA Conference, it was proposed to integrate platforms such as endpoint detection and response, incident response, sandboxing and threat intelligence within the SOC into a security operations and analytics platform architecture (SOAPA), so that security analysts can use different tools for real-time data mining and threat disposal.

This is also the direction in which many security vendors are building their own SOC product systems.

2、 Watson & Cognitive SOC

So what new surprises will Watson bring to the SOC?

Watson has been committed to applying machine learning, natural language processing and other technologies in the security field to help enterprise security analysts reduce the time spent on text such as threat reports and blog articles that previously had to be collected, read and understood manually, and to provide suggestions and evidence to assist decision-making.

After testing the security environment (including malware, cybercrime, abnormal behavior, etc.) in the real networks of 40 top-500 enterprises in finance, tourism, energy, automotive and other industries, Watson formally introduced cognitive technology into the security operation center through a QRadar component on the IBM App Exchange platform, and proposed the concept of the cognitive SOC.

What can Watson do to help security analysts in the SOC? A previous IBM study showed that security teams have to screen the really important issues out of 200,000 security events per day on average. Watson's most important task is to help them quickly prioritize security incidents and show how threats may be hidden in the network environment.

Cognitive technology can understand vast amounts of structured and unstructured data and help junior analysts quickly raise their professional level. By automatically ingesting information such as research reports and best practices and providing real-time input, it supplies skills and insights that in the past could only be obtained through years of experience. At the same time, cognitive technology can use analysis methods such as machine learning, clustering, graph mining and entity relationship modeling to identify potential threats, accelerating the detection of high-risk user behavior, data leakage and malware before an attack.

Watson, of course, does not make decisions on behalf of security personnel. On the contrary, by comparing the results of Watson's analysis every day with the conclusions of human security analysts, Watson keeps learning, and the overall defensive ability of the cognitive SOC against threats improves as well.

In terms of practical cases, IBM reached a cooperation agreement with the Swiss financial sector at the end of March this year, using the cognitive cybersecurity tools Watson provides to help the infrastructure operator SIX deliver more cutting-edge network security services for the Swiss financial market.

Of course, this new service will be open to both SIX and IBM customers, and will give priority to banking customers who need local security, regulatory, compliance and audit capabilities to help them comply with the relevant data privacy and data protection regulations. At the same time, the two companies will cooperate to develop and define the evolution roadmap of the "next generation security operation center", focusing on the use of cognitive technologies such as artificial intelligence to respond to threats at endpoints, in networks and in clouds.

3、 From SOC to situational awareness

The core of a security operation center is platform plus people, and one of its important goals is to support awareness of the network security situation.

Situational awareness itself is a relatively large concept, covering three levels: perception, understanding and prediction. It makes dynamic and rapid judgments and disposal decisions according to changes in the environment. But at present there are still many problems in the practice of situational awareness in enterprise networks. Because of lag in obtaining evidence, difficulty in fully controlling IT assets, preoccupation with compliance inspections, lack of talent and other reasons, the current work of the SOC is mostly after-the-fact response, and even real-time detection is hard to achieve.

In terms of the capability requirements for achieving situational awareness, IBM believes the following five points are critical:

1. Comprehensive control over the enterprise's current IT assets and environment

This includes a comprehensive assessment and detailed record of the enterprise's existing hardware and software assets and the security status of its network environment, so that the problem assets can be located quickly once a problem is found.

2. Combination of internal and external threat intelligence

Logs collected from network and security devices, suspicious behavior inside the network, and the collection of external intelligence such as access to third-party threat intelligence query/subscription platforms, domestic and foreign threat intelligence vendor alliances, the National Internet Emergency Center, and even informants inside the adversary's camp, including regular attention to the enterprise's data leaking onto the black market, etc.: all of these are initiatives the enterprise should take proactively. Only after internal and external threat intelligence has been collected can the security posture of the whole enterprise network be judged.

There is also a special kind of information acquisition, namely penetration testing, or even crowdsourced testing services. With the enterprise's authorization, testers actively look for weak points in the enterprise's network, sites or applications from the outside, which are then repaired after verification.

3. Management of vulnerabilities and risks

This includes the detection and repair of security vulnerabilities, the qualitative analysis of security events, etc., which should be defined according to the enterprise's internal asset status and business characteristics.

4. Emphasize the linkage between detection and response

"Detection -> discovery of a suspected attack -> judgment (i.e. verifying whether it is a false alarm) -> response" is the main workflow of most Party A (customer-side) security personnel. At present, security architecture focuses on defense, detection and response. It is impossible for an enterprise to defend against every security threat, but threats can be perceived in the early stage of an event/attack. This is also why situational awareness places more emphasis on "detection" technology.

At the same time, the linkage between detection and response is very important; rapid response helps enterprises reduce losses as much as possible. Specific incident response processes have different compliance requirements in different industries. Response processes should be refined and standardized for different levels of security events and for the different assets affected.
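As an added illustration (not IBM's or QRadar's code) of the detection -> judgment -> response workflow described above, this toy triage pipeline ties the workflow to the asset inventory and scenario library mentioned earlier in the post: a known-benign scenario turns a detection into a false alarm, the affected asset's criticality drives the priority, and the priority decides the routing. The alerts, asset inventory, scenario library, severity weights and the priority >= 6 escalation threshold are all constructed assumptions.

```python
from dataclasses import dataclass
# Constructed asset inventory (the "comprehensive control over IT assets" point):
# criticality 1 (low) .. 3 (business-critical), plus the owning team used for routing.
ASSETS = {
    "10.0.1.20": {"name": "web-frontend", "criticality": 2, "owner": "it-ops"},
    "10.0.2.5": {"name": "core-db", "criticality": 3, "owner": "dba"},
    "10.0.9.77": {"name": "vuln-scanner", "criticality": 1, "owner": "security"},
}
# Constructed scenario library: known-benign patterns that turn a detection into a false alarm.
BENIGN_SCENARIOS = [{"rule": "port_scan", "src": "10.0.9.77"}]  # the enterprise's own scanner
SEVERITY = {"port_scan": 1, "brute_force": 2, "malware_beacon": 3}  # constructed base severity

@dataclass
class Alert:
    rule: str
    src: str
    dst: str

@dataclass
class Ticket:
    alert: Alert
    disposition: str  # "false_alarm" or "incident"
    priority: int = 0
    route: str = ""

def judge(alert: Alert) -> bool:
    """Judgment step: True when the alert matches a known-benign scenario."""
    return any(s["rule"] == alert.rule and s["src"] == alert.src for s in BENIGN_SCENARIOS)

def triage(alert: Alert) -> Ticket:
    """Detection -> judgment (false-alarm check) -> response routing for one alert."""
    if judge(alert):
        return Ticket(alert, "false_alarm")
    # Locate the affected asset: internal destination first, else internal source (e.g. a beacon).
    asset = ASSETS.get(alert.dst) or ASSETS.get(alert.src) or {"criticality": 2, "owner": "it-ops"}
    priority = SEVERITY.get(alert.rule, 1) * asset["criticality"]  # ranges 1..9
    # High-priority incidents take the change-committee path; the rest go to the asset owner.
    route = "change-committee" if priority >= 6 else asset["owner"]
    return Ticket(alert, "incident", priority, route)

def run(alerts):
    """Return open incident tickets, highest priority first: the queue analysts work through."""
    tickets = [triage(a) for a in alerts]
    return sorted((t for t in tickets if t.disposition == "incident"), key=lambda t: -t.priority)
SAMPLE_ALERTS = [  # constructed detections
    Alert("port_scan", "10.0.9.77", "10.0.1.20"),  # authorised scanner -> false alarm
    Alert("brute_force", "203.0.113.9", "10.0.1.20"),  # 2 * 2 = 4 -> it-ops
    Alert("malware_beacon", "10.0.2.5", "198.51.100.3"),  # 3 * 3 = 9 -> change-committee
    Alert("port_scan", "203.0.113.9", "10.0.2.5"),  # 1 * 3 = 3 -> dba
]
```

Calling `run(SAMPLE_ALERTS)` drops the scanner's port scan as a false alarm and returns the beacon on the core database first, which is the ordering an analyst queue should present.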

5. Visualization capability

Visualization is not a "gorgeous" dynamic display of attacks, but deep insight into the (security) state of the network environment and its assets. In early February, IBM announced the completion of its acquisition of Agile 3 Solutions. The advantage of Agile 3 Solutions lies in its software, which provides better visualization and risk management capabilities related to sensitive data protection, and offers enterprise senior management a comprehensive, intuitive and business-friendly data risk management and control center platform.

It is reported that IBM has placed it in the data security services department of the IBM Security business unit to help Guardium analyze the risk to enterprise sensitive data, focusing on the monitoring and protection of sensitive data.

Related reading

It's time to realize SOC 2.0

Cognitive security: the security analyst's super assistant

Security Bull High-End Salon: let's talk about situational awareness