AIR-T11: What We've Learned Building a Cyber Security Operation Center: du Case Study
Tamer El Refaey, Senior Director, Security Monitoring and Operations, du Telecom, UAE
By the numbers
- 1,400 log sources
- 4,000 events per second
- 72 SIEM correlation rules
- 84% of breaches had available forensic evidence* (*Source: Verizon 2012 Data Breach Investigations Report)
Notes: integration of the Windows Update Server as a log source; correlation rules such as failed login followed by account lockout.
The Approach: we asked ourselves 6 questions. The process is iterative and the questions are not addressed in order.
Prioritize The Efforts
- Business impact assessment
- Critical business processes
- Credential repositories
- Compliance requirements
- Confidential data
- High value targets (HLR, AAA servers)
Notes: high value targets include executive management and privileged users.
Recognize The Threats
- Data leakage
- Malicious insider
- Web defacement
- Loss of revenue
- Malware infection
- Denial of service
Notes: the story of the leaked blocked-websites list in the du network. We rely heavily on outsourcing, so the malicious insider is one of our biggest threats.
Understand The Environment
- Vendors and partners
- Business processes
- Security policies
- Identity and access information
- Expected activities
- Privileged access confinement
Notes: the story of the service account that was trying to access mailboxes. Commands that hide caller IDs, and a parameter that stops a customer being billed.
Enhance Security Visibility
- Advanced endpoint visibility
- User behavior analytics
- Database activity monitoring
- Open source intelligence
Notes: usage of Nexthink, an IT technical support tool. This tool, together with malware analysis, contributed to 24% of detected incidents in 2014. The story of the sales agent who kept logging in on weekends and making a huge number of activations compared to his peers.
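The sales-agent story above is a peer-baseline check: an agent's weekend activity is compared with that of the other agents rather than with a fixed threshold. The following is an added example of that check, not du's code or Nexthink's; it assumes activation records arrive as (agent id, ISO-8601 timestamp) pairs and uses a median/MAD robust z-score so that the outlier agent does not inflate the baseline he is compared against.

```python
"""Peer-baseline check for weekend activations (added example, not du's tooling).
Assumed input: one (agent_id, ISO-8601 timestamp) record per activation."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample. 2016-05-02 is a Monday; 05-07 and 05-08 are Saturday and Sunday.
SAMPLE_ACTIVATIONS = (
    [("agent_a", f"2016-05-0{d}T10:00:00") for d in range(2, 7)]          # Mon-Fri
    + [("agent_b", f"2016-05-0{d}T11:00:00") for d in range(2, 7)]
    + [("agent_c", f"2016-05-0{d}T12:00:00") for d in range(2, 7)]
    + [("agent_c", "2016-05-07T09:00:00")]                                # one Saturday activation
    + [("agent_d", f"2016-05-0{d}T13:00:00") for d in range(2, 5)]
    + [("agent_d", f"2016-05-07T{h:02d}:00:00") for h in range(8, 20)]    # 12 on Saturday
    + [("agent_d", f"2016-05-08T{h:02d}:00:00") for h in range(8, 20)]    # 12 on Sunday
)

MAD_SCALE = 1.4826  # makes the MAD comparable to a standard deviation for normal data


def weekend_counts(records):
    """Count activations per agent that fall on Saturday or Sunday.
    Every agent present in the records is returned, even with a count of 0."""
    counts = defaultdict(int)
    for agent, ts in records:
        counts.setdefault(agent, 0)
        if datetime.fromisoformat(ts).weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            counts[agent] += 1
    return dict(counts)


def robust_z(value, peers, mad_floor=1.0):
    """Z-score of `value` against `peers` using median and MAD instead of mean and
    standard deviation, so one extreme peer cannot mask itself. The floor on the
    MAD handles the common edge case where most peers are at zero (MAD = 0),
    which would otherwise divide by zero."""
    center = median(peers)
    mad = median(abs(p - center) for p in peers)
    return (value - center) / (MAD_SCALE * max(mad, mad_floor))


def flag_outliers(records, threshold=3.5):
    """Return (agent, weekend_count, z) for agents whose weekend activation count
    is far above the leave-one-out peer baseline, highest z first."""
    counts = weekend_counts(records)
    flagged = []
    for agent, count in counts.items():
        peers = [c for a, c in counts.items() if a != agent]
        if not peers:
            continue
        z = robust_z(count, peers)
        if z > threshold:
            flagged.append((agent, count, round(z, 2)))
    return sorted(flagged, key=lambda row: -row[2])


if __name__ == "__main__":
    for agent, count, z in flag_outliers(SAMPLE_ACTIVATIONS):
        print(f"{agent}: {count} weekend activations, robust z = {z}")
```

With the constructed sample only agent_d is flagged; agent_c's single Saturday activation stays well under the threshold because the baseline is built from the peers, not from a fixed count.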
Search For Digital Crumbs
- SIEM
- Advanced security tools
- User awareness
- Hunting
Notes: building our use cases by looking for violations of policies and processes, for abnormal behavior, and for indicators of compromise. The story of a suspected user whose password was not working, which revealed a bug in one of our applications that could be used to change passwords remotely.
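The "failed login and account lockout" correlation rule mentioned on the numbers slide is a typical SIEM use case of the kind described here. The block below is an added example of such a rule over constructed log lines; it is not du's SIEM content. It assumes a simple key=value line format and uses the Windows Security Log event IDs 4625 (failed logon) and 4740 (account locked out); the threshold and windows are assumptions.

```python
"""SIEM-style correlation: a burst of failed logons for one account followed by a
lockout of that account. Added example; the sample log is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log. jsmith: 6 failures in 30 s, then a lockout.
# bob: 2 failures, no lockout. alice: a lockout with no preceding failures seen.
SAMPLE_LOG = """\
2016-05-02T08:00:01 host=dc01 event=4625 user=jsmith src=10.0.0.5
2016-05-02T08:00:07 host=dc01 event=4625 user=jsmith src=10.0.0.5
2016-05-02T08:00:12 host=dc01 event=4625 user=bob src=10.0.0.9
2016-05-02T08:00:13 host=dc01 event=4625 user=jsmith src=10.0.0.5
2016-05-02T08:00:19 host=dc01 event=4625 user=jsmith src=10.0.0.5
2016-05-02T08:00:25 host=dc01 event=4625 user=jsmith src=10.0.0.5
2016-05-02T08:00:31 host=dc01 event=4625 user=jsmith src=10.0.0.5
2016-05-02T08:00:40 host=dc01 event=4625 user=bob src=10.0.0.9
2016-05-02T08:01:00 host=dc01 event=4740 user=jsmith src=10.0.0.5
2016-05-02T08:02:00 host=dc02 event=4740 user=alice src=-
this line is not in the expected format and is skipped
""".splitlines()


def parse(line):
    """Parse one log line into a dict, or return None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["event"] = int(rec["event"])
    return rec


def has_burst(failures, min_failures, window):
    """True if any `min_failures` consecutive failures fall inside `window`."""
    for i in range(len(failures) - min_failures + 1):
        if failures[i + min_failures - 1]["ts"] - failures[i]["ts"] <= window:
            return True
    return False


def correlate(lines, min_failures=5, failure_window=timedelta(minutes=2),
              lockout_window=timedelta(minutes=5)):
    """Emit one alert per lockout that was preceded by a qualifying failure burst.
    A lockout without the burst (alice here) is not alerted on by this rule; it
    belongs to a separate, lower-priority rule so that the two do not share noise."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    failures = defaultdict(list)  # account -> failed logons seen so far
    alerts = []
    for ev in events:
        if ev["event"] == 4625:
            failures[ev["user"]].append(ev)
        elif ev["event"] == 4740:
            recent = [f for f in failures[ev["user"]] if ev["ts"] - f["ts"] <= lockout_window]
            if has_burst(recent, min_failures, failure_window):
                alerts.append({
                    "rule": "failed-logon-burst-then-lockout",
                    "user": ev["user"],
                    "host": ev["host"],
                    "failures": len(recent),
                    "sources": sorted({f["src"] for f in recent}),
                    "first_failure": recent[0]["ts"].isoformat(),
                    "lockout": ev["ts"].isoformat(),
                })
            failures[ev["user"]].clear()  # a lockout resets the window for that account
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The alert carries the source addresses and the first-failure time so an analyst can pivot without re-querying the raw events, which is where much of the analysis time described later on the automation slide goes.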
Measure The Performance
- Visibility status
- Detection method
- Successful breaches
- Weaknesses
- Detection time
- Response time
- Phase of detection
Notes: we stopped worrying about false positives.
The Outcome
Visibility vs Quality: the more rules and information sources we add, the more issues we discover, whether cyber or insider related. However, more rules mean more alerts, and the higher the noise.
Detection time: the increase in the 2016 average number of days was due to hunting activities.
Phase of incident detection: we are moving towards the left, which is an indication that we are detecting incidents earlier. We compare this with the outcome of the investigations.
What's after detection?
Three charts share the same time buckets (<1.5 hrs, <4 hrs, <8 hrs, <24 hrs, 1–7 days, >7 days):
- Time between compromise and detection
- Time between detection and start of incident response
- Time between incident response and containment
Our issue is related to engaging incident response as early as possible.
What We Learned
Insider threat
- Developers' access to production revealed an infected developer's machine
- VVIP data case
Context
- OOO status
- Identity
- Geolocation
- Threat score
- Vulnerabilities
- Access details
- IP reputation
- True positive score
- Employment status
- Compliance status
- Job role
Notes: threat score calculations; true positive predictability. We detected a large amount of e-mail sent to a personal e-mail address because the user was in his notice period.
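The notice-period story shows why context decides whether an alert is worth an analyst's time: the same e-mail volume from an active employee would rank far lower. The block below is an added example of that enrichment and ranking, not du's scoring model; the identity directory, the IP reputation feed, the alert categories and the weights are all constructed placeholders.

```python
"""Context-based true-positive scoring: enrich an alert with who the user is
(job role, employment status, OOO status), where it came from (geolocation,
IP reputation) and what it does, then rank. Added example with constructed data."""

# Constructed identity context (would come from HR / IAM systems in practice)
USER_CONTEXT = {
    "hmalik": {"job_role": "sales_agent", "employment_status": "notice_period",
               "out_of_office": False, "usual_countries": {"AE"}},
    "rkhan": {"job_role": "admin", "employment_status": "active",
              "out_of_office": True, "usual_countries": {"AE"}},
    "sali": {"job_role": "finance", "employment_status": "active",
             "out_of_office": False, "usual_countries": {"AE", "GB"}},
}

# Constructed IP reputation feed: 0 (clean) .. 100 (known bad)
IP_REPUTATION = {"203.0.113.7": 90, "198.51.100.4": 5}

# Assumed weights; each factor that fires adds its weight, capped at 100
WEIGHTS = {
    "notice_period_and_data_movement": 40,
    "activity_while_out_of_office": 30,
    "privileged_role": 15,
    "unusual_geolocation": 15,
    "bad_ip_reputation": 20,
}


def score_alert(alert, context=USER_CONTEXT, reputation=IP_REPUTATION):
    """Return (score, reasons); reasons lists the context factors that fired,
    so the analyst sees why the alert ranked where it did."""
    user = context.get(alert["user"], {})  # unknown users simply get no context boosts
    reasons = []
    if user.get("employment_status") == "notice_period" and alert["category"] == "data_movement":
        reasons.append("notice_period_and_data_movement")
    if user.get("out_of_office") and alert["category"] in {"interactive_logon", "data_movement"}:
        reasons.append("activity_while_out_of_office")
    if user.get("job_role") == "admin":
        reasons.append("privileged_role")
    if alert.get("country") and alert["country"] not in user.get("usual_countries", set()):
        reasons.append("unusual_geolocation")
    if reputation.get(alert.get("src_ip"), 0) >= 70:
        reasons.append("bad_ip_reputation")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons


def rank_alerts(alerts, **lookups):
    """Attach tp_score and reasons to each alert and sort highest score first."""
    enriched = []
    for alert in alerts:
        score, reasons = score_alert(alert, **lookups)
        enriched.append({**alert, "tp_score": score, "reasons": reasons})
    return sorted(enriched, key=lambda a: -a["tp_score"])


# Constructed alerts as they might arrive from the rules before enrichment
SAMPLE_ALERTS = [
    {"id": 1, "user": "sali", "category": "data_movement", "country": "GB",
     "src_ip": "198.51.100.4", "detail": "12 e-mails to a personal mailbox"},
    {"id": 2, "user": "hmalik", "category": "data_movement", "country": "AE",
     "src_ip": "198.51.100.4", "detail": "large volume of e-mail to a personal mailbox"},
    {"id": 3, "user": "rkhan", "category": "interactive_logon", "country": "US",
     "src_ip": "203.0.113.7", "detail": "VPN logon"},
]


if __name__ == "__main__":
    for alert in rank_alerts(SAMPLE_ALERTS):
        print(alert["id"], alert["user"], alert["tp_score"], alert["reasons"])
```

Keeping the reasons alongside the score is what makes the "true positive predictability" measurable afterwards: once investigations close, each factor's weight can be checked against how often alerts carrying it turned out to be real.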
Experience
- Hunting
- Endpoint visibility
- User behavior analytics
- Known IOCs
Notes: 18% of 2016 detected incidents were found through hunting.
Suspicion: if you can't explain it, it might be an attack. The story of the billing system connecting to the outside world on port 25.
Automation
- Periodic reports
- Response actions
- User notifications
- Evidence collection
Notes: 8 minutes between alerts and 20 minutes of analysis time. Automation is meant to reduce the mean time between alerts and increase the analysis time. Time saving per rule is 12 days per year.
Automation Sample: average saving is 12 man-days per year per rule.
Deterrence
- Insider threats
- Reduces noise
Notes: sending e-mails to users about their suspicious activities, such as remote access using VPNs, access after working hours, and uploads of data to external portals.
Show your work
[Video: Dashboard_Video_v3.0]
Apply what we discussed
Next week you should:
- Decide the appropriate security KPIs for your organization and what their targets should be
In the first three months following this presentation you should:
- Identify critical assets, processes, and high value targets within your organization
- Understand what the major threats you are concerned about are
- Know your environment and what its good state is
Within six months you should:
- Build different use cases that would look for IOCs in your environment
- Select the security intelligence solutions that you would consider implementing