Presentation is loading. Please wait.

Presentation is loading. Please wait.

AIR-T11 What We’ve Learned Building a Cyber Security Operation Center: du Case Study Tamer El Refaey Senior Director, Security Monitoring and Operations.

Published byMina Mikkelsen Modified over 5 years ago

Similar presentations

Presentation on theme: "AIR-T11 What We’ve Learned Building a Cyber Security Operation Center: du Case Study Tamer El Refaey Senior Director, Security Monitoring and Operations."— Presentation transcript:

1 AIR-T11 What We’ve Learned Building a Cyber Security Operation Center: du Case Study Tamer El Refaey Senior Director, Security Monitoring and Operations du Telecom, UAE

2 84% 1,400 Log sources 4,000 Events per second 72
SIEM correlation rules 84% of breaches had available forensic evidence* Integration of Windows Update Server Correlation rules such as failed login and account lockout Source: Verizon 2012 data breach investigation report

3 The Approach We asked our selves 6 questions.
Iterative and not in order

4 Prioritize The Efforts
Business impact assessment Critical business processes Credential repositories Compliance requirements Confidential data High value targets HLR AAA servers High value targets include executive management and privileged users

5 Recognize The Threats Data leakage Malicious insider Web defacement
Loss of revenue Malware infection Denial of service The story of leaked blocked websites list in du network We rely heavily on outsourcing, so malicious insider is one of our biggest threats

6 Identity and access information Privilege access confinement
Understand The Environment Vendors and partners Business processes Security policies Identity and access information Expected activities Privilege access confinement The story of the service account that was trying to access mailboxes Commands that hide caller IDs and parameter not to bill a customer

7 Enhance Security Visibility Advanced endpoint visibility
User behavior analytics Database activity monitoring Open source intelligence Usage of Nexthink; an IT technical support tool. This tool as well as malware analysis contributed to 24% of detected incidents in 2014 The story of sales agent keeps longing in weekends and making huge number of activations compared to his peers.

8 Advanced Security tools
Search For Digital Crumbs SIEM Advanced Security tools User awareness Hunting Building our use cases looking for violation of policies and processes. Looking for abnormal behavior. Looking for indicators of compromise The story of suspecting user whose password was not working revealed a bug in one of our applications that could be used to changed passwords remotely.

9 Measure The Performance Visibility status Detection method
Successful breaches Weaknesses Detection time Response time Phase of detection We stopped worrying about false positives

10 The Outcome

11 Visibility Vs Quality The more rules and information sources, the more we discover issues; cyber or insider related. However, the more rules, the more the alerts, the higher the noise

12 Detection time The increase of 2016 average number of days was due to hunting activities.

13 Phase of incident detection
We are moving towards the left which an indication that we are detecting incidents earlier We compare this with the outcome of the investigations

14 What’s after detection?
<1.5hrs Time between compromise and detection <4hrs <8hrs <24hrs >7 days 1–7 days <1.5hrs Time between detection and start of incident response <4hrs <8hrs <24hrs >7 days 1–7 days <1.5hrs Time between incident response and containment <4hrs <8hrs <24hrs >7 days 1–7 days Our issue is related to engaging of incident response as early as possible.

15 What We Learned

16 Insider threat Developers access to production revealed an infected developers machine VVIP data case

17 Context OOO status Identity Geolocation Threat score Vulnerabilities
Access details Vulnerabilities IP reputation True positive score Employment status Compliance status Job role Threat score calculations True positive predictability We detected large amount of s sent to personal because of he is in Notice Period

18 User behavior analytics
Hunting Endpoint visibility User behavior analytics Known IOCs Experience 18% of 2016 detected incidents happened through hunting

19 Suspicion If you can’t explain, it might be an attack.
The story of billing system connecting to the outside world on port 25

20 Automation Periodic reports Response actions User notifications
Evidence collection 8 minutes between alerts and 20 minutes analysis time. Automation is meant to reduce the mean time between alerts and increase the analysis time. Time saving per rule is 12 days per year.

21 Automation Sample Average saving is 12 man days per year per rule

22 Deterrence Insider threats Reduces noise
Sending s to users of their suspicious activities. Remote access using VPNs. Access after working hours. Upload of data to external portals

23 Show your work

24 Dashboard_Video_v3.0

25 Apply what we discussed
Next week you should: Decide the appropriate security KPIs for your organization and what their targets should be In the first three months following this presentation you should: Identify critical assets, processes, and high value targets within your organization Understand what the major threats you are concerned about are Know your environment and what its good state is Within six months you should: Build different use cases that would look for IOCs in your environment Select the security intelligence solutions that you would consider to implement

26

Download ppt "AIR-T11 What We’ve Learned Building a Cyber Security Operation Center: du Case Study Tamer El Refaey Senior Director, Security Monitoring and Operations."

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
Security intelligence: solving the puzzle for actionable insight Fran Howarth Senior analyst, security Bloor Research.

Security intelligence: solving the puzzle for actionable insight Fran Howarth Senior analyst, security Bloor Research.
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,

1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
© 2015 Cisco and/or its affiliates. All rights reserved. 1 The Importance of Threat-Centric Security William Young Security Solutions Architect It’s Our.

© 2015 Cisco and/or its affiliates. All rights reserved. 1 The Importance of Threat-Centric Security William Young Security Solutions Architect It’s Our.
Microsoft Ignite /16/2017 4:54 PM

Microsoft Ignite /16/2017 4:54 PM
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Ken Paiboon 214.274.3436 ken@exabeam.com User Behavior Intelligence Fundamentals: Behaviors, Characteristics, and Facts Ken Paiboon 214.274.3436 ken@exabeam.com.

Ken Paiboon User Behavior Intelligence Fundamentals: Behaviors, Characteristics, and Facts Ken Paiboon
Network security policy: best practices

Network security policy: best practices
The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions 631-692-5175 Steve Katz, CISSP Security.

The Difficult Road To Cybersecurity Steve Katz, CISSP Security Risk Solutions Steve Katz, CISSP Security.
Www.softwareassist.net Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.

Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
Dell Connected Security Solutions Simplify & unify.

Dell Connected Security Solutions Simplify & unify.

Similar presentations

Ads by Google