Kaspersky Security Operations Center Overview

The document discusses a Security Operations Center (SOC) services presentation by Kaspersky. It includes an agenda for the presentation covering welcome remarks, SOC challenges and Kaspersky services, and a Q&A session. It then provides overviews of what a SOC is, common challenges faced by SOCs, best practices for SOCs, Kaspersky's approach to helping SOCs, and Kaspersky SOC training on incident response.

Security Operations Center
Powered by Kaspersky
22.04.2020
AGENDA

1. Welcome by Siang Tiong Yeo, Kaspersky GM of SEA
2. Welcome by Ngo Khanh, Country Manager
3. SOC Challenges & Services - Dmitry Chernetsky, Global Presales Expert
4. How Kaspersky can help? - Nguyen Trong Huan, Presales Manager
5. Q & A
Welcome

Siang Tiong Yeo, Kaspersky GM of SEA
Ngo Khanh, Country Manager

SOC Services

Dmitry Chernetsky, Solution Architect, Global Presales Expert
What is SOC?

Security Operations Center: People, Processes, Technology

People
• Formal training
• On-the-job experience
• Vendor-specific training
• Internal training

Processes (the six-phase incident handling lifecycle)
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons learned

Technology
• Endpoint
• Netflow
• Network monitoring
• Threat intel
• Forensics
• Incident detection/management
Challenges faced by SOCs

• Uncertain about the mission
• Vague scope
• Selection and use of technology
• Skills shortage
• High attrition rate
• Management support
• Budget availability
• Lack of integration
• Governance issues
• Lack of documented processes
What it TAKES

A PDCA (Plan-Do-Check-Act) cycle, driven by global threat intelligence; one full cycle takes 1-2 years or more.

PLAN
— Define mission, goals, scope and stakeholders
— Create strategy and roadmap
— Build a service portfolio

DO
— Hire people
— Train
— Deploy tools
— Implement processes

CHECK
— Formal assessment
— Red teaming
— Lessons learned

ACT
— Adjust processes
— Tune SOC tools
— Define an action point for a new PDCA cycle
SOC Best Practices

Item #  Document name
1   ISO/IEC 27001:2013 "Information technology — Security techniques — Information security management systems — Requirements"
2   ISO/IEC 27002:2013 "Information technology — Security techniques — Code of practice for information security controls"
3   ISO/IEC 27035:2016 "Information technology — Security techniques — Information security incident management"
4   SOC capability maturity model (SOC-CMM)
5   MITRE ATT&CK framework
6   Incident Management Capability Metrics (IMCM)
7   NIST SP 800-61 Rev. 2, "Computer Security Incident Handling Guide"
8   Control Objectives for Information and related Technology (COBIT)
9   SANS Institute, "Creating and Managing an Incident Response Team for a Large Company"
10  Public recommendations of leading vendors and integrators on information security incident management
Step-by-step Cybersecurity Strategy

STEP 1: SECURITY FOUNDATIONS
Automated prevention technologies to block the maximum possible number of threats.
Threat share: ~90% (commodity threats)
Owner: IT Manager

STEP 2: ADVANCED DEFENSE
Focus on automated detection and a fast response to complex threats missed by preventive protection.
Threat share: ~9.9% (advanced and targeted attacks using known TTPs)
Owner: IT Security Manager

STEP 3: INTEGRATED CYBERSECURITY APPROACH
High levels of expertise, advanced use of threat intelligence, manual threat hunting.
Threat share: ~0.1% (APT actors; targeted attacks using unknown TTPs)
Owner: Mature IT security team or SOC
Our Approach

Module: People
SOC trainings:
  Incident Response
  Malware Analysis & Reverse Engineering
  Digital Forensics
  Advanced Malware Analysis & Reverse Engineering
  Advanced Digital Forensics
  Efficient Detection with YARA
Red Team/Blue Team training
Incident Communication
Security Awareness (ASAP platform & CITO online training)

Module: Process
Supporting SOC Strategy services
SOC Framework development
SOC Playbooks
SOC Maturity Assessment

Module: Technology
Kaspersky technologies:
  Kaspersky Threat Lookup
  Research Sandbox
  Cloud Sandbox
  Kaspersky CyberTrace
  Kaspersky Managed Protection on Premise
  Kaspersky Anti-Targeted Attack Platform
  Kaspersky EDR

Module: Services
Kaspersky services:
  Kaspersky Managed Protection
  Incident Response
  Malware Analysis
  Digital Forensics
  Security Assessment
  APT Intelligence Reporting
  Country-Specific TI Reporting
  Customer-Specific TI Reporting
  Threat Data Feeds
SOC Training – Incident Response

To make the right decisions, specialists should possess the appropriate knowledge to carry out the activities of an investigation and response process.

INCIDENT RESPONSE TRAINING PROGRAM
• Introduction to incident response
• Detection and primary analysis
• Digital analysis
• Create detection rules (YARA, Snort, Bro, now known as Zeek)

SKILLS GAINED
• Differentiate APTs from other threats
• Understand various attacker techniques and targeted attack anatomy
• Apply specific methods of monitoring and detection
• Follow the incident response workflow
• Reconstruct incident chronology and logic
• Create detection rules and reporting
SOC Training – Digital Forensics

Forensic analysis involves acquiring the evidence material, interpreting it and presenting the conclusions.

DIGITAL FORENSICS TRAINING PROGRAM
• Build a digital forensics lab
• Collect digital evidence and handle it properly
• Reconstruct an incident and use time stamps
• Find traces of intrusion in investigation artifacts on Windows OS
• Find and analyze browser and email history
• Be able to use the tools and instruments of digital forensics

SKILLS GAINED
• Be able to perform deep file system analysis
• Be able to recover deleted files
• Be able to analyze network traffic
• Reveal malicious activities from memory dumps
• Reconstruct an incident timeline
SOC Training – Malware Analysis

Malware analysis is the process of determining the purpose and components of a given malware sample.

MALWARE ANALYSIS TRAINING PROGRAM
• Build a secure environment for malware analysis: deploy the sandbox and all necessary tools
• Understand the principles of Windows program execution
• Unpack, debug and analyze malicious objects, identify their functions
• Detect malicious sites through script malware analysis
• Conduct express malware analysis

SKILLS GAINED
• Be able to analyze a modern APT toolkit, from receiving the initial sample all the way to producing a technical description with IOCs
• Be able to follow best practices in reverse engineering
• Be able to analyze exploit shellcode embedded in different file types
SOC Training – Incident Communication

Empowering corporate communications professionals to handle crisis communications, including developing and applying appropriate assets, while under attack from an unknown cyber-incident or Advanced Persistent Threat (APT).

INCIDENT COMMUNICATION TRAINING PROGRAM
• Keynote presentation
• Standard training: participants emerge armed with the knowledge, the tools and the confidence needed to perform effectively during and in the aftermath of a cyber crisis
• Tailored workshop: custom-built for your organization

SKILLS GAINED
• Understand the cyberthreats heading your way
• Know what should be done and how
• Coordinate effectively with your IT security team
• Gain experience through practical exercises
• Know what is essential, and safe, to say
• Update and implement your cyber-crisis communications plan
• Stay informed and up-to-date


SOC Processes

[Process diagram; only its labels survive extraction.]
Process blocks: Operations, maintenance & management; Monitoring & detection; Incident response; Vulnerability management; Vulnerability assessment; Reporting; Kaspersky Threat Intelligence as the external input.
Flow labels between the blocks: IOCs, TTPs, lessons learned, priority, context, statistics and detects, incident statistics and reports, KPIs.
Kaspersky Threat Intelligence

Four levels of threat intelligence, from lower level (technical) to higher level (strategic):

STRATEGIC (long-term; high-level information on risk)
Product: Tailored Threat Intelligence Reporting
• Understand the risk
• Develop proactive mitigation
• Justify budget and staffing requirements

TACTICAL (long-term; attacker techniques, tools and tactics)
Product: APT and Financial Threat Intelligence Reporting
• Improve the threat hunting mission
• Inform security operations and develop effective monitoring and detection use cases

OPERATIONAL (short-term; details of the specific incoming attack)
Products: Threat Lookup, Cloud Sandbox
• Increase visibility into the scope of an incident
• Boost incident response, reducing possible damage

TECHNICAL (short-term; machine-readable threat indicators)
Products: Threat Data Feeds, CyberTrace
• Enhance security controls
• Enable effective alert prioritization
• Prevent analyst burnout
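The technical level above is where a feed of machine-readable indicators meets the SOC's own logs; "effective alert prioritization" comes from normalizing both sides before matching and weighting a hit by the asset it landed on. The following is an added example written for this page, not code from the slide deck or from Kaspersky CyberTrace: the feed entries, log lines, host names and the ASSET_WEIGHT table are all constructed (RFC 5737 test addresses and .example domains), and the scoring rule (feed confidence times a hypothetical asset weight) is an assumption, not a vendor algorithm.

```python
"""Match machine-readable threat indicators (a feed) against SOC logs and
prioritize the resulting alerts.
Added example, not code from the original slide deck or from Kaspersky.
The feed, the log lines and the asset weights are all constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Indicator:
    ioc_type: str    # "domain", "ip" or "sha256"
    value: str
    confidence: int  # 0-100, as a feed would supply it
    threat: str


# Constructed feed: mixed case and a trailing dot on purpose, to show normalization.
FEED = [
    Indicator("domain", "Evil-Updates.EXAMPLE.", 90, "stand-in C2 domain"),
    Indicator("ip", "203.0.113.7", 60, "scanning infrastructure"),
    Indicator("sha256", "DEADBEEF" * 8, 95, "dropper"),
]

# Constructed log lines (DNS, proxy, EDR); hosts and addresses are fictitious.
LOGS = [
    "2020-04-22T10:01:00Z host=fin-01 dns query=evil-updates.example type=A",
    "2020-04-22T10:01:03Z host=fin-01 proxy dst=203.0.113.7 url=http://evil-updates.example/u",
    "2020-04-22T10:02:10Z host=hr-07 edr file=C:\\Users\\a\\x.exe sha256=" + "deadbeef" * 8,
    "2020-04-22T10:05:00Z host=web-03 proxy dst=198.51.100.20 url=http://intranet.example/",
]

# Hypothetical asset criticality weights; unknown hosts get weight 1.
ASSET_WEIGHT = {"fin-01": 3, "hr-07": 2}

_HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
_HOST_RE = re.compile(r"\bhost=(\S+)")


def normalize(ioc_type: str, value: str) -> str:
    """Canonical form so that feed and log spellings compare equal."""
    v = value.strip()
    if ioc_type == "domain":
        return v.lower().rstrip(".")
    if ioc_type == "sha256":
        return v.lower()
    if ioc_type == "ip":
        return str(ipaddress.ip_address(v))  # raises on malformed addresses
    raise ValueError(f"unsupported indicator type: {ioc_type}")


def build_index(feed: List[Indicator]) -> Dict[Tuple[str, str], Indicator]:
    return {(i.ioc_type, normalize(i.ioc_type, i.value)): i for i in feed}


def extract_candidates(line: str) -> List[Tuple[str, str]]:
    """Pull every hash, IPv4 address and domain-looking token out of a log line."""
    low = line.lower()
    cands = [("sha256", h) for h in _HASH_RE.findall(low)]
    for ip in _IPV4_RE.findall(low):
        try:
            cands.append(("ip", str(ipaddress.ip_address(ip))))
        except ValueError:  # e.g. 999.1.1.1 matched the regex but is not an address
            pass
    cands.extend(("domain", d.rstrip(".")) for d in _DOMAIN_RE.findall(low))
    return cands


def prioritize(logs: List[str], feed: List[Indicator],
               asset_weight: Dict[str, int]) -> List[dict]:
    """Return feed hits as alerts, highest score first."""
    index = build_index(feed)
    alerts = []
    for line in logs:
        m = _HOST_RE.search(line)
        host = m.group(1) if m else "unknown"
        for key in extract_candidates(line):
            ind = index.get(key)
            if ind is None:
                continue
            alerts.append({
                "host": host, "type": key[0], "ioc": key[1], "threat": ind.threat,
                "confidence": ind.confidence,
                "score": ind.confidence * asset_weight.get(host, 1),  # assumed rule
                "log": line,
            })
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in prioritize(LOGS, FEED, ASSET_WEIGHT):
        print(a["score"], a["host"], a["type"], a["ioc"], a["threat"])
```

Two of the four constructed lines hit the same C2 domain from the finance host, so they sort to the top ahead of the higher-confidence dropper hash seen on a less critical host; the intranet line produces no alert. In production the index would be rebuilt on each feed refresh and the candidate extraction would run on parsed fields rather than raw text, but the normalize-then-match-then-weight shape is the same.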


SOC Roles Training Mapping

Training columns: Security Awareness, Incident Response, Malware Analysis, Digital Forensics, Incident Communications

Roles (rows):
• SOC Manager
• Tier 1 Operators
• Tier 2 Analysts
• Threat intelligence and research team
• Operations and maintenance team
• Critical incident response committee

[The marks showing which training applies to which role did not survive extraction.]
SOC Maturity Assessment - Overview

• Complete vendor-agnostic assessment of an existing SOC (~750 questions)
• Based on the open maturity model SOC-CMM (CMMI-based)
• 5 domains: Business, People, Process, Technology, Services
• All domains are evaluated for maturity
• Technology and Services are evaluated for maturity and capability

SOC Assessment - Deliverables
[Chart slide; no text recoverable.]

SOC Assessment - opportunities for improvement
[Chart slide comparing current versus target maturity per domain, split into weak and strong domains.]
Red Teaming & Penetration Test

              Penetration Testing                                      Red Teaming
Main goals    Discover as many vulnerabilities as possible,            Simulate adversary behaviour while evading detection,
              demonstrate access to critical assets                    to test the reaction of the defending side
Limitations   Strict scope, ethics, timeframe                          Based on the threat model; none by default
Deliverables  List of vulnerabilities, remediation recommendations     Conclusions on defensive capabilities, improvement recommendations
Kaspersky for Security Operations Center

Kaspersky Technologies: Kaspersky Threat Lookup, Research Sandbox, Cloud Sandbox, Kaspersky CyberTrace, Kaspersky Managed Protection on Premise, Kaspersky Anti-Targeted Attack Platform, Kaspersky EDR, Kaspersky Data Center Security
Kaspersky Threat Intelligence: APT Intelligence Reporting, Country-Specific TI Reporting, Customer-Specific TI Reporting, Threat Data Feeds
Kaspersky SOC Consulting: SOC Strategy, SOC Framework, SOC Playbooks, SOC Maturity Assessment (SOC MA)
Kaspersky Services: Kaspersky Managed Protection, Incident Response, Malware Analysis, Digital Forensics, Security Assessment
Kaspersky Cybersecurity Training: Incident Response, Malware Analysis, Advanced Malware Analysis, Digital Forensics, Advanced Digital Forensics, YARA Training, Incident Communication
Kaspersky Security Awareness
Unified framework for SOC building projects: People, Process, Technology

Kaspersky for Security Operations Centers

INTELLIGENCE-DRIVEN SOC
• Advanced security training
• Threat Intelligence services
• Threat hunting services
• Malware analysis and digital forensics services
• Security assessment services
• Pentest and red teaming
• Kaspersky Anti Targeted Attack Platform
• Kaspersky Endpoint Detection and Response
• Kaspersky Research Sandbox
• Kaspersky Threat Attribution Engine

CLASSIC SOC CORE
Log collection & correlation; monitoring and alerting; case management; incident reporting
SOC Technologies and services

[Architecture diagram; recoverable components and data flows:]
Kaspersky products: Kaspersky Endpoint Security (logs, detects, asset info), Kaspersky EDR (response), Kaspersky Anti Targeted Attack (IOCs, automation, response), Kaspersky CyberTrace (IOCs into the SIEM), Kaspersky Threat Intelligence Portal (object lookup, various TI reports), Kaspersky Threat Intelligence Reports (attack tactics & IOCs), Kaspersky Research Sandbox (analysis of suspicious objects), Incident Response service (response).
3rd-party products: SIEM (logs, detects and asset info from data sources and targets), SOAR / case management (automation, response), vulnerability management (VM), reporting & visualization (aggregated info), external TI feeds and intel reports.
Kaspersky Endpoint Security for Business

(The GARTNER PEER INSIGHTS CUSTOMERS' CHOICE badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers' Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates. All reviews and ratings are current as of February 12, 2019.)

Meets requirements, prevents mistakes and scales:
• Alerts admins to potential errors
• Ensures software licensing compliance
• Smooth upgrades between versions
• Prevents risky behavior on endpoints
• Unlimited scalability

Protects mixed and complex environments by:
• Mitigating the risk from vulnerabilities & unencrypted PCs
• Server hardening
• Securing mobile users
• Stopping known TTPs

Reduces the number of events to free up time for critical issues:
• Automated EDR
• New SaaS offering
• System management
Kaspersky Sandbox

Deployment context shown: AD instances (cloud/on-premises), on-premises servers, WAN/LAN, mobile devices, roaming and on-premises hosts.

• Complements Kaspersky Endpoint Security for Business with advanced detection scenarios for new and targeted threats, without affecting endpoint performance
• Improved protection and automated response to advanced threats across all protected endpoints, including distributed networks with remote offices
• No additional investment in staff and in-house expertise
• Integration with 3rd-party solutions via a RESTful API, facilitating maximum benefit from the solution in complex environments

Architecture (diagram labels):
• KESB endpoints send object reputation requests (synchronous mode) and suspicious object analysis requests (asynchronous mode) to a high-availability Kaspersky Sandbox cluster behind load balancing
• The cluster keeps a shared cache of verdicts and returns the analysis result to the endpoints
• A dedicated network interface controls malware interactions with the internet during analysis
• Kaspersky Security Center provides centralized management/updates, response policy set-up and health checks
• Detection data is exported in CEF format to a SIEM
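The CEF export is the point where the sandbox's verdicts become SIEM events, and a SIEM connector has to get the format's escaping right or field values with backslashes and equals signs (Windows paths, command lines) silently corrupt. The following is an added example written for this page, not code from the slide deck or from any Kaspersky product: it parses CEF lines (syslog prefix, escaped header pipes, escaped extension values), skips non-CEF lines, and filters the events by severity. The vendor/product strings ("Acme|Sandbox"), the extension values and the hash are constructed stand-ins, not a real export.

```python
"""Parse CEF (Common Event Format) detection events of the kind a sandbox
exports to a SIEM, and triage them by severity.
Added example, not code from the original slide deck or from Kaspersky.
Vendor/product strings, field values and the hash below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample export: one line carries a syslog prefix, one has an
# escaped '|' in the header and escaped '=' and '\' in the extension, one is junk.
SAMPLE_LINES = [
    "Apr 22 10:15:42 sandbox01 CEF:0|Acme|Sandbox|1.0|100|Malicious object detected|9|"
    "src=10.1.2.3 fname=invoice.docx fileHash=" + "deadbeef" * 8 +
    " msg=Detected by behaviour analysis: process injection",
    r"CEF:0|Acme|Sandbox|1.0|101|Suspicious object \| quarantined|5|"
    r"src=10.1.2.9 fname=a\=b.exe msg=Path C:\\tmp\\x rt=1587550542000",
    "heartbeat from sandbox01, no CEF payload here",
]


@dataclass
class CefEvent:
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: Dict[str, str] = field(default_factory=dict)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the 7 pipe-delimited header fields, honouring the '\\|' and '\\\\'
    escapes; returns the fields and the remaining extension text."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, body[i:]


# A key starts the line or follows whitespace, so an escaped '\=' inside a
# value never starts a new key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


def _unescape(value: str) -> str:
    """Undo CEF extension escaping: '\\\\', '\\=', '\\n', '\\r'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> Dict[str, str]:
    keys = list(_KEY_RE.finditer(ext))
    parsed = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = _unescape(ext[m.end():end].strip())
    return parsed


def parse_cef(line: str) -> CefEvent:
    start = line.find("CEF:")          # tolerate a syslog prefix
    if start < 0:
        raise ValueError("no CEF payload")
    fields, ext = _split_header(line[start + 4:])
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return CefEvent(*fields, extension=_parse_extension(ext))


# CEF allows either 0-10 or the words Low/Medium/High/Very-High.
_SEVERITY_WORDS = {"low": 3, "medium": 6, "high": 8, "very-high": 10}


def severity_score(sev: str) -> int:
    s = sev.strip().lower()
    if s.isdigit():
        return min(10, int(s))
    return _SEVERITY_WORDS.get(s, 0)


def triage(lines: List[str], threshold: int = 7) -> Tuple[List[CefEvent], int]:
    """Return events at or above the threshold and the count of unparsable lines."""
    hits, bad = [], 0
    for line in lines:
        try:
            ev = parse_cef(line)
        except ValueError:
            bad += 1        # count rather than drop silently: a feed gap is itself a signal
            continue
        if severity_score(ev.severity) >= threshold:
            hits.append(ev)
    return hits, bad


if __name__ == "__main__":
    hits, bad = triage(SAMPLE_LINES)
    for ev in hits:
        print(ev.signature_id, ev.name, ev.extension.get("fileHash"))
    print("unparsable lines:", bad)
```

Of the three constructed lines, only the severity-9 detection passes the threshold, the escaped `\|` in the second line survives as a literal pipe in the event name, and the junk line is counted instead of discarded. Field names such as fileHash, fname and rt are standard CEF extension keys; which keys a given product actually emits has to be taken from its documentation.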
Automation processes in SOC supported by KATA/KEDR

DATA COLLECTION: files, URLs, telemetry (from agents), retrospective data; data storage for retrospective analysis
DETECTION ENGINES: anti-malware detection, YARA rules, ML algorithms, IoC scanning, IoA mapping, behavior analysis, certificate check
GLOBAL THREAT INTELLIGENCE: 100M+ users, real-time object reputation, advanced big data processing, expert analysis
SANDBOX: several emulation modes, dynamic analysis, evasion prevention, imitation of user actions, monitoring of interaction with internet resources, module loading
TARGETED ATTACK ANALYZER: verdict analysis, machine learning, retrospective analysis, event correlation, macro-incident formation
OUTPUT: verdicts and incidents go to the SOC / APT response team; agents carry out response actions

Kaspersky Anti Targeted Attack / Endpoint Detection and Response

• Automation of routine operations and visibility
• Advanced detection, quick IoC search, IoA analysis, MITRE mapping and threat intelligence access
• Centralized incident response process
• Reduction of IT-security risks
• Compliance
• Interaction with preventive technologies and enrichment of SIEM/SOC
• Automatic data collection and centralized storage
• Threat hunting
• One software product with a single web console
• Cost optimization: reduction of labor costs for handling complex incidents
SERVICE: Kaspersky Managed Protection

KMP anatomy (diagram labels): the customer's EPP sends metadata to Kaspersky Security Network; the Kaspersky SOC (24x7, KMP Cloud or KMP On-Premise) analyses it and returns incidents and response to the customer's security team, together with regular weekly reports and emergency reports. Locations listed: Frankfurt, Toronto, Moscow, Beijing, Hong Kong.

KMP detects:
• New malware that products failed to detect in automated mode
• Persistent attacks whose activities are below the detection thresholds of automated logic
• Non-malware attacks
• Fileless malware whose activities are executed exclusively in RAM
• Pentest-like attacks carried out by professional attackers
Kaspersky Security Awareness

Kaspersky Cybersecurity Awareness training products are comprised of 3 elements which intermesh, but which are also fully effective if used separately.

• Skills instead of just knowledge
• Computer-based: easy delivery, management & measurement
• Real-life examples & practical exercises: students are engaged and motivated
• Clear training structure and the latest L&D technologies: easy for administrators, efficient for students

Reduces the number of human errors by up to 80% (vendor figure).
NATIONAL CERT, CSIRT AND CYBER POLICE POWERED BY KASPERSKY

79 CERT, Cyber Police, CSIRT, Fin-CERT, governmental and multinational institutions' SOCs use Kaspersky products & services; 2 collaborate with Kaspersky Lab. Counts by country as shown on the map:

North America: Canada (1)
LATAM: Brazil (3), Colombia (2), Chile (1)
Europe: Belgium (2), France (2), Germany (5), Hungary (1), Israel (2), Italy (3), Luxembourg (1), Netherlands (1), Poland (1), Romania (1), Russia (12), Spain (2), Switzerland (1), UK (4)
META: Egypt (3), Rwanda (2), South Africa (3), Kuwait (1), Oman (1), Qatar (2), Saudi Arabia (4), Turkey (2), UAE (1)
APAC: China (5), India (1), Japan (5), Korea (4), Indonesia (1), Singapore (1)
Thank you!

Q&A

Contact:
Ngo Khanh: Khanh.Ngo@Kaspersky.com
Nguyen Huan: HuanTrong.Nguyen@Kaspersky.com
