
Cybersecurity Operations Center If you manage, work in, or …


MITRE
Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center

MITRE's accumulated expertise on enterprise-grade computer network defense

Ten Strategies of a World-Class Cybersecurity Operations Center conveys MITRE's accumulated expertise on enterprise-grade computer network defense. It covers ten key qualities of leading Cybersecurity Operations Centers (CSOCs), ranging from their structure and organization, to processes that best enable effective and efficient operations, to approaches that extract maximum value from CSOC technology investments. This book offers perspective and context for key decision points in structuring a CSOC and shows how to:

- Find the right size and structure for the CSOC team
- Achieve effective placement within a larger organization that enables CSOC operations
- Attract, retain, and grow the right staff and skills
- Prepare the CSOC team, technologies, and processes for agile, threat-based response
- Architect for large-scale data collection and analysis with a limited budget
- Prioritize sensor placement and data feed choices across enterprise systems, enclaves, networks, and perimeters

If you manage, work in, or are standing up a CSOC, this book is for you. It is also available on MITRE's website.

Carson Zimmerman is a Lead Cybersecurity Engineer with The MITRE Corporation. He has ten years of experience working with various CSOCs to better defend against the adversary. He has held roles in the CSOC ranging from tier 1 analyst to architect.

The MITRE Corporation is a not-for-profit organization that operates federally funded research and development centers (FFRDCs). FFRDCs are unique organizations that assist the government with scientific research and analysis, development and acquisition, and systems engineering and integration. We're proud to have served the public interest for more than 50 years.

MITRE Corporation
202 Burlington Road, Bedford, MA 01730-1420, (781) 271-2000
7515 Colshire Drive, McLean, VA 22102-7539, (703)

© 2014 The MITRE Corporation. All rights reserved. Approved for Public Release. Distribution unlimited. Case number 13-1028.

MITRE
Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center

© 2014 by The MITRE Corporation. All rights reserved.
MITRE Corporate Communications and Public Affairs
International Standard Book Number: 978-0-692-24310-7
Printed in the United States of America on acid-free paper

The views, opinions, and/or findings contained in this book are those of The MITRE Corporation and should not be construed as an official government position, policy, or decision, unless designated by other documentation.

This book discusses observations and ideas, and The MITRE Corporation expressly disclaims any warranty of any kind. Although products are discussed in this book, nothing in this book should be construed as an endorsement of any kind. The trademarks used herein belong to their respective holders. Approved for public release; distribution unlimited. Case Number

MITRE Corporation
202 Burlington Road, Bedford, MA 01730-1420, (781) 271-2000
7515 Colshire Drive, McLean, VA 22102-7539, (703)

Direct feedback or questions on this book to

Acknowledgements

There are many individuals whose hard work has contributed to the creation of this book. First of all, I would like to recognize Eric Lippart, whose many years of work in computer network defense (CND) contributed to every aspect of this book. The ten strategies outlined in the book emerged from the years we worked together to share best practices and solutions for CND across the federal government.

Several sections of this book are based, in part, on material from other MITRE work. The following sections incorporate ideas and expertise from other MITRE staff members:

- Scott Foote, Chuck Boeckman, and Rosalie McQuaid: Cyber situational awareness, Section
- Julie Connolly, Mark Davidson, Matt Richard, and Clem Skorupka: Cyber attack life cycle, Section
- Susan May: CSOC staffing, Section 7.2
- Mike Cojocea: Security information and event management (SIEM) and log management (LM) best practices, Section
- Joe Judge and Eugene Aronne: Original work on intrusion detection systems (IDS) and SIEM, Section and Section
- Frank Posluszny: Initial concept and development of material on Cyber Threat Analysis Cells, Sections
- Kathryn Knerler: CND resources and websites, Section
- Therese Metcalf: Material on various government CSOCs, which was used throughout this book
- Bob Martin: Technical editing and glossary
- Robin Cormier: Public release and project management
- Robert Pappalardo and John Ursino: Cover design
- Susan Robertson: Book layout and diagrams

The following individuals are recognized as peer reviewers for this book: Chuck Boeckman, Mike Cojocea, Dale Johnson, Kathryn Knerler, Eric Lippart, Rick Murad, Todd O'Boyle, Lora Randolph, Marnie Salisbury, Ben Schmoker, Wes Shields, and Dave

This book would not have been possible without the funding and mentorship provided by MITRE's cybersecurity leadership: Gary Gagnon, Marnie Salisbury, Marion Michaud, Bill Neugent, Mindy Rudell, and Deb Bodeau. In addition, Lora Randolph's and Marnie Salisbury's advice and support were instrumental in making this book.

This book was also inspired by the excellent work done by the Carnegie Mellon University (CMU) Software Engineering Institute (SEI) Computer Emergency Response Team (CERT®), whose materials are referenced herein. Their copyrighted material has been used with permission. The following acknowledgement is included per CMU SEI:

This publication incorporates portions of the "Handbook for Computer Security Incident Response Teams, 2nd Ed.," CMU/SEI-2003-HB-002, Copyright 2003 Carnegie Mellon University, and "Organizational Models for Computer Security Incident Response Teams," CMU/SEI-2003-HB-001, Copyright 2003 Carnegie Mellon University, with special permission from its Software Engineering Institute. Any material of Carnegie Mellon University and/or its Software Engineering Institute contained herein is furnished on an "as-is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. This publication has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute. CERT is a registered trademark of Carnegie Mellon University.

I would like to recognize the tireless efforts of the many operators, analysts, engineers, managers, and executives whose contributions to cyber defense have helped shape this book.

This book is dedicated to Kristin and the

Cover

"Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!" The Red Queen, to Alice, in Lewis Carroll's Through the Looking Glass

The adversary is constantly advancing its capabilities. Enterprise networks are always adapting to accommodate new technologies and changing business practices. The defender must expend all the effort it can just to stay in the same relative place, relative to what it must protect and defend against. Actually advancing its capabilities, matching or getting ahead of the adversary, takes that much more effort. Taking a concept from evolutionary biology, we draw a parallel, as others in cybersecurity have, to the Red Queen Hypothesis. The Cybersecurity Operations Center must constantly evolve its tactics, techniques, procedures, and technologies to keep pace. This is a frequent refrain throughout the book.

Contents

Executive Summary 1
Introduction 3
Fundamentals 8
Strategy

