Establishing detection and response capabilities


Sector: Engineering
Area of expertise: Cyber Security
Service area: Executing projects

THE SITUATION

A global engineering company had become even more reliant on technology and was increasing its global footprint through acquisitions. Several IT security assessments concluded that the company’s cyber security posture was not satisfactory when compared to its risk appetite.

Secondly, the detection and response processes were handled on an ad hoc basis and usually initiated via employee contact.

Finally, the client company had underinvested in creating a scalable IT setup, which had become increasingly complex due to expansion and acquisitions. The infrastructure was legacy based and in need of investment, simplification and better protection.

WHAT WE DID

The Chief Information Security Officer (CISO), the Head of Detection and Response, and Kopenhagen Konsulting agreed to improve detection and response capabilities and support the organization of a Security Operations Center (SOC). The project-related work included:

  1. Project plan (including governance, reporting and timeline)
  2. Structuring, planning, and support of procurement activities
    • Specify/identify the people, process, and technology requirements necessary to establish the SOC, i.e. to improve the IT security posture
    • Identify assessment framework (in collaboration with team and Procurement)
    • Market analysis and initial meetings with potential vendors
    • Create “shortlist” of contenders
    • Employ assessment framework during RFP (in collaboration with team and Procurement)
  3. Planning and execution of implementation activities
    • Deploy technology/services
      • Endpoint detection and response (EDR) – Microsoft Defender for Endpoint
      • Managed detection and response (MDR) – Managed Defense by Mandiant
      • Security Information and Event Management (SIEM) – Splunk
      • Case management/SOAR platform – Service Now SIR module
    • Write processes
      • Major IT Security Incident Response (MISIR) process document
      • Logging guideline (How to log -> Part of ISMS)
    • Optimize organization (people)
      • Describe different roles in SOC (and how they interface with technology and processes)
      • Create and execute training regime (Service Now SIR)
  4. Support project planning activities for 2022
  5. Handover activities

1) Creation of project management artifacts for planning, management, and reporting purposes

During the project, Kopenhagen Konsulting created and managed the project management artifacts as provided by the Cyber Information Security Programme. During certain stages of the project execution, it was found necessary to create and manage additional project management artifacts as well as ad hoc forms, to ensure progression.

The project management artifacts comprised:

  • Project plan/roadmap
  • Risk and issue log
  • Change log
  • Decision log
  • Meeting logs

Ad hoc artifacts:

  • IT Architecture board presentation (detailing the IT security product(s) to be implemented)
  • High-level target functional map (showing technology, people, processes, information flows etc.)

2) Structuring, planning, and support of procurement activities

Kopenhagen Konsulting drove the structure, planning and support of procurement-related activities as well as all the pre-procurement activities. This was done in close collaboration with the internal IT security team and Procurement team.

The first task was to pinpoint the people, process, and technology needs necessary to establish an initial operating capability for the SOC, i.e. to raise the IT security posture.

The next step was to identify and select an assessment framework enabling an apples-to-apples comparison between potential vendors. The framework was formed in a collaborative effort between the IT security team and the Procurement team. Based on desk research/market research, several vendors were invited for introductory sessions.

Initial meetings were held with potential vendors. These were for informative/explorative purposes and preliminary to creating the shortlist of vendors that would eventually participate in the RFP.

During the RFP all vendors on the shortlist were invited to respond to the questionnaire listed in the assessment framework. A holistic approach to vendor selection was important due to the fact that several tools/services had to fit together. This also underlines the importance and reasoning for bundling 3 IT security purchases into one RFP.

The recommendation was presented to the Steering Committee for final decision.

3) Planning and execution of implementation activities

The planning and execution activities were handled individually for all 4 technologies/services:

  • Endpoint detection and response (EDR) facilitated through MDE (Microsoft)

Step 1 in implementing the EDR agent was to ensure that the client company had an overview of its endpoints including both servers and laptops as well as their attributes (software version, use, owner, and geographic placement). This overview was based on various sources, as the client did not own and maintain a single repository. After the general overview was created an initial scope was set (percentage goal of >75% coverage across all supported servers and laptops).

As the deployment would result in an increased level of monitoring of end users, communication and, in certain countries, formal ‘acceptance’ needed to be established.

The deployment was executed and verified in increments and in groups.

The end result of the deployment was >98% coverage across supported servers and laptops. Only Germany had to be left out of scope, as legal complications prevented a rollout.
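Step 1 above (stitching the endpoint overview together from several sources and measuring coverage against the >75% goal, with unsupported systems and the country left out of scope excluded from the denominator) as an added Python example; it is not part of the original case study, and the hostnames, inventory sources, unsupported-OS list and EDR console data are constructed assumptions.

```python
# Constructed sample data: the client had no single asset repository, so the overview
# is stitched together from several sources (here AD, CMDB and a VM list). Hostnames
# and attributes are hypothetical.
INVENTORY_SOURCES = {
    "ad": [
        {"host": "DE-LAP-001.corp.example", "type": "laptop", "country": "DE", "os": "Windows 10"},
        {"host": "dk-srv-010.corp.example", "type": "server", "country": "DK", "os": "Windows Server 2019"},
        {"host": "us-lap-004", "type": "laptop", "country": "US", "os": "Windows 11"},
    ],
    "cmdb": [
        {"host": "dk-srv-010", "type": "server", "country": "DK", "os": "Windows Server 2019"},
        {"host": "dk-srv-011", "type": "server", "country": "DK", "os": "Windows Server 2008"},
        {"host": "us-srv-020", "type": "server", "country": "US", "os": "Ubuntu 20.04"},
    ],
    "vmware": [{"host": "us-srv-021", "type": "server", "country": "US", "os": "Windows Server 2016"}],
}
EDR_ONBOARDED = {"dk-srv-010", "us-lap-004", "us-srv-020"}  # constructed: devices seen in the EDR console
UNSUPPORTED_OS = {"Windows Server 2008"}   # assumption: no supported agent for this OS
OUT_OF_SCOPE_COUNTRIES = {"DE"}            # legal complications prevented a rollout there

def normalize(host: str) -> str:
    """Lower-case short hostname so AD FQDNs and CMDB short names match."""
    return host.split(".")[0].lower()

def merge_inventories(sources):
    """Union of all sources keyed by normalized hostname; the first source seen wins on attributes."""
    merged = {}
    for name, records in sources.items():
        for rec in records:
            key = normalize(rec["host"])
            merged.setdefault(key, {**rec, "host": key, "sources": []})["sources"].append(name)
    return merged

def coverage_report(merged, onboarded, target=0.75):
    """Coverage of in-scope, supported endpoints (overall and per country) plus the gap list."""
    in_scope = {h: r for h, r in merged.items()
                if r["country"] not in OUT_OF_SCOPE_COUNTRIES and r["os"] not in UNSUPPORTED_OS}
    per_country = {}  # country -> [onboarded, total]
    for h, r in in_scope.items():
        counts = per_country.setdefault(r["country"], [0, 0])
        counts[1] += 1
        counts[0] += int(h in onboarded)
    covered = sum(int(h in onboarded) for h in in_scope)
    coverage = covered / len(in_scope) if in_scope else 0.0
    return {"total_in_scope": len(in_scope), "covered": covered, "coverage": coverage,
            "meets_target": bool(in_scope) and coverage >= target,
            "per_country": {c: n / d for c, (n, d) in per_country.items()},
            "missing": sorted(h for h in in_scope if h not in onboarded)}
```

The "missing" list is what drives the next deployment increment, and a host that appears in only one source is a hint that the inventories themselves need reconciling.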

  • Managed detection and response (MDR) facilitated through Managed Defense (Mandiant)

Setting up MDR with Mandiant was a simple task. The EDR data (which must come from either Mandiant’s own HX agent or Microsoft’s MDE) is sent to Mandiant’s online instance.

Afterwards, it is mostly a matter of proving that data is flowing at an adequate speed and that Mandiant is responding to/seeing what the client perceives as potential threats.

  • Security Information and Event Management (SIEM) – Splunk

The technology works by placing universal forwarders on each server; these then, depending on what was decided to be most effective, either forward the data to a heavy forwarder (hub-and-spoke principle) or send it directly to the cloud. The SIEM solution required the following elements to be deployed:

  • A high-level architecture map/network drawing detailing how the information would flow to the Splunk cloud
  • A decision on what the immediate scope would be. Phase 1 of the rollout was DCs, DNSs, and DHCPs (globally).
  • VMs for the heavy forwarders
  • Firewall change requests

The solution was deployed incrementally.
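The verification step that both the MDR feed and the SIEM rollout above depend on (proving that data is flowing at an adequate speed and that every in-scope source actually reports) as an added Python example; it is not part of the original case study, and the events, hostnames and thresholds are constructed assumptions. Each event carries the timestamp the source wrote and the time the SIEM indexed it, as a Splunk search would expose them.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

def _ev(host, sourcetype, age_min, lag_s):
    """Constructed event: written age_min minutes ago, indexed lag_s seconds later."""
    t = NOW - timedelta(minutes=age_min)
    return {"host": host, "sourcetype": sourcetype, "_time": t, "_indextime": t + timedelta(seconds=lag_s)}

# Constructed sample and the phase-1 scope (DCs, DNS, DHCP); hostnames are hypothetical.
SAMPLE_EVENTS = [
    _ev("dk-dc-01", "WinEventLog:Security", 3, 30),
    _ev("dk-dc-01", "WinEventLog:Security", 2, 60),
    _ev("us-dns-01", "dns", 5, 1200),         # forwarder backlog: indexed 20 minutes late
    _ev("dk-dhcp-01", "dhcp", 60, 10),        # nothing received for an hour
    _ev("us-srv-020", "linux_secure", 1, 5),  # sending data but not in the agreed scope
]
EXPECTED_SOURCES = {
    ("dk-dc-01", "WinEventLog:Security"), ("us-dc-02", "WinEventLog:Security"),
    ("us-dns-01", "dns"), ("dk-dhcp-01", "dhcp"),
}

def flow_health(events, expected, now=NOW, max_lag_s=300, max_silence_s=900):
    """Classify each expected (host, sourcetype) as ok / slow / silent / missing and list
    sources that send data without being in scope. Thresholds are assumptions."""
    seen = {}
    for e in events:
        key = (e["host"], e["sourcetype"])
        lag = (e["_indextime"] - e["_time"]).total_seconds()
        s = seen.setdefault(key, {"max_lag": 0.0, "last": e["_time"]})
        s["max_lag"] = max(s["max_lag"], lag)
        s["last"] = max(s["last"], e["_time"])
    report = {}
    for key in expected:
        if key not in seen:
            report[key] = "missing"                      # onboarded on paper, never seen
        elif (now - seen[key]["last"]).total_seconds() > max_silence_s:
            report[key] = "silent"                       # was flowing, has stopped
        elif seen[key]["max_lag"] > max_lag_s:
            report[key] = "slow"                         # arrives, but too late to act on
        else:
            report[key] = "ok"
    unexpected = sorted(k for k in seen if k not in expected)
    return report, unexpected
```

A "silent" or "missing" source is as much a detection gap as an unprotected endpoint, so the same check is worth running on a schedule after the rollout, not only during acceptance.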

  • Case management/SOAR platform – Service Now SIR module

The Service Now module was acquired outside of the concluded RFP process and required internal application and platform owners to agree to the implementation. An external team from Service Now was brought in to ensure implementation was done according to best practice.

Stories detailing the sought-after functionality were created as a collaborative effort between ServiceNow and the client.

In addition to the deployment of technologies and services, new documents and processes were detailed and published in compliance with existing processes.

Finally, a target organization for 2022 was created as well as descriptions of each role in the SOC. This was accompanied by a high-level document showing how all the added technology, services, information and process flows interacted.

4) Support project 2022 planning activities

Overall ambitions for 2022 were framed by the client in collaboration with programme management. This resulted in the high-level goal of fulfilling all CIS critical security controls, at which point Kopenhagen Konsulting, other project managers and their teams were involved to do the more detailed planning of Q1.

The planning activities included high-level gap-analysis and roadmap, as well as more detailed action and resource planning for Q1. The activities were completed in collaboration with the involved teams and relevant stakeholders.

5) Handover activities

All activities were planned and executed in collaboration with the next project manager as well as the current programme manager to ensure that everything was completed in accordance with the client’s wishes. A non-exhaustive list of activities and deliverables included: handover document, progress reports, introductions, organizational charts, stakeholder overviews, roadmaps, etc.

THE OUTCOME

The EDR and SIEM technology implementations have provided the client with increased visibility into what is “moving” in their IT environment, a vital part of incident response (both across their endpoints and anything that is eventually onboarded into Splunk). A SIEM logging guideline was written and published as a part of the ISMS. This informs the rest of the company on ‘how’ they can live up to the logging requirements set in other documents.

The acquisition and deployment of MDR provided a quick IT security posture increase, as all the data from the EDR was funneled to Mandiant for analysis. Mandiant would subsequently provide reports and recommendations based on their algorithms.

Service Now (SIR module) was stood up as an automation platform to make it easier for a small team to manage and respond adequately, timely, and correctly to incidents. The process

Finally, the project ideated and documented a MISIR plan, which is essential in any case where normal incident response does not suffice.

To summarize the value generated: the client now has visibility into its own network/IT environment across most of its digital footprint, and can act on alarms/incidents adequately and in a timely manner.