
Proposal for Security Operation Center

Security Operation Center


For Framework Definition Phase

Table of Contents:

1. Executive summary
2. Project context
3. Project scope and approach

1. Executive Summary

Want to check value proposition etc. with Leonard.

Further to the Security Workshop with Telecom Malaysia<CLIENT> and your interest in our services and solutions for a Security Operations Center (SOC), we are pleased to provide you with this offer summarizing TRI-IT Networks' proposal to assist Telecom Malaysia<CLIENT> in the framework definition phase of setting up a Security Operation Center within your organization. The framework definition is the first part of the TRI-IT Networks delivery methodology and comprehensive SOC program outlined below. Based on its successful execution, TRI-IT Networks will provide you with the following security benefits:

- Comprehensive analysis and qualification of your requirements on the SOC, its integration into your organization, process and security framework, and your IT / network infrastructure.
- Substantial and complete assessment of the time and effort needed for a proper implementation.
- Reduced implementation risk, achieved by defining and prioritizing the detailed requirements for security monitoring and by selecting the vendor that can best satisfy the functional and technical requirements.

All this is achieved by leveraging the comprehensive security knowledge network of TRI-IT, our expertise in SOC and security consulting, and our capability to combine the mandatory security know-how with the requirements of IT and telecommunication.

Want to add a statement about the timeline once agreed by all team members. Scope is IT (telco later).

2. Project context

Telecom Malaysia<CLIENT> has expressed its need to adhere to higher standards in the area of Security Monitoring and Management by deploying a Security Operation Center. It is Telecom Malaysia<CLIENT>'s intention to start with the integration and monitoring of the IT infrastructure and to add, as soon as possible and in a gradual manner, the security-relevant parts of the telecommunication environment as well. The final objective of Telecom Malaysia<CLIENT>'s SOC is to offer comprehensive security monitoring and management that encompasses people, process and infrastructure (solutions).

From TRI-IT's point of view, a SOC infrastructure shall include at least solutions such as Security Information & Event Management (SIEM) and Vulnerability Management, designed, customized and integrated into the operator's environment by the SOC and security experts of TRI-IT. With this approach, security information, log data and events are collected, correlated, analyzed and stored for incident management and forensic analysis purposes. Networks and systems are scanned for vulnerability identification, vulnerability reporting and compliance reporting.

A security dashboard is provided to illustrate the effectiveness of controls in achieving compliance and to demonstrate the justification of security investments. A SOC gives organizations the ability to centralize all critical security information into one single console, thereby reducing the need for multiple staff members to manage and monitor the distinct devices. The objective is to empower the SOC analyst with the best information to enable fast, automated responses. The SOC solution will bring the following main benefits to Telecom Malaysia<CLIENT>:

- Compliance - provides proactive security incident detection and reporting, as well as an easily traversable audit trail, for accountability.
- Forensic investigation - reduces the time required to research a fraud incident or other investigation, and improves the effectiveness of many such investigations.
- Reporting - comprehensive reporting to see the real-time security posture of the organization, to justify security investments and to satisfy audit requirements.
- Security of critical assets - improved overall situational awareness, chain of custody, and efficient vulnerability and threat identification, prioritization and management.
- Operational efficiency - efficient processes resulting in fast response times, high QoS, and simplified and improved incident management.

For the development of a SOC, Telecom Malaysia<CLIENT> has adopted a phase-wise approach starting with the proposed Security Framework Definition Phase of TRI-IT, followed by the other phases of our overall SOC program (incl. SOC integration and implementation). With this proposal, TRI-IT offers to conduct the Security Framework Definition Phase for Telecom Malaysia<CLIENT>, addressing the following key objectives:

- Gather business, technical, legal, regulatory and user data requirements with respect to security monitoring and management.
- Perform an assessment of the current security operations setup and of the vulnerability management program.
- Perform a vendor analysis.
- Develop a high-level SOC architecture.
- Develop solution blueprints.
- Develop a test approach.

3. Project scope and approach

3.1 Project scope:

Within the context described in the previous section, the project scope described hereafter refers to the SOC Framework Definition Phase, consisting of the base components required for the successful implementation of a SOC for Telecom Malaysia<CLIENT>. The goals of the SOC Framework Definition Phase are:

A. Analysis of detailed functional and technical requirements for logging, monitoring and vulnerability assessments. Systems within the scope can include, but are not limited to:

- Platforms: Unix (AIX, Sun Solaris), Linux, Windows Servers.
- Network components: firewalls, routers, switches, remote access devices.
- Other infrastructure components.
- RDBM systems (DB2, SQL Server).
- Web and application servers (IIS, Websphere).
- Email servers.
- Security-related systems: email content filters, anti-virus systems etc.

The scope of the current offer is Telecom Malaysia<CLIENT>'s IT. In a later phase we may also add telecommunication components and systems such as Operational Support Systems or Business Support Systems.

B. Analysis of the business and legal requirements: This includes the requirements for integration with existing monitoring systems, third-party ticketing tools, asset databases etc. Also included are the compliance requirements of standards/regulations (e.g. SOX-related requirements, privacy requirements, etc.) and performance/response requirements.

C. Assessment of the current vulnerability management / security operations setup: This includes the study of the current processes around security operations. These processes can include the incident management process, escalation process, communication flow, and change and configuration management processes. It also includes the assessment of the current vulnerability management program.

D. Vendor selection: This includes the development of vendor selection criteria and, based on them, the selection of vendors to fulfill the needs of security monitoring and vulnerability management.

E. Development of high-level architecture, test approaches and solution blueprint: This includes the development of a high-level architecture with scalability, reliability and high availability in view. It also includes the development of the solution blueprint and test cases to be followed in later phases of the project.

F. Assessment of effort estimates for the Implementation Phase: This includes the effort and time estimation required for the deployment of the other phases of the SOC program (implementation and support phase).

G. Assessment of this SOC will be done at 1 site (<CLIENT>), to be determined by <CLIENT>.

3.2 Project approach:

The approach begins with a short project startup to complete the planning and preparation for the requirements gathering, design activities and vendor selection. Detailed planning for the activities of the implementation phase will be completed after the design strategy for logging and monitoring has been determined and the vendor has been selected. The objectives and tasks to be conducted during the project are described in more detail below.

A) Project Startup

Objectives: The goal of the Project Startup is to hold an initial kickoff meeting to validate the scope of the project and create the detailed project plan for the other phases of work.

Major tasks:
- Review and agree on project scope and activities.
- Develop a detailed project plan.
- Define the major tasks in each phase of the project.
- Identify and assign TRI-IT and Telecom Malaysia<CLIENT> resources.
- Identify documentation requirements for regulatory compliance.

Management Checkpoint #1: Review and validate project scope and initial project plan

B) Requirements gathering

Objectives: The goal of the requirements gathering is to develop detailed requirements for logging and monitoring for the systems identified in the Project Scope section above. The requirements will be specified in enough detail to support the design of the log management and monitoring systems.

Major tasks:
1. Review the existing technical documentation for each platform and infrastructure component.
2. Evaluate the completeness of the proposed requirements and their impact on <CLIENT> systems and potential design approaches. Requirements will be developed for event logging, log management, monitoring and vulnerability management.
3. Prepare proposed requirement specifications in each area for review by Telecom Malaysia<CLIENT>'s management: document the proposed requirement specifications for event logging, log management, system monitoring and vulnerability management; present the requirement specifications for Telecom Malaysia<CLIENT>'s review and approval; modify or update the requirement specifications in accordance with feedback.

Management Checkpoint #2: Review and accept requirement specifications and approve initiation of design activities.

C) Logging, Monitoring and Vulnerability Management Design

Objectives: The goal of this phase is to create effective designs for logging and monitoring systems that satisfy the requirements identified in the requirements phase. These designs will act as a guide for the further phases of SOC development.

Major tasks:
1. Develop a detailed design for a log management system.
2. Develop a detailed design for security monitoring.
3. Develop a detailed design for vulnerability management.

Management Checkpoint #3: Approve Log Management, Monitoring and Vulnerability Management Designs.

D) Vendor Selection

Objectives: The goal of this phase is to identify a maximum of 2 vendors for the Proof of Concept that meet Telecom Malaysia<CLIENT>'s requirements for Security Monitoring & Management and Vulnerability Management.

Major tasks:
- Develop vendor selection criteria.
- Assess the vendors' ability to execute against the different business and technical requirements.
- Shortlist two vendors to be considered for the vendor selection.
- Prepare a Vendor Selection Report with a recommendation for the preferred vendors.

Management Checkpoint #4: Vendor Selection Report approved.

E) Implementation Work Plan

Objectives: Finalize the SOC deployment scope and define the detailed implementation work plan for the other phases, taking into account the results of the technical/functional analysis and the selected vendor.

Management Checkpoint #5: Implementation plan approved.
