Draft – Preliminary Work Product Telstra Enterprise and Government [Insert.

Presentation transcript:

Draft – Preliminary Work Product
Telstra Enterprise and Government
[Insert Title Here] Version 1.2
Telstra Security Operations Centre (T-SOC)
QuestNet
Andy Solterbeck, September 2009

Security Context
Major Security Themes:
-Frequency, size and duration of attacks are increasing
-Attacks are being mounted from all layers of the network
-Attacks from outsiders are increasing as a percentage of all attacks
-Attacks from organised crime now form the majority of attacks
Security incidents have significant consequences:
-Damage to reputation and brand
-Loss of stakeholder confidence
-Loss of revenues
-Loss of customers
-Regulatory action/sanction
-Litigation/legal action
Within the last 6 weeks more than 12 organisations have been under attack

Telstra has the Capability to Deliver A Unique Value Proposition
Target market value drivers:
1. Ensure business continuity
2. Realise ROI in security (including opportunity cost of capital)
3. Business risk mitigation: Compliance, Brand, Shareholder Price
Target market capability requirements:
1. Recognise threats quickly and accurately
2. Rapidly respond with right solution to prevent and to recover
3. Demonstrate the investment in security precautions reflects the risk profile of my enterprise
TSOC: View Security Events core and Customer; People (Cleared); Process (DSD Approved); Tool (End to End Visibility, Portal); Business Case in Development
Highly Secure Network: Encrypted Overlay (Service); People (Cleared); Process (DSD Approved); Tools (Project Enterprise); Business Case in Development
Better AE Engagement; Marketing Engagement; Project Enterprise
Secure Services: Secure Gateways, UC & Voice; Requires Data Centre Facility (T4); People (Cleared); Process (DSD Approved); Tools (Cisco/EMC/RSA/VMWare); Secure TIPT
See Visibility, Capacity, Capability, Certification

Security Consideration: Capacity
Telstra maintains 100% physically separate Internet and Private IP networks:
-Significant events on one network are isolated from the other logically and physically.
-Internet and corporate traffic is physically separated from the Internet.
Capacity is maintained in both networks at a level exceeding all other Australian providers, allowing Telstra to manage extreme traffic events without customer interruption:
-An Internet based DoS attack is isolated from critical business traffic. Even an attack of unprecedented scale on Telstra infrastructure would not affect traffic within the private IP Network (branch, call centre, corporate)
[Diagram: Telstra NextIP and Optus; labels: Internet Cleaning, Large Attack, Internet/IP Core, Good Traffic, Corporate IP Voice, Corporate IP Data]

Security Consideration: Visibility
Telstra gathers detailed telemetry from all layers and devices in our networks to understand emerging threats and challenges. All data is integrated into Telstra Security Operations Centre monitoring.
Telstra engages in a worldwide security community, enabling the engagement of global peers in mitigation of security incidents and the gathering of intelligence where required.
To fully protect the customer, the Service Provider must have end-to-end visibility of all circuits that carry ANZ traffic. Any handoff to an alternate carrier network is a vulnerability.
[Diagram: network layers (Physical, Data Link, Network, Transport) shown for Telstra and for Optus; label: Monitor & Manager Gap]
Telstra provides visibility at all network layers, ensuring attacks are dealt with regardless of origin

Security Consideration: Capability Core
The Telstra Security Operations Centre provides 24/7 monitoring across Telstra infrastructure using state of the art correlation tools and processes, all within an ASIO T4 certified centre.
Any issues are escalated to the Telstra Computer Emergency Response Team (T-CERT), a dedicated security team to manage incidents.
T-CERT engages any required resources from all operational and SME teams to investigate, mitigate and resolve any identified issue.
T-CERT engages Telstra’s Network Hardening Teams to review the incident, quantify the lessons learned from the incidents and protect all other Telstra environments against similar classes of attack vector.

Security Consideration: Certification
Independent verification and validation of Security capability allows ANZ to more quickly and easily meet regulatory compliance requirements
Regulations:
Why Telstra is Uniquely Capable of handling this requirement:
-Telstra has achieved ISO on its IPMAN, IPWAN and IPWireless
-Telstra has achieved T4 certification of the NPC facilities
-Telstra has Secret cleared staff in the Network Protection Centre
-Telstra has DSD approved Secure Gateways Infrastructure to meet the security requirements of Commonwealth customers
Telstra can assist in meeting ANZ’s Network Centric Regulatory Compliance requirements to decrease risk and cost of compliance

Security Consideration: Governance
Telstra takes security seriously and is organised to ensure that it is central to all capability development
-Executive Steering Committee: Overall Governance: Group Managing Directors, CFO, Head of Corporate Security, CTO, CIO
-Security Working Group: Executive Directors, Directors, SME
  → Manage all security programs across the company
-Security Centre of Excellence
  → Internal and External Security Consulting
  → Engaged with all large customers
-Network Security
  → General Manager Network manages all aspects of Network and Internal Security
-Enterprise & Government Security Services
  → Director Security Services manages all customer facing Security capabilities
-Security Customer Advisory Group
  → CSOs from key accounts meet to discuss key issues.
  → Telstra sets out plans and issues for discussion
Telstra has more than 350 dedicated Security personnel

Offerings
Security Consulting: Policy, frameworks and strategy; Risk Management; Security auditing & assurance; Business continuity; Security arch & design; Certifications
Network Based Security Solutions: Internet Gateways; Extranet Gateways; Internet protection (mail & web protect & control); Remote Working; Denial of Service Protection
Managed Security Solutions: Managed Firewall; Managed Intrusion Protection; Managed Antivirus & Content Security; Vulnerability Management
Security Certified IP Networking Products: IPWAN; IPMAN; IPWireless (all certified to ISO security standard)
Security Solutions - Service Management (SIEM): Single View of Customer Security Posture
Additional Security Services
Operate the Network Securely

Security Service Management
Key features:
-Collects, analyses, stores and reports on event data and log information from heterogeneous devices, systems, and applications throughout an enterprise’s ICT infrastructure
Value Proposition:
-Reduce risk of network down time or data loss due to security incidents
-Achieve this without requiring complex technology or specialist expertise
Differentiators:
-Includes information from network based services
-Network delivered
-Integrated view
Security Consulting: Policy, frameworks and strategy; Risk Management; Security auditing & assurance; Business continuity planning; Security architecture & design; Certifications (eg to ISO27001)
Network Based Security Solutions: Internet Gateways; Extranet Gateways; Internet protection (mail & web protect & control); Remote Working; Denial of Service Protection
Managed Security Solutions: Managed Firewall; Managed Intrusion Protection; Managed Antivirus & Content Security; Vulnerability Management
Security Certified IP Networking Products: IPWAN; IPMAN; IPWireless (all certified to ISO security standard)
Security Service Management (SIEM): Single View of Customer Security Posture
Additional Security Services
Operate the Network Securely
[Diagram labels: Service Interface (Portal + Service Desk); Customer Network; Core Network; Customer End Points/Devices; Policy Manager; Intelligent Analysis; Information Sources; Customer]

T-SOC Program Overview
The T-SOC will deliver the following streams of work:
Secure Service Management Facility – the building of ASIO T4 accredited facilities in Canberra and Sydney
-The building of a primary T4 staff facility in Canberra replacing the Don Gray T4 people facility. This will provide flight deck space for the TSOC as well as workspace for staff supporting Government security accredited products – Managed Security, Secure MNS, Secure TIPT, Secure UC etc.
-The building of a secondary T4 staff facility in Elizabeth St Sydney as a disaster recovery site for the T-SOC monitoring staff
Toolset (predominantly delivered by “Project Enterprise”) – This project is to deliver all the necessary tools required to operate the T-SOC, e.g. SIEM, Scanners. Ticketing, problem and change will be delivered by standard tools.
People, Process and Roles, Responsibilities (PPRR) – This project will deliver all the documentation required to operate the T-SOC.
Web Portal (leveraging TE&G Customer Portal) – This project will provide the Web presence for the T-SOC. The Web Portal will be the primary interface with customers, providing reporting (security, problem and change management, etc), Security Bulletins, Threat Landscape, etc.

Commercial in Confidence – Version 1.0
What would a T-SOC Look Like?
-CERT team has small # FTE – virtual resources drawn in from OPS and PS as needed for incidents
-Over time this could merge with Network OPS as skill and technology develops
-All device up/down and generic health monitoring done here for Network and Security devices
-Shared, multi-tenanted tool. This will take log feeds from devices under shared management or dedicated
-In addition to raw security logs from devices, relevant events from the network monitoring tools will be fed into the correlation engine
-All ticketing performed and managed by the unified service desk
-Monitor security events from logs and correlation engine as well as announced vulnerabilities and patches

Function of the T-SOC?
-In real time, manage and monitor firewalls, intrusion detection and prevention systems, DDoS mitigation systems, anti-x solutions, patch updates, endpoint assets, and other security products.
-Analyse security log data, vulnerability information, asset information, and alerts
-Immediately respond to potential security threats and quickly resolve security problems
-Offer real-time views of the customers' security postures
-Defend customers against emerging network attacks
-Protect customers' technology investments

What are the benefits of a T-SOC
Effectively deal with Security Incidents: The T-SOC would give customers the ability to move from a reactionary posture to one of preparedness. Rather than scrambling to respond to a security breach, the T-SOC would have well-established processes to follow, to move fast and effectively, to isolate, contain, and defuse the threat.
Reduces Risks to Customers: The T-SOC will enable customers to minimize security-related network downtime. By keeping pace with evolving threats, the T-SOC will better protect customers’ data traffic from loss or manipulation.
Improves Security Response: The T-SOC systematically analyses potential reasons for traffic abnormalities and appropriately elevates the events. By moving quickly, the T-SOC can deal with security incidents in minutes – not hours or days – greatly lessening potential disruption to customers' critical services and business processes.
Enhances Operational Efficiency: By defining security rules and policies, the T-SOC specialists will be able to quickly identify threats and apply remedies to customer sites at risk before network attacks hit them.
Comply with Regulations: Customers often need to comply with regulations and policies governing the use, protection, or privacy of information. Customers can use reports that the T-SOC can generate to help adhere to these regulations and policies, including the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the data-security storage requirements associated with the payment card industry.

TSOC Solution Architecture

The TSOC

TSOC Solution Architecture Detail NetForensics

Managed DMZ
Manage the whole DMZ environment
Key features:
-Security focused management of devices located in a DMZ (eg web content security, proxies, load balancers, VPN concentrators etc)
-Customer site or Telstra Hosted
Value Proposition:
-24x7 service without the cost
-Specialist expertise
Specific Differentiators:
-Single Provider
-Linked to internet delivered features (eg DOSP, Content Security)

End Point Security
Key features:
-Prevent non-compliant devices from connecting to a customer network
-Secure the end-point device itself (eg antivirus, firewall, intrusion prevention)
-All with centralised policy control and reporting
Value Proposition:
-Reduced threat from uncontrolled devices
-Controlled and managed from within the customer network
-24x7 service without the cost
-Ensure policy compliance
Specific Differentiators:
-Network delivered (phase 2)
-Integrated view
[Diagram: Customer Network and the Internet; labels: Prevent High Risk devices from connecting to the network; Protect end-point devices]

Secure Managed Network Services
Key features:
Overlays on MNS for:
-Secure Wireless LAN: Who has access for what purposes
-Encryption over MNS networks
-Log Management on network devices
Value Proposition:
-Option for high security features to meet end-to-end compliance requirements (eg PCI, Finance industry)
Specific Differentiators:
-Network integrated & managed
-Integrated view
[Diagram: Customer Network; labels: Control who has wireless access for what purpose; Encrypt traffic from the edge router & manage security relevant log data]