Design and Build Security Operation Center Sameer Paradia

Security Operation Center - Design & Build


DESCRIPTION

Summarizes the design and build approach for a SOC (Security Operation Center) for both end-user companies and service providers. Defines the approach flow for building a SOC and the components and phases involved. Defines design thumb rules and parameters for SOC design.


Page 1: Security Operation Center - Design & Build

Design and Build Security Operation Center

Sameer Paradia

Page 2: Security Operation Center - Design & Build

Contents

• Presentation Objective
• Security Operation Center (SOC)
  – What is it? Why is it required?
• Designing SOC
• Building Blocks
  – Infrastructure
  – People
  – Process
  – Tools
  – Securing the SOC
• New Trends
• Acronyms

Page 3: Security Operation Center - Design & Build

Objective of this Presentation

• Useful to both enterprise and service provider
• Insight into design methodology and components
• Define a framework from design to build of a SOC
• Define and roll out SOC services
• Aligning with business

Page 4: Security Operation Center - Design & Build


SOC

Page 5: Security Operation Center - Design & Build

Why SOC? Overcoming challenges

CFO: “Reduce TCO now, limit liability in future”
IT: “Reduce risk, improve incident management”
Business Head: “Protect Brand, ALWAYS!”

SOC Goals
• Aligned with business goals
• Shared service to reduce cost
• Improves risk posture

Page 6: Security Operation Center - Design & Build

What is SOC?

• Operates 24x7 from a central offsite location
• Complete and proactive response to security incidents
• Predicts security attacks and minimises their impact
• Implements security policy across the enterprise
• Reduces the cost of security support by providing centralised remote support
• SOC delivers:
  – Incident Management
  – Governance, Risk, Compliance
  – Monitoring and management of devices / events
  – Implementation of security policy

Page 7: Security Operation Center - Design & Build


DESIGN

Page 8: Security Operation Center - Design & Build

Design Criteria

• Infrastructure
• Human Resources
• Process Management
• SOC Tools and Technologies
• Security Controls – Secure the SOC
• Link with government agencies and knowledge sites

Page 9: Security Operation Center - Design & Build

Design Flow

Step One – Inputs for SOC design
a) Service catalogue based on business need / client requirements
b) EPS (events per second)
c) Number and types of devices under management

Step Two – Tools selection and design
a) EPS, number of devices
b) SLA, reporting
c) SIEM
d) Web portal, storage / backup
e) Connectivity
f) Integration of tools

Step Three – Human resources
a) One resource for 50 devices under management per 8-hour shift
b) One admin per 5-7 resources
c) One analyst per 10 resources
d) Tool management and consultants based on tools and GRC services

Page 10: Security Operation Center - Design & Build

Design Flow (continued)

Step Four – Service desk
a) Separate function
b) Receives and forwards calls, opens tickets, gives initial support
c) 12-15 calls per resource per 8-hour shift

Step Five – Infrastructure
a) 55 square feet per seat (agent)
b) One seat means the overall usable area including all facilities

Step Six – Power
Power usage and UPS capacity to be calculated from the rated power draw of all tools and the uptime SLA
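The thumb rules in the design flow (devices per resource per shift, admins and analysts per resource, calls per service-desk agent, 55 sq ft per seat) combine into a sizing sheet. The Python below is an added example and is not part of the presentation. The shift count, relief factor, per-event size and online retention period are assumptions marked in the code, and the EPS-to-storage formula is mine, since the slides only name EPS and storage / backup as inputs to tool selection.

```python
"""SOC sizing sheet built from the design-flow thumb rules.
Added example; constants marked ASSUMPTION are not from the slides."""
import math
from dataclasses import dataclass, asdict

# Thumb rules stated in the design flow
DEVICES_PER_RESOURCE_PER_SHIFT = 50   # one resource manages 50 devices in an 8-hour shift
RESOURCES_PER_ADMIN = 6               # slide gives 5-7; midpoint used
RESOURCES_PER_ANALYST = 10
CALLS_PER_AGENT_PER_SHIFT = 13        # slide gives 12-15; lower-middle used
SQFT_PER_SEAT = 55                    # usable area including all facilities

# ASSUMPTIONS (not on the slides)
SHIFTS_PER_DAY = 3          # 24x7 cover on 8-hour shifts
RELIEF_FACTOR = 1.4         # extra heads for weekly offs, leave and training
AVG_EVENT_BYTES = 500       # normalised event size including index overhead
ONLINE_RETENTION_DAYS = 90  # before logs roll to tape


@dataclass
class SocSizing:
    device_resources_per_shift: int
    admins_per_shift: int
    analysts_per_shift: int
    desk_agents_per_shift: int
    seats: int            # concurrent seats, i.e. what the floor plan must hold
    headcount: int        # people on the roster to keep those seats filled 24x7
    floor_area_sqft: int
    log_storage_gb: float


def size_soc(devices: int, calls_per_day: int, eps: int) -> SocSizing:
    """Apply the thumb rules to the three design inputs: device count, call volume, EPS."""
    dev = math.ceil(devices / DEVICES_PER_RESOURCE_PER_SHIFT)
    admins = math.ceil(dev / RESOURCES_PER_ADMIN)
    analysts = math.ceil(dev / RESOURCES_PER_ANALYST)
    calls_per_shift = math.ceil(calls_per_day / SHIFTS_PER_DAY)
    desk = math.ceil(calls_per_shift / CALLS_PER_AGENT_PER_SHIFT)
    seats = dev + admins + analysts + desk
    headcount = math.ceil(seats * SHIFTS_PER_DAY * RELIEF_FACTOR)
    area = seats * SQFT_PER_SEAT
    # EPS x seconds/day x retention x bytes/event -> GB of online log storage (ASSUMPTION)
    storage_gb = eps * 86_400 * ONLINE_RETENTION_DAYS * AVG_EVENT_BYTES / 1e9
    return SocSizing(dev, admins, analysts, desk, seats, headcount, area, round(storage_gb, 1))


if __name__ == "__main__":
    # constructed inputs: 1200 managed devices, 300 service-desk calls a day, 5000 EPS
    print(asdict(size_soc(devices=1200, calls_per_day=300, eps=5000)))
```

Seats drive the floor plan and the UPS load (slide: rated power of all tools and the uptime SLA), while headcount drives the budget; the two differ by the shift count and the relief factor, which is why a 39-seat room needs well over a hundred people on the roster.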

Page 11: Security Operation Center - Design & Build

Design Flow (continued)

Step Seven – Security Controls – Secure the SOC
a) Physical security
b) Information security
c) Authentication and access management

Step Eight – Compliance Management
a) Law of the region
b) ISMS
c) Data protection laws

Step Nine – Process Management
a) BAU day-to-day process / SOP
b) Foundation process
c) Service improvement
d) Governance process

Page 12: Security Operation Center - Design & Build

Build SOC Approach

Strategic
  ENGAGE: risk assessment; business requirement
  BUSINESS CASE: business case; planning; designing
Tactical
  MANAGE: project management; resource management
  DESIGN / SECURE: SOC detailed design; process framing; SOC security design
  BUILD & TRANSIT: infra / tools implementation; SOC process setup
Operational
  RUN & SUPPORT: day-to-day operations; deliver service catalog; improvement plan

• A SOC service catalog needs to be put in place
• Phase-wise rollout of services is advisable

Page 13: Security Operation Center - Design & Build

BUILDING SOC APPROACH – DETAILED STEPS

Strategic
  ENGAGE
    • Business Requirement Analysis
    • Demand Management
    • Risk Assessment
    • Service Level Management
  BUSINESS CASE AND PLAN
    • IT Strategy Planning, IT Governance
    • Security Architecture, Policies and Standards
    • Develop and Approve Business Case
    • Program Portfolio Management

Tactical
  MANAGE
    • IT Finance and Resource Management
    • IT Human Resource Management
    • Project Management
    • Knowledge Management
    • Work Request Management
    • Monitor and Report Performance, Quality and Improvement
  DESIGN AND SECURE
    • Security Service Catalog
    • Supplier Management
    • Availability and Capacity Management
    • IT Service Continuity Management
    • Security Management
  BUILD AND TRANSITION
    • Build SOC
    • Service Transition and Planning
    • Service Validation / Testing
    • Service Evaluation
    • Release and Deployment Management
    • Change Management

Operational
  SUPPORT
    • Service Request Fulfillment
    • Incident Management
    • Problem Management
    • Access Management
  RUN (OPERATE AND CONTROL)
    • Event Management
    • Operations
    • Device Management
    • Application Management
    • Service Asset and Configuration Management

SOC Detailed Engineering

Page 14: Security Operation Center - Design & Build

SOC Service Catalogue

Service lifecycle (ring on the slide): Consult, Assess, Define, Design, Build, Plan, Deliver, Monitor, Analyze, Maintain

Security Technology
  Perimeter / Datacentre: Firewalls / VPN; IDS / IPS; UTM; Gateway level; Datacentre; DLP
  Device level security and end user security: Endpoint Security; Anti-virus
  Content Security: Web Security; URL Filtering; Mail Security
  Identity / Access Management: Multi-factor Authentication; Encryption; Federation; SSO
  Application Security; Analytics

Operation
  Device Management; Incident / Change / Asset Management
  Remote configuration and backup of logs; New projects – remote support
  Patch management / software upgrades
  Log analysis; Event Management; Reporting; Policy Compliance
  Project Management

Security Assurance Services
  Risk Management; Security Management Framework Assessment; Policy Gap Assessments
  Penetration Testing and Vulnerability Assessment; Governance Monitoring
  Technology and Architecture Reviews

Advance Services
  Forensic / Investigation; Governance, Risk Management, Compliance
  Service Assurance; Abuse Prevention; Call Service Management; IPT Availability
  Malware analysis; Black box testing; Suspicious Activity monitoring

Security Strategy
  Define Security framework; Security Policy framing; Audit; Policy Enforcement
  Advisory Services; CERT Integration
  Risk Assessment; Risk Mitigation plan; VA / PT; Ethical Hacking; Gap Analysis
  Threat Management / Assessment; Data, Voice, Video – technological architecture assessment; Risk repository
  Log analysis; Security Policy Assessment; Data Protection Assessment; DLP Management
  Information Act compliance assessment; Violation of security policy; End point policy assessment
  Reporting; BCP / DR Management

Other Services from SOC
  Advisory Services; Black box testing; White box testing

Page 15: Security Operation Center - Design & Build

Phase wise Service Launch

1st Phase
• Start with basic perimeter / datacentre security services
• Event monitoring, device / policy management, incident / change / asset management
• Integrate networking equipment security into the SOC
Service description:
a. Firewall / VPN (IPSEC / SSL)
b. IPS / IDS
c. UTM (Unified Threat Management)
d. Vulnerability Assessment
e. Event correlation and incident / change / asset management
f. Gateway level antivirus
g. Datacenter security

2nd Phase
• Expand to endpoint and cloud based security
• Bring endpoint machines / BYOD under SOC monitoring / management
Service description:
a. In-the-cloud services: clean Internet pipe, DDoS protection, secure mail, secure web access
b. Endpoint security
c. URL filter / secure proxy
d. Information leak prevention
e. Datacenter / application level: penetration testing, ethical hacking

3rd Phase
• GRC related services
• Consultancy services
• Forensic service
• Application level testing / security
• Business process monitoring and fraud alerts
Service description:
a. Identity management
b. Database security
c. Application security for web, SAP, portal, database etc.
d. Compliance with ISMS and country specific IT / data protection acts
e. Fraud management
f. Forensic / investigation

Page 16: Security Operation Center - Design & Build


INFRASTRUCTURE

Page 17: Security Operation Center - Design & Build

Infrastructure Blocks of SOC

• SOC office space: minimum 55 sq ft per seat
  – Structured and secured LAN cabling
  – Same type of furniture and PC / monitors / hardware
  – Video walls
  – Scalable area on the same floor / building
  – Card access and biometric access controls
• Power: mains and backup UPS / DG set; electrician available for emergencies
  – PDP: power distribution panels / emergency power switching panel
  – DG set: diesel storage area
  – Lighting in facility / energy saving plan
• Precision air conditioning
• Datacentre: rack space to host tools and customer facing portals
  – Hosts customer facing portal, SIEM, NMS, service desk, storage, backup tools
  – Storage for logs and configurations of IT assets
  – Backup devices and tape library

Page 18: Security Operation Center - Design & Build

Infrastructure Blocks of SOC (continued)

• Various control rooms need to be in place:
  – Building Management System (BMS) room: centralized room integrated with video surveillance, visitor management system and fire management system
  – Security surveillance room: same room as BMS
  – Fire management systems: same room as BMS
• Connectivity:
  – MUX room to terminate the various telecom links from customer premises; feasibility for these must be in place
  – VPN concentrator: to connect to customers over the Internet using IPSEC VPN / SSL VPN

Page 19: Security Operation Center - Design & Build

Visitor lounge / Presentation area

Visitor lounge
• Customers visit the SOC to audit the infrastructure as per the signed contract
• Must be a quarantined area in which visitors interact with SOC staff
• A secured PC is provided in case visitors need to access their own systems
• NDA must be signed by visitors

Presentation area
• The SOC needs a separate area at the entrance, physically isolated from the SOC seating area by a glass wall with curtain
• The presentation conference hall should accommodate enough people
• Equipped with projectors / video conferencing facility

Page 20: Security Operation Center - Design & Build

War Room

• The war room is a dedicated space where the entire team responsible for major incident resolution meets and handles the issue
• They need to interact with customers and partners to resolve the incident
• Equipped with communications: LAN, voice, video conference
• A separate war room is required so that other SOC operations teams are not disturbed and the confidentiality of the customer's issue is ensured

Page 21: Security Operation Center - Design & Build


PEOPLE

Page 22: Security Operation Center - Design & Build

SOC TEAM

SOC Governance Model

Governance chain: Board / Shareholders; CEO / COO; CFO / CIO; CISO; Risk Manager; SOC Manager; Auditor / Consultant

SOC functions: Incident Response; Monitoring Team; Technical / Tools Admin; Analyst / SME; Forensic Expert; Service Desk; Information Security; Organization Risk Management

Internal teams: Business Head; Admin / HR; Legal; Compliance; Sales; Branding

External stakeholders: Partners; Vendors / Suppliers

Context: Country legislation; Data protection laws; Industry-specific compliance; Industry best practice

Page 23: Security Operation Center - Design & Build

SOC PEOPLE

Analyst
• Expert in security technology and process
• Understands attacks and the threat matrix
• Good at low level programming languages
• Extremely good at reaching the root cause
• Thinks out of the box
• Understands viruses, trojans, backdoors, malicious code
• Drives people
• Proactive by nature

Tech admins
• Expert in security, OS, network, web technology, database
• Configure tools and security technologies
• Great at low level design
• Frame and implement security policies in the technologies under SOC
• Forensic expert
• Quick at incident response
• Can interact with and drive vendors, OEMs, government bodies

Management
• Leadership to take all stakeholders together
• Stitch the solutions from different teams and drive them to conclusion
• Understand the security posture and able to guide the team
• Good communication skills

Page 24: Security Operation Center - Design & Build

PROCESS

Page 25: Security Operation Center - Design & Build

SOC Process Framework

Pillars: Human Resources; Process; Tools and Technology

Foundation Process
  People operations, shift scheduling, daily checklist, training, talent management, new project management
  QMS / KEDB / documentation / improvement; SOP develop and review; QMS / SOC process; KPI; KGI; best practice
  SOC ISMS / law compliance support

BAU SOC Operation Process
  Event monitoring; event triage of correlation, monitoring, routing; event fusion; event correlation; use cases
  Incident management; incident analysis; major attack response
  Problem management; change management; release management; configuration management
  Access / user management; service desk; SOC infra / application management; system modelling
  Reporting, real-time dashboard, analysis, portal (fusion, analysis, reporting)
  CERT feed; log management

Tools and Technology
  Security tools like SIEM, VA, NMS / EMS, service desk, web portal, backup, storage, middleware
  Existing tool management, updates, testing
  Integration with current and new tools, client systems
  Transition and onboarding of new devices with tools
  POC of new releases and upcoming technologies

Other service processes: GRC; Forensic; Consultancy; BCP-DR; Testing; Advisory; Project Management

SOC Governance

Page 26: Security Operation Center - Design & Build

SOC Process

The number of processes and procedures for a SOC is determined by its scope, how many services are offered, the number of customers supported, and the number of different technologies in use. An established global SOC environment may have tens or even hundreds of procedures. At a minimum, the basic procedures required for maintaining the SOC are:
• Monitoring procedure
• Notification procedure (email, mobile, home, chat, etc.)
• Notification and escalation processes
• Transition of daily SOC services
• Shift logging procedures
• Incident logging procedures
• Compliance monitoring procedure
• Report development procedure
• Dashboard creation procedure
• Incident investigation procedures (malware, etc.)
• SIEM monitoring and correlation
• Antivirus monitoring and logging
• Network and host IDS/IPS monitoring and logging
• Network and host DLP monitoring and logging
• Centralized logging platforms (syslog, etc.)
• Email and spam gateway and filtering
• Web gateway and filtering
• Threat monitoring and intelligence
• Firewall monitoring and management
• Application whitelisting or file integrity monitoring
• Vulnerability assessment and monitoring

Page 27: Security Operation Center - Design & Build

GRC

Define risk controls – risk governance
• Set objectives and form a steering committee
• Review of security posture and risk profile
• Framing of security policy based on gap analysis
• Mapping of IT laws with security policy

Implementation
• Implement and manage IT controls / checkpoints

Sustain controls (state of control)
• Periodic assessment / audit
• Reporting of compliance status to management

Compliance: to law of the region, data protection law, InfoSec policy

Page 28: Security Operation Center - Design & Build

Forensics

Process
• Acquisition: physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices
• Identification (technical analysis): identifying what data could be recovered and electronically retrieving it by running various computer forensic tools and software suites
• Evaluation (what the lawyers do): evaluating the information / data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court
• Presentation: presenting the evidence in a manner understood by lawyers and non-technical staff, and suitable as evidence as determined by a court of law
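The evaluation and presentation steps only hold up if the SOC can show that the data examined is the data acquired and that it was never in unaccounted hands. The Python below is an added example, not from the presentation: it hashes a constructed stand-in for a disk image at acquisition, records each handover, and checks both the image and the custody chain before the evidence goes to the lawyers. The record layout and field names are assumptions, not a standard.

```python
"""Evidence integrity and chain of custody for forensic acquisition.
Added example; the custody record layout is an assumption, not a standard."""
import hashlib
from datetime import datetime, timezone
from typing import Dict, Optional


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def acquire(image: bytes, case_id: str, examiner: str, description: str,
            at: Optional[str] = None) -> Dict:
    """Hash the image at acquisition time and open the custody log with the examiner as holder."""
    return {
        "case_id": case_id,
        "description": description,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
        "custody": [{"action": "acquired", "from": None, "to": examiner, "at": at or _now()}],
    }


def handover(record: Dict, from_person: str, to_person: str, at: Optional[str] = None) -> Dict:
    """Append a custody transfer; refuse one from anyone who is not the current holder."""
    holder = record["custody"][-1]["to"]
    if holder != from_person:
        raise ValueError(f"{from_person} does not hold the evidence; current holder is {holder}")
    record["custody"].append({"action": "transferred", "from": from_person,
                              "to": to_person, "at": at or _now()})
    return record


def verify_image(record: Dict, image: bytes) -> bool:
    """True only if size and SHA-256 both match what was recorded at acquisition."""
    return len(image) == record["size"] and hashlib.sha256(image).hexdigest() == record["sha256"]


def custody_intact(record: Dict) -> bool:
    """The log must start with the acquisition, and every transfer must come from the previous holder."""
    log = record["custody"]
    if not log or log[0]["action"] != "acquired":
        return False
    for prev, cur in zip(log, log[1:]):
        if cur["action"] != "transferred" or cur["from"] != prev["to"]:
            return False
    return True


# Constructed sample: 16 KiB standing in for a disk image; real images are gigabytes, logic is identical.
SAMPLE_IMAGE = bytes(range(256)) * 64


def demo() -> Dict:
    rec = acquire(SAMPLE_IMAGE, "CASE-0001", "analyst.a", "constructed image of laptop SSD")
    handover(rec, "analyst.a", "forensic.b")
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01            # flip one bit: the hash must no longer match
    return {
        "original_ok": verify_image(rec, SAMPLE_IMAGE),
        "tampered_ok": verify_image(rec, bytes(tampered)),
        "custody_ok": custody_intact(rec),
    }


if __name__ == "__main__":
    print(demo())
```

The hash proves the copy is faithful; the custody log proves who could have touched it and when. A gap in either is what opposing counsel will attack, so both checks run before analysis starts, not after.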

Page 29: Security Operation Center - Design & Build

Challenges in Forensics

Acquisition: handling huge volumes; identifying and taking control of equipment
Identification (technical analysis): correlating data from various technologies and equipment; speed of processing
Evaluation (what the lawyers do): defending evidence in court by police
Presentation: relating evidence with law clauses (IPC); creation of supporting cases

Page 30: Security Operation Center - Design & Build


TOOLS

Page 31: Security Operation Center - Design & Build

SOC Tools Modules

1. Event generators
   • All devices / software under SOC
   • Log generators
   • External feeds, e.g. CERT
2. Event collectors
   • Local as well as central devices that collect and normalize huge volumes of events / logs into a few useful messages, device status and alerts
   • NMS / EMS / Service Desk
3. Message database
   • Analyze and display messages as per configured policy
4. Knowledge base
   • System modelisation configured from risk management, threats and the action taken by the security controls / policy deployed
   • Real time event correlation; creates incidents based on the risk posture fed into it
5. Client / user facing portal
   • Hosts reports, analysis, knowledge management, real-time status and events

Page 32: Security Operation Center - Design & Build

Working of SOC Tools

Event generators / monitored systems: Firewall, IPS, network equipment, OS, applications, VA / RA tools
  -> events arrive by polling and by push over Syslog, SNMP, SMTP, HTTP/XML and proprietary protocols
Collection and normalization
  -> Message database: messages, status, alerts
Knowledge base (correlation): client config records, security policy, customer status, vulnerability DB, system modelisation, risk evaluation, status integrity
  -> real-time monitor, analysis, incident handling; security activity and system status
Portal: viewed by stakeholders
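The stages on this slide (generators, collection and normalization, message database, knowledge base, incident handling) can be run end to end in a few dozen lines. The Python below is an added example, not the presentation's code or any product's. The syslog lines are constructed for the example and follow no vendor's format; the asset criticality table, host-to-IP records and vulnerability entries that stand in for the slide's "system modelisation", "client config records" and "vulnerability DB" are assumptions, as are the correlation window and threshold. It normalizes three generator types into one schema, then one correlation rule opens an incident when an IPS alert follows three or more firewall denies or authentication failures from the same source within a minute, scoring risk from the target's criticality.

```python
"""Collection, normalization and correlation as sketched on the 'Working of SOC Tools' slide.
Added example: log formats, knowledge-base records and the correlation rule are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# --- Knowledge base stand-ins (assumptions): system modelisation / client config records ---
ASSET_CRITICALITY = {"10.0.0.5": 5, "10.0.0.9": 2}         # 1 = low .. 5 = crown jewel
HOST_IPS = {"srv05": "10.0.0.5", "srv09": "10.0.0.9"}       # client config records
VULNERABILITY_DB = {"10.0.0.5": ["password SSH logins still enabled"]}

# --- Constructed raw events from three generator types (no vendor format implied) ---
RAW_EVENTS = [
    '<134>2024-03-12T10:01:02Z fw01 fw: action=DENY proto=TCP src=203.0.113.7 dst=10.0.0.5 dport=22',
    '<134>2024-03-12T10:01:04Z fw01 fw: action=DENY proto=TCP src=203.0.113.7 dst=10.0.0.5 dport=22',
    '<38>2024-03-12T10:01:10Z srv05 sshd[812]: Failed password for root from 203.0.113.7 port 51240 ssh2',
    '<38>2024-03-12T10:01:12Z srv05 sshd[812]: Failed password for root from 203.0.113.7 port 51244 ssh2',
    '<132>2024-03-12T10:01:15Z ips01 ips: alert sig="SSH brute force" src=203.0.113.7 dst=10.0.0.5 sev=3',
    '<134>2024-03-12T10:05:00Z fw01 fw: action=DENY proto=UDP src=198.51.100.4 dst=10.0.0.9 dport=161',
    '<38>2024-03-12T10:30:00Z srv05 sshd[900]: Accepted publickey for ops from 10.0.0.20 port 5100 ssh2',
]

SYSLOG = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) (?P<app>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SSH = re.compile(r"(?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)")


def normalize(line: str) -> Optional[Dict]:
    """Collector stage: one raw line -> one common-schema message, or None if unparseable."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
          "host": m["host"], "app": m["app"], "src": None, "dst": None,
          "category": "other", "severity": 1, "detail": m["msg"]}
    if m["app"] == "fw":
        kv = {k: v.strip('"') for k, v in KV.findall(m["msg"])}
        ev.update(src=kv.get("src"), dst=kv.get("dst"),
                  category="fw_deny" if kv.get("action") == "DENY" else "fw_allow")
    elif m["app"] == "ips":
        kv = {k: v.strip('"') for k, v in KV.findall(m["msg"])}
        ev.update(src=kv.get("src"), dst=kv.get("dst"), category="ips_alert",
                  severity=int(kv.get("sev", 1)), detail=kv.get("sig", m["msg"]))
    elif m["app"] == "sshd":
        s = SSH.search(m["msg"])
        if s:  # host logs name themselves; resolve to an IP via the config records
            ev.update(src=s["src"], dst=HOST_IPS.get(m["host"], m["host"]),
                      category="auth_fail" if s["result"] == "Failed" else "auth_ok",
                      severity=2 if s["result"] == "Failed" else 1)
    return ev


WINDOW = timedelta(seconds=60)   # correlation window (assumption)
THRESHOLD = 3                    # precursor events needed before an IPS alert escalates
PRECURSORS = {"fw_deny", "auth_fail"}


def correlate(events: List[Dict]) -> List[Dict]:
    """Knowledge-base stage: slide events per source IP and open an incident when an IPS alert
    follows >= THRESHOLD precursors within WINDOW; risk = IPS severity x target criticality."""
    incidents: List[Dict] = []
    recent: Dict[str, List[Dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["src"]:
            continue
        bucket = recent[ev["src"]]
        bucket.append(ev)
        bucket[:] = [e for e in bucket if ev["ts"] - e["ts"] <= WINDOW]  # expire old precursors
        if ev["category"] != "ips_alert":
            continue
        precursors = [e for e in bucket if e["category"] in PRECURSORS]
        if len(precursors) < THRESHOLD:
            continue
        target = ev["dst"]
        incidents.append({
            "opened_at": ev["ts"].isoformat(),
            "src": ev["src"], "target": target, "signature": ev["detail"],
            "precursor_count": len(precursors),
            "risk": ev["severity"] * ASSET_CRITICALITY.get(target, 1),
            "known_weaknesses": VULNERABILITY_DB.get(target, []),
        })
        recent[ev["src"]] = []   # one incident per burst; later alerts start a new window
    return incidents


def run_pipeline(lines: List[str]) -> List[Dict]:
    messages = [m for m in (normalize(l) for l in lines) if m]   # the message database
    return correlate(messages)


if __name__ == "__main__":
    for inc in run_pipeline(RAW_EVENTS):
        print(inc)
```

Note what the knowledge base adds over the raw alert: the same IPS signature against the 10.0.0.9 host would score 6 rather than 15, and an alert with no precursors is left as a message for the analyst rather than opened as an incident. That gating and scoring is what the slide's "risk evaluation" and "system modelisation" boxes do for real.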

Page 33: Security Operation Center - Design & Build

Key Tools for SOC

SOC Core Technology and Services Support Tools (slide labels: Assess, Prevent, Strengthen)
  Assess: VA / PT assessment; OS / DB / network scanner; network and OS scanner; registry scanner; password recovery / EH tool; packet analyzer; traffic generator; honeypot; forensic tools
  Prevent: authentication / IDM; certificate authority; encryption key generator; patch management
  Strengthen: SIEM; NMS / EMS; log analyzer / storage; analytics / reporting; GRC tool

Service Desk and SOC Process Management
  Service desk; ITIL process automation

Device Management and Client facing portal
  • Storage and backup
  • Syslog server
  • FTP server
  • Client facing web portal for reports / status update
  • Device management servers

Page 34: Security Operation Center - Design & Build

Tools Integration

USERS
  |
Portal (reports / analysis / real-time dashboard)
  |
Middleware: API correlation / integration layer
  |
SIEM; SD / NMS / EMS; database / KEDB; GRC tools; VA / PT / EH; device management
  (carrying events, incidents and device status; system modelisation; security policy)
  |
Polling engine / data flow to the managed devices

Page 35: Security Operation Center - Design & Build

SOC SECURITY

Page 36: Security Operation Center - Design & Build

Securing the SOC – Security Controls

It is imperative to protect the SOC environment with the following controls:
• Layered security
  – Information security for SOC users and information
  – Physical security for SOC users, visitors and infrastructure
  – A common security layer for all information, with additional security controls implemented based on contract
• Information security for SOC users and infrastructure
  – Process level: ISMS (Information Security Management System)
  – Integration of security controls with SIEM / service desk tools
  – IDM: authentication and identity access management, multi-factor authentication
  – Network level: firewall, IPS, VPN, antivirus, web filter software
  – Desktop level: antivirus, security compliance, strong authentication and access control
  – Datacentre level: firewall, IPS, VPN, antivirus, host based IDS
  – Access log: syslog server for user audit trail and analysis

Page 37: Security Operation Center - Design & Build

Securing the SOC – Physical Security Controls

For SOC users, visitors and infrastructure:
– Security guards on round the clock duty
– Video surveillance: monitor human movement
– Biometric controls: for access to the datacenter and critical SOC areas
– Tape vault: to store the tapes holding generated logs and backups; retaining these can be a statutory requirement
– Access card: to operate doors and control movement in and out of the SOC
– Visitor management system: registers entry, generates passes and badge cards for visitors
– Glass and other barriers for dedicated space for certain clients in the SOC

Page 38: Security Operation Center - Design & Build


NEW TRENDS

Page 39: Security Operation Center - Design & Build

New trends

Summary of the future SOC and new trends:
• The future SOC will spend more time on security analytics and less time on device monitoring
• The new age SOC will use more resources to identify new, unknown threats / malware / malicious code and less time blacklisting known threats after attacks
• Big data will be part of the SOC tool set
• Out-of-the-box SOC with less integration effort across the different tool sets in the SOC
• Integrated with social sites to understand human behaviour and predict attacks
• Integrated with national agencies and international CERTs for uniform and instant response to attacks
• Able to counter attacks and stop future activity from attackers on the Internet / internal users
• The SOC will act as the single agency to prevent security incidents and frauds in e-systems and to ensure compliance with regional laws across geographic boundaries
• Will proactively provide alerts for financial frauds and violations in business processes

Page 40: Security Operation Center - Design & Build

Acronyms

• API – Application Programming Interface
• BAU – Business As Usual (daily operations)
• BCP / DR – Business Continuity Plan / Disaster Recovery Plan
• BYOD – Bring Your Own Device
• CEO – Chief Executive Officer
• CFO – Chief Finance Officer
• COO – Chief Operating Officer
• CERT – Computer Emergency Response Team
• CISO – Chief Information Security Officer
• DDOS – Distributed Denial of Service attack
• DG – Diesel Generator
• DLP – Data Leak Prevention
• EH – Ethical Hacking
• EMS – Enterprise Management System, used for datacenter device monitoring
• EPS – Events Per Second
• GRC – Governance, Risk, Compliance
• IDS – Intrusion Detection System
• IPS – Intrusion Prevention System
• ISMS – Information Security Management System
• ITIL – Information Technology Infrastructure Library
• KPI – Key Performance Indicator
• KGI – Key Goal Indicator
• KEDB – Known Error Database
• OEM – Original Equipment Manufacturer
• OS – Operating System
• NOC – Network Operation Center
• NDA – Non Disclosure Agreement
• NMS – Network Management System
• PC – Personal Computer
• PT – Penetration Testing
• SD – Service Desk
• SIEM – Security Information and Event Management
• SLA – Service Level Agreement
• SOC – Security Operation Center
• UTM – Unified Threat Management
• VA – Vulnerability Assessment
• VPN – Virtual Private Network

Page 41: Security Operation Center - Design & Build

Sameer Paradia (CGEIT, CISM, CISSP) ([email protected])
Practicing IT security services and outsourcing for the past 22+ years
Photo acknowledgment: https://www.flickr.com/photos/babalas_shipyards/5339531237/in/photostream/
http://www.flickr.com/photos/forgetmeknottphotography/7003899183/sizes/l/in/photostream/