SECURITY OPERATION CENTER - Models, Strategies and Development -
By Ali Mohammadi – December 12-13, 2017
Outline
• Organizational Security Concept
• Security Operations Center (SOC) Concept
• SOC Models
• SOC Architecture
• SOC Strategies & Approaches
• SOC Develop & Plan
The current environment is putting new demands on security operations
Drivers:
• Social Business: blurring “social” identities
• New Business Models, New Technologies
• Cloud / Virtualization
• Mobile Collaboration / BYOD
• Large existing IT infrastructures with a globalized workforce, 3rd party services, and a growing customer base
• Velocity of Threats
• Evolving Regulations
Potential Impacts:
• Malware infection
• Loss of productivity
• Data Leakage
• Data or Device Loss or Theft
• Regulatory Fines ($$$)
Why do we build operational security controls & capabilities?
• Reduce enterprise risk.
• Protect the business.
• Move from reactive response to proactive mitigation.
• Increase visibility over the environment.
• Meet compliance/regulatory requirements.
Security Technology Stack
• GRC
• Identity, Entitlement, Access
• Information & Event Mgmt.
• Cryptography
• Data Security
• Application Security
• Host Security
• Network Security
• Physical Security
Network Security, and its relationships to the stack
Figure: Network Security at the centre, linked to the neighbouring layers of the stack:
• Host Security: interconnected hosts on the network; control hosts on the network
• Cryptography: establish secure channel; key management; crypto offload
• Security Info & Event Management: send security logs; detect security incidents
• Application Security: monitor and control applications running on the network
• Identity and Access: use identity; retrieve access control
• Data Security: monitor and control data flows on the network
What is a Security Operations Center, or SOC?
A Security Operations Center is a highly skilled team following defined processes and procedures to manage threats and reduce security risk.
Security Operations Centers (SOC) are designed to:
• protect mission-critical data and assets
• prepare for and respond to cyber emergencies
• help provide continuity and efficient recovery
• fortify the business infrastructure
The SOC’s major responsibilities are:
• Monitor, Analyze, Correlate & Escalate Intrusion Events
• Develop Appropriate Responses; Protect, Detect, Respond
• Conduct Incident Management and Forensic Investigation
• Maintain Security Community Relationships
• Assist in Crisis Operations
Designing and building a SOC requires a solid understanding of the business’ needs and the resources that IT can deploy. There are multiple stakeholders, processes and technologies to consider:
• An operational process framework
• Physical space requirements and location
• Personnel skills: security analysts, shift leads, SOC managers
People: In-house staff, Partners, Outsourced Providers, Customers
Process: Threat Analysis, Compliance Mgmt, SLA Mgmt, Risk Assessment, Change Mgmt, Vulnerability Mgmt, Identity & Access, Incident Mgmt
Technology: Log Management, Compliance Reporting, Event Correlation, Threat Reporting, Vulnerability Scanners, Identity & Desktop Mgmt, Ticketing System, Change Tracking
Building a Security Operations Center involves multiple domains
People
• Do you need 24x7x365 staff?
• What are the skills needed?
• Where do you get staff?
• What about training?
• How do you keep staff?
• Metrics to measure performance
• Capacity planning
Process
• What does the plan look like?
• How do we measure progress and goals?
• What is the optimal design of core processes? (e.g. incident management, tuning, etc.)
• Process and continual improvement
Technology
• SIEM architecture & use cases
• Log types and logging options
• Platform integrations; ticketing governance, big data
• Web services to integrate them
• Technology should improve effectiveness and efficiency
Governance / Metrics
• Dashboard visibility and oversight
• Policy, measurement and enforcement
• Integrated governance that balances daily operations with strategic planning
• Ministry objectives
• Informing stakeholders
• Informing employees
CyberSecurity Operations Center
• The Security Operations Center (SOC) term is being taken over by physical surveillance companies
• We’re building a Cyber Security Operations Center (CSOC) that doesn’t have any physical surveillance capability.
• It could be a component of a SOC in the future
(C)SOC vs. NOC
• A Network Operations Center (NOC) is usually responsible for monitoring and maintaining the overall network infrastructure. Its primary function is to ensure uninterrupted network service.
• A CSOC leverages security related network activity to refine security incident response.
• CSOC and NOC should complement each other and work in tandem.
The changing requirements for enterprise security & risk management, coupled with technology advancements, have triggered a paradigm shift in the design and ongoing administration of a SOC.
Legacy SOC vs. Optimized SOC
Mission & Strategy
• Charter: Legacy: technology or service only | Optimized: build a dedicated security operations capability
• Governance: Legacy: self governed (IT Security) | Optimized: cross-functional (IT, Business, Audit, etc.)
• Strategy: Legacy: budget based, 12 month planning cycle | Optimized: 3+ year cycle, priorities set by enterprise
Technology
• Tools: Legacy: SIEM tool only | Optimized: SIEM, ticketing, portal/dashboard, Big Data
• Use Cases: Legacy: standard rules, minimal customization | Optimized: tailored rules based on risk & compliance drivers
• Referential Data: Legacy: minimal importance, secondary priority | Optimized: required data, used to prioritize work
Operations Management
• Measures: Legacy: silos, ticket/technology driven | Optimized: cross-functional, efficiency, quality, KPI/SLO/SLA
• Reporting: Legacy: ticket/technology driven | Optimized: metrics, analytics, scorecards, & dashboards
Summary: Legacy SOC: detect & react to threats. Optimized SOC: proactive, visible; anticipate threats, mitigate risks.
SOC Architecture (figure, recovered labels)
SOC Governance: Cyber-Security Command Center (CSCC)
• Executive Security Intelligence Briefings, Local/Reg. Security Oversight, SOC Governance
• Consolidated Security Analytics & Dashboards, Local/Reg. Intel. Briefings
SOC Technology
• SOC Platform Components: Security Device Data, Event Data (Int./Ext.), Event Patterns, Correlation, Aggregate Security Events, Log Data (Transactional), Unstructured Data (Big Data), Custom Rules, Security Analytics & Incident Reporting
• Tools: SIEM, Ticketing & Workflow Portal, Integration Tools (e.g. Web Srvcs), Reporting / Dashboard, Big Data
• SOC Data Sources: Logs (Transactional), Network Hierarchy & Design, Business Data from Structure & Geography, Unstructured (Big Data), Asset & Data Classifications, Threat Intelligence
SOC Operations
• Threat Monitoring, Threat Analysis, Impact Analysis, Threat Response, Adv. Event Analysis, Escalations, Incident Mgmt.
• Threat Triage, Investigations, Incident Triage
• Security Intelligence: Incident Hunting, PM, Use Case Recommendations
• Admin Support Services: Tool Integration, Rule Admin
• CSIRT Management: Corp. Incident Response, Table-top Exercises
• SOC Service Delivery Management: Service Level Management, Operational Efficiency, Service Reporting, Escalation
Security Operations Operating Model (figure, recovered labels)
SOC Operations interfaces with:
• Corporate: Business Units, Legal, Audit
• IT Operations: Incident Mgmt, Problem Mgmt, Change Mgmt, Release Mgmt
• Business Operations: Business Ops Investigations, Public Relations, Legal / Fraud, Architecture & Projects, Emergency Response
Legend: SOC vs. IT / Corp
We understand that an effective SOC has the right balance of People, Process and Technology components
• People: in-house staff, partners, outsourced providers, customers
• Process: threat analysis, compliance mgmt, SLA mgmt, risk assessment, change mgmt, vulnerability mgmt, identity & access, incident mgmt
• Technology: log management, compliance reporting, event correlation, threat reporting, vulnerability scanners, identity & desktop mgmt, ticketing system, change tracking
The SOC organization is organized around the standard plan, build and run model
SOC Organization Chart
• Governance
• SOC Delivery Manager
  • SOC Engineering Manager (Build): Security System Administrator, Security Policy Administrator, Device Administrator
  • SOC Monitoring Tier 1 (Run): Senior Threat Analyst, Threat Analyst, Threat Analyst Trainee
  • SOC Triage Tier 2 (Run): Senior Threat Response Analyst, Threat Response Mitigation Analyst (Reactive), Threat Response Remediation Analyst (Proactive)
  • SOC Escalation Tier 3 (Run): Incident Case Manager, Senior ERS Incident Response Technical Analyst
  • Security Intelligence Manager (Build / Plan)
  • SOC / Security Intel Architect (Plan)
• IT Operations: Incident Mgmt, Problem Mgmt, Change Mgmt, Release Mgmt, Device Mgmt
A responsibility matrix for all SOC roles should be defined across each SOC service.
Roles (matrix columns): SOC Analyst: Monitoring; SOC Analyst: Triage; SOC Analyst: Response; Security Intelligence Analyst; Security Incident Handler (Certified); SOC Tools Admin; SOC Manager; Security Forensic Analyst; IT Security Admin; IT Operations; CERT
RACI assignments per service (R = responsible, A = accountable, C = consulted, I = informed; column alignment was lost in extraction, so the letters are listed in the order they appear):
Core Security Services
• Security Monitoring: R C A
• Incident Triage: C R C A
• Incident Response: C C R C R A R I
• Delivery Management: A I
Deployment Services
• Use Case Design: C C C R C A C C
• Log Source Acquisition: R C R A C C
• Service Testing & Tuning: R A I I
• Custom Playbook Development: C C C R C C A C C
• Operations Training: C C C R C A
Security Intelligence Services
• Security Intelligence Analysis: C C C A C C C
• Security Intelligence Briefings: A C C C
• Use Case Recommendations: C C C A C C C
Administrative Services
• SIEM Administration: R A I I
• Contextual Data Management: C R A C C
• Log Source Management: C R A C C
• Log Source Heartbeat Monitoring: C R A C C
Reporting Services
• Security Reporting: C C C C C A C I
• Efficiency Reporting: C C C A C I
• Financial Reporting: C C C C A I
Optional Services
• Enterprise Incident Management: C A
• Forensics Investigation: C C C C C A C C
• Policy Violation Handling: C C C C A C
Why?
• We’ve been collecting security related data for a number of years and needed a focal point to help us see the big picture
• Data from:
  • Security Reviews
  • Vulnerability scans (push/pull)
  • IPS/IDS data
  • System logs
• We want to build a “security history” for a host
Why?
• The CSOC is a logical place to collect, analyze and distribute data collected to support our Defense in Depth Strategy:
  • Preventing Network Based Attacks
  • Preventing Host Based Attacks
  • Eliminating Security Vulnerabilities
  • Supporting Authorized Users
  • Providing tools for Minimizing Business Loss
Where?
• OS Syslog/event logs, IDS logs, IPS logs, PID logs, Firewall logs, Pen Test Logs, PCI, netflow
• CSOC needs to be able to analyze and display this data quickly
• Data resides on separate, distributed servers
• CSOC pulls data from these servers as needed
• CSOC lives in the IT Security Office & Lab
What?
• Provides real-time view of the VT network’s security status
• Provides info to assess risk, attacks, mitigation
• Provides metrics:
  • Executive
  • Operational
  • Incident
What?
• Event Generators (E boxes)
  • Any form of IDS sensor (firewalls, IPS, IDS, Snort, Active Directory servers, Remedy, vulnerability scanners, TACACS, application software)
  • Most are Polling Generators: they generate specific event data in response to a specific action
  • Example: IDS or firewall
What?
• Events Databases (D boxes)
  • Provide basic storage, search and correlation tools for events collected and sent to the CSOC
  • Vulnerability databases contain info about security breaches, etc.
What?
• Events Reactions (R boxes)
  • SOC Console: used for internal analysis
    • Real-time monitors (Snort, BASE, IPS, Dshield)
    • Incident Handling
    • Remedy trouble ticket system
    • Location tools
    • Statistical analysis
  • End User Portals: multi level reporting for various target audiences
    • Sysadmin, management
What?
• Analysis Engines (A boxes)
  • Help the analyst determine whether an incident has occurred, its spread, its impact, etc.
• Knowledge Base Engines (K boxes)
  • Store security configs of critical assets, tips/tricks and effective solutions to previous problems
• Reaction and Report Engines (R boxes)
  • Switches, routers, IPS and associated management tools
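The E/D/A/R box model described on these slides, together with the "security history for a host" goal and the log source heartbeat monitoring service from the responsibility matrix, as an added example (not code from the slides or from the VT CSOC): a toy Python pipeline in which event generators feed a store that keeps each host's history, a correlation rule scores the host, a ticket is opened, and quiet sources are flagged. Source names, host names, events and thresholds are all constructed assumptions.

```python
# Added example (not from the slides): a toy CSOC pipeline in the deck's E/D/A/R box model.
# Source names, hosts, events and thresholds are constructed assumptions.
from collections import defaultdict, namedtuple

# source = which E box produced the event ("vulnscan", "ids", "syslog"), ts = epoch seconds
Event = namedtuple("Event", "source host ts detail")

class EventStore:
    """D box: keeps events and returns a host's "security history" in time order."""
    def __init__(self):
        self._by_host = defaultdict(list)
        self.last_seen = {}  # newest timestamp per E box, used as its heartbeat
    def ingest(self, ev: Event):
        self._by_host[ev.host].append(ev)
        self.last_seen[ev.source] = max(self.last_seen.get(ev.source, 0), ev.ts)
    def history(self, host: str) -> list:
        return sorted(self._by_host.get(host, []), key=lambda e: e.ts)

def correlate(store: EventStore, host: str) -> str:
    """A box: IDS alert alone -> 'alert'; IDS alert on a host with an open scan finding,
    followed by a host log event after the alert -> 'incident'; otherwise 'none'."""
    hist = store.history(host)
    ids_ts = [e.ts for e in hist if e.source == "ids"]
    if not ids_ts:
        return "none"
    has_finding = any(e.source == "vulnscan" for e in hist)
    log_after = any(e.source == "syslog" and e.ts >= min(ids_ts) for e in hist)
    return "incident" if has_finding and log_after else "alert"

def open_ticket(store: EventStore, host: str) -> "dict | None":
    """R box: hand the verdict and the supporting history to the trouble ticket system."""
    verdict = correlate(store, host)
    if verdict == "none":
        return None
    return {"host": host, "severity": verdict,
            "evidence": [f"{e.ts} {e.source}: {e.detail}" for e in store.history(host)]}

def stale_sources(store: EventStore, expected: list, now: int, max_age: int) -> list:
    """Log source heartbeat monitoring: E boxes that never reported or have gone quiet."""
    return sorted(s for s in expected if now - store.last_seen.get(s, 0) > max_age)

STORE = EventStore()
for ev in [  # constructed sample events
    Event("vulnscan", "host-a", 1000, "unpatched SMB service (constructed finding)"),
    Event("ids", "host-a", 2000, "SMB exploit signature"),
    Event("syslog", "host-a", 2100, "new local administrator account created"),
    Event("ids", "host-b", 2050, "port scan from external address"),
]:
    STORE.ingest(ev)
```

With the sample data, host-a escalates to an incident because the IDS alert lands on a host with an open finding and is followed by a host log event, while host-b stays an alert; a firewall source that never reported is flagged by the heartbeat check.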
Access Management
Security Operations Center (SOC)
Automation & Integration of Security Operations
Security Operations Center Infrastructure v1.0 6/4/2008 (figure, recovered labels)
• <Function>: ITSO Staff
• Daily Scan: Nexpose, Acunetix, Core Impact, feeding the Vulnerability Results Database
• Central Syslog Servers, Dshield, Checknet, Snort Sensors
• Host Locator DB: IP Ranges, Dept. Liaisons, DHCP, VPN, Modem Pool
• Remedy
• Correlation & Report Generation, BASE
• User Initiated Scan: Nessus, nmap Scanner, producing Scan Results (PDF) for the User
Legend: Green – E boxes; Blue – D boxes; Grey – A boxes; Yellow – K boxes
Selecting the optimal SOC operating model depends on balancing business and technical requirements, risk and financial constraints
Business Requirements: Centralized vs. Decentralized
• Centralized: Single Global SOC, CSCC combined with SOC; lowest cost; easiest to manage
• Decentralized: Multiple SOCs (Geo. / BU), Single Global CSCC; high cost; more difficult to manage
Technical Requirements: Standard vs. Highly Customized
• Standard: Simple platform; lowest cost to implement/operate; good risk mgmt capabilities; easy to scale operations; moderate detail on threats
• Highly Customized: Complex platform; high cost to implement/operate; excellent risk mgmt capabilities; more expensive to scale operations; rich detail on threats
Risk Tolerance: Externally Managed vs. Internally Managed
• Externally Managed: 30-90 day implementation; lowest cost to implement/operate; not core to business; leverage industry best practices
• Internally Managed: Long implementation lead time; high cost to implement/operate; core to business; frequent independent reviews
Financial Constraints: Low Cost vs. High Cost
• Low Cost: Lowest cost to implement; lowest cost to operate
• High Cost: Highest cost to implement; highest cost to operate
To get started, the organization should consider the following questions in establishing its objectives
• What is the primary purpose of the SOC?
• What are the specific tasks assigned to the SOC? (e.g., threat intelligence, security device management, compliance management, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)
• Who are the consumers of the information collected and analyzed by the SOC? What requirements do they have for the SOC?
• Who is the ultimate stakeholder for the SOC? Who will “sell” the SOC to the rest of the organization?
• What types of security events will eventually be fed into the SOC for monitoring?
• Will the organization seek an external partner to help manage the SOC?
The Security Operations Optimization portfolio provides a flexible approach to the entire SOC/SIEM life cycle.
Phases (each spanning People and Governance, Processes and Practices, and Technology): Introduction, Assessment, Strategy, Design & Build, Run & Enhance, Optimize
Introduction
• Educational, share best practices
Assessment
• Table-top, guided SOC maturity assessments
• Set high-level vision
• Develop next steps roadmap for action
Strategy
• Define the mission
• Assess current operations and capabilities
• Define future environment
• Develop roadmap for action
Design & Build
• Laying the foundation of capabilities
• Designing effective staffing models and supporting processes / technology
• Conducting training and testing
• Implementing tracking and reporting capabilities
Run & Enhance
• Leveraging acquired knowledge and experience
• Instituting formal feedback and review mechanisms
• Driving further value from the technology
• Expanding business coverage and functions
• Tuning and refinement
Optimize
• Business aligned threat management and metrics
• Drive for best practices
• Integrated operations with improved communications
• Seek opportunities for cost takeout
• Continuous improvement
References
• IBM Security Services
• Meadowville Technology Park, Chesterfield County, Virginia
• Carl Hill, President, www.gtscloud.com
• Paladion Co, paladion.net
• Randy Marchany, VA Tech IT Security Office and Lab