SECURITY OPERATION CENTER - Models, Strategies and development

By Ali Mohammadi – December 12,13, 2017

Outline

• Organizational Security Concept
• Security Operations Center (SOC) Concept
• SOC Models
• SOC Architecture
• SOC Strategies & Approaches
• SOC Develop & Plan

Organizational Security Concept

The current environment is putting new demands on security operations

• Social Business: blurring “social” identities
• New Business Models, New Technologies
• Cloud / Virtualization
• Mobile Collaboration / BYOD
• Large existing IT infrastructures with a globalized workforce, 3rd party services, and a growing customer base
• Velocity of Threats
• Evolving Regulations

Potential Impacts: Malware infection; Loss of productivity; Data Leakage; Data or Device Loss or Theft; Regulatory Fines ($$$)

Why do we build operational security controls & capabilities?

• Reduce enterprise risk.
• Protect the business.
• Move from reactive response to proactive mitigation.
• Increase visibility over the environment.
• Meet compliance/regulatory requirements.

The organization drives the Security Model

Security Technology Stack
• GRC
• Identity, Entitlement, Access
• Information & Event Mgmt.
• Cryptography
• Data Security
• Application Security
• Host Security
• Network Security
• Physical Security

Network Security, and its relationships to the stack

• Host Security: interconnected hosts on the network; control hosts on the network
• Data Security: monitor and control data flows on the network
• Identity and Access: use identity; retrieve access control
• Application Security: monitor and control applications running on the network
• Cryptography: establish secure channel; key management; crypto offload
• Security Info & Event Management: send security logs; detect security incidents

Security Operations Center (SOC) Concept

What is a Security Operations Center, or SOC? A Security Operations Center is a highly skilled team following defined procedures and processes to manage threats and reduce security risk.

Security Operations Centers (SOC) are designed to:
• protect mission-critical data and assets
• prepare for and respond to cyber emergencies
• help provide continuity and efficient recovery
• fortify the business infrastructure

The SOC’s major responsibilities are:
• Monitor, Analyze, Correlate & Escalate Intrusion Events
• Develop Appropriate Responses; Protect, Detect, Respond
• Conduct Incident Management and Forensic Investigation
• Maintain Security Community Relationships
• Assist in Crisis Operations

Designing and building a SOC requires a solid understanding of the business’ needs and the resources that IT can deploy. There are multiple stakeholders, processes and technologies to consider:

• An operational process framework
• Physical space requirements and location
• Personnel skills: security analysts, shift leads, SOC managers

People: In-house staff; Partners; Outsourced Providers; Customers
Process: Threat Analysis; Compliance Mgmt; SLA Mgmt; Risk Assessment; Change Mgmt; Vulnerability Mgmt; Identity & Access; Incident Mgmt
Technology: Log Management; Compliance Reporting; Event Correlation; Threat Reporting; Vulnerability Scanners; Identity & Desktop Mgmt; Ticketing System; Change Tracking

Building a Security Operations Center involves multiple domains

People
• Do you need 24x7x365 staff?
• What are the skills needed?
• Where do you get staff?
• What about training?
• How do you keep staff?
• Metrics to measure performance
• Capacity planning

Process
• What does the plan look like?
• How do we measure progress and goals?
• What is the optimal design of core processes? (e.g. incident management, tuning, etc.)
• Process and continual improvement

Technology
• SIEM architecture & use cases
• Log types and logging options
• Platform integrations; ticketing governance, big data
• Web services to integrate them
• Technology should improve effectiveness and efficiency
• Dashboard visibility and oversight

Governance / Metrics
• Policy, measurement and enforcement
• Integrated governance that balances daily operations with strategic planning
• Ministry objectives
• Informing stakeholders
• Informing employees

• The Security Operations Center (SOC) term is being taken over by physical surveillance companies.
• We’re building a Cyber Security Operations Center (CSOC) that doesn’t have any physical surveillance capability.
• It could be a component of a SOC in the future.

(C)SOC vs. NOC

• A Network Operations Center is usually responsible for monitoring and maintaining the overall network infrastructure. Its primary function is to ensure uninterrupted network service.
• A CSOC leverages security-related network activity to refine security incident response.
• The CSOC and NOC should complement each other and work in tandem.

SOC Models

The changing requirements for enterprise security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of a SOC.

Legacy SOC vs. Optimized SOC

Mission & Strategy
• Charter: Legacy SOC - technology or service only; Optimized SOC - build a dedicated security operations capability
• Governance: Legacy SOC - self governed (IT Security); Optimized SOC - cross-functional (IT, Business, Audit, etc.)
• Strategy: Legacy SOC - budget based, 12 month planning cycle; Optimized SOC - 3+ year cycle, priorities set by enterprise

Technology
• Tools: Legacy SOC - SIEM tool only; Optimized SOC - SIEM, ticketing, portal/dashboard, Big Data
• Use Cases: Legacy SOC - standard rules, minimal customization; Optimized SOC - tailored rules based on risk & compliance drivers
• Referential Data: Legacy SOC - minimal importance, secondary priority; Optimized SOC - required data, used to prioritize work

Operations Management
• Measures: Legacy SOC - silos, ticket/technology driven; Optimized SOC - cross-functional, efficiency, quality, KPI/SLO/SLA
• Reporting: Legacy SOC - ticket/technology driven; Optimized SOC - metrics, analytics, scorecards, & dashboards

Overall, the Legacy SOC detects & reacts to threats; the Optimized SOC is proactive and visible, anticipating threats and mitigating risks.

Security Operations Operating Model

SOC Governance - Cyber-Security Command Center (CSCC)
• Executive Security Intelligence Briefings
• Local/Reg. Security Oversight
• SOC Governance
• Consolidated Security Analytics & Dashboards
• Local/Reg. Intel. Briefings

SOC Operations
• Threat Monitoring; Threat Analysis; Impact Analysis
• Threat Triage; Investigations; Incident Triage
• Threat Response; Adv. Event Analysis; Escalations; Incident Mgmt.
• Security Intelligence: Incident Hunting; PM Use Case Recommendations
• Admin Support Services: Tool Integration; Rule Admin
• CSIRT Management: Corp. Incident Response; Table-top Exercises
• Security Analytics & Incident Reporting
• SOC Service Delivery Management: Service Level Management; Operational Efficiency; Service Reporting; Escalation

SOC Technology
• SIEM; Ticketing & Workflow Portal; Integration Tools (e.g. Web Srvcs); Reporting / Dashboard; Big Data
• SOC Platform Components: Security Device Data; Event Data (Int./Ext.); Event Patterns; Correlation; Aggregate Security Events; Log Data (Transactional); Unstructured Data (Big Data); Custom Rules
• SOC Data Sources: Logs (Transactional); Network Hierarchy & Design; Business Data from Structure & Geography; Unstructured (Big Data); Asset & Data Classifications; Threat Intelligence

IT / Corp (outside the SOC)
• Corporate: Business Units; Legal; Audit
• IT Operations: Incident Mgmt; Problem Mgmt; Change Mgmt; Release Mgmt
• Business Operations: Business Ops Investigations; Public Relations; Legal / Fraud; Architecture & Projects; Emergency Response

Legend: SOC; IT / Corp

We understand that an effective SOC has the right balance of People, Process and Technology components (the People / Process / Technology elements listed above).

The SOC is organized around the standard plan, build and run model.

SOC Organization Chart
• SOC Delivery Manager
• SOC Engineering Manager (Build): Security System Administrator; Security Policy Administrator; Device Administrator
• SOC Monitoring Tier 1 (Run): Senior Threat Analyst; Threat Analyst; Threat Analyst Trainee
• SOC Triage Tier 2 (Run): Senior Threat Response Analyst; Threat Response Mitigation Analyst (Reactive); Threat Response Remediation Analyst (Proactive)
• SOC Escalation Tier 3 (Run): Incident Case Manager; Senior ERS Incident Response Technical Analyst
• Security Intelligence Manager (Build / Plan)
• SOC / Security Intel Architect (Plan)
• Governance
• IT Operations: Incident Mgmt; Problem Mgmt; Change Mgmt; Release Mgmt; Device Mgmt

A responsibility matrix for all SOC roles should be defined across each SOC service.

Roles (matrix columns): SOC Analyst: Monitoring; SOC Analyst: Triage; SOC Analyst: Response; Security Intelligence Analyst; Security Incident Handler (Certified); SOC Tools Admin; SOC Manager; Security Forensic Analyst; IT Security Admin; IT Operations; CERT. Cells use the RACI codes R (Responsible), A (Accountable), C (Consulted) and I (Informed); each row below lists its non-empty cells left to right in column order.

Core Security Services
• Security Monitoring: R C A
• Incident Triage: C R C A
• Incident Response: C C R C R A R I
• Delivery Management: A I

Deployment Services
• Use Case Design: C C C R C A C C
• Log Source Acquisition: R C R A C C
• Service Testing & Tuning: R A I I
• Custom Playbook Development: C C C R C C A C C
• Operations Training: C C C R C A

Security Intelligence Services
• Security Intelligence Analysis: C C C A C C C
• Security Intelligence Briefings: A C C C
• Use Case Recommendations: C C C A C C C

Administrative Services
• SIEM Administration: R A I I
• Contextual Data Management: C R A C C
• Log Source Management: C R A C C
• Log Source Heartbeat Monitoring: C R A C C

Reporting Services
• Security Reporting: C C C C C A C I
• Efficiency Reporting: C C C A C I
• Financial Reporting: C C C C A I

Optional Services
• Enterprise Incident Management: C A
• Forensics Investigation: C C C C C A C C
• Policy Violation Handling: C C C C A C

SOC Architecture

Why?

• We’ve been collecting security related data for a number of years and needed a focal point to help us see the big picture
• Data from:
  • Security Reviews
  • Vulnerability scans (push/pull)
  • IPS/IDS data
  • System logs
• We want to build a “security history” for a host

Why?

• The CSOC is a logical place to collect, analyze and distribute data collected to support our Defense in Depth Strategy:
  • Preventing Network Based Attacks
  • Preventing Host Based Attacks
  • Eliminating Security Vulnerabilities
  • Supporting Authorized Users
  • Providing tools for Minimizing Business Loss

Where?

• OS Syslog/event logs, IDS logs, IPS logs, PID logs, Firewall logs, Pen Test Logs, PCI, netflow
• CSOC needs to be able to analyze and display this data quickly
• Data resides on separate, distributed servers
• CSOC pulls data from these servers as needed
• CSOC lives in the IT Security Office & Lab

What?

• Provides real-time view of the VT network’s security status
• Provides info to assess risk, attacks, mitigation
• Provides metrics:
  • Executive
  • Operational
  • Incident

What?

• Event Generators (E boxes)
  • Any form of IDS sensor (firewalls, IPS, IDS, Snort, Active Directory servers, Remedy, vulnerability scanners, TACACS, application software)
  • Most are Polling Generators: they generate specific event data in response to a specific action
  • Example: IDS or firewall

What?

• Events Databases (D boxes)
  • Provide basic storage, search and correlation tools for events collected and sent to the CSOC
  • Vulnerability databases contain info about security breaches, etc.

What?

• Events Reactions (R boxes)
  • SOC Console: used for internal analysis
    • Real-time monitors (Snort, Base, IPS, Dshield)
    • Incident Handling
    • Remedy trouble ticket system
    • Location tools
    • Statistical analysis
  • End User Portals: multi-level reporting for various target audiences
    • Sysadmin, management

What?

• Analysis Engines (A boxes)
  • Help the ID analyst determine if an incident has occurred, its spread, its impact, etc.
• Knowledge Base Engines (K boxes)
  • Store security configs of critical assets, tips/tricks and effective solutions to previous problems
• Reaction and Report Engines (R boxes)
  • Switches, routers, IPS and associated management tools
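To make the D box / A box split above (and the earlier goal of a per-host “security history”) concrete, here is an added Python example written for this page; it is not code from the slides or from the VT ITSO deployment. It stores constructed E-box events as a per-host history and has the analysis step raise the priority of an IDS alert when the scanner had already reported a matching unpatched service on that host; the event field names, the sample values and the first-word service matching are all assumptions.

```python
from collections import defaultdict

# Constructed sample events from three E boxes (IDS sensor, vulnerability
# scanner, central syslog). Field names and values are assumptions made for
# this example, not a format taken from the slides or from any real tool.
E_BOX_EVENTS = [
    {"src": "snort",   "host": "10.1.1.5", "ts": 1, "type": "ids_alert", "detail": "SMB exploit attempt"},
    {"src": "nexpose", "host": "10.1.1.5", "ts": 0, "type": "vuln",      "detail": "SMB service unpatched"},
    {"src": "syslog",  "host": "10.1.1.5", "ts": 2, "type": "auth_fail", "detail": "sshd: failed password"},
    {"src": "snort",   "host": "10.1.1.9", "ts": 1, "type": "ids_alert", "detail": "SMB exploit attempt"},
    {"src": "nexpose", "host": "10.1.1.9", "ts": 0, "type": "vuln",      "detail": "HTTP server outdated"},
]

def build_history(events):
    """D box role: keep every event per host, ordered by time, so each host
    accumulates a security history across sensors, scanners and logs."""
    history = defaultdict(list)
    for ev in events:
        history[ev["host"]].append(ev)
    for host in history:
        history[host].sort(key=lambda e: e["ts"])
    return dict(history)

def service_keyword(detail):
    # Crude normalisation: the first word of the detail names the service
    # (an assumption that holds for the constructed sample, not in general).
    return detail.split()[0].lower()

def analyze(history):
    """A box role: for each IDS alert, check the host's own history for a
    scanner finding on the same service; a match means the alert hit a
    known weak spot and is rated high, otherwise medium."""
    findings = []
    for host, events in history.items():
        known_vulns = {service_keyword(e["detail"]) for e in events if e["type"] == "vuln"}
        for e in events:
            if e["type"] != "ids_alert":
                continue
            matched = service_keyword(e["detail"]) in known_vulns
            findings.append({"host": host, "alert": e["detail"],
                             "matches_known_vuln": matched,
                             "priority": "high" if matched else "medium"})
    return findings

if __name__ == "__main__":
    for f in analyze(build_history(E_BOX_EVENTS)):
        print(f)
```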

[Slide: SOC Architecture diagram; labels: Access Management; Security Operations Center (SOC); Automation & Integration of Security Operations]

[Slide: SOC Workflow diagram]

Security Operations Center Infrastructure v1.0 6/4/2008 (diagram)

• Daily Scan (ITSO Staff): Nexpose; Acunetix; Core Impact; results feed the Vulnerability Results Database
• Central Syslog Servers; Dshield; Checknet; Snort Sensors; Host Locator DB (IP Ranges, Dept. Liaisons, DHCP, VPN, Modem Pool); Remedy; BASE
• Correlation & Report Generation
• User Initiated Scan: Nessus; nmap Scanner; Scan Results (PDF) returned to the User

Legend: Green – E boxes; Blue – D boxes; Grey – A boxes; Yellow – K boxes

SOC Strategies & Approaches

Selecting the optimal SOC operating model depends on balancing business and technical requirements, risk and financial constraints

Business Requirements: Centralized vs. Decentralized
• Centralized: Single Global SOC; CSCC Combined with SOC; Lowest Cost; Easiest to Manage
• Decentralized: Multiple SOC’s (Geo. / BU); Single Global CSCC; High Cost; More Difficult to Manage

Technical Requirements: Standard vs. Highly Customized
• Standard: Simple Platform; Lowest Cost to Implement/Operate; Good Risk Mgmt Capabilities; Easy to Scale Operations; Moderate Detail on Threats
• Highly Customized: Complex Platform; High Cost to Implement/Operate; Excellent Risk Mgmt Capabilities; More Expensive to Scale Operations; Rich Detail on Threats

Risk Tolerance: Externally Managed vs. Internally Managed
• Externally Managed: 30-90 Day Implementation; Lowest Cost to Implement/Operate; Not Core to Business; Leverage Industry Best Practices
• Internally Managed: Long Implementation Lead Time; High Cost to Implement/Operate; Core to Business; Frequent Independent Reviews

Financial Constraints: Low Cost vs. High Cost
• Low Cost: Lowest Cost to Implement; Lowest Cost to Operate
• High Cost: Highest Cost to Implement; Highest Cost to Operate

SOC Develop & Plan

To get started, the organization should consider the following questions in establishing its objectives

• What is the primary purpose of the SOC?
• What are the specific tasks assigned to the SOC? (e.g., threat intelligence, security device management, compliance management, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)
• Who are the consumers of the information collected and analyzed by the SOC? What requirements do they have for the SOC?
• Who is the ultimate stakeholder for the SOC? Who will “sell” the SOC to the rest of the organization?
• What types of security events will eventually be fed into the SOC for monitoring?
• Will the organization seek an external partner to help manage the SOC?

The Security Operations Optimization portfolio provides a flexible approach to the entire SOC/SIEM life cycle, covering People and Governance, Processes and Practices, and Technology in each phase.

Strategy
• Define the mission
• Assess current operations and capabilities
• Define future environment
• Develop roadmap for action

Design & Build
• Laying the foundation of capabilities
• Designing effective staffing models and supporting processes / technology
• Conducting training and testing
• Implementing tracking and reporting capabilities

Run & Enhance
• Leveraging acquired knowledge and experience
• Instituting formal feedback and review mechanisms
• Driving further value from the technology
• Expanding business coverage and functions
• Tuning and refinement

Optimize
• Business aligned threat management and metrics
• Drive for best practices
• Integrated operations with improved communications
• Seek opportunities for cost takeout
• Continuous improvement

Entry activities
• Introduction: educational, share best practices
• Assessment: table-top, guided SOC maturity assessments
• Strategy: set high-level vision; develop next steps roadmap for action

References

• IBM Security Services
• Meadowville Technology Park, Chesterfield County, Virginia
• Carl Hill, President, www.gtscloud.com
• Paladion Co, paladion.net
• Randy Marchany, VA Tech IT Security Office and Lab

Thank you for your time!

Questions and Answers