Security Operation Centre (SOC) Services


Contents

Section - Page

1 Executive Summary - 03

2 Introduction to Services - 06

3 SOC Operations - Day to Day activities - 11

4 Use Cases - 24

1. Executive Summary


Background

Client’s Information Security function currently provides detection and prevention services, such as monitoring, incident response and investigations, across the Client’s technology environment. The security strategy is to enhance and address gaps in the security monitoring function through a Security Operations Centre (SOC) service.

Our understanding of your needs

We are aware that a key objective of this engagement is to assist you with Monitoring of Information Security Threat Detection and Response Services.

Monitoring of alerts 24*7

1. Perform 24*7 monitoring of alerts generated from the implemented Splunk Enterprise Security App from the BlueSwarm Facility.

Investigation and Notification

1. Analyze and investigate alerts and the logs that generate the alerts

2. Eliminate false positives and confirm the alerts as incidents

3. Assess and prioritize potential incidents for communication and action

4. Notify Client on potential and confirmed incidents

5. Observe deviations from normal behaviour (such as authentication failures, incoming/outgoing traffic, changes, audit logs, etc.) and uncover activities that could undermine the security of information assets

Preliminary Incident Response

1. Provide incident details and outline preliminary incident response activities that can help contain the impact of the threat and additional investigation that may be subsequently required

Reporting

1. Provide monthly summary reports and dashboards highlighting the security posture of the Client's monitored infrastructure

2. Provide suggestions and recommendations that would enhance security of the monitoring infrastructure based on information gathered during monitoring

2. Introduction to Services


BlueSwarm Approach - SOC Framework

The SOC framework (diagram) covers the following operational areas:

► Event Management

► Incident Management

► Threat Intelligence

► Investigation

► Daily Operations

► Knowledge Management

► KPIs / Metrics

► Business Continuity / Disaster Recovery

► Internal processes

These sit within an enhanced security risk management cycle: Threat & Vulnerability Management, Incident Response, Countermeasure Planning, and Metrics & Reporting.

BlueSwarm - Overview of Services

Flexible service offerings that allow you to consume selective components of people, process and technology.

BlueSwarm provides flexible and customisable options that will allow you to selectively consume components of people, process and technology depending on your strategy.

Our integrated approach provides an ability to integrate broader cyber security services: security monitoring, incident response, threat hunting, threat intelligence, forensic investigation, and cyber dashboard. This will provide additional support in handling cyber security incidents, and in assessing your defence-in-depth controls.

Monitoring of Information Security Threats (BlueSwarm Process, Tools and People):

► Security Monitoring offering to meet your 24x7x365 requirements through our Analysts

► Threat Intelligence offering with comprehensive intelligence feeds and reporting of current threats

► Incident Response offering with “boots on the ground” service to support with incident investigation

► Threat Hunting offering to hunt for symptoms with a hypothesis that the environment is compromised

► Forensic Investigation offering with “boots on the ground” service to provide detailed analysis of compromised systems

► Cyber Dashboard offering with advanced detection and response capability against threat actors

The diagram distinguishes offered components from optional components.

BlueSwarm SOC Architecture (diagram): log collection from the client environment, secure communication to the BlueSwarm Facility, the SIEM monitoring workflow, and monitoring and incident response.

BlueSwarm - Delivery Model

Our delivery model provides cost-effective services using offshore resources.

► Dedicated Team Lead will act as an extension to your team, and be the key contact for assisting security, compliance and general queries.

► BlueSwarm Manager to provide management oversight of the service

► Security Admins (Level 1), Security Analysts (Level 2), Threat Hunters and Incident Handlers (Level 3) operate from BlueSwarm Offices in India, Dubai and UK to meet your Tier-1, Tier-2 and Tier-3 requirements across 24x7x365

► All data will reside on cloud infrastructure

► A secure connection will be established between Client premises and BlueSwarm SOC Centre

► Incident Response service that enables the ability to perform rapid investigation of incidents, invocation of forensic investigation as required, effective containment of threat vectors and lateral movement, proactive eradication of indicators of compromise and risk-based recovery of business operations.

Delivery model diagram (labels recovered from the slide): Client Premises (CISO / Security Manager, Enterprise Service Management, Client Technology Environment, Onshore Information Security Team Members, Technical Teams; data sources: DNS, Databases, Servers, Firewalls, Antivirus, IDS/IPS); Client Data and Connectivity via Cloud; BlueSwarm Premises (BlueSwarm Team Lead, Offshore Lv1/Lv2/Lv3 Security Personnel, Offshore Incident Handlers; India – Level 1/ Level 2/ Level 3; locations India | UK | Dubai and EU | UK | USA | Dubai); 24x7x365 coverage.

BlueSwarm - Delivery Model

Our delivery model can be tailored to achieve 24*7 detection and response whilst balancing cost.

Below is an illustrative model for how 24*7 coverage can be achieved Monday – Friday, as well as over weekends and public holidays.

Weekday Shift Model [24 hours effective coverage per day] and Weekend/Public Holiday Shift Model [24 hours effective coverage per day] (shift diagrams): two offshore shifts (Shift 1 and Shift 2) with handover and operational support windows, and health checks repeated through the 24-hour cycle. Time marks shown on the diagrams: 00:00, 1.00am, 4.00am, 8.00am, 8.30am, 12pm, 3:30pm, 6:30pm, 8.00pm and 24:00.

3. SOC Operations - Day to Day activities

1. SIEM – Monitoring Workflow: Project Approach and Methodology

Structured process flow (process workflow / alert handling workflow diagram):

► Alerts are raised on the Splunk Console at the BlueSwarm Facility and picked up by BlueSwarm Security Analysts, with tracking in the Ticketing Portal.

► Preliminary Analysis / Initial Triage: an actual incident or false alarm; scope and impact; systems involved, applications, OS, business & technical owners; has confidential data been exposed or exfiltrated?

► Security Incident? If it is a false positive or known issue, the issue is closed.

► Otherwise: detailed investigation; discuss with client, gather more data; notify Client as a Security Incident.

► Incident Resolution & Response: ATL resolves and responds to the incident; BlueSwarm assists ATL for incident resolution and response.

CRITICAL INCIDENT HANDLING FLOW - Malware Incidents (Viruses, Worms, Trojans, Rootkits, Ransomware)

Malware Alert Triggers

Initial Triage

• An actual incident or false alarm

• The scope and impact

• Systems involved including applications, operating systems, and business and technical owners

• Is the incident still ongoing

• Has confidential or personal data possibly been exposed or exfiltrated

• Has there been illegal activity

Notify internal management chain

• Based on the severity and scope of the incident, determine if preliminary internal notification is appropriate and to whom.

• Document and execute as appropriate.

Detection/Analysis Phase

• Disconnect or isolate malware-infected systems

• Analyze malware-infected systems and study malicious file characteristics

• Review the output and status of anti-virus software

• Research AV vendor databases

• Analyze network traffic for malware activity (C&C)

• Research current attack intelligence and recent vulnerabilities

Response

• Notify stakeholders (status update)

• Apply type-specific malware containment measures

• Ensure updated antivirus signatures are deployed for host and network-based AV products

• Notify your ISP and other external parties as appropriate

• Take backups, reformat the drive and rebuild it; harden other relevant machines

Recommendations

• Antivirus signature check

• Security patches update

• OS and kernel level updates

• Preserving the malware for further forensic investigation

• Blocking of non-standard ports

CRITICAL INCIDENT HANDLING FLOW - Application Level Attacks (XSS, SQL Injection, Directory Traversal, Automated Scanners, etc.)

Application Alert Triggers

Initial Triage

• An actual incident or false alarm

• The scope and impact

• Systems involved including applications, operating systems, and business and technical owners

• Is the incident still ongoing

• Has confidential or personal data possibly been exposed or exfiltrated

• Has there been illegal activity

Notify internal management chain

• Based on the severity and scope of the incident, determine if preliminary internal notification is appropriate and to whom.

• Document and execute as appropriate.

Detection/Analysis Phase

• Comprehensive logging flow at the application tier leading to the detection of misuse and fraud

• Looking for unusual traffic outbound from web servers

• Looking for extra accounts or other configuration changes on servers

• Searching for special characters or phrases such as "union", "select", "join" and "inner" in requests

Response

• Notify stakeholders

• Block the source IP address and the exploited account

• Mitigate the vulnerability by applying appropriate patches

• Limit the permissions of the web app when accessing the database

Recommendations

• Review every point where user-supplied data is handled and processed

• Clean any input of characters or strings that could possibly be used maliciously before passing it on to scripts and databases

• Schedule a penetration test for web applications that handle sensitive data of any kind

• Developers can use automated code and vulnerability scanners to uncover potential security issues
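The "search for special characters or phrases" step above, as an added example that is not part of the original deck: a small detector run over constructed web access log lines that URL-decodes each request and flags SQL injection, directory traversal and XSS patterns, then ranks source addresses for the triage step. The log lines, addresses and patterns are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 1532
10.0.0.9 - - [12/Mar/2024:10:01:10 +0000] "GET /products?id=42%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 712
10.0.0.9 - - [12/Mar/2024:10:01:15 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 221
10.0.0.12 - - [12/Mar/2024:10:02:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 801
10.0.0.7 - - [12/Mar/2024:10:02:30 +0000] "GET /products?id=7 HTTP/1.1" 200 1490
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Detection patterns by category, applied to the URL-decoded request.
# These are illustrative and deliberately narrow; a production rule set
# would be tuned against the application's own traffic.
PATTERNS = {
    "sqli": re.compile(r"\b(union\s+(all\s+)?select|inner\s+join|select\s+.+\s+from)\b", re.I),
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
    "xss": re.compile(r"<\s*script\b|javascript:", re.I),
}


def decode_request(path):
    # Decode twice so double-encoded payloads (%252e) are also normalised.
    return unquote(unquote(path))


def classify(path):
    """Return the sorted list of categories whose pattern matches the request."""
    decoded = decode_request(path)
    return sorted(cat for cat, rx in PATTERNS.items() if rx.search(decoded))


def scan_log(text):
    """Parse each access-log line and emit one alert per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        cats = classify(m["path"])
        if cats:
            alerts.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "categories": cats, "request": decode_request(m["path"]),
            })
    return alerts


def top_sources(alerts):
    """Source addresses by alert count, for the 'block source IP' decision."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```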

Event/Incident Analysis Life Cycle - 1

I. Initial Assessment Phase (flow diagram):

► Notable alerts/events from the SIEM receive an initial analysis of the Notable Event. Initial Triage covers: an actual incident or false alarm; scope and impact; systems involved, applications, OS, business & technical owners.

► Known security problem or a possible false positive? Validate against the past false positives and known problems list. A known false positive, or a known problem with acceptable risk, leads to Notable Event closure (I B. False Positive / Known Issue Management: update the False Positive / Known problem list).

► Immediate notification to Client based on severity / criticality? An alert with high criticality is notified to stakeholders, followed by analysis/action on the notification by the Client.

► Incident confirmed? Validation by Infosec with NOC/Techops/IT explanation decides whether it is a false positive or an environment issue (accept/reject).

► Confirmed or unresolved events proceed to II. Information Gathering & Investigation Phase, or directly to III B. Initiation of Incident Resolution Phase.

EVENT / INCIDENT ANALYSIS LIFE CYCLE - 2

II. Information Gathering & Investigation Phase (flow diagram):

► Information required: request input and agree a timescale to respond.

► Responds within the timeframe? If yes, check whether the input is adequate or additional information is required; adequate data is provided to the SOC Team for detailed investigation, followed by a briefing.

► Failure to respond within the agreed timeframe triggers escalation to the next level; the delays and escalation process are documented (with the delays and overheads involved) until issue resolution.

► Follow up & support through Remedy, e-mail and calls.

► Output feeds III. Final Assessment & Initiation of Incident Resolution Phase.

EVENT / INCIDENT ANALYSIS LIFE CYCLE - 3

III. Final Assessment & Initiation of Incident Resolution (flow diagram):

A. Final Assessment: the SOC Team final analysis decides Security Incident? If not, it is a false positive: update the False Positive / Known environment issue list (I B.) and close the Notable Event. If more work is needed, the event returns to the Initial Assessment Phase or the II. Information Gathering & Investigation Phase.

B. Initiation of Incident Resolution: preliminary/detailed incident handling suggestions are communicated to the respective stakeholders with the required suggestions, and Incident Response follows. Where monitoring is required post incident handling, the SOC monitors for issue resolution until the Client updates the ticket and the issue is resolved; then Incident Closure.

EVENT / INCIDENT ANALYSIS LIFE CYCLE - 4: TICKET UPDATE

A. Ticket updates/follow ups

• Check mail box/Remedy for ticket updates

• Fetch the required details in SIEM as requested in the ticket and update it

• Check the ticket status: closed/resolved/long pending

• If closed/resolved, check in the logs whether the alerts are repeating in Splunk; if yes, reopen the ticket; if no, update the Incident tracker in Remedy with closure comments

• Tickets with further data inputs/analysis required: loop the team in e-mail for further communications/follow-ups

B. E-mail Response

• Check mail box

• Respond to queries and updates as requested

• Send critical notifications as per monitoring in Splunk

A Day In The Life Of Security Analyst - Level 1

Day Shift (8AM to 8PM)

• 8 AM: Analysts check in at the Facility

• 8.10 AM: Hand-over of activity & information from analysts of the previous shift

• 8.10 AM – 8.15 AM: Check mails and the ticketing portal to be updated on ongoing incidents or suspicious things that need monitoring

• 8.20 AM – 8.30 AM: Check the assigned clients and commence with the monitoring & reporting part

• 8.30 AM: Health check of all log sources, repeated once every 3 hours from now

• 8.30 AM – 8 PM: Real time monitoring with respect to assigned clients and notifying stakeholders as and when alerts/abnormalities are observed

• End of Shift: Analysts share the Shift Handover and Health monitoring sheet internally

Night Shift (8PM to 8AM)

• 8 PM: Next cycle analysts check in at the Facility

• 8.10 PM: Hand-over of activity & information from Day Shift analysts

• 8.10 PM – 8.15 PM: Check mails and the ticketing portal to be updated on ongoing incidents or suspicious things that need monitoring

• 8.20 PM – 8.30 PM: Check the assigned clients and commence with the real-time monitoring & reporting part

• 8.30 PM: Health check of all log sources, repeated once every 3 hours from now

• 8.30 PM – 8 AM: Real time monitoring with respect to assigned clients and notifying stakeholders as and when alerts/abnormalities are observed

• End of Shift: Analysts share the Shift Handover and Health monitoring sheet internally

Interaction & Escalation Echelon Layout: Level 1 → Level 2 → Level 3 → SOC Manager. Tier 1 Analysts who ascertain alerts that signal an incident get across to Tier 2 leads for Incident Response review.

A Day In The Life Of Security Analyst - Level 2 Shift Leads

Early Morning Shift (6AM to 4PM)

• 6 AM: Lead 1 check-in at the facility

• 6 AM – 6.15 AM: Sit with Analysts and help them with their queries

• 6.15 AM – 6.45 AM: Check mails and address ad-hoc requests raised by clients; assign clients to Level 1 Analysts

• 6.45 AM – 9.00 AM: Share the daily reports along with insights with the respective stakeholders

• 9.00 AM – 4.00 PM: Work on ad-hoc requests / weekly / monthly reports / detailed incident observations / client calls

• End of Shift (Lead 1)

Late Evening Shift (12PM to 10PM)

• 12 PM: Lead 2 check-in at the facility

• 12.30 PM: Understand critical requirements from the day shift lead; support Level 1 with their queries, if any

• 12.30 PM – 4.00 PM: Work on ad-hoc requests / weekly / monthly reports / detailed incident observations / client calls

• 4 PM – 4.15 PM: Lead 1 leaves with hand-over of activity & information to Lead 2

• 4.15 PM – 10 PM: Work on ad-hoc requests / weekly / monthly reports / detailed incident observations / client calls

• End of Shift (Lead 2)

Shift Handover and Health Check

Shift Rotations – 12 Hour Cycle (8 AM to 8 PM and 8 PM to 8 AM), with Shift Handover and Health Monitoring at the end of each shift cycle (diagram).

BlueSwarm Approach: Key Performance Indicators

Event/Incident Management

Attribute: Responsiveness (Metric - Frequency - Source Data)

• Total Number of Notable Events - Weekly - SIEM

• Number of Tickets assigned - Weekly - SIEM

• Number of Tickets unassigned - Weekly - SIEM

• Average Time to Respond to Queries / Key incidents - Weekly - SIEM

Attribute: Correlations (Metric - Frequency - Source Data)

• Total Number of Raw Events - Monthly - SIEM

• Number of Notable Events as False Positives - Monthly - SIEM

• Number of Notable Events as True Positives - Monthly - SIEM

• Number of Notable Events as Incidents - Monthly - SIEM

Analyst Productivity

Attribute: Analyst Effectiveness (Metric - Frequency - Source Data)

• Event Generation to Assignment - Weekly - SIEM

• Assignment to Ticket Creation - Weekly - SIEM

• Assignment to Closure - Weekly - SIEM

• Ticket Creation to Closure - Weekly - Remedy
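The KPI tables above, worked as an added example (not part of the original deck): the responsiveness, correlation and analyst-effectiveness metrics computed from a handful of constructed notable-event records in the shape a SIEM export might provide (ISO timestamps, None where a step has not happened). Record fields and values are assumptions; the raw-event total and query response time are not derivable from these records and are left out.

```python
from collections import Counter
from datetime import datetime

# Constructed notable-event records; ids, times and dispositions are invented.
NOTABLES = [
    {"id": "NE-1001", "generated": "2024-03-04T08:05:00", "assigned": "2024-03-04T08:20:00",
     "ticket_created": "2024-03-04T08:40:00", "closed": "2024-03-04T11:00:00",
     "disposition": "true_positive", "incident": True},
    {"id": "NE-1002", "generated": "2024-03-04T09:00:00", "assigned": "2024-03-04T09:10:00",
     "ticket_created": None, "closed": "2024-03-04T09:25:00",
     "disposition": "false_positive", "incident": False},
    {"id": "NE-1003", "generated": "2024-03-05T22:00:00", "assigned": None,
     "ticket_created": None, "closed": None, "disposition": None, "incident": False},
    {"id": "NE-1004", "generated": "2024-03-06T14:00:00", "assigned": "2024-03-06T14:30:00",
     "ticket_created": "2024-03-06T15:00:00", "closed": "2024-03-07T15:00:00",
     "disposition": "true_positive", "incident": False},
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def _avg_minutes(events, start_key, end_key):
    """Average minutes between two lifecycle timestamps, over events that have both.
    Returns None when no event has reached the later step yet."""
    spans = [(_ts(e[end_key]) - _ts(e[start_key])).total_seconds() / 60
             for e in events if e[start_key] and e[end_key]]
    return round(sum(spans) / len(spans), 1) if spans else None


def weekly_responsiveness(events):
    """Responsiveness attribute: notable event and assignment counts."""
    assigned = sum(1 for e in events if e["assigned"])
    return {
        "total_notable_events": len(events),
        "tickets_assigned": assigned,
        "tickets_unassigned": len(events) - assigned,
    }


def monthly_correlations(events):
    """Correlations attribute: how notable events were dispositioned."""
    disp = Counter(e["disposition"] for e in events)
    return {
        "false_positives": disp["false_positive"],
        "true_positives": disp["true_positive"],
        "incidents": sum(1 for e in events if e["incident"]),
    }


def analyst_effectiveness(events):
    """Analyst Effectiveness attribute: the four lifecycle intervals, in minutes."""
    return {
        "generation_to_assignment_min": _avg_minutes(events, "generated", "assigned"),
        "assignment_to_ticket_min": _avg_minutes(events, "assigned", "ticket_created"),
        "assignment_to_closure_min": _avg_minutes(events, "assigned", "closed"),
        "ticket_to_closure_min": _avg_minutes(events, "ticket_created", "closed"),
    }
```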

Incident Handling & Response Strategy (diagram)

Phases: Prepare → Monitor → Alert → Triage → Contain and Remediate → Incident Disrupt.

BlueSwarm Deliverables (Daily / Weekly / Monthly / Quarterly): Incident tickets, Analysis report, Cyber weekly, Rule review, Monthly briefing, Quarterly briefing.

IT and Security Actions: Disable account, Remove malware, Block IPs, Block domains/URLs, Run AV scan, Update AV, Contact user, Reimage systems.

Parties and flows: Client Operations and Client IT and Security exchange Incident tickets, Requests for information and Alert Triage with BlueSwarm Operations (BlueSwarm Security Operations Center, BlueSwarm Core Team) through secure messages and the Client ticket system.

BlueSwarm core technology to augment your current investments:

• Provides visibility into threats on end points and servers along with timeline analysis

• Conducts advanced remote analysis, forensics and malware analysis

• Provides event correlation, advanced search, workflow management, dashboards and reporting

BlueSwarm INCIDENT RESPONSE & FORENSICS TOOLS (slide grouping the tooling into Incident Response, Forensics and Malware Analysis)

4. Use Cases

BlueSwarm SOC: Comprehensive visibility throughout the kill chain

Attack (Kill) chain progression: Background research → Initial attack → Establish foothold → Enable persistence → Enterprise recon → Move laterally → Escalate privilege → Gather and encrypt data → Steal data.

Detection points along the chain:

• Detection that email is malicious

• Detection that communication with attacker exists

• Detection that programs or services are malicious

• Detection that reconnaissance behavior exists

• Detection that traversal behavior exists

• Detection that staging behavior exists

• Detection that privilege escalation behavior exists

• Detection that exfiltration behavior exists

BlueSwarm SOC: Kill Chain – Use cases Map

Reconnaissance: Port Scan Detected; Potential Host Sweep Attack Detected; Targeted port scan detected with successful connections; Web Spider Detection

Weaponization: Inbound Threat IP Communication; Malware/Attacks Detected on EPO; Phishing: Email Domain Typo Squatting; Possible SSH Brute-force

Delivery: Email Spoofing Detected; Possible bad attachments being sent to multiple users; Possible mail spoofing with malicious attachment

Exploitation: Connection from Suspicious Process Detected and Blocked by AV; Suspicious shell execution from web server process; Word or Excel processes with execution of a scripting engine

Installation: APT Hash Detected; Recurring Malware Infection; GPO Creation; Suspicious Windows registry activity

Command & Control: APT Domain or IP Detected; Large Outbound Bytes Transfer; Possible DNS exfiltration; Outbound Threat IP Communication

Action: Windows firewall rule was deleted on a system; Outbreak Observed; Network Device Rebooted; High CPU Utilization

Threat-Centric SIEM Use Cases

Threat modelling drives actionable use cases in the SIEM.

Threat Modelling: develop multi-staged complex use cases based on the threats targeting the critical assets.

Security Operations: implement specific rules to alert on security violations, suspicious events, and malicious behaviours.

Sample use cases (Use Case Name - Description - Log Sources - Attack Phase):

► Scanning - In the cloud, scanning activity can include attempts to authenticate to the management console, attempts to list and access cloud resources (instances, databases, storage buckets, etc.), and network activity on unusual ports. - Log sources: VPC Flow, CloudTrail - Attack phase: Reconnaissance

► Threat IP - We leverage threat intelligence to provide detection of known threats that have already been weaponized. - Log sources: Threat Intel, VPC Flow, CloudTrail - Attack phase: Weaponization

► Phishing - Ways to get payloads into the cloud are to use traditional phishing and malware attacks against users. An attacker can then leverage that user’s devices or credentials to deliver their payloads into the cloud environment. - Log sources: Endpoint logs for users accessing Cloud Infra, CloudTrail - Attack phase: Delivery

► Unauthorized API Access - Exploiting a hosted service means finding a web vulnerability, weak password, or other means to get access to an instance in the cloud; indicators include abnormal API access from the infected instances and unusual network traffic. - Log sources: CloudTrail, VPC Flow, Database Access, Web Access - Attack phase: Exploitation

► Compromised Instances - Many of the features used to detect compromised user credentials and insider threats can also be used to identify compromised instances. Unusual API access or network traffic coming from a host can indicate the installation of some new tools on that host. - Log sources: CloudTrail, Endpoint Logs, VPC Flow - Attack phase: Installation

► Rogue Network Services - Instances in the cloud generally have fixed workloads and security group configurations to forbid incoming traffic. Once an instance is compromised, and the command and control traffic originates from within the instance, those security groups are ineffective. The predictability of the workloads, however, lends itself to the accurate detection of rogue network services, identified through unusual port access or traffic volumes. - Log sources: VPC Flow - Attack phase: Command & Control

► Mining Bitcoin - Public cloud providers offer an easy way to spin up compute-dense instances to perform lucrative endeavours like mining bitcoin. - Log sources: CloudTrail - Attack phase: Action

The heart of our security monitoring is based on threat modelling. We assess the threats targeting your critical assets and assist in developing use cases, based on realistic scenarios, that also take account of the effectiveness of existing controls.

We then implement enhancements to SIEM rules specific to the use cases to provide actionable alerts to the Security Analysts and Incident Responders.
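The Rogue Network Services use case above, as an added example that is not part of the original deck: a baseline of accepted outbound (port, protocol) pairs is learned from a known-good day of VPC flow records, and the day under review is then checked for outbound flows to ports never seen in the baseline or carrying an unusual byte volume. The flow lines follow the AWS VPC Flow Logs v2 default field order; the account id, interface id, addresses and the 10x volume threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed VPC flow log lines (v2 default format): version account-id
# interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end
# action log-status. BASELINE is a known-good day, CURRENT is the day under
# review, both for the instance 10.0.1.15.
BASELINE = """\
2 123456789012 eni-0a1b 10.0.1.15 10.0.0.5 51212 443 6 20 4800 1709510400 1709510460 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.15 10.0.0.5 51214 443 6 18 4100 1709510460 1709510520 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.15 10.0.0.9 51300 5432 6 40 9000 1709510520 1709510580 ACCEPT OK
"""
CURRENT = """\
2 123456789012 eni-0a1b 10.0.1.15 10.0.0.5 51400 443 6 20 4800 1709596800 1709596860 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.15 198.51.100.7 51402 4444 6 900 1800000 1709596860 1709596920 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.15 10.0.0.9 51405 5432 6 35 8000 1709596920 1709596980 ACCEPT OK
2 123456789012 eni-0a1b 10.0.1.15 10.0.0.5 51410 443 6 5000 950000 1709596980 1709597040 ACCEPT OK
2 123456789012 eni-0a1b 203.0.113.4 10.0.1.15 40000 22 6 5 400 1709597040 1709597100 REJECT OK
"""
FIELDS = ["version", "account", "interface", "src", "dst", "srcport", "dstport",
          "proto", "packets", "bytes", "start", "end", "action", "status"]


def parse_flows(text):
    """Parse v2 flow records; NODATA/SKIPDATA records and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2" or parts[-1] != "OK":
            continue
        row = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "proto", "packets", "bytes", "start", "end"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def build_baseline(rows, instance_ip):
    """Bytes sent by the instance per accepted outbound (dstport, proto) pair.
    A fixed workload should yield a small, stable set of pairs."""
    seen = defaultdict(int)
    for r in rows:
        if r["src"] == instance_ip and r["action"] == "ACCEPT":
            seen[(r["dstport"], r["proto"])] += r["bytes"]
    return dict(seen)


def detect_rogue_services(rows, baseline, instance_ip, volume_factor=10):
    """Flag accepted outbound flows to a port absent from the baseline, or a
    single flow carrying more than volume_factor times the baseline bytes for
    that port (a simple heuristic chosen for this example)."""
    findings = []
    for r in rows:
        if r["src"] != instance_ip or r["action"] != "ACCEPT":
            continue
        key = (r["dstport"], r["proto"])
        if key not in baseline:
            findings.append(("new_outbound_port", r["dst"], r["dstport"], r["bytes"]))
        elif r["bytes"] > volume_factor * baseline[key]:
            findings.append(("volume_anomaly", r["dst"], r["dstport"], r["bytes"]))
    return findings
```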

USE CASE MODELLING

The elements that comprise the use case can be divided into three layers:

► Business layer - describes how the use case is connected to the organization’s business needs

► Threat layer - describes the threat that the use case is intended for. Several aspects of the threat are considered

► Implementation layer - aspects that are relevant for implementation of the use case in the operational security monitoring architecture are described

Layer diagram: Business & Compliance (Purpose, Stakeholder, Drivers, Output); Threat Landscape (Threats, Actors, Incident Response Analysis); IT Landscape (Log Source Scope, Detection Mechanism, Monitoring Rules).

ATTACK SCENARIOS & EXAMPLE I

ATTACK SCENARIO - I (kill chain phases: Reconnaissance, Weaponize, Delivery, Exploitation, Installation, C2, Action)

► Threat Actor Action: Forcing User to Targeted Drive by Download

► Data sources: Mail, Proxy, DPI, IDS/IPS

► Applicable Use Cases: Suspicious file type download (executable, DLL, archive file, …); Suspicious mail headers (Intel based); Mismatched HREF attribute

ATTACK SCENARIOS & EXAMPLE II

ATTACK SCENARIO - II (kill chain phases: Reconnaissance, Weaponize, Delivery, Exploitation, Installation, C2, Action)

► Threat Actor Action: RDP Lateral movement

► Data sources: Win, DPI

► Applicable Use Cases: Chained RDP connections; RDP with unusual charset; Multiple RDP from same host in short time
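Two of the RDP lateral movement use cases above ("Chained RDP connections" and "Multiple RDP from same host in short time"), as an added example that is not part of the original deck: detection logic run over constructed Windows Security events (Event ID 4624 with Logon Type 10 marks an RDP logon). Host names, addresses, users and the time windows are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host inventory and Windows Security log records; all invented.
HOST_IP = {"WS01": "10.1.1.10", "SRV-FILE": "10.1.2.20",
           "SRV-DB": "10.1.2.30", "SRV-APP": "10.1.2.40"}
IP_HOST = {ip: host for host, ip in HOST_IP.items()}

EVENTS = [
    {"time": "2024-03-04T02:10:00", "event_id": 4624, "logon_type": 10,
     "user": "jdoe", "target": "SRV-FILE", "source_ip": "10.1.1.10"},
    {"time": "2024-03-04T02:14:00", "event_id": 4624, "logon_type": 10,
     "user": "jdoe", "target": "SRV-DB", "source_ip": "10.1.2.20"},
    {"time": "2024-03-04T02:16:00", "event_id": 4624, "logon_type": 10,
     "user": "jdoe", "target": "SRV-APP", "source_ip": "10.1.1.10"},
    {"time": "2024-03-04T02:18:00", "event_id": 4624, "logon_type": 10,
     "user": "jdoe", "target": "SRV-DB", "source_ip": "10.1.1.10"},
    {"time": "2024-03-04T09:00:00", "event_id": 4624, "logon_type": 2,
     "user": "asmith", "target": "WS01", "source_ip": "-"},
    {"time": "2024-03-04T13:00:00", "event_id": 4624, "logon_type": 10,
     "user": "asmith", "target": "SRV-APP", "source_ip": "10.1.1.10"},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def rdp_logons(events):
    """Keep only successful RDP (RemoteInteractive) logons, oldest first."""
    return sorted((e for e in events
                   if e["event_id"] == 4624 and e["logon_type"] == 10), key=_t)


def chained_rdp(events, window_minutes=15):
    """Chained RDP: A -> B, then B -> C inside the window, i.e. the source of
    the second logon is the host that was the target of the first."""
    hits = []
    logons = rdp_logons(events)
    for first in logons:
        deadline = _t(first) + timedelta(minutes=window_minutes)
        for second in logons:
            if not (_t(first) < _t(second) <= deadline):
                continue
            if IP_HOST.get(second["source_ip"]) == first["target"]:
                hits.append((first["user"],
                             IP_HOST.get(first["source_ip"], first["source_ip"]),
                             first["target"], second["target"]))
    return hits


def rdp_fan_out(events, window_minutes=10, min_targets=3):
    """Multiple RDP from the same host in a short time: one source reaching at
    least min_targets distinct hosts inside a sliding window."""
    by_source = defaultdict(list)
    for e in rdp_logons(events):
        by_source[e["source_ip"]].append(e)
    hits = []
    for src, logons in by_source.items():
        for i, start in enumerate(logons):
            deadline = _t(start) + timedelta(minutes=window_minutes)
            targets = {e["target"] for e in logons[i:] if _t(e) <= deadline}
            if len(targets) >= min_targets:
                hits.append((IP_HOST.get(src, src), start["time"], sorted(targets)))
                break  # one alert per source keeps the analyst queue readable
    return hits
```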

USE CASE DESIGNING PROCESS

The design fields and their meaning:

• Objective - Purpose and goal of the procedure

• Threat - The threat which the logic seeks to identify

• Stakeholder - Those with responsibility relating to the procedure

• Data Requirements - Detection information sources, e.g. logs, packets, host configuration, CTI, etc.

• Logic - Content rules and filters, etc. to process data and identify the threat

• Testing - Logic validation process to confirm that it addresses the risk

• Priority - Classification category and level for the threat based on impact and urgency

• Output - Workflow when responding to the threat

Example: Admin Credential Abuse

• Objective - Monitor and alert on unusual Admin Account Access

• Threat - Attacker lateral movement and use of Admin accounts

• Stakeholder - L1, L2 Analysts, Incident Coordinator, ITOPS

• Data Requirements - Microsoft Domain Controller, Windows Server (various)

• Logic - Reporting Engine; Enterprise Security Alert Manager

• Testing - Conduct test with Admin account out of hours

• Priority - DMZ: P2, DC: P1

• Output - Procedure to be followed when unusual Admin Account access is detected
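The Admin Credential Abuse card above, carried through as an added example (not the deck's own rule or tooling): the Logic step as a check for privileged-account logons outside business hours, the Priority step as the DMZ: P2 / DC: P1 zone mapping, and the Testing step as a synthetic out-of-hours admin logon that must raise an alert. The business hours window, privileged group names, host-to-zone table, the P3 default for other zones and the logon records are all constructed assumptions.

```python
from datetime import datetime, time

BUSINESS_HOURS = (time(8, 0), time(18, 0))            # assumed working window
ADMIN_GROUPS = {"Domain Admins", "Server Admins"}      # assumed privileged groups
HOST_ZONE = {"DC01": "DC", "DC02": "DC", "WEB-DMZ-01": "DMZ", "APP-01": "INTERNAL"}
ZONE_PRIORITY = {"DC": "P1", "DMZ": "P2"}              # from the use case card
DEFAULT_PRIORITY = "P3"                                # assumption for other zones

# Constructed domain controller / Windows server logon records; all invented.
# 2024-03-04 is a Monday.
LOGONS = [
    {"time": "2024-03-04T03:12:00", "user": "adm-rk", "groups": ["Domain Admins"],
     "host": "DC01", "source_ip": "10.9.9.9"},
    {"time": "2024-03-04T10:00:00", "user": "adm-rk", "groups": ["Domain Admins"],
     "host": "DC01", "source_ip": "10.1.1.5"},
    {"time": "2024-03-04T22:30:00", "user": "adm-web", "groups": ["Server Admins"],
     "host": "WEB-DMZ-01", "source_ip": "10.1.1.5"},
    {"time": "2024-03-04T23:00:00", "user": "jdoe", "groups": ["Domain Users"],
     "host": "APP-01", "source_ip": "10.1.1.7"},
    {"time": "2024-03-05T06:45:00", "user": "adm-app", "groups": ["Server Admins"],
     "host": "APP-01", "source_ip": "10.1.1.7"},
]


def is_admin(record):
    """Privileged if the account holds any of the admin groups."""
    return bool(ADMIN_GROUPS & set(record["groups"]))


def out_of_hours(timestamp):
    """Weekend, or a weekday time outside the business hours window."""
    start, end = BUSINESS_HOURS
    t = datetime.fromisoformat(timestamp)
    return t.weekday() >= 5 or not (start <= t.time() < end)


def priority_for(host):
    """Priority step: DC hosts are P1, DMZ hosts P2, anything else the default."""
    return ZONE_PRIORITY.get(HOST_ZONE.get(host, "INTERNAL"), DEFAULT_PRIORITY)


def detect_admin_abuse(records):
    """Logic step: alert on every admin logon that happens out of hours,
    ordered so the highest priority lands first in the analyst queue."""
    alerts = []
    for r in records:
        if is_admin(r) and out_of_hours(r["time"]):
            alerts.append({
                "user": r["user"], "host": r["host"], "time": r["time"],
                "source_ip": r["source_ip"], "priority": priority_for(r["host"]),
                "output": "Follow the unusual Admin Account access procedure",
            })
    return sorted(alerts, key=lambda a: (a["priority"], a["time"]))


def validation_test(host="DC01", when="2024-03-09T02:00:00"):
    """Testing step: a synthetic out-of-hours admin logon (Saturday 02:00)
    run through the same logic; it must produce exactly one alert."""
    synthetic = {"time": when, "user": "adm-test", "groups": ["Domain Admins"],
                 "host": host, "source_ip": "10.0.0.1"}
    return detect_admin_abuse([synthetic])
```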

Thank you