Building a SOC in a Changing Threat Landscape

Posted on 09-Jun-2015


My presentation at the E-Crime Abu Dhabi conference about building a security operations center and measuring its performance.

Transcript of Building a SOC in a Changing Threat Landscape

Building a Security Operations Center and KPIs for a SOC

Mahmoud Yassin
Lead Security Architect
Mahmoud.yassin@outlook.com

Overview

Companies like yours?

Insights into building a SOC team in a changing threat landscape

Measuring the effectiveness of SOC using key performance indicators

Using 24*7 monitoring to minimize overall risk across an organization

Conclusions


Companies like yours?


Changed Threat Landscape

- Who is targeting you?
- What are they after?
- Have they succeeded?
- How long have they been succeeding?
- What have I lost so far?
- What can I do to counter their methods?
- Are there legal actions I can take?


Today’s Threat Landscape

- External attacks: trojans, viruses, worms, phishing. Not stopped by firewalls alone; requires IPS.
- Undetected attacks: vulnerabilities and compromised machines may lie dormant for months, awaiting an attacker to exploit them. Requires vulnerability awareness and endpoint intelligence.
- Information leakage: point-to-point VPNs plus desktop and mobile internet connections provide ample opportunity. Requires compliance monitoring and enforcement.
- Porous perimeter: every machine is a peering point, and laptops carry infections past firewalls. Requires IDS.

Capability areas on the landscape diagram: intrusion prevention; vulnerability assessment; network behavior analysis (NBA); network access control (NAC); network intelligence and user intelligence; physical / data center security; visibility of advanced persistent threats (marked "Invisible" on the diagram).

Source: Douwe.Leguit@govcert.nl, April 2010

What to Monitor

Security by Service Layers

The slides walk the OSI stack (Physical, Data Link, Network, Transport, Session, Presentation, Application) from the bottom up and attach monitoring and control activities to each group of layers:

- Physical: wiring closets, cable plant, building access control, power, HVAC
- NIDS, HIDS, perimeter devices; virus scanning
- Firewalls, routers, access control lists (ACLs), IP addressing schemes, e-mail attachment scanning
- OS hardening, security health checking, vulnerability scanning, penetration testing
- User account management on systems, role/rule-based access control, application security, antivirus updates and signatures

The Enterprise Today: mountains of data, many stakeholders

Log sources:

- Router logs
- IDS/IDP logs
- VPN logs
- Firewall logs
- Windows logs
- Wireless access logs
- Windows domain logins
- Oracle Financial logs
- SAN file access logs
- VLAN access & control logs
- DHCP logs
- Mainframe logs
- Client & file server logs
- Linux, Unix, Windows OS logs
- Database logs
- Switch logs
- Web server activity logs
- Content management logs
- Web cache & proxy logs
- VA scan logs

Use cases the data serves:

- Configuration control: lockdown enforcement
- Access control enforcement: privileged user management
- Malicious code detection: spyware detection
- Real-time monitoring: troubleshooting
- Unauthorized service detection
- IP leakage
- False positive reduction
- User monitoring; SLA monitoring

Source: RSA

Top Technical Issues

- Increase speed of aggregation and correlation
- Maximize device and system coverage
- Improve ability to respond quickly
- Deliver 24x7 coverage
- Support federated and distributed environments
- Provide forensic capabilities
- Ensure intelligent integration between SOCs and NOCs
- Time to remediation

SOC Framework

- Operational models (SOC and ODC)
- Industry standards and best practices (ITIL, BS 7799/ISO 17799, SANS, CERT)
- Service delivery (onsite, near-shore and offshore)
- Service delivery windows (24x7, 8x5, 12x7)
- Web portal (operational reporting, advisories)
- Knowledgebase (incident & problem management, testing, product evaluation)
- Security Center of Excellence (test bed, technology innovation, knowledge management, training)
- Tools (helpdesk, monitoring, management, configuration, automation/workflow)
- Command center: security advisory, reporting
- Device operations (change, vendor management, installation, configuration)
- Security change and incident management
- Two streams: an infrastructure management stream and a security management stream
- Device supervision (performance, incident, monitoring)
- Security monitoring
- People resources (cross-skilling, rotation, training, ramp-up and scale-down)
- Program management (customer interface, escalation management, strategic assistance, operational supervision, quality control)

SOC or Operational SOC…

Compliance operations:
- Access control
- Configuration control
- Malicious software
- Policy enforcement
- User monitoring & management
- Environmental & transmission security

Security operations:
- Access control enforcement
- SLA compliance monitoring
- False positive reduction
- Real-time monitoring
- Unauthorized network service detection
- More…

All the data, log management: any enterprise IP device through Universal Device Support (UDS); no filtering, normalizing or data reduction; security events and operational information; no agents required.

Stakeholders: server engineering, business operations, compliance audit, application & database, network operations, risk management, security operations, desktop operations.

Platform functions: report, alert/correlation, incident management, log management, asset identification, forensics, baseline … for compliance & security operations.

The 3 (main) functions of a SOC

- The reason for a SOC: business continuity, risk mitigation, cost efficiency
- What does the SOC do?
  1. Real-time monitoring / management: aggregate logs; aggregate more than logs; coordinate response and remediation; a "Google Earth" view from a security perspective
  2. Reporting / custom views: for security professionals, executives and auditors; consistent
  3. After-action analysis: forensics; investigation; automated remediation
- Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to the business, transparency, passing audits, consistency, reproducibility
- Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk, failing audits, inconsistency

Prioritization and Remediation

- Deal with what is most relevant to the business first: gather asset data; gather business priorities; understand the business context of an incident
- Break down the IT silos: automate the action after incident discovery; coordinate responses; inform all who need to know of an incident; work with existing ticketing / workflow systems
- Threat × Weakness × Business Value = Risk. Deal with BUSINESS RISK.

SOC and Business Expectations (historical to today's scenario)

- Technology-based services (historical): monitoring & management of firewalls, IDS/IPS, VPN concentrators, antivirus, content filtering
- Compliance driven: security control assessment, enforcing enterprise security policies, log management, incident management, audits
- Business-oriented IT risk management (today's scenario): IT risk dashboard, sustaining enterprise security control, meeting industry processes

SOC Architecture

The architecture slide shows a corporate WAN linking Data-Center 1 through Data-Center n (server farms and storage) and the other business units to a centralized SOC management function with L1, L2 and L3 tiers.

- Risk monitoring portal: performance monitoring, security monitoring, availability monitoring, scheduled reporting
- Support functions: threat analysis, risk assessment, performance management, availability management, trend analysis and reporting, compliance management
- Process framework: ITIL; best practice: ISO 27001, SANS, FDDI
- Risk mitigation plan, control verification, compliance impact analysis, managing new requirements

Proactive SOC Approach

- Data and analysis: logs, event correlation, reports & statistics, forensics, knowledgebase, security analytics
- Service management processes: customer service, technical support, incident management, problem management, release management, change management, configuration management, automation & integration
- Security operations & management
- Infrastructure assessment service
- Vulnerability assessment & penetration testing; vulnerability management
- Customized advisories, forensic investigation tools, proactive intelligence
- Standards: BS 15000, ITIL, ISO, ISO 27001, etc.

SOC Operational Model (people)

- L1: Security Operators: security event monitoring; incident detection and first-level analysis; routine maintenance and operational tasks; operational reporting
- L2: Security Analysts: incident analysis and validation; vulnerability assessment and remediation support; device management tasks; trend monitoring and analysis; vulnerability impact analysis; escalation management; compliance reporting
- L3: Security Incident Managers: incident handling and closure; service management reporting; compliance impact analysis; managing new requirements
- SOC Operations Managers: SOC incident management; performance management; problem management; change and release management; configuration management; service level management; availability and continuity management
- SOC Management Team: resource management and skill development; operational process improvement; program escalation management; customer management
- SOC Security: administration of SOC security; implementation projects; compliance management; incident management; enhancement projects
- SOC Engineering: management of SOC tool configuration; enhancements to SOC tools; SOC architecture design; SOC transformation projects
- Vendor Management: technical support; incident escalation; product support; training
- Centers of Excellence (COEs): threat alert & advisory (Threat A&A); innovation; benchmarks; reuse of components/solutions
- Shared services: knowledgebase/security portal; threat alert & advisory

SOC Service Delivery Structure: the tiers, management, security, engineering and vendor-management functions above make up the delivery structure.

SOC Operational Model (process)

The process slide (Information & Action) shows the flow from sources to engineers:

1. Collect: raw log data and alerts from network devices, firewalls, IDS and industry sources, delivered as syslog and SNMP through collection agents.
2. Normalize: alerts and log data are converted to a common schema; consolidated logs are retained.
3. Filter: noise is removed before correlation.
4. Correlate: events are matched against each other and against asset criticality and asset vulnerability data.
5. Intelligence: real-time security analysis and real-time alert management, presented as a dashboard view via the portal.
6. Engineers: response and management, including remote management of devices from the SOC.

Tool footprint: a central manager receives raw log data, alerts and normalized log data from the agents; the SOC team works from the portal dashboard.
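The collect, normalize, filter and correlate stages above, together with the Threat × Weakness × Business Value formula from the prioritization slide, are shown below as an added example written by the editor; it is not code from the deck or its author. The log lines, asset records, regular expressions, rule weights and the cross-layer rule (perimeter IDS alert confirmed by endpoint antivirus on the same host) are constructed assumptions, and the score is only meaningful for ranking a queue.

```python
"""Correlation example added by the editor; not code from the deck or its
author. A toy version of the collect -> normalize -> filter -> correlate
pipeline that ends in a risk-ranked queue using the deck's
Threat x Weakness x Business Value formula. All log lines, asset records,
regexes and weights below are constructed assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed raw lines from a firewall, a Snort-style IDS, Windows logons and an AV server.
RAW_EVENTS = [
    "Jun 9 10:01:02 fw01 kernel: ACCEPT src=203.0.113.7 dst=10.0.0.5 dpt=445",
    "Jun 9 10:01:03 ids01 snort[1]: [1:2000:1] SMB exploit attempt src=203.0.113.7 dst=10.0.0.5",
    "Jun 9 10:01:09 ids01 snort[1]: [1:2000:1] SMB exploit attempt src=203.0.113.7 dst=10.0.0.9",
    "Jun 9 10:02:15 10.0.0.5 EventID=4625 user=svc_backup status=failure",
    "Jun 9 10:02:16 10.0.0.5 EventID=4625 user=svc_backup status=failure",
    "Jun 9 10:02:17 10.0.0.5 EventID=4624 user=svc_backup status=success",
    "Jun 9 10:05:00 av01 TrendMicro: virus detected host=10.0.0.9 name=Trojan.Generic action=quarantined",
    "Jun 9 10:06:00 printer07 lpd: job 42 completed",  # no parser for this: the filter drops it
]

# Constructed asset data: business criticality (1-5) and count of open vulnerabilities.
ASSETS: Dict[str, dict] = {
    "10.0.0.5": {"name": "oracle-fin-db", "criticality": 5, "vulns": 3},
    "10.0.0.9": {"name": "hr-desktop-17", "criticality": 2, "vulns": 1},
}


@dataclass
class Event:
    source: str
    kind: str
    host: str    # the asset the event is about (destination for network events)
    detail: str


PATTERNS = [
    ("firewall", re.compile(r"kernel: (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)")),
    ("ids", re.compile(r"snort\[\d+\]: \[[\d:]+\] (?P<sig>.+?) src=(?P<src>\S+) dst=(?P<dst>\S+)")),
    ("windows", re.compile(r"(?P<host>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+) status=\w+")),
    ("antivirus", re.compile(r"virus detected host=(?P<host>\S+) name=(?P<name>\S+) action=(?P<action>\S+)")),
]


def normalize(line: str) -> Optional[Event]:
    """Map one raw line onto the common Event schema; None means the filter drops it."""
    for source, pat in PATTERNS:
        m = pat.search(line)
        if not m:
            continue
        g = m.groupdict()
        if source == "firewall":
            return Event(source, "fw_" + g["action"].lower(), g["dst"], f"{g['src']}->{g['dst']}:{g['dpt']}")
        if source == "ids":
            return Event(source, "ids_alert", g["dst"], g["sig"])
        if source == "windows":
            return Event(source, "logon_failure" if g["eid"] == "4625" else "logon_success", g["host"], g["user"])
        return Event(source, "av_detection", g["host"], f"{g['name']} ({g['action']})")
    return None


def correlate(events: List[Event]) -> List[dict]:
    """Group per host, apply cross-source rules, score with Threat x Weakness x Business Value."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    findings = []
    for host, evs in by_host.items():
        kinds = {e.kind for e in evs}
        threat, reasons = 0, []
        if "ids_alert" in kinds and "fw_accept" in kinds:          # perimeter: attack on an allowed flow
            threat, reasons = max(threat, 4), reasons + ["IDS alert on a flow the firewall accepted"]
        if "ids_alert" in kinds and "av_detection" in kinds:       # cross-layer: perimeter and endpoint agree
            threat, reasons = max(threat, 5), reasons + ["perimeter IDS alert confirmed by endpoint AV"]
        failures = defaultdict(int)                                # sequence rule: N failures then a success
        for e in evs:
            if e.kind == "logon_failure":
                failures[e.detail] += 1
            elif e.kind == "logon_success" and failures[e.detail] >= 2:
                threat, reasons = max(threat, 3), reasons + [f"{e.detail} logged on after {failures[e.detail]} failures"]
        if threat == 0:
            continue
        asset = ASSETS.get(host, {"name": host, "criticality": 1, "vulns": 0})
        weakness = 1 + asset["vulns"]                              # never zero: a patched host is still reachable
        findings.append({"host": host, "asset": asset["name"], "threat": threat, "weakness": weakness,
                         "value": asset["criticality"], "risk": threat * weakness * asset["criticality"],
                         "reasons": reasons})
    return sorted(findings, key=lambda f: f["risk"], reverse=True)


def prioritized_queue(lines: List[str] = RAW_EVENTS) -> List[dict]:
    """Run the whole pipeline and return the analyst queue, highest business risk first."""
    return correlate([e for e in map(normalize, lines) if e is not None])


if __name__ == "__main__":
    for f in prioritized_queue():
        print(f"{f['risk']:>4}  {f['asset']:<15} threat={f['threat']} weakness={f['weakness']} "
              f"value={f['value']}  {'; '.join(f['reasons'])}")
```

On this data the financial database ends up first (threat 4 × weakness 4 × value 5 = 80) even though the HR desktop has the higher raw threat score (a confirmed infection, 5 × 2 × 2 = 20): that is the business-context ordering the prioritization slide asks for, and it only works if asset criticality and vulnerability data actually feed the correlation stage.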

SOC Operational Model (technology)

- Manage: supported devices feeding the platform, e.g. Trend Micro Antivirus, Microsoft ISS, Juniper IDP, Cisco IPS, Netscreen Firewall, Windows Server, plus legacy devices through Universal Device Support (UDS)
- Analyze: baseline, report, forensics; correlated alerts; real-time analysis; Event Explorer
- Remediate: integrated incident management

SOC Key Differentiation Areas

Integrated CMDB (integrated, efficient, business aligned):
- Configuration Management Database (CMDB) features: connectors sync data with external systems; create, update and view configuration items (CIs); create relationships among CIs, work items (WIs), IT staff and Active Directory® Domain Services (AD DS) users; automatically track CI change history; service definition and mapping
- CMDB data: work items, configuration items, relationships

Incident Management (keep users and data center services up and running, and restore service quickly):
- Process workflows: escalations, notifications, remediation
- Customizable templates; knowledge & history
- Automatic incident creation from Desired Configuration Monitor (DCM) errors, Operations Manager alerts, inbound e-mail and the portal

Case Management (enables organizations to identify and track problems):
- Problem creation from similar incidents or attacks
- Link incidents and change requests to the problem
- Auto-resolution of incidents linked to the problem

Change Management (minimize errors and reduce risk):
- Typical change models: standard, major, emergency, etc.; review and manual activities
- Customizable templates; workflows and notifications
- Analyst portal with approvals via the web
- Relate change requests to incidents, problems and configuration items

Vulnerability Management Process

1. DISCOVERY (Mapping)

2. ASSET PRIORITISATION (and allocation)

3. ASSESSMENT (Scanning)

4. REPORTING (Technical and Executive)

5. REMEDIATION (Treating Risks)

6. VERIFICATION (Rescanning)
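The six steps above, run end to end over constructed scan output, as an added example written by the editor (not code from the deck or its author). The inventory, hosts, check names, CVSS scores, SLA days and dates are all assumptions; the severity bands follow the CVSS v3 qualitative scale, which the deck itself does not specify.

```python
"""Vulnerability management example added by the editor; not code from the
deck. It walks the six steps (discovery, asset prioritisation, assessment,
reporting, remediation, verification) over constructed data: the inventory,
hosts, check names, CVSS scores, SLA days and dates are all assumptions."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

Finding = Tuple[str, str, float]   # (host, check/plugin name, CVSS base score)

# Asset inventory (CMDB view): host -> (name, business criticality 1-5). Constructed.
INVENTORY: Dict[str, Tuple[str, int]] = {
    "10.0.0.5": ("oracle-fin-db", 5),
    "10.0.0.9": ("hr-desktop-17", 2),
    "10.0.0.12": ("web-proxy", 3),
}
# 1. DISCOVERY: hosts the mapping scan found. 10.0.0.44 is not in the inventory.
DISCOVERED = ["10.0.0.5", "10.0.0.9", "10.0.0.12", "10.0.0.44"]
# 3. ASSESSMENT: constructed findings from the first scan.
FIRST_SCAN: List[Finding] = [
    ("10.0.0.5", "smb-signing-disabled", 5.3),
    ("10.0.0.5", "oracle-listener-unauth", 9.8),
    ("10.0.0.9", "outdated-browser", 7.5),
    ("10.0.0.12", "tls10-enabled", 4.3),
    ("10.0.0.44", "telnet-open", 9.8),
]
# 6. VERIFICATION: constructed rescan after the remediation window.
RESCAN: List[Finding] = [
    ("10.0.0.5", "smb-signing-disabled", 5.3),
    ("10.0.0.9", "outdated-browser", 7.5),
    ("10.0.0.12", "weak-ssh-ciphers", 4.3),   # regression introduced by the change
    ("10.0.0.44", "telnet-open", 9.8),
]
# 5. REMEDIATION: assumed treatment deadlines in days per severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity(cvss: float) -> str:
    """CVSS v3 qualitative bands."""
    return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"


def discover(discovered: List[str], inventory: Dict[str, Tuple[str, int]]):
    """Steps 1-2: split mapped hosts into inventoried assets and unknown ones that need classification."""
    known = {h: inventory[h] for h in discovered if h in inventory}
    unknown = [h for h in discovered if h not in inventory]
    return known, unknown


def prioritize(findings: List[Finding], inventory, scan_date: date) -> List[dict]:
    """Steps 2-5: rank findings by criticality x CVSS and attach the remediation due date."""
    rows = []
    for host, check, cvss in findings:
        name, crit = inventory.get(host, (host, 1))   # unknown assets get the lowest value until classified
        sev = severity(cvss)
        rows.append({"host": host, "asset": name, "check": check, "cvss": cvss, "severity": sev,
                     "priority": round(crit * cvss, 1),
                     "due": (scan_date + timedelta(days=SLA_DAYS[sev])).isoformat()})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


def executive_summary(rows: List[dict]) -> Dict[str, int]:
    """Step 4: counts per severity band; the ranked rows are the technical report."""
    summary = {s: 0 for s in SLA_DAYS}
    for r in rows:
        summary[r["severity"]] += 1
    return summary


def verify(first: List[Finding], rescan: List[Finding]) -> Dict[str, list]:
    """Step 6: diff the rescan against the original findings by (host, check)."""
    before = {(h, c) for h, c, _ in first}
    after = {(h, c) for h, c, _ in rescan}
    return {"fixed": sorted(before - after), "still_open": sorted(before & after), "new": sorted(after - before)}


def run_cycle(scan_date: date = date(2012, 5, 15)) -> dict:
    """One pass through the loop; returns what the report and the rescan produce."""
    _known, unknown = discover(DISCOVERED, INVENTORY)
    rows = prioritize(FIRST_SCAN, INVENTORY, scan_date)
    return {"unknown_hosts": unknown, "report": rows, "summary": executive_summary(rows),
            "verification": verify(FIRST_SCAN, RESCAN)}


if __name__ == "__main__":
    result = run_cycle()
    print("unknown hosts to classify:", result["unknown_hosts"])
    for r in result["report"]:
        print(f"{r['priority']:>5} {r['severity']:<8} {r['asset']:<15} {r['check']:<24} due {r['due']}")
    print(result["summary"], result["verification"])
```

Two things worth noticing in the output: the unknown host with an open telnet service ranks last because it has no business value assigned, which is why discovery has to feed the inventory before prioritisation is trusted; and the rescan reports a new finding on the proxy, so verification is a three-way diff (fixed, still open, new), not just a check that the old findings are gone.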

Investigations and Forensics

- Being able to investigate and manipulate data
- Visualization
- Post-event correlation
- Managing by case / incident
- Chain of custody
- Integrity of data
- Remediation automation

SOC Objectives: A Framework for Security Operations

The slide is a matrix of security objectives (rows) against three security environments (columns): Perimeter Network Operations, eCommerce Operations, and Internal Systems & Applications. Each cell carried a rating (legend: Most critical / Highly desired / Desired); the per-cell ratings are not reproduced in this transcript, so only the objectives are listed.

- Access Control Enforcement: privileged user monitoring; corporate policy conformance
- Real-time Monitoring: troubleshoot network & security events; "What is happening?"
- False Positive Reduction: confirm IDS alerts; enable critical alert escalation
- Correlated Threat Detection: watch remote network areas; consolidate distributed IDS alerts
- Watchlist Enforcement: external threat exposure; internal investigations
- Unauthorized Network Service Detection: shut down rogue services; intellectual property leakage
- SLA Compliance Monitoring: proof of delivery; monitor against baselines
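SLA compliance monitoring, false positive reduction and time to remediation are the objectives the deck proposes to measure with KPIs. The following is an added example by the editor (not code from the deck or its author) that computes those KPIs from a constructed incident-ticket export: ticket fields, SLA targets, timestamps and the choice of metrics (mean time to detect, mean time to contain, SLA compliance, overdue backlog, false-positive rate) are assumptions.

```python
"""KPI example added by the editor; not code from the deck. It computes
the measures a SOC reports against its SLA baselines (time to detect,
time to contain, SLA compliance, overdue backlog, false-positive rate)
from a constructed ticket export. Ticket fields, SLA targets and
timestamps are assumptions."""
from datetime import datetime, timedelta
from statistics import mean
from typing import List, Optional, Tuple

# Constructed ticket export: (id, severity, disposition, first_event, detected, contained).
# Timestamps are UTC ISO-8601; None means containment has not happened yet.
Ticket = Tuple[str, str, str, str, str, Optional[str]]
TICKETS: List[Ticket] = [
    ("INC-1", "critical", "true_positive",  "2012-05-14T02:10", "2012-05-14T02:25", "2012-05-14T03:40"),
    ("INC-2", "high",     "true_positive",  "2012-05-14T09:00", "2012-05-14T11:30", "2012-05-14T20:00"),
    ("INC-3", "high",     "false_positive", "2012-05-14T10:05", "2012-05-14T10:07", "2012-05-14T10:20"),
    ("INC-4", "medium",   "true_positive",  "2012-05-13T22:00", "2012-05-14T08:00", None),
    ("INC-5", "critical", "true_positive",  "2012-05-15T01:00", "2012-05-15T01:05", "2012-05-15T06:00"),
]
# Assumed containment SLA: minutes allowed from detection to containment, per severity.
CONTAIN_SLA_MIN = {"critical": 120, "high": 480, "medium": 1440}


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


def kpis(tickets: List[Ticket], now: datetime) -> dict:
    """Per-severity MTTD, MTTR, SLA compliance and overdue backlog, plus the overall FP rate."""
    stats = {}
    false_positives = 0
    for tid, sev, disposition, first_event, detected, contained in tickets:
        if disposition == "false_positive":
            false_positives += 1       # triage-quality metric; excluded from the timing KPIs
            continue
        ev, det = datetime.fromisoformat(first_event), datetime.fromisoformat(detected)
        s = stats.setdefault(sev, {"ttd": [], "ttc": [], "within_sla": 0, "overdue_open": []})
        s["ttd"].append(_minutes(ev, det))
        deadline = det + timedelta(minutes=CONTAIN_SLA_MIN[sev])
        if contained is not None:
            con = datetime.fromisoformat(contained)
            s["ttc"].append(_minutes(det, con))
            if con <= deadline:
                s["within_sla"] += 1
        elif now > deadline:
            s["overdue_open"].append(tid)   # open and already past SLA: counts as a breach
    report = {}
    for sev, s in stats.items():
        judged = len(s["ttc"]) + len(s["overdue_open"])   # tickets whose SLA outcome is known
        report[sev] = {
            "mttd_min": round(mean(s["ttd"]), 1),
            "mttr_min": round(mean(s["ttc"]), 1) if s["ttc"] else None,
            "sla_compliance_pct": round(100 * s["within_sla"] / judged, 1) if judged else None,
            "overdue_open": s["overdue_open"],
        }
    report["false_positive_rate_pct"] = round(100 * false_positives / len(tickets), 1)
    return report


def kpi_report(tickets: List[Ticket] = TICKETS, now: str = "2012-05-15T12:00") -> dict:
    """Entry point with the constructed export and a fixed 'now' so results are reproducible."""
    return kpis(tickets, datetime.fromisoformat(now))


if __name__ == "__main__":
    for key, value in kpi_report().items():
        print(key, value)
```

Open tickets that are still inside their SLA window are deliberately left out of the compliance denominator, otherwise every fresh incident would drag the number down; tickets that are open and past their deadline are counted as breaches and also surfaced as backlog, since that list is what the L3 tier should be escalating on. Mean times are only meaningful per severity band; a single blended MTTR hides a critical incident behind a pile of quick mediums.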

- Log management
- Asset identification
- Baseline
- Report & audit
- Alert
- Forensic analysis
- Incident management
- Automate learned incidents; automate remediation

SOC Recommendations for APT

- SOC process automation.
- Have a VIM service feeding your SOC and follow up with the different parties.
- Scan for zero-days.
- Ensure the security of your own security products (patches and zero-days; focus on perimeter devices).
- Forensics is not a luxury service: the SOC should have the tools and the ability to analyze payloads (sandboxing, etc.).

SOC Recommendations for APT (cont.)

- Correlate across layers (perimeter with endpoint; the output of IDS and IPS).
- Monitor privileges on suspected or alerted workstations.
- Enforce privilege changes if there is an infection.
- Manage exceptions.
- Contact authorities (CERTs, ISPs, law enforcement).

Q&A

15/05/2012

Mahmoud.yassin@nbad.com

myassin75@gmail.com

THANK YOU