Next-Gen Security Operations...Security Operations Center (SOC) “A team primarily composed of...

Next-Gen Security Operations: From SOC to CSOC Narayan Neelakantan & Abhijit Dhongade September 20, 2017





www.blockarmour.com


Restricted Use Only

Agenda

• Background

• Security Operations Center

• SOC – Building Blocks

• Cyber Security Operations Center

• Use Cases

• Case Study



Threat Landscape

E-mail malware rate jumped from 1 in 220 e-mails in 2014 to 1 in 131 e-mails in 2016

Threats were perpetrated by 75% outsiders, 25% insiders

357 million unique malware variants identified in 2016

27% of breaches discovered by third parties

Cyber attackers revealed new levels of ambition in 2016, a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and some of the biggest distributed denial of service (DDoS) attacks on record powered by a botnet of Internet of Things (IoT) devices

61% of data breach victims are businesses with under 1000 employees

Source: Verizon, Symantec – 2017 report


Underground Marketplace

Source: Symantec – 2017 report


Security Operations Center (SOC)

“A team primarily composed of security analysts organized to detect, analyze, respond to, report on and prevent cybersecurity incidents”

- Carson Zimmerman, Ten Strategies of a World Class Cyber Security Operations Center


Security Operations Center

Central Location to Detect and Respond to Incidents

• Assets

• Data

• People

• Logs

• Alerts

• Correlation

• Containment

• Eradication

• Recovery

• Evidence

• Chain of Custody

• Forensics


Traditional SOC – Functions



Implementation

SOC Engineering

• Manage Tooling

• Use Cases

• Fine-Tuning Rules

Incident Analysis & Triage

• Monitoring & Analysis

• Escalation

Incident Response

• Investigation

• Containment

• Eradication

• Recovery


Traditional SOC - Sample Org Structure


SOC

• Incident Analysis & Triage: Engineer (L1), Analyst (L2)

• SOC Engineering: Subject Matter Expert (SME)

• Incident Response: Incident Handler (L3)

• Forensics


Traditional SOC – Limitations

• Limited Visibility

• Cannot detect sophisticated attacks

• Response mechanism not adequate to deal with today’s cyber threats

• Highly dependent on people skills


CSOC – Key Objectives

• Enhanced Visibility

• Effective Detection

• Near real-time Incident Response


Elements of a Cyber Attack

Target

• Organizations & Corporates

• Critical Infrastructure

• Government agencies

Threat Actor

• Cyber Criminal

• Script-Kiddie

• Internal

• Corporate Espionage

• Hacktivists

• Nation State

Attack Vectors

• Web

• E-mail

• Removable media

• Network

• Social media

Motive

• Financial gain

• Data Exfiltration

• Intellectual property theft

• Espionage

• Damage reputation


Threat Model


CSOC – Functions



CSOC – Implementation

THREAT INTELLIGENCE

• Strategic

• Tactical

• Operational

• Integration

• STIX/TAXII

ANALYTICS & HUNTING

• Predictive Analysis

• Scenarios

• Big Data Capability

• Historical Data


CSOC - Sample Org Structure


SOC

• Incident Analysis & Triage: Engineer (L1), Analyst (L2)

• SOC Engineering: Subject Matter Expert (SME)

• Incident Response: Incident Handler (L3)

• Analytics & Hunting: Subject Matter Expert (SME)

• Threat Intelligence: Subject Matter Expert (SME)

• Forensics


CSOC - Tooling

• SIEM

• Anomaly Detection

• Threat Intelligence

• Analytics

• EDR

• Deception Technology

• Response automation



CSOC – Trends

Incident Response is primarily managed in-house except for reverse engineering

Endpoint Detection & Response (EDR) is the most used capability for response

Outsourced activities are primarily Threat research, Forensics & Security Monitoring & Detection

Working cohesively with IT Operations team continues to be one of the biggest challenges

Organizations have started using threat hunting with automated data collection and correlation to help remediate unknown threats

The majority of organizations are in the process of developing plans to monitor IoT devices

Organizations are considering adoption of response automation tools to speed up remediation

Source: SANS Future SOC Survey – May 2017


Summary

• Identification of crown jewels is crucial

• Tooling must be continuously fine-tuned

• Well defined processes within CSOC for triage, analysis and escalation

• People strategy

• Robust organization-wide Incident Response process

• Simulations & Drills to measure effectiveness

• Response automation



Use Case 1 – Detecting a Targeted Attack

Detection flow (reconstructed from the slide's flowchart):

• Reconnaissance event: capture the attacker IP and add it to the Active List.

• Is the reconnaissance for open ports?

• No: do not trigger an alert.

• Yes: does a vulnerability exist on the targeted service?

• Vulnerability does not exist: trigger a medium priority alert, add the attacker to Active List 2 and monitor the attacker for further activities; check if more traffic is observed from the attacker.

• Vulnerability exists: trigger a high priority alert and check for the vulnerability being exploited.

Dramatically improved identification of Real Incidents

False positives reduced by 85%
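The flowchart above as a small correlation routine, added here as an example rather than the deck's SIEM content: it scores reconnaissance events against a constructed open-port map and vulnerability-scanner output, and keeps the two active lists the slide names (`active_list`, `active_list_2`, hosts and addresses are all constructed).

```python
"""Use Case 1: triage reconnaissance events by open port and known vulnerability.
Added example; hosts, ports and events below are constructed, not from the deck."""
from collections import defaultdict

# Constructed environment data: open ports per host, and (host, port) pairs
# that the vulnerability scanner report flags as vulnerable.
OPEN_PORTS = {"10.0.0.5": {22, 443}, "10.0.0.9": {80}}
VULNERABLE = {("10.0.0.5", 443)}

# Constructed reconnaissance events (e.g. from firewall / IPS), one per probe.
RECON_EVENTS = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "port": 8080},  # closed port
    {"src": "203.0.113.7", "dst": "10.0.0.5", "port": 22},    # open, no known vuln
    {"src": "198.51.100.3", "dst": "10.0.0.5", "port": 443},  # open and vulnerable
]

active_list = set()    # every attacker IP seen performing reconnaissance
active_list_2 = set()  # attackers that hit an open port and need monitoring


def triage_recon(event):
    """Return None, 'medium' or 'high' per the flowchart, updating the active lists."""
    src, dst, port = event["src"], event["dst"], event["port"]
    active_list.add(src)                     # capture attacker IP
    if port not in OPEN_PORTS.get(dst, set()):
        return None                          # probe of a closed port: no alert
    if (dst, port) in VULNERABLE:
        return "high"                        # open and vulnerable: check for exploitation
    active_list_2.add(src)                   # open only: monitor for further activity
    return "medium"


def run(events):
    """Group alerts by priority: {'medium': [(src, dst, port), ...], 'high': [...]}"""
    alerts = defaultdict(list)
    for ev in events:
        prio = triage_recon(ev)
        if prio:
            alerts[prio].append((ev["src"], ev["dst"], ev["port"]))
    return dict(alerts)


def further_activity(src, events):
    """Monitoring step: how many reconnaissance events a given attacker has produced."""
    return sum(1 for ev in events if ev["src"] == src)


if __name__ == "__main__":
    print(run(RECON_EVENTS))
    print("active list:", sorted(active_list), "monitoring:", sorted(active_list_2))
```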


Use Case 1 – Detecting a Targeted Attack

Actors

• Cyber Criminals

• Hacktivists

• Script Kiddies

• Cyber Espionage

Log Sources

• Firewall

• IPS

• Vulnerability Scanner Reports

SIEM Content

• Rules

• Reports

• Dashboards

• Live Monitoring Channels

• Watch Lists


Use Case 2 – Detecting APT Attack

Detection flow (reconstructed from the slide's flowchart):

• Capture IoCs from Threat Intel and populate the IoC Active List.

• Malicious Email / URL detection events: capture the Source IP and add it to the Active List.

• Monitor the Source IP for further suspicious activities.

• Check for events from the Source IP and match them with the IoC Active List & C&C IP. Matching events? No: keep monitoring. Yes: trigger a Very High Priority Alert, block access to the C&C server and contain the host.

• Check for connections with other internal hosts from the Source IP; check for events from those hosts and match them with the IoC Active List. Matching events? No: keep monitoring. Yes: trigger a Very High Priority Alert.

Early stage detection & containment of APT attacks

Improved visibility of attacker activities

One-to-one correlation with Cyber Kill Chain
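The APT flow above as a correlation routine, added as an example and not the deck's SIEM content: a constructed threat-intel feed populates the IoC Active List and C&C IPs, a malicious mail-gateway verdict puts the source host under monitoring, and later proxy and firewall events are matched against the lists and checked for lateral connections (the event field names and the 10.0.0.0/8 internal range are assumptions).

```python
"""Use Case 2: IoC active list matching and lateral-movement check after a
malicious e-mail / URL detection. Added example; all data is constructed."""
import ipaddress

IOC_ACTIVE_LIST = {"bad-update.example", "evil.example"}  # constructed IoC domains
CC_IPS = {"198.51.100.20"}                                 # constructed C&C addresses
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range

# Constructed event stream in arrival order (mail gateway, proxy, firewall).
EVENTS = [
    {"type": "mail_gateway", "src": "10.0.0.5", "verdict": "malicious"},
    {"type": "proxy", "src": "10.0.0.5", "domain": "bad-update.example", "dst": "198.51.100.20"},
    {"type": "firewall", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 445},
    {"type": "proxy", "src": "10.0.0.9", "domain": "evil.example", "dst": "192.0.2.44"},
]


def is_internal(ip):
    return ip is not None and ipaddress.ip_address(ip) in INTERNAL_NET


def matches_ioc(ev):
    """Match an event against the IoC Active List (domains) and the C&C IP list."""
    return ev.get("domain") in IOC_ACTIVE_LIST or ev.get("dst") in CC_IPS


def correlate(events):
    """Walk the flowchart; return (alerts, containment actions) in the order raised."""
    source_active_list = set()  # hosts that received a malicious e-mail / URL
    lateral = {}                # monitored host -> internal hosts it connected to
    alerts, actions = [], []
    for ev in events:
        if ev["type"] == "mail_gateway" and ev["verdict"] == "malicious":
            source_active_list.add(ev["src"])  # capture source IP, start monitoring
            continue
        if ev["src"] in source_active_list:
            if matches_ioc(ev):                # monitored host reached an IoC / C&C
                alerts.append(("very_high", ev["src"]))
                actions.append(("block_cc_and_contain", ev["src"]))
            elif is_internal(ev.get("dst")):  # record internal peers for the next check
                lateral.setdefault(ev["src"], set()).add(ev["dst"])
        elif matches_ioc(ev) and any(ev["src"] in peers for peers in lateral.values()):
            alerts.append(("very_high", ev["src"]))  # peer of a monitored host hit an IoC
    return alerts, actions


if __name__ == "__main__":
    for item in correlate(EVENTS):
        print(item)
```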


Use Case 2 – Detecting APT Attack

Actors

• Cyber Criminals

• Cyber Espionage

• Nation State

Log Sources

• Firewall, IPS, URL Filtering / Proxy, Mail Gateways

• Vulnerability Scanner Reports

• Anomaly Detection Events

• ATP Events

• TIP Events

• EDR Events

• OS Events

SIEM Content

• Rules

• Reports

• Dashboards

• Live Monitoring Channels

• Watch Lists


Case Study – Detection of C&C Communication (Low & Slow attack)

Building Blocks

Incident Response

• Investigation of infected systems

• Identification of OS Processes

• Identification of files associated with the Process

• Analysis of files

Use Case

• Identify potentially infected systems

Log Source

• Firewall

• AV

• Threat Intel

SIEM Content

• Dashboard displaying Source IP with Drop Events
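The "source IP with drop events" view, plus the low-and-slow check it exists to support, as an added example that is not the case study's own dashboard: it parses constructed firewall drop lines (the line layout is an assumption), counts drops per source IP, and flags source/destination pairs whose drops recur at a near-constant interval, the beaconing pattern a low-and-slow C&C channel tends to leave.

```python
"""Case study: rank sources by firewall drop events and flag periodic (low & slow)
beaconing. Added example; the log lines and their layout are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed drop log: "<epoch> DROP src=<ip> dst=<ip> dport=<port>".
# 10.0.0.5 beacons to one address every 600 s; 10.0.0.9 shows three unrelated drops.
FW_LOG = [f"{1505900000 + i * 600} DROP src=10.0.0.5 dst=198.51.100.20 dport=443"
          for i in range(12)]
FW_LOG += [
    "1505900100 DROP src=10.0.0.9 dst=203.0.113.8 dport=22",
    "1505900120 DROP src=10.0.0.9 dst=203.0.113.9 dport=22",
    "1505904000 DROP src=10.0.0.9 dst=203.0.113.10 dport=22",
]


def parse(line):
    """Return (timestamp, src, dst, dport) from one constructed drop line."""
    ts, _, src, dst, dport = line.split()
    return int(ts), src.split("=")[1], dst.split("=")[1], int(dport.split("=")[1])


def drops_per_source(log):
    """Dashboard view: source IP -> number of drop events (candidates to investigate)."""
    counts = defaultdict(int)
    for _, src, _, _ in map(parse, log):
        counts[src] += 1
    return dict(counts)


def beacon_candidates(log, min_hits=8, max_jitter=0.2):
    """Flag (src, dst) pairs whose drops recur at a near-constant interval.

    A pair is flagged when it has at least min_hits drops and the standard
    deviation of the gaps between them is within max_jitter of the mean gap;
    the value is the mean interval in seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in map(parse, log):
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            flagged[pair] = round(mean(gaps))
    return flagged


if __name__ == "__main__":
    print(drops_per_source(FW_LOG))
    print(beacon_candidates(FW_LOG))
```

Real drop logs carry far more fields; only the timestamp, source and destination are needed for this check.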


References

• Computer Security Incident Handling Guide – NIST (USA)

• Seven Steps to Creating an Effective CSIRT – Gartner

• Ten Strategies of a World Class Cyber Security Operations Center – MITRE (mitre.org)

• Future SOC: SANS 2017 Security Operations Center Survey – SANS
