Security Operation Center - FIRST · 1 Security Operation Center Concepts and Implementation...
Transcript of Security Operation Center - FIRST · 1 Security Operation Center Concepts and Implementation...
1
Security Operation CenterConcepts and Implementation
> SOC Modules> Global Architecture> Collection & Storage> Correlation
2
> SOC Modules
E Box
C Box
D Box
A Box
E Box E Box E Box E Box
C Box
E Boxes
C Boxes
D Box
A Box
R BoxR Box
event generators : sensors & pollers
collection boxes
formated messages database
incident analysis
reaction and reporting
K BoxK Boxknowledge base
+
> SOC Modules> E Boxes
- event generation- passive : sensors- active : pollers
> Sensors- IDS, filtering eq., syslog, apps, honeypots …- running in hostile environment- lack of standard for host-based sensors
> Pollers- third-party tool - status evaluation- may encounter performance problems
3
> SOC Modules> C & D Boxes
- event collection & storage- standard formating
> Collection- set of multi-protocol / application agents- lack of standard format- availability and performance concerns
> Storage- duplicates merging - performance concerns with huge volume of events
> SOC Modules> A & K Boxes
- multi-level analysis- intrusion scenarii- system status
> Analysis & Correlation- heavy research focus- proof of concept implementation- proprietary technologies
> Knowledge Base- vulnerabilities & intrusion scenarii- system security status- security policy
4
> SOC Modules> R Boxes
- reaction & reporting- operators interfaces- end-user interfaces
> Interfaces- subjectivity- relies on best-practices and experience return- MANDATORY
> Global Architecture
Messages Correlation
Stats
Permanent Risk Evaluation
Client SystemModelisation
OS
Host based IDS
Applications
Firewall alertsNetwork IDS
Integrity Checking
Network equipment
Alerts
Monitored System
IncidentHandling
ClientConfiguration
Record
Security Policy
CustomerStatus
VulnerabilityDatabase
Analysis
.........
A Box(CorrelationEngine)
E Box (Event Generators)
StatusIntegrity
C Box (Collection & Formating Modules)
K Box (Knowledge Base)
SNMP
syslog
Proprietary
SMTP
HTTP / XML
.........
Linux
Windows 2k / XP
Cisco Pix
Firewall-1
Oracle
Apache
IIS
.........
DISPATCHER
Tripwire
ISS
Snort
Events
D Box (Local events database)
Real-timeMonitoring
StatisticalAnalysis
System Status
Security Activity
R'' Box (Customer Portal)R' Box (SOC Console)
Dis
tribu
ted
Arch
itecu
reD
istri
bute
d Ar
chite
cure
Polling
5
> Global Architecture> Data acquisition
- technical inventory- security policy review
> Technical reviews- intrusive & non-intrusive data acquisition techniques- need for attack taxonomy and classification- relative vulnerability impact
> Organizational reviews- acceptable behavior definition- access rights- permitted operations
> Global Architecture> Status Evaluation
- vulnerabilities definition- security level evaluation- permanent audit
> Vulnerability database- structural vulnerabilities- functional vulnerabilities- topology-based vulnerabilities
> Permanent security evaluation- attack trees generation- new evaluation performed when KB updated- history management
6
> Global Architecture> Events management
- generation- collection- formating & storage
> Exhaustivity vs. performance- events overload- structural & policy pre-filter- difficulty to manage distributed filters
> Collection and storage- protocol agents- source type identification- message formatting
> Global Architecture> Analysis & reporting
- event correlation- operational reporting- strategic reporting
> Alerts- structural and behavior alert generation- criticity handling- statistical analysis
> Interfaces- operators consoles- debugging consoles- end-user portal
7
> Collection & Storage> Data collection
- heterogeneous sources- scalable architecture
> Protocol agents- server-side agents dedicated to one protocol - multiple forwarding channels support- no shared data = easy clustering / farming
> Reliability & security- TCP encapsulation- collection channel encryption
> Collection & Storage> Data collection
- source sensor identification- « standard » formatting
> Dispatcher- pattern-based analysis- forwarding to dedicated application agent- multiple listening and forwarding channels support
> Application agents- dedicated to specific (sensor, Xmit protocol)- message formating- may be merged with dispatcher
8
> Collection & Storage> Sample architectures
protocolagent
protocolagent
protocolagent
dispatcher dispatcher
Encryption
Decryption
Events
HA & LB
applicationagent
applicationagent
applicationagent
E Box E Box E Box
Unsecure Network
socket socket socket
sockets sockets
HA & LB
HA & LB
protocolagent
protocolagent
protocolagent
mqueue mqueue mqueue
mqueue mqueue mqueue
dispatcher
applicationagent
applicationagent
applicationagent
Events
E Box E Box E Box
> Collection & Storage> Host Entry
- unique host identification
> Identification- by IP- by FQDN- unique host token
> Needed to support- multihoming- NAT & Virtual IP- virtual servers
Host Token
@Host_IP_Table
@Host_FQDN_Table
ID
IP Address
ID
FQDN
Host Table
Host IP TableHost IP Table
9
> Collection & Storage> Messages format
- basic message formatting- correlation ready
Field Attributes Description id Unique Unique message ID sensor_id Not Null Unique Sensor ID msg_type Not Null Type of message (ipchains, snort-1.8.x-alert etc.) epoch_time Not Null Date in epoch format of event generation source Intrusion Source Host Token target Intrusion Target Host Token proto Protocol number src_port Intrusion source port number tgt_port Intrusion target port number info Additional info int_type_id Not Null Intrusion type ID (Filter, Access etc.) int_id Intrusion ID message Not Null Original message
> Collection & Storage
- additional information
> Sensor & Sensor Type tables- sensor identification
> Intrusion & Intrusion Type tables- intrusion identification- matches between different references
> 3rd Party info
> Message Type table- human readable message type description
10
> CorrelationAlert Stats
www.cust1.com hack1.com hack2.com
mail.cust1.com hack1.com hack3.com
www.cust2.com hack3.com hack2.com
Dispatch
MessageAnalysisVulnerability
Database
SystemExposure
System Status
StructuralAnalysis
Security Policy
Date /Time / Source
MatchBehaviorAnalysis
hack2.com www.cust1.com www.cust2.com
hack3.com mail.cust1.com www.cust2.com
hack1.com www.cust1.com mail.cust1.com
Contexts
Intrusion Path
FunctionalAnalysis
Formated messages
> Overview
- duplicate identification- sequence pattern matching- time pattern matching- system exposure & criticity- security policy matching
> Correlation> Contexts
- event grouping- correlation preparation
> Definition- container of formatted data matching common criteria- multiple level of contexts may be created
> Main context tree- source (target) token- target (source) token- target proto.port- intrusion type ID- intrusion ID
11
> Correlation> Contexts
Targetproto.portTarget
proto.portTargetproto.port
TargetHost Token
TargetHost Token
TargetHost Token
TargetHost TokenTarget
Host Token
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
TargetHost Token
Targetproto.port
Targetproto.port
TargetHost Token
Targetproto.port
Targetproto.port
SourceHost Token
TargetHost Token
Targetproto.port
Targetproto.port
Array of source contexts
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
IntrusionID
IntrusionID
IntrusionID
IntrusionID
IntrusionID
Int. TypeID
Int. TypeID
Int. TypeID
Int. TypeID
TargetHost Token
TargetHost TokenTarget
Host TokenTarget
Host Token
- functional architecture
> Correlation> Contexts
%AttackSourcessource attack hashtable address
$AttackSources{$source}target detail hashtable address
start_time First reception time
stop_time Last reception time
${$AttackSources{$source}}{$target}proto.tgt_port (protocol, target port) id
start_time First reception time
stop_time Last reception time
0 Unknown array address
100 Filtered array address
530 Integrity array address
Intrusion Type Table
${{$AttackSources{$source}}{$target}}[$int_type]attack_info_id attack info hashtable address
start_time First reception time
stop_time Last reception time
${{{$AttackSources{$source}}{$target}}[$int_type]}[attack_info_id]
intrusion_id Intrusion id
start_time First reception time
stop_time Last reception time
duplicate Duplicate info
Intrusion Type Table
Hosts Table
- functional architecture
> Time- epoch format- start_ & stop_ defined
at each level
> Intrusion type ID- arbitrary definition- linked to definition ID
12
New Messages
Timeout
Closure Code
New Message
Active Inactive
Closed
> Correlation> Contexts
- context management
> Status- active : on-going intrusion- inactive : wait state- closed : self-explanatory
> Correlation> Structural analysis
- intrusion identification- processes analysis
> Structure- independant modules- set of logical operators- header w/ activation criteria
> Activation- message matching header- timer
Analysis Module
Message Correlation Message Correlation||
Field Condition Field Condition Field Condition&& &&
field operator <field | value> [!]
13
> Correlation> Advanced correlation
- intrusion path analysis- security policy matching
> Functional analysis- request to the K Box for Intrusion ID & Host Token- criticity evaluation- new message generation- context closure
> Behavior analysis- same modular process as structural analysis
> Conclusion
> Complexity of SOC setup- integration of heterogeneous modules- emerging standards to reduce the gap with theory
> Supervision NOW- keep in touch with actual researches- need for a pragmatic approach