Building SOC in Changing Threat Landscape
My presentation at the E-Crime Abu Dhabi conference about building a Security Operations Center and measuring its performance.
Presentation Transcript

  • Building a Security Operations Center and KPIs for a SOC. Mahmoud Yassin, Lead Security Architect, Mahmoud.yassin@outlook.com
  • Overview
    § Companies like yours?
    § Insights into building a SOC team in a changing threat landscape
    § Measuring the effectiveness of a SOC using key performance indicators
    § Using 24x7 monitoring to minimize overall risk across an organization
    § Conclusions
  • Companies like yours?
  • The changed threat landscape
    § Who is targeting you?
    § What are they after?
    § Have they succeeded?
    § How long have they been succeeding?
    § What have I lost so far?
    § What can I do to counter their methods?
    § Are there legal actions I can take?
  • Today’s Threat Landscape
    § Undetected attacks: vulnerabilities and compromised machines may lie dormant for months, awaiting an attacker to exploit them. Requires vulnerability awareness and end-point intelligence.
    § External attacks: Trojans, viruses, worms, phishing… Not protected by firewalls. Requires IPS.
    § Porous perimeter: every machine is a peering point. Point-to-point VPNs and mobile internet connections provide ample opportunity. Requires compliance monitoring and enforcement.
    § Information leakage: desktops and laptops carry infection past firewalls. Requires IDS.
    § Controls in the picture: intrusion prevention, vulnerability assessment, network intelligence, user intelligence, physical / data center security, network behavior analysis (NBA), network access control (NAC).
  • Visibility of Advanced Persistent Threats: invisible. Source: Douwe.Leguit@govcert.nl, April 2010
  • What to Monitor
  • Security by service layers (one slide per band of the OSI stack, from Physical up to Application)
    § Physical layer: wiring closets, cable plant, building access control, power, HVAC
    § Data Link / Network layers: NIDS, HIDS, perimeter devices, virus scanning
    § Network / Transport layers: firewalls, routers, access control lists (ACLs), IP schemes, e-mail attachment scanning
    § Session / Presentation layers: OS hardening, security health checking, vulnerability scanning, pen-testing
    § Application layer: user account management on systems, role/rule based access control, application security, virus updates, virus signatures
  • The Enterprise Today: mountains of data, many stakeholders (sources from RSA)
    § Stakeholder needs: malicious code detection, real-time monitoring, spyware detection, troubleshooting, access control enforcement, configuration control, privileged user management, lockdown enforcement, unauthorized service detection, false positive reduction, IP leakage, user monitoring, SLA monitoring
    § Log sources: web server logs, web cache & proxy logs, user activity logs, content management logs, switch logs, IDS/IDP logs, VA scan logs, router logs, Windows logs, Windows domain logins, VPN logs, firewall logs, wireless access logs, Linux, Unix and Windows OS logs, Oracle and financial logs, mainframe logs, client & file server logs, DHCP logs, SAN file access logs, VLAN access & control logs, database logs
  • Top Technical Issues
    § Increase speed of aggregation and correlation
    § Maximize device and system coverage
    § Improve ability to respond quickly
    § Deliver 24x7 coverage
    § Support for federated and distributed environments
    § Provide forensic capabilities
    § Ensure intelligent integration between SOCs and NOCs
    § Time for remediation
  • SOC Framework (components of the diagram)
    § Industry standards and best practices: ITIL, BS7799/ISO17799, SANS, CERT
    § Service delivery tools: helpdesk, monitoring, configuration, automation/workflow
    § Web portal: operational reporting, advisories
    § Coverage windows: 24x7, 8x5, 12x7
    § Security Center of Excellence: test bed, technology innovation, testing, product evaluation
    § Command Center
    § Knowledgebase: incident & problem management, knowledge management, trainings
    § Infrastructure management stream: device supervision (performance, incident, monitoring), device operations (change, installation, configuration)
    § Security management stream: security monitoring, security change, security advisory, incident management, reporting
    § Program management: customer interface, escalation management, strategic assistance, operational supervision, quality control, vendor management
    § People resource: cross skilling, rotation, training, ramp-up and scale down
    § Service delivery operational models: onsite, near shore and offshore (SOC and ODC)
  • SOC or Operational SOC…
    § Stakeholders: server engineering, business ops., compliance audit, risk mgmt., security ops., desktop ops., network ops., application & database
    § Capabilities (compliance operations and security operations): report, baseline, alert/correlation, asset identification, forensics, access control, access control enforcement, log mgmt., configuration control, SLA compliance monitoring, incident mgmt., malicious software, false positive reduction, policy enforcements, real-time monitoring, user monitoring & management, unauthorized network service detection, environmental & transmission security, more…
    § All the data, log management: any enterprise IP device (Universal Device Support, UDS); no filtering, normalizing, or data reduction; security events & operational information; no agents required… for compliance & security operations
  • The 3 (main) functions of a SOC
    § The reason for a SOC: business continuity, risk mitigation, cost efficiency
    § What does the SOC do?
      1. Real-time monitoring / management
         − Aggregate logs
         − Aggregate more than logs
         − Coordinate response and remediation
         − “Google Earth” view from a security perspective
      2. Reporting / custom views
         − Security professionals
         − Executives
         − Auditors
         − Consistent
      3. After-action analysis
         − Forensics
         − Investigation
         − Automate remediation
    § Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to the business, transparency, passing audits, consistency, reproducibility
    § Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk, failing audits, inconsistency
  • Prioritization and Remediation
    § Deal with what’s most relevant to the business first!
      − Gather asset data
      − Gather business priorities
      − Understand the business context of an incident
    § Break down the IT silos
      − Automate the action after incident discovery
      − Coordinate responses
      − Inform all who need to know of an incident
      − Work with existing ticketing / workflow systems
    § Threat * Weakness * Business Value = Risk
    § Deal with BUSINESS RISK
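The prioritization slide above, as an added example that is not part of the original deck: it joins an alert queue with asset data and business priorities, scores each incident with the slide's Threat * Weakness * Business Value formula, and ranks the queue so the most business-relevant incident is handled first. The asset inventory, the 1-5 scales and the incident records are constructed for the example; a host missing from the inventory is handled explicitly rather than dropped.

```python
from dataclasses import dataclass

# Constructed asset inventory (assumption): the output of the "gather asset
# data / gather business priorities" steps, with business value on a 1-5 scale.
ASSETS = {
    "pay-db-01": {"owner": "finance", "business_value": 5},
    "web-cache-02": {"owner": "it-ops", "business_value": 2},
    "hr-file-01": {"owner": "hr", "business_value": 4},
}

@dataclass
class Incident:
    incident_id: str
    host: str
    threat: int     # 1-5: capability/likelihood of the observed threat
    weakness: int   # 1-5: exploitability of the host (e.g. unpatched, exposed)

def risk_score(incident: Incident, assets=ASSETS, default_value=3) -> int:
    """Threat * Weakness * Business Value = Risk (the slide's formula).
    A host absent from the inventory gets a middle business value so an
    incomplete CMDB does not silently push its incident to the bottom."""
    value = assets.get(incident.host, {}).get("business_value", default_value)
    return incident.threat * incident.weakness * value

def prioritize(incidents, assets=ASSETS):
    """Return (incident_id, risk, owner) tuples, highest business risk first.
    The owner is carried along so 'inform all who need to know' can be
    automated from the same queue instead of a separate lookup."""
    ranked = []
    for inc in incidents:
        owner = assets.get(inc.host, {}).get("owner", "unknown")
        ranked.append((inc.incident_id, risk_score(inc, assets), owner))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked

# Constructed sample queue: the noisiest alert (INC-1) is not the riskiest one.
SAMPLE = [
    Incident("INC-1", "web-cache-02", threat=5, weakness=5),   # 5*5*2 = 50
    Incident("INC-2", "pay-db-01", threat=3, weakness=4),      # 3*4*5 = 60
    Incident("INC-3", "unknown-host", threat=2, weakness=2),   # 2*2*3 = 12
    Incident("INC-4", "hr-file-01", threat=4, weakness=3),     # 4*3*4 = 48
]

if __name__ == "__main__":
    for incident_id, risk, owner in prioritize(SAMPLE):
        print(f"{incident_id:6} risk={risk:3} notify={owner}")
```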
  • SOC and business expectation
    § Historical: technology based services. Monitoring & management of firewalls, IDS/IPS, VPN concentrators, antivirus, content-filtering, log management, incident management
    § Today’s scenario: business oriented. IT risk management: IT risk dashboard, sustaining enterprise security control, meeting industry process compliance driven, security control assessment, enforcing enterprise security policies, audits
  • SOC Architecture (data centers 1..n with server farms and storage, connected over the corporate WAN to other business units and to the SOC’s centralized management and risk monitoring portal)
    § L1: performance monitoring, security monitoring, availability monitoring, scheduled reporting
    § L2: threat analysis, risk assessment, manage performance, manage availability, trend analysis and reporting, compliance management
    § L3: risk mitigation plan, control verification, compliance impact analysis, manage new requirements
    § Support process framework: ITIL, best practice, ISO 27001, SANS, FDDI
  • Proactive SOC approach
    § Security analytics: logs, event correlation, proactive intelligence, forensics, reports & statistics, vulnerability assessment & penetration testing, vulnerability management, customized advisories, forensic investigation tools
    § Security operations & management: incident mgmt., problem mgmt., infrastructure assessment service, release mgmt., change mgmt., knowledgebase, configuration mgmt., automation & integration
    § Standards and service: BSI 15000, ITIL, ISO, ISO27001; customer service, technical support etc.
  • SOC Operational Model (people)
    § L3: Security Incident Managers: incident handling & closure, compliance impact analysis, manage new requirements, problem mgmt.
    § L2: Security Analysts: incident analysis & validation, vulnerability assessment & remediation support, device mgmt. tasks, trend monitoring & analysis
    § L1: Security Operators: vulnerability impact analysis, escalation management, compliance reporting, security event monitoring, incident detection & 1st level analysis, routine maintenance & operational tasks, operational reporting
    § SOC service delivery structure: service mgmt. reporting, performance mgmt., change & release mgmt., configuration mgmt., service level mgmt., availability & continuity mgmt.
    § SOC operations managers / SOC management team: resource management, skill development, operational process improvement, program management, customer management, SOC incident management
    § Knowledgebase / security portal: threat alert & advisory
    § SOC engineering: management of SOC tool configuration, administration of SOC security, implementation projects, architecture design of SOC, transformation projects for SOC
    § SOC security COEs: threat A&A, innovation, benchmarks, reuse of components/solutions, enhancement projects
    § Vendor management: technical support, incident escalation, enhancement to SOC tools, product support, compliance mgmt., trainings, incident mgmt.
  • SOC Operational Model (process): network sources (firewalls, IDS, syslogs, SNMP) feed an agent/manager that normalizes, filters and correlates raw log data; asset criticality, vulnerability information and industry sources enrich the normalized alerts; the outputs are real-time security analysis, alert management, consolidated logs, a dashboard view via the portal, and response & remote management from the SOC (tool footprint: Hewlett Packard)
  • SOC Operational Model (technology)
    § Collect: supported devices via UDS, e.g. Windows server, Netscreen firewall, Cisco IPS, Juniper IDP, ISS, Microsoft, Trend Micro antivirus, legacy devices
    § Analyze: correlated alerts, baseline analysis, real-time event explorer
    § Manage: integrated forensics, incident mgmt., report, remediate
  • Integrated CMDB (CMDB data: configuration items, work items, relationships)
    § Configuration Management Database (CMDB) features:
      − Connectors sync data with external systems
      − Create, update, and view CIs
      − Create relationships among CIs, WIs, IT staff, and Active Directory® Domain Services (AD DS) users
      − Automatically track CI change history
      − Service definition and mapping
    § Integrated | Efficient | Business
  • Incident Management: keep users and data center services up and running, and restore service quickly
    § Process workflows
      − Escalations
      − Notifications
      − Remediation
    § Customizable templates
    § Knowledge & history
    § Automatic incident creation
      − Desired Configuration Monitor (DCM) errors
      − Operations Manager alerts
      − Inbound email
      − Portal
  • Case Management: enables organizations to identify and track problems
    § Problem creation from similar incidents or attacks
    § Link incidents and change requests to a problem
    § Auto resolution of incidents linked to the problem
  • Change Management: minimize errors and reduce risk
    § Typical change models
      − Standard, major, emergency…
      − Review and manual activities
    § Customizable templates
    § Workflows and notifications
    § Analyst portal
      − Approvals via web
    § Relate change requests to incidents, problems and configuration items
  • Vulnerability Management Process (a cycle)
    1. Discovery (mapping)
    2. Asset prioritisation (and allocation)
    3. Assessment (scanning)
    4. Reporting (technical and executive)
    5. Remediation (treating risks)
    6. Verification (rescanning)
  • Investigations and Forensics
    § Being able to investigate and manipulate data
    § Visualization
    § Post-event correlation
    § Managing by case / incident
    § Chain of custody
    § Integrity of data
    § Remediation automation
  • SOC Objectives: a framework for security operations (a table of SIEM capabilities against security objectives for the perimeter network, internal systems & applications, and eCommerce operations environments; each cell is rated most critical, highly desired or desired)
    § SIEM capabilities: log management, asset identification, baseline, report & audit, alert, forensic analysis, incident management, automate learned incidents, automate remediation, watchlist enforcement, unauthorized network service detection, SLA compliance monitoring, access control enforcement, real-time monitoring, false positive reduction, correlated threat detection
    § Security objectives: privileged user monitoring, corporate policy conformance, troubleshoot network & security events (“What is happening?”), confirm IDS alerts, enable critical alert escalation, watch remote network areas, consolidate distributed IDS alerts, external threat exposure, internal investigations, shutdown rogue services, intellectual property leakage, proof of delivery, monitor against baselines
  • SOC Recommendations for APT (cont.)
    § SOC process automation
    § Have a VIM service feeding your SOC and follow up with the different parties.
    § Scan for zero days
    § Ensure the security of your security products (patches; zero days focus on perimeter devices).
    § Forensics is not a luxury service: the SOC should have the tools and ability to analyze (payloads, sandbox…).
  • SOC Recommendations for APT (cont.)
    § Correlate across layers (perimeter with end point output of IDS & IPS)
    § Monitor privileges on suspected or alerted workstations.
    § Enforce a privilege change if there is an infection.
    § Manage exceptions
    § Contact authorities (CERT, ISPs, law enforcement)
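The cross-layer correlation recommended above (and the event correlation in the real-time monitoring function), as an added example that is not part of the original deck: a perimeter IDS/IPS alert and an endpoint alert for the same host inside a time window are joined into one escalated incident, while either alert alone stays a lead. The pipe-delimited log format, the host addresses and the signature names are constructed for the example, not any vendor's real format.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (assumed format): timestamp|layer|host|signature.
# 10.1.2.15 fires on both layers within minutes; 10.1.2.77 fires on both but
# hours apart; 10.1.2.99 has only a perimeter alert.
SAMPLE_LOG = """\
2012-05-15T09:00:10|perimeter-ids|10.1.2.15|Outbound beacon to blocklisted address
2012-05-15T09:01:40|endpoint-av|10.1.2.15|Trojan quarantined on host
2012-05-15T09:05:00|perimeter-ips|10.1.2.77|Inbound scan blocked
2012-05-15T10:30:00|endpoint-av|10.1.2.77|Potentially unwanted application removed
2012-05-15T11:00:00|perimeter-ids|10.1.2.99|Suspicious DNS query
"""

def parse(log: str):
    """Yield (timestamp, layer, host, signature) tuples, skipping blank lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, layer, host, sig = line.split("|", 3)
        yield datetime.fromisoformat(ts), layer, host, sig

def correlate(log: str, window: timedelta = timedelta(minutes=30)):
    """Pair each perimeter (IDS/IPS) alert with every endpoint alert for the
    same host that falls inside `window`. The pair is the cross-layer signal
    worth escalating to L2 together with a privilege review of the host."""
    by_host = {}
    for ts, layer, host, sig in parse(log):
        kind = "perimeter" if layer.startswith("perimeter") else "endpoint"
        by_host.setdefault(host, {"perimeter": [], "endpoint": []})[kind].append((ts, sig))
    incidents = []
    for host, layers in by_host.items():
        for p_ts, p_sig in layers["perimeter"]:
            for e_ts, e_sig in layers["endpoint"]:
                if abs(e_ts - p_ts) <= window:
                    incidents.append({
                        "host": host,
                        "perimeter": p_sig,
                        "endpoint": e_sig,
                        "action": "escalate to L2; review privileges on host",
                    })
    return incidents

if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOG):
        print(incident)
```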
  • Q&A: Mahmoud.yassin@nbad.com, myassin75@gmail.com. Thank you. 15/05/2012