Transcript of "Building SOC in Changing Threat Landscape (final)"
Building a Security Operations Center and KPIs for a SOC
Mahmoud Yassin, Lead Security Architect, Mahmoud.firstname.lastname@example.org
Overview
§ Companies like yours?
§ Insights into building a SOC team in a changing threat landscape
§ Measuring the effectiveness of a SOC using key performance indicators
§ Using 24x7 monitoring to minimize overall risk across an organization
§ Conclusions
The threat landscape has changed
§ Who is targeting you?
§ What are they after?
§ Have they succeeded?
§ How long have they been succeeding?
§ What have I lost so far?
§ What can I do to counter their methods?
§ Are there legal actions I can take?
Today's Threat Landscape (diagram; recovered text)
Undetected Attacks: vulnerabilities and compromised machines may lie dormant for months, awaiting an attacker to exploit them. Requires vulnerability awareness and end-point intelligence.
External Attacks: Trojans, viruses, worms, phishing... Not protected by firewalls. Requires IPS.
Porous Perimeter: every machine a peering point. Point-to-point VPNs plus desktop and mobile internet connections provide ample opportunity. Requires compliance monitoring and enforcement.
Information Leakage: laptops carry infection past firewalls. Requires IDS.
Controls at the centre of the diagram: Intrusion Prevention, Vulnerability Assessment, Network Intelligence, User Intelligence, Physical / Data Center Security, Network Behavior Analysis (NBA), Network Access Control (NAC).
Visibility of Advanced Persistent Threats: invisible. Source: Douwe.Leguit@govcert.nl, April 2010
Security by service layers (three slides mapping controls onto the OSI stack: Application, Presentation, Session, Transport, Network, Data Link, Physical)
§ Firewall, Routers, Access Control Lists (ACLs), IP schemes, E-Mail Attachment Scanning, Network Scanning
§ OS Hardening, Security Health Checking, Vulnerability Scanning, Pen-Testing
§ User Account Management on Systems, Role/Rule Based Access Control, Application Security, Virus Updates, Virus Signatures
The Enterprise Today - Mountains of data, many stakeholders (diagram; recovered text)
Stakeholder needs: Malicious Code Detection, Real-Time Monitoring, Spyware Detection, Troubleshooting, Access Control Enforcement, Configuration Control, Privileged User Management, Lockdown Enforcement, Unauthorized Service Detection, False Positive Reduction, IP Leakage, User Monitoring, SLA Monitoring
Log sources: Web server logs, Web cache & proxy logs, User activity logs, Content management logs, Switch logs, IDS/IDP logs, VA scan logs, Router logs, Windows logs, VPN logs, Windows domain logins, Firewall logs, Wireless access logs, Linux/Unix OS logs, Oracle Financial logs, Windows OS logs, Mainframe logs, Client & file server logs, DHCP logs, SAN file access logs, VLAN access & control logs, Database logs
Source: RSA
Top Technical Issues
§ Increase speed of aggregation and correlation
§ Maximize device and system coverage
§ Improve ability to respond quickly
§ Deliver 24 x 7 coverage
§ Support for federated and distributed environments
§ Provide forensic capabilities
§ Ensure intelligent integration between SOCs and NOCs
§ Time for remediation
SOC Framework (diagram; recovered text)
Industry Standards and Best Practices (ITIL, BS7799/ISO17799, SANS, CERT)
Service Delivery (Helpdesk, Monitoring, Mgmt., Advisories) (24x7, 8x5, 12x7)
Tools (Operational Reporting, Windows Configuration, Automation/Workflow)
Web Portal
Security Center of Excellence (Test bed, Technology Innovation, Testing, Product evaluation)
Command Center (Incident & Problem Mgmt., Knowledge Mgmt., Trainings)
Knowledgebase
Infra. Mgmt. Stream: Device Supervision (Performance, Incident, Monitoring); Security Change (Change, Vendor Mgmt.); Device Operations (Installation, Configuration)
Security Mgmt. Stream: Security Monitoring; Security Advisory; Incident Management; Reporting
Program Management: People Resource (cross skilling, rotation, training, ramp-up and scale down); Customer interface, Escalation mgmt., Strategic assistance, Operational supervision, quality control
Service Delivery Operational Models (Onsite, Near Shore and Offshore) (SOC and ODC)
SOC or Operational SOC… (diagram; recovered text)
Stakeholders: Server Engineering, Business Ops., Compliance, Audit, Risk Mgmt., Security Ops., Desktop Ops., Network Ops., Application & Database
Functions: Report, Baseline, Alert/Correlation, Asset Ident., Forensics
Compliance Operations: Access Control Enforcement, Configuration Control, SLA Compliance Monitoring, Policy Enforcements, User Monitoring & Management, Environmental & Transmission Security, more…
Security Operations: Access Control, Log Mgmt., Incident Mgmt., Malicious Software, False Positive Reduction, Real-time Monitoring, Unauthorized Network Service Detection
All the Data / Log Management: any enterprise IP device – Universal Device Support (UDS); no filtering, normalizing, or data reduction; security events & operational information; no agents required … for Compliance & Security Operations
The 3 (main) functions of a SOC
§ The reason for a SOC: business continuity, risk mitigation, cost efficiency
§ What does the SOC do?
1. Real-time monitoring / management
§ Aggregate logs
§ Aggregate more than logs
§ Coordinate response and remediation
§ "Google Earth" view from a security perspective
2. Reporting / custom views
§ Security professionals
§ Executives
§ Auditors
§ Consistent
3. After-action analysis
§ Forensics
§ Investigation
§ Automate remediation
§ Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to the business, transparency, passing audits, consistency, reproducibility
§ Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk, failing audits, inconsistency
Prioritization and Remediation
§ Deal with what's most relevant to the business first!
− Gather asset data
− Gather business priorities
− Understand the business context of an incident
§ Break down the IT silos
− Automate the action after incident discovery
− Coordinate responses
− Inform all who need to know of an incident
− Work with existing ticketing / workflow systems
§ Threat * Weakness * Business Value = Risk
§ Deal with BUSINESS RISK
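As an added example that is not part of the slide deck, the following Python applies the "Threat * Weakness * Business Value = Risk" rule to incoming alerts using asset data and business priorities from a constructed inventory, so that the analyst queue is ordered by business risk rather than by raw alert severity, each item carries the owning team that must be informed, and alerts on hosts missing from the inventory are surfaced for asset identification instead of being silently scored. The 1-5 scales, the routing thresholds (50 and 20), the inventory and the alerts are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    host: str
    business_value: int   # 1 (low) .. 5 (critical), set by the business owner
    weakness: int         # 1 .. 5, e.g. derived from the last vulnerability scan
    owner_team: str       # who must be informed when this asset is involved


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    threat: int           # 1 .. 5 severity reported by the detecting device


# Constructed inventory and alert feed (not real data).
ASSETS: Dict[str, Asset] = {a.host: a for a in [
    Asset("payroll-db", business_value=5, weakness=4, owner_team="Finance Apps"),
    Asset("web-kiosk", business_value=1, weakness=5, owner_team="Desktop Ops"),
    Asset("hr-portal", business_value=4, weakness=2, owner_team="HR Apps"),
]}
ALERTS: List[Alert] = [
    Alert("A1", "web-kiosk", threat=5),
    Alert("A2", "payroll-db", threat=3),
    Alert("A3", "hr-portal", threat=2),
    Alert("A4", "lab-vm-7", threat=4),   # host missing from the inventory
]


def risk_score(alert: Alert, asset: Asset) -> int:
    """The slide's rule: Threat * Weakness * Business Value = Risk."""
    return alert.threat * asset.weakness * asset.business_value


def route(risk: int) -> str:
    """Map a risk score to the response workflow (thresholds are assumptions)."""
    if risk >= 50:
        return "page on-call; notify owner team"
    if risk >= 20:
        return "ticket to owner team"
    return "log and review in daily report"


def prioritize(alerts: List[Alert], assets: Dict[str, Asset]) -> List[dict]:
    """Order alerts by business risk, highest first; unknown assets go last, flagged."""
    known, unknown = [], []
    for alert in alerts:
        asset: Optional[Asset] = assets.get(alert.host)
        if asset is None:
            # No business context means no risk score; the gap itself is the finding.
            unknown.append({"alert": alert.alert_id, "host": alert.host, "risk": None,
                            "owner": None, "action": "asset identification required"})
            continue
        risk = risk_score(alert, asset)
        known.append({"alert": alert.alert_id, "host": alert.host, "risk": risk,
                      "owner": asset.owner_team, "action": route(risk)})
    known.sort(key=lambda r: r["risk"], reverse=True)
    return known + unknown


if __name__ == "__main__":
    for item in prioritize(ALERTS, ASSETS):
        print(item)
```

In the sample, the highest-severity alert (A1, threat 5 on a kiosk) ranks below A2, a medium-severity alert on the payroll database, because the business value term dominates; that inversion is the point of the slide.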
SOC and business expectation
Historical (technology-based services):
• Monitoring & Management: Firewalls, IDS/IPS, VPN Concentrators, Antivirus, Content-Filtering
• Log Management
• Incident Management
• Audits
Today's scenario (business oriented):
• IT Risk Management
• IT Risk Dashboard
• Sustaining Enterprise Security Control
• Meeting Industry Process Compliance Driven
• Security Control Assessment
• Enforcing enterprise security policies
SOC Architecture (diagram; recovered text)
Data-Center 1 … Data-Center n (server farms and storage), connected over the Corporate WAN to other business units and to the SOC Centralized Management with its Risk Monitoring Portal.
SOC tiers as grouped in the diagram:
L1: Manage Performance, Manage Availability, Trend analysis and Reporting, Compliance Management, Scheduled Reporting
L2: Threat Analysis, Risk Assessment, Performance Monitoring, Security Monitoring, Availability Monitoring
L3: Risk Mitigation Plan, Control Verification, Compliance impact analysis, Manage new requirements
Support Process Framework: ITIL, Best Practise, ISO 27001, SANS, FDDI
SOC Operational model (process) (diagram; recovered text; the vertical pipeline-stage labels did not survive extraction)
Network sources (Firewalls, IDS, Syslogs, SNMP) -> Agent -> Manager (alerts & normalize log data; raw log data) -> Real Time Normalised Alerts -> Real Time Security Analysis, Alert Management, Consolidated Logs -> Action / Response & Remote management from SOC Management
Inputs to the SOC: Industry Sources, Tool Foot Print, Asset Vulnerability Information, Asset Criticality
Output: Dashboard view via portal
Vendor shown: HEWLETT PACKARD
SOC Operational Model (technology) (diagram; recovered text)
Pipeline: Collect -> Analyze -> Manage -> Remediate
Functions shown: Correlated Alerts, Integrated Forensics, Incident Mgmt., Baseline Analysis, Report, Realtime Event Explorer, Remediate
Collect: Supported Devices (Legacy, Universal Device Support (UDS)): Windows Device, Netscreen Firewall, Cisco IPS, Juniper IDP, Microsoft Server, ISS, Trend Micro Antivirus
Integrated CMDB
Configuration Management Database (CMDB) features:
§ Connectors sync data with external systems
§ Create, update, and view CIs
§ Create relationships among CIs, WIs, IT staff, and Active Directory® Domain Services (AD DS) users
§ Automatically track CI change history
§ Service definition and mapping
(Diagram: CMDB Data - Config Items, Work Items, Relationships.) Integrated | Efficient | Business
Incident Management: keep users and data center services up and running, and restore service quickly
§ Process workflows
− Escalations
− Notifications
− Remediation
§ Customizable templates
§ Knowledge & History
§ Automatic incident creation
− Desired Configuration Monitor (DCM) errors
− Operations Manager alerts
− Inbound Email
− Portal
Case Management: enables organizations to identify and track problems
• Problem creation from similar incidents or attacks
• Link incidents and change requests to a problem
• Auto resolution of incidents linked to the problem
Change Management: minimize errors and reduce risk
§ Typical change models
− Standard, Major, Emergency…
− Review and manual activities
§ Customizable templates
§ Workflows and notifications
§ Analyst portal
− Approvals via Web
§ Relate change requests to incidents, problems and configuration items
Investigations and Forensics
§ Being able to investigate and manipulate data
§ Visualization
§ Post-event correlation
§ Managing by case / incident
§ Chain of custody
§ Integrity of data
§ Remediation automation
SOC Recommendations for APT (cont.)
§ SOC process automation
§ Have a VIM service feeding your SOC, and follow up with the different parties.
§ Scan for zero days
§ Ensure the security of your security products (patches, zero days; focus on perimeter devices).
§ Forensics is not a luxury service: the SOC should have the tools and ability to analyze (payloads, sandbox, …).
SOC Recommendations for APT (cont.)
§ Correlate across layers (perimeter with end point; output of IDS & IPS)
§ Monitor privileges on suspected or alerted workstations.
§ Enforce a privilege change if there is an infection.
§ Manage exceptions
§ Contact authorities (CERT, ISPs, law enforcement)
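The cross-layer correlation and privilege-monitoring recommendations above, as an added example that is not from the deck: perimeter IDS/IPS alerts are joined with endpoint agent (antivirus / host IPS) events for the same internal host inside a time window, endpoint confirmation raises the incident's priority, and a privilege change seen on an already-suspected workstation raises it further and attaches the containment action. The key=value log format, the constructed events, the 15-minute window and the priority labels are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events (not from any real device). Perimeter alerts name the
# internal destination as dst=; endpoint agent events name the machine as host=.
PERIMETER_EVENTS = [
    "2012-05-15T09:01:10 IDS src=203.0.113.7 dst=10.1.2.15 sig=exploit-kit-landing action=alert",
    "2012-05-15T09:20:00 IPS src=198.51.100.9 dst=10.1.2.99 sig=scan-sweep action=blocked",
]
ENDPOINT_EVENTS = [
    "2012-05-15T09:03:40 AV host=10.1.2.15 user=jsmith event=malware-quarantined",
    "2012-05-15T09:05:02 HIPS host=10.1.2.15 user=jsmith event=privilege-change group=Administrators",
    "2012-05-15T11:00:00 AV host=10.1.2.30 user=mlee event=malware-quarantined",
]


def parse(line: str) -> dict:
    """Parse '<ISO timestamp> <source> k=v k=v ...' into a dict (assumed format)."""
    ts, source, *pairs = line.split()
    record = {"ts": datetime.fromisoformat(ts), "source": source}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def correlate(perimeter_lines: List[str], endpoint_lines: List[str],
              window: timedelta = timedelta(minutes=15)) -> Dict[str, dict]:
    """Join perimeter alerts with endpoint events on the same host within `window`.

    Returns one incident per alerted host with the layers that fired, whether a
    privilege change was observed on the host after the alert, and the priority
    and action the SOC workflow should attach.
    """
    endpoint_by_host = defaultdict(list)
    for rec in map(parse, endpoint_lines):
        endpoint_by_host[rec["host"]].append(rec)

    incidents: Dict[str, dict] = {}
    for alert in map(parse, perimeter_lines):
        host = alert["dst"]
        related = [e for e in endpoint_by_host[host]
                   if alert["ts"] <= e["ts"] <= alert["ts"] + window]
        inc = incidents.setdefault(host, {"perimeter": [], "endpoint": [], "privilege_change": False})
        inc["perimeter"].append(alert["sig"])
        inc["endpoint"].extend(e["event"] for e in related)
        # "Monitor privileges on suspected or alerted workstations"
        inc["privilege_change"] |= any(e.get("event") == "privilege-change" for e in related)

    for inc in incidents.values():
        if inc["privilege_change"]:
            inc["priority"] = "critical"
            inc["action"] = "contain host; revert privilege change; open incident"
        elif inc["endpoint"]:
            inc["priority"] = "high"
            inc["action"] = "endpoint confirms perimeter alert; open incident"
        else:
            inc["priority"] = "medium"
            inc["action"] = "perimeter only; check endpoint telemetry before closing"
    return incidents


if __name__ == "__main__":
    for host, inc in correlate(PERIMETER_EVENTS, ENDPOINT_EVENTS).items():
        print(host, inc)
```

Endpoint-only findings (10.1.2.30 in the sample) are deliberately left out of the result because this view starts from perimeter alerts; the endpoint queue handles them on its own, and a second pass in the other direction would catch infections that never crossed the perimeter sensors.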
Q&A
Mahmoud.email@example.com
firstname.lastname@example.org
THANK YOU
15/05/2012