SOC and ICS/SCADA Security

Educational presentation about security operations centers (SOCs) in industrial control systems.

  1. Security Operations Centers in Critical Infrastructures (SOC and ICS/SCADA Security)
  2. Fewer than 20% of organizations have put security measures in place to confront cyber risks!
  3. Characteristics of a SOC:
     - Managing and coordinating the response to security events and risks
     - 24*7*365 monitoring
     - Coordination with regulatory bodies
     - Analysis of risks and vulnerabilities
     - Analysis of security events
     - Building a repository of security events
     - Generating security alerts for general and targeted risks
     - Producing reports for managers and cyber incident responders
     - Reducing the response time to security events, from first detection to the containment report
     - Saving time and resources
     - Real-time security monitoring against predefined criteria (KPIs)
     - Raising the level of security awareness in the organization
     - Ability to correlate systems, applications, the network and security events in a structured way
     - Automation of security assessment and risk management processes
     - Integrating changes in the network
     - Ability to identify all attack vectors and classify incidents
     - Performing forensic operations and interacting with CSIRT centers
     - Interaction with the national CERT
     - Alignment of security criteria with international standards such as ISO 27001
  4. Components of a Security Operations Center:
     - Real-Time Monitoring: Data Aggregation, Data Correlation, Aggregates Logs, Coordinates Response, Automates Remediation
     - Reporting: Executive Summary, Audit and Assessment, Security Metric Reporting, KPI Compliance, SLA Reporting
     - Security Incident Management: Pre and Post Incident Analysis, Forensics Analysis, Root Cause Analysis, Incident Handling, aeCERT Integration
  5. Ten requirements for successfully implementing a security operations center:
     - 1. Support from decision-making managers
     - 2. Investment
     - 3. Strategy
     - 4. Human resources
     - 5. Processes
     - 6. Technology
     - 7. Environment
     - 8. Analysis
     - 9. Physical space
     - 10. Continuity
  6. Support from decision-making managers:
     - Defining the problems and their impacts
     - Vision
     - Needs assessment
     - Budget
     - Value creation (return on investment)
  7. Investment:
     - Providing a suitable platform and injecting capital
     - Expert human resources
  8. Strategy:
     - Establishing an overall view of the risks relevant to the organization
     - Forecasting and safeguarding business objectives and Business Continuity
     - Exposing vulnerable points and non-compliance
  9. Human resources: Talented, Trained, Experienced
  10. Processes: DATA SECURITY AND MONITORING
     - Data Asset Classification
     - Data Collection
     - Data Normalization
     - Data at Rest and In Motion
     - Data Protection
     - Data Distribution
  11. Processes: EVENT MANAGEMENT
     - Event Correlation
     - Identification
     - Triage
     - Roles
     - Containment
     - Notification
     - Ticketing
     - Recovery
     - Forensics and Situational Awareness
  12. Processes: INCIDENT RESPONSE PRACTICE
     - Security Incident Reporting Structure
     - Security Incident Monitoring
     - Security Incident Escalation Procedure
     - Forensics and Root Cause Analysis
     - Return to Normal Operations
     - Post-Incident Planning and Monitoring
     - Communication Guidelines
     - SIRT Integration
  13. Processes: SOC OPERATING GUIDELINES
     - SOC Workflow
     - Personnel Shift Description
     - Shift Reporting
     - Shift Change
     - Information Acquisition
     - SOC Monitoring Suite
     - SOC Reporting Structure
     - Organizational Chart
  14. Processes: ESCALATION MANAGEMENT
     - Escalation Procedure
     - Pre-Escalation Tasks
     - IT Security
     - Network Operation Center
     - Security Engineering
     - SIRT Integration
     - Law Enforcement
     - 3rd Party Service Providers and Vendors
  15. Processes: DATA RECOVERY PROCEDURES
     - Disaster Recovery and BCP Procedure
     - Recovery Time Objective
     - Recovery Point Objective
     - Resiliency and High Availability
     - Facilities Outage Procedure
  16. Processes: SECURITY INCIDENT PROCEDURES
     - Email Phishing - Email Security Incident
     - Virus and Worm Infection
     - Anti-Virus Management Incident
     - NetFlow Abnormal Behavior Incident
     - Network Behaviour Analysis Incident
     - Distributed Denial of Service Incident
     - Host Compromise - Web Application Security Incident
     - Network Compromise
     - Internet Misuse
     - Human Resource - Hiring and Termination
     - Domain Hijack or DNS Cache Poisoning
     - Suspicious User Activity
     - Unauthorized User Access (Employee)
  17. Processes: VULNERABILITY AND PATCH MANAGEMENT
     - Vulnerability Research
     - Patch Management - Microsoft SCOM
     - Identification
     - Dissemination
     - Compliance Monitoring
     - Network Configuration Baseline
     - Anti-Virus Signature Management
     - Microsoft Updates
  18. Processes: TOOLS OPERATING MANUAL FOR SOC PERSONNEL
     - Operating Procedure for SIEM Solutions: Event Management and Flow Collector/Processor
     - Firewall Security Logs
     - IDS/IPS Security Logs
     - DMZ Jump Server / SSL VPN Logs
     - Endpoint Security Logs (AV, DLP, HIPS)
     - User Activity / Login Logs
     - Operating Procedure for Policy and Configuration Compliance
     - Operating Procedure for Network Monitoring Systems
     - Operating Procedure for Vulnerability Assessment
  19. Processes: SECURITY ALARMS AND ALERT CLASSIFICATION
     - Critical Alarms and Alerts with Action Definition
     - Non-Critical and Information Alarms
     - Alarm Reporting and SLA to Resolve the Alarms
  20. Processes: SECURITY METRIC AND DASHBOARD (EXECUTIVE SUMMARY)
     - Definition of Security Metrics based on Center for Internet Security standards
     - Security KPI Reporting Definition
     - Security Balanced Scorecard and Executive Reporting
  21. Technology:
     - Penetration testing
     - Real-time network security monitoring
     - Vulnerability scanning and management
     - Threat intelligence
     - Incident investigation
     - Malware forensics
     - Cybersecurity exercise creation and delivery
  22. Business environment
  23. Analysis
  24. Analysis
  25. Physical space
  26. Continuity
  27. Industrial control systems
  28. Dashboard of an industrial control system
  29. Vulnerable points
  30. Security requirements: Segmentation, Firewalls, IDPS, Honeypots, Antivirus, Hardening, ... Are these measures enough...?!
  31. Security requirements
  32. Critical requirements, physical security: Security Cameras, Fencing, Guards, Gates, Smart Locks
  33. Critical requirements, infrastructure: Switches, Routers, Firewalls, Modems, ...
  34. Critical requirements, DMZ zone: Web Server, FTP, SMTP, DNS, ...
  35. Critical requirements, communications: Profibus, Modbus, OPC, ...
  36. Critical requirements, equipment: PLC, RTU, IEDs, HMI, ...
  37. Critical security requirements:
     - Security Plans, Policies
     - Asset Inventory, System Documentation
     - Change Management
     - Risk Management
     - Patch Management
     - Assessment
     - Crisis Management
     - Backup and Recovery
  38. Listing assets through Asset Management:
     - Name
     - Description
     - Weight
     - OS
     - Location
     - Business Owner
     - Business Owner Contact Information
     - Technical Owner
     - Technical Owner Contact Information
  39. Listing assets through Asset Management
  40. Threats by zone and vector type:
     - Extranet
     - Intranet
     - Internet
     - Data Center
     - Active Directory
     - Malware / Virus Infection and Propagation
     - NetFlow Analysis
     - Remote Sites / WAN
     - Remote Access: IPSEC VPN / SSL VPN
     - Wireless
     - ...
  41. Classification of threat cases
  42. Classification of threat cases
  43. Classification of threat cases
  44. Workflow
  45. Security assurance level in critical infrastructures:
     - 1. Critical prerequisites
     - 2. Security levels
     - 1.1 Access Control
     - 1.2 Use Control
     - 1.3 Data Integrity
     - 1.4 Data Confidentiality
     - 1.5 Restrict Data Flow
     - 1.6 Timely Response to an Event
     - 1.7 Resource Availability
  46. Security assurance level in critical infrastructures
  47. Evaluating the performance of the security assurance level
  48. Author: Ali Abdollahi. References:
     - "Managed Services at the Tactical FLEX, Inc. Network Security Operations Center (NSOC)". Tactical FLEX, Inc. Retrieved 20 September 2014.
     - "Transaction Monitoring for HMG Online Service Providers". CESG. Retrieved 22 June 2014.
     - DTS, Building SCADA Security Operation Center.
     - EY, Security Operations Centers— helping you get ahead of cybercrime.
     - Nadel, Barbara A. (2004). Building Security: Handbook for Architectural Planning and Design. McGraw-Hill. p. 2.20. ISBN 978-0-07-141171-4.