SOC Foundation
- 2. ©Copyrights 2014-2017 by Masoud Ostad
Course Outline Part I
IT Operation and IT Security Crossroad
Traditional Security Architecture
Traditional IT Security Problem
Introduction New Threat
What is APT and SCADA?
Feature Security Big Picture and Roadmap
Introduction Next Generation Security
- 3. Course Outline Part II
What is SIEM?
Security Log Protocol
Log Correlation and Analyzing
SIEM Architecture
SIEM Gartner Leadership Introduction
HP and IBM Architecture and Model
Small Model
Enterprise Model
What is SOC?
What is SOC and SIEM Differential?
- 4. Course Outline Part III
Introduction SOC Main Module
Threat Management
Vulnerability Management
Security Intelligence Service
Fraud Detection
Security Change Management
Service and Security Dashboard
Manage Security Service Provider
Risk Management
- 5. Course Outline Part IV
Introduction SOC Sub Module
Data Loss Prevention
Database Activity Monitor
Patch and Vulnerability Awareness
Forensic Framework
Full Packet Capture
Exploit Framework
File Integrity Management
Security Configuration Management
User Auditing Management
Web Security Assessment
- 7. Cyber attack report for Iran
73% of government websites have security weaknesses.
Resource:
http://www.khabaronline.ir
- 11. Traditional Security Element
First Generation
Anti Virus with Signature Engine
Firewall or Network Firewall
Stateless
Stateful
IDS or Intrusion Detection System
IPS or Intrusion Prevention System
Security Module
Cisco 6500 FWSM
Proxy or Access Control
Second Generation
Basic Application or Protocol Firewall
- 12. Previous Security Cycle
Antivirus
Firewall, IDS and IPS
DMZ
Access Control System
Encryption, VPN, CA, …
- 13. Traditional System Weak Point
Lack of integration among the defensive systems
No targeted review of incidents and events
Technical review of incidents is difficult: very slow and with a high error rate
Lack of precision and focus in security policy-making
Difficulty in adopting and executing an appropriate and timely response
- 18. What is SCADA?
SCADA (supervisory control and data acquisition) is a system operating with coded signals over communication channels so as to provide control of remote equipment.
SCADA (supervisory control and data acquisition) is a category of software application program for process control, the gathering of data in real time from remote locations in order to control equipment and conditions.
- 19. What is SCADA Used for
SCADA systems are the backbone of modern industry
Energy
Food and beverage
Manufacturing
Oil and gas
Power
Recycling
Transportation
Water and waste water
And many more
- 30. SIEM Simple View
Log sources: Firewalls, Routers, IDS, Unix Apps, Databases, Syslogs, Personal Devices
Core: Correlation and analysis engine
Outputs: Preserved data, Warnings area, Legal/Audit/IT Security management console
- 31. SIEM is not the same as SOC!
SIEM engine inputs: Anti-Virus, HIPS, APP-Logger, Smart Security, …, Firewall, IPS & IDS, Router/Switch, Server, …
SOC services built on top of the SIEM: Auditing System, Scheduled Pentest, Vulnerability Awareness, Incident Response, Risk Management, Log Correlation, Log Analysis, Technical Policy
SIEM is a technology; SOC is a total solution.
- 33. What is SOC?
A specialized and comprehensive center for information and communications security
A specialized mechanism for process and security management
Use of modern information security scanning tools and management systems
Intelligent event-analysis systems based on artificial intelligence architectures
A fast and timely response system
Advanced risk management structures
Capability for high-level and technical-managerial policy-making
- 34. Main components of SOC
Threat Management
Vulnerability Management
Security Intelligence Services
Service Desk & Security Dashboard
Fraud Management
Security Configuration Management
- 35. SOC sub-components
Threat Management: SIEM, DLP, TRM, DAM
Vulnerability Management: Patch & Vulnerability Management, Web App Security Assessment, Database Vulnerability Assessment, Network Vulnerability Assessment
Security Intelligence Service: Exploit Frameworks, Forensics Toolkits, Security Advisories, Vulnerability Feeds
Fraud Detection: Transaction Fraud Monitor, Phishing Monitor
Service Desk & Security Dashboard: Service Desk, Security Dashboard
Security Configuration Management: File Integrity Management, Change Management & Deployment, Configuration Assessment, UAM
- 36. Other SOC services
Attack Tracking and FPC for Forensic
Security Strategy Planning
Incident Reporting and Management Response
Managed Security Service Providers
Intelligent Security Inside Laboratory
Enterprise Risk Management, BCP and Disaster Recovery
- 39. Difference between NOC and SOC
NOC coverage: Network fault tolerance; Switch/router configuration; Sniffing and troubleshooting; System & traffic monitoring
SOC coverage: Network behavior anomaly detection; Intrusion detection & prevention; Log management; Network forensics; Vulnerability detection and awareness; Risk & change management; Policy
- 41. SOC implementation steps
Define the SOC policies and deliverables in line with the organization's needs
Define the phases and phasing of the SOC implementation in line with the organization's objectives
Define and delineate the scope of the SOC
Define and identify the equipment that can be monitored
Define the breadth and depth of incident analysis
Define how information is analyzed
Define the processes and the management components of the system
Specify the architectures and the various services in the SOC's area of activity, in line with the organization's needs
Periodic review to optimize the system until it reaches full maturity
- 46. HP ArcSight Components
ArcSight Database engine (CORR-Engine): enterprise database that stores all logs and information
ArcSight SmartConnector: for any asset with a standard log generator
ArcSight FlexConnector: for special assets with a custom log format
ArcSight Manager: the ArcSight management engine
ArcSight Console: ArcSight application console management and ArcSight web console management
ArcSight Threat Detector: analyzes classified data to find threats
- 47. SmartConnector Platform Support
OS: Windows Family, Linux-like, Oracle Solaris, IBM AIX, HP-UX, HP OpenVMS
Anti Virus: Kaspersky, McAfee, Symantec, TrendMicro, Sybari, Sophos
Firewall: Cisco ASA/PIX, F5 BIG-IP, Juniper, Lucent, Symantec
Network Monitor: Nagios, MSCC, ISC
Router: Cisco IOS, Juniper OS, HP H3C
Web Cache & Filter: Bluecoat, Microsoft ISA, NetCache, Squid, Websense, IronPort
Switch: Cisco Catalyst, Cisco CSS, Cisco NX-OS, Foundry, HP Ethernet, HP ProCurve
Webserver: Apache, Microsoft IIS, Sun One
Storage: NetApp, EMC, HP
Virtualization: VMware ESX/ESXi, VMware vCenter, Citrix
VPN Device: Cisco VPN, Citrix Access, Juniper VPN, CheckPoint VPN-1, Alcatel VPN
- 48. ArcSight Architecture Details
Single Logger with a Single ESM Instance
Single Logger with a Single ESM Parallel Instance
Multiple Loggers with a Single ESM Instance
Multiple Hierarchical ESM Instances
ArcSight Redundancy Architecture
- 57. Forensic Framework Tools
Network Forensic Tools
Data Forensic Tools
Forensic Project Tools
- 60. Chart of information leakage by channel
Source: Infowatch
Each channel represents one of the paths by which information enters or leaves the organization.
Looking closely at the chart, the share taken by documents and information printed on paper, by the Web and by Email is very notable.
- 63. Statistics on the cost of data leakage by cause (in US$)
Source: Ponemon Institute
- 64. DLP is a necessity because:
Internal employees and business partners are the biggest source of confidential information leaks.
Internal employees make mistakes when working with confidential content.
Incomplete business procedures and processes increase the risk of information leakage.
Regulations make data protection mandatory.
Regulators focus increasingly on the need to protect private data.
Organizations must be able to prove that controls over confidential data exist.
Threats are becoming ever more sophisticated.
External threats target very high-value data.
Visibility into where data resides is limited.
Key figures: 88% data leakage; 81% of financial companies' data was leaked while they were non-compliant with regulations such as PCI DSS; $6.7 million average cost of a data breach.
- 70. Symantec DLP Platform
- 83. McAfee Main Feature
• McAfee ePolicy Orchestrator
• McAfee Workflow framework
• Fully SIEM Integrated
• Fully VDI Supported
• MDP Supported
• By Certificate
• By FDE
- 85. First Strategy for Server Protection
The figure says: the first step in a server protection strategy is implementing SCM!
- 86. Configuration Hardening Critical Step
It says: configuration hardening is the second most effective control for keeping sensitive information secure.
- 87. What is SCM?
The intersection of IT Security and IT Operations.
A comprehensive, software-based solution.
The goal of SCM is to check compliance with the baseline configuration.
SCM brings together vulnerability assessment, configuration assessment and automated remediation.
- 88. SCM Workflow
1. Integration of network & endpoint protection
2. Comparing to the baseline configuration
3. Test failure = baseline deviation
4. Remediation
- 90. FIM, the Brother of SCM
SCM: infrastructure configuration protection
FIM: OS & system files protection
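Slides 88 and 90 describe SCM as comparing a host against a baseline configuration and remediating the deviations, and FIM as protecting OS and system files. The following added example, which is not from the slides or from any product they mention, puts both mechanisms into working Python: a simplified sshd_config parser, a baseline comparison that flags wrong and missing settings, a remediation step, and a SHA-256 manifest check that reports modified, missing and unexpected files. The baseline values, the sample configuration and the file contents are all constructed for illustration.

```python
"""Configuration baseline comparison (SCM) and file integrity check (FIM).

Constructed example: the baseline, the sample sshd_config text and the file
contents below are invented for illustration and do not describe any real host.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# --- SCM: baseline configuration and deviation detection -------------------

# Constructed baseline for an SSH daemon: the approved value for each setting.
BASELINE_CONFIG: dict[str, str] = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
}

# Constructed "current" configuration pulled from a managed host. It has one
# wrong value (PermitRootLogin) and one missing setting (X11Forwarding).
CURRENT_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Parse 'Keyword value' lines; comments and blank lines are skipped.

    Simplified: the real sshd_config also accepts 'Keyword=value' and Match
    blocks, which this parser does not handle.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


@dataclass(frozen=True)
class Deviation:
    key: str
    expected: str
    actual: str | None  # None when the setting is absent on the host


def compare_to_baseline(current: dict[str, str],
                        baseline: dict[str, str]) -> list[Deviation]:
    """Workflow steps 2 and 3: a test fails when a value differs from the
    baseline or the setting is missing altogether."""
    deviations = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual is None or actual.lower() != expected.lower():
            deviations.append(Deviation(key, expected, actual))
    return deviations


def remediate(current: dict[str, str],
              deviations: list[Deviation]) -> dict[str, str]:
    """Workflow step 4: produce the corrected configuration (baseline wins)."""
    fixed = dict(current)
    for d in deviations:
        fixed[d.key] = d.expected
    return fixed


# --- FIM: hash manifest and integrity verification -------------------------

def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path to the SHA-256 of its content (the trusted baseline)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(manifest: dict[str, str],
                    files: dict[str, bytes]) -> dict[str, list[str]]:
    """Report files whose hash changed, files that vanished, and new files."""
    now = build_manifest(files)
    return {
        "modified": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in now),
        "unexpected": sorted(p for p in now if p not in manifest),
    }


# Constructed file contents standing in for reads from disk.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"Protocol 2\nPermitRootLogin no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"Protocol 2\nPermitRootLogin yes\n",            # changed
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",                     # unchanged
    "/etc/cron.d/unknown-job": b"0 3 * * * root /usr/local/bin/report.sh\n",  # not in baseline
}


if __name__ == "__main__":
    current = parse_sshd_config(CURRENT_SSHD_CONFIG)
    for d in compare_to_baseline(current, BASELINE_CONFIG):
        print(f"SCM deviation: {d.key} expected={d.expected!r} actual={d.actual!r}")
    print("FIM report:", check_integrity(build_manifest(BASELINE_FILES), CURRENT_FILES))
```

In a real deployment the manifest and the baseline are themselves the assets to protect: store them off the monitored host (or sign them), otherwise whoever can change the files can also change the record they are compared against.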
- 92. First Strategy for Client Protection
The figure says: the first step in a client protection strategy is implementing PM (patch management)!
- 94. Patch Management Lifecycle
1. Discover
2. Assess
3. Prioritize
4. Remediate
5. Report
- 98. Platform Module and Architecture
• Unix/Linux/FreeBSD/Cisco IOS Monitoring
– Record SSH, Telnet and console sessions
• Windows Monitoring
– Record RDP, Terminal Server and console sessions
• Citrix and VMware Monitoring
– Record and analyze all user activity in Citrix XenApp and VMware published applications, XenDesktop and VDI
• Gateway Monitoring
– Record and analyze all activity of remote users connecting via jump-server gateways
• Employee Desktop Monitoring
– Record and analyze user activity in all desktop applications, web applications and VDI sessions
- 107. Billions of Database Records Breached Globally
98% records stolen
from databases
84% records breached
using stolen credentials
92% discovered
by third party
71% fell within minutes
- 108. Why Is the Database Vulnerable?
Network Security
Data Encryption
Endpoint Security
Web Application Firewall
Email Security
Authentication & User Security
- 109. Database Security Solution: Defense-in-Depth for Maximum Security
Detective: Activity Monitoring, Database Firewall, Auditing and Reporting
Preventive: Redaction and Masking, Privileged User Controls, Encryption
Administrative: Sensitive Data Discovery, Configuration Management, Privilege Analysis
- 110. Database Security Solution: Detect and Block Threats, Alert, Audit and Report
- 111. Database Firewall Smart Mechanism: White List
A white list of allowed query structures is kept per application; a query whose structure is not on the list is blocked.
Allowed: SELECT * from stock where catalog-no='PHE8131'
Blocked: SELECT * from stock where catalog-no='' union select cardNo,0,0 from Orders --'
• "Allowed" behavior can be defined for any user or application
• Automated white list generation for any application
• Out-of-policy database transactions are detected and blocked/alerted
• A WAF detects a signature in the URL, but a DBF detects the structure of the query
- 112. Database Firewall Smart Mechanism: Black List
Black-listed statement: SELECT * FROM v$session
DBA activity coming from an application? Block.
DBA activity coming from an approved workstation: Allow + Log.
• Stop specific unwanted SQL interactions, user or schema access
• Blacklisting can be done on factors such as time of day, day of week, network, application, user name, OS user name, etc.
• Provide flexibility to authorized users while still monitoring activity
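Slides 111 and 112 describe the two decisions a database firewall makes: white-listing by query structure (so the injected query is rejected even though it starts like the allowed one) and black-listing by context (the same v$session statement is blocked from an application but allowed and logged from an approved workstation). The following added example, which is not code from the slides or from any database firewall product, implements both in Python: a literal-stripping fingerprint that captures query structure, a learned per-application white list, and black-list rules with exempt hosts. The application names, host names and observed traffic are constructed; the four SQL statements are the ones on the two slides.

```python
"""Database-firewall policy check: structural white list plus context black list.

Constructed example: the observed queries, application names, host names and
rules below are invented for illustration and are not any product's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Literal normalisation: string and numeric literals become "?", whitespace is
# collapsed and case is folded. Two statements with the same shape then share
# one fingerprint regardless of the values bound into them, which is what the
# white list keys on (the structure of the query, not a signature in the URL).
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")   # handles doubled '' escapes
_NUMBER_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")


def fingerprint(sql: str) -> str:
    """Reduce a SQL statement to its structural shape."""
    shape = _STRING_LITERAL.sub("?", sql)
    shape = _NUMBER_LITERAL.sub("?", shape)
    return re.sub(r"\s+", " ", shape).strip().lower()


def learn_whitelist(observed: dict[str, list[str]]) -> dict[str, set[str]]:
    """Automated white-list generation: learn each application's query shapes
    from a period of known-good traffic."""
    return {app: {fingerprint(q) for q in queries} for app, queries in observed.items()}


@dataclass(frozen=True)
class BlacklistRule:
    name: str
    pattern: re.Pattern[str]        # tested against the fingerprint
    exempt_hosts: frozenset[str]    # approved workstations: allowed but logged


@dataclass(frozen=True)
class Request:
    sql: str
    app: str        # client program / application name
    src_host: str   # where the connection comes from


def decide(req: Request, whitelist: dict[str, set[str]],
           blacklist: list[BlacklistRule]) -> str:
    """Return ALLOW, ALLOW+LOG or BLOCK for one statement.

    Black-list rules are evaluated first so that a DBA-style statement is
    never let through merely because some application once issued it.
    """
    fp = fingerprint(req.sql)
    for rule in blacklist:
        if rule.pattern.search(fp):
            return "ALLOW+LOG" if req.src_host in rule.exempt_hosts else "BLOCK"
    return "ALLOW" if fp in whitelist.get(req.app, set()) else "BLOCK"


# Constructed known-good traffic used to build the white list.
OBSERVED_TRAFFIC = {
    "inventory-app": [
        "SELECT * from stock where catalog-no='PHE8131'",
        "SELECT * from stock where catalog-no='ABC0001'",
        "UPDATE stock SET qty = 12 WHERE catalog-no = 'PHE8131'",
    ],
}
WHITELIST = learn_whitelist(OBSERVED_TRAFFIC)

# Constructed black list: reading the v$session view is DBA activity and is
# only tolerated (with logging) from the approved administration workstation.
BLACKLIST = [
    BlacklistRule("dba-session-view", re.compile(r"\bv\$session\b"),
                  frozenset({"dba-workstation-07"})),
]

# The statements from the white-list slide and the black-list slide.
APP_QUERY = "SELECT * from stock where catalog-no='PHE8131'"
INJECTED_QUERY = "SELECT * from stock where catalog-no='' union select cardNo,0,0 from Orders --'"
DBA_QUERY = "SELECT * FROM v$session"

if __name__ == "__main__":
    for req in (
        Request(APP_QUERY, "inventory-app", "app-server-01"),
        Request(INJECTED_QUERY, "inventory-app", "app-server-01"),
        Request(DBA_QUERY, "inventory-app", "app-server-01"),
        Request(DBA_QUERY, "sqlplus", "dba-workstation-07"),
    ):
        print(f"{decide(req, WHITELIST, BLACKLIST):10} {req.app:14} {req.src_host:18} {req.sql}")
```

The fingerprint is deliberately coarse: it keeps keywords, table and column names and the shape of the WHERE clause while discarding the values, so an application that only ever runs one shape of query yields a one-entry white list and any appended UNION or comment shows up as a new, unlisted shape. A production firewall parses the SQL properly instead of using regular expressions, but the decision flow (context black list first, then structural white list) is the same.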
- 113. Database Activity Monitor Insight
DAM Benefits: Monitor all database activity; Database administration control; Monitor database operation; Protection of the database system; Advanced auditing; SIEM/SOC integration
DAM Components: Database Firewall; Database Firewall Policy Analyzer; Database Firewall Management Server; Database Administration Console
- 115. Database Support Platform
Oracle
Oracle Exadata
Microsoft SQL Server
IBM DB2 (on LUW, z/OS and DB2/400)
IBM IMS on z/OS
IBM Informix
IBM Netezza
SAP Sybase
Teradata
Oracle MySQL
PostgreSQL
Progress OpenEdge