Building a Security Operations Center and KPIs for a SOC

Mahmoud Yassin
Lead Security Architect Mahmoud.yassin@outlook.com
    Overview

    Companies like yours?

    Insights into building a SOC team in a changing threat
    landscape?

    Measuring the effectiveness of SOC using key
    performance indicators

    Using 24*7 monitoring to minimize overall risk across an
    organization

    Conclusions
    Companies like yours?
    The changed threat landscape

    §    Who is targeting you?
    §    What are they after?
    §    Have they succeeded?
    §    How long have they been succeeding?
    §    What have I lost so far?
    §    What can I do to counter their methods?
    §    Are there legal actions I can take?
Today's Threat Landscape

    §    External attacks: Trojans, viruses, worms, phishing. Not stopped by firewalls; requires intrusion prevention (IPS).
    §    Undetected attacks: vulnerabilities and compromised machines may lie dormant for months, awaiting an attacker to exploit them. Requires vulnerability assessment, vulnerability awareness and end-point intelligence.
    §    Porous perimeter: every machine is a peering point, and laptops carry infection past firewalls. Requires IDS and network behavior analysis (NBA).
    §    Information leakage: point-to-point VPNs plus desktop and mobile internet connections provide ample opportunity. Requires compliance monitoring and enforcement, and network access control (NAC).
    §    Underlying all of these: network intelligence, user intelligence, and physical / data center security.

Visibility of Advanced Persistent Threats: in the original diagram, APT activity sits beneath all of the controls above and is labelled "Invisible".

  Source: Douwe.Leguit@govcert.nl, April 2010
    What to Monitor

Security by service layers (the OSI layers, with the controls that apply at each):

    Application:              User account management on systems; role/rule-based access control; application security; virus updates and virus signatures
    Presentation / Session:   OS hardening; security health checking; vulnerability scanning; pen-testing
    Transport / Network:      Firewalls, routers, access control lists (ACLs), IP schemes; e-mail attachment scanning
    Network / Data Link:      NIDS, HIDS, perimeter devices; virus scanning
    Physical:                 Wiring closets, cable plant, building access control, power, HVAC
The Enterprise Today - Mountains of data, many stakeholders

Stakeholder use cases: malicious code detection; spyware detection; real-time monitoring; troubleshooting; access control enforcement; privileged user management; configuration control; lockdown enforcement; unauthorized service detection; IP leakage; false positive reduction; user monitoring; SLA monitoring.

Log sources feeding them: web server activity logs; web cache & proxy logs; content management logs; switch logs; IDS/IDP logs; VA scan logs; router logs; Windows domain logins; Windows logs; VPN logs; firewall logs; wireless access logs; Linux, Unix, Windows OS logs; Oracle Financial logs; mainframe logs; DHCP logs; client & file server logs; SAN file access logs; VLAN access & control logs; database logs.

                                                                                                                          Sources from RSA
Top Technical Issues


    §    Increase Speed of Aggregation and Correlation
    §    Maximize Device and System Coverage
    §    Improve Ability to Respond Quickly
    §    Deliver 24 x 7 Coverage

    §    Support for Federated and Distributed Environments
    §    Provide Forensic Capabilities
    §    Ensure Intelligent Integration between SOCs and NOCs
    §    Time for Remediation
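The overview promised KPIs for measuring SOC effectiveness, and the issues above single out response speed, 24x7 coverage and time to remediation. As an added example that is not part of the original deck, the script below computes the usual timing KPIs (mean time to detect, mean time to remediate, SLA attainment, open backlog and the share of out-of-hours detections) from constructed incident tickets. The record fields, the SLA targets per severity and the business-hours window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    """One SOC ticket. Field names are assumptions for this example."""
    ticket: str
    severity: str                    # "high" | "medium" | "low"
    occurred: datetime               # when the malicious activity started
    detected: datetime               # when the SOC first raised it
    remediated: Optional[datetime]   # None = still open


# Assumed SLA targets per severity: (max time to detect, max time to remediate)
SLA = {
    "high":   (timedelta(hours=1),  timedelta(hours=4)),
    "medium": (timedelta(hours=4),  timedelta(hours=24)),
    "low":    (timedelta(hours=24), timedelta(days=5)),
}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample tickets (not real data)
SAMPLE = [
    Incident("INC-1", "high",   _t("2012-05-01T02:00"), _t("2012-05-01T02:30"), _t("2012-05-01T05:00")),
    Incident("INC-2", "high",   _t("2012-05-01T23:10"), _t("2012-05-02T01:40"), _t("2012-05-02T04:40")),
    Incident("INC-3", "medium", _t("2012-05-03T09:00"), _t("2012-05-03T10:00"), _t("2012-05-04T09:00")),
    Incident("INC-4", "low",    _t("2012-05-04T12:00"), _t("2012-05-04T15:00"), None),
]


def time_to_detect(inc: Incident) -> timedelta:
    return inc.detected - inc.occurred


def time_to_remediate(inc: Incident) -> timedelta:
    # Measured from detection, i.e. the part the SOC controls
    return inc.remediated - inc.detected


def _mean_hours(deltas) -> float:
    return round(mean(d.total_seconds() for d in deltas) / 3600, 2)


def _after_hours(ts: datetime) -> bool:
    # Assumed business window: Mon-Fri 08:00-18:00; anything else tests 24x7 coverage
    return ts.weekday() >= 5 or ts.hour < 8 or ts.hour >= 18


def sla_breaches(incidents):
    """List (ticket, phase) pairs where the severity's SLA target was missed."""
    out = []
    for inc in incidents:
        detect_max, remediate_max = SLA[inc.severity]
        if time_to_detect(inc) > detect_max:
            out.append((inc.ticket, "detect"))
        if inc.remediated is not None and time_to_remediate(inc) > remediate_max:
            out.append((inc.ticket, "remediate"))
    return out


def soc_kpis(incidents):
    """Headline KPIs over a reporting period."""
    closed = [i for i in incidents if i.remediated is not None]
    breaches = sla_breaches(incidents)
    detect_missed = sum(1 for _, phase in breaches if phase == "detect")
    remediate_missed = sum(1 for _, phase in breaches if phase == "remediate")
    return {
        "mttd_hours": _mean_hours(time_to_detect(i) for i in incidents),
        "mttr_hours": _mean_hours(time_to_remediate(i) for i in closed),
        "detect_sla_pct": round(100 * (len(incidents) - detect_missed) / len(incidents), 1),
        "remediate_sla_pct": round(100 * (len(closed) - remediate_missed) / len(closed), 1),
        "open_backlog": len(incidents) - len(closed),
        "after_hours_detections": sum(1 for i in incidents if _after_hours(i.detected)),
    }


if __name__ == "__main__":
    for k, v in soc_kpis(SAMPLE).items():
        print(f"{k:24} {v}")
    print("SLA breaches:", sla_breaches(SAMPLE))
```

The point of reporting breaches per ticket next to the averages is that a good MTTR can hide a single high-severity miss; the split of detections inside and outside business hours is the simplest evidence that a 24x7 rota actually detects anything at night.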
SOC Framework

    §    Industry Standards and Best Practices (ITIL, BS7799/ISO17799, SANS, CERT)
    §    Web Portal (Operational Reporting, Advisories)
    §    Service Delivery Windows (24x7, 8x5, 12x7)
    §    Tools (Helpdesk, Monitoring, Mgmt., Configuration, Automation/Workflow)
    §    Security Center of Excellence (Test bed, Technology Innovation, Knowledge Mgmt., Trainings)
    §    Command Center
    §    Knowledgebase (Incident & Problem Mgmt., Testing, Product evaluation)
    §    Program Management (Customer interface, Escalation mgmt., Strategic assistance, Operational supervision, quality control)
    §    Infra. Mgmt. Stream: Device Supervision (Performance, Incident, Monitoring); Device Operations (Change, Vendor Mgmt., Installation, Configuration)
    §    Security Mgmt. Stream: Security Monitoring; Security Change; Security Advisory; Incident Management; Reporting
    §    People Resource (cross skilling, rotation, training, ramp-up and scale down)
    §    Operational Models (SOC and ODC)
    §    Service Delivery (Onsite, Near Shore and Offshore)
SOC or Operational SOC…

Stakeholders: Server Engineering, Business Ops., Compliance Audit, Risk Mgmt., Security Ops., Desktop Ops., Network Ops., Application & Database.

Common pipeline: Log Mgmt. → Asset Ident. → Baseline → Report → Alert/Correlation → Forensics → Incident Mgmt.

    §    Compliance Operations: Access Control; Configuration Control; Malicious Software; Policy Enforcements; User Monitoring & Management; Environmental & Transmission Security
    §    Security Operations: Access Control Enforcement; SLA Compliance Monitoring; False Positive Reduction; Real-time Monitoring; Unauthorized Network Service Detection; More…

All the Data - Log Management: any enterprise IP device, Universal Device Support (UDS); no filtering, normalizing, or data reduction; security events & operational information; no agents required.

…For Compliance & Security Operations
The 3 (main) functions of a SOC
   §    The reason for a SOC: Business Continuity, Risk Mitigation, Cost Efficiency
   §    What does the SOC do?
          1.  Real-time monitoring / management
                §  Aggregate logs
                §  Aggregate more than logs
                §  Coordinate response and remediation
                §  “Google Earth” view from a security perspective
          2.  Reporting / Custom views
                §  Security Professionals
                §  Executives
                §  Auditors
                §  Consistent
          3.  After-Action Analysis
                §  Forensics
                §  Investigation
                §  Automate Remediation



   §    Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to
         the business, transparency, passing audits, consistency, reproducibility
   §    Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk,
         failing audits, inconsistency
Prioritization and Remediation



    §    Deal with what’s most relevant to the business first!
          −  Gather asset data
          −  Gather business priorities
          −  Understand the business context of an incident

    §    Break down the IT silos
          −  Automate the Action after incident discovery
          −  Coordinate responses
          −  Inform all who need to know of an incident
          −  Work with existing ticketing / workflow systems
    §    Threat * Weakness * Business Value = Risk
    §    Deal with BUSINESS RISK
SOC and Business Expectation

Historical: technology-based services. Monitoring & management of firewalls, IDS/IPS, VPN concentrators, antivirus and content-filtering.

Today's scenario: business oriented.
    §    IT Risk Management: IT risk dashboard; sustaining enterprise security control; meeting industry process
    §    Compliance driven: security control assessment; enforcing enterprise security policies; log management; incident management; audits
SOC Architecture

Data-Center 1 through Data-Center n (server farms and storage) are linked over the corporate WAN, with links to other business units. SOC centralized management sits above all of them and exposes a risk monitoring portal. Responsibilities by tier:

    §    L1: Performance Monitoring; Security Monitoring; Availability Monitoring; Scheduled Reporting
    §    L2: Threat Analysis; Risk Assessment; Manage Performance; Manage Availability; Trend analysis and Reporting; Compliance Management Support
    §    L3: Risk Mitigation Plan; Control Verification; Compliance impact analysis; Manage new requirements

                    Process Framework - ITIL , Best Practise - ISO 27001, SANS, FDDI
PROACTIVE SOC APPROACH

    §    Proactive Intelligence: Infrastructure Assessment Service; Vulnerability Assessment & Penetration Testing; Vulnerability Management; Customized Advisories; Forensic investigation tools
    §    Security Operations & Management: Incident Mgmt; Problem Mgmt; Release Mgmt; Change Mgmt; Configuration Mgmt; Automation & Integration
    §    Security Analytics: Logs; Event Correlation; Forensics; Reports & Statistics; Knowledgebase
    §    Standards - service: Customer BSI 15000, ITIL, Technical support etc.; ISO, ISO27001
SOC Operational Model (people)

SOC Service Delivery Structure:
    §    L1: Security Operators: Security Event Monitoring; Incident Detection & 1st level analysis; Routine maintenance & operational tasks; Operational reporting
    §    L2: Security Analysts: Incident Analysis & Validation; Vulnerability Assessment & Remediation support; Device mgmt. tasks; Trend monitoring & analysis; Vulnerability Impact Analysis; Escalation Management; Compliance reporting
    §    L3: Security Incident Managers: Incident Handling & Closure; Service Mgmt. Reporting; Compliance impact analysis; Manage new requirements
    §    SOC Operations Managers: Performance Mgmt.; Problem Mgmt.; Change & Release Mgmt.; Configuration Mgmt.; Service Level Mgmt.; Availability & Continuity Mgmt.
    §    SOC Management Team: Resource management, skill development; Operational process improvement; Program Escalation Management; Customer Management

Shared functions: Knowledgebase/Security Portal; Threat Alert & Advisory; SOC Incident Management.

    §    Vendor Management: Technical Support; Incident Escalation; Product Support; Trainings
    §    COEs: Threat A&A; Innovation; Benchmarks; Reuse Component/solutions
    §    SOC Engineering: Management of SOC tool configuration; Enhancement to SOC tools; Architecture design of SOC; Transformation Projects for SOC
    §    SOC Security: Administration of SOC security; Implementation projects; Compliance Mgmt.; Incident Mgmt.; Enhancement projects
SOC Operational model (process)

The network tool footprint (firewalls, IDS, syslog and SNMP sources, and vendor platforms such as Hewlett Packard systems) sends raw log data to the SOC Agent, which normalizes and filters it and forwards alerts & normalized log data. Real-time security analysis happens at this stage. The SOC Manager correlates the events and applies intelligence, including industry sources, and enriches them with asset vulnerability information and asset criticality to produce information & action; it holds the normalised alerts and consolidated logs. SOC engineers perform real-time alert management, response & management, and see a dashboard view via the portal. Devices are remotely managed from the SOC.
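The pipeline above (raw logs, agent-side normalize and filter, manager-side correlation with asset vulnerability and criticality, then action) and the earlier rule "Threat * Weakness * Business Value = Risk" can be shown in one piece. The following is an added example and not the deck's or any vendor's code: it parses constructed firewall and IDS syslog lines, drops blocked traffic as noise, groups the rest by destination host, adds a cross-layer bonus when both the perimeter and the IDS saw the same host, and scores each host with that product. The log layouts, asset inventory, threat weights and the bonus are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from any real device). Two sources feed the
# agent: a netfilter-style firewall syslog and a Snort-style IDS alert log.
RAW = [
    "May 15 10:01:02 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.0.5.20 PROTO=TCP DPT=445",
    "May 15 10:01:03 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.5.21 PROTO=TCP DPT=445",
    "May 15 10:01:05 ids01 snort[12]: [1:2008:3] SMB exploit attempt [Priority: 1] {TCP} 203.0.113.9:4444 -> 10.0.5.20:445",
    "May 15 10:02:00 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=10.0.5.30 PROTO=TCP DPT=80",
    "May 15 10:02:01 ids01 snort[12]: [1:1200:2] HTTP scanner user-agent [Priority: 3] {TCP} 198.51.100.7:5100 -> 10.0.5.30:80",
]

FW_RE = re.compile(
    r"(?P<host>\S+) kernel: (?P<action>ACCEPT|DROP) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)")
IDS_RE = re.compile(
    r"(?P<host>\S+) snort\[\d+\]: \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[Priority: (?P<prio>\d)\] "
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

# Constructed asset inventory: business value 1..5 and ports with a known open vulnerability
ASSETS = {
    "10.0.5.20": {"name": "fileserver", "value": 5, "vuln_ports": {445}},
    "10.0.5.30": {"name": "webserver",  "value": 3, "vuln_ports": set()},
}
UNKNOWN_ASSET = {"name": "unknown", "value": 1, "vuln_ports": set()}


def normalize(line):
    """Agent stage: map a raw line onto a common schema, or None if filtered out."""
    m = FW_RE.search(line)
    if m:
        if m["action"] == "DROP":
            return None  # filtering: blocked at the perimeter, no threat to the host itself
        return {"source": "firewall", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "threat": 1}
    m = IDS_RE.search(line)
    if m:
        # Snort priority 1 is most severe; map priorities 1..3 onto threat weights 3..1
        return {"source": "ids", "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                "threat": 4 - int(m["prio"]), "sig": m["msg"]}
    return None


def correlate(events):
    """Manager stage: group by destination host (time windowing omitted for brevity)
    and score each host with Threat * Weakness * Business Value."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["dst"]].append(e)
    alerts = []
    for dst, evs in by_host.items():
        asset = ASSETS.get(dst, UNKNOWN_ASSET)
        threat = max(e["threat"] for e in evs)
        sources = sorted({e["source"] for e in evs})
        if len(sources) > 1:
            threat += 1  # cross-layer corroboration: perimeter and IDS both saw this host
        weakness = 2 if any(e["dport"] in asset["vuln_ports"] for e in evs) else 1
        alerts.append({
            "dst": dst, "asset": asset["name"], "sources": sources,
            "sigs": [e["sig"] for e in evs if "sig" in e],
            "risk": threat * weakness * asset["value"],
        })
    return sorted(alerts, key=lambda a: a["risk"], reverse=True)


def run(lines):
    return correlate([e for e in map(normalize, lines) if e is not None])


if __name__ == "__main__":
    for a in run(RAW):
        print(f"{a['risk']:3}  {a['asset']:10} {a['dst']:10} {a['sources']} {a['sigs']}")
```

On the constructed input the file server scores 40 (severe signature, seen by both layers, vulnerable port, highest business value) and the web server 6, even though both received an accepted connection and an IDS hit; that ordering is what the prioritization slide means by dealing with business risk first.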
SOC Operational Model (technology)

Collect → Analyze (Event Explorer) → Manage, delivering: Baseline; Correlated Alerts; Report; Realtime Analysis; Forensics; Remediate; Integrated Incident Mgmt.

Supported devices (collected natively): Windows Server, Netscreen Firewall, Cisco IPS, Juniper IDP, Microsoft ISS, Trend Micro Antivirus. Legacy devices are collected through Universal Device Support (UDS).
SOC KEY DIFFERENTIATION AREAS
Integrated CMDB

§     Configuration Management Database (CMDB) features:
      §    Connectors sync data with external systems
      §    Create, update, and view CIs
      §    Create relationships among CIs, WIs, IT staff, and Active Directory® Domain Services (AD DS) users
      §    Automatically track CI change history
      §    Service definition and mapping

CMDB data: Config Items, Work Items, Relationships.

                                                             Integrated | Efficient | Business
Incident Management
Keep users and data center services up and running, and restore service quickly


   §    Process workflows
         −    Escalations
         −    Notifications
         −    Remediation
   §    Customizable templates
   §    Knowledge & History
   §    Automatic incident creation
         −    Desired Configuration
              Monitor (DCM) errors
         −    Operations Manager alerts
         −    Inbound Email
         −    Portal
Case Management
Enables organizations to identify and track problems



  •    Problem creation from similar
       incidents or Attacks

  •    Link Incidents and Change requests
       to problem

  •    Auto resolution of Incidents linked to
       the Problem
Change Management
Minimize errors and reduce risk

 §    Typical Change Models
       −  Standard, Major, Emergency…
       −  Review and Manual activities

 §    Customizable Templates
 §    Workflows and Notifications
 §    Analyst Portal
       −    Approvals via Web
 §    Relate Change Requests to
       Incidents, Problems and
       Configuration Items
Vulnerability Management Process (a continuous cycle)

    1. DISCOVERY (Mapping)
    2. ASSET PRIORITISATION (and allocation)
    3. ASSESSMENT (Scanning)
    4. REPORTING (Technical and Executive)
    5. REMEDIATION (Treating Risks)
    6. VERIFICATION (Rescanning), then back to step 1
Investigations and Forensics


   §    Being able to investigate and manipulate
         data
   §    Visualization
   §    Post-event correlation
   §    Managing by case / incident
   §    Chain of custody
   §    Integrity of data
   §    Remediation Automation
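Chain of custody and integrity of data can be enforced mechanically rather than by signatures on a form. The code below is an added example, not part of the deck: it hashes the acquired evidence and keeps an append-only custody log in which every entry commits to the evidence hash and to the previous entry's hash, so altered evidence bytes, a modified entry, or a deleted entry all fail verification. The evidence bytes, evidence ID and handler names are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an entry always hashes the same way
    return sha256_hex(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode())


class CustodyLog:
    """Append-only chain-of-custody record for one piece of evidence."""

    def __init__(self, evidence_id: str, evidence: bytes):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence)   # taken once, at acquisition
        self.entries = []

    def append(self, action: str, handler: str, when: str, note: str = "") -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries), "evidence_id": self.evidence_id,
            "evidence_hash": self.evidence_hash, "action": action,
            "handler": handler, "when": when, "note": note, "prev": prev,
        }
        body["hash"] = entry_hash(body)   # hash covers everything above, including prev
        self.entries.append(body)
        return body["hash"]

    def verify(self, evidence: bytes):
        """Return (ok, reason): evidence must match the acquisition hash and every
        entry must be in sequence, point at its predecessor and hash to its own value."""
        if sha256_hex(evidence) != self.evidence_hash:
            return False, "evidence bytes do not match acquisition hash"
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or entry_hash(body) != e["hash"]:
                return False, f"custody chain broken at entry {i}"
            prev = e["hash"]
        return True, "ok"


# Constructed sample evidence: a log excerpt exported from a SIEM during an investigation
EVIDENCE = b"2012-05-15 10:01:05 ws-042 powershell.exe -enc SQBFAFgAIAAo spawned by winword.exe\n"


def build_sample_log() -> CustodyLog:
    log = CustodyLog("EV-2012-0042", EVIDENCE)
    log.append("acquired",    "l1-operator", "2012-05-15T10:30:00Z", "exported from SIEM")
    log.append("transferred", "l2-analyst",  "2012-05-15T11:00:00Z", "for payload analysis")
    log.append("analyzed",    "l2-analyst",  "2012-05-15T13:45:00Z", "detonated in sandbox")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify(EVIDENCE))
    log.entries[1]["handler"] = "someone-else"        # after-the-fact edit of who held it
    print("after tampering:", log.verify(EVIDENCE))
```

The log itself still has to be stored somewhere the handlers cannot rewrite it wholesale (a write-once share or a separately signed export); the hash chain detects edits, it does not prevent them.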
SOC Objectives: A Framework for Security Operations

Security environment: perimeter network; internal systems & applications; eCommerce operations; operations; all feeding a SIEM.

Security objectives (each was marked in the original as most critical, highly desired or desired; the marks did not survive extraction):
    §    Access Control Enforcement: privileged user monitoring; corporate policy conformance
    §    Real-time Monitoring: troubleshoot network & security events; "What is happening?"
    §    False Positive Reduction: confirm IDS alerts; enable critical alert escalation
    §    Correlated Threat Detection: watch remote network areas; consolidate distributed IDS alerts
    §    Watchlist Enforcement: external threat exposure; internal investigations
    §    Unauthorized Network Service Detection: shutdown rogue services; intellectual property leakage
    §    SLA Compliance Monitoring: proof of delivery; monitor against baselines

SIEM capabilities: log management; asset identification; baseline; report & audit; alert; forensic analysis; incident management; automate learned incidents; automate remediation.
33
SOC Recommendation for APT (cont.)

§  SOC process automation.

§  Have a VIM service feeding your SOC, and follow up with the different parties.

§  Scan for zero days.

§  Ensure the security of your security products (patch zero days; focus on perimeter devices).

§  Forensics is not a luxury service; the SOC should have the tools and the ability to analyze payloads (sandbox, etc.).
34
SOC Recommendation for APT (cont.)

§  Correlate across layers (perimeter with endpoint output of IDS & IPS).

§  Monitor privileges on suspected or alerted workstations.

§  Enforce privilege changes if there is an infection.

§  Manage exceptions.

§  Contact authorities (CERT, ISPs, law enforcement).
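The slide 32 capabilities "Consolidate distributed IDS alerts", "Confirm IDS alerts" and "Watchlist Enforcement", together with the recommendations above to correlate perimeter IDS/IPS output with endpoint output and to monitor privileges on alerted workstations, describe one correlation pipeline. The following is an added illustration written for this page, not code from the presentation or from any SOC product: it merges alerts that several perimeter sensors raised for the same flow, confirms them against endpoint events on the same internal host within a time window, escalates sources found on a watchlist, and marks a privilege change on an already-alerted host as critical. All sensor names, hosts, signatures, timestamps and the watchlist are constructed sample data; the severity ladder, the 5- and 10-minute windows and the event kinds are assumptions of the example.

```python
"""Cross-layer correlation of perimeter IDS alerts with endpoint telemetry.

Added example, not from the slides: consolidates alerts from distributed IDS
sensors, confirms them against endpoint events on the same host, escalates
watchlisted sources, and flags privilege changes on alerted workstations.
All hosts, sensors, signatures, timestamps and the watchlist are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IdsAlert:
    sensor: str        # perimeter sensor that raised the alert
    ts: datetime
    src_ip: str        # external side of the flow
    dst_ip: str        # internal host the alert concerns
    signature: str


@dataclass(frozen=True)
class EndpointEvent:
    host_ip: str
    ts: datetime
    kind: str          # assumed kinds: "process_exec", "privilege_change", ...
    detail: str


@dataclass
class Incident:
    dst_ip: str
    signature: str
    severity: str = "low"                  # low < medium < high < critical
    reasons: list = field(default_factory=list)
    sensors: set = field(default_factory=set)


SEVERITY = ["low", "medium", "high", "critical"]


def escalate(inc, level, reason):
    """Raise severity to `level` (never lower it) and record why."""
    if SEVERITY.index(level) > SEVERITY.index(inc.severity):
        inc.severity = level
    inc.reasons.append(reason)


def consolidate(alerts, window=timedelta(minutes=5)):
    """Merge alerts with the same (src, dst, signature) seen by several
    sensors within `window`, so one event is not counted once per sensor."""
    merged, latest = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src_ip, a.dst_ip, a.signature)
        idx = latest.get(key)
        if idx is not None and a.ts - merged[idx]["first"].ts <= window:
            merged[idx]["sensors"].add(a.sensor)
        else:
            merged.append({"first": a, "sensors": {a.sensor}})
            latest[key] = len(merged) - 1
    return merged


def correlate(alerts, endpoint_events, watchlist, window=timedelta(minutes=10)):
    """Turn consolidated perimeter alerts into prioritised incidents."""
    incidents = []
    for group in consolidate(alerts):
        a = group["first"]
        inc = Incident(a.dst_ip, a.signature, sensors=group["sensors"])
        # Endpoint activity on the alerted host shortly after the alert confirms it
        corroborating = [e for e in endpoint_events
                         if e.host_ip == a.dst_ip
                         and timedelta(0) <= e.ts - a.ts <= window]
        if corroborating:
            escalate(inc, "high", "endpoint telemetry confirms perimeter alert")
        else:
            inc.reasons.append("unconfirmed by endpoint telemetry")
        if a.src_ip in watchlist:
            # Watchlisted source: medium on its own, critical when also confirmed
            escalate(inc, "critical" if corroborating else "medium",
                     f"source {a.src_ip} is on the watchlist")
        if any(e.kind == "privilege_change" for e in corroborating):
            escalate(inc, "critical", "privilege change on alerted workstation")
        incidents.append(inc)
    return incidents


def severity_counts(incidents):
    """Per-severity tally, the kind of figure a SOC dashboard reports."""
    counts = {s: 0 for s in SEVERITY}
    for inc in incidents:
        counts[inc.severity] += 1
    return counts


def sample_incidents():
    """Run the correlation over constructed sample data."""
    t0 = datetime(2012, 5, 15, 9, 0)
    alerts = [
        IdsAlert("ids-dc1", t0, "203.0.113.10", "10.0.0.25", "suspicious outbound beacon"),
        IdsAlert("ids-dc2", t0 + timedelta(minutes=1), "203.0.113.10", "10.0.0.25",
                 "suspicious outbound beacon"),          # same event, second sensor
        IdsAlert("ids-dc1", t0 + timedelta(minutes=2), "198.51.100.7", "10.0.0.40", "port sweep"),
        IdsAlert("ids-dc1", t0 + timedelta(minutes=3), "192.0.2.50", "10.0.0.60",
                 "malicious document download"),
    ]
    endpoint = [
        EndpointEvent("10.0.0.25", t0 + timedelta(minutes=2), "process_exec", "unsigned binary"),
        EndpointEvent("10.0.0.25", t0 + timedelta(minutes=4), "privilege_change", "added to local admins"),
    ]
    return correlate(alerts, endpoint, watchlist={"192.0.2.50"})


if __name__ == "__main__":
    incidents = sample_incidents()
    for inc in incidents:
        print(f"{inc.severity:8} {inc.dst_ip:10} {inc.signature} "
              f"[{', '.join(sorted(inc.sensors))}] - {'; '.join(inc.reasons)}")
    print(severity_counts(incidents))
```

Run as a script it prints three incidents: the beacon to 10.0.0.25 comes out critical (two sensors merged into one incident, confirmed by endpoint activity, privilege change on the host), the port sweep stays low because nothing on the endpoint corroborates it, and the watchlisted download is medium pending endpoint confirmation. Only escalation is ever applied, so a later rule can never hide a finding that an earlier rule raised.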
Q&A

Mahmoud.yassin@nbad.com
myassin75@gmail.com

THANK YOU

15/05/2012
35
