DSS ITSEC Conference 2012 - SIEM Q1 Labs IBM Security Systems Intelligence
Building a SOC in a Changing Threat Landscape (final)
1. Building a Security Operations Center and KPI for a SOC
Mahmoud Yassin
Lead Security Architect, Mahmoud.yassin@outlook.com
2. Overview
§ Companies like yours?
§ Insights into building a SOC team in a changing threat landscape?
§ Measuring the effectiveness of a SOC using key performance indicators
§ Using 24*7 monitoring to minimize overall risk across an organization
§ Conclusions
4. The changed threat landscape
§ Who is targeting you?
§ What are they after?
§ Have they succeeded?
§ How long have they been succeeding?
§ What have I lost so far?
§ What can I do to counter their methods?
§ Are there legal actions I can take?
5. Today’s Threat Landscape
External Attacks: Trojans, viruses, worms, phishing… Not protected by firewalls. Requires IPS.
Undetected Attacks: Vulnerabilities and compromised machines may lay dormant for months, awaiting an attacker to exploit them. Requires vulnerability awareness and end-point intelligence.
Porous Perimeter: Every machine a peering point. Laptops carry infection past firewalls. Requires IDS.
Information Leakage: Point-point VPNs + desktop and mobile internet connections provide ample opportunity. Requires compliance monitoring and enforcement.
Controls shown: Intrusion Prevention, Vulnerability Assessment, Network Intelligence, User Intelligence, Physical / Data Center Security, Network Behavior Analysis (NBA), Network Access Control (NAC)
6. Visibility of Advanced Persistent Threats
-- Invisible --
Source: Douwe.Leguit@govcert.nl, April 2010
8. Security by Service’s layers
Layers (top to bottom): Application, Presentation, Session, Transport, Network, Data Link, Physical
Physical / Data Link: Wiring closets, cable plant, building access control, power, HVAC
9. Security by Service’s layers
Data Link / Network: NIDS, HIDS, Perimeter Devices, Virus Scanning
10. Security by Service’s layers
Network / Transport: Firewall, Routers, Access Control Lists (ACLs), IP schemes, E-Mail Attachment Scanning
11. Security by Service’s layers
Session / Presentation / Application: OS Hardening, Security Health Checking, Vulnerability Scanning, Pen-Testing
12. Security by Service’s layers
Application: User Account Management on Systems, Role/Rule Based Access Control, Application Security, Virus Updates, Virus Signatures
13. The Enterprise Today - Mountains of data, many stakeholders
Use cases: Malicious Code Detection, Real-Time Monitoring, Spyware detection, Troubleshooting, Access Control Enforcement, Configuration Control, Privileged User Management, Lockdown enforcement, Unauthorized Service Detection, False Positive Reduction, IP Leakage, User Monitoring, SLA Monitoring
Log sources: Web server activity logs, Web cache & proxy logs, Content management logs, Switch logs, IDS/IDP logs, VA scan logs, Router logs, Windows domain logins, Windows logs, VPN logs, Firewall logs, Wireless access logs, Linux, Unix and Windows OS logs, Oracle Financial logs, Mainframe logs, DHCP logs, Client & file server logs, SAN file access logs, VLAN access control logs, Database logs
Sources from RSA
14. Top Technical Issues
§ Increase Speed of Aggregation and Correlation
§ Maximize Device and System Coverage
§ Improve Ability to Respond Quickly
§ Deliver 24 x 7 Coverage
§ Support for Federated and Distributed Environments
§ Provide Forensic Capabilities
§ Ensure Intelligent Integration between SOCs and NOCs
§ Time for Remediation
15. SOC Framework
Industry Standards and Best Practices (ITIL, BS7799/ISO17799, SANS, CERT)
Service Delivery Tools (Helpdesk, Monitoring, Reporting, Windows Configuration, Automation/Workflow)
Web Portal (Operational Mgmt., Advisories)
Coverage models (24x7, 8x5, 12x7)
Security Center of Excellence (Test bed, Technology Innovation, Trainings)
Command Center (Incident & Problem Mgmt., Knowledge Mgmt., Testing, Product evaluation)
Knowledgebase
Infra. Mgmt. Stream:
− Program Management (Customer interface, Escalation mgmt., Strategic assistance, Operational supervision, quality control)
− Device Supervision (Performance, Incident, Monitoring)
− Device Operations (Change, Vendor Mgmt., Installation, Configuration)
Security Mgmt. Stream:
− Security Monitoring
− People Resource (cross skilling, rotation, training, ramp-up and scale down)
− Security Change
− Security Advisory
− Incident Management
− Reporting
Service Delivery Operational Models (Onsite, Near Shore and Offshore) (SOC and ODC)
16. SOC or Operational SOC…
Stakeholders: Server Engineering, Business Ops., Compliance, Audit, Risk Mgmt., Security Ops., Desktop Ops., Network Ops., Application & Database
Compliance Operations: Report, Baseline, Asset Ident., Access Control, Log Mgmt., Configuration Control, Malicious Software, Policy Enforcements, User Monitoring & Management, Environmental & Transmission Security
Security Operations: Alert/Correlation, Forensics, Access Control Enforcement, SLA Compliance Monitoring, Incident Mgmt., False Positive Reduction, Real-time Monitoring, Unauthorized Network Service Detection, More…
All the Data – Log Management:
− Any enterprise IP device – Universal Device Support (UDS)
− No filtering, normalizing, or data reduction
− Security events & operational information
− No agents required
…For Compliance & Security Operations
17. The 3 (main) functions of a SOC
§ The reason for a SOC: Business Continuity, Risk Mitigation, Cost Efficiency
§ What does the SOC do?
1. Real-time monitoring / management
§ Aggregate logs
§ Aggregate more than logs
§ Coordinate response and remediation
§ “Google Earth” view from a security perspective
2. Reporting / Custom views
§ Security Professionals
§ Executives
§ Auditors
§ Consistent
3. After-Action Analysis
§ Forensics
§ Investigation
§ Automate Remediation
§ Virtues of a SOC: cost efficiency, measurable improvements in availability, lower risk, relevance to the business, transparency, passing audits, consistency, reproducibility
§ Vices of a SOC: expensive, little meaning to the business, opacity to the business, no impact on risk, failing audits, inconsistency
18. Prioritization and Remediation
§ Deal with what’s most relevant to the business first!
− Gather asset data
− Gather business priorities
− Understand the business context of an incident
§ Break down the IT silos
− Automate the Action after incident discovery
− Coordinate responses
− Inform all who need to know of an incident
− Work with existing ticketing / workflow systems
§ Threat * Weakness * Business Value = Risk
§ Deal with BUSINESS RISK
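The slide's formula, Threat * Weakness * Business Value = Risk, only orders an incident queue correctly if the asset data and business priorities were gathered beforehand. The following is an added example, not code from the deck or its author: it joins a constructed incident queue to a constructed asset inventory (the CMDB extract the slide asks for), scores each ticket with the formula, and routes it to the owning team. Every asset name, score, ticket id and team is constructed; the handling of an unknown asset (a default score plus a triage note, rather than silently dropping the ticket) is this example's own assumption.

```python
"""Added example (not from the slide deck): prioritizing SOC incidents by
Risk = Threat * Weakness * Business Value, using asset data and business
priorities gathered up front. All assets, scores, tickets and teams are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    business_value: int   # 1 (low) .. 5 (critical), agreed with business owners
    weakness: int         # 1 .. 5, e.g. exposure and open findings from the last VA scan
    owner_team: str       # who must be informed and who owns remediation


@dataclass(frozen=True)
class Incident:
    ticket: str
    host: str
    threat: int           # 1 .. 5 severity of the detected threat
    summary: str


@dataclass(frozen=True)
class Prioritized:
    ticket: str
    risk: int
    owner_team: str
    note: str


# Constructed asset inventory (what a CMDB extract would provide)
ASSETS: Dict[str, Asset] = {
    "erp-db-01": Asset("erp-db-01", business_value=5, weakness=4, owner_team="database-ops"),
    "web-fe-03": Asset("web-fe-03", business_value=4, weakness=2, owner_team="server-eng"),
    "kiosk-07":  Asset("kiosk-07",  business_value=1, weakness=5, owner_team="desktop-ops"),
}

# Constructed incident queue as it might arrive from the correlation engine
INCIDENTS: List[Incident] = [
    Incident("INC-1001", "erp-db-01", threat=3, summary="brute force against DB listener"),
    Incident("INC-1002", "kiosk-07",  threat=5, summary="worm activity"),
    Incident("INC-1003", "web-fe-03", threat=4, summary="web shell upload attempt"),
    Incident("INC-1004", "lab-pc-99", threat=2, summary="suspicious outbound DNS"),
]

# Assumed policy: an asset missing from the inventory gets middle-of-the-road
# weakness and value scores and a triage note, so the ticket is never dropped.
DEFAULT_SCORE = 3


def risk_score(inc: Incident, assets: Dict[str, Asset]) -> Prioritized:
    """Apply Threat * Weakness * Business Value to one incident."""
    asset = assets.get(inc.host)
    if asset is None:
        risk = inc.threat * DEFAULT_SCORE * DEFAULT_SCORE
        return Prioritized(inc.ticket, risk, "soc-triage",
                           "asset not in inventory: identify owner and business context")
    risk = inc.threat * asset.weakness * asset.business_value
    return Prioritized(inc.ticket, risk, asset.owner_team, inc.summary)


def prioritize(incidents: List[Incident], assets: Dict[str, Asset]) -> List[Prioritized]:
    """Highest business risk first; ties broken by ticket id so the order is stable."""
    return sorted((risk_score(i, assets) for i in incidents),
                  key=lambda p: (-p.risk, p.ticket))


if __name__ == "__main__":
    for p in prioritize(INCIDENTS, ASSETS):
        print(f"{p.ticket} risk={p.risk:3d} -> {p.owner_team}: {p.note}")
```

The point the ordering makes: the kiosk carries the highest raw threat score (5) but lands third, because its business value is low, while the ERP database with a moderate threat score tops the queue. That is what "deal with BUSINESS RISK" means in practice.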
19. SOC and business expectation
Historical – Technology Based Services
Monitoring & Management:
• Firewalls
• IDS/IPS
• VPN Concentrators
• Antivirus
• Content-Filtering
• Log Management
• Incident Management
• Audits
Today's Scenario – Business Oriented
IT Risk Management:
• IT Risk Dashboard
• Sustaining Enterprise Security Control
• Meeting Industry Process
Compliance Driven:
• Security Control Assessment
• Enforcing enterprise security policies
20. SOC Architecture
Data-Center 1 … Data-Center n (server farms and storage), connected over the Corporate WAN, with links to other business units
SOC Centralized Management (Portal; tiers L1, L2, L3; Risk Monitoring)
L1: • Performance Monitoring • Security Monitoring • Availability Monitoring • Scheduled Reporting • Support
L2: • Risk Assessment • Manage Performance • Manage Availability • Trend analysis and Reporting • Compliance Management
L3 / Risk Monitoring: • Threat Analysis − Risk Mitigation Plan − Control Verification − Compliance impact analysis − Manage new requirements
Process Framework - ITIL; Best Practice - ISO 27001, SANS, FDDI
23. SOC Operational model (process)
Network SOC: dashboard view via portal; industry sources; tool footprint (Hewlett Packard)
Collect: Firewalls, IDS, Syslogs, SNMP → raw log data
Agent Manager: alerts & normalize log data (normalize, filter)
Enrich: asset vulnerability and asset criticality
Real-time security analysis → normalised alerts → real-time alert management → information & action
Consolidated logs
Response & management: remote management from SOC
24. SOC Operational Model (technology)
Collect: Universal Device Support (UDS); supported devices: Windows Server, Netscreen Firewall, Cisco IPS, Juniper IDP, Microsoft ISS, Trend Micro Antivirus, Legacy Device
Analyze / Manage: Baseline, Correlated Alerts, Report, Event Explorer, Integrated Forensics, Realtime Analysis, Incident Mgmt., Remediate
26. Integrated CMDB
§ Configuration Management Database (CMDB) features:
§ Connectors sync data with external systems
§ Create, update, and view CIs
§ Create relationships among CIs, WIs, IT staff, and Active Directory® Domain Services (AD DS) users
§ Automatically track CI change history
§ Service definition and mapping
CMDB Data: Config Items, Work Items, Relationships
Integrated | Efficient | Business
27. Incident Management
Keep users and data center services up and running, and restore service quickly
§ Process workflows
− Escalations
− Notifications
− Remediation
§ Customizable templates
§ Knowledge & History
§ Automatic incident creation
− Desired Configuration Monitor (DCM) errors
− Operations Manager alerts
− Inbound Email
− Portal
28. Case Management
Enables organizations to identify and track problems
• Problem creation from similar incidents or attacks
• Link Incidents and Change requests to problem
• Auto resolution of Incidents linked to the Problem
29. Change Management
Minimize errors and reduce risk
§ Typical Change Models
− Standard, Major, Emergency…
− Review and Manual activities
§ Customizable Templates
§ Workflows and Notifications
§ Analyst Portal
− Approvals via Web
§ Relate Change Requests to Incidents, Problems and Configuration Items
31. Investigations and Forensics
§ Being able to investigate and manipulate
data
§ Visualization
§ Post-event correlation
§ Managing by case / incident
§ Chain of custody
§ Integrity of data
§ Remediation Automation
33. SOC Recommendations for APT (cont.)
§ SOC process automation
§ Have a VIM service feeding your SOC and follow up with the different parties.
§ Scan for zero days
§ Ensure the security of your security products (patch zero days; focus on perimeter devices).
§ Forensics is not a luxury service: the SOC should have the tools and the ability to analyze (payloads, sandbox, …).
34. SOC Recommendations for APT (cont.)
§ Correlate across layers (perimeter with end point, output of IDS & IPS)
§ Monitor privileges on suspected or alerted workstations.
§ Enforce privilege change if there is an infection.
§ Manage exceptions
§ Contact authorities (CERT, ISPs, Law Enforcement)
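Slides 23 and 24 describe the pipeline (collect raw logs, normalize, enrich, correlate, raise alerts) and this slide asks for correlation across layers plus privilege monitoring on alerted workstations. The block below is an added example, not code from the deck, its author or any vendor mentioned: it normalizes a handful of constructed log lines from a firewall, an IDS, an antivirus agent and a domain controller into one schema, groups them by host address, joins events from different layers that fall within a time window of a detection, and flags whether a privileged logon occurred on that host after the detection. The log formats, source names, addresses, signature names, the ten-minute window and the "two or more layers" escalation rule are all assumptions of this example.

```python
"""Added example (not from the slide deck): cross-layer correlation of
perimeter (firewall, IDS) and endpoint (antivirus, logon) events on the same
host, with a check for privileged activity after the detection. Log formats,
sources, hosts, addresses and signature names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

WINDOW = timedelta(minutes=10)  # assumed: how far apart events may be and still count as one activity

# Constructed sample events: "<timestamp> <source> key=value ..." one per line
RAW_EVENTS = """\
2012-06-05T10:01:05Z fw01 action=allow src=10.1.2.34 dst=203.0.113.7 dport=443
2012-06-05T10:01:20Z fw01 action=allow src=10.1.2.51 dst=198.51.100.9 dport=80
2012-06-05T10:01:40Z ids01 sig=TrojanBeacon src=10.1.2.34 dst=203.0.113.7
2012-06-05T10:03:10Z av01 host=ws-1234 ip=10.1.2.34 event=detection name=Trojan.Generic action=quarantine_failed
2012-06-05T10:05:00Z dc01 host=ws-1234 ip=10.1.2.34 event=privileged_logon user=j.doe
2012-06-05T11:30:00Z av01 host=ws-0042 ip=10.1.2.51 event=detection name=Adware.X action=quarantined
"""

# Which layer each log source belongs to (in practice taken from the tool inventory)
SOURCE_LAYER = {"fw01": "perimeter", "ids01": "network", "av01": "endpoint", "dc01": "endpoint"}


@dataclass
class Event:
    ts: datetime
    source: str
    layer: str
    fields: Dict[str, str]

    def ip(self) -> Optional[str]:
        # Endpoint tools report the host as ip=..., perimeter tools as src=...
        return self.fields.get("ip") or self.fields.get("src")

    def is_detection(self) -> bool:
        # A signal worth a case: an IDS signature hit or an endpoint AV detection
        return "sig" in self.fields or self.fields.get("event") == "detection"


@dataclass
class Case:
    ip: str
    first_detection: datetime
    layers: Set[str] = field(default_factory=set)
    events: List[Event] = field(default_factory=list)
    privileged_after_detection: bool = False


def parse(line: str) -> Event:
    """Normalize one raw line into the common schema (timestamp, source, layer, fields)."""
    ts, source, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source,
                 SOURCE_LAYER.get(source, "unknown"), fields)


def correlate(raw: str) -> Dict[str, Case]:
    """Build one case per host address that has at least one detection."""
    events = sorted((parse(l) for l in raw.splitlines() if l.strip()), key=lambda e: e.ts)
    by_ip: Dict[str, List[Event]] = {}
    for ev in events:
        if ev.ip():
            by_ip.setdefault(ev.ip(), []).append(ev)
    cases: Dict[str, Case] = {}
    for ip, evs in by_ip.items():
        detections = [e for e in evs if e.is_detection()]
        if not detections:
            continue  # firewall traffic alone is context, not a case
        anchor = detections[0].ts
        case = Case(ip, anchor)
        for e in evs:
            if abs(e.ts - anchor) <= WINDOW:
                case.events.append(e)
                case.layers.add(e.layer)
                # Privilege monitoring on the alerted workstation (slide 34)
                if e.fields.get("event") == "privileged_logon" and e.ts >= anchor:
                    case.privileged_after_detection = True
        cases[ip] = case
    return cases


def escalate(cases: Dict[str, Case]) -> List[Case]:
    """Cases confirmed by two or more layers, most layers first, then oldest first."""
    return sorted((c for c in cases.values() if len(c.layers) >= 2),
                  key=lambda c: (-len(c.layers), c.first_detection))


if __name__ == "__main__":
    for c in escalate(correlate(RAW_EVENTS)):
        print(c.ip, sorted(c.layers), "privileged after detection:", c.privileged_after_detection)
```

With the constructed input, 10.1.2.34 is seen by the perimeter, network and endpoint layers within the window and shows a privileged logon after the AV detection failed to quarantine, so it is escalated; 10.1.2.51 has only an endpoint detection (its firewall traffic is hours earlier) and stays a single-layer case.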