Napier University, profile picture
Uploaded byNapier University
PPTX, PDF1,262 views

Design and Evaluation of [vSoC]: Virtualised Security Operations Centre

This document describes the design and evaluation of a virtualized Security Operations Centre ([vSoC]). [vSoC] leverages virtualization technology to provide a shared training environment for public sector, academia, and industry. It currently hosts over 2,500 virtual machines across various operating systems and security tools. Modules in the [vSoC] have been used to teach over 500 students across various cybersecurity courses. Current work is focused on integrating additional security tools like F5 Big-IP, RSA Security Analytics, and Splunk, as well developing mobile access and capture the flag exercises.

Technology
Related topics:
Cyber-Security

Embed presentation

Downloaded 18 times
Design and Evaluation of [vSoC]: Virtualised Security Operations Centre Prof William J Buchanan, Charley Celice, Peter Aaby, Bruce Ramsay, Richard Macfarlane, Adrian Smales, Dr Gordon Russell and Bobby Soutar http://thecyberacademy.org [vSoC]
Sharing of resources DFET Training Cloud – Infrastructure for training and sharing of material Public Sector  Evaluation of systems.  Training. Academia  Training/sharing materials  Virtualised environments Industry  Training/sharing materials.  Professional certification Software Vendors:  Test environments.  Promoting products.  Providing floating licences Government  Define standards  Evaluate products Public clouds Existing Academic Clouds Law Enforcement  Triage systems  Training
Building vSoC Intrusion Detection System Firewall Internet Switch Router (NAT) Email server Web server DMZ FTP server Firewall Eve Bob Alice Data Centre Load balancer Syslog server [vSoC]
vSoC/DFET Cloud The current DFET Cloud contains five main cluster nodes, where each cluster node runs: • VMware vSphere 5.5 with VMware vCenter used to manage the instances. • 170GHz CPU, 767GB of memory. • 40TB of disk space. • 72 Processors. • Running over 2,500 running VMs.
The Move Toward Security Analytics Big Data/SIEM [vSoC]
Data Analysis • Increasing number of jobs are in Security Analytics (SOC Analysts). • Companies require skills for before, during and after incidents (mix of security and forensics). IncidentsIntroduction Author: Prof Bill Buchanan Incidents During IncidentBefore Incident After Incident Timeline Data At Rest Data In-Motion Data In-Process Files, Directories, File Rights, Domain Rights, etc. File changes, File CRUD (Create, Delete, Update, Delete), Thumbprints Network packet logs, Web logs, Security logs Network scanners, Intrusion Detection Systems, Firewall logs, etc Processes, Threads, Memory, etc. Security Log, Application Log, Registry, Domain Rights. Intruder
Increasing Complexity of Knowledge • Increasing requirement for a wide range of skills for security professionals. IntroductionIncResponse Data Capture Web server IT Ops Nagios. NetApp. Cisco UCS. Apache. IIS. Web Services Firewall Router Proxy server Email server FTP server Switch Eve Bob Microsoft Infrastructure Active Directory. Exchange. SharePoint. Structured Data CSV. JSON. XML. Database Sys Oracle. My SQL. Microsoft SQL. Network/Security Syslog/SNMP. Cisco NetFlow. Snort. Intrusion Detection System Alice Cloud AWS Cloudtrail. Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat
Data Integration • Increasing move toward the integration of data for security analysis eg with SIEM tools. IntroductionIncResponse Security Operations Centre Eve Eve Logs/alerts Bob SIEM Package (Splunk) News feeds Security alerts
Design and Evaluation of [vSoC]: Virtualised Security Operations Centre Splunk Lab Integration [vSoC]
vSoC SIEM Architecture U001 - Ubuntu Server 192.168.x.7/24) Main gateway/ fireweall Firewall (pfSense) W001 - Windows 2003 Server (192.168.y.7/24) K001 - Kali (DHCP) K002 - Kali (192.168.y.9/24) em0 (DHCP) em1 em2 10.200.0.1/24 W003 – Windows 2008 with Splunk Enterprise (192.168.y.8/24) _Public _Private _DMZ Splunk forwarder 192.168.y.254/24 192.168.x.254/24
Splunk Lab Integration
Design and Evaluation of [vSoC]: Virtualised Security Operations Centre Splunk Testing Environment – Buttercupgames [vSoC]
http://asecuritysite.com/tests/tests?sortBy=siem http://asecuritysite.com:8000
Capture The Flag British Broadband, and RSA SA [vSoC]
British Broadband • Video: https://www.youtube.com/watch?v=V7o03eLolqA
British Broadband
Cyber Security Insight Camp
Big Data in Cyber Security
RSA SA
CTF – Big Data in Cyber Security
Design and Evaluation of [vSoC]: Virtualised Security Operations Centre Results [vSoC]
Current Range of VMs • Specialised: EnCase, Windows XP (with Malware), GNS3. • Linux Kali. • Ubuntu. • Windows 2003, Windows 2008, Windows 7 and Windows 8. • Firewalls: pfSense, vyatta, F5 Big-IP (in development). • Caine. • Metasploitable.
Example $tubuntu = "t_ubuntu_205" if ($args[1].contains("u")) { $ins = $prefix+$iubuntu +$i.ToString("000")+"_private"; ... Write-Output "Creating: $($ins) from $($temp) in $($folder) for $($folder) disk: $($disk) " new-vm -name $ins -template $temp -datastore $disk -resourcepool DFETLab - DiskStorageFormat thin -location $folder $apt = Get-NetworkAdapter -VM $ins Set-NetworkAdapter -NetworkAdapter $apt -NetworkName $private - confirm:$false Write-Output "Creating: $($ins) from $($temp) in $($folder) for $($folder) disk: $($disk) " new-snapshot -VM $ins -Name snapshot } Setup network Create VM Create known snapshot
Results Modules used on: Semester 1: Cryptography and Network Forensics (80 students); Network Security (60 students – GNS3); Host-based Forensics (60 students - EnCase). Semester 2: Security Testing (70 students); e-Security (100 students); Incident Response and Malware Analysis (100 students). Cloud upgrade
Current Work • Integrating F5 Big-IP (30 licences). • Integration of SDN within Cloud (with Hutchinson Networks). • Integration of RSA SA and Splunk for teaching in 2016/2017. • Integration of HPE Arcsight. • Roll-out of two CTF: British Broadband and RSA SA (Network Forensics. • Development of a mobile Cloud environment, for onsite training/CTF.
Design and Evaluation of [vSoC]: Virtualised Security Operations Centre Prof William J Buchanan, Charley Celice, Peter Aaby, Bruce Ramsay, Richard Macfarlane, Adrian Smales, Dr Gordon Russell and Bobby Soutar http://thecyberacademy.org [vSoC]

More Related Content

PPTX
Security Operation Center - Design & Build
bySameer Paradia
 
PPTX
Managing Multiple Assessments Using Zero Trust Principles
byControlCase
 
PPTX
Company Profile
by3SC World
 
PDF
SIEM enabled risk management , SOC and GRC v1.0
byRasmi Swain
 
PPTX
Soc
byMukesh Chaudhari
 
PPTX
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
byManoj Purandare ☁
 
PDF
Ooredoo%20Security%20Managed%20Services
byMuhammad Mudassar
 
PDF
Building an Intelligence-Driven Security Operations Center
byEMC
 
Security Operation Center - Design & Build
bySameer Paradia
 
Managing Multiple Assessments Using Zero Trust Principles
byControlCase
 
Company Profile
by3SC World
 
SIEM enabled risk management , SOC and GRC v1.0
byRasmi Swain
 
Soc
byMukesh Chaudhari
 
Manoj purandare - Stratergy towards an Effective Security Operations Centre -...
byManoj Purandare ☁
 
Ooredoo%20Security%20Managed%20Services
byMuhammad Mudassar
 
Building an Intelligence-Driven Security Operations Center
byEMC
 

What's hot

PDF
Active Directory in ICS: Lessons Learned From The Field
byDigital Bond
 
PPTX
PCI DSS Compliance in the Cloud
byControlCase
 
PDF
Don’t Drown in a Sea of Cyberthreats: Mitigate Attacks with IBM BigFix & QRadar
byIBM Security
 
PDF
Accelerating OT - A Case Study
byDigital Bond
 
PDF
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
byLisa Niles
 
PPTX
Vulnerability Testing Services Case Study
byNandita Nityanandam
 
PPTX
FedRAMP Certification & FedRAMP Marketplace
byControlCase
 
PDF
SIEM brochure A4 8pp FINAL WEB
byMerlin Govender
 
PPTX
Information Assurance Metrics: Practical Steps to Measurement
byEnclaveSecurity
 
PPTX
The RIPE Experience
byDigital Bond
 
PPTX
Project Forecasting from the Perspective of an EVMA and EIA-748
byUnanet
 
PDF
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
byUnanet
 
PPTX
Post Wannacry Update
byThomas Springer
 
PDF
What's Next : A Trillion Event Logs, A Million Security Threat
byAlan Yau Ti Dun
 
PPT
2008: Web Application Security Tutorial
byNeil Matatall
 
PDF
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
byAlan Yau Ti Dun
 
PDF
Bridging the Gap Between Your Security Defenses and Critical Data
byIBM Security
 
PDF
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
byLisa Niles
 
PDF
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
byAlan Yau Ti Dun
 
PDF
Assessing the Security of Cloud SaaS Solutions
byDigital Bond
 
Active Directory in ICS: Lessons Learned From The Field
byDigital Bond
 
PCI DSS Compliance in the Cloud
byControlCase
 
Don’t Drown in a Sea of Cyberthreats: Mitigate Attacks with IBM BigFix & QRadar
byIBM Security
 
Accelerating OT - A Case Study
byDigital Bond
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #1
byLisa Niles
 
Vulnerability Testing Services Case Study
byNandita Nityanandam
 
FedRAMP Certification & FedRAMP Marketplace
byControlCase
 
SIEM brochure A4 8pp FINAL WEB
byMerlin Govender
 
Information Assurance Metrics: Practical Steps to Measurement
byEnclaveSecurity
 
The RIPE Experience
byDigital Bond
 
Project Forecasting from the Perspective of an EVMA and EIA-748
byUnanet
 
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
byUnanet
 
Post Wannacry Update
byThomas Springer
 
What's Next : A Trillion Event Logs, A Million Security Threat
byAlan Yau Ti Dun
 
2008: Web Application Security Tutorial
byNeil Matatall
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
byAlan Yau Ti Dun
 
Bridging the Gap Between Your Security Defenses and Critical Data
byIBM Security
 
SynerComm's Tech TV series CIS Top 20 Critical Security Controls #5
byLisa Niles
 
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
byAlan Yau Ti Dun
 
Assessing the Security of Cloud SaaS Solutions
byDigital Bond
 

Viewers also liked

PPTX
Incident Response: SIEM
byNapier University
 
PPTX
Incident response: Advanced Network Forensics
byNapier University
 
PDF
Untuk penggiat Cyber Security dan Sertifikasi dari isaca csx-update-18_apr - ...
bySarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
PDF
CSN09112: Introduction to Computer Security
byNapier University
 
PPT
Aerospace Capability Overview
bypaulferguson6
 
PPTX
Incident response: Introduction
byNapier University
 
PPTX
Trust and Governance in Health and Social Care
byNapier University
 
PPTX
TASL
bypaddu325
 
PPTX
Blockchain and Health - James Little-john
byNapier University
 
PPTX
e-Frality - Adrian Smales and Brian Brown (CM2000)
byNapier University
 
PPTX
Population Health Management - Angus McCann
byNapier University
 
PPTX
Incident Response: Tunnelling
byNapier University
 
PDF
Using Big Data to Create Engagement Agility
byNapier University
 
PPTX
Incident Response: SIEM Part II
byNapier University
 
PDF
Venturefest 2016 Cyber Security Innovation
byNapier University
 
PPT
Incident Response: Network Forensics
byNapier University
 
PPTX
Big Data Big Picture - Professor Derek Bell
byNapier University
 
PPTX
LIquidity and Validity - Jan Gill
byNapier University
 
PPTX
SIMD 2016 - Alistair McAlpine
byNapier University
 
PDF
T A S L
byHannah Little
 
Incident Response: SIEM
byNapier University
 
Incident response: Advanced Network Forensics
byNapier University
 
Untuk penggiat Cyber Security dan Sertifikasi dari isaca csx-update-18_apr - ...
bySarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
CSN09112: Introduction to Computer Security
byNapier University
 
Aerospace Capability Overview
bypaulferguson6
 
Incident response: Introduction
byNapier University
 
Trust and Governance in Health and Social Care
byNapier University
 
TASL
bypaddu325
 
Blockchain and Health - James Little-john
byNapier University
 
e-Frality - Adrian Smales and Brian Brown (CM2000)
byNapier University
 
Population Health Management - Angus McCann
byNapier University
 
Incident Response: Tunnelling
byNapier University
 
Using Big Data to Create Engagement Agility
byNapier University
 
Incident Response: SIEM Part II
byNapier University
 
Venturefest 2016 Cyber Security Innovation
byNapier University
 
Incident Response: Network Forensics
byNapier University
 
Big Data Big Picture - Professor Derek Bell
byNapier University
 
LIquidity and Validity - Jan Gill
byNapier University
 
SIMD 2016 - Alistair McAlpine
byNapier University
 
T A S L
byHannah Little
 

Similar to Design and Evaluation of [vSoC]: Virtualised Security Operations Centre

PPT
Building+a+Security+Operations+Center.ppt
byAzim191210
 
PPT
Building a Security Operations Center
byLymanAlphaBlob
 
PDF
Mcse 70293 Exam Prep Planning And Maintaining A Microsoft Windows Server 2003...
byiurrieprap
 
PPT
Building+a+Security+Operations+Center.ppt
byEthioTelecom_Getahun Biratu
 
PDF
PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków
byPROIDEA
 
PDF
Vmware Seminar Security & Compliance for the cloud with Trend Micro
byGraeme Wood
 
PDF
Vss Security And Compliance For The Cloud
byGraeme Wood
 
PDF
VMworld 2013: IaaS Case Study: How the University of New Mexico Improved Serv...
byVMworld
 
PPTX
Vmug birmingham mar2013 trendmicro
bydvmug1
 
PDF
Forecast 2012 Panel: Security POC NAB, Terremark, Trapezoid
byOpen Data Center Alliance
 
PPT
How I reshaped my lab environment
bysubtitle
 
ODP
Ece seminar 20070927
byTodd Deshane
 
PDF
VMworld 2013: US Air National Guard - DoD Private Cloud Initiative –How Virtu...
byVMworld
 
PPTX
Architecting a Private Cloud - Cloud Expo
bysmw355
 
PDF
DRAFT
byVideoguy
 
PDF
Securing Your Linux System
byNovell
 
PDF
Practice and challenges from building IaaS
byShawn Zhu
 
PDF
Atc ny friday-talk_slides_20080808
byTodd Deshane
 
PDF
Presentation from physical to virtual to cloud emc
byxKinAnx
 
PPTX
E Vm Virtualization
byArturo Saavedra
 
Building+a+Security+Operations+Center.ppt
byAzim191210
 
Building a Security Operations Center
byLymanAlphaBlob
 
Mcse 70293 Exam Prep Planning And Maintaining A Microsoft Windows Server 2003...
byiurrieprap
 
Building+a+Security+Operations+Center.ppt
byEthioTelecom_Getahun Biratu
 
PLNOG19 - Gaweł Mikołajczyk & Michał Garcarz - SOC, studium ciężkich przypadków
byPROIDEA
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
byGraeme Wood
 
Vss Security And Compliance For The Cloud
byGraeme Wood
 
VMworld 2013: IaaS Case Study: How the University of New Mexico Improved Serv...
byVMworld
 
Vmug birmingham mar2013 trendmicro
bydvmug1
 
Forecast 2012 Panel: Security POC NAB, Terremark, Trapezoid
byOpen Data Center Alliance
 
How I reshaped my lab environment
bysubtitle
 
Ece seminar 20070927
byTodd Deshane
 
VMworld 2013: US Air National Guard - DoD Private Cloud Initiative –How Virtu...
byVMworld
 
Architecting a Private Cloud - Cloud Expo
bysmw355
 
DRAFT
byVideoguy
 
Securing Your Linux System
byNovell
 
Practice and challenges from building IaaS
byShawn Zhu
 
Atc ny friday-talk_slides_20080808
byTodd Deshane
 
Presentation from physical to virtual to cloud emc
byxKinAnx
 
E Vm Virtualization
byArturo Saavedra
 

More from Napier University

PDF
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
byNapier University
 
PPTX
ARTiFACTS, Emma Boswood
byNapier University
 
PPTX
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
byNapier University
 
PPTX
Memory, Big Data and SIEM
byNapier University
 
PPTX
IoT device attestation system using blockchain, Alistair Duke
byNapier University
 
PPTX
Open Source Intelligence
byNapier University
 
PDF
2. Defence Systems
byNapier University
 
PPTX
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
byNapier University
 
PPTX
RMIT Blockchain Innovation Hub, Chris Berg
byNapier University
 
PPT
Browser-based Crypto M, C. F Mondschein
byNapier University
 
PPTX
Networks
byNapier University
 
PDF
Intrusion Detection Systems
byNapier University
 
PPTX
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
byNapier University
 
PPTX
What is Cyber Data?
byNapier University
 
PDF
10. Data to Information: NumPy and Pandas
byNapier University
 
PDF
1. Cyber and Intelligence
byNapier University
 
PPTX
Should we transform or adapt to blockchain - a public sector perspective?, Al...
byNapier University
 
PDF
Using Blockchain for Evidence Purpose, Rafael Prabucki
byNapier University
 
PPTX
The Road Ahead for Ripple, Marjan Delatinne
byNapier University
 
PPTX
Keynote, Naseem Naqvi
byNapier University
 
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
byNapier University
 
ARTiFACTS, Emma Boswood
byNapier University
 
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
byNapier University
 
Memory, Big Data and SIEM
byNapier University
 
IoT device attestation system using blockchain, Alistair Duke
byNapier University
 
Open Source Intelligence
byNapier University
 
2. Defence Systems
byNapier University
 
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
byNapier University
 
RMIT Blockchain Innovation Hub, Chris Berg
byNapier University
 
Browser-based Crypto M, C. F Mondschein
byNapier University
 
Networks
byNapier University
 
Intrusion Detection Systems
byNapier University
 
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
byNapier University
 
What is Cyber Data?
byNapier University
 
10. Data to Information: NumPy and Pandas
byNapier University
 
1. Cyber and Intelligence
byNapier University
 
Should we transform or adapt to blockchain - a public sector perspective?, Al...
byNapier University
 
Using Blockchain for Evidence Purpose, Rafael Prabucki
byNapier University
 
The Road Ahead for Ripple, Marjan Delatinne
byNapier University
 
Keynote, Naseem Naqvi
byNapier University
 

Recently uploaded

PDF
December Patch Tuesday
byIvanti
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
December Patch Tuesday
byIvanti
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
API-First Architecture in Financial Systems
bycyy111112
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 

Design and Evaluation of [vSoC]: Virtualised Security Operations Centre

  • 1.
    Design and Evaluationof [vSoC]: Virtualised Security Operations Centre Prof William J Buchanan, Charley Celice, Peter Aaby, Bruce Ramsay, Richard Macfarlane, Adrian Smales, Dr Gordon Russell and Bobby Soutar http://thecyberacademy.org [vSoC]
  • 2.
    Sharing of resources DFETTraining Cloud – Infrastructure for training and sharing of material Public Sector  Evaluation of systems.  Training. Academia  Training/sharing materials  Virtualised environments Industry  Training/sharing materials.  Professional certification Software Vendors:  Test environments.  Promoting products.  Providing floating licences Government  Define standards  Evaluate products Public clouds Existing Academic Clouds Law Enforcement  Triage systems  Training
  • 3.
  • 4.
    vSoC/DFET Cloud The currentDFET Cloud contains five main cluster nodes, where each cluster node runs: • VMware vSphere 5.5 with VMware vCenter used to manage the instances. • 170GHz CPU, 767GB of memory. • 40TB of disk space. • 72 Processors. • Running over 2,500 running VMs.
  • 5.
    The Move Toward SecurityAnalytics Big Data/SIEM [vSoC]
  • 6.
    Data Analysis • Increasingnumber of jobs are in Security Analytics (SOC Analysts). • Companies require skills for before, during and after incidents (mix of security and forensics). IncidentsIntroduction Author: Prof Bill Buchanan Incidents During IncidentBefore Incident After Incident Timeline Data At Rest Data In-Motion Data In-Process Files, Directories, File Rights, Domain Rights, etc. File changes, File CRUD (Create, Delete, Update, Delete), Thumbprints Network packet logs, Web logs, Security logs Network scanners, Intrusion Detection Systems, Firewall logs, etc Processes, Threads, Memory, etc. Security Log, Application Log, Registry, Domain Rights. Intruder
  • 7.
    Increasing Complexity ofKnowledge • Increasing requirement for a wide range of skills for security professionals. IntroductionIncResponse Data Capture Web server IT Ops Nagios. NetApp. Cisco UCS. Apache. IIS. Web Services Firewall Router Proxy server Email server FTP server Switch Eve Bob Microsoft Infrastructure Active Directory. Exchange. SharePoint. Structured Data CSV. JSON. XML. Database Sys Oracle. My SQL. Microsoft SQL. Network/Security Syslog/SNMP. Cisco NetFlow. Snort. Intrusion Detection System Alice Cloud AWS Cloudtrail. Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat
  • 8.
    Data Integration • Increasingmove toward the integration of data for security analysis eg with SIEM tools. IntroductionIncResponse Security Operations Centre Eve Eve Logs/alerts Bob SIEM Package (Splunk) News feeds Security alerts
  • 9.
    Design and Evaluationof [vSoC]: Virtualised Security Operations Centre Splunk Lab Integration [vSoC]
  • 10.
    vSoC SIEM Architecture U001- Ubuntu Server 192.168.x.7/24) Main gateway/ fireweall Firewall (pfSense) W001 - Windows 2003 Server (192.168.y.7/24) K001 - Kali (DHCP) K002 - Kali (192.168.y.9/24) em0 (DHCP) em1 em2 10.200.0.1/24 W003 – Windows 2008 with Splunk Enterprise (192.168.y.8/24) _Public _Private _DMZ Splunk forwarder 192.168.y.254/24 192.168.x.254/24
  • 11.
  • 12.
    Design and Evaluationof [vSoC]: Virtualised Security Operations Centre Splunk Testing Environment – Buttercupgames [vSoC]
  • 13.
  • 14.
    Capture The Flag BritishBroadband, and RSA SA [vSoC]
  • 15.
    British Broadband • Video:https://www.youtube.com/watch?v=V7o03eLolqA
  • 16.
  • 17.
  • 20.
    Big Data inCyber Security
  • 21.
  • 22.
    CTF – BigData in Cyber Security
  • 25.
    Design and Evaluationof [vSoC]: Virtualised Security Operations Centre Results [vSoC]
  • 26.
    Current Range ofVMs • Specialised: EnCase, Windows XP (with Malware), GNS3. • Linux Kali. • Ubuntu. • Windows 2003, Windows 2008, Windows 7 and Windows 8. • Firewalls: pfSense, vyatta, F5 Big-IP (in development). • Caine. • Metasploitable.
  • 27.
    Example $tubuntu ="t_ubuntu_205" if ($args[1].contains("u")) { $ins = $prefix+$iubuntu +$i.ToString("000")+"_private"; ... Write-Output "Creating: $($ins) from $($temp) in $($folder) for $($folder) disk: $($disk) " new-vm -name $ins -template $temp -datastore $disk -resourcepool DFETLab - DiskStorageFormat thin -location $folder $apt = Get-NetworkAdapter -VM $ins Set-NetworkAdapter -NetworkAdapter $apt -NetworkName $private - confirm:$false Write-Output "Creating: $($ins) from $($temp) in $($folder) for $($folder) disk: $($disk) " new-snapshot -VM $ins -Name snapshot } Setup network Create VM Create known snapshot
  • 28.
    Results Modules used on: Semester1: Cryptography and Network Forensics (80 students); Network Security (60 students – GNS3); Host-based Forensics (60 students - EnCase). Semester 2: Security Testing (70 students); e-Security (100 students); Incident Response and Malware Analysis (100 students). Cloud upgrade
  • 29.
    Current Work • IntegratingF5 Big-IP (30 licences). • Integration of SDN within Cloud (with Hutchinson Networks). • Integration of RSA SA and Splunk for teaching in 2016/2017. • Integration of HPE Arcsight. • Roll-out of two CTF: British Broadband and RSA SA (Network Forensics. • Development of a mobile Cloud environment, for onsite training/CTF.
  • 30.
    Design and Evaluationof [vSoC]: Virtualised Security Operations Centre Prof William J Buchanan, Charley Celice, Peter Aaby, Bruce Ramsay, Richard Macfarlane, Adrian Smales, Dr Gordon Russell and Bobby Soutar http://thecyberacademy.org [vSoC]