Building a Next-Generation Security Operations Center (SOC) - Sqrrl
So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations.
Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc
A talk on the Next-Gen Security Operations Center given to IDNIC+APJII as a representative of IDSECCONF. A people-centric SOC requires a large investment in people, in both quantity and quality; unfortunately, (good) IT security people are getting rare these days. Organisations need to shift more of their investment toward technology: as in Industry 4.0, machines are becoming advanced enough to support humans in continuous and repetitive tasks.
Moving from a "traditional" to a next-gen SOC requires a proper plan, and that is what this talk was about.
From SIEM to SOC: Crossing the Cybersecurity Chasm - Priyanka Aash
You own a SIEM, but to be secure, you need a Security Operations Center! How do you cross the chasm? Do you hire staff or outsource? And what skills are needed? Mike Ostrowski, a cybersecurity industry veteran, will review common pitfalls experienced through the journey from SIEM to SOC, the pros and cons of an all in-house SOC vs. outsourcing, and the benefits of a hybrid SOC model.
Learning Objectives:
1: You own a SIEM, but to be secure, you need a SOC. How do you cross the chasm?
2: What are the pros and cons of in-house, fully managed and hybrid security?
3: What considerations go into deciding whether to employ a hybrid strategy?
(Source: RSA Conference USA 2018)
7 Steps to Build a SOC with Limited Resources - LogRhythm
Most organizations don't have the resources to staff a 24x7 security operations center (SOC). This results in events that aren't monitored around the clock, major delays in detecting and responding to incidents, and the inability for the team to proactively hunt for threats. It's a dangerous situation.
But there is a solution. By using the Threat Lifecycle Management framework to combine people, process, and technology to automate manual tasks, your team can rapidly detect and respond to threats—without adding resources. Read on to learn 7 steps to building your SOC, even when your resources are limited.
Security management is very complex and is not limited to products and technologies. When setting up a Security Operation Center (SOC) it is important to weigh the alternatives: insight into the business plan requirements, the ability and skill set of the people who will run the SOC, the responsibilities of the team, the budget and more.
Security Operations Center (SOC) Essentials for the SME - AlienVault
Closing the gaps in security controls, systems, people and processes is not an easy feat, particularly for IT practitioners in smaller organizations with limited budgets and few (if any) dedicated security staff. So, what are the essential security capabilities needed to establish a security operations center and start closing those gaps?
Join Javvad Malik of 451 Research and Patrick Bedwell, VP of Product Marketing at AlienVault for this session covering:
* Developments in the threat landscape driving a shift from preventative to detective controls
* Essential security controls needed to defend against modern threats
* Fundamentals for evaluating a security approach that will work for you, not against you
* How a unified approach to security visibility can help you get from install to insight more quickly
An in-depth look at:
1. Disruptive Technology and its impact on organizations.
2. The need for a Security Operations Center (SOC) for 21st-century businesses
3. Designing and operating an effective SOC - what it takes to run a successful SOC starting from how we should prepare our minds in terms of approach to the actual implementation and operation.
4. Qualities any SOC Analyst should possess
5. Measuring the success of a SOC - We discuss critical factors to consider when determining the success of a SOC.
Insight is one of the best security operation centers: it addresses everything needed to reduce advanced threats and security risk across your company and protects your network infrastructure across the organization. https://insightmsp.co.in/soc-as-service.php
SOC Architecture - Building the NextGen SOC - Priyanka Aash
Why are APTs difficult to detect
Revisit the cyber kill chain
Process-oriented detection
NextGen SOC Process
Building your threat mind map
Implement and measure your SOC
Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operation Center requirement
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation center" is often used synonymously with SOC.
A network operations center (NOC), which focuses on network device management rather than on detecting and responding to cybersecurity incidents, is not a SOC. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same whether or not they are delivered from a SOC. The SOC is a meta-topic that involves many security domains and disciplines, depending on the services and functions the SOC delivers.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC:
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
Security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)
مرکز عملیات امنیت (Persian; literally "Security Operations Center")
According to Cisco's 2018 Cybersecurity Automation Study, organizations overwhelmingly favor specialized tools to get the most robust capabilities across their environment. The more disparate technology a SOC uses, the greater the need for a security orchestration and automation platform to tie everything together.
Visit - https://www.siemplify.co/
Security Strategy and Tactic with Cyber Threat Intelligence (CTI) - Priyanka Aash
Targeted attacks need targeted defense
What protocol should we use for CTI information exchange?
How should we describe our indicators of compromise?
Structured Threat Information eXpression (STIX)
How can we keep information within our defined trust boundaries?
Where to store IOCs?
Threat intelligence feeds lifecycle
How to measure the CTI process?
Summarizes the design and build approach for a SOC (Security Operation Center) for both end-user companies and service providers. Defines the approach flow for building a SOC and the various components and phases involved. Defines design rules of thumb and parameters for SOC design.
What We've Learned Building a Cyber Security Operation Center: du Case Study - Priyanka Aash
The cybersecurity landscape is rapidly evolving, with new threats and threat actors emerging, and traditional security operations centers (SOCs) need to be augmented accordingly. This session will detail the journey of du in building and continually enhancing its SOC, physically and philosophically, to best deal with attack detection (offensively and defensively) and response.
(Source: RSA Conference USA 2017)
A Security Operation Center (SOC) is the most sensible move to save your business during an attempted cyber security attack. The SOC represents the overall security of an organization/environment, which includes cyber, digital and information security, and the operations center is responsible for assessing and implementing the security posture of the organization. Through the SOC, multiple layers of security are put in place with the objective of protecting information valuable to the organization.
Building a Next-Generation Security Operation Center Based on IBM QRadar and ... - IBM Security
Learn about Sogeti’s journey of creating a new Security Operation Center, and how and why we leveraged QRadar solutions. We explore the full program lifecycle, from strategic choices to technical analysis and benchmarking on the product. We explain how QRadar accelerates the go-to-market of the SOC, and how we embed IBM Security Intelligence offerings in our solution. Having a strong collaboration between different IBM stakeholders such as Software Group, Global Technology Services, as well as the Labs, was key to client satisfaction and operational effectiveness. We also show the value of integrating new QRadar features in our SOC roadmap, in order to constantly stay ahead in the cyber security game.
Building a Cyber Security Operations Center for SCADA/ICS Environments - Shah Sheikh
Abstract: Modern-day cyber threats against Process Control Networks are ever increasing in sophistication and evasiveness. Organizations in the industry face a constant challenge to adopt modern techniques to proactively monitor the security posture within the SCADA infrastructure whilst keeping cyber attackers and threat actors at bay.
In this presentation we cover the fundamental building blocks of a SCADA cyber security operations center, with key responsibilities such as Incident Response Management, Vulnerability and Patch Management, Secure-by-Design Architecture, and Security Logging and Monitoring, and how these security domains drive accountability and act as a line of authority across the PCN.
Evolving technologies and business models have led to advanced network security threats that did not exist a few years ago. Moreover, enterprises are relying on outdated security solutions to shut out such threats, which is leading to bigger and more frequent data breaches. So if your company recognizes the need for a reliable IT security solution, join our webinar to learn the following:
- An overview of the prevalent enterprise security threats
- The evolving security landscape and the obsolete security mechanisms
- What Seqrite does to ensure enterprise security and network compliance
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks - Angeloluca Barba
A presentation given in April 2019 in London during ICS Cyber Security Conference. I discuss an anonymized investigation conducted by our team to identify a real malware infection on a production network, the tools and techniques used to contain this threat and how to use threat intelligence and visibility to stay ahead of cyber adversaries.
Asset visibility and network baselining
Continuous network monitoring
Threat intelligence ingestion
Thorough incident response plans
5 Steps to an Effective Vulnerability Management Program - Tripwire
Revelations about recent breaches have certainly put the question to security professionals across the world, “What can I do to prevent an attack from happening?” Current threats are complicated and driven by highly motivated adversaries.
You can’t defend what you don’t know. This can be a big challenge when it comes to network visibility. Many organizations don’t have a true sense of all that is on their network. Network situational awareness represents the foundation of comprehensive vulnerability management.
In this informative webcast, Tripwire and Lumeta provide insight on how to:
- Identify and fingerprint more assets in your environment
- Ensure greater coverage for scanning devices on your network, including BYOD
- Compile a proper and complete inventory of assets, even those that are unused
- Intelligently prioritize vulnerabilities
- Effectively reduce risk on critical systems
Learn how to overcome security challenges, such as: identity theft, spoofed transactions, DDoS business disruption, criminal extortion and more. You'll learn how a security strategy promotes confidence in the cloud.
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My LinkedIn profile: https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling (system + enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFDs and the threat-element relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
Digitalization has transformed the way businesses function. As technologies evolve, attackers evolve too, finding innovative and more invasive ways to attack organizations. As a result, the organization's security operations center (SOC) is expected to be more agile and dynamic in detecting and responding to attacks. Most organizations' security operations and incident response teams are overworked by the high volume of security threats and alerts they must manage every day.
Most of the money thrown at securing information systems misses the weak spots. Huge amounts are spent securing infrastructure while web applications are left exposed. It is a crisis that is largely ignored.
Software development teams, under pressure to deliver features and meet deadlines, often respond to concerns about the security of their web applications by commissioning a last-minute security assessment and then desperately attempt to address only the most glaring findings. They may even simply throw up a web application firewall to mitigate the threats. Such bolted-on solutions are not long-term answers to web application security.
Instead, we advocate a built-in approach. We will show that by weaving security into the software development life cycle, and using mature resources for security coding standards, toolkits and frameworks such as those from OWASP, development teams can consistently produce secure systems without dramatically increasing the development effort or cost.
This slide deck was most recently presented at a SPIN meeting in Cape Town in September 2012 by Paul and Theo from ThinkSmart (www.thinksmart.co.za).
For more information, contact Paul at ThinkSmart (dot see oh dot zed ay).
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based … - Andris Soroka
World's #1 SIEM technology in GRC (Governance, Risk, Compliance). QRadar Risk Manager provides organizations with a pre-exploit solution that allows network security professionals to assess what risks exist during and after an attack, while also answering many "What if?" questions ahead of time, which can greatly improve operational efficiency and reduce network security risks.
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi - Shah Sheikh
Anonymization techniques are a double-edged sword: they can be used by journalists to communicate more safely with whistleblowers, or by malicious users to commit cyber-crimes without getting caught. The problem is that neither party is truly anonymous or safe from being exposed. In the presentation Mohamed discussed a tool he developed, "dynamicDetect", to de-anonymize TOR clients and browsers and extract the user's original IP address and fingerprint. The tool then uses this information as a launchpad for defensive and offensive actions against that TOR user.
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution - Shah Sheikh
Mohamed Bedewi, Offense Security Division Head and Sr. Penetration Testing Consultant at DTS, also presented during one of the security sessions, titled "Your Network in the Eyes of a Hacker – The 0ff3ns!v3 Version", which raised a few eyebrows to say the least. The presentation slides can be found here….
ISACA Journal Publication - Does your Cloud have a Secure Lining? - Shah Sheikh
ISACA Journal Publication Volume 5 written by Shah Sheikh - published in Q4 2013. Based on the Cloud Security Alliance Framework whitepaper titled "Does your Cloud have a Secure Lining?"
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 - Tobias Schneck
As AI technology pushes into IT, I found myself wondering, as an "infrastructure container Kubernetes guy", how this fancy AI technology gets managed from an infrastructure operations point of view. Is it possible to apply our lovely cloud native principles to it as well? What benefits could the two technologies bring to each other?
Let me take these questions and provide a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss which cloud/on-premise strategy we may need to apply it to our own infrastructure and make it work from an enterprise perspective. I want to give an overview of the infrastructure requirements and technologies that could benefit or limit your AI use cases in an enterprise environment. An interactive demo will give you some insights into the approaches I already have working for real.
Key Trends Shaping the Future of Infrastructure.pdf - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... - Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
DTS Solution - Building a SOC (Security Operations Center)
1. Building a Cyber Security Operations Center
www.dts-solution.com
Shah H Sheikh – Sr. Security Solutions Consultant
MEng CISSP CISA CISM CRISC CCSK
shah@dts-solution.com
2. Cyber Security Operations Center
Agenda – Building a Cyber Security Operations Center
1. The need to build an enterprise-wide CSOC.
2. CSOC 2.0 and its components to form an eco-system.
3. SIEM 2.0 – Log Collection, Log Aggregation, Security Analytics and Correlation.
4. Specific Contextual Threat and Use Cases and Situational Awareness
5. Building Threat Intelligence and Early Warning Detection System
6. CSOC Processes, Procedures and Workflows.
7. CSOC Incident Response Handling
8. Cyber Incident Offense Management
9. CSOC vs. Security Maturity Levels
People, Process and Technology
3. Quick Facts about IT Security
• Around 62% of the incidents targeted just 3 industries last year.
4. Quick Facts…
• Unauthorized access was nearly twice as prevalent in 2014 as in 2013 among the top 5 industries, followed by Reconnaissance activities and Malicious code.
5. Quick Facts…
• Who are these attackers? Many of them are insiders indeed.
6. Quick Facts…
• Organizations are more and more concerned about the security of their IT assets.
8. Why Should You be Concerned?
Here are the top 5 impacts of a security breach:
1. Ruined Reputation: Once the news about a breach is put on the web, you can bet that it will forever live on – no matter how hard you try to erase it.
2. Theft: If hackers are able to get into your website or network, you can guarantee they will be able to access your bank account information or any such confidential information.
3. Revenue Lost: If a hacker gets into your site and crashes it or causes a long period of downtime, your operations will cease and you will lose revenue.
4. Damaged Intellectual Property: While stealing your identity and money can be incredibly bad, stealing your intellectual property can be just as damaging to a business. If a hacker gets in and steals ideas, plans, or blueprints, you could miss out on being able to fully implement new products or designs.
5. Vandalism: Vandalism is the planting of false information and is a tactic that major hacking groups like to use to ruin your company’s reputation.
15. Key Objectives for CSOC … (1)
• Manages and coordinates the response to Cyber Threats and Incidents
• Monitors the Cyber Security posture and reports deficiencies
• Coordinates with regulatory bodies
• Performs Threat and Vulnerability Analysis
• Performs Analysis of Cyber Security Events
• Maintains an Internal Database of Cyber Security Incidents
• Provides Alerts and Notifications for General and Specific Threats
• Provides regular reporting to Management and Cyber Incident Responders
16. Key Objectives for CSOC … (2)
• Reduce the response time of a security incident from initial findings, to reporting, to containment
• Recovery Time Objective (RTO) in case a security incident materializes
• Proactive Security Monitoring based on predefined security metrics / KPIs
• Raise Awareness of Information Security across the community of leaders and subordinates
• Ability to correlate system, application, network, server and security logs in a consistent way
17. Key Objectives for CSOC … (3)
• Ability to automate the requirements to meet compliance – vulnerability assessment and risk management
• Ensure the change control function is integrated into the SOC process
• Identification of all security attack vectors and classification of incidents
• Define disaster recovery plans for ICE (in case of emergency).
• Build a comprehensive reporting dashboard that is aligned to security metrics
• Build a local in-house SIRT (security incident response team) that collaborates with the National CERT
18. Key Objectives for CSOC … (4)
• Build SOC processes that are aligned to existing ISO27001 security policies
• Build a physical and virtual team of SOC personnel for 24 x 7 monitoring
• Build forensics capabilities to be able to reconstruct the series of events during an incident
• Proactive monitoring of network and security infrastructure devices
19. Components of a CSOC
• Build the SOC with a simple acceptance and execution model
• Maximize the use of technology.
• Build security intelligence and visibility that was previously unknown; build an effective coordination and response unit and introduce automation of security processes.
• Develop SOC processes that are in line with industry best practices and accepted standards – ISO27001:2013, PCI-DSS3.0, IEC-62443, NIST
SECURITY INCIDENT MANAGEMENT
· PRE AND POST INCIDENT ANALYSIS
· FORENSICS ANALYSIS
· ROOT CAUSE ANALYSIS
· INCIDENT HANDLING
· aeCERT INTEGRATION
REPORTING
· EXECUTIVE SUMMARY
· AUDIT AND ASSESSMENT
· SECURITY METRIC REPORTING
· KPI COMPLIANCE
· SLA REPORTING
REAL-TIME MONITORING
· DATA AGGREGATION
· DATA CORRELATION
· AGGREGATE LOGS
· COORDINATE RESPONSE
· AUTOMATED REMEDIATION
20. CSOC – Core Components
Core Components for a CSOC 2.0
• OSS – Operational Support System
• SIEM – Security Information and Event Management
• Proactive Monitoring - Network and Security and Server Infrastructure
• Alert and Notification – Security Incident Reporting
• Events Correlation and Heuristics / Behavioral / Anomaly
21. CSOC – Core Components
Core Components for a CSOC 2.0
• Information and Network Security $$ Automation $$
• To natively build-in compliance and audit functions
• To manage change control process through integrated ITILv3 CM and SD
• Configuration Management of Infrastructure Components
22. CSOC – Core Components
Core Components for a CSOC 2.0
• Alignment of Risk Management with Business Needs
• Qualified Risk Ranking
• Risks are ranked based on business impact analysis (BIA)
• Risk framework is built into the SIEM solution;
• incident = risk severity = appropriate remediation and isolation action
• SOC is integrated with Vulnerability and Patch Management
23. CSOC – Core Components
Core Components for a CSOC 2.0
• IRH – Incident Response Handling
• The effectiveness of the SOC is measured by how incidents are managed, handled, administered, remediated and isolated.
• A continuous cyclic feedback mechanism drives IRH
• Critical functions include Network Forensics and Surveillance Technology
• Reconstruct the incident … Evidence gathering … Effective Investigation
• Escalation Management – know whom to communicate with during an incident
24. CSOC – Core Components
Sample Architecture for the CSOC (architecture diagram; only its labels are recoverable here)
Monitored elements: Perimeter and Boundary Points, Network Nodes, Internet, DMZ / Published Services, IPS, WWW, SSL VPN, Applications, Active Directory, DB, Middleware, SMTP, Internal Resources, Mainframe, Servers, WAF, FW
DATA ACQUISITION LAYER – SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
Collection methods: HTTP, SNMP, SMTP, SYSLOG, API, XML, CUSTOM FILE, LOGFILE
EVENT CORRELATION LAYER
· Event Correlation Engine
· Analysis and Filtering
· Event Management
· Integration with NMS Systems
· Trouble Ticket Integration
· Flow Analysis
SECURITY VULNERABILITY
· Common Vulnerability Exploits CVE
· Risk Ranking
· Configuration Audit
· Security Metric Dashboard
DATA COLLABORATION
· Policy Management
· Asset Repository
· Problem Incident Management
· Security Incident Reporting
· Change Control
· Security Automation
REPORTING AND MANAGEMENT LAYER
Security Management, Systems Management, Network Management, Reporting, KPI, SLA, Benchmark, Compliance Management
25. CSOC – Core Components
Integration of Core SOC Components
28. PEOPLE - Structuring the SOC
The SOC’s structure must correspond to that of its organization. The key drivers for determining which SOC model is best for the enterprise are:
• Size of the organization, in terms of users, IP addresses, and/or devices
• Frequency of incidents
• Timeliness and accuracy of incident response expected
32. PEOPLE - Skill-Sets Required
It is important to determine which skills an analyst should have in order to be a part of the SOC. The 2 areas are:
Technical Skills:
TCP/IP
SIEM, IDS/IPS, NetFlow, tools such as Snort, Argus, tcpdump, Wireshark, etc.
Cryptographic algorithms like 3DES, AES, RSA, MD5, SHA, SSL/TLS, DH, etc.
Vulnerability Assessment, Penetration Testing
Security engineering, Scripting
Etc……
Soft Skills:
33. PEOPLE - Skill-Sets Across Different Roles
Role/Title – Desired Skills
Tier 1 Analyst – Few years in security, basic knowledge of systems and networking
Tier 2 Analyst – Former Tier 1 experience, deeper knowledge of security tools, strong networking / system / application experience, packet analysis, incident response tools
SOC Lead – All the above + can adjust the security intelligence platform, knows reverse engineering/threat intelligence/forensics
SOC Director – Hiring and staffing, interfacing with execs to show value and get resources, establishing metrics and KPIs
SOC Architect – Experience designing large scale security operations, security tools and processes
34. PEOPLE - Training Needs
Mature SOCs should have a robust training program that brings new recruits up to speed to execute the operations and to develop and enhance the skills of existing SOC employees. Some of the training areas include:
• Informal on-the-job training in tools and techniques
• External training on certifications like GIAC, CISSM, CISM, etc.
• Training courses for specialties like forensics and intrusion analysis, SIEM, IDS, malware analysis and reverse engineering, VA-PT, etc.
• Etc….
36. CSOC – Developing Processes
Creating the CSOC Processes
CSOC Processes, Procedures and Workflows developed should be aligned to the Corporate ISMS (if it exists)
DATA SECURITY AND MONITORING
• Data Asset Classification
• Data Collection
• Data Normalization
• Data at Rest and In Motion
• Data Protection
• Data Distribution
37. EVENT MANAGEMENT
• Event Correlation
• Identification
• Triage
• Roles
• Containment
• Notification
• Ticketing
• Recovery
• Forensics and Situational Awareness
38. RISK MANAGEMENT
• Context Establishment
• Risk Identification
• Risk Analysis
• Risk Evaluation
• Risk Treatment
39. INCIDENT RESPONSE PRACTICE
• Security Incident Reporting Structure
• Security Incident Monitoring
• Security Incident Escalation Procedure
• Forensics and Root Cause Analysis
• Return to Normal Operations
• Post-Incident Planning and Monitoring
• Communication Guidelines
• National CERT Integration
40. SOC OPERATING GUIDELINES
• SOC Workflow
• Personnel Shift Description
• Shift Reporting
• Shift Change
• Information Acquisition
• SOC Monitoring Suite
• SOC Reporting Structure
• Organizational Chart
41. ESCALATION MANAGEMENT
• Escalation Procedure
• Pre-Escalation Tasks
• IT Security
• Network Operation Center
• Security Engineering
• National CERT Integration
• Law Enforcement
• 3rd Party Service Providers and Vendors
42. DATA RECOVERY PROCEDURES
• Disaster Recovery and BCP Procedure
• Recovery Time Objective
• Recovery Point Objective
• Resiliency and High Availability
• Facilities Outage Procedure
43. SECURITY INCIDENT PROCEDURES
• Email Phishing - Email Security Incident
• Virus and Worm Infection
• Anti-Virus Management Incident
• NetFlow Abnormal Behavior Incident
• Network Behavior Analysis Incident
• Distributed Denial of Service Incident
• Host Compromise - Web Application Security Incident
• Network Compromise
• Internet Misuse
• Human Resource - Hiring and Termination
• Domain Hijack or DNS Cache Poisoning
• Suspicious User Activity
• Unauthorized User Access (Employee)
44. VULNERABILITY AND PATCH MANAGEMENT
• Vulnerability Research (Threat Intelligence)
- Notifications sent to respective system owners
• Patch Management - Microsoft SCOM
• Identification
• Dissemination
• Compliance Monitoring
• Network Configuration Baseline
• Anti-Virus Signature Management
• Microsoft Updates
46. TOOLS OPERATING MANUAL FOR CSOC PERSONNEL
• Operating Procedure for SIEM 2.0 Solution – Event Management and
Flow Collector/Processor and Advanced Correlation
• NGFW Firewall Security Logs
• IPS Security Logs
• SSL VPN / IPSEC VPN / Remote Access logs
• WAF Security / DB Activity Monitoring / ERP Security logs
• User Activity / Login / Active Directory / AAA Logs
• Endpoint Security (AV, Malware Protection, SCOM)
• Operating Procedure for Configuration and Policy Compliance
• Operating Procedure for Vulnerability Assessment
Creating the CSOC Operating Manuals
47. SECURITY ALARMS AND ALERT CLASSIFICATION
• Critical Alarms and Alerts with Action Definition
• Non-Critical and Information Alarms
• Alarm reporting and SLA to resolve the alarms
48. SECURITY METRIC AND DASHBOARD – EXECUTIVE SUMMARY
• Definition of Security Metrics based on Center of Internet
Security standards
• Security KPI reporting definition
• Security Balanced Scorecard and Executive Reporting
49. Monthly Activities Status Reporting
• Summary of all areas of operations
• Scheduled automated reports from SIEM
• Trends and statistics based on incidents
• Reports of most targeted vulnerable assets,
highest number of incidents, etc.
53. CSOC Technologies …
SIEM Advanced Use Case Implementation
DTS Solution specializes in creating advanced threat cases on SIEM, wherein the customer environment is assessed and threat cases are created accordingly.
Sample threat cases that can be implemented:

Rule ID: INT_001
Title: Worm Propagation
Log Sources: All
Description of Threat Case: A system gets attacked or infected with malware and in turn spreads the malware to several other systems.
Threat Reason: This rule would detect worm propagation in the network.
SIEM Logic:
1. Host A compromises host B with log classification as Attack, Compromise, Malware, etc.
2. Host B compromises several other hosts with similar log classification.

Rule ID: INT_002
Title: Reconnaissance followed by suspicious activities
Log Sources: All
Description of Threat Case: A reconnaissance attack was detected on a server and was followed by suspicious activities such as user account creation, deletion, privilege escalation, etc.
Threat Reason: Reconnaissance activities like port scans can give information about the system which can then be used by an attacker to gain access and alter the system configuration according to his requirements.
SIEM Logic:
1. Reconnaissance was detected on a particular system.
2. Suspicious activities were reported on the same server within a specified time interval.
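The two sample threat cases above, INT_001 and INT_002, written out as an added Python example (illustration code for this page, not DTS Solution's material and not any vendor's correlation engine). The Event fields, the log classification names (Attack, Compromise, Malware, Reconnaissance, AccountCreated, AccountDeleted, PrivilegeEscalation), the victim threshold, the time window and the sample events are all constructed assumptions; a real SIEM would feed in its own normalised categories.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed normalised log classifications (real SIEMs use their own taxonomy)
ATTACK_CLASSES = {"Attack", "Compromise", "Malware"}
RECON_CLASSES = {"Reconnaissance"}
SUSPICIOUS_CLASSES = {"AccountCreated", "AccountDeleted", "PrivilegeEscalation"}


@dataclass(frozen=True)
class Event:
    ts: int          # event time in seconds (constructed values below)
    src: str         # source host of the event
    dst: str         # destination / affected host
    category: str    # normalised log classification


def detect_worm_propagation(events, min_victims=3):
    """INT_001: host A compromises host B (attack-class event), then host B goes on
    to compromise several other hosts. Returns one offense per spreading host as
    (rule_id, spreading_host, sorted list of its victims)."""
    first_hit = {}                 # host -> time it was first attacked or infected
    spread = defaultdict(set)      # infected host -> hosts it attacked afterwards
    offenses = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.category not in ATTACK_CLASSES:
            continue
        # Only count outbound attacks that happen after the source was itself hit
        if e.src in first_hit and e.ts >= first_hit[e.src]:
            spread[e.src].add(e.dst)
            if len(spread[e.src]) == min_victims:   # fire once, when the threshold is reached
                offenses.append(("INT_001", e.src, sorted(spread[e.src])))
        first_hit.setdefault(e.dst, e.ts)
    return offenses


def detect_recon_then_suspicious(events, window=3600):
    """INT_002: reconnaissance against a host followed, within `window` seconds, by
    suspicious activity on the same host. Returns one offense per host as
    (rule_id, host, recon_ts, suspicious_ts)."""
    recon_times = defaultdict(list)   # host -> times it was scanned
    offenses, flagged = [], set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.category in RECON_CLASSES:
            recon_times[e.dst].append(e.ts)
        elif e.category in SUSPICIOUS_CLASSES and e.dst not in flagged:
            recent = [t for t in recon_times[e.dst] if 0 <= e.ts - t <= window]
            if recent:
                flagged.add(e.dst)
                offenses.append(("INT_002", e.dst, recent[0], e.ts))
    return offenses


def run_rules(events):
    """Run both sample threat cases and return their offenses keyed by rule id."""
    return {"INT_001": detect_worm_propagation(events),
            "INT_002": detect_recon_then_suspicious(events)}


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    Event(100, "10.0.0.5", "10.0.0.20", "Malware"),             # A infects B
    Event(200, "10.0.0.20", "10.0.0.21", "Attack"),              # B attacks others...
    Event(210, "10.0.0.20", "10.0.0.22", "Compromise"),
    Event(215, "10.0.0.20", "10.0.0.24", "Allowed"),             # benign traffic, ignored
    Event(220, "10.0.0.20", "10.0.0.23", "Malware"),             # third victim -> offense
    Event(500, "10.0.0.99", "10.0.1.7", "Reconnaissance"),       # scan of 10.0.1.7
    Event(900, "10.0.0.99", "10.0.1.7", "PrivilegeEscalation"),  # within window -> offense
    Event(1000, "10.0.0.99", "10.0.1.8", "Reconnaissance"),      # scan of 10.0.1.8
    Event(9000, "10.0.0.99", "10.0.1.8", "AccountCreated"),      # outside window -> no offense
]

if __name__ == "__main__":
    for rule, found in run_rules(SAMPLE_EVENTS).items():
        print(rule, found)
```

The victim threshold and the time window are the tuning knobs an analyst adjusts per environment; the usual false-positive sources are authorised vulnerability scanners (which look like reconnaissance) and patch or deployment systems (which touch many hosts at once), so in practice both rules get an exclusion list of approved scanner and management sources, which is exactly the kind of clarification the "Important Note" on slide 80 below records for a Windows rule.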
54. CSOC Technologies …
Compliance Management and Policy Conformance
• Configuration Audit across Infrastructure Systems and Devices
• ISO27001 / PCI-DSS3.0 / IEC-62443 Security Policy Compliance
• Risk Management – Identification and Mitigation
• Baseline Configuration Violation Monitoring (Continuous Compliance / Monitoring)
• Network Topology Mapping and Visualization
• Vulnerability Assessment and Management
55. CSOC Technologies …
Network and Security Monitoring (Traditionally owned by the Networking Team) > Integrate with Security Requirements
• Network Performance Monitor - SNMP
• Network Monitoring
• Link Utilization
• Availability Monitoring
• SLA reporting
• Integration with service desk for automated ticket creation
56. CSOC Technologies …
Security Analysis and Threat Intelligence
• Network Forensics (Raw Packet Capture > Session Reconstruction)
• Live Situational Awareness Intelligence Feeds
• Artifacts and Packet Reconstruction (Chain of Custody)
• Monitor all Internet Activity (Linked to Identity (username) as opposed to IPs)
• Record metadata for recursive analysis during incident response
• Integration with Incident Response Handling (IRH) and SIEM
• Threat Intelligence and Global Threat Actor Map
62. CSOC SHIFT GUIDELINES
• Attackers work 24x7. Does the SOC also need to work round the clock?
• Finding the right staffing plan can be challenging and depends on a number of considerations, including:
– Criticality of business
– Size of SOC staff
– Is the host facility open 24x7
– Size of the organization and its normal business hours
– Etc…..
63. 24x7 Operations
Benefits:
• Availability – Anytime, Anywhere, Anyhow
• 24x7 monitoring and proactive intervention
• Service consistency & reliability
• Service excellence & innovation
• Market leadership
• Compliance with your security policy
Challenges:
• 24x7 SOCs must maintain a minimum staff of two analysts at all times
• Expensive as compared to 8x5
• Productivity of engineers working in night shifts is affected
• Difficult to manage shift timings
• Health Concerns
65. 24x7 Operations….
Alternatives:
• Staff only certain portions of the SOC 24x7, such as Tier 1; leave other sections with “on-call” availability.
• Expand operations beyond 8x5 to 12x5 or 12x5 plus 8x2.
• ‘Follow the Sun’ approach.
68. You can only monitor what you know
….Know your infrastructure….
• Environments
• Location
• Device Types
• System Types
• Security Zones
• Demarcation Points
• Ingress Perimeters
• Data Center
• Extranet
• WAN
69. Build an Asset Database and Integrate into SIEM
Following asset details can be adjusted with Asset Manager:
• Name
• Description
• Weight
• Operating System
• Business Owner
• Business Owner Contact Information
• Technical Owner
• Technical Owner Contact Information
• Location
• Risk and Vulnerability Information (CVEs)
Build an Asset Repository
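An added example (not from the slides and not DTS Solution's code) of how the asset attributes listed above feed the risk ranking described on slide 22: the offense's severity is weighted by the asset's BIA weight, boosted when the offense references a vulnerability already recorded against the asset, and mapped to a remediation action. An offense on a host the repository does not know is reported as a finding in its own right, since you can only monitor what you know. The scoring formula, the thresholds, the action names, the sample assets, the contact addresses and the placeholder CVE id are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Asset:
    """One asset record; the fields mirror the Asset Manager attributes on the slide."""
    name: str
    description: str
    weight: int                  # business impact weight from the BIA, 1 (low) .. 10 (critical)
    operating_system: str
    business_owner: str
    business_owner_contact: str
    technical_owner: str
    technical_owner_contact: str
    location: str
    cves: list = field(default_factory=list)   # open vulnerabilities recorded for this asset


class AssetRepository:
    """In-memory asset database keyed by IP address (a SIEM would sync this from a CMDB)."""
    def __init__(self):
        self._by_ip = {}

    def add(self, ip, asset):
        self._by_ip[ip] = asset

    def lookup(self, ip) -> Optional[Asset]:
        return self._by_ip.get(ip)


# Assumed thresholds: risk score = severity (1-10) x asset weight (1-10), so 1..100
ACTIONS = [
    (60, "P1: isolate host, open incident ticket, page technical owner"),
    (30, "P2: open incident ticket, notify technical owner"),
    (0,  "P3: log and review in the next shift report"),
]


def rank_offense(offense, repo):
    """Enrich a SIEM offense with asset context and map it to a remediation action.
    offense = {"rule_id": ..., "host": <ip>, "severity": 1..10, "cves": [...optional]}"""
    asset = repo.lookup(offense["host"])
    if asset is None:
        # Unknown host: cannot be ranked, and is itself an asset-inventory gap
        return {**offense, "asset_known": False, "risk_score": None,
                "action": "unknown asset: discover and register it, then re-rank"}
    score = offense["severity"] * asset.weight
    # An offense that references a vulnerability known to be open on this asset is more credible
    if any(c in asset.cves for c in offense.get("cves", [])):
        score = min(100, score + 20)
    action = next(text for threshold, text in ACTIONS if score >= threshold)
    return {**offense, "asset_known": True, "asset_name": asset.name,
            "technical_owner": asset.technical_owner,
            "technical_owner_contact": asset.technical_owner_contact,
            "risk_score": score, "action": action}


def build_sample_repository():
    """Constructed sample assets (not real systems); the CVE id is a placeholder."""
    repo = AssetRepository()
    repo.add("10.0.0.20", Asset("erp-db-01", "ERP database server", 9, "Linux",
                                "Finance Director", "finance@example.com",
                                "DBA Team", "dba@example.com", "DC-1",
                                cves=["CVE-0000-00001"]))   # placeholder, not a real CVE id
    repo.add("10.0.1.7", Asset("test-web-03", "QA web server", 3, "Windows",
                               "QA Lead", "qa@example.com",
                               "Web Ops", "webops@example.com", "Lab"))
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    for off in ({"rule_id": "INT_001", "host": "10.0.0.20", "severity": 7},
                {"rule_id": "INT_002", "host": "10.0.1.7", "severity": 7},
                {"rule_id": "INT_002", "host": "10.0.9.9", "severity": 9}):
        print(rank_offense(off, repo))
```

The same rule firing with the same severity lands in P1 on the ERP database and in P3 on the lab web server, which is the point of weighting by business impact rather than by rule alone; the owner contact fields are what let the SOC notify the right person without a separate lookup during the incident.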
70. BUILD A SECURITY SERVICES CATALOG
• Know the service flows across your infrastructure … Service Flows (Published Services) …
71. Integration with Vulnerability Management
• Understanding the service flows will allow you to VISUALIZE … Service Flows (Internal Services) …
Integration with Vulnerability Management
75. • Build contextual threat cases per environment;
– Extranet
– Internet
– Intranet
– Data Center
– Active Directory
– Malware / Virus Infection and Propagation
– NetFlow Analysis
– Remote Sites / WAN
– Remote Access – IPSEC VPN / SSL VPN
– Wireless
– etc…..
Develop Threat Cases
76. DEVELOP THREAT CASES
• Define threat cases per environment … not by system …. (silo)
• CONTEXTUAL
• SERVICE ORIENTATED
• USER CENTRIC
ID – Threat Case Development
OS.WIN – Microsoft Windows Servers - Threat Case Development Documentation; Microsoft Active Directory - Threat Case Development Documentation
MSIIS, MSSQL, MSEXC – Microsoft Application - Threat Case Development Documentation (IIS, MSSQL, Exchange)
IBMAIX, LINUX, SOLARIS – UNIX/LINUX/SOLARIS/AIX – Threat Case Development Documentation
PRIVACC – Advanced Threat Cases for Privileged User and Special Account Activity and Monitoring
N/A – Baseline Security Settings on UNIX/LINUX/SOLARIS/AIX server
BUSINT – Business Internet
EXTRNT – Extranet
S2SVPN – Site to Site VPN
77. ADVANCED THREAT CASES - ENVIRONMENT
• Define threat cases per environment … eventually this should include all environments …
ID – Threat Case Development
INTOFF – International Offices – Global MPLS
SSLVPN – Juniper SSL VPN
NATIONAL – IPVPN – National MPLS IPVPN
WIRLESS – Wireless Infrastructure
VOIPUC – Voice over IP
VSAT – VSAT – Satellite
DIGPKI – PKI and X.509 Digital Certificates (systems threat case)
AAA – AAA (systems threat case)
HIPS – HIPS and Application Whitelisting
EXECACC – Executive Account Monitoring
SAP – SAP Router and SAP Privilege Activity Monitoring
COMPLIANCE – Compliance and Best Practices Configuration
NAC – Network Admission Control
IPS-AV – IPS and AV Management Console
EMAIL – Email Security – Business Internet Gateway
DAM – Database Activity Monitoring (DAM)
SFT – Secure File Transfer
• IMPORTANT – understand the environment and understand the threats related to those environments …..
80. Develop Threat Cases – Windows Servers
Important Note:
"OS.WIN.010.Offense: Multiple Logon for Single User from Different Locations" offense is disabled pending clarification of the application/system account names to be excluded from the rule's logic.
81. DTS Solution helps you consider the following aspects of controlling staffing levels while staying within the allocated budget:
1. What are the factors that Influence SOC Staffing Levels?
2. Whom do we hire?
3. How many people do we need?
4. How do we retain them?
Controlling SOC Staff According to Budget
82. DTS recognizes the following elements of a SOC that should be under one command structure:
• Real-time monitoring and triage (Tier 1)
• Incident analysis, coordination, and response (Tier 2 and above)
• Cyber intel collection and analysis
• Sensor tuning and management and SOC infrastructure Operations & Maintenance
• SOC tool engineering and deployment
Bringing All Core SOC Functions Together Under 1 Roof
83. There are a number of IT and cybersecurity policies that enable the effective functioning of security operations and that should be implemented:
• User consent to monitoring
• Acceptable use policy
• Privacy and sensitive data handling policies
• Internally permitted ports and protocols
• Externally permitted ports and protocols
• Host naming conventions
• Other IT configuration and compliance policy
• Bring your own device and mobile policies
• Approved OSes, applications, and system images
• Authorized third-party scanning
• Audit policy
• Etc…..
Policies Authorizing SOC to do its Job
86. DTS Solution provides the following list of SOC documents, which will help in planning, building and operating the SOC:
• Information Security Incident Management Procedure
• Threat Management Standard Operating Procedure
• Major Incident Management Process
• Information Security Infrastructure Review Report
• Major Incident Report
• Security Infrastructure Recommended Solution
• Major Incident Management Process Flowchart
• Incident Management Process Flowchart
• List of SIEM Advance Threat Cases
• Procedure for the Handling of Virus and Denial of Service Attacks
• Security Hardening Guidelines for various Security Tools
SOC DOCUMENTS
91. CSOC-Wiki - Goals
Purpose of the WiKi
• Centralized Knowledge Repository for the SOC
• Collaborate and Share Information with other Team Members
• Ease of use and searchable (Google-like)
• Integrations with other toolsets
Challenges within the CSOC
• Current Issues with SIEM Processes, Documentation, Offence Handling, Knowledge Sharing
• SIEM Integrations into SOC-Wiki
• SIEM Threat Cases
92. CSOC Wiki – SIEM Integration
(Diagram: CSOC - WiKi linking Processes, Threat Cases and Workflows; Security Maturity Level 4 to 5)
93. CSOC Wiki – SIEM Integration
(Diagram: 1 – Current Maturity Level, 2 – Target Maturity Level)
95. SOC Wiki – SIEM Threat Cases
• Listed above is how Threat Cases are displayed in SOC-Wiki
• Threat Case Name, Severity, Status
• Information - Centralized, Detailed and Searchable
• Information updated by SIEM and SOC Teams