The document discusses the critical role of Security Operations Centers (SOCs) in cybersecurity, emphasizing their functions in threat detection, response, and regulatory compliance. It outlines various SOC models, their adoption trends, cost considerations, and operational requirements, including a focus on personnel, technology, and processes. The importance of a mature SOC is highlighted, particularly in an evolving threat landscape where breaches occur rapidly and often go undetected for extended periods.

1. SECURITY OPERATION
CENTER(SOC)
Reza Adineh
Cyber Security Specialist
SOC Expert
Forensic Researcher
Contact me:
https://ir.linkedin.com/in/rezaadineh
Dec-2017

2. UNDERSTANDING THE PROBLEM
2

3. WHAT IS THE PROBLEM ???

4. Cyber Security Breach :

5. A GOOD HINT … TO BE CARE ABOUT …

7. The Verizon 2015 Data Breach Investigation Report showed that 60 percent of
businesses being breached happened within minutes or less. The report also showed
that half of these incidents took anywhere from months to even years before being
uncovered. So in summary, breaches tend to happen very quickly and on average
take a long time to be detected by the targeted organization. These numbers
demonstrate the importance of having an effective security operations program in
which a mature SOC plays a significant role

14. ‫%فجار‬%‫ن‬‫ا‬
‫%ات‬‫ع‬‫%ال‬‫ط‬‫ا‬
‫%ی‬‫س‬‫%تر‬‫س‬‫د‬
‫%ا‬‫ه‬‫%کر‬‫ه‬ ‫%تر‬%‫ش‬‫بی‬
‫%ات‬‫ع‬‫%ال‬‫ط‬‫ا‬ ‫%ه‬‫ب‬
‫%ختلف‬%‫م‬
‫داده‬ ‫%نوع‬‫ت‬
‫%راوان‬%‫ف‬

16. A kill chain is a term used by the US
military to describe the steps or stages an
adversary takes to attack you.

19. Advanced Persistence Threat Methodology:

27. GO FOR SOLUTIONS …

29. RISK

30. Vulnerability Assessment & Penetration Testing

31. SANS Vulnerability Model:

32. COMPREHENSIVE SECURITY ASSESSMENT

33. SECURITY MODEL & CYBER SECURITY FRAMEWORKS

36. MONITORING AND REPORTING
! Continuous security monitoring
! System log monitoring
NTP
Time stamps and log rotation, retention
OS: Vendorbase vs. FreeBSD logging
! Reporting and monitoring systems

37. SolarWinds, OpManager Manage Engine, PRTG,
Desktop Central, Zeus, Zabbix, Microsoft SOCM,
Nagios, …
Monitoring Tools :

38. APPLICATION LOGS
7 primary types of log entries captured by Microsoft Event viewer:
! Application
Information
Verbose
Warning
Error
Critical
! Security
Audit Success
Audit Failure

41. ! Alerts
! Alarms
! Trends
! Thresholds

42. Event Types & more

43. Logging Severity:

44. Example of Mapping Facility Values to Categories:

45. MOST USEFUL SECURITY LOG
! Security logs can contain :
Account logons
Access logs
Account management events
Directory service events
Object access details

46. SysLog Protocol

47. Log Management , Logzila , Snare, Power shell, Secmon, FIM, HIDS , …
Sysmon, ….
Some Microsoft Directory Service Event ID -> 5136 modified, 5137created,
5138 undeleted, 5139 moved, 5141 deleted

60. Incident Response Timeline :

61. Incident Detection Start Phase :

62. ❑‫شامل‬ ‫تهدیدات‬ ‫انواع‬ ‫آوری‬ ‫جمع‬ ‫برای‬ ‫مرکزی‬ ‫سیستم‬ ‫یک‬
▪‫خارجی‬ ‫تهدیدات‬
▪‫داخلی‬ ‫تهدیدات‬
▪‫کاربر‬ ‫فعالیت‬
▪‫سیستمی‬ ‫و‬ ‫شخصی‬ ‫حساس‬ ‫های‬ ‫داده‬ ‫رفنت‬ ‫دست‬ ‫از‬
▪‫تهدیدات‬ ‫به‬ ‫رسیدگی‬ ‫زمان‬ ‫در‬ ‫کافی‬ ‫مدارک‬ ‫کردن‬ ‫فراهم‬
❑‫سازمان‬ ‫های‬‫سیستم‬ ‫و‬ ‫شبکه‬ ‫داشنت‬ ‫نگه‬ ‫سالمت‬
‫#ت؟‬‫س‬‫نی‬ ‫#ی‬‫ف‬‫#ا‬‫ک‬ ‫#بکه‬‫ش‬ ‫#نیت‬‫م‬‫ا‬ ‫#فظ‬‫ح‬ ‫#رای‬‫ب‬ (IDS) ‫#فوذ‬‫ن‬ ‫#شخیص‬‫ت‬ ‫#ای‬‫ه‬‫#تم‬‫س‬‫سی‬ ‫و‬ ‫#ا‬‫ه‬‫#روس‬‫ی‬‫و‬ ‫#تی‬‫ن‬‫آ‬ ،‫#ا‬‫ه‬‫#روال‬‫ی‬‫#ا‬‫ف‬ ‫از‬ ‫#تفاده‬‫س‬‫ا‬ ‫#ا‬‫ی‬‫آ‬

65. SECURITY OPERATION CENTER
A security operations center provides centralized and consolidated cybersecurity incident
prevention, detection and response capabilities. This research outlines the five most
common SOC models and how CISOs can decide which one makes sense for the
organization.
Overview
Key Findings
• Security operations centers (SOCs) are being increasingly adopted by organizations to
provide threat detection, response and prevention capabilities; consolidate and
centralize security operations functions; and meet regulatory and legal requirements for
security monitoring, threat and vulnerability, and incident response management.
• 24/7 SOC operations is cost-prohibitive for many organizations.
• A co-managed SOC working with a managed security service provider (MSSP) is a
credible option for organizations of any size.
• SOCs will fail in their mission if their deliverables are not tightly coupled to business
outcomes.

66. Security operations centers (SOCs) have historically been adopted by very large organizations
requiring centralized and consolidated security operations primarily for efficiency and cost reasons.
The evolving and escalating threat environment and the shift in security defense from "Prevent" to
"Detect and Respond" (see "Best Practices for Detecting and Mitigating Advanced Persistent
Threats" and "Designing an Adaptive Security Architecture for Protection From Advanced
Attacks" ) has prompted a renewed adoption of SOCs by a wider user base — repurposed to focus
on the detection, response, and prevention of cybersecurity incidents and threats.
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility
dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and
incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation
center "is often used synonymously for SOC.
A network operations center (NOC) is not a SOC, which focuses on network device
management rather than detecting and responding to cybersecurity incidents. Coordination
between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider
may offer services from a SOC. A managed service is a shared resource and not solely
dedicated to a single organization or entity. Similarly, there is no such thing as a managed
SOC.

67. Description
SOCs are used to provide the following functions:
• Security device management and maintenance
• Threat and vulnerability management
• Security monitoring and auditing
• Cyber security incident response management
• Security compliance management
• Security training

68. Alternative names for SOC :
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)

69. Most of the technologies, processes and best practices that are used in a
SOC are not specific to a SOC. Incident response or vulnerability
management remain the same, whether delivered from a SOC or not. It is a
meta-topic, involving many security domains and disciplines, and
depending on the services and functions that are delivered by the SOC.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution

70. The defining attributes of excellence in a SOC all stem from the quality, not quantity, of
people and the maturity of processes. Depending on the fulfilled functions, a fully
functional SOC running at 24/7 requires a minimum of eight to 10 people just to maintain
two people per shift, working three days on, three days off, four days on and four days off in
opposing 12 hour shifts. It requires two people per shift to enable one to monitor while the
other investigates, and to cover health and safety concerns. This does not include
management, staff turnover, personal time off or other specialist functions like malware
reverse engineering, forensics and threat analysis.

71. A SOC ideally should be located in a dedicated facility purpose-built to facilitate
operational security. Due to the sensitive nature of incident investigations, as well as the
potential for tampering with potential evidence and hiding malicious tracks, physical
access to the facility is restricted to authorized personnel only. The SOC's command
control infrastructure should be heavily segmented away from the production network to
prevent internal breaches affecting the operations of the SOC. Ideally, the technology
infrastructure used for monitoring and investigations within the SOC should be isolated
and separated from the Internet. Finally, the SOC will often have its own independent
Internet connectivity so that it can continue to operate and perform investigations even if
the corporate network is, for example, under a DDoS attack.
Beyond the typical preventative technologies such as firewalls, IPSs and proxies, a SOC will
utilize a broad technology stack providing security telemetry gathering, analysis and incident
management capabilities. A security information and event management (SIEM) solution is
the most commonly encountered platform used for this, integrated with a GRC and/or help
desk solution. Incident response management platforms are increasingly being added to this
stack to provide purpose and prebuilt incident management workflows and features (see
"Technology Overview for Security Incident Response Platforms" ), as well as various
advanced threat and security analytics technologies, for example, user and entity behavior
analytics (see "Market Guide for User and Entity Behavior Analytics" ), to enhance their
advanced threat detection capabilities. Threat intelligence platforms (see "Technology
Overview for Threat Intelligence Platforms" ) also aid the SOC in bringing in external threat
landscape context in a more efficient manner and assist with incident response, threat
forecasting and threat intelligence sharing, ingesting many flavors of threat intelligence and
then actioning it.

74. Phase of Building a SOC :

75. MATURITY MODELS

77. :‫هدف‬
‫ابعاد‬ ‫و‬ ‫سطوح‬ ‫تمام‬ ‫در‬ ‫امنیت‬ ‫ایجاد‬
‫کار‬ ‫و‬ ‫کسب‬ ‫برای‬

78. OPERATIONAL SOC MODEL

79. SOC Model Attributes Typical Adopter
Virtual SOC
• No dedicated facility
• Part-time team members
• Reactive, activated when a critical alert or incident occurs
• Primary model when fully delegated to MSSP
SMBs, small enterprises
Multifunctio
n SOC/NOC
Dedicated facility with a dedicated team performing not just
security, but some other critical 24/7 IT operations from the
same facility to reduce costs
Small, midsize and low-risk large
enterprises where network and
security functions are already
performed by the same or an
overlapping group of people and
teams
Distributed/
Co-managed
SOC
• Dedicated and semidedicated team members
• Typically 5x8 operations
• When used with an MSSP it is co-managed
Small and midsize enterprises
Dedicated
SOC
• Dedicated facility
• Dedicated team
• Fully in-house
• 24/7 operations
Large enterprises, service
providers, high risk organizations
Command
SOC
• Coordinates other SOCs
• Provides threat intelligence, situational awareness and
additional expertise
• Rarely directly involved in day—to-day operations
Very large enterprises and service
providers; governments, military,
intelligence
SOC Models
There are 5 primary operational SOC models:

80. Virtual SOC
A virtual SOC does not reside in a dedicated facility. Instead, it is composed of team members
who have other duties and functions. There is no dedicated SOC infrastructure, relying instead
on decentralized security technologies and becoming active in case of an incident.
A virtual SOC is the least mature of SOC models and suited to smaller enterprises who
experience only infrequent incidents or work with a managed security service provider or other
third party. Gartner also sees this model being adopted as an interim approach during the
transition to a more dedicated SOC capability. A virtual SOC is usually purely reactive,
although a more proactive posture can be achieved in this model by leveraging automated
monitoring capabilities such as correlation or rule-based alerting, and in high-risk environments
anomaly detection and behavioral-analytics-based alerting
Multifunction NOC and SOC
In some end-user organizations, there is a convergence of sharing resources between a SOC
and NOC. It can be a successful model; however politics, budget, process maturity levels, etc.
can lead to doing multiple things, but none of them well. This is the risk with this model.
Where there is a workable relationship with other IT areas, this can be pursued as it can save
significant capital outlay on tools and facilities in terms of budget. However, IT security
leaders must never be distracted by this convergence in terms, or else it may affect the
mission of the SOC and its ability to help deliver and enable business outcomes.

81. Distributed/Co-managed SOC
A distributed SOC consists of some dedicated staff and infrastructure, augmented by additional
team members from other teams, departments or service providers. One or more dedicated people
are responsible for ongoing SOC operations, involving semi dedicated team members and third
parties as required. If an organization cannot operate 24/7, the resulting gap can be covered by a
managed security service provider, resulting in a distributed SOC model.
The co-managed model can greatly reduce the cost of 24/7 operations while maintaining the
primary security function within the organization. In addition, it can augment in-house capabilities
with specialist knowledge, such as forensics, and reduce gaps in expertise.
Driving the adoption of this model are a shortage and gap in availability for skills and expertise,
general budget restrictions and the considerable cost of 24/7 operations. As a consequence, 5x8
operations with an MSSP covering the weekends and nights are a popular model that Gartner
clients are following.
This model is suited for small to midsize organizations and especially for those working
extensively with third parties, such as outsourcers and managed security service providers

82. Dedicated SOC
A centralized SOC has a dedicated facility, infrastructure and team. It is self-contained, possessing
all of the resources required for continuous day-to-day security operations. The team is typically
composed of security engineers, security analysts and a SOC manager. In the case of multishift
operations, each shift will also have a shift lead or duty manager.
A fully centralized SOC is suited for large and midsize enterprises with multiple business units and
geographically dispersed locations, sensitive environments and high security requirements, as well
as those that provide internal security services. This specifically includes MSSPs and service
providers more generally.
Command SOC
Very large organizations, service providers and those providing shared services (for example,
government agencies) may have more than one SOC. Where these are required to run
autonomously, they will function as centralized or distributed SOCs. In some instances though, the
SOCs will be working together, and must be managed hierarchically. In that case, one SOC should
be designated the command SOC. The command SOC coordinates security intelligence gathering,
produces threat intelligence and fuses these for consumption by all other SOCs, in addition to
providing additional expertise and skills such as forensics or threat analysis.

83. HISTORY …

84. SOC Generation & Capabilities :

85. SOC Generation & History

86. SOC- PEOPLE

88. SOC People:

89. SOC People:

95. • Forensics knowledge
• Proficiency in coding, scripting and protocols
• Managing threat intelligence
• Breach management
• Penetration testing
• Data analysts
• Minimum two years of experience in NID monitoring and incident response.
• Familiarity with network security methodologies, tactics, techniques and
procedures.
• Experience with IPS/IDS, SIEMs and other CND security tools.

96. • Ability to read and write Snort IDS signatures.
• Experience reviewing and analyzing network packet captures.
• Experience performing security/vulnerability reviews of network
environments.
• Possess a comprehensive understanding of the TCP/IP protocol, security
architecture, and remote access security techniques/products.
• Experience with enterprise anti-virus solutions, virus outbreak management,
and the ability to differentiate virus activity from directed attack patterns

97. • Working knowledge of network architecture.
• Strong research background, utilizing an analytical approach.
• Candidate must be able to react quickly, decisively, and deliberately in
high
stress situations.
• Strong verbal/written communication and interpersonal skills are
required to document and communicate findings, escalate critical
incidents, and interact with customers.
• Highly motivated individual with the ability to self-start, prioritize,
multi-task and work in a team setting.
• Ability and willingness to work shifts ranging within 7:00 AM EST
11:00 PM EST.

98. SOC- PROCESS
➤ Implement Process for every
Situation
➤ Consider All Conditions

100. ‫%نیت‬%‫م‬‫ا‬ ‫%ملیات‬%‫ع‬ ‫%ز‬‫ک‬‫%ر‬‫م‬ ‫%ی‬‫ت‬‫%ملیا‬‫ع‬ ‫%ند‬‫ی‬‫%رآ‬‫ف‬ ‫%ه‬‫ن‬‫%مو‬‫ن‬
•‫#ه‬‫م‬‫#ا‬‫ن‬‫#ر‬‫ب‬ ‫و‬ ‫#ا‬‫ه‬ ‫#تگاه‬‫س‬‫د‬
‫#ی‬‫ن‬‫#یرو‬‫ب‬ ‫#ردی‬‫ب‬‫#ار‬‫ک‬ ‫#ای‬‫ه‬
‫#نند‬‫ک‬ ‫#ی‬‫م‬ ‫#ید‬‫ل‬‫#و‬‫ت‬ ‫#داد‬‫خ‬‫ر‬
1
•‫#داد‬‫خ‬‫ر‬ ،‫#ی‬‫ت‬‫#ملیا‬‫ع‬ ‫#زاء‬‫ج‬‫ا‬
‫#ند‬‫ی‬‫#ما‬‫ن‬ ‫#ی‬‫م‬ ‫#ید‬‫ل‬‫#و‬‫ت‬
2 •،‫آوری‬ ‫#مع‬‫ج‬ ‫#ا‬‫ه‬ ‫#داد‬‫خ‬‫ر‬
‫و‬ ‫#ده‬‫ش‬ Normalize
‫#زی‬‫ک‬‫#ر‬‫م‬ ‫#رور‬‫س‬ ‫#ه‬‫ب‬
‫#د‬‫ن‬‫#و‬‫ش‬ ‫#ی‬‫م‬ ‫#ال‬‫س‬‫ار‬
3
•‫#زی‬‫ک‬‫#ر‬‫م‬ ‫#رور‬‫س‬
‫و‬ ‫#سک‬‫ی‬‫ر‬ ‫#ی‬‫ب‬‫#ا‬‫ی‬‫ارز‬
‫و‬ Correlation
‫#ازی‬‫س‬ ‫#یره‬‫خ‬‫ذ‬
‫در‬ ‫را‬ ‫#ا‬‫ه‬‫#داد‬‫خ‬‫ر‬
‫#ا‬‫ه‬ ‫داده‬ ‫#گاه‬‫ی‬‫#ا‬‫پ‬
‫#د‬‫ه‬‫د‬ ‫#ی‬‫م‬ ‫#جام‬‫ن‬‫ا‬
4 •‫وب‬ ‫#حت‬‫ت‬ ‫#ری‬‫ب‬‫#ار‬‫ک‬ ‫#ط‬‫ب‬‫را‬
•‫#رای‬‫ب‬ ‫را‬ ‫#ر‬‫ی‬‫ز‬ ‫#ای‬‫ه‬‫#زار‬‫ب‬‫ا‬
‫#ز‬‫ک‬‫#ر‬‫م‬ ‫#ل‬‫م‬‫#ا‬‫ک‬ ‫#ار‬‫ک‬ ‫#ردش‬‫گ‬
‫در‬ ‫#بکه‬‫ش‬ ‫#نیت‬‫م‬‫ا‬ ‫#ت‬‫ی‬‫#ر‬‫ی‬‫#د‬‫م‬
‫#وزش‬‫م‬‫آ‬ ‫#ور‬‫ت‬‫#را‬‫پ‬‫ا‬ ‫#تیار‬‫خ‬‫ا‬
‫#ی‬‫م‬ ‫#رار‬‫ق‬ ‫#نیتی‬‫م‬‫ا‬ ‫#ده‬‫ی‬‫د‬
:‫#ند‬‫ه‬‫د‬
‫#زارش‬‫گ‬ ،‫#طار‬‫خ‬‫ا‬ ،‫#لیل‬‫ح‬‫ت‬
،Ticketing ،‫#ی‬‫ه‬‫د‬
‫#ری؛‬‫ی‬‫#ذ‬‫پ‬ ‫#یب‬‫س‬‫آ‬ ‫#ت‬‫ی‬‫#ر‬‫ی‬‫#د‬‫م‬
‫#ش‬‫ن‬‫دا‬ ‫#ت‬‫ی‬‫#ر‬‫ی‬‫#د‬‫م‬
5
Alar
m
Correlati
on
Normalizati
on
Event Gathering
Event
Generation

101. Summery SOC vs NOC

102. SOC Capabilities to Evaluate :

104. TECHNOLOGY

111. ‫امنیت‬ ‫عملیات‬ ‫مرکز‬ ‫یک‬ ‫شده‬ ‫ارائه‬ ‫های‬ ‫سرویس‬ ‫از‬ ‫برخی‬
o( Vulnerability and Risk Assessment) ‫پذیری‬ ‫آسیب‬ ‫و‬ ‫ریسک‬ ‫ارزیابی‬
o( Event & Incident Management)‫حوادث‬ ‫و‬ ‫رخداد‬ ‫مدیریت‬
oCompliance ‫استانداردها‬ ‫و‬ ‫سازمان‬ ‫سیاستهای‬ ‫بر‬ ‫منطبق‬ ‫مانیتورینگ‬
(Monitoring )
o(Configuration Management) ‫تنظیمات‬ ‫و‬ ‫پیکربندی‬ ‫مدیریت‬
o(Forensics, damage assessment) ‫قانونی‬ ‫بحثهای‬ ‫و‬ ‫آسیبها‬ ‫ارزیابی‬
o(Incident Response) ‫حوادث‬ ‫به‬ ‫پاسخگویی‬

114. PHYSICAL

115. SOC Rooms

116. KEY WORDS

117. an event is “Any observable occurrence in a system and/or network.
Events sometimes provide indication that an incident is occurring” (e.g., an alert
generated by an IDS or a security audit service). An event is nothing more than
raw data. It takes human analysis—the process of evaluating the meaning of a
collection of security-relevant data, typically with the assistance of specialized
tools—to establish whether further action is warranted.
Event :

118. Categorize your events by assigning logging facility values. This will add
further context to event analysis.
Limit the number of collectors for which a client is configured to the
minimum required. Use syslog relays when you require the same message to
be forwarded to multiple collectors. Syslog relays can be configured to
replicate and forward the same syslog message to multiple destinations. This
scenario is common when you have multiple monitoring platforms
performing different tasks such as security, problem management, and
system and network health monitoring.
Baseline and monitor the CPU, memory, and network usage overhead
introduced by the syslog service.

119. triage is the process of sorting, categorizing, and prioritizing incoming events and
other requests for SOC resources.
A SOC typically will designate a set of individuals devoted to real-time triage of
alerts, as well as fielding phone calls from users and other routine tasks. This group
is often referred to as Tier 1.1 If Tier 1 determines that an alert reaches some
predefined threshold, a case is created and escalated to Tier 2. This threshold can be
defined according to various types of potential “badness” (type of incident, targeted
asset or information, impacted mission, etc.). Usually, the time span Tier 1 has to
examine each event of interest is between one and 15 minutes. It depends on the
SOC’s escalation policy, concept of operations (CONOPS), number of analysts, size
of constituency, and event volume. Tier 1 members are discouraged from performing
in-depth analysis, as they must not miss events that come across their real-time
consoles. If an event takes longer than several minutes to evaluate, it is escalated to
Tier 2.
Triage :

120. Tier 2 accepts cases from Tier 1 and performs in-depth analysis to determine what
actually happened—to the extent possible, given available time and data—and
whether further action is necessary. Before this decision is made, it may take weeks
to collect and inspect all the necessary data to determine the event’s extent and
severity. Because Tier 2 is not responsible for real-time monitoring and is staffed
with more experienced analysts, it is able to take the time to fully analyze each
activity set, gather additional information, and coordinate with constituents. It is
generally the responsibility of Tier 2
(or above) to determine whether a potential incident occurred.

121. Logging Recommendations
Enabling logging features on a product can prove useful but also have an
associated cost on performance and functionality. Some settings should be
required before enabling logging, such as time synchronization and local logging
as a backup repository when the centralized logging solution fails. When
designing and configuring your syslog implementation, consider the following
best practices before enabling logging:
In the context of security operation, log events that are of business, technical, or
compliance value.
Configure your clients and servers for NTP, and confirm that clocks are
continuously being synchronized.
Time stamp your log messages and include the time zone in each message.

122. SIEM

123. ➢‫؟‬ ‫ﭼﯿﺴﺖ‬ SIEM
‫و‬ ‫ﺷـﺒﻜﮫ‬ ‫ﻣـﺪﯾـﺮﯾـﺖ‬ ‫در‬ ‫ﻣـﻮﺟـﻮد‬ ‫راﯾـﺞ‬ ‫ھـﺎي‬ ‫اﺳـﺘﺎﻧـﺪاد‬ ‫و‬ ‫اﻟـﮕﻮھـﺎ‬ ‫اﺳـﺎس‬ ‫ﺑـﺮ‬
‫ﯾـﻜﭙﺎرﭼـﮫ‬ ،‫دﯾﮕﺮ‬ ‫ﺑﺴﯿﺎری‬ ‫و‬ PCI ،TMN ،FCAPS ‫ﻗﺒﯿﻞ‬ ‫از‬ ‫اﻃـﻼﻋـﺎت‬ ‫اﻣﻨﯿﺖ‬
‫ﻣـﺪﯾـﺮﯾـﺖ‬ ‫ﺳـﺎزي‬ ‫ﭘـﯿﺎده‬ ‫در‬ ‫ﻣـﮭﻢ‬ ‫ھـﺎي‬ ‫ﺑـﺨﺶ‬ ‫از‬ ‫ﯾـﻜﻲ‬ ‫ﻣـﺠﺘﻤﻊ‬ ‫ﻣـﺪﯾـﺮﯾـﺖ‬ ‫و‬ ‫ﺳـﺎزي‬
.‫ﺑﺎﺷﺪ‬ ‫ﻣﻲ‬ ‫ﺑﮭﯿﻨﮫ‬ ‫ﺑﺼﻮرت‬ ‫ﺷﺒﻜﮫ‬ ‫اﻣﻨﯿﺖ‬
‫ـﻨﺪي‬‫ﺑ‬ ‫ـﯿﻜﺮه‬‫ﭘ‬ ‫ـﺖ‬‫ﮭ‬‫ﺟ‬ ‫ـﻤﻮﻻ‬‫ﻌ‬‫ﻣ‬ ‫ـﮫ‬‫ﻛ‬ ‫ـﻨﯿﺘﻲ‬‫ﻣ‬‫ا‬ ‫ـﺎي‬‫ھ‬ ‫ـﺘﮕﺎه‬‫ﺳ‬‫د‬ ‫ـﺠﺘﻤﻊ‬‫ﻣ‬ ‫ـﺖ‬‫ﯾ‬‫ـﺮ‬‫ﯾ‬‫ـﺪ‬‫ﻣ‬ ‫از‬ ‫ـﺪا‬‫ﺟ‬
‫ـﺰام‬‫ﻟ‬‫ا‬ ‫ـﻚ‬‫ﯾ‬ ‫ـﯿﺰ‬‫ﻧ‬ ‫ـﺎ‬‫ھ‬ ‫ـﺪاد‬‫ﺧ‬‫ر‬ ‫ـﺖ‬‫ﯾ‬‫ـﺮ‬‫ﯾ‬‫ـﺪ‬‫ﻣ‬ ‫ـﺖ‬‫ﺳ‬‫ا‬ ‫ـﺠﺎم‬‫ﻧ‬‫ا‬ ‫ـﻞ‬‫ﺑ‬‫ـﺎ‬‫ﻗ‬ ‫ـﺪ‬‫ﻧ‬‫ـﺮ‬‫ﺑ‬ ‫ـﻚ‬‫ﯾ‬ ‫از‬ ‫ـﺤﺼﻮﻻت‬‫ﻣ‬
‫اﻣـﺮوزه‬ ‫ﺷـﻮد‬ ‫ﻣـﻲ‬ ‫ﻣـﺤﺴﻮب‬ ‫اﻣـﻨﯿﺘﻲ‬ ‫ﻧـﻮﯾـﻦ‬ ‫ھـﺎي‬ ‫اﺳـﺘﺎﻧـﺪارد‬ ‫در‬ ‫اﻣـﻨﯿﺘﻲ‬
‫ﮔـﯿﺮي‬ ‫ﻛـﺎر‬ ‫ﺑـﮫ‬ ‫ﻟـﺰوم‬ ‫اﻣـﻨﯿﺘﻲ‬ ‫ﺗﮭـﺪﯾـﺪات‬ ‫و‬ ‫ﺣـﻤﻼت‬ ‫اﻓـﺰون‬ ‫روز‬ ‫ﺑـﺎﮔﺴـﺘﺮش‬
‫و‬ ‫اﺳـﺖ‬ ‫ﯾـﺎﻓـﺘﮫ‬ ‫ﮔﺴـﺘﺮش‬ ‫ﺳـﺎزي‬ ‫آﺷـﻜﺎر‬ ‫و‬ ‫ﻣـﺤﺎﻓـﻈﺘﻲ‬ ‫ﺗـﺪاﻓـﻌﻲ‬ ‫ھـﺎي‬ ‫ﺳـﯿﺴﺘﻢ‬
‫ـﺎن‬‫ﺳ‬‫ـﻨﺎ‬‫ﺷ‬‫ـﺎر‬‫ﻛ‬ ‫ـﺮاي‬‫ﺑ‬ ‫را‬ ‫ـﺎ‬‫ھ‬ ‫ـﯿﺴﺘﻢ‬‫ﺳ‬ ‫ـﻦ‬‫ﯾ‬‫ا‬ ‫ـﻚ‬‫ﺗ‬ ‫ـﻚ‬‫ﺗ‬ ‫ـﻨﯿﺘﻲ‬‫ﻣ‬‫ا‬ ‫ـﺎي‬‫ھ‬ ‫ـﺪاد‬‫ﯾ‬‫رو‬ ‫ـﺖ‬‫ﯾ‬‫ـﺮ‬‫ﯾ‬‫ـﺪ‬‫ﻣ‬
‫ھـﺎي‬ ‫رﺧـﺪاد‬ ‫ﻛـﮫ‬ ‫داﺷـﺖ‬ ‫ﺑـﺎﯾـﺪﺗـﻮﺟـﮫ‬ ‫ھـﻤﭽﻨﯿﻦ‬ .‫اﺳـﺖ‬ ‫ﺳـﺎﺧـﺘﮫ‬ ‫ﻣـﺸﻜﻞ‬ ‫اﻣـﻨﯿﺘﻲ‬
‫ـﺪاد‬‫ﺧ‬‫ر‬ ‫ـﺎ‬‫ﯾ‬ ‫ـﻤﻠﮫ‬‫ﺣ‬ ‫ـﻚ‬‫ﯾ‬ ‫ـﻮع‬‫ﻗ‬‫و‬ ‫ـﻨﻨﺪه‬‫ﻛ‬ ‫ـﯿﮫ‬‫ﺟ‬‫ـﻮ‬‫ﺗ‬ ‫ـﻤﻮﻻ‬‫ﻌ‬‫ﻣ‬ ‫ـﯿﺴﺘﻢ‬‫ﺳ‬ ‫ـﻚ‬‫ﯾ‬ ‫از‬ ‫ـﺪه‬‫ﺷ‬ ‫ـﯿﺪ‬‫ﻟ‬‫ـﻮ‬‫ﺗ‬
‫ﯾـﺎ‬ ‫ﺣـﻤﻠﮫ‬ ‫آﯾـﺎ‬ ‫ﻛـﮫ‬ ‫ﮔـﺮﻓـﺖ‬ ‫ﻧـﺘﯿﺠﮫ‬ ‫ﺗـﻮان‬ ‫ﻧـﻤﻲ‬ ‫آن‬ ‫از‬ ‫و‬ ‫ﺑـﺎﺷـﺪ‬ ‫ﻧـﻤﻲ‬ ‫اﻣـﻨﯿﺘﻲ‬
.‫ﺧﯿﺮ‬ ‫ﯾﺎ‬ ‫اﺳﺖ‬ ‫وﻗﻮع‬ ‫درﺣﺎل‬ ‫ﺗﮭﺪﯾﺪي‬

124. SIEM :Security Information & Event Management ‫های‬ ‫سیستم‬
،‫%ار‬%%%%‫ک‬ ‫و‬ ‫%ب‬%%%%‫س‬‫ک‬ ‫در‬ ‫%داوم‬%%%%‫ت‬ ‫%ت‬%%%%‫ه‬‫ج‬ ‫%زرگ‬%%%%‫ب‬ ‫%ای‬%%%%‫ه‬ ‫%ان‬%%%%‫م‬‫%از‬%%%%‫س‬ ‫%زون‬%%%%‫ف‬‫ا‬ ‫روز‬ ‫%یاز‬%%%%‫ن‬ ‫%ه‬%%%%‫ب‬ ‫%ه‬%%%%‫ج‬‫%و‬%%%%‫ت‬ ‫%ا‬%%%%‫ب‬
‫%ای‬%%%%%%‫ه‬ ‫%بکه‬%%%%%%‫ش‬ ‫در‬ ‫%ا‬%%%%%%‫ه‬ ‫%ان‬%%%%%%‫م‬‫%از‬%%%%%%‫س‬ ‫%ی‬%%%%%%‫ت‬‫%یا‬%%%%%%‫ح‬ ‫%ای‬%%%%%%‫ه‬ ‫%تم‬%%%%%%‫س‬‫سی‬ ‫%عیت‬%%%%%%‫ض‬‫و‬ ‫%ی‬%%%%%%‫س‬‫%رر‬%%%%%%‫ب‬ ‫%مینطور‬%%%%%%‫ه‬
‫آوری‬ ‫%مع‬%%%%%‫ج‬ ‫و‬ ‫%ا‬%%%%%‫ه‬ ‫%تم‬%%%%%‫س‬‫سی‬ ‫%عیت‬%%%%%‫ض‬‫و‬ ‫%ت‬%%%%%‫ی‬‫%ر‬%%%%%‫ی‬‫%د‬%%%%%‫م‬ ‫%ت‬%%%%%‫ه‬‫ج‬ ‫%اری‬%%%%%‫ک‬ ‫راه‬ ‫%ه‬%%%%%‫ب‬ ‫%یاز‬%%%%%‫ن‬ ،Enterprise
،‫%ا‬‫ه‬ SIEM .‫%د‬‫ی‬‫آ‬ ‫%ی‬‫م‬ ‫%ظر‬‫ن‬ ‫%ه‬‫ب‬ ‫%ی‬‫ت‬‫%یا‬‫ح‬ ‫%یش‬‫پ‬ ‫از‬ ‫%یش‬‫ب‬ ‫%ان‬‫م‬‫%از‬‫س‬ ‫%ای‬‫ه‬ Asset ‫از‬ ‫%هم‬‫م‬ ‫%ات‬‫ع‬‫%ال‬‫ط‬‫ا‬
‫%مع‬%‫ج‬ ‫%ی‬%‫ی‬‫%ا‬%‫ن‬‫%وا‬%‫ت‬ ‫از‬ ‫%تفاده‬%‫س‬‫ا‬ ‫%ا‬%‫ب‬ ‫%ه‬%‫ک‬ ‫%ند‬%‫ش‬‫%ا‬%‫ب‬ ‫%ی‬%‫م‬ ‫%یاز‬%‫ن‬ ‫%ن‬%‫ی‬‫ا‬ ‫%ع‬%‫ف‬‫ر‬ ‫%تای‬%‫س‬‫را‬ ‫در‬ ‫%ای‬%‫ه‬ ‫%ه‬%‫ن‬‫%ا‬%‫م‬‫%ا‬%‫س‬
‫%ز‬%%%‫ک‬‫%ر‬%%%‫م‬ ‫%ک‬%%%‫ی‬ ‫در‬ ‫%ات‬%%%‫ع‬‫%ال‬%%%‫ط‬‫ا‬ ‫آوری‬ ‫%مع‬%%%‫ج‬ ‫%ث‬%%%‫ع‬‫%ا‬%%%‫ب‬ ،‫%بکه‬%%%‫ش‬ ‫در‬ Critical ‫%ات‬%%%‫ع‬‫%ال‬%%%‫ط‬‫ا‬ ‫%واع‬%%%‫ن‬‫ا‬ ‫آوری‬
‫%ورد‬%‫م‬ ‫%تی‬%‫ح‬‫را‬ ‫%ه‬%‫ب‬ ‫را‬ ‫%ود‬%‫خ‬ ‫%یاز‬%‫ن‬ ‫%ورد‬%‫م‬ ‫%ات‬%‫ع‬‫%ال‬%‫ط‬‫ا‬ ‫%ا‬%‫ت‬ ‫آورد‬ ‫%ی‬%‫م‬ ‫%م‬%‫ه‬‫%را‬%‫ف‬ ‫را‬ ‫%کان‬%‫م‬‫ا‬ ‫%ن‬%‫ی‬‫ا‬ ‫و‬ ‫%ده‬%‫ش‬
‫%مع‬‫ج‬ ‫%ای‬‫ه‬ Log ‫%ر‬‫ت‬ ‫%یق‬‫ق‬‫د‬ ‫و‬ ‫%حیح‬‫ص‬ ‫%لیل‬‫ح‬‫ت‬ ‫%ت‬‫ه‬‫ج‬ ‫%مچنین‬‫ه‬ .‫%یم‬‫ه‬‫د‬ ‫%رار‬‫ق‬ ‫%ی‬‫س‬‫%رر‬‫ب‬ ‫و‬ ‫%لیل‬‫ح‬‫ت‬
‫%ا‬%%%%‫ب‬ ‫%ا‬%%%%‫ه‬ ‫%زارش‬%%%%‫گ‬ ‫%ی‬%%%%‫س‬‫%رر‬%%%%‫ب‬ ‫و‬ ‫ی‬ ‫دوره‬ ‫%ای‬%%%%‫ه‬ ‫%زارش‬%%%%‫گ‬ ‫%ه‬%%%%‫ئ‬‫ار‬ ‫و‬ ‫%ا‬%%%%‫ه‬ ‫%تم‬%%%%‫س‬‫سی‬ ‫از‬ ‫%ده‬%%%%‫ش‬ ‫آوری‬
‫%ی‬‫ی‬‫%ا‬‫ن‬‫%وا‬‫ت‬ ‫از‬ ‫%وان‬‫ت‬ ‫%ی‬‫م‬ ‫%مچنین‬‫ه‬ .‫%ت‬‫س‬‫ج‬ ‫%ره‬‫ه‬‫ب‬ ‫%ا‬‫ه‬ ‫%تم‬‫س‬‫سی‬ ‫%وع‬‫ن‬ ‫%ن‬‫ی‬‫ا‬ ‫از‬ ‫%وان‬‫ت‬ ‫%ی‬‫م‬ ،‫%گر‬‫ی‬‫%کد‬‫ی‬
،‫%ا‬‫ه‬ Log ‫از‬ ‫ای‬ ‫%ه‬‫ع‬‫%مو‬‫ج‬‫م‬ ‫%ی‬‫س‬‫%نا‬‫ش‬ ‫%تار‬‫ف‬‫ر‬ ‫%ت‬‫ه‬‫ج‬ ‫در‬ ،‫%ا‬‫ه‬ ‫%تم‬‫س‬‫سی‬ ‫%ه‬‫ن‬‫%و‬‫گ‬ ‫%ن‬‫ی‬‫ا‬ ‫%اص‬‫خ‬ ‫%ای‬‫ه‬
‫%ه‬%‫ن‬‫%ا‬%‫م‬‫%ا‬%‫س‬ ‫%ط‬%‫س‬‫%و‬%‫ت‬ ‫%ده‬%‫ش‬ ‫%ه‬%‫ئ‬‫ار‬ ‫%ای‬%‫ه‬ ‫%زارش‬%‫گ‬ ‫%ی‬%‫ج‬‫%رو‬%‫خ‬ ‫ی‬ ‫%تیجه‬%‫ن‬ ‫%ی‬%‫س‬‫%رر‬%‫ب‬ ‫%ا‬%‫ب‬ ‫و‬ ‫%د‬%‫ش‬ ‫%ند‬%‫م‬ ‫%ره‬%‫ه‬‫ب‬
.‫داد‬ ‫قرار‬ ‫بررسی‬ ‫مورد‬ ‫و‬ ‫ثبت‬ ‫ها‬ ‫گزارش‬ ‫از‬ ‫دقیق‬ ‫نتایجی‬ ‫توان‬ ‫می‬ ،SIEM ‫های‬

125. •‫را‬ ‫ﺷﺒﻜﮫ‬ ‫ﺗﺠﮭـﯿﺰات‬ ‫ﺧﺎم‬ ‫ﮔﺰارﺷﺎت‬ ‫آوري‬ ‫ﺟﻤﻊ‬ ‫در‬ ‫ﺳﻌﻲ‬ ‫اﺑﺘﺪا‬ ‫در‬
.‫داﺷﺘﮫ‬
•‫ﯾﻚ‬ ‫از‬ ‫ﮔﺰارﺷﺎت‬ Aggregation ‫و‬ ‫ﺳﺎزي‬ ‫ﯾﻜﺴﺎن‬ ‫در‬ ‫ﺳﻌﻲ‬ ‫دوم‬ ‫ﻣﺮﺣﻠﮫ‬ ‫در‬
.‫داﺷﺘﮫ‬ ‫را‬ ‫ﺳـﯿﺴﺘﻢ‬
•‫ﭘﺎراﻣﺘﺮ‬ ‫ﺑﮫ‬ ‫ﺗﻮﺟﮫ‬ ‫ﺑﺎ‬ ‫را‬ ‫ھﺎ‬ ‫ﺳﯿﺴـﺘﻢ‬ ‫ﺗﻤﺎم‬ ‫ﮔﺰارش‬ ‫ﺳﻮم‬ ‫ﻣﺮﺣﻠﮫ‬ ‫در‬
.‫ﻧﻤﻮده‬ ‫دھﻲ‬ ‫اراﺗﺒﺎط‬ ‫ﺷﺪه‬ ‫ﺧﻮاﺳﺴﺘﮫ‬ ‫ھﺎي‬
•‫ﺗﻮﻟﯿﺪ‬ ‫ﻣﺨﺘﻠﻔﻲ‬ ‫ﮔﺰارﺷﺎت‬ ‫آﻧﮭﺎ‬ ‫ﺗﺤﻠﯿﻞ‬ ‫و‬ ‫آﻧﺎﻟﯿﺰ‬ ‫ﺑﺎ‬ ‫آﺧﺮ‬ ‫ﻣﺮﺣﻠﮫ‬ ‫در‬ ‫و‬
.‫ﻧﻤﺎﯾﺪ‬ ‫ﻣﻲ‬

126. •:‫شامل‬ ‫كه‬ ‫است‬ ‫متفاوت‬ ‫حل‬ ‫راه‬ ‫دو‬ ‫از‬ ‫برگرفته‬ SIEM
•SIM( Security Information Management)
•SEM(Security Event Management)
•: SIEM ‫های‬ ‫توانمندی‬
•: (Log Management)SIEM/LM ‫ها‬ ‫داده‬ ‫ادغام‬
•‫نرم‬ ،‫اطالعاتی‬ ‫های‬ ‫بانک‬ ،‫سرورها‬ ،‫امنيت‬ ‫شبكه،تجهیزات‬ ‫منابع‬ ‫از‬ ‫را‬ ‫ها‬ ‫داده‬ : (Data Aggregation)
.‫بگیرند‬ ‫قرار‬ ‫نظارت‬ ‫تحت‬ ‫شبكه‬ ‫حياتي‬ ‫حوادث‬ ‫تا‬ ‫ميكند‬ ‫آوري‬ ‫جمع‬ . . . ‫و‬ ‫كاربردي‬ ‫افزارهاي‬
•‫اين بخش سعي در يافنت ويژگي هاي مشترك در اطالعات دارد تا براساس آن‬ : (Correlation)‫ پيوستگي‬
‫ها بتواند بسته ي تحليلي كاملي را ارائه نمايد .اين تكنولوژي سبب ايجاد توانايي به هم مربوط ساخنت داده‬
. ‫مختلف مي گردد تا اطالعات سودمندی بدست آيد‬ ‫هاي‬
•‫هاي‬ ‫فرمت‬ ‫با‬ ،‫ارائه‬ ‫قابل‬ ‫اطالعات‬ ‫قالب‬ ‫در‬ ‫را‬ ‫ها‬ ‫آن‬ ‫و‬ ‫گرفته‬ ‫را‬ ‫وقايع‬ ‫هاي‬ ‫داده‬ : ( (SIEM/LM Dashboard
.‫نمايد‬ ‫مي‬ ‫ارائه‬ ‫یکسان‬ ‫استاندارد‬

127. •
‫اﻣﻨﯿﺘﻲ‬ ‫ﻣﺒﺎﺣﺚ‬ ‫ﺧﻮدﻛﺎر‬ ‫ﺻﻮرت‬ ‫ﺑﮫ‬ ‫ﺗﻮاﻧﺪ‬ ‫ﻣﻲ‬ : Compliance
‫ﺻﻮرت‬ ‫در‬ ‫و‬ ‫داده‬ ‫اﻧﻄﺒﺎق‬ ‫ﺳﺎزﻣﺎﻧﻲ‬ ‫ﺧﺎص‬ ‫ھﺎي‬ ‫ﺧﻮاﺳﺘﮫ‬ ‫ﺑﺎ‬ ‫را‬
.‫ﻧﻤﺎﯾﺪ‬ ‫دھﻲ‬ ‫ﮔﺰارش‬ ‫اﻧﻄﺒﺎق‬ ‫ﻋﺪم‬
‫ﻣﻲ‬ ‫ﻧﮕﮭﺪاري‬ ‫ﻃﻮﻻﻧﯽ‬ ‫ﻣﺪت‬ ‫ﺑﺮای‬ ‫را‬ ‫اﻃﻼﻋﺎت‬ : ( SIEM/SIM Retention)
.‫ﺑﮕﯿﺮﻧﺪ‬ ‫ﻗﺮار‬ ‫اﺳﺘﻔﺎده‬ ‫ﻣﻮرد‬ ‫ﺑﻌﺪی‬ ‫ﻣﺮاﺟﻌﺎت‬ ‫در‬ ‫ﺗﺎ‬ ‫ﻧﻤﺎﯾﻨﺪ‬

128. SOC ‫در‬ SIEM ‫#تم‬‫س‬‫سی‬ ‫#قش‬‫ن‬
Security Operation
Senso
nrs
Attack
Action
Event
Alarm & Ticket
Decision
Internet
Hacker

129. Basic Data Management Workflow

131. Analyze & Disposal :

132. Correlation :

133. Some Type of Correlation :

137. 137

140. ARCHITECTURE

143. Configuration &
Management
Normalized
Events

144. SIEM DEPLOYMENT

145. All-in-one Server Model

146. Distributed Model

147. High Performance Cluster

148. SAMPLE OF SIEM ANATOMY OF A COLLECTOR IN OSSIM ALIENVAULT
[apache-access]
event_type=event
regexp=“((?P<dst>S+)(:(?P<port>d{1,5}))? )?(?P<src>S+) (?P<id>S+) (?P<user>S+) [(?P<date>d{2}/w{3}/d{4}:d{2}:d{2}:d{2})
s+[+-]d{4}] "(?P<request>.*)” (?P<code>d{3}) ((?P<size>d+)|-)( "(?P<referer_uri>.*)" ”(?P<useragent>.*)")?$”
src_ip={resolv($src)}
dst_ip={resolv($dst)}
dst_port={$port}
date={normalize_date($date)}
plugin_sid={$code}
username={$user}
userdata1={$request}
userdata2={$size}
userdata3={$referer_uri}
userdata4={$useragent}
filename={$id}
[Raw log]
76.103.249.20 - - [15/Jun/2013:10:14:32 -0700] "GET /ossim/session/login.php HTTP/1.1"
200 2612 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

149. SIEM RELIABILITY ASSESSMENT SAMPLE IN OSSIM ALIENVAULT
SSH Failed authentication event
SSH successful authentication event 10 SSH Failed authentication events
100 SSH Failed
authentication events
Persistent connections
SSH successful
authentication event
1000 SSH Failed
authentication events
SSH successful
authentication event
Reliability

150. USE CASE & ATTACK DETECTION

151. SIEM ATTACK DETECTION

153. Use Case Samples:

154. HOW CHOOSE SIEM ?

155. Scoping the project
EPS Calculation
Storage & Capacity management
What you need
Select best Implementation model & Architecture
Choose the best SIEM
Considering q1 lab , Gartner & other to choose
Conceptual design

159. CSIRT
➤ Forensics
➤ Evidence Gathering
➤ Reverse
➤ Fuzzing
➤ Sandboxing
➤ Deep Analysis

161. REFERENCES:
➤ SANS
➤ ISC2
➤ NIST
➤ Renaud Bidou
➤ CISCO Threat Intelligence
➤ CISCO SOC
➤ Gartner
➤ HPE ArcSight
➤ Microfocus
➤ SPLUNK
➤ AlienVault
➤ MITRE
➤ RSA
➤ ISO 15408