Building a Cyber Security Operations Center (CSOC)
Shah H Sheikh – Co-Founder & Sr. Security Solutions Consultant
MEng CISSP CISA CISM CRISC CCSK CCSA
DTS Solution - UAE
shah@dts-solution.com
Cyber Security Operations Center
Agenda – Building a Cyber Security Operations Center
• 1. The need to build an enterprise-wide CSOC.
• 2. CSOC 2.0 and its components to form an eco-system.
• 3. SIEM 2.0 – Log Collection, Log Aggregation, Security Analytics and Correlation.
• 4. Specific Contextual Threat and Use Cases and Situational Awareness
• 5. Building Threat Intelligence and Early Warning Detection System
• 6. CSOC Processes, Procedures and Workflows.
• 7. CSOC Incident Response Handling
• 8. Cyber Incident Offense Management
• 9. CSOC vs. Security Maturity Levels
People, Process and Technology
Current Challenges
The current CSOC landscape…
Outsourced or In-house?
In-House SOC
Why build a CSOC?
Key Objectives for CSOC … (1)
• Manages and coordinates the response to Cyber Threats and Incidents
• Monitors the Cyber Security posture and reports deficiencies
• Coordinates with regulatory bodies
• Performs Threat and Vulnerability Analysis
• Performs Analysis of Cyber Security Events
• Maintains an Internal Database of Cyber Security Incidents
• Provides Alerts and Notifications for General and Specific Threats
• Provides regular reporting to Management and Cyber Incident Responders
Key Objectives for CSOC … (2)
• Reduce the response time of a security incident from initial findings, to reporting, to containment
• Recovery Time Objective (RTO) in case a security incident materializes
• Proactive Security Monitoring based on predefined security metrics / KPI
• Raise Awareness of Information Security across the community of leaders and subordinates
• Ability to correlate system, application, network, server and security logs in a consistent way
Key Objectives for CSOC … (3)
• Ability to automate the requirement to meet compliance – vulnerability assessment and risk management
• Ensure the change control function is integrated into the SOC process
• Identification of all security attack vectors and classification of incidents
• Define disaster recovery plans for ICE (in case of emergency).
• Build a comprehensive reporting dashboard that is aligned to security metrics
• Build a local in-house SIRT (security incident response team) that collaborates with the National CERT
Key Objectives for CSOC … (4)
• Build SOC processes that are aligned to existing ISO27001 security policies
• Build a physical and virtual team of SOC personnel for 24 x 7 monitoring
• Build forensics capabilities to be able to reconstruct the series of events during an incident
• Proactive monitoring of network and security infrastructure devices
Components of a CSOC
• Build the SOC with a simple acceptance and execution model
• Maximize the use of technology.
• Build security intelligence and visibility that was previously unknown; build an effective coordination and response unit and introduce automation of security processes.
• Develop SOC processes that are in line with industry best practices and accepted standards – ISO27001:2013, PCI-DSS3.0, IEC-62443, NIST
SECURITY INCIDENT MANAGEMENT
· PRE AND POST INCIDENT ANALYSIS
· FORENSICS ANALYSIS
· ROOT CAUSE ANALYSIS
· INCIDENT HANDLING
· aeCERT INTEGRATION
REPORTING
· EXECUTIVE SUMMARY
· AUDIT AND ASSESSMENT
· SECURITY METRIC REPORTING
· KPI COMPLIANCE
· SLA REPORTING
REAL-TIME MONITORING
· DATA AGGREGATION
· DATA CORRELATION
· AGGREGATE LOGS
· COORDINATE RESPONSE
· AUTOMATED REMEDIATION
Key Success Factors in a CSOC
The Goal – Keep Things Simple
CSOC – Core Components
Core Components for a CSOC 2.0
• OSS – Operational Support System
• SIEM – Security Information and Event Management
• Proactive Monitoring - Network and Security and Server Infrastructure
• Alert and Notification – Security Incident Reporting
• Events Correlation and Heuristics / Behavioural / Anomaly
CSOC – Core Components
Core Components for a SOC 2.0
• Information and Network Security $$ Automation $$
• To natively build-in compliance and audit functions
• To manage change control process through integrated ITILv3 CM and SD
• Configuration Management of Infrastructure Components
CSOC – Core Components
Core Components for a CSOC 2.0
• Alignment of Risk Management with Business Needs
• Qualified Risk Ranking
• Risks are ranked based on business impact analysis (BIA)
• Risk framework is built into the SIEM solution;
• incident = risk severity = appropriate remediation and isolation action
• SOC is integrated with Vulnerability and Patch Management
CSOC – Core Components
Core Components for a CSOC 2.0
• IRH – Incident Response Handling
• How effective the SOC is, is measured by how incidents are managed, handled, administered, remediated and isolated.
• Continuous cyclic feedback mechanism drives IRH
• Critical functions include Network Forensics and Surveillance Technology
• Reconstruct the incident …. Evidence gathering … Effective Investigation
• Escalation Management – know who to communicate with during an incident
CSOC – Core Components
Proposed Architecture for the CSOC
Perimeter and Boundary Points / Network Nodes: Internet, DMZ / Published Services (IPS, WWW, SSL VPN, WAF, FW)
Applications: Active Directory, DB, Middleware, SMTP
Internal Resources: Mainframe, Servers
DATA ACQUISITION LAYER – SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
(HTTP, SNMP, SMTP, SYSLOG, API, XML, CUSTOM FILE, LOGFILE)
EVENT CORRELATION LAYER
· Event Correlation Engine
· Analysis and Filtering
· Event Management
· Integration with NMS Systems
· Trouble Ticket Integration
· Flow Analysis
SECURITY VULNERABILITY
· Common Vulnerabilities and Exposures (CVE)
· Risk Ranking
· Configuration Audit
· Security Metric Dashboard
DATA COLLABORATION
· Policy Management
· Asset Repository
· Problem Incident Management
· Security Incident Reporting
· Change Control
· Security Automation
REPORTING AND MANAGEMENT LAYER
Security Management, Systems Management, Network Management, Reporting, KPI, SLA, Benchmark, Compliance Management
CSOC – Core Components
Integration of Core SOC Components
CSOC Technologies …
SIEM 2.0 Solutions (NOT just Log Management)
• Event Collector and Processor – Syslog, Log Files, SMB, ODBC > All Log Sources
• Flow Collection and Processor – NetFlow, J-Flow, sFlow, IPFIX
• Asset Database (Based on Asset Criticality, Risk and Vulnerability, System and Business Owner)
• Event and Flow Correlation – Advanced Threat Analytics
• Centralized Management Console for Security Dashboard and Reporting
• Integration with service desk for automated ticket creation > Offense Management
Compliance Management and Policy Conformance
• Configuration Audit across Infrastructure Systems and Devices
• ISO27001 / PCI-DSS3.0 / IEC-62443 Security Policy Compliance
• Risk Management – Identification and Mitigation
• Baseline Configuration Violation Monitoring (Continuous Compliance / Monitoring)
• Network Topology Mapping and Visualization
• Vulnerability Assessment and Management
CSOC Technologies …
Network and Security Monitoring (Traditionally owned by the Networking Team) > Integrate with Security Requirements
• Network Performance Monitor - SNMP
• Network Monitoring
• Link Utilization
• Availability Monitoring
• SLA reporting
• Integration with service desk for automated ticket creation
Security Analysis and Threat Intelligence
• Network Forensics (Raw Packet Capture > Session Reconstruction)
• Situation Awareness
• Artifacts and Packet Reconstruction (Chain of Custody)
• Monitor all Internet Activity (Linked to Identity (username) as opposed to IPs)
• Record metadata for recursive analysis during incident response
• Integration with Incident Response Handling (IRH)
• Threat Intelligence and Global Landscape
CSOC (before) ….. < The Silos >…
Technology Integration … the old practice: SIEM | Vulnerability Assessment | Network Monitoring (separate silos)
CSOC (after) …. Automation
Technology Integration … the new … WORKFLOW: SIEM 2.0 + Compliance and Monitoring + NMS (one integrated workflow)
CSOC – Developing Processes
Creating the CSOC Processes
CSOC Processes, Procedures and Workflows developed should be aligned to the Corporate ISMS (if it exists)
DATA SECURITY AND MONITORING
• Data Asset Classification
• Data Collection
• Data Normalization
• Data at Rest and In Motion
• Data Protection
• Data Distribution
EVENT MANAGEMENT
• Event Correlation
• Identification
• Triage
• Roles
• Containment
• Notification
• Ticketing
• Recovery
• Forensics and Situational Awareness
INCIDENT RESPONSE PRACTICE
• Security Incident Reporting Structure
• Security Incident Monitoring
• Security Incident Escalation Procedure
• Forensics and Root Cause Analysis
• Return to Normal Operations
• Post-Incident Planning and Monitoring
• Communication Guidelines
• National CERT Integration
SOC OPERATING GUIDELINES
• SOC Workflow
• Personnel Shift Description
• Shift Reporting
• Shift Change
• Information Acquisition
• SOC Monitoring Suite
• SOC Reporting Structure
• Organizational Chart
ESCALATION MANAGEMENT
• Escalation Procedure
• Pre-Escalation Tasks
• IT Security
• Network Operation Center
• Security Engineering
• National CERT Integration
• Law Enforcement
• 3rd Party Service Providers and Vendors
DATA RECOVERY PROCEDURES
• Disaster Recovery and BCP Procedure
• Recovery Time Objective
• Recovery Point Objective
• Resiliency and High Availability
• Facilities Outage Procedure
SECURITY INCIDENT PROCEDURES
• Email Phishing - Email Security Incident
• Virus and Worm Infection
• Anti-Virus Management Incident
• NetFlow Abnormal Behavior Incident
• Network Behaviour Analysis Incident
• Distributed Denial of Service Incident
• Host Compromise - Web Application Security Incident
• Network Compromise
• Internet Misuse
• Human Resource - Hiring and Termination
• Domain Hijack or DNS Cache Poisoning
• Suspicious User Activity
• Unauthorized User Access (Employee)
VULNERABILITY AND PATCH MANAGEMENT
• Vulnerability Research (Threat Intelligence)
• Notifications sent to respective system owners
• Patch Management - Microsoft SCOM
• Identification
• Dissemination
• Compliance Monitoring
• Network Configuration Baseline
• Anti-Virus Signature Management
• Microsoft Updates
TOOLS OPERATING MANUAL FOR CSOC PERSONNEL
• Operating Procedure for SIEM 2.0 Solution – Event Management and Flow Collector/Processor and Advanced Correlation
• NGFW Firewall Security Logs
• IPS Security Logs
• SSL VPN / IPSEC VPN / Remote Access logs
• WAF Security / DB Activity Monitoring / ERP Security logs
• User Activity / Login / Active Directory / AAA Logs
• Endpoint Security (AV, Malware Protection, SCOM)
• Operating Procedure for Configuration and Policy Compliance
• Operating Procedure for Vulnerability Assessment
Creating the CSOC Operating Manuals
SECURITY ALARMS AND ALERT CLASSIFICATION
• Critical Alarms and Alerts with Action Definition
• Non-Critical and Information Alarms
• Alarm reporting and SLA to resolve the alarms
SECURITY METRIC AND DASHBOARD – EXECUTIVE SUMMARY
• Definition of Security Metrics based on Center for Internet Security standards
• Security KPI reporting definition
• Security Balanced Scorecard and Executive Reporting
Cyber Security Operations Center
You can only monitor what you know
• Environments
• Location
• Device Types
• System Types
• Security Zones
• Demarcation Points
• Ingress Perimeters
• Data Center
• Extranet
• WAN
….Know your infrastructure….
You can only monitor what you know
• Knowledge of how services flow across your infrastructure …
…. Service Flows (Published Services) ……
BUILD A SECURITY SERVICES CATALOG
• Understanding the service flows will allow you to VISUALIZE…
…. Service Flows (Internal Services) ……
Integration with Vulnerability Management
Build an Asset Database integrated into the SIEM; the following asset details can be adjusted with Asset Manager:
• Name
• Description
• Weight
• Operating System
• Business Owner
• Business Owner Contact Information
• Technical Owner
• Technical Owner Contact Information
• Location
• Risk and Vulnerability Information (CVEs)
Build an Asset Repository
Build Policy Compliance: Firewalls
Now that we have the processes, technology and people what next…..
• Build contextual threat cases per environment;
– Extranet
– Internet
– Intranet
– Data Center
– Active Directory
– Malware / Virus Infection and Propagation
– NetFlow Analysis
– Remote Sites / WAN
– Remote Access – IPSEC VPN / SSL VPN
– Wireless
– etc…..
Develop Threat Cases
• To define threat cases per environment … not by system…. (silo)
• CONTEXTUAL
• SERVICE ORIENTATED
• USER CENTRIC
ID – Threat Case Development
OS.WIN – Microsoft Windows Servers - Threat Case Development Documentation; Microsoft Active Directory - Threat Case Development Documentation
MSIIS / MSSQL / MSEXC – Microsoft Application - Threat Case Development Documentation (IIS, MSSQL, Exchange)
IBMAIX / LINUX / SOLARIS – UNIX/LINUX/SOLARIS/AIX – Threat Case Development Documentation
PRIVACC – Advanced Threat Cases for Privileged User and Special Account Activity and Monitoring
N/A – Baseline Security Settings on UNIX/LINUX/SOLARIS/AIX server
BUSINT – Business Internet
EXTRNT – Extranet
S2SVPN – Site to Site VPN
DEVELOP THREAT CASES
ADVANCED THREAT CASES - ENVIRONMENT
• To define threat cases per environment …
…. Eventually …. Should …. Include …. All …. Environment …..
ID – Threat Case Development
INTOFF – International Offices – Global MPLS
SSLVPN – Juniper SSL VPN
NATIONAL – IPVPN – National MPLS IPVPN
WIRLESS – Wireless Infrastructure
VOIPUC – Voice over IP
VSAT – VSAT – Satellite
DIGPKI – PKI and X.509 Digital Certificates (systems threat case)
AAA – AAA (systems threat case)
HIPS – HIPS and Application Whitelisting
EXECACC – Executive Account Monitoring
SAP – SAP Router and SAP Privilege Activity Monitoring
COMPLIANCE – Compliance and Best Practices Configuration
NAC – Network Admission Control
IPS-AV – IPS and AV Management Console
EMAIL – Email Security – Business Internet Gateway
DAM – Database Activity Monitoring (DAM)
SFT – Secure File Transfer
• IMPORTANT – understand the environment and understand the threats related to that environment…..
Develop Threat Cases – RHEL
Important Note:
The "OS.WIN.010.Offense: Multiple Logon for Single User from Different Locations" offense is disabled pending clarification of the application/system account names that must be excluded from the rule's logic.
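As an added example (not code from the slide deck), the correlation behind the OS.WIN.010 offense above, with the pending application/system-account exclusion applied as an exclusion list and the offense severity derived from the "Weight" field of the asset database described earlier. Account names, locations, hosts, weights and the log line format are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed excerpt of the asset repository: host name -> "Weight" field.
ASSET_WEIGHT: Dict[str, int] = {"FILESRV01": 7, "DC01": 10, "WEB01": 5}

# Constructed stand-in for the application/system account clarification the
# note says is pending: explicit names plus naming-convention prefixes.
EXCLUDED_ACCOUNTS = {"svc_backup", "svc_sql"}
EXCLUDED_PREFIXES = ("svc_", "app_")


@dataclass
class Logon:
    ts: datetime
    user: str
    location: str  # site / VPN gateway label as the SIEM would tag it
    host: str      # asset the logon succeeded on


@dataclass
class Offense:
    user: str
    locations: List[str]
    hosts: List[str]
    severity: str


def is_excluded(user: str) -> bool:
    """True for application/system accounts that must not trigger the rule."""
    u = user.lower()
    return u in EXCLUDED_ACCOUNTS or u.startswith(EXCLUDED_PREFIXES)


def parse_logon(line: str) -> Logon:
    """Constructed line format: '<ISO timestamp>|<user>|<location>|<host>'."""
    ts, user, location, host = line.strip().split("|")
    return Logon(datetime.fromisoformat(ts), user, location, host)


def severity_for(hosts: List[str]) -> str:
    """Rank the offense by the heaviest asset touched (unknown hosts weigh 1)."""
    weight = max(ASSET_WEIGHT.get(h, 1) for h in hosts)
    if weight >= 9:
        return "critical"
    if weight >= 5:
        return "high"
    return "medium"


def detect_multi_location_logons(lines: List[str],
                                 window: timedelta = timedelta(minutes=30),
                                 min_locations: int = 2) -> List[Offense]:
    """One offense per user whose logons span >= min_locations within window."""
    by_user: Dict[str, List[Logon]] = {}
    for line in lines:
        ev = parse_logon(line)
        if is_excluded(ev.user):
            continue
        by_user.setdefault(ev.user, []).append(ev)

    offenses: List[Offense] = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        best: Optional[Offense] = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until every event fits inside it.
            while events[end].ts - events[start].ts > window:
                start += 1
            win = events[start:end + 1]
            locs = sorted({e.location for e in win})
            if len(locs) >= min_locations:
                hosts = sorted({e.host for e in win})
                cand = Offense(user, locs, hosts, severity_for(hosts))
                # Keep the widest-spread window for this user.
                if best is None or len(cand.locations) > len(best.locations):
                    best = cand
        if best is not None:
            offenses.append(best)
    return offenses


# Constructed sample logons: jsmith appears from two locations 12 minutes
# apart (offense), svc_backup is excluded, amir's logons are 40 minutes apart.
SAMPLE_LOGONS = [
    "2024-03-01T08:00:00|jsmith|Dubai-HQ|FILESRV01",
    "2024-03-01T08:12:00|jsmith|SSLVPN-London|DC01",
    "2024-03-01T09:30:00|jsmith|Dubai-HQ|WEB01",
    "2024-03-01T08:05:00|svc_backup|Dubai-HQ|FILESRV01",
    "2024-03-01T08:06:00|svc_backup|SSLVPN-London|DC01",
    "2024-03-01T10:00:00|amir|Abu-Dhabi-DC|WEB01",
    "2024-03-01T10:40:00|amir|Dubai-HQ|WEB01",
]

if __name__ == "__main__":
    for off in detect_multi_location_logons(SAMPLE_LOGONS):
        print(off)
```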
Develop Threat Cases – Windows Servers
*NIX AUTHENTICATION … FOLLOW THE PROCESS
Offense Management Naming Convention
Offense Management Workflow
Cyber SOC Wiki
CSOC-Wiki
https://SOC-wiki.intranet.xyz
CSOC-Wiki - Goals
Purpose of the WiKi
• Centralized Knowledge Repository for SOC
• Collaborate and Share Information with other Team Members
• Ease of use and searchable (Google Like)
• Integrations with other toolsets
Challenges within CSOC
• Current Issues with SIEM Processes, Documentation, Offense Handling, Knowledge Sharing
• SIEM Integrations into SOC-Wiki
• SIEM Threat Cases
CSOC Wiki – SIEM Integration
CSOC - WiKi: Processes, Threat Cases, Workflows
Security Maturity Level: 4 to 5
CSOC Wiki – SIEM Integration
1. Current Maturity Level
2. Target Maturity Level
CSOC Wiki – SIEM Integration
SIEM Threat Cases
SOC Wiki – SIEM Threat Cases
• Listed above is how Threat Cases are displayed in SOC-Wiki
• Threat Case Name, Severity, Status
• Information - Centralized, Detailed and Searchable
• Information updated by SIEM and SOC Teams
SOC Wiki – SIEM Threat Cases
• Example:
Shah H Sheikh – Sr. Security Solutions Consultant
MEng CISSP CISA CISM CRISC CCSK
shah@dts-solution.com
Shah Sheik Building a CSoC v1.2 DEFCAMP.pptx