SOC Foundation

©Copyrights 2014-2017 by Masoud Ostad
SOC Foundation
Course
©2015 DESIGN AND DEVELOPMENT BY
MASOUD OSTAD
1

Course Outline Part I
 IT Operation and IT Security Crossroad
 Traditional Security Architecture
 Traditional IT Security Problem
 Introduction New Threat
 What is APT and SCADA?
 Feature Security Big Picture and Roadmap
 Introduction Next Generation Security
2

Course Outline Part II
 What is SIEM?
 Security Log Protocol
 Log Correlation and Analyzing
 SIEM Architecture
 SIEM Gartner Leadership Introduction
 HP and IBM Architecture and Model
 Small Model
 Enterprise Model
 What is SOC?
 What is SOC and SIEM Differential?
3

Course Outline Part III
 Introduction SOC Main Module
 Threat Management
 Vulnerability Management
 Security Intelligence Service
 Fraud Detection
 Security Change Management
 Service and Security Dashboard
 Manage Security Service Provider
 Risk Management
4

Course Outline Part IV
 Introduction SOC Sub Module
 Data Loss Prevention
 Database Activity Monitor
 Patch and Vulnerability Awareness
 Forensic Framework
 Full Packet Capture
 Exploit Framework
 File Integrity Management
 Security Configuration Management
 User Auditing Management
 Web Security Assessment
5

‫امنیتی‬ ‫آمارهای‬ 6

‫ایران‬ ‫در‬ ‫سایبری‬ ‫حمالت‬ ‫گزارش‬ 7
73%‫های‬‫سایت‬ ‫از‬‫دولتی‬‫هستند‬ ‫امنیتی‬ ‫ضعف‬ ‫دارای‬
Resource:
http://www.khabaronline.ir

‫سایبری‬ ‫های‬ ‫حمله‬ ‫رشد‬ ‫آمار‬ 8

‫خطرات‬ ‫و‬ ‫تهدیدات‬ ‫انواع‬ ‫پیچیدگی‬ ‫رشد‬ ‫نمودار‬ 9

Old Security … 10

Traditional Security Element
 First Generation
 Anti Virus with Signature Engine
 Firewall or Network Firewall
 State less
 State full
 IDS or Intrusion Detection System
 IPS or Intrusion Prevention System
 Security Module
 Cisco 6500 FWSM
 Proxy or Access Control
 Second Generation
 Basic Application or Protocol Firewall
11

Previous Security Cycle 12
Antivirus
Firewall, IDS
and IPS
DMZ
Access
Control
System
Encryption
,VPN , CA ,
…

Traditional System Weak Point
‫یکپارچگی‬ ‫عدم‬
‫دفاعی‬ ‫های‬ ‫سیستم‬
‫هدفمند‬ ‫بررسی‬ ‫عدم‬
‫وقایع‬ ‫و‬ ‫ها‬ ‫رخداد‬
‫فنی‬ ‫بررسی‬ ‫دشواری‬
‫بسیار‬ ‫سرعت‬ ‫ها‬ ‫رخداد‬
‫باال‬ ‫خطای‬ ‫و‬ ‫پایین‬
‫در‬ ‫تمرکز‬ ‫و‬ ‫دقت‬ ‫عدم‬
‫امنیت‬ ‫گذاری‬ ‫سیاست‬‫ی‬
‫و‬ ‫اتخاذ‬ ‫در‬ ‫دشواری‬
‫و‬ ‫مناسب‬ ‫واکنش‬ ‫اجرای‬
‫موقع‬ ‫به‬
13

Advanced Persistent Threat 14

APT Work Step 15

APT Components 16

New Malware 17

What is SCADA ? 18
SCADA (supervisory control and data acquisition) is a system operating with coded
signals over communication channels so as to provide control of remote equipment
SCADA (supervisory control and data acquisition) is a category of software
application program for process control, the gathering of data in real time from
remote locations in order to control equipment and conditions

What is SCADA Used for
 SCADA systems are the backbone of modern industry
 Energy
 Food and beverage
 Manufacturing
 Oil and gas
 Power
 Recycling
 Transportation
 Water and waste water
 And many more
19

Stuxnet SCADA Malware 20

Stuxnet inside 21

Flame Malware 22

Flame Malware Target Country 23

Flame Malware Statistics 24

Attack Technique 25

Mobile / Smartphone Malware 26

Equation Group / God Malware 27

Equation Group Timeline 28

29

30
Firewal
l
Router
s
IDS
Unix App
Databa
se
Preserved
Data
Syslog
s
Legal/Audit/IT
Security
Mgmt.
Console
Correlation and
analyze Engine
Personal
Devices
Warnings
Area
SIEM Simple View

SIEM‫همان‬SOC‫نیست‬!
31
SIEM
Engine
Anti-Virus
HIPS
APP-Logger
Smart
Security
….
Firewall
IPS & IDS
Router/Switch
Server
…
Auditing System
Schedule Pentest
Vul Awareness
Incidence Response
Risk Management
Log Correlation
Log Analyze
Technical Policy
SIEM is a
Technology
SOC is a
Total
Solution
10

SIEM Big Picture 32

SOC‫چیست؟‬
‫ارتباطات‬ ‫و‬ ‫اطالعات‬ ‫امنیت‬ ‫خصوص‬ ‫در‬ ‫جامع‬ ‫و‬ ‫تخصصی‬ ‫مرکز‬
‫امنیت‬ ‫و‬ ‫فرایند‬ ‫مدیریت‬ ‫تخصصی‬ ‫کار‬ ‫و‬ ‫ساز‬
‫مدیریت‬ ‫های‬ ‫سیستم‬ ‫و‬ ‫اطالعات‬ ‫امنیت‬ ‫پویش‬ ‫نوین‬ ‫های‬ ‫ابزار‬ ‫از‬ ‫گیره‬ ‫بهره‬
‫مصنوعی‬ ‫هوش‬ ‫های‬ ‫معماری‬ ‫اساس‬ ‫بر‬ ‫وقایع‬ ‫بررسی‬ ‫هوشمند‬ ‫های‬ ‫سامانه‬
‫موقع‬ ‫به‬ ‫و‬ ‫سریع‬ ‫دهی‬ ‫پاسخ‬ ‫سامانه‬
‫ریسک‬ ‫مدیریت‬ ‫پیشرفته‬ ‫ساختارهای‬
‫فنی‬ ‫و‬ ‫کالن‬ ‫های‬ ‫گذاری‬ ‫سیاست‬ ‫امکان‬-‫مدیریتی‬
33

‫اجزای‬‫کالن‬SOC 34
Threat Management
Vulnerability Management
Security Intelligence Services
Service Desk & Security Dashboard
Fraud Management
Security Configuration Management

‫جزیی‬ ‫اجزای‬SOC
Threat
Management
SIEM
DLP
TRM
DAM
Vulnerability
Management
Patch & Vul
Management
Web App
Security
Assessment
Database Vul
Assessment
Network Vul
Assessment
Security
Intelligence
Service
Exploit
Frameworks
Forensics
Toolkits
Security
Advisories
Vulnerability
Feeds
Fraud
Detection
Transaction
Fraud Monitor
Phishing
Monitor
Service Desk &
Security
Dashboard
Service Desk
Security
Dashboard
Security
Configuration
Management
File Integrity
Management
Change
Management
& Deployment
Configuration
Assessment
UAM
35

‫دیگر‬ ‫خدمات‬SOC 36
Attack Tracking and FPC for Forensic
Security Strategy Planning
Incident Reporting and Management Response
Managed Security Service Providers
Intelligent Security Inside Laboratory
Enterprise Risk Management , BCP and Disaster Recovery

‫ساخت‬ ‫فنی‬ ‫معماری‬‫یافته‬SOC 37

‫فرآیندی‬ ‫معماری‬SOC 38

‫تفاوت‬NOC‫و‬SOC
NOC
Coverage
Network
Fault
Tolerance
Switch/Router
Configuration
Sniffing
and
Troubleshooting
System
& Traffic
Monitor
SOC
Coverage
Network
Behavior
anomaly
detection
Intrusion
Detection &
Prevention
Log
Management
Network
Forensics
Vulnerability
detection and
Awareness
Risk & Change
Management
Policy
39

‫راهکارهای‬ ‫کنندگان‬ ‫ارائه‬SOC 40

‫سازی‬ ‫پیاده‬ ‫مراحل‬SOC
‫دستاوردهای‬ ‫و‬ ‫سیاستها‬ ‫تعریف‬SOC‫سازمان‬ ‫نیاز‬ ‫بر‬ ‫منطبق‬
‫سازی‬ ‫پیاده‬ ‫بندی‬ ‫فاز‬ ‫و‬ ‫فاز‬ ‫تعریف‬SOC‫منظور‬ ‫به‬ ‫سازمان‬ ‫اهداف‬ ‫با‬ ‫منطبق‬
‫وسعت‬ ‫تبیین‬ ‫و‬ ‫تعریف‬SOC
‫شدن‬ ‫مانیتور‬ ‫قابل‬ ‫تجهیزات‬ ‫نمودن‬ ‫مشخص‬ ‫و‬ ‫تعریف‬
‫رخدادها‬ ‫بررسی‬ ‫عمق‬ ‫و‬ ‫وسعت‬ ‫تعریف‬
‫اطالعات‬ ‫آنالیز‬ ‫نحوه‬ ‫تعریف‬
‫سیستم‬ ‫مدیریتی‬ ‫اجزای‬ ‫بر‬ ‫و‬ ‫فرآیندها‬ ‫تعریف‬
‫فعالیت‬ ‫حوزه‬ ‫متنوع‬ ‫سرویسهای‬ ‫و‬ ‫ها‬ ‫معماری‬ ‫تبیین‬SOC‫سازمان‬ ‫نیاز‬ ‫بر‬ ‫منطبق‬
‫کامل‬ ‫بلوغ‬ ‫تا‬ ‫سیستم‬ ‫سازی‬ ‫بهینه‬ ‫منظور‬ ‫به‬ ‫ای‬ ‫دوره‬ ‫بررسی‬
41

‫عرصه‬ ‫مهم‬ ‫بازیگران‬SOC 42

43

Arcsight Architecture 44

HP Arcsight Introduction
HP Arcsight Express
HP Arcsight ESM
45

HP Arcsight Components
• Enterprise Database for save any log and
information
Arcsight Database engine
( CORR-ENGINE )
• For any asset with normal log generatorArcsight Smart Connector
• For special asset with special log formatArcsight Flex Connector
• Arcsight Manage Part EngineArcsight Manager
• Arcsight Application console management
• Arcsight Web Console Management
Arcsight Console
• Analyze Classification Data for find any
Threat
Arcsight Threat Detector
46

SmartConnector Platform Support 47
OS
•Windows
Family
•Linux Like
•Oracle Solaris
•IBM AIX
•HP-UX
•HP OpenVMS
Anti Virus
•Kaspersky
•McAfee
•Symantec
•TrendMicro
•Sybari
•Sophos
Firewall
•Cisco ASA-
PIX
•F5 BIG-IP
•Juniper
•Lucent
•Symantec
Network
Monitor
•Nagios
•MSCC
•ISC
Router
•Cisco IOS
•Juniper OS
•HP H3C
Web
Cache&Filter
•Bluecoat
•Microsoft ISA
•Netcache
•Squid
•Websense
•Ironport
Switch
•Cisco Catalyst
•Cisco CSS
•Cisco NX-OS
•Foundry
•HP Ethernet
•HP ProVurve
Webserver
•Apache
•Microsoft IIS
•Sun One
Storage
•NetAPP
•EMC
•HP
Virtualization
•Vmware
ESX/ESXi
•Vmware
vCenter
•Citrix
VPN Device
•Cisco VPN
•Citrix Access
•Juniper VPN
•CheckPoint
VPN-1
•Alcatel VPN

Arcsight Architecture Details
Single Logger with a Single ESM Instance
Single Logger with a Single ESM Parallel Instance
Multiple Logger with a Single ESM Instance
Multiple Hierarchal ESM Instance
Arcsight Redundancy Architecture
48

ArcSight Express (All-in-one security Appliance) 49

Single Logger with a Single ESM
Instance
50

Single Logger with a Single ESM
Parallel Instance
51

Multiple Logger with a Single ESM
Instance
52

Multiple Hierarchal ESM Instance 53

Full Packet Capture / Analytics 54

RSA PA 55

Source fire or Cisco AMP 56

Forensic Framework Tools
 Network Forensic Tools
 Data Forensic Tools
 Forensic Project Tools
57

Digital Forensic Leader 58

59
‫منبع‬:KPMG
‫سال‬ ‫در‬ ‫صنعت‬ ‫هر‬ ‫تفکیک‬ ‫به‬ ‫اطالعات‬ ‫نشت‬ ‫آمار‬2014

60
‫منبع‬:Infowatch
•‫هر‬Channel‫از‬ ‫یکی‬ ‫بیانگر‬
‫اطالعات‬ ‫خروج‬ ‫و‬ ‫ورود‬ ‫مجاری‬
‫است‬.
•‫سهم‬ ‫روبرو‬ ‫نمودار‬ ‫در‬ ‫دقت‬ ‫با‬
‫شده‬ ‫پرینت‬ ‫اطالعات‬ ‫و‬ ‫مدارک‬
،‫کاغذ‬ ‫روی‬ ‫بر‬Web‫و‬Email
‫میباشد‬ ‫توجه‬ ‫جالب‬ ‫بسیار‬.
‫کانال‬ ‫هر‬ ‫تفکیک‬ ‫به‬ ‫اطالعات‬ ‫نشت‬ ‫نمودار‬

Data Leak Channel 61

62Data Leak Channel

63US$
‫منبع‬:Ponemon Institute
‫وقوع‬ ‫علت‬ ‫تفکیک‬ ‫به‬ ‫اطالعات‬ ‫نشت‬ ‫هزینه‬ ‫آمار‬

64
‫هس‬ ‫محرمانه‬ ‫اطالعات‬ ‫نشت‬ ‫عامل‬ ‫بیشترین‬ ‫تجاری‬ ‫شرکای‬ ‫و‬ ‫داخلی‬ ‫کارکنان‬‫تند‬
•‫میشوند‬ ‫اشتباه‬ ‫دچار‬ ‫محرمانه‬ ‫محتوای‬ ‫با‬ ‫کار‬ ‫هنگام‬ ‫در‬ ‫داخلی‬ ‫کارمندان‬.
•‫میدهند‬ ‫افزایش‬ ‫را‬ ‫اطالعات‬ ‫نشت‬ ‫خطر‬ ‫تجاری‬ ‫ناقص‬ ‫فرآیندهای‬ ‫و‬ ‫های‬ ‫رویه‬.
‫میدانند‬ ‫الزامی‬ ‫را‬ ‫ها‬ ‫داده‬ ‫از‬ ‫حفاظت‬ ‫مقررات‬.
•‫خصوصی‬ ‫های‬ ‫داده‬ ‫حفظ‬ ‫لزوم‬ ‫بر‬ ‫قانونی‬ ‫مراجع‬ ‫تمرکز‬ ‫رشد‬
•‫محرمانه‬ ‫های‬ ‫داده‬ ‫روی‬ ‫بر‬ ‫کنترل‬ ‫وجود‬ ‫اثبات‬ ‫به‬ ‫نیاز‬
‫تهدیدات‬ ‫بیستر‬ ‫هرچه‬ ‫شدن‬ ‫پیچیده‬
•‫میدهند‬ ‫قرار‬ ‫هدف‬ ‫را‬ ‫باال‬ ‫بسیار‬ ‫ارزش‬ ‫با‬ ‫های‬ ‫داده‬ ‫بیرونی‬ ‫تهدیدات‬.
•‫دارند‬ ‫قرار‬ ‫کجا‬ ‫در‬ ‫ها‬ ‫داده‬ ‫اینکه‬ ‫مورد‬ ‫در‬ ‫محدود‬ ‫دید‬.
88%
‫داده‬ ‫نشت‬
81%
‫مالی‬ ‫شرکتهای‬ ‫اطالعات‬ ‫از‬
‫از‬ ‫پیروی‬ ‫عدم‬ ‫زمان‬ ‫در‬
‫همچون‬ ‫مقرارت‬PCI
DSS‫نموده‬ ‫پیدا‬ ‫نشت‬
6.7$
‫هزینه‬ ‫میانگین‬
‫به‬ ‫داده‬ ‫نشت‬
‫دالر‬ ‫میلیون‬
DLP‫زیرا‬ ‫است‬ ‫الزام‬ ‫یک‬:

How Work DLP simple view 65

66DLP Main Feature

67DLP Insight and workflow

68How to reduce Risk by DLP

69DLP Leader

70
88%
81%
‫مالی‬ ‫شرکتهای‬ ‫اطالعات‬ ‫از‬
‫از‬ ‫پیروی‬ ‫عدم‬ ‫زمان‬ ‫در‬
‫همچون‬ ‫مقرارت‬PCI
DSS‫نموده‬ ‫پیدا‬ ‫نشت‬
Symantec DLP Platform

71Symantec DLP Architecture

Symantec DLP for Storage 72
88%

Symantec DLP for Endpoint 73
88%
BYOD

Symantec DLP for Network 74

EMC/RSA DLP 75

76RSA DLP Platform

77RSA DLP Architecture

RSA DLP for Datacenter 78

RSA DLP for Network 79

RSA DLP for Endpoint 80
BYOD

McAfee DLP 81

82McAfee DLP Platform

McAfee Main Feature 83
• McAfee ePolicy Orchestrator
• McAfee Workflow framework
• Fully SIEM Integrated
• Fully VDI Supported
• MDP Supported
• By Certificate
• By FDE

Time Champions 84

First Strategy for Server Protection 85
‫در‬ ‫قدم‬ ‫اولین‬ ‫میگوید‬‫شکل‬
‫دهی‬‫سرو‬ ‫از‬ ‫حفاظت‬ ‫استراتژی‬‫ر‬
‫سازی‬ ‫پیاده‬SCM‫است‬!

Configuration Hardening Critical Step 86
‫میگوید‬:
Configuration hardening
2nd
‫در‬ ‫گذار‬ ‫تاثیر‬ ‫کنترل‬
‫است‬ ‫حساس‬ ‫اطالعات‬ ‫امنیت‬ ‫حفظ‬.

SCM‫؟‬ ‫چیست‬ 87
‫مشترک‬ ‫فصل‬IT Security‫و‬IT Operations
‫است‬ ‫افزار‬ ‫نرم‬ ‫بر‬ ‫مبتنی‬ ‫جامع‬ ‫حل‬ ‫راه‬ ‫یک‬.
‫هدف‬SCM‫با‬ ‫تطابق‬ ‫بررسی‬Baseline Configuration
Vulnerability
assessment
Automated
remediation
Configuration
assessment SCM

SCM Workflow 88
1
Integration of
Network &
Endpoint
Protection
2
Comparing to
the Baseline
Configuration
3
Test failure =
Baseline
deviation
4
Remediation

SCM Anatomy 89

FIM or SCM Brother 90
Infrastructure
Configuration
Protection
SCM
OS & System
Files
Protection
FIM

Time Champions 91

First Strategy for Client Protection 92
‫در‬ ‫قدم‬ ‫اولین‬ ‫میگوید‬‫ده‬ ‫شکل‬‫ی‬
‫از‬ ‫حفاظت‬ ‫استراتژی‬‫کالینتها‬
‫سازی‬ ‫پیاده‬PM‫است‬!

Why Patch Management 93

Patch Management Lifecycles 94
1. Discover
2. Assess
3. Prioritize
4. Remediate
5. Report

More than 1400 big company Use… 95

We need … 96

Overall Architecture 97

Platform Module and Architecture 98
• Unix/Linux/FreeBSD/Cisco IOS Monitoring
– Record SSH, Telnet and Console Sessions
• Windows Monitoring
– Record RDP, Terminal Server and Console Sessions
• Citrix and VMware Monitoring
– Record and analyze all user activity in Citrix XenApp and
VMware published application, XenDesktop and VDI
• Gateway Monitoring
– Record and analyze all activity of remote users connecting via
jump-server gateways
• Employee Desktop Monitoring
– Record and analyze user activity in all desktop application, Web
application and VDI Session

Gateway or Jump Server Architecture 99

Window Agent Architecture 100

Unix/Linux Agent Architecture 101

Citrix / Horizon View Architecture 102

Dashboard Demo

Billions of Database Records
Breached Globally
107
98% records stolen
from databases
84% records breached
using stolen credentials
92% discovered
by third party
71% fell within minutes

Why Database is Vulnerable ? 108
Network Security
Data Encryption
Endpoint Security
Web Application
Firewall
Email Security
Authentication & User
Security

109
Activity Monitoring
Database Firewall
Auditing and Reporting
DETECTIVE
Redaction and Masking
Privileged User Controls
Encryption
PREVENTIVE ADMINISTRATIVE
Sensitive Data Discovery
Configuration Management
Privilege Analysis
Defense-in-Depth for Maximum Security
Database Security Solution

110
Activity Monitoring
Database Firewall
Auditing and Reporting
DETECTIVE
Redaction and Masking
Privileged User Controls
Encryption
PREVENTIVE ADMINISTRATIVE
Sensitive Data Discovery
Configuration Management
Privilege Analysis
Detect and Block Threats, Alert, Audit and Report
Database Security Solution

111
White List
Applications
Block
Allow
SELECT * from stock
where catalog-no='PHE8131'
SELECT * from stock
where catalog-no=‘
' union select cardNo,0,0
from Orders --’
Databases
• “Allowed” behavior can be defined for any user or application
• Automated white list generation for any application
• Out-of-policy database transaction detected and blocked/alerted
• WAF detect signature on URL but DBF detect Structure on Quarry
Database Firewall Smart Mechanism

112
SELECT * FROM
v$session
Block
Allow
+ Log
Black List
DBA activity
from Application?
SELECT * FROM
v$session
DBA activity from
Approved Workstation
• Stop specific unwanted SQL interactions, user or schema access
• Blacklisting can be done on factors such as time of day, day of week,
network, application, user name, OS user name etc
• Provide flexibility to authorized users while still monitoring activity
Database Firewall Smart Mechanism

113
DAM Benefit
Monitor All
Database
Activity
Database
Administration
Control
Monitor
Database
Operation
Protection
Database
System
Advanced
Auditing
SIEM/SOC
Integration
DAM Component
Database Firewall Policy Analyzer
Database Firewall
Management
Server
Database
Administration
Console
Database Activity Monitor Insight

114Sample Architecture Overview

Database Support Platform
Oracle
Oracle Exadata
Microsoft SQL Server
IBM DB2 (on LUW, z/OS and DB2/400)
IBM IMS on z/OS
IBM Informix
IBM Netezza
SAP Sybase
Teradata
Oracle MySQL
PostgreSQL
Progress OpenEdge
115

Database Firewall Architecture 116

Cloud Security Model 117

The Big Data Approach 118

IT Insight and Agility 119

SOC Overview (AT&T Sample) 120

SOC Foundation

More Related Content

What's hot

Viewers also liked

Similar to SOC Foundation

SOC Foundation