What you need to know about NGSOC. Presented at #CSXAsia #ScavengerHunt about Next Generation Security Operation Centre NGSOC.
•
0 likes•1,079 views
Next Generation Security Operation Centre NGSOC
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (15)
Similar to What you need to know about NGSOC. Presented at #CSXAsia #ScavengerHunt about Next Generation Security Operation Centre NGSOC.
Similar to What you need to know about NGSOC. Presented at #CSXAsia #ScavengerHunt about Next Generation Security Operation Centre NGSOC. (20)
Recently uploaded
Recently uploaded (20)
What you need to know about NGSOC. Presented at #CSXAsia #ScavengerHunt about Next Generation Security Operation Centre NGSOC.
- 1. !"#$%&"'"()$*+'%,"-.(*$/% 01"()$*+'2%3"'$("%4!&,035% 67)$%8+.%!""9%:+%;'+<= ALAN YAU TI DUN CISA CISM CGEIT CRISC CISSP CSXF CCSK ITIL !"#$#%&#'#("!#%%$)*+!,!$#+!-.%#./%0*-,)"!-.#'%/)1)'-0&).+%/!*)$+-*%2345647% !"#$#%&#'#("!#%%"0)$!#'%!.+)*)"+%8*-90%4%: $;#!*0)*"-. !"#$#%&#'#("!#%%$(<)*")$9*!+(%.)=9"%'!#!"-.%-,,!$)* $;!),%+)$;.!$#'%-,,!$)*%#+%"("#*&(%
- 2. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J !"#$%&"!"'($)*!%+",-')$.%*/"'($)*!+%,"!$"' ! 3/L"(2"-.(*$/%:7(")$%MH+< ! 3/L"(2"-.(*$/%%3+.'$"(%N")2.(" ! !"#$%&"'"()$*+'%,"-.(*$/%01"()$*+'%3"'$"( ! O2"%3)2"%P Q.*H9*'>%!&,03 ! ,.FF)(/ " RSG !"#$%&"!"'($)*!%+",-')$.%*/"'($)*!+%,"!$"'
- 4. :DTU%V%WU0:T3:D0! XNY U)'2+F<)("%MH+<%% D!:TU!GZT[:TU!GZ XNY D!:TU!GZT[:TU!GZ BJ%TNGDZ @J%6TQ VJ%]W! ^J 3ZDT!:%,TU]TU%GWW BJ%MDUT6GZZ @J%WU0[8 &G:T6G8 VJ%NGDZ &G:T6G8 ^J%G!:D]DUO, &G:T6G8 _J%DW,%`%DX, BJ%!T:60U;%XT]D3T @J%,T3OUD:8 XT]D3T VJ ,TU]TU ^J%T!XW0D!: BJ%MDUT6GZZ @J DW,%`%DX, VJ%T!XW0D!: BJ%D!Q0[ @J%QU06,TU VJ Z03GZ%MDZT ^J%UTN0]GQZT%MDZT _J%!T:60U;%MDZT XG:GQG,T X*2)LH"% N)-(+%D' N*-(+2+E$%0EE*-" 3(")$"%S%U.'% Q)$-7%M*H"%a%,-(*1$ :*"(%B% :*"(%@ :*"(%V% W(+$"-$*+' X+<'H+)9%%S% T#"-.$"%N)H<)(" :*"(%B% :*"(%@ :*"(%V% W(+$"-$*+' X)$) Q(")-7 !"$<+(b%0.$)>" X"E)-"F"'$cJJ U.'% U)'2+F<)("J"#" U)'2+F)<)("% !">+$*)$" T'-(/1$*+'%;"/ :*"(%B% :*"(%@ :*"(%V% W(+$"-$*+' U)'2+F<)("% T'-(/1$%X)$) U)'2+F<)("%MH+<%% U)'2+F<)("% X"H"$"%Q)-b.1% M*H"2 CJ%6GM dJ%GW: eJ%XX0, BJ ,*>')$.("%O19)$" @J%W+H*-/%M*'"%:.'*'> VJ%Z+>%N+'*$+(*'> 0EEH*'"%Q)-b.1 :DTU%B%WU0:T3:D0! CJ%!G3 dJ%XQ%MDUT6GZZ eJ%WUD]DZG&T% DXT!:D:8 fJ%GX]G!3T% T!XW0D!: W(*K*H">"%S%G11%Z+-b9+<'% BJ O2"(%G<)("'"22 BJ ,*>')$.("%O19)$" @J%W+H*-/%M*'"%:.'*'> VJ%Z+>%N+'*$+(*'> :DTU%V%WU0:T3:D0! :DTU%@%WU0:T3:D0! N)H*-*+.2%OUZ W7*2*'> a%N*27*'> 3'3%Q+$!"$ G.$+(.' 0'%U"F+K)LH" W(*K*H">"%S%G11%Z+-b9+<'% W(*K*H">"%S%G11%Z+-b9+<'%
- 7. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J !"#$%&"!"'($)*!%+",-')$.%*/"'($)*!+%,"!$"' ,$"1%B g M.'9)F"'$)H%,"-.(*$/%N")2.("2 ,$"1%@,$"1%@ g G9K)'-"9%,"-.(*$/%N")2.("2 ,$"1%V,$"1%V g ,1"-*E*-%G9K)'-"%:7(")$%3+.'$"(F")2.("2 ,$"1%^,$"1%^ g Q"2$%GK)*H)LH"%,"-.(*$/%W()-$*-"2
- 8. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J !"#$%&"!"'($)*!%+",-')$.%*/"'($)*!+%,"!$"' 789:;%+<;=>:?@%2<89=><9 ! G'$*K*(.2%,/2$"F2 ! D'$(.2*+'%X"$"-$*+'%,/2$"F2 ! M*("<)HH2 ! G--"22%3+'$(+H (AB8C;<A%+<;=>:?@%2<89=><9 ! D'$(.2*+'%W("K"'$*+'%,/2$"F2 ! X)$)%Z")b%W("K"'$*+' ! ].H'"()L*H*$/%,-)''*'> ! W"'"$()$*+'%:"2$*'> ! X)$)L)2"%G-$*K*$/%N+'*$+(*'>%4XGN5
- 9. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J !"#$%&"!"'($)*!%+",-')$.%*/"'($)*!+%,"!$"' +D<;:E:;%(AB8C;<%$F><8?%,G=C?<>H<89=><9 ! G9K)'-"%T'91+*'$%W(+$"-$*+' ! !"$<+(b%W)-b"$%D'21"-$*+' ! G9K)'-"%:7(")$%X"$"-$*+' ! XX0, ! M*H"%D'$">(*$/%N+'*$+(*'> ! ,"-.(*$/%D'E+(F)$*+'%)'9%TK"'$%N)')>"F"'$ 7<9?%(B8:I8JI<%+<;=>:?@%/>8;?:;<9 ! ,"-.(*$/%X"K"H+1F"'$%Z*E"-/-H" ! X*2)2$"(%U"-+K"(/
- 11. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J !"#$%&"!"'($)*!%+",-')$.%*/"'($)*!+%,"!$"' :7" $7(")$ H)'92-)1" 7)2 "K+HK"9J 3/L"(2"-.(*$/ *2 +E F)h+( -+'-"(' '+< $+ L+$7 $7" 1.LH*- )'9 1(*K)$" 2"-$+(I )'9 >+K"('F"'$ 2"-$+( )(" <+(b*'> $*("H"22H/ $(/*'> $+ 9"E"'9 $7"*( "'$*(" "'$"(1(*2" E(+F ) L(")-7J :7*2 2"22*+' <*HH -+K"( $7" ("i.*("F"'$ E+( L.*H9*'> +( +.$2+.(-" /+.( !&,03 I )'9 9*2-.22 7+< *$ -)' 7"H1 +(>)'*j)$*+'2 1("1)(" E+( F*$*>)$*'> )>)*'2$ E.$.(" -/L"( )$$)-b2J G2 $7" 38QTU,T3OUD:8 -+K"( ) L(+)9 2-+1" +E )(") )'9 E+( $7*2 2"22*+' <" <*HH L" E+-.2*'> F+(" +' !"#$ &"'"()$*+' ,"-.(*$/ D'-*9"'$ )'9 TK"'$ N+'*$+(*'> 4,DTN5 )2 +.( )(") +E 9*2-.22*+'J
- 13. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J !"#$%&"!"'($)*!%+",-')$.%*/"'($)*!+%,"!$"' '<;GB<> U"-+K"(/%WH)''*'> 3+FF.'*-)$*+'2 3+'$*'.+.2%DF1(+K"F"'$2 '<9DGCA N*$*>)$*+' '<9DGCA'<9DGCA'<9DGCA G')H/2*2 3+FF.'*-)$*+'2 3<?<;? G'+F)H*"2%)'9%TK"'$2 ,"-.(*$/%3+'$*'.+.2%N+'*$+(*'> X"$"-$*+'%W(+-"22"2 />G?<;? G--"22%3+'$(+H G<)("'"22%)'9% :()*'*'> X)$)%,"-.(*$/ D'E+(F)$*+'%W(+$"-$*+'% W(+-"22"2%)'9%W(+-"9.("2 )A<C?:E@G22"$% N)')>"F"'$ Q.2*'"22% T'K*(+'F"'$ )A<C?:E@)A<C?:E@)A<C?:E@ &+K"(')'-" U*2b%G22"22F"'$ U*2b N)')>"F"'$
- 16. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J $>N+'$7klA_l%$>m+.(klBel%$>X)/klBVl%$>N*'.$"klAdl%T3kl_^Al%3kl@l%3,klZ+>+'n`Z+>+EEl%Zkl,"-.(*$/l%D,klZNOUWm8%I:[X0:B%I4A#B_IA#TeeGA^ee5%IVI;"(L"(+2% I;"(L"(+2%I%Io-9dL^CV)d@C"B)"-^E9_9)L"d9-A@VB"p%II I I I IB^^J^_JBVeJCf%IBAffl%,!kl,"-.(*$/l%U!kl^^CBAel%[Nkl,.--"22E.H !"$<+(b%Z+>+'q%%%%%O2"(%!)F"q% ZNOUWm8%%%%%X+F)*'q%%:[X0:B%%%%%Z+>+'%DXq%%4A#B_IA#TeeGA^ee5%%%%%Z+>+'%:/1"q%V%%%%%Z+>+'%W(+-"22q%;"(L"(+2%%%%%G.$7"'$*-)$*+' W)-b)>"q%;"(L"(+2%%%%%6+(b2$)$*+'% !)F"q%%%%%%Z+>+'%&ODXq%o-9dL^CV)d@C"B)"-^E9_9)L"d9-A@VB"p%%%%%3)HH"(%O2"(%!)F"q% 3)HH"(%X+F)*'q% 3)HH"(%Z+>+'%DXq% 3)HH"(%W(+-"22%DXq% :()'2*$"9% ,"(K*-"2q% ,+.(-"%!"$<+(b%G99("22q%B^^J^_JBVeJCf%%%%%,+.(-"%W+($q%BAff%%%%l%$>,"-+'9klB@l%Okl:[X0:BnnZNOUWm8l%:klG.9*$%,.--"22l%T:kl^l%$7*2kl"K"'$l% 3!klm0OX3l%TDkl_^Al%$>8")(kl@ABAr BB@A%%%AAAAAAAAAAAAAAAAAAA@:,]@ABAACA@B@J^eJ^VJV^VddCRWGXT]AAA3R,T30MU%%%CAAAfB%%R3NX%%%%%%R,8,%%%%%%s,8,QG,%%%B%%%%%%%%%%%%% AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAR,T30MU%%%0N!DG,@%tutututututututututuAAAAAABA_dAB@fB_AAdAee@VA^GOXU3]AAAeR,8,%%%%%% s,8,QG,%%%B%%%%%%B%%%%%%tutututututututQAAAAAAAAAAAAAAA@^VCfA%% VCBVCVVCA;VCBVC@VCd;VC_;VCCVCduuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu D!AfA@BAIT,T3XQGIGWWZGQ,nnXZMX:GWWAeAVIXZMX:GWWAeAVI@ABAn`A^n`@d%BeqAdqV^I@ABAn`A^n`@d%BeqAeq_@I@ABAn`A^n`@d%BeqAeq_@IBABIZ0&0MMIIG.$7"'$*-)$"9%L/q% XG:GQG,Tv%3H*"'$%)99("22q%4GXXUT,,k4WU0:030Zk$-154m0,:kBf@JBCeJBdAJBB54W0U:k@dee55IBABedIBIBIAIIIIVA__VIIIII9HE9$)11@BCAI0()-H"%X)$)L)2"%BA>%T'$"(1(*2"% T9*$*+'%U"H")2"%BAJ@JAJVJA%P W(+9 olGZTU:lqolNG!X:lqlAABlIlN,&lqlZ+>+'%,.--"22E.H% 4:/1"kO5lIlUTW0U:TXQ8lql,"-.(*$/G.9*$lIlN:N3!GNTlql2)12"(K"(wXNAwABlIlGU&:8WT@lql3lIlT[:D!XT[lqlAAAAAAAAB@lIl0QxT3:!GNTlql,"-.(*$/lIlN,&GU&@lql OSAlIlN:3ZG,,lqlBABlIlN,&GU&BlqlGOBlIlO,TUDXlql,GWx,MlIl,:G:O,lql^AlIlGU&:8WT^lql3lIl,:G:3m&XG:lql:."%N)(%@^%AAqAAqAA%WX:% @AAflIlN:D!XT[lqlAAAAAAABdClIl]GZOTlql@lIlN,&:T[:lql,"-.(*$/%G.9*$q%Z+>+'% TK"'$lIl,T]TUD:8lql@__lIl,:G:3m&Q8lql,"-.(*$/G.9*$lIlGZ,8,DXlqlXNAlIlGU&:8WTVlql3lIlN,T&!GNTlql,GWw33N,w2)12"(K"(wXNAwABlIlN,3&ZDXlqlGOBlIlN:! ONUG!&TlqlAVVlIlGZTU:XG:Tlql:."%N)(%@^%AAqAAqAA%WX:%@AAflIlMDTZX!GNTlqlZ+>+'lIlGZO!DR!ONlqlAAAACf^V_@lIlN:,8,DXlqlXNAlIlGZTU::DNTlql:7.%x)'%AB% AeqBfq@^%W,:%BfdAlIl,:G:3m&:DNlql:7.%x)'%AB%AeqBfq@^%W,:%BfdAlIlU3lqlAlIlN,&DXlqlGOBlIlGZD!XT[lqlAAAAAAdV^AlIlGU&:8WTBlql3lIlN,&3ZG,,lql,GW 8,Z0&lIlN:ODXlqlAAAABAAABAlpIl,8,!UlqlABlIlm0,:lqlBf@JBCeJVJdlp :7"%37)HH"'>"%M+(%Z+>%G')H/2*2 X+%/+.%F)')>"%$+%)')H/j"%"K"(/%2*'>H"%H*'"%E(+F%$7"2"%$7+.2)'9%H*'"2%+E%H+>% E+(%"K"(/%F*'.$"2=
- 18. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J ,=9?GH<>%$@D< 5GK%4GI=H<%L&79% M38@N "B<C?9%M%38@ "B<C?9%M%+<; 3H+.9 W(+K*9"( _AIAAA BCCICCCICCCICC d BIf@fIAB@ ,+-*)H%N"9*)% 0(>)'*j)$*+' @_IAAA eVIVVVIVVVIVVV fC^I_AC :"H-+y2 BIAAA VIVVVIVVVIVVV VeI_eA T'$"(1(*2"%z%BAAA% "F1H+/""2 VAA BIAAAIAAAIAAA BBI_d^ ,NT BA VVIVVVIVVV VeC m+<%Q*>%D2%:7"%Z+>%,*j"%===
- 20. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J g 67+%*2%9+*'>%<7)$= g 67)$%)--"22%9+%$7"/%7)K"= g D2%$7)$%)--"22%)11(+1(*)$"= g 67"("%)("%$7"/%)--"22*'>%E(+F= g D2%$7*2%'+(F)H%L"7)K*+(= g G("%$7"("%+$7"(%D'9*-)$+(2%+E%3+F1(+F*2"%E+(%$7"% 2)F"%)--+.'$`7+2$`2"(K*-"= 67+%*2%9+*'>%<7)$= 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J
- 21. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J Log collection Centralized aggregation Long-term log retention Log rotation Log search and reporting. Log analysis after storage !"#$%&'&#(%(')$*!%+ 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J Same functionality as “LM” Standard Correlation Alerting Dashboards Retention (Correlated Event) Forensic Analysis ,(-./0)1$0'-02(')$&'2$(3(')$ %&'&#(%(')$*,0(%+ 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J Same functionality as “SIEM” Advanced correlation Intelligence Feed Anomalies Detection Support Customization Support Cloud Deployment Integration with Security Solution '(4)$#('(/&)0"'$,0(%$*'#,0(%+ The Challenge g Huge log-volumes g Log-format diversity g Proprietary log-formats g False positive log records The Challenge g Lack of Intelligence Feed g Intensive Human Analytics g Lack of Incident Work Flow g Rigid Deployment Scale The Challenge g Security Analytic Framework g Storage Architecture g Actionable Intelligence g Implementer Skillset g ID Management Integration 52%%%%%%B9 +)"2%%%%%B9 !&+)"252%%%%%%B9 +)"2%%%%%B9 !&+)"2
- 26. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J !"#$%&' ()*&' +&,-%.*#./0' 102.0&' 3#/%"4&' !"#$%"&'()*"%+,5' 6/%7&%2)'80/90'",'-*.%-' ,#/%"4&:' 1*#.7.;&<'6/%'=$.-8'9%.#&,'"0<'6",#'%&#%.&>"2:'3#/%&,'#?&' 7/,#'",.,/)-&'.*--,.),0',1,/)'0%)%'%/0')2,'$*()' 3",45,/)-&'(,%".2,0',1,/)'0%)%6' 7,.*/0%"&'()*"%+,5' 6/%7&%2)'80/90'",' /,)8*"9',#/%"4&'6/%' &@"7*2&'3A!:' 1*#.7.;&<'#/'%&<$-&',*"-&'$,"4&'/0'/*#./0"22)'-,((' ,:;,/(#1,'()*"%+,'82#-,'()#--'(5;;*")#/+'3%()'",)"#,1%-6' !B3CDE'"$#/7"#.-"22)'7.4%"#&,'<"#"' *"%#.#./0,'#/'#?&',&-/0<"%)',#/%"4&:' !1(DF'+"#"'%&#&0#./0'*/2.-.&,5',&"%-?&,5'"0<'%&*/%#,'/*&%"#&'/0'&>&0#'<"#"'*"%#.#./0,' %&4"%<2&,,'/6'9?&#?&%'#?&)'"%&'%&,.<.04'/0'*%.7"%)'/%',&-/0<"%)',#/%"4&5'/%'G/#?:' 1662.0&' 3#/%"4&' <".2#1%-'()*"%+,' H",&'/0'%&#&0#./0'*/2.-.&,'"%-?.&>&<'2/4'9.22'G&'G"-8'$*'#/' *33-#/,'()*"%+,'(5.2'%(')%;,'6/%',"6&'8&&*.04:'I?&0'.,' 0&&<&<'.#''-"0'G&'",#$;*")'3*"'5(,'#/'-*/+=),"$'3*",/(#.' %/%-&(#(:' !&,DTN 2$+()>" 27+.H9 L" 9"2*>' .2*'> $7" $F><< $:<> (>;F:?<;?=>< +?G>8K< $+ ("2+HK"9 $7" 2$+()>" -7)HH"'>"J Q/ 9"E).H$I !&,DTN ("-"*K"2 $<+ 2"1)()$" L.$ ("H)$"9 9)$) 2$(")F2 E(+F $7" 3+HH"-$+( N)')>"(2q $7" 1)(2"9 <B<C? A8?8 )'9 $7" >8Q A8?8J :7" ()< 9)$) *2 :HH<A:8?<I@ 9?G><A :C D>G?<;?<A D8>?:?:GC9 $+ 1(+K*9" ) 9<;=>< <B:A<C;< ;F8:CJ +$*'(&" (',1)$",$-'"
- 27. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J !"#$ &"'"()$*+' ,"-.(*$/ D'E+(F)$*+' )'9 TK"'$ N)')>"F"'$ 4!&,DTN5 2+H.$*+' 2*F1H*E*"2 $7" 9"1H+/F"'$I F)')>"F"'$ )'9 9)/$+9)/ .2" +E ,DTNI (")9*H/ )9)1$2 $+ 9/')F*- "'$"(1(*2" "'K*(+'F"'$2 )'9 9"H*K"(2 $7" $(." r(;?:GC8JI< )C?<II:K<C;<l 2"-.(*$/ 1(+E"22*+')H2 '""9 $+ i.*-bH/ .'9"(2$)'9 $7"*( $7(")$ 1+2$.(" )'9 D>:G>:?:R< ><9DGC9<J (,$)*!(75" )!$"55)&"!,"
- 28. !"#$%&'&#() Threats > *+,-./0$12/-3345-26- ,GII<;? !G>H8I:R< />G;<99 ,G>><I8?< '<DG>? Logging Triggered *+,-./0$12/-3345-26-$GGI9%M%$8;?:;9%M%$<;FC:S=<9 (C8I@?:;9 71(%71(% !"#$%&"!%+*,%/"*/5" /'*,"++ $",1!*5*&. g!&,03%N+'*$+(*'> g].H'"()L*H*$/%G22"22F"'$ gW"'"$()$*+'%:"2$ g!03%3+F1+'"'$%N+'*$+(*'>%4W"(E+(F)'-"%)'9%GK)*H)L*H*$/5 g3/L"(%:7(")$%GH"($%G')H/2*2 gM+("'2*-%G')H/2*2 gD'-*9"'$%m)'9H*'>%G'9%U"21+'2"2 g&H+L)H%:7(")$%!+$*E*-)$*+' g0'2*$"I%W7+'"%S%TF)*H%,.11+($%
- 29. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J !&+*,%/"*/5" /'*,"++ $",1!*5*&. Team Leader Shift 1 (Day) Shift 2 (Day) Shift 3 (Night) Shift 4 (Night) Threat Analyst Operation SOC Manager Threat Analyst Threat Analyst Security Engineer Threat AnalystThreat Analyst Threat Analyst Security Engineer 30!,OZ:G!:% Threat Analyst Threat Analyst Threat Analyst Threat Analyst Threat Analyst Security Engineer Security Analyst Security AnalystSecurity Analyst :mUTG:%G!GZ8,: Security Engineer Security Analyst Security Analyst Security Analyst Security Analyst Security Analyst Security Analyst Security Analyst Security Analyst Security Analyst T!&D!TTU Incident Respond Threat Analyst />:C;:D8I%,GC9=I?8C? />:C;:D8I%,GC9=I?8C? Team Leader Team Leader Team Leader
- 31. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J :++H%B g !"#$ &"'%,DTN :++H%@:++H%@ g G9K)'-"%T'91+*'$ X"$"-$*+'%S%%U"21+'2" :++H%V:++H%V g !"$<+(b%W)-b"$%G')H/$*- :++H%^:++H%^ g G9K)'-"%W"(2*2$"'$%:7(")$%X"$"-$*+'%S U"21+'9 :++H%_:++H%_ g :7(")$%D'$"HH*>"'-"%D'$">()$*+' 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J !&+*,%/"*/5" /'*,"++ $",1!*5*&.
- 33. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J B g :()9*$*+')H%,03%K2%!&,03 @ g N"$7+9+H+>/ V g ,-"')(*+ B%,RZ%D'h"-$*+' ^ g ,-"')(*+ @%U)1*9%,-)''*'>% _ g rNDUGD{%X"$"-$*+' -+"%,(+"
- 34. !"#$%&"'"()$*+'% ,"-.(*$/%01"()$*+'%3"'$"( 4!&,035 )$$)-b*'> WU0:T3:D!& 3/L"(2"-.(*$/% N+'*$+(*'> !&M6% M*("<)HH G--"22%`%DX!"$<+(b%W(+#/ 6"L%G11H*-)$*+'% M*("<)HH 6"L%,"(K"( T'9%O2"( 4!&,035 NEXT GENERATION SOC T'9%W+*'$ GW: H">*$*F)$" !"$<+(b D'$"HH*>"'-" TRADITIONAL SOC
- 36. • Condition 1 SQL Injection Attack detected at WAF • Condition 2 There are abnormal traffic occur on Firewall activity Result: Correlate both Condition 1 & 2 Indicator of Compromise
- 38. • Condition 1 High inbound traffic from one source IP towards multiple port • Condition 2 High GET 200,GET 403, GET 404 request from Web Server Result: Correlate both Condition 1 & 2 Indicator of Compromise
- 40. DDoS attacks are not a new phenomenon and we often hear companies getting hit by these attacks. We need to understand that before DVN DNS attack. There is 2 major DDOS attack which is Brian Kerbs 665Gbps and OVH 1TTbps. Apparently, the attack was a response to his blog post in which he exposed a DDoS service vDOS operators.
- 41. This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn. IOT BOTNET ATTACK 33:] 3)F"()I DW 3)F"()I ,F)($ :]I W(*'$"(I N"9*) WH)/"(
- 42. MIRAI BONET DETECTION USING NGSOC Most SOC have actually detected the Indicator of compromise upon gathering intelligence from news feed and forum ahead of the attack date. The IOC hunting reveal that MIRAI had been scanning for available IOT or DNS Server within this region between July to October 2016. However those attempt were mainly drop by firewall. Here is the chronology of detection at our SOC: 21 Oct 2016 7:00 PM DDOS Started using Mirai AT US….. 21 Oct 2016 6:24PM Threat Intelligence about Nyadrop IOT DDOS Related 21 Oct 2016 5:00PM All client have been notify on IOC result 21 Oct 2016 IOC hunting revealed that 191.96.249.29 and 93.158.200.66 had been preforming scan (Port UDP 53, 123, 19, 53413) in very small volume between 28 July 2016 to 11 October 2016 20 Oct 2016 1:19AM Threat Intelligence about MIrai IOT DDOS Related
- 43. 3+1/(*>7$%?%@ABC%D'E+(F)$*+'%,/2$"F2%G.9*$%)'9%3+'$(+H%G22+-*)$*+'I%D'-J%GHH%(*>7$2%("2"(K"9J +-22('. g O'9"(2$)'9%3/L"(,"-.(*$/ :7(")$%MH+< g T'7)'-"9%8+.(%3/L"(2"-.(*$/%X"E"'2"% g X"K"H+1%8+.(%!&,03%U+)9%N)1 g Q.*H9%8+.(%!&,03