
Building a Next-Generation Security Operations Center (SOC)

So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations.

Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc

Published in: Software


  1. Target. Hunt. Disrupt. SQRRL ENTERPRISE: Building the Modern Security Operations Center (SOC)
  2. WHAT ARE WE TALKING ABOUT TODAY? (© 2015 Sqrrl | All Rights Reserved)
     • Who I Am
     • Defining the SOC
       – Functions of a SOC
       – Do you even need a SOC?
     • Organization and Staffing of a SOC
     • SOC Workflow
     • SOC Technology
     • Hunting with Linked Data
  3. WHY LISTEN TO ME?
     • Over 15 years information security experience
     • Ph.D. from SecLab at UC Davis
     • Proposed a SOC for Department of Energy
     • Implementation Lead for the SOC of a large Federal agency
     • Consulted on information security to multiple Federal organizations and commercial clients
  4. WHAT IS A SOC? (Information) Security Operations Center. What a SOC Usually Looks Like vs. What a SOC Should Look Like (public domain image from NASA, no endorsement implied)
  5. WHAT DOES A SOC DO?
     • Core SOC Functions: Receive Reports; Incident Detection (Alert Processing, Hunting); Incident Handling; Threat Intelligence; Engineering
     • Extended SOC Functions: Insider Monitoring; Incident Response; Forensics; Communications / Education; Vulnerability Management
  6. DO YOU NEED A SOC?
     • You are a target – almost anything of value can be targeted by an attacker
     • Cost: Instrumentation, Engineering, Staffing, Management
     • Add-ons, Economies of Scale
     • Build or Buy or Hybrid?
     • See: Trost, “Pulling Up Your SOCs: Best Practices for Building and Operating a Security Operations Center (SOC)”, Interop Las Vegas 2015
  7. WHO WORKS IN A SOC? Flat, wide, and all-encompassing model
     • CIO / CSO → CISO → SOC Manager
     • Reporting to the SOC Manager:
       – Call Center Lead: Tier-1 Analysts
       – Detection Lead: Tier-2 Analysts
       – Hunting Lead: Tier-3 Analysts
       – Threat Lead: Threat Analysts
       – Engineering Lead: Engineers
       – Incident Response Lead: Incident Responders
       – Forensics Lead: Forensic Analysts
       – Comm / Ed Lead: Trainers, Comm Specialists
       – Insider Lead: Insider Analysts
  8. WHO WORKS IN A SOC? Distributed enterprise model
     • CIO / CSO → CISO → SOC Manager
     • Reporting to the SOC Manager:
       – Call Center Lead: Tier-1 Analysts
       – Detection Lead: Tier-2 Analysts
       – Hunting Lead: Tier-3 Analysts
       – Threat Lead: Threat Analysts
       – Engineering Lead: Engineers
     • Site Lead:
       – Incident Response Lead: Incident Responders
       – Forensics Lead: Forensic Analysts
       – Insider Lead: Insider Analysts
       – Education Lead: Trainers
       – Comm Lead: Comm Specialists
  9. WHO WORKS IN A SOC? Nested duties model
     • CIO / CSO → CISO → SOC Manager
     • Reporting to the SOC Manager:
       – Call Center Lead: Tier-1 Analysts
       – Incident Detection and Response Lead: Tier-2 Analysts, Incident Responders, Insider Analysts
       – Threat Lead: Threat Analysts
       – Advanced Analysis Lead: Hunters, Engineers, Forensic Analysts
       – Comm & Ed Lead: Trainers, Comm Specialists
  10. WHO WORKS IN A SOC? Hybrid model
     • CIO / CSO → CISO → SOC Manager
     • Reporting to the SOC Manager:
       – Call Center: Receive Reports
       – MSSP: Incident Detection, Threat Intelligence
       – Advanced Analysis Lead: Hunters, Engineers, Forensic Analysts
       – Site Leads: Incident Responders, Insider Analysts
       – Comm & Ed Lead: Trainers, Comm Specialists
  11. HOW DOES A SOC GET WORK DONE? Or, how I learned to stop worrying and love the process.
     • Observe → Orient → Decide → Act
     • Call Center Processes
       – Internal Incident Report
       – External Incident Report
       – Internal Inquiry
       – …
     • Detection Processes
       – Malware Detection
         – Zeus Alerts
         – Custom Alert X
         – …
     • Shift Changes
     • …
  12. WHAT DOES A PROCESS LOOK LIKE? Some are linear, others not so much.
     • MONITOR → DETECT → ANALYZE → TRIAGE → RESPOND
     • Tools (text truncated on the slide): 1) Don’t tru… literature has tran… buzzwo… 2) Pilot too… vendor b… 3) Tool com… MUST!! (Trost, 2015)
  13. HOW MANY PROCESSES DO I NEED? As many as it takes for your staff to be comfortable and operate in a repeatable manner.
     • Define Process → Execute Process → Evaluate Process
     • Use CMMI as a guide, not a bible. Cheat sheet:
  14. WHAT CAN TECHNOLOGY DO FOR US? After all, it got us into this mess…
  15. SOC TOOLS
     Priority | Function | Tools | SANS Top 20
     Core | Receive Reports | Ticketing System; Call Management System | 18
     Core | Alert Processing | SIEM, Log Management System, Packet Capture, IDS | 14
     Core | Threat Hunting | Linked Data Analysis, Behavioral Analytics | 14
     Core | Incident Handling | Ticketing System | 18
     Core | Threat Intelligence | Threat Management System | -
     Core | Engineering | SIEM, IDS, Health Monitoring | 14
     Extended | Insider Monitoring | SIEM, Log Management System, Host Loggers | 16
     Extended | Incident Response | State Capture Tools, System Inspection Tools | 18
     Extended | Forensics | Log Management System, System Forensics Software, Reverse Engineering Systems | -
     Extended | Vulnerability Management | Vulnerability Management System, Patch Management System | 4
     Extended | Communications / Education | Communications Management System, Course Creation Software | 9
  16. THREAT HUNTING REQUIREMENTS: Linked Data + User and Entity Behavior (Contextual) Analytics
     • Use of ontologies to fuse together disparate datasets into common data models
     • Graph query language and visualizations
     • Petabyte scale
     • Fast ad hoc querying and hypothesis testing
     • Various types of anomaly detection and machine learning techniques to flag outlier devices and users
     • Links as features for analytics
     • Alignment to kill chain methodology
     • Signature-less
  17. HUNTING WITH LINKED DATA ANALYSIS: Different techniques, different perspectives
  18. EXPLICIT LINKS ARE STATED (three Bro log records for one SMTP session; the connection uid Cr4RV91FD8iPXBuoT6 and the file uid Fz892b2SFbpSayzLyl are the explicit links between them)
     files.log: 1999-03-29T13:01:38-0500 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 SMTP 1 MD5 text/x-c - 0.000000 T F 1522 - 0 0 F - 6d01739d1d56c64209098747a5756443 - - -
     smtp.log: 1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 1 delta.peach.mil <hamishs@delta.peach.mil> <tierneyr@goose.eyrie.af.mil> Mon, 29 Mar 1999 08:01:38 -0400 - tierneyr@goose.eyrie.af.mil - <19990329080138.CAA2048> - Phonetics software Tech, - (from mail@localhost) by delta.peach.mil (SMI-8.6/SMI- SVR4)x09id: CAA2048; Mon, 29 Mar 1999 08:01:38 -0400 - 250 Mail accepted 172.16.113.204,194.7.248.153 - F Fz892b2SFbpSayzLyl F
     conn.log: 1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 tcp smtp 0.113325 1923 336 SF ShAdDafF 13 2447 12 820 (empty)
  19. MODELING THE DATA
  20. TRANSITIVE CLOSURE
  21. BRINGING IT ALL TOGETHER
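Slides 18 through 21 (explicit links, modeling the data, transitive closure, bringing it all together) fit together as one small program, and slide 16's "links as features" fits in the same place. What follows is an added example, not code from the presentation or from Sqrrl: it parses the three Bro log records shown on slide 18 (reconstructed here as tab-separated lines, with Bro 2.x header field names assumed; the conn.log header is trimmed to the fields visible on the slide), models uids, hosts, mail addresses, message id and content hash as typed graph nodes joined only by the links the logs state explicitly, walks the transitive closure from a seed entity, and counts links per host as a simple link-derived feature for outlier scoring.

```python
"""Added example, not from the slides: hunting over explicit links in Bro/Zeek logs.
Field names follow the Bro 2.x headers; the conn.log header is trimmed to the
fields visible on the slide (an assumption about the Bro version used)."""
from collections import defaultdict, deque

FILES_FIELDS = ("ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type "
                "filename duration local_orig is_orig seen_bytes total_bytes missing_bytes "
                "overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted").split()
SMTP_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth helo mailfrom "
               "rcptto date from to reply_to msg_id in_reply_to subject x_originating_ip "
               "first_received second_received last_reply path user_agent tls fuids "
               "is_webmail").split()
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
               "orig_bytes resp_bytes conn_state history orig_pkts orig_ip_bytes resp_pkts "
               "resp_ip_bytes tunnel_parents").split()

# Constructed sample records: the slide's values re-joined with tabs, as Bro writes them.
FILES_LOG = ["\t".join([
    "1999-03-29T13:01:38-0500", "Fz892b2SFbpSayzLyl", "172.16.113.204", "194.7.248.153",
    "Cr4RV91FD8iPXBuoT6", "SMTP", "1", "MD5", "text/x-c", "-", "0.000000", "T", "F", "1522",
    "-", "0", "0", "F", "-", "6d01739d1d56c64209098747a5756443", "-", "-", "-"])]
SMTP_LOG = ["\t".join([
    "1999-03-29T13:01:38-0500", "Cr4RV91FD8iPXBuoT6", "194.7.248.153", "1027",
    "172.16.113.204", "25", "1", "delta.peach.mil", "<hamishs@delta.peach.mil>",
    "<tierneyr@goose.eyrie.af.mil>", "Mon, 29 Mar 1999 08:01:38 -0400", "-",
    "tierneyr@goose.eyrie.af.mil", "-", "<19990329080138.CAA2048>", "-",
    "Phonetics software Tech,", "-",
    "(from mail@localhost) by delta.peach.mil (SMI-8.6/SMI-SVR4)\\x09id: CAA2048; "
    "Mon, 29 Mar 1999 08:01:38 -0400", "-", "250 Mail accepted",
    "172.16.113.204,194.7.248.153", "-", "F", "Fz892b2SFbpSayzLyl", "F"])]
CONN_LOG = ["\t".join([
    "1999-03-29T13:01:38-0500", "Cr4RV91FD8iPXBuoT6", "194.7.248.153", "1027",
    "172.16.113.204", "25", "tcp", "smtp", "0.113325", "1923", "336", "SF", "ShAdDafF",
    "13", "2447", "12", "820", "(empty)"])]


def parse_log(fields, lines):
    """Turn tab-separated Bro records into dicts keyed by the header fields."""
    records = []
    for line in lines:
        values = line.rstrip("\n").split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def _many(value):
    """Bro writes sets comma-separated and empties as '-' or '(empty)'; strip <> from addresses."""
    return [] if value in ("-", "(empty)") else [v.strip("<>") for v in value.split(",")]


def build_graph(conn, smtp, files):
    """Model the explicit links as an undirected graph of (kind, value) entities."""
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for r in conn:                      # connection <-> both endpoints
        link(("conn", r["uid"]), ("host", r["id.orig_h"]))
        link(("conn", r["uid"]), ("host", r["id.resp_h"]))
    for r in smtp:                      # connection <-> addresses, message id, attached files
        c = ("conn", r["uid"])
        for addr in _many(r["mailfrom"]) + _many(r["rcptto"]):
            link(c, ("email", addr))
        for msg_id in _many(r["msg_id"]):
            link(c, ("msgid", msg_id))
        for fuid in _many(r["fuids"]):
            link(c, ("file", fuid))
    for r in files:                     # file <-> carrying connection(s), hosts, content hash
        f = ("file", r["fuid"])
        for uid in _many(r["conn_uids"]):
            link(f, ("conn", uid))
        for host in _many(r["tx_hosts"]) + _many(r["rx_hosts"]):
            link(f, ("host", host))
        for md5 in _many(r["md5"]):
            link(f, ("hash", md5))
    return dict(graph)


def transitive_closure(graph, seed, max_hops=None):
    """Breadth-first walk from the seed; returns every reachable entity with its hop count."""
    reached, queue = {seed: 0}, deque([seed])
    while queue:
        node = queue.popleft()
        if max_hops is not None and reached[node] >= max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in reached:
                reached[nxt] = reached[node] + 1
                queue.append(nxt)
    return reached


def link_counts(graph, kind):
    """Degree of every entity of one kind: a link-derived feature for outlier scoring."""
    return {value: len(neigh) for (k, value), neigh in graph.items() if k == kind}


def load_slide_graph():
    """Graph built from the three constructed records above."""
    return build_graph(parse_log(CONN_FIELDS, CONN_LOG), parse_log(SMTP_FIELDS, SMTP_LOG),
                       parse_log(FILES_FIELDS, FILES_LOG))


if __name__ == "__main__":
    g = load_slide_graph()
    seed = ("hash", "6d01739d1d56c64209098747a5756443")
    for node, hops in sorted(transitive_closure(g, seed).items(), key=lambda kv: kv[1]):
        print(hops, *node)
    print("links per host:", link_counts(g, "host"))
```

Run as a script it seeds the walk at the attachment's MD5 and lists every entity within reach with its hop count: the file at one hop, the connection and both hosts at two, the sender, recipient and message id at three. In a real hunt the seed is whatever indicator the analyst starts from (hash, address, host) and max_hops bounds the walk, since a busy mail relay or a shared proxy would otherwise pull most of the enterprise into the closure; the per-host link counts are the kind of structural feature slide 16 has in mind when it lists links as features for anomaly detection.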
  22. Target. Hunt. Disrupt. QUESTIONS?
