CYBER SECURITY OPERATION CENTER (CSOC)

Transcription

1 WHITE PAPER ON CYBER SECURITY OPERATION CENTER (CSOC) THE CHANGING LANDSCAPE

2 Introduction Thanks to Internet and developments around Internet! The world has changed its data dimensions and has opened up new ways of data communication gravitating around the Internet highway to build cyber economy. Variety of data with varying velocity travels through cyber highway leading to overexposure of organizational data assets. Cyber adversaries are constantly monitoring information technology infrastructure by deploying novel and sophisticated techniques to collect organizational data, identify organizational weakness, and plan new generation attacks to uphold their strategic strengths. The sophistication and advanced techniques deployed by them are mind boggling and demands special focus. New generation data exposure has instigated the need for advanced monitoring capabilities within the organization to validate data flow from security stand point. Such advanced solutions are designed under the umbrella term 'Cyber Security Operations Center (CSOC)'. The focus of this white paper is to provide an outline of CSOC, skill matrix required, responsibilities of associated security personnel in CSOC, and the associated big data technology stack as a concept note. With multi faced threats stalking the data, perfection in security deployments is not only impossible but unrealistic. Cyberattacks and intrusions are almost difficult to prevent given the openness of today's network and the growing sophistication of advanced threat calls for constant and continuous vigilance. 1

3 Cyber Threat Intelligence Cyber Intelligence It is evident that cyber threat landscape is dynamic in nature and has always been driven by human adversaries. They are addressed mostly by security point products and point solutions built around signatures, faults, and behavioral aspects of data flow. Such point solutions lack the ability to address the changing threat landscape. Threat intelligence has to be built within the organization to strengthen cyber security. Cyber Intelligence (CI) is designed to comprehend, characterize, and classify cyber data traffic and its associated risk levels. It is essential to understand that cyber intelligence enables an organization to equip itself for prevention and recovery. In CI, the spectrum of attacks and associated actions in terms of detection and recognition systems coupled with check points to mitigate risks are documented. Thus CI becomes integral to the growth of an organization and acts as knowledge hub to drive decisions within the organization's framework. HTC has its own research and development team that works in this space to comprehend the dynamics of cyber threat. Tactics, Techniques, and Procedures (TTP) Cyber Intelligence is the collective knowledge based on years of experience. The threat actors / agents with associated motive and technical capabilities are documented in the form of Tactics, Techniques, and Procedures (TTP). It is a term borrowed from defense and is used to provide increasing level of details to cyber adversaries. It is imperative to understand TTP, since it can be leveraged by competent adversaries in exposing organizational data. Some of the prominent use cases include the analysis and characterization of security information such as types of attack and actions that have occurred and are likely to occur on their cyber infrastructure, and the ways and means of detection with intentions. The use cases also include risks, risk mitigations, differing profiles of threat actors, and their capabilities in the form of tactics, techniques, and procedures (TTP) based on their past performance, studies on vulnerability status, misconfigurations, or weaknesses they are likely to target. Data intensive firms and national entities have started realizing their weakness and have privately initiated cyber task forces to strengthen threat intelligence apart from their regular operations. 'Cyber Threat Intelligence' capability is evolving as key ingredient of an organization's defense system. 2

4 Cyber Security Operations Center (CSOC) Security is evolving as a critical organizational entity. As a responsible entity, it needs the right mix of technologies to work together as part of an intelligencedriven security program. However, given the current conditions this is a challenging requirement. To address this challenge, organizations are investing in upskilling their work force and strengthening their security in terms of advanced solutions and visualizations. Given this backdrop, it is clear that informatics and data security calls for cyber savvy security specialist to constantly scrutinize the data traffic of organizations. This new generation scrutiny is nick named 'Cyber Security Operations Center (CSOC)'. The new generation CSOC is a culmination of advanced and sophisticated knowledge on various facets of cyber data flow with big data used to tackle the streaming traffic. Skill Matrix Building a CSOC can be a difficult task. Although the finer aspects of CSOC deployment are very much network-specific, there are several components that every deployment will include in terms of people, process, and technology. CSOCs will need to build collaborative teams encompassing skills in cyber forensics, coding and scripting with spectrum of protocols over TCP stack, understanding cyber intelligence, breach management, and penetration testing. Baselining tools, skills, and process methodologies in security operations is essential to establish solutions to protect organizational critical information assets. Apart from the technology stack, the associated security personnel are expected to develop an investigative mindset which is usually a rare skill. They are considered as resources who have the capability to visualize organization's assets and vulnerabilities through the eyes of adversaries and anticipate attacks. Cyber decision makers and cyber operations personnel work together to prevent or detect cyber threat activity and investigate and respond to any detected incidents. 3

5 The following types of profiles are emerging as guardians of CSOC: Cyber Security Analyst (CSA) CSAs are more of operations personnel and are deployed as first line of defense to monitor data flow. These analysts witness cyber traffic in its raw form on the super highway. They work on structured and unstructured data flow on the cyber highways and understand data from a variety of manual or automated sources. CSAs address dynamic changes witnessed in the traffic and create first level of incident tickets which gets pushed to Cyber Threat Analyst (CTA) for further analysis. They play the role of traffic doctors to identify and isolate unusual traffic through filters built on data distillation designs. These filters are provided by security experts and are custom-built in the organization. These filters have the capability to filter various traffic insights based on organizational design constraints. Cyber Threat Analyst S.Event T.Event Existing Sources Alerts Cases Profiles Log Files Network Traffic Data Collector & Cons olidator A.Event Hadoop Cluster Analytics Engine Cyber Security Analyst Cyber Security Expert Feed Analysis Cyber Security Operating Center 4

6 Cyber Threat Analyst (CTA) CTAs review and classify cyber threats. They understand the nature of associated threats, identify them, and characterize them such that threatrelated actions, behaviors, capabilities, intents, and attributed actors of the threat are expressed through threat communication standards. They work on tickets created and based on their understanding and characterization of threats, they identify relevant threat indicator patterns, suggest courses of action to respond to such threats, and share information with other trusted parties. Cyber Security Expert (CSE) The CSEs are the knowledge hub of the organization and have clear understanding of security threats and various security domains. They work on big data cyber security platforms to analyze threat indicators and enable organizations validate and protect digital assets. They play a critical role in safeguarding assets of the organization. They are familiar with machine learning solutions and come up with new variants of data distillation designs as preventive measure. Preventive actions may be remedial in nature to mitigate vulnerabilities, weaknesses, or misconfigurations that may be targets of exploit. After detection and investigation of specific incidents, reactive course of actions may be pursued. 5

7 Cyber Threat Standards Standards provide a way to exchange information in a common format. They are essential to establish control to exchange and discuss security threats amongst participating agencies. A good start on this direction are the evolving standards on Structured Threat Information expression (STIX) and related areas. Structured Threat Information expression (STIX) STIX is an excellent collaborative community-driven effort in creating a language for threat communications. The language provides common syntax to define and represent structured cyber threat information which can be exchanged amongst peers. It defines methods for threat specification, threat information capture, characterization, and communication. It shares a common architectural design to unite cyber threat information such as Cyber Observables, Indicators, Incidents, Adversary Tactics, Techniques and Procedures, Exploit Targets, Courses of Action, Cyber Attack Campaigns, and Cyber Threat Actors. Trusted Automated Exchange of Indicator Information (TAXII) TAXII goes with STIX in creating harmony and empowering organizations achieve improved situational awareness on emerging threats. It defines collections of services and related message exchanges. TAXII when implemented, empowers organizations share actionable cyber threat information across the cyber world and product / service boundaries. TAXII with the help of participating member specifications, defines concepts, protocols, and message exchange formats. It has emerged as the preferred method of information exchange. 6

8 Malware Attack Enumeration and Classification (MAEC) MAEC is a language standardized for encoding vital malware information based on attributes such as behaviors, artifacts, and attack patterns. The focus of MAEC is to reduce any reliance on malware signatures. Its primary focus is to improve human-to-human, human-to-tool, tool-to-human, and tooltotool communication on malware information and reduce potential duplication of malware analysis efforts. Cyber Observable Expression (CyBOX) CyBOX is a standardized schema to specify, capture, characterize, and communicate security events observed in the operational aspects of security. It provides a common mechanism for addressing cyber observables across the entire range of security use cases to improve consistency, efficiency, interoperability, and overall situational awareness. A wide variety of high-level cyber security use cases rely on such information including: event management / logging, malware characterization, intrusion detection, incident response / management, and attack pattern characterization. Common Attack Pattern Enumeration and Classification (CAPEC) CAPEC is a comprehensive dictionary and classification taxonomy of known attacks and is built around the common concept of attack trees and attack graphs. It is used by analysts, developers, testers, and educators to spread community understanding and enhance defenses. 7

9 Streaming Data and Analytics The advent of big data solutions is transforming the security domain and has emerged as a boon to analyze high velocity cyber traffic nick named as streaming traffic. It has opened up new ways of visualizing traffic flow with associated analytics. The sudden surge in development of CSOCs built over big data capabilities has started addressing the needs of security analytics throwing open a completely different perspective to address organizational security. Cyber security analytic platforms are emerging to address the needs of the future. The visibility provided by these big data platforms create unprecedented opportunities to isolate traffic irregularities, uncover evidence of hidden threats, and impending attacks. Dynamic data provides rich and more granular view of security incidence. Big data enables presentation of threat landscape in high definition as opposed to conventional reduced visibility. Security-related details can be seen in sharper focus and irregularities can be detected faster. Since security analytics in big data platforms have the capability to integrate threat intelligence from external sources (thanks to standards), organizations witness a panoramic threat landscape to address the needs of cyber security. Enhanced data visibility leads to enhanced security capabilities. 8

10 Conclusion The future is centered on CSOC and organizations around the world have started exploring ways of establishing CSOC. HTC is a trusted partner in the cyber security operations space. With its team of security consultants having rich experience, HTC can address the security needs and help establish Network, Security, and Cyber Security Operation Centers. References About HTC Global Services HTC Global Services, Inc. (HTC) is a leading global provider of IT Solutions and Business Process Outsourcing services. HTC has a strong client base of Global 2000 customers. HTC specializes in innovative and cost effective solutions to shorten the time to market, reduce costs and improve business processes. As a midsized IT company with qualified and experienced professionals, HTC is well positioned to provide its customers fast, focused, and emerging IT solutions that maximize return on their IT investments. Established in 1990, HTC is a US based company with corporate headquarters in Troy, Michigan providing services and solutions at customer locations and at HTC delivery centers located around the world. HTC's process maturity, quality, and information security processes are compliant to SEI CMM Level 5, ISO 9001, ISO 27001, and PCI DSS standards. 9

11 World Headquarters Reaching out through IT 3270 West Big Beaver Road Troy, MI 48084, U.S.A Phone: Fax: USA l UK l Germany l India l Malaysia l Singapore l UAE l Australia l Indonesia 8