SECURITY OPERATION CENTER - Models, Strategies and Development - By Ali Mohammadi, December 12-13, 2017 1
Outline
- Organizational Security Concept
- Security Operations Center (SOC) Concept
- SOC Models
- SOC Architecture
- SOC Strategies & Approaches
- SOC Develop & Plan 2
Organizational Security Concept 3
The current environment is putting new demands on security operations
- New business models, new technologies
- Velocity of threats
- Mobile collaboration / BYOD
- Cloud / virtualization
- Social business, blurring social identities
- Large existing IT infrastructures with a globalized workforce, 3rd-party services, and a growing customer base
- Evolving regulations
Potential impacts: data or device loss or theft, malware infection, loss of productivity ($$$), regulatory fines, data leakage 4
Why do we build operational security controls & capabilities?
- Reduce enterprise risk
- Protect the business
- Move from reactive response to proactive mitigation
- Increase visibility over the environment
- Meet compliance/regulatory requirements 5
The organization drives the Security Model
Security Technology Stack layers: GRC; Information & Event Mgmt.; Data Security; Identity, Entitlement, Access; Application Security; Cryptography; Host Security; Network Security; Physical Security
Network Security and its relationships to the stack:
- Data Security: monitor and control data flows on the network
- Host Security: interconnected hosts on the network; establish secure channel; control hosts on the network
- Identity and Access: use identity; retrieve access control
- Security Info & Event Management: send security logs; detect security incidents
- Application Security: monitor and control applications running on the network
- Cryptography: key management; crypto offload
Security Operations Center (SOC) Concept 9
What is a Security Operations Center, or SOC? A Security Operations Center is a highly skilled team following defined definitions and processes to manage threats and reduce security risk.
Security Operations Centers (SOC) are designed to:
- protect mission-critical data and assets
- prepare for and respond to cyber emergencies
- help provide continuity and efficient recovery
- fortify the business infrastructure
The SOC's major responsibilities are:
- Monitor, analyze, correlate & escalate intrusion events
- Develop appropriate responses; protect, detect, respond
- Conduct incident management and forensic investigation
- Maintain security community relationships
- Assist in crisis operations 10
Designing and building a SOC requires a solid understanding of the business needs and the resources that IT can deploy. There are multiple stakeholders, processes and technologies to consider:
- People: in-house staff, partners, customers, outsourced providers; personnel skills: security analysts, shift leads, SOC managers
- Process (an operational process framework): threat analysis, compliance mgmt, change mgmt, risk assessment, vulnerability mgmt, identity & access, SLA mgmt, incident mgmt
- Technology: log management, compliance reporting, event correlation, threat reporting, vulnerability scanners, identity & desktop mgmt, ticketing system, change tracking
- Physical space requirements and location 11
Building a Security Operations Center involves multiple domains
- People: Do you need 24x7x365 staff? What are the skills needed? Where do you get staff? What about training? How do you keep staff? Metrics to measure performance; capacity planning
- Technology: SIEM architecture & use cases; log types and logging options; platform integrations (ticketing, governance, big data) and web services to integrate them; technology should improve effectiveness and efficiency
- Process: What does the plan look like? How do we measure progress and goals? What is the optimal design of core processes (e.g. incident management, tuning, etc.)? Process and continual improvement
- Governance / Metrics: dashboard visibility and oversight; policy, measurement and enforcement; integrated governance that balances daily operations with strategic planning; ministry objectives; informing stakeholders; informing employees
CyberSecurity Operations Center: the Security Operations Center (SOC) term is being taken over by physical surveillance companies. We're building a Cyber Security Operations Center (CSOC) that doesn't have any physical surveillance capability. It could be a component of a SOC in the future. 13
(C)SOC vs. NOC
- A Network Operations Center is usually responsible for monitoring and maintaining the overall network infrastructure. Its primary function is to ensure uninterrupted network service.
- The CSOC leverages security-related network activity to refine security incident response.
- CSOC and NOC should complement each other and work in tandem. 14
SOC Models 15
The changing requirements for enterprise security & risk management coupled with technology advancements have triggered a paradigm shift in the design and ongoing administration of a SOC (dimensions: Mission & Strategy, Management, Operations, Technology).
Legacy SOC vs. Optimized SOC:
- Charter: technology or service only | build a dedicated security operations capability
- Governance: self-governed (IT Security) | cross-functional (IT, Business, Audit, etc.)
- Mission: detect & react to threats | proactive, visible, anticipate threats, mitigate risks
- Strategy: budget based, 12-month planning cycle | 3+ year cycle, priorities set by enterprise
- Tools: SIEM tool only | SIEM, ticketing, portal/dashboard, Big Data
- Use Cases: standard rules, minimal customization | tailored rules based on risk & compliance drivers
- Referential Data: minimal importance, secondary priority | required data, used to prioritize work
- Measures: silos, ticket/technology driven | cross-functional, efficiency, quality, KPI/SLO/SLA
- Reporting: ticket/technology driven | metrics, analytics, scorecards, & dashboards 16
Security Operations Operating Model (SOC Governance, SOC Operations, SOC Technology; legend: SOC / IT / Corp)
- SOC Governance: Cyber-Security Command Center (CSCC); Executive Security Intelligence Briefings; Local/Reg. Security Oversight; Consolidated Security Analytics & Dashboards; Local/Reg. Intel. Briefings
- SOC Service Delivery Management: Service Level Management; Operational Efficiency; Service Reporting; Escalation; Architecture & Projects; Incident Hunting; PM
- Security Intelligence: Use Case Recommendations; Security Analytics & Incident Reporting
- Corporate Business Units: Legal; Audit; Business Operations (Investigations, Public Relations, Legal / Fraud, Emergency)
- SOC Operations: Admin Support Services (Tool Integration, Rule Admin); Threat Monitoring (Threat Analysis, Impact Analysis, Threat Triage); Investigations (Incident Triage, Threat Response, Adv. Event Analysis, Escalations); Incident Mgmt. (CSIRT Management, Corp. Incident Response, Table-top Exercises, Response)
- IT Operations: Incident Mgmt; Problem Mgmt; Change Mgmt; Release Mgmt
- SOC Technology / SOC Platform Components: Security Device Data; Event Data (Int./Ext.); Event Patterns; Correlation; Aggregate Security Events; Log Data (Transactional); Unstructured Data (Big Data); Custom Rules; SIEM; Ticketing & Workflow; Portal; Integration Tools (e.g. Web Srvcs); Reporting / Dashboard; Big Data
- SOC Data Sources (from IT Operations): Logs (Transactional); Network Hierarchy & Design; Business Data from Structure & Geography; Unstructured (Big Data); Asset & Data Classifications; Threat Intelligence
We understand that an effective SOC has the right balance of People, Process and Technology components
- People: in-house staff, partners, customers, outsourced providers
- Process: threat analysis, compliance mgmt, change mgmt, risk assessment, vulnerability mgmt, identity & access, SLA mgmt, incident mgmt
- Technology: log management, compliance reporting, event correlation, threat reporting, vulnerability scanners, identity & desktop mgmt, ticketing system, change tracking 18
The SOC organization is organized around the standard plan, build and run model (SOC Organization Chart)
- SOC / Security Intel Architect (Plan)
- SOC Delivery Manager (Governance)
- Security Intelligence Manager (Build / Plan)
- SOC Engineering Manager (Build): Security System Administrator, Security Policy Administrator, Device Administrator
- SOC Monitoring Tier 1 (Run): Senior Threat Analyst, Threat Analyst, Threat Analyst Trainee
- SOC Triage Tier 2 (Run): Senior Threat Response Analyst, Threat Response Mitigation Analyst (Reactive), Threat Response Remediation Analyst (Proactive)
- SOC Escalation Tier 3 (Run): Incident Case Manager, Senior ERS Incident Response Technical Analyst
- IT Operations interfaces: Incident Mgmt, Problem Mgmt, Change Mgmt, Release Mgmt, Device Mgmt 19
A responsibility matrix for all SOC roles should be defined across each SOC service.
Roles (columns): SOC Analyst: Monitoring; SOC Analyst: Triage; SOC Analyst: Response; Security Intelligence Analyst; Security Incident Handler (Certified); SOC Tools Admin; SOC Manager; Security Forensic Analyst; IT Security Admin; IT Operations; CERT
Service groups: Core Security Services; Deployment Services; Security Intelligence Services; Administrative Services; Reporting Services; Optional Services
Services (rows) with their RACI entries (R = responsible, A = accountable, C = consulted, I = informed): Security Monitoring (R C A); Incident Triage (C R C A); Incident Response (C C R C R A R I); Delivery Management (A I); Use Case Design (C C C R C A C C); Log Source Acquisition (R C R A C C); Service Testing & Tuning (R A I I); Custom Playbook Development (C C C R C C A C C); Operations Training (C C C R C A); Security Intelligence Analysis (C C C A C C C); Security Intelligence Briefings (A C C C); Use Case Recommendations (C C C A C C C); SIEM Administration (R A I I); Contextual Data Management (C R A C C); Log Source Management (C R A C C); Log Source Heartbeat Monitoring (C R A C C); Security Reporting (C C C C C A C I); Efficiency Reporting (C C C A C I); Financial Reporting (C C C C A I); Enterprise Incident Management (C A); Forensics Investigation (C C C C C A C C); Policy Violation Handling (C C C C A C) 20
SOC Architecture 21
Why? We've been collecting security-related data for a number of years and needed a focal point to help us see the big picture
- Data from security reviews
- Vulnerability scans (push/pull)
- IPS/IDS data
- System logs
We want to build a security history for a host 22
Why? The CSOC is a logical place to collect, analyze and distribute the data collected to support our Defense in Depth strategy
- Preventing network-based attacks
- Preventing host-based attacks
- Eliminating security vulnerabilities
- Supporting authorized users
- Providing tools for minimizing business loss 23
Where? OS syslog/event logs, IDS logs, IPS logs, PID logs, firewall logs, pen test logs, PCI, netflow
- The CSOC needs to be able to analyze and display this data quickly
- Data resides on separate, distributed servers
- The CSOC pulls data from these servers as needed
- The CSOC lives in the IT Security Office & Lab 24
What?
- Provides a real-time view of the VT network's security status
- Provides info to assess risk, attacks, mitigation
- Provides metrics: executive, operational, incident 25
What? Event Generators (E boxes)
- Any form of IDS sensor (firewalls, IPS, IDS, Snort, Active Directory servers, Remedy, vulnerability scanners, TACACS, application software)
- Most are polling generators
- Generate specific event data in response to a specific action; example: an IDS or firewall 26
What? Events Databases (D boxes)
- Provide basic storage, search and correlation tools for events collected and sent to the CSOC
- Vulnerability databases contain info about security breaches, etc. 27
What? Events Reactions (R boxes)
- SOC Console, used for internal analysis: real-time monitors (Snort, BASE, IPS, Dshield); incident handling (Remedy trouble ticket system); location tools; statistical analysis
- End user portals: multi-level reporting for various target audiences (sysadmin, management) 28
What?
- Analysis Engines (A boxes): help the ID analyst determine if an incident has occurred, its spread, its impact, etc.
- Knowledge Base Engines (K boxes): store security configs of critical assets, tips/tricks and effective solutions to previous problems
- Reaction and Report Engines (R boxes): switches, routers, IPS and associated management tools 29
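As an added illustration (not code from the deck or from the VT CSOC), the following Python sketch wires the E/D/A/K/R roles from the slides above into the per-host security history the Why? slide asks for: constructed Snort-style alert lines and scan findings are the E-box input, a constructed host-locator mapping plays the K-box, build_host_history is the D-box, and triage is the A-box whose output would go to the R-box ticketing system. The alert line format, the scan-result fields and all IP addresses are assumptions made for the example.

```python
# Added example, not from the deck; every input below is constructed.
import re
from collections import defaultdict

# E-box output: constructed Snort-style alert lines (this exact format is assumed)
SNORT_ALERTS = [
    "[1:2001219:20] ET SCAN Potential SSH Scan {TCP} 203.0.113.7:51234 -> 198.51.100.10:22",
    "[1:2100498:7] GPL ATTACK_RESPONSE id check returned root {TCP} 198.51.100.20:80 -> 203.0.113.7:40111",
]
# E-box output: constructed vulnerability-scan findings (field names are assumed)
VULN_RESULTS = [
    {"host": "198.51.100.10", "port": 22, "severity": "Medium", "title": "SSH weak algorithms (constructed)"},
    {"host": "198.51.100.20", "port": 80, "severity": "High", "title": "Outdated web app (constructed)"},
]
# K-box: constructed host-locator data mapping internal hosts to a department liaison
HOST_LOCATOR = {"198.51.100.10": "Library IT", "198.51.100.20": "Finance IT"}
ALERT_RE = re.compile(
    r"\[(?P<sid>[\d:]+)\] (?P<msg>.+?) \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alert(line):
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None  # None for lines that do not match

def build_host_history(alerts, vulns, locator):
    """D-box: one record per known internal host, merging IDS alerts and scan findings."""
    history = defaultdict(lambda: {"alerts": [], "vulns": []})
    for line in alerts:
        a = parse_alert(line)
        if a is None:
            continue  # malformed line: skip it rather than stop the pipeline
        for host in (a["src"], a["dst"]):
            if host in locator:  # only track hosts the K-box knows about
                history[host]["alerts"].append(a)
    for v in vulns:
        history[v["host"]]["vulns"].append(v)
    # attach the K-box liaison so the R-box knows whom to route a ticket to
    return {h: dict(r, liaison=locator.get(h)) for h, r in history.items()}

def triage(history):
    """A-box: escalate an alert whose port matches an open finding on the same host."""
    tickets = []
    for host, rec in history.items():
        open_ports = {v["port"]: v for v in rec["vulns"]}
        for a in rec["alerts"]:
            port = int(a["dport"]) if a["dst"] == host else int(a["sport"])
            if port in open_ports:
                tickets.append({"host": host, "port": port, "liaison": rec["liaison"],
                                "alert": a["msg"], "finding": open_ports[port]["title"]})
    return tickets  # R-box: these records would be handed to the ticketing system
```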
Security Operations Center (SOC) Access Management Automation & Integration of Security Operations 30
SOC Architecture 31
SOC Workflow 32
Security Operations Center Infrastructure v1.0, 6/4/2008 (diagram). Components: nmap Scanner (user-initiated scan); Nessus Scan Results (PDF); Nexpose (daily scan run by ITSO Staff); Acunetix; Core Impact; Vulnerability Results Database; Correlation & Report Generation; reference data (IP ranges, Dept. liaisons, DHCP, VPN, modem pool); Snort Sensors; BASE; Central Syslog Servers; Dshield; Checknet Host Locator DB; Remedy. Legend: green = E boxes, blue = D boxes, grey = A boxes, yellow = K boxes 33
SOC Strategies & Approaches 34
Selecting the optimal SOC operating model depends on balancing business and technical requirements, risk and financial constraints
- Business Requirements: Centralized (Single Global SOC; CSCC combined with SOC; lowest cost; easiest to manage; standard) vs. Decentralized (multiple SOCs by geography / BU; Single Global CSCC; high cost; more difficult to manage; highly customized)
- Technical Requirements: Simple Platform (lowest cost to implement/operate; good risk mgmt capabilities; easy to scale operations; moderate detail on threats) vs. Complex Platform (high cost to implement/operate; excellent risk mgmt capabilities; more expensive to scale operations; rich detail on threats)
- Risk Tolerance: Externally Managed (30-90 day implementation; lowest cost to implement/operate; not core to business; leverage industry best practices) vs. Internally Managed (long implementation lead time; high cost to implement/operate; core to business; frequent independent reviews)
- Financial Constraints: Low Cost (lowest cost to implement; lowest cost to operate) vs. High Cost (highest cost to implement; highest cost to operate) 35
SOC Develop & Plan 36
To get started, the organization should consider the following questions in establishing its objectives
- What is the primary purpose of the SOC?
- What are the specific tasks assigned to the SOC? (e.g., threat intelligence, security device management, compliance management, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)
- Who are the consumers of the information collected and analyzed by the SOC? What requirements do they have for the SOC?
- Who is the ultimate stakeholder for the SOC? Who will sell the SOC to the rest of the organization?
- What types of security events will eventually be fed into the SOC for monitoring?
- Will the organization seek an external partner to help manage the SOC? 37
The Security Operations Optimization portfolio provides a flexible approach to the entire SOC/SIEM life cycle, across People and Governance, Processes and Practices, and Technology.
- Introduction: educational, share best practices; table-top, guided SOC maturity assessments; set high-level vision; develop next-steps roadmap for action
- Assessment Strategy: define the mission; assess current operations and capabilities; define future environment; develop roadmap for action
- Design & Build: laying the foundation of capabilities; designing effective staffing models and supporting processes / technology; conducting training and testing; implementing tracking and reporting capabilities
- Run & Enhance: leveraging acquired knowledge and experience; instituting formal feedback and review mechanisms; driving further value from the technology; expanding business coverage and functions; tuning and refinement
- Optimize: business-aligned threat management and metrics; drive for best practices; integrated operations with improved communications; seek opportunities for cost takeout; continuous improvement 38
References
- IBM Security Services, Meadowville Technology Park, Chesterfield County, Virginia
- Carl Hill, President, www.gtscloud.com
- Paladion Co, paladion.net
- Randy Marchany, VA Tech IT Security Office and Lab 39
Thank you for your time! Questions and Answers 40