SlideShare a Scribd company logo

DTS Solution - Building a SOC (Security Operations Center)

Shah Sheikh, profile picture
Shah Sheikh

This document discusses building a cyber security operations center (CSOC). It covers the need for a CSOC, its core components including security information and event management (SIEM), and integrating components like monitoring, alerting, and reporting. Key aspects that are important for a successful CSOC are people, processes, and technology. The roles and skills required for people in the CSOC and training needs are outlined. Developing standardized processes, procedures and workflows that align with frameworks like ISO are also discussed.

Technology
1 of 97
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Most read
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Most read
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
Most read
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
Building a Cyber Security Operations Center www.dts-solution.com Shah H Sheikh – Sr. Security Solutions Consultant MEng CISSP CISA CISM CRISC CCSK shah@dts-solution.com
Cyber Security Operations Center Agenda – Building a Cyber Security Operations Center 1. The need to build an enterprise-wide CSOC. 2. CSOC 2.0 and its components to form an eco-system. 3. SIEM 2.0 – Log Collection, Log Aggregation, Security Analytics and Correlation. 4. Specific Contextual Threat and Use Cases and Situational Awareness 5. Building Threat Intelligence and Early Warning Detection System 6. CSOC Processes, Procedures and Workflows. 7. CSOC Incident Response Handling 8. Cyber Incident Offense Management 9. CSOC vs. Security Maturity Levels People, Process and Technology
• Around 62% of the incidents targeted just 3 industries last year. Quick Facts about IT Security
• Unauthorized access was nearly twice as prevalent in 2014 as in 2013 among the top 5 industries; followed by Reconnaissance activities and Malicious code Quick Facts…
• Who are these attackers? Much of them are insiders indeed. Quick Facts…
• Organizations are more and more concerned about the security of their IT assets. Quick Facts…
• Security Incident Categories Trend: Quick Facts…
Here are the top 5 impacts of a security breach: 1. Ruined Reputation: Once the news about breach is put on the web, you can bet that it will forever live on – no matter how hard you try to erase it. 2. Theft: If hackers are able to get into your website or network, you can guarantee they will be able to access your bank account information or any such confidential information. 3. Revenue Lost: If a hacker gets into your site and crashes it or causes a long period of downtime, your operations will cease and you will lose revenue. 4. Damaged Intellectual Property: While stealing your identity and money can be incredibly bad, stealing your intellectual property can be just as damaging to a business. If a hacker gets in and steals ideas, plans, or blueprints, you could miss out on being able to fully implement new products or designs. 5. Vandalism: Vandalism is the planting of false information and is a tactic that major hacking groups like to use to ruin your company’s reputation. Why Should You be Concerned?
Cyber Kill Chain This is how an attack is executed:
Current Challenges
Current Challenges
The current CSOC landscape…
Outsourced or In-house ?!? … VS … In-Housed SOC
Why build a CSOC?
Key Objectives for CSOC … (1) • Manages and Coordinates the response to Cyber Threats and Incidents • Monitors the Cyber Security posture and reports deficiencies • Coordinates with regulatory bodies • Performs Threat and Vulnerability Analysis • Performs Analysis of Cyber Security Events • Maintains an Internal Database of Cyber Security Incidents • Provide Alerts and Notifications to General and Specific Threats • Provide regular reporting to Management and Cyber Incident Responders
Key Objectives for CSOC … (2) • Reduce the response time of security incident from initial findings, to reporting to containment • Recovery Time Objective (RTO) in case of security incident materializing • Proactive Security Monitoring based on predefined security metrics / KPI • Raise Awareness of Information Security across community of leaders and sub-ordinates • Ability to correlate system, application, network, server, security logs in a consistent way
Key Objectives for CSOC … (3) • Ability to automate the requirement to meet compliance – vulnerability assessment and risk management • Ensure change control function is integrated into the SOC process • Identification for all security attack vectors and classification of incidents • Define disaster recovery plans for ICE (in-case of emergency). • Build a comprehensive reporting dashboard that is aligned to security metrics • Build a local in-house SIRT (security incident response team) that collaborates with National CERT
Key Objectives for CSOC … (4) • To build SOC processes that are aligned to existing ISO27001 security policies • Build a physical and virtual team of SOC personnel for 24 x 7 monitoring • Build forensics capabilities to be able to reconstruct series of events during an incident • Proactive monitoring of network and security infrastructure devices
Components of a CSOC • To build the SOC with simple acceptance and execution model • Maximize the use of technology. • To build security intelligence and visibility that was previously unknown; build effective coordination and response unit and to introduce automation of security process. • Develop SOC processes that are inline to industry best practices and accepted standards – ISO27001:2013, PCI-DSS3.0, IEC-62443, NIST SECURITY INCIDENT MANAGEMENT · PRE AND POST INCIDENT ANALYSIS · FORENSICS ANALYSIS · ROOT CAUSE ANALYSIS · INCIDENT HANDLING · aeCERT INTEGRATION · REPORTING · EXECUTIVE SUMMARY · AUDIT AND ASSESSMENT · SECURITY METRIC REPORTING · KPI COMPLIANCE · SLA REPORTING · REAL-TIME MONITORING · DATA AGGREGATION · DATA CORRELATION · AGGREGATE LOGS · CORDINATE RESPONSE · AUTOMATED REMEDIATION
CSOC – Core Components Core Components for a CSOC 2.0 • OSS – Operational Support System • SIEM – Security Information and Event Management • Proactive Monitoring - Network and Security and Server Infrastructure • Alert and Notification – Security Incident Reporting • Events Correlation and Heuristics / Behavioral / Anomaly
CSOC – Core Components Core Components for a CSOC 2.0 • Information and Network Security $$ Automation $$ • To natively build-in compliance and audit functions • To manage change control process through integrated ITILv3 CM and SD • Configuration Management of Infrastructure Components
CSOC – Core Components Core Components for a CSOC 2.0 • Alignment of Risk Management with Business Needs • Qualified Risk Ranking • Risks are ranked based on business impact analysis (BIA) • Risk framework is built into the SIEM solution; • incident = risk severity = appropriate remediation and isolation action • SOC is integrated with Vulnerability and Patch Management
CSOC – Core Components Core Components for a CSOC 2.0 • IRH – Incident Response Handling • How effective the SOC is measured by how incidents are managed, handled, administered, remediated and isolated. • Continuous cyclic feedback mechanism drives IRH • Critical functions include Network Forensics and Surveillance Tech.. • Reconstruct the incident …. Evidence gathering … Effective Investigation • Escalation Management – know who to communicate during an incident
CSOC – Core Components Sample Architecture for the CSOC Perimeter and Boundary Points Network Nodes Internet DMZ / Published Services IPS WWW SSL VPN Applications Active DirectoryDB Middleware SMTP Internal Resources MAINFRAME Servers WAF FW (HTTP, SNMP, SMTP, SYSLOG, API, XML, CUSTOM FILE, LOGFILE DATA ACQUISITION LAYER – SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) EVENT CORRELATION LAYER · Event Correlation Engine · Analysis and Filtering · Event Management · Integration with NMS Systems · Trouble Ticket Integration · Flow Analysis SECURITY VULNERABILITY · Common Vulnerability Exploits CVE · Risk Ranking · Configuration Audit · Security Metric Dashboard DATA COLLABORATION · Policy Management · Asset Repository · Problem Incident Management · Security Incident Reporting · Change Control · Security Automation Security Management, Systems Management, Network Management, Reporting, KPI, SLA, Benchmark, Compliance Management REPORTING AND MANAGEMENT LAYER
CSOC – Core Components Integration of Core SOC Components
Key Success Factors in a CSOC The Goal – Keep Things Simple 
PEOPLE
The SOC’s structure must correspond to that of its organization. The key drivers for determining which SOC model is best for the enterprise are: • Size of the organization, in terms of users, IP addresses, and/or devices • Frequency of incidents • Timeliness and accuracy of incident response expected PEOPLE - Structuring the SOC
PEOPLE - Structuring the SOC…
PEOPLE - Structuring the SOC…
PEOPLE - Structuring the SOC…
PEOPLE - Skill-Sets Required It is important to determine which skills an analyst should have in order to be a part of SOC. The 2 areas are: Technical Skills:  TCP/IP  SIEM, IDS/IPS, NetFlow, tools such as Snort, Argus, tcpdump, WireShark, etc.  Cryptographic algorithms like 3DES, AES, RSA, MD5, SHA, SSL/TLS, DH, etc.  Vulnerability Assessment, Penetration Testing  Security engineering, Scripting  Etc…… Soft Skills:
PEOPLE - Skill-Sets Across Different Roles Role/Title Desired Skills Tier 1 Analyst Few years in security, basic knowledge of systems and networking Tier 2 Analyst Former Tier 1 experience, deeper knowledge of security tools, strong networking / system / application experience, packet analysis, incident response tools SOC Lead All the above + can adjust the security intelligence platform, knows reverse engineering/threat intelligence/forensics SOC Director Hiring and staffing, interfacing with execs to show value and get resources, establishing metrics and KPIs SOC Architect Experience designing large scale security operations, security tools and processes
Mature SOCs should have a robust training program that brings new recruits up to speed to execute the operations and to develop and enhance the skills of existing SOC employees. Some of the training areas include: • Informal on-the-job training in tools and techniques • External training on certifications like GIAC, CISSM, CISM, etc. • Training courses for specialties like forensics and intrusion analysis, SIEM, IDS, malware analysis and reverse engineering, VA-PT, etc. • Etc…. PEOPLE - Training Needs
PROCESSES
CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists) DATA SECURITY AND MONITORING • Data Asset Classification • Data Collection • Data Normalization • Data at Rest and In Motion • Data Protection • Data Distribution
EVENT MANAGEMENT • Event Correlation • Identification • Triage • Roles • Containment • Notification • Ticketing • Recovery • Forensics and Situational Awareness CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists) RISK MANAGEMENT • Context Establishment • Risk Identification • Risk Analysis • Risk Evaluation • Risk Treatment
INCIDENT RESPONSE PRACTICE • Security Incident Reporting Structure • Security Incident Monitoring • Security Incident Escalation Procedure • Forensics and Root Cause Analysis CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists) • Return to Normal Operations • Post-Incident Planning and Monitoring • Communication Guidelines • National CERT Integration
SOC OPERATING GUIDELINES • SOC Workflow • Personnel Shift Description • Shift Reporting • Shift Change • Information Acquisition • SOC Monitoring Suite • SOC Reporting Structure • Organizational Chart CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
ESCALATION MANAGEMENT • Escalation Procedure • Pre-Escalation Tasks • IT Security • Network Operation Center • Security Engineering • National CERT Integration • Law Enforcement • 3rd Party Service Providers and Vendors CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
DATA RECOVERY PROCEDURES • Disaster Recovery and BCP Procedure • Recovery Time Objective • Recovery Point Objective • Resiliency and High Availability • Facilities Outage Procedure CSOC – Developing Processes
SECURITY INCIDENT PROCEDURES • Email Phishing - Email Security Incident • Virus and Worm Infection • Anti-Virus Management Incident • NetFlow Abnormal Behavior Incident • Network Behavior Analysis Incident • Distributed Denial of Service Incident • Host Compromise - Web Application Security Incident • Network Compromise • Internet Misuse • Human Resource - Hiring and Termination • Domain Hijack or DNS Cache Poisoning • Suspicious User Activity • Unauthorized User Access (Employee) CSOC – Developing Processes
VULNERABILITY AND PATCH MANAGEMENT • Vulnerability Research (Threat Intelligence) - Notifications sent to respective system owners • Patch Management - Microsoft SCOM • Identification • Dissemination • Compliance Monitoring • Network Configuration Baseline • Anti-Virus Signature Management • Microsoft Updates CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
Vulnerability Management
TOOLS OPERATING MANUAL FOR CSOC PERSONNEL • Operating Procedure for SIEM 2.0 Solution – Event Management and Flow Collector/Processor and Advanced Correlation • NGFW Firewall Security Logs • IPS Security Logs • SSL VPN / IPSEC VPN / Remote Access logs • WAF Security / DB Activity Monitoring / ERP Security logs • User Activity / Login / Active Directory / AAA Logs • Endpoint Security (AV, Malware Protection, SCOM) • Operating Procedure for Configuration and Policy Compliance • Operating Procedure for Vulnerability Assessment CSOC – Developing Processes Creating the CSOC Operating Manuals
SECURITY ALARMS AND ALERT CLASSIFICATION • Critical Alarms and Alerts with Action Definition • Non-Critical and Information Alarms • Alarm reporting and SLA to resolve the alarms CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
SECURITY METRIC AND DASHBOARD – EXECUTIVE SUMMARY • Definition of Security Metrics based on Center of Internet Security standards • Security KPI reporting definition • Security Balanced Scorecard and Executive Reporting CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
Monthly Activities Status Reporting • Summary of all areas of operations • Scheduled automated reports from SIEM • Trends and statistics based on incidents • Reports of most targeted vulnerable assets, highest number of incidents, etc. CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
TECHNOLOGY
CSOC Technologies … SIEM 2.0 Solution (NOT just Log Management) • Event Collector and Processor – Syslog, Log Files, SMB, ODBC > All Log Sources • Flow Collection and Processor – NetFlow, J-Flow, S-Flow, IPIX • Asset Database (Based on Asset Criticality, Risk and Vulnerability, System and Business Owner) • Event and Flow Correlation – Advanced Threat Analytics • Centralized Management Console for Security Dashboard and Reporting • Integration with service desk for automated ticket creation > Offense Management
CSOC Technologies … .…SIEM 2.0 Solution SIEM solution provides you with the following benefits:
SIEM Advance Use Case Implementation DTS Solution specializes in creating advance threat cases on SIEM, wherein the customer environment is assessed and accordingly threat cases are created. Sample threat cases that can be implemented: CSOC Technologies … Rule ID Title Log Sourc es Description of Threat Case Threat Reason SIEM Logic INT_001 Worm Propagation All A system gets attacked or infected with a malware and it in turn spreads the malware to several other systems. This rule would detect worm propagation in the network. 1. Host A compromises host B with log classification as Attack, Compromise, Malware, etc. 2. Host B compromises several other hosts with similar log classification. INT_002 Reconnaissance followed by suspicious activities All There was a reconnaissance attack detected on a server which was followed by some suspicious activities such as user account creation, deletion, privilege escalation, etc. Reconnaissance activities like port scan, etc. can give information about the system which can then be used by an attacker to gain access and alter the system configurations according to his requirements. 1. Reconnaissance was detected on a particular system. 2. Suspicious activities were reported on the same server within specified time interval.0
CSOC Technologies … Compliance Management and Policy Conformance • Configuration Audit across Infrastructure Systems and Devices • ISO27001 / PCI-DSS3.0 / IEC-62443 Security Policy Compliance • Risk Management – Identification and Mitigation • Baseline Configuration Violation Monitoring (Continuous Compliance / Monitoring) • Network Topology Mapping and Visualization • Vulnerability Assessment and Management
CSOC Technologies … Network and Security Monitoring (Traditionally owned by the Networking Team) > Integrate with Security Requirements • Network Performance Monitor - SNMP • Network Monitoring • Link Utilization • Availability Monitoring • SLA reporting • Integration with service desk for automated ticket creation
CSOC Technologies … Security Analysis and Threat Intelligence • Network Forensics (Raw Packet Capture > Session Reconstruction) • Live Situational Awareness Intelligence Feeds • Artifacts and Packet Reconstruction (Chain of Custody) • Monitor all Internet Activity (Linked to Identity (username) as opposed to IPs) • Record metadata for recursive analysis during incident response • Integration with Incident Response Handling (IRH) and SIEM • Threat Intelligence and Global Threat Actor Map
CSOC Technologies … Vulnerability Management & Penetration Testing • Vulnerability Assessment • Penetration Testing • Unified Communications Audit • SCADA Security Evaluation Toolkit • Mobile Network Security • Endpoint IP Discovery and Network Leakage Detection • Availability Assessment • Core Network Security
CSOC BUILD CONSIDERATIONS
CSOC (before) ….. < The Silos >… Technology Integration … the old practice SIEM Vulnerability Assessment Network Monitoring
CSOC (after) …. Automation Technology Integration … the new … WORKFLOW SIEM 2.0Compliance and Monitoring NMS
SOC Workflow
• Attackers work 24x7. Does the SOC also need to work round the clock? • Finding the right staffing plan can be challenging and depends on a number of considerations, including: – Criticality of business – Size of SOC staff – Is the host facility open 24x7 – Size of the organization and its normal business hours – Etc….. CSOC SHIFT GUIDELINES
Benefits: • Availability – Anytime, Anywhere, Anyhow • 24x7 monitoring and proactive intervention • Service consistency & reliability • Service excellence & innovation • Market leadership • Compliance with your security policy 24x7 Operations Challenges: • 24x7 SOCs must maintain a minimum staff of two analysts at all times • Expensive as compared to 8x5 • Productivity of engineers working in night shifts is affected • Difficult to manage shift timings • Health Concerns
Sample 24x7 SOC Shift Working Plan: 24x7 Operations….
Alternatives: • Staff only certain portions of the SOC 24x7, such as Tier 1; leave other sections with “on-call” availability. • Expand operations beyond 8x5 to 12x5 or 12x5 plus 8x2. • ‘Follow the Sun’ approach. 24x7 Operations….
SOC Leads SOC Escalation Procedure SOC Roles & Internal Escalation
Cyber Security Operations Center You can only monitor what you know 
• Environments • Location • Device Types • System Types • Security Zones • Demarcation Points • Ingress Perimeters • Data Center • Extranet • WAN ….Know your infrastructure…. You can only monitor what you know 
Build an Asset Database and Integrate into SIEM Following asset details can be adjusted with Asset Manager: • Name • Description • Weight • Operating System • Business Owner • Business Owner Contact Information • Technical Owner • Technical Owner Contact Information • Location • Risk and Vulnerability Information (CVEs) Build an Asset Repository
• Knowledge on what are the service flows across your infrastructure … …. Service Flows (Published Services) …… BUILD A SECURITY SERVICES CATALOG
• Understanding the service flows will allow you to VISUALIZE… …. Service Flows (Internal Services) …… Integration with Vulnerability Management
Build Policy Compliance: Firewalls
Build Policy Compliance: Firewalls
Build Policy Compliance: Firewalls
• Build contextual threat cases per environment; – Extranet – Internet – Intranet – Data Center – Active Directory – Malware / Virus Infection and Propagation – NetFlow Analysis – Remote Sites / WAN – Remote Access – IPSEC VPN / SSL VPN – Wireless – etc….. Develop Threat Cases
• To define threat cases per environment … not by system…. (silo) • CONTEXTUAL • SERVICE ORIENTATED • USER CENTRIC ID Threat Case Development OS.WIN Microsoft Windows Servers - Threat Case Development Documentation Microsoft Active Directory - Threat Case Development Documentation MSIIS MSSQL MSEXC Microsoft Application - Threat Case Development Documentation • IIS • MSSQL • Exchange IBMAIX LINUX SOLARIS UNIX/LINUX/SOLARIS/AIX – Threat Case Development Documentation PRIVACC Advanced Threat Cases for Privileged User and Special Account Activity and Monitoring N/A Baseline Security Settings on UNIX/LINUX/SOLARIS/AIX server BUSINT Business Internet EXTRNT Extranet S2SVPN Site to Site VPN DEVELOP THREAT CASES
ADVANCED THREAT CASES - ENVIRONMENT • To define threat cases per environment … …. Eventually …. Should …. Include …. All …. Environment ….. ID Threat Case Development INTOFF International Offices – Global MPLS SSLVPN Juniper SSL VPN NATIONAL IPVPN –National MPLS IPVPN WIRLESS Wireless Infrastructure VOIPUC Voice over IP VSAT VSAT – Satellite DIGPKI PKI and X.509 Digital Certificates (systems threat case) AAA AAA (systems threat case) HIPS HIPS and Application Whitelisting EXECACC Executive Account Monitoring SAP SAP Router and SAP Privilege Activity Monitoring COMPLIANCE Compliance and Best Practices Configuration NAC Network Admission Control IPS-AV IPS and AV Management Console EMAIL Email Security – Business Internet Gateway DAM Database Activity Monitoring (DAM) SFT Secure File Transfer • IMPORTANT – understand the environment and understand the threats related to those environment…..
Develop Threat Cases – RHEL
Develop Threat Cases – RHEL
Important Note: "OS.WIN.010.Offense: Multiple Logon for Single User from Different Locations" offense is disabled pending application/system accounts names clarifications to be excluded from the rule's logic. Develop Threat Cases – Windows Servers
DTS Solution assists you to consider below aspects of controlling staffing levels while sticking to the allocated budget: 1. What are the factors that Influence SOC Staffing Levels? 2. Whom do we hire? 3. How many people do we need? 4. How do we retain them? Controlling SOC Staff According to Budget
DTS recognizes below elements of SOC that should be under one command structure: • Real-time monitoring and triage (Tier 1) • Incident analysis, coordination, and response (Tier 2 and above) • Cyber intel collection and analysis • Sensor tuning and management and SOC infrastructure Operations & Maintenance • SOC tool engineering and deployment Bringing All Core SOC Functions Together Under 1 Roof
There are a number of IT and cybersecurity policies that enable effective functioning of security operations that should be implemented: • User consent to monitoring • Acceptable use policy • Privacy and sensitive data handling policies • Internally permitted ports and protocols • Externally permitted ports and protocols • Host naming conventions • Other IT configuration and compliance policy • Bring your own device and mobile policies • Approved OSes, applications, and system images • Authorized third-party scanning • Audit policy • Etc….. Policies Authorizing SOC to do its Job
SOC Floor Conference Room SOC Manager & Supervisor Cabins Computer Room CSOC PHYSICAL INFRASTRUCTURE
CSOC Layout Design CSOC Layout Design - Sample
DTS Solution provides following list of SOC documents which will help in planning, building and operating the SOC: • Information Security Incident Management Procedure • Threat Management Standard Operating Procedure • Major Incident Management Process • Information Security Infrastructure Review Report • Major Incident Report • Security Infrastructure Recommended Solution • Major Incident Management Process Flowchart • Incident Management Process Flowchart • List of SIEM Advance Threat Cases • Procedure for the Handling of Virus and Denial of Service Attacks • Security Hardening Guidelines for various Security Tools SOC DOCUMENTS
*NIX AUTHENTICATION … FOLLOW THE PROCESS
Offense Management Naming Convention
Offense Management Workflow
Cyber SOC Wiki CSOC-Wiki https://SOC-wiki.intranet.xyz
CSOC-Wiki - Goals Purpose of the WiKi • Centralized Knowledge Repository for SOC • Collaborate and Share Information with other Team Members • Easy of use and searchable (Google Like) • Integrations with other toolsets Challenges within CSOC • Current Issues with SIEM Processes, Documentations, Offence Handling, Knowledge Sharing • SIEM Integrations into SOC-Wiki • SIEM Threat Cases
CSOC Wiki – SIEM Integration CSOC - WiKi Processes Threat Cases Workflows Security Maturity Level 4 to 5
CSOC Wiki – SIEM Integration 1 2 Current Maturity Level Target Maturity Level
CSOC Wiki – SIEM Integration
SOC Wiki – SIEM Threat Cases • Listed above is how Threat Cases are displayed in SOC-Wiki • Threat Case Name, Severity, Status • Information - Centralized, Detailed and Searchable • Information updated by SIEM and SOC Teams
SOC Wiki – SIEM Threat Cases
Shah H Sheikh – Sr. Security Solutions Consultant MEng CISSP CISA CISM CRISC CCSK shah@dts-solution.com

More Related Content

PPTX
Security Operation Center - Design & Build
Sameer Paradia
 
PDF
Building Security Operation Center
S.E. CTS CERT-GOV-MD
 
PPT
SOC presentation- Building a Security Operations Center
Michael Nickle
 
PDF
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
PPTX
SOC Architecture Workshop - Part 1
Priyanka Aash
 
PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
PDF
Rothke secure360 building a security operations center (soc)
Ben Rothke
 
PPSX
Next-Gen security operation center
Muhammad Sahputra
 
Security Operation Center - Design & Build
Sameer Paradia
 
Building Security Operation Center
S.E. CTS CERT-GOV-MD
 
SOC presentation- Building a Security Operations Center
Michael Nickle
 
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
SOC Architecture Workshop - Part 1
Priyanka Aash
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Rothke secure360 building a security operations center (soc)
Ben Rothke
 
Next-Gen security operation center
Muhammad Sahputra
 

What's hot (20)

PPTX
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
PPTX
Security Operation Center Fundamental
Amir Hossein Zargaran
 
PPTX
Security operation center (SOC)
Ahmed Ayman
 
PDF
From SIEM to SOC: Crossing the Cybersecurity Chasm
Priyanka Aash
 
PPTX
Dragos S4x20: How to Build an OT Security Operations Center
Dragos, Inc.
 
PPTX
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
PPTX
Rothke rsa 2012 building a security operations center (soc)
Ben Rothke
 
PDF
SOC Architecture - Building the NextGen SOC
Priyanka Aash
 
PPTX
Security Information and Event Management (SIEM)
k33a
 
PPTX
SOC and SIEM.pptx
SandeshUprety4
 
PDF
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
Priyanka Aash
 
PPTX
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
PDF
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
PDF
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
IBM Security
 
PDF
Governance of security operation centers
Brencil Kaimba
 
PDF
When and How to Set up a Security Operations Center
Komand
 
PPTX
7 Steps to Build a SOC with Limited Resources
LogRhythm
 
PDF
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 
PDF
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin
 
PDF
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH
 
Security Operation Center Fundamental
Amir Hossein Zargaran
 
Security operation center (SOC)
Ahmed Ayman
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
Priyanka Aash
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos, Inc.
 
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
Rothke rsa 2012 building a security operations center (soc)
Ben Rothke
 
SOC Architecture - Building the NextGen SOC
Priyanka Aash
 
Security Information and Event Management (SIEM)
k33a
 
SOC and SIEM.pptx
SandeshUprety4
 
What We’ve Learned Building a Cyber Security Operation Center: du Case Study
Priyanka Aash
 
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
IBM Security
 
Governance of security operation centers
Brencil Kaimba
 
When and How to Set up a Security Operations Center
Komand
 
7 Steps to Build a SOC with Limited Resources
LogRhythm
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin
 
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Ad

Similar to DTS Solution - Building a SOC (Security Operations Center) (20)

PPTX
Shah Sheik Building a CSoC v1.2 DEFCAMP.pptx
mohamadchiri
 
PPTX
SOAR and SIEM.pptx
Ajit Wadhawan
 
PDF
Security Monitoring Course - Ali Ahangari
Ali Ahangari
 
PPTX
Managing security threats in today’s enterprise
Quick Heal Technologies Ltd.
 
PPTX
PKI.pptx
Ajit Wadhawan
 
PPTX
Managed Security Operations Centre Alternative - Managed Security Service
Netpluz Asia Pte Ltd
 
PPTX
Be the Hunter
Rahul Neel Mani
 
PDF
security operations center by Manage Engigne
hackeronehero
 
PDF
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Angeloluca Barba
 
PPTX
New Horizons SCYBER Presentation
New Horizons Computer Learning Centers / 5PE
 
PDF
attack-surface-management-with-an-attackers-and-defenders-view.pdf
shreyash551762
 
PPTX
5 Steps to an Effective Vulnerability Management Program
Tripwire
 
PPTX
RMS Security Breakfast
Rackspace
 
PPTX
Threat modelling(system + enterprise)
abhimanyubhogwan
 
PDF
Building a Security Operations Center (SOC).pdf
TapOffice
 
PPTX
CSO CXO Series Breakfast
CSO_Presentations
 
PPT
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
PDF
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
Happiest Minds Technologies
 
KEY
Application Security Done Right
pvanwoud
 
PPTX
Communicating SOC Status
Adam Alhafid
 
Shah Sheik Building a CSoC v1.2 DEFCAMP.pptx
mohamadchiri
 
SOAR and SIEM.pptx
Ajit Wadhawan
 
Security Monitoring Course - Ali Ahangari
Ali Ahangari
 
Managing security threats in today’s enterprise
Quick Heal Technologies Ltd.
 
PKI.pptx
Ajit Wadhawan
 
Managed Security Operations Centre Alternative - Managed Security Service
Netpluz Asia Pte Ltd
 
Be the Hunter
Rahul Neel Mani
 
security operations center by Manage Engigne
hackeronehero
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Angeloluca Barba
 
New Horizons SCYBER Presentation
New Horizons Computer Learning Centers / 5PE
 
attack-surface-management-with-an-attackers-and-defenders-view.pdf
shreyash551762
 
5 Steps to an Effective Vulnerability Management Program
Tripwire
 
RMS Security Breakfast
Rackspace
 
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Building a Security Operations Center (SOC).pdf
TapOffice
 
CSO CXO Series Breakfast
CSO_Presentations
 
SLVA - Security monitoring and reporting itweb workshop
SLVA Information Security
 
AUTOMATING CYBER RISK DETECTION AND PROTECTION WITH SOC 2.0
Happiest Minds Technologies
 
Application Security Done Right
pvanwoud
 
Communicating SOC Status
Adam Alhafid
 
Ad

More from Shah Sheikh (20)

PDF
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
Shah Sheikh
 
PDF
DTS Solution - Company Presentation
Shah Sheikh
 
PDF
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Shah Sheikh
 
PDF
DTS Solution - Company Presentation
Shah Sheikh
 
PDF
DTS Solution - Red Team - Penetration Testing
Shah Sheikh
 
PDF
DTS Solution - Cyber Security Services Portfolio
Shah Sheikh
 
PDF
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
Shah Sheikh
 
PDF
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
Shah Sheikh
 
PDF
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
Shah Sheikh
 
PDF
DefCamp - Mohamed Bedewi - Building a Weaponized Honeypot
Shah Sheikh
 
PDF
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi
Shah Sheikh
 
PDF
DTS Solution - Hacking ATM Machines - The Italian Job Way
Shah Sheikh
 
PDF
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh
 
PPTX
DTS Solution - Outsourcing Outlook Dubai 2015
Shah Sheikh
 
PDF
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
Shah Sheikh
 
PDF
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
Shah Sheikh
 
PDF
DTS Solution - Wireless Security Protocols / PenTesting
Shah Sheikh
 
PDF
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
Shah Sheikh
 
PDF
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
Shah Sheikh
 
PDF
DTS Solution - Penetration Testing Services v1.0
Shah Sheikh
 
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
Shah Sheikh
 
DTS Solution - Company Presentation
Shah Sheikh
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
Shah Sheikh
 
DTS Solution - Company Presentation
Shah Sheikh
 
DTS Solution - Red Team - Penetration Testing
Shah Sheikh
 
DTS Solution - Cyber Security Services Portfolio
Shah Sheikh
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
Shah Sheikh
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
Shah Sheikh
 
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
Shah Sheikh
 
DefCamp - Mohamed Bedewi - Building a Weaponized Honeypot
Shah Sheikh
 
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi
Shah Sheikh
 
DTS Solution - Hacking ATM Machines - The Italian Job Way
Shah Sheikh
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
Shah Sheikh
 
DTS Solution - Outsourcing Outlook Dubai 2015
Shah Sheikh
 
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
Shah Sheikh
 
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
Shah Sheikh
 
DTS Solution - Wireless Security Protocols / PenTesting
Shah Sheikh
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
Shah Sheikh
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
Shah Sheikh
 
DTS Solution - Penetration Testing Services v1.0
Shah Sheikh
 

Recently uploaded (20)

PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Teaching material agriculture food technology
LiaRayya
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
Approach and Philosophy of On baking technology
30anthuong17
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
KodekX | Application Modernization Development
KodekX
 
Cloud computing and distributed systems.
kkkkkhan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 

DTS Solution - Building a SOC (Security Operations Center)

  • 1. Building a Cyber Security Operations Center www.dts-solution.com Shah H Sheikh – Sr. Security Solutions Consultant MEng CISSP CISA CISM CRISC CCSK shah@dts-solution.com
  • 2. Cyber Security Operations Center Agenda – Building a Cyber Security Operations Center 1. The need to build an enterprise-wide CSOC. 2. CSOC 2.0 and its components to form an eco-system. 3. SIEM 2.0 – Log Collection, Log Aggregation, Security Analytics and Correlation. 4. Specific Contextual Threat and Use Cases and Situational Awareness 5. Building Threat Intelligence and Early Warning Detection System 6. CSOC Processes, Procedures and Workflows. 7. CSOC Incident Response Handling 8. Cyber Incident Offense Management 9. CSOC vs. Security Maturity Levels People, Process and Technology
  • 3. • Around 62% of the incidents targeted just 3 industries last year. Quick Facts about IT Security
  • 4. • Unauthorized access was nearly twice as prevalent in 2014 as in 2013 among the top 5 industries; followed by Reconnaissance activities and Malicious code Quick Facts…
  • 5. • Who are these attackers? Much of them are insiders indeed. Quick Facts…
  • 6. • Organizations are more and more concerned about the security of their IT assets. Quick Facts…
  • 7. • Security Incident Categories Trend: Quick Facts…
  • 8. Here are the top 5 impacts of a security breach: 1. Ruined Reputation: Once the news about breach is put on the web, you can bet that it will forever live on – no matter how hard you try to erase it. 2. Theft: If hackers are able to get into your website or network, you can guarantee they will be able to access your bank account information or any such confidential information. 3. Revenue Lost: If a hacker gets into your site and crashes it or causes a long period of downtime, your operations will cease and you will lose revenue. 4. Damaged Intellectual Property: While stealing your identity and money can be incredibly bad, stealing your intellectual property can be just as damaging to a business. If a hacker gets in and steals ideas, plans, or blueprints, you could miss out on being able to fully implement new products or designs. 5. Vandalism: Vandalism is the planting of false information and is a tactic that major hacking groups like to use to ruin your company’s reputation. Why Should You be Concerned?
  • 9. Cyber Kill Chain This is how an attack is executed:
  • 12. The current CSOC landscape…
  • 13. Outsourced or In-house ?!? … VS … In-Housed SOC
  • 14. Why build a CSOC?
  • 15. Key Objectives for CSOC … (1) • Manages and Coordinates the response to Cyber Threats and Incidents • Monitors the Cyber Security posture and reports deficiencies • Coordinates with regulatory bodies • Performs Threat and Vulnerability Analysis • Performs Analysis of Cyber Security Events • Maintains an Internal Database of Cyber Security Incidents • Provide Alerts and Notifications to General and Specific Threats • Provide regular reporting to Management and Cyber Incident Responders
  • 16. Key Objectives for CSOC … (2) • Reduce the response time of security incident from initial findings, to reporting to containment • Recovery Time Objective (RTO) in case of security incident materializing • Proactive Security Monitoring based on predefined security metrics / KPI • Raise Awareness of Information Security across community of leaders and sub-ordinates • Ability to correlate system, application, network, server, security logs in a consistent way
  • 17. Key Objectives for CSOC … (3) • Ability to automate the requirement to meet compliance – vulnerability assessment and risk management • Ensure change control function is integrated into the SOC process • Identification for all security attack vectors and classification of incidents • Define disaster recovery plans for ICE (in-case of emergency). • Build a comprehensive reporting dashboard that is aligned to security metrics • Build a local in-house SIRT (security incident response team) that collaborates with National CERT
  • 18. Key Objectives for CSOC … (4) • To build SOC processes that are aligned to existing ISO27001 security policies • Build a physical and virtual team of SOC personnel for 24 x 7 monitoring • Build forensics capabilities to be able to reconstruct series of events during an incident • Proactive monitoring of network and security infrastructure devices
  • 19. Components of a CSOC • To build the SOC with simple acceptance and execution model • Maximize the use of technology. • To build security intelligence and visibility that was previously unknown; build effective coordination and response unit and to introduce automation of security process. • Develop SOC processes that are inline to industry best practices and accepted standards – ISO27001:2013, PCI-DSS3.0, IEC-62443, NIST SECURITY INCIDENT MANAGEMENT · PRE AND POST INCIDENT ANALYSIS · FORENSICS ANALYSIS · ROOT CAUSE ANALYSIS · INCIDENT HANDLING · aeCERT INTEGRATION · REPORTING · EXECUTIVE SUMMARY · AUDIT AND ASSESSMENT · SECURITY METRIC REPORTING · KPI COMPLIANCE · SLA REPORTING · REAL-TIME MONITORING · DATA AGGREGATION · DATA CORRELATION · AGGREGATE LOGS · CORDINATE RESPONSE · AUTOMATED REMEDIATION
  • 20. CSOC – Core Components Core Components for a CSOC 2.0 • OSS – Operational Support System • SIEM – Security Information and Event Management • Proactive Monitoring - Network and Security and Server Infrastructure • Alert and Notification – Security Incident Reporting • Events Correlation and Heuristics / Behavioral / Anomaly
  • 21. CSOC – Core Components Core Components for a CSOC 2.0 • Information and Network Security $$ Automation $$ • To natively build-in compliance and audit functions • To manage change control process through integrated ITILv3 CM and SD • Configuration Management of Infrastructure Components
  • 22. CSOC – Core Components Core Components for a CSOC 2.0 • Alignment of Risk Management with Business Needs • Qualified Risk Ranking • Risks are ranked based on business impact analysis (BIA) • Risk framework is built into the SIEM solution; • incident = risk severity = appropriate remediation and isolation action • SOC is integrated with Vulnerability and Patch Management
  • 23. CSOC – Core Components Core Components for a CSOC 2.0 • IRH – Incident Response Handling • How effective the SOC is measured by how incidents are managed, handled, administered, remediated and isolated. • Continuous cyclic feedback mechanism drives IRH • Critical functions include Network Forensics and Surveillance Tech.. • Reconstruct the incident …. Evidence gathering … Effective Investigation • Escalation Management – know who to communicate during an incident
  • 24. CSOC – Core Components Sample Architecture for the CSOC Perimeter and Boundary Points Network Nodes Internet DMZ / Published Services IPS WWW SSL VPN Applications Active DirectoryDB Middleware SMTP Internal Resources MAINFRAME Servers WAF FW (HTTP, SNMP, SMTP, SYSLOG, API, XML, CUSTOM FILE, LOGFILE DATA ACQUISITION LAYER – SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) EVENT CORRELATION LAYER · Event Correlation Engine · Analysis and Filtering · Event Management · Integration with NMS Systems · Trouble Ticket Integration · Flow Analysis SECURITY VULNERABILITY · Common Vulnerability Exploits CVE · Risk Ranking · Configuration Audit · Security Metric Dashboard DATA COLLABORATION · Policy Management · Asset Repository · Problem Incident Management · Security Incident Reporting · Change Control · Security Automation Security Management, Systems Management, Network Management, Reporting, KPI, SLA, Benchmark, Compliance Management REPORTING AND MANAGEMENT LAYER
  • 25. CSOC – Core Components Integration of Core SOC Components
  • 26. Key Success Factors in a CSOC The Goal – Keep Things Simple 
  • 28. The SOC’s structure must correspond to that of its organization. The key drivers for determining which SOC model is best for the enterprise are: • Size of the organization, in terms of users, IP addresses, and/or devices • Frequency of incidents • Timeliness and accuracy of incident response expected PEOPLE - Structuring the SOC
  • 29. PEOPLE - Structuring the SOC…
  • 30. PEOPLE - Structuring the SOC…
  • 31. PEOPLE - Structuring the SOC…
  • 32. PEOPLE - Skill-Sets Required It is important to determine which skills an analyst should have in order to be a part of SOC. The 2 areas are: Technical Skills:  TCP/IP  SIEM, IDS/IPS, NetFlow, tools such as Snort, Argus, tcpdump, WireShark, etc.  Cryptographic algorithms like 3DES, AES, RSA, MD5, SHA, SSL/TLS, DH, etc.  Vulnerability Assessment, Penetration Testing  Security engineering, Scripting  Etc…… Soft Skills:
  • 33. PEOPLE - Skill-Sets Across Different Roles Role/Title Desired Skills Tier 1 Analyst Few years in security, basic knowledge of systems and networking Tier 2 Analyst Former Tier 1 experience, deeper knowledge of security tools, strong networking / system / application experience, packet analysis, incident response tools SOC Lead All the above + can adjust the security intelligence platform, knows reverse engineering/threat intelligence/forensics SOC Director Hiring and staffing, interfacing with execs to show value and get resources, establishing metrics and KPIs SOC Architect Experience designing large scale security operations, security tools and processes
  • 34. Mature SOCs should have a robust training program that brings new recruits up to speed to execute the operations and to develop and enhance the skills of existing SOC employees. Some of the training areas include: • Informal on-the-job training in tools and techniques • External training on certifications like GIAC, CISSM, CISM, etc. • Training courses for specialties like forensics and intrusion analysis, SIEM, IDS, malware analysis and reverse engineering, VA-PT, etc. • Etc…. PEOPLE - Training Needs
  • 36. CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists) DATA SECURITY AND MONITORING • Data Asset Classification • Data Collection • Data Normalization • Data at Rest and In Motion • Data Protection • Data Distribution
  • 37. EVENT MANAGEMENT • Event Correlation • Identification • Triage • Roles • Containment • Notification • Ticketing • Recovery • Forensics and Situational Awareness CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
  • 38. CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists) RISK MANAGEMENT • Context Establishment • Risk Identification • Risk Analysis • Risk Evaluation • Risk Treatment
  • 39. INCIDENT RESPONSE PRACTICE • Security Incident Reporting Structure • Security Incident Monitoring • Security Incident Escalation Procedure • Forensics and Root Cause Analysis CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists) • Return to Normal Operations • Post-Incident Planning and Monitoring • Communication Guidelines • National CERT Integration
  • 40. SOC OPERATING GUIDELINES • SOC Workflow • Personnel Shift Description • Shift Reporting • Shift Change • Information Acquisition • SOC Monitoring Suite • SOC Reporting Structure • Organizational Chart CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
  • 41. ESCALATION MANAGEMENT • Escalation Procedure • Pre-Escalation Tasks • IT Security • Network Operation Center • Security Engineering • National CERT Integration • Law Enforcement • 3rd Party Service Providers and Vendors CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
  • 42. DATA RECOVERY PROCEDURES • Disaster Recovery and BCP Procedure • Recovery Time Objective • Recovery Point Objective • Resiliency and High Availability • Facilities Outage Procedure CSOC – Developing Processes
  • 43. SECURITY INCIDENT PROCEDURES • Email Phishing - Email Security Incident • Virus and Worm Infection • Anti-Virus Management Incident • NetFlow Abnormal Behavior Incident • Network Behavior Analysis Incident • Distributed Denial of Service Incident • Host Compromise - Web Application Security Incident • Network Compromise • Internet Misuse • Human Resource - Hiring and Termination • Domain Hijack or DNS Cache Poisoning • Suspicious User Activity • Unauthorized User Access (Employee) CSOC – Developing Processes
  • 44. VULNERABILITY AND PATCH MANAGEMENT • Vulnerability Research (Threat Intelligence) - Notifications sent to respective system owners • Patch Management - Microsoft SCOM • Identification • Dissemination • Compliance Monitoring • Network Configuration Baseline • Anti-Virus Signature Management • Microsoft Updates CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
  • 46. TOOLS OPERATING MANUAL FOR CSOC PERSONNEL • Operating Procedure for SIEM 2.0 Solution – Event Management and Flow Collector/Processor and Advanced Correlation • NGFW Firewall Security Logs • IPS Security Logs • SSL VPN / IPSEC VPN / Remote Access logs • WAF Security / DB Activity Monitoring / ERP Security logs • User Activity / Login / Active Directory / AAA Logs • Endpoint Security (AV, Malware Protection, SCOM) • Operating Procedure for Configuration and Policy Compliance • Operating Procedure for Vulnerability Assessment CSOC – Developing Processes Creating the CSOC Operating Manuals
  • 47. SECURITY ALARMS AND ALERT CLASSIFICATION • Critical Alarms and Alerts with Action Definition • Non-Critical and Information Alarms • Alarm reporting and SLA to resolve the alarms CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
  • 48. SECURITY METRIC AND DASHBOARD – EXECUTIVE SUMMARY • Definition of Security Metrics based on Center of Internet Security standards • Security KPI reporting definition • Security Balanced Scorecard and Executive Reporting CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
  • 49. Monthly Activities Status Reporting • Summary of all areas of operations • Scheduled automated reports from SIEM • Trends and statistics based on incidents • Reports of most targeted vulnerable assets, highest number of incidents, etc. CSOC – Developing Processes Creating the CSOC Processes CSOC Processes, Procedures and Workflows developed should be aligned to Corporate ISMS (if it exists)
  • 51. CSOC Technologies … SIEM 2.0 Solution (NOT just Log Management) • Event Collector and Processor – Syslog, Log Files, SMB, ODBC > All Log Sources • Flow Collection and Processor – NetFlow, J-Flow, S-Flow, IPIX • Asset Database (Based on Asset Criticality, Risk and Vulnerability, System and Business Owner) • Event and Flow Correlation – Advanced Threat Analytics • Centralized Management Console for Security Dashboard and Reporting • Integration with service desk for automated ticket creation > Offense Management
  • 52. CSOC Technologies … .…SIEM 2.0 Solution SIEM solution provides you with the following benefits:
  • 53. SIEM Advance Use Case Implementation DTS Solution specializes in creating advance threat cases on SIEM, wherein the customer environment is assessed and accordingly threat cases are created. Sample threat cases that can be implemented: CSOC Technologies … Rule ID Title Log Sourc es Description of Threat Case Threat Reason SIEM Logic INT_001 Worm Propagation All A system gets attacked or infected with a malware and it in turn spreads the malware to several other systems. This rule would detect worm propagation in the network. 1. Host A compromises host B with log classification as Attack, Compromise, Malware, etc. 2. Host B compromises several other hosts with similar log classification. INT_002 Reconnaissance followed by suspicious activities All There was a reconnaissance attack detected on a server which was followed by some suspicious activities such as user account creation, deletion, privilege escalation, etc. Reconnaissance activities like port scan, etc. can give information about the system which can then be used by an attacker to gain access and alter the system configurations according to his requirements. 1. Reconnaissance was detected on a particular system. 2. Suspicious activities were reported on the same server within specified time interval.0
  • 54. CSOC Technologies … Compliance Management and Policy Conformance • Configuration Audit across Infrastructure Systems and Devices • ISO27001 / PCI-DSS3.0 / IEC-62443 Security Policy Compliance • Risk Management – Identification and Mitigation • Baseline Configuration Violation Monitoring (Continuous Compliance / Monitoring) • Network Topology Mapping and Visualization • Vulnerability Assessment and Management
  • 55. CSOC Technologies … Network and Security Monitoring (Traditionally owned by the Networking Team) > Integrate with Security Requirements • Network Performance Monitor - SNMP • Network Monitoring • Link Utilization • Availability Monitoring • SLA reporting • Integration with service desk for automated ticket creation
  • 56. CSOC Technologies … Security Analysis and Threat Intelligence • Network Forensics (Raw Packet Capture > Session Reconstruction) • Live Situational Awareness Intelligence Feeds • Artifacts and Packet Reconstruction (Chain of Custody) • Monitor all Internet Activity (Linked to Identity (username) as opposed to IPs) • Record metadata for recursive analysis during incident response • Integration with Incident Response Handling (IRH) and SIEM • Threat Intelligence and Global Threat Actor Map
  • 57. CSOC Technologies … Vulnerability Management & Penetration Testing • Vulnerability Assessment • Penetration Testing • Unified Communications Audit • SCADA Security Evaluation Toolkit • Mobile Network Security • Endpoint IP Discovery and Network Leakage Detection • Availability Assessment • Core Network Security
  • 59. CSOC (before) ….. < The Silos >… Technology Integration … the old practice SIEM Vulnerability Assessment Network Monitoring
  • 60. CSOC (after) …. Automation Technology Integration … the new … WORKFLOW SIEM 2.0Compliance and Monitoring NMS
  • 62. • Attackers work 24x7. Does the SOC also need to work round the clock? • Finding the right staffing plan can be challenging and depends on a number of considerations, including: – Criticality of business – Size of SOC staff – Is the host facility open 24x7 – Size of the organization and its normal business hours – Etc….. CSOC SHIFT GUIDELINES
  • 63. Benefits: • Availability – Anytime, Anywhere, Anyhow • 24x7 monitoring and proactive intervention • Service consistency & reliability • Service excellence & innovation • Market leadership • Compliance with your security policy 24x7 Operations Challenges: • 24x7 SOCs must maintain a minimum staff of two analysts at all times • Expensive as compared to 8x5 • Productivity of engineers working in night shifts is affected • Difficult to manage shift timings • Health Concerns
  • 64. Sample 24x7 SOC Shift Working Plan: 24x7 Operations….
  • 65. Alternatives: • Staff only certain portions of the SOC 24x7, such as Tier 1; leave other sections with “on-call” availability. • Expand operations beyond 8x5 to 12x5 or 12x5 plus 8x2. • ‘Follow the Sun’ approach. 24x7 Operations….
  • 66. SOC Leads SOC Escalation Procedure SOC Roles & Internal Escalation
  • 67. Cyber Security Operations Center You can only monitor what you know 
  • 68. • Environments • Location • Device Types • System Types • Security Zones • Demarcation Points • Ingress Perimeters • Data Center • Extranet • WAN ….Know your infrastructure…. You can only monitor what you know 
  • 69. Build an Asset Database and Integrate into SIEM Following asset details can be adjusted with Asset Manager: • Name • Description • Weight • Operating System • Business Owner • Business Owner Contact Information • Technical Owner • Technical Owner Contact Information • Location • Risk and Vulnerability Information (CVEs) Build an Asset Repository
  • 70. • Knowledge on what are the service flows across your infrastructure … …. Service Flows (Published Services) …… BUILD A SECURITY SERVICES CATALOG
  • 71. • Understanding the service flows will allow you to VISUALIZE… …. Service Flows (Internal Services) …… Integration with Vulnerability Management
  • 75. • Build contextual threat cases per environment; – Extranet – Internet – Intranet – Data Center – Active Directory – Malware / Virus Infection and Propagation – NetFlow Analysis – Remote Sites / WAN – Remote Access – IPSEC VPN / SSL VPN – Wireless – etc….. Develop Threat Cases
  • 76. • To define threat cases per environment … not by system…. (silo) • CONTEXTUAL • SERVICE ORIENTATED • USER CENTRIC ID Threat Case Development OS.WIN Microsoft Windows Servers - Threat Case Development Documentation Microsoft Active Directory - Threat Case Development Documentation MSIIS MSSQL MSEXC Microsoft Application - Threat Case Development Documentation • IIS • MSSQL • Exchange IBMAIX LINUX SOLARIS UNIX/LINUX/SOLARIS/AIX – Threat Case Development Documentation PRIVACC Advanced Threat Cases for Privileged User and Special Account Activity and Monitoring N/A Baseline Security Settings on UNIX/LINUX/SOLARIS/AIX server BUSINT Business Internet EXTRNT Extranet S2SVPN Site to Site VPN DEVELOP THREAT CASES
  • 77. ADVANCED THREAT CASES - ENVIRONMENT • To define threat cases per environment … …. Eventually …. Should …. Include …. All …. Environment ….. ID Threat Case Development INTOFF International Offices – Global MPLS SSLVPN Juniper SSL VPN NATIONAL IPVPN –National MPLS IPVPN WIRLESS Wireless Infrastructure VOIPUC Voice over IP VSAT VSAT – Satellite DIGPKI PKI and X.509 Digital Certificates (systems threat case) AAA AAA (systems threat case) HIPS HIPS and Application Whitelisting EXECACC Executive Account Monitoring SAP SAP Router and SAP Privilege Activity Monitoring COMPLIANCE Compliance and Best Practices Configuration NAC Network Admission Control IPS-AV IPS and AV Management Console EMAIL Email Security – Business Internet Gateway DAM Database Activity Monitoring (DAM) SFT Secure File Transfer • IMPORTANT – understand the environment and understand the threats related to those environment…..
  • 80. Important Note: "OS.WIN.010.Offense: Multiple Logon for Single User from Different Locations" offense is disabled pending application/system accounts names clarifications to be excluded from the rule's logic. Develop Threat Cases – Windows Servers
  • 81. DTS Solution assists you to consider below aspects of controlling staffing levels while sticking to the allocated budget: 1. What are the factors that Influence SOC Staffing Levels? 2. Whom do we hire? 3. How many people do we need? 4. How do we retain them? Controlling SOC Staff According to Budget
  • 82. DTS recognizes below elements of SOC that should be under one command structure: • Real-time monitoring and triage (Tier 1) • Incident analysis, coordination, and response (Tier 2 and above) • Cyber intel collection and analysis • Sensor tuning and management and SOC infrastructure Operations & Maintenance • SOC tool engineering and deployment Bringing All Core SOC Functions Together Under 1 Roof
  • 83. There are a number of IT and cybersecurity policies that enable effective functioning of security operations that should be implemented: • User consent to monitoring • Acceptable use policy • Privacy and sensitive data handling policies • Internally permitted ports and protocols • Externally permitted ports and protocols • Host naming conventions • Other IT configuration and compliance policy • Bring your own device and mobile policies • Approved OSes, applications, and system images • Authorized third-party scanning • Audit policy • Etc….. Policies Authorizing SOC to do its Job
  • 84. SOC Floor Conference Room SOC Manager & Supervisor Cabins Computer Room CSOC PHYSICAL INFRASTRUCTURE
  • 85. CSOC Layout Design CSOC Layout Design - Sample
  • 86. DTS Solution provides following list of SOC documents which will help in planning, building and operating the SOC: • Information Security Incident Management Procedure • Threat Management Standard Operating Procedure • Major Incident Management Process • Information Security Infrastructure Review Report • Major Incident Report • Security Infrastructure Recommended Solution • Major Incident Management Process Flowchart • Incident Management Process Flowchart • List of SIEM Advance Threat Cases • Procedure for the Handling of Virus and Denial of Service Attacks • Security Hardening Guidelines for various Security Tools SOC DOCUMENTS
  • 87. *NIX AUTHENTICATION … FOLLOW THE PROCESS
  • 91. CSOC-Wiki - Goals Purpose of the WiKi • Centralized Knowledge Repository for SOC • Collaborate and Share Information with other Team Members • Easy of use and searchable (Google Like) • Integrations with other toolsets Challenges within CSOC • Current Issues with SIEM Processes, Documentations, Offence Handling, Knowledge Sharing • SIEM Integrations into SOC-Wiki • SIEM Threat Cases
  • 92. CSOC Wiki – SIEM Integration CSOC - WiKi Processes Threat Cases Workflows Security Maturity Level 4 to 5
  • 93. CSOC Wiki – SIEM Integration 1 2 Current Maturity Level Target Maturity Level
  • 94. CSOC Wiki – SIEM Integration
  • 95. SOC Wiki – SIEM Threat Cases • Listed above is how Threat Cases are displayed in SOC-Wiki • Threat Case Name, Severity, Status • Information - Centralized, Detailed and Searchable • Information updated by SIEM and SOC Teams
  • 96. SOC Wiki – SIEM Threat Cases
  • 97. Shah H Sheikh – Sr. Security Solutions Consultant MEng CISSP CISA CISM CRISC CCSK shah@dts-solution.com