DTS Solution - Building a SOC (Security Operations Center)

Building a Cyber Security Operations Center
www.dts-solution.com
Shah H Sheikh – Sr. Security Solutions Consultant
MEng CISSP CISA CISM CRISC CCSK
shah@dts-solution.com

Cyber Security Operations Center
Agenda – Building a Cyber Security Operations Center
1. The need to build an enterprise-wide CSOC.
2. CSOC 2.0 and its components to form an eco-system.
3. SIEM 2.0 – Log Collection, Log Aggregation, Security Analytics and Correlation.
4. Specific Contextual Threat and Use Cases and Situational Awareness
5. Building Threat Intelligence and Early Warning Detection System
6. CSOC Processes, Procedures and Workflows.
7. CSOC Incident Response Handling
8. Cyber Incident Offense Management
9. CSOC vs. Security Maturity Levels
People, Process and Technology

• Around 62% of the incidents targeted just 3 industries
last year.
Quick Facts about IT Security

• Unauthorized access was nearly twice as prevalent in
2014 as in 2013 among the top 5 industries; followed
by Reconnaissance activities and Malicious code
Quick Facts…

• Who are these attackers?
Much of them are insiders indeed.
Quick Facts…

• Organizations are more and more concerned about
the security of their IT assets.
Quick Facts…

• Security Incident Categories Trend:
Quick Facts…

Here are the top 5 impacts of a security breach:
1. Ruined Reputation: Once the news about breach is put on the web, you
can bet that it will forever live on – no matter how hard you try to erase it.
2. Theft: If hackers are able to get into your website or network, you can
guarantee they will be able to access your bank account information or any such
confidential information.
3. Revenue Lost: If a hacker gets into your site and crashes it or causes a long
period of downtime, your operations will cease and you will lose revenue.
4. Damaged Intellectual Property: While stealing your identity and money can be
incredibly bad, stealing your intellectual property can be just as damaging to a
business. If a hacker gets in and steals ideas, plans, or blueprints, you could miss out
on being able to fully implement new products or designs.
5. Vandalism: Vandalism is the planting of false information and is a tactic that
major hacking groups like to use to ruin your company’s reputation.
Why Should You be Concerned?

Cyber Kill Chain
This is how an attack is executed:

Outsourced or In-house ?!?
… VS …
In-Housed SOC

Key Objectives for CSOC … (1)
• Manages and Coordinates the response
to Cyber Threats and Incidents
• Monitors the Cyber Security posture and
reports deficiencies
• Coordinates with regulatory bodies
• Performs Threat and Vulnerability Analysis
• Performs Analysis of Cyber Security Events
• Maintains an Internal Database of Cyber
Security Incidents
• Provide Alerts and Notifications to General
and Specific Threats
• Provide regular reporting to Management and Cyber Incident Responders

• Reduce the response time of security incident from initial
findings, to reporting to containment
• Recovery Time Objective (RTO) in case of security incident
materializing
• Proactive Security Monitoring based on predefined security
metrics / KPI
• Raise Awareness of Information Security across community of
leaders and sub-ordinates
• Ability to correlate system, application, network, server, security
logs in a consistent way

• Ability to automate the requirement to meet compliance –
vulnerability assessment and risk management
• Ensure change control function is integrated into the SOC process
• Identification for all security attack vectors and classification of
incidents
• Define disaster recovery plans for ICE (in-case of emergency).
• Build a comprehensive reporting dashboard that is aligned to
security metrics
• Build a local in-house SIRT (security incident response team) that
collaborates with National CERT

• To build SOC processes that are aligned to existing ISO27001
security policies
• Build a physical and virtual team of SOC personnel for 24 x 7
monitoring
• Build forensics capabilities to be able to reconstruct series of
events during an incident
• Proactive monitoring of network and security infrastructure
devices

Components of a CSOC
• To build the SOC with simple acceptance and execution model
• Maximize the use of technology.
• To build security intelligence and visibility that was previously
unknown; build effective coordination and response unit and to
introduce automation of security process.
• Develop SOC processes that are inline to industry best practices and
accepted standards – ISO27001:2013, PCI-DSS3.0, IEC-62443, NIST
SECURITY INCIDENT MANAGEMENT
· PRE AND POST INCIDENT ANALYSIS
· FORENSICS ANALYSIS
· ROOT CAUSE ANALYSIS
· INCIDENT HANDLING
· aeCERT INTEGRATION
·
REPORTING
· EXECUTIVE SUMMARY
· AUDIT AND ASSESSMENT
· SECURITY METRIC REPORTING
· KPI COMPLIANCE
· SLA REPORTING
·
REAL-TIME MONITORING
· DATA AGGREGATION
· DATA CORRELATION
· AGGREGATE LOGS
· CORDINATE RESPONSE
· AUTOMATED REMEDIATION

CSOC – Core Components
Core Components for a CSOC 2.0
• OSS – Operational Support System
• SIEM – Security Information and Event Management
• Proactive Monitoring - Network and Security and Server Infrastructure
• Alert and Notification – Security Incident Reporting
• Events Correlation and Heuristics / Behavioral / Anomaly

• Information and Network Security $$ Automation $$
• To natively build-in compliance and audit functions
• To manage change control process through integrated ITILv3 CM and SD
• Configuration Management of Infrastructure Components

• Alignment of Risk Management with Business Needs
• Qualified Risk Ranking
• Risks are ranked based on business impact analysis (BIA)
• Risk framework is built into the SIEM solution;
• incident = risk severity = appropriate remediation and isolation action
• SOC is integrated with Vulnerability and Patch Management

• IRH – Incident Response Handling
• How effective the SOC is measured by how incidents are managed, handled,
administered, remediated and isolated.
• Continuous cyclic feedback mechanism drives IRH
• Critical functions include Network Forensics and Surveillance Tech..
• Reconstruct the incident …. Evidence gathering … Effective Investigation
• Escalation Management – know who to communicate during an
incident

Sample Architecture for the CSOC
Perimeter and Boundary Points
Network Nodes
Internet
DMZ / Published Services
IPS
WWW SSL VPN
Applications
Active DirectoryDB
Middleware
SMTP
Internal Resources
MAINFRAME
Servers
WAF FW
(HTTP, SNMP, SMTP, SYSLOG, API, XML, CUSTOM FILE, LOGFILE
DATA ACQUISITION LAYER – SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM)
EVENT CORRELATION LAYER
· Event Correlation Engine
· Analysis and Filtering
· Event Management
· Integration with NMS Systems
· Trouble Ticket Integration
· Flow Analysis
SECURITY VULNERABILITY
· Common Vulnerability Exploits CVE
· Risk Ranking
· Configuration Audit
· Security Metric Dashboard
DATA COLLABORATION
· Policy Management
· Asset Repository
· Problem Incident Management
· Security Incident Reporting
· Change Control
· Security Automation
Security Management, Systems Management, Network Management, Reporting, KPI, SLA, Benchmark, Compliance Management
REPORTING AND MANAGEMENT LAYER

Integration of Core SOC Components

Key Success Factors in a CSOC
The Goal – Keep Things Simple 

The SOC’s structure must correspond to that of its
organization. The key drivers for determining which
SOC model is best for the enterprise are:
• Size of the organization, in terms of users, IP addresses,
and/or devices
• Frequency of incidents
• Timeliness and accuracy of incident response expected
PEOPLE - Structuring the SOC

PEOPLE - Structuring the SOC…

PEOPLE - Skill-Sets Required
It is important to determine which skills an analyst should have in
order to be a part of SOC. The 2 areas are:
Technical Skills:
 TCP/IP
 SIEM, IDS/IPS, NetFlow, tools such as Snort, Argus, tcpdump, WireShark, etc.
 Cryptographic algorithms like 3DES, AES, RSA, MD5, SHA, SSL/TLS, DH, etc.
 Vulnerability Assessment, Penetration Testing
 Security engineering, Scripting
 Etc……
Soft Skills:

PEOPLE - Skill-Sets Across Different Roles
Role/Title Desired Skills
Tier 1 Analyst Few years in security, basic knowledge of systems and networking
Tier 2 Analyst Former Tier 1 experience, deeper knowledge of security tools, strong
networking / system / application experience, packet analysis, incident
response tools
SOC Lead All the above + can adjust the security intelligence platform, knows
reverse engineering/threat intelligence/forensics
SOC Director Hiring and staffing, interfacing with execs to show value and get
resources, establishing metrics and KPIs
SOC Architect Experience designing large scale security operations, security tools and
processes

Mature SOCs should have a robust training
program that brings new recruits up to speed
to execute the operations and to develop and
enhance the skills of existing SOC employees.
Some of the training areas include:
• Informal on-the-job training in tools and techniques
• External training on certifications like GIAC, CISSM, CISM, etc.
• Training courses for specialties like forensics and intrusion analysis, SIEM, IDS,
malware analysis and reverse engineering, VA-PT, etc.
• Etc….
PEOPLE - Training Needs

CSOC – Developing Processes
Creating the CSOC Processes
CSOC Processes, Procedures and Workflows developed should be aligned to
Corporate ISMS (if it exists)
DATA SECURITY AND MONITORING
• Data Asset Classification
• Data Collection
• Data Normalization
• Data at Rest and In Motion
• Data Protection
• Data Distribution

EVENT MANAGEMENT
• Event Correlation
• Identification
• Triage
• Roles
• Containment
• Notification
• Ticketing
• Recovery
• Forensics and Situational
Awareness

CSOC Processes, Procedures and
Workflows developed should be
aligned to Corporate ISMS (if it exists)
RISK MANAGEMENT
• Context Establishment
• Risk Identification
• Risk Analysis
• Risk Evaluation
• Risk Treatment

INCIDENT RESPONSE PRACTICE
• Security Incident Reporting Structure
• Security Incident Monitoring
• Security Incident Escalation Procedure
• Forensics and Root Cause Analysis
• Return to Normal Operations
• Post-Incident Planning and Monitoring
• Communication Guidelines
• National CERT Integration

SOC OPERATING GUIDELINES
• SOC Workflow
• Personnel Shift Description
• Shift Reporting
• Shift Change
• Information Acquisition
• SOC Monitoring Suite
• SOC Reporting Structure
• Organizational Chart

ESCALATION MANAGEMENT
• Escalation Procedure
• Pre-Escalation Tasks
• IT Security
• Network Operation Center
• Security Engineering
• National CERT Integration
• Law Enforcement
• 3rd Party Service Providers and Vendors

DATA RECOVERY PROCEDURES
• Disaster Recovery and BCP
Procedure
• Recovery Time Objective
• Recovery Point Objective
• Resiliency and High
Availability
• Facilities Outage Procedure

SECURITY INCIDENT PROCEDURES
• Email Phishing - Email Security Incident
• Virus and Worm Infection
• Anti-Virus Management Incident
• NetFlow Abnormal Behavior Incident
• Network Behavior Analysis Incident
• Distributed Denial of Service Incident
• Host Compromise - Web Application Security Incident
• Network Compromise
• Internet Misuse
• Human Resource - Hiring and Termination
• Domain Hijack or DNS Cache Poisoning
• Suspicious User Activity
• Unauthorized User Access (Employee)

VULNERABILITY AND PATCH MANAGEMENT
• Vulnerability Research (Threat Intelligence)
- Notifications sent to respective system owners
• Patch Management - Microsoft SCOM
• Identification
• Dissemination
• Compliance Monitoring
• Network Configuration Baseline
• Anti-Virus Signature Management
• Microsoft Updates

TOOLS OPERATING MANUAL FOR CSOC PERSONNEL
• Operating Procedure for SIEM 2.0 Solution – Event Management and
Flow Collector/Processor and Advanced Correlation
• NGFW Firewall Security Logs
• IPS Security Logs
• SSL VPN / IPSEC VPN / Remote Access logs
• WAF Security / DB Activity Monitoring / ERP Security logs
• User Activity / Login / Active Directory / AAA Logs
• Endpoint Security (AV, Malware Protection, SCOM)
• Operating Procedure for Configuration and Policy Compliance
• Operating Procedure for Vulnerability Assessment
Creating the CSOC Operating Manuals

SECURITY ALARMS AND ALERT CLASSIFICATION
• Critical Alarms and Alerts with Action Definition
• Non-Critical and Information Alarms
• Alarm reporting and SLA to resolve the alarms

SECURITY METRIC AND DASHBOARD – EXECUTIVE SUMMARY
• Definition of Security Metrics based on Center of Internet
Security standards
• Security KPI reporting definition
• Security Balanced Scorecard and Executive Reporting

Monthly Activities Status Reporting
• Summary of all areas of operations
• Scheduled automated reports from SIEM
• Trends and statistics based on incidents
• Reports of most targeted vulnerable assets,
highest number of incidents, etc.

CSOC Technologies …
SIEM 2.0 Solution (NOT just Log Management)
• Event Collector and Processor – Syslog, Log Files, SMB, ODBC > All Log Sources
• Flow Collection and Processor – NetFlow, J-Flow, S-Flow, IPIX
• Asset Database (Based on Asset Criticality, Risk and Vulnerability, System and Business Owner)
• Event and Flow Correlation – Advanced Threat Analytics
• Centralized Management Console for Security Dashboard and Reporting
• Integration with service desk for automated ticket creation > Offense Management

.…SIEM 2.0 Solution
SIEM solution provides you with the following benefits:

SIEM Advance Use Case Implementation
DTS Solution specializes in creating advance threat cases on SIEM, wherein the customer environment is
assessed and accordingly threat cases are created.
Sample threat cases that can be implemented:
Rule ID Title Log
Sourc
es
Description of Threat Case Threat Reason SIEM Logic
INT_001 Worm
Propagation
All A system gets attacked or
infected with a malware and it
in turn spreads the malware to
several other systems.
This rule would detect
worm propagation in the
network.
1. Host A compromises host B
with log classification as
Attack, Compromise,
Malware, etc.
2. Host B compromises several
other hosts with similar log
classification.
INT_002 Reconnaissance
followed by
suspicious
activities
All There was a reconnaissance
attack detected on a server
which was followed by some
suspicious activities such as
user account creation, deletion,
privilege escalation, etc.
Reconnaissance activities
like port scan, etc. can give
information about the
system which can then be
used by an attacker to gain
access and alter the system
configurations according to
his requirements.
1. Reconnaissance was
detected on a particular
system.
2. Suspicious activities were
reported on the same server
within specified time
interval.0

Compliance Management and Policy Conformance
• Configuration Audit across Infrastructure Systems and Devices
• ISO27001 / PCI-DSS3.0 / IEC-62443 Security Policy Compliance
• Risk Management – Identification and Mitigation
• Baseline Configuration Violation Monitoring (Continuous Compliance / Monitoring)
• Network Topology Mapping and Visualization
• Vulnerability Assessment and Management

Network and Security Monitoring (Traditionally owned by the Networking
Team) > Integrate with Security Requirements
• Network Performance Monitor - SNMP
• Network Monitoring
• Link Utilization
• Availability Monitoring
• SLA reporting
• Integration with service desk for automated ticket creation

Security Analysis and Threat Intelligence
• Network Forensics (Raw Packet Capture > Session Reconstruction)
• Live Situational Awareness Intelligence Feeds
• Artifacts and Packet Reconstruction (Chain of Custody)
• Monitor all Internet Activity (Linked to Identity (username) as opposed to IPs)
• Record metadata for recursive analysis during incident response
• Integration with Incident Response Handling (IRH) and SIEM
• Threat Intelligence and Global Threat Actor Map

Vulnerability Management & Penetration Testing
• Vulnerability Assessment
• Penetration Testing
• Unified Communications Audit
• SCADA Security Evaluation Toolkit
• Mobile Network Security
• Endpoint IP Discovery and Network
Leakage Detection
• Availability Assessment
• Core Network Security

CSOC (before) ….. < The Silos >…
Technology Integration … the old practice
SIEM
Vulnerability
Assessment
Network
Monitoring

CSOC (after) …. Automation
Technology Integration … the new … WORKFLOW
SIEM 2.0Compliance and
Monitoring
NMS

• Attackers work 24x7. Does the SOC also need to work round
the clock?
• Finding the right staffing plan can be challenging and depends
on a number of considerations, including:
– Criticality of business
– Size of SOC staff
– Is the host facility open 24x7
– Size of the organization and its
normal business hours
– Etc…..
CSOC SHIFT GUIDELINES

Benefits:
• Availability – Anytime, Anywhere,
Anyhow
• 24x7 monitoring and proactive
intervention
• Service consistency & reliability
• Service excellence & innovation
• Market leadership
• Compliance with your security policy
24x7 Operations
Challenges:
• 24x7 SOCs must maintain a
minimum staff of two analysts at all
times
• Expensive as compared to 8x5
• Productivity of engineers working in
night shifts is affected
• Difficult to manage shift timings
• Health Concerns

Sample 24x7 SOC Shift Working Plan:
24x7 Operations….

Alternatives:
• Staff only certain portions of the SOC 24x7, such as Tier
1; leave other sections with “on-call” availability.
• Expand operations beyond 8x5 to 12x5 or 12x5 plus 8x2.
• ‘Follow the Sun’ approach.
24x7 Operations….

SOC Leads
SOC Escalation Procedure
SOC Roles & Internal Escalation

Cyber Security Operations Center
You can only monitor what you know 

• Environments
• Location
• Device Types
• System Types
• Security Zones
• Demarcation Points
• Ingress Perimeters
• Data Center
• Extranet
• WAN
….Know your infrastructure….
You can only monitor what you know 

Build an Asset Database and Integrate into SIEM
Following asset details can be adjusted with Asset Manager:
• Name
• Description
• Weight
• Operating System
• Business Owner
• Business Owner Contact Information
• Technical Owner
• Technical Owner Contact Information
• Location
• Risk and Vulnerability Information (CVEs)
Build an Asset Repository

• Knowledge on what are the service flows across your infrastructure
…
…. Service Flows (Published Services) ……
BUILD A SECURITY SERVICES CATALOG

• Understanding the service flows will allow you to VISUALIZE…
…. Service Flows (Internal Services) ……
Integration with Vulnerability Management

Build Policy Compliance: Firewalls

• Build contextual threat cases per environment;
– Extranet
– Internet
– Intranet
– Data Center
– Active Directory
– Malware / Virus Infection and Propagation
– NetFlow Analysis
– Remote Sites / WAN
– Remote Access – IPSEC VPN / SSL VPN
– Wireless
– etc…..
Develop Threat Cases

• To define threat cases per environment … not by system…. (silo)
• CONTEXTUAL
• SERVICE ORIENTATED
• USER CENTRIC
ID Threat Case Development
OS.WIN
Microsoft Windows Servers - Threat Case Development Documentation
Microsoft Active Directory - Threat Case Development Documentation
MSIIS
MSSQL
MSEXC
Microsoft Application - Threat Case Development Documentation
• IIS
• MSSQL
• Exchange
IBMAIX
LINUX
SOLARIS
UNIX/LINUX/SOLARIS/AIX – Threat Case Development Documentation
PRIVACC Advanced Threat Cases for Privileged User and Special Account Activity and Monitoring
N/A Baseline Security Settings on UNIX/LINUX/SOLARIS/AIX server
BUSINT Business Internet
EXTRNT Extranet
S2SVPN Site to Site VPN
DEVELOP THREAT CASES

ADVANCED THREAT CASES - ENVIRONMENT
• To define threat cases per environment …
…. Eventually …. Should …. Include …. All …. Environment …..
ID Threat Case Development
INTOFF International Offices – Global MPLS
SSLVPN Juniper SSL VPN
NATIONAL IPVPN –National MPLS IPVPN
WIRLESS Wireless Infrastructure
VOIPUC Voice over IP
VSAT VSAT – Satellite
DIGPKI PKI and X.509 Digital Certificates (systems threat case)
AAA AAA (systems threat case)
HIPS HIPS and Application Whitelisting
EXECACC Executive Account Monitoring
SAP SAP Router and SAP Privilege Activity Monitoring
COMPLIANCE Compliance and Best Practices Configuration
NAC Network Admission Control
IPS-AV IPS and AV Management Console
EMAIL Email Security – Business Internet Gateway
DAM Database Activity Monitoring (DAM)
SFT Secure File Transfer
• IMPORTANT – understand the environment and understand the threats related to
those environment…..

Important Note:
"OS.WIN.010.Offense: Multiple Logon for Single User from Different Locations" offense is
disabled pending application/system accounts names clarifications to be excluded from the rule's
logic.
Develop Threat Cases – Windows Servers

DTS Solution assists you to consider below aspects of controlling
staffing levels while sticking to the allocated budget:
1. What are the factors that Influence SOC Staffing Levels?
2. Whom do we hire?
3. How many people do we need?
4. How do we retain them?
Controlling SOC Staff According to Budget

DTS recognizes below elements of SOC that should be under one
command structure:
• Real-time monitoring and triage (Tier 1)
• Incident analysis, coordination, and response
(Tier 2 and above)
• Cyber intel collection and analysis
• Sensor tuning and management and SOC
infrastructure Operations & Maintenance
• SOC tool engineering and deployment
Bringing All Core SOC Functions Together Under 1 Roof

There are a number of IT and cybersecurity policies that enable
effective functioning of security operations that should be
implemented:
• User consent to monitoring
• Acceptable use policy
• Privacy and sensitive data handling policies
• Internally permitted ports and protocols
• Externally permitted ports and protocols
• Host naming conventions
• Other IT configuration and compliance policy
• Bring your own device and mobile policies
• Approved OSes, applications, and system images
• Authorized third-party scanning
• Audit policy
• Etc…..
Policies Authorizing SOC to do its Job

SOC Floor Conference Room
SOC Manager & Supervisor Cabins Computer Room
CSOC PHYSICAL INFRASTRUCTURE

CSOC Layout Design
CSOC Layout Design - Sample

DTS Solution provides following list of SOC documents which will
help in planning, building and operating the SOC:
• Information Security Incident Management Procedure
• Threat Management Standard Operating Procedure
• Major Incident Management Process
• Information Security Infrastructure Review Report
• Major Incident Report
• Security Infrastructure Recommended Solution
• Major Incident Management Process Flowchart
• Incident Management Process Flowchart
• List of SIEM Advance Threat Cases
• Procedure for the Handling of Virus and Denial of Service Attacks
• Security Hardening Guidelines for various Security Tools
SOC DOCUMENTS

*NIX AUTHENTICATION … FOLLOW THE PROCESS

Offense Management Naming Convention

Cyber SOC Wiki
CSOC-Wiki
https://SOC-wiki.intranet.xyz

CSOC-Wiki - Goals
Purpose of the WiKi
• Centralized Knowledge Repository for SOC
• Collaborate and Share Information with other Team Members
• Easy of use and searchable (Google Like)
• Integrations with other toolsets
Challenges within CSOC
• Current Issues with SIEM Processes, Documentations, Offence
Handling, Knowledge Sharing
• SIEM Integrations into SOC-Wiki
• SIEM Threat Cases

CSOC Wiki – SIEM Integration
CSOC - WiKi
Processes
Threat Cases
Workflows
Security
Maturity Level
4 to 5

1
2
Current Maturity Level
Target Maturity Level

SOC Wiki – SIEM Threat Cases
• Listed above is how Threat Cases are displayed in SOC-Wiki
• Threat Case Name, Severity, Status
• Information - Centralized, Detailed and Searchable
• Information updated by SIEM and SOC Teams

SOC Wiki – SIEM Threat Cases

Shah H Sheikh – Sr. Security Solutions Consultant
MEng CISSP CISA CISM CRISC CCSK
shah@dts-solution.com

DTS Solution - Building a SOC (Security Operations Center)

Recommended

More Related Content

What's hot (20)

Similar to DTS Solution - Building a SOC (Security Operations Center) (20)

More from Shah Sheikh (20)

Recently uploaded (20)

DTS Solution - Building a SOC (Security Operations Center)