Netpluz Managed SOC - MSS Service
Download as PPTX, PDF1 like682 views
The document discusses cybersecurity threats like ransomware, phishing, and data theft that can disrupt business operations and cause monetary or reputational losses. It then describes how a managed security services provider like SK infosec can monitor networks and systems 24/7, detect and respond to cyber threats through security analytics and a security operations center, and help organizations facing challenges with limited security resources. Case studies are provided showing how SK infosec's managed security services protected clients from a web-shell upload attack and C&C callback as part of an advanced persistent threat.
Ad
More Related Content
What's hot (20)
Similar to Netpluz Managed SOC - MSS Service (20)
Ad
More from Netpluz Asia Pte Ltd (20)
Ad
Recently uploaded (20)
Netpluz Managed SOC - MSS Service
- 3. How Cyber Attack/Threats Affect You? Business Disruption, Monetary and/or Reputation Losses Ransonware Disrupting your network and operations Data theft (From internal or external) Phishing (Social engineering) Commercial Espionage Loss of project, finance and other sensitive data Government Regulatory Requirement for Big Projects Cannot participate in government related projects Regulatory and legal liabilities Steal Company E-Resources Malicious crypto mining (Crypto jacking) Crypto hi-jacking Why are they doing this? Who are these people? What motivates them?
- 4. What is Managed Security Services (MSS)? Playback Situation Security Guard 24x7 Guarding / Monitoring the Premises Incoming & Outgoing Traffic Alert Owner When Threats Happens
- 5. Security Operation Center (SOC) Explained Security Operation Center Team Shifts Dedicated Facilities Prevent, Detect and Respond to Cyber Threats & Incident
- 6. SOC Alternative Managed Security Services Provider (MSSP) Outsourced Monitor & Management 24x7 Services Hire, Train & Retain Enhance Security Posture
- 7. Challenges That IT Team Is Facing 1. To Do More With Less (24x7 Security Monitoring) 2. Single Point Product Won’t Identify All Threats 3. SIEM Complexity 32% Average % of incidents detected by IDP / IPS technologies 35%Too many false positive responses
- 8. Why SK infosec MSS? TechnologyProcessPeople
- 9. Elite Threat Intelligence Arm1,000+ Cyber Security Experts Intelligence Community Procedures Tactics Techniques People
- 10. International standards Methodology • Service Methodology • Threat Detection & Response Task Flow • MSS Event monitoring Process • Escalation Matrix Quality & Service Management Rule Management: Monitor & manage detection rule for new vulnerabilities Process
- 11. Big Data Analytics Complex Event Processing Real time threat identification with automated correlation •100millionlogsperday •100,000 events perseconds •3TBperday •Automated ticketing &response •Multipledatasources •Inferevents /patterns A V Sandbox : File, URL Behavior Analyzer Web Crawler : URL Malicious Checker Security Information Gathering - Security RSS/Blog/Site/CVE/CVSS/SNS Google Dock Private Virustotal Exploit Checker Security Alliance OSINT Open Source Intelligence HUMINT Human Intelligence Threat Intelligence Network & Integration Technology
- 13. Case Study: Web-Shell Upload Attack IPS Event : “Detect Web-Shell Upload” Ticket : “Web-Shell Correlation event” CERT Analysis: “Deep Analysis” Response : Rename Delete Detect Ticket Analysis Response Agent Agent Internet IPS IPS F/W Agent Web-shell upload attack • On 2018-XX-XX, MSS Client web server affected by “Web Shell Up Load “ and alert is triggered by IPS However, since the customer have MSS Service… ...here’s what happened
- 14. Case Study: Web-Shell Upload Attack How did our team protect our client? 1. Events of this IPS nature is often consider “typical” web exploit event hence it is handle with normal priority 2. Our analysts PROACTIVELY suggest to our client to install Anti-Web-Shell agent on the web server 3. BIG DATA analysis to correlate session data from the IPS and Anti-Web-Shell agent 4. Our ANALYST found out that similar web shell event occur on the web server.
- 15. Case Study: Web-Shell Upload Attack OUTCOME • Client is comfortable with the detail information provide and work closely with the analysts on installation of anti web shell agent • Additional commentary, context and remediation advice was provided real-time via email Web Shell installation, hacker got authority to the system and this can lead to additional hacking damage such as information leakage. It is possible to prevent the spread of damage through the analysis accuracy of Managed Security Services and the proactive response.
- 16. Case Study: C&C Call Back Internet IPS IPS F/W APT ① Malware Infection ② C&C Call back APT Event : “C&C Call back” Ticket : “Call back +T.I Correlationn event” CERT Analysis : “T.I Analysis Deep Analysis” Forensic : Malware Analysis & Delete Detect Ticket Analysis Response • On 2018-XX-XX, MSS client PC was infected by malware called “Backdoor.Adwind” and an alert was generated by their APT solution. However, since the customer have MSS Service… ...here’s what happened
- 17. Case Study: C&C Call Back How did our team protect our client? 1. Events of APT nature is highly suspicious with high risk of data exfiltration 2. BIG DATA analysis on proximity of the occurrence to the SUSPECTED destination URL is harmful 3. VALIDATION against past occurrence in event history 4. Our analysts performed TRIAGE on the computer and found numerous incident traces and utility installation. 5. ADVISE the client to disconnect this computer from the network and block outgoing traffic to the malicious IP on the firewall 6. Perform REMEDIATION activities
- 18. Case Study: C&C Call Back OUTCOME • Quick detection and Proactive Alerting allows this incident to be remediated • Client is enabled with the detailed information to justify forensic on affected node. • Additional commentary, context and remediation advice was provided real-time via email C&C Call back is a secondary action in the APT cyber kill chain. It is hard to verify exact hacked system with simple detection and blocking only. It is possible to prevent the spread of damage through the analysis accuracy of Managed Security Services and the suitable response.
Editor's Notes
- #12: Event processing is a method of tracking and analyzing (processing) streams of information (data) about things that happen (events),[1] and deriving a conclusion from them. Complex event processing, or CEP, is event processing that combines data from multiple sources[2] to infer events or patterns that suggest more complicated circumstances. The goal of complex event processing is to identify meaningful events (such as opportunities or threats)[3] and respond to them as quickly as possible.
- #14: The generated event is often consider “typical” web exploit event hence it is handle with normal priority