Downloaded 2,243 times
Uploaded byAhmad Haghighi
An introduction to SOC (Security Operation Center)
The document discusses building a security operations center (SOC). It defines a SOC as a centralized unit that deals with security issues on an organizational and technical level. It monitors, assesses, and defends enterprise information systems. The document discusses whether to build an internal SOC or outsource it. It also covers SOC technologies, personnel requirements, and the five generations of SOCs. It provides resources for learning more about designing and maturing a SOC.
More Related Content
Similar to An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
- 1. Security Operations Center Presenter: AhmadHaghighi [email protected] September 2014
- 2. Foreword Introduction Build vs. Outsource 5G/SOC Personnel Q&A Table of Context
- 3.
- 6. "We were atthe point in the company where security was distributed over many teams -IT, the network guys, some dedicated network engineers, corporate security, and so on," "We didn't have a single view into our assets." Fischbach (Colt Telecom Services) Integrity Get visibility into your environment Centralized Management Modern & Complicated attack methods
- 7.
- 8. A security operationscenter (SOC) is a centralized unit in an organization that deals with security issues, on an organizational and technical level. An SOC within a building or facility is a central location from where staff supervises the site, using data processing technology. Typically, it is equipped for access monitoring, and controlling of lighting, alarms, and vehicle barriers. SOC An information security operations center (or "SOC") is a location where enterprise information systems are: monitored assessed, and defended. ISOC
- 9. Alternative names Security defensecenter (SDC) Security intelligence center security intelligence and operations center (SIOC) Cyber security center Threat defense center Infrastructure Protection Centre (IPC)
- 10. ServerIDS SAN Firewall IPS Access Control Data Base Antivirus DataCenter User Activity Applications Event management consoles Penetration testing tools Web Sites Vulnerability DetectionsUTM SOC SIEM Aggregate Correlate Web Server Honeypot Mail VPN Switch Router Web Cache • Alerts • Reports • Advisories OS logs
- 11.
- 12. SOC Technology People Process& Procedure Environment
- 14. Nick Bradley(senior operationsmanager for IBM): "Think worse-case scenario -what type of data would be accessed if you were breached, and would you have the resources to recover, or could you recover?“ "If the answer is terrifying and keeping you up at night, then the answer is yes, you need a security operations center." Expensive (Infrastructure, Personnel, Training, …) Current equipment is not enough? Do We need a SOC? TCO – TBO ROI Do we need a SOC?
- 15. Survey of SecureEnterprise readers (2005) 72 percent of respondents with fewer than 5,000 employees had no plans to build a SOC Among the 28 percent who have a SOC or plan to build one 53 percent will collocate in the NOC The rest plan to house the SOC in a separate location, either a building (25 percent) or a room (22 percent).
- 16. • Microsoft (3SOC) • IBM • Dell SecureWorks (7 SOC) • HP (ArcSight) ->BMW • Verizon • Symantec MSSP Challenges (Limitations) Some Providers: Advantages Build-in vs. Outsource Hybrid
- 17. • Firewalls • IDS/IPS •Data Loss Prevention • Behavior Based Detection • Anti-Spyware • Rogue Host Detection • Policy Auditor • Devise Control (USBs, etc.) • Asset Management • Baseline Monitoring (FDCC) • Application White listing • Patch Management • Remote Forensics • Etc. Possible Shopping Lists Hosts:
- 18. • Log Aggregationand SIM • Flow Monitoring • Full Packet Capture • Next Generation Firewalls – shift from blocking IPs and Ports to controlling applications • Web Application Firewall • Web Proxy • Content Monitoring (Network Based DLP) • New IDSs – Code Behavior/ Reputation • Continuous Vulnerability Scanning • Honeypot Possible Shopping Lists Network:
- 19. • SOC --provide Incident Response, Forensics Capabilities, Threat Monitoring, Intelligence Gathering • Continuous Monitoring • Better User Training and Awareness – First line of defense: Informed Users! • Contingency Planning • Red Team/Blue Team (inc. Third Party Penetration Testing & Web/Application Testing) • Encryption • 2 Factor Authentication • Identify, classify, and tag what you need to protect, what are your crown jewels, what will affect your organizational viability. • MORE FUNDING & RESOURCES!!! Possible Shopping Lists Other:
- 20.
- 21. 1st Generation SOC:1975-1995
- 22. 2nd Generation SOC:1996 2001
- 23. 3rd Generation SOC:2002 2005
- 24. 4th Generation SOC:2006 today
- 25. 5th Generation SOC:2013 ?
- 26. Security Operations MaturityModel (CMMI Based)
- 27.
- 28. People Skills • 724 •Forensics knowledge • Proficiency in coding, scripting and protocols • Managing threat intelligence • Breach management • Penetration testing • Data analysts • Minimum two years of experience in NID monitoring and incident response. • Familiarity with network security methodologies, tactics, techniques and procedures. • Experience with IPS/IDS, SIEMs and other CND security tools. • Ability to read and write Snort IDS signatures. • Experience reviewing and analyzing network packet captures. • Experience performing security/vulnerability reviews of network environments. • Possess a comprehensive understanding of the TCP/IP protocol, security architecture, and remote access security techniques/products. • Experience with enterprise anti-virus solutions, virus outbreak management, and the ability to differentiate virus activity from directed attack patterns.
- 29. People Skills • Workingknowledge of network architecture. • Strong research background, utilizing an analytical approach. • Candidate must be able to react quickly, decisively, and deliberately in high stress situations. • Strong verbal/written communication and interpersonal skills are required to document and communicate findings, escalate critical incidents, and interact with customers. • Highly motivated individual with the ability to self-start, prioritize, multi-task and work in a team setting. • Ability and willingness to work shifts ranging within 7:00 AM EST 11:00 PM EST.
- 30. Principle Duties andResponsibilities: • Monitor and analyze network traffic and IDS alerts. • Investigate intrusion attempts and perform in-depth analysis of exploits. • Provide network intrusion detection expertise to support timely and effective decision making of when to declare an incident. • Conduct proactive threat research. • Review security events that are populated in a Security Information and Event Management (SIEM) system. • Analyze a variety of network and host-based security appliance logs (Firewalls, NIDS, HIDS, Sys Logs, etc.) to determine the correct remediation actions and escalation paths for each incident. • Independently follow procedures to contain, analyze, and eradicate malicious activity. • Document all activities during an incident and providing leadership with status updates during the life cycle of the incident. • Create a final incident report detailing the events of the incident • Provide information regarding intrusion events, security incidents, and other threat indications and warning information to US government agencies! (NASA) • Assist with the development of processes and procedures to improve incident response times, analysis of incidents, and overall SOC functions.
- 33. Some Points: • SOCSecurity • Environment (Location, Temperature, Humidity, Ergonomics, Lighting) • Collect as much as you can, even if you don't have the capacity to analyze it in real time. Because if you store it, it may become useful to you later on • A network connection to the Internet separate from your corporate network. • Dedicated phone lines • A fax line • Documentation • A secure wireless network • Electrical Power (UPS) • Clear Responsibilities (Duties, Time shifting, …) • Easy of Use
- 34. Resources: • Building asuccessful SOC (HP whitepaper) • 5G/SOC: The NOW of security operations (HP whitepaper) • 5G/SOC: Inside the world’s most advanced SOCs (HP WP) • How mature is your SOC? (HP WP) • SECURITY OPERATION CENTER (Reply communication valley) • arming_your_security_operations_center_with_the_right_technology_and_ser vices (WIPRO.com) • Building Security Operation Center (HP presentation) • Building, Maturing & Rocking a Security Operations Center (Brandie Anderson) • intelligence-driven-security-ops-center (RSA Technical Brief) • Anatomy of a Security Operations Center (By John Wang, NASA SOC) • Best Practices for Building a Security Operations Center (Diana Kelley and Ron Moritz) • Creating an Effective Security Operations Function (RSA Whitepaper) • Wikipedia.com • Build Your Own Security Operations Center (Jay Milne) • Do You Need A Security Operations Center? (Robert Lemos) • Best Practices for SOC Design (David G Aggleton) • …
Editor's Notes
- #5 برای شروع گفتن اینکه سایز کار و سازمان ما مهم است
- #6 SIRT (Security Incident Response Team) IDS به تنهایی جواب نمی دهد مثلا نمیتواند APT ها را تشخیص دهد APT (advanced persistent threat)
- #9 Proactive & predictive
- #11 SEM … /sec SIM SAN=storage area net.
- #12 Botnet: در دست گرفتن کامپیوتر افراد جهت استفاده (جاسوسی، دی.ا.اس و تیلیغات) SQL Inj… information_schema
- #13 SIEM Policy Environmet: کجا باشه؟ تو دیتا سنتر؟ یه واحد یا ساختمان جدا؟ تو ان.او.سی
- #14 ESM=Enterprise Security Manager is a SIEM =Event Security Management HP ArcSight ESM is uniquely able to understand who is on the network, what data they are seeing, which actions they are taking with that data, and how that affects business risk
- #15 هزینه: مثلا esm اچ پی نیاز به 36 گیگ رم و 6*600 گیگ هارد نیاز دارد
- #18 FDCC= Federal Desktop Core Configuration استاندارد ملی لیستی از «تنظیمات امنیتی» برای سیستم هایی که مستقیما به شبکه وصل می شوند Forensics دانشگاه شریف
- #19 DLP=Data Loss Prevention
- #20 Contingency احتمالی=
- #25 مالکیت معنوی
- #26 Subtle=زیرکانه
- #27 Compliance=موافقت Subjectively=کیفی deficiencies-=نقص، فقدان Level5: برنامه هایی تعبیه شده اند تا نقصها و کمبود ها را به طور مستمرپیگیری کنند
- #29 Breach=رخنه، تجاوز NID= Network Interface Devices تجهیزات واسط شبکه CND= Computer Network Defense
- #31 آورن این مطلب کمک میکنه تا بفهمیم چه کار هایی نیازه انجام بشه remediation = تعمیر، تصحیح Assist=همکاری HIDS= Host IDS NIDS= Network IDS
- #32 پرسنل در چند سطح تقسیم می شوند
- #34 تمرکز در یک جا خود چالش های زیادی به دنبال دارد Ease of Use:بهترین راه امن کردن کشیدن کامپیوتر از برق است