Shah Sheikh, profile picture
Uploaded byShah Sheikh
17,347 views

Building a Cyber Security Operations Center for SCADA/ICS Environments

The document outlines the essential steps for building a SCADA Cyber Security Operations Center (SOC), emphasizing the integration of people, processes, and technology to enhance cybersecurity posture and incident response. Key objectives include managing cyber threats, monitoring incidents, ensuring compliance with regulations, and developing effective communication and reporting structures. The SOC framework is designed to proactively monitor security infrastructures, automate incident response, and incorporate risk management aligned with business needs.

Embed presentation

Downloaded 1,469 times
Building a SCADA Cyber Security Operations Center - PCN www.dts-solution.com Shah H Sheikh – Sr. Security Solutions Consultant MEng CISSP CISA CISM CRISC CCSK shah@dts-solution.com
Agenda – Building a Security Operations Center • Information Security in Depth – put into practice • Understand overall security architecture • Identify ingress points of attack vectors • Physical and Logical Security • Build a SOC around the above … and more importantly build it around; People, Process and Technology Security Operations Center
Cyber Security - Defense In Depth
• Cost Savings – Reduced down time and maintenance costs – Improved productivity – Enhanced business continuity • Simplified Regulatory and Standards Compliance – FERC / NERC CIP – ANSI/ISA-99 – IEC 62443 – NIST 800-82 • Enhanced Security and Safety – Improved safety for the plant, employees and community – Improved defense against malicious attacks Why is Cyber Security important?
Critical Infrastructure Operations – The Emerging Threat
ICS Security - Defense-in-Depth
External Network Control LAN Plant Network Office LAN Internet  Infected Laptops Infected Remote Support  Mis-Configured Firewalls  Unauthorized Connections  Modems   3rd Party Issues USB Drives  Pathways into the Plant Floor SIEM NMS Backup / Recovery
Corporate IT Automation Systems IT Not life threatening Safety first Availability important Non-interruption is critical Transactional orientation Real-time focus IBM, SAP, Oracle, ….. ABB, Emerson, GE, Honeywell, Siemens... People ~= Devices Few people; Many, many devices PCs and Servers Sensors, Controllers, Servers Web services model is dominant Polled automation control model MS Windows is dominant OS Vendor-embedded operating systems Many commercial software products installed on each PC Purpose-specific devices and application Protocol is primarily HTTP/HTTPS over TCP/IP -- widely known Many industrial protocols, some over TCP/IP – vendor and sector- specific Office environment, plus mobile Harsh operating plant environments Cross-industry IT jargon Industry sector-specific jargon Cross-industry regulations (mostly) Industry-specific regulations Automation Systems Security Really Unique?
Current Challenges
Current Challenges
The current SOC landscape…
Outsourced or In-house ?!? … VS …
Why build a SOC?
Key Objectives for SOC … (1) • Manages and Coordinates the response to Cyber Threats and Incidents • Monitors the Cyber Security posture and reports deficiencies • Coordinates with regulatory bodies • Performs Threat and Vulnerability Analysis • Performs Analysis of Cyber Security Events • Maintains an Internal Database of Cyber Security Incidents • Provide Alerts and Notifications to General and Specific Threats • Provide regular reporting to Management and Cyber Incident Responders
Key Objectives for SOC … (2) • Reduce the response time of security incident from initial findings, to reporting to containment • Recovery Time Objective (RTO) in case of security incident materializing • Proactive Security Monitoring based on predefined security metrics / KPI • Raise Awareness of Information Security across community of leaders and sub-ordinates • Ability to correlate system, application, network, server, security logs in a consistent way
Key Objectives for SOC … (3) • Ability to automate the requirement to meet compliance – vulnerability assessment and risk management • Ensure change control function is integrated into the SOC process • Identification for all security attack vectors and classification of incidents • Define disaster recovery plans for ICE (in-case of emergency). • Build a comprehensive reporting dashboard that is aligned to security metrics • Build a local in-house SIRT (security incident response team) that collaborates with national CERT
Key Objectives for SOC … (4) • To build SOC processes that are aligned to existing ISO27001 security policies • Build a physical and virtual team of SOC personnel for 24 x 7 monitoring • Build forensics capabilities to be able to reconstruct series of events during an incident • Proactive monitoring of network and security infrastructure devices
Components of a SOC • To build the SOC with simple acceptance and execution model • Maximize the use of technology. • To build security intelligence and visibility that was previously unknown; build effective coordination and response unit and to introduce automation of security process. • Develop SOC processes that are inline to industry best practices and accepted standards – ISO27001:2013, PCI-DSS3.0 SECURITY INCIDENT MANAGEMENT · PRE AND POST INCIDENT ANALYSIS · FORENSICS ANALYSIS · ROOT CAUSE ANALYSIS · INCIDENT HANDLING · aeCERT INTEGRATION · REPORTING · EXECUTIVE SUMMARY · AUDIT AND ASSESSMENT · SECURITY METRIC REPORTING · KPI COMPLIANCE · SLA REPORTING · REAL-TIME MONITORING · DATA AGGREGATION · DATA CORRELATION · AGGREGATE LOGS · CORDINATE RESPONSE · AUTOMATED REMEDIATION
Key Success Factors in a SOC The Goal – Keep Things Simple 
SOC – Core Components Core Components for a SOC 2.0 • OSS – Operational Support System • SIEM – Security Information and Event Management • Proactive Monitoring - Network and Security and Server Infrastructure • Alert and Notification – Security Incident Reporting • Events Correlation and Heuristics / Behavioural / Anomaly
SOC – Core Components Core Components for a SOC 2.0 • Information and Network Security $$ Automation $$ • To natively build-in compliance and audit functions • To manage change control process through integrated ITILv3 CM and SD • Configuration Management of Infrastructure Components
SOC – Core Components Core Components for a SOC 2.0 • Alignment of Risk Management with Business Needs • Qualified Risk Ranking • Risks are ranked based on business impact (BIA) • Risk framework is built into the SIEM solution; • incident = risk severity = appropriate remediation and isolation action • SOC is integrated with Vulnerability and Patch Management
SOC – Core Components Core Components for a SOC 2.0 • IRH – Incident Response Handling • How effective the SOC is measured by how incidents are managed, handled, administered, remediated and isolated. • Continuous cyclic feedback mechanism drives IRH • Critical functions include Network Forensics and Surveillance Tech.. • Reconstruct the incident …. Evidence gathering … Effective Investigation • Escalation Management – know who to communicate during an incident
SOC – Core Components Proposed Architecture for the SOC Perimeter and Boundary Points Network Nodes Internet DMZ / Published Services IPS WWW SSL VPN Applications Active DirectoryDB Middleware SMTP Internal Resources MAINFRAME Servers WAF FW (HTTP, SNMP, SMTP, SYSLOG, API, XML, CUSTOM FILE, LOGFILE DATA ACQUISITION LAYER – SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) EVENT CORRELATION LAYER · Event Correlation Engine · Analysis and Filtering · Event Management · Integration with NMS Systems · Trouble Ticket Integration · Flow Analysis SECURITY VULNERABILITY · Common Vulnerability Exploits CVE · Risk Ranking · Configuration Audit · Security Metric Dashboard DATA COLLABORATION · Policy Management · Asset Repository · Problem Incident Management · Security Incident Reporting · Change Control · Security Automation Security Management, Systems Management, Network Management, Reporting, KPI, SLA, Benchmark, Compliance Management REPORTING AND MANAGEMENT LAYER
SOC – Core Components Integration of Core SOC Components
SOC Technologies … So now the technologies … SIEM Solutions • Event Collector – Syslog, Log Files, Application Log Export • Flow Collection – NetFlow, J-Flow, S-Flow, IPIX • Asset Database • Event and Flow Correlation • Centralized Management Console for Security Dashboard and Reporting • Integration with service desk for automated ticket creation Compliance Management and Policy Conformance • Configuration Audit • ISO27001 / PCI-DSS3.0 Policy Compliance • Risk Management • Baseline Configuration Violation Monitoring • Network Topology Mapping and Visualization • Vulnerability Assessment
SOC Technologies … So now the technology … Network and Security Monitoring • Network Performance Monitor - SNMP • Network Monitoring • Link Utilization • Availability Monitoring • SLA reporting • Integration with service desk for automated ticket creation Security Intelligence • Network Forensics • Situation Awareness • Artifacts and Packet Reconstruction • Monitor all Internet Activity • Record metadata for recursive analysis during incident response • Integration with Incident Response Handling (IRH)
SOC (before) ….. < The Silos >… Technology Integration … the old practice SIEM Vulnerability Assessment Network Monitoring
SOC (after) …. Automation Technology Integration … the new … WORKFLOW SIEM 2.0Compliance and Monitoring NMS
SOC – Processes …. Look familiar… Creating the SOC Processes … now that we have discussed technology, lets discuss processes … DATA SECURITY AND MONITORING • Data Asset Classification • Data Collection • Data Normalization • Data at Rest and In Motion • Data Protection • Data Distribution
SOC – Processes Creating the SOC Processes … now that we have discussed technology, lets discuss processes … EVENT MANAGEMENT • Event Correlation • Identification • Triage • Roles • Containment • Notification • Ticketing • Recovery • Forensics and Situational Awareness
SOC – Processes Creating the SOC Processes … now that we have discussed technology, lets discuss processes … INCIDENT RESPONSE PRACTICE • Security Incident Reporting Structure • Security Incident Monitoring • Security Incident Escalation Procedure • Forensics and Root Cause Analysis • Return to Normal Operations • Post-Incident Planning and Monitoring • Communication Guidelines • SIRT Integration
SOC – Processes Creating the SOC Processes … now that we have discussed technology, lets discuss processes … SOC OPERATING GUIDELINES • SOC Workflow • Personnel Shift Description • Shift Reporting • Shift Change • Information Acquisition • SOC Monitoring Suite • SOC Reporting Structure • Organizational Chart
SOC – Processes Creating the SOC Processes … now that we have discussed technology, lets discuss processes … ESCALATION MANAGEMENT • Escalation Procedure • Pre-Escalation Tasks • IT Security • Network Operation Center • Security Engineering • SIRT Integration • Law Enforcement • 3rd Party Service Providers and Vendors
SOC – Processes Creating the SOC Processes … now that we have discussed technology, lets discuss processes … DATA RECOVERY PROCEDURES • Disaster Recovery and BCP Procedure • Recovery Time Objective • Recovery Point Objective • Resiliency and High Availability • Facilities Outage Procedure
SOC – Processes SECURITY INCIDENT PROCEDURES • Email Phishing - Email Security Incident • Virus and Worm Infection • Anti-Virus Management Incident • NetFlow Abnormal Behavior Incident • Network Behaviour Analysis Incident • Distributed Denial of Service Incident • Host Compromise - Web Application Security Incident • Network Compromise • Internet Misuse • Human Resource - Hiring and Termination • Domain Hijack or DNS Cache Poisoning • Suspicious User Activity • Unauthorized User Access (Employee)
SOC – Processes VULNERABILITY AND PATCH MANAGEMENT • Vulnerability Research • Patch Management - Microsoft SCOM • Identification • Dissemination • Compliance Monitoring • Network Configuration Baseline • Anti-Virus Signature Management • Microsoft Updates Creating the SOC Processes … now that we have discussed technology, lets discuss processes …
SOC – Processes TOOLS OPERATING MANUAL FOR SOC PERSONNEL • Operating Procedure for SIEM Solutions – Event Management and Flow Collector/Processor • Firewall Security Logs • IDS/IPS Security Logs • DMZ Jump Server / SSL VPN logs • Endpoint Security logs (AV, DLP, HIPS) • User Activity / Login Logs • Operating Procedure for Policy and Configuration Compliance • Operating Procedure for Network Monitoring Systems • Operating Procedure for Vulnerability Assessment Creating the SOC Processes … now that we have discussed technology, lets discuss processes …
SOC – Processes SECURITY ALARMS AND ALERT CLASSIFICATION • Critical Alarms and Alerts with Action Definition Non-Critical and Information Alarms Alarm reporting and SLA to resolve the alarms Creating the SOC Processes … now that we have discussed technology, lets discuss processes …
SOC – Processes SECURITY METRIC AND DASHBOARD – EXECUTIVE SUMMARY • Definition of Security Metrics based on Center of Internet Security standards • Security KPI reporting definition • Security Balanced Scorecard and Executive Reporting Creating the SOC Processes … now that we have discussed technology, lets discuss processes …
• Environments • Location • Device Types • System Types • Security Zones • Demarcation Points • Ingress Perimeters • Data Center • Extranet • WAN ….Know your infrastructure…. You can only monitor what you know 
….Know your infrastructure….
Industrial Control Systems Security
SCADA Network… What is the problem?
SCADA Network… Isolation and Zoning
SCADA Network… Secured Zones
Defense in Depth Strategy
• Knowledge on how service flow across your infrastructure…. BUILD A SECURITY SERVICES CATALOG …. Service Flows ……
• Understanding the service flows will allow you to VISUALIZE… ….. HEAT MAP ….. …. Service Flows ……
Build an Asset Database and Integrated into SIEM; Following asset details can be adjusted with Asset Manager: • Name • Description • Weight • Operating System • Business Owner • Business Owner Contact Information • Technical Owner • Technical Owner Contact Information • Location Build an Asset Repository
SCADA / ICS – ASSET REPOSITORY
Now that we have the processes, technology and people what next….. • Build contextual threat cases per environment; – Extranet – Internet – Intranet – Data Center – Active Directory – Malware / Virus Infection and Propagation – NetFlow Analysis – Remote Sites / WAN – Remote Access – IPSEC VPN / SSL VPN – Wireless – etc….. Develop Threat Cases
Sample: Firewall GAP Analysis Report
Sample: Firewall GAP Analysis Report
Sample: Firewall GAP Analysis Report
ADVANCED THREAT CASES - ENVIRONMENT • To define threat cases per environment … not by system…. (silo) • CONTEXTUAL • SERVICE ORIENTATED • USER CENTRIC ID Threat Case Development OS.WIN Microsoft Windows Servers - Threat Case Development Documentation Microsoft Active Directory - Threat Case Development Documentation MSIIS MSSQL MSEXC Microsoft Application - Threat Case Development Documentation • IIS • MSSQL • Exchange IBMAIX LINUX SOLARIS UNIX/LINUX/SOLARIS/AIX – Threat Case Development Documentation PRIVACC Advanced Threat Cases for Privileged User and Special Account Activity and Monitoring N/A Baseline Security Settings on UNIX/LINUX/SOLARIS/AIX server BUSINT Business Internet EXTRNT Extranet S2SVPN Site to Site VPN
ADVANCED THREAT CASES - ENVIRONMENT • To define threat cases per environment … …. Eventually …. Should …. Include …. All …. Environment ….. ID Threat Case Development INTOFF International Offices – Global MPLS SSLVPN Juniper SSL VPN NATIONAL IPVPN –National MPLS IPVPN WIRLESS Wireless Infrastructure VOIPUC Voice over IP VSAT VSAT – Satellite DIGPKI PKI and X.509 Digital Certificates (systems threat case) AAA AAA (systems threat case) HIPS HIPS (system threat case and ePO integration) EXECACC Executive Account Monitoring SAP SAP Router and SAP Privilege Activity Monitoring COMPLIANCE Compliance and Best Practices Configuration NAC Network Admission Control –
ADVANCED THREAT CASES - ENVIRONMENT • To define threat cases per environment … …. Eventually …. Should …. Include …. All …. Environment ….. ID Threat Case Development IPS-AV IPS and AV Management Console EMAIL Email Security – Business Internet Gateway DAM Database Activity Monitoring (DAM) SFT Secure File Transfer • IMPORTANT – understand the environment and understand the threats related to those environment…..
Develop Threat Cases – RHEL
Develop Threat Cases – RHEL
Important Note: "OS.WIN.010.Offense: Multiple Logon for Single User from Different Locations" offense is disabled pending application/system accounts names clarifications to be excluded from the rule's logic. Develop Threat Cases – Windows Servers
*NIX AUTHENTICATION … FOLLOW THE PROCESS
Sample SCADA/ICS Dashboard
Sample SCADA/ICS Dashboard
Sample SCADA/ICS Dashboard SUSPICIOUS
Offense Management Naming Convention
Offense Management Workflow
SOC Wiki SOC-Wiki https://SOC-wiki.intranet.com
SOC-Wiki - Goals • Centralized Knowledge Repository for SOC • Collaborate and Share Information with other Team Members • Easy of use and Searchable • Integrations with other Toolsets
SOC Wiki – SIEM Integration • Current Issues with SIEM Processes, Documentations, Offence Handling, Knowledge Sharing • SIEM Integrations into SOC-Wiki • SIEM Threat Cases
SOC Wiki – SIEM Threat Cases • Listed above is how Threat Cases are displayed in SOC-Wiki • Threat Case Name, Severity, Status • Information - Centralized, Detailed and Searchable • Information updated by SIEM and SOC Teams
SOC Wiki – SIEM Threat Cases • Example:
Security Assurance Level • Security Assurance Levels (SALs) in Critical Infrastructure • Functional Requirements • Security Levels • Based on 7 x Functional Requirements • a) Access control (AC) • b) Use control (UC) • c) Data integrity (DI) • d) Data confidentiality (DC) • e) Restrict data flow (RDF) • f) Timely response to an event (TRE) • g) Resource availability (RA)
Security Assurance Level • Security Assurance Levels (SALs) in Critical Infrastructure • Functional Requirements • Security Levels • Based on 4 x Security Levels
Security Assurance Level
Security Assurance Level Achieved SL vs. Target SL 0 1 2 3 4 Access control (AC) Use control (UC) Data integrity (DI) Data confidentiality (DC) Restrict data flow (RDF) Timely response to an event (TRE) Resource availability (RA) Achieved Security Level Target Security Level
Shah H Sheikh – Sr. Security Solutions Consultant MEng CISSP CISA CISM CRISC CCSK shah@dts-solution.com

More Related Content

PDF
DTS Solution - Building a SOC (Security Operations Center)
byShah Sheikh
 
PDF
Rothke secure360 building a security operations center (soc)
byBen Rothke
 
PPTX
Soc
byMukesh Chaudhari
 
PDF
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
byIBM Security
 
PPTX
Rothke rsa 2012 building a security operations center (soc)
byBen Rothke
 
PDF
Governance of security operation centers
byBrencil Kaimba
 
PDF
SOC Architecture - Building the NextGen SOC
byPriyanka Aash
 
PDF
Strategy considerations for building a security operations center
byCMR WORLD TECH
 
DTS Solution - Building a SOC (Security Operations Center)
byShah Sheikh
 
Rothke secure360 building a security operations center (soc)
byBen Rothke
 
Soc
byMukesh Chaudhari
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
byIBM Security
 
Rothke rsa 2012 building a security operations center (soc)
byBen Rothke
 
Governance of security operation centers
byBrencil Kaimba
 
SOC Architecture - Building the NextGen SOC
byPriyanka Aash
 
Strategy considerations for building a security operations center
byCMR WORLD TECH
 

What's hot

PPTX
SOC Architecture Workshop - Part 1
byPriyanka Aash
 
PPTX
An introduction to SOC (Security Operation Center)
byAhmad Haghighi
 
PDF
From SIEM to SOC: Crossing the Cybersecurity Chasm
byPriyanka Aash
 
PPTX
SOC and SIEM.pptx
bySandeshUprety4
 
PPSX
Next-Gen security operation center
byMuhammad Sahputra
 
PPTX
Security operation center (SOC)
byAhmed Ayman
 
PPT
SOC presentation- Building a Security Operations Center
byMichael Nickle
 
PDF
Building Security Operation Center
byS.E. CTS CERT-GOV-MD
 
PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
PDF
Building A Security Operations Center
bySiemplify
 
PDF
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
byVijilan IT Security solutions
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PDF
Building a Next-Generation Security Operations Center (SOC)
bySqrrl
 
PPTX
Security Operation Center - Design & Build
bySameer Paradia
 
PDF
What is SIEM? A Brilliant Guide to the Basics
bySagar Joshi
 
PPTX
WHY SOC Services needed?
bymanoharparakh
 
PPTX
Security Operations Center (SOC) Essentials for the SME
byAlienVault
 
PPTX
Effective Security Operation Center - present by Reza Adineh
byReZa AdineH
 
PDF
Building an effective Information Security Roadmap
byElliott Franklin
 
SOC Architecture Workshop - Part 1
byPriyanka Aash
 
An introduction to SOC (Security Operation Center)
byAhmad Haghighi
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
byPriyanka Aash
 
SOC and SIEM.pptx
bySandeshUprety4
 
Next-Gen security operation center
byMuhammad Sahputra
 
Security operation center (SOC)
byAhmed Ayman
 
SOC presentation- Building a Security Operations Center
byMichael Nickle
 
Building Security Operation Center
byS.E. CTS CERT-GOV-MD
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
Building A Security Operations Center
bySiemplify
 
5 BEST PRACTICES FOR A SECURITY OPERATION CENTER (SOC)
byVijilan IT Security solutions
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Building a Next-Generation Security Operations Center (SOC)
bySqrrl
 
Security Operation Center - Design & Build
bySameer Paradia
 
What is SIEM? A Brilliant Guide to the Basics
bySagar Joshi
 
WHY SOC Services needed?
bymanoharparakh
 
Security Operations Center (SOC) Essentials for the SME
byAlienVault
 
Effective Security Operation Center - present by Reza Adineh
byReZa AdineH
 
Building an effective Information Security Roadmap
byElliott Franklin
 

Similar to Building a Cyber Security Operations Center for SCADA/ICS Environments

PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
PPTX
Introduction-to-Security-Operations-Center (SOC)
bysumank281995
 
PPTX
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptx
byVikas Singh Yadav
 
PDF
Aujas incident management webinar deck 08162016
byKarl Kispert
 
PPTX
Shah Sheik Building a CSoC v1.2 DEFCAMP.pptx
bymohamadchiri
 
PDF
Security Operations Center scenario Interview based Questions
bypriyanshamadhwal2
 
PPTX
Fundamentals of SOCs and CERTS for decision makers
byfarhad712
 
PPTX
Security Operation Center Presentat.pptx
byImranKhan441149
 
PPTX
A SOC: Building Blocks of Digital Defense
bywininlifeacademy5
 
PPTX
LIBRARY RESEARCH PROJECT, SECURITY OPERATION CENTER.pptx
bySonuSingh81247
 
PPT
Ca world 2007 SOC integration
byMichael Nickle
 
PDF
31779261-NOC-and-SOC.pdf
byssusera5b321
 
PDF
security operations center by Manage Engigne
byhackeronehero
 
PDF
The Complete Security Operations Center Guide for 2023
bySkillmine Technology Pvt Ltd
 
PDF
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
byInfosecTrain Education
 
PDF
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
byinfosecTrain
 
PDF
Security Operations Center (SOC) by aadit technologies
bysumank281995
 
PDF
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
byinfosecTrain
 
PPTX
Communicating SOC Status
byAdam Alhafid
 
PPTX
Prezentare_ANSSI.pptx gfdsry crsru drdrsy
byAzim191210
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
byReZa AdineH
 
Introduction-to-Security-Operations-Center (SOC)
bysumank281995
 
Security Operations Cloud vs On Prem ISC2 Bangalore SlideShare.pptx
byVikas Singh Yadav
 
Aujas incident management webinar deck 08162016
byKarl Kispert
 
Shah Sheik Building a CSoC v1.2 DEFCAMP.pptx
bymohamadchiri
 
Security Operations Center scenario Interview based Questions
bypriyanshamadhwal2
 
Fundamentals of SOCs and CERTS for decision makers
byfarhad712
 
Security Operation Center Presentat.pptx
byImranKhan441149
 
A SOC: Building Blocks of Digital Defense
bywininlifeacademy5
 
LIBRARY RESEARCH PROJECT, SECURITY OPERATION CENTER.pptx
bySonuSingh81247
 
Ca world 2007 SOC integration
byMichael Nickle
 
31779261-NOC-and-SOC.pdf
byssusera5b321
 
security operations center by Manage Engigne
byhackeronehero
 
The Complete Security Operations Center Guide for 2023
bySkillmine Technology Pvt Ltd
 
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER.pdf
byInfosecTrain Education
 
Unlock Your Future in Cybersecurity with the ULTIMATE SOC CAREER GUIDE FOR BE...
byinfosecTrain
 
Security Operations Center (SOC) by aadit technologies
bysumank281995
 
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
byinfosecTrain
 
Communicating SOC Status
byAdam Alhafid
 
Prezentare_ANSSI.pptx gfdsry crsru drdrsy
byAzim191210
 

More from Shah Sheikh

PDF
DTS Solution - Cyber Security Services Portfolio
byShah Sheikh
 
PDF
DTS Solution - Company Presentation
byShah Sheikh
 
PDF
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
byShah Sheikh
 
PDF
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
byShah Sheikh
 
PDF
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
byShah Sheikh
 
PDF
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
byShah Sheikh
 
PDF
DTS Solution - Hacking ATM Machines - The Italian Job Way
byShah Sheikh
 
PDF
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
byShah Sheikh
 
PDF
DTS Solution - Company Presentation
byShah Sheikh
 
PDF
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
byShah Sheikh
 
PDF
DTS Solution - Penetration Testing Services v1.0
byShah Sheikh
 
PDF
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi
byShah Sheikh
 
PDF
DTS Solution - Wireless Security Protocols / PenTesting
byShah Sheikh
 
PDF
DefCamp - Mohamed Bedewi - Building a Weaponized Honeypot
byShah Sheikh
 
PDF
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
byShah Sheikh
 
PDF
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
byShah Sheikh
 
PDF
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
byShah Sheikh
 
PPTX
DTS Solution - Outsourcing Outlook Dubai 2015
byShah Sheikh
 
PDF
DTS Solution - Red Team - Penetration Testing
byShah Sheikh
 
PDF
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
byShah Sheikh
 
DTS Solution - Cyber Security Services Portfolio
byShah Sheikh
 
DTS Solution - Company Presentation
byShah Sheikh
 
Cyber Security 101 - Back to Basics (HP Secure Print Event 2018)
byShah Sheikh
 
DTS Solution - ISACA UAE Chapter - ISAFE 2014 - RU PWNED - Living a Life as a...
byShah Sheikh
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
byShah Sheikh
 
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
byShah Sheikh
 
DTS Solution - Hacking ATM Machines - The Italian Job Way
byShah Sheikh
 
ISACA 2019 Amman Chapter - Shah Sheikh - Cyber Resilience
byShah Sheikh
 
DTS Solution - Company Presentation
byShah Sheikh
 
Shah Sheikh / ISACA UAE - Deep Dive on Evasive Malware
byShah Sheikh
 
DTS Solution - Penetration Testing Services v1.0
byShah Sheikh
 
BalCcon 2015 - DTS Solution - Attacking the Unknown by Mohamed Bedewi
byShah Sheikh
 
DTS Solution - Wireless Security Protocols / PenTesting
byShah Sheikh
 
DefCamp - Mohamed Bedewi - Building a Weaponized Honeypot
byShah Sheikh
 
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
byShah Sheikh
 
National Oil Company Conference 2014 - Evolving Cyber Security - A Wake Up Ca...
byShah Sheikh
 
ISACA Journal Publication - Does your Cloud have a Secure Lining? Shah Sheikh
byShah Sheikh
 
DTS Solution - Outsourcing Outlook Dubai 2015
byShah Sheikh
 
DTS Solution - Red Team - Penetration Testing
byShah Sheikh
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
byShah Sheikh
 

Recently uploaded

PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PPTX
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PPTX
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
PDF
MathML Core in WebKit
byIgalia
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
MathML Core in WebKit
byIgalia
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
In this document
Powered by AI

Overview of the presentation and speaker's credentials.

Topics on information security architecture, security rounds including people, process, and technology.

Introduction to Defense in Depth strategy for Cyber Security.

Discusses cost savings, compliance, and enhanced safety due to Cyber Security.

Highlights the risks associated with critical infrastructure operations.

Further discussion on defense-in-depth strategies applied to ICS security.

Identification of various attack vectors affecting control networks.

Comparative analysis of corporate IT and ICS environments highlighting unique challenges.

Details on existing SOC landscape and challenges faced.

Discussion on in-house versus outsourced SOC models and the rationale for building a SOC.

Primary responsibilities and objectives of a Security Operations Center.

Focus on incident response times and proactive monitoring.

Compliance automation, incident classification, and disaster recovery planning.

Processes aligned with ISO27001 standards and building SOC teams.

Essential elements needed to establish a functional SOC model.

Simple design principles for effective SOC operation.

Overview of operational support systems, threat analysis, and incident response strategies.

Details on the proposed architecture and components essential for SOC.

Technologies required for SIEM solutions and network monitoring in SOC.

Detailed processes for data security, event management, incident response, and recovery.

Emphasis on understanding infrastructure for effective monitoring.

Overview of SCADA network challenges and strategies for isolation and zoning.

Creating an asset repository integrated into SIEM.

Procedure for developing contextual threat cases across different environments.

Workflow and naming conventions for managing security offenses in SOC.Establishing SOC Wiki for team collaboration and threat case management.

Assessment and documentation of security assurance levels and functional requirements.

Graphic representation of achieved vs target security levels.

Speaker's credentials and contact details.

Building a Cyber Security Operations Center for SCADA/ICS Environments

  • 1.
    Building a SCADACyber Security Operations Center - PCN www.dts-solution.com Shah H Sheikh – Sr. Security Solutions Consultant MEng CISSP CISA CISM CRISC CCSK [email protected]
  • 2.
    Agenda – Buildinga Security Operations Center • Information Security in Depth – put into practice • Understand overall security architecture • Identify ingress points of attack vectors • Physical and Logical Security • Build a SOC around the above … and more importantly build it around; People, Process and Technology Security Operations Center
  • 3.
    Cyber Security -Defense In Depth
  • 4.
    • Cost Savings –Reduced down time and maintenance costs – Improved productivity – Enhanced business continuity • Simplified Regulatory and Standards Compliance – FERC / NERC CIP – ANSI/ISA-99 – IEC 62443 – NIST 800-82 • Enhanced Security and Safety – Improved safety for the plant, employees and community – Improved defense against malicious attacks Why is Cyber Security important?
  • 5.
    Critical Infrastructure Operations– The Emerging Threat
  • 6.
    ICS Security -Defense-in-Depth
  • 7.
    External Network Control LAN PlantNetwork Office LAN Internet  Infected Laptops Infected Remote Support  Mis-Configured Firewalls  Unauthorized Connections  Modems   3rd Party Issues USB Drives  Pathways into the Plant Floor SIEM NMS Backup / Recovery
  • 8.
    Corporate IT AutomationSystems IT Not life threatening Safety first Availability important Non-interruption is critical Transactional orientation Real-time focus IBM, SAP, Oracle, ….. ABB, Emerson, GE, Honeywell, Siemens... People ~= Devices Few people; Many, many devices PCs and Servers Sensors, Controllers, Servers Web services model is dominant Polled automation control model MS Windows is dominant OS Vendor-embedded operating systems Many commercial software products installed on each PC Purpose-specific devices and application Protocol is primarily HTTP/HTTPS over TCP/IP -- widely known Many industrial protocols, some over TCP/IP – vendor and sector- specific Office environment, plus mobile Harsh operating plant environments Cross-industry IT jargon Industry sector-specific jargon Cross-industry regulations (mostly) Industry-specific regulations Automation Systems Security Really Unique?
  • 10.
  • 11.
  • 12.
    The current SOClandscape…
  • 13.
    Outsourced or In-house?!? … VS …
  • 14.
  • 15.
    Key Objectives forSOC … (1) • Manages and Coordinates the response to Cyber Threats and Incidents • Monitors the Cyber Security posture and reports deficiencies • Coordinates with regulatory bodies • Performs Threat and Vulnerability Analysis • Performs Analysis of Cyber Security Events • Maintains an Internal Database of Cyber Security Incidents • Provide Alerts and Notifications to General and Specific Threats • Provide regular reporting to Management and Cyber Incident Responders
  • 16.
    Key Objectives forSOC … (2) • Reduce the response time of security incident from initial findings, to reporting to containment • Recovery Time Objective (RTO) in case of security incident materializing • Proactive Security Monitoring based on predefined security metrics / KPI • Raise Awareness of Information Security across community of leaders and sub-ordinates • Ability to correlate system, application, network, server, security logs in a consistent way
  • 17.
    Key Objectives forSOC … (3) • Ability to automate the requirement to meet compliance – vulnerability assessment and risk management • Ensure change control function is integrated into the SOC process • Identification for all security attack vectors and classification of incidents • Define disaster recovery plans for ICE (in-case of emergency). • Build a comprehensive reporting dashboard that is aligned to security metrics • Build a local in-house SIRT (security incident response team) that collaborates with national CERT
  • 18.
    Key Objectives forSOC … (4) • To build SOC processes that are aligned to existing ISO27001 security policies • Build a physical and virtual team of SOC personnel for 24 x 7 monitoring • Build forensics capabilities to be able to reconstruct series of events during an incident • Proactive monitoring of network and security infrastructure devices
  • 19.
    Components of aSOC • To build the SOC with simple acceptance and execution model • Maximize the use of technology. • To build security intelligence and visibility that was previously unknown; build effective coordination and response unit and to introduce automation of security process. • Develop SOC processes that are inline to industry best practices and accepted standards – ISO27001:2013, PCI-DSS3.0 SECURITY INCIDENT MANAGEMENT · PRE AND POST INCIDENT ANALYSIS · FORENSICS ANALYSIS · ROOT CAUSE ANALYSIS · INCIDENT HANDLING · aeCERT INTEGRATION · REPORTING · EXECUTIVE SUMMARY · AUDIT AND ASSESSMENT · SECURITY METRIC REPORTING · KPI COMPLIANCE · SLA REPORTING · REAL-TIME MONITORING · DATA AGGREGATION · DATA CORRELATION · AGGREGATE LOGS · CORDINATE RESPONSE · AUTOMATED REMEDIATION
  • 20.
    Key Success Factorsin a SOC The Goal – Keep Things Simple 
  • 21.
    SOC – CoreComponents Core Components for a SOC 2.0 • OSS – Operational Support System • SIEM – Security Information and Event Management • Proactive Monitoring - Network and Security and Server Infrastructure • Alert and Notification – Security Incident Reporting • Events Correlation and Heuristics / Behavioural / Anomaly
  • 22.
    SOC – CoreComponents Core Components for a SOC 2.0 • Information and Network Security $$ Automation $$ • To natively build-in compliance and audit functions • To manage change control process through integrated ITILv3 CM and SD • Configuration Management of Infrastructure Components
  • 23.
    SOC – CoreComponents Core Components for a SOC 2.0 • Alignment of Risk Management with Business Needs • Qualified Risk Ranking • Risks are ranked based on business impact (BIA) • Risk framework is built into the SIEM solution; • incident = risk severity = appropriate remediation and isolation action • SOC is integrated with Vulnerability and Patch Management
  • 24.
    SOC – CoreComponents Core Components for a SOC 2.0 • IRH – Incident Response Handling • How effective the SOC is measured by how incidents are managed, handled, administered, remediated and isolated. • Continuous cyclic feedback mechanism drives IRH • Critical functions include Network Forensics and Surveillance Tech.. • Reconstruct the incident …. Evidence gathering … Effective Investigation • Escalation Management – know who to communicate during an incident
  • 25.
    SOC – CoreComponents Proposed Architecture for the SOC Perimeter and Boundary Points Network Nodes Internet DMZ / Published Services IPS WWW SSL VPN Applications Active DirectoryDB Middleware SMTP Internal Resources MAINFRAME Servers WAF FW (HTTP, SNMP, SMTP, SYSLOG, API, XML, CUSTOM FILE, LOGFILE DATA ACQUISITION LAYER – SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) EVENT CORRELATION LAYER · Event Correlation Engine · Analysis and Filtering · Event Management · Integration with NMS Systems · Trouble Ticket Integration · Flow Analysis SECURITY VULNERABILITY · Common Vulnerability Exploits CVE · Risk Ranking · Configuration Audit · Security Metric Dashboard DATA COLLABORATION · Policy Management · Asset Repository · Problem Incident Management · Security Incident Reporting · Change Control · Security Automation Security Management, Systems Management, Network Management, Reporting, KPI, SLA, Benchmark, Compliance Management REPORTING AND MANAGEMENT LAYER
  • 26.
    SOC – CoreComponents Integration of Core SOC Components
  • 27.
    SOC Technologies … Sonow the technologies … SIEM Solutions • Event Collector – Syslog, Log Files, Application Log Export • Flow Collection – NetFlow, J-Flow, S-Flow, IPIX • Asset Database • Event and Flow Correlation • Centralized Management Console for Security Dashboard and Reporting • Integration with service desk for automated ticket creation Compliance Management and Policy Conformance • Configuration Audit • ISO27001 / PCI-DSS3.0 Policy Compliance • Risk Management • Baseline Configuration Violation Monitoring • Network Topology Mapping and Visualization • Vulnerability Assessment
  • 28.
    SOC Technologies … Sonow the technology … Network and Security Monitoring • Network Performance Monitor - SNMP • Network Monitoring • Link Utilization • Availability Monitoring • SLA reporting • Integration with service desk for automated ticket creation Security Intelligence • Network Forensics • Situation Awareness • Artifacts and Packet Reconstruction • Monitor all Internet Activity • Record metadata for recursive analysis during incident response • Integration with Incident Response Handling (IRH)
  • 29.
    SOC (before) …..< The Silos >… Technology Integration … the old practice SIEM Vulnerability Assessment Network Monitoring
  • 30.
    SOC (after) ….Automation Technology Integration … the new … WORKFLOW SIEM 2.0Compliance and Monitoring NMS
  • 31.
    SOC – Processes…. Look familiar… Creating the SOC Processes … now that we have discussed technology, lets discuss processes … DATA SECURITY AND MONITORING • Data Asset Classification • Data Collection • Data Normalization • Data at Rest and In Motion • Data Protection • Data Distribution
  • 32.
    SOC – Processes Creatingthe SOC Processes … now that we have discussed technology, lets discuss processes … EVENT MANAGEMENT • Event Correlation • Identification • Triage • Roles • Containment • Notification • Ticketing • Recovery • Forensics and Situational Awareness
  • 33.
    SOC – Processes Creatingthe SOC Processes … now that we have discussed technology, lets discuss processes … INCIDENT RESPONSE PRACTICE • Security Incident Reporting Structure • Security Incident Monitoring • Security Incident Escalation Procedure • Forensics and Root Cause Analysis • Return to Normal Operations • Post-Incident Planning and Monitoring • Communication Guidelines • SIRT Integration
  • 34.
    SOC – Processes Creatingthe SOC Processes … now that we have discussed technology, lets discuss processes … SOC OPERATING GUIDELINES • SOC Workflow • Personnel Shift Description • Shift Reporting • Shift Change • Information Acquisition • SOC Monitoring Suite • SOC Reporting Structure • Organizational Chart
  • 35.
    SOC – Processes Creatingthe SOC Processes … now that we have discussed technology, lets discuss processes … ESCALATION MANAGEMENT • Escalation Procedure • Pre-Escalation Tasks • IT Security • Network Operation Center • Security Engineering • SIRT Integration • Law Enforcement • 3rd Party Service Providers and Vendors
  • 36.
    SOC – Processes Creatingthe SOC Processes … now that we have discussed technology, lets discuss processes … DATA RECOVERY PROCEDURES • Disaster Recovery and BCP Procedure • Recovery Time Objective • Recovery Point Objective • Resiliency and High Availability • Facilities Outage Procedure
  • 37.
    SOC – Processes SECURITYINCIDENT PROCEDURES • Email Phishing - Email Security Incident • Virus and Worm Infection • Anti-Virus Management Incident • NetFlow Abnormal Behavior Incident • Network Behaviour Analysis Incident • Distributed Denial of Service Incident • Host Compromise - Web Application Security Incident • Network Compromise • Internet Misuse • Human Resource - Hiring and Termination • Domain Hijack or DNS Cache Poisoning • Suspicious User Activity • Unauthorized User Access (Employee)
  • 38.
    SOC – Processes VULNERABILITYAND PATCH MANAGEMENT • Vulnerability Research • Patch Management - Microsoft SCOM • Identification • Dissemination • Compliance Monitoring • Network Configuration Baseline • Anti-Virus Signature Management • Microsoft Updates Creating the SOC Processes … now that we have discussed technology, lets discuss processes …
  • 39.
    SOC – Processes TOOLSOPERATING MANUAL FOR SOC PERSONNEL • Operating Procedure for SIEM Solutions – Event Management and Flow Collector/Processor • Firewall Security Logs • IDS/IPS Security Logs • DMZ Jump Server / SSL VPN logs • Endpoint Security logs (AV, DLP, HIPS) • User Activity / Login Logs • Operating Procedure for Policy and Configuration Compliance • Operating Procedure for Network Monitoring Systems • Operating Procedure for Vulnerability Assessment Creating the SOC Processes … now that we have discussed technology, lets discuss processes …
  • 40.
    SOC – Processes SECURITYALARMS AND ALERT CLASSIFICATION • Critical Alarms and Alerts with Action Definition Non-Critical and Information Alarms Alarm reporting and SLA to resolve the alarms Creating the SOC Processes … now that we have discussed technology, lets discuss processes …
  • 41.
    SOC – Processes SECURITYMETRIC AND DASHBOARD – EXECUTIVE SUMMARY • Definition of Security Metrics based on Center of Internet Security standards • Security KPI reporting definition • Security Balanced Scorecard and Executive Reporting Creating the SOC Processes … now that we have discussed technology, lets discuss processes …
  • 42.
    • Environments • Location •Device Types • System Types • Security Zones • Demarcation Points • Ingress Perimeters • Data Center • Extranet • WAN ….Know your infrastructure…. You can only monitor what you know 
  • 43.
  • 44.
  • 45.
    SCADA Network… Whatis the problem?
  • 46.
  • 47.
  • 48.
  • 49.
    • Knowledge onhow service flow across your infrastructure…. BUILD A SECURITY SERVICES CATALOG …. Service Flows ……
  • 50.
    • Understanding theservice flows will allow you to VISUALIZE… ….. HEAT MAP ….. …. Service Flows ……
  • 51.
    Build an AssetDatabase and Integrated into SIEM; Following asset details can be adjusted with Asset Manager: • Name • Description • Weight • Operating System • Business Owner • Business Owner Contact Information • Technical Owner • Technical Owner Contact Information • Location Build an Asset Repository
  • 52.
    SCADA / ICS– ASSET REPOSITORY
  • 53.
    Now that wehave the processes, technology and people what next….. • Build contextual threat cases per environment; – Extranet – Internet – Intranet – Data Center – Active Directory – Malware / Virus Infection and Propagation – NetFlow Analysis – Remote Sites / WAN – Remote Access – IPSEC VPN / SSL VPN – Wireless – etc….. Develop Threat Cases
  • 54.
    Sample: Firewall GAPAnalysis Report
  • 55.
    Sample: Firewall GAPAnalysis Report
  • 56.
    Sample: Firewall GAPAnalysis Report
  • 57.
    ADVANCED THREAT CASES- ENVIRONMENT • To define threat cases per environment … not by system…. (silo) • CONTEXTUAL • SERVICE ORIENTATED • USER CENTRIC ID Threat Case Development OS.WIN Microsoft Windows Servers - Threat Case Development Documentation Microsoft Active Directory - Threat Case Development Documentation MSIIS MSSQL MSEXC Microsoft Application - Threat Case Development Documentation • IIS • MSSQL • Exchange IBMAIX LINUX SOLARIS UNIX/LINUX/SOLARIS/AIX – Threat Case Development Documentation PRIVACC Advanced Threat Cases for Privileged User and Special Account Activity and Monitoring N/A Baseline Security Settings on UNIX/LINUX/SOLARIS/AIX server BUSINT Business Internet EXTRNT Extranet S2SVPN Site to Site VPN
  • 58.
    ADVANCED THREAT CASES- ENVIRONMENT • To define threat cases per environment … …. Eventually …. Should …. Include …. All …. Environment ….. ID Threat Case Development INTOFF International Offices – Global MPLS SSLVPN Juniper SSL VPN NATIONAL IPVPN –National MPLS IPVPN WIRLESS Wireless Infrastructure VOIPUC Voice over IP VSAT VSAT – Satellite DIGPKI PKI and X.509 Digital Certificates (systems threat case) AAA AAA (systems threat case) HIPS HIPS (system threat case and ePO integration) EXECACC Executive Account Monitoring SAP SAP Router and SAP Privilege Activity Monitoring COMPLIANCE Compliance and Best Practices Configuration NAC Network Admission Control –
  • 59.
    ADVANCED THREAT CASES- ENVIRONMENT • To define threat cases per environment … …. Eventually …. Should …. Include …. All …. Environment ….. ID Threat Case Development IPS-AV IPS and AV Management Console EMAIL Email Security – Business Internet Gateway DAM Database Activity Monitoring (DAM) SFT Secure File Transfer • IMPORTANT – understand the environment and understand the threats related to those environment…..
  • 60.
  • 61.
  • 62.
    Important Note: "OS.WIN.010.Offense: MultipleLogon for Single User from Different Locations" offense is disabled pending application/system accounts names clarifications to be excluded from the rule's logic. Develop Threat Cases – Windows Servers
  • 63.
    *NIX AUTHENTICATION …FOLLOW THE PROCESS
  • 64.
  • 65.
  • 66.
  • 67.
  • 68.
  • 69.
  • 70.
    SOC-Wiki - Goals •Centralized Knowledge Repository for SOC • Collaborate and Share Information with other Team Members • Easy of use and Searchable • Integrations with other Toolsets
  • 71.
    SOC Wiki –SIEM Integration • Current Issues with SIEM Processes, Documentations, Offence Handling, Knowledge Sharing • SIEM Integrations into SOC-Wiki • SIEM Threat Cases
  • 72.
    SOC Wiki –SIEM Threat Cases • Listed above is how Threat Cases are displayed in SOC-Wiki • Threat Case Name, Severity, Status • Information - Centralized, Detailed and Searchable • Information updated by SIEM and SOC Teams
  • 73.
    SOC Wiki –SIEM Threat Cases • Example:
  • 74.
    Security Assurance Level •Security Assurance Levels (SALs) in Critical Infrastructure • Functional Requirements • Security Levels • Based on 7 x Functional Requirements • a) Access control (AC) • b) Use control (UC) • c) Data integrity (DI) • d) Data confidentiality (DC) • e) Restrict data flow (RDF) • f) Timely response to an event (TRE) • g) Resource availability (RA)
  • 75.
    Security Assurance Level •Security Assurance Levels (SALs) in Critical Infrastructure • Functional Requirements • Security Levels • Based on 4 x Security Levels
  • 76.
  • 77.
    Security Assurance Level AchievedSL vs. Target SL 0 1 2 3 4 Access control (AC) Use control (UC) Data integrity (DI) Data confidentiality (DC) Restrict data flow (RDF) Timely response to an event (TRE) Resource availability (RA) Achieved Security Level Target Security Level
  • 78.
    Shah H Sheikh– Sr. Security Solutions Consultant MEng CISSP CISA CISM CRISC CCSK [email protected]