SOC Architecture Workshop - Part 1
Download as PPTX, PDF10 likes6,779 views
The document discusses advanced security operations centers (A-SOCs) and their capabilities. It describes how A-SOCs go beyond traditional SOCs by focusing on threat mitigation, proactive monitoring and intelligence. It outlines key A-SOC capabilities like threat assessment and hunting, threat intelligence, situational awareness, and security analytics. The document also provides examples of A-SOC architecture, frameworks, technologies, queries, organization structure, and processes. It proposes a maturity model for advanced SOC services and provides an example use case for the Carbanak attack.
SOC Architecture Workshop - Part 1
- 1. Advanced SOC Advanced SOC Features and Capabilities Use Case Management – Workshop Incident Management
- 2. Traditional SOCs were driven by Compliance and Have the basic features as follows:- 1. Detect and react to threats, mostly triggered by log correlation rules 2. Perform log collection, correlation and monitoring to meet compliance requirements. 3. SIEM tradionally has log collectors/connectors to collect logs from multiple sources and loggers/processors for processing and storing log data for several years (6 months online and 7-8 years offline) and a console for monitoring events. 4. Monitor attacks and detect threats to manage and respond to those attacks Alerting for incidents/ critical actions. 5. A ticketing system is generally used to track tickets for security violations. 6. Generic and compliance focused use cases, mostly single device correlation and generates generic reports 7. Popular models were in house and outsourced / leveraged SOC Next generation SOCs are driven by threat mitigation, proactive monitoring and intelligence 1. More focus on identifying new / unknown threats and anticipate threats and mitigate risks 2. Integrate with NBAD, forensics and Integration with threat intelligence communities and social sites – to predict the attack 3. Big data analysis a part of SOC tool set; Integrated with national agencies and international CERTs. 4. Proactively provide alerts for financial frauds and violations in business processes. SOC will act as a single agency to prevent security incidents, frauds happening in E-Systems, compliance of regional laws across geographic boundaries 5. Automated response run books, real live simulations and IM framework automated by workflow, collaboration and intelligence tools 6. Customized risk and threat aligned use cases, some modeled on kill chain concept and provides risk aligned and analytical reporting and visualization 7. Popular model changed to expertise based onsite and offshore managed SIEM model. 2 Evolution of A-SOC
- 3. 3 Advanced SOC - Features Threat Assessment and Hunting – Knowing Threats and Adversaries – Their tools and methods – Critical assets as targets – Existing Controls and Weakness – Monitoring presence , IOC Management and Hunting Threat Intelligence – Internal threat intelligence – External threat intelligence – Application of threat intelligence – Automated consumption of threat intelligence (updated SIEM rules/ runbook) Situational Awareness – Context and enrichment (Post correlation, joining the dots to see the attack chain) – Visibility (Visualization to the state of security) Security Analytics – Behavioral profiling for users and systems – Database searches and statistical modeling, reporting and visualization – Forensics capability (Netflow/ replay)
- 4. Requirement Capability Sources IAM Integration User Context User Activity Monitoring IAM Packaged Applications Unsupported Sources Network Application Monitoring Logs DLP Integration Data Context Data Monitoring Internal and External Intelligence Pattern Recognition Anomaly Detection Early Attack Detection Event Stream Integration Cloud-Sourced Application Monitoring Internal and Cloud 4 A-SOC Capabilities
- 5. SOC 2.0 Strategy Program vision, objectives, approach, initiatives, roadmap SIEM Admin Operation • Tool / Log Integration • Reporting and Dashboards • Rule Administration • Device Administration Threat Monitoring and Response • Monitoring and Notification • Validation and Triage • Analysis and Escalation Threat Hunting and Intelligence • Internal Threat Intelligence (Assets/ Vulnerabilities/ Alerts • External Threat Intelligence (Feeds, analysis, actionable) SOC 2.0 Governance SOC Organization, Reporting, Service Level Management, Policy Approvals, Recommendations, Escalation. NBAD and Forensics Network flow monitoring and anomaly detection Full packet capture for forensics SOC 2.0 Operation Function • Active Threat Hunting • Run Book / Response Management • IOC Management • Use Case Management • Intelligence Analysis SOC 2.0 Strategy & Governance SOC 2.0 Operations SIEM Technology Log collection, processing and correlation Data sources – structure, referential and unstructured Incident Management Tool Ticketing, run book automation, incident response and collaboration and KPI monitoring SOC 2.0 Technology Analytics Big data – User Behavior Analytics And System Analytics Historical log and network and application data correlation Integration CMDB - Asset Modeling VM – Vulnerability Mapping Incident Mgt – Ticketing / Workflow Threat Intelligence Feeds Business Intelligence Security Dashboard Visualization – Integrated Security Posture Risk and Analysis Report SOC 2.0 Business Function • Requirement Analysis • Risk Management • Audit and Compliance Management • Legal and Fraud Management SOC 2.0 Technology Function • Architecture and Integration • Development • Server Management • Application, User and Data monitoring Soc 2.0 - CSIRT • Incident Response / Emergency Response • Forensics 5 A-SOC Framework
- 6. • Data collection capabilities and compliance benefits of log management, • The correlation, normalization and analysis capabilities of SIEM (security information and event management) • The network visibility and advanced threat detection of NBAD (network behavior anomaly detection), and user behavior anomaly detection by machine learning - User Behavior Analytics • The ability to reduce breaches and ensure compliance provided by Risk Management, • The network traffic and application content insight afforded by Network Forensics. • The automation of Incident Response by Artificial Intelligence / Run Books • IOC / VM Management by Threat Intelligence • Reporting and Visualization provided by Presentation Layer SIEM as a platform should be a truly integrated solution built on a common codebase, with a single data management architecture and a single user interface. 6 A-SOC Technical Capabilities
- 7. Monitor everything Logs, network traffic, user activity Correlate intelligently Connect the dots of disparate activity Detect anomalies Unusual yet hidden behavior Prioritize for action Attack high-priority incidents Threat Intelligence • Logs • Contextual Data • Vulnerability Assessments • Asset Inventories • Reports and Analytics Internal • XFORCE • CrowdStrike • SecureWorks • Deepsight External Threat Ingestion - Structured Threat Information eXpression (STIX™) SIEM Environment Single, Unified and Integrated Management Console Machine Learning – Analytics Artificial Intelligence Incident Management Automation * Source - IBM 7 A-SOC Architecture
- 8. D A T A S O U R C E S L I N K E D D A T A A N A L Y S I S Security Data Network Data End Point/Identity data Firewall /IPS/IDS Threat Intel SIEM Alerts Network Data Flow Data Proxy/WiFi Data Endpoint Data User Data /AD Database Data Client Devices Assets Internal Servers Websites Users Dynamic Knowledge Extraction Source Collaboration ANALYTICSENGINE RISK ENGINE SEARCH EXPLORATION REPORTS RISKS ! • A-SOCs leverages Threat Intelligence from multiple commercial and open sources and integrated into a platform for collaboration, correlation, visualization and actionable analysis. • A-SOCs leverages Big Data Platform for UBA, System analytics, visualization and reporting. • Platform is also used for running hunt missions, query engine, reporting and AI for ticketing and incident remediation. 8 A-SOC Big Data Tool-Set – Analytics/ UBA and TH
- 9. • What all patterns have been built and what algorithm the technology uses for machine learning • How accurate is the system in detecting anomalies for malware and behavior • How does it compare it with other similar products; what criteria should be used for evaluation. • Threat Intelligence comes in many forms, difficult to ingest and requires capabilities and continuous analysis and actionables MACHINE LEARNING AND ARTIFICIAL INTELLIGENCE SECURITY ANALYTICS – NBAD AND END POINT AND USER ANALYTICS THREAT INTELLIGENCE AND HUNTING 9 A-SOC Technical Queries
- 10. Other Internal Teams Systems Applications Network Database Vulnerability / Patch Business Risk / Compliance Information Technology Information Security and Risk Management CISO CEO , COO, CRO Board / Shareholders Incident Responder L2/L3 SOC Analysts Service Desk L-1 Monitoring Team SOC Manager SIEM Admins Incident Response Threat Hunter Country CERT Regulatory Bodies CIO SOC Team Internal SOC organization associated roles and responsibilities should be clearly defined. The following is a sample organization structure. Threat Intelligence 10 A-SOC Organization Structure and Functions
- 11. Event Management • Event monitoring, analysis and correlation • Triage and Escalation • Containment • Proactive intelligence and situational awareness • Response collaboration Vulnerability & Patch Mgmt • Vulnerability research • Patch management • Identification • Dissemination • Compliance monitoring • Configuration / Control baselines • Antivirus signature management • Microsoft updates Incident Response • IM Charter, SIRT and TIG Reporting Structure, R&R • Incident Handling Process and Procedures for: • Identification, validation, declaration, escalation, containment, investigation, forensics, eradication, recovery, post incident • Cross functional RACI and coordindation for response • Forms and Templates Threat Specific Response Procedures • Phishhing / Spear Phishing • Malware (virus, worms, trojans, spyware) • NetFlow Abnormal Behavior Incident • Network Behavior Analysis Incident • (Distributed) Denial of Service • Domain hijack or DNS cache poisoning • Website defacement • Web application incident • Unauthorized access • User account compromise • Host compromise • Network compromise • Advanced persistent threat • Suspicious user activity SOC • Charter • Organization • Roles and responsibilities • Business requirements, scope and architecture • Service Catalogue • SOC operations and management procedures • SOC metrics and KPIs • SOC process and procedure manual (all processes and procedures including tool/solution specific) • SOC security policy • SOC business continuity and disaster recovery Threat Hunting • Threat Intelligence • Threat Hunting • Device / source inclusion and exclusion process 11 A-SOC Processes
- 12. 12 Advanced SOC Services • Custom parser creation and log source addition/integration per device type/days 1. Threat Hunting 2. Perform API integration of Vulnerability Management, Business Systems, CMDB etc. 3. Integrate with threat intelligence and automate responses with actionable Additional Services 1. Incident Management – Monitoring, Validation, Notification, Tracking Response and Closure 2. SIEM Administration – Managing Licenses, Patches, all SIEM Components, Health checks, log sources integrity, users and reports 3. Reporting and Dashboard – Creation and emailing the reports and dashboards to stakeholders with trend analysis 4. Use Case Management – New use case creation and fine tuning of existing use cases based on monitoring 5. Log Source Addition – Additional addition of devices and log sources, custom parser creation BAU Service
- 13. Effort Time 1 2 3 12mths 24 mths 36 mths 1 • Focus on Critical Assets – AD, Network, Core Web application used for transaction, Security Devices like Firewall, IPS, Proxy, Critical OS and Database to be monitored under SIEM • Monitor “what matters the most” (Web Apps, Core OS, Databases, etc.) • Keep the number of correlation rules in the order of risk, initially 10-12 Multi- Device correlation use cases • Create Three basic processes – Monitoring and Notification, Incident Management and Service Desk/ Ticketing Management • Create basic reporting and trends, alerts and notification and Incident Response summary • Start developing SOC related policies, procedures and workflows 2 • Perform 100% coverage for log sources; Include enterprise applications • Customization and Integration of application log sources • Add NetFlow and Forensics module • Create Forensics and Run Book processes • Add Threat Intelligence and build analytics for threat hunting • Monitor and Adapt Rule Bases – Fine tune rules • Create additional 10-12 Use Cases for Applications, Flows like file export/ protocol and IP and Forensics 3 • Automate Threat Intelligence Actionable • Define Threat Intelligence process for threat hunting, asset criticality and vulnerability identification and actionable • Implement User and system behavior analytics • Add use cases with statistical modeling • Additional reporting and visualization for key systems and data 13 Advanced SOC Services – Maturity Model
- 14. 21 Example Carbanak – A-SOC Capabilities 2 Malicious Web server sends or reflects exploit code <click> 1 Install Malware Mail-Client 5 Victim Domain Name Server Attacker Used Spearphised emails Command & Control 4 web-page + 3 Follow link Lateral Movement Screen capture/ Video recording 9 6 Remotely Control Malware Contact Updater By IP Address (C&C) 7 8 Word file with MA Data upload – Screens and VR
- 15. 22 Example Carbanak – A-SOC Capabilities 2 Malicious Web server sends or reflects exploit code <click> 1 Install Malware Mail-Client 5 Victim Domain Name Server Attacker Using Spearphised emails Command & Control 4 web-page + 3 Follow link 9 6 Remotely Control Malware Contact Updater By IP Address (C&C) 7 8 Word file with MA Lateral Movement Screen capture/ Video recording Data upload – Screens and VR d) Monitor Web Traffic a) Monitor DNS c) Monitor Port & Protocol Usage b) Monitor NetFlow e) Data in HTML Response - Netflow b) Monitor NetFlow
- 16. Advanced SOC Use Case Management – Workshop
- 17. 17 Use Case Introduction to Use Cases • Different names are used to define rules that generate alerts in SIEM • There common terminologies used are as follows • SIEM Rules • Correlation Rules • Use Cases • SIEM Alert is typically a rule which does not require enumeration and there is no correlation of 2 conditions. It is a simple log condition that is interesting. For example – Administrative password change, file access, new user added, new table created, configuration change, PO approved etc. • SIEM rules/ alerts are typically simple log matching rules, another example is If I see string ABC 123 in HIPS logs that raise an alert or alert me if the configuration of the router has changed. • One can create some conditions in SIEM alerts and call it a SIEM rule which gives context. For Example – Administrative password changed from XX IP for YY user which is in “white list”. Here too, there is nothing abnormal but an alert to state that interesting event has happened. One can investigate to see why the password was changed or similarly why a table was created and is there a change ticket or an approval for the same.
- 18. • Correlation is the act of linking multiple events together to detect strange behavior. It is the association of different but related events to provide broader context than a single event can provide. • Correlation rules aka known as chaining of SIEM rules or SIEM alerts/events and typically make 2 conditions to match. • Correlation is built on rules for known attack patterns. One has to know what elements constitutes an attack patterns or elements of a compliance requirement in order to determine which device and event types should be linked. Also while correlating we have to factor in the time, because events do not happen simultaneously, so there is a window of time within which events are likely to be related. • So in a nutshell a correlation rule is “combining of multiple SIEM rule/alerts”. It can be from the same device or desperate devices. • E.g. Failed login attempts followed by successful login is correlation condition from same device but a scan detected by firewall, followed by access to application from application logs and then creation of a user in the application is a directory service of database logs creating a COMPROMISE condition. 18 Use Case Co-relation Rules
- 19. • The term use case is used for one or more correlation rules to describe a condition. • A Use Case is a set of steps, representing a business goal or defining interactions between a role (or an "actor") and a system to achieve a goal. The actor can be a human or an external system. In a nutshell a use case in our term is a customized set of conditions occurring from a combination of one or more correlation rule, generally industry specific that constitute an attack vector and also has a response mechanism. • Every use case has a Logic Flow, i.e. something unique to the environment and needs to be defined accordingly. • Use Case Response: After implementation, the Use Case need to be made as a valuable resource by Defining a Use Case Response. This is the stage where you would define “What action needs to be taken and how it needs to be taken”. 19 Use Case Co-relation Rules
- 20. • Use Case Name - Privilege Activity Monitoring – Windows and Linux • Category: Access Control (AC) • Limit facility and information access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the authorized activities and transactions. • Use Case Number: 1 and 2 • Accounts having Privileged access, e.g. Admin, Sudo should be monitored on activity performed by ID. • References: • ISO/IEC 27001 A.11 • SANS Top 20: CSC 16 • PCI • Internal Policy Compliance • Use Case Description: • Accounts with administrator and/or root privileges should be monitored and flagged if they are locked due to multiple authentication failures. This could indicate potentially malicious activity and alerted on, accordingly. Generate report. • Log Sources: • Active Directory • UNIX Systems • Sample Rule Description: Privileged Role Violations: • Identify IDs not in Security Administration group that have made changes to user IDs and AD groups • Create an active list with users within the Security Admin group. • Create a rule to fire when a user not on the active list makes a change to a user ID and/or AD groups. • Event Name/Category - Use account got locked out • Event Attribute • - User Name • - Source IP Address/Host Name • - Destination IP Address/Host Name • - Event Name // - Event Time Stamp • - Log Source Event Code // Event description 20 Use Cases Sample Use Case
- 21. Advanced SOC Incident Response
- 22. Situational Awareness Ability to identify what is happening in the networks Reconnaissance Weaponization & Delivery Lateral Movement Data Exfiltration Persistency Identification and selection of the target/s host or network by active scanning Transmission/Inject of the malicious payload in to the target/s Detect, exploit and compromise other vulnerable hosts Steal and exhilarate data Establish a foothold in the corporate network In military strategy, a “Kill Chain” is a phase model to describe the stages of an attack, which also helps inform ways to prevent attacks. 22 Incident Response Kill Chain Model for Use Cases Assist in IR
- 23. Know your adversaries and their methods Detect threat activity in kill chain Disrupt the kill chain and stop the attack Eradicate threat agent and remove the threat Our Best Defence against advanced cyber threats has our built in threat intelligence, security operations and incident response working in cordial manner defined by our processes Threat Intelligence Security Operation Incident Response Response StrategyThreat Indicators 23 Incident Response Threat Indicators – Our defence in Cyber Kill Chain
- 24. Topic Descriptions / Actions Purpose The purpose of this document is the provide guidance to Tier2 Triage and Tier 3 Response analysts on the approach to incident remediation. Scope The scope of this guidance includes 3 stages: Containment Eradication Recovery Containment The intention of this stage is to limit the damage caused by the incident without yet removing the cause of the incident. This is typically done as the first step as it may take additional time to understand the cause of the incident and the appropriate eradication strategy. Examples of containment may include shutting down of affected systems, closing firewall ports etc. Eradication This stage is typically done after the containment stage where the cause of the incident is removed. Eradication can only be performed before containment if the incident cause is immediately clear and eradication can be performed swiftly before additional damage is caused by the incident. Examples of eradication include deleting malicious code, removing malicious accounts etc. Recovery This stage is done once the “victim” system impacted is no longer vulnerable. Examples of recovery include restoring from backup, patching servers etc. 24 Incident Response IR response process
- 25. Topic Descriptions / Actions Attack Category Authentication Attack Sub Categories Misc Login Succeeded, General Authentication Failed, User Login Failure, Unknown Authentication, Host Login Succeeded, Host Login Failed, Misc Login Failed, Privilege Escalation Failed, Privilege Escalation Succeeded, Mail Service Login Succeeded, Mail Service Login Failed, Auth Server Login Failed, Auth Server, Group Added, Group Changed, Group Removed, Computer Account Added, Computer Account Changed, Computer Account Removed, Remote Access Login Succeeded, Remote Access Login Failed, General Authentication Successful, Telnet Login Succeeded, Telnet Login Failed, Suspicious Password, Samba Login Succeeded, Samba Login Failed and etc Response Remediation Options 1. Containment a. Terminate processes with any active connections with attacker IP or port b. Disable user id in question 2. Eradication a. Work with network team to physically locate internal attacker b. Physically remove internal attacker c. Turn off switch port of internal attacker d. Remove user access 3. Recovery a. Implement strong password policy b. Reconfigure vulnerable service as applicable c. Restore to previous good state from backup or recovery application 25 Incident Response IR response process
- 26. 1. Extract attack source IP from Helpdesk/IR Ticket 2. Notify application owner of attack 3. Implement firewall rule to block attacker IP 4. If attack source is on local network, remote to a machine within same subnet of unauthorized device 5. Ping offending machine IP 6. Run “arp –a” command on command prompt to extract MAC Address 26 Incident Response IR Steps from Playbook SQL Injection
- 27. Questions? Questions, Comments and Feedback