Cyber Security Trends
Business Concerns
Cyber Threats
The Solutions
Security Operation Center
requirement
SOC Architecture model
SOC Implementation
SOC & NOC
SOC & CSIRT
SIEM & Correlation
-----------------------------------------------------------
Definition
Gartner defines a SOC as both a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance. The term "cybersecurity operation center" is often used synonymously for SOC.
A network operations center (NOC), which focuses on network device management rather than detecting and responding to cybersecurity incidents, is not a SOC. Coordination between the two is common, however.
A managed security service is not the same as having a SOC — although a service provider may offer services from a SOC. A managed service is a shared resource and not solely dedicated to a single organization or entity. Similarly, there is no such thing as a managed SOC.
Most of the technologies, processes and best practices that are used in a SOC are not specific to a SOC. Incident response or vulnerability management remain the same, whether delivered from a SOC or not. It is a meta-topic, involving many security domains and disciplines, and depending on the services and functions that are delivered by the SOC.
Services that often reside in a SOC are:
• Cyber security incident response
• Malware analysis
• Forensic analysis
• Threat intelligence analysis
• Risk analytics and attack path modeling
• Countermeasure implementation
• Vulnerability assessment
• Vulnerability analysis
• Penetration testing
• Remediation prioritization and coordination
• Security intelligence collection and fusion
• Security architecture design
• Security consulting
• Security awareness training
• Security audit data collection and distribution
Alternative names for SOC:
Security defense center (SDC)
Security intelligence center
Cyber security center
Threat defense center
Security intelligence and operations center (SIOC)
Infrastructure Protection Centre (IPC)
Security operations center (Persian: مرکز عملیات امنیت)
7. The Verizon 2015 Data Breach Investigation Report showed that in 60 percent of
breaches the compromise happened within minutes or less. The report also showed
that half of these incidents took anywhere from months to even years before being
uncovered. So in summary, breaches tend to happen very quickly and on average
take a long time to be detected by the targeted organization. These numbers
demonstrate the importance of having an effective security operations program in
which a mature SOC plays a significant role.
36. MONITORING AND REPORTING
• Continuous security monitoring
• System log monitoring
  NTP
  Time stamps and log rotation, retention
  OS: Vendorbase vs. FreeBSD logging
• Reporting and monitoring systems
65. SECURITY OPERATION CENTER
A security operations center provides centralized and consolidated cybersecurity incident
prevention, detection and response capabilities. This research outlines the five most
common SOC models and how CISOs can decide which one makes sense for the
organization.
Overview
Key Findings
• Security operations centers (SOCs) are being increasingly adopted by organizations to
provide threat detection, response and prevention capabilities; consolidate and
centralize security operations functions; and meet regulatory and legal requirements for
security monitoring, threat and vulnerability, and incident response management.
• 24/7 SOC operations is cost-prohibitive for many organizations.
• A co-managed SOC working with a managed security service provider (MSSP) is a
credible option for organizations of any size.
• SOCs will fail in their mission if their deliverables are not tightly coupled to business
outcomes.
66. Security operations centers (SOCs) have historically been adopted by very large organizations
requiring centralized and consolidated security operations primarily for efficiency and cost reasons.
The evolving and escalating threat environment and the shift in security defense from "Prevent" to
"Detect and Respond" (see "Best Practices for Detecting and Mitigating Advanced Persistent
Threats" and "Designing an Adaptive Security Architecture for Protection From Advanced
Attacks" ) has prompted a renewed adoption of SOCs by a wider user base — repurposed to focus
on the detection, response, and prevention of cybersecurity incidents and threats.
67. Description
SOCs are used to provide the following functions:
• Security device management and maintenance
• Threat and vulnerability management
• Security monitoring and auditing
• Cyber security incident response management
• Security compliance management
• Security training
70. The defining attributes of excellence in a SOC all stem from the quality, not quantity, of
people and the maturity of processes. Depending on the fulfilled functions, a fully
functional SOC running at 24/7 requires a minimum of eight to 10 people just to maintain
two people per shift, working three days on, three days off, four days on and four days off in
opposing 12 hour shifts. It requires two people per shift to enable one to monitor while the
other investigates, and to cover health and safety concerns. This does not include
management, staff turnover, personal time off or other specialist functions like malware
reverse engineering, forensics and threat analysis.
71. A SOC ideally should be located in a dedicated facility purpose-built to facilitate
operational security. Due to the sensitive nature of incident investigations, as well as the
potential for tampering with potential evidence and hiding malicious tracks, physical
access to the facility is restricted to authorized personnel only. The SOC's command and
control infrastructure should be heavily segmented away from the production network to
prevent internal breaches affecting the operations of the SOC. Ideally, the technology
infrastructure used for monitoring and investigations within the SOC should be isolated
and separated from the Internet. Finally, the SOC will often have its own independent
Internet connectivity so that it can continue to operate and perform investigations even if
the corporate network is, for example, under a DDoS attack.
Beyond the typical preventative technologies such as firewalls, IPSs and proxies, a SOC will
utilize a broad technology stack providing security telemetry gathering, analysis and incident
management capabilities. A security information and event management (SIEM) solution is
the most commonly encountered platform used for this, integrated with a GRC and/or help
desk solution. Incident response management platforms are increasingly being added to this
stack to provide purpose and prebuilt incident management workflows and features (see
"Technology Overview for Security Incident Response Platforms" ), as well as various
advanced threat and security analytics technologies, for example, user and entity behavior
analytics (see "Market Guide for User and Entity Behavior Analytics" ), to enhance their
advanced threat detection capabilities. Threat intelligence platforms (see "Technology
Overview for Threat Intelligence Platforms" ) also aid the SOC in bringing in external threat
landscape context in a more efficient manner and assist with incident response, threat
forecasting and threat intelligence sharing, ingesting many flavors of threat intelligence and
then actioning it.
79. SOC Models
There are 5 primary operational SOC models:
SOC model: Virtual SOC
Attributes:
• No dedicated facility
• Part-time team members
• Reactive, activated when a critical alert or incident occurs
• Primary model when fully delegated to MSSP
Typical adopter: SMBs, small enterprises
SOC model: Multifunction SOC/NOC
Attributes:
• Dedicated facility with a dedicated team performing not just security, but some other
critical 24/7 IT operations from the same facility to reduce costs
Typical adopter: Small, midsize and low-risk large enterprises where network and security
functions are already performed by the same or an overlapping group of people and teams
SOC model: Distributed/Co-managed SOC
Attributes:
• Dedicated and semidedicated team members
• Typically 5x8 operations
• When used with an MSSP it is co-managed
Typical adopter: Small and midsize enterprises
SOC model: Dedicated SOC
Attributes:
• Dedicated facility
• Dedicated team
• Fully in-house
• 24/7 operations
Typical adopter: Large enterprises, service providers, high risk organizations
SOC model: Command SOC
Attributes:
• Coordinates other SOCs
• Provides threat intelligence, situational awareness and additional expertise
• Rarely directly involved in day-to-day operations
Typical adopter: Very large enterprises and service providers; governments, military,
intelligence
80. Virtual SOC
A virtual SOC does not reside in a dedicated facility. Instead, it is composed of team members
who have other duties and functions. There is no dedicated SOC infrastructure, relying instead
on decentralized security technologies and becoming active in case of an incident.
A virtual SOC is the least mature of SOC models and suited to smaller enterprises that
experience only infrequent incidents or work with a managed security service provider or other
third party. Gartner also sees this model being adopted as an interim approach during the
transition to a more dedicated SOC capability. A virtual SOC is usually purely reactive,
although a more proactive posture can be achieved in this model by leveraging automated
monitoring capabilities such as correlation or rule-based alerting, and in high-risk environments
anomaly detection and behavioral-analytics-based alerting.
Multifunction NOC and SOC
In some end-user organizations, a SOC and a NOC converge and share resources. It can be a
successful model; however politics, budget, process maturity levels, etc. can lead to doing
multiple things, but none of them well. This is the risk with this model.
Where there is a workable relationship with other IT areas, this can be pursued as it can save
significant capital outlay on tools and facilities in terms of budget. However, IT security
leaders must never be distracted by this convergence, or else it may affect the
mission of the SOC and its ability to help deliver and enable business outcomes.
81. Distributed/Co-managed SOC
A distributed SOC consists of some dedicated staff and infrastructure, augmented by additional
team members from other teams, departments or service providers. One or more dedicated people
are responsible for ongoing SOC operations, involving semi-dedicated team members and third
parties as required. If an organization cannot operate 24/7, the resulting gap can be covered by a
managed security service provider, resulting in a distributed SOC model.
The co-managed model can greatly reduce the cost of 24/7 operations while maintaining the
primary security function within the organization. In addition, it can augment in-house capabilities
with specialist knowledge, such as forensics, and reduce gaps in expertise.
Driving the adoption of this model are a shortage and gap in availability for skills and expertise,
general budget restrictions and the considerable cost of 24/7 operations. As a consequence, 5x8
operations with an MSSP covering the weekends and nights are a popular model that Gartner
clients are following.
This model is suited for small to midsize organizations and especially for those working
extensively with third parties, such as outsourcers and managed security service providers.
82. Dedicated SOC
A centralized SOC has a dedicated facility, infrastructure and team. It is self-contained, possessing
all of the resources required for continuous day-to-day security operations. The team is typically
composed of security engineers, security analysts and a SOC manager. In the case of multishift
operations, each shift will also have a shift lead or duty manager.
A fully centralized SOC is suited for large and midsize enterprises with multiple business units and
geographically dispersed locations, sensitive environments and high security requirements, as well
as those that provide internal security services. This specifically includes MSSPs and service
providers more generally.
Command SOC
Very large organizations, service providers and those providing shared services (for example,
government agencies) may have more than one SOC. Where these are required to run
autonomously, they will function as centralized or distributed SOCs. In some instances though, the
SOCs will be working together, and must be managed hierarchically. In that case, one SOC should
be designated the command SOC. The command SOC coordinates security intelligence gathering,
produces threat intelligence and fuses these for consumption by all other SOCs, in addition to
providing additional expertise and skills such as forensics or threat analysis.
95. • Forensics knowledge
• Proficiency in coding, scripting and protocols
• Managing threat intelligence
• Breach management
• Penetration testing
• Data analysts
• Minimum two years of experience in NID monitoring and incident response.
• Familiarity with network security methodologies, tactics, techniques and
procedures.
• Experience with IPS/IDS, SIEMs and other CND security tools.
96. • Ability to read and write Snort IDS signatures.
• Experience reviewing and analyzing network packet captures.
• Experience performing security/vulnerability reviews of network
environments.
• Possess a comprehensive understanding of the TCP/IP protocol, security
architecture, and remote access security techniques/products.
• Experience with enterprise anti-virus solutions, virus outbreak management,
and the ability to differentiate virus activity from directed attack patterns.
97. • Working knowledge of network architecture.
• Strong research background, utilizing an analytical approach.
• Candidate must be able to react quickly, decisively, and deliberately in
high stress situations.
• Strong verbal/written communication and interpersonal skills are
required to document and communicate findings, escalate critical
incidents, and interact with customers.
• Highly motivated individual with the ability to self-start, prioritize,
multi-task and work in a team setting.
• Ability and willingness to work shifts ranging between 7:00 AM EST and
11:00 PM EST.
117. Event:
An event is “Any observable occurrence in a system and/or network.
Events sometimes provide indication that an incident is occurring” (e.g., an alert
generated by an IDS or a security audit service). An event is nothing more than
raw data. It takes human analysis—the process of evaluating the meaning of a
collection of security-relevant data, typically with the assistance of specialized
tools—to establish whether further action is warranted.
118. Categorize your events by assigning logging facility values. This will add
further context to event analysis.
Limit the number of collectors for which a client is configured to the
minimum required. Use syslog relays when you require the same message to
be forwarded to multiple collectors. Syslog relays can be configured to
replicate and forward the same syslog message to multiple destinations. This
scenario is common when you have multiple monitoring platforms
performing different tasks such as security, problem management, and
system and network health monitoring.
Baseline and monitor the CPU, memory, and network usage overhead
introduced by the syslog service.
119. Triage:
Triage is the process of sorting, categorizing, and prioritizing incoming events and
other requests for SOC resources.
A SOC typically will designate a set of individuals devoted to real-time triage of
alerts, as well as fielding phone calls from users and other routine tasks. This group
is often referred to as Tier 1. If Tier 1 determines that an alert reaches some
predefined threshold, a case is created and escalated to Tier 2. This threshold can be
defined according to various types of potential “badness” (type of incident, targeted
asset or information, impacted mission, etc.). Usually, the time span Tier 1 has to
examine each event of interest is between one and 15 minutes. It depends on the
SOC’s escalation policy, concept of operations (CONOPS), number of analysts, size
of constituency, and event volume. Tier 1 members are discouraged from performing
in-depth analysis, as they must not miss events that come across their real-time
consoles. If an event takes longer than several minutes to evaluate, it is escalated to
Tier 2.
120. Tier 2 accepts cases from Tier 1 and performs in-depth analysis to determine what
actually happened—to the extent possible, given available time and data—and
whether further action is necessary. Before this decision is made, it may take weeks
to collect and inspect all the necessary data to determine the event’s extent and
severity. Because Tier 2 is not responsible for real-time monitoring and is staffed
with more experienced analysts, it is able to take the time to fully analyze each
activity set, gather additional information, and coordinate with constituents. It is
generally the responsibility of Tier 2 (or above) to determine whether a potential
incident occurred.
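The Tier 1 to Tier 2 hand-off described in the two slides above, as an added example that is not part of the original deck: alerts are scored on the "badness" dimensions the text names (incident type, targeted asset, impacted mission), a score at or above a predefined threshold opens a case for Tier 2, and an alert that outlives the Tier 1 time box is escalated rather than left sitting on the real-time console. The weights, the threshold of 6, the 15-minute time box and the sample alerts are constructed assumptions.

```python
# Added example (not from the original slides): a minimal Tier 1 triage model.
# Weights, threshold and sample alerts are constructed; a real SOC takes them
# from its escalation policy and CONOPS.
from dataclasses import dataclass

# Constructed per-dimension weights for the three "badness" dimensions.
INCIDENT_TYPE_WEIGHT = {"scan": 1, "policy-violation": 1, "malware": 3, "unauthorized-access": 4}
ASSET_WEIGHT = {"workstation": 1, "server": 2, "domain-controller": 4}
MISSION_WEIGHT = {"none": 0, "degraded": 2, "critical": 4}
ESCALATION_THRESHOLD = 6   # assumed policy value
TIER1_TIME_BOX_MIN = 15    # upper bound the text gives for a Tier 1 look at one event

@dataclass
class Alert:
    alert_id: str
    incident_type: str
    asset_class: str
    mission_impact: str
    minutes_spent: float = 0.0   # how long Tier 1 has already spent on it

@dataclass
class Case:
    alert_id: str
    priority: int
    tier: int
    reason: str

def priority_score(alert: Alert) -> int:
    """Sum the three dimension weights; a value missing from a table scores
    that dimension's maximum so an unclassified alert cannot be quietly dropped."""
    score = 0
    for table, value in ((INCIDENT_TYPE_WEIGHT, alert.incident_type),
                         (ASSET_WEIGHT, alert.asset_class),
                         (MISSION_WEIGHT, alert.mission_impact)):
        score += table.get(value, max(table.values()))
    return score

def triage(alert: Alert):
    """Return a Case escalated to Tier 2, or None if Tier 1 closes the alert."""
    score = priority_score(alert)
    if score >= ESCALATION_THRESHOLD:
        return Case(alert.alert_id, score, 2, "threshold")
    if alert.minutes_spent > TIER1_TIME_BOX_MIN:
        return Case(alert.alert_id, score, 2, "time-box")   # do not let Tier 1 get stuck
    return None

def tier2_queue(alerts) -> list:
    """Triage a batch and return the Tier 2 queue, highest priority first."""
    cases = [c for c in map(triage, alerts) if c is not None]
    return sorted(cases, key=lambda c: c.priority, reverse=True)

SAMPLE_ALERTS = [   # constructed
    Alert("A1", "scan", "workstation", "none", 2),
    Alert("A2", "unauthorized-access", "domain-controller", "critical", 5),
    Alert("A3", "policy-violation", "server", "none", 20),
    Alert("A4", "malware", "server", "degraded", 3),
]
```

Running `tier2_queue(SAMPLE_ALERTS)` escalates A2 and A4 on score and A3 on the time box, while A1 is closed at Tier 1.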
121. Logging Recommendations
Enabling logging features on a product can prove useful but also have an
associated cost on performance and functionality. Some settings should be
required before enabling logging, such as time synchronization and local logging
as a backup repository when the centralized logging solution fails. When
designing and configuring your syslog implementation, consider the following
best practices before enabling logging:
• In the context of security operation, log events that are of business, technical, or
compliance value.
• Configure your clients and servers for NTP, and confirm that clocks are
continuously being synchronized.
• Time stamp your log messages and include the time zone in each message.
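Collector-side checks for the syslog practices in slides 118 and 121, as an added example that is not part of the original deck: the PRI field is decoded into the facility and severity that categorize an event, a message whose timestamp carries no time zone is rejected, and a sender whose timestamp drifts from the collector's receive time beyond a tolerance is flagged, since that is what a broken NTP setup looks like in the logs. The sample RFC 5424 lines, the receive time and the 120-second skew tolerance are constructed.

```python
# Added example (not from the original slides): syslog sanity checks at the
# collector. Sample lines, receive time and the skew tolerance are constructed.
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 facility codes 0-23 and severity codes 0-7; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_SKEW = timedelta(seconds=120)   # assumed tolerance before NTP is suspected
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME ...
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) ")

def decode_pri(pri: int):
    """Map a PRI value (0-191) to (facility, severity) names."""
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_timestamp(ts: str):
    """Return an aware datetime, or None when the message carries no usable time zone."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"           # fromisoformat() before 3.11 rejects 'Z'
    try:
        dt = datetime.fromisoformat(ts)
    except ValueError:                    # includes the NILVALUE "-"
        return None
    return dt if dt.tzinfo is not None else None   # naive timestamp: zone missing

def check_message(line: str, received_at: datetime) -> dict:
    """Classify one line and report the first problem found, if any."""
    m = HEADER.match(line)
    if not m:
        return {"ok": False, "problem": "unparseable header"}
    pri = int(m["pri"])
    if pri > 191:
        return {"ok": False, "problem": f"PRI {pri} out of range"}
    facility, severity = decode_pri(pri)
    result = {"ok": True, "host": m["host"], "app": m["app"],
              "facility": facility, "severity": severity, "problem": None}
    ts = parse_timestamp(m["ts"])
    if ts is None:
        result.update(ok=False, problem="timestamp missing or has no time zone")
    elif abs(received_at - ts) > MAX_SKEW:
        skew = int(abs(received_at - ts).total_seconds())
        result.update(ok=False, problem=f"clock skew {skew}s, check NTP on {m['host']}")
    return result

RECEIVED_AT = datetime(2015, 6, 1, 12, 0, 30, tzinfo=timezone.utc)   # constructed
SAMPLE_LINES = [   # constructed
    "<34>1 2015-06-01T12:00:00+00:00 fw01 kernel - - - blocked inbound connection",
    "<165>1 2015-06-01T12:00:05.123Z web01 nginx - - - GET /index.html 200",
    "<13>1 2015-06-01T12:00:00 srv02 app - - - started without a zone",
    "<86>1 2015-06-01T11:30:00+00:00 dc01 sshd - - - accepted publickey",
]

def audit_samples() -> list:
    """Run the checks over the constructed sample lines."""
    return [check_message(line, RECEIVED_AT) for line in SAMPLE_LINES]
```

The third sample line fails because its timestamp has no zone and the fourth because dc01 is half an hour behind the collector; the first two pass and are labelled auth/crit and local4/notice.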
155. Scoping the project
EPS calculation
Storage & capacity management
What you need
Select the best implementation model & architecture
Choose the best SIEM
Considering Q1 Labs, Gartner & others to choose
Conceptual design