Building a Next-Generation Security Operations Center (SOC)
2. © 2015 Sqrrl | All Rights Reserved 2
WHAT ARE WE TALKING ABOUT TODAY?
• Who I Am
• Defining the SOC
– Functions of a SOC
– Do you even need a SOC?
• Organization and Staffing of a SOC
• SOC Workflow
• SOC Technology
• Hunting with Linked Data
3. WHY LISTEN TO ME?
• Over 15 years information security experience
• Ph.D. from SecLab at UC Davis
• Proposed a SOC for Department of Energy
• Implementation Lead for the SOC of a large Federal agency
• Consulted on information security to multiple Federal organizations and commercial clients
4. WHAT IS A SOC?
(Information) Security Operations Center
What a SOC Usually Looks Like vs. What a SOC Should Look Like
(Public domain image from NASA, no endorsement implied)
5. WHAT DOES A SOC DO?
Core SOC Functions:
• Receive Reports
• Incident Detection: Alert Processing, Hunting
• Incident Handling
• Threat Intelligence
• Engineering
Extended SOC Functions:
• Insider Monitoring
• Incident Response
• Forensics
• Communications / Education
• Vulnerability Management
6. DO YOU NEED A SOC?
• You are a target – almost anything of value can be targeted by an attacker
• Cost: Instrumentation, Engineering, Staffing, Management
• Add-ons, Economies of Scale
• Build or Buy or Hybrid?
See: Trost, “Pulling Up Your SOCs: Best Practices for Building and Operating a Security Operations Center (SOC)”, Interop Las Vegas 2015
7. WHO WORKS IN A SOC?
Flat, wide, and all-encompassing model
CIO / CSO → CISO → SOC Manager, with every lead reporting to the SOC Manager:
• Call Center Lead – Tier-1 Analysts
• Detection Lead – Tier-2 Analysts
• Hunting Lead – Tier-3 Analysts
• Threat Lead – Threat Analysts
• Engineering Lead – Engineers
• Incident Response Lead – Incident Responders
• Forensics Lead – Forensic Analysts
• Comm / Ed Lead – Trainers, Comm Specialists
• Insider Lead – Insider Analysts
8. WHO WORKS IN A SOC?
Distributed enterprise model
CIO / CSO → CISO → SOC Manager, with these leads reporting to the SOC Manager:
• Call Center Lead – Tier-1 Analysts
• Detection Lead – Tier-2 Analysts
• Hunting Lead – Tier-3 Analysts
• Threat Lead – Threat Analysts
• Engineering Lead – Engineers
• Site Lead
  – Incident Response Lead – Incident Responders
  – Forensics Lead – Forensic Analysts
  – Insider Lead – Insider Analysts
• Education Lead – Trainers
• Comm Lead – Comm Specialists
9. WHO WORKS IN A SOC?
Nested duties model
CIO / CSO → CISO → SOC Manager, with these leads reporting to the SOC Manager:
• Call Center Lead – Tier-1 Analysts
• Incident Detection and Response Lead – Tier-2 Analysts, Incident Responders, Insider Analysts
• Threat Lead – Threat Analysts
• Advanced Analysis Lead – Hunters, Engineers, Forensic Analysts
• Comm & Ed Lead – Trainers, Comm Specialists
10. WHO WORKS IN A SOC?
Hybrid model
CIO / CSO → CISO → SOC Manager, with these groups reporting to the SOC Manager:
• Call Center – Receive Reports
• MSSP – Incident Detection, Threat Intelligence
• Advanced Analysis Lead – Hunters, Engineers, Forensic Analysts
• Site Leads – Incident Responders, Insider Analysts
• Comm & Ed Lead – Trainers, Comm Specialists
11. HOW DOES A SOC GET WORK DONE?
Or, how I learned to stop worrying and love the process.
Observe → Orient → Decide → Act (the OODA loop)
• Call Center Processes
  – Internal Incident Report
  – External Incident Report
  – Internal Inquiry
  – …
• Detection Processes
  – Malware Detection
    – Zeus Alerts
    – Custom Alert X
    – …
  – …
• Shift Changes
• …
12. WHAT DOES A PROCESS LOOK LIKE?
Some are linear, others not so much.
MONITOR → DETECT → ANALYZE → TRIAGE → RESPOND
Tools (Trost, 2015):
1) Don’t tru
literature
has tran
buzzwo
2) Pilot too
vendor b
3) Tool com
MUST!!
13. HOW MANY PROCESSES DO I NEED?
As many as it takes for your staff to be comfortable and operate in a repeatable manner.
Define Process → Execute Process → Evaluate Process
Use CMMI as a guide, not a bible. Cheat sheet:
14. WHAT CAN TECHNOLOGY DO FOR US?
After all, it got us into this mess…
15. SOC TOOLS
Priority | Function | Tools | SANS Top 20 Control
Core | Receive Reports | Ticketing System; Call Management System | 18
Core | Alert Processing | SIEM, Log Management System, Packet Capture, IDS | 14
Core | Threat Hunting | Linked Data Analysis, Behavioral Analytics | 14
Core | Incident Handling | Ticketing System | 18
Core | Threat Intelligence | Threat Management System | –
Core | Engineering | SIEM, IDS, Health Monitoring | 14
Extended | Insider Monitoring | SIEM, Log Management System, Host Loggers | 16
Extended | Incident Response | State Capture Tools, System Inspection Tools | 18
Extended | Forensics | Log Management System, System Forensics Software, Reverse Engineering Systems | –
Extended | Vulnerability Management | Vulnerability Management System, Patch Management System | 4
Extended | Communications / Education | Communications Management System, Course Creation Software | 9
16. THREAT HUNTING REQUIREMENTS
Linked Data + User and Entity Behavior (Contextual) Analytics
Linked Data:
• Use of ontologies to fuse together disparate datasets into common data models
• Graph query language and visualizations
• Petabyte scale
• Fast ad hoc querying and hypothesis testing
Behavioral Analytics:
• Various types of anomaly detection and machine learning techniques to flag outlier devices and users
• Links as features for analytics
• Alignment to kill chain methodology
• Signature-less
17. HUNTING WITH LINKED DATA ANALYSIS
Different techniques, different perspectives
18. EXPLICIT LINKS ARE STATED
1999-03-29T13:01:38-0500 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 SMTP 1 MD5 text/x-c - 0.000000 T F 1522 - 0 0 F - 6d01739d1d56c64209098747a5756443 - - -
1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 1 delta.peach.mil <hamishs@delta.peach.mil> <tierneyr@goose.eyrie.af.mil> Mon, 29 Mar 1999 08:01:38 -0400 - tierneyr@goose.eyrie.af.mil - <19990329080138.CAA2048> - Phonetics software Tech, - (from mail@localhost) by delta.peach.mil (SMI-8.6/SMI-SVR4)x09id: CAA2048; Mon, 29 Mar 1999 08:01:38 -0400 - 250 Mail accepted 172.16.113.204,194.7.248.153 - F Fz892b2SFbpSayzLyl F
1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 tcp smtp 0.113325 1923 336 SF ShAdDafF 13 2447 12 820 (empty)
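An added example, not from the deck: the three records above share stated identifiers (the connection UID Cr4RV91FD8iPXBuoT6, the file UID Fz892b2SFbpSayzLyl, the two IP addresses), and those shared tokens are the explicit links. The Python below extracts identifier tokens from each record, builds a record-to-identifier graph, and pivots from the file's MD5 out to the mail addresses; reading the records as Bro/Zeek files.log, smtp.log and conn.log rows is an assumption, as are the identifier patterns.

```python
import re
from collections import defaultdict, deque
# Slide records with whitespace collapsed; reading them as Bro/Zeek files/smtp/conn rows is an assumption.
RECORDS = {
    "files": "1999-03-29T13:01:38-0500 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 "
             "SMTP 1 MD5 text/x-c - 0.000000 T F 1522 - 0 0 F - 6d01739d1d56c64209098747a5756443 - - -",
    "smtp": "1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 1 delta.peach.mil "
            "<hamishs@delta.peach.mil> <tierneyr@goose.eyrie.af.mil> Mon, 29 Mar 1999 08:01:38 -0400 - "
            "tierneyr@goose.eyrie.af.mil - <19990329080138.CAA2048> - Phonetics software Tech, - "
            "(from mail@localhost) by delta.peach.mil (SMI-8.6/SMI-SVR4)x09id: CAA2048; Mon, 29 Mar 1999 "
            "08:01:38 -0400 - 250 Mail accepted 172.16.113.204,194.7.248.153 - F Fz892b2SFbpSayzLyl F",
    "conn": "1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 tcp smtp "
            "0.113325 1923 336 SF ShAdDafF 13 2447 12 820 (empty)",
}
# Identifier shapes stated in the records: Bro-style UIDs (C.. connection, F.. file), IPv4, e-mail, MD5.
PATTERNS = {
    "uid": re.compile(r"\b[CF][A-Za-z0-9]{17}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w.-]+\.\w+\b"),
    "md5": re.compile(r"\b[0-9a-f]{32}\b"),
}

def extract_identifiers(record):
    """Every (kind, value) identifier token stated in one record."""
    return {(kind, m.group(0)) for kind, pat in PATTERNS.items() for m in pat.finditer(record)}

def build_graph(records):
    """Bipartite graph: record name <-> identifier node, one edge per mention."""
    adj = defaultdict(set)
    for name, text in records.items():
        for ident in extract_identifiers(text):
            adj[name].add(ident)
            adj[ident].add(name)
    return adj

def linked_records(adj, ident):
    """Records that explicitly state this identifier (one hop away)."""
    return sorted(n for n in adj.get(ident, ()) if isinstance(n, str))

def pivot(adj, start, max_hops):
    """Breadth-first walk over shared identifiers: {node: hops from start}."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] < max_hops:
            for nxt in adj[node]:
                if nxt not in hops:
                    hops[nxt] = hops[node] + 1
                    queue.append(nxt)
    return hops
```

Odd hop counts land on records and even ones on identifiers, so a four-hop pivot from the file hash reaches the sender and recipient addresses through the shared connection UID.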
21. BRINGING IT ALL TOGETHER