How to Build an Efficient Security Operation Center … · The security operations center (SOC) is...
![Page 1: How to Build an Efficient Security Operation Center … · The security operations center (SOC) is a centralized command center for network security event monitoring and incident](https://reader030.fdocuments.in/reader030/viewer/2022021713/5bada14e09d3f2da1b8da6d5/html5/thumbnails/1.jpg)
How to Build an Efficient Security Operation Center with the ArcSight SIEM
February 14, 2018
Hosted By
Dominic J. Listermann
Agile Coach
Blue Agility
Housekeeping
- This “LIVE” session is being recorded
- Recordings are available to all Vivit members
- Session Q&A: please type questions in the Questions Pane
Webinar Control Panel
- Questions
- Toggle View Window between full screen/window mode
Today’s Speaker:
Soma Ismael Bola
IT Security Consultant
LayereDefense & IT INCEPT
What is a SOC?
• The security operations center (SOC) is a centralized command center for network security event monitoring and incident response.
• A SOC is responsible for detecting, analyzing, and reporting unauthorized or malicious network activity by employing advanced threat-hunting capabilities.
• The 3 basic types of SOCs:
Threat-centric | Compliance-based | Operational-based
Threat-Centric SOC
• Proactively hunts for malicious threats on networks
• Focuses on addressing security across the entire attack continuum—before, during and after an attack
Compliance-Based SOC
• Focuses on comparing the posture of network systems to reference configuration templates or standard system builds
• Focuses on addressing security across the entire attack continuum—before, during and after an attack
Operational-Based SOC
• An internally focused organization that monitors the security posture of an organization’s internal network
• Focused on the administration of firewall ACL rules, and so on
Building the SOC
• A SOC requires an investment in Process, People and Technology
Process
Threat Modeling: a process in which IT security and business people gather to determine the key cyberthreats, prioritize them, model out what they would look like in machine data, and then determine how to detect and remediate them
Basic Threat Modeling Process
The objective is to be able to address the following questions for any security incident investigation:
• Who: What IP/Domain was associated with the threat?
• What: What type of threat is on the system?
• When: When did the event occur?
• Where: Where is the geolocation of the originating source of attack?
• Why: Why was the malware designed for this intended purpose?
• How: How did the malware get onto the system?
People
A critical part of any SOC is the process for responding to alerts and incidents, and most SOCs use a multi-tier approach
• Alerts are generated by a variety of devices on the networks
• They go to the first tier of analysts for initial review. If the first tier cannot resolve the incident, it is escalated to the next tier, which is staffed by personnel with more advanced knowledge and incident response tools.
• These alerts generally come from diverse sources, and the type of device determines which events can be extracted.
• DHCP Server
- Transaction Data: Dynamic IP address assignments
- Attribution to a host by MAC address
• DNS Server
- Transaction Data: DNS queries/responses transactions
• AAA Server
- Alert Data: Successful and failed authentication and authorization events.
• IPS
- Alert Data: IPS alerts triggered by the IPS rules and signatures.
• Firewall
- Session Data: Connection events, NAT Translations
- Packet captures: PCAP are collected manually by the firewall administrator
- Statistical data: Top sources and destinations, top access rules
• Proxy (web and email)
- Transactional Data: Documents client requests and server responses.
- Extracted data: Malicious email attachment
Technology
• A balanced security solution that is capable of providing both proactive protection and adaptable expansion
• Automatically assign a severity level to the incident (H/M/L) and gather all your security information in one place
• Able to index all relevant machine data and log file from security and non-security sources in real time
• Able to take the data and enrich it with external data, such as data from Active Directory, asset databases, third-party threat feeds and more
Technology
• Has the flexibility to detect threats through a range of highly accurate, customizable detection methods including correlation rules, risk scoring and anomaly detection before they become breaches
• User-friendly enough to be used by all SOC personnel, and flexible enough to be customized to meet the specific needs of every process and role in the SOC (regulatory compliance: PCI, HIPAA & FFIEC)
• The ArcSight SIEM solution meets all these requirements
A SIEM is more than
• A machine learning system
• An IDS/IPS
• A log aggregation tool
The ArcSight SIEM Solution
• An award-winning set of products for monitoring threat and risk
• ArcSight Enterprise Security Management (ESM) software for large-scale security monitoring deployments
• ArcSight Express, an appliance-based all-in-one offering that's designed for the midmarket, with preconfigured monitoring and reporting, as well as simplified data management.
The ArcSight SIEM Solution
• ArcSight Enterprise Security Manager (ESM): Correlation and analysis engine used to identify security threats in real time & in virtual environments
• ArcSight Logger: Log storage and search solution
• ArcSight Identity View: User identity tracking / user activity monitoring
• ArcSight Auditor Applications: Automated continuous controls monitoring for both mobile & virtual environments
The ArcSight SIEM Solution
• ArcSight Connectors (SmartConnectors) collect event data from a variety of data sources.
• They then normalize, categorize, and aggregate the event data, and securely and efficiently deliver events to ArcSight ESM or ArcSight Express (which combines ArcSight Logger and ESM functions for smaller installations).
• ArcSight Console provides the dashboard for the security operations center (SOC).
• ArcSight web-based consoles can be used by IT operations staff for searching through archived log data and generating compliance reports
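The slides describe the same pipeline twice: once as the data each source contributes (DHCP assignments, AAA successes and failures, IPS alerts) and the technology requirements (index everything, enrich with asset data, assign an H/M/L severity, detect through correlation rules), and once as what a SmartConnector does before handing events to ESM (collect, normalize, categorize, aggregate). The following is an added example written for this page, not ArcSight code and not the presenter's material: a small Python pipeline that normalizes constructed log lines from three of the source types into one event schema, enriches them from a constructed asset database, scores severity, and runs one correlation rule. The log formats, the asset table, the category names and the rule threshold are all assumptions made for the illustration.

```python
"""Added example (not ArcSight code): a minimal SIEM-style pipeline that
normalizes heterogeneous log lines into one event schema, enriches them from
an asset database, assigns an H/M/L severity, and runs one correlation rule.
Every log line, host, address and threshold below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in three source formats (DHCP, AAA, IPS).
RAW_LOGS = [
    "2018-02-14T09:00:01 dhcpd: DHCPACK on 10.0.5.23 to aa:bb:cc:dd:ee:01 (ws-finance-07)",
    "2018-02-14T09:00:05 sshd: Failed password for admin from 203.0.113.9 port 51022",
    "2018-02-14T09:00:06 sshd: Failed password for admin from 203.0.113.9 port 51023",
    "2018-02-14T09:00:07 sshd: Failed password for admin from 203.0.113.9 port 51024",
    "2018-02-14T09:00:09 sshd: Accepted password for admin from 203.0.113.9 port 51025",
    "2018-02-14T09:00:30 ips: SID=2001 msg='Exploit attempt' src=203.0.113.9 dst=10.0.5.23",
]

# Constructed asset database used for the enrichment step.
ASSET_DB = {
    "10.0.5.23": {"owner": "finance", "criticality": "high"},
}

@dataclass
class Event:
    ts: str
    source: str        # dhcp / aaa / ips
    category: str      # normalized category shared across sources
    src_ip: str = ""
    dst_ip: str = ""
    user: str = ""
    outcome: str = ""  # success / failure / n/a
    severity: str = "L"
    extra: dict = field(default_factory=dict)

# One parser per source format; the named groups feed the common schema.
PATTERNS = [
    ("dhcp", re.compile(r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>\S+) \((?P<host>[^)]+)\)")),
    ("aaa", re.compile(r"^(?P<ts>\S+) sshd: (?P<res>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")),
    ("ips", re.compile(r"^(?P<ts>\S+) ips: SID=(?P<sid>\d+) msg='(?P<msg>[^']*)' src=(?P<src>\S+) dst=(?P<dst>\S+)")),
]

def normalize(line):
    """Map one raw log line to the common Event schema; None if the format is unknown."""
    for source, pat in PATTERNS:
        m = pat.match(line)
        if not m:
            continue
        g = m.groupdict()
        if source == "dhcp":
            return Event(g["ts"], source, "address-assignment", dst_ip=g["ip"], outcome="n/a",
                         extra={"mac": g["mac"], "host": g["host"]})
        if source == "aaa":
            outcome = "success" if g["res"] == "Accepted" else "failure"
            return Event(g["ts"], source, "authentication", src_ip=g["ip"], user=g["user"], outcome=outcome)
        if source == "ips":
            return Event(g["ts"], source, "ids-alert", src_ip=g["src"], dst_ip=g["dst"], outcome="n/a",
                         extra={"sid": g["sid"], "msg": g["msg"]})
    return None

def enrich_and_score(ev):
    """Attach asset-database context and derive an H/M/L severity from it."""
    asset = ASSET_DB.get(ev.dst_ip)
    if asset:
        ev.extra["asset"] = asset
    if ev.category == "ids-alert":
        ev.severity = "H" if asset and asset["criticality"] == "high" else "M"
    elif ev.category == "authentication" and ev.outcome == "failure":
        ev.severity = "M"
    return ev

def correlate_bruteforce(events, threshold=3):
    """Correlation rule: N failed logins from one IP followed by a success."""
    failures = defaultdict(int)
    findings = []
    for ev in events:
        if ev.category != "authentication":
            continue
        if ev.outcome == "failure":
            failures[ev.src_ip] += 1
        elif ev.outcome == "success" and failures[ev.src_ip] >= threshold:
            findings.append({"rule": "brute-force-then-success", "src_ip": ev.src_ip,
                             "user": ev.user, "failures": failures[ev.src_ip], "severity": "H"})
            failures[ev.src_ip] = 0
    return findings

def run_pipeline(lines):
    """Normalize, enrich and score every parseable line, then correlate."""
    events = [enrich_and_score(e) for e in map(normalize, lines) if e is not None]
    return events, correlate_bruteforce(events)

if __name__ == "__main__":
    evs, hits = run_pipeline(RAW_LOGS)
    for e in evs:
        print(e.ts, e.source, e.category, e.severity)
    print(hits)
```

The design point is the one the slides make: the IPS alert by itself is only an alert, and the SSH failures by themselves are noise; severity comes from joining the event to the asset record, and the finding that a tier-one analyst should see comes from a rule that spans several normalized events from one source address.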
ArcSight Express Deployment Overview
The ArcSight SIEM Solution
Built-in dashboards for real-time security analytics:
- Malware Activity
- Firewall
- IPS
- Endpoint Logs
- User Activity
ArcSight Logger
ArcSight ESM
• Also included are dashboards that monitor critical infrastructure, such as Cisco appliances, Microsoft Windows and Linux servers, to report quickly on business-critical infrastructure
Develop Key Relationships with External Resources
• SOCs require effective tools, security analysts with comprehensive technical backgrounds, and also strong relationships with external organizations
Questions & Answers
• Please type your questions in the Questions Pane
Upcoming Vivit Webinars
February 28, 2018
Unlock your ALM Investment – Micro Focus ALM and ALM Octane
9:00 - 10:00 AM PST (Los Angeles), 12:00 PM - 1:00 PM EST (New York), 18:00 - 19:00 CET (Frankfurt)
http://www.vivit-worldwide.org/events/EventDetails.aspx?id=1071812&group=
Thank You