Security Operation Center - Design & Build
Transcript of Security Operation Center - Design & Build
Design and Build Security Operation Center
Sameer Paradia
Contents
• Presentation Objective
• Security Operation Center (SOC)
– What is it? Why is it required?
• Designing SOC
• Building Blocks
– Infrastructure
– People
– Process
– Tools
– Securing the SOC
• New Trends
• Acronyms
Objective of this Presentation
• Useful to both enterprise and service provider
• Insight in design methodology & components
• Define framework from design to build SOC
• Define and roll out SOC services
Aligning Business with SOC
CFO: “Reduce TCO now, limit liability in future”
IT: “Reduce risk, improve incident management”
Business Head: “Protect Brand, ALWAYS!”
Why SOC? Overcome Challenges
• Aligned with Business goals
• Shared service to reduce cost
• Improves Risk posture
What is SOC?
SOC Goals
• Operates 24x7 from central offsite location
• Proactive response to security incidents
• Predict security attacks and reduce their impact
• Implements security policy across the enterprise
• Reduce cost of security support by providing centralized remote support
• SOC Delivers
– Incident Management
– Governance Risk Compliance
– Monitoring and Management of Devices / Events
– Implement security policy
DESIGN
Design Criteria
• Infrastructure
• Human Resources
• Process Management
• SOC Tools and Technologies
• Security Controls: Secure the SOC
• Link with Government agency and knowledge sites
Design Flow
One: Inputs for SOC design
a) Service catalogue based on business need / client requirements
b) EPS
c) Number and types of devices under management
Two: Tools selection and designing
a) EPS, number of devices
b) SLA, Reporting
c) SIEM
d) Web portal, Storage / Back up
e) Connectivity
f) Integration of tools
Three: Human resources
a) One resource for 50 devices management in a shift of 8 hours
b) One admin per 5-7 resources
c) One analyst for 10 resources
d) Tool management and Consultants based on tools and GRC services
Four: Service desk
a) Separate function
b) Receive and forward calls / ticket opening, initial support
c) 12-15 calls per shift of 8 hours per resource
Five: Infrastructure
a) 55 Square Feet per seat (Agent)
b) One seat means overall usable area including all facilities
Six: Power usage and UPS capacity to be calculated based on rated power usage of all tools and uptime SLA
Seven: Security Controls, Secure the SOC
a) Physical Security
b) Information Security
c) Authentication & Access Management
Eight: Compliance Management
a) Law of the region
b) ISMS
c) Data protection laws
Nine: Process Management
a) BAU Day to day process / SOP
b) Foundation process
c) Service improvement
d) Governance process
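The staffing, service-desk and floor-space ratios from steps Three to Five can be applied as a sizing calculator. This is an added example, not from the slides; it assumes that three 8-hour shifts give 24x7 coverage, that seats are needed only for staff on duty at the same time, that no leave or weekend factor is applied, and the log-storage function takes bytes-per-event and retention inputs that the slides do not state.

```python
# Added example (not from the original slides): applies the staffing,
# service-desk and floor-space ratios from the Design Flow steps.
import math

DEVICES_PER_RESOURCE = 50           # one resource manages 50 devices per 8-hour shift
RESOURCES_PER_ADMIN = (5, 7)        # one admin per 5-7 resources
RESOURCES_PER_ANALYST = 10          # one analyst per 10 resources
CALLS_PER_DESK_RESOURCE = (12, 15)  # service desk: 12-15 calls per 8-hour shift per resource
SQFT_PER_SEAT = 55                  # usable area per seat, all facilities included
SHIFTS_PER_DAY = 3                  # ASSUMED: 24x7 coverage = three 8-hour shifts


def shift_staffing(devices, calls_per_day):
    """Headcount for one 8-hour shift; ranges are (min, max) where the
    slides give a ratio range rather than a single number."""
    resources = math.ceil(devices / DEVICES_PER_RESOURCE)
    # 1 admin per 7 resources is the lean case, 1 per 5 the generous case
    admins = (math.ceil(resources / RESOURCES_PER_ADMIN[1]),
              math.ceil(resources / RESOURCES_PER_ADMIN[0]))
    analysts = math.ceil(resources / RESOURCES_PER_ANALYST)
    calls_per_shift = calls_per_day / SHIFTS_PER_DAY  # ASSUMED: calls spread evenly
    desk = (math.ceil(calls_per_shift / CALLS_PER_DESK_RESOURCE[1]),
            math.ceil(calls_per_shift / CALLS_PER_DESK_RESOURCE[0]))
    return {"resources": resources, "admins": admins,
            "analysts": analysts, "service_desk": desk}


def soc_plan(devices, calls_per_day):
    """Seats, floor area and 24x7 headcount derived from one shift's staffing."""
    s = shift_staffing(devices, calls_per_day)
    seats_min = s["resources"] + s["admins"][0] + s["analysts"] + s["service_desk"][0]
    seats_max = s["resources"] + s["admins"][1] + s["analysts"] + s["service_desk"][1]
    return {
        "per_shift": s,
        # ASSUMED: seats are needed only for the staff on duty at the same time
        "seats": (seats_min, seats_max),
        "area_sqft": (seats_min * SQFT_PER_SEAT, seats_max * SQFT_PER_SEAT),
        # ASSUMED: no leave or weekend cover factor; three rotations of one shift
        "total_headcount": (seats_min * SHIFTS_PER_DAY, seats_max * SHIFTS_PER_DAY),
    }


def log_storage_gb(eps, bytes_per_event, retention_days):
    """Raw (uncompressed) log storage in GB for a sustained EPS figure; the
    bytes-per-event and retention inputs are not given on the slides."""
    return eps * 86400 * retention_days * bytes_per_event / 1e9


if __name__ == "__main__":
    print(soc_plan(devices=1200, calls_per_day=300))
    print(log_storage_gb(eps=2000, bytes_per_event=500, retention_days=90))
```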
Build SOC Approach
Phases, from strategic through tactical to operational: Engage, Business Case, Manage, Design/Secure, Build & Transit, Run & Support
Activities across the phases:
– Risk Assessment, Business requirement
– Business Case, Planning, Designing
– Project Management, Resource Management
– Infra/Tools implement, SOC process setup
– SOC Detailed Design, Process Framing, SOC Security Design
– Day to day operations, Deliver service catalog, Improvement plan
• SOC service catalog needs to be put in place
• Phase-wise rollout of services is advisable
BUILDING SOC APPROACH - DETAILED STEPS
Business: Business Requirement Analysis, Demand Management, Risk Assessment, Service Level Management
Strategic
– Engage / Business Case and Plan: IT Strategy Planning, IT Governance, Security Architecture, Policies and Standards, Develop & Approve Business case, Program Portfolio Management
Tactical
– Manage: IT Finance & Resource Management, IT Human Resource Management, Project Management, Knowledge Management, Work Request Management, Monitor & Report Performance, Quality and Improvement
– Design and Secure: Security Service Catalog, Supplier Management, Availability and Capacity Management, IT Service Continuity Management, Security Management
– Support: Service Request Fulfillment, Incident Management, Problem Management, Access Management
– Build and Transition: Build SOC, Service Transition & Planning, Service Validation/Testing, Service Evaluation, Release and Deployment Management, Change Management
Operational
– Run (Operate and Control): Event Management, Operations, Device Management, Application Management, Service Asset and Configuration Management
SOC Detailed Engineering
• SOC Service Catalogue lifecycle: Consult, Assess, Define, Deliver, Monitor; Plan, Design, Build, Analyze, Maintain
• Device Management; Management of Incident, Change and Asset
• Project Management
• Assessment and Risk Management: Security Management Framework Assessment, Policy GAP Assessments, Penetration Testing & Vulnerability Assessment, Governance Monitoring, Technology & Architecture Reviews
• Other Services from SOC: Endpoint Security, Anti-virus, Web Security, URL Filtering, Mail Security, Application Security, Analytics, Multi factor Authentication, Encryption, Federation, SSO
• Operation: Remote Configuration & back up of logs; New projects, Remote support; Patch management / Software upgrade
• Security Technology: Firewalls/VPN, IDS/IPS, UTM, Gateway level, Datacentre, DLP; Device level security; End user security; Log analysis; Event Management; Reporting
• Content Security; Identity / Access Management; Perimeter/Datacentre; Policy Compliance
• Security Assurance and Advanced Services: Forensic / Investigation, Governance Risk Management Compliance, Service Assurance, Abuse Prevention, Call Service Management, IPT Availability, Malware analysis, Black box testing, White box testing, Suspicious Activity monitoring
• Security Strategy: Define Security framework, Security Policy framing, Audit, Policy Enforcement
• Advisory Services: CERT Integration, Risk Assessment, Risk Mitigation plan, VA/PT, Ethical Hacking, Gap Analysis, Threat Management/Assessment, Data/Voice/Video technological architecture assessment, Risk repository, Log analysis
• Compliance: Security Policy Assessment, Data Protection Assessment, DLP Management, Information Act compliance assessment, Violation of security policy, End point policy assessment, Reporting
• BCP / DR Management
Phase wise Service Launch
1st Phase
• Start with basic Perimeter / Datacentre security services
• Event Monitoring, Device/Policy Management, Incident/Change/Asset management
• Integrate networking equipment security into SOC
2nd Phase
• Expand to endpoint and cloud based security
• Bring in Endpoint machines / BYOD under SOC monitoring/management
3rd Phase
• GRC related services
• Consultancy services
• Forensic service
• Application level testing/security
• Business process monitoring and fraud alerts
Service Description
1st Phase
a. Firewall/VPN (IPSEC/SSL)
b. IPS / IDS
c. UTM (Unified Threat Management)
d. Vulnerability Assessment
e. Event Correlation and Incident/Change/Asset management
f. Gateway level Antivirus
g. Datacenter security
2nd Phase
a. In the Cloud services: Clean Internet pipe, DDOS protection, Secure Mail, Secure Web access
b. Endpoint Security
c. URL Filter / Secure Proxy
d. Information Leak Prevention
e. Datacenter / Application level: Penetration Testing, Ethical Hacking
3rd Phase
a. Identity Management
b. Database Security
c. Application Security for Web, SAP, Portal, Database etc.
d. Compliance of ISMS, Country specific IT / Data protection act
e. Fraud Management
f. Forensic / Investigation
INFRASTRUCTURE
Infrastructure Blocks of SOC
• SOC office Space: Minimum 55 Sq ft per seat
– Structured and secured LAN cabling
– Same types of furniture and PC/Monitors, Hardware
– Video Walls
– Scalable area on same floor/Building
– Card access and biometric access controls
• Power: Mains and Back up UPS/DG set. Electrician available for emergency
– PDP: Power Distribution Panels / Emergency power switching panel
– DG set: Diesel storage area
– Lighting in facility / Energy saving plan
• Precision Air conditioning
• Datacentre: Rack space to host tools and customer facing portals
– Hosts customer facing portal, SIEM, NMS, Service desk, Storage, Back up tools
– Storage for logs and configurations of IT assets
– Back up devices and Tape library
• Various control rooms need to be in place as below:
– Building Management System (BMS) room: Centralized monitoring room, integrated with video surveillance, visitor management system and Fire management system
– Security surveillance room: same room as BMS
– Fire management systems: Same room as BMS
• Connectivity:
– MUX room to terminate the various Telecom links from customer premises; feasibility for the same must be in place
– VPN concentrator: To connect to customer over Internet using IPSEC VPN/SSL VPN
Infrastructure Blocks of SOC
Visitor lounge / Presentation area
Visitor lounge
• Customers visit SOC to audit the infra as per contract signed
• Must be in quarantine area to interact with SOC staff
• Secured PC to be provided, in case visitors need to access their systems
• NDA must be signed by visitors
Presentation area
• SOC needs a separate area at the entrance which is physically isolated from the SOC sitting area using a glass wall with curtain
• Presentation conference hall should be able to accommodate enough people
• Equipped with projectors/Video Conferencing facility
War Room
• War room is a dedicated space where the entire team responsible for major incident resolution meets up and handles the issue.
• They need to interact with customers and partners to resolve the incident
• Equipped with communication like LAN, voice, Video Conference
• Separate War room is required to ensure other SOC operations teams are not disturbed and customer issue confidentiality is ensured
PEOPLE
SOC TEAM
SOC Governance Model
• Leadership: Board/Share Holders, CEO/COO, CFO/CIO, CISO, Risk Manager, Business Head, SOC Manager
• Internal Teams: Incident Response, Monitoring Team, Technical/Tools Admin, Analyst/SME, Forensic Expert, Service Desk, Organization Risk Management, Information Security, Admin/HR, Legal, Compliance, Sales, Branding
• External Stake Holders: Auditor/Consultant, Partners, Vendors/Suppliers
• Governed by: Country Legislation, Data Protection Laws, Industry specific Compliance, Industry Best Practice
SOC PEOPLE
Analyst
• Expert of Security Technology and process
• Understand attacks and threat matrix
• Good at low level programming language
• Extremely good at reaching the root cause
• Think out of the box
• Understand Virus, Trojans, backdoor, malicious code
• Drive people
• Proactive by nature
Tech admins
• Expert of Security, OS, Network, Web technology, Database
• Configure tools and security technologies
• Great at low level designing
• Frame and implement security policies in technologies under SOC
• Forensic expert
• Quick at Incident response
• Can interact and drive vendors, OEM, Government bodies
Management
• Leadership to take all stakeholders together
• Stitch the solutions from different teams and drive them to conclusion
• Understand security posture and able to guide the team
• Good communication skills
PROCESS
SOC Process Framework
• Pillars: Tools & Technology, Human Resources, Process, GRC, Forensic, Consultancy, BCP-DR
• Foundation Process: People Operations, Shift Scheduling, Daily Checklist, Training, Talent Management, New Project Management; Reporting, Realtime Dashboard, Analysis, Portal; KGI, KPI, Best Practice, CERT Feed, SOC ISMS/Law Compliance Support, Log Management, Testing Advisory
• QMS / KEDB / Documentation / Improvement: SOP Develop/Review, QMS / SOC Process
• BAU SOC Operation Process: System Modelling, Configuration Management, Access/User Management, Event Triage of Correlation, Monitoring, Routing, SOC Infra/Application Management, Event Fusion, Use Cases, Project Management, Fusion, Analysis, Reporting
• Tools & Technology: Existing Tool Management, Updates, Testing; Security tools like SIEM, VA, NMS/EMS, Service Desk, Web Portal, Back up, Storage, Middleware; Integration with current & new tools, Client systems; Transition and on boarding of new devices with tools; POC of new releases and upcoming technologies
• SOC Governance: Incident Management, Major Attack response, Incident Analysis, Event Correlation, Problem Management, Release Management, Configuration Management, Change Management, Event Monitoring, Service Desk
SOC Process
The number of processes and procedures for an SOC is determined by its scope, how many services are offered, the number of customers supported, and the number of different technologies in use. An established global SOC environment may have tens or even hundreds of procedures. At a minimum, the basic procedures that are required for maintaining the SOC are:
• Monitoring procedure
• Notification procedure (email, mobile, home, chat, etc.)
• Notification and escalation processes
• Transition of daily SOC services
• Shift logging procedures
• Incident logging procedures
• Compliance monitoring procedure
• Report development procedure
• Dashboard creation procedure
• Incident investigation procedures (malware, etc.)
• SIEM monitoring and correlation
• Antivirus monitoring and logging
• Network and host IDS/IPS monitoring and logging
• Network and host DLP monitoring and logging
• Centralized logging platforms (syslog, etc.)
• Email and spam gateway and filtering
• Web gateway and filtering
• Threat monitoring and intelligence
• Firewall monitoring and management
• Application whitelisting or file integrity monitoring
• Vulnerability assessment and monitoring
GRC
• Define Risk Control / Risk Governance: Set objective and form steering committee; Framing of Security policy based on Gap analysis; Mapping of IT laws with security policy
• Implementation: Implement & manage IT controls / checkpoints
• Periodic Assessment: Review of security posture and risk profile; Periodic assessment/Audit; Reporting of compliance status to Management
• Sustain Controls: maintain the State of Control
• Compliance: To Law of region, Data protection law, InfoSec Policy
Forensics
Process
• Acquisition: Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices
• Identification (Technical Analysis): Identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites
• Evaluation (What the Lawyers Do): Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court
• Presentation: Presentation of evidence in a manner understood by lawyers and non-technical staff, and suitable as evidence as determined by a court of law
Challenges in Forensics
• Acquisition: Handling huge volume; Identifying and taking control of equipment
• Identification (Technical Analysis): Correlating data from various technologies and equipment; Speed of processing
• Evaluation (What the Lawyers Do): Defending evidence in court by Police
• Presentation: Relating evidence with Law clauses (IPC); Creation of supporting cases
TOOLS
SOC Tools Modules
1. Event generators
• All devices/software under SOC
• Log generators
• External feed viz. CERT
2. Event collectors
• Local as well as central devices to collect and normalize huge volumes of events/logs into a few useful messages, device status and alerts
• NMS/EMS/Service Desk
3. Message database
• Analyze and display messages as per configured policy
4. Knowledge base
• System Modelling is configured based on Risk Management, Threats and action taken by security controls/policy deployed
• Real time event correlation; creates incidents based on the Risk posture fed into it
5. Client / User facing portal hosts
• Reports, Analysis, Knowledge management, Real-time status & events
Working of SOC Tools
• Event Generators / Monitored systems: Firewall, IPS, Network Equipment, OS, Applications, VA / RA Tools
• Collection & Normalization: Events and Polling over Syslog, SNMP, SMTP, HTTP/XML, Proprietary protocols
• Message Database: Message, Status, Alerts
• Knowledge Base: Correlation, Client Config records, Analysis, Security Policy, Customer Status, Vulnerability DB, System Modelling, Status Integrity, Risk Evaluation, Security Activity, System Status
• Portal, viewed by Stake holders: Incident Handling, Analysis, Real time Monitor
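The collector, message database and knowledge base chain above can be shown as a small pipeline. This is an added example, not the deck's own tooling; the log lines, the vulnerability DB entries and the asset risk ratings are constructed, and the single correlation rule (an IDS alert matching an open vulnerability on the target host) illustrates what a knowledge base rule fed by the vulnerability DB and risk evaluation looks like.

```python
# Added example (not from the original deck): collector -> message database
# -> knowledge-base correlation, using constructed log lines and records.
import re
from collections import Counter

# Constructed sample input: three identical firewall denies and two IDS alerts
RAW_EVENTS = [
    "fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445",
    "ids02 ALERT sig=SMB-EXPLOIT-ATTEMPT src=203.0.113.7 dst=10.0.0.5",
    "ids02 ALERT sig=PORTSCAN src=198.51.100.9 dst=10.0.0.8",
]

# Constructed knowledge base: vulnerability DB (host -> open findings) and
# client configuration records carrying the risk evaluation per asset
VULN_DB = {"10.0.0.5": {"SMB-EXPLOIT-ATTEMPT"}}
ASSET_RISK = {"10.0.0.5": "high", "10.0.0.8": "low"}

# One regex per vendor format handled by the collector
FW_RE = re.compile(r"^(?P<dev>\S+) (?P<action>DENY|ALLOW) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r"^(?P<dev>\S+) ALERT sig=(?P<sig>\S+) "
                    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def normalize(line):
    """Event collector: map one vendor line onto the common schema, or None."""
    m = FW_RE.match(line)
    if m:
        return {"device": m["dev"], "type": "firewall", "action": m["action"],
                "src": m["src"], "dst": m["dst"], "sig": "port-" + m["dport"]}
    m = IDS_RE.match(line)
    if m:
        return {"device": m["dev"], "type": "ids", "action": "ALERT",
                "src": m["src"], "dst": m["dst"], "sig": m["sig"]}
    return None  # unknown format: not stored, so the caller can count drops


def message_db(lines):
    """Collapse repeated normalized events into one message with a count,
    which is how a flood of raw logs becomes a few useful messages."""
    counts = Counter()
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            counts[tuple(sorted(ev.items()))] += 1
    return [dict(key, count=n) for key, n in counts.items()]


def correlate(messages):
    """Knowledge base rule: an IDS alert whose signature matches an open
    vulnerability on the target host becomes an incident; severity comes
    from the risk evaluation of that asset."""
    incidents = []
    for msg in messages:
        if msg["type"] == "ids" and msg["sig"] in VULN_DB.get(msg["dst"], ()):
            incidents.append({"host": msg["dst"], "src": msg["src"],
                              "sig": msg["sig"],
                              "severity": ASSET_RISK.get(msg["dst"], "unknown")})
    return incidents
```

Running `correlate(message_db(RAW_EVENTS))` reduces the five raw lines to three messages and raises one high-severity incident for 10.0.0.5, while the portscan against the unaffected host stays a message only.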
Key Tools for SOC
• SOC Core Technology & Services Support Tools: SIEM, NMS/EMS, Service Desk (ITIL Process Automation), Device Management servers, Client facing Web portal for Reports / Status update, Storage & Back up, Syslog server, FTP server, Log analyzer/Storage, Analytics / Reporting, Middleware
• Assess: Network and OS scanner, OS/DB/Network Scanner, VA/PT Assessment, Registry Scanner, Password Recovery / EH Tool, Traffic Generator, Packet Analyzer, Forensic Tools, Honeypot
• Prevent / Strengthen: Certificate Authority, Encryption Key Generator, Authentication / IDM, GRC Tool, Patch Management
Service Desk and SOC Process Management: Service Desk and SOC Process Management
Tools Integration
• Users access the Portal (Reports / Analysis / Realtime Dashboard)
• Middleware / API Correlation-Integration Layer sits below the Portal
• Connected systems: SIEM, SD/NMS/EMS, Database / KEDB, GRC Tools, Polling Engine/Data Flow, Device Management & Client facing portal
• Data exchanged: Device status, Events, Incidents, Device Management, VA/PT/EH, System Modelling, Security Policy
SOC SECURITY
Securing the SOC: Security Controls
It is imperative to protect the SOC environment with the following controls
• Layered security
– Information security for SOC users and Information
– Physical security for SOC users, visitors and Infrastructure
– Common security layer for all information and, based on contract, additional security controls implemented
• Information Security for SOC users and Infrastructure
– Process level: ISMS (Information Security Management System)
– Integration of security controls with SIEM/Service desk tools
– IDM: Authentication and Identity access management, Multi factor authentication
– Network level: Firewall, IPS, VPN, Antivirus, Web filter software
– Desktop level: Antivirus, security compliance, Strong authentication and access control
– Datacentre level: Firewall, IPS, VPN, Antivirus, Host based IDS
– Access log: Syslog server for user audit trail and analysis
Securing the SOC: Physical Security Controls
For SOC users, visitors and Infrastructure
– Security guards on round the clock duty
– Video Surveillance: monitor human movement
– Biometric controls: For access to Datacenter and critical SOC areas
– Tape vault: To store the logs generated in tapes and backup. This is a statutory requirement
– Access card: to operate doors and movement in and out of SOC
– Visitor Management System: Register entry and pass generators, badge card for visitors
– Glass and other barriers for dedicated space for certain clients in SOC
NEW TRENDS
Summary of future SOC and new trends:
• Future SOC will spend more time on security analytics and less time on device monitoring
• New age SOC will use more resources to identify new, unknown threats/malware/malicious code and less time blacklisting known threats after attacks
• Big Data will be part of SOC tool set
• Out of the box SOC with less integration work between the different tool sets in SOC
• Integrated with Social sites to know human behavior and predict the attacks
• Integrated with national agencies and international CERT to have uniform and instant response to attacks
• Able to counter attack and stop all future activities from attackers from internet/internal users
• SOC will act as single agency to prevent security incidents, frauds happening in E-Systems, compliance of regional laws across geography boundaries
• Will proactively provide alerts for financial frauds and violation in business process
Acronyms
• API: Application Programming Interface
• BAU: Business As Usual, Daily operations
• BCP/DR: Business Continuity Plan / Disaster Recovery Plan
• BYOD: Bring Your Own Device
• CEO: Chief Executive Officer
• CFO: Chief Finance Officer
• COO: Chief Operating Officer
• CERT: Computer Emergency Response Team
• CISO: Chief Information Security Officer
• DDOS: Distributed Denial of Service attack
• DG: Diesel Generator
• DLP: Data Leak Prevention
• EH: Ethical Hacking
• EMS: Enterprise Management System, used for Datacenter device monitoring
• EPS: Events Per Second
• GRC: Governance, Risk, Compliance
• IDS: Intrusion Detection System
• IPS: Intrusion Prevention System
• ISMS: Information Security Management System
• ITIL: Information Technology Infrastructure Library
• KPI: Key Performance Indicator
• KGI: Key Goal Indicator
• KEDB: Known Error Database
• OEM: Original Equipment Manufacturer
• OS: Operating System
• NOC: Network Operation center
• NDA: Non Disclosure Agreement
• NMS: Network Management System
• PC: Personal Computer
• PT: Penetration testing
• SD: Service Desk
• SIEM: Security Incident and Event Management
• SLA: Service Level Agreement
• SOC: Security Operation Center
• UTM: Unified Threat Management
• VA: Vulnerability Assessment
• VPN: Virtual Private Network
Sameer Paradia (CGEIT, CISM, CISSP) ([email protected])
Practicing IT Security Services and Outsourcing for the past 22+ years
Photo acknowledgment:
https://www.flickr.com/photos/babalas_shipyards/5339531237/in/photostream/
http://www.flickr.com/photos/forgetmeknottphotography/7003899183/sizes/l/in/photostream/