Next-Gen Security Operations: From SOC to CSOC
Narayan Neelakantan & Abhijit Dhongade
September 20, 2017
www.blockarmour.com
1
Restricted Use Only
Agenda
• Background
• Security Operations Center
• SOC – Building Blocks
• Cyber Security Operations Center
• Use Cases
• Case Study
Threat Landscape
• E-mail malware rate jumped from 1 in 220 e-mails in 2014 to 1 in 131 e-mails in 2016
• Threats were perpetrated by 75% outsiders, 25% insiders
• 357 million unique malware variants identified in 2016
• 27% of breaches discovered by third parties
• Cyber attackers revealed new levels of ambition in 2016, a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and some of the biggest distributed denial of service (DDoS) attacks on record, powered by a botnet of Internet of Things (IoT) devices
• 61% of data breach victims are businesses with under 1000 employees
Source: Verizon, Symantec – 2017 report
Underground Marketplace
Source: Symantec – 2017 report
Security Operations Center (SOC)
“A team primarily composed of security analysts organized to detect, analyze, respond to, report on and prevent cybersecurity incidents”
- Carson Zimmerman
Ten Strategies of a world class Cyber Security Operations Center
Security Operations Center
Central Location to Detect and Respond to Incidents
• Assets
• Data
• People
• Logs
• Alerts
• Correlation
• Containment
• Eradication
• Recovery
• Evidence
• Chain of Custody
• Forensics
Traditional SOC – Functions
Implementation
SOC Engineering
• Manage Tooling
• Use Cases
• Fine-Tuning Rules
Incident Analysis & Triage
• Monitoring & Analysis
• Escalation
Incident Response
• Investigation
• Containment
• Eradication
• Recovery
Traditional SOC - Sample Org Structure
SOC
• Incident Analysis & Triage: Engineer (L1), Analyst (L2)
• SOC Engineering: Subject Matter Expert (SME)
• Incident Response: Incident Handler (L3)
• Forensics
Traditional SOC – Limitations
• Limited Visibility
• Cannot detect sophisticated attacks
• Response mechanism not adequate to deal with today’s cyber threats
• Highly dependent on people skills
CSOC – Key Objectives
• Enhanced Visibility
• Effective Detection
• Near real-time Incident Response
Elements of a Cyber Attack
Threat Actor
• Cyber Criminal
• Script-Kiddie
• Internal
• Corporate Espionage
• Hacktivists
• Nation State
Target
• Organizations & Corporates
• Critical Infrastructure
• Government agencies
Attack Vectors
• Web
• Removable media
• Network
• Social media
Motive
• Financial gain
• Data Exfiltration
• Intellectual property theft
• Espionage
• Damage reputation
Threat Model
CSOC – Functions
CSOC – Implementation
THREAT INTELLIGENCE
• Strategic
• Tactical
• Operational
• Integration: STIX/TAXII
ANALYTICS & HUNTING
• Predictive Analysis
• Scenarios
• Big Data Capability
• Historical Data
CSOC - Sample Org Structure
SOC
• Incident Analysis & Triage: Engineer (L1), Analyst (L2)
• SOC Engineering: Subject Matter Expert (SME)
• Incident Response: Incident Handler (L3)
• Analytics & Hunting: Subject Matter Expert (SME)
• Threat Intelligence: Subject Matter Expert (SME)
• Forensics
CSOC - Tooling
• SIEM
• Anomaly Detection
• Threat Intelligence
• Analytics
• EDR
• Deception Technology
• Response automation
CSOC – Trends
• Incident Response is primarily managed in-house, except for reverse engineering
• Endpoint Detection & Response (EDR) is the most used capability for response
• Outsourced activities are primarily threat research, forensics, and security monitoring & detection
• Working cohesively with the IT Operations team continues to be one of the biggest challenges
• Organizations have started using threat hunting with automated data collection and correlation to help remediate unknown threats
• The majority of organizations are in the process of developing plans to monitor IoT devices
• Organizations are considering adoption of response automation tools to speed up remediation
Source: SANS Future SOC Survey – May 2017
Summary
• Identification of crown jewels is crucial
• Tooling must be continuously fine-tuned
• Well-defined processes within the CSOC for triage, analysis and escalation
• People strategy
• Robust organization-wide incident response process
• Simulations & drills to measure effectiveness
• Response automation
Use Case 1 – Detecting a Targeted Attack
• Reconnaissance event → Capture attacker IP and add to Active List
• Is it for open ports?
  – No: Do not trigger alert; check if more traffic is observed from attacker
  – Yes: Does vulnerability exist?
    – No: Trigger medium priority alert and add to Active List 2; monitor the attacker for further activities
    – Yes: Trigger high priority alert; check for vulnerability being exploited
• Dramatically improved identification of real incidents
• False positives reduced by 85%
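The flow above is a correlation rule: every reconnaissance source is recorded, but only probes against exposed services produce alerts, and only probes against services with a known weakness are high priority. The example below is added here and is not code from the slides; it implements that decision tree over constructed firewall/IPS events enriched with constructed vulnerability-scanner context (the hosts, ports, addresses and the scanner finding are all placeholders) and compares the alert count with a naive "alert on every scan" baseline.

```python
"""Added example (not from the slides): the Use Case 1 decision flow as a
SIEM-style correlation over constructed reconnaissance events. Addresses,
ports and the scanner finding below are placeholders, not real data."""
from dataclasses import dataclass, field

# Constructed enrichment: open ports per internal host, and scanner findings per service.
OPEN_PORTS = {"10.0.0.5": {22, 443}, "10.0.0.9": {80}}
VULNERABLE_SERVICES = {("10.0.0.9", 80): "placeholder: unpatched web server finding"}


@dataclass
class ReconEvent:
    src_ip: str     # attacker-side address as seen by the firewall / IPS
    dst_ip: str
    dst_port: int
    signature: str  # e.g. the IPS scan signature name


@dataclass
class SocState:
    active_list: set = field(default_factory=set)    # Active List: every recon source
    active_list_2: set = field(default_factory=set)  # Active List 2: sources probing open ports
    alerts: list = field(default_factory=list)


def handle_recon_event(ev: ReconEvent, state: SocState) -> str:
    """Return the flowchart outcome for one event: 'monitor', 'medium' or 'high'."""
    # Capture attacker IP and add to Active List, regardless of what follows.
    state.active_list.add(ev.src_ip)
    # Decision 1: is the probe for a port we actually expose?
    if ev.dst_port not in OPEN_PORTS.get(ev.dst_ip, set()):
        # Do not trigger alert; the active list lets later rules see more traffic from this source.
        return "monitor"
    # Decision 2: does a known vulnerability exist on that service?
    finding = VULNERABLE_SERVICES.get((ev.dst_ip, ev.dst_port))
    if finding is None:
        state.active_list_2.add(ev.src_ip)
        state.alerts.append(("medium", ev.src_ip, ev.dst_ip, ev.dst_port, None))
        return "medium"
    # Open port with a known weakness: high priority, and the pair is flagged
    # so follow-up rules can check whether the vulnerability is being exploited.
    state.alerts.append(("high", ev.src_ip, ev.dst_ip, ev.dst_port, finding))
    return "high"


def run_correlation(events):
    """Run the flow over a batch and compare with a naive 'alert on every scan' baseline."""
    state = SocState()
    outcomes = [handle_recon_event(ev, state) for ev in events]
    return {
        "outcomes": outcomes,
        "baseline_alerts": len(events),          # one alert per recon event, no context
        "correlated_alerts": len(state.alerts),  # only probes that matter
        "active_list": sorted(state.active_list),
        "active_list_2": sorted(state.active_list_2),
        "high": [a for a in state.alerts if a[0] == "high"],
    }


# Constructed sample batch (RFC 5737 documentation addresses, not real attackers).
SAMPLE_EVENTS = [
    ReconEvent("203.0.113.7", "10.0.0.5", 3389, "TCP port scan"),   # closed port -> monitor
    ReconEvent("203.0.113.7", "10.0.0.5", 22, "TCP port scan"),     # open, no finding -> medium
    ReconEvent("198.51.100.4", "10.0.0.9", 80, "Web app scanner"),  # open + finding -> high
    ReconEvent("198.51.100.4", "10.0.0.9", 8080, "TCP port scan"),  # closed port -> monitor
    ReconEvent("192.0.2.33", "10.0.0.5", 445, "SMB probe"),         # closed port -> monitor
]

if __name__ == "__main__":
    print(run_correlation(SAMPLE_EVENTS))
```

On the constructed batch, five recon events yield two alerts instead of five; the three closed-port probes stay visible through the active list rather than as alerts, which is the mechanism behind the false-positive reduction the slide reports.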
Use Case 1 – Detecting a Targeted Attack
Actors
• Cyber Criminals
• Hacktivists
• Script Kiddies
• Cyber Espionage
Log Sources
• Firewall
• IPS
• Vulnerability Scanner Reports
SIEM Content
• Rules
• Reports
• Dashboards
• Live Monitoring Channels
• Watch Lists
Use Case 2 – Detecting APT Attack
• Capture IoCs from Threat Intel and populate Active List
• Malicious Email / URL detection events → Capture Source IP and add to Active List
• Check for events from Source IP and match with IoC Active List & C&C IP
  – Matching events? No: Monitor the Source IP for further suspicious activities
  – Matching events? Yes: Trigger very high priority alert; block access to C&C server and contain the host
• Check for connections with other internal hosts from Source IP → Check for events from other hosts and match with IoC Active List
  – Matching events? No: Monitor the Source IP for further suspicious activities
  – Matching events? Yes: Trigger very high priority alert
• Early stage detection & containment of APT attacks
• Improved visibility of attacker activities
• One-to-one correlation with Cyber Kill Chain
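The APT flow chains three lookups: a mail-gateway or proxy detection puts the source IP on an active list, later events from that IP are matched against the IoC list and C&C addresses, and hosts it connects to internally are watched as well. The example below is added here and is not code from the slides; it implements that chain over constructed events from mail gateway, proxy, firewall and EDR sources. Every indicator value is a placeholder (reserved example domains, RFC 5737 addresses, the MD5 of empty input) standing in for what a threat-intel feed would populate into the active list.

```python
"""Added example (not from the slides): the Use Case 2 flow as a time-ordered
correlation over constructed events. IoC values are placeholders."""
from dataclasses import dataclass

IOC_ACTIVE_LIST = {                       # populated from threat intel in the real flow
    "evil-updates.example",               # placeholder malicious domain
    "payload-cdn.invalid",                # placeholder malicious domain
    "d41d8cd98f00b204e9800998ecf8427e",   # placeholder file hash (MD5 of empty input)
}
C2_IPS = {"203.0.113.45"}                 # placeholder C&C address
INTERNAL_PREFIX = "10.0.0."


@dataclass
class Event:
    ts: int              # constructed epoch-like seconds
    source: str          # mailgw | proxy | firewall | edr
    src_ip: str
    dst_ip: str = ""
    indicator: str = ""  # domain, URL host or file hash carried by the event


def detect_apt(events):
    """Walk events in time order; return suspects, lateral hosts, alerts and actions."""
    events = sorted(events, key=lambda e: e.ts)
    suspects = {}   # src_ip -> ts of the mail/URL detection that put it on the active list
    lateral = {}    # internal host -> ts it was first contacted by a suspect
    alerts, actions = [], []

    for ev in events:
        # Step 1: malicious e-mail / URL detection -> capture Source IP into the active list.
        if (ev.source in ("mailgw", "proxy") and ev.indicator in IOC_ACTIVE_LIST
                and ev.src_ip not in suspects):
            suspects[ev.src_ip] = ev.ts
            continue
        # Step 2: later events from a suspect, matched against the IoC list and C&C IPs.
        if ev.src_ip in suspects and ev.ts > suspects[ev.src_ip]:
            if ev.indicator in IOC_ACTIVE_LIST or ev.dst_ip in C2_IPS:
                alerts.append(("very_high", ev.src_ip, ev.dst_ip or ev.indicator))
                if ev.dst_ip in C2_IPS:
                    actions.append(("block_c2", ev.dst_ip))
                actions.append(("contain_host", ev.src_ip))
            elif ev.dst_ip.startswith(INTERNAL_PREFIX):
                # Step 3: connection to another internal host -> that host is watched too.
                lateral.setdefault(ev.dst_ip, ev.ts)
            continue
        # Step 4: later events from a laterally contacted host, matched against the IoC list.
        if ev.src_ip in lateral and ev.ts > lateral[ev.src_ip]:
            if ev.indicator in IOC_ACTIVE_LIST or ev.dst_ip in C2_IPS:
                alerts.append(("very_high", ev.src_ip, ev.dst_ip or ev.indicator))
                actions.append(("contain_host", ev.src_ip))

    return {"suspects": set(suspects), "lateral": set(lateral),
            "alerts": alerts, "actions": actions}


# Constructed sample timeline (placeholder hosts and indicators).
SAMPLE_EVENTS = [
    Event(100, "mailgw", "10.0.0.21", indicator="evil-updates.example"),  # phishing URL -> suspect
    Event(160, "firewall", "10.0.0.21", dst_ip="10.0.0.30"),              # suspect reaches internal host
    Event(200, "firewall", "10.0.0.22", dst_ip="198.51.100.10"),          # unrelated host, ignored
    Event(260, "firewall", "10.0.0.21", dst_ip="203.0.113.45"),           # C&C connection -> alert
    Event(300, "edr", "10.0.0.30", indicator="d41d8cd98f00b204e9800998ecf8427e"),  # IoC hash on lateral host
]

if __name__ == "__main__":
    print(detect_apt(SAMPLE_EVENTS))
```

The time ordering matters: the detection that puts a host on the active list must not itself count as the "further" matching event, so each lookup only considers events later than the one that created the list entry.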
Use Case 2 – Detecting APT Attack
Actors
• Cyber Criminals
• Cyber Espionage
• Nation State
Log Sources
• Firewall, IPS, URL Filtering / Proxy, Mail Gateways
• Vulnerability Scanner Reports
• Anomaly Detection Events
• ATP Events
• TIP Events
• EDR Events
• OS Events
SIEM Content
• Rules
• Reports
• Dashboards
• Live Monitoring Channels
• Watch Lists
Case Study – Detection of C&C Communication (Low & Slow attack)
Building Blocks
Incident Response
• Investigation of infected systems
• Identification of OS Processes
• Identification of files associated with the Process
• Analysis of files
Use Case
• Identify potentially infected systems
Log Source
• Firewall
• AV
• Threat Intel
SIEM Content
• Dashboard displaying Source IP with Drop Events
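A "low and slow" C&C channel that the firewall is blocking shows up as a small number of drop events per host spread over a long period, at nearly constant intervals, which is why a dashboard of source IPs with drop events is the starting point here. The example below is added here and is not code from the case study; it builds that view from constructed firewall drop lines (the log format, addresses and thresholds are illustrative assumptions) and flags source/destination pairs whose drops are few, long-running and regularly spaced, so the incident response steps above can start from a short list of hosts.

```python
"""Added example (not from the case study): aggregate firewall drop events into
a per-source dashboard and flag beacon-like low-and-slow patterns. The log line
format, addresses and thresholds below are constructed for illustration."""
import random
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) action=drop src=(\S+) dst=(\S+) dport=(\d+)$")


def constructed_log() -> str:
    """Deterministic constructed sample: a beaconing host, a noisy host, a quiet host."""
    rng = random.Random(7)
    t0 = datetime(2017, 9, 1)
    lines = []
    # Low & slow: one blocked outbound attempt per hour, +/- 20 s, for a day.
    for h in range(24):
        ts = t0 + timedelta(hours=h, seconds=rng.randint(-20, 20))
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} action=drop src=10.0.0.17 dst=203.0.113.80 dport=443")
    # Noisy: 30 drops in two minutes from a misconfigured host (high volume, short span).
    for i in range(30):
        ts = t0 + timedelta(minutes=10, seconds=4 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} action=drop src=10.0.0.40 dst=198.51.100.{i % 5 + 1} dport=445")
    # Quiet: a handful of irregular drops from an ordinary workstation.
    for s in (300, 5000, 5400, 40000):
        ts = t0 + timedelta(seconds=s)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} action=drop src=10.0.0.23 dst=192.0.2.9 dport=80")
    return "\n".join(lines)


def parse_drops(log_text: str):
    """Yield (timestamp, src, dst, dport) for each drop line; skip anything unparsable."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def drop_dashboard(log_text: str, min_events=8, min_span_hours=6.0, max_jitter=0.2):
    """One row per (src, dst) pair: volume, time span, interval regularity, beacon flag.

    A pair is flagged beacon-like when it has enough events, spans a long window
    and its inter-event intervals are nearly constant (low jitter). The three
    thresholds are illustrative assumptions, not values from the case study."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in parse_drops(log_text):
        by_pair[(src, dst)].append(ts)
    rows = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        span_h = (stamps[-1] - stamps[0]).total_seconds() / 3600
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_iv = statistics.mean(intervals) if intervals else 0.0
        jitter = statistics.pstdev(intervals) / mean_iv if mean_iv > 0 else float("inf")
        rows.append({
            "src": src, "dst": dst, "drops": len(stamps),
            "span_hours": round(span_h, 2), "mean_interval_s": round(mean_iv, 1),
            "jitter": round(jitter, 3),
            "beacon": len(stamps) >= min_events and span_h >= min_span_hours and jitter <= max_jitter,
        })
    # Dashboard order: flagged pairs first, then by volume.
    rows.sort(key=lambda r: (not r["beacon"], -r["drops"]))
    return rows


def beacon_sources(log_text: str):
    """Source IPs the dashboard marks as candidates for the investigation step."""
    return sorted({r["src"] for r in drop_dashboard(log_text) if r["beacon"]})


if __name__ == "__main__":
    for row in drop_dashboard(constructed_log()):
        print(row)
```

Sorting by raw drop count alone would put the noisy host at the top of the dashboard; the span and jitter columns are what separate a 24-hour hourly beacon from a two-minute burst, and the flagged hosts are the ones to hand to the investigation, process and file analysis steps listed above.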
References
• Computer Security Incident Handling Guide – published by NIST, USA
• Seven Steps to creating an effective CSIRT – Gartner
• Ten Strategies of a world class Cyber Security Operations Center – Mitre.org
• Future SOC: SANS 2017 Security Operations Center Survey