Security Operation Center Concepts and Implementation - - PDF document

SLIDE 1

Security Operation Center

Concepts and Implementation

renaud.bidou@intexxia.com

> SOC Modules > Global Architecture > Collection & Storage > Correlation

SLIDE 2

> SOC Modules

Figure: SOC modules, reconstructed from the diagram labels:

  • E Boxes : event generators (sensors & pollers)
  • C Boxes : collection boxes
  • D Box : formatted messages database
  • A Box : incident analysis
  • R Box : reaction and reporting
  • K Box : knowledge base

> SOC Modules

> E Boxes

  • event generation
  • passive : sensors
  • active : pollers

> Sensors

  • IDS, filtering eq., syslog, apps, honeypots …
  • running in hostile environment
  • lack of standard for host-based sensors

> Pollers

  • third-party tool
  • status evaluation
  • may encounter performance problems

SLIDE 3

> SOC Modules

> C & D Boxes

  • event collection & storage
  • standard formatting

> Collection

  • set of multi-protocol / application agents
  • lack of standard format
  • availability and performance concerns

> Storage

  • duplicates merging
  • performance concerns with huge volume of events

> SOC Modules

> A & K Boxes

  • multi-level analysis
  • intrusion scenarios
  • system status

> Analysis & Correlation

  • heavy research focus
  • proof of concept implementation
  • proprietary technologies

> Knowledge Base

  • vulnerabilities & intrusion scenarios
  • system security status
  • security policy

SLIDE 4

> SOC Modules

> R Boxes

  • reaction & reporting
  • operators interfaces
  • end-user interfaces

> Interfaces

  • subjectivity
  • relies on best practices and lessons learned
  • MANDATORY

> Global Architecture

Figure: global architecture (distributed architecture, polling), reconstructed from the diagram labels:

  • Monitored System / E Box (Event Generators) : OS, host-based IDS, applications, firewall alerts, network IDS, integrity checking, network equipment alerts (Linux, Windows 2k / XP, Cisco PIX, Firewall-1, Oracle, Apache, IIS, Tripwire, ISS, Snort)
  • C Box (Collection & Formatting Modules) : SNMP, syslog, proprietary, SMTP and HTTP / XML protocol agents feeding a dispatcher
  • D Box (Local events database) : events
  • A Box (Correlation Engine) : messages correlation, stats, permanent risk evaluation, client system modelling
  • K Box (Knowledge Base) : incident handling, client configuration record, security policy, customer status, vulnerability database, analysis
  • R' Box (SOC Console) : real-time monitoring, statistical analysis
  • R'' Box (Customer Portal) : system status, security activity
  • other flow labels : Status, Integrity

SLIDE 5

> Global Architecture

> Data acquisition

  • technical inventory
  • security policy review

> Technical reviews

  • intrusive & non-intrusive data acquisition techniques
  • need for attack taxonomy and classification
  • relative vulnerability impact

> Organizational reviews

  • acceptable behavior definition
  • access rights
  • permitted operations

> Global Architecture

> Status Evaluation

  • vulnerabilities definition
  • security level evaluation
  • permanent audit

> Vulnerability database

  • structural vulnerabilities
  • functional vulnerabilities
  • topology-based vulnerabilities

> Permanent security evaluation

  • attack trees generation
  • new evaluation performed when KB updated
  • history management

SLIDE 6

> Global Architecture

> Events management

  • generation
  • collection
  • formatting & storage

> Exhaustiveness vs. performance

  • events overload
  • structural & policy pre-filter
  • difficulty of managing distributed filters

> Collection and storage

  • protocol agents
  • source type identification
  • message formatting

> Global Architecture

> Analysis & reporting

  • event correlation
  • operational reporting
  • strategic reporting

> Alerts

  • structural and behavior alert generation
  • criticality handling
  • statistical analysis

> Interfaces

  • operators consoles
  • debugging consoles
  • end-user portal

SLIDE 7

> Collection & Storage

> Data collection

  • heterogeneous sources
  • scalable architecture

> Protocol agents

  • server-side agents dedicated to one protocol
  • multiple forwarding channels support
  • no shared data = easy clustering / farming

> Reliability & security

  • TCP encapsulation
  • collection channel encryption

> Collection & Storage

> Data collection

  • source sensor identification
  • « standard » formatting

> Dispatcher

  • pattern-based analysis
  • forwarding to dedicated application agent
  • multiple listening and forwarding channels support

> Application agents

  • dedicated to a specific (sensor, transmission protocol) pair
  • message formatting
  • may be merged with the dispatcher

SLIDE 8

> Collection & Storage

> Sample architectures

Figure: two sample collection architectures, reconstructed from the diagram labels:

  • E Boxes → sockets across an unsecure network, with encryption / decryption → protocol agents (HA & LB) → dispatcher → application agents → events
  • E Boxes → protocol agents (HA & LB) → mqueue → dispatcher (HA & LB) → mqueue → application agents → events

> Collection & Storage

> Host Entry

  • unique host identification

> Identification

  • by IP
  • by FQDN
  • unique host token

> Needed to support

  • multihoming
  • NAT & Virtual IP
  • virtual servers

Figure: host tables, reconstructed from the diagram labels: a Host Table (ID, Host Token) referencing a Host IP Table (ID, IP Address) through @Host_IP_Table and a Host FQDN Table (ID, FQDN) through @Host_FQDN_Table.

SLIDE 9

> Collection & Storage

> Messages format

  • basic message formatting
  • correlation ready

  Field        Attributes   Description
  id           Unique       Unique message ID
  sensor_id    Not Null     Unique Sensor ID
  msg_type     Not Null     Type of message (ipchains, snort-1.8.x-alert etc.)
  epoch_time   Not Null     Date in epoch format of event generation
  source                    Intrusion Source Host Token
  target                    Intrusion Target Host Token
  proto                     Protocol number
  src_port                  Intrusion source port number
  tgt_port                  Intrusion target port number
  info                      Additional info
  int_type_id  Not Null     Intrusion type ID (Filter, Access etc.)
  int_id                    Intrusion ID
  message      Not Null     Original message

> Collection & Storage

> 3rd Party info

  • additional information

> Sensor & Sensor Type tables

  • sensor identification

> Intrusion & Intrusion Type tables

  • intrusion identification
  • matches between different references

> Message Type table

  • human readable message type description
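Added example (not code from the slides) tying together the dispatcher, the application agents and the message format table above: the dispatcher identifies the source type by pattern and forwards the raw line to a per-sensor agent, which emits a message with the table's fields. The host table, the sample log lines, the agent names and the intrusion type value 200 are constructed assumptions; 100 (Filtered) is the value shown on the slides.

```python
import re

# Constructed host table (slide "Host Entry"): IP address -> unique host token
HOST_IP_TABLE = {"10.0.0.1": "H0001", "10.0.0.9": "H0009"}
PROTO_NUM = {"ICMP": 1, "TCP": 6, "UDP": 17}
INT_TYPE_FILTERED, INT_TYPE_ACCESS = 100, 200   # 100 is on the slides; 200 is assumed

def host_token(ip):
    # Unknown hosts get a placeholder token so the message is never dropped
    return HOST_IP_TABLE.get(ip, "UNKNOWN-" + ip)

def formatted(sensor_id, msg_type, epoch_time, src, dst, proto, sport, dport,
              info, int_type_id, int_id, line):
    """Build one message with the fields of the 'Messages format' table."""
    return {"sensor_id": sensor_id, "msg_type": msg_type, "epoch_time": epoch_time,
            "source": host_token(src), "target": host_token(dst), "proto": proto,
            "src_port": sport, "tgt_port": dport, "info": info,
            "int_type_id": int_type_id, "int_id": int_id, "message": line}

# Application agents: one per (sensor, transmission protocol) pair
SNORT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):\d+\] (.*?) \[\*\*\].*\{(\w+)\} "
                      r"([\d.]+):?(\d*) -> ([\d.]+):?(\d*)")
IPCHAINS_RE = re.compile(r"Packet log: \S+ (\w+) \S+ PROTO=(\d+) ([\d.]+):(\d+) ([\d.]+):(\d+)")

def snort_agent(sensor_id, epoch_time, line):
    m = SNORT_RE.search(line)
    if not m:
        return None
    gen, sid, name, proto, src, sport, dst, dport = m.groups()
    return formatted(sensor_id, "snort-1.8.x-alert", epoch_time, src, dst,
                     PROTO_NUM[proto], int(sport or 0), int(dport or 0), name,
                     INT_TYPE_ACCESS, "snort:%s:%s" % (gen, sid), line)

def ipchains_agent(sensor_id, epoch_time, line):
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    action, proto, src, sport, dst, dport = m.groups()
    return formatted(sensor_id, "ipchains", epoch_time, src, dst, int(proto),
                     int(sport), int(dport), action, INT_TYPE_FILTERED,
                     "ipchains:" + action, line)

# Dispatcher: pattern-based source type identification, then forwarding to the agent
DISPATCH_TABLE = [(re.compile(r"\[\*\*\] \[\d+:\d+:\d+\]"), snort_agent),
                  (re.compile(r"Packet log:"), ipchains_agent)]

def dispatch(sensor_id, epoch_time, line):
    for pattern, agent in DISPATCH_TABLE:
        if pattern.search(line):
            return agent(sensor_id, epoch_time, line)
    return None   # no agent for this source type
```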

SLIDE 10

> Correlation

Figure: correlation overview, reconstructed from the diagram labels: formatted messages → dispatch → message analysis → structural analysis (vulnerability database, system exposure, system status) → behavior analysis (security policy; date / time / source match) → contexts → functional analysis (intrusion path) → alerts and stats. The example hosts in the figure are www.cust1.com, mail.cust1.com and www.cust2.com, attacked from hack1.com, hack2.com and hack3.com.

> Overview

  • duplicate identification
  • sequence pattern matching
  • time pattern matching
  • system exposure & criticality
  • security policy matching

> Correlation

> Contexts

  • event grouping
  • correlation preparation

> Definition

  • container of formatted data matching common criteria
  • multiple levels of contexts may be created

> Main context tree

  • source (target) token
  • target (source) token
  • target proto.port
  • intrusion type ID
  • intrusion ID

SLIDE 11

> Correlation

> Contexts

Figure: context tree, reconstructed from the diagram labels: an array of source contexts; each Source Host Token holds Target Host Token contexts, each of which holds Target proto.port contexts, then Int. Type ID contexts, then Intrusion ID contexts.

  • functional architecture

> Correlation

> Contexts

Context data structure (Perl notation from the slide), reconstructed from the diagram labels:

  %AttackSources
    $source -> attack hashtable address
  $AttackSources{$source}
    $target -> detail hashtable address
    start_time : first reception time
    stop_time : last reception time
  ${$AttackSources{$source}}{$target}
    proto.tgt_port (protocol, target port) -> id
    start_time : first reception time
    stop_time : last reception time
    array indexed by the Intrusion Type Table (Unknown, 100 Filtered, 530 Integrity …) -> array address
  ${{$AttackSources{$source}}{$target}}[$int_type]
    attack_info_id -> attack info hashtable address
    start_time : first reception time
    stop_time : last reception time
  ${{{$AttackSources{$source}}{$target}}[$int_type]}[attack_info_id]
    intrusion_id : intrusion id
    start_time : first reception time
    stop_time : last reception time
    duplicate : duplicate info

  Host tokens are resolved through the Hosts Table, intrusion types through the Intrusion Type Table.

  • functional architecture

> Time

  • epoch format
  • start_ & stop_ defined at each level

> Intrusion type ID

  • arbitrary definition
  • linked to definition ID

SLIDE 12

Figure: context state diagram, reconstructed from the diagram labels: states Active, Inactive and Closed; transitions labelled "new messages" (Active stays Active), "timeout" (Active to Inactive), "new message" (Inactive back to Active) and "closure code" (to Closed).

> Correlation

> Contexts

  • context management

> Status

  • active : on-going intrusion
  • inactive : wait state
  • closed : self-explanatory
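Added example (not code from the slides; Python is used here although the slides sketch the structure in Perl notation) of the context tree and its management described above: messages are inserted along the source → target → proto.port → intrusion type → intrusion ID path, start_time and stop_time are kept at every level, a repeated leaf is counted as a duplicate, and a context is active, inactive (timeout) or closed (closure code). The timeout value, the host tokens and the sample messages are constructed assumptions.

```python
ACTIVE, INACTIVE, CLOSED = "active", "inactive", "closed"

def _node(t):
    return {"start_time": t, "stop_time": t, "children": {}}

class ContextTree:
    """Contexts keyed source -> target -> proto.tgt_port -> int_type_id -> int_id,
    with first / last reception time kept at every level."""
    def __init__(self, inactive_after=300):     # timeout value is assumed
        self.sources = {}     # %AttackSources in the slides' notation
        self.closed = {}      # source -> closure code
        self.inactive_after = inactive_after

    def add(self, msg):
        """Insert one formatted message; return True when it is a duplicate."""
        source, t = msg["source"], msg["epoch_time"]
        if source in self.closed:            # a closed context is not reopened:
            del self.closed[source]          # a new message starts a fresh one
            self.sources.pop(source, None)
        keys = (source, msg["target"], "%d.%d" % (msg["proto"], msg["tgt_port"]),
                msg["int_type_id"], msg["int_id"])
        level = self.sources
        for key in keys:
            is_new = key not in level
            node = level.setdefault(key, _node(t))
            node["start_time"] = min(node["start_time"], t)
            node["stop_time"] = max(node["stop_time"], t)
            level = node["children"]
        # is_new now refers to the leaf (intrusion id): same path again = duplicate
        node["duplicate"] = node.get("duplicate", 0) + (0 if is_new else 1)
        return not is_new

    def status(self, source, now):
        if source in self.closed:
            return CLOSED
        age = now - self.sources[source]["stop_time"]
        return ACTIVE if age < self.inactive_after else INACTIVE

    def close(self, source, code):
        """Closure code issued by functional analysis (any string here)."""
        self.closed[source] = code

def build_sample():
    """Constructed messages: H-hack1 hits H-www1 on tcp/80 three times, then a 2nd type."""
    tree = ContextTree()
    base = {"source": "H-hack1", "target": "H-www1", "proto": 6, "tgt_port": 80,
            "int_type_id": 100, "int_id": "ipchains:DENY"}
    dups = [tree.add(dict(base, epoch_time=t)) for t in (1000, 1000, 1060)]
    tree.add(dict(base, epoch_time=1100, int_type_id=200, int_id="snort:1:469"))
    return tree, dups
```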

> Correlation

> Structural analysis

  • intrusion identification
  • processes analysis

> Structure

  • independent modules
  • set of logical operators
  • header w/ activation criteria

> Activation

  • message matching header
  • timer

Figure: analysis module, reconstructed from the diagram labels: a header made of field conditions of the form "field operator <field | value> [!]", combined with && inside a group, groups combined with ||; the module body is the message correlation logic.
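Added example (not code from the slides) of the module header evaluation described above: each condition is "field operator operand [!]", conditions are ANDed inside a group and groups are ORed, and the operand is either a literal or another field of the formatted message. The operator set, the module names and the sample headers are constructed assumptions.

```python
import operator
import re

# Operators a header condition may use (assumed set: the slide only says "operator")
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
       "=~": lambda value, pattern: re.search(pattern, str(value)) is not None}

def evaluate(condition, msg):
    """One header condition: (field, operator, operand, negate).
    The operand is a literal, or "$name" to compare against another message field."""
    field, op, operand, negate = condition
    rhs = msg.get(operand[1:]) if isinstance(operand, str) and operand.startswith("$") else operand
    result = OPS[op](msg.get(field), rhs)
    return (not result) if negate else result

def header_matches(header, msg):
    """A header is a list of && groups joined by ||, as in the slide's figure."""
    return any(all(evaluate(c, msg) for c in group) for group in header)

class AnalysisModule:
    def __init__(self, name, header, timer=None):
        self.name, self.header, self.timer = name, header, timer   # timer: 2nd activation path

    def activated_by(self, msg):
        return header_matches(self.header, msg)

# Constructed modules; 100 is the "Filtered" intrusion type shown on the slides
MODULES = [
    AnalysisModule("web-probe", [[("int_type_id", "==", 100, False), ("tgt_port", "==", 80, False)],
                                 [("int_type_id", "==", 100, False), ("tgt_port", "==", 443, False)]]),
    AnalysisModule("snort-any", [[("msg_type", "=~", r"^snort-", False)]]),
    AnalysisModule("reflected-port", [[("src_port", "==", "$tgt_port", False),
                                       ("proto", "!=", 1, False)]]),
    AnalysisModule("not-filtered", [[("int_type_id", "==", 100, True)]]),   # negated condition
]

def activated_modules(msg, modules=MODULES):
    """Names of the modules whose header matches the formatted message."""
    return [m.name for m in modules if m.activated_by(msg)]
```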

SLIDE 13

> Correlation

> Advanced correlation

  • intrusion path analysis
  • security policy matching

> Functional analysis

  • request to the K Box for Intrusion ID & Host Token
  • criticality evaluation
  • new message generation
  • context closure

> Behavior analysis

  • same modular process as structural analysis

> Conclusion

> Complexity of SOC setup

  • integration of heterogeneous modules
  • emerging standards to reduce the gap with theory

> Supervision NOW

  • keep in touch with current research
  • need for a pragmatic approach