security operation center
play

Security Operation Center Concepts and Implementation - PDF document

Jan 28, 2024 •526 likes •673 views

Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules > Global Architecture > Collection & Storage > Correlation > SOC Modules R Box R Box reaction and reporting + A Box K Box A Box

  1. Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules > Global Architecture > Collection & Storage > Correlation

  2. > SOC Modules R Box R Box reaction and reporting + A Box K Box A Box K Box incident analysis knowledge base D Box D Box formated messages database C Boxes C Box C Box collection boxes E Boxes E Box E Box E Box E Box E Box event generators : sensors & pollers > SOC Modules > E Boxes - event generation - passive : sensors - active : pollers > Sensors - IDS, filtering eq., syslog, apps, honeypots … - running in hostile environment - lack of standard for host-based sensors > Pollers - third-party tool - status evaluation - may encounter performance problems

  3. > SOC Modules > C & D Boxes - event collection & storage - standard formating > Collection - set of multi-protocol / application agents - lack of standard format - availability and performance concerns > Storage - duplicates merging - performance concerns with huge volume of events > SOC Modules > A & K Boxes - multi-level analysis - intrusion scenarii - system status > Analysis & Correlation - heavy research focus - proof of concept implementation - proprietary technologies > Knowledge Base - vulnerabilities & intrusion scenarii - system security status - security policy

  4. > SOC Modules > R Boxes - reaction & reporting - operators interfaces - end-user interfaces > Interfaces - subjectivity - relies on best-practices and experience return - MANDATORY > Global Architecture Real-time Permanent Risk Evaluation Monitoring Statistical Security Activity Analysis Incident System Status Handling R' Box (SOC Console) R'' Box (Customer Portal) Distributed Architecure Vulnerability Alerts Database Stats Correlation Customer Messages Analysis Status A Box D Box (Local events database) Security Policy (Correlation Engine) Client Configuration Record Windows 2k / XP Linux K Box (Knowledge Base) Apache D syslog I Distributed Architecure IIS S SNMP Oracle P Events SMTP Host based IDS A Firewall-1 T HTTP / XML OS Cisco Pix C Proprietary H Integrity Checking Snort E ......... Network equipment ISS R Network IDS Tripwire Client System Status Firewall alerts Polling Integrity Modelisation ......... Applications ......... C Box (Collection & Formating Modules) Monitored System E Box (Event Generators)

  5. > Global Architecture > Data acquisition - technical inventory - security policy review > Technical reviews - intrusive & non-intrusive data acquisition techniques - need for attack taxonomy and classification - relative vulnerability impact > Organizational reviews - acceptable behavior definition - access rights - permitted operations > Global Architecture > Status Evaluation - vulnerabilities definition - security level evaluation - permanent audit > Vulnerability database - structural vulnerabilities - functional vulnerabilities - topology-based vulnerabilities > Permanent security evaluation - attack trees generation - new evaluation performed when KB updated - history management

  6. > Global Architecture > Events management - generation - collection - formating & storage > Exhaustivity vs. performance - events overload - structural & policy pre-filter - difficulty to manage distributed filters > Collection and storage - protocol agents - source type identification - message formatting > Global Architecture > Analysis & reporting - event correlation - operational reporting - strategic reporting > Alerts - structural and behavior alert generation - criticity handling - statistical analysis > Interfaces - operators consoles - debugging consoles - end-user portal

  7. > Collection & Storage > Data collection - heterogeneous sources - scalable architecture > Protocol agents - server-side agents dedicated to one protocol - multiple forwarding channels support - no shared data = easy clustering / farming > Reliability & security - TCP encapsulation - collection channel encryption > Collection & Storage > Data collection - source sensor identification - « standard » formatting > Dispatcher - pattern-based analysis - forwarding to dedicated application agent - multiple listening and forwarding channels support > Application agents - dedicated to specific (sensor, Xmit protocol) - message formating - may be merged with dispatcher

  8. > Collection & Storage > Sample architectures E Box E Box E Box Events Encryption Unsecure Network E Box E Box E Box Decryption Events HA & LB protocol protocol protocol agent agent agent socket socket socket protocol protocol protocol agent agent agent HA & LB mqueue mqueue mqueue dispatcher dispatcher dispatcher sockets sockets mqueue mqueue mqueue HA & LB application application application agent agent agent application application application agent agent agent > Collection & Storage > Host Entry - unique host identification > Identification Host Table Host Token - by IP @Host_IP_Table @Host_FQDN_Table - by FQDN - unique host token Host IP Table Host IP Table > Needed to support ID ID IP Address FQDN - multihoming - NAT & Virtual IP - virtual servers

  9. > Collection & Storage > Messages format - basic message formatting - correlation ready Field Attributes Description id Unique Unique message ID sensor_id Not Null Unique Sensor ID msg_type Not Null Type of message (ipchains, snort-1.8.x-alert etc.) epoch_time Not Null Date in epoch format of event generation source Intrusion Source Host Token target Intrusion Target Host Token proto Protocol number src_port Intrusion source port number tgt_port Intrusion target port number info Additional info int_type_id Not Null Intrusion type ID (Filter, Access etc.) int_id Intrusion ID message Not Null Original message > Collection & Storage > 3 rd Party info - additional information > Sensor & Sensor Type tables - sensor identification > Message Type table - human readable message type description > Intrusion & Intrusion Type tables - intrusion identification - matches between different references

  10. > Correlation > Overview Alert Stats Date / Time / Source Behavior Match Security Policy Analysis - duplicate identification - sequence pattern matching System - time pattern matching Exposure System Status Functional - system exposure & criticity Analysis Intrusion Path - security policy matching Message Structural Analysis Vulnerability Analysis Database www.cust1.com hack1.com hack1.com www.cust1.com hack2.com mail.cust1.com mail.cust1.com hack2.com Contexts hack1.com www.cust1.com hack3.com www.cust2.com www.cust2.com hack3.com hack3.com mail.cust1.com hack2.com www.cust2.com Dispatch Formated messages > Correlation > Contexts - event grouping - correlation preparation > Definition - container of formatted data matching common criteria - multiple level of contexts may be created > Main context tree - source (target) token - target (source) token - target proto.port - intrusion type ID - intrusion ID

  11. > Correlation > Contexts - functional architecture Array of source contexts Source Host Token Target Target Target Target Target Target Target Target Target Target Target Target Host Token Host Token Host Token Host Token Host Token Host Token Host Token Host Token Host Token Host Token Host Token Host Token Target Target Target Target Target Target Target Target Target proto.port proto.port proto.port proto.port proto.port proto.port proto.port proto.port proto.port Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type ID ID ID ID ID ID ID ID ID ID ID ID Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type Int. Type Intrusion Intrusion Intrusion Intrusion Intrusion ID ID ID ID ID ID ID ID ID ID ID ID ID ID ID > Correlation > Contexts - functional architecture %AttackSources source attack hashtable address Hosts Table $AttackSources{$source} > Time target detail hashtable address start_time First reception time stop_time Last reception time ${$AttackSources{$source}}{$target} Intrusion Type Table - epoch format proto.tgt_port (protocol, target port) id start_time First reception time - start_ & stop_ defined stop_time Last reception time 0 Unknown array address 100 Filtered array address at each level 530 Integrity array address > Intrusion type ID ${{$AttackSources{$source}}{$target}}[$int_type] attack_info_id attack info hashtable address start_time First reception time - arbitrary definition stop_time Last reception time ${{{$AttackSources{$source}}{$target}}[$int_type]}[attack_info_id] Intrusion Type Table - linked to definition ID intrusion_id Intrusion id duplicate Duplicate info start_time First reception time stop_time Last reception time

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Post-quantum Security of the CBC, CFB, OFB, Modes of Operation. CTR, and XTS Modes of Operation.

Post-quantum Security of the CBC, CFB, OFB, Modes of Operation. CTR, and XTS Modes of Operation.

Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Post-quantum Security of the CBC, CFB, OFB, Modes of Operation. CTR, and XTS Modes of Operation. Mayuresh Anand Motivation Mayuresh Anand, Ehsan Ebrahimi Targhi, Gelo Noel Tabia,

235 views • 22 slides
Employment Security Department Update August 3, 2020 Milestones Met for Operation 100% by 7/31!

Employment Security Department Update August 3, 2020 Milestones Met for Operation 100% by 7/31!

Employment Security Department Update August 3, 2020 Milestones Met for Operation 100% by 7/31! Claims to resolve = 0 Average Weeks Waiting = 4.1 The Operation 100% Cohort Need resolution by ESD on a claim issue Filed between 3/8 -

427 views • 23 slides
Network Operation Center NOC NOC Eng. Ali Munir Al-Mudhafar I.C.T Center Network Systems

Network Operation Center NOC NOC Eng. Ali Munir Al-Mudhafar I.C.T Center Network Systems

Network Operation Center NOC NOC Eng. Ali Munir Al-Mudhafar I.C.T Center Network Systems Division Introduction A fter Continuous and widespread use of Network system in many organizations, companies, government agencies, educational

343 views • 31 slides
Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn

CSS441 Block Cipher Operation Modes ECB Block Cipher Operation CBC CFB OFB CSS441: Security and Cryptography CTR Feedback Sirindhorn International Institute of Technology XTS-AES Thammasat University Prepared by Steven Gordon on 20

871 views • 32 slides
Health Strategic Health Strategic Operation Center Operations Center (HSOC) Health

Health Strategic Health Strategic Operation Center Operations Center (HSOC) Health

6/7/2018 What is the Health Strategic Ops. Center? Health Strategic Health Strategic Operation Center Operations Center (HSOC) Health Emergency Operations Center (HEOC) Local Distribution Center (LDC) (warehouse) HSOC Grant Areas of

291 views • 3 slides
NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM AppScan Excellence Aviv Ron Emanuel Bronshtein Alexandra Shulman-Peleg IBM Security Systems Cyber Center of Excellence AVIV RON Security

452 views • 27 slides
AI3 Operation SOI-ASIA OW 2002 Achmad Husni Thamrin Agenda AI 3 Overview Internet

AI3 Operation SOI-ASIA OW 2002 Achmad Husni Thamrin Agenda AI 3 Overview Internet

AI3 Operation SOI-ASIA OW 2002 Achmad Husni Thamrin Agenda AI 3 Overview Internet Operation (Security) AI 3 Secure Network Operation About AI 3 Asian Internet Interconnection Initiatives Project http://www.ai3.net/

264 views • 22 slides
Security / VM (start) 1 last time two-phase commit: doing operation together data is split

Security / VM (start) 1 last time two-phase commit: doing operation together data is split

Security / VM (start) 1 last time two-phase commit: doing operation together data is split across several machines redo logging machines know what message to send when rebooting state machine to describe protocol for proving/testing

1.38k views • 78 slides
Security Computer Center, CS, NCTU FreeBSD Security Advisories

Security Computer Center, CS, NCTU FreeBSD Security Advisories

Security Computer Center, CS, NCTU FreeBSD Security Advisories http://www.freebsd.org/security/advisories.html 2 Computer Center, CS, NCTU FreeBSD Security Advisories Advisory Security information Where to find it Web page

552 views • 32 slides
1 Multilevel Security Different security levels for resources Important systems A

1 Multilevel Security Different security levels for resources Important systems A

Last time Threats Introduction Threat analysis Policy Introduction to access Specification control matrix Design Implementation Operation and Maintenance 7/10 - 05 Distributed systems - Jonny Pettersson, UmU 1 Security in the

444 views • 13 slides
Integrated City Operation Center : An Architecture Case Study with ADD & Data Flow Analysis

Integrated City Operation Center : An Architecture Case Study with ADD & Data Flow Analysis

Integrated City Operation Center : An Architecture Case Study with ADD & Data Flow Analysis SATURN, 2007 Changhyun, Baek Software Architect Eng. Methodology Team IT Engineering Center Samsung SDS, South Korea Introduction Introduction

455 views • 17 slides
Qatar's Center for Information Security 2 What is Q-CERT? Qatar's National Center for

Qatar's Center for Information Security 2 What is Q-CERT? Qatar's National Center for

Qatar's Center for Information Security 2 What is Q-CERT? Qatar's National Center for Information Security. An ictQATAR initiative. Works with organizations who deliver critical services in Qatar. 3 Types of Assistance

877 views • 12 slides
DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security

DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security

DIGITAL PLANETS SECURITY SOLUTION INTRODUCTION OUR OFFERED SERVICES Vulnerability Security Information Assessment Brand Operation Consultancy & Security Protection Penetration Awareness Centre Testing External Networks

474 views • 44 slides
Future plans and its operation Koji Nakao KDDI, Information Security Fellow 1 CONFIDENTIAL

Future plans and its operation Koji Nakao KDDI, Information Security Fellow 1 CONFIDENTIAL

Future plans and its operation Koji Nakao KDDI, Information Security Fellow 1 CONFIDENTIAL & PROPRIETARY: All materials contained in this document cannot be reproduced in whole or in part, distributed, published or shared with any other

55 views • 4 slides
- Systems Security: Part 1 - Prof. Dr. Michael Backes Director, CISPA Center for IT Security,

- Systems Security: Part 1 - Prof. Dr. Michael Backes Director, CISPA Center for IT Security,

Introduction to Cybersecurity - Systems Security: Part 1 - Prof. Dr. Michael Backes Director, CISPA Center for IT Security, Privacy, and Accountability Chair for IT-security & Cryptography General Information Correct formatting

1.05k views • 75 slides
New Prague Aquatic Center Tuesday May 2nd, 2017 Hours of Operation Outdoor Pool Opening

New Prague Aquatic Center Tuesday May 2nd, 2017 Hours of Operation Outdoor Pool Opening

New Prague Aquatic Center Tuesday May 2nd, 2017 Hours of Operation Outdoor Pool Opening Saturday, May 27th 1 - 7 PM Aquatic Center June opening Sunday-10AM - 6 PM Monday-Friday - 5:30AM-9 PM Saturday 7 AM - 7 PM Amenities Events High

344 views • 19 slides
Factors Affecting Performance of Web Flows in Cellular Networks Ermias A. Walelgne , Kim Set

Factors Affecting Performance of Web Flows in Cellular Networks Ermias A. Walelgne , Kim Set

Factors Affecting Performance of Web Flows in Cellular Networks Ermias A. Walelgne , Kim Set al a, Vaibhav Bajpai, Stefan Neumeier, Jukka Manner, J org Ott May 15, 2018 - IFIP Networking, Zurich Introduction Introduction

764 views • 31 slides
Naming & Identification in the Internet R. Atkinson & S. Bhatti UCL Computer Science

Naming & Identification in the Internet R. Atkinson & S. Bhatti UCL Computer Science

Naming & Identification in the Internet R. Atkinson & S. Bhatti UCL Computer Science July 2004 Existing Name Types IP Address ( 1.2.3.4 ) IP Subnet ( 1.2.3.0/26 ) Domain Name ( host.cs.ucl.ac.uk ) Communication End-Point

1.09k views • 14 slides
Tips, Tricks and Tools for managing one or more medium to large CiviCRM installs CiviCon 2012

Tips, Tricks and Tools for managing one or more medium to large CiviCRM installs CiviCon 2012

Tips, Tricks and Tools for managing one or more medium to large CiviCRM installs CiviCon 2012 Maintenance best practices Drush & drush make drupal.org/project/drush drupal.org/project/drush_make Configuring environments Sysadmin

477 views • 20 slides
USER AUTHENTICATION GRAD SEC SEP 26 2017 TODAYS PAPERS SPEARPHISHING ATTACKS

USER AUTHENTICATION GRAD SEC SEP 26 2017 TODAYS PAPERS SPEARPHISHING ATTACKS

USER AUTHENTICATION GRAD SEC SEP 26 2017 TODAYS PAPERS SPEARPHISHING ATTACKS SPEARPHISHING ATTACKS Imbue the email with a sense of trust or authority LURE Spoof (or log in as) the source / name Make the topic such that theyll

632 views • 25 slides
Mail Abuse S. Moonesamy Eland Systems sm+afrinic@elandsys.com 1 How do we stop spam No

Mail Abuse S. Moonesamy Eland Systems sm+afrinic@elandsys.com 1 How do we stop spam No

AfriN AfriNIC 11 IC 11 No Novemb ember er 200 2009 Mail Abuse S. Moonesamy Eland Systems sm+afrinic@elandsys.com 1 How do we stop spam No instant solution Social problem AfriNIC 11 - Mail Abuse 2 How we read an email message

336 views • 10 slides
Network Security CS 642 UW Madison Earlence Fernandes UW Madison CS 642 1 Web Security TLS

Network Security CS 642 UW Madison Earlence Fernandes UW Madison CS 642 1 Web Security TLS

Network Security CS 642 UW Madison Earlence Fernandes UW Madison CS 642 1 Web Security TLS DNS and BGP Oct 8, 2019 Network Security UW Madison CS 642 2 128.105.37.141 We dont want to have to remember IP addresses Early days of

615 views • 36 slides
Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification,

Rendezvous-based Traffic Rendezvous-based Traffic Classification, Measurement, Classification, Measurement, and Analysis and Analysis ISC/CAIDA Data Collaboration Workshop October 22, 2012 David Plonka & Paul Barford

1.33k views • 26 slides
Integrating running apps into federations + JANUS Terena Eurocamp, 11/2009, Budapest Ernesto

Integrating running apps into federations + JANUS Terena Eurocamp, 11/2009, Budapest Ernesto

Integrating running apps into federations + JANUS Terena Eurocamp, 11/2009, Budapest Ernesto Revilla erny@yaco.es 1 Integrating running apps into federations Background: Yaco (30 pers Open Source company) Setting up the andalusian

612 views • 16 slides

More recommend