Escalation (diagram; axes labelled Technology, People, Process; numbered steps 1 to 6 among Customers, Level 1, Level 2, Incident Handler, Engineer and Case closed)
What is a SOC?
Automated Monitoring – SNMP
Automated Alert and Notification – SNMP Traf / IF-
Contextual correlation of events
Categorization of Monitored Objects
MAP event / Situational awareness
Automated Monitored Object Reporting
Alerts categorized based on Risk Level
Mapped to business process
Integrated to Business Process
Notification to Business Process Owner
Automated Assignment of Risk Level
SOC Core Components
Information and Network Security Automation
Natively built-in compliance and audit functions
Control process managed through integrated ITILv3 CM and SD
Configuration Management of Infrastructure Components
Vulnerability Assessment
Network Monitoring
SIEM
SOC Technology Integration (Automation)
Technology Integration … the new … WORKFLOW (diagram; components: Network Forensics and Incident Response, Vulnerability Assessment, NMS, Reporting, Security Dashboard, Service Desk / Ticketing with Ticket Generation, Compliance and Vulnerabilities and Scanned Data, SIEM 2.0, Monitoring, Log Management, Configuration Management, Policy Compliance, Security Incident; monitored sources: Microsoft, Cisco, Solaris, Redhat, Unix, Load Balancer, Routers, Switches, Firewall, IPS, Malware and Antivirus (Endpoint Security), ERP, APPS)
Advantages
✓ Dedicated Staff
✓ Knows environment better than a third-party
✓ Solutions are generally easier to customize
✓ Potential to be most efficient
✓ Most likely to notice correlations between internal groups
✓ Logs stored locally
Disadvantages
❖ Larger up-front investment
❖ Higher pressure to show ROI quickly
❖ Higher potential for collusion between analyst and attacker
❖ Less likely to recognize large-scale, subtle patterns that include multiple groups
❖ Can be hard to find competent SOC analysts
Internal SOC Success Factors
Trained Staff
Good SOC Management
Adequate Budget
Good Processes
Integration into incident response
If your organization can’t commit to these five factors, do not build an internal SOC – it will fail
Will waste money and time and create false sense of security
If you need a SOC but can’t commit to these factors, strongly consider outsourcing
Outsourced SOC
ADVANTAGES
✓ Avoid capital expenses – it’s their hardware & software
✓ Exposure to multiple customers in similar industry segment
✓ Often cheaper than in-house
✓ Less potential for collusion between monitoring team and attacker
✓ Good security people are difficult to find
✓ Unbiased
✓ Potential to be very scalable & flexible
✓ Expertise in monitoring and SIM tools
✓ SLA
DISADVANTAGES
❖ Contractors will never know your environment like internal employees
❖ Sending jobs outside the organization can lower morale
❖ Lack of dedicated staff to a single client
❖ Lack of capital retention
❖ Risk of external data mishandling
❖ Log data not always archived
❖ Log data stored off-premises
❖ Lack of customization
❖ MSSPs standardize services to gain economies of scale in providing security services to myriad clients
SOC Roles
Security Intelligence
Manager
Level-1 Analyst
Level-2 Analyst
SIEM Content Specialist
Key Organizations
Incident Management
Forensic Analyst
SIEM Engineer
SOC Analysts
Abstract Thinker
Can correlate IDS incidents and alerts in real-time
Ethical
Deals with low-level details while keeping big-picture view of situation
Can communicate to various groups that have very different requirements
Responds well to frustrating situations
SOC Analysts Burnout
SOC analysts can burn out
Have a plan to address this
Extensive training
Bonuses
Promotions
Management Opportunities
Job Rotation
SOC Management
Use case | Data sources | Condition | Action
Botnet activity | Firewall, IDS, Proxy, Mail, Threat Intelligence | Connection to or from known malicious host or domain | Display in analyst active channel
Virus outbreak | Antivirus | 3 viruses detected with same name in 10 minutes | Page desktop team / display in dashboard
Successful attack / malicious code | IDS/IPS, Vulnerability | Targeted asset exhibits vulnerability, relevance=10 | Page server team / display in active channel / display in dashboard
SQL injection | Web Server, DAM, IDS/IPS | 5 injection attempts within specified time frame | Display in analyst active channel
Phishing | Threat Intelligence, Firewall, IDS, Proxy, Mail | Connection to or from known malicious host or domain | Display in analyst active channel
Unauthorized remote access | VPN, Applications | Successful VPN authentication from a non-domain member | Display in analyst active channel / Page network team
New vulnerability on DMZ host | Vulnerability | New vulnerability identified on publicly accessible host | Email daily report to vulnerability team
Suspicious activity | Firewall, IDS, Mail, Proxy, VPN | Escalating watch lists (recon, exploit, brute force, etc.) | Email daily suspicious user activity report to level 1
Statistical anomaly | IDS, Firewall, Proxy, Mail, VPN, Web Server | Moving average variation of X magnitude in specified time frame | Display alerts in situational awareness dashboard
New pattern of activity | IDS, Firewall, Proxy, Mail, VPN, Web Server | Previously unseen pattern detected | Display in analyst active channel
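An added example, not from the original deck: three of the use cases above (virus outbreak, SQL injection, botnet activity) encoded as sliding-window threshold rules in Python and replayed over constructed sample events. The 5-minute SQL injection window, the watch-list domain and the event field names are assumptions for the demo.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed watch list standing in for the threat-intelligence feed (assumption).
THREAT_INTEL = {"evil.example"}

# One rule per table row: name, event source, grouping key, threshold, window, action.
# The 5-minute SQL injection window is an assumed "specified time frame".
RULES = [
    ("Virus outbreak", "antivirus", lambda e: e["virus"], 3, timedelta(minutes=10),
     "Page desktop team / display in dashboard"),
    ("SQL injection", "ids", lambda e: e["src"], 5, timedelta(minutes=5),
     "Display in analyst active channel"),
    ("Botnet activity", "proxy", lambda e: e["dst"] if e["dst"] in THREAT_INTEL else None,
     1, timedelta(0), "Display in analyst active channel"),
]

# Constructed sample events, not real telemetry: (ISO timestamp, source, fields).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "antivirus", {"host": "ws-01", "virus": "Trojan.Agent"}),
    ("2024-05-01T09:04:00", "antivirus", {"host": "ws-02", "virus": "Trojan.Agent"}),
    ("2024-05-01T09:09:00", "antivirus", {"host": "ws-03", "virus": "Trojan.Agent"}),
    ("2024-05-01T09:40:00", "antivirus", {"host": "ws-04", "virus": "Adware.Foo"}),
    ("2024-05-01T10:00:00", "proxy", {"src": "10.0.0.7", "dst": "evil.example"}),
    ("2024-05-01T10:01:00", "proxy", {"src": "10.0.0.8", "dst": "www.example.org"}),
] + [("2024-05-01T11:00:%02d" % (10 * i), "ids", {"src": "198.51.100.9", "sig": "SQLi"})
     for i in range(5)]

def correlate(events, rules=RULES):
    """Replay events in time order through every rule; emit one alert per (rule, key)
    the first time its threshold is reached inside the window. Further hits for the
    same key are suppressed so one outbreak does not page the desktop team repeatedly."""
    alerts, windows, fired = [], {}, set()
    for ts, source, fields in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        for name, src, key_fn, threshold, window, action in rules:
            if source != src:
                continue
            key = key_fn(fields)
            if key is None or (name, key) in fired:
                continue
            q = windows.setdefault((name, key), deque())
            q.append(t)
            while t - q[0] > window:       # drop events that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                fired.add((name, key))
                alerts.append({"rule": name, "key": key, "count": len(q),
                               "at": ts, "action": action})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['at']} {a['rule']} [{a['key']} x{a['count']}] -> {a['action']}")
```

Each alert carries the action column from the table, which is where a ticketing or paging integration would hook in.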
Event Funnel (diagram; labels: 1 Current Maturity Level, 2 Target Maturity Level)
Security Capability Maturity Assessment
SOMM Level | Name | Description
Level 1 | Performed | Reliant on people and relationships, not standardized nor repeatable.
Level 3 | Defined | Recommended maturity level target for most enterprise SOCs. Sufficient structure exists to meet business objectives and demonstrate ROI while still being able to adapt to enterprise requirements and changing threat landscape without excessive overhead in processes.
Level 4 | Measured | Operations are quantitatively evaluated, processes are controlled, reviewed consistently, and proactively improved. Appropriate for a managed service provider environment where financial penalties result from inconsistent delivery. This environment may not be able to adapt to individual client needs or emerging threats and requires dedicated staff to sustain the maturity level.
Level 5 | Optimizing | All processes are tightly constrained and continually measured for deficiencies, variation, and are continually improved. Suitable only for very narrow scope operations focused on point solutions in a tightly controlled and static environment.
Security Capability Maturity Assessment
Area | Score | Comment
People | 1.57 |
General | 1.75 | Roles and responsibilities within the SOC are not defined and therefore cannot be leveraged as criteria for member evaluation.
Training | 1.55 | The opportunity exists to develop an overall training program that includes a defined structure for analyst onboarding and continual growth through the career of the analyst.
Certifications | 1.00 | Lack of overall industry certifications possessed by the team.
Experience | 1.70 | The feeder pool to hire analysts is reasonable, yet the experience and background of some of the analysts is questionable.
Skill Assessments | 1.69 | A skills assessment program should be adopted and leveraged to improve training plans and the overall skills composition of the group.
Career Path | 1.69 | There is an opportunity to develop career progression plans and to help guide analysts into senior positions within the SOC or internally within the company.
Leadership | 1.77 | Conducting an organizational climate survey is encouraged in order to collect feedback and incorporate it into the leadership function.
Process | 1.26 |
Mission | 1.27 | The SOC mission, vision, and charter should be clearly outlined and articulated within the SOC and to internal groups within the organization.
Operational Process | 1.66 | There are several opportunities to further develop operational processes and metrics to measure operational efficiencies.
Analytical Process | 1.15 | Efforts to centralize a knowledge management solution for security analysts are currently underway.
Business Process | 0.89 | SOC SLAs and analyst KPIs are not developed and therefore cannot be leveraged to capture metrics and track operational efficiencies.
Technology | 2.38 |
SIEM Monitoring | 2.45 | SIEM meets current business needs. A test environment exists, which means that content and data feed onboarding does/can go through a proper testing cycle.
Architecture | 1.95 | Document data flow diagrams for troubleshooting purposes.
Correlation | 2.56 | Event management metrics are captured and used to track events monitored.
Monitored Technologies | 2.22 | A wide range of technologies are monitored, giving the SOC wider visibility against attack vectors.
ILM | 2.61 | Data retention and protection policies adhere to company policies.
Overall SOMM Level | 1.74 |
Best Practices for Running a Security Operations Center
Many security leaders are shifting their focus more on the human element than the technology element to “assess and mitigate threats directly rather than rely on a script”.
SOC operatives continuously manage known and existing threats while working to identify emerging risks.
While technology systems such as firewalls or IPS may prevent basic attacks, human analysis is required to put major incidents to rest.
Best Practices for Running a Security Operations Center
For best results, the SOC must keep up with the latest threat intelligence and leverage this information to improve detection and defense mechanisms.
The SOC consumes data from within the organization and correlates it with information from a number of external sources that deliver insight into threats and vulnerabilities.