How to Build A SOC

Security operations centre


Page 1

How to Build A SOC

Page 2

Agenda

• Mission
• Business Case Components
• Regulatory requirements
• SOC Terminology
• Technology Components
• Events categories
• Staff Requirements
• Organization's Considerations
• Training Requirements
• Staff Operations Plans
• Overall SOC Infrastructure Design
• Facilities & Building Requirements
• Processes and Procedures Diagram
• Social Media Profile

Page 3

Mission

• All successful teams need a unifying sense of purpose to help motivate team members, prioritize work, and respond effectively to the changing needs of the business.
• Time spent in this phase of planning will benefit the SOC long-term.
• Prior to building a SOC, organizations must answer the following questions:
  • What needs will the SOC meet for the organization?
  • What are the specific tasks assigned to the SOC? (e.g., detecting attacks from the Internet, monitoring PCI compliance, detecting insider abuse on the financial systems, incident response and forensic analysis, vulnerability assessments, etc.)
  • Who are the consumers of the information collected and analyzed by the SOC? What requirements do they hope to impose on the SOC?
  • Who is the ultimate project sponsor for the SOC? Who will "sell" the SOC to the rest of the organization? What requirements will he or she levy on the SOC?
  • What types of security events will eventually be fed into the SOC for monitoring?

Page 4

Business Case Components

• Facilities: Furniture, computer equipment, special badging requirements, power, HVAC, telephony
• SOC Labor: Security analysts, shift leads, SOC managers
• Supporting Labor: Network support, system support, database support, telephony support, security device management (if not performed by the SOC)
• Education and Training: Classes, conferences, continuing education
• Threat intelligence subscriptions: Up-to-the-minute information on the latest threats
• Monitoring technology: Hardware, software, storage, and implementation services
• Additional technologies: Problem and change management, email, knowledge sharing
• Recovering these costs is a much tougher problem to solve. The following list outlines some common approaches in justifying the expense of a SOC:
  • Cost avoidance: Building the SOC will cost far less than not detecting, preventing, and responding to attacks.
  • Cost efficiencies: Chances are that many of the SOC processes or technologies can help automate functions already taking place within the organization. By accepting a new data feed and producing automated reporting, a SOC can often save the organization money by reducing manual effort.
  • Cost sharing: In many cases, other groups are currently tasked with the responsibilities outlined for the future SOC. Are those groups willing to "outsource" these responsibilities to the SOC? Having other organizations help to foot the bill can minimize the overall impact to all.
  • Revenue / Cost Recovery: Can SOC services be offered to customers – either internal or external? There is more work in determining separation of information among customers, pricing models, and other business aspects, but actual revenue (or cost recovery in the case of internal customers) is a powerful argument where SOC services can be leveraged to perform security services for other organizations.

Page 5

SOC Terminology

• Security Defense Center (SDC)
• Security Intelligence Center (SIC)
• Cyber Security Center (CSC)
• Threat Defense Center (TDC)
• Security Intelligence and Operations Center (SIOC)
• Infrastructure Protection Centre (IPC)
• Cyber Security Operations Centre (CSOC)

Page 6

Regulatory requirements

Establishing and operating a SOC is expensive and difficult; IN SOME INSTANCES ITS COST EXCEEDS $4 USD.

1. Protecting sensitive data such as online & e-services, e-commerce, banking, e-government, online transactions
2. Complying with industry rules such as PCI DSS
3. Complying with government rules, such as CESG GPG53

Page 7

SOC Regulatory Requirements

Page 8

Technology Components

Page 9

Technology Components

• Security Events & Information Management
• Network Discovery
• Vulnerability Assessment
• Governance, Risk & Compliance
• Website Assessments
• Monitoring Systems
• Applications & Database Scanners
• Penetration Testing Tools
• Intrusion Detection Tools
• Intrusion Prevention Tools
• Log Management Tools
• Network Behaviour Analysis Tools
• DDOS & DOS Service Monitoring Tools
• Wireless Intrusion Prevention Systems
• NGFW "Next Generation Firewalls"
• Enterprise Antivirus, Antispyware
• Malware Analysis Kit
• Unified Threat Management
• Infrastructure "Servers, Storage, Network, Cabling, End Users, Virtualisation, PCs & Monitors, Videowall"
• PCOIP "PC over IP connectivity"
• Multiple Networks Access & Security
• Anti-Phishing Service
• Converged Surveillance IP Network "Cameras, Masts, VMS, Cabling, Infrastructure, Connectivity"
• Identity & Access Management "IAM & SSO, Physical Access Control"
• Test Lab
• Data Centre Requirements
• Command & Control Centre design & requirements

Page 10

SOC Events Categories

• CAT 0: Exercise/Network Defense Testing
• CAT 1: Successful unauthorized access
• CAT 2: Denial of service
• CAT 3: Successful installation or post-install beaconing of malicious code
• CAT 4: Improper usage
• CAT 5: Scans/probes/attempted access
• CAT 6: Investigation

Page 11

Staffing Requirements

Operations
• Shift Managers
• Team Leads
• Management
• Escalations
• Incident Handlers
• Executive Support
• External entities such as government, law enforcement

Technical
• GIAC
• GCIA
• Engineers
• Researchers
• Cryptography
• CISSP
• SMEs
• Forensics
• Network Engineers

Page 12

Organization's Considerations

Page 13

Organization's Considerations

• In some instances an organization may need more than one SOC, or a NOC & SOC deployed.
• Deployments may be on a continental or global scale, or within the same campus, depending on requirements.
• In such cases the NOC will be responsible for monitoring the overall network infrastructure while the SOC is responsible for protecting the networks.

Page 14

Training Components

• Formal training should include the SANS (System Administration and Network Security) "Intrusion Detection in Depth" training module and the GCIA (GIAC Certified Intrusion Analyst) certification. This is the industry standard in training analysts in the fundamentals of TCP/IP, TCP/IP monitoring tools, and skills associated with advanced intrusion analysis.
• On-the-job training programs should provide an overview of important information security concepts, training on the specific intrusion detection tools in use, analytical processes and procedures, and effective communication techniques.
• The SOC analyst will be required to effectively communicate and brief all levels of engineers and senior management during times of extreme stress, thus training in managing combative communication is invaluable.
• This training should also include the hierarchy of communication methods. Learning when to page, call, e-mail or assign a ticket is a critical skill. Additionally, it is important that any analyst learn to communicate in concise, well-written papers and e-mails. SOC managers should create a program that has aspiring analysts writing analytical papers and then presenting their findings to their peers to hone written and verbal communication skills.

Page 15

Staff Operation Plans

• Staffing plans will evolve directly out of the needs of the mission. Is the SOC a virtual entity where events are collected, analyzed, alerted, and reported?
• Must the SOC have full-time personnel to monitor consoles, analyze, alert, and report?
• Or does the SOC need full staffing twenty-four hours a day, 7 days a week, all year round?
• These mission needs will dictate the staffing models that must be implemented.

Page 16

Overall SOC Infrastructure Design

Page 17

Process & Procedures Overflow

Page 18

Ihab Ali

Social Media Profile

http://blogs.forbes.com/people/ihabali/