Design and Evaluation of [vSoC]: Virtualised Security Operations Centre
Prof William J Buchanan, http://thecyberacademy.org
[vSoC]
Sharing of resources
DFET Training Cloud – Infrastructure for training and sharing of material
Stakeholders and their uses of the cloud:
• Public Sector: evaluation of systems; training.
• Academia: training/sharing materials; virtualised environments.
• Industry: training/sharing materials; professional certification.
• Software Vendors: test environments; promoting products; providing floating licences.
• Government: define standards; evaluate products.
• Public clouds.
• Existing academic clouds.
• Law Enforcement: triage systems; training.
Building vSoC
Figure: vSoC network layout (Internet, router (NAT), firewalls, switch, DMZ with email, web and FTP servers, data centre with load balancer and syslog server, intrusion detection system; actors Alice, Bob and Eve).
vSoC/DFET Cloud
The current DFET Cloud contains five main cluster nodes, where each cluster node runs:
• VMware vSphere 5.5 with VMware vCenter used to manage the instances.
• 170 GHz CPU, 767 GB of memory.
• 40 TB of disk space.
• 72 processors.
• Running over 2,500 VMs.
The Move Toward Security Analytics: Big Data/SIEM
Data Analysis
• Increasing number of jobs are in Security Analytics (SOC Analysts).
• Companies require skills for before, during and after incidents (mix of security and forensics).
Incidents: Introduction
Author: Prof Bill Buchanan
Incidents
Timeline: Before Incident, During Incident, After Incident.
Data At Rest: Files, Directories, File Rights, Domain Rights, etc.; File changes, File CRUD (Create, Read, Update, Delete), Thumbprints.
Data In-Motion: Network packet logs, Web logs, Security logs; Network scanners, Intrusion Detection Systems, Firewall logs, etc.
Data In-Process: Processes, Threads, Memory, etc.; Security Log, Application Log, Registry, Domain Rights.
Figure: intruder activity placed against the incident timeline.
Increasing Complexity of Knowledge
• Increasing requirement for a wide range of skills for security professionals.
Introduction / Incident Response
Data Capture
Figure: data sources feeding the SOC (web server, firewall, router, proxy server, email server, FTP server, switch, intrusion detection system; actors Alice, Bob and Eve). Source categories:
• IT Ops: Nagios, NetApp, Cisco UCS, Apache, IIS.
• Web Services.
• Microsoft Infrastructure: Active Directory, Exchange, SharePoint.
• Structured Data: CSV, JSON, XML.
• Database Systems: Oracle, MySQL, Microsoft SQL.
• Network/Security: Syslog/SNMP, Cisco NetFlow, Snort.
• Cloud: AWS CloudTrail, Amazon S3, Azure.
• Application Servers: WebLogic, WebSphere, Tomcat.
Data Integration
• Increasing move toward the integration of data for security analysis, e.g. with SIEM tools.
Security Operations Centre
Figure: logs/alerts, news feeds and security alerts flow into the SIEM package (Splunk) in the SOC; actors Bob and Eve.
Splunk Lab Integration
vSoC SIEM Architecture
Lab hosts:
• U001 - Ubuntu Server (192.168.x.7/24)
• Main gateway/firewall (pfSense), interfaces em0 (DHCP), em1 and em2; gateway addresses 10.200.0.1/24, 192.168.y.254/24 and 192.168.x.254/24
• W001 - Windows 2003 Server (192.168.y.7/24)
• K001 - Kali (DHCP)
• K002 - Kali (192.168.y.9/24)
• W003 – Windows 2008 with Splunk Enterprise (192.168.y.8/24), with a Splunk forwarder
Networks: _Public, _Private, _DMZ
Splunk Testing Environment – Buttercup Games
http://asecuritysite.com/tests/tests?sortBy=siem
http://asecuritysite.com:8000
Capture The Flag: British Broadband and RSA SA
British Broadband
• Video: https://www.youtube.com/watch?v=V7o03eLolqA
Cyber Security Insight Camp: Big Data in Cyber Security
RSA SA CTF – Big Data in Cyber Security
Results
Current Range of VMs
• Specialised: EnCase, Windows XP (with malware), GNS3.
• Linux Kali.
• Ubuntu.
• Windows 2003, Windows 2008, Windows 7 and Windows 8.
• Firewalls: pfSense, Vyatta, F5 Big-IP (in development).
• Caine.
• Metasploitable.
Example (PowerCLI script fragment for provisioning a lab VM; the variables $prefix, $iubuntu, $i, $temp, $folder, $disk and $private are set earlier in the script, outside this excerpt):

$tubuntu = "t_ubuntu_205"   # name of the Ubuntu template
if ($args[1].Contains("u")) {
    # Instance name: prefix + Ubuntu tag + zero-padded index + network suffix
    $ins = $prefix + $iubuntu + $i.ToString("000") + "_private"
    ...
    Write-Output "Creating: $($ins) from $($temp) in $($folder) for $($folder) disk: $($disk)"
    # Create VM: clone from the template onto the datastore, thin-provisioned, in the DFETLab resource pool
    New-VM -Name $ins -Template $temp -Datastore $disk -ResourcePool DFETLab -DiskStorageFormat thin -Location $folder
    # Set up network: attach the VM's adapter to the private lab network
    $apt = Get-NetworkAdapter -VM $ins
    Set-NetworkAdapter -NetworkAdapter $apt -NetworkName $private -Confirm:$false
    # Create known snapshot: a baseline the VM can be reverted to after each lab session
    New-Snapshot -VM $ins -Name snapshot
}
Results
Modules used on:
Semester 1: Cryptography and Network Forensics (80 students); Network Security (60 students – GNS3); Host-based Forensics (60 students – EnCase).
Semester 2: Security Testing (70 students); e-Security (100 students); Incident Response and Malware Analysis (100 students).
Cloud upgrade
SDN Integration
Prof William J Buchanan, Charley Celice, Peter Aaby, Bruce Ramsay, Richard Macfarlane, Adrian Smales, Dr Gordon Russell and Bobby Soutar, http://thecyberacademy.org
Current Work
• Integrating F5 Big-IP (30 licences).
• Integration of SDN within Cloud (with Hutchinson Networks).
• Integration of RSA SA and Splunk for teaching in 2016/2017.
• Integration of HPE ArcSight.
• Roll-out of two CTFs: British Broadband and RSA SA (Network Forensics).
• Development of a mobile Cloud environment, for onsite training/CTF.