Next-Gen Security Operations: From SOC to CSOC
Narayan Neelakantan &
Abhijit Dhongade
September 20, 2017
www.blockarmour.com
1
Restricted Use Only
Agenda
• Background
• Security Operations Center
• SOC – Building Blocks
• Cyber Security Operations Center
• Use Cases
• Case Study
Threat Landscape
• E-mail malware rate jumped from 1 in 220 e-mails in 2014 to 1 in 131 e-mails in 2016
• Threats were perpetrated by 75% outsiders, 25% insiders
• 357 million unique malware variants identified in 2016
• 27% of breaches discovered by third parties
• Cyber attackers revealed new levels of ambition in 2016, a year marked by extraordinary attacks, including multi-million dollar virtual bank heists and some of the biggest distributed denial of service (DDoS) attacks on record powered by a botnet of Internet of Things (IoT) devices
• 61% of data breach victims are businesses with under 1000 employees
Source: Verizon, Symantec – 2017 report
Underground Marketplace
Source: Symantec – 2017 report
Security Operations Center (SOC)
“A team primarily composed of security analysts organized to detect, analyze, respond to, report on and prevent cybersecurity incidents”
- Carson Zimmerman
Ten Strategies of a world class Cyber Security Operations Center
Security Operations Center
Central Location to Detect and Respond to Incidents
• Assets, Data, People
• Logs, Alerts, Correlation
• Containment, Eradication, Recovery
• Evidence, Chain of Custody, Forensics
Traditional SOC – Functions
Implementation
SOC Engineering
• Manage Tooling
• Use Cases
• Fine-Tuning Rules
Incident Analysis & Triage
• Monitoring & Analysis
• Escalation
Incident Response
• Investigation
• Containment
• Eradication
• Recovery
Traditional SOC - Sample Org Structure
SOC
• Incident Analysis & Triage: Engineer (L1), Analyst (L2)
• SOC Engineering: Subject Matter Expert (SME)
• Incident Response: Incident Handler (L3), Forensics
Traditional SOC – Limitations
• Limited Visibility
• Cannot detect sophisticated attacks
• Response mechanism not adequate to deal with today’s cyber threats
• Highly dependent on people skills
CSOC – Key Objectives
• Enhanced Visibility
• Effective Detection
• Near real-time Incident Response
Elements of a Cyber Attack
Target
• Organizations & Corporates
• Critical Infrastructure
• Government agencies
Threat Actor
• Cyber Criminal
• Script-Kiddie
• Internal
• Corporate Espionage
• Hacktivists
• Nation State
Attack Vectors
• Web
• Removable media
• Network
• Social media
Motive
• Financial gain
• Data Exfiltration
• Intellectual property theft
• Espionage
• Damage reputation
Threat Model
CSOC – Functions
CSOC – Implementation
THREAT INTELLIGENCE
• Strategic
• Tactical
• Operational
• Integration
• STIX/TAXII
ANALYTICS & HUNTING
• Predictive Analysis
• Scenarios
• Big Data Capability
• Historical Data
CSOC - Sample Org Structure
SOC
• Incident Analysis & Triage: Engineer (L1), Analyst (L2)
• SOC Engineering: Subject Matter Expert (SME)
• Incident Response: Incident Handler (L3), Forensics
• Analytics & Hunting: Subject Matter Expert (SME)
• Threat Intelligence: Subject Matter Expert (SME)
CSOC - Tooling
• SIEM
• Anomaly Detection
• Threat Intelligence
• Analytics
• EDR
• Deception Technology
• Response automation
CSOC – Trends
Incident Response is primarily managed in-house except for reverse engineering
Endpoint Detection & Response (EDR) is the most used capability for response
Outsourced activities are primarily Threat research, Forensics & Security Monitoring & Detection
Working cohesively with IT Operations team continues to be one of the biggest challenges
Organizations have started using threat hunting with automated data collection and correlation to help remediate unknown threats
Majority of organizations are in the process of developing plans to monitor IoT devices
Organizations are considering adoption of response automation tools to speed up remediation
Source: SANS Future SOC Survey – May 2017
Summary
• Identification of crown jewels crucial
• Tooling must be continuously fine-tuned
• Well defined processes within CSOC for triage, analysis and escalation
• People strategy
• Robust organization wide Incident response process
• Simulations & Drills to measure effectiveness
• Response automation
Use Case 1 – Detecting a Targeted Attack
Detection flow:
• Reconnaissance event → capture the attacker IP and add it to the Active List
• Is the reconnaissance aimed at open ports? No → do not trigger an alert
• Yes → trigger a Medium priority alert and add the IP to Active List 2
• Check whether more traffic is observed from the attacker and check for a vulnerability being exploited
• Does the vulnerability exist? No → monitor the attacker for further activities
• Yes → trigger a High priority alert
Outcomes:
• Dramatically improved identification of real incidents
• False positives reduced by 85%
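The decision flow above, written out as correlation logic over constructed firewall/IPS events. This is an added example, not code from the deck or from Block Armour; the asset inventory, the scanner finding and the event layout are all assumptions, and the two sets stand in for the SIEM's Active List and Active List 2.

```python
from dataclasses import dataclass, field

# Constructed asset data: open ports per host and scanner findings keyed by (host, port)
OPEN_PORTS = {"10.0.0.5": {22, 443}, "10.0.0.9": {80}}
VULNERABLE = {("10.0.0.9", 80): "PLACEHOLDER-unpatched-web-app"}

@dataclass
class ActiveLists:
    recon_sources: set = field(default_factory=set)      # Active List: every recon source
    open_port_sources: set = field(default_factory=set)  # Active List 2: probed an open port

def correlate(event, lists):
    """Apply the use-case flow to one event; returns (priority, action)."""
    src, dst, port = event["src"], event["dst"], event["dport"]
    if event["type"] == "recon":
        lists.recon_sources.add(src)
        if port not in OPEN_PORTS.get(dst, set()):
            return (None, "no alert: probe of a closed port")
        lists.open_port_sources.add(src)
        return ("medium", "alert: recon against an open port; added to Active List 2")
    # follow-up traffic only matters from sources already on Active List 2
    if event["type"] == "exploit_attempt" and src in lists.open_port_sources:
        if (dst, port) in VULNERABLE:
            return ("high", f"alert: exploit attempt against {VULNERABLE[(dst, port)]}")
        return (None, "monitor: attacker still active, no matching vulnerability")
    return (None, "ignore: no recon context for this source")

SAMPLE_EVENTS = [  # constructed firewall / IPS events, in arrival order
    {"type": "recon", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 8080},
    {"type": "recon", "src": "203.0.113.7", "dst": "10.0.0.9", "dport": 80},
    {"type": "exploit_attempt", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 443},
    {"type": "exploit_attempt", "src": "203.0.113.7", "dst": "10.0.0.9", "dport": 80},
    {"type": "exploit_attempt", "src": "198.51.100.3", "dst": "10.0.0.9", "dport": 80},
]

def run(events):
    """Replay events in order; returns the per-event priorities and the final lists."""
    lists = ActiveLists()
    return [correlate(e, lists)[0] for e in events], lists

if __name__ == "__main__":
    lists = ActiveLists()
    for event in SAMPLE_EVENTS:
        print(event["src"], "->", event["dst"], correlate(event, lists))
```

Only the second and fourth events alert; the closed-port probe and the exploit attempt without a matching finding are the false positives the slide says the flow suppresses.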
Use Case 1 – Detecting a Targeted Attack
Actors
• Cyber Criminals
• Hacktivists
• Script Kiddies
• Cyber Espionage
Log Sources
• Firewall
• IPS
• Vulnerability Scanner Reports
SIEM Content
• Rules
• Reports
• Dashboards
• Live Monitoring Channels
• Watch Lists
Use Case 2 – Detecting APT Attack
Detection flow:
• Capture IoCs from Threat Intel and populate the IoC Active List
• Malicious Email / URL detection events → capture the Source IP and add it to the Active List
• Check for events from the Source IP and match them with the IoC Active List & C&C IP
• Check for connections from the Source IP to other internal hosts, then check for events from those hosts and match them with the IoC Active List
• Matching events? No → monitor the Source IP for further suspicious activities
• Yes → trigger a Very High priority alert, block access to the C&C server and contain the host
Outcomes:
• Early stage detection & containment of APT attacks
• Improved visibility of attacker activities
• One-to-one correlation with Cyber Kill Chain
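The APT flow above as correlation logic over constructed mail-gateway, firewall and DNS events. This is an added example, not the deck's or Block Armour's code; the IoC feed, the C&C address, the internal range and the event layout are assumptions. It goes one step beyond the slide: an IoC match from a host that never passed the mail/URL trigger still raises a (lower) alert rather than being dropped.

```python
import ipaddress

# Constructed threat-intel feed: IoC Active List (domains, hashes) and known C&C IPs
IOC_ACTIVE_LIST = {"bad-update.example", "d41d8cd98f00b204e9800998ecf8427e"}
CC_IPS = {"192.0.2.44"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range

def new_state():
    # active_list: hosts flagged by mail/URL detection; linked_hosts: internal peers they contacted
    return {"active_list": set(), "linked_hosts": set()}

def process(event, state):
    """Apply the use-case flow to one event; returns (priority, action)."""
    host = event["host"]
    if event["type"] == "malicious_email":
        state["active_list"].add(host)
        return (None, "source captured and added to Active List")
    watched = host in state["active_list"] or host in state["linked_hosts"]
    if event["type"] == "connection" and ipaddress.ip_address(event["dst"]) in INTERNAL:
        if watched:
            state["linked_hosts"].add(event["dst"])  # follow the peer's events as well
        return (None, "monitor: internal connection recorded" if watched else "ignore")
    indicator = event.get("indicator", event.get("dst"))
    if indicator in IOC_ACTIVE_LIST or indicator in CC_IPS:
        if watched:
            return ("very high", "alert: block access to C&C server and contain the host")
        return ("high", "alert: IoC match without mail/URL trigger; investigate")
    return (None, "monitor: no IoC match yet" if watched else "ignore")

SAMPLE_EVENTS = [  # constructed events, in arrival order
    {"type": "malicious_email", "host": "10.0.0.21"},
    {"type": "connection", "host": "10.0.0.21", "dst": "10.0.0.30"},
    {"type": "dns", "host": "10.0.0.30", "indicator": "bad-update.example"},
    {"type": "connection", "host": "10.0.0.21", "dst": "198.51.100.9"},
    {"type": "connection", "host": "10.0.0.21", "dst": "192.0.2.44"},
    {"type": "file_hash", "host": "10.0.0.77", "indicator": "d41d8cd98f00b204e9800998ecf8427e"},
]

def run(events):
    """Replay events in order; returns the per-event priorities and the final state."""
    state = new_state()
    return [process(e, state)[0] for e in events], state

if __name__ == "__main__":
    state = new_state()
    for event in SAMPLE_EVENTS:
        print(event["host"], event["type"], process(event, state))
```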
Use Case 2 – Detecting APT Attack
Actors
• Cyber Criminals
• Cyber Espionage
• Nation State
Log Sources
• Firewall, IPS, URL Filtering / Proxy, Mail Gateways
• Vulnerability Scanner Reports
• Anomaly Detection Events
• ATP Events
• TIP Events
• EDR Events
• OS Events
SIEM Content
• Rules
• Reports
• Dashboards
• Live Monitoring Channels
• Watch Lists
Case Study – Detection of C&C Communication (Low & Slow attack)
Building Blocks
Incident Response
• Investigation of infected systems
• Identification of OS Processes
• Identification of files associated with the Process
• Analysis of files
Use Case
• Identify potentially infected systems
Log Source
• Firewall
• AV
• Threat Intel
SIEM Content
• Dashboard displaying Source IP with Drop Events
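The case study's "source IP with drop events" view, plus the low & slow signal it is meant to surface: one internal host whose dropped outbound connections to a single destination recur at a near-constant interval. This is an added example, not the deck's or Block Armour's code; the log layout, the threat-intel list and the jitter threshold are assumptions.

```python
import re, statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall events (the key=value layout is an assumption, not a vendor format)
LOG_LINES = """\
2017-09-01T00:00:00 action=drop src=10.0.0.21 dst=192.0.2.44 dport=443
2017-09-01T01:00:05 action=drop src=10.0.0.21 dst=192.0.2.44 dport=443
2017-09-01T02:00:01 action=drop src=10.0.0.21 dst=192.0.2.44 dport=443
2017-09-01T03:00:03 action=drop src=10.0.0.21 dst=192.0.2.44 dport=443
2017-09-01T00:10:00 action=drop src=10.0.0.40 dst=198.51.100.9 dport=80
2017-09-01T00:10:02 action=drop src=10.0.0.40 dst=198.51.100.9 dport=80
2017-09-01T00:10:03 action=drop src=10.0.0.40 dst=198.51.100.9 dport=80
2017-09-01T05:45:00 action=drop src=10.0.0.40 dst=198.51.100.9 dport=80
2017-09-01T00:30:00 action=allow src=10.0.0.21 dst=203.0.113.5 dport=443
""".splitlines()
THREAT_INTEL_IPS = {"192.0.2.44"}  # constructed threat-intel feed
LINE_RE = re.compile(r"(\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def drop_summary(lines):
    """Group dropped connections by (src, dst) with their timestamps, like the dashboard."""
    groups = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(2) == "drop":
            groups[(m.group(3), m.group(4))].append(datetime.fromisoformat(m.group(1)))
    return groups

def suspect_hosts(lines, min_events=4, max_jitter=0.2):
    """Flag sources whose drops to one destination are near-periodic (low & slow
    beaconing) or whose destination is on the threat-intel list."""
    suspects = {}
    for (src, dst), times in drop_summary(lines).items():
        times.sort()
        reasons = []
        if dst in THREAT_INTEL_IPS:
            reasons.append("destination on threat-intel list")
        if len(times) >= min_events:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            # low relative spread between drops = regular beacon; bursts are ignored
            if mean > 0 and statistics.pstdev(gaps) / mean < max_jitter:
                reasons.append(f"periodic beacon every ~{mean / 60:.0f} min")
        if reasons:
            suspects.setdefault(src, []).extend(reasons)
    return suspects
```

The hourly drops from 10.0.0.21 are flagged on both counts; the burst from 10.0.0.40 is not periodic and matches no indicator, so it stays on the dashboard without an alert.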
References
• Computer Security Incident Handling Guide – published by NIST, USA
• Seven Steps to creating an effective CSIRT – Gartner
• Ten Strategies of a world class Cyber Security Operations Center – Mitre.org
• Future SOC: SANS 2017 Security Operations Center Survey