1

Security Operation CenterConcepts and Implementation

renaud.bidou@intexxia.com

> SOC Modules> Global Architecture> Collection & Storage> Correlation

2

> SOC Modules

E Box

C Box

D Box

A Box

E Box E Box E Box E Box

C Box

E Boxes

C Boxes

D Box

A Box

R BoxR Box

event generators : sensors & pollers

collection boxes

formated messages database

incident analysis

reaction and reporting

K BoxK Boxknowledge base

+

> SOC Modules> E Boxes

- event generation- passive : sensors- active : pollers

> Sensors- IDS, filtering eq., syslog, apps, honeypots …- running in hostile environment- lack of standard for host-based sensors

> Pollers- third-party tool - status evaluation- may encounter performance problems

3

> SOC Modules> C & D Boxes

- event collection & storage- standard formating

> Collection- set of multi-protocol / application agents- lack of standard format- availability and performance concerns

> Storage- duplicates merging - performance concerns with huge volume of events

> SOC Modules> A & K Boxes

- multi-level analysis- intrusion scenarii- system status

> Analysis & Correlation- heavy research focus- proof of concept implementation- proprietary technologies

> Knowledge Base- vulnerabilities & intrusion scenarii- system security status- security policy

4

> SOC Modules> R Boxes

- reaction & reporting- operators interfaces- end-user interfaces

> Interfaces- subjectivity- relies on best-practices and experience return- MANDATORY

> Global Architecture

Messages Correlation

Stats

Permanent Risk Evaluation

Client SystemModelisation

OS

Host based IDS

Applications

Firewall alertsNetwork IDS

Integrity Checking

Network equipment

Alerts

Monitored System

IncidentHandling

ClientConfiguration

Record

Security Policy

CustomerStatus

VulnerabilityDatabase

Analysis

.........

A Box(CorrelationEngine)

E Box (Event Generators)

StatusIntegrity

C Box (Collection & Formating Modules)

K Box (Knowledge Base)

SNMP

syslog

Proprietary

SMTP

HTTP / XML

.........

Linux

Windows 2k / XP

Cisco Pix

Firewall-1

Oracle

Apache

IIS

.........

DISPATCHER

Tripwire

ISS

Snort

Events

D Box (Local events database)

Real-timeMonitoring

StatisticalAnalysis

System Status

Security Activity

R'' Box (Customer Portal)R' Box (SOC Console)

Dis

tribu

ted

Arch

itecu

reD

istri

bute

d Ar

chite

cure

Polling

5

> Global Architecture> Data acquisition

- technical inventory- security policy review

> Technical reviews- intrusive & non-intrusive data acquisition techniques- need for attack taxonomy and classification- relative vulnerability impact

> Organizational reviews- acceptable behavior definition- access rights- permitted operations

> Global Architecture> Status Evaluation

- vulnerabilities definition- security level evaluation- permanent audit

> Vulnerability database- structural vulnerabilities- functional vulnerabilities- topology-based vulnerabilities

> Permanent security evaluation- attack trees generation- new evaluation performed when KB updated- history management

6

> Global Architecture> Events management

- generation- collection- formating & storage

> Exhaustivity vs. performance- events overload- structural & policy pre-filter- difficulty to manage distributed filters

> Collection and storage- protocol agents- source type identification- message formatting

> Global Architecture> Analysis & reporting

- event correlation- operational reporting- strategic reporting

> Alerts- structural and behavior alert generation- criticity handling- statistical analysis

> Interfaces- operators consoles- debugging consoles- end-user portal

7

> Collection & Storage> Data collection

- heterogeneous sources- scalable architecture

> Protocol agents- server-side agents dedicated to one protocol - multiple forwarding channels support- no shared data = easy clustering / farming

> Reliability & security- TCP encapsulation- collection channel encryption

> Collection & Storage> Data collection

- source sensor identification- « standard » formatting

> Dispatcher- pattern-based analysis- forwarding to dedicated application agent- multiple listening and forwarding channels support

> Application agents- dedicated to specific (sensor, Xmit protocol)- message formating- may be merged with dispatcher

8

> Collection & Storage> Sample architectures

protocolagent

protocolagent

protocolagent

dispatcher dispatcher

Encryption

Decryption

Events

HA & LB

applicationagent

applicationagent

applicationagent

E Box E Box E Box

Unsecure Network

socket socket socket

sockets sockets

HA & LB

HA & LB

protocolagent

protocolagent

protocolagent

mqueue mqueue mqueue

mqueue mqueue mqueue

dispatcher

applicationagent

applicationagent

applicationagent

Events

E Box E Box E Box

> Collection & Storage> Host Entry

- unique host identification

> Identification- by IP- by FQDN- unique host token

> Needed to support- multihoming- NAT & Virtual IP- virtual servers

Host Token

@Host_IP_Table

@Host_FQDN_Table

ID

IP Address

ID

FQDN

Host Table

Host IP TableHost IP Table

9

> Collection & Storage> Messages format

- basic message formatting- correlation ready

Field Attributes Description id Unique Unique message ID sensor_id Not Null Unique Sensor ID msg_type Not Null Type of message (ipchains, snort-1.8.x-alert etc.) epoch_time Not Null Date in epoch format of event generation source Intrusion Source Host Token target Intrusion Target Host Token proto Protocol number src_port Intrusion source port number tgt_port Intrusion target port number info Additional info int_type_id Not Null Intrusion type ID (Filter, Access etc.) int_id Intrusion ID message Not Null Original message

> Collection & Storage

- additional information

> Sensor & Sensor Type tables- sensor identification

> Intrusion & Intrusion Type tables- intrusion identification- matches between different references

> 3rd Party info

> Message Type table- human readable message type description

10

> CorrelationAlert Stats

www.cust1.com hack1.com hack2.com

mail.cust1.com hack1.com hack3.com

www.cust2.com hack3.com hack2.com

Dispatch

MessageAnalysisVulnerability

Database

SystemExposure

System Status

StructuralAnalysis

Security Policy

Date /Time / Source

MatchBehaviorAnalysis

hack2.com www.cust1.com www.cust2.com

hack3.com mail.cust1.com www.cust2.com

hack1.com www.cust1.com mail.cust1.com

Contexts

Intrusion Path

FunctionalAnalysis

Formated messages

> Overview

- duplicate identification- sequence pattern matching- time pattern matching- system exposure & criticity- security policy matching

> Correlation> Contexts

- event grouping- correlation preparation

> Definition- container of formatted data matching common criteria- multiple level of contexts may be created

> Main context tree- source (target) token- target (source) token- target proto.port- intrusion type ID- intrusion ID

11

> Correlation> Contexts

Targetproto.portTarget

proto.portTargetproto.port

TargetHost Token

TargetHost Token

TargetHost Token

TargetHost TokenTarget

Host Token

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

TargetHost Token

Targetproto.port

Targetproto.port

TargetHost Token

Targetproto.port

Targetproto.port

SourceHost Token

TargetHost Token

Targetproto.port

Targetproto.port

Array of source contexts

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

IntrusionID

IntrusionID

IntrusionID

IntrusionID

IntrusionID

Int. TypeID

Int. TypeID

Int. TypeID

Int. TypeID

TargetHost Token

TargetHost TokenTarget

Host TokenTarget

Host Token

- functional architecture

> Correlation> Contexts

%AttackSourcessource attack hashtable address

$AttackSources{$source}target detail hashtable address

start_time First reception time

stop_time Last reception time

${$AttackSources{$source}}{$target}proto.tgt_port (protocol, target port) id

start_time First reception time

stop_time Last reception time

0 Unknown array address

100 Filtered array address

530 Integrity array address

Intrusion Type Table

${{$AttackSources{$source}}{$target}}[$int_type]attack_info_id attack info hashtable address

start_time First reception time

stop_time Last reception time

${{{$AttackSources{$source}}{$target}}[$int_type]}[attack_info_id]

intrusion_id Intrusion id

start_time First reception time

stop_time Last reception time

duplicate Duplicate info

Intrusion Type Table

Hosts Table

- functional architecture

> Time- epoch format- start_ & stop_ defined

at each level

> Intrusion type ID- arbitrary definition- linked to definition ID

12

New Messages

Timeout

Closure Code

New Message

Active Inactive

Closed

> Correlation> Contexts

- context management

> Status- active : on-going intrusion- inactive : wait state- closed : self-explanatory

> Correlation> Structural analysis

- intrusion identification- processes analysis

> Structure- independant modules- set of logical operators- header w/ activation criteria

> Activation- message matching header- timer

Analysis Module

Message Correlation Message Correlation||

Field Condition Field Condition Field Condition&& &&

field operator <field | value> [!]

13

> Correlation> Advanced correlation

- intrusion path analysis- security policy matching

> Functional analysis- request to the K Box for Intrusion ID & Host Token- criticity evaluation- new message generation- context closure

> Behavior analysis- same modular process as structural analysis

> Conclusion

> Complexity of SOC setup- integration of heterogeneous modules- emerging standards to reduce the gap with theory

> Supervision NOW- keep in touch with actual researches- need for a pragmatic approach