what you need to know about ngsoc. presented at #csxasia #scavengerhunt about next generation...


Upload: alan-yau-ti-dun

Post on 22-Jan-2018


TRANSCRIPT

Page 1: What you need to know about NGSOC. Presented at #CSXAsia #ScavengerHunt about Next Generation Security Operation Centre NGSOC

Next Generation Security Operations Centre (NGSOC) What You Need To Know?

ALAN YAU TI DUN, CISA CISM CGEIT CRISC CISSP CSXF CCSK ITIL
ISACA Malaysia Certification and Professional Development Director
ISACA Malaysia Special Interest Group 1 Chairperson
ISACA Malaysia Cybersecurity Nexus Liaison Officer
Chief Technical Officer at Sysarmy

Copyright © 2016 Information Systems Audit and Control Association, Inc. All rights reserved.

NEXT GENERATION SECURITY OPERATIONS CENTER

• Cybersecurity Threat Flow
• Cybersecurity Counter Measure
• Next Generation Security Operation Center
• Use Case - Building NGSOC
• Summary, Q&A

Ransomware Flow

[Diagram; labels recovered from the slide, in slide order.]

• INTERNAL, EXTERNAL, DMZ, DATABASE
• TIER 1 PROTECTION, TIER 2 PROTECTION, TIER 3 PROTECTION
• 1. E-MAIL 2. WEB 3. VPN 4. CLIENT SERVER APP
• 1. FIREWALL 2. PROXY GATEWAY 3. MAIL GATEWAY 4. ANTIVIRUS GATEWAY 5. IPS / IDS
• 1. NETWORK DEVICE 2. SECURITY DEVICE 3. SERVER 4. ENDPOINT
• 1. FIREWALL 2. IPS / IDS 3. ENDPOINT
• 1. INBOX 2. BROWSER 3. LOCAL FILE 4. REMOVABLE FILE 5. NETWORK FILE
• 6. WAF 7. APT 8. DDOS
• 6. NAC 7. DB FIREWALL 8. PRIVILEGE IDENTITY 9. ADVANCE ENDPOINT
• 1. User Awareness
• 1. Signature Update 2. Policy Fine Tuning 3. Log Monitoring
• Malicious URL, Phishing | Mishing, CnC BotNet, Autorun On Removable
• Disable Macro in Microsoft Office
• Create & Run Batch File | Script
• Download & Execute Malware
• Run Ransomware.exe
• Ransomware Negotiate
• Encryption Key
• Ransomware Encrypt Data
• Ransomware Delete Backup Files
• Offline Backup
• Privilege & App Lockdown
• Data Breach, Network Outage, Defacement

WITH SO MANY INTERCONNECTED DEVICES, HOW ARE YOU GOING TO PROTECT YOUR ENTERPRISE?

Step 1: Fundamental Security Measures
Step 2: Advanced Security Measures
Step 3: Specific Advance Threat Countermeasures
Step 4: Best Available Security Practices

Basic Security Measures
• Antivirus Systems
• Intrusion Detection Systems
• Firewalls
• Access Control

Advanced Security Measures
• Intrusion Prevention Systems
• Data Leak Prevention
• Vulnerability Scanning
• Penetration Testing
• Database Activity Monitoring (DAM)

Specific Advance Threat Countermeasures
• Advance Endpoint Protection
• Network Packet Inspection
• Advance Threat Detection
• DDOS
• File Integrity Monitoring
• Security Information and Event Management

Best Available Security Practices
• Security Development Lifecycle
• Disaster Recovery

The threat landscape has evolved. Cybersecurity is now of major concern to both the public and private sectors, and government sectors are working tirelessly to defend their entire enterprise from a breach.

This session will cover the requirements for building or outsourcing your NGSOC, and discuss how it can help organizations prepare for mitigating against future cyberattacks.

As cybersecurity covers a broad scope of areas, for this session we will be focusing more on Next Generation Security Incident and Event Monitoring (SIEM) as our area of discussion.

Recover: Recovery Planning, Communications, Continuous Improvements
Respond: Mitigation, Analysis, Communications
Detect: Anomalies and Events, Security Continuous Monitoring, Detection Processes
Protect: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures
Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management

• Norse Video

The Challenge For Log Analysis
Log Management vs SIEM vs NextGen SIEM

Security Analytic | Storage | Actionable Intelligence
Building NextGen Security Operation Center

The Challenge For Log Analysis

[Slide background: a wall of raw log records.]

Do you manage to analyze every single line of these thousands of lines of log every minute?

What is inside the log???

How Big Is The Log Size???

Customer Type                  Log Volume (GBs / Day)   Events / Day       Events / Sec
Cloud Provider                 50,000                   166,666,666,667    1,929,012
Social Media Organization      25,000                   83,333,333,333     964,506
Telco's                        1,000                    3,333,333,333      38,580
Enterprise > 1000 employees    300                      1,000,000,000      11,574
SME                            10                       33,333,333         386

Who Got Breached??? Who Has Log Analysis???

Who is doing what?

• Who is doing what?
• What access do they have?
• Is that access appropriate?
• Where are they accessing from?
• Is this normal behavior?
• Are there other Indicators of Compromise for the same account/host/service?

LM vs SIEM vs NGSIEM

LOG MANAGEMENT (LM)
• Log collection
• Centralized aggregation
• Long-term log retention
• Log rotation
• Log search and reporting
• Log analysis after storage

SECURITY INCIDENT AND EVENT MANAGEMENT (SIEM)
• Same functionality as “LM”
• Standard Correlation
• Alerting
• Dashboards
• Retention (Correlated Event)
• Forensic Analysis

NEXT GENERATION SIEM (NGSIEM)
• Same functionality as “SIEM”
• Advanced correlation
• Intelligence Feed
• Anomalies Detection
• Support Customization
• Support Cloud Deployment
• Integration with Security Solution

The Challenge
• Huge log-volumes
• Log-format diversity
• Proprietary log-formats
• False positive log records

The Challenge
• Lack of Intelligence Feed
• Intensive Human Analytics
• Lack of Incident Work Flow
• Rigid Deployment Scale

The Challenge
• Security Analytic Framework
• Storage Architecture
• Actionable Intelligence
• Implementer Skillset
• ID Management Integration

SECURITY ANALYTIC FRAMEWORK

[Diagram; labels recovered from the slide, in slide order.]

• Security Devices, Network Devices, Servers & Endpoint, Virtualization, Application, Configuration & File Integrity, Vulnerability Information, Identities, Cloud, Mobile, IOT
• Incident Response, Remediation, Compliance, GOVERNANCE
• Visualization, Analysis, Alert, Report, ANALYTIC
• Actionable Intelligence

STORAGE ARCHITECTURE

Nature / Type / Description

Online Storage

• Primary storage, formerly known as local storage. Optimized for quick writes and fast retrieval. Stores the most recently collected event data and the most frequently searched event data.

• Secondary storage, formerly known as network storage, for example SAN. Optimized to reduce space usage on optionally less expensive storage while still supporting fast retrieval. NGSIEM automatically migrates data partitions to the secondary storage.

NOTE: Data retention policies, searches, and reports operate on event data partitions regardless of whether they are residing on primary or secondary storage, or both.

Offline Storage

• Archival storage. Based on retention policies, archived logs are backed up to offline storage such as tape for safekeeping. When needed, they can be re-imported for use in long-term forensic analysis.

NGSIEM storage should be designed using the Three Tier Architecture Storage to resolve the storage challenge. By default, NGSIEM receives two separate but related data streams from the Collector Managers: the parsed event data and the raw data. The raw data is immediately stored in protected partitions to provide a secure evidence chain.

ACTIONABLE INTELLIGENCE

Next Generation Security Information and Event Management (NGSIEM) solution simplifies the deployment, management and day-to-day use of SIEM, readily adapts to dynamic enterprise environments and delivers the true “Actionable Intelligence” security professionals need to quickly understand their threat posture and prioritize response.

NEXT GEN SOC PEOPLE PROCESS TECHNOLOGY

[Diagram; labels recovered from the slide: LOG MANAGER; SIEM; Threats; Threats Intelligence; Collect, Normalize, Process, Correlate, Report; Logging Triggered; Tools / Tactics / Techniques; Analytics.]

• NGSOC Monitoring
• Vulnerability Assessment
• Penetration Test
• NOC Component Monitoring (Performance and Availability)
• Cyber Threat Alert Analysis
• Forensic Analysis
• Incident Handling And Responses
• Global Threat Notification
• Onsite, Phone & Email Support

NGSOC PEOPLE PROCESS TECHNOLOGY

[Organization chart; labels recovered from the slide: Operation; SOC Manager; Principal Consultant; Team Leader; Shift 1 (Day), Shift 2 (Day), Shift 3 (Night), Shift 4 (Night); Threat Analyst; Security Engineer; Security Analyst; Incident Respond; CONSULTANT; THREAT ANALYST; ENGINEER.]

NGSOC PEOPLE PROCESS TECHNOLOGY

Tool 1: Next Gen SIEM
Tool 2: Advance Endpoint Detection & Response
Tool 3: Network Packet Analytic
Tool 4: Advance Persistent Threat Detection & Respond
Tool 5: Threat Intelligence Integration

USE CASE

1. Traditional SOC vs NGSOC
2. Methodology
3. Scenario 1: SQL Injection
4. Scenario 2: Rapid Scanning
5. “MIRAI” Detection

TRADITIONAL SOC / NEXT GENERATION SOC

[Diagram; labels recovered from the slide: Next Generation Security Operation Center (NGSOC); Cybersecurity Monitoring; attacking; PROTECTING; NGFW Firewall; Access / ID; Network Proxy; Web Application Firewall; Web Server; End User; End Point; APT; legitimate; Network; Intelligence.]

Scenario 1 - SQL Injection Attack

[Diagram; labels recovered from the slide: WAF; Firewall; Web Server; ' OR 1=1 --abcd123456269; IP : [address illegible] Perform SQL injection to the Web server.]

(3) Send notification to Security Admin
(4) Perform remedy action based on the advisory and intel from NGSOC.

• Condition 1: SQL Injection Attack detected at WAF
• Condition 2: Abnormal traffic occurs in Firewall activity

Result: Correlate both Condition 1 & 2

Indicator of Compromise

Scenario 2 - Rapid Scanning Attack

[Diagram; labels recovered from the slide: Firewall; Web Server; IP : [address illegible] Perform Rapid Scanning to the Web server.]

(3) Send notification to Security Admin
(4) Perform remedy action based on the advisory and intel from NGSOC.

• Condition 1: High inbound traffic from one source IP towards multiple ports
• Condition 2: High number of GET 200, GET 403, GET 404 requests from Web Server

Result: Correlate both Condition 1 & 2

Indicator of Compromise
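
The two correlation rules above (a WAF SQL injection alert plus abnormal firewall traffic; one source IP hitting multiple ports plus a burst of GET 200/403/404 on the web server) can be expressed as detection logic. This is an added example, not code from the original slides; the window, thresholds, event field names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All thresholds, field names and events below are assumptions for illustration.
WINDOW = timedelta(minutes=5)  # correlation window
FW_BURST = 20                  # firewall connections counted as "abnormal traffic"
PORT_SPREAD = 10               # distinct destination ports counted as "multiple ports"
HTTP_BURST = 15                # GET 200/403/404 responses counted as "high"
SCAN_STATUSES = {200, 403, 404}


def build_sample_events():
    """Constructed events from three log sources (WAF, firewall, web server)."""
    t0 = datetime(2016, 10, 21, 10, 0, 0)
    sec = lambda n: t0 + timedelta(seconds=n)
    # Two WAF alerts; 192.0.2.4 has no firewall activity, so it must not correlate.
    events = [{"ts": t0, "src": "waf", "ip": "198.51.100.7", "sig": "sqli"},
              {"ts": t0, "src": "waf", "ip": "192.0.2.4", "sig": "sqli"}]
    # 198.51.100.7: the WAF alert is accompanied by a burst of firewall connections.
    events += [{"ts": sec(i), "src": "firewall", "ip": "198.51.100.7", "dport": 443}
               for i in range(25)]
    # 203.0.113.9: touches 12 ports and draws 18 GET responses from the web server.
    events += [{"ts": sec(i), "src": "firewall", "ip": "203.0.113.9", "dport": 20 + i}
               for i in range(12)]
    events += [{"ts": sec(i), "src": "web", "ip": "203.0.113.9", "method": "GET",
                "status": (200, 403, 404)[i % 3]} for i in range(18)]
    return events


def _within(events, start, end, source):
    """Events of one log source whose timestamp falls inside [start, end]."""
    return [e for e in events if e["src"] == source and start <= e["ts"] <= end]


def correlate(events):
    """Return sorted (ip, scenario) pairs where BOTH conditions hold in one window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = set()
    for ip, evs in by_ip.items():
        # Scenario 1: WAF SQL injection alert + abnormal firewall traffic.
        for alert in _within(evs, datetime.min, datetime.max, "waf"):
            if alert["sig"] != "sqli":
                continue
            fw = _within(evs, alert["ts"] - WINDOW, alert["ts"] + WINDOW, "firewall")
            if len(fw) >= FW_BURST:
                findings.add((ip, "sql_injection"))
        # Scenario 2: one source IP towards many ports + burst of GET 200/403/404.
        for first in _within(evs, datetime.min, datetime.max, "firewall"):
            end = first["ts"] + WINDOW
            ports = {e["dport"] for e in _within(evs, first["ts"], end, "firewall")}
            gets = [e for e in _within(evs, first["ts"], end, "web")
                    if e["method"] == "GET" and e["status"] in SCAN_STATUSES]
            if len(ports) >= PORT_SPREAD and len(gets) >= HTTP_BURST:
                findings.add((ip, "rapid_scanning"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for ip, scenario in correlate(build_sample_events()):
        print(f"Indicator of Compromise: {ip} ({scenario})")
```

Either condition on its own produces no finding, which is what keeps a lone WAF alert or a lone port sweep from being raised as an Indicator of Compromise.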

NGSOC & IOT

[Diagram; labels recovered from the slide: Accelerometer, Gyroscope, Magnetometer, Barometer, Proximity, Light Sensor, Touch Screen, GPS, WIFI, Bluetooth, GSM/CDMA/LTE, NFC, Camera / Mic.]

DDoS attacks are not a new phenomenon, and we often hear of companies getting hit by these attacks. We need to understand that before the Dyn DNS attack, there were 2 major DDoS attacks: Brian Krebs (665 Gbps) and OVH (1 Tbps).

Apparently, the attack was a response to his blog post, in which he exposed the operators of the DDoS service vDOS.

IOT BOTNET ATTACK

This botnet with 145607 cameras/DVR (1-30 Mbps per IP) is able to send >1.5 Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn.

CCTV Camera, IP Camera, Smart TV, Printer, Media Player

MIRAI BOTNET DETECTION USING NGSOC

Most SOCs actually detected the indicators of compromise upon gathering intelligence from news feeds and forums ahead of the attack date. The IOC hunting revealed that MIRAI had been scanning for available IOT or DNS servers within this region between July and October 2016. However, those attempts were mainly dropped by the firewall.

Here is the chronology of detection at our SOC:

• 21 Oct 2016 7:00 PM: DDOS started using Mirai at US…..
• 21 Oct 2016 6:24 PM: Threat Intelligence about Nyadrop IOT DDOS related
• 21 Oct 2016 5:00 PM: All clients have been notified of the IOC result
• 21 Oct 2016: IOC hunting revealed that 191.96.249.29 and 93.158.200.66 had been performing scans (Port UDP 53, 123, 19, 53413) in very small volume between 28 July 2016 and 11 October 2016
• 20 Oct 2016 1:19 AM: Threat Intelligence about Mirai IOT DDOS related

SUMMARY

• Understand Cybersecurity Threat Flow
• Enhance Your Cybersecurity Defense
• Develop Your NGSOC Road Map
• Build Your NGSOC

QUESTION & ANSWER