BGA SOME/SOC Event - What Should the SOC Model for Corporate SOMEs (CSIRTs) Look Like?

Uploaded by bga-bilgi-guevenligi-akademisi, posted 03 Aug 2015; 54 slides.

TRANSCRIPT

Page 1: BGA SOME/SOC Event - What Should the SOC Model for Corporate SOMEs (CSIRTs) Look Like?

CYBER SECURITY INCIDENT RESPONSE TEAM (CSIRT) and CYBER SECURITY OPERATION CENTER (SOC)
BY BGA INFORMATION SECURITY & CONSULTING

THX TO MITRE.ORG

BGA INFORMATION SECURITY & CONSULTING

Page 2

About me: Candan BÖLÜKBAŞ

• about.me/bolukbas
• METU Computer Eng.
• CCNA, CCNP, CEH, CHFI, ITIL, MCP, ECSP
• Enterprise Security Services Manager
• 7-year .Net & Obj-C Developer
• T.C. Cumhurbaşkanlığı Network & Security Admin
• [email protected]
• @candanbolukbas


Page 4

Agenda

• Introduction
• Cyber Attack in the world
• CSIRT statistics from the world
• CSIRT efficiency measurement
• Best Practices for Creating a CSIRT
• What is SOC?
• SOC Best Practices
• SIEM & SOC & CSIRT Relation
• Questions

Page 5

Challenges that today’s security organizations have to deal with:

• Malware campaigns launched by organized criminal groups who look to steal information that can be sold on the black market
• Increasingly powerful distributed denial-of-service (DDoS) attacks that can take out large websites
• State-sponsored espionage that can penetrate even well-defended networks

Page 6

As attacks have become more sophisticated, the need for Computer Security Incident Response Teams (CSIRTs) has grown.

[Figure] Botnets, distributed denial-of-service (DDoS) attacks, insider threats and advanced persistent threats (APTs) all feed into the CSIRT.


Page 10

What Are Some Best Practices for Creating a CSIRT?

• Step #1: Obtain management support
• Step #2: Determine the CSIRT strategic plan
• Step #3: Design the CSIRT vision
• Step #4: Begin CSIRT implementation
• Step #5: Evaluate CSIRT effectiveness

Page 11

Step 1: Obtain Management Support and Buy-In

• Executive, business and department managers and their staffs must commit time to participate in this planning process; their input is essential during the design effort.
• Along with obtaining management support for the planning and implementation process, it is equally important to get management commitment to sustain CSIRT operations and authority for the long term.
• It is important to elicit management's expectations and perceptions of the CSIRT's function and responsibilities.


Page 13

[Pie chart] What percentage of your organization’s security budget is allocated to incident response?
Answer categories: More than 50%; 41% to 50%; 31% to 40%; 21% to 30%; 10% to 20%; Less than 10%.
Response shares shown on the chart: 1%, 2%, 5%, 11%, 31%, 50%.

Page 14

Step 2: Determine the CSIRT Development Strategic Plan

• Are there specific time frames to be met? Are they realistic, and if not, can they be changed?
• Is there a project group? Where do the group members come from? You want to ensure that all stakeholders are represented.
• How do you let the organization know about the development of the CSIRT?
• If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed?

Page 15

Step 3: Design Your CSIRT Vision

In creating your vision, you should:

• Identify your constituency. Who does the CSIRT support and serve?
• Define your CSIRT mission, goals, and objectives. What does the CSIRT do for the identified constituency?
• Select the CSIRT services to provide to the constituency (or others). How does the CSIRT support its mission?
• Determine the organizational model. How is the CSIRT structured and organized?
• Identify required resources. What staff, equipment, and infrastructure are needed to operate the CSIRT?
• Determine your CSIRT funding. How is the CSIRT funded for its initial startup and its long-term maintenance and growth?

Page 16

Step 4: Begin CSIRT Implementation

Once management and constituency buy-in is obtained for the vision, begin the implementation:

• Hire and train initial CSIRT staff.
• Buy equipment and build any necessary network infrastructure to support the team.
• Develop the initial set of CSIRT policies and procedures to support your services.
• Define the specifications for and build your incident-tracking system.
• Develop incident-reporting guidelines and forms for your constituency.

Page 17

[Bar chart] How many team members are fully dedicated to CSIRT?
Team sizes: 0; 1; 2-5; 5-10; 10+.
Response shares shown on the chart: 45%, 28%, 14%, 11%, 2%.

Page 18

Step 5: Evaluate the Effectiveness of the CSIRT

Information on effectiveness can be gathered through a variety of feedback mechanisms, including:

• Benchmarking against other CSIRTs
• General discussions with constituency representatives
• Evaluation surveys distributed to constituency members on a periodic basis
• Creation of a set of criteria or quality parameters
• Compare with Expectations for Computer Security Incident Response (RFC 2350)
• Remember that Patience Can Be a Key!

Page 19

How long it takes to respond: approximate average MTTI, MTTK, MTTF and MTTV experienced by organizations in an APT

• MTTI: mean time to identify
• MTTK: mean time to know
• MTTF: mean time to fix
• MTTV: mean time to verify
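To make the four metrics on this slide measurable, here is an added example (not from the slides or from BGA) that computes MTTI, MTTK, MTTF and MTTV in hours from a constructed set of incident records. The stage boundaries it uses (estimated start of compromise, identified, known, fixed, verified) and the sample timestamps are assumptions made for the example; an incident whose later stages are still open contributes only to the stages it has completed, so open incidents do not silently pull the averages down.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records for the example (not real data). Each timestamp
# marks when the team reached that stage; None means the stage is still open.
# Stage boundaries are an assumption made for this example:
#   started    - estimated start of the compromise (from forensics)
#   identified - the SOC first recognised the incident
#   known      - scope and root cause were understood
#   fixed      - containment and remediation completed
#   verified   - the fix was confirmed to be effective
INCIDENTS = [
    {"id": "INC-1", "started": "2015-07-01 08:00", "identified": "2015-07-01 10:00",
     "known": "2015-07-01 16:00", "fixed": "2015-07-02 10:00", "verified": "2015-07-02 14:00"},
    {"id": "INC-2", "started": "2015-06-20 00:00", "identified": "2015-06-25 00:00",
     "known": "2015-06-26 12:00", "fixed": "2015-06-28 12:00", "verified": "2015-06-29 00:00"},
    # Still being worked: no fix or verification yet, so it only counts toward MTTI and MTTK.
    {"id": "INC-3", "started": "2015-07-10 09:00", "identified": "2015-07-10 09:30",
     "known": "2015-07-10 12:30", "fixed": None, "verified": None},
]

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M"

# Metric name -> (stage that starts the clock, stage that stops it)
METRICS = {
    "MTTI": ("started", "identified"),
    "MTTK": ("identified", "known"),
    "MTTF": ("known", "fixed"),
    "MTTV": ("fixed", "verified"),
}


def parse_timestamp(value):
    """Parse a stage timestamp; None stays None (stage not reached yet)."""
    return datetime.strptime(value, TIMESTAMP_FORMAT) if value else None


def stage_hours(incident, start_stage, end_stage):
    """Hours spent between two stages of one incident, or None if either is open."""
    start = parse_timestamp(incident.get(start_stage))
    end = parse_timestamp(incident.get(end_stage))
    if start is None or end is None:
        return None
    if end < start:
        raise ValueError(f"{incident['id']}: {end_stage} precedes {start_stage}")
    return (end - start).total_seconds() / 3600


def mean_times(incidents):
    """Mean hours per metric over the incidents that completed that stage."""
    result = {}
    for metric, (start_stage, end_stage) in METRICS.items():
        samples = []
        for incident in incidents:
            hours = stage_hours(incident, start_stage, end_stage)
            if hours is not None:
                samples.append(hours)
        result[metric] = round(mean(samples), 1) if samples else None
    return result


def mean_time_to_resolve(incidents):
    """Mean hours from compromise start to verified fix, closed incidents only."""
    samples = [h for h in (stage_hours(i, "started", "verified") for i in incidents)
               if h is not None]
    return round(mean(samples), 1) if samples else None


if __name__ == "__main__":
    for metric, hours in mean_times(INCIDENTS).items():
        print(f"{metric}: {hours} h")
    print(f"Mean time to resolve (closed incidents): {mean_time_to_resolve(INCIDENTS)} h")
```

Run it as a script to print the four means; `stage_hours` raises on a record whose stages are out of order, which is the most common data-entry error in an incident-tracking system and would otherwise produce negative durations that make the averages look better than they are.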

Page 20

[Bar chart] Most effective security tools for detecting security breaches
Tools listed: Anti-virus; IP reputation & threat feed services; Intrusion prevention/detection systems; SIEM; Analysis of NetFlow or packet captures.
Shares shown on the chart: 80%, 76%, 67%, 65%, 56%.


Page 22

Reactive Services
• Alerts and Warnings
• Incident Handling
  ◦ Incident analysis (Forensic & Tracking)
  ◦ Incident response on site
  ◦ Incident response support
  ◦ Incident response coordination
• Vulnerability Handling
  ◦ Vulnerability analysis
  ◦ Vulnerability response
  ◦ Vulnerability response coordination
• Artifact Handling
  ◦ Artifact analysis
  ◦ Artifact response
  ◦ Artifact response coordination

Proactive Services
• Border Protection Device O&M
• SOC Infrastructure O&M
• Custom Signature Creation
• Tool Research and Development
• Security Audits or Assessments (Scan & Pentest)
• Tool Engineering and Deployment
• Configuration and Maintenance of Security Tools, Applications, and Infrastructures
• Audit Data Collection and Distribution
• Intrusion Detection Services
• Security-Related Information Dissemination

Security Quality Management Services
• Risk Analysis
• Business Continuity and Disaster Recovery Planning
• Security Consulting
• Awareness Building
• Education/Training
• Product Evaluation or Certification


Page 24

APT


Page 26

DEMO

Page 27

What Is a SOC?

The practice of defense against unauthorized activity within computer networks, including monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities. It includes:

◦ Computer Security Incident Response Team (CSIRT)
◦ Computer Incident Response Team (CIRT)
◦ Computer Incident Response Center (or Capability) (CIRC)
◦ Computer Security Incident Response Center (or Capability) (CSIRC)
◦ Security Operations Center (SOC)
◦ Cybersecurity Operations Center (CSOC)
◦ Computer Emergency Response Team (CERT)

Page 28

SOC’s mission statement typically includes the following elements:

1. Prevention of cybersecurity incidents through proactive:
   a. Continuous threat analysis
   b. Network and host scanning for vulnerabilities
   c. Countermeasure deployment coordination
   d. Security policy and architecture consulting
2. Monitoring, detection, and analysis of potential intrusions in real time and through historical trending on security-relevant data sources
3. Response to confirmed incidents, by coordinating resources and directing use of timely and appropriate countermeasures
4. Providing situational awareness and reporting on cybersecurity status, incidents, and trends in adversary behavior to appropriate organizations
5. Engineering and operating CND technologies such as IDSes and data collection/analysis systems

Page 29

Get Started

1. Founding: 0 to 6 Months
2. Build-Out: 6 to 12 Months
3. Initial Operating Capability: 12–18 Months
4. Full Operating Capability: 18 Months and More

The best way to test a SOC is to measure the SOC’s performance in response to an actual Red Team penetration of constituency assets.

Page 30

SOC Roles and Incident Escalation


Page 33

(Same services list as Page 22: Reactive Services, Proactive Services, Security Quality Management Services.)


Page 35

Typical SOC Tool Architecture

Context to Tip-offs: Full-Spectrum CND Data

Page 36

The most prominent challenge for any monitoring system, particularly IDSes, is to achieve a high true positive rate.

Page 37

No matter how good the tool or analyst, overzealous efforts to generate and aggregate huge amounts of data into one place diminish the value of good data, because it is lost in the noise of worthless data.

Monitoring systems such as IDS and SIEM are not “fire and forget”; they require regular care and feeding.
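As an added example (not from the slides or from BGA) of how the two points on Pages 36 and 37 are measured in practice, the following Python computes the true positive rate of each detection rule from analyst triage verdicts, shows how one untuned bulk rule drags down the SOC's overall rate while consuming most of the triage time, and flags rules whose rate falls below a threshold as candidates for the "care and feeding" the slide calls for. The rule names, dispositions and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed triage records for the example (not real alerts): one entry per
# alert an analyst reviewed, with the rule that raised it and the verdict.
ALERTS = (
    [{"rule": "ids:exploit-attempt", "disposition": "true_positive"}] * 3
    + [{"rule": "ids:exploit-attempt", "disposition": "false_positive"}] * 1
    + [{"rule": "siem:brute-force-success", "disposition": "true_positive"}] * 2
    + [{"rule": "siem:brute-force-success", "disposition": "false_positive"}] * 1
    # A bulk rule fed straight into the queue without tuning: 20 alerts, none real.
    + [{"rule": "av:pup-detected", "disposition": "false_positive"}] * 20
)


def rule_stats(alerts):
    """Per rule: alerts fired, confirmed true positives and the true positive rate."""
    counts = defaultdict(lambda: {"fired": 0, "true_positives": 0})
    for alert in alerts:
        stats = counts[alert["rule"]]
        stats["fired"] += 1
        if alert["disposition"] == "true_positive":
            stats["true_positives"] += 1
    return {
        rule: {**stats, "tp_rate": stats["true_positives"] / stats["fired"]}
        for rule, stats in counts.items()
    }


def overall_tp_rate(alerts):
    """Share of all reviewed alerts that turned out to be real incidents."""
    if not alerts:
        return 0.0
    hits = sum(1 for a in alerts if a["disposition"] == "true_positive")
    return hits / len(alerts)


def triage_share(alerts):
    """Fraction of the analysts' triage volume each rule consumes."""
    return {rule: s["fired"] / len(alerts) for rule, s in rule_stats(alerts).items()}


def rules_needing_tuning(alerts, min_tp_rate=0.2, min_fired=5):
    """Rules that fired often enough to judge and whose true positive rate is too low."""
    return sorted(
        rule for rule, s in rule_stats(alerts).items()
        if s["fired"] >= min_fired and s["tp_rate"] < min_tp_rate
    )


def without_rule(alerts, rule):
    """The same queue with one rule's alerts removed, to see what that rule contributes."""
    return [a for a in alerts if a["rule"] != rule]


if __name__ == "__main__":
    for rule, s in rule_stats(ALERTS).items():
        print(f"{rule:26} fired={s['fired']:3} tp={s['true_positives']:2} "
              f"tp_rate={s['tp_rate']:.2f}")
    print(f"overall tp rate, all rules:          {overall_tp_rate(ALERTS):.2f}")
    noisy = "av:pup-detected"
    print(f"overall tp rate, noisy rule removed: "
          f"{overall_tp_rate(without_rule(ALERTS, noisy)):.2f}")
    print(f"triage volume consumed by {noisy}: {triage_share(ALERTS)[noisy]:.0%}")
    print("rules to tune:", rules_needing_tuning(ALERTS))
```

With these constructed numbers the bulk rule accounts for roughly three quarters of the triage volume and none of the true positives, which is exactly the "lost in the noise" effect: the remedy is to tune or re-scope that rule at the source, not to pour more data into the SIEM.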

Page 38

SIEM Overview

• Perimeter network monitoring
• Insider threat and audit
• APT detection
• Configuration monitoring
• Workflow and escalation
• Incident analysis and network forensics
• Policy compliance
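An added example (not from the slides or from any SIEM product) of the monitoring, correlation and escalation loop behind this list: it normalises constructed sshd-style log lines, correlates repeated failed logins with a later success from the same source and user, assigns a severity and routes the finding to an escalation tier (the SOC roles and escalation path of Page 30). Hostnames, addresses, users, thresholds and tier labels are assumptions made for the example; lines that do not match the expected format are counted rather than dropped silently, because a feed the parser cannot read is a feed the SIEM cannot use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log lines for the example (hosts, addresses and users are
# documentation values, not real systems). The last line is deliberately in a
# format the parser does not understand.
LOG_LINES = [
    "2015-07-20T09:00:01 fw01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50112",
    "2015-07-20T09:00:02 fw01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50113",
    "2015-07-20T09:00:04 fw01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50114",
    "2015-07-20T09:00:05 fw01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50115",
    "2015-07-20T09:00:07 fw01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50116",
    "2015-07-20T09:00:09 fw01 sshd[1201]: Accepted password for admin from 203.0.113.7 port 50117",
    "2015-07-20T09:01:00 fw01 sshd[1222]: Failed password for root from 198.51.100.4 port 41000",
    "2015-07-20T09:01:02 fw01 sshd[1222]: Failed password for root from 198.51.100.4 port 41001",
    "2015-07-20T09:01:04 fw01 sshd[1222]: Failed password for root from 198.51.100.4 port 41002",
    "2015-07-20T09:01:06 fw01 sshd[1222]: Failed password for root from 198.51.100.4 port 41003",
    "2015-07-20T09:01:08 fw01 sshd[1222]: Failed password for root from 198.51.100.4 port 41004",
    "2015-07-20T09:01:10 fw01 sshd[1222]: Failed password for root from 198.51.100.4 port 41005",
    "2015-07-20T09:05:00 fw01 sshd[1300]: Accepted password for alice from 192.0.2.10 port 40001",
    "2015-07-20T09:06:00 fw01 kernel: eth0: link is up",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)

# Escalation path assumed for the example (tier names are placeholders).
ESCALATION = {"high": "tier2-incident-handler", "medium": "tier1-analyst-review"}


def parse_line(line):
    """Normalise one raw line into an event dict, or None if it is not an sshd auth line."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def _finding(rule, severity, src, user, failure_count):
    return {"rule": rule, "severity": severity, "src": src, "user": user,
            "failures": failure_count, "escalate_to": ESCALATION[severity]}


def correlate(lines, threshold=5, window=timedelta(minutes=10)):
    """Run the brute-force rule over the lines.

    Returns (findings, unparsed): findings carry a severity and the tier they
    escalate to; unparsed counts lines the normaliser rejected, so feed-quality
    problems show up in the output instead of vanishing.
    """
    findings, unparsed = [], 0
    failures = defaultdict(list)  # (source address, user) -> failure timestamps
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1
            continue
        key = (event["src"], event["user"])
        if event["result"] == "Failed":
            failures[key].append(event["ts"])
            continue
        # A successful login: how many failures preceded it within the window?
        recent = [t for t in failures[key] if event["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append(_finding("brute-force-success", "high",
                                     event["src"], event["user"], len(recent)))
            failures[key].clear()
    # Failure bursts that never turned into a success still deserve a look.
    for (src, user), times in failures.items():
        if len(times) >= threshold and times[-1] - times[0] <= window:
            findings.append(_finding("brute-force-attempt", "medium", src, user, len(times)))
    return findings, unparsed


if __name__ == "__main__":
    found, skipped = correlate(LOG_LINES)
    for f in found:
        print(f"[{f['severity']}] {f['rule']}: {f['user']}@{f['src']} "
              f"after {f['failures']} failures -> {f['escalate_to']}")
    print(f"{skipped} line(s) did not match the expected format")
```

The threshold and window are the knobs an analyst tunes during the "care and feeding" phase: raising `threshold` to 7 on the sample data produces no findings at all, which is the kind of silent blind spot a SOC only notices if it periodically replays known-bad data through its rules.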


Page 41

Overlap Between SIEM, Network Management System, and LM

Page 42

Observations and Tips for Success

◦ Security and network management tools are not interchangeable.
◦ The best SIEMs were built from the ground up as SIEMs.
◦ Consider the whole package.
◦ A day to install; a year to operationalize.
◦ Each part of the SOC will use SIEM differently.
◦ A SIEM is only as good as the data you feed it.
◦ Automated response capabilities present the same challenges as IPS.

Page 43

Let’s consider some dos and don’ts when we think the SOC has found something bad:

◦ Follow your SOPs.
◦ Don’t panic.
◦ Don’t jump to conclusions.
◦ Be careful about attribution.
◦ Assess the full extent of the intrusion.
◦ Understand the “so what?”
◦ Follow rules of evidence collection and documentation, when appropriate.
◦ Provide measured updates at measured times.
◦ Carefully assess the impact of countermeasures and response actions.
◦ Ensure the entire SOC is working toward the same goal.
◦ Don’t be afraid to ask for help.


Page 51

References

[1] West-Brown, Moira J.; Stikvoort, Don; & Kossakowski, Klaus-Peter. Handbook for Computer Security Incident Response Teams (CSIRTs) (CMU/SEI-98-HB-001). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 1998. Note that this document was superseded by the 2nd edition (CMU/SEI-2003-HB-002), published in April 2003.

[2] Kossakowski, Klaus-Peter. Information Technology Incident Response Capabilities. Hamburg: Books on Demand, 2001 (ISBN: 3-8311-0059-4).

[3] Kossakowski, Klaus-Peter & Stikvoort, Don. A Trusted CSIRT Introducer in Europe. Amersfoort, Netherlands: M&I/Stelvio, February 2000.

[4] Exposing One of China’s Cyber Espionage Units. http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

[5] M-Trends® 2013: Attack the Security Gap. http://pages.fireeye.com/MF0D0O0PDVp6y106k0TI0B3

[6] M-Trends® 2011: When Prevention Fails. http://www.mandiant.com/assets/PDF_MTrends_2011.pdf

[7] M-Trends® 2012: An Evolving Threat. http://www.mandiant.com/assets/PDF_MTrends_2012.pdf

[8] Cyber Security Incident Response 2014. http://www.lancope.com/files/documents/Industry-Reports/Lancope-Ponemon-Report-Cyber-Security-Incident-Response.pdf

[9] Create a CSIRT. https://www.cert.org/incident-management/products-services/creating-a-csirt.cfm

[10] CSIRT Services list from CERT/CC. https://www.enisa.europa.eu/activities/cert/support/guide/appendix/csirt-services

Page 52

References

[1] Wikimedia Foundation, Inc., “Advanced Persistent Threat,” 3 Feb 2014. [Online]. Available: http://en.wikipedia.org/wiki/Advanced_persistent_threat. [Accessed 13 Feb 2014].

[2] R. G. Bace, Intrusion Detection, Indianapolis: Macmillan Technical Publishing, 2000.

[3] G. Killcrece, K.-P. Kossakowski, R. Ruefle and M. Zajicek, “State of the Practice of Computer Security Incident Response Teams (CSIRTs),” October 2003. [Online]. Available: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=6571. [Accessed 13 Feb 2014].

[4] G. Killcrece, K.-P. Kossakowski, R. Ruefle and M. Zajicek, “Organizational Models for Computer Security Incident Response Teams,” December 2003. [Online]. Available: www.cert.org/archive/pdf/03hb001.pdf. [Accessed 13 Feb 2014].

[5] S. Northcutt, Network Intrusion Detection (3rd Edition), Indianapolis: New Riders Publishing, 2002.

[6] T. Parker, E. Shaw, E. Stroz, M. G. Devost and M. H. Sachs, Cyber Adversary Characterization: Auditing the Hacker Mind, Rockland, MA: Syngress Publishing, Inc., 2004.

[7] L. Spitzner, Honeypots: Tracking Hackers, Addison-Wesley Professional, 2002.

[8] M. J. West-Brown, D. Stikvoort, K.-P. Kossakowski, G. Killcrece, R. Ruefle and M. Zajicek, “Handbook for Computer Security Incident Response Teams (CSIRTs),” April 2003. [Online]. Available: http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=6305. [Accessed 13 Feb 2014].

Page 53

Questions
