Security Operation Center for NCHC
Professor Ce-Kuen Shieh
General Director, National Center for High-performance Computing
National Cheng Kung University
Outline
• Brief Introduction to NCHC
• Purpose of Security Operation Center
• Architecture of SOC
• Features of NCHC SOC
• Main Achievements
• Summary
NARLabs Organization (organization chart)
• Board of Directors; President; Vice President; Consultation Committee
• Staff offices: Planning and Evaluation Office, Business Promotion Office, Administrative Management Office, Finance and Accounting Office, Audit Office, Information Management Office
• Research centers: National Space Organization; National Chip Implementation Center; National Center for High-performance Computing; Science & Technology Policy Research and Information Center; Taiwan Ocean Research Institute; Taiwan Typhoon & Flood Research Institute; National Nano Device Laboratories; National Laboratory Animal Center; National Center for Research on Earthquake Engineering; Instrument Technology Research Center
NCHC Milestones
• 1991: Officially Founded
• 1993: Hsinchu Headquarters Opened
• 2003: Became Incorporated
• 2005: Tainan Office Opened
• 2008: Taichung Office Opened
Categories of NCHC's Tasks
• Service
– Computing
– Storage
– Networking
• Research & Development
– Modeling & Simulation
– Big Data Applications
– Open Source Software Development
– Software Defined Network
HPC, Storage and Network Services
• Open to academic, research, and industrial users
• Supporting 700+ research projects per year
• ALPS, 2011: Rmax 177 TFLOPS, 442.00 MFLOPS/W
Storage Capacity
• Three-site, 3-tier backup
• Total capacity 5.4 PB
TaiWan Advanced Research and Education Network (TWAREN)
• 20Gbps backbone (toward 100G)
• 5Gbps international connection
NCHC Total Computing Capacity, Rmax (TF) by year (chart; Formosa series built by ourselves):
Year:      2008  2009  2010  2011   2012   2013
Rmax (TF): 31.7  31.7  46.9  289.4  308.9  308.9
Self-built Cluster Computers
• 2003 Formosa 1
– The first PC Cluster for online service
– 2003 TOP500 #135
• 2005 Formosa 2
– The first 64-bit PC Cluster for online service
– 64-bit Dual-Core CPU and InfiniBand
• 2010 Formosa 3
– Cloud Cluster
– Virtualization and Green Computing
– Cloud IaaS Service
• 2011 Formosa 4
– Cloud Cluster
– GPU accelerator
• 2012 Formosa 5
– Cloud Cluster
– Big memory
– Hybrid-Computing Platform
• Rankings shown on the slide: 2011 TOP500 #234 / 2011 Green500 #37, and 2011 TOP500 #232 / 2011 Green500 #62
Backbone Network Service
(Figures: TWAREN international connectivity map; TWAREN Domestic Backbone; TWAREN International Connection)
TWAREN: TaiWan Advanced Research and Education Network
• TWAREN
– Domestic backbone: 20Gbps
• 12 regional networks
• 95 universities & research institutes
• 500K users
– International connection: 5Gbps
• with 35 international research networks
– Network usability: 99.99%
– Shared with TANET (managed by MOE)
• 4000 schools, 4M users
• 100Gbps backbone is coming by the end of this year
Cyber Threats to Taiwan
Sources: Akamai's State of the Internet, Q4 2013 report; Symantec 2014 Internet Security Threat Report, Volume 19
Top Attack Traffic Originating Countries
Country Q4'13 Traffic % Q3'13 %
China 43% 35%
US 19% 11%
Canada 10% 0.40%
Indonesia 5.70% 20%
Taiwan 3.40% 5.20%
Netherlands 2.70% 0.50%
Russia 1.50% 2.60%
Brazil 1.10% 2.10%
Romania 0.90% 1.70%
Germany 0.80% 0.90%
Other 12% 17%
• Taiwan is at the frontline in an emerging global battle for cyberspace
– No.4 in Most Botnet Activity in 2013
– No.5 in Top Attack Traffic Originating Countries in 2013
Purpose of SOC
• A Security Operation Center (SOC) is to ensure the information security of internet users by
– Security device management
– Vulnerability management
– Network threat detection
– Security event management
– Incident response
Architecture of SOC (layered diagram)
• Hardware: Security and Network Devices
• Software: Security Information and Event Management (SIEM)
• People: Level 1 and Level 2 teams of Security Operators, Security Analysts, Software Engineers and Incident Handlers
• Procedure: Device Management; Threat and Vulnerability Management; Incident Response
Features of NCHC SOC
• Hybrid Intrusion Detection System
• Security Intelligence Dashboard and Visualization of Information Security
• Sharing intelligence with the Information Sharing and Analysis Center (A-ISAC)
• Joint Defense among TANet partners
Hybrid Intrusion Detection System (diagram)
• Network Intrusion Detection System: detecting known network attacks by signatures and patterns.
• Distributed Honeynet System: collecting unknown network threats and malware samples for further analysis.
• SIEM: event correlation and incident identification.
• Threats covered: DDoS, Hackers, Network Worms, Phishing emails
Hybrid Intrusion Detection System
• Network Intrusion Detection System
– Enterprise and open-source solutions
– APT Mail Detector
– Secure Web Gateway
• Distributed Honeynet System
– Low-interaction honeypots
– Simulating vulnerable systems for network threats
– Collecting malware samples and suspicious exploit traffic for further research
– Analyzing malware behavior for potential threats
Distributed Honeynet System
• Using 6000+ IP addresses for sensor deployment and data collection
• Cooperating with 11 national universities
• Collecting 1,500,000+ malware samples
• Providing a network threat list for TANet partners weekly
• Establishing a malware database
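The two slides above describe the SIEM's job in the hybrid design (correlating signature hits from the NIDS with unknown-threat activity captured by the honeynet) and two honeynet outputs (the weekly threat list and the malware database). The following is an added illustration written for this page, not NCHC's own code: the log formats, field names (src, sig, sha256), the 30-minute correlation window and the severity rules are all assumptions, and the alert and honeypot lines are constructed samples using documentation IP ranges and placeholder hash values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inputs (not real NCHC logs). IPs are RFC 5737 documentation
# addresses; "SAMPLE_A"/"SAMPLE_B" stand in for real SHA-256 digests.
NIDS_ALERTS = [
    "2014-05-01T10:00:05 src=203.0.113.7 dst=140.110.0.12 dport=445 sig=SMB_WORM_SCAN",
    "2014-05-01T10:00:09 src=198.51.100.23 dst=140.110.0.30 dport=22 sig=SSH_BRUTEFORCE",
    "2014-05-01T10:00:40 src=198.51.100.23 dst=140.110.0.31 dport=22 sig=SSH_BRUTEFORCE",
]
HONEYPOT_EVENTS = [
    "2014-05-01T10:03:41 sensor=hp-tainan-01 src=203.0.113.7 service=smb sha256=SAMPLE_A",
    "2014-05-01T10:04:10 sensor=hp-tainan-01 src=203.0.113.7 service=smb sha256=SAMPLE_A",
    "2014-05-01T11:30:00 sensor=hp-hsinchu-02 src=192.0.2.55 service=http sha256=SAMPLE_B",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def parse_line(line):
    """Parse '<ISO timestamp> key=value ...' into a dict; 'ts' becomes a datetime."""
    ts_text, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def correlate(nids_lines, honeypot_lines, window=timedelta(minutes=30)):
    """SIEM-style correlation keyed on source IP (severity rules are assumptions):
    high   - a source matched a NIDS signature and hit a honeypot within `window`
    medium - NIDS signature hits only (known attack, no captured sample)
    low    - honeypot activity only (unknown threat; sample queued for analysis)
    """
    by_src_nids = defaultdict(list)
    for event in map(parse_line, nids_lines):
        by_src_nids[event["src"]].append(event)
    by_src_hp = defaultdict(list)
    for event in map(parse_line, honeypot_lines):
        by_src_hp[event["src"]].append(event)

    incidents = {}
    for src in set(by_src_nids) | set(by_src_hp):
        alerts, hits = by_src_nids[src], by_src_hp[src]
        # Link a known-signature alert to a honeypot hit from the same source
        # if the two fall within the correlation window.
        linked = any(abs(a["ts"] - h["ts"]) <= window for a in alerts for h in hits)
        if linked:
            severity = "high"
        elif alerts:
            severity = "medium"
        else:
            severity = "low"
        incidents[src] = {
            "severity": severity,
            "signatures": sorted({a["sig"] for a in alerts}),
            "samples": sorted({h["sha256"] for h in hits}),
            "alerts": len(alerts),
            "honeypot_hits": len(hits),
        }
    return incidents


def threat_list(incidents, min_severity="medium"):
    """Sources at or above `min_severity`, e.g. the weekly list shared with partners."""
    floor = SEVERITY_RANK[min_severity]
    return sorted(src for src, inc in incidents.items()
                  if SEVERITY_RANK[inc["severity"]] >= floor)


def build_malware_db(honeypot_lines):
    """Deduplicate captured samples by hash, keeping first-seen time, count and sources."""
    db = {}
    for event in map(parse_line, honeypot_lines):
        rec = db.setdefault(event["sha256"],
                            {"first_seen": event["ts"], "count": 0, "sources": set()})
        rec["first_seen"] = min(rec["first_seen"], event["ts"])
        rec["count"] += 1
        rec["sources"].add(event["src"])
    return db


if __name__ == "__main__":
    incidents = correlate(NIDS_ALERTS, HONEYPOT_EVENTS)
    for src, inc in sorted(incidents.items()):
        print(src, inc["severity"], inc["signatures"], inc["samples"])
    print("threat list:", threat_list(incidents))
    for digest, rec in build_malware_db(HONEYPOT_EVENTS).items():
        print(digest, rec["count"], rec["first_seen"].isoformat(), sorted(rec["sources"]))
```

With the constructed data, the source that both triggered the SMB worm signature and dropped a sample on the Tainan honeypot is rated high, the SSH brute-force source (signature only) medium, and the source seen only by the Hsinchu honeypot low; the malware database collapses the two identical captures into one record with a count of two.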
Cyber Intelligence Dashboard
• A web-based system for monitoring, managing, reporting and notifying of events for IP-enabled devices
• A self-developed system based on open source software to provide cost-efficient network management services
Information Sharing and Analysis (diagram)
• ISPs: NCC-ISAC (HiNet incidents)
• Government Service Network: G-ISAC (GSN incidents)
• Taiwan Academic Network: A-ISAC
• NCHC SOC
NCHC SOC shares intelligence with other partners through Information Sharing and Analysis Centers.
Incidents Reported by NCHC SOC (charts: incidents from TANet users; incidents from Taiwan ISPs)
• Over 6,000 incidents reported by NCHC SOC in one month.
• NCHC SOC detected more than 10,000 incidents of network attacks in one month.
Joint Defense of TANet partners
• 24/7 operation for ensuring the efficiency of incident handling.
• NCHC cooperates with 7 regional network centers of Taiwan Academic Network for network monitoring and threat detection.
• Providing digital forensics, malware analysis and other technical support.
Main Achievements
• Ensuring Information Security
– Protecting 4,000+ schools and 5 Million users
• Reporting real-time Incidents (Avg.)
– Taiwan: 12,000+ tickets/month
– International: 2,500+ tickets/month
• Malware Collection
– Malware Samples: 1.5 Million (since 2009)
• Big Data (Avg.)
– Honeypot: 60GB/day
– Malware: 1200+ samples/day
(Diagram of the SOC ecosystem)
• Analysis components: Search Engine; Netflow Analysis (TWAREN Netflow, Campus Netflow); Malicious list; Honeynet Analysis; SPAM Mails Analysis; Malware Analysis; Forensics; Incident Management; TWMAN Analysis
• Partners: ISAC / CERT / CSIRT; G-ISAC; Telecom ISAC; Academic ISAC; GOV Agencies; TWNIC; TWCERT/CC; EC-Cert; MSSP/SOC; NCHC ASOC; NTU ASOC
Summary
• To adapt to changing network threats, a Hybrid Intrusion Detection System is essential for better security protection and efficient security services.
• The Distributed Honeynet System not only collects network threat samples, but also brings value to information security research.
• Strengthening international technological exchange and academic-industry cooperation to extend the scope of our Joint Defense Alliance is our future job.