Housekeeping
- This “LIVE” session is being recorded
Recordings are available to all Vivit members
Session Q&A:
Please type questions in the Questions Pane
What is a SOC?
• The security operations center (SOC) is a centralized command center for network security event monitoring and incident response.
• A SOC is responsible for detecting, analyzing, and reporting unauthorized or malicious network activity by employing advanced threat-hunting capabilities.
• The three basic types of SOC:
Threat-centric | Compliance-based | Operational-based
Threat-Centric SOC
• Proactively hunts for malicious threats on networks
• Focuses on addressing security across the entire attack continuum—before, during and after an attack
Compliance-Based SOC
• Focuses on comparing the posture of network systems to reference configuration templates or standard system builds
• Reports and tracks deviations from those baselines to support audit and regulatory obligations, rather than hunting for active attackers
Operational-Based SOC
• An internally focused organization that monitors the security posture of an organization's internal network
• Focused on the administration of firewall ACL rules, and so on
Process
Threat Modeling: a process in which IT security and business people meet to identify the key cyber threats to the organization, prioritize them, model what each would look like in machine data (logs and events), and then decide how to detect and remediate it
The objective is to be able to answer the following questions for any security incident investigation:
• Who: which IP address or domain was associated with the threat?
• What: what type of threat is on the system?
• When: when did the event occur?
• Where: where (by geolocation) did the attack originate?
• Why: what was the malware designed to achieve, i.e. the attacker's purpose?
• How: how did the malware get onto the system?
People
A critical part of any SOC is the process for responding to alerts and incidents, and most SOCs use a multi-tier approach
• Alerts are generated through a variety of devices on the networks
• And they go to the first tier of analysts for initial review. If the first tier cannot resolve the incident, it gets escalated to the next tier, which is staffed by personnel with more advanced knowledge and incident response tools.
• These alerts come from diverse sources, and the type of device determines which kinds of events can be extracted from it:
• DHCP Server
- Transaction data: dynamic IP address assignments; attribution of an IP address to a host by MAC address
• DNS Server
- Transaction data: DNS query/response transactions
• AAA Server
- Alert data: successful and failed authentication and authorization events
• IPS
- Alert data: IPS alerts triggered by the IPS rules and signatures
• Firewall
- Session data: connection events, NAT translations
- Packet captures: PCAP files collected manually by the firewall administrator
- Statistical data: top sources and destinations, top access rules
• Proxy (web and email)
- Transaction data: documents client requests and server responses
- Extracted data: malicious email attachments
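The DHCP attribution point above (an IP address alone does not identify a host; the lease that was active at the time of the event does) and the who/what/when/where questions from the Process slide, worked as a small Python example. This is an added example, not code from the webinar or from ArcSight; both log formats are assumed, and every log line is constructed for illustration.

```python
"""Time-aware attribution of IPS alerts to hosts via DHCP lease records.

Added example; not code from the webinar or from ArcSight. Both log formats
below are assumed, and every line is constructed for illustration.
"""
import re
from datetime import datetime

# Constructed DHCP server syslog lines (assumed format): IP 10.0.5.23 is
# leased to one workstation in the morning and re-issued to another at 13:30.
DHCP_LOG = """\
2018-02-20T08:00:01 dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (ws-finance-07) via eth0
2018-02-20T09:15:40 dhcpd: DHCPACK on 10.0.5.24 to 00:11:22:33:44:66 (ws-hr-02) via eth0
2018-02-20T13:30:00 dhcpd: DHCPACK on 10.0.5.23 to aa:bb:cc:dd:ee:ff (contractor-laptop) via eth0
"""

# Constructed IPS alert lines (assumed format): same source IP, two times of day,
# plus one alert from an IP the DHCP server never issued.
IPS_LOG = """\
2018-02-20T10:02:15 ips: ALERT sid=2024001 msg="Known C2 beacon" src=10.0.5.23 dst=203.0.113.10
2018-02-20T14:05:02 ips: ALERT sid=2024001 msg="Known C2 beacon" src=10.0.5.23 dst=203.0.113.10
2018-02-20T14:06:00 ips: ALERT sid=2024002 msg="Port scan" src=10.0.5.99 dst=10.0.1.5
"""

DHCP_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>\S+) \((?P<host>[^)]*)\)")
IPS_RE = re.compile(
    r'^(?P<ts>\S+) ips: ALERT sid=(?P<sid>\d+) msg="(?P<msg>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+)')


def parse_leases(text):
    """Return DHCPACK records sorted by time."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                           "mac": m["mac"], "host": m["host"]})
    return sorted(leases, key=lambda rec: rec["ts"])


def lease_at(leases, ip, when):
    """Most recent DHCPACK for `ip` at or before `when`.

    A plain IP->host table would return whichever lease was logged last and
    mis-attribute the morning alert; the lookup must be bounded by the alert
    time. (Assumes leases are not released early; parsing DHCPRELEASE lines
    would tighten this.)
    """
    best = None
    for rec in leases:
        if rec["ip"] == ip and rec["ts"] <= when:
            best = rec
    return best


def attribute_alerts(dhcp_text, ips_text):
    """Answer who/what/when/where for each IPS alert using DHCP attribution."""
    leases = parse_leases(dhcp_text)
    findings = []
    for line in ips_text.splitlines():
        m = IPS_RE.match(line)
        if not m:
            continue
        lease = lease_at(leases, m["src"], datetime.fromisoformat(m["ts"]))
        findings.append({
            "when": m["ts"],
            "what": f'{m["sid"]} {m["msg"]}',
            "who_ip": m["src"],
            "who_mac": lease["mac"] if lease else None,
            "who_host": lease["host"] if lease else None,   # None = unattributed
            "where": m["dst"],
        })
    return findings


if __name__ == "__main__":
    for finding in attribute_alerts(DHCP_LOG, IPS_LOG):
        print(finding)
```

The two beacon alerts carry the same source IP but resolve to different hosts because the lease changed between them; the third alert stays unattributed rather than being guessed. "Why" and "how" are not answerable from DHCP and IPS data alone and need the proxy or email sources listed above.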
Technology
• A balanced security solution that provides both proactive protection and room to expand as the environment grows
• Automatically assigns a severity level (H/M/L) to each incident and gathers all security information in one place
• Indexes all relevant machine data and log files from security and non-security sources in real time
• Enriches that data with external context, such as data from Active Directory, asset databases, third-party threat feeds and more
• Detects threats before they become breaches through a range of accurate, customizable detection methods, including correlation rules, risk scoring and anomaly detection
• Is user-friendly enough for all SOC personnel and flexible enough to be customized to the needs of every process and role in the SOC, including regulatory compliance (PCI, HIPAA and FFIEC)
• The ArcSight SIEM solution meets all of these requirements
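What a correlation rule with enrichment, risk scoring and H/M/L severity assignment looks like in practice, as an added Python example. It is not ArcSight rule syntax or ArcSight code; the AAA log format, the asset inventory, the directory entries and the scoring weights are all assumed and constructed for illustration.

```python
"""Correlation rule: a burst of failed logons followed by a success, enriched
with asset and directory context and assigned a severity.

Added example; not ArcSight rule syntax or ArcSight code. The AAA log format,
the asset inventory, the directory data and the scoring weights are assumed
and constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed AAA server events (assumed format).
AAA_LOG = """\
2018-02-20T02:00:01 aaa: FAIL user=svc_backup src=198.51.100.7 dst=10.0.1.5
2018-02-20T02:00:02 aaa: FAIL user=svc_backup src=198.51.100.7 dst=10.0.1.5
2018-02-20T02:00:03 aaa: FAIL user=svc_backup src=198.51.100.7 dst=10.0.1.5
2018-02-20T02:00:04 aaa: FAIL user=svc_backup src=198.51.100.7 dst=10.0.1.5
2018-02-20T02:00:05 aaa: FAIL user=svc_backup src=198.51.100.7 dst=10.0.1.5
2018-02-20T02:00:09 aaa: OK user=svc_backup src=198.51.100.7 dst=10.0.1.5
2018-02-20T09:10:00 aaa: FAIL user=jdoe src=10.0.5.24 dst=10.0.2.40
2018-02-20T09:10:20 aaa: OK user=jdoe src=10.0.5.24 dst=10.0.2.40
"""

# Constructed enrichment sources standing in for an asset database and a
# directory (e.g. Active Directory) lookup.
ASSETS = {
    "10.0.1.5": {"name": "dc01", "criticality": "high", "pci_scope": True},
    "10.0.2.40": {"name": "wiki01", "criticality": "low", "pci_scope": False},
}
DIRECTORY = {
    "svc_backup": {"privileged": True, "dept": "IT"},
    "jdoe": {"privileged": False, "dept": "HR"},
}

LINE_RE = re.compile(r"^(?P<ts>\S+) aaa: (?P<result>FAIL|OK) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+)$")

FAIL_THRESHOLD = 5             # rule fires on >= 5 failures ...
WINDOW = timedelta(minutes=5)  # ... within 5 minutes before the success


def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def risk_score(user, dst):
    """Assumed additive weights: the pattern itself plus target and account context."""
    asset = ASSETS.get(dst, {})
    account = DIRECTORY.get(user, {})
    score = 30
    if asset.get("criticality") == "high":
        score += 40
    if asset.get("pci_scope"):
        score += 10
    if account.get("privileged"):
        score += 20
    return min(score, 100)


def severity(score):
    """Map a 0-100 risk score onto the H/M/L levels used in the slides."""
    return "H" if score >= 70 else "M" if score >= 40 else "L"


def correlate(text):
    """Emit one incident per (user, src, dst) whose success follows a burst of failures."""
    failures = defaultdict(list)   # (user, src, dst) -> timestamps of recent failures
    incidents = []
    for e in parse(text):
        key = (e["user"], e["src"], e["dst"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            score = risk_score(e["user"], e["dst"])
            incidents.append({
                "rule": "brute-force-then-success",
                "ts": e["ts"].isoformat(),
                "user": e["user"], "src": e["src"], "dst": e["dst"],
                "asset": ASSETS.get(e["dst"], {}).get("name"),
                "failures": len(recent),
                "score": score,
                "severity": severity(score),
            })
        failures[key].clear()   # a success resets the counter either way
    return incidents


if __name__ == "__main__":
    for incident in correlate(AAA_LOG):
        print(incident)
```

Only the service-account burst against the domain controller fires; the single mistyped password on the wiki does not reach the threshold. The same raw pattern against a low-criticality host with an unprivileged account would score 30 and be rated L, which is the point of enriching before assigning severity.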
The ArcSight SIEM Solution
• An award-winning set of products for monitoring threat and risk
• ArcSight Enterprise Security Management (ESM) software for large-scale security monitoring deployments
• ArcSight Express, an appliance-based all-in-one offering that's designed for the midmarket, with preconfigured monitoring and reporting, as well as simplified data management.
• ArcSight Enterprise Security Manager (ESM): correlation and analysis engine used to identify security threats in real time, including in virtual environments
• ArcSight Logger: Log storage and Search solution
• ArcSight Identity View: User Identity tracking/User activity monitoring
• ArcSight Auditor Applications: automated continuous controls monitoring for both mobile and virtual environments
• ArcSight Connectors (Smart Connectors) collect event data from a variety of data sources.
• They then normalize, categorize and aggregate the event data, and securely and efficiently deliver events to ArcSight ESM or ArcSight Express (which combines ArcSight Logger and ESM functions for smaller installations).
• ArcSight Console provides the dashboard for the security operations center (SOC).
• ArcSight web-based consoles can be used by IT operations staff for searching through archived log data and generating compliance reports
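The connector stage described above (parse vendor-specific lines into one schema, aggregate repeats, deliver a normalized event) as an added Python example. It is not ArcSight SmartConnector code: the two raw line formats, the device and category names and the aggregation key are assumed and constructed. Only the output format follows ArcSight's published Common Event Format (CEF): a header of seven pipe-separated fields followed by space-separated key=value extensions, with backslash and pipe escaped in the header and backslash and equals escaped in extension values.

```python
r"""Connector-style pipeline: parse two vendor formats into one schema,
aggregate repeated events, and emit ArcSight CEF.

Added example; not ArcSight SmartConnector code. The two raw line formats,
device names, category labels and the aggregation key are assumed and
constructed. Only the CEF wire format (CEF:Version|Vendor|Product|Version|
SignatureID|Name|Severity|Extension, with \| and \\ escaped in the header
and \= and \\ escaped in extension values) follows the published spec.
"""
import re
from datetime import datetime

# Constructed raw events from two fictional device types. The AAA user carries
# a backslash so the CEF escaping is exercised.
RAW_LINES = [
    "2018-02-20T10:00:01 fw01 acmefw: deny tcp 10.0.5.23:51000 -> 203.0.113.10:443",
    "2018-02-20T10:00:02 fw01 acmefw: deny tcp 10.0.5.23:51001 -> 203.0.113.10:443",
    "2018-02-20T10:00:03 aaa01 acmeaaa: login failure for user=CORP\\jdoe from 10.0.5.24",
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) acmefw: (?P<act>allow|deny) (?P<proto>\w+) "
                   r"(?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)$")
AAA_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) acmeaaa: login (?P<result>success|failure) "
                    r"for user=(?P<user>\S+) from (?P<src>\S+)$")
NAMES = {"deny": "Connection denied", "allow": "Connection allowed"}


def epoch_ms(ts):
    return int(datetime.fromisoformat(ts).timestamp() * 1000)


def normalize(line):
    """Map a raw line onto a common schema: CEF header fields plus an extension dict."""
    m = FW_RE.match(line)
    if m:
        return {"vendor": "Acme", "product": "acmefw", "version": "1.0",
                "sig": "conn-" + m["act"], "name": NAMES[m["act"]],
                "sev": 3 if m["act"] == "deny" else 1,   # assumed mapping onto CEF 0-10
                "ext": {"rt": epoch_ms(m["ts"]), "dvchost": m["dev"], "cat": "/Firewall/Access",
                        "act": m["act"], "proto": m["proto"], "src": m["src"],
                        "spt": int(m["spt"]), "dst": m["dst"], "dpt": int(m["dpt"])}}
    m = AAA_RE.match(line)
    if m:
        return {"vendor": "Acme", "product": "acmeaaa", "version": "1.0",
                "sig": "login-" + m["result"], "name": f'Login {m["result"]}',
                "sev": 5 if m["result"] == "failure" else 1,
                "ext": {"rt": epoch_ms(m["ts"]), "dvchost": m["dev"],
                        "cat": "/Authentication/Login", "outcome": m["result"],
                        "suser": m["user"], "src": m["src"]}}
    return None   # unparsed lines would go to a raw/unknown bucket in practice


# Ephemeral fields left out of the aggregation key so repeated events collapse.
VOLATILE = {"rt", "spt"}


def aggregate(records):
    """Collapse records identical on all non-volatile fields; cnt carries the count."""
    buckets = {}
    for rec in records:
        key = (rec["vendor"], rec["product"], rec["sig"],
               tuple(sorted((k, v) for k, v in rec["ext"].items() if k not in VOLATILE)))
        if key not in buckets:
            agg = dict(rec, ext={k: v for k, v in rec["ext"].items() if k != "spt"})
            agg["ext"]["cnt"] = 0
            buckets[key] = agg
        buckets[key]["ext"]["cnt"] += 1
        buckets[key]["ext"]["end"] = rec["ext"]["rt"]   # rt keeps first-seen, end tracks last
    return list(buckets.values())


def esc_header(v):
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(v):
    return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(rec):
    header = "|".join(esc_header(rec[k])
                      for k in ("vendor", "product", "version", "sig", "name", "sev"))
    ext = " ".join(f"{k}={esc_ext(v)}" for k, v in rec["ext"].items())
    return f"CEF:0|{header}|{ext}"


def pipeline(lines):
    records = [r for r in map(normalize, lines) if r]
    return [to_cef(r) for r in aggregate(records)]


if __name__ == "__main__":
    for cef in pipeline(RAW_LINES):
        print(cef)
```

The two firewall denies differ only in source port, so they collapse into one CEF event with cnt=2; the choice of which fields are volatile decides what aggregation hides, so an analyst who later needs the individual source ports must keep them out of VOLATILE or retain the raw events (ArcSight Logger's role in the architecture above). Unescaped backslashes or equals signs in values such as domain user names would otherwise corrupt the extension when the SIEM parses it back.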
Built-in dashboards for real-time security analytics:
- Malware Activity
- Firewall
- IPS
- Endpoint Logs
- User Activity
• Also included are dashboards that monitor critical infrastructure, such as Cisco appliances, Microsoft Windows and Linux servers, for quick reporting on business-critical systems
Develop Key Relationships with External Resources
• SOCs require effective tools, security analysts with comprehensive technical backgrounds, and also strong relationships with external organizations
Upcoming Vivit Webinars
February 28, 2018
Unlock your ALM Investment – Micro Focus ALM and ALM Octane
9:00 - 10:00 AM PST (Los Angeles), 12:00 PM - 1:00 PM EST (New York), 18:00 - 19:00 CET (Frankfurt)
http://www.vivit-worldwide.org/events/EventDetails.aspx?id=1071812&group=