How to organise Cyber Security Operations Center-CSOC?

Date post: 02-Nov-2021
Page 1: How to organise Cyber Security Operations Center-CSOC?

How to organise Cyber Security Operations Center - CSOC?

Igor Hitrec, (ISC)2 Adriatic Chapter Meeting, 20 May 2021

Page 2: How to organise Cyber Security Operations Center-CSOC?

whoami

» SOC Manager @beIN.COM
» Miramax, Digiturk, USA, France, UK, Singapore, Australia, Qatar
» www.linkedin.com/in/igorhitrec-cybersecuritymanager

Page 3: How to organise Cyber Security Operations Center-CSOC?

Why do we need a CSOC?

SOC, CSOC, GSOC…

Why?

To consolidate and centralize defense and response capabilities, and to support the business/function/….

Page 4: How to organise Cyber Security Operations Center-CSOC?
Page 5: How to organise Cyber Security Operations Center-CSOC?

Components of CSOC

» To protect
• Business

» we need
• People
• Technology
• Processes

» by providing
• (X)SOC Services

Page 6: How to organise Cyber Security Operations Center-CSOC?

Business part
» Business drivers
» Customers
» Privacy
» Governance
» Charter Document

Page 7: How to organise Cyber Security Operations Center-CSOC?

Business part
» Information security management system
» Risk assessment
» Risk management
» Incident management -> Service Level Agreement
» Deployed security controls

Page 8: How to organise Cyber Security Operations Center-CSOC?

CSOC Strategy – MITRE 10 commandments
1. Consolidate computer and network defense under one organization
2. Achieve Balance Between Size
3. Give SOC Authority to Do its Job
4. Do a Few Things Well
5. Favour Staff Quality over Quantity
6. Maximize the Value of Technology Purchases
7. Exercise Discrimination in the Data You Gather
8. Protect the SOC Mission
9. Be a Sophisticated Consumer and Producer of Cyber Threat Intelligence
10. Stop. Think. Respond... Calmly

Page 9: How to organise Cyber Security Operations Center-CSOC?

CSOC Operating Models - Gartner

(SOC Model / Attributes / Typical Adopter)

» Virtual SOC
• No dedicated facility
• Part-time team members
• Reactive, activated when a critical alert or incident occurs
• Primary model when fully delegated to an MSSP
Typical adopter: SMBs, small enterprises

» Multifunction SOC/NOC
• Dedicated facility with a dedicated team performing not just security, but some other critical 24/7 IT operations from the same facility to reduce costs
Typical adopter: Small, midsize and low-risk large enterprises where network and security functions are already performed by the same or an overlapping group of people and teams

» Distributed/Co-managed SOC
• Dedicated and semi-dedicated team members
• Typically 5x8 operations
• When used with an MSSP it is co-managed
Typical adopter: Small and midsize enterprises

» Dedicated SOC
• Dedicated facility
• Dedicated team
• Fully in-house
• 24/7 operations
Typical adopter: Large enterprises, service providers, high-risk organizations

» Command SOC
• Coordinates other SOCs
• Provides threat intelligence, situational awareness and additional expertise
• Rarely directly involved in day-to-day operations
Typical adopter: Very large enterprises and service providers; governments, military, intelligence

Page 10: How to organise Cyber Security Operations Center-CSOC?

CSOC example of an operating model

Page 11: How to organise Cyber Security Operations Center-CSOC?

SOC manpower sizing

Estimations (Year 1): alerts/day, minutes/incident (SLA!), hours/day, people (3 shifts, 24/7)

» T1 analysts: 100 alerts/day, 20 minutes/incident, 33.3 hours/day, 4.16 people -> 2 per shift, overall 8
» T2 analysts: 30 alerts/day, 60 minutes/incident, 30 hours/day, 3.75 people -> 1 per shift, overall 4
» T3 analysts: 3 alerts/day, 240 minutes/incident, 12 hours/day, 1.5 people -> 2 for redundancy, with extra working time
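As an added worked example (not from the deck), the sizing arithmetic above written as a small calculator: hours/day = alerts/day × minutes/incident ÷ 60, analyst-shifts/day = hours/day ÷ 8, plus a utilization check that shows which tier the chosen per-shift staffing cannot absorb. The 8-hour shift, 3 shifts per day and 4-team rotation are assumptions, as are the class and function names.

```python
import math
from dataclasses import dataclass

# Assumptions (not from the deck): three 8-hour shifts per day and four
# rotating teams so every seat is staffed 24/7 including days off.
HOURS_PER_SHIFT = 8
SHIFTS_PER_DAY = 3
ROTATION_TEAMS = 4

@dataclass
class Tier:
    name: str
    alerts_per_day: float        # expected volume reaching this tier (Year 1)
    minutes_per_incident: float  # handling-time budget per incident, driven by the SLA
    analysts_per_shift: int      # the staffing decision being evaluated

    def hours_per_day(self) -> float:
        """Daily analyst workload: alerts x minutes, expressed in hours."""
        return self.alerts_per_day * self.minutes_per_incident / 60

    def analyst_shifts_per_day(self) -> float:
        """How many 8-hour analyst-shifts that workload consumes per day."""
        return self.hours_per_day() / HOURS_PER_SHIFT

    def minimum_per_shift(self) -> int:
        """Smallest whole number of analysts per shift that covers the workload."""
        return math.ceil(self.analyst_shifts_per_day() / SHIFTS_PER_DAY)

    def headcount(self) -> int:
        """Total people needed to keep analysts_per_shift seats filled 24/7."""
        return self.analysts_per_shift * ROTATION_TEAMS

    def utilization(self) -> float:
        """Workload divided by daily capacity; above 1.0 the SLA cannot hold."""
        capacity = self.analysts_per_shift * SHIFTS_PER_DAY * HOURS_PER_SHIFT
        return self.hours_per_day() / capacity

def overloaded(tiers):
    """Names of tiers whose planned per-shift staffing cannot absorb the estimated workload."""
    return [t.name for t in tiers if t.utilization() > 1.0]

# Year-1 estimates from the deck, with the per-shift staffing the deck chose.
DECK_PLAN = [
    Tier("T1", alerts_per_day=100, minutes_per_incident=20, analysts_per_shift=2),
    Tier("T2", alerts_per_day=30, minutes_per_incident=60, analysts_per_shift=1),
    Tier("T3", alerts_per_day=3, minutes_per_incident=240, analysts_per_shift=2),
]
```

With the deck's figures, T1 and T3 run under capacity while T2 at one analyst per shift has 24 hours of capacity against 30 hours of estimated daily work, which is the kind of gap the SLA column should surface before a budget is fixed.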

Page 12: How to organise Cyber Security Operations Center-CSOC?

SOC manpower sizing
» SOC Administrator
» Threat Intelligence
» Threat Hunt
» Reporting, metrics, analytics

Page 13: How to organise Cyber Security Operations Center-CSOC?

SOC manpower - competences

(Function / Job position in SOC / Courses and certification)

» Threat analysis (T1 Analyst, T2 Analyst, T3 Analyst)
• GIAC Security Essentials (GSEC)
• EC-Council Certified Incident Handler
• GIAC Certified Incident Handler (GCIH)
• (ISC)2 CISSP Certified Information Systems Security Professional

» Incident management (T2 Analyst, T3 Analyst, SOC Manager)
• ISO/IEC 27035 Lead Incident Manager

» CSIRT-CERT (SOC Manager)
• ISO/IEC 27035 Lead Incident Manager
• ISACA CISM Certified Information Security Manager
• (ISC)2 CISSP Certified Information Systems Security Professional

» Incident response (T2 Analyst, T3 Analyst)
• GIAC Cyber Threat Intelligence (GCTI)
• EC-Council Certified Ethical Hacker

» Case studies (SOC Administrator, T2 Analyst, T3 Analyst)
• EC-Council Certified Ethical Hacker
• SANS FOR578: Cyber Threat Intelligence
• GIAC Cyber Threat Intelligence (GCTI)
• GIAC Response and Industrial Defense (GRID)

» Threat Intelligence (T3 Analyst)
• SANS FOR578: Cyber Threat Intelligence
• GIAC Cyber Threat Intelligence (GCTI)

» Forensic analysis (T3 Analyst)
• SANS FOR508: Advanced Incident Response, Threat Hunting and Digital Forensics
• GIAC Certified Forensic Analyst (GCFA)
• GIAC Response and Industrial Defense (GRID)

» Reporting (T3 Analyst)
• Solution provider trainings

» Analytics (T3 Analyst)
• GIAC Certified Forensic Analyst (GCFA)
• ARCITURA Big Data Science Certified Professional (BDSCP)

» SOC Administration (SOC Administrator, T3 Analyst)
• Solution provider trainings

» Log source management (SOC Administrator, T3 Analyst)
• Microsoft MTA
• Microsoft MCSE
• LPI Linux Enterprise Professional – Security
• GIAC Global Industrial Cyber Security Professional (GICSP)

» SOC Integrations (SOC Administrator, T3 Analyst)
• Solution provider trainings

Page 14: How to organise Cyber Security Operations Center-CSOC?

SOC Technologies

Page 15: How to organise Cyber Security Operations Center-CSOC?

SOC Tools
» SIEM – Security Information and Event Management: collecting logs and NetFlow, offense library, use case builder, dashboards, alerting, reports…
» SOAR - Security Orchestration, Automation, and Response: managing incident response playbooks, escalation matrix, ticketing service, KPI dashboards, alerting, reporting, capability for automated response…
» Threat Intelligence Platform: receiving various threat feeds, scoring capabilities, building your own threat feed and sending it to your SIEM, SOAR and other controls…
» Big Data infrastructure

Page 16: How to organise Cyber Security Operations Center-CSOC?

SOC and security controls

Page 17: How to organise Cyber Security Operations Center-CSOC?

MS Windows infrastructure integration

» MS Windows Events to watch
• https://www.microsoft.com/en-us/download/details.aspx?id=52630
• https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
• https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise

Page 18: How to organise Cyber Security Operations Center-CSOC?

MS Windows infrastructure integration

» Monitor PowerShell Events
§ Heavily used by attackers
§ PowerShell v5 (latest is 7.1.3) is the minimum recommended version for enhanced logging capabilities
§ No PowerShell audit is enabled by default
§ 501: PowerShell execution
§ 4103: Module logging
§ 4104: PowerShell ScriptBlock module loading
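An added example (not from the deck) of a detail a SIEM use case on event 4104 has to handle: a long script block is logged as several 4104 events that share a ScriptBlockId and carry MessageNumber and MessageTotal, so a rule that reads one event sees only a fragment. The sample records are constructed; their keys mirror the 4104 EventData field names, and the class and function names are assumptions.

```python
from dataclasses import dataclass, field

# Event 4104 (Microsoft-Windows-PowerShell/Operational) splits a long script
# block across several events sharing one ScriptBlockId, numbered by
# MessageNumber out of MessageTotal. Reassemble before inspecting the text.

@dataclass
class ScriptBlock:
    script_block_id: str
    path: str
    total: int
    parts: dict = field(default_factory=dict)  # MessageNumber -> fragment text

    def complete(self) -> bool:
        return len(self.parts) == self.total

    def text(self) -> str:
        # Fragments may be forwarded out of order; join them by MessageNumber.
        return "".join(self.parts[n] for n in sorted(self.parts))

class ScriptBlockReassembler:
    def __init__(self):
        self._pending = {}  # ScriptBlockId -> ScriptBlock still missing parts

    def add(self, event: dict):
        """Consume one 4104 EventData record; return the block once all parts are in."""
        sb = self._pending.setdefault(
            event["ScriptBlockId"],
            ScriptBlock(event["ScriptBlockId"], event.get("Path", ""), int(event["MessageTotal"])))
        sb.parts[int(event["MessageNumber"])] = event["ScriptBlockText"]
        if sb.complete():
            return self._pending.pop(sb.script_block_id)
        return None

    def incomplete(self):
        return sorted(self._pending)

# Constructed sample records shaped like 4104 EventData (not real captures).
SAMPLE_EVENTS = [
    {"ScriptBlockId": "b1", "MessageNumber": 2, "MessageTotal": 2, "ScriptBlockText": "Export-Csv C:\\ops\\svc.csv"},
    {"ScriptBlockId": "a9", "MessageNumber": 1, "MessageTotal": 1, "ScriptBlockText": "Get-Date"},
    {"ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 2, "ScriptBlockText": "Get-Service | "},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 3, "ScriptBlockText": "# part 1 of 3, rest not forwarded"},
]

def reassemble(events):
    """Return (completed blocks in completion order, ids still missing parts)."""
    r = ScriptBlockReassembler()
    done = [sb for sb in (r.add(e) for e in events) if sb is not None]
    return done, r.incomplete()
```

Blocks left in the incomplete list are worth a log-source health alert of their own, since a WEF gap or a dropped event means the use case never saw the full script.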

Page 19: How to organise Cyber Security Operations Center-CSOC?

MS Windows infrastructure integration

» Windows Registry Persistence Monitoring
§ https://www.cyborgsecurity.com/cyborg_labs/hunting-for-persistence-registry-run-keys-startup-folder/

Page 20: How to organise Cyber Security Operations Center-CSOC?

MS Windows infrastructure integration

» SYSMON
• Free tool from Microsoft
• No performance issues
• Around 3 EPS per machine [depends on configuration]
• Provides massive visibility
• Extra logging features for Windows:
  • Loaded drivers
  • Logs process creation with full command line for both current and parent processes
  • Records the hash of process image files
  • DLL injection [CreateRemoteThread]
  • Includes a session GUID in each event to allow correlation of events on the same logon session
  • Optionally logs network connections, including each connection's source process, IP addresses, port numbers, hostnames and port names.
• SYSMON configuration file
  • https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml

Page 21: How to organise Cyber Security Operations Center-CSOC?

MS Windows infrastructure integration

» Windows Event Forwarding
• Windows Event Forwarding (WEF) reads any operational or administrative event log on Windows devices and forwards the events you choose to a Windows Event Collector (WEC) server.
• WEF subscription to be configured to push logs to the WEC server
• The WEF client machine's local event log is the buffer for WEF for when the connection to the WEC server is lost. Maximum file size is configurable
• Events can be sent to multiple Collectors (optional, for high availability)
• Endpoint logs to be forwarded to a dedicated WEF server for endpoints
• https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

Page 22: How to organise Cyber Security Operations Center-CSOC?

Use Cases Framework - MaGMa
» Used by Dutch financial institutions
» MaGMa Use Case Framework (UCF) is a framework and tool for use case management and administration that helps organizations to operationalize their security monitoring strategy
» https://www.betaalvereniging.nl/en/safety/magma/

Page 23: How to organise Cyber Security Operations Center-CSOC?

Use Cases Framework - MaGMa

Page 24: How to organise Cyber Security Operations Center-CSOC?

Use Cases Framework - SPEED
» Splunk, QRadar, ArcSight, ELK Elastalert
» http://correlatedsecurity.com/introducing-speed-use-case-framework-v1-0/
» https://github.com/correlatedsecurity/SPEED-SIEM-Use-Case-Framework

Page 25: How to organise Cyber Security Operations Center-CSOC?

Use Cases Framework - SPEED

Page 26: How to organise Cyber Security Operations Center-CSOC?

Use Cases for MS Windows Infrastructure
» SYSMON MODULAR (MITRE ATT&CK framework mapping)
https://github.com/olafhartong/sysmon-modular
» Atomic Red Team (MITRE ATT&CK framework mapping)
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md
» Red Team Automation (MITRE ATT&CK framework mapping)
https://github.com/endgameinc/RTA

Page 27: How to organise Cyber Security Operations Center-CSOC?

SOC Processes (labels recovered from the process diagram on this slide)

» Service groups: Security Intelligence Services, SOC Build Services, SOC Run Services
» Process boxes: Security Intelligence, Threat Hunting, Use Case/Rules, Release & Deployment, Log Source/Contextual Data, Tier 1/2 Threat Monitoring & Triage, Tier 3 Incident Response, Lessons Learned, Crisis Management, Forensics Investigation, Fraud/HR, Remediation, Reporting Management, Security Control Update, Analytics, CSIRT
» Roles: SOC Manager, T1/2 – Monitoring & Triage, T3 – Response Intelligence, SOC Admin, CSIRT, IT or OT
» ITIL processes (reference only): Configuration Management, Change Management, Problem Management

Page 28: How to organise Cyber Security Operations Center-CSOC?

Security Intelligence Services
» Security Intelligence (Threat Intel (TI) Analyst)
• Process + Threat Intel platform
• Reviewing feed input, checking applicability, building an internal threat feed, cooperation with the Tx's (tier analysts) in tuning controls and building use cases
» Use Case Management (TI Analyst and Tx's)
• Working upon Threat Intel and Tx's input, testing and putting in production
» Security Control Update (IT Department)
• Usually with IT, following ITIL change management; SOC should monitor and be informed

Page 29: How to organise Cyber Security Operations Center-CSOC?

Security Intelligence Services
» Threat Hunting (T3)
• Input from Threat Intel, input from case studies
• Planned and approved activity
• Should use all available tools
• Methodology: TaHiTI
https://www.betaalvereniging.nl/en/safety/tahiti

Page 30: How to organise Cyber Security Operations Center-CSOC?

SOC Build Services
» Log sources and contextual data (SOC Admin)
• RegEx ninja
• Constant monitoring and maintaining quality of log sources
» Release and Deployment (TI Analyst and SOC Admin)
• Working with IT, upgrading configurations, updating Use Cases, SOAR playbooks management

Page 31: How to organise Cyber Security Operations Center-CSOC?

SOC Run Services
» Monitoring and triaging incidents (Tx's)
• As per playbooks: initial phase, identification, containment, eradication, recovery, lessons learned
• Escalation, Automation
» Incident Response (T3)
• In case of serious incidents that might lead to damage and interruption
» CSIRT (T3, SOC Manager, CISO…)
• Confirmed serious incident, escalation…

Page 32: How to organise Cyber Security Operations Center-CSOC?

SOC Run Services
» Lessons Learned
• To formalize the need for necessary improvements after an incident
• To improve current controls, measure SOC effectiveness, start a new strategic initiative
» Crisis Management
» Forensic Investigation
» Remediation & Disaster Recovery

Page 33: How to organise Cyber Security Operations Center-CSOC?

SOC Metrics
» SOC-CMM Model
» 5 domains, 25 aspects
» https://www.soc-cmm.com/

Page 34: How to organise Cyber Security Operations Center-CSOC?

SOC Metrics

Page 35: How to organise Cyber Security Operations Center-CSOC?

SOC Metrics

Page 36: How to organise Cyber Security Operations Center-CSOC?

SOC Risks (Gartner)
» Breach Response Failures
» Skills, Expertise and Staff Retention
» Demonstrating a Return on Investment

Page 37: How to organise Cyber Security Operations Center-CSOC?

SOC Alternatives
» Informal SOC
» Outsourced SOC (MSSP)

Page 38: How to organise Cyber Security Operations Center-CSOC?

Recommendations
» If money is short -> keep high business value and critical security functions in-house (architecture design, GRC management, analytics and incident response);
» Outsource easier tasks to an MSSP; it might be cheaper and should provide additional eyes for monitoring and help during security incidents, weekends and holidays;
» Develop tightly defined goals first (Strategy!) and clear metrics for what the SOC needs to deliver;
» Secure budget for 2-3 years for the SOC – this amount of time is usually required for people/processes/technology to achieve proper maturity and efficiency.

Page 39: How to organise Cyber Security Operations Center-CSOC?

» The End

