Power of Security Operation Center

Project Name: Power of Security Operation Center

Description: – Power of Security Operation Center is a concept of a highly skilled expert team working towards continuously monitoring and improving organizations security in the process of prevention, careful planning, detection and responding with a well-defined process. In order to keep the organization secured continuous effort and team communication and improvement is required in the process. The information regarding these critical activities, data, tools should be prepared in hand so that there wouldn’t arise any need to hunt for resolution information while the attacker is already entered in the system.

Author: Rohit D Sadgune / Amruta Sadgune

FAQ:-

1. Security Operation Center components
2. What is Power of Security Operation Center
   

   PROCESSES

   Adoption to a process has become a necessity to be successful, more efficient and effective. It acts like a connection between people and the technology. At multiple instances, people need to take proactive decisions, as it’s not a simple task to make the machine run 24 hours a day and 7 days a week. Setting up the right team and getting them to follow the right tasks is achieved through a well-defined process.

   Incident Triage

   Can be said as a first post –detection Incident response process, it can be a false positive as well. Here the respondent need to acknowledge the incidents and also determine the relevance and urgency. Triage Specialist are responsible for configuring security monitoring tools.

   Incident Reporting

   Reporting is an essential component in order for an incremental understanding of risks and opportunities. Team members are responsible for reviewing the attacks forwarded from Incident triage. Determine the appropriate response for the incidents and also to determine the potential impact of the incidents.

   Incident Analysis

   SOC incidents are based on the alerts, SIEM (Security Information Event Management) alerts could be false positive or false negative. For validating the results SOC Analyst needs to have a detailed knowledge about the source of the alerts. Identifying the affected system and scope of the attacks. Digging into to find out the root cause of the issue.

   Incident Closure

   Once the incident is being identified and the SOC analyst has validated the result as true positive. The remediation process needs to be considered as a top priority. In an incident closure the primary objective of SOC analyst is to co-relate all the different devices and form a context from it. Once the context is clear the SOC Analyst will give proper recommendation for the respective indicator of compromise or indicator of attack.

   Post incident

   Once an incident is being closed different teams which includes the infrastructure team, DEVOPS team and DB operations team etc. Would share all their inputs to the Security Operation Center and based on all these inputs the SOC Analyst will be creating new use cases and would keep a separate eye for all the use cases for a specific period of time. This monitoring will be done to track back for any backdoor or residue that has been left by an adversary.

   Vulnerability Discovery

   We can imagine this model to be the similar to the process of finding the defects in a software during the testing phase. Vulnerabilities can re-present a very high risk for any organizations. Vulnerability Discovery is divided into 4 phases

   1. Discovery of Device or Application.
   2. Service Enumeration
   3. Scanning.
   4. Verification

   Vulnerability Remediation

   Each organization needs to work on the remediation process before attackers take benefit from the organization weakness. This process involves

   1. The implementation of threat modelling and monitoring which allows the security operations team to constantly gather intelligence about the past, current and the upcoming threats that may affect the enterprise posture.
   2. Enforcing standard baselines and configuration for each device which comes under critical enterprise posture.
   3. Continuous Vulnerability Assessment of all the critical devices as well as application once they have been changed even on the a small modification in the configuration or code.
   4. The system developers need to release the patches on priority once the vulnerability is discovered. Before applying the patch, one needs to verify the effects of patches in a separate network environment.

    

   

    

   PEOPLE

   A SOC team may comprise of different skilled people operating at different levels. We can figure out few titles as below

   Alert Analyst:  This member is responsible for continuously monitoring alert queue for security alerts. Collect and document data for Suspicious Activity, account and transaction data and to provide it as an input to the next level for investigation.

   Required Skills of People

   • Governance
   • Structure
   • Experience
   • Training and Certification

    TECHNOLOGY

   In Security operations Center technology places a very important role. Multi-dimensional and multilevel technology needs to collaborate in effective way so that they can secure enterprise posture for a longer period of time. The technology involves Next generation SIEM Solutions, End point protections, threat hunting technologies, vulnerability assessment technologies. APT (Advance Persistence Technologies), Deception Technologies.

   Vulnerability Tracking

   Vulnerability tracking can be identified using different vulnerability feeds, Vulnerability Databases,

   Mitre common vulnerabilities and exposure (CVE), CERT Vulnerability Databases, Defense Information System Agency (DISA) Databases, Information Assurance vulnerability Alerts (IAVA) Database, securitytracker.com, Open Vulnerability and assessment language (OVAL), Security Technical Implementation Guides (STIG) which are common vulnerability assessment sources.

    Vulnerability Assessment

   The technologies in this area needs to support the following aspect of vulnerability assessment.

   Vulnerability Assessment is majorly dived into 6 parts

   1. External Assessment : Identifying weakness from on outside network
   2. Internal Assessment: Identify vulnerabilities for the internal posture of the network.
   3. Social Engineering : Explore gaps of human interactions in the enterprise in training’s.
   4. Wireless Assessment : Identifying weakness from inside/outside wireless network.
   5. Physical Security Assessment : Identifying weakness from inside/outside network.
   6. Application and Database Assessment : Identifying weakness from inside/outside network.

   The SOC analyst will ensure following things using vulnerability assessment technology

   1. Continuously scan and monitor vulnerabilities of enterprise posture.
   2. Run automatic scan after specific duration
   3. Validate all the vulnerabilities or the weakness for the devices, applications, database or the infrastructure which is public facing
   4. Create custom policies. Identify new threats and add those threats for regular scan.
   5. Monitor Network infrastructure passively.
   6. Identify the sectors, zones of the network infrastructure where it is the most vulnerable.
   7. Mark intrusion threats as critical ones and keep a separate eye on them.
   8. Create custom dashboards which should be categorized as critical assets, top vulnerabilities and compliance.

   Log management

   Collecting the aggregation of right data for analysis considering all the log sources that is, events of your complete enterprise posture of in centralized repository. Converting log data in usable, searchable and understandable format which is nothing but normalization.

   Which logs needs to be considered for the security operation process?

   1. End point protection logs
   2. Home grown application logs
   3. IDS/ IPS Logs
   4. Firewall
   5. Identity and Access management logs
   6. Network devices like Routers and Switches
   7. All Operating System Logs
   8. Vulnerability Management and Proxy Logs

   Control

   For more information please follow the below

   Link: Cyber Security Controls

   Cyber Visibility

   In Security Operation Center visibility is a very crucial factor to play. SOC analyst need to have visibility on following point

   1. Critical Assets
   2. Network Devices and how they are functioning
   3. Systems (Servers / Workstations)
   4. Network Flow (Packet Analytics)
   5. Digital Forensics & Incident Response

   Events Collection, Correlation and Analysis

   Security Operation Center analyst will spend more time on event collection which is about aggregation, correlating different data sources back to IP, system(host) or entity(account/user).

   Log Analysis is the process of inspecting logs for monitoring security aspects. Log analysis covers following point.

   1. Collection of Log Data
   2. Clearing unwanted data (Filter Data it is required)
   3. Normalization of Data
   4. Analysis of Data

Benefits of Log Analysis

• Proactive Log Processing
• Integration of Different Data Sources
• Log Monitoring
• Use Cases Alerts and Incident Notifications
• Compliance Management
• Creating Complex use cases
• Threat discovery and hunting