Professional Documents
Culture Documents
Anatomy of A Security Operations Center: (Gfirst 2010
Anatomy of A Security Operations Center: (Gfirst 2010
8/2/2010 2
Sample Problem Statement:
8/2/2010 3
Goal of a SOC
8/2/2010 8
8/2/2010 9
Threat Management Capability
Function
Collect information on threats and methodology from
Incidents, External Sources (Commercial, public, etc.),
Partners, CI
Organize and correlate the information
Analyze the relevance of the information to the Agency
Determine the need and course of action
Act: Block; Watch; other
Assess the results
Utilize Database to Assess new Incidents
Provide Alerts & Notifications
Threat Management System
Unify Threat Management -- Enable Consistent and repeatable threat
management process.
Centralize and Structure Threat Database -- Capture and consolidate
vulnerabilities, malicious code and patches that affect critical technologies and
processes. Centralize repository for threat and vulnerability data from trusted
sources in a searchable, standards-compliant database.
Bring in Threat Content -- Populate customized threat data with information from
Agencys own research, content from a commercial threat feed provider and
threat advisories received via email.
Analyze and Refine Threat Data -- Analyze and react to vulnerabilities and
malicious code based on the impact to Agency
Alert Users to Emerging Threats -- Automatically notify responsible personnel so
they can proactively address emerging threats.
Report on Threat Levels and Activities -- Produce real-time reports and user-
specific dashboards to view threats by technology, severity, type and impact to
Agency organization.
Validate Vulnerability Remediation -- Reporting of activities related to threat
remediation.
8/2/2010
Threat Management System
Console
Threat
Data From Aggregation Correlation Analysis
Sources
Threat Reporting
Mgnt.
Database
8/2/2010
Security Data Sets
Cyber
Incident
Threat
Management
Management
SOC
Synergy
Vulnerability
Management
SMART Action
13
Incident States & Work Elements
8/2/2010 14
SOC Incident Response Process
States: SOC Incident Response Process Flow
SIM
Open
2.Analysis, Tier-2
Tier-2 Analysis
Categorization, &
Impact
Triage
Assessment
OIG Leads
OIG
Investigation(s)
Yes
OIG/CI
Incident? Counter
Counter
Intelligence Leads
Intelligence
No Investigation(s)
Yes
Call-Down Incident Call Down
Required? Manager Procedure
No
3.Containment Confirmed
Potential PII
Incident
No
Incident
Manager
Yes
Tier-2
Notify US-CERT,
Follow PII Breach
Response Process
Tier-3
Containment
Containment Work Tickets
& Recovery
Eradication
Eradication
Work Tickets
Recovery
Recovery
Recovered
Post Incident
Resolution
(Post Incident
Actions)
Work Tickets
Incident
Resolved Manager
Review
Review
5.Post Incident No
OK
Closeout
Yes
6.Review/Closeout
Cyber Threat Risk Assessment
Threat Opportunity/ Impact
Vulnerability
Credibility Capability Intent
High Information from Actors possess Targeted confidentiality, Systems vulnerable Significant impact
(2) highly reliable Expert level integrity, or availability to known vectors or to Agency
source or has been knowledge and (CIA) attack of dataset methodology Programs, Project,
independently extensive or individuals. and/or available to Operations,
confirmed resources Disruption of critical known Actors. People, Data,
indicative of Agency mission or Systems, or Cost.
organized efforts function.
Moderat Information from Actors possess Non-targeted Attacks of Systems potentially Moderate impact
e normally reliable Moderate to high Agency systems vulnerable to to Agency
source but levels of affecting confidentiality, known vectors or Programs, Project,
(1)
unconfirmed sophistication integrity, or availability methodology Operations,
with moderate (CIA) of data. E.g. web and/or potentially People, Data,
resources defacement, botnets, etc. available to known Systems, or Cost.
Actors.
Low Information from Actors possess Drive by or Systems not likely Low impact to
(0) unreliable source or Low level of opportunistic attacks vulnerable to Agency Programs,
source without sophistication (or Unknown) known vectors or Project,
established history with little methodology Operations,
(or Unknown) resources and/or not likely People, Data,
required. available to known Systems, or Cost.
(or Unknown) Actors (or Unknown)
(or Unknown)
US-CERT Incident Categories
Exercise/Network Defense Testing This category is used during state, federal, national, international
CAT 0 exercises and approved activity testing of internal/external network
defenses or responses.
CAT 1 Unauthorized Access In this category an individual gains logical or physical access
without permission to a federal agency network, system, application,
data, or other resource
*Denial of Service (DoS) An attack that successfully prevents or impairs the normal authorized
CAT 2 functionality of networks, systems or applications by exhausting
resources. This activity includes being the victim or participating in
the DoS.
*Malicious Code Successful installation of malicious software (e.g., virus, worm,
CAT 3 Trojan horse, or other code-based malicious entity) that infects an
operating system or application. Agencies are NOT required to
report malicious logic that has been successfully quarantined by
antivirus (AV) software.
Scans/Probes/Attempted Access This category includes any activity that seeks to access or identify a
CAT 5 federal agency computer, open ports, protocols, service, or any
combination for later exploit. This activity does not directly result in
a compromise or denial of service.
Investigation Unconfirmed incidents that are potentially malicious or anomalous
CAT 6 activity deemed by the reporting entity to warrant further review.
Incidents Per Year
3000
2500
2000
1500
1000
500
0
2006 2007 2008 2009
6 1 2
11% 6% 1%
1
2
3
5 4
28% 3
5
43%
6
4
11%
700
600
500
400
400 350
300 250
200 150
100
75
100
15
0
A B C D E F G H I
Reactive
Proactive
Predictive
Definitions
Incident Detection Systems (IDS) Vulnerability Handling Threat Management & Correlation
System
8/2/2010
Staffing
On the Cheap!
State of Art!
Cyber Security from Different
Perspectives
Hosts:
Firewalls
IDS/IPS
Data Loss Prevention
Behavior Based Detection
Anti-Spyware
Rogue Host Detection
Policy Auditor
Devise Control (USBs, etc.)
Asset Management
Baseline Monitoring (FDCC)
Application White listing
Patch Management
Remote Forensics
Etc.
Possible Shopping Lists
Network
Log Aggregation and SIM
Flow Monitoring
Full Packet Capture
Next Generation Firewalls shift from blocking IPs and
Ports to controlling applications
Web Application Firewall
Web Proxy
Content Monitoring (Network Based DLP)
New IDSs Code Behavior/ Reputation
Continuous Vulnerability Scanning
Honeypot
Possible Shopping Lists
Other
SOC -- provide Incident Response, Forensics Capabilities,
Threat Monitoring, Intelligence Gathering
Continuous Monitoring
Better User Training and Awareness First line of defense:
Informed Users!
Contingency Planning
Red Team/Blue Team (inc. Third Party Penetration Testing &
Web/Application Testing)
Encryption
2 Factor Authentication
Identify, classify, and tag what you need to protect, what are
your crown jewels, what will affect your organizational
viability.