A Network Operations Center (NOC) is usually responsible for monitoring and maintaining the overall network infrastructure; its primary function is to ensure uninterrupted network service. A Cyber Security Operations Center (CSOC) uses security-related network activity to refine the response to security incidents. The CSOC and the NOC should complement each other and work in tandem.
Purpose of Cyber Security Operations Center
• Keeping intruders from getting inside has failed miserably
• Firewalls are not effective PROTECTION devices
• They are effective DETECTION devices (their logs show who is talking to whom)
• Change the strategy
• Assume they are already in, so go hunt for the compromised hosts
• Monitor outbound traffic
• Prevent their command and control communication
• Inbound monitoring catches server-side attacks; outbound monitoring catches client-side attacks (compromised clients calling out)
The CSOC is the logical place to collect, analyze and distribute the data that supports our Defense in Depth strategy:
• Detecting network-based attacks
• Detecting host-based attacks
• Eliminating security vulnerabilities
• Supporting authorized users
• Providing tools for minimizing business loss
This also helps us measure and report compliance with our IT policies and with state/federal laws and regulations:
• FERPA, HIPAA, PCI, ITAR, GLB, SOX
• Data sources: OS syslog/event logs, IDS logs, IPS logs, PID logs, firewall logs, pen test logs, PCI, netflow
• The CSOC needs to be able to analyze and display this data quickly
• The data resides on separate, distributed servers
• The CSOC pulls data from these servers as needed
• The CSOC lives in the IT Security Office & Lab
A Cyber Security Operations Center:
• Provides a real-time view of the VT network’s security status
• Provides information to assess risk, attacks and mitigation
• Provides data for network forensics
• Provides metrics
Building blocks of a CSOC:
• Event Generators (E boxes)
  • Any form of sensor: firewalls, IPS, IDS, Snort, Active Directory servers, Remedy, vulnerability scanners, TACACS, application software
  • Two kinds: polling generators (e.g. vulnerability scanners, which report when queried) and sensors that generate specific event data in response to a specific action (example: IDS or firewall)
• Event Databases (D boxes)
  • Provide basic storage, search and correlation tools for the events collected and sent to the CSOC
  • Vulnerability databases contain information about security breaches, etc.
• Event Reactions (R boxes)
  • SOC console
    • Used for internal analysis
    • Real-time monitors (Snort, BASE, IPS, DShield)
    • Incident handling
      • ServiceNow trouble ticket system
      • Location tools
    • Statistical analysis
  • End-user portals
    • Multi-level reporting for various target audiences
    • Sysadmins, management
• Analysis Engines (A boxes)
  • Help the analyst determine whether an incident has occurred, its spread, its impact, etc.
• Knowledge Base Engines (K boxes)
  • Store security configurations of critical assets, tips/tricks and effective solutions to previous
• Reaction and Report Engines (R boxes)
  • Switches, routers, IPS and associated management tools
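A worked example of the D-box/A-box function, added here and not taken from the page or from any CSOC product: the script normalizes events from the kinds of E-box sources listed above (a firewall, a Snort IDS and host syslog) into one schema, then correlates them by source address inside a time window to decide whether an incident candidate exists. The log lines are constructed, the regular expressions are simplified for those sample formats, and the year (syslog lines carry none), the 300 s window and the rule "IDS alert + firewall accept + host authentication failure from the same source" are assumptions.

```python
"""Normalize firewall, Snort IDS and sshd syslog events into one schema and
correlate them by source address and time (D-box storage/search + A-box
analysis). Added example; all log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2024   # assumption: classic syslog lines carry no year

# Constructed sample lines: a Snort 'fast' alert, iptables-style firewall
# logs and OpenSSH authentication failures (formats simplified).
LOG_LINES = [
    "03/14-10:01:05.123456  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
    "{TCP} 198.51.100.77:51234 -> 10.1.1.20:22",
    "Mar 14 10:01:06 fw01 kernel: ACCEPT IN=eth0 SRC=198.51.100.77 DST=10.1.1.20 PROTO=TCP SPT=51234 DPT=22",
    "Mar 14 10:01:09 srv20 sshd[4131]: Failed password for root from 198.51.100.77 port 51234 ssh2",
    "Mar 14 10:01:12 srv20 sshd[4131]: Failed password for root from 198.51.100.77 port 51240 ssh2",
    "Mar 14 10:20:00 fw01 kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.1.1.30 PROTO=TCP SPT=40000 DPT=443",
    "Mar 14 10:45:10 srv20 sshd[5002]: Failed password for alice from 10.1.1.55 port 50001 ssh2",
]

SNORT = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\].*?\] (.*?) \[\*\*\]"
                   r".*?(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")
FIREWALL = re.compile(r"^(\w{3}) (\d+) (\d\d:\d\d:\d\d) \S+ kernel: (ACCEPT|DROP) "
                      r".*SRC=(\S+) DST=(\S+) .*DPT=(\d+)")
SSHD = re.compile(r"^(\w{3}) (\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                  r"Failed password for (\S+) from (\S+) port")

def _ts(mon, day, clock):
    return datetime.strptime(f"{YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")

def normalize(line):
    """Map one raw line to the common schema {ts, source, src_ip, dst_ip, dport, msg}."""
    if m := SNORT.match(line):
        mon, day, clock, msg, src, dst, dport = m.groups()
        ts = datetime(YEAR, int(mon), int(day), *map(int, clock.split(":")))
        return {"ts": ts, "source": "ids", "src_ip": src, "dst_ip": dst,
                "dport": int(dport), "msg": msg}
    if m := FIREWALL.match(line):
        mon, day, clock, action, src, dst, dport = m.groups()
        return {"ts": _ts(mon, day, clock), "source": "firewall", "src_ip": src,
                "dst_ip": dst, "dport": int(dport), "msg": action}
    if m := SSHD.match(line):
        mon, day, clock, user, src = m.groups()
        return {"ts": _ts(mon, day, clock), "source": "host", "src_ip": src,
                "dst_ip": None, "dport": 22, "msg": f"auth failure {user}"}
    return None   # unknown format: stays in the raw-message view only

def correlate(events, window_s=300, need=("ids", "firewall", "host")):
    """Group events by src_ip and report a source whose events cover every
    category in `need` within one window of window_s seconds."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            inwin = [e for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            seen = {e["source"] for e in inwin}
            if all(s in seen for s in need):
                incidents.append({"src_ip": src, "start": first["ts"], "events": len(inwin),
                                  "summary": sorted({e["msg"] for e in inwin})})
                break
    return incidents

if __name__ == "__main__":
    parsed = [e for e in map(normalize, LOG_LINES) if e]
    for inc in correlate(parsed):
        print(f"incident candidate from {inc['src_ip']} at {inc['start']}: {inc['summary']}")
```

The firewall-only source (203.0.113.9) and the internal user mistyping a password (10.1.1.55) produce no incident; only the address seen by all three sensors within the window does, which is the kind of qualified alert the level-one agents should receive rather than three separate raw messages.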
Intrusion vs. extrusion:
• Intrusion detection is the process of identifying unauthorized activity by inspecting inbound network traffic
• Extrusion detection is the process of identifying unauthorized activity by inspecting outbound network traffic
• Network forensics is the art of collecting, protecting, analyzing and presenting network traffic to support remediation or prosecution
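As an added example (not from the original page) of extrusion detection, and of the "monitor outbound traffic, hunt for command-and-control" strategy set out at the top of this page, the script below scans constructed netflow records for an internal host calling one external destination at a near-constant interval, the beaconing pattern of malware polling its C2 server. The internal address ranges, the minimum number of flows and the jitter threshold (coefficient of variation of the inter-connection gaps) are assumptions.

```python
"""Extrusion detection over netflow: flag (internal src, external dst, port)
pairs whose outbound connections recur at a near-constant interval.
Added example; the flow records are constructed, not captured data."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space (RFC 1918); replace with the site's own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed flow records: (epoch seconds, src_ip, dst_ip, dst_port, bytes).
# 10.1.1.7 calls 203.0.113.5:443 about every 60 s with +/-1 s jitter (beacon);
# 10.1.1.8 browses a few sites at irregular times (benign noise).
FLOWS = [(t, "10.1.1.7", "203.0.113.5", 443, 540)
         for t in (0, 61, 120, 181, 240, 299, 360, 420)]
FLOWS += [(5, "10.1.1.8", "198.51.100.20", 443, 9100),
          (9, "10.1.1.8", "198.51.100.21", 80, 2200),
          (130, "10.1.1.8", "198.51.100.20", 443, 7800),
          (131, "10.1.1.8", "198.51.100.22", 443, 300),
          (300, "10.1.1.8", "198.51.100.20", 443, 12000),
          (355, "10.1.1.7", "198.51.100.30", 443, 3000)]   # one ordinary flow from the beaconing host

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_beacons(flows, min_flows=6, max_cv=0.10):
    """Return {(src, dst, port): (mean_gap, cv)} for outbound pairs whose
    inter-connection gaps have a coefficient of variation <= max_cv.
    A low CV means near-periodic timing, which human-driven traffic rarely shows."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if is_internal(src) and not is_internal(dst):   # outbound only (extrusion)
            by_pair[(src, dst, port)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons[pair] = (avg, cv)
    return beacons

if __name__ == "__main__":
    for (src, dst, port), (avg, cv) in find_beacons(FLOWS).items():
        print(f"possible C2 beacon: {src} -> {dst}:{port} every ~{avg:.0f}s (cv={cv:.3f})")
```

Legitimate software also beacons (NTP, update checkers, monitoring agents), so in practice the hits are compared against an allow-list of known destinations and reviewed together with bytes transferred and destination reputation before a host is pulled for forensics.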
CM Security Principles
• Some intruders are smarter than you
• Many intruders are unpredictable
• Prevention eventually fails
• Defensible networks can be watched; they are monitored
• Defensible networks limit an intruder’s freedom to maneuver; they are controlled
• Defensible networks offer a minimum number of services and client-side applications; they are minimized
• Defensible networks can be kept current
Interfaces in the CSOC:
Two kinds of interface are made available: the SOC console and the end-user portal.
The SOC console (R box) is designed for internal analysis and presents mostly unformatted data drawn from different parts of the K boxes. Its three interfaces are:
- the real-time monitoring interface, which provides raw data from the messages part of the K box. It allows basic filtering, much like running egrep over the messages to isolate specific ones, and is used for debugging, in-depth analysis of specific events and replay of events.
- the incident handling interface, which is the internal engine used to generate and follow up incident tickets and the reaction procedures described below. It provides qualified alert information as well as numerous debugging data and checkpoints. It is the most complex interface, since it must serve both operational needs (performance, ergonomics and advanced filters) and research and identification functions. Such an interface is the cornerstone of a timely and appropriate human reaction to intrusions.
- the statistical analysis interface, which provides raw security-activity statistics over short, medium and long-term periods. It is mainly used as the underlying layer for graphical representation.
The end-user portal provides formatted activity data. It is designed to provide multi-level reporting for audiences ranging from security engineers, through security officers, to high-level management. It is divided into three main parts:
- the permanent risk evaluation interface, which gives information about the current security level of the supervised systems' configuration and software versions. It provides information on the overall security level, vulnerability characteristics and criticality, intrusion scenarios, and patch or configuration details.
- the security activity interface, which is mid- to long-term reporting providing macro data about intrusion types, frequency, sources and consequences for the supervised system. At a lower level it is used to determine trends and identify specific items, such as recurring attack sources or the most targeted services to watch.
- the system status interface, which is the "pseudo real-time" interface for end users, allowing close follow-up of open incidents, systems under attack and intrusion paths activated by intruders. It also shows the reaction and escalation procedure currently under way to contain the attack.
Reaction and escalation procedures
Ultimately, reacting appropriately to an attack is mostly a question of organization and of procedures to be applied by the incident response teams. Reaction ranges from passive monitoring to gather further information, through CERT incident reporting, to an emergency halt of the target system. Of course, the appropriate reaction should be determined before an attack takes place, and procedures must be validated, then stored securely (mainly in terms of integrity) and made accessible to the supervision teams. In simple terms, levels of escalation must be defined to ensure quick and effective reaction together with appropriate use of human resources. The escalation procedure is given in the figure. Another aspect to be specified is the delay, also defined in the figure, within which the reaction procedure must be launched according to the attack's criticality. Once this delay is exhausted, escalation to the next (upper) level should be automatic.
- The first level should be what we refer to as agents: mid-level technical staff able to understand the events generated by the A boxes as well as the reaction procedure to apply (this is necessary because it is important to know when the application of such a procedure has failed). Agents escalate an incident to level two if the event does not match the "known event" or "pre-defined reaction" criteria, or if the time limit (t1) for its criticality is reached.
- The second level should be a team of technical experts. These experts are responsible for analyzing intrusion events that have not been defined a priori. Their priority is to qualify events with the help of the SOC console interfaces and provide a workaround to be applied by the level-one agents, pending further research or a permanent solution.
- The third level should be a "laboratory" in which suspicious packets, system operations and so on are replayed in order to determine the nature of the unknown intrusion and provide a fully qualified reaction procedure. The lab is also responsible for contacting vendors of operating systems, applications, hardware, etc. for patch design and/or application.
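The three-level procedure above, implemented as a small escalation engine so that the "delay exhausted, escalate automatically" rule is enforced by the ticketing logic rather than by memory. This is an added example, not from the original page or the system it describes; the delay table (standing in for the figure the text refers to), the catalogue of known events with pre-defined reactions, and the decision to apply the same delay again at level two are assumptions.

```python
"""Escalation engine for the three-level reaction procedure: an incident stays
with the level-1 agents while it matches a known event with a pre-defined
reaction and its criticality-dependent delay has not expired; otherwise it
escalates, and escalation on an exhausted delay is automatic.
Added example; DELAY, KNOWN_REACTIONS and the scenario are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed delay (seconds) before automatic escalation, per criticality,
# applied at each level (t1 at level 1, and again at level 2).
DELAY = {"high": 300, "medium": 1800, "low": 7200}
# Assumed catalogue of "known events" with a "pre-defined reaction".
KNOWN_REACTIONS = {
    "ssh-bruteforce": "block source at the firewall, check for successful logins",
    "known-malware-beacon": "isolate the host, open a ticket for reimaging",
}
LEVELS = {1: "agents", 2: "expert team", 3: "laboratory"}

@dataclass
class Incident:
    ident: str
    criticality: str
    event_type: str
    opened_at: float                       # epoch seconds
    level: int = 1
    level_since: float = 0.0
    reaction: Optional[str] = None
    closed_at: Optional[float] = None
    history: list = field(default_factory=list)   # (time, new level, reason)

    def __post_init__(self):
        self.level_since = self.opened_at
        self.reaction = KNOWN_REACTIONS.get(self.event_type)
        if self.reaction is None:
            # Agents only handle catalogued events: hand over to the experts at once.
            self._escalate(self.opened_at, "no known event / pre-defined reaction")

    def _escalate(self, now, reason):
        if self.level < 3:
            self.level += 1
            self.level_since = now
            self.history.append((now, self.level, reason))

    def tick(self, now, reaction_failed=False):
        """Re-evaluate at time `now` and return the current level."""
        if self.closed_at is not None:
            return self.level
        if reaction_failed:
            self._escalate(now, "pre-defined reaction failed")
        elif now - self.level_since >= DELAY[self.criticality]:
            self._escalate(now, f"delay of {DELAY[self.criticality]}s exhausted")
        return self.level

    def close(self, now):
        self.closed_at = now
        self.history.append((now, self.level, "closed"))

def run_scenario():
    """Four constructed incidents re-evaluated at a few points in time."""
    inc = {
        "INC-1": Incident("INC-1", "high", "ssh-bruteforce", opened_at=0),       # handled in time
        "INC-2": Incident("INC-2", "high", "ssh-bruteforce", opened_at=0),       # nobody acts
        "INC-3": Incident("INC-3", "low", "unknown-outbound-tls", opened_at=0),  # not catalogued
        "INC-4": Incident("INC-4", "high", "known-malware-beacon", opened_at=0), # reaction fails
    }
    for now in (100, 120, 299, 300, 600):
        inc["INC-1"].tick(now)
        if now == 120:
            inc["INC-1"].close(now)          # agents applied the reaction before t1
        inc["INC-2"].tick(now)
        inc["INC-3"].tick(now)
        inc["INC-4"].tick(now, reaction_failed=(now == 100))
    return inc

if __name__ == "__main__":
    for i in run_scenario().values():
        print(i.ident, "->", LEVELS[i.level], i.history)
```

In the scenario, INC-1 never leaves the agents, INC-2 reaches the laboratory purely through two exhausted delays, INC-3 goes straight to the experts because no pre-defined reaction exists, and INC-4 escalates as soon as the agents report that the reaction failed, which is exactly why the text insists that agents be able to recognize a failed procedure.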
• Commercial/Freeware + Infrastructure + Staff Salaries
• 1st level needs specialized training
• Not just point & clickers
• Find the data, get access to the data
• Help Desk Trouble Ticket process
• Backbone speeds, MPLS, IPv6
• Sensor placement – inline or SPAN port
• Understandable threats
Security Operations Centers (SOCs) are growing. Respondents indicated that the SOC's primary strengths are flexibility and adaptability, while its biggest weakness is lack of visibility: SOCs still cannot detect previously unknown threats, a consistent finding across many other international surveys, including those of SANS (the SysAdmin, Audit, Network, and Security Institute). The surveys also found a need for more automation across the prevention, detection and response functions, particularly in prevention and detection, where the tools respondents use are mostly the same.
Advanced Persistent Threats (APTs) are also one of the big problems facing security operations centers. APTs often use social engineering to obtain contact information and send phishing emails to unsuspecting people. They exploit security vulnerabilities in Internet of Things (IoT) devices and hide in high-value business assets to steal or compromise target information. Attacks are commonly seen against critical infrastructure, such as the finance sector, resource suppliers and government agencies, affecting people's livelihoods. Before launching attacks, perpetrators are usually well prepared and wait patiently for their opportunity. Once an attack is launched, perpetrators usually apply advanced evasion techniques while exploiting known vulnerabilities, which makes traditional security devices that rely on recognizing attack traffic ineffective.
Cybercriminals have figured out how to evade detection by bypassing traditional defenses. Using toolkits to build polymorphic threats that change with every use, move slowly and exploit zero-day vulnerabilities, the criminals break in through the gaps left by traditional and next-generation firewalls, IPS, anti-virus and web gateways. This new generation of organized cybercrime is persistent, capitalizing on organizational data available on social networking sites to craft highly targeted phishing emails and malware aimed at the applications and operating systems (with all their vulnerabilities) typical of particular industries.
Once inside, advanced malware, zero-day and targeted APT attacks hide, replicate and disable host protections. After installing, the malware phones home to its command and control (CnC) server for instructions, which may be to steal data, infect other endpoints, enable reconnaissance, or lie dormant until the attacker is ready to strike. Attacks succeed in this second, communication stage because few technologies monitor outbound malware transmissions, so administrators remain unaware of the hole in their network until the damage is done.
APTs are characterized by the attackers' quest for long-term control of compromised computer systems. Whether the attackers use viruses, Trojans, spyware, rootkits, spear phishing, malicious email attachments or drive-by downloads, their malware enables either simple disruption or long-term control of the compromised machines. APT actors can be nation-states or rogue actors using completely unknown malware, or buying access to systems previously compromised by known malware installed through social engineering, spear phishing or drive-by downloads.
Examples of APT attacks:
Stuxnet is one example of an APT. The 2017 attack on HBO, in which Game of Thrones material was stolen, is a more recent example.
A big problem today is that we do not have enough resources to review the huge volume of logs and act on them, nor does the planet have enough experts to stop major attacks from within security operations centers. Advanced persistent attacks and zero-days are also problems that L1 or L2 SOC analysts cannot be expected to understand, because an advanced persistent attack can also be driven manually by a human operator rather than by automated tooling.
Alkhawarzimi Institute of Computer Sciences, UET proposes a Next Generation Threat Awareness System, which will be the first BDS (Breach Detection System) product designed specifically to perceive and defend against APT attacks. The system will adopt an application-level sandbox and environmental-awareness technology, embed auxiliary AV (antivirus) and IDS detection modules, and integrate a threat intelligence service, thereby compensating for the deficiencies of traditional signature-based detection and sandbox technologies. By these means the product will be able to detect and prevent APT and zero-day attacks precisely and efficiently, using the following concept of zero-day detection.
We define zero-day detection as holistic monitoring of every process over time, whether malicious or not, covering:
• File attributes
• File contents
• File heuristics
• Access patterns
• Network activity
• System calls
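One concrete way to turn the holistic monitoring above into a detector, given here as an added example rather than the institute's own implementation: build a behavioural baseline for each process image over a learning period (system calls, files touched, network peers, binary attributes), then score later observations by how much behaviour they introduce that the image was never seen to exhibit. The telemetry is constructed, and the feature weights and alert threshold are assumptions.

```python
"""Per-process behavioural baselining: learn what each image normally does,
then score new observations by never-seen behaviour, weighted by feature
class. Added example; telemetry, weights and threshold are constructed."""
from collections import defaultdict

# Assumed weights per feature class: a new network peer or a changed binary
# weighs more than one extra file path.
WEIGHTS = {"syscall": 2.0, "file": 1.5, "net": 3.0, "attr": 4.0}
THRESHOLD = 6.0   # assumed alert threshold

# Constructed telemetry: one dict per (image, observation window).
BASELINE_OBS = [
    {"image": "/usr/bin/updater", "syscalls": {"openat", "read", "write", "connect"},
     "files": {"/var/lib/updater/state", "/var/log/updater.log"},
     "peers": {"198.51.100.10:443"}, "attrs": {"sha256": "a1b2", "signed": True}},
    {"image": "/usr/bin/updater", "syscalls": {"openat", "read", "connect"},
     "files": {"/var/lib/updater/state"},
     "peers": {"198.51.100.10:443"}, "attrs": {"sha256": "a1b2", "signed": True}},
]
NORMAL_OBS = {"image": "/usr/bin/updater", "syscalls": {"read", "write"},
              "files": {"/var/log/updater.log"}, "peers": {"198.51.100.10:443"},
              "attrs": {"sha256": "a1b2", "signed": True}}
# Same image name, but the binary changed, it touches another process
# (ptrace + mprotect), drops a file under /tmp and talks to a new peer.
SUSPECT_OBS = {"image": "/usr/bin/updater", "syscalls": {"read", "ptrace", "mprotect"},
               "files": {"/tmp/.x/ld.so"}, "peers": {"203.0.113.5:443"},
               "attrs": {"sha256": "dead", "signed": False}}

def build_baseline(observations):
    """Union of everything each image was seen doing during the learning period."""
    base = defaultdict(lambda: {"syscall": set(), "file": set(), "net": set(), "attr": None})
    for ob in observations:
        b = base[ob["image"]]
        b["syscall"] |= ob["syscalls"]
        b["file"] |= ob["files"]
        b["net"] |= ob["peers"]
        b["attr"] = ob["attrs"]           # most recent attributes seen
    return dict(base)

def score(ob, baseline):
    """Return (score, reasons): weighted count of behaviour absent from the baseline."""
    b = baseline.get(ob["image"])
    if b is None:
        return 10.0, ["image never seen during baseline"]
    total, reasons = 0.0, []
    for kind, key in (("syscall", "syscalls"), ("file", "files"), ("net", "peers")):
        new = ob[key] - b[kind]
        if new:
            total += WEIGHTS[kind] * len(new)
            reasons.append(f"new {kind}: {sorted(new)}")
    if ob["attrs"] != b["attr"]:
        total += WEIGHTS["attr"]
        reasons.append("binary attributes changed (hash/signature)")
    return total, reasons

def is_suspicious(ob, baseline):
    return score(ob, baseline)[0] >= THRESHOLD

if __name__ == "__main__":
    base = build_baseline(BASELINE_OBS)
    for label, ob in (("normal", NORMAL_OBS), ("suspect", SUSPECT_OBS)):
        s, why = score(ob, base)
        print(f"{label}: score={s} suspicious={s >= THRESHOLD} {why}")
```

Because the score is driven by novelty rather than by a signature, the detector needs no prior knowledge of the specific malware; the price is that a learning period polluted by an already-compromised host becomes the baseline, so the learning set must be taken from hosts verified clean and re-validated after every software update.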
This will be an excellent solution for the Pakistani market at the lowest possible cost, since it will be integrated into the security operations center and will help harden it.
Proposed industries (in priority order):
1. Educational Sector
2. Health sector
3. Financial sector
4. Law enforcement sector
5. Law and justice