Sunday, January 27, 2019

All about Security Operation Centre

Security Operation Centre (SOC)

A Security Operation Centre (SOC), also known as a Cyber Security Operation Centre (CSOC), plays a very crucial part in preventing, detecting, monitoring, containing and remediating information security threats and vulnerabilities affecting an organization's critical applications, devices and systems.

It centralizes security operations by integrating people, process and technology. SOC implementations have been under way since 2015/2016 in various banking and enterprise sectors.

It acts as a central command and control centre connected to all of the organization's IT infrastructure: network devices, applications, servers, etc. Depending on the technologies deployed, the SOC team can use the latest threat intelligence to identify whether a given threat is active or not.

Many people have the simple misconception that, because they have a SIEM (Security Information and Event Management; there is a separate post on SIEM in this blog), they are operating a SOC. That is not practically how a SOC works. Setting up a Security Operations Centre supported by multiple security monitoring technologies and real-time threat updates is not an easy task. That said, the SIEM is one prime critical component used in a SOC. The SIEM is combined with other components such as a Logger, Connectors and UBA (User Behaviour Analysis). Connectors connect the monitored devices to the SIEM. Loggers deployed on the endpoint network collect the logs. These logs are then correlated and analyzed by UBA, so that key indicators of compromise can be found, whether in user activity or in system events.

An illustrative diagram of the components of a SOC is provided below (image not reproduced in this text).
So to establish a SOC, you need to identify the key processes. These include event classification, event prioritization, event analysis, event remediation, monitoring and reporting.

What makes a SOC unique is the ability to monitor all systems on an ongoing basis, as employees work in shifts, rotating and logging activity around the clock. In addition to monitoring activity, a SOC should perform Vulnerability Assessment and Penetration Testing (VAPT) of all the network devices and applications integrated with it; this helps a lot in finding gaps and closing them as a preventive approach. The logs on which a SOC works, and which need to be analyzed, include:

  • Logs from firewall devices
  • Logs from endpoint devices
  • Logs from proxy servers
  • Service logs
  • Malware (anti-malware) logs
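As an added example (not code from the blog post, and not any vendor's SIEM), here is a small Python pipeline in the spirit of the Logger / Connector / SIEM / UBA chain and the event classification and prioritization processes described above: it normalizes constructed firewall, endpoint and proxy log lines, correlates them into findings, and ranks the findings by rule severity weighted with asset criticality. The log formats, hosts, users, the threat-intelligence denylist and the criticality values are all assumptions made up for this example.

```python
"""Added example, not from the post: toy SOC log correlation and prioritization."""
import re
from collections import defaultdict

# Constructed sample logs from three of the sources the post lists. The line
# formats are invented for this example; real connectors parse vendor formats.
SAMPLE_LOGS = [
    "2019-01-27T09:00:01 firewall DENY src=10.0.5.23 dst=10.0.1.10 dport=22",
    "2019-01-27T09:00:02 firewall DENY src=10.0.5.23 dst=10.0.1.10 dport=23",
    "2019-01-27T09:00:03 firewall DENY src=10.0.5.23 dst=10.0.1.10 dport=445",
    "2019-01-27T09:00:04 firewall DENY src=10.0.5.23 dst=10.0.1.10 dport=3389",
    "2019-01-27T09:00:05 firewall DENY src=10.0.5.23 dst=10.0.1.10 dport=8080",
    "2019-01-27T09:01:10 endpoint host=hr-pc-07 user=alice LOGIN_FAIL",
    "2019-01-27T09:01:12 endpoint host=hr-pc-07 user=alice LOGIN_FAIL",
    "2019-01-27T09:01:15 endpoint host=hr-pc-07 user=alice LOGIN_FAIL",
    "2019-01-27T09:01:20 endpoint host=hr-pc-07 user=alice LOGIN_OK",
    "2019-01-27T09:02:00 proxy host=fin-srv-01 user=bob url=http://updates.vendor.test/patch",
    "2019-01-27T09:02:30 proxy host=fin-srv-01 user=bob url=http://bad.example.invalid/beacon",
    "2019-01-27T09:03:00 endpoint host=dev-pc-02 user=carol LOGIN_OK",
    "this line is not in any known format",
]

# Constructed asset criticality (1 = low, 3 = high) and a stand-in for a
# threat-intelligence feed; both are assumptions for the example.
ASSET_CRITICALITY = {"fin-srv-01": 3, "hr-pc-07": 2, "10.0.1.10": 3}
TI_DENYLIST = {"bad.example.invalid"}

# Classification step: base severity per detection rule (assumed values).
RULE_SEVERITY = {"port_scan": 2, "brute_force_success": 3, "ti_match": 3}

KNOWN_SOURCES = {"firewall", "endpoint", "proxy"}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<rest>.+)$")


def parse_line(line):
    """Connector step: normalize one raw line to a dict, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("source") not in KNOWN_SOURCES:
        return None
    event = {"ts": m.group("ts"), "source": m.group("source")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            event[key] = value
        else:
            event["action"] = tok  # bare token such as DENY or LOGIN_FAIL
    return event


def correlate(events):
    """UBA-style correlation: turn normalized events into findings (indicators)."""
    findings = []
    # Rule 1: one source address denied on many distinct ports of one host.
    ports = defaultdict(set)
    for e in events:
        if e["source"] == "firewall" and e.get("action") == "DENY":
            ports[(e.get("src"), e.get("dst"))].add(e.get("dport"))
    for (src, dst), dports in ports.items():
        if len(dports) >= 5:
            findings.append({"rule": "port_scan", "asset": dst,
                             "detail": f"{src} probed {len(dports)} ports on {dst}"})
    # Rule 2: repeated login failures followed by a success for the same account.
    streak = defaultdict(int)
    for e in events:
        if e["source"] != "endpoint":
            continue
        key = (e.get("host"), e.get("user"))
        if e.get("action") == "LOGIN_FAIL":
            streak[key] += 1
        elif e.get("action") == "LOGIN_OK":
            if streak[key] >= 3:
                findings.append({"rule": "brute_force_success", "asset": key[0],
                                 "detail": f"{key[1]} logged in after {streak[key]} failures"})
            streak[key] = 0
    # Rule 3: proxy request to a host on the threat-intelligence denylist.
    for e in events:
        if e["source"] == "proxy" and "url" in e:
            host = e["url"].split("//", 1)[-1].split("/", 1)[0]
            if host in TI_DENYLIST:
                findings.append({"rule": "ti_match", "asset": e.get("host"),
                                 "detail": f"{e.get('user')} requested {host}"})
    return findings


def prioritize(findings):
    """Prioritization step: severity weighted by asset criticality, highest first."""
    for f in findings:
        f["priority"] = RULE_SEVERITY[f["rule"]] * ASSET_CRITICALITY.get(f["asset"], 1)
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


def run_pipeline(lines):
    """Logger -> connector -> correlation -> prioritized queue for the analyst."""
    events = [e for e in (parse_line(raw) for raw in lines) if e is not None]
    return prioritize(correlate(events))


if __name__ == "__main__":
    for f in run_pipeline(SAMPLE_LOGS):
        print(f"P{f['priority']}  {f['rule']:<20} {f['asset']:<10} {f['detail']}")
```

Run as a script it prints three findings, with the threat-intelligence match on the finance server at the top because both the rule severity and the asset criticality are high; the unparsable last line is dropped by the connector rather than crashing the pipeline, which is the behaviour you want from a log collector facing unknown formats.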

Earlier in my post I provided the list of security incidents. Those security incidents can arise at any organization during operation, such as:

  • Targeted scanning/reconnaissance of network and IT infrastructure
  • Large scale defacement and semantic attacks on websites
  • Large scale spoofing
  • Malicious code attacks (virus/worm/Trojans/botnets)
  • Large scale spam attacks
  • Ransomware attacks
  • Identity theft and phishing attacks
  • Social engineering
  • Denial of Service attack (DoS) and Distributed Denial of Service attack (DDoS)
  • Application level attack
  • Infrastructure attack
  • Router level attack
  • Attacks on trusted infrastructure
  • Cyber espionage and Advanced Persistent Threat

When building a SOC there are similar requirements for IT and non-IT equipment as in Data Centre projects. We also need a large video wall system for centralized monitoring. There are multiple design factors to be considered for an effective SOC design.

The key IT components that will be required are listed below; however, this list is only indicative, and the actual requirement depends on the organization, its network size and its needs.

  • Web Application Firewall
  • Anti-Phishing Appliance
  • Anti-APT Appliance
  • SIEM
  • DDoS appliance
  • Log Management Appliance
  • Network Flow Analyzer
  • Network Switches/ Access Switches
  • Router
  • KVM devices
  • Storage Devices

Besides the above devices, orchestration can be done using a SOAR application (Security Orchestration, Automation and Response), a technology introduced recently that allows an organization to define incident analysis and response procedures in an automated, digital way.

There is also a probability that many false positive events will arise or be logged automatically through the incident management system. These should be minimized when planning risk mitigation or reporting.

False positive events are generally system information events that have no impact on the system or network: the event incorrectly indicates a vulnerability or malicious activity, but there is no legitimate security threat.
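As an added example (not code from the post, and not any SOAR product's own logic), the following Python sketch shows the ideas of the last three paragraphs together: a SOAR-style playbook runner that encodes incident response procedures as ordered steps, with a triage step in front of it that suppresses the kinds of false positives described above (informational system events, and port probes from the organization's own authorised vulnerability scanner) and reports the resulting false-positive rate. The alerts, the scanner address, the informational event names and the response actions are all constructed for the example; the actions only record what they would do instead of calling a real EDR, ticketing or identity API.

```python
"""Added example, not from the post: toy SOAR-style triage and playbook runner."""
from dataclasses import dataclass

# Constructed: the organization's own authorised vulnerability scanner. Its port
# probes are expected VAPT activity, not an incident, so they are suppressed.
AUTHORISED_SCANNERS = {"10.0.9.5"}

# Constructed: informational system events that carry no security impact.
INFO_ONLY_EVENTS = {"service_restart", "config_backup_ok"}


@dataclass
class Alert:
    rule: str          # detection rule that fired, e.g. "port_scan"
    asset: str         # affected host or address
    source_ip: str = ""
    priority: int = 1


@dataclass
class Playbook:
    rule: str
    steps: list        # ordered action names, run top to bottom


# Constructed response procedures: the "defined incident analysis and response
# procedures" a SOAR tool lets an organization encode. Names are assumptions.
PLAYBOOKS = {
    "ti_match": Playbook("ti_match",
                         ["enrich_asset", "isolate_host", "open_ticket", "notify_l2"]),
    "port_scan": Playbook("port_scan", ["enrich_asset", "open_ticket"]),
    "brute_force_success": Playbook("brute_force_success",
                                    ["enrich_asset", "disable_account", "open_ticket", "notify_l2"]),
}


def is_false_positive(alert):
    """Triage step: return (True, reason) for alerts the SOC classifies as benign."""
    if alert.rule == "port_scan" and alert.source_ip in AUTHORISED_SCANNERS:
        return True, "authorised scanner"
    if alert.rule in INFO_ONLY_EVENTS:
        return True, "informational event"
    return False, ""


def run_action(name, alert, log):
    """Simulated action: a real SOAR connector would call an EDR, ticketing or IAM API."""
    log.append(f"{name}:{alert.asset}")
    return True


def run_playbook(alert, log):
    """Execute the playbook for the alert's rule; unknown rules go to a human analyst."""
    pb = PLAYBOOKS.get(alert.rule)
    if pb is None:
        log.append(f"no_playbook:{alert.rule}")
        return "escalated"
    for step in pb.steps:
        if not run_action(step, alert, log):
            return "failed"
    return "completed"


def triage(alerts):
    """Return ([(alert, outcome), ...], audit log, false-positive rate)."""
    log, results, suppressed = [], [], 0
    for a in alerts:
        fp, reason = is_false_positive(a)
        if fp:
            suppressed += 1
            log.append(f"suppressed:{a.rule}:{reason}")
            results.append((a, "suppressed"))
            continue
        results.append((a, run_playbook(a, log)))
    rate = suppressed / len(alerts) if alerts else 0.0
    return results, log, rate


# Constructed alerts, as a correlation engine might hand them to the SOAR layer.
SAMPLE_ALERTS = [
    Alert("port_scan", "10.0.1.10", source_ip="10.0.9.5", priority=6),   # own scanner
    Alert("port_scan", "10.0.1.10", source_ip="10.0.5.23", priority=6),
    Alert("ti_match", "fin-srv-01", priority=9),
    Alert("service_restart", "dev-pc-02", priority=1),                    # informational
]

if __name__ == "__main__":
    results, log, rate = triage(SAMPLE_ALERTS)
    for alert, outcome in results:
        print(f"{alert.rule:<20} {alert.asset:<10} {outcome}")
    print(f"false-positive rate: {rate:.0%}")
    print("\n".join(log))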

Therefore there is more depth to its operation and resource requirements. Different cyber-skilled people are required, with segregated duties and defined roles and responsibilities: resources such as Security Analyst 1 (L1), L2 Analyst, SOC Engineer, L3 Analyst, Threat Intelligence Expert, Forensic Analyst and SOC Manager. Everyone has a crucial role in the operation of a Security Operation Centre.

So this is just basic information about the SOC and its operating concept.


-DR

Saturday, January 26, 2019

How to Secure your Enterprise Infrastructure

Enterprise Infrastructure Security

Presently enterprises and corporates are becoming targets for cyber attacks. Security breaches are occurring more frequently and becoming more sophisticated. Attacks are growing both in number and complexity, and new technologies and tools are exposing organizations further.

The security defense strategy is somewhere lagging behind. Many organizations do not care about safety and security. I have some experience in participating in and conducting a global security survey by X firm, covering approximately 1000 enterprises; from the consolidated survey result it was noticed that:

  • Approximately 55% of organizations do not think to protect their overall system.
  • The biggest cyber threats to organizations are phishing, cyber attack, malware, spam, fraud, internal attack, espionage, etc.
  • Most vulnerabilities lie in careless or unaware employees, outdated security controls, unauthorized access, use of smartphones, cloud computing and IoT.
  • Approximately 53% of organizations do not have any system for breach identification, vulnerability identification, threat intelligence, data protection or Identity & Access Management.

Although there is some good news:

  • New types of roles in an organization are rising, such as Chief Security Officer (CSO) and Chief Information Security Officer (CISO), to specifically focus on the cyber landscape.
  • Establishment of Security Operation Centres (SOC) has increased gradually.
  • Assessments such as vendor risk assessment, vulnerability assessment, penetration testing and forensic analysis, and the use of device-level security such as SIEM, DLP, zero trust, IDS/IPS, IAM and firewalls, have increased.

Here I can suggest a small checklist for infrastructure security, which can be taken as a best-practice approach with further consultation with experts. This can be implemented gradually, with proper design thinking and budgeting in advance.

  • Protect against offline access by using endpoint encryption on desktops, laptops and servers, with Symantec Endpoint Protection, BitLocker, etc.
  • Implement process execution prevention using AppLocker, BeyondTrust, Avecto, etc.
  • Implement network segregation such as VLANs, IPsec, etc.
  • Review and analyze logs for anomalies using SIEM tools.
  • Keep a regular automatic backup solution.
  • Use centralized anti-virus or anti-exploit solutions.
  • Regularly perform configuration reviews, firewall policy reviews, Vulnerability Assessment and Penetration Testing, etc.
  • Use identity management, password management, data protection, etc.

Therefore, organizations and enterprises need to look beyond preventive measures in their security assessments. There should be a robust cyber plan to improve their protection.

-DR
