
INSIDE A CYBER SECURITY OPERATIONS CENTRE

Security Monitoring for protecting Business and supporting Cyber Defense Strategy

Dr Cyril Onwubiko

Intelligence & Security Assurance Research Series Limited

Invited Lecture, Post Graduate, Network & Information Security, Kingston University, February 25 2015


CYBER SECURITY OPERATIONS CENTRE

[email protected]

@CMRiCORG

www.C-MRiC.ORG

Abstract

A cyber security operations centre (CSOC) is an essential business control aimed at protecting ICT systems and supporting the Cyber Defense Strategy. Its overarching purpose is to ensure that incidents are identified and managed to resolution swiftly, and to maintain safe and secure business operations and services for the organisation. Further, the difficulties and benefits of operating a CSOC are explained.


WELCOME TO OUR CYBER SECURITY OPERATIONS CENTRE



What is a Cyber Security Operations Centre?

• A CSOC is a centre that comprises People (analysts, operators, administrators, etc.) who monitor ICT systems, infrastructure and applications. They use Processes, Procedures and Technology to deter computer misuse and policy violations, to prevent and detect cyber attacks, security breaches and abuse, and to respond to cyber incidents.

What do they do? They:

• Ensure the ICT, infrastructure and business applications of the organisation are identified.
• Ensure systems, infrastructure and applications are protected.
• Ensure vulnerabilities that may exist in, and within, the IT estate are identified and managed.
• Identify threats that could compromise or exploit those vulnerabilities to break in.
• Identify threat actors that could be interested in, or may wish to attack, the business.
• Monitor the IT estate for real-time or near-real-time cyber attacks, policy violations, security breaches, anomalous or symptomatic events, or deviations.
• Profile identities that appear suspicious, interesting or ‘risky’.
• Analyse events and alerts to determine whether they are associated with, or related to, streams of ongoing attack.
• Analyse historical event logs for patterns and trends (trending) symptomatic of an attack or compromise.
• Triage and investigate incidents.
• Coordinate, contain and respond to cyber incidents.
• Provide reports and management information.


Why Cyber Security Operations Centre?

Aug. 2014: Contact information of >76 million households and about 7 million small businesses was compromised in a cyber security attack.

2011: IPR theft of the RSA SecurID system and software – believed to be state sponsored.

Jan 2015: The US Central Command (Centcom) Twitter account was


Why Cyber Security Operations Centre?

Volume: Some organisations possess a myriad of devices in their IT estate, many of which are no longer managed, are unsupported, or are legacy.

Information / Data: All organisations have various data that need to be protected, such as customer records, student records, citizens' data, bank/financial records, IP (intellectual property), etc.

Growth: There is increasing growth in an organisation's user base, information and data. Networks are extended and expanded to accommodate collaboration, partnerships, etc. Hence isolated and localised point solutions struggle to protect the enterprise.

Point Solution Management: Localised and point-solution devices (log sources) need to be monitored, and properly managed, too.

Borderless Perimeter: Collaboration, partnerships, etc. and new ways of doing business (internet/eCommerce) mean the boundary/perimeter is no longer ‘hard’ but ‘soft’.

Privileged User Abuse: Trusted users with privileged access can turn rogue; such risk must be monitored, mitigated and managed.


Cyber Security Facts

1. Cyber incidents will always occur.
2. No organisation is safe.
3. Every system, network, infrastructure or application can be attacked or hacked.
4. Vulnerabilities exist in every asset and every organisation.
5. Risk mitigation is always a proportionality proposition.
6. The cyber landscape is constantly expanding (LAN, MAN, WAN, Internet, Cloud Computing, IoT, IoET, etc.).
7. Technology is continuously evolving and complex.
8. The attack surface is growing.
9. The impacts of cyber attacks can result in significant losses.

CYBER SECURITY OPERATIONS

[Figure: CSOC architecture. Log sources across the estate: Firewall, NIDS, Switch, Web Fraud Detection, Portal Anti-Virus, HIDS, Database Anti-Virus, Integrity HIDS, Privileged User Access Management, Active Directory, WAF, L7 AV Gateway Anti-Virus, OS / Hypervisor / VM, Mobile and Desktop. Data feeds: Syslog events, SNMP, DPI, Flow and Audit, collected by push/pull, with push commands back to devices for response. Pipeline: Log Collection → Analysis → Interpret → Correlate → Fuse → Reporting, enriched by Trending, HDB, CMDB and Threat Intel, giving Cyber Situational Awareness. Functions of the Security Operations Centre: Collection, Response, Incident Response & Forensic Investigations, and Vulnerability Management.]

LOG COLLECTION

• Every ICT system should be configured to produce event logs.
• SIEMs are used to collect event logs of most formats.
• Most SIEMs have the capability to collect logs (push/pull) from a number of log sources.
• However, the deployment must enable this to happen!
• The system audit policy must be enabled, and the audit logs must be consumed.
• The right events must be logged (to provide the right set of accounting data). I have seen a deployment that produces several TB of logs daily, but most of those logs are not useful.

[Figure: ‘Potential to do’ log collection. Log sources: Firewall, NIDS, Switch, Portal Anti-Virus, HIDS, Database Anti-Virus, Integrity HIDS, PUAM, AD, WAF, L7 AV Gateway Anti-Virus, OS / Hypervisor / VM, Mobile. Feeds: Syslog events (Syslog, RFC 5424), SNMP (RFC 5343; v1, v2c, v3), DPI, Flow and Audit; collected by push/pull. Possibly ‘Big Data’.]
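As an added example (not part of the lecture), the following Python parses the RFC 5424 syslog format named on the slide the way the first stage of a SIEM collector would: it decodes PRI into facility and severity, splits the header fields, unpacks STRUCTURED-DATA (including the escaped characters that break naive split-on-space parsers) and rejects lines in other formats so they can be routed to a different decoder instead of being silently dropped. The sample lines are constructed for this example; hostnames and addresses are placeholders.

```python
import re
from dataclasses import dataclass, field

# Added example, not from the lecture: a minimal RFC 5424 syslog parser.
# RFC 5424 section 6:
#   SYSLOG-MSG = HEADER SP STRUCTURED-DATA [SP MSG]
#   HEADER     = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
#   PRIVAL     = Facility * 8 + Severity   (0..191)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]";
# inside PARAM-VALUE the characters " \ ] are backslash-escaped (section 6.3.3).
SD_ELEMENT_RE = re.compile(
    r'\[(?P<sdid>[^\s\]=]+)(?P<params>(?: [^\s=\]]+="(?:[^"\\]|\\.)*")*)\]'
)
SD_PARAM_RE = re.compile(r'(?P<name>[^\s=\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogEvent:
    facility: int
    severity: str
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    sd: dict = field(default_factory=dict)  # {sd_id: {param_name: param_value}}
    msg: str = ""


def _unescape(value: str) -> str:
    return value.replace('\\"', '"').replace("\\]", "]").replace("\\\\", "\\")


def parse_rfc5424(line: str) -> SyslogEvent:
    """Parse one RFC 5424 line; raise ValueError for anything else."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 header: {line[:40]!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRIVAL out of range: {pri}")
    rest = line[m.end():]
    sd: dict = {}
    if rest.startswith("-"):          # NILVALUE: no structured data
        rest = rest[1:]
    else:
        while rest.startswith("["):
            el = SD_ELEMENT_RE.match(rest)
            if not el:
                raise ValueError("malformed STRUCTURED-DATA")
            sd[el.group("sdid")] = {
                p.group("name"): _unescape(p.group("value"))
                for p in SD_PARAM_RE.finditer(el.group("params"))
            }
            rest = rest[el.end():]
    msg = rest[1:] if rest.startswith(" ") else rest
    return SyslogEvent(
        facility=pri // 8, severity=SEVERITY[pri % 8],
        timestamp=m.group("timestamp"), hostname=m.group("hostname"),
        appname=m.group("appname"), procid=m.group("procid"),
        msgid=m.group("msgid"), sd=sd, msg=msg,
    )


def collect(lines):
    """Parse a batch as a collector would: keep going past lines in other formats."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse_rfc5424(line))
        except ValueError:
            rejected.append(line)
    return events, rejected


# Constructed sample lines (placeholders, not real logs), modelled on RFC 5424 section 6.5.
SAMPLE_LINES = [
    '<34>1 2015-02-25T09:14:15.003Z fw01.example.org sshd 812 ID47 - '
    'Failed password for root from 203.0.113.5 port 52122 ssh2',
    '<165>1 2015-02-25T09:14:16Z app01.example.org evntslog - ID52 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
    'An application event log entry',
    '<13>1 2015-02-25T09:14:17Z - - - - [meta seq="7" note="has \\] bracket"]'
    '[origin ip="198.51.100.9"]',
    'Feb 25 09:14:18 legacy01 kernel: old BSD-style line, not RFC 5424',
]

if __name__ == "__main__":
    events, rejected = collect(SAMPLE_LINES)
    for e in events:
        print(f"{e.hostname:18} fac={e.facility:2} sev={e.severity:7} "
              f"app={e.appname:8} sd={e.sd} msg={e.msg!r}")
    print(f"{len(rejected)} line(s) need a different decoder: {rejected}")
```

The rejected list is the practical point: the fourth line is legacy BSD syslog (the format of the "no longer managed, unsupported or legacy" devices mentioned earlier), and a collector that only understands RFC 5424 must account for such lines rather than lose them, or the audit trail for exactly the weakest part of the estate goes missing.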


SECURITY MONITORING


ANALYSIS

[Figure: SIEM analysis. Data feeds into the SIEM: Flow, Events and Audit Logs, DPI Capture, Network Discovery, Vulnerability Scan, Big Data and User agent; analysis functions: Anomaly Detection and Web Fraud Detection; the SIEM is enriched from the CMDB.]

Note: There are no set rules for the type of data collected, but the quality of the data, and the data types used, will determine the accuracy of the analysis, provided the data analytics techniques used are of a substantive nature.

CYBER INCIDENT RESPONSE

[Figure: cyber incident response workflow, from initial triage through containment and reporting, with a timeline of incidents.]

• Initial Triage: source of attack (Geo-IP), IP address of the attacker, suspected type of attack, target endpoint(s), location of endpoints, and categorisation of the incident based on type of attack/target (Major Incidents vs Minor Incidents).
• Containment: control and countermeasure.
• Cyber Incident Responders (internal function); callout of specialist services, Digital Forensic Investigators and FIRST* Responders (external function).
• Reporting.
• Time is of the essence / critical.
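The analysis step earlier in the deck (analyse events and alerts to determine whether they belong to an ongoing attack, correlating by time across multiple channels) and the initial triage above can be shown end to end in a few functions. The following Python is an added example, not from the lecture: it correlates authentication failures, an authentication success and a host-based alert into one alert per attacker/target pair, then enriches it from a CMDB and a Geo-IP table into the triage record the slide describes. The CMDB entries, Geo-IP mappings, window and threshold are assumed values and the events are constructed, using TEST-NET addresses and placeholder hostnames.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the lecture. Reference data is constructed: a CMDB slice
# for asset criticality/location and a Geo-IP table keyed by TEST-NET addresses.
CMDB = {
    "db01": {"criticality": "high", "location": "London DC1"},
    "web03": {"criticality": "low", "location": "Manchester DC2"},
}
GEOIP = {"203.0.113.5": "KR", "198.51.100.9": "DE", "192.0.2.77": "BR"}
WINDOW = timedelta(minutes=5)   # correlation window (assumed tuning value)
FAIL_THRESHOLD = 5              # failures within WINDOW that count as a burst
STAGE_TEXT = {
    "attempt": "brute-force login attempt",
    "access_gained": "brute-force login, access gained",
    "post_compromise_activity": "brute-force login, access gained, host activity followed",
}


def correlate(events):
    """Correlate by time across channels. 'auth' events carry the attacker src_ip;
    'hids' events carry only the host, so the channels are joined on host and time.
    Returns one alert per (src_ip, host) pair that shows a failure burst."""
    events = sorted(events, key=lambda e: e["ts"])
    auth_by_pair, hids_by_host = defaultdict(list), defaultdict(list)
    for e in events:
        if e["channel"] == "auth":
            auth_by_pair[(e["src_ip"], e["host"])].append(e)
        elif e["channel"] == "hids":
            hids_by_host[e["host"]].append(e)
    alerts = []
    for (src, host), evs in auth_by_pair.items():
        fails = [e for e in evs if e["kind"] == "login_failure"]
        burst_start = None
        for i in range(len(fails) - FAIL_THRESHOLD + 1):   # sliding window over failures
            if fails[i + FAIL_THRESHOLD - 1]["ts"] - fails[i]["ts"] <= WINDOW:
                burst_start = fails[i]["ts"]
                break
        if burst_start is None:
            continue
        last_fail = fails[-1]["ts"]
        success = next((e for e in evs if e["kind"] == "login_success"
                        and burst_start <= e["ts"] <= last_fail + WINDOW), None)
        post = [] if not success else [h for h in hids_by_host[host]
                                       if success["ts"] <= h["ts"] <= success["ts"] + WINDOW]
        stage = "post_compromise_activity" if post else "access_gained" if success else "attempt"
        alerts.append({"src_ip": src, "host": host, "stage": stage, "first_seen": burst_start,
                       "evidence": len(fails) + (1 if success else 0) + len(post)})
    return alerts


def triage(alert):
    """Initial triage record with the fields the slide lists, plus containment actions."""
    asset = CMDB.get(alert["host"], {"criticality": "unknown", "location": "unknown"})
    gained = alert["stage"] != "attempt"
    containment = ["block source IP at the perimeter"]
    if gained:
        containment += ["disable or reset the account used", "isolate the host pending forensics"]
    return {
        "source_geo": GEOIP.get(alert["src_ip"], "unknown"),
        "attacker_ip": alert["src_ip"],
        "suspected_attack": STAGE_TEXT[alert["stage"]],
        "stage": alert["stage"],
        "target_endpoint": alert["host"],
        "endpoint_location": asset["location"],
        "category": "Major Incident" if gained and asset["criticality"] == "high" else "Minor Incident",
        "containment": containment,
        "evidence_events": alert["evidence"],
    }


# Constructed events (placeholder hosts and TEST-NET addresses, not real traffic).
BASE = datetime(2015, 2, 25, 9, 0, 0)


def _ev(seconds, channel, src_ip, host, kind):
    return {"ts": BASE + timedelta(seconds=seconds), "channel": channel,
            "src_ip": src_ip, "host": host, "kind": kind}


SAMPLE_EVENTS = (
    [_ev(840 + 10 * i, "auth", "203.0.113.5", "db01", "login_failure") for i in range(6)]
    + [_ev(930, "auth", "203.0.113.5", "db01", "login_success"),
       _ev(965, "hids", None, "db01", "new_local_admin_created")]
    + [_ev(1200 + 60 * i, "auth", "198.51.100.9", "web03", "login_failure") for i in range(6)]
    + [_ev(2400 + 600 * i, "auth", "192.0.2.77", "web03", "login_failure") for i in range(6)]
)


def run(events=SAMPLE_EVENTS):
    """Correlate, then triage; Major Incidents are listed first for the responders."""
    records = [triage(a) for a in correlate(events)]
    return sorted(records, key=lambda r: (r["category"] != "Major Incident", r["attacker_ip"]))


if __name__ == "__main__":
    for r in run():
        print(f"{r['category']:14} {r['attacker_ip']:13} ({r['source_geo']}) -> "
              f"{r['target_endpoint']} [{r['endpoint_location']}]: {r['suspected_attack']}")
```

Three things in the sample are worth noting. The third source sends six failures, more than the threshold, but ten minutes apart, so the window rule does not fire; without the window every slow scanner would become an incident. The host-based alert has no attacker IP, which is normal for that channel, and is tied to the attack only because it follows the success on the same host within the window. And the same pattern against the low-criticality web host is categorised as a Minor Incident, which is the CMDB enrichment doing the prioritisation the slide asks for.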

PEOPLE – ANALYSTS, OPERATORS, ADMINS, ARCHITECTS, ENGINEERS ETC.

1. People are as important as technology.
2. Analysts and operators must be well trained and skilled.
3. Processes must exist and should be followed, and policies must be adhered to.
4. Cyber operations require specialist skills, and continuous investment in training, courses, certifications and memberships.
5. The best cyber operations can only be achieved through people: ‘man in the loop’.

REPORTING – MANAGEMENT INFORMATION (MI Reporting)

Sample important elements of cyber reports:

1. Report against SLAs.
2. Performance of the cyber operations (RoC*; false negatives vs false positives vs true negatives vs true positives).
3. Rolling "top 5" cyber attacks, and the geography of origin of the attacks.
4. Summary of internal violations: privileged user misuse/abuse.
5. Summary of current policy violations.

Report against the useful indicators that matter to the business, driven by stakeholders (senior executives, and analysts too).
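The five report elements are straightforward to produce once every alert carries a category, an attack type, an origin and the analyst's disposition. The following Python is an added example, not from the lecture: it builds all five from a constructed alert list, reading RoC as the receiver operating characteristic (an assumption) and reporting one operating point (FPR, TPR) of the rule set alongside the confusion matrix. The SLA targets, the missed-incident count (false negatives found by users or forensics rather than monitoring) and the benign-session count (true negatives) are assumed values.

```python
from collections import Counter
from datetime import datetime, timedelta

# Added example, not from the lecture. The report period ends at NOW; the alert list,
# the missed-incident count and the benign-session count are all constructed.
NOW = datetime(2015, 2, 25, 18, 0, 0)
SLA_MINUTES = {"Major Incident": 15, "Minor Incident": 60}   # assumed time-to-acknowledge targets


def _alert(hours_ago, ack_minutes, category, attack, origin, disposition):
    raised = NOW - timedelta(hours=hours_ago)
    return {"raised": raised, "acked": raised + timedelta(minutes=ack_minutes),
            "category": category, "attack": attack, "origin": origin,
            "disposition": disposition}       # analyst verdict: true_positive / false_positive


ALERTS = [  # analyst dispositions for the period (constructed)
    _alert(240, 10, "Major Incident", "brute-force login", "KR", "true_positive"),
    _alert(144, 20, "Major Incident", "web application attack", "CN", "true_positive"),
    _alert(120, 30, "Minor Incident", "malware on endpoint", "US", "true_positive"),
    _alert(96, 90, "Minor Incident", "brute-force login", "KR", "true_positive"),
    _alert(72, 45, "Minor Incident", "port scan", "RU", "false_positive"),
    _alert(48, 5, "Major Incident", "privileged user misuse", "internal", "true_positive"),
    _alert(47, 50, "Minor Incident", "policy violation", "internal", "true_positive"),
    _alert(24, 40, "Minor Incident", "brute-force login", "BR", "true_positive"),
    _alert(23, 20, "Minor Incident", "malware on endpoint", "US", "false_positive"),
    _alert(12, 12, "Major Incident", "brute-force login", "KR", "true_positive"),
    _alert(3, 25, "Minor Incident", "web application attack", "CN", "true_positive"),
]
MISSED_INCIDENTS = 2        # incidents found outside monitoring this period (false negatives)
BENIGN_NOT_ALERTED = 9600   # sampled benign sessions the rules rightly ignored (true negatives)


def detection_performance(alerts, missed, benign_not_alerted):
    """Confusion matrix of the detection rules and their ROC operating point (FPR, TPR)."""
    tp = sum(a["disposition"] == "true_positive" for a in alerts)
    fp = sum(a["disposition"] == "false_positive" for a in alerts)
    fn, tn = missed, benign_not_alerted
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "tpr": round(tpr, 3), "fpr": round(fpr, 4), "precision": round(precision, 3),
            "roc_point": (round(fpr, 4), round(tpr, 3))}


def sla_report(alerts):
    """Share of incidents acknowledged within the SLA target for their category."""
    out = {}
    for category, target in SLA_MINUTES.items():
        rows = [a for a in alerts if a["category"] == category]
        met = sum(a["acked"] - a["raised"] <= timedelta(minutes=target) for a in rows)
        out[category] = {"incidents": len(rows), "met": met,
                         "pct": round(100 * met / len(rows), 1) if rows else None}
    return out


def top_attacks(alerts, now, days=7, n=5):
    """Rolling top-n confirmed attack types over the last `days`, with origin geography."""
    recent = [a for a in alerts
              if a["disposition"] == "true_positive" and now - a["raised"] <= timedelta(days=days)]
    return [{"attack": attack, "count": count,
             "origins": dict(Counter(a["origin"] for a in recent if a["attack"] == attack))}
            for attack, count in Counter(a["attack"] for a in recent).most_common(n)]


def internal_violations(alerts):
    confirmed = [a for a in alerts if a["disposition"] == "true_positive"]
    return {"privileged_user_misuse": sum(a["attack"] == "privileged user misuse" for a in confirmed),
            "policy_violations": sum(a["attack"] == "policy violation" for a in confirmed)}


def build_report(alerts=ALERTS, now=NOW, missed=MISSED_INCIDENTS, benign=BENIGN_NOT_ALERTED):
    return {"sla": sla_report(alerts),
            "performance": detection_performance(alerts, missed, benign),
            "top_attacks": top_attacks(alerts, now),
            "internal": internal_violations(alerts)}


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(), indent=2, default=str))
```

The false-negative and true-negative counts are the inputs a SIEM cannot supply on its own, which is why the performance row depends on the incident process feeding back every incident that was found some other way, and on an agreed way of sampling benign activity; without them the report can only show alert volume, not detection quality.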

Typical Accounting Data (Sampled)

• Date and Time
• Date and Time and Log record reference
• Malware name, Application(1) stream detected in, Direction and Console
• Signature-base Version(1) and Console
• User, Workstation, URL and Reason
• User, Workstation or Process, URL of file and Reason
• User, Workstation or Process, URL and Reason
• User, Workstation and URL
• Criticality, Message contents and output Console
• User, Device, Console and Reason for failure
• Detecting Probe or Agent, Attack type, Source, Target and attack Detail

[Figure: the CSOC model, with Strategy and Incidents (Analyse, Identify, Manage, Escalate, Resolve) at the centre and the aspects arranged around them. Labels recoverable from the figure: Business Audit (business rules on business systems, accountable to the user, by an independent person, for evidential proof); Technical Audit (system rules on any device, for situational awareness and performance); Event Monitoring (proactive; suspicious behaviour; policy violation; sensors, time sync, logs; accounting process by device; collection process, independent; log sources, recordable events, alerts as prioritised events, rules; privileged users, accountable items); Correlation (identify event and time; HIDS, NIDS, DDoS probes etc.; cross-channel); Policy & Compliance Controls; Assurance & Testing; Risk Management & Security Accreditation; Manage People & Process; Forensic & Legal Readiness; the channels App, Network, System Security, Host-based, Database and SEF; and PMC1 to PMC12, the Protective Monitoring Controls of GPG 13 (reference 5).]

Terms of Reference

CYBER SECURITY OPERATIONS CENTRE OBJECTIVES

The 12 Aspects include:

• Analyse & Identify Incidents
• Manage Incidents to Resolution
• Business Audit
• Technical Audit
• Event Monitoring
• Log Collection
• Correlation – by Time across Multiple Channels
• Policy & Compliance Controls
• Privileged User Monitoring
• Risk Management & Security Accreditation
• Manage People & Process
• Forensic & Legal Readiness

Control types: Deterrent Controls, Proactive Controls, Reactive Controls, Retrospective Controls.

CONCLUSION

1. A CSOC is an essential business control to ensure safe and secure business operations and services, especially online digital services.
2. Business requirements should drive the cyber security strategy, and the CSOC's capabilities and scope.
3. Continuous improvement, including lessons learned, should be encouraged.
4. Cyber incidents will happen, and every organisation should have a proportionate incident response and management strategy, and incident readiness processes, in place.
5. Forensic readiness should be considered important, and business requirements should focus on this.
6. People and process are the key, while technology is equally important too.
7. Staff training and development should be considered essential.

REFERENCES / SOURCES

1. HMG Government – www.gov.uk
2. CESG Policies & Guidance – http://www.cesg.gov.uk/PolicyGuidance/Pages/index.aspx
3. The UK Cyber Security Strategy – https://www.gov.uk/government/publications/cyber-security-strategy
4. HMG Security Policy Framework – https://www.gov.uk/government/publications/security-policy-framework
5. HMG Good Practice Guide #13 – Protective Monitoring of HMG ICT Systems
6. HMG Good Practice Guide #53 – Transaction Monitoring for HMG Online Service Providers – https://www.gov.uk/government/publications/transaction-monitoring-for-hmg-online-service-providers
7. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/271268/GPG_53_Transaction_Monitoring_issue_1-1_April_2013.pdf
8. 10 Steps to Cyber Security – https://www.cesg.gov.uk/News/Pages/10-Steps-to-Cyber-Security.aspx
9. Cyber Essentials Scheme – https://www.gov.uk/government/publications/cyber-essentials-scheme-overview
10. NIST 800-Series (SP 800-137) – Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organisations – http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf
11. Reducing the Cyber Risk in 10 Critical Areas – https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/395716/10_steps_ten_critical_areas.pdf
12. FIRST – Forum of Incident Response and Security Teams – https://www.first.org/about/organization/teams
13. User Agent (HTTP) – http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
14. Syslog Standard (IETF RFC 5424) – https://tools.ietf.org/html/rfc5424
15. Renaud Bidou – “Security Operation Center Concepts & Implementation”
16. Cyril Onwubiko & Thomas Owens – “Situational Awareness in Computer Network Defense: Principles, Methods & Applications”

CONTACT

Dr Cyril Onwubiko (1, 2)

1. Chair – Intelligence & Security Assurance, E-Security Group, Research Series
2. Steering Committee Chair, Cyber Science Joint Conferences 2015, C-MRiC.ORG

[email protected]
@CMRiCORG
www.C-MRiC.ORG

CONFERENCES

Joint and co-located conferences: Cyber Science 2015, June 8-9, London, UK

• International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA 2015), June 8-9, 2015, London, UK (www.c-mric.org/csa-2015home)
• International Conference on Social Media, Wearable and Web Analytics (Social Media 2015), June 8-9, 2015, London, UK (www.c-mric.org/sm-2015home)
• International Conference on Cyber Security and Protection of Digital Services (Cyber Security 2015), June 8-9, 2015, London, UK (www.c-mric.org/cs-2015home)
• International Conference on Cyber Incident Response, Coordination, Containment & Control (Cyber Incident 2015), June 8-9, 2015, London, UK (www.c-mric.org/ci-2015home)

Conference proceedings will be published by Conference Publishing Services (CPS) and submitted for bibliographic indexing and listing on: IEEE Computer Society Digital Library, IEEE Xplore Digital Library, DBLP Computer Science, Scopus, CiteSeerX, Computer Science Index, EI Compendex, Academic Search Complete, CiteULike, Google Scholar and Microsoft Academic.
