

Understanding SOC: The heartbeat of Cybersecurity and Network Infrastructure

Title: Understanding SOC: The heartbeat of Cybersecurity and Network Infrastructure
Presenter: Jayesh Dhuri
Event: BreachForce CyberSecurity Cohort
Talk Date: 16-June-2024

Key Takeaways: Gain insights into the crucial role of Security Operations Centers (SOCs) in safeguarding networks and responding to threats, explore the essential components and processes that make SOCs effective.

BreachForce

June 16, 2024


Transcript

  1. Beginners' Guide! Understanding SOC: The heartbeat of Cybersecurity and Network Infrastructure
     @Jayesh_Dhuri, 16th June 2024, Major Event, 03:30:00 PM IST
  2. About Me: Jayesh Dhuri, Jr. Cyber Security Analyst at Audix Technologies
     [email protected] | linkedin.com/in/jayesh-dhuri-54a9a51b1
     Explored auditing and cultivated a strong interest in blue teaming; actively engaged as SOC L1 with VA-PT responsibilities.
     Computer Engineer | Speaker | CyberSecurity Enthusiast | THM Community | SIH Grand Finalist 2022
  3. Today's Agenda
     1. Introduction to SOC
     2. SOC Team Structure
     3. Network Infrastructure
     4. SOC Architecture
     5. SOC Tools and Technologies
     6. Flow of IT Infrastructure
  4. What is SOC? SOC stands for Security Operations Center. It is a centralized unit within an organization responsible for monitoring, analyzing, and responding to cybersecurity threats and incidents. The primary role of a SOC is to safeguard the organization's digital assets, including networks, systems, applications, and data, from a wide range of security threats such as cyber attacks, data breaches, and unauthorized access.
  5. How does a SOC work? 24/7/365 surveillance:
     - Monitoring and detection of threats
     - Investigating alerts
     - Responding to incidents
     - Vulnerability research and patching
  6. Roles and Responsibilities
     - L1 (Alert Triage, 1st Line of Defence): Identifying anomalies; Performing investigations; Raising requests for whitelisting/blacklisting
     - L2 / SOC Lead / L3: Monitoring alerts; Resource mentoring; Threat hunting; Creating/approving whitelists and blacklists; Handling escalations; Client handling; Client onboarding; Documentation; Generating reports; RCA
  7. SOC Manager: Responsible for security operations; Coordination with stakeholders; Addition of new services (tools); Strategy and roadmap development; Training resources
  8. SIEM Engineer: SIEM administration; Assisting SOC resources with reports and queries; Reporting and dashboards; Integration of systems/devices; Use cases and rules
  9. SOC Tools and Technology: SIEM; EDR (Endpoint Detection and Response); Threat Intelligence Platforms; FIM (File Integrity Monitoring); PAM (Privileged Access Management); Firewall (WAF), IDS/IPS; AI
  10. What is SIM? What is SEM? What is SIEM? (SIEM: Security Information and Event Management)
      Security information management (SIM) refers to the collection of log files and their storage in a central repository for later analysis. SIM is therefore also referred to as log management.
      Security event management (SEM) is the identifying, gathering, monitoring, evaluating and correlating of system events and alerts. In a sense, SEM is an improvement on SIM, though the two are seen as distinct areas of security management.
      SIEM is a tool that collects, aggregates and normalizes the data, analyses it according to pre-set rules and presents it in human-readable format. SIM + SEM = SIEM. Garbage In = Garbage Out.
      Pipeline: 1. Log Collection, 2. Log Aggregation, 3. Rule-Based Alerts, 4. Artificial Intelligence, 5. Response
  11. COLLECTION: Agent-based and agentless
      I. Agent-based: an agent on each device collects, parses, and forwards the logs. Examples: Windows servers, web servers, other file-based logs (e.g., Sysmon, NXLog, OSSEC, etc.).
      II. Agentless: devices send the logs to the server themselves. Examples: Windows hosts (WMI), cloud environments (APIs), firewalls, switches.
      AGGREGATION: the process of collecting logs from multiple computing systems, parsing them and extracting structured data, and putting them together in a format that is easily searchable and explorable by modern data tools. Methods: push and pull.
      I. Push: logs are pushed from the source to the server.
      II. Pull: logs are pulled by the server from the source.
  12. PARSING, NORMALIZATION & CATEGORIZATION
      Parsing: a software component that can take a specific log format and convert it to structured data. Multiple parsers are used for different systems.
      Example log: Sep 28 16.39.03 app_server sshd[8677] Failed password for invalid user icecast2 from 10.72.109.227 port 57238 ssh2
      After parsing: host = app_server; process = sshd; source_user = icecast2; source_ip = 10.72.109.227; source_port = 57238
      Normalization: merges events containing different data into a reduced format which contains common event attributes, following a standard for reducing records to common event attributes, i.e., common field names and values.
      Categorization: adding meaning to events by identifying log data related to system events, authentication, local/remote operations, etc. Example: host=app_server, process=sshd, source_user=icecast2, source_ip=10.72.109.227, source_port=57238 → Authentication|Login|SSH Login
      (Diagram labels: Fetching Info, Normalizing Data)
  13. ENRICHMENT: Making data useful for action. Log enrichment involves adding important information that can make the data more useful. Example: host = app_server; process = sshd; source_user = icecast2 → (Administrator); source_ip = 10.72.109.227 → (Internal IP); source_port = 57238
      CORRELATION RULES & ALERTS: an if/else statement, or more precisely a conditional. A correlation rule is a logical expression that causes the system to take a specific action if a particular event occurs. For example, "Anonymous logon: alert the user". In other words, a correlation rule is a condition (or set of conditions) that functions as a trigger for an alert.
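An added example, not from the deck, that runs the slide-12 sshd log line (plus three constructed lines) through the parsing, normalization, categorization, enrichment and correlation stages described in slides 12 and 13. Field names follow the slides; the regex, the admin-account and internal-IP lookups, and the failed-login threshold rule are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines; the first mirrors the deck's slide-12 example.
SAMPLE_LOGS = [
    "Sep 28 16:39:03 app_server sshd[8677]: Failed password for invalid user icecast2 from 10.72.109.227 port 57238 ssh2",
    "Sep 28 16:39:05 app_server sshd[8677]: Failed password for invalid user admin from 10.72.109.227 port 57240 ssh2",
    "Sep 28 16:39:09 app_server sshd[8680]: Failed password for root from 10.72.109.227 port 57244 ssh2",
    "Sep 28 16:40:01 app_server sshd[8702]: Accepted password for deploy from 10.72.109.50 port 51022 ssh2",
]

# Parser for one log format (sshd password auth); a real SIEM keeps one parser per source type.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) (?P<host>\S+) (?P<process>\w+)\[\d+\]:? "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Enrichment lookups: assumptions for this example (a real SIEM queries a CMDB / directory).
ADMIN_ACCOUNTS = {"icecast2", "root"}   # assumed privileged accounts
INTERNAL_PREFIX = "10."                 # assumed on-site private range

def parse(line):
    """Parsing: raw text -> structured fields; None when this parser does not match the line."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Normalization: common field names (source_user, source_ip, ...) regardless of source format.
    event = {
        "host": d["host"], "process": d["process"],
        "source_user": d["user"], "source_ip": d["ip"], "source_port": int(d["port"]),
        "outcome": "failure" if d["outcome"] == "Failed" else "success",
    }
    # Categorization: attach meaning (taxonomy) to the event, as on slide 12.
    event["category"] = "Authentication|Login|SSH Login"
    # Enrichment: add context that makes the event actionable, as on slide 13.
    event["user_role"] = "Administrator" if event["source_user"] in ADMIN_ACCOUNTS else "Standard"
    event["ip_scope"] = "Internal IP" if event["source_ip"].startswith(INTERNAL_PREFIX) else "External IP"
    return event

def correlate(events, threshold=3):
    """Correlation rule (assumed): >= threshold failed SSH logins from one source_ip -> one alert per IP."""
    failures = Counter(e["source_ip"] for e in events
                       if e["outcome"] == "failure" and e["category"].startswith("Authentication"))
    return [{"rule": "ssh_bruteforce", "source_ip": ip, "count": n}
            for ip, n in failures.items() if n >= threshold]

def run_pipeline(lines):
    """Collection -> parsing/normalization/enrichment -> correlation; returns (events, alerts)."""
    events = [e for e in (parse(line) for line in lines) if e]
    return events, correlate(events)
```

Calling `run_pipeline(SAMPLE_LOGS)` yields four normalized events and a single alert for 10.72.109.227, whose three failures cross the assumed threshold; the successful login from 10.72.109.50 is parsed but raises nothing.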
  14. INDEXING: to effectively search and explore log data, there is a need to create an index of common attributes across all log data. Searches or data queries that use the index keys can be an order of magnitude faster compared to a full scan of all log data. E.g.: Source data type == Cyberoam
      STORAGE: logs are stored for different purposes such as compliance and sometimes for later retrieval. They can be kept as hot storage or cold storage. E.g.: a database of logs and system information.
  15. List of SIEM Tools: IBM QRadar; Splunk; Seceon; AlienVault; SolarWinds; ArcSight; Wazuh (Open Source)
  16. Flow of IT Security Infrastructure: IT team; SOC/NOC; IR; DF; TI; VAPT; Policy; Audit; Risk Management; DR; BCP