Understanding SOC: The heartbeat of Cybersecurity and Network Infrastructure

Transcript

1. Beginners Guide! Understanding SOC: The heartbeat of Cybersecurity and Network

   Infrastructure @Jayesh_Dhuri 16th June 2024 Major Event - 03:30:00 PM IST

2. [email protected] linkedin.com/in/jayesh-dhuri-54a9a51b1 About Me... Jayesh Dhuri Jr. Cyber Security Analyst

   at Audix Technologies Explored auditing and cultivated a strong interest in blue teaming, actively engaged as SOC L1 with VA-PT responsibilities. Computer Engineer | Speaker | CyberSecurity Enthusiast | THM Community | SIH Grand Finalist 2022

3. 1 2 3 5 Today's Agenda Introduction to SOC SOC

   Team Structure Network Infrastucture SOC Tools and Technologies 4 SOC Architechture 6 Flow of IT Infrastructure

4. What is SOC? SOC stands for Security Operations Center. It

   is a centralized unit within an organization responsible for monitoring, analyzing, and responding to cybersecurity threats and incidents. The primary role of a SOC is to safeguard the organization's digital assets, including networks, systems, applications, and data, from a wide range of security threats such as cyber attacks, data breaches, and unauthorized access. -SOC-

5. How SOC Works? 24/7 Surveillence /365 days Monitoring and Detection

   of Threats Investigating Alerts Responding Incidents Vulnerability Research & Patching

6. Basic Team Hierarchy- Team Structure

7. L 1 Alert Triage 1st Line of Defence Identifying Anomalies

   Performing Investigations Rasing Requests for White/Blacklisting L 2 SOC lead/L3 Monitoring Alerts Resource Mentoring Threat Hunting Creating / Approving White and Blacklists Handling Escalations Client Handling Client Onboarding Documentation Generating Reports RCA Roles and Responsibilities

8. SOC Manager Responsible for Security Operations Coordination with Stakeholders Addition

   of new services {tools} Strategy and Roadmap Development Training resource

9. SIEM Engineer SIEM Administration Assisting SOC Resources with Reports and

   Queries Reporting and Dashboards Integration of Systems/ Devices Use cases and Rules

10. 3 Network Infrastructure

11. SERVER LOOKS LIKE THIS Network Devices

12. Network Devices ROUTER LOOKS LIKE THIS

13. Network Devices SWITCH LOOKS LIKE THIS

14. Network Devices WLC and AP LOOKS LIKE THIS

15. Network Devices IDS LOOKS LIKE THIS IPS LOOKS LIKE THIS

16. Network Devices DMZ Overview:

17. SOC Tools and Technology SIEM EDR - Endpoint Detection and

    Response Threat Intelligence Platforms FIM - File Integrity Monitoring PAM - Privileged Access Management Firewall (WAF), IDS/IPS AI

18. What is SIM? SIEM Security Information Event Management What is

    SEM? What is SIEM? Security information management (SIM) refers to the collection of log files and storage in a central repository for later analysis. SIM is therefore also referred to as log management. Security event management (SEM) is the identifying, gathering, monitoring, evaluating, correlating and monitoring of system events and alerts. In a sense, SEM is an improvement of SIM, though the two are seen as distinct areas of security management. SIEM is a tool that collects, aggregates, normalizes the data and analyses it according to pre-set rules and presents the data in human readable format. Garbage In = Garbage Out 1. Log Collection 2. Log Aggregation 3. Rule Based Alerts 4. Artificial Intelligence 5. Response SIM + SEM = SIEM

19. Logs Collections and Alert Generation is done following the Functions

    Below SIEM FUNCTIONS

20. COLLECTION Agent Based and Agent Less AGGREGATION Push and Pull

    methods I. Agent-Based: - Agent Collected on each device collects, parses, and forwards the logs. - Windows Servers, Web Servers, Other file-based logs (e.g., Sysmon, NXLog, OSSEC, etc.). II. Agentless: - Devices send the logs to the servers. - Windows Hosts (WMI), Cloud Environments (APIs), Firewalls, Switches. Process of collecting logs from multiple computing systems, parsing them and extracting structured data, and putting them together in a format that is easily searchable and explorable by modern data tools. Methods I. Push. Logs are pushed from source to server. II. Pull. Logs are pulled by server from source.

21. PARSING NORMALIZATION & CATEGORIZATION Software component that can take a

    specific log format and convert it to structured data. Multiple parsers are used for different systems Example Log: Sep 28 16.39.03 app_server sshd[8677] Failed password for invalid user icecast2 from 10.72.109.227 port 57238 ssh2 After parsing host = app_server process = sshd source_user = icecast2 source_lip = 10.72.109.227 source_port = 57238 Normalization: Merges events containing different data into a reduced format which contains common event attributes. Following a standard for reducing records to common event attributes i.e., common field names and values. Categorization: Categorization involves adding meaning to events - identifying log data related to system events, authentication, local/remote operations, etc. Host=app_server Process=sshd source_user=icecast2 → Authentication|Login|SSH Logi n source_ip=10.72.109.227 source_port= 57238 Fetching Info Normalizing Data

22. ENRICHMENT Making Data useful for Action CORRELATION RULES & ALERTS

    If else statement... more like conditional Log enrichment involves adding important information that can make the data more useful. host = app_server process = sshd source_user =icecast2 →(Administrator) source_ip = 10.72.109.227 →(Internal IP) source_port =57238 A correlation rule is a logical expression that causes the system to take a specific action if a particular event occurs. For example, "Anonymous logon, alert the user”. In other words, a correlation rule is a condition (or set of conditions) that functions as a trigger for alert.

23. INDEXING STORAGE Effectively search and explore log data, there is

    need to create an index of common attributes across all log data. Searches or data queries that use the index keys can be an order of magnitude faster, compared to a full scan of all log data. Logs are stored for different purposes such as compliance and sometimes for later retrieval. They can be kept as Hot Storage or Cold Storage. E.G: Source data type == Cyberroam E.G: Database of logs and system information.

24. Agents Based Cloud SIEM - Seceon SIEM Architecture

25. Qradar Architecture SIEM Architecture

26. Basic Deployment of SIEM SIEM Architecture

27. List of SIEM Tools IBM QRadar SPLUNK SECEON ALIEN Vault

    Solarwinds Arksite Wazuh (Open Source)

28. Flow Of IT Security Infrastructure IT team SOC/NOC IR DF

    TI VAPT Policy Audit Risk Management DR BCP

29. Friendly Fire.

30. Demo of Alert and Framework used

31. Q & A Folks!

32. Thank You! Have a great Sunday!