Security Operations Center (SOC) Basic Fundamentals
Ø A SOC consists of two logical parts:
1. Hub architecture => SIEM. It protects the infrastructure by detecting, analyzing and responding. SOAR is part of the SIEM: Security Orchestration (centrally controlled), Automation (automatic analysis without human interference) and Response (take the necessary action), together with threat intelligence and analysis tools.
2. Spoke architecture => IPS, IDS, application scanner, EDR, XDR, MDR.
Ø SOC functions: monitoring and investigation, daily SOC tasks, on-demand requests, reporting and compliance.
Ø The SOC continuously monitors IT equipment from a centralized location and protects the IT infrastructure by detecting, analyzing and responding.
Ø The SIEM parses (converts raw data into organized data) all the logs into a readable, structured format.
· All device logs are integrated with the SIEM box, and the SIEM has an intelligence system that detects threats.
· A next-generation SIEM has a UEBA (user and entity behavior analytics) tool that analyzes all the internal logs.
· If a SIEM has UEBA, ML and SOAR, it is a next-generation SIEM.
· ML detects threats without any signature or predefined rule.
· QRadar, Splunk and LogRhythm are SIEM solutions.
Ø Endpoint security => antivirus, host firewall, EDR, DLP, vulnerability assessment tool.
Ø The SIEM triggers an alarm when it finds a vulnerability; the SIEM is both a reactive and a proactive approach.
Ø Difference between event and incident
· Event: observables => user login, logoff, VPN connections, proxy connections.
· Incident: damage => malware outbreak, earthquake, fire, public exposure of data. Can be a false positive.
Ø Incident management life cycle
· Preparation
· Identification
· Containment
· Eradication
· Recovery
· Lessons learnt
Ø IBM security feed => cloud-based data, up to 700 TB (all bad log/event updates are available); X-Force Exchange feature (complimentary).
Ø Threat intelligence provides the solution to counter the issue, e.g. the Cisco Talos tool.
Ø Analysis tools: VirusTotal, IPVoid, Autoruns, Process Explorer (host attack analysis), Wireshark and Zeek (network analysis), IDA Pro, Ghidra (malware analysis). There is no protection against a zero-day threat or zero-day attack.
Ø The SIEM will:
· Collect events
· Correlate data
· Alert in real time
· Report
Ø IBM QRadar modules
· SIEM
· Network Insights
· QVM (Vulnerability Manager)
· QRM (Risk Manager)
· Incident Forensics
Ø QRadar sources of information
1. Log sources => where the logs originate; they are sent to the SIEM solution. Logs come from Linux, firewalls, routers, switches etc.
2. Flow sources => layer 7 monitoring: NetFlow, QFlow, J-Flow, Wireshark.
3. Vulnerability scan => can be done through internal or external integration.
4. Asset information => should be kept up to date; all asset information is stored in the database, e.g. all the logs and ports enabled in the firewall, Active Directory, port 53.
5. Watch list => predefined rules for alerting.
6. Threat intelligence => IBM X-Force or a 3rd-party intelligence feed is used.
Ø IBM counts capacity in EPS (events per second) and FPM (flows per minute).
Ø In the all-in-one architecture the console is called the magistrate and all work is done by the console; there is only one console, and all the different components are called managed hosts.
Distributed deployment: QRadar components
Ø Event collector (EC) performs the following steps:
1. Logs are in raw form when the event collector collects them. The event collector has a parsing engine that converts them into readable form. The parsing engine is called the DSM (device support module); the DSM understands the logs in their raw form.
2. Checks the protocol (log file, JDBC, syslog) and maps the logs to QIDs.
3. Log coalescing => if many events have the same identifiers, they are merged into one event; e.g. if 4 or 5 logs within 10 seconds have the same identifiers, they are merged into one.
4. Auto-discovery => automatically discovers the log source and collects all its information.
5. License throttling => makes sure incoming events do not violate the license.
The event collector does not store events.
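The collector steps above (DSM parsing, QID mapping, 10-second coalescing), as an added example that is not QRadar code or part of the original notes. The log lines, the QID numbers and the single-regex "DSM" are constructed for the example; real QRadar QIDs and DSMs are product-specific. The coalescing key (QID, user, source IP) is an assumption standing in for the identifiers QRadar uses:

```python
"""Toy event-collector pipeline: DSM-style parsing, QID mapping and
10-second coalescing. Added example, not QRadar code; QIDs are placeholders."""
import re
from dataclasses import dataclass, replace

# Constructed syslog-style lines (epoch seconds first), not from a real device.
RAW_LOGS = [
    "1700000000 sshd[2101]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    "1700000002 sshd[2101]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
    "1700000005 sshd[2101]: Failed password for admin from 203.0.113.7 port 51130 ssh2",
    "1700000006 sshd[2101]: Accepted password for alice from 198.51.100.4 port 40000 ssh2",
    "1700000007 kernel: eth0: link up",
    "1700000015 sshd[2101]: Failed password for admin from 203.0.113.7 port 51140 ssh2",
]

# Hypothetical QID table (event name -> (QID, low-level category)).
# Real QRadar QIDs differ; these numbers are placeholders for the example.
QID_MAP = {
    "Failed password": (5000001, "Authentication.Failure"),
    "Accepted password": (5000002, "Authentication.Success"),
}

# The "DSM": one regex that understands this device's log format.
LINE_RE = re.compile(
    r"^(?P<ts>\d+) sshd\[\d+\]: (?P<name>Failed password|Accepted password) for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class Event:
    ts: int          # epoch seconds of the first event in the coalesced group
    qid: int
    category: str
    user: str
    src_ip: str
    count: int = 1   # how many raw events this normalized event represents


def parse(line):
    """DSM-style parse: raw text -> structured Event, or None if the format is unknown."""
    m = LINE_RE.match(line)
    if not m:
        return None
    qid, category = QID_MAP[m.group("name")]
    return Event(int(m.group("ts")), qid, category, m.group("user"), m.group("src"))


def coalesce(events, window=10):
    """Merge events with the same (QID, user, source IP) that arrive within
    `window` seconds of the first event of the group, keeping a count."""
    merged = []
    open_groups = {}  # key -> index into merged of the group still accepting events
    for ev in events:
        key = (ev.qid, ev.user, ev.src_ip)
        idx = open_groups.get(key)
        if idx is not None and ev.ts - merged[idx].ts < window:
            merged[idx].count += 1
        else:
            merged.append(replace(ev))  # copy so the caller's objects are untouched
            open_groups[key] = len(merged) - 1
    return merged


def collect(raw_lines, window=10):
    """Run the collector steps: parse, map to QID, coalesce.
    Returns (coalesced events, number of lines no DSM understood)."""
    parsed = [parse(line) for line in raw_lines]
    unknown = sum(1 for p in parsed if p is None)
    return coalesce([p for p in parsed if p is not None], window), unknown


if __name__ == "__main__":
    events, unknown = collect(RAW_LOGS)
    for e in events:
        print(f"{e.ts} qid={e.qid} {e.category} user={e.user} src={e.src_ip} count={e.count}")
    print(f"{unknown} line(s) not parsed by any DSM")
```

On the sample input the three admin failures within 10 seconds become one event with count 3, the later failure at +15 s opens a new group, the kernel line is counted as unparsed, and the original count of raw events is preserved in the counts, which is what makes coalescing safe for later threshold rules.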
Ø Event processor (EP) => the event collector sends the encrypted data to the event processor. The EP has the CRE (custom rule engine), and the CRE has built-in rules; the CRE checks the rules to confirm whether there is malicious activity.
1. The EP provides real-time streaming.
2. The EP stores the events and logs.
The EP database is called the Ariel query server, and it sends the events to the console.
IBM has two main engines: the CRE (custom rule engine) and the ADE (anomaly detection engine).
Ø Console: search management, offense management, report management, 3rd-party management. The console database is called the Ariel proxy server, or PostgreSQL.
Ø Data node (DN): connected to the event processor and used to enhance EP performance. A DN is added for extra storage, searching and processing; it is used by bigger organizations.
Ø Flow collector: captures flows and sends a copy of the network traffic to QRadar using a network tap or SPAN port.
· NetFlow => analyzes the network traffic.
· Virtual flow => analyzes the network flow of a virtual device.
· QFlow => SPAN port or network tap; layer 7 monitoring.
Ø The flow processor and the event processor have the same functionality.
Ø Difference between event and flow
· A flow is the complete information of a session, the complete network information of that session.
· An event is, for example, a user logging in.
· Flows are integrated or captured through a network tap or port mirroring.
Ø The app host is optional, like the data node, and reduces the load on the console. The console dedicates 10% of its total storage to the app host. All apps are stored on the app host, like User Behavior Analytics.
Ø The analysis tool is integrated into the console.
Ø IBM recommends console and event processor integration.
Ø IBM recommends primary and secondary appliances.
Ø All the devices at one site should have the same IP addressing as the EP in a distributed deployment.
Ø All the devices at one site should have the same IP addressing as the primary console in an all-in-one deployment.
Ø LogPoint is open source and is used to calculate EPS.
Ø MSRPC can forward only the Application, System and Security logs.
Ø WinCollect can forward all logs, and WinCollect can filter out unnecessary logs.
Ø Events over the MSRPC protocol use a polling protocol called MS-EVEN6; in IBM QRadar, MS-EVEN6 is selected by default.
Ø The console communicates with the remote WinCollect agent.
QRadar main services
Ø Host Context: disk management, disk upgrade, core process start and stop, deployment of all components, reporting, asset information. It runs on the console and on managed hosts. ECS ingress is not handled by Host Context.
Ø Tomcat: responsible for the user interface; the UI is not available while the service restarts. Tomcat runs on the console.
Ø Host services: all back-end daemon processes.
Ø ecs-ingress: collects logs; this service is available on the EC. ecs-ec is available on the EC to parse and coalesce the logs.
Ø Accumulator: its database is on the EP; the accumulation data table is in the Ariel query table, and the accumulator is responsible for counting data that changes at regular intervals. All data is saved in the data table.
Ø IOCs (indicators of compromise) are the traces of an attack. An IOC can be a hash, IP, URL, bad domain or network anomaly. They carry information about the attack and help protect against such attacks in future.
Ø YouGetSignal, Censys and Shodan.io provide IP information.
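How hash, IP, URL and domain IOCs from a watch list are matched against normalized log lines, as an added example rather than QRadar's reference-set implementation or anything from the original notes. The watch list, the log lines and the placeholder SHA-256 are all constructed; the refanging rules (hxxp, [.]) and the subdomain-suffix matching are design choices of this example:

```python
"""Watch-list / IOC matching over normalized log lines. Added example, not
QRadar code; every indicator and log line below is constructed."""
import ipaddress
import re

# Constructed watch list, written the way analysts often paste indicators
# (some defanged). None of these refers to a real campaign.
WATCHLIST = [
    "203.0.113.55",
    "hxxp://malware-cdn[.]example/payload.bin",
    "malware-cdn[.]example",
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",  # placeholder SHA-256
]

# Constructed log lines from three hypothetical sources (proxy, DNS, EDR).
LOGS = [
    "proxy src=10.0.0.12 dst=203.0.113.55 url=http://malware-cdn.example/payload.bin status=200",
    "dns client=10.0.0.12 query=cdn.malware-cdn.example type=A",
    "edr host=ws-07 file=C:\\Users\\bob\\update.exe sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "proxy src=10.0.0.15 dst=198.51.100.20 url=http://intranet.example/index.html status=200",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")  # SHA-256, SHA-1, MD5
URL_RE = re.compile(r"https?://\S+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(ioc):
    """Undo common defanging so the indicator compares equal to what logs contain."""
    return (ioc.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def classify(ioc):
    """Return (ioc_type, normalized_value) for one watch-list entry."""
    value = refang(ioc)
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        pass
    if HASH_RE.fullmatch(value):
        return "hash", value
    if "://" in value:
        return "url", value
    return "domain", value


def extract(line):
    """Pull candidate indicators out of a log line, grouped by type."""
    low = line.lower()
    return {
        "ip": set(IP_RE.findall(low)),
        "hash": set(HASH_RE.findall(low)),
        "url": set(URL_RE.findall(low)),
        "domain": set(HOST_RE.findall(low)),
    }


def match(logs, watchlist):
    """Return (line_index, ioc_type, indicator) for every watch-list hit.
    Domains match exactly or as the parent of a subdomain seen in the log."""
    iocs = [classify(i) for i in watchlist]
    hits = []
    for idx, line in enumerate(logs):
        found = extract(line)
        for ioc_type, value in iocs:
            if ioc_type == "domain":
                if any(h == value or h.endswith("." + value) for h in found["domain"]):
                    hits.append((idx, ioc_type, value))
            elif value in found[ioc_type]:
                hits.append((idx, ioc_type, value))
    return hits


if __name__ == "__main__":
    for idx, ioc_type, value in match(LOGS, WATCHLIST):
        print(f"line {idx}: {ioc_type} hit on {value}")
```

Normalizing both sides before comparing (lowercase hashes, refanged domains) is what keeps a watch list from silently missing hits; the DNS line shows why a bare equality check on domains is too weak, since the query is for a subdomain of the listed one.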
Ø MITRE ATT&CK is systematically defined from real-time observations and is dynamic. TTPs (tactics, techniques and procedures) are the toughest IOCs.
Ø Use Case Manager is a free QRadar app that has MITRE ATT&CK mapping associated with it.
· Reconnaissance: gather information about the targeted organization.
· Resource Development: gather resources to support targeting.
· Initial Access: the attacker tries to get access to the targeted organization.
· Execution: the attacker tries to run malicious code on the targeted network.
· Persistence: the attacker uses techniques that keep their access to the targeted organization.
· Privilege Escalation: the attacker uses techniques to get higher-level permissions.
· Defense Evasion: the attacker uses techniques to hide their activities throughout the attack.
· Credential Access: the attacker uses techniques to get usernames and passwords.
· Discovery: the attacker gathers information about the network and the internal network.
· Lateral Movement: the attacker uses techniques to move through the network.
· Collection: the attacker gathers data of interest.
· Command and Control: the attacker uses techniques to get control over the targeted organization's devices.
· Exfiltration: techniques used to steal data from the targeted network.
· Impact: techniques used to destroy or manipulate data.
Triage process
1. Monitor
· Offense monitoring and improving the rules
· User behavior analytics; the UEBA tool runs with ML
· SIEM alert monitoring
· IBM Resilient is used for ticket generation
2. Initial investigation
· Investigate whether the offense needs to be escalated
3. Prioritize
· Prioritize the offense depending on the sensitivity of the data; every company has its own set of rules for prioritizing offenses
4. Escalate
· After a basic-level investigation, the issue has to be escalated to the IR team
· Cases need to be forwarded when a user account or server is at risk, IOCs are available, sensitive data is at risk, or there is suspicious activity in a user account
5. Improve
· After the triage process the rule set can be improved
· Minimize false positives to get legitimate incidents
· Rule accuracy can be improved
Role of an offense
Ø A unified threat from a specific source.
Ø CRE: the custom rule engine monitors all the logs and events. The CRE checks the pattern of the logs against predefined rules. A rule is triggered when there is an offense regarding a specific attack.
Ø IBM QRadar services, reports, searches and system monitoring are done through email notification.
Difference between incident and offense
· Incident: a single attack or policy violation generated by one rule.
· Offense: a group of attacks or policy violations generated against multiple rules, e.g. a brute-force attack on a specific account followed by privilege escalation.
Correlation engines in IBM QRadar
Ø CRE (Custom Rule Engine): rule-based, with rules created by the administrator, e.g. if there are 7 logins in 10 minutes, generate an offense.
Ø ADE (Anomaly Detection Engine): offenses are created based on behavior, anomaly and threshold, e.g. data exfiltration.
Ø Every offense and event has a magnitude. Magnitude is calculated from 3 factors:
· Relevance: the impact of the offense on your network. If the port is open, the relevance will be high. A DDoS attack on the network increases the relevance. To get accurate relevance, the asset DB and the network hierarchy should be accurate.
· Severity: an attack from a source is checked against the vulnerability of the destination, i.e. how prepared the destination is for the attack. If an offense is created due to failed attempts and an offense already exists, the severity increases. Severity does not depend on the network hierarchy.
· Credibility: trust in the logs. Credibility increases when multiple sources report the same attack.
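The CRE threshold rule ("7 logins in 10 minutes") and the three magnitude factors above, worked through in one added example that is not QRadar code or part of the original notes. The events, the asset database and the offense history are constructed, and the 0-10 scoring of relevance, severity and credibility is a hypothetical simplification written to follow the notes (open port raises relevance, a repeat offense raises severity, more reporting sources raise credibility), not IBM's actual formula:

```python
"""CRE-style threshold rule ("7 logins in 10 minutes") plus a hypothetical
magnitude score from relevance, severity and credibility. Added example, not
QRadar code; the scoring weights are assumptions, not IBM's formula."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int            # epoch seconds
    log_source: str
    category: str
    user: str
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Offense:
    src_ip: str
    user: str
    dst_ip: str
    dst_port: int
    first_ts: int
    event_count: int
    log_sources: set = field(default_factory=set)


BASE = 1_700_000_000
# Constructed events: 8 failures against svc-backup within 7 minutes, reported
# alternately by two log sources, plus 3 unrelated failures spread over 10 minutes.
SAMPLE_EVENTS = [
    Event(BASE + 60 * i, ["linux-auth", "vpn-gw"][i % 2], "Authentication.Failure",
          "svc-backup", "203.0.113.9", "10.0.0.5", 22)
    for i in range(8)
] + [
    Event(BASE + 30 + 300 * i, "linux-auth", "Authentication.Failure",
          "alice", "198.51.100.3", "10.0.0.5", 22)
    for i in range(3)
]


def evaluate_rule(events, threshold=7, window=600):
    """Sliding-window rule: >= threshold auth failures for one
    (src, user, dst, port) within `window` seconds creates an offense;
    later matching events are chained onto it instead of opening a new one."""
    recent = defaultdict(deque)   # key -> events still inside the window
    offenses = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.category != "Authentication.Failure":
            continue
        key = (ev.src_ip, ev.user, ev.dst_ip, ev.dst_port)
        q = recent[key]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()
        if key in offenses:
            offenses[key].event_count += 1
            offenses[key].log_sources.add(ev.log_source)
        elif len(q) >= threshold:
            offenses[key] = Offense(ev.src_ip, ev.user, ev.dst_ip, ev.dst_port,
                                    q[0].ts, len(q), {e.log_source for e in q})
    return list(offenses.values())


def magnitude(offense, asset_db, prior_offense_keys):
    """Hypothetical 0-10 scoring of the three factors from the notes."""
    asset = asset_db.get(offense.dst_ip, {})
    # Relevance: the targeted port being open on the asset makes it high.
    relevance = 10 if offense.dst_port in asset.get("open_ports", set()) else 3
    # Severity: a repeated offense against the same target raises it.
    key = (offense.src_ip, offense.user, offense.dst_ip, offense.dst_port)
    severity = min(10, 5 + (2 if key in prior_offense_keys else 0))
    # Credibility: more independent log sources reporting -> more trust.
    credibility = min(10, 4 + 2 * len(offense.log_sources))
    total = round((relevance + severity + credibility) / 3)
    return relevance, severity, credibility, total


# Constructed asset database and offense history (assumptions for the example).
ASSET_DB = {"10.0.0.5": {"open_ports": {22, 443}}}
PRIOR_OFFENSES = {("203.0.113.9", "svc-backup", "10.0.0.5", 22)}

if __name__ == "__main__":
    for off in evaluate_rule(SAMPLE_EVENTS):
        print(off)
        print("relevance, severity, credibility, magnitude =",
              magnitude(off, ASSET_DB, PRIOR_OFFENSES))
```

The rule fires on the seventh failure and then chains the eighth onto the same offense rather than opening a second one, which is the incident-versus-offense distinction from the notes; the three alice failures never reach the threshold inside any 10-minute window, so they stay events.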
Ø Offense chaining: merges different incidents into one offense. The offense is based on an indexed field.
Ø Offense retention
· The default retention period is 30 days.
· There can only be 2,500 active offenses.
· 100,000 maximum total offenses.
Ø Offense maintenance
· Soft clean: all offenses are closed but are not removed from QRadar.
· Hard clean: removes all the offenses; a hard clean is not recommended.
Ø Offense handling: description and categories; magnitude (=> credibility, relevance and severity); user; networks; events and flows; time span; source and destination.
| Intrusion Detection System (IDS) | Intrusion Prevention System (IPS) | Firewall |
|---|---|---|
| A system that monitors network traffic and alerts the user when suspicious activity happens | A system that monitors network traffic and alerts the user like an IDS, but also takes action to prevent the attack | Inspects the network traffic and blocks malicious attacks |
| Does not block malicious traffic | Preferred by organizations because it both detects and prevents | Blocks IPs and ports |
| EDR (Endpoint Detection and Response) | MDR (Managed Detection and Response) | XDR (Extended Detection and Response) |
|---|---|---|
| Searching through data | Monitoring data | Recording security breaches |
| Investigating and hunting for threats | Searching for threats | Analysis of threat events |
| Monitoring and recording events | Handling alerts as they arise | Primary threat detection solutions |
| Suspicious activity alerts and validation | Investigations | Multi-platform data searches and threat investigations |
| Analyzing gathered data | Guided response efforts | Remediating current security threats |
| Support | Taking care of remediation | Processes to mitigate future risks |
| Remediation | | |
| PIM (Privileged Identity Management) | PAM (Privileged Access Management) | IAM (Identity and Access Management) |
|---|---|---|
| Used to manage, control and monitor the resources that have high-level privileged access | System used to safeguard, monitor and control privileged access | System that allows the admin to grant users access to resources with privileged access |