Building a minimum viable Security Operations Centre

Slides:



Advertisements
Similar presentations
MONITORING TOOLS Open Source Security Tools to monitor your network.
Advertisements

A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.
WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.
Cost Effort Complexity Benefit Cloud Hosted Low Cost Agile Integrated Fully Supported.
 Cloud computing  Workflow  Workflow lifecycle  Workflow design  Workflow tools : xcp, eucalyptus, open nebula.
CERN - IT Department CH-1211 Genève 23 Switzerland t Monitoring the ATLAS Distributed Data Management System Ricardo Rocha (CERN) on behalf.
Cloud Models – Iaas, Paas, SaaS, Chapter- 7 Introduction of cloud computing.
Technology Overview. Agenda What’s New and Better in Windows Server 2003? Why Upgrade to Windows Server 2003 ?  From Windows NT 4.0  From Windows 2000.
Microsoft and Community Tour 2011 – Infrastrutture in evoluzione Community Tour 2011 Infrastrutture in evoluzione.
CSE 548 Advanced Computer Network Security Document Search in MobiCloud using Hadoop Framework Sayan Cole Jaya Chakladar Group No: 1.
Portal for ArcGIS An Introduction
WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.
Network security Product Group 2 McAfee Network Security Platform.
VMware vSphere Configuration and Management v6
Powered by Microsoft Azure, PointMatter Is a Flexible Solution to Move and Share Data between Business Groups and IT MICROSOFT AZURE ISV PROFILE: LOGICMATTER.
Development of e-Science Application Portal on GAP WeiLong Ueng Academia Sinica Grid Computing
Jisc Monitor: Updates on Developments Dr Frank Manista Senior Open Access Support Coordinator Monitor Local and Monitor UK Photo by Kate Ter Haar CC-BY.
Computing Facilities CERN IT Department CH-1211 Geneva 23 Switzerland t CF Agile Infrastructure Monitoring HEPiX Spring th April.
Evolving Security in WLCG Ian Collier, STFC Rutherford Appleton Laboratory Group info (if required) 1 st February 2016, WLCG Workshop Lisbon.
CERN IT Department CH-1211 Genève 23 Switzerland t CERN IT Monitoring and Data Analytics Pedro Andrade (IT-GT) Openlab Workshop on Data Analytics.
CERN IT Department CH-1211 Genève 23 Switzerland t CERN Agile Infrastructure Monitoring Pedro Andrade CERN – IT/GT HEPiX Spring 2012.
Breaking the frontiers of the Grid R. Graciani EGI TF 2012.
Logging and Monitoring. Motivation Attacks are common (see David's talk) – Sophisticated – hard to reveal, (still) quite limited in our environment –
1 Internal Use Only Network on Demand OVM Demo Script March 2016.
Operations Coordination Team Maria Girone, CERN IT-ES GDB, 11 July 2012.
IT Monitoring Service Status and Progress 1 Alberto AIMAR, IT-CM-MM.
A presentation on ElasticSearch
Windows 2012R2 Hyper-V and System Center 2012
SharePoint 101 – An Overview of SharePoint 2010, 2013 and Office 365
CernVM-FS vs Dataset Sharing
Software & Technologies: an overview
Getting & Running EdgeX Docker Containers
Monitoring Evolution and IPv6
WLCG Workshop 2017 [Manchester] Operations Session Summary
James Casey, CERN IT-GD WLCG Workshop 1st September, 2007
Proventia Network Intrusion Prevention System
“Introduction to Azure Security Center”
Hybrid Management and Security
POW MND section.
Identity Management and Authorization
BBMRI Competence Centre Status Report
Securing the Network Perimeter with ISA 2004
Protecting your mobile devices away from virus by a cloud-based approach Wei Wu.
Cloud Computing Platform as a Service
Flexible Extensible Digital Object Repository Architecture
Use Cases and Requirements for I2NSF_
Flexible Extensible Digital Object Repository Architecture
Hyper-V Cloud Proof of Concept Kickoff Meeting <Customer Name>
Software Architecture in Practice
Introduction to Cloud Computing
PROCESS - H2020 Project Work Package WP6 JRA3
Northbound API Dan Shmidt | January 2017
Dev Test on Windows Azure Solution in a Box
Managing Clouds with VMM
Logsign All-In-One Security Information and Event Management (SIEM) Solution Built on Azure Improves Security & Business Continuity MICROSOFT AZURE APP.
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
20409A 7: Installing and Configuring System Center 2012 R2 Virtual Machine Manager Module 7 Installing and Configuring System Center 2012 R2 Virtual.
Case Study: Algae Bloom in a Water Reservoir
Getting Started.
Simplified Development Toolkit
Getting Started.
Security Information and Event Management (SIEM) Solution Runs on Microsoft Azure Power “We are so happy to be using Microsoft Azure to make our security.
Configuration management suite
Features Overview.
REST Easy - Instant APIs for Your Database
Tyler Technologies presents: What you need to know about upcoming changes to your New World ERP technical environment in Scott Alan Miller MCP,
ONAP Architecture Principle Review
Future GridPP Security
Iserve – Bulk Cash Deposit Kiosk
Presentation transcript:

Building a minimum viable Security Operations Centre

Introduction Building on previous presentations at ISGC 2017, 2018 Present current status of work

WLCG SOC WG Introduction Working group designed to enhance site security monitoring in light of virtualized environments (including containers) Network monitoring Coupled with threat intelligence and real time search capabilities Minimally viable Security Operations Centre

Growing Scope Originally mandated to give guidance to WLCG sites Area of work enhanced by including neighbouring communities NRENs University CSIRTs Hoping to involve EGI Fedcloud

Minimally Viable SOC Outcome of the Workshop during 19-21 February 2019 (hosted in UK, supported by GridPP and STFC) Initial SOC model finalised and remaining steps identified In particular any integrations required were identified and documentation was updated https://wlcg-soc-wg-doc.web.cern.ch

Initial Model Define 4 stages Data sources Threat Intelligence and pipelines Storage and visualisation Alerting

Initial Model Define 2 types of component Essential Optional (but require at least one)

Initial Model

Data sources & threat intelligence At least one of Zeek (Bro): deep packet inspection Netflow: network metadata Provide two options to hopefully cover range of use cases

Data sources Zeek High level of information Scalable and flexible Dynamic protocol analysis However Hardware implications Commercial options available

Data sources Netflow/Sflow Network metadata Many switch vendors provide generators Software clients However Less data than Zeek

Threat intelligence Threat Intelligence MISP [Essential]

Threat intelligence MISP Essential component via web app/API access Intended to sync from WLCG central instance/pull data via API CERN SSO Federated identity with SIRTFI or CERN Account

Data pipelines Log ingestion pipelines One per data source using Logstash

Pipelines Pipelines to ingest data into Elasticsearch Essential to have these matched to data sources Logstash Well known Provide documentation for Zeek pipeline Suggest use of Elastiflow for netflow pipeline

Storage and visualisation Elasticsearch [Essential] Kibana [Essential]

Storage and visualisation Elasticsearch Essential component Provide deployment tips based on experience of group members

Storage and visualisation Kibana Essential component Provide some dashboards based on CERN SOC experience Elastiflow provides dashboards for netflow visualisation

Alerting At least one of Enrichment, correlation and aggregation scripts based on CERN example Elastalert Trigger on Elasticsearch query Spike of events, for example

PocketSOC SOC demonstrator Docker cluster designed to run on a laptop Essential components and network components Minimal traffic to demonstrate workflow Test new components

PocketSOC

PocketSOC VM made available at workshop In the process of a few updates then at least making it available on request Demo at ISGC Security Workshop on Sunday

New developments Project to explore a SOC deployment at Nikhef (a student working on it) Another project to deploy a SOC at the STFC Cloud – graduate started work also working on other aspects of the Cloud Deployment of CERN alerting scripts at AGLT2

Immediate future Healthy set of actions to improve documentation Move select repositories outside of CERN (Github/Gitlab.com) Improve access for non-CERN users Make contributing as easy as possible Gather everything together

Immediate future Deployment options Tightly coupled to site configuration Particularly network config Working on template project plan Benefit from new projects Look to provide somewhat automated solution for staffing constrained sites

Next few months Focus on threat intelligence Workshop later in the year Validate event detection chain WLCG → Site → Event detection

Final thoughts Fantastic to have more sites trying out deployments Start thinking about how we might want to deploy Always welcome new participants

Contact Main working group page https://wlcg-soc-wg.web.cern.ch Documentation https://wlcg-soc-wg-doc.web.cern.ch

Questions?