Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building a Security Operations Center

Published byArchibald Davidson Modified over 6 years ago

Similar presentations

Presentation on theme: "Building a Security Operations Center"— Presentation transcript:

1 Building a Security Operations Center
Randy Marchany VA Tech IT Security Office and Lab

2 CyberSecurity Operations Center
Security Operations Center (SOC) term is being taken over by physical surveillance companies We’re building a Cyber Security Operations Center (CSOC) that doesn’t have any physical surveillance capability. It could be a component of a SOC in the future

3 Why? We’ve been collecting security related data for a number of years and needed a focal point to help us see the big picture Data from Security Reviews Vulnerability scans (push/pull) IPS/IDS data System logs We want to build a “security history” for a host

4 Why? The CSOC is a logical place to collect, analyze and distribute data collected to support our Defense in Depth Strategy Preventing Network Based Attacks Preventing Host Based Attacks Eliminating Security Vulnerabilities Supporting Authorized Users Providing tools for Minimizing Business Loss

5 Why? We want to measure and report compliance with our IT policies, state/federal laws and regulations FERPA, HIPAA, PCI, ITAR, GLB, SOX VT Policies 7000 Acceptable Use of Computer and Communication Systems 3/28/2002 7010 Policy for Securing Technology Resources and Services 1/22/2007 7025 Safeguarding Nonpublic Customer Information 5/12/2004 7030 Policy on Privacy Statements on Virginia Tech Web Sites 3/27/2002 7035 Privacy Policy for Employees' Electronic Communications 3/14/2005 7040 Personal Credentials for Enterprise Electronic Services 4/01/2008 7100 Administrative Data Management and Access Policy 4/01/2008 7105 Policy for Protecting University Information in Digital Form 7/1/2008 7200 University IT Security Program 6/12/2006 7205 IT Infrastructure, Architecture and Ongoing Operations 6/12/2006 7210 IT Project Management 6/12/2006 7215 IT Accessibility 6/12/2006 1060 Policy on Social Security Numbers 5/25/2007

6 Where? OS Syslog/event logs, IDS logs, IPS logs, PID logs, Firewall logs, Pen Test Logs, PCI, netflow CSOC needs to be able to analyze and display this data quickly Data resides on separate, distributed servers CSOC pulls data from these servers as needed CSOC lives in the IT Security Office & Lab

7 What? Provides real-time view of the VT network’s security status
Provides info to assess risk, attacks, mitigation Provides metrics Executive Operational Incident

8 What? Event Generators (E boxes) Most are Polling Generators
Any form of IDS sensor (firewalls, IPS, IDS, Snort, Active Directory servers, Remedy, vulnerability scanners, TACACS, application software Most are Polling Generators Generate specific event data in response to a specific action Example: IDS or firewall

9

10

11

12 Putting the Pieces Together
RDWEB – locate any device in our network DSHIELD – Collect Firewall logs SNORT – Sensors monitoring for patterns VULNSCAN – “pull” vulnerability scanner CHECKNET – “push” vulnerability scanner REMEDY – Trouble Ticket system used by Help Desk CENTRAL SYSLOG – collects syslogs

13 IDS Infrastructure CheckNet IPS WWW MySQL DB Campus Systems Snort BASE
CheckNet Failure DB Campus Systems Central Syslog Servers Nessus, Comm Scanners SNORT Sensors VT Dshield Dshield MySQL DB Remedy Trouble Ticket System User Vuln Scanner MySQL DB CIRT Help Desk

14

15

16

17

18

19

20

21

22

23

24

25

26 Futures There are commercial tools that do all of this
They cost lots of $$$ We don’t have lots of $$$ Had to grow our own Improves our skill set, proactive and reactive capabilities We can better evaluate commercial products because of our experience

27 Reference Reference paper “Security Operation Center Concepts & Implementation” by Renaud Bidou We used this as our blueprint

28 Contact Information Randy Marchany VA Tech IT Security Office & Lab 1300 Torgersen Hall VA Tech Blacksburg, VA 24060

Download ppt "Building a Security Operations Center"

Similar presentations

The Threat Within September 2004. Copyright © 2004 Q1 Labs. All Rights Reserved Agenda Customer Pain Industry Solutions Network Behavior Enforcement Example.

The Threat Within September Copyright © 2004 Q1 Labs. All Rights Reserved Agenda Customer Pain Industry Solutions Network Behavior Enforcement Example.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
OPM Cybersecurity Competencies by Occupation (Technical Competencies) 2210085508540391 Information Technology Management Series Electronics Engineering.

OPM Cybersecurity Competencies by Occupation (Technical Competencies) Information Technology Management Series Electronics Engineering.
Developing Network Security Strategies Network Security D ESIGN Network Security M ECHANISMS.

Developing Network Security Strategies Network Security D ESIGN Network Security M ECHANISMS.
August 9, 2005UCCSC Converting Policy to Reality Building Campus Security Programs Karl Heins -- Director of IT Audit Services Office of the University.

August 9, 2005UCCSC Converting Policy to Reality Building Campus Security Programs Karl Heins -- Director of IT Audit Services Office of the University.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Know the Client Own the Problem Share the Solution The 2005 Case for Information Technology Security October 14, 2004.

Know the Client Own the Problem Share the Solution The 2005 Case for Information Technology Security October 14, 2004.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.

Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.
Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, 2007. This.

Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, This.
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060

Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.
Website Hardening HUIT IT Security | Sep 30 2011.

Website Hardening HUIT IT Security | Sep
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Information Security Update CTC 18 March 2015 Julianne Tolson.

Information Security Update CTC 18 March 2015 Julianne Tolson.

Similar presentations

Ads by Google