Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building a minimum viable Security Operations Centre

Published byさや すわ Modified over 5 years ago

Similar presentations

Presentation on theme: "Building a minimum viable Security Operations Centre"— Presentation transcript:

1 Building a minimum viable Security Operations Centre

2 Introduction Building on previous presentations at ISGC 2017, 2018
Present current status of work

3 WLCG SOC WG Introduction
Working group designed to enhance site security monitoring in light of virtualized environments (including containers) Network monitoring Coupled with threat intelligence and real time search capabilities Minimally viable Security Operations Centre

4 Growing Scope Originally mandated to give guidance to WLCG sites
Area of work enhanced by including neighbouring communities NRENs University CSIRTs Hoping to involve EGI Fedcloud

5 Minimally Viable SOC Outcome of the Workshop during February 2019 (hosted in UK, supported by GridPP and STFC) Initial SOC model finalised and remaining steps identified In particular any integrations required were identified and documentation was updated

6 Initial Model Define 4 stages Data sources
Threat Intelligence and pipelines Storage and visualisation Alerting

7 Initial Model Define 2 types of component Essential
Optional (but require at least one)

8 Initial Model

9

10

11 Data sources & threat intelligence
At least one of Zeek (Bro): deep packet inspection Netflow: network metadata Provide two options to hopefully cover range of use cases

12 Data sources Zeek High level of information Scalable and flexible
Dynamic protocol analysis However Hardware implications Commercial options available

13 Data sources Netflow/Sflow Network metadata
Many switch vendors provide generators Software clients However Less data than Zeek

14 Threat intelligence Threat Intelligence MISP [Essential]

15 Threat intelligence MISP Essential component via web app/API access
Intended to sync from WLCG central instance/pull data via API CERN SSO Federated identity with SIRTFI or CERN Account

16

17 Data pipelines Log ingestion pipelines
One per data source using Logstash

18 Pipelines Pipelines to ingest data into Elasticsearch
Essential to have these matched to data sources Logstash Well known Provide documentation for Zeek pipeline Suggest use of Elastiflow for netflow pipeline

19

20 Storage and visualisation
Elasticsearch [Essential] Kibana [Essential]

21 Storage and visualisation
Elasticsearch Essential component Provide deployment tips based on experience of group members

22 Storage and visualisation
Kibana Essential component Provide some dashboards based on CERN SOC experience Elastiflow provides dashboards for netflow visualisation

23

24 Alerting At least one of
Enrichment, correlation and aggregation scripts based on CERN example Elastalert Trigger on Elasticsearch query Spike of events, for example

25 PocketSOC SOC demonstrator Docker cluster designed to run on a laptop
Essential components and network components Minimal traffic to demonstrate workflow Test new components

26 PocketSOC

27 PocketSOC VM made available at workshop
In the process of a few updates then at least making it available on request Demo at ISGC Security Workshop on Sunday

28 New developments Project to explore a SOC deployment at Nikhef (a student working on it) Another project to deploy a SOC at the STFC Cloud – graduate started work also working on other aspects of the Cloud Deployment of CERN alerting scripts at AGLT2

29 Immediate future Healthy set of actions to improve documentation
Move select repositories outside of CERN (Github/Gitlab.com) Improve access for non-CERN users Make contributing as easy as possible Gather everything together

30 Immediate future Deployment options
Tightly coupled to site configuration Particularly network config Working on template project plan Benefit from new projects Look to provide somewhat automated solution for staffing constrained sites

31 Next few months Focus on threat intelligence
Workshop later in the year Validate event detection chain WLCG → Site → Event detection

32 Final thoughts Fantastic to have more sites trying out deployments
Start thinking about how we might want to deploy Always welcome new participants

33 Contact Main working group page https://wlcg-soc-wg.web.cern.ch
Documentation

34 Questions?

Download ppt "Building a minimum viable Security Operations Centre"

Similar presentations

MONITORING TOOLS Open Source Security Tools to monitor your network.

MONITORING TOOLS Open Source Security Tools to monitor your network.
A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.

A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.
WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.

WLCG Cloud Traceability Working Group progress Ian Collier Pre-GDB Amsterdam 10th March 2015.
Cost Effort Complexity Benefit Cloud Hosted Low Cost Agile Integrated Fully Supported.

Cost Effort Complexity Benefit Cloud Hosted Low Cost Agile Integrated Fully Supported.
 Cloud computing  Workflow  Workflow lifecycle  Workflow design  Workflow tools : xcp, eucalyptus, open nebula.

 Cloud computing  Workflow  Workflow lifecycle  Workflow design  Workflow tools : xcp, eucalyptus, open nebula.
CERN - IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t Monitoring the ATLAS Distributed Data Management System Ricardo Rocha (CERN) on behalf.

CERN - IT Department CH-1211 Genève 23 Switzerland t Monitoring the ATLAS Distributed Data Management System Ricardo Rocha (CERN) on behalf.
Cloud Models – Iaas, Paas, SaaS, Chapter- 7 Introduction of cloud computing.

Cloud Models – Iaas, Paas, SaaS, Chapter- 7 Introduction of cloud computing.
Technology Overview. Agenda What’s New and Better in Windows Server 2003? Why Upgrade to Windows Server 2003 ?  From Windows NT 4.0  From Windows 2000.

Technology Overview. Agenda What’s New and Better in Windows Server 2003? Why Upgrade to Windows Server 2003 ?  From Windows NT 4.0  From Windows 2000.
Microsoft and Community Tour 2011 – Infrastrutture in evoluzione Community Tour 2011 Infrastrutture in evoluzione.

Microsoft and Community Tour 2011 – Infrastrutture in evoluzione Community Tour 2011 Infrastrutture in evoluzione.
CSE 548 Advanced Computer Network Security Document Search in MobiCloud using Hadoop Framework Sayan Cole Jaya Chakladar Group No: 1.

CSE 548 Advanced Computer Network Security Document Search in MobiCloud using Hadoop Framework Sayan Cole Jaya Chakladar Group No: 1.
Portal for ArcGIS An Introduction

Portal for ArcGIS An Introduction
WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.

WLCG Cloud Traceability Working Group face to face report Ian Collier 11 February 2015.
Network security Product Group 2 McAfee Network Security Platform.

Network security Product Group 2 McAfee Network Security Platform.
VMware vSphere Configuration and Management v6

VMware vSphere Configuration and Management v6
Powered by Microsoft Azure, PointMatter Is a Flexible Solution to Move and Share Data between Business Groups and IT MICROSOFT AZURE ISV PROFILE: LOGICMATTER.

Powered by Microsoft Azure, PointMatter Is a Flexible Solution to Move and Share Data between Business Groups and IT MICROSOFT AZURE ISV PROFILE: LOGICMATTER.
Development of e-Science Application Portal on GAP WeiLong Ueng Academia Sinica Grid Computing

Development of e-Science Application Portal on GAP WeiLong Ueng Academia Sinica Grid Computing
Jisc Monitor: Updates on Developments Dr Frank Manista Senior Open Access Support Coordinator Monitor Local and Monitor UK Photo by Kate Ter Haar CC-BY.

Jisc Monitor: Updates on Developments Dr Frank Manista Senior Open Access Support Coordinator Monitor Local and Monitor UK Photo by Kate Ter Haar CC-BY.
Computing Facilities CERN IT Department CH-1211 Geneva 23 Switzerland www.cern.ch/i t CF Agile Infrastructure Monitoring HEPiX Spring 2013 17 th April.

Computing Facilities CERN IT Department CH-1211 Geneva 23 Switzerland t CF Agile Infrastructure Monitoring HEPiX Spring th April.
Evolving Security in WLCG Ian Collier, STFC Rutherford Appleton Laboratory Group info (if required) 1 st February 2016, WLCG Workshop Lisbon.

Evolving Security in WLCG Ian Collier, STFC Rutherford Appleton Laboratory Group info (if required) 1 st February 2016, WLCG Workshop Lisbon.
CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/i t CERN IT Monitoring and Data Analytics Pedro Andrade (IT-GT) Openlab Workshop on Data Analytics.

CERN IT Department CH-1211 Genève 23 Switzerland t CERN IT Monitoring and Data Analytics Pedro Andrade (IT-GT) Openlab Workshop on Data Analytics.

Similar presentations

Ads by Google