Target. Hunt. Disrupt.
SQRRL ENTERPRISE
Building the Modern Security Operations Center (SOC)
WHAT ARE WE TALKING ABOUT TODAY?
- Who I Am
- Defining the SOC
- Functions of a SOC
- Do you even need a SOC?
- Organization and Staffing of a SOC
- SOC Workflow
- SOC Technology
- Hunting with Linked Data
2015 Sqrrl All Rights Reserved
WHY LISTEN TO ME?
- Over 15 years information security experience
- Ph.D. from SecLab at UC Davis
- Proposed a SOC for Department of Energy
- Implementation Lead for the SOC of a large Federal agency
- Consulted on information security to multiple Federal organizations and commercial clients
WHAT IS A SOC?
(Information) Security Operations Center
Images: What a SOC Usually Looks Like vs. What a SOC Should Look Like (public domain image from NASA, no endorsement implied)
WHAT DOES A SOC DO?
Core SOC Functions: Receive Reports, Incident Detection, Alert Processing, SOC Hunting, Incident Handling, Threat Intelligence, Engineering
Extended SOC Functions: Insider Monitoring, Incident Response, Forensics, Vulnerability Management, Communications / Education
DO YOU NEED A SOC?
- You are a target: almost anything of value can be targeted by an attacker
- Cost: Instrumentation, Engineering, Staffing, Management
- Add-ons, Economies of Scale
- Build or Buy or Hybrid?
See: Trost, "Pulling Up Your SOCs: Best Practices for Building and Operating a Security Operations Center (SOC)", Interop Las Vegas 2015
WHO WORKS IN A SOC? Flat, wide, and all-encompassing model
Management chain: CIO / CSO > CISO > SOC Manager
Leads: Call Center Lead, Detection Lead, Hunting Lead, Threat Lead, Engineering Lead, Incident Response Lead, Forensics Lead, Comm / Ed Lead, Insider Lead
Staff: Tier-1 Analysts, Tier-2 Analysts, Tier-3 Analysts, Threat Analysts, Engineers, Incident Responders, Forensic Analysts, Trainers, Insider Analysts, Comm Specialists
WHO WORKS IN A SOC? Distributed enterprise model
Management chain: CIO / CSO > CISO
Under the CISO: Comm Lead, SOC Manager, Site Lead, Education Lead
Next tier: Comm Specialists, Call Center Lead, Detection Lead, Hunting Lead, Threat Lead, Engineering Lead, Incident Response Lead, Forensics Lead, Insider Lead, Trainers
Staff: Tier-1 Analysts, Tier-2 Analysts, Tier-3 Analysts, Threat Analysts, Engineers, Incident Responders, Forensic Analysts, Insider Analysts
WHO WORKS IN A SOC? Nested duties model
Management chain: CIO / CSO > CISO > SOC Manager
Leads: Call Center Lead, Incident Detection and Response Lead, Advanced Analysis Lead, Comm & Ed Lead
Next tier: Tier-1 Analysts, Tier-2 Analysts, Incident Responders, Insider Analysts, Threat Lead, Hunters, Trainers
Next tier: Threat Analysts, Engineers, Comm Specialists
Next tier: Forensic Analysts
WHO WORKS IN A SOC? Hybrid model
Management chain: CIO / CSO > CISO > SOC Manager
Under the SOC Manager: Call Center, MSSP, Advanced Analysis Lead, Site Leads, Comm & Ed Lead
Next tier: Receive Reports, Incident Detection, Hunters, Incident Responders, Trainers
Next tier: Threat Intelligence, Engineers, Insider Analysts, Comm Specialists
Next tier: Forensic Analysts
HOW DOES A SOC GET WORK DONE? Or, how I learned to stop worrying and love the process.
Call Center Processes: Internal Incident Report, External Incident Report, Internal Inquiry
Detection Processes: Malware Detection, Zeus Alerts, Custom Alert X
Shift Changes
Decision loop: Observe > Orient > Decide > Act
WHAT DOES A PROCESS LOOK LIKE? Some are linear, others not so much.
Stages: MONITOR > DETECT > ANALYZE > TRIAGE > RESPOND
Tools (Trost, 2015): 1) Don't tru… literature has tran… buzzwo… 2) Pilot too… vendor b… 3) Tool com… MUST!!
HOW MANY PROCESSES DO I NEED?
As many as it takes for your staff to be comfortable and operate in a repeatable manner.
Use CMMI as a guide, not a bible.
Cheat sheet: Define Process, Evaluate Process, Execute Process
WHAT CAN TECHNOLOGY DO FOR US? After all, it got us into this mess
SOC TOOLS
Priority | Function                   | Tools                                                                        | SANS Top 20 control no.
Core     | Receive Reports            | Ticketing System; Call Management System                                     | 18
Core     | Alert Processing           | SIEM, Log Management System, Packet Capture, IDS                              | 14
Core     | Threat Hunting             | Linked Data Analysis, Behavioral Analytics                                    | 14
Core     | Incident Handling          | Ticketing System                                                              | 18
Core     | Threat Intelligence        | Threat Management System                                                      |
Core     | Engineering                | SIEM, IDS, Health Monitoring                                                  | 14
Extended | Insider Monitoring         | SIEM, Log Management System, Host Loggers                                     | 16
Extended | Incident Response          | State Capture Tools, System Inspection Tools                                  | 18
Extended | Forensics                  | Log Management System, System Forensics Software, Reverse Engineering Systems |
Extended | Vulnerability Management   | Vulnerability Management System, Patch Management System                      | 4
Extended | Communications / Education | Communications Management System, Course Creation Software                    | 9
THREAT HUNTING REQUIREMENTS
Linked Data + User and Entity Behavior (Contextual) Analytics
Linked Data:
- Use of ontologies to fuse together disparate datasets into common data models
- Graph query language and visualizations
- Petabyte scale
- Fast ad hoc querying and hypothesis testing
Behavioral Analytics:
- Various types of anomaly detection and machine learning techniques to flag outlier devices and users
- Links as features for analytics
- Alignment to kill chain methodology
- Signature-less
HUNTING WITH LINKED DATA ANALYSIS Different techniques, different perspectives
EXPLICIT LINKS ARE STATED
Three log records (file, SMTP, connection) for the same event; the file UID Fz892b2SFbpSayzLyl and the connection UID Cr4RV91FD8iPXBuoT6 appear in more than one record and are the explicit links between them:
1999-03-29T13:01:38-0500 Fz892b2SFbpSayzLyl 172.16.113.204 194.7.248.153 Cr4RV91FD8iPXBuoT6 SMTP 1 MD5 text/x-c - 0.000000 T F 1522-0 0 F - 6d01739d1d56c64209098747a5756443 - - -
1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 1 delta.peach.mil <hamishs@delta.peach.mil> <tierneyr@goose.eyrie.af.mil> Mon, 29 Mar 1999 08:01:38-0400 - tierneyr@goose.eyrie.af.mil - <19990329080138.CAA2048> - Phonetics software Tech, - (from mail@localhost) by delta.peach.mil (SMI-8.6/SMI- SVR4)\x09id: CAA2048; Mon, 29 Mar 1999 08:01:38-0400 - 250 Mail accepted 172.16.113.204,194.7.248.153 - F Fz892b2SFbpSayzLyl F
1999-03-29T13:01:38-0500 Cr4RV91FD8iPXBuoT6 194.7.248.153 1027 172.16.113.204 25 tcp smtp 0.113325 1923 336 SF ShAdDafF 13 2447 12 820 (empty)
MODELING THE DATA
TRANSITIVE CLOSURE
BRINGING IT ALL TOGETHER
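As an added example (not code from the deck or from Sqrrl), the three records of the EXPLICIT LINKS slide are modelled with a small ontology, as the THREAT HUNTING REQUIREMENTS slide asks for, and then walked by transitive closure: starting from the file hash, everything linked to it is listed with its hop distance. The field names, the ONTOLOGY map and the fourth, unrelated connection record are assumptions constructed for the illustration; the identifier values are the slide's own.

```python
"""Linked-data hunt over the three records on the EXPLICIT LINKS slide (added
example, not Sqrrl's code; field names and the ONTOLOGY map are assumptions)."""
from collections import defaultdict, deque
# Ontology: record field -> common entity type, so one IP seen as tx_host,
# orig_h or resp_h fuses into a single 'host' node across log types.
ONTOLOGY = {"fuid": "file", "conn_uid": "conn", "md5": "hash", "tx_host": "host",
            "rx_host": "host", "orig_h": "host", "resp_h": "host",
            "mailfrom": "addr", "rcptto": "addr"}
# Sample input: the slide's file/smtp/conn records re-typed as dicts, plus one
# constructed unrelated connection to show that it stays unlinked.
RECORDS = [
    ("file", {"fuid": "Fz892b2SFbpSayzLyl", "tx_host": "172.16.113.204",
              "rx_host": "194.7.248.153", "conn_uid": "Cr4RV91FD8iPXBuoT6",
              "md5": "6d01739d1d56c64209098747a5756443"}),
    ("smtp", {"conn_uid": "Cr4RV91FD8iPXBuoT6", "orig_h": "194.7.248.153",
              "resp_h": "172.16.113.204", "mailfrom": "hamishs@delta.peach.mil",
              "rcptto": "tierneyr@goose.eyrie.af.mil", "fuid": "Fz892b2SFbpSayzLyl"}),
    ("conn", {"conn_uid": "Cr4RV91FD8iPXBuoT6", "orig_h": "194.7.248.153",
              "resp_h": "172.16.113.204"}),
    ("conn", {"conn_uid": "CONSTRUCTED0001", "orig_h": "10.0.0.5",  # constructed
              "resp_h": "10.0.0.9"}),
]

def build_graph(records):
    """Undirected graph: each record gets a hub node joined to every entity it
    names, so records that share a UID, host or address become reachable."""
    adj = defaultdict(set)
    for i, (rtype, fields) in enumerate(records):
        hub = f"record:{rtype}#{i}"
        for field, value in fields.items():
            node = f"{ONTOLOGY[field]}:{value}"  # same value -> same node
            adj[hub].add(node)
            adj[node].add(hub)
    return adj

def transitive_closure(adj, start):
    """All nodes reachable from `start` over any number of links, with hop
    count: 2 hops = same record, 4 hops = one record away, and so on."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return {n: h for n, h in hops.items() if n != start}

if __name__ == "__main__":  # hunt outward from the file hash on the slide
    reach = transitive_closure(build_graph(RECORDS), "hash:6d01739d1d56c64209098747a5756443")
    for node, hop in sorted(reach.items(), key=lambda kv: (kv[1], kv[0])):
        print(hop, node)
```

The two mail addresses come back at four hops from the hash (hash to file record, shared connection UID, SMTP record, address), while the constructed 10.0.0.x connection never appears because it shares no entity with the other records.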
QUESTIONS? Target. Hunt. Disrupt.