building a minimum viable security operations centre
play

Building a minimum viable Security Operations Centre ISGC 2019, 2 nd - PowerPoint PPT Presentation

Mar 19, 2023 •127 likes •472 views

Building a minimum viable Security Operations Centre ISGC 2019, 2 nd April 2019 Introduction Building on previous presentations at ISGC 2017, 2018 Present current status of work ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  1. Building a minimum viable Security Operations Centre ISGC 2019, 2 nd April 2019

  2. Introduction • Building on previous presentations at ISGC • 2017, 2018 • Present current status of work ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  3. WLCG SOC WG Introduction • Working group designed to enhance site security monitoring in light of virtualized environments (including containers) • Network monitoring • Coupled with threat intelligence and real time search capabilities • Minimally viable Security Operations Centre ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  4. Growing Scope • Originally mandated to give guidance to WLCG sites • Area of work enhanced by including neighbouring communities • NRENs • University CSIRTs • Hoping to involve EGI Fedcloud ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  5. Minimally Viable SOC • Outcome of the Workshop during 19-21 February 2019 (hosted in UK, supported by GridPP and STFC) • Initial SOC model finalised and remaining steps identified • In particular any integrations required were identified and documentation was updated • https://wlcg-soc-wg-doc.web.cern.ch ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  6. Initial Model • Define 4 stages • Data sources • Threat Intelligence and pipelines • Storage and visualisation • Alerting ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  7. Initial Model • Define 2 types of component • Essential • Optional (but require at least one) ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  8. Initial Model ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  11. Data sources & threat intelligence • At least one of • Zeek (Bro): deep packet inspection • Netflow: network metadata • Provide two options to hopefully cover range of use cases ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  12. Data sources • Zeek • High level of information • Scalable and flexible • Dynamic protocol analysis • However • Hardware implications • Commercial options available ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  13. Data sources • Netflow/Sflow • Network metadata • Many switch vendors provide generators • Software clients • However • Less data than Zeek ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  14. Threat intelligence • Threat Intelligence • MISP [Essential] ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  15. Threat intelligence • MISP • Essential component via web app/API access • Intended to sync from WLCG central instance/pull data via API • CERN SSO • Federated identity with SIRTFI or CERN Account ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  17. Data pipelines • Log ingestion pipelines • One per data source using Logstash ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  18. Pipelines • Pipelines to ingest data into Elasticsearch • Essential to have these matched to data sources • Logstash • Well known • Provide documentation for Zeek pipeline • Suggest use of Elastiflow for netflow pipeline ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  20. Storage and visualisation • Elasticsearch [Essential] • Kibana [Essential] ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  21. Storage and visualisation • Elasticsearch • Essential component • Provide deployment tips based on experience of group members ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  22. Storage and visualisation • Kibana • Essential component • Provide some dashboards based on CERN SOC experience • Elastiflow provides dashboards for netflow visualisation ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  24. Alerting • At least one of • Enrichment, correlation and aggregation scripts based on CERN example • Elastalert • Trigger on Elasticsearch query • Spike of events, for example ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  25. PocketSOC • SOC demonstrator • Docker cluster designed to run on a laptop • Essential components and network components • Minimal traffic to demonstrate workflow • Test new components ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  26. PocketSOC ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  27. PocketSOC • VM made available at workshop • In the process of a few updates then at least making it available on request • Demo at ISGC Security Workshop on Sunday ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  28. New developments • Project to explore a SOC deployment at Nikhef (a student working on it) • Another project to deploy a SOC at the STFC Cloud – graduate started work • also working on other aspects of the Cloud • Deployment of CERN alerting scripts at AGLT2 ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  29. Immediate future • Healthy set of actions to improve documentation • Move select repositories outside of CERN (Github/Gitlab.com) • Improve access for non-CERN users • Make contributing as easy as possible • Gather everything together ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  30. Immediate future • Deployment options • Tightly coupled to site configuration • Particularly network config • Working on template project plan • Benefit from new projects • Look to provide somewhat automated solution for staffing constrained sites ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  31. Next few months • Focus on threat intelligence • Workshop later in the year • Validate event detection chain • WLCG → Site → Event detection ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  32. Final thoughts • Fantastic to have more sites trying out deployments • Start thinking about how we might want to deploy • Always welcome new participants ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  33. Contact • Main working group page • https://wlcg-soc-wg.web.cern.ch • Documentation • https://wlcg-soc-wg-doc.web.cern.ch ISGC 2019, 2 nd April 2019 ISGC 2019, 2 nd April 2019

  34. Questions? GDB 13 March 2019

Recommend

MINIMUM VIABLE PRODUCT Erwin van der Koogh Elabor8 / 21st Century MBA

MINIMUM VIABLE PRODUCT Erwin van der Koogh Elabor8 / 21st Century MBA

MINIMUM VIABLE PRODUCT Erwin van der Koogh Elabor8 / 21st Century MBA erwin.vanderkoogh@elabor8.com.au @evanderkoogh You keep using that word. I dont think it means what you think it means.. SO WHAT DOES IT NOT MEAN? What we can build

1.06k views • 29 slides
T AKE THE LEED IN YOUR BUILDING LEED for Building Operations and Maintenance (LEED-O+M) AGENDA

T AKE THE LEED IN YOUR BUILDING LEED for Building Operations and Maintenance (LEED-O+M) AGENDA

T AKE THE LEED IN YOUR BUILDING LEED for Building Operations and Maintenance (LEED-O+M) AGENDA Introductions Introduction to LEED Introduction to LEED-O+M Minimum Project Requirements Individual Buildings

592 views • 41 slides
Milestones and Scope Week 6 - Day 1 Project Timeline Playable Slice - Minimum Viable Product -

Milestones and Scope Week 6 - Day 1 Project Timeline Playable Slice - Minimum Viable Product -

Milestones and Scope Week 6 - Day 1 Project Timeline Playable Slice - Minimum Viable Product - Your project doesn't need to be a complete experience - Just provide a section of it - Show off why it would be good if it were complete

250 views • 8 slides
Product Subgroup Update 10 th March 2017 Goal Deliver Minimum Viable Product for PMS by mid 2019

Product Subgroup Update 10 th March 2017 Goal Deliver Minimum Viable Product for PMS by mid 2019

Product Subgroup Update 10 th March 2017 Goal Deliver Minimum Viable Product for PMS by mid 2019 to realise intended Pharmacovigilance value underpinning IDMP standards Objectives Deliver Pharmacovigilance use cases and create additional

312 views • 7 slides
ICT Security PeaceKeeping Operations Field Missions Challenges Peacekeeping Field

ICT Security PeaceKeeping Operations Field Missions Challenges Peacekeeping Field

ICT Security PeaceKeeping Operations Field Missions Challenges Peacekeeping Field Technology ICT Security & Support Operations Operations Centre Operational Resilience 16 Peacekeeping missions (PKM) + UNSOA 20 Special

450 views • 10 slides
Building Complete Communities Supporting a Viable Agricultural Sector Protecting Natural Heritage

Building Complete Communities Supporting a Viable Agricultural Sector Protecting Natural Heritage

Building Complete Communities Supporting a Viable Agricultural Sector Protecting Natural Heritage and Water Responding to Climate Change Growing the Greenbelt Planning for Infrastructure Image: Neptis Foundation, 2010 Building Complete

570 views • 42 slides
alternatives viable for credit unions to deliver? Mick Mc Ateer : Financial Inclusion Centre

alternatives viable for credit unions to deliver? Mick Mc Ateer : Financial Inclusion Centre

Are affordable payday loan alternatives viable for credit unions to deliver? Mick Mc Ateer : Financial Inclusion Centre Threat or opportunity? Huge market worth with approximately 3 4 million users. Financial year 2012 2.8

660 views • 27 slides
Building Viable Energy Markets: The Contribution of Regional Centers for RE and EE Irene

Building Viable Energy Markets: The Contribution of Regional Centers for RE and EE Irene

Building Viable Energy Markets: The Contribution of Regional Centers for RE and EE Irene Giner-Reichl Austrian Ambassador to PR of China Workshop on Energy Connectivity and Transboundary Trade Suzhou, 8-9 November 2015 sterreich in China

482 views • 20 slides
What is an ASA ? Agricultural Security Areas (ASAs) are voluntary and are intended to promote

What is an ASA ? Agricultural Security Areas (ASAs) are voluntary and are intended to promote

Pennsylvanias Agricultural Security Area Law (PA Act 43 of 1981) What is an ASA ? Agricultural Security Areas (ASAs) are voluntary and are intended to promote more permanent and viable farming operations by strengthening the farming

263 views • 11 slides
Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY

Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY

Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY Silvie Schmidt Competence Centre for IT- Security at FH Campus Wien Project ELVIS Embedded Lab Vienna for IoT & Security Agenda

811 views • 37 slides
BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION

BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION

BUILDING CAPACITY FOR SECURITY RESILIENCE Building CapaCity FOR SeCuRity ReSilienCe INTRODUCTION Mr. S pea k e r , wish to dedicate this sectoral presentation to the hardworking, devoted and uncompromising I members of Jamaicas security

478 views • 21 slides
CAs Privacy Legal Framework Reasonable Security Minimum standard of reasonable

CAs Privacy Legal Framework Reasonable Security Minimum standard of reasonable

CAs Privacy Legal Framework Reasonable Security Minimum standard of reasonable security Consumer NoBce California Online Privacy ProtecBon Act 1 Civil Code 1798.81.5 A business that owns, licenses, or maintains

545 views • 16 slides
Centre for Cyber Security Thomas Kristmar Centre for Cyber Security Danish Defence Intelligence

Centre for Cyber Security Thomas Kristmar Centre for Cyber Security Danish Defence Intelligence

Centre for Cyber Security Thomas Kristmar Centre for Cyber Security Danish Defence Intelligence Service 05-10-2015 05-10-2015 Who are we? Centre for Cyber Security In respect of the Rule of Law and Privacy Cyber is a priority (Gov.

455 views • 18 slides
Capital Building Bond Referendum Bill Holmgren, Director of Finance & Operations Bryan

Capital Building Bond Referendum Bill Holmgren, Director of Finance & Operations Bryan

Capital Building Bond Referendum Bill Holmgren, Director of Finance & Operations Bryan Hennekens, Director of Technology & Security Jeff Cacek, Principal North Park Elementary June 13, 2017 Creating College and Career Ready Graduates

688 views • 41 slides
Verifying Richard Birds On building trees of The algorithm Implementation minimum

Verifying Richard Birds On building trees of The algorithm Implementation minimum

The pearl Verifying Richard Birds On building trees of The algorithm Implementation minimum height L.T. van Binsbergen J.P. Pizani Flor Department of Information and Computing Sciences, Utrecht University Wednesday 26 th June, 2013

234 views • 11 slides
Threat analysis for routing-bridges marcelo bagnulo IETF62 Security goals minimum security

Threat analysis for routing-bridges marcelo bagnulo IETF62 Security goals minimum security

Threat analysis for routing-bridges marcelo bagnulo IETF62 Security goals minimum security expected from rbridges is to provide the same level of protection than regular bridges i.e. that the introduction of rbridges in a bridged

689 views • 41 slides
Security Hands-on @ Pavilion Automate Security Operations with Phantom & Splunk Splunk |

Security Hands-on @ Pavilion Automate Security Operations with Phantom & Splunk Splunk |

Security Hands-on @ Pavilion Automate Security Operations with Phantom & Splunk Splunk | Security Markets September 26 | Washington, DC The Leader in Security Automation & Orchestration Phantom Community Growing Larger Each Day

450 views • 8 slides
Gardening for our sustainable future GLEE 2019 Building sustainability into your operations

Gardening for our sustainable future GLEE 2019 Building sustainability into your operations

Gardening for our sustainable future GLEE 2019 Building sustainability into your operations Marcus Eyles Horticultural Director GLEE 2019 2 Introduction GLEE 2019 3 3 Leading the future of garden centre retailing GLEE 2019 4 4

836 views • 13 slides
Canadas Parliament Buildings Centre Block - circa 1900 Centre Block - Today Sir John A.

Canadas Parliament Buildings Centre Block - circa 1900 Centre Block - Today Sir John A.

Canadas Parliament Buildings Centre Block - circa 1900 Centre Block - Today Sir John A. Macdonald Building Sir John A. Macdonald Building Wellington Building Government Conference Centre Visitor Welcome Centre West Block Interim House of

643 views • 28 slides
The Minimum Wage in the UK and Beyond Professor Alan Manning Nicola Smith Professor of

The Minimum Wage in the UK and Beyond Professor Alan Manning Nicola Smith Professor of

LSE Works : Centre for Economic Performance public lecture The Minimum Wage in the UK and Beyond Professor Alan Manning Nicola Smith Professor of Economics, Head of Economic and Social Affairs Director, Community Programme, TUC Centre for

740 views • 41 slides
Safety and Emergency Operations Plan Jon White, Safety & Security Manager Cheltenham School

Safety and Emergency Operations Plan Jon White, Safety & Security Manager Cheltenham School

Safety and Emergency Operations Plan Jon White, Safety & Security Manager Cheltenham School District Kim Kirschner, Cheltenham Township Deputy Emergency Management Coordinator Objectives Building Entry Visitor Procedures n Safety

370 views • 25 slides
Taking Leadership to the Next Level: UN Peace Operations 2020 Challenges Forum Workshop Hosted

Taking Leadership to the Next Level: UN Peace Operations 2020 Challenges Forum Workshop Hosted

Taking Leadership to the Next Level: UN Peace Operations 2020 Challenges Forum Workshop Hosted by the Peacekeeping and Stability Operations Institute in partnership with the Geneva Centre for Security Policy, Carlisle, 28 February-1 March 2017

294 views • 4 slides
New Port Colborne Operations Centre PUBLIC INFORMATION CENTRE NO. 1 Monday, January 13, 2014

New Port Colborne Operations Centre PUBLIC INFORMATION CENTRE NO. 1 Monday, January 13, 2014

New Port Colborne Operations Centre PUBLIC INFORMATION CENTRE NO. 1 Monday, January 13, 2014 Municipal Class EA Process Many projects related to municipal services and infrastructure that are similar in nature , are carried out routinely ,

429 views • 13 slides
IN-BOND SHIPMENTS NEW RULES OF THE GAME & CTPAT MINIMUM SECURITY CRITERIA REQUIREMENTS HOW

IN-BOND SHIPMENTS NEW RULES OF THE GAME & CTPAT MINIMUM SECURITY CRITERIA REQUIREMENTS HOW

IN-BOND SHIPMENTS NEW RULES OF THE GAME & CTPAT MINIMUM SECURITY CRITERIA REQUIREMENTS HOW THE NEW RULES WILL AFFECT YOU KEY POINTS OF THE INBOND PROCESS & UPDATED SECURITY CRITERIA FOR CTPAT TO BE PHASED IN STARTING IN 2019

575 views • 23 slides

More recommend