Security Operations in real life
Marek Kumpošt

"It takes 20 years to build a reputation and a few minutes of a cyber-incident to ruin it." ~ Stephane Nappo

Small company
• Typically no security team at all
  • One-man show
  • Sometimes not even that
• Security is a function of the IT team or the IT admin
• Security is perceived as a domain of little importance
  • It is mostly about backups and authentication services
• Pros/Cons
  + At least one person who spells "Security" right :-)
  - Lack of knowledge/experience when everything rests on one person

Taking security (more) seriously
• Typically after a major security incident
• Or after an audit
• Before either of these happens:
  • Minimal budget
  • Minimal human resources
  • Minimal respect for Security (aka "why would we be a target?")

Medium-sized company
• Small all-purpose team
  • Dealing with the operational, infrastructure and application layers
  • Still the "nobody knows everything" problem
• Security is perceived as an unnecessary evil
  • That changes, maybe, after a data breach
• Pros/Cons
  + Dedicated security team
  - Budget constraints
  - Limited experience with the various aspects of Security

Big company or large enterprise
• Big dedicated team or teams
  • Not all of them necessarily focused on security
    • Privacy team, for instance
  • Focused on different areas of security
• Pros/Cons
  + Dedicated teams
  + Detailed experience in various security domains
  + Might have a dedicated budget
  - Security costs a lot
  - Slower speed of innovation

Example of focused Security (sub)teams
• Security Engineering
• Security Architecture
• Security Operations Center
• Application Security
• Pentesting Team
• Security Consulting Team
• CISO

Security Architecture
• Ensures that security best practices are addressed
• Defines overall security policies/standards/procedures
• Makes sure that new technologies fit within the existing ones
• Performs risk assessments
• Prevents bad designs
• May focus on Operations/Application/Product security

Security Engineering
• "Build tools, techniques and methods to support the development and maintenance
of systems that can resist malicious attacks that are intended to damage a computer-based system or its data."
• Examples of tools for:
  • SIEM (Security Information and Event Management)
    • Built with ELK, Splunk, OSSEC, etc.
  • FIM (File Integrity Monitoring)
    • Technologies like Qualys, Tanium, LogRhythm
  • Network segmentation
    • Palo Alto, Cisco, Illumio
  • (Micro)services management (or container security)

Security Operations Centre
• Breaches in 2020: 3,950
  • Large business victims: 72%
  • Small/medium business victims: 28%
  • Targeting web apps: 43%
• Avg cost of a large breach: $392 million

Security Operations Centre – Key objectives
• Manages and coordinates the response to cyber threats and incidents
• Monitors the cyber security posture and reports deficiencies
• Ability to correlate system, application, network, server and security logs in a consistent way
• Performs threat and vulnerability analysis
• Performs analysis of cyber security events
• Maintains an internal database of cyber security incidents
• Provides alerts and notifications for general and specific threats
• Provides regular reporting to management and cyber incident responders

Security Operations Centre – Some more key objectives
• Ability to automate compliance requirements – vulnerability assessment and risk management
• Ensure the change control function is integrated into the SOC process
• Identification of all security attack vectors and classification of incidents
• Define disaster recovery plans for ICE (in case of emergency)
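The "correlate logs in a consistent way" objective above, in working code. This is an added example for these notes, not code from the slides or from any SIEM product: a few constructed sshd log lines (RFC 5737 documentation addresses) are normalised into events, and a sliding window flags a source address that fails to log in repeatedly and then succeeds, which is what an ELK, Splunk or OSSEC rule would express over real telemetry. The year (syslog omits it), the five-failures/300-second tuning and the hostnames are assumptions.

```python
"""SIEM-style correlation: brute force followed by a successful login.

Added example for this page, not from the original slides or from any SIEM
product. Log lines are constructed; thresholds and the year are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in traditional syslog format (no year in the timestamp).
SAMPLE_LOG = [
    # attacker A: five failures at 09:00, then a success 90 minutes later (last line)
    "Mar 13 09:00:00 bastion sshd[1100]: Failed password for root from 198.51.100.8 port 50001 ssh2",
    "Mar 13 09:00:02 bastion sshd[1101]: Failed password for root from 198.51.100.8 port 50002 ssh2",
    "Mar 13 09:00:04 bastion sshd[1102]: Failed password for root from 198.51.100.8 port 50003 ssh2",
    "Mar 13 09:00:06 bastion sshd[1103]: Failed password for root from 198.51.100.8 port 50004 ssh2",
    "Mar 13 09:00:08 bastion sshd[1104]: Failed password for root from 198.51.100.8 port 50005 ssh2",
    # attacker B: five failures, then a success within seconds
    "Mar 13 10:00:01 bastion sshd[1201]: Failed password for root from 198.51.100.7 port 51001 ssh2",
    "Mar 13 10:00:03 bastion sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2",
    "Mar 13 10:00:05 bastion sshd[1203]: Failed password for root from 198.51.100.7 port 51003 ssh2",
    "Mar 13 10:00:08 bastion sshd[1204]: Failed password for root from 198.51.100.7 port 51004 ssh2",
    "Mar 13 10:00:10 bastion sshd[1205]: Failed password for root from 198.51.100.7 port 51005 ssh2",
    "Mar 13 10:00:12 bastion sshd[1206]: Accepted password for root from 198.51.100.7 port 51006 ssh2",
    # benign: a clean login, and a user who mistypes once
    "Mar 13 10:01:00 bastion sshd[1210]: Accepted password for alice from 203.0.113.4 port 40022 ssh2",
    "Mar 13 10:02:00 bastion sshd[1211]: Failed password for bob from 203.0.113.9 port 40100 ssh2",
    "Mar 13 10:02:30 bastion sshd[1212]: Accepted password for bob from 203.0.113.9 port 40101 ssh2",
    # noise the parser must skip rather than crash on
    "Mar 13 10:03:00 bastion CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 13 10:30:00 bastion sshd[1400]: Accepted password for root from 198.51.100.8 port 50006 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)
ASSUMED_YEAR = 2020  # assumption: traditional syslog timestamps carry no year


def parse(line):
    """Return a normalised event dict, or None for lines that are not sshd auth results."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def correlate(lines, threshold=5, window_s=300):
    """Alert when one source IP has >= threshold failed logins inside window_s seconds
    and then an Accepted login: ATT&CK T1110 (Brute Force) leading to T1078 (Valid
    Accounts). threshold and window_s are assumed tuning values, not recommendations."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    alerts = []
    for ev in events:
        q = recent_failures[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures that fell out of the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "ip": ev["ip"],
                "user": ev["user"],
                "failures": len(q),
                "first_failure": q[0].isoformat(),
                "success": ev["ts"].isoformat(),
                "attack": "T1110 -> T1078",
            })
            q.clear()  # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Only attacker B trips the rule with the default window; attacker A's success arrives 90 minutes after the failures, so those have expired, and bob's single typo never reaches the threshold. Widening `window_s` to two hours makes attacker A fire as well, which is the tuning trade-off every SOC rule carries.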
Security Operations Centre – Some more key objectives (cont.)
• Build a comprehensive reporting dashboard that is aligned to security metrics
• Proactive security monitoring based on predefined security metrics / KPIs

Examples of SecOps processes

Secure change management lifecycle
• Request for change
• Impact analysis
• Approve/Deny
• Implement change
• Review/Reporting

Secure change management lifecycle – Security Design Review (Operations view)
• Justification for change
• Use cases
• Environments in scope
• Logical network diagrams
• Network access control
• User access control
• Data sensitivity and data encryption
• Logging, monitoring, auditing
• Vulnerability management
• Business continuity and disaster recovery
• Secrets management
• ...

DevSecOps concept
(diagram)

DevSecOps in the light of SecOps
• Software-defined data centres
  • AWS, Azure, Google Cloud, OCI
• Security driven by code (Ansible, Terraform, ...)

Examples of Security Frameworks

CIS Controls v8 (formerly SANS Top 20)
• Focuses on activities, rather than on who manages the devices
• Consists of 18 controls
• Aims to cover the critical processes/activities in a company
• Contains 153 safeguards
  • Grouped into implementation groups (IG1/IG2/IG3)
• Provides mappings to well-known frameworks
  • CSF, ATT&CK, CSA, PCI, SOC 2, ...

Another Security Framework: The Cybersecurity Framework (NIST)
Three primary components:
• Core – desired cybersecurity outcomes organized in a hierarchy and aligned to more detailed guidance and controls
• Profiles – alignment of an organization's requirements and objectives, risk appetite and resources using the desired outcomes of the Framework Core
• Implementation Tiers – a qualitative measure of organizational cybersecurity risk management practices

Key Framework Attributes – Principles of Current and Future Versions of the Framework
• Common and accessible language
• Adaptable to many technologies, lifecycle phases, sectors and uses
• Risk-based
• Based on international standards
• Living document
• Guided by many perspectives – private sector, academia, public sector

The Framework Core Establishes a Common
Language
• Describes desired outcomes
• Understandable by everyone
• Applies to any type of risk management
• Defines the entire breadth of cybersecurity
• Spans both prevention and reaction

Functions: Identify, Protect, Detect, Respond, Recover

An Excerpt from the Framework Core – The Connected Path of Framework Outcomes
• 5 Functions
• 23 Categories
• 108 Subcategories
• 6 Informative References

Implementation Tiers (The Cybersecurity Framework Version 1.1)
Tier 1: Partial | Tier 2: Risk Informed | Tier 3: Repeatable | Tier 4: Adaptive
Each tier is assessed along three dimensions:
• Risk Management Process – the functionality and repeatability of cybersecurity risk management
• Integrated Risk Management Program – the extent to which cybersecurity is considered in broader risk management decisions
• External Participation – the degree to which the organization:
  • monitors and manages supply chain risk (added in v1.1)
  • benefits by sharing or receiving information from outside parties
https://facilitycyber.labworks.org/

And one more :-)

MITRE ATT&CK (attack.mitre.org)
• Adversarial Tactics, Techniques & Common Knowledge
• Aim is to
  • Categorise adversarial behaviours based on real-world observations
  • Be used for offensive and defensive activities, measurements, reporting, ...
• Can be heavily customized
• Matrices: Enterprise, Mobile, PRE-ATT&CK (PRE-ATT&CK has since been folded into the Enterprise matrix)

Example: What happened in SolarWinds
• Security company FireEye released a blog post saying that a threat actor it tracks as UNC2452 had compromised SolarWinds
• IT company SolarWinds says it may have been hit in a highly sophisticated attack
• 18,000 companies, government agencies, think tanks, universities and NGOs affected
https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

SolarWinds?
• Software company
• Network management products
  • Orion is one of their popular products
• Customers
  • Governments and major corporations
• SolarWinds Orion was approved for use in many sensitive areas
• Orion customers were careful and kept SolarWinds patched & updated (which did not help: the malicious code arrived inside a legitimately signed Orion update)

The Vector
• SUNBURST only activated if installed at one of a handful of places
• 18,000 customers installed the Orion update carrying the SUNBURST malware
• 14 days later, SUNBURST would peek out
• SUNBURST would go live only if it was worth it
• Everywhere else, SUNBURST went to sleep indefinitely

The Targets
(diagram)

When
(diagram)

Actor's Traits
• Very sophisticated
  • Cleaned up trace evidence
  • Good security on their own servers
  • Good ability to hide their servers
  • Extensive efforts to hide their exploit
• Motivation murky
  • Limited target selection among the 18,000
  • No financial interest
  • No denial of service
  • No data destruction or ransomware
  • No personal information theft

Nobody likes compliance, but it is important
• The company complies with regulations
  • Legal requirements
  • Internal policies and standards
• Helps companies pass external audits
• Identifies new compliance issues
• Conducts internal audits

Thanks!
marek@kumpost.net