CyberSecurity SOCs building proposal

                                         Trevor Shi version 1.0  10/02/2019

1.      Long-term goal

Establish a security operations center (SOC) and build a Computer Security Incident Response Team (CSIRT).
The SOC monitors and analyzes networks, servers, endpoints, databases, applications, websites, and other systems for anomalous activity that could indicate a security incident or compromise. It is responsible for ensuring that potential security incidents are correctly identified, analyzed, defended against, investigated, and reported.

The CSIRT detects, analyzes, and responds to cybersecurity incidents using a combination of technology and a well-defined set of processes.

2.      Short-term goal
2.1.   Establish the network monitoring system (NMS)
2.1.1.      Monitoring network equipment performance
2.1.2.      Monitoring network traffic
2.1.3.      Collecting and analyzing the network equipment logs
2.2.   Establish security operation centers (SOCs)
2.2.1.      Monitoring cybersecurity equipment performance
2.2.2.      Security monitoring
2.2.3.      Intrusion Detection
2.2.4.      Incident Response

3.      Essential SOC capabilities
The essential security monitoring tools to build a SOC include Asset Discovery, Vulnerability Assessment, Intrusion Detection, Behavioral Monitoring, and SIEM / Security Analytics.

3.1.   Asset Discovery
Discover what systems exist (instances and servers) and what is installed and running on them (applications, services, and active ports).
3.2.   Vulnerability Assessment
3.3.   Behavioral Monitoring
3.3.1.      Network monitoring
3.3.2.      Security monitoring
3.4.   Intrusion Detection
3.4.1.      NIDS
3.4.2.      HIDS
3.4.3.      CIDS
3.5.   Log Servers and SIEM
3.5.1.      Commercial: Splunk
3.5.2.      Open-source
3.5.2.1.            Grafana
A metrics dashboard rather than a log store: Grafana visualizes time-series data such as CPU, memory, disk and I/O utilization from a metrics back end (Prometheus or InfluxDB are typical).
3.5.2.2.             ELK
The Elastic stack, a log collection and analysis solution: Elasticsearch (indexing and search), Logstash (log ingestion and parsing), and Kibana (search UI and dashboards).
3.5.3.      Splunk Free (500 MB/day indexing limit; no alerting or user authentication)
3.6.   Anti-virus and Anti-malware

4.      Time schedule

4.1.   The first stage goal
4.1.1.      Understanding the environment
4.1.2.      Identify and scope out a Service and SOC service functions
4.1.3.      Anti-virus config
4.1.3.1.            Enroll all endpoints in the antivirus management console
4.1.3.2.            Licensing
4.1.4.       Firewall
4.1.4.1.            Add the other two firewalls to the management center
4.1.5.      Set-up log servers
4.1.5.1.            Graylog
4.1.5.2.            Logstash
4.1.6.      Configure the log servers to receive raw data
4.1.7.      Create a weekly security report template

4.2.   The second stage goal
4.2.1.      Set up the network monitoring environment
4.2.1.1.            Grafana
4.2.2.      Set up the SIEM
4.2.3.      Configure the SIEM to receive raw security-relevant data from:
Firewall/IPS/IDS
Database server/file server/domain controller/DNS/email/web/Active Directory
4.2.4.      Based on the security policy, create security checklists (monthly and yearly)
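As an added example (not part of the original proposal) tying together 4.1.6, 4.1.7 and 4.2.3: a small Python script that receives raw UDP syslog, parses the RFC 3164 header, and aggregates firewall blocks and domain-controller logon failures into the weekly report. The sample lines are constructed; the `filterlog` field layout and the `EventID=… Account=… Source=…` message shape are hypothetical stand-ins for whatever the real firewall and DC emit (only the Windows event ID 4625, "an account failed to log on", is real), so the two parsing branches are what gets adapted per source.

```python
"""Minimal syslog receiver plus weekly report (added example, not from the proposal)."""
import re
import socket
from collections import Counter
from datetime import datetime

# Constructed sample of raw syslog lines. The filterlog and Security message
# formats are hypothetical; only Windows event ID 4625 (failed logon) is real.
SAMPLE_LINES = [
    "<134>Oct  2 10:15:01 fw01 filterlog: block,in,tcp,203.0.113.5,10.0.0.12,445",
    "<134>Oct  2 10:15:03 fw01 filterlog: block,in,tcp,203.0.113.5,10.0.0.12,3389",
    "<134>Oct  2 10:15:07 fw01 filterlog: block,in,tcp,198.51.100.7,10.0.0.12,22",
    "<134>Oct  2 10:16:00 fw01 filterlog: pass,out,udp,10.0.0.12,10.0.0.53,53",
    "<86>Oct  2 10:17:10 dc01 Security: EventID=4625 Account=jsmith Source=10.0.0.99",
    "<86>Oct  2 10:17:12 dc01 Security: EventID=4625 Account=jsmith Source=10.0.0.99",
    "<86>Oct  2 10:17:14 dc01 Security: EventID=4625 Account=admin Source=10.0.0.99",
    "<86>Oct  2 10:18:00 dc01 Security: EventID=4624 Account=jsmith Source=10.0.0.20",
    "this line is not syslog at all",
]

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss host tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)


def parse_syslog(line):
    """Split one RFC 3164-style line into fields; return None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,   # PRI encodes facility*8 + severity
        "severity": pri % 8,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def summarize(lines):
    """Aggregate parsed events into the counters the weekly report needs."""
    stats = {
        "total": 0,
        "unparsed": 0,                       # lines the parser rejected; watch this number
        "blocked_by_src": Counter(),
        "blocked_ports": Counter(),
        "failed_logons_by_account": Counter(),
        "failed_logons_by_src": Counter(),
    }
    for line in lines:
        stats["total"] += 1
        ev = parse_syslog(line)
        if ev is None:
            stats["unparsed"] += 1
            continue
        if ev["tag"] == "filterlog":
            # hypothetical layout: action,direction,proto,src,dst,dport
            fields = ev["msg"].split(",")
            if len(fields) == 6 and fields[0] == "block":
                proto, src, dport = fields[2], fields[3], fields[5]
                stats["blocked_by_src"][src] += 1
                stats["blocked_ports"][f"{proto}/{dport}"] += 1
        elif ev["tag"] == "Security":
            # hypothetical key=value layout carrying the Windows event ID
            kv = dict(p.split("=", 1) for p in ev["msg"].split() if "=" in p)
            if kv.get("EventID") == "4625":
                stats["failed_logons_by_account"][kv.get("Account", "?")] += 1
                stats["failed_logons_by_src"][kv.get("Source", "?")] += 1
    return stats


def weekly_report(stats, top_n=5):
    """Render the summary as the plain-text weekly security report."""
    out = [
        f"Weekly security report ({datetime.now():%Y-%m-%d})",
        f"Events received: {stats['total']}  (unparsed: {stats['unparsed']})",
        "Top blocked sources:",
    ]
    out += [f"  {ip:<16} {n}" for ip, n in stats["blocked_by_src"].most_common(top_n)]
    out.append("Top blocked destination ports:")
    out += [f"  {p:<16} {n}" for p, n in stats["blocked_ports"].most_common(top_n)]
    out.append("Failed logons (event 4625) by account:")
    out += [f"  {a:<16} {n}" for a, n in stats["failed_logons_by_account"].most_common(top_n)]
    return "\n".join(out)


def receive_syslog(bind_addr="0.0.0.0", port=514, max_lines=1000):
    """Receive raw UDP syslog, one line per datagram (binding 514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    received = []
    while len(received) < max_lines:
        data, _ = sock.recvfrom(65535)
        received.append(data.decode("utf-8", errors="replace"))
    return received


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; swap in receive_syslog() for live data.
    print(weekly_report(summarize(SAMPLE_LINES)))
```

Run it directly to see the report on the sample; replace SAMPLE_LINES with the output of receive_syslog() for live data. Plain UDP syslog is unauthenticated and unencrypted, so on the production path prefer TLS syslog or the Graylog/Logstash inputs from 4.1.5, and treat the parser as the first thing that breaks when a vendor changes its log format; the unparsed counter is there to make that visible in the report.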

4.3.   The third stage goal
4.3.1.      Vulnerability Assessment
4.3.2.      Patching processes
4.3.3.      Establish a honeypot environment
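An added example (not from the proposal) of the smallest honeypot worth deploying for 4.3.3: a low-interaction TCP listener on a few decoy ports that never speaks a real protocol, records who connected and the first bytes they sent, and emits one JSON event per connection for the SIEM from stage 2. The decoy port numbers and the event field names are assumptions.

```python
"""Low-interaction TCP honeypot (added example, not from the proposal)."""
import json
import selectors
import socket
from datetime import datetime, timezone

DECOY_PORTS = (2222, 3389, 4445)   # assumption: unprivileged decoys standing in for SSH/RDP/SMB
MAX_CAPTURE = 256                  # bytes of the first payload to keep in the event


def make_event(peer_ip, peer_port, local_port, data, now=None):
    """Build the JSON-serialisable record the SIEM receives for one connection."""
    now = now or datetime.now(timezone.utc)
    return {
        "ts": now.isoformat(),
        "sensor": "honeypot",
        "src_ip": peer_ip,
        "src_port": peer_port,
        "dst_port": local_port,
        "bytes_received": len(data),
        # hex keeps binary probes (TLS ClientHello, SMB negotiate) loggable
        "payload_hex": data[:MAX_CAPTURE].hex(),
        "payload_text": data[:MAX_CAPTURE].decode("ascii", errors="replace"),
        "truncated": len(data) > MAX_CAPTURE,
    }


def classify(event):
    """Triage hint: any hit on a decoy is suspicious; a payload means active probing."""
    if event["bytes_received"] == 0:
        return "connection_only"
    return "probe_with_payload"


def serve(ports=DECOY_PORTS, bind_addr="0.0.0.0", read_timeout=2.0, log=print):
    """Accept on every decoy port, read once, close, and log; never answer."""
    sel = selectors.DefaultSelector()
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((bind_addr, port))
        s.listen(16)
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ, data=port)
    while True:
        for key, _ in sel.select():
            conn, (peer_ip, peer_port) = key.fileobj.accept()
            conn.settimeout(read_timeout)
            try:
                data = conn.recv(4096)       # scanners that only connect send nothing
            except (socket.timeout, ConnectionError):
                data = b""
            finally:
                conn.close()
            ev = make_event(peer_ip, peer_port, key.data, data)
            ev["classification"] = classify(ev)
            log(json.dumps(ev))


if __name__ == "__main__":
    serve()
```

Because nothing legitimate should ever touch these ports, every event is worth an alert, which is the point of a honeypot: near-zero false positives. Run it on an isolated host with outbound traffic blocked, as an unprivileged user (the decoy ports are above 1024 for that reason), and ship the JSON lines to the log servers over the same path as the other raw data.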

4.4.   The fourth stage goal
4.4.1.      Establish a cybersecurity lab
4.4.2.      Penetration testing
