
Design and Evaluation of [vSoC]: Virtualised Security Operations Centre Prof William J Buchanan http://thecyberacademy.org [vSoC]


Post on 27-Jun-2018



Sharing of resources

DFET Training Cloud – infrastructure for training and sharing of material. Stakeholders and what they use it for:

• Public Sector: evaluation of systems; training.
• Academia: training/sharing materials; virtualised environments.
• Industry: training/sharing materials; professional certification.
• Software Vendors: test environments; promoting products; providing floating licences.
• Government: define standards; evaluate products.
• Law Enforcement: triage systems; training.
• Related infrastructure: public clouds; existing academic clouds.

Building vSoC

Diagram: vSoC network topology – Internet, router (NAT), firewalls, switch, a DMZ (email server, web server, FTP server), a data centre (load balancer, syslog server), an intrusion detection system, and the hosts Alice, Bob and Eve.

vSoC/DFET Cloud

The current DFET Cloud contains five main cluster nodes, where each cluster node runs:

• VMware vSphere 5.5 with VMware vCenter used to manage the instances.
• 170 GHz CPU, 767 GB of memory.
• 40 TB of disk space.
• 72 processors.
• Over 2,500 running VMs.

The Move Toward Security Analytics: Big Data/SIEM

Data Analysis

• An increasing number of jobs are in Security Analytics (SOC Analysts).
• Companies require skills for before, during and after incidents (a mix of security and forensics).


Author: Prof Bill Buchanan

Incidents

Timeline: Before Incident, During Incident, After Incident (the intruder's activity runs across this timeline). Evidence sources by data state:

• Data At Rest: files, directories, file rights, domain rights, etc.; file changes, file CRUD (Create, Read, Update, Delete), thumbprints.
• Data In-Motion: network packet logs, web logs, security logs; network scanners, intrusion detection systems, firewall logs, etc.
• Data In-Process: processes, threads, memory, etc.; security log, application log, registry, domain rights.

Increasing Complexity of Knowledge

• Increasing requirement for a wide range of skills for security professionals.


Data Capture

Diagram: the same lab network (web server, firewall, router, proxy server, email server, FTP server, switch, intrusion detection system, Alice, Bob and Eve) feeding data into the SIEM from these sources:

• IT Ops: Nagios, NetApp, Cisco UCS, Apache, IIS.
• Web Services.
• Microsoft Infrastructure: Active Directory, Exchange, SharePoint.
• Structured Data: CSV, JSON, XML.
• Database Systems: Oracle, MySQL, Microsoft SQL.
• Network/Security: Syslog/SNMP, Cisco NetFlow, Snort.
• Cloud: AWS CloudTrail, Amazon S3, Azure.
• Application Servers: WebLogic, WebSphere, Tomcat.

Data Integration

• Increasing move toward the integration of data for security analysis, e.g. with SIEM tools.


Security Operations Centre

Diagram: logs/alerts from the monitored systems, together with news feeds and security alerts, are collected in a SIEM package (Splunk) and watched by the analyst (Bob); Eve is the adversary generating the activity.

Splunk Lab Integration

vSoC SIEM Architecture

Diagram of the lab layout:

• U001 – Ubuntu Server (192.168.x.7/24).
• W001 – Windows 2003 Server (192.168.y.7/24).
• W003 – Windows 2008 with Splunk Enterprise (192.168.y.8/24); a Splunk forwarder ships logs to it.
• K001 – Kali (DHCP).
• K002 – Kali (192.168.y.9/24).
• Main gateway/firewall (pfSense) with interfaces em0 (DHCP), em1 and em2, separating the _Public, _Private and _DMZ networks; gateway addresses 192.168.x.254/24, 192.168.y.254/24 and 10.200.0.1/24.

Splunk Testing Environment – Buttercup Games

http://asecuritysite.com/tests/tests?sortBy=siem

http://asecuritysite.com:8000

Capture The Flag: British Broadband and RSA SA

• British Broadband – video: https://www.youtube.com/watch?v=V7o03eLolqA
• British Broadband – Cyber Security Insight Camp: Big Data in Cyber Security.
• RSA SA – CTF: Big Data in Cyber Security.

Results

Current Range of VMs

• Specialised: EnCase, Windows XP (with malware), GNS3.
• Linux Kali.
• Ubuntu.
• Windows 2003, Windows 2008, Windows 7 and Windows 8.
• Firewalls: pfSense, Vyatta, F5 Big-IP (in development).
• Caine.
• Metasploitable.

Example – PowerCLI fragment used to provision a lab VM. It assumes an existing Connect-VIServer session to vCenter and that $prefix, $iubuntu, $i, $folder, $disk and $private are set earlier in the script (the elided part is marked "..." as on the slide):

    $tubuntu = "t_ubuntu_205"    # name of the Ubuntu template

    if ($args[1].Contains("u")) {
        # Instance name, e.g. <prefix><iubuntu>005_private
        $ins  = $prefix + $iubuntu + $i.ToString("000") + "_private"
        $temp = $tubuntu          # assumed: template selected from the name above
        ...
        Write-Output "Creating: $($ins) from $($temp) in $($folder) disk: $($disk)"

        # Create VM: clone the template into the DFETLab resource pool, thin-provisioned
        New-VM -Name $ins -Template $temp -Datastore $disk -ResourcePool DFETLab -DiskStorageFormat Thin -Location $folder

        # Set up network: move the VM's adapter onto the private lab port group
        $apt = Get-NetworkAdapter -VM $ins
        Set-NetworkAdapter -NetworkAdapter $apt -NetworkName $private -Confirm:$false

        # Create known snapshot: a clean baseline the VM can be reverted to
        New-Snapshot -VM $ins -Name snapshot
    }

The three steps the script automates:

• Create VM.
• Set up network.
• Create known snapshot.

Results

Modules used on:

• Semester 1: Cryptography and Network Forensics (80 students); Network Security (60 students – GNS3); Host-based Forensics (60 students – EnCase).
• Semester 2: Security Testing (70 students); e-Security (100 students); Incident Response and Malware Analysis (100 students).

Cloud upgrade

SDN Integration – Prof William J Buchanan, Charley Celice, Peter Aaby, Bruce Ramsay, Richard Macfarlane, Adrian Smales, Dr Gordon Russell and Bobby Soutar, http://thecyberacademy.org

Current Work

• Integrating F5 Big-IP (30 licences).
• Integration of SDN within the Cloud (with Hutchinson Networks).
• Integration of RSA SA and Splunk for teaching in 2016/2017.
• Integration of HPE ArcSight.
• Roll-out of two CTFs: British Broadband and RSA SA (Network Forensics).
• Development of a mobile Cloud environment for onsite training/CTF.
