
Build Your Own Security Operations Center (SOC) using TheHive

City University
Bachelor of Science in Computer Science & Engineering (Cyber Security)

Project Report

Boni Yeamin

Supervised by:
MD SAMRAT ALI ABU KAWSER
Lecturer
Department of Computer Science and Engineering
City University, Bangladesh

September 2020



Security Operations Center (SOC)

A Security Operation Center (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.

A SOC acts like the hub or central command post, taking in telemetry from across an organization's IT infrastructure, including its networks, devices, appliances, and information stores, wherever those assets reside. The proliferation of advanced threats places a premium on collecting context from diverse sources. Essentially, the SOC is the correlation point for every event logged within the organization that is being monitored. For each of these events, the SOC must decide how they will be managed and acted upon.

Key functions performed by the SOC

  1. Take Stock of Available Resources: The SOC is responsible for two types of assets—the various devices, processes and applications they’re charged with safeguarding, and the defensive tools at their disposal to help ensure this protection.
    • What the SOC protects: The SOC can’t safeguard devices and data they can’t see. Without visibility and control from the device to the cloud, there are likely to be blind spots in the network security posture that can be found and exploited. So the SOC’s goal is to gain a complete view of the business’ threat landscape, including not only the various types of endpoints, servers, and software on-premises, but also third-party services and traffic flowing between these assets.
    • How the SOC protects: The SOC should also have a complete understanding of all cybersecurity tools on hand and all workflows in use within the SOC. This increases agility and allows the SOC to run at peak efficiency.
  2. Preparation and Preventative Maintenance: Even the most well-equipped and agile response processes are no match for preventing problems from occurring in the first place. To help keep attackers at bay, the SOC implements preventative measures, which can be divided into two main categories.
    • Preparation: Team members should stay informed on the newest security innovations, the latest trends in cybercrime, and the development of new threats on the horizon. This research can help inform the creation of a security roadmap that will provide direction for the company’s cybersecurity efforts going forward, and a disaster recovery plan that will serve as ready guidance in a worst-case scenario.
    • Preventative maintenance: This step includes all actions taken to make successful attacks more difficult, including regularly maintaining and updating existing systems; updating firewall policies; patching vulnerabilities; and whitelisting, blacklisting and securing applications.
  3. Continuous Proactive Monitoring: Tools used by the SOC scan the network 24/7 to flag any abnormalities or suspicious activities. Monitoring the network around the clock allows the SOC to be notified immediately of emerging threats, giving them the best chance to prevent or mitigate harm. Monitoring tools can include a SIEM or an EDR, the most advanced of which can use behavioral analysis to “teach” systems the difference between regular day-to-day operations and actual threat behavior, minimizing the amount of triage and analysis that must be done by humans.
  4. Alert Ranking and Management: When monitoring tools issue alerts, it is the responsibility of the SOC to look closely at each one, discard any false positives, and determine how aggressive any actual threats are and what they could be targeting. This allows them to triage emerging threats appropriately, handling the most urgent issues first.
  5. Threat Response: These are the actions most people think of when they think of the SOC. As soon as an incident is confirmed, the SOC acts as first responder, performing actions like shutting down or isolating endpoints, terminating harmful processes (or preventing them from executing), deleting files, and more. The goal is to respond to the extent necessary while having as small an impact on business continuity as possible.
  6. Recovery and Remediation: In the aftermath of an incident, the SOC will work to restore systems and recover any lost or compromised data. This may include wiping and restarting endpoints, reconfiguring systems, or, in the case of ransomware attacks, deploying viable backups in order to circumvent the ransomware. When successful, this step will return the network to the state it was in prior to the incident.
  7. Log Management: The SOC is responsible for collecting, maintaining, and regularly reviewing the log of all network activity and communications for the entire organization. This data helps define a baseline for “normal” network activity, can reveal the existence of threats, and can be used for remediation and forensics in the aftermath of an incident. Many SOCs use a SIEM to aggregate and correlate the data feeds from applications, firewalls, operating systems and endpoints, all of which produce their own internal logs.
  8. Root Cause Investigation: In the aftermath of an incident, the SOC is responsible for figuring out exactly what happened when, how and why. During this investigation, the SOC uses log data and other information to trace the problem to its source, which will help them prevent similar problems from occurring in the future.
  9. Security Refinement and Improvement: Cybercriminals are constantly refining their tools and tactics—and in order to stay ahead of them, the SOC needs to implement improvements on a continuous basis. During this step, the plans outlined in the security roadmap come to life, but this refinement can also include hands-on practices such as red-teaming and purple-teaming.
  10. Compliance Management: Many of the SOC’s processes are guided by established best practices, but some are governed by compliance requirements. The SOC is responsible for regularly auditing their systems to ensure compliance with such regulations, which may be issued by their organization, by their industry, or by governing bodies. Examples of these regulations include GDPR, HIPAA, and PCI DSS. Acting in accordance with these regulations not only helps safeguard the sensitive data that the company has been entrusted with—it can also shield the organization from reputational damage and legal challenges resulting from a breach.
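Items 3, 4, 7 and 8 above describe a loop that a SOC runs continuously: build a baseline from logs, flag deviations, rank the resulting alerts by severity and asset value while suppressing known false positives, and keep enough context to reconstruct what happened. The following Python script is an added example written for this report's readers; it is not code from the report, from McAfee, or from TheHive. The log lines, the asset values, the allowlisted scanner address and the failure threshold are all constructed for illustration.

```python
"""Added example: a minimal SOC triage loop over constructed authentication logs.
Covers log management (baseline), continuous monitoring (detections), alert ranking
(severity x asset value, false-positive suppression) and root-cause timelines."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logs in a key=value syslog-like format (not real data).
SAMPLE_LOGS = """\
2020-09-01T08:00:01 host=web01 user=alice src=10.0.0.5 action=login result=success
2020-09-01T08:00:09 host=web01 user=alice src=10.0.0.5 action=login result=success
2020-09-01T08:02:13 host=db01 user=svc_backup src=10.0.0.9 action=login result=success
2020-09-01T09:15:00 host=db01 user=admin src=203.0.113.7 action=login result=failure
2020-09-01T09:15:02 host=db01 user=admin src=203.0.113.7 action=login result=failure
2020-09-01T09:15:04 host=db01 user=admin src=203.0.113.7 action=login result=failure
2020-09-01T09:15:06 host=db01 user=admin src=203.0.113.7 action=login result=failure
2020-09-01T09:15:08 host=db01 user=admin src=203.0.113.7 action=login result=success
2020-09-01T09:20:00 host=scanner user=qualys src=10.0.0.50 action=login result=failure
2020-09-01T09:20:01 host=scanner user=qualys src=10.0.0.50 action=login result=failure
2020-09-01T09:20:02 host=scanner user=qualys src=10.0.0.50 action=login result=failure
2020-09-01T09:20:03 host=scanner user=qualys src=10.0.0.50 action=login result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

ASSET_VALUE = {"db01": 3, "web01": 2, "scanner": 1}  # assumed: triage weight per asset
ALLOWLIST_SRC = {"10.0.0.50"}  # assumed: an authorised vulnerability scanner (known false positive)
FAILURE_THRESHOLD = 3          # assumed: failures from one (host, user, src) before alerting


def parse_logs(text):
    """Parse the log text; malformed lines are skipped rather than crashing the pipeline."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def baseline(events, cutoff):
    """Log management: (user, src) pairs that logged in successfully on each host during the
    learning window before `cutoff`. Building the baseline from the whole day would let the
    suspicious success at 09:15:08 define itself as 'normal', so the window is bounded."""
    normal = defaultdict(set)
    for ev in events:
        if ev["ts"] < cutoff and ev["result"] == "success":
            normal[ev["host"]].add((ev["user"], ev["src"]))
    return normal


def detect(events):
    """Monitoring: a burst of failures per (host, user, src), and a success right after one."""
    failures = Counter()
    alerts = []
    for ev in events:
        key = (ev["host"], ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:
                alerts.append({"kind": "auth_failure_burst", "key": key, "ts": ev["ts"]})
        elif failures[key] >= FAILURE_THRESHOLD:
            alerts.append({"kind": "success_after_burst", "key": key, "ts": ev["ts"]})
            failures[key] = 0
    return alerts


def rank(alerts, normal):
    """Alert ranking: drop allowlisted sources, score = base severity x asset value,
    plus a bonus when the (user, src) pair was never seen on that host in the baseline."""
    base = {"auth_failure_burst": 2, "success_after_burst": 4}
    ranked = []
    for a in alerts:
        host, user, src = a["key"]
        if src in ALLOWLIST_SRC:
            continue
        score = base[a["kind"]] * ASSET_VALUE.get(host, 1)
        if (user, src) not in normal.get(host, set()):
            score += 2
        ranked.append(dict(a, score=score))
    ranked.sort(key=lambda a: (-a["score"], a["ts"]))
    return ranked


def timeline(events, key):
    """Root-cause investigation: every event for the alerted (host, user, src), in order."""
    return [(ev["ts"].isoformat(), ev["result"]) for ev in events
            if (ev["host"], ev["user"], ev["src"]) == key]


def triage(text=SAMPLE_LOGS, cutoff=datetime(2020, 9, 1, 9, 0, 0)):
    """Run the whole loop; returns the ranked alerts and the parsed events for follow-up."""
    events = parse_logs(text)
    return rank(detect(events), baseline(events, cutoff)), events


if __name__ == "__main__":
    ranked, events = triage()
    for a in ranked:
        print(a["score"], a["kind"], a["key"], a["ts"].isoformat())
        for ts, result in timeline(events, a["key"]):
            print("   ", ts, result)
```

Run as-is, the script ranks the successful login that followed the failure burst on db01 above the burst itself, and drops both alerts from the allowlisted scanner; the timeline printed under each alert is the material an analyst would attach to the case.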

Optimizing a security operations model

While dealing with incidents monopolizes much of the SOC's resources, the chief information security officer (CISO) is responsible for the larger picture of risk and compliance. To bridge operational and data silos across these functions, an effective strategy requires an adaptive security architecture that enables organizations to enact optimized security operations. This approach increases efficiency through integration, automation, and orchestration, and reduces the amount of labor hours required while improving your information security management posture.

An optimized security operations model requires the adoption of a security framework that makes it easy to integrate security solutions and threat intelligence into day-to-day processes. SOC tools like centralized and actionable dashboards help integrate threat data into security monitoring dashboards and reports to keep operations and management apprised of evolving events and activities. By linking threat management with other systems for managing risk and compliance, SOC teams can better manage overall risk posture. Such configurations support continuous visibility across systems and domains and can use actionable intelligence to drive better accuracy and consistency into security operations. Centralized functions reduce the burden of manual data sharing, auditing, and reporting throughout.

Operationalizing threat management should start with a thoughtful assessment. In addition to defenses, an organization should evaluate processes and policies. Where is the organization strong? What are the gaps? What is the risk posture? What data is collected, and how much of that data is used?

While every organization is different, certain core capabilities and security operations best practices represent due care today. A reasonable threat management process starts with a plan, and includes discovery (including baseline calculation to promote anomaly detection, normalization, and correlation), triage (based on risk and asset value), analysis (including contextualization), and scoping (including iterative investigation). Threat management processes feed prioritized and characterized cases into incident response programs. A well-defined response plan is absolutely key to containing a threat or minimizing the damage from a data breach.

[Figure 1. Threat management plans integrate and structure many processes across security and IT operations. Image: https://www.mcafee.com/enterprise/en-us/img/diagrams/threat-management-plan-for-soc.png]

Effective visibility and threat management will draw on many data sources, but it can be hard to sort out the useful and timely information. The most valuable data has proven to be event data produced by countermeasures and IT assets, indicators of compromise (IoCs) produced internally (via malware analysis) and externally (via threat intelligence feeds), and system data available from sensors (e.g., host, network, database, etc.).

Data sources like these are not just an input to threat management. They add context and make the information valuable and actionable for more precise, accurate, and speedy assessment throughout the iterative and interactive threat management effort. Access to, and effective use of, the right data to support plans and procedures is a measure of organizational maturity. A "mature" scenario would include a workflow that hands off the right information or permits direct action within operational consoles and across products. This flow integrates IT operations and security teams and tools into incident response when there is a critical event.

All these assessments will help prioritize where an increase in investment or reduction of friction is needed to make threat management implementation match goals. Consultants and penetration tests can help benchmark strategy and organizational maturity and health check security response against attacks to obtain a current measure of an organization’s ability to detect and contain malicious events. By comparing against peer enterprises, this vetted review can help justify and explain the need to redirect or invest in cybersecurity operations resources.

Source: https://www.mcafee.com/enterprise/en-us/security-awareness/operations/what-is-soc.html

What Does a SOC Team Member Do?

Members of a SOC team are responsible for a variety of activities, including proactive monitoring, incident response and recovery, remediation activities, compliance, and coordination and context.

Let’s take a deeper dive into each of these tasks.

  • Proactive Monitoring: This includes log file analysis. Logs can come from endpoints (e.g., a notebook computer, a mobile phone, or an IoT device) or from network resources, such as routers, firewalls, intrusion detection system (IDS) applications, and email appliances. Another term for proactive monitoring is threat monitoring. SOC team members work with various resources, which can include other IT workers (e.g., help desk technicians), as well as artificial intelligence (AI) tools and log files.
  • Incident Response and Recovery: A SOC coordinates an organization’s ability to take the necessary steps to mitigate damage and communicate properly to keep the organization running after an incident. It’s not enough to just view logs and issue alerts. A major part of incident response is helping organizations recover from incidents. For example, that recovery can include activities such as handling acute malware or ransomware incidents.
  • Remediation Activities: SOC team members provide data-driven analysis that helps an organization address vulnerabilities and adjust security monitoring and alerting tools. For example, using information obtained from log files and other sources, a SOC member can recommend a better network segmentation strategy or a better system patching regimen. Improving existing cybersecurity is a major responsibility of a SOC.
  • Compliance: Organizations secure themselves through conformity to a security policy, as well as external security standards, such as ISO 27001x, the NIST Cybersecurity Framework (CSF) and the General Data Protection Regulation (GDPR). Organizations need a SOC to help ensure that they are compliant with important security standards and best practices.
  • Coordination and Context: Above all, a SOC team member helps an organization coordinate disparate elements and services and provide visualized, useful information. Part of this coordination is the ability to provide a helpful, useful set of narratives for activities on the network. These narratives help shape a company’s cybersecurity policy and posture for the future.

A SOC team member helps an organization identify the primary causes of cyberattacks. When a SOC analyst does this, they are said to engage in root-cause analysis. In short, a SOC analyst works to figure out exactly when, how and even why an attack was successful.

To this end, a SOC analyst reviews evidence of attacks. Such evidence is called an indicator of attack. If an attack is successful, a SOC analyst will then study indicators of compromise to help the organization respond appropriately, as well as make changes so that similar attacks don’t happen in the future.

Working Process

  • [ ] CentOS OS
  • [ ] Cassandra database install and config: backend database for TheHive
  • [ ] Data index store
  • [ ] File storage
  • [ ] TheHive install
  • [ ] Log and case connection

https://docs.thehive-project.org/thehive/installation-and-configuration/installation/step-by-step-guide/
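The last checklist item, connecting logs and cases, is where a detection becomes something an analyst can work in TheHive. The script below is an added example, not code from the report or from TheHive: it turns a triaged detection into an alert document and posts it to TheHive's alert endpoint. The field names (type, source, sourceRef, title, description, severity 1-4, tlp 0-3, tags, artifacts) follow the TheHive alert REST API as understood by the writer of this example; verify them against the documentation of the TheHive version you install. The URL, the API key, the severity mapping and the sample detection are placeholders or constructed values.

```python
"""Added example: hand a triaged detection to TheHive as an alert.
Assumed API shape; confirm against your TheHive version's documentation."""
import hashlib
import json
import urllib.request

THEHIVE_URL = "http://127.0.0.1:9000"     # placeholder: your TheHive instance
THEHIVE_API_KEY = "REPLACE_WITH_API_KEY"  # placeholder: API key of a bot/analyst user

# Assumed mapping from detection kind to TheHive severity (1 low ... 4 critical).
SEVERITY = {"auth_failure_burst": 2, "success_after_burst": 3}


def source_ref(kind, host, user, src, ts):
    """Deterministic reference for the alert. TheHive treats (type, source, sourceRef)
    as the alert identity, so re-running the detector over the same logs does not
    create duplicate alerts; the analyst sees one alert per distinct detection."""
    raw = "|".join([kind, host, user, src, ts])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def build_alert(detection):
    """detection: {'kind', 'key': (host, user, src), 'ts': ISO-8601 string, 'score'}."""
    host, user, src = detection["key"]
    ts = detection["ts"]
    return {
        "type": "auth-anomaly",
        "source": "login-monitor",
        "sourceRef": source_ref(detection["kind"], host, user, src, ts),
        "title": f"{detection['kind']} for {user} on {host}",
        "description": f"Triage score {detection['score']}; first seen {ts}; source {src}.",
        "severity": SEVERITY.get(detection["kind"], 1),
        "tlp": 2,  # TLP:AMBER, internal handling only
        "tags": ["soc-lab", detection["kind"], f"host:{host}"],
        "artifacts": [
            {"dataType": "ip", "data": src, "message": "source of the login attempts"},
            {"dataType": "other", "data": user, "message": "target account"},
        ],
    }


def send_alert(alert, url=THEHIVE_URL, api_key=THEHIVE_API_KEY):
    """POST the alert; TheHive authenticates API clients with a bearer API key."""
    req = urllib.request.Request(
        f"{url}/api/alert",
        data=json.dumps(alert).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Constructed detection, shaped like the output of a triage step.
    det = {"kind": "success_after_burst", "key": ("db01", "admin", "203.0.113.7"),
           "ts": "2020-09-01T09:15:08", "score": 14}
    print(json.dumps(build_alert(det), indent=2))
    # send_alert(build_alert(det))  # enable once THEHIVE_URL and THEHIVE_API_KEY are set
```

Keeping sourceRef deterministic is the important design choice: a detector that re-reads a log window will otherwise flood the alert queue with copies, which is exactly the triage noise item 4 above tells the SOC to avoid. Observables attached at alert time (the source IP and the target account) are what the analyst promotes into the case when the alert is imported.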
