HOW TO BUILD A

SECURITY OPERATIONS CENTER

(ON A BUDGET)

Chapter 3: Security Operations Center (SOC) Tools

Security pros often use the term “defense-in-depth” to describe how best to protect the critical data and systems in their environment against cyber threats.

Think of this concept as a jawbreaker.

The idea is pretty simple. Starting with the data you’re protecting at the center, you add layer upon layer of policy enforcement in order to make it difficult for an attacker to break through each layer to access that data.

In fact, the cyber security industry grew out of this layered model. Vendors each specialized in one of these ‘layers,’ expecting the customer to piece these disparate tools together to get the full context needed for security monitoring. For large organizations like banks or governmental agencies with large cyber security budgets and highly skilled teams, this approach has worked, more or less.

Prevention vs. Detection

The key point to emphasize here is the importance of detection (vs. prevention). Of course organizations need to implement preventative tools (e.g. firewalls, AV, etc.) along with ensuring that vulnerabilities are patched among other prevention-type activities (e.g. secure desktop configurations, strict password policies, secure account management, etc.).

But in the last few years, detection has quickly risen in importance. Attackers have evolved their capabilities (consider the rise in cybercrime attacks like ransomware and DDoS threats) to the point where they execute these attacks without being noticed. A recent Verizon Data Breach Investigations Report concluded that it was far more common for victims to learn that they’d been breached from a third party than to discover these breaches themselves.

Smaller organizations, with limited budgets and time, need a new approach—one that combines the essential tools for building a SOC into a workflow that can be easily supported by small teams. These essential SOC capabilities include asset discovery, vulnerability assessment, behavioral monitoring, intrusion detection, and SIEM (security information and event management).

In this chapter, we’ll review the details of these SOC tools. We’ll show you how AlienVault® Unified Security Management® (USM) combines these essential capabilities for building a SOC into a single platform. Finally, we’ll cover how AlienVault Labs Threat Intelligence and AlienVault Open Threat Exchange® (OTX™) power these essential capabilities within AlienVault USM.

Key Takeaways

Review the essential security monitoring tools you’ll need to build a SOC: Asset Discovery, Vulnerability Assessment, Intrusion Detection, Behavioral Monitoring and SIEM / Security Analytics. Achieve SOC success with limited time and resources by utilizing a single platform like AlienVault Unified Security Management (USM) that consolidates these tools into one place.

1 Asset Discovery

Why Is This Important?

Knowing what assets are in your environment is the first step in knowing your security posture. You need to know what systems exist—instances and servers—as well as what’s been installed and running on those systems (e.g. applications, services, and active ports). A reliable asset inventory along with the automated ability to discover new assets is foundational for building a SOC.

How Do I Do It with AlienVault?

AlienVault USM captures accurate, real-time information on all the assets in your on-premises and cloud environments. On-premises, the USM platform scans your environments to gather information from devices to help determine the OS, running services, and installed software (often without requiring any credentials). To discover assets in your cloud environments, AlienVault USM hooks directly into cloud providers’ APIs to give you immediate visibility of your cloud infrastructure. AlienVault USM leverages native cloud services like AWS CloudWatch and Azure Monitor to collect data from your cloud environments and begin detecting threats.

FEATURE SPOTLIGHT: Asset Detail

The asset discovery & inventory capabilities within AlienVault USM are explicitly designed for SOC analysts. No other asset inventory tool provides this level of context, in a format that streamlines SOC analyst workflows.

The key is that all of the security-relevant information about an asset is displayed in a single view. By clicking into asset details, you can review all of the vulnerabilities, alarms, and events that are associated with a specific asset. 

2 Vulnerability Assessment

Why Is This Important?

Vulnerabilities represent the tiny cracks that an attacker uses to infiltrate your critical systems. This is commonly referred to as the “attack surface,” and these tiny cracks can open up when you least expect it. That’s why it’s essential to continually assess your entire IT landscape for vulnerabilities. Additionally, you may be subject to a variety of contractual and regulatory mandates (e.g. PCI DSS, SOX, etc.) that require periodic vulnerability assessments to demonstrate compliance.

How Do I Do It with AlienVault?

AlienVault includes a built-in vulnerability assessment tool that allows you to effectively detect those tiny cracks. Whereas traditional approaches to network vulnerability scanning and analysis rarely focus on usability and can seem cumbersome to those in IT wearing multiple hats, AlienVault USM takes a different approach. The USM platform provides a unified and easy-to-use platform that bolsters comprehensive vulnerability scanning software with asset discovery, a streamlined UI, and easy scheduling, so you can ensure continuous vulnerability assessment without having to manage the process manually. Scheduling scans in advance allows you to easily manage your network vulnerability scanning program as well as minimize disruption of critical services during peak times. If your critical infrastructure includes cloud environments, AlienVault USM offers cloud vulnerability scanning capabilities using cloud-native sensors for your Azure and AWS environments, giving you complete visibility into your cloud and on-premises environments from a single pane of glass.

A Closer Look: Vulnerability Assessment in AlienVault USM

Regularly Scheduled Auto-scanning
Create scans that run daily, weekly, or monthly during your off-peak hours. Automated scanning ensures continuous visibility of your vulnerabilities as your IT landscape changes.

Authenticated Scanning
Authenticated scans perform vulnerability assessment by using host credentials to probe your assets deeply, looking for vulnerable software packages, local processes, and services running on the system.

Cloud Infrastructure Scanning
AlienVault USM uses purpose-built cloud sensors to interface directly with cloud providers to automatically perform network vulnerability assessments of your AWS and Azure environments, including assets, security groups, and configurations.

FEATURE SPOTLIGHT:
Vulnerability Scan Scheduler

Flexibility is one of the most important aspects of doing vulnerability assessment well. At peak hours, vulnerability scans can disrupt network and system performance. To address this challenge, AlienVault USM offers SOC analysts control and flexibility when setting up ad-hoc and scheduled vulnerability scans.

With AlienVault USM, you can:
• Easily set up scan jobs targeting individual assets, asset groups, or even entire networks
• Schedule scans to run automatically at regular intervals to take the guesswork out of managing a scanning routine
• Control the techniques utilized and level of scanning intensity using default profiles or by creating your own

3 Behavioral Monitoring

Why Is This Important?

At its most basic, effective cyber security monitoring comes down to exception management. What activities represent exceptions to the norm (e.g. policy violations, error messages, spikes in outbound network activity, unexpected reboots)? For this to work, you need an understanding of what the “norm” looks like. Creating a baseline of system and network behavior provides the essential foundation for spotting anomalies, which often signal the presence of cyber adversaries in your environment.

In order to capture a baseline, it’s critical to combine behavioral monitoring technologies to provide a full, 360-degree perspective. Additionally, applying correlation rules against this data will help you identify and classify the latest risks, as well as capture data to support in-depth forensic investigations.
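As an added illustration of the baseline-then-exception idea described above (example code written for this chapter, not part of AlienVault USM), the following Python script builds a per-host baseline of daily outbound byte counts from constructed sample data and flags the day that breaks it. The 7-day window, the 3-sigma threshold and the 2x ratio guard are assumed choices, not product settings.

```python
"""Baseline-and-exception check for outbound network volume.

Added example, not part of the original chapter. The per-host byte totals
below are constructed sample data; the 7-day window, the 3-sigma threshold
and the 2x ratio guard are assumed choices, not AlienVault USM settings.
"""
from statistics import mean, pstdev

# Constructed daily outbound byte totals per internal host, oldest day first.
# Host 10.0.0.5 is quiet for a week, then pushes out far more than usual;
# host 10.0.0.9 is a busy but steady server whose latest day is normal.
DAILY_OUTBOUND_BYTES = {
    "10.0.0.5": [120_000, 110_000, 130_000, 125_000, 115_000, 118_000, 122_000,
                 9_800_000],
    "10.0.0.9": [5_000_000, 5_200_000, 4_900_000, 5_100_000, 5_050_000,
                 5_300_000, 4_950_000, 5_150_000],
}


def build_baseline(history, window=7):
    """Mean and population standard deviation over the first `window` days."""
    sample = history[:window]
    return mean(sample), pstdev(sample)


def find_exceptions(daily_bytes, window=7, sigma=3.0, min_ratio=2.0):
    """Return hosts whose latest day exceeds the baseline mean by `sigma`
    standard deviations AND by a factor of at least `min_ratio`.

    The ratio guard stops a host with an almost flat history (tiny stddev)
    from alarming on a harmless few-percent increase.
    """
    exceptions = {}
    for host, history in daily_bytes.items():
        if len(history) <= window:
            continue  # not enough history yet to baseline this host
        base_mean, base_sd = build_baseline(history, window)
        latest = history[-1]
        if latest > base_mean + sigma * base_sd and latest > min_ratio * base_mean:
            exceptions[host] = {
                "latest": latest,
                "baseline_mean": base_mean,
                "ratio": latest / base_mean,
            }
    return exceptions


if __name__ == "__main__":
    for host, detail in find_exceptions(DAILY_OUTBOUND_BYTES).items():
        print(f"EXCEPTION {host}: {detail['latest']} bytes out, "
              f"{detail['ratio']:.1f}x the {detail['baseline_mean']:.0f} baseline")
```

In practice the baseline would be recomputed on a rolling window so that the "norm" tracks legitimate change in the IT landscape rather than staying frozen at week one.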

How Do I Do It with AlienVault?

AlienVault USM provides fully integrated behavioral monitoring technologies within its platform, including visibility of user behavior in your cloud environments and applications. The USM platform provides cloud access logs (Azure: Monitor, AWS: CloudTrail, S3, ELB); AWS VPC flow monitoring; asset access logs; and VMware access logs.

Cloud Application Monitoring for applications like Office 365 allows you to track user and admin activity that might indicate a data breach.

Cloud Access Logs capture who requests data from your cloud environments and what they access.

Cloud Management Plane Integration ensures that you are able to monitor your AWS and Azure instances automatically.

4 Intrusion Detection

Why Is This Important?

Detecting an intruder at the point of entry can have the greatest impact on reducing system compromise and data leakage. That’s why intrusion detection systems (IDS) are considered one of the “must-have” SOC tools for identifying known attacks and known attacker activity. The keyword is “known.” On-premises, IDS operate based on correlation rules that detect known patterns of suspicious activity using unique intrusion signatures. This means it’s essential to keep your correlation rules current with the latest threat intelligence updates to be able to detect emerging threats. If you use cloud infrastructure, you also need to keep in mind that some traditional IDS methods won’t suffice because cloud providers restrict access to low-level network traffic. Effective cloud IDS requires access to the management plane for your cloud provider.

How Do I Do It with AlienVault?

AlienVault USM offers three types of intrusion detection technologies (IDS) that you can enable on a per-network, per-asset group, or per-server basis. Network Intrusion Detection (NIDS) analyzes on-premises network traffic to detect known attack patterns that indicate malicious activity (e.g. malware infections, policy violations, port scans, etc.).

The USM platform’s Host-based Intrusion Detection (HIDS) analyzes system behavior and configuration that could indicate system compromise. This includes the ability to recognize common rootkits, to detect rogue processes, and to detect modifications to critical configuration files. Additionally, AlienVault USM delivers Cloud Intrusion Detection (CIDS), including AWS IDS and Azure IDS, a cloud-native solution that interacts directly with the management plane of each cloud service provider to provide intrusion detection in your cloud environments.

The AlienVault Labs Security Research Team keeps AlienVault USM up-to-date with the latest threat intelligence on a continuous basis, adding new correlation rules, intrusion signatures, and response templates as threats emerge. The threat intelligence research provided by the Security Research Team is a critical extension to your SOC team, allowing you to focus on response.

FEATURE SPOTLIGHT:
AlienVault USM Integration with AlienVault Labs Threat Intelligence

Before explaining how this integration works, it’s important to understand how the AlienVault Labs Security Research Team develops its threat intelligence updates. Through a combination of proprietary research, collaboration with other security research institutions, and insights from the community-driven threat data within the AlienVault Open Threat Exchange (OTX), AlienVault collects tens of millions of threat indicators every day, including malicious IP addresses and URLs, domain names, malware samples, and suspicious files. AlienVault aggregates data from a wide range of sources, including:

  • External threat vendors (such as McAfee, Emerging Threats, VirusTotal)
  • Open sources (including the SANS Internet Storm Center, the Malware Domain List, as well as from collaboration with state agencies and academia)
  • AlienVault USM and AlienVault OSSIM users voluntarily contributing anonymized data
  • Community-contributed threat data in the form of OTX “pulses” (the format for the OTX community to share information about threats)
  • High-interaction honeypots that we set up to capture the latest attacker techniques and tools. We scale up instances of the honeypots depending on activity.

Next, automated systems and processes that we have set up leverage machine learning to assess the validity and severity of each threat indicator collected in OTX. These include:

  • A contribution system (for malware)
  • A URL system (for suspicious URLs)
  • An IP reputation system (for suspicious IP addresses)

We then use threat evaluation tools created by the Security Research Team to test and validate specific threat indicators. These evaluation processes include a Malware Analyzer, a DNS Analyzer, a Web Analyzer, and a BotNet Monitor. The validated threat data are also shared with the OTX community via the OTX Portal.

The Security Research Team then conducts deeper qualitative and quantitative analysis on the threats. Examples include reverse-engineering a malware sample, or conducting extensive research on particular threat actors and their infrastructure, to detect patterns of behavior and methods.

The Security Research Team delivers all information about the threats and the attack infrastructure to the USM platform via the AlienVault Labs Threat Intelligence Subscription. The team regularly updates eight coordinated rulesets, including correlation directives, IDS signatures, and response templates, which eliminates the need for organizations to tune their systems on their own. The analyzed threat data is also fed back into the Security Research Team’s analytical systems and tools, enabling them to make future correlations of threat indicators.

5 SIEM

Why Is This Important?

Collecting and analyzing system events from across your network provides a wealth of raw source material that you can mine for suspicious activity. Security Information and Event Management (SIEM) tools were developed on the assumption that by looking for certain patterns of activity and sequences of events, you can detect a cyber attack as well as validate and demonstrate regulatory compliance. SIEM tools provide a core foundation for building a SOC because of their ability to apply dynamic correlation rules against a mountain of disparate and varied event log data to find the latest threats.

SIEM Secret Sauce: Threat Intelligence

Even though we have a whole chapter dedicated to Threat Intelligence, we still feel compelled to emphasize how essential dynamic threat intelligence is to the value of your SIEM, and the overall functioning of your SOC. Without threat intelligence, your SIEM would have no alarms, and no interesting reports to review. While it would be nice to have no alarms to respond to (because that means nothing is wrong or you’re on vacation), it basically means that there’s no correlation or analysis being done on your raw event log data. Or, you may have some sample or DIY correlation rules as a starting point, but you’re no longer looking for the latest threats because your threat intelligence hasn’t been updated since the LoveBug virus.

The point is that threats are constantly evolving, cyber attackers are constantly upping their game, and so too must your SOC. The more new indicators and countermeasures are discovered, collected, shared, analyzed and implemented, the more difficult we all make it for the bad guys. That’s why AlienVault built the platform (AlienVault USM), the community (OTX), and the threat intelligence (AlienVault Labs Security Research Team) to create a SOC that teams of any size can implement.

How Do I Do It with AlienVault?

AlienVault USM combines all of the essential security monitoring technologies, including SIEM, onto a single platform. Our SIEM capability normalizes and analyzes event log data from disparate sources and applies correlation rules developed and maintained by the AlienVault Labs Security Research Team to find and classify potential threats. When an alarm is triggered by a correlation rule, details about the event and activity are classified according to an event taxonomy based on a simplified version of Lockheed Martin’s cyber kill chain (an industry standard). This event classification enables SOC analysts to prioritize which events to focus on, in order to quickly respond and investigate.

Additionally, AlienVault’s SIEM correlation logic translates into rich and highly detailed compliance-ready data. Raw event log data from hundreds or thousands of systems is aggregated and analyzed to identify policy violations and demonstrate compliance to auditors.

If you don’t have the time, budget, or resources to constantly research the global threat landscape, don’t worry. The AlienVault Labs Security Research Team does it for you. With its built-in threat intelligence subscription, the AlienVault USM platform is regularly updated with:

  • New and advanced correlation directives - to find the latest threats among the activity on your network
  • New IDS signatures - to detect emerging threats on your network and servers
  • New vulnerability checks - to ensure systems and apps are effectively patched
  • New asset discovery signatures - for an accurate asset inventory
  • Dynamic IP reputation data - to detect activity with the latest known bad adversaries
  • New data source plugins - to consume more raw event log data
  • Updated report templates - to demonstrate compliance with PCI DSS, HIPAA and more
  • Up-to-the-minute guidance on emerging threats and context-specific remediation
  • A Contribution System (for malware)

The Security Research Team also leverages the power of OTX, the world’s largest crowd-sourced repository of threat data, to provide global insight into attack trends and bad actors. AlienVault’s team of security experts analyzes, validates, and curates the global threat data collected by the OTX community.

The AlienVault Labs Security Research team maximizes the efficiency of any security monitoring program by delivering the threat intelligence that you rely on to understand and address the most critical issues in your networks.

We perform the analysis, allowing you to spend your scarce time mitigating the threats rather than researching them.

FEATURE SPOTLIGHT:
AlienVault USM Security Dashboards & Reports

If you can’t measure it, you can’t manage it. That’s a favorite quote of millions of business people across industries and regions. It’s especially true now that we find ourselves in the age of big data. As many IT professionals have discovered, however, big data is meaningless without the ability to sort through and interpret it.

To help you put your security data to use, AlienVault USM includes intuitive dashboards and clean visualizations. AlienVault USM allows you to:

  • Quickly assess the security status of your critical infrastructure
  • Easily prioritize alarms and vulnerabilities
  • Take immediate action to remediate new threats
  • Fight data overwhelm with clean visualizations

Additionally, you can drill down within the dashboards AlienVault USM provides to see details about the threats and vulnerabilities affecting your critical infrastructure.
