Security Operations Center


What is a Security Operations Center?

A security operations center (SOC, sometimes ISOC for information security operations center) is a facility where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed and defended.

A security operations center (SOC) can also be called a security defense center (SDC), security analytics center (SAC), network security operations center (NSOC), security intelligence center, cyber security center, threat defense center, security intelligence and operations center (SIOC) or infrastructure protection center (IPC).

SOCs are typically built around a security information and event management (SIEM) system, which aggregates and correlates data from security feeds such as network discovery and vulnerability assessment systems; governance, risk and compliance (GRC) systems; web site assessment and monitoring systems; application and database scanners; penetration testing tools; intrusion detection systems (IDS) and intrusion prevention systems (IPS); log management systems; network behaviour analysis and cyber threat intelligence; wireless intrusion prevention systems; firewalls, enterprise antivirus and unified threat management (UTM). The SIEM gives analysts a “single pane of glass” through which to monitor the enterprise; in practice its value depends on how completely the feeds are collected, how consistently they are normalized into one event schema, and how well the correlation rules separate real incidents from noise.


Acunetix

Acunetix is an automated web application security testing tool that audits web applications by checking for vulnerabilities such as SQL injection, cross-site scripting (XSS) and other exploitable flaws. In general, Acunetix can scan any website or web application that is reachable through a web browser over HTTP or HTTPS.

Acunetix allows you to secure your websites and web applications quickly and efficiently, while making it easy to manage the vulnerabilities detected. The Dashboard provides a bird’s-eye view of the security of the organisation’s assets.

As Figure 1 shows, the dashboard lists the number of high, medium and low severity vulnerabilities found, along with the most vulnerable targets and the top vulnerabilities.

Figure 1: Acunetix Dashboard


AlienVault OSSIM

AlienVault® OSSIM™ (Open Source Security Information and Event Management) is a feature-rich open source SIEM that provides event collection, normalization and correlation. It leverages the AlienVault® Open Threat Exchange® (OTX™) by allowing users to both contribute and receive real-time information about malicious hosts. AlienVault continues to develop OSSIM on the premise that everyone should have access to sophisticated security technology: from researchers who need a platform for experimentation to practitioners who cannot convince their companies that security is a problem, OSSIM offers a way to increase security visibility and control over a network.
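The normalization and correlation that the SIEM description above and the OSSIM description here both refer to, as an added example that is not part of the page or of AlienVault's code: three constructed feeds (firewall, IDS, SSH auth) in different formats are parsed into one event schema, each source IP is enriched from a constructed reputation list standing in for an OTX-style feed, and an alarm is raised when one source produces negative events from two or more feeds within a 60-second window. All hosts, addresses, the signature ID and the reputation entry are made up.

```python
"""Added example (not OSSIM code): a miniature SIEM pipeline. Three feeds are
normalized into one schema, enriched with IP reputation, and correlated per source."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Hosts, IPs and the IDS signature are made up.
FIREWALL_LOGS = [
    "2024-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=TCP",
    "2024-03-01T10:00:02Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23 proto=TCP",
    "2024-03-01T10:00:09Z fw01 ALLOW src=198.51.100.4 dst=10.0.0.8 dport=443 proto=TCP",
]
IDS_LOGS = [
    '2024-03-01T10:00:05Z ids01 [1:1000001:1] "LOCAL SCAN SSH probe" {TCP} 203.0.113.7:51234 -> 10.0.0.5:22',
]
AUTH_LOGS = [
    "2024-03-01T10:00:20Z srv05 sshd[1234]: Failed password for root from 203.0.113.7 port 51300 ssh2",
    "2024-03-01T10:00:21Z srv05 sshd[1234]: Failed password for root from 203.0.113.7 port 51301 ssh2",
    "2024-03-01T10:05:00Z srv05 sshd[1240]: Accepted password for alice from 198.51.100.4 port 40000 ssh2",
]
# Constructed threat-intelligence entry standing in for an OTX / IP-reputation feed.
REPUTATION = {"203.0.113.7": "scanning host"}

FW_RE = re.compile(r"(?P<ts>\S+) (?P<sensor>\S+) (?P<action>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
IDS_RE = re.compile(r'(?P<ts>\S+) (?P<sensor>\S+) \[[\d:]+\] "(?P<sig>[^"]+)" \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)')
AUTH_RE = re.compile(r"(?P<ts>\S+) (?P<sensor>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)")


def _event(m, feed, category, detail):
    """Map a regex match onto the common event schema shared by every feed."""
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "sensor": m["sensor"], "feed": feed, "category": category,
        "src_ip": m["src"], "detail": detail,
        "reputation": REPUTATION.get(m["src"]),   # enrichment step
    }


def normalize(fw_lines=FIREWALL_LOGS, ids_lines=IDS_LOGS, auth_lines=AUTH_LOGS):
    """Parse each feed with its own regex and return one time-ordered event list."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            cat = "network_deny" if m["action"] == "DENY" else "network_allow"
            events.append(_event(m, "firewall", cat, f"{m['dst']}:{m['dport']}"))
    for line in ids_lines:
        m = IDS_RE.match(line)
        if m:
            events.append(_event(m, "ids", "ids_alert", m["sig"]))
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            cat = "auth_failure" if m["result"] == "Failed" else "auth_success"
            events.append(_event(m, "auth", cat, f"user={m['user']}"))
    events.sort(key=lambda e: e["ts"])
    return events


NEGATIVE = {"network_deny", "ids_alert", "auth_failure"}


def correlate(events, window=timedelta(seconds=60), min_feeds=2):
    """Alarm when one source IP triggers negative events in >= min_feeds distinct
    feeds within `window`. One alarm per source, on the earliest qualifying window."""
    by_src = defaultdict(list)
    for e in events:
        if e["category"] in NEGATIVE:
            by_src[e["src_ip"]].append(e)
    alarms = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            group = [x for x in evs[i:] if x["ts"] - first["ts"] <= window]
            feeds = sorted({x["feed"] for x in group})
            if len(feeds) >= min_feeds:
                alarms.append({"src_ip": src, "feeds": feeds, "events": len(group),
                               "reputation": first["reputation"],
                               "start": first["ts"], "end": group[-1]["ts"]})
                break
    return alarms


if __name__ == "__main__":
    for a in correlate(normalize()):
        print(f"ALARM {a['src_ip']} ({a['reputation']}): {a['events']} events across "
              f"{a['feeds']} between {a['start']:%H:%M:%S} and {a['end']:%H:%M:%S}")
```

A production SIEM performs the same three steps at scale, with a parser per device type, a shared schema and a rule engine; the rule shown is the classic cross-feed one (a block on the firewall, an IDS alert and failed logins from the same source within a minute), and note that no single feed would alarm on its own.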

Figure 2 shows the AlienVault USM All-in-One Remote Sensor Appliance (USM is AlienVault's commercial product, of which OSSIM is the free open source edition; the dashboards in the following figures are taken from it). Figure 3 shows customizable executive dashboards that give overviews and click-through details of the organisation's security and compliance posture. The dashboards illustrate Security Events: Top 5 Alarms; SIEM: Top 10 Event Categories; Top OTX Activity in your Environment; Latest SIEM vs Logger Events; Top 10 Hosts with Multiple Events; and SIEM Events by Sensor/Data Source.

Figure 2: AlienVault USM All-in-One Remote Sensor Appliance


Figure 3: AlienVault Executive Dashboards

Figure 4 shows the built-in network flow analysis, which provides the data needed for in-depth investigations, including packet capture, and keeps a live profile of TCP, UDP, ICMP and other traffic. Figure 5 shows the identification of malicious actors attempting to interact with the network using dynamic IP reputation data: events from the most active OTX pulses are listed alongside the reputation of the IP addresses involved.

Figure 4: AlienVault Netflow Monitor

Figure 5: AlienVault OTX and IP Reputation

Figure 6 shows the built-in network and host intrusion detection systems (NIDS and HIDS); feeding both into the same correlation engine gives more accurate threat detection and event correlation, faster deployment and simpler management. Figure 7 shows the built-in vulnerability assessment, which simplifies security monitoring and speeds remediation. The Vulnerability Overview shows vulnerabilities by severity and by service (top 10), the top 10 hosts and top 10 networks, and the list of current vulnerabilities.

Figure 6: AlienVault Network and Host IDS

Figure 7: AlienVault Vulnerability Assessment

Fortinet FortiGate

FortiGate next-generation firewalls use purpose-built security processors and threat intelligence services from FortiGuard Labs to deliver high-performance protection, including inspection of encrypted (SSL/TLS) traffic. FortiGate reduces complexity by providing automated visibility into applications, users and the network, and provides security ratings that compare the current configuration against security best practices.

The FortiOS dashboard is the place to view real-time system information. By default it displays key statistics of the FortiGate unit itself: memory and CPU status and the health of the ports, whether they are up or down and their throughput. Figure 8 shows the Fortinet FortiGate 7060E-8 hardware appliance, a chassis that delivers high-performance threat protection and SSL inspection for large enterprises and service providers and can be deployed at the enterprise or cloud edge, in the data center core or on internal segments. Figure 9 shows the Status section of the dashboard, where CPU, memory and session utilization are displayed. Figure 10 shows the Top Usage LAN/DMZ section, with Top Sources by Bytes, Top Destinations by Sessions, Top Applications by Bytes and Top Web Sites by Sessions.

Figure 8: Fortinet FortiGate 7060E-8

Figure 9: FortiGate Dashboard – Status

Figure 10: FortiGate Dashboard – Top Usage LAN/DMZ

Within the dashboard are a number of smaller windows, called widgets, that provide this status information. Beyond what is visible by default, you can add other widgets that display key traffic information, including application use, traffic per IP address, top attacks, traffic history and logging statistics.

You can add multiple dashboards to reflect the data you want to monitor and add widgets accordingly. Dashboard configuration is available only through the GUI. An administrator needs read and write privileges to customize dashboards and add widgets, and read privileges to view them. Figure 11 shows the Security dashboard, comprising Top Compromised Hosts by Verdict, Top Threats by Threat Level, FortiClient Detected Vulnerabilities, Host Scan Summary and Top Vulnerable Endpoint Devices by Detected Vulnerabilities.

Figure 11: FortiGate Dashboard – Security

Figure 12 shows the Security Rating section of the dashboard. Doughnut charts display Security Control Results, Severity of Failed Security Controls and Device Types. Audit Logging & Monitoring (AL) results are also shown in Figure 12, with columns for compliance, security controls, devices and result (Passed/Failed).

Figure 12: FortiGate Dashboard – Security Rating

Graylog

Graylog is a centralized log management platform built on open standards for capturing, storing and analysing terabytes of machine data in real time. It helps find real threats in the mass of data produced by firewall logs, applications, endpoint operating systems, networking equipment and DNS requests, and can surface issues such as USB devices plugged into sensitive endpoints or installations of browser plug-ins with known vulnerabilities.

Figure 13: Graylog Application Overview Dashboard

Graylog is designed around log collection, storage, enrichment and analysis. Searching, exploring and visualizing data is simple enough that analysts can be productive without extensive training or dedicated tool specialists.

Figure 13 shows an Application Overview dashboard with widgets such as Total Exceptions Today, Failed DB Queries Last Hour, HTTP Response Codes Today, Response Time, Total Requests, User IDs, Resources and Controllers. Figure 14 shows a Netflow board with widgets such as Traffic Today, Traffic over the Last Week, Traffic over the Last 8 Hours, Source and Destination.

Figure 14: Graylog Netflow Dashboard


IBM® Guardium Data Protection for Databases

IBM® Guardium Data Protection for Databases empowers security teams to analyse, protect and adapt for comprehensive data protection in heterogeneous environments, including databases, data warehouses, files, file shares, cloud, and big-data platforms such as Hadoop and NoSQL.

The solution continuously monitors all data access operations in real time to detect unauthorized actions, based on detailed contextual information: the “who, what, where, when and how” of each data access. Guardium Data Protection reacts immediately to help prevent unauthorized or suspicious activities by privileged insiders and external attackers. It automates data security governance controls in heterogeneous enterprises. Guardium Data Protection improves security and supports compliance requirements through a set of core capabilities that help reduce risk and minimize cost of ownership.

It is a comprehensive data security platform that offers a full range of functions across different environments, from file systems to databases and big data platforms. It provides a data security platform for structured data in databases and data warehouses on major operating systems. It automatically discovers critical data and uncovers risk, providing visibility into all transactions and protocols across platforms and users.

Guardium enables protection for sensitive data via real-time capabilities, including monitoring, alerting, blocking and quarantining, along with compliance automation to streamline operations and reduce risk of audit failure. It protects against unauthorized data access by learning regular user access patterns and can provide real-time alerts on suspicious activities. It can dynamically block access or quarantine user IDs to protect against internal and external threats and also helps streamline and automate compliance workflows.

Figure 15 shows the Guardium Deployment Health Dashboard which has plots of the Unit utilization timechart showing the Logger queue and CPU load, High severity issues and Resource requirements.

Figure 16 shows the assessment of the databases with widgets from the categories Landscape, Security and Compliance. Landscape contains Total Databases, DB Users, OS Users and Client IPs, and Servers' Errors, Activities & Source Programs. Security contains Security Assessments, Activity & Outliers, and Violations & Errors & Activity. Compliance contains Audit Process and Unmonitored Servers.

Figure 17 shows the Suspected SQL Injection Cases with various charts that display the Activities count per Time and Object, Errors count per Time and Details, Outliers count per Hour and Outlier Reason, Violations count per Time and Severity, Suspicious Error types and Suspicious Objects Names.

Figure 15: Guardium Deployment Health Dashboard

Figure 16: Guardium Dashboard Widgets

Figure 17: Guardium Suspected SQL Injection Cases
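The behaviour Guardium is described as automating above (learning regular access patterns, alerting on outliers, and grouping suspected SQL injection cases by error and outlier reason as in Figure 17), as an added example that is neither Guardium code nor its API: a baseline per database user is learned from constructed audit records, later records are scored against it, and a burst of SQL errors from one client is reported as possible injection probing. The users, addresses, statements and error strings are all constructed, and the thresholds are illustrative.

```python
"""Added example (not Guardium code): database-activity baselining and outlier scoring."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TABLE_RE = re.compile(r"\b(?:from|join|into|update)\s+([A-Za-z_][\w.]*)", re.I)


def objects(sql):
    """Crude extraction of the table names a statement touches; enough for a demo."""
    return {t.lower() for t in TABLE_RE.findall(sql)}


def rec(user, client_ip, ts, sql, error=None):
    """One audit record in the shape a monitoring agent would deliver."""
    return {"user": user, "client_ip": client_ip,
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "sql": sql, "error": error}


# Constructed training records: what "normal" looked like for the application account.
BASELINE_RECORDS = [
    rec("app_user", "10.0.1.10", "2024-03-01 09:15:00", "SELECT id, total FROM orders WHERE customer_id = 42"),
    rec("app_user", "10.0.1.10", "2024-03-01 13:40:00", "SELECT name FROM customers WHERE id = 42"),
    rec("app_user", "10.0.1.10", "2024-03-01 17:05:00", "UPDATE orders SET status = 'shipped' WHERE id = 7"),
]

# Constructed records to score: one clean query; an injection probe that errors three
# times in a few seconds and finally reaches information_schema; an unknown account.
OBSERVED = [
    rec("app_user", "10.0.1.10", "2024-03-02 10:00:00", "SELECT id, total FROM orders WHERE customer_id = 43"),
    rec("app_user", "10.0.1.10", "2024-03-02 10:00:05", "SELECT id, total FROM orders WHERE customer_id = 43'", "syntax error"),
    rec("app_user", "10.0.1.10", "2024-03-02 10:00:07", "SELECT id, total FROM orders WHERE customer_id = 43 AND 1=CONVERT(int,(SELECT @@version))", "conversion failed"),
    rec("app_user", "10.0.1.10", "2024-03-02 10:00:09", "SELECT id, total FROM orders WHERE customer_id = 43 UNION SELECT table_name, 1 FROM information_schema.tables", "column count mismatch"),
    rec("dba_temp", "10.0.9.99", "2024-03-02 03:12:00", "SELECT * FROM customers"),
]


def build_baseline(records):
    """Per user: objects touched, hours of activity and client IPs seen."""
    base = {}
    for r in records:
        b = base.setdefault(r["user"], {"objects": set(), "hours": set(), "clients": set()})
        b["objects"] |= objects(r["sql"])
        b["hours"].add(r["ts"].hour)
        b["clients"].add(r["client_ip"])
    return base


def score(records, baseline, error_burst=3, burst_window=timedelta(seconds=60)):
    """Return (record, reasons) for every record that deviates from the baseline."""
    outliers = []
    errors_by_client = defaultdict(list)
    for r in records:
        reasons = []
        b = baseline.get(r["user"])
        if b is None:
            reasons.append("unknown user")
        else:
            new = objects(r["sql"]) - b["objects"]
            if new:
                reasons.append("new object(s): " + ", ".join(sorted(new)))
            if not min(b["hours"]) <= r["ts"].hour <= max(b["hours"]):
                reasons.append(f"outside usual hours ({r['ts'].hour:02d}:00)")
            if r["client_ip"] not in b["clients"]:
                reasons.append(f"new client {r['client_ip']}")
        if r["error"]:
            # Repeated SQL errors from one client in a short window are the classic
            # footprint of an attacker probing for injection.
            hist = errors_by_client[r["client_ip"]]
            hist.append(r["ts"])
            recent = [t for t in hist if r["ts"] - t <= burst_window]
            if len(recent) >= error_burst:
                reasons.append(f"{len(recent)} SQL errors within {burst_window.seconds}s (possible injection probing)")
        if reasons:
            outliers.append((r, reasons))
    return outliers


if __name__ == "__main__":
    for r, reasons in score(OBSERVED, build_baseline(BASELINE_RECORDS)):
        print(f"{r['ts']} {r['user']}@{r['client_ip']}: {'; '.join(reasons)}")
```

The two clean queries and the first two failed probes produce no outlier on their own; only the third error in the window, which also touches an object the account has never used, is reported, together with the account the baseline has never seen. A real deployment would learn over weeks rather than three records and would weight reasons by severity rather than simply listing them.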

Imperva® SecureSphere WAF

Imperva® SecureSphere Web Application Firewall (WAF) analyses all user access to your business critical web applications and protects your applications and data from cyber-attacks. It dynamically learns your applications’ “normal” behaviour and correlates this with the threat intelligence crowd-sourced from around the world and updated in real time to deliver superior protection.


Imperva SecureSphere® appliances provide high performance and resiliency for demanding data center environments. Fail-open interfaces let traffic keep flowing if the appliance fails (traffic then passes uninspected, so the choice between fail-open and fail-closed is a deliberate availability-versus-security decision); out-of-band management keeps the management plane off the data path; and front-panel status messages and network interfaces improve manageability. SecureSphere appliances deliver a scalable, reliable and flexible platform for Imperva's web, database and file security solutions.

Figure 18 shows the Imperva X6500 SecureSphere appliance, which combines multiple security engines into a cohesive web defense. It is certified by ICSA Labs, provides protection against the OWASP Top Ten categories, including SQL injection, XSS and CSRF, and addresses PCI DSS requirement 6.6.

Figure 18: Imperva X6500 SecureSphere Appliance

The WAF identifies and acts on attacks hidden in innocent-looking website traffic that slips through traditional network defences. It prevents application vulnerability attacks such as SQL injection, cross-site scripting and remote file inclusion; business logic attacks such as site scraping and comment spam; botnet and DDoS attacks; and account takeover attempts, in real time, before fraud can be carried out.

Imperva WAF uses patented dynamic application profiling and correlated attack validation to detect attacks accurately and minimize false positives. Dynamic application profiling learns the structure of each web application, including its directories, URLs, parameters and acceptable user inputs, so that requests which deviate from the learned profile stand out. Correlated attack validation aggregates and analyses individual violations across the stack, so that a single minor deviation is not treated the same as several independent indicators on one request. Combined, they aim to detect attacks accurately and block only malicious traffic.
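Dynamic application profiling and correlated attack validation as described here, as an added example that is not Imperva's implementation: a profile of parameters and value shapes per URL is learned from constructed known-good requests, each later request is checked against it and against two small attack signatures, and a single deviation only alerts while two or more independent violations on the same request block. The URLs, parameters, traffic, thresholds and signatures are all constructed for illustration.

```python
"""Added example (not Imperva code): a positive-security-model profiler for a WAF."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

WORD_RE = re.compile(r"[\w .@-]+")
# Minimal attack signatures, used only to corroborate a profile deviation.
SIGNATURES = [
    ("sqli", re.compile(r"'\s*(or|and)\s|union\s+select|;\s*drop\s", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|on(error|load|click)\s*=", re.I)),
]

# Constructed learning traffic: (method, url, body) tuples taken as known-good.
LEARNING = [
    ("GET", "/account?id=1001", ""), ("GET", "/account?id=1002", ""), ("GET", "/account?id=2048", ""),
    ("GET", "/search?q=blue+shoes", ""), ("GET", "/search?q=red%20hat", ""),
    ("POST", "/login", "user=alice&pw=xxx"), ("POST", "/login", "user=bob&pw=hunter2"),
]


def split_request(method, url, body):
    """Key a request by (method, path) and merge query-string and body parameters."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    return (method, parts.path), params


def infer_type(values):
    """Pick the narrowest value class that every learned value fits."""
    if all(v.isdigit() for v in values):
        return "int"
    if all(WORD_RE.fullmatch(v) for v in values):
        return "word"
    return "text"


def learn(requests):
    """Build {(method, path): {param: {"type", "maxlen"}}} from known-good requests."""
    seen = defaultdict(lambda: defaultdict(list))
    for method, url, body in requests:
        key, params = split_request(method, url, body)
        for name, value in params:
            seen[key][name].append(value)
    return {key: {name: {"type": infer_type(vals), "maxlen": max(len(v) for v in vals)}
                  for name, vals in spec.items()}
            for key, spec in seen.items()}


def decide(violations):
    """Correlated validation: one deviation alone only alerts; two or more independent
    violations on the same request (e.g. a type deviation plus a signature hit) block."""
    if len(violations) >= 2:
        return "block", violations
    return ("alert" if violations else "allow"), violations


def inspect_request(profile, method, url, body=""):
    """Return (action, violations) for one request checked against the profile."""
    key, params = split_request(method, url, body)
    spec = profile.get(key)
    if spec is None:
        return decide([f"unprofiled URL {method} {key[1]}"])
    violations = []
    for name, value in params:
        p = spec.get(name)
        if p is None:
            violations.append(f"{name}: unknown parameter")
            continue
        if p["type"] == "int" and not value.isdigit():
            violations.append(f"{name}: expected integer")
        elif p["type"] == "word" and not WORD_RE.fullmatch(value):
            violations.append(f"{name}: unexpected characters")
        if len(value) > 2 * p["maxlen"]:
            violations.append(f"{name}: length {len(value)} exceeds learned maximum {p['maxlen']}")
        for label, rx in SIGNATURES:
            if rx.search(value):
                violations.append(f"{name}: {label} signature")
    return decide(violations)


if __name__ == "__main__":
    profile = learn(LEARNING)
    for m, u, b in [("GET", "/account?id=1003", ""),
                    ("GET", "/account?id=1003'+OR+'1'='1", ""),
                    ("GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", ""),
                    ("GET", "/admin?debug=1", ""),
                    ("POST", "/login", "user=bob&pw=secret&remember=1")]:
        print(m, u, b, "->", inspect_request(profile, m, u, b))
```

The profile is what lets the WAF reject `id=1003' OR '1'='1` on its own merits: `id` was only ever an integer, so the value is wrong before any signature is consulted, and the signature hit just raises the confidence to a block. The unprofiled `/admin` request and the unexpected `remember` field are alerted rather than blocked, which is where a real deployment would decide between tightening the profile and extending the learning period.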

It offers graphical reporting to convey security status and support regulatory compliance: pre-defined and customizable reports help assess security status quickly and streamline demonstration of compliance with PCI DSS, SOX, HIPAA, FISMA and other standards.

The WAF integrates with most leading Security Information and Event Management (SIEM) systems, such as Splunk and ArcSight, by exporting events as syslog messages in Common Event Format (CEF) or JSON. Once in the SIEM, the events are indexed and searchable, which speeds up incident response.

Figure 19 shows the Monitor Dashboard of Imperva SecureSphere with various widgets such as ThreatRadar, Gateways, Server Groups, CPU Load, Connections/sec, Alerts per Severity (Filtered), Latest Alerts and Latest System Events.

Figure 19: Imperva® SecureSphere WAF Monitor Dashboard

Nessus® Manager

Nessus® Manager combines the detection, scanning and auditing features of Nessus, which Tenable describes as the world's most widely deployed vulnerability scanner, with management and collaboration functions to reduce the attack surface.

Nessus Manager enables the sharing of resources, including Nessus scanners, scan schedules, policies and scan results, among multiple users or groups. Users can share resources and responsibilities with their co-workers: system owners, internal auditors, risk and compliance personnel, IT administrators, network admins and security analysts. These collaborative features reduce the time and cost of security scanning and compliance auditing by streamlining scanning, malware and misconfiguration discovery, and remediation.

It covers physical, virtual, mobile and cloud environments. Nessus Manager is available for on-premises deployment, with the cloud-hosted equivalent offered as Tenable.io. It supports a wide range of systems, devices and assets, and with both agentless scanning and Nessus Agent deployment options it extends to mobile, transient and other hard-to-reach environments.

Figure 20 shows a network scan dashboard with current vulnerabilities grouped as Critical, High, Medium, Low and Info, and widgets for operating systems, vulnerabilities, authentication (whether credentialed scanning succeeded on each host), vulnerabilities over time and top vulnerabilities.

Figure 20: Nessus Manager Scan Dashboard

NetIQ® Access Manager

NetIQ® Access Manager is a comprehensive access management solution that provides secure access to web and enterprise applications. Access Manager provides seamless single sign-on across technical and organizational boundaries. It uses industry standards that include Security Assertion Markup Language (SAML), Liberty Alliance protocols, WS-Trust, WS-Federation, OAuth, OpenID Connect and others.

The Analytics Dashboard provides a visual view of real-time and historic access patterns. From it you can learn what typical access looks like, tune access policies, consolidate resources, plan capacity and spot security risks.

With the Analytics Dashboard you can gain insights into users, endpoint characteristics, applications accessed, the trend of authentications over a period, and security and risk-based authentication patterns.

Figure 21 shows a Risk Analysis dashboard for user behaviour analysis, which highlights potentially suspicious user activity. Its widgets include Pre-auth Risk Distribution, Post-auth Risk Distribution, Top Users, Geolocation of Users Logged In, Most Used Browsers, Most Used Endpoint Devices, Identity Server Logins and Access Gateway Logins.

Figure 21: NetIQ Analytics Dashboard

pfSense®

pfSense® is a free, customized distribution of FreeBSD that turns a general-purpose machine into a full-featured router and firewall.

pfSense is very flexible and can be adapted to applications ranging from a home router to the firewall of a large corporate network. It is easy to install and maintain and offers a useful web-based user interface. pfSense includes many features that are otherwise found only in expensive commercial routers.

The pfSense dashboard is the main page of the firewall and makes monitoring the various aspects of the system easy. It is composed of widgets, each of which displays information about a different area of the firewall. The available widgets include Captive Portal Status, CARP Status, Dynamic DNS Status, Firewall Logs, Gateways, Gmirror Status, HAVP Alerts (installable add-on widget), Installed Packages, Interface Statistics, Interfaces, IPsec Status, Load Balancer Status, NTP Status, OpenVPN Status, Pictures, RSS Feed, Services Status, S.M.A.R.T. Status, Snort Alerts (installable add-on widget), System Information, Thermal Sensors, Traffic Graphs and Wake on LAN.

Figure 22 shows the XG-1541 1U 19″ rack-mount pfSense® Security Gateway appliance, featuring the 8-core Intel® Xeon® D-1541 processor with AES-NI for hardware-accelerated cryptography (which matters for IPsec and OpenVPN throughput), supporting high I/O throughput and good performance per watt. The appliance can be configured as a firewall, LAN or WAN router, VPN appliance, DHCP server, DNS server, and IDS/IPS with optional packages, to deliver a high-performance, high-throughput front-line security architecture at a competitive price per gigabit. Built with performance, versatility and low total cost of ownership in mind, pfSense systems meet the needs of organizations of all sizes.

Figure 22: XG-1541 1U pfSense® Security Gateway Appliance

Figure 23 shows a custom pfSense dashboard with different widgets allotted. The widgets include System Information, Services Status, Interfaces, Firewall Logs, Traffic Graphs – Current WAN Traffic and Current LAN Traffic.

Figure 23: pfSense Dashboard Widgets

Radware® DefensePro

Radware® DefensePro includes a comprehensive set of four essential security modules – anti-DDoS, network behavioural analysis (NBA), intrusion prevention system (IPS) and SSL attack protection (DefenseSSL) – to fully protect the application infrastructure against known and emerging network security attacks. It employs multiple detection and mitigation modules including adaptive behavioural analysis, challenge response technologies and signature detection.

DefensePro provides automated DDoS defense and IoT botnet attack mitigation, protecting against fast-moving, high-volume, encrypted or very short-duration threats. This includes Mirai-style IoT botnets, pulse and burst attacks, DNS and TLS/SSL floods, and the attacks associated with Permanent Denial of Service (PDoS) and Ransom Denial of Service (RDoS) campaigns.

Figure 24 shows the Radware DefensePro x4420 Series appliance. It is a real-time, behaviour-based attack mitigation device that protects the infrastructure against network and application downtime, application vulnerability exploitation, malware spread, network anomalies, information theft and other emerging cyber-attacks.

Figure 24: Radware DefensePro x4420 Series Appliance

Figure 25 shows the DefensePro Dashboard with widgets for Top Attacks, Top Attack Destinations, Top Attacked Destinations, Attacks by Port, Attack Details by Latest Timestamp and Attacks Detected.

Figure 25: Radware Dashboard

DefensePro is built on patented adaptive, behaviour-based real-time signature technology that detects and mitigates emerging network attacks, zero-minute attacks, DoS/DDoS, application misuse, network scanning and malware spread. Radware states that this reduces the need for human intervention while avoiding blocking legitimate user traffic; as with any behavioural system, the quality of the learned baseline determines how well that holds under a novel attack.