design and evaluation of [vsoc]: virtualised security ... · aws cloudtrail . amazon s3. azure....
TRANSCRIPT
![Page 1: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/1.jpg)
DesignandEvaluationof[vSoC]:VirtualisedSecurityOperationsCentreProfWilliamJBuchananhttp://thecyberacademy.org
[vSoC]
![Page 2: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/2.jpg)
Sharingofresources
DFET Training Cloud – Infrastructure for training and sharing of material
Public Sector Evaluation of systems.
Training.
Academia Training/sharing
materials Virtualised environments
Industry Training/sharing materials.
Professional certification
Software Vendors: Test environments. Promoting products. Providing floating licences
Government Define standards Evaluate products
Public clouds
Existing AcademicClouds
Law Enforcement Triage systems Training
![Page 3: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/3.jpg)
BuildingvSoC
Intrusion Detection System
Firewall
Internet
Switch
Router (NAT)
Emailserver
Webserver
DMZ
FTPserver
Firewall
EveBob
Alice
Data Centre
Load balancer
Syslogserver [vSoC]
![Page 4: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/4.jpg)
vSoC/DFETCloud
ThecurrentDFETCloudcontainsfivemainclusternodes,whereeachclusternoderuns:• VMwarevSphere5.5withVMwarevCenterusedtomanagetheinstances.• 170GHzCPU,767GBofmemory.• 40TBofdiskspace.• 72Processors.• Runningover2,500runningVMs.
![Page 5: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/5.jpg)
TheMoveTowardSecurityAnalyticsBigData/SIEM
[vSoC]
![Page 6: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/6.jpg)
DataAnalysis
• IncreasingnumberofjobsareinSecurityAnalytics(SOCAnalysts).• Companiesrequireskillsforbefore,duringandafterincidents(mixofsecurityandforensics).
Inci
dent
sIn
trodu
ctio
n
Author: Prof Bill Buchanan
Incidents
During IncidentBefore Incident After Incident
TimelineData At Rest
Data In-Motion
Data In-Process
Files, Directories, File Rights, Domain Rights, etc.
File changes, File CRUD (Create, Delete, Update,
Delete), Thumbprints
Network packet logs, Web logs, Security logs
Network scanners, Intrusion Detection Systems, Firewall
logs, etc
Processes, Threads, Memory, etc.
Security Log, Application Log, Registry, Domain Rights.
Intruder
![Page 7: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/7.jpg)
IncreasingComplexityofKnowledge
• Increasingrequirementforawiderangeofskillsforsecurityprofessionals.
Intro
duct
ion
Inc
Res
pons
e
Data Capture
Webserver
IT Ops
Nagios.NetApp.
Cisco UCS.Apache.
IIS.
Web Services
Firewall
Router
Proxyserver
Emailserver
FTPserver
Switch
Eve
Bob
Microsoft Infrastructure
Active Directory.Exchange.SharePoint.
Structured Data
CSV.JSON.XML.
Database Sys
Oracle.My SQL.
Microsoft SQL.
Network/Security
Syslog/SNMP.Cisco NetFlow.
Snort.
Intrusion Detection System
Alice
Cloud
AWS Cloudtrail.Amazon S3.
Azure.
Application Serv
Weblogic.WebSphere.
Tomcat
![Page 8: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/8.jpg)
DataIntegration
• Increasingmovetowardtheintegrationofdataforsecurityanalysiseg withSIEMtools.
Intro
duct
ion
Inc
Res
pons
e
Security Operations Centre
EveEve
Logs/alerts
Bob
SIEM Package (Splunk)
News feeds
Security alerts
![Page 9: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/9.jpg)
DesignandEvaluationof[vSoC]:VirtualisedSecurityOperationsCentreSplunk LabIntegration
[vSoC]
![Page 10: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/10.jpg)
vSoC SIEMArchitecture
U001 - Ubuntu Server192.168.x.7/24)
Main gateway/fireweall Firewall
(pfSense)
W001 - Windows 2003 Server(192.168.y.7/24)
K001 - Kali(DHCP)
K002 - Kali (192.168.y.9/24)
em0(DHCP)
em1em2
10.200.0.1/24
W003 – Windows 2008 with Splunk Enterprise(192.168.y.8/24)
_Public _Private
_DMZ Splunkforwarder
192.168.y.254/24
192.168.x.254/24
![Page 11: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/11.jpg)
Splunk LabIntegration
![Page 12: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/12.jpg)
DesignandEvaluationof[vSoC]:VirtualisedSecurityOperationsCentreSplunk TestingEnvironment–Buttercupgames
[vSoC]
![Page 13: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/13.jpg)
http://asecuritysite.com/tests/tests?sortBy=siem
http://asecuritysite.com:8000
![Page 14: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/14.jpg)
CaptureTheFlagBritishBroadband,andRSASA
[vSoC]
![Page 15: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/15.jpg)
BritishBroadband
• Video:https://www.youtube.com/watch?v=V7o03eLolqA
![Page 16: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/16.jpg)
BritishBroadband
![Page 17: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/17.jpg)
CyberSecurityInsightCamp
![Page 18: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/18.jpg)
![Page 19: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/19.jpg)
![Page 20: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/20.jpg)
BigDatainCyberSecurity
![Page 21: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/21.jpg)
RSASA
![Page 22: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/22.jpg)
CTF– BigDatainCyberSecurity
![Page 23: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/23.jpg)
![Page 24: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/24.jpg)
![Page 25: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/25.jpg)
DesignandEvaluationof[vSoC]:VirtualisedSecurityOperationsCentreResults
[vSoC]
![Page 26: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/26.jpg)
CurrentRangeofVMs
• Specialised:EnCase,WindowsXP(withMalware),GNS3.• LinuxKali.• Ubuntu.• Windows2003,Windows2008,Windows7andWindows8.• Firewalls:pfSense,vyatta,F5Big-IP(indevelopment).• Caine.• Metasploitable.
![Page 27: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/27.jpg)
Example $tubuntu ="t_ubuntu_205"
if($args[1].contains("u")){$ins=$prefix+$iubuntu +$i.ToString("000")+"_private";...Write-Output"Creating:$($ins)from$($temp)in$($folder)for$($folder)disk:$($disk)"new-vm -name$ins-template$temp-datastore $disk-resourcepool DFETLab -DiskStorageFormat thin-location$folder
$apt=Get-NetworkAdapter -VM$insSet-NetworkAdapter -NetworkAdapter $apt-NetworkName $private-confirm:$false
Write-Output"Creating:$($ins)from$($temp)in$($folder)for$($folder)disk:$($disk)"
new-snapshot-VM$ins-Namesnapshot
}
Setupnetwork
CreateVM
Createknownsnapshot
![Page 28: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/28.jpg)
Results
Modulesusedon:Semester1:CryptographyandNetworkForensics(80students);NetworkSecurity(60students– GNS3);Host-basedForensics(60students- EnCase).Semester2:SecurityTesting(70students);e-Security(100students);IncidentResponseandMalwareAnalysis(100students).
Cloudupgrade
![Page 29: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/29.jpg)
SDNIntegrationProfWilliamJBuchanan,CharleyCelice,PeterAaby,BruceRamsay,RichardMacfarlane,AdrianSmales,DrGordonRussellandBobbySoutarhttp://thecyberacademy.org
[vSoC]
![Page 30: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/30.jpg)
CurrentWork
• IntegratingF5Big-IP(30licences).• IntegrationofSDNwithinCloud(withHutchinsonNetworks).• IntegrationofRSASAandSplunk forteachingin2016/2017.• IntegrationofHPEArcsight.• Roll-outoftwoCTF:BritishBroadbandandRSASA(NetworkForensics.• DevelopmentofamobileCloudenvironment,foronsitetraining/CTF.
![Page 31: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/31.jpg)
CurrentWork
![Page 32: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/32.jpg)
CurrentWork
![Page 33: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/33.jpg)
CurrentWork
![Page 34: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/34.jpg)
CurrentWork
![Page 35: Design and Evaluation of [vSoC]: Virtualised Security ... · AWS Cloudtrail . Amazon S3. Azure. Application Serv Weblogic. WebSphere. Tomcat. Data Integration • Increasing move](https://reader033.vdocuments.net/reader033/viewer/2022042612/5f6f13203ac09c368e06eec4/html5/thumbnails/35.jpg)
DesignandEvaluationof[vSoC]:VirtualisedSecurityOperationsCentreProfWilliamJBuchanan,CharleyCelice,PeterAaby,BruceRamsay,RichardMacfarlane,AdrianSmales,DrGordonRussellandBobbySoutarhttp://thecyberacademy.org
[vSoC]