Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Randy Marchany
VA Tech IT Security Office and Lab
marchany@vt.edu
Why?
Weve been collecting security related data
for a number of years and needed a focal
point to help us see the big picture
Data from
Security Reviews
Vulnerability scans (push/pull)
IPS/IDS data
System logs
Why?
The CSOC is a logical place to collect,
analyze and distribute data collected to
support our Defense in Depth Strategy
Why?
We want to measure and report compliance with our IT policies,
state/federal laws and regulations
FERPA, HIPAA, PCI, ITAR, GLB, SOX
VT Policies
6
Where?
OS Syslog/event logs, IDS logs, IPS logs,
PID logs, Firewall logs, Pen Test Logs, PCI,
netflow
CSOC needs to be able to analyze and
display this data quickly
Data resides on separate, distributed servers
CSOC pulls data from these servers as
needed
CSOC lives in the IT Security Office & Lab
What?
Provides real-time view of the VT networks
security status
Provides info to assess risk, attacks,
mitigation
Provides metrics
Executive
Operational
Incident
What?
Event Generators (E boxes)
Any form of IDS sensor (firewalls, IPS, IDS, Snort,
Active Directory servers, Remedy, vulnerability
scanners, TACACS, application software
What?
Events Databases (D boxes)
Provide basic storage, search and correlation tools
for events collected and sent to the CSOC
Vulnerability databases contain info about security
breaches, etc.
10
What?
Events Reactions (R boxes)
SOC Console
11
What?
Analysis Engines (A Boxes)
Helps ID Analyst determine if an incident has
occurred, its spread, its impact, etc.
12
13
14
IDS Infrastructure
Campus Systems
CheckNet
WWW
MySQL DB
IPS
Snort BASE
Central
Syslog
Servers
CheckNet Failure
Nessus, Comm
DB
Scanners
VT Dshield
Remedy Trouble
Ticket System
Dshield
MySQL DB
CIRT
15
Help Desk
User Vuln
Scanner
MySQL DB
SNORT
Sensors
16
17
18
19
20
21
22
23
24
25
26
27
Futures
28
Reference
Reference paper Security Operation
Center Concepts & Implementation by
Renaud Bidou
We used this as our blueprint
29
Contact Information
30
Randy Marchany
VA Tech IT Security Office & Lab
1300 Torgersen Hall
VA Tech
Blacksburg, VA 24060
540-231-9523
marchany@vt.edu
http://security.vt.edu