Information Security Operations Center
Contents (partial): Foreword 01; Annex 1 42; Annex 2 43; Annex 3 49; Glossary 53
Figure: enterprise security solution layers. Big Data Security Analytics; Data: Data Encryption, DLP, DAM, E-Mail Security; End Point/Hosts Security: Anti Virus, Host IDS, WAF, MDM/BYOD, Anti-APT.
1.1.2 IDS/IPS: Intrusion detection and prevention systems detect/prevent network attacks by:

• Filtering the traffic by applying known signatures of the malware and malicious attacks.
• Analysing the traffic flow, looking for deviations from normal behaviour, and blocking the connection if any anomaly is found.

Both IDS and IPS solutions detect threat activity in the form of malware, spyware, viruses, worms and other attack types, as well as threats posed by policy violations. IDS/IPS systems lack visibility into the application layer of the TCP/IP stack and hence may not protect from application-specific attacks.

1.1.3 Virtual Private Network (VPN): To protect data traversing shared communication links from attacks like spoofing and tampering, encrypting the data on the wire has become necessary. A VPN creates private, confidential networks on top of shared public networks like the Internet by encrypting the data. VPNs are thus tamper-proof and provide secure remote employee log-in and remote branch office connection to the enterprise resources.

1.1.4 Anti-DDoS: Distributed Denial of Service (DDoS) is the fastest growing threat. It aims at bringing down critical IT resources by sending malicious traffic and thereby exhausting the capacity of the critical resource. DoS attacks can happen at any layer of TCP/IP, right from flooding the routers to opening a huge number of connections to target applications. The solutions also vary at each layer. ISPs (Internet Service Providers) offer layer 3 and layer 4 DDoS protection services, guaranteeing clean pipes from volumetric DDoS attacks. However, to prevent layer 7 DDoS attacks, on-premise DDoS detection and prevention devices need to be put in place.

1.1.5 Honeypots: These are traps set up inside the network, waiting for someone to attack. They work on a simple concept: alert the security administrator the moment a contact is made to them.

1.1.6 Network Access Control (NAC): Non-compliant devices can be denied access to the enterprise network using NAC, isolating these insecure devices from infecting the rest of the nodes in the network. Examples of non-compliant devices include unauthorized devices, un-patched and not updated devices, etc.

1.1.7 Network Behaviour Anomaly Detection (NBAD): Preventative security measures are often defeated by new polymorphic malware and zero-day exploits. Therefore, it is important to be on the watch for intruders. NBAD analyses the flow of data across all devices to understand the deviations from normal traffic. For example, a certain type of traffic, say Skype, from normal users can be acceptable, but the same type of traffic from servers is very suspicious. NBAD is useful in detecting suspicious behaviour and can guide the security experts in forming rules to prevent such events from occurring in future.

1.2 Host Security

Hosts are the main access points to the critical assets of the enterprise and hence it is imperative to secure the hosts.

1.2.1 Anti-Virus: The most common basic security deployed on every host is anti-virus.

1.2.2 Host IDS: As anti-virus systems work based on signature verification and cannot protect hosts from zero-day malware, the servers are protected by another layer of security, which is host-based IDS. The main goal of host IDS is to keep the integrity of the server intact. It keeps monitoring suspicious operations like configuration changes, registry changes, log re-writes, file deletes, etc., and immediately alerts/blocks as per policy.

1.2.3 Web Application Firewall (WAF): The fastest growing categories of attacks and data breaches are those that target applications. There are countless possibilities to exploit code vulnerabilities and application modules. Almost every web-based application has one or more web application vulnerabilities listed in the OWASP Top 10 list. OWASP reported that 95% of websites are compromised by cross-site scripting attack.
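The two IDS/IPS techniques in 1.1.2 (signature filtering and deviation from normal behaviour) and the NBAD example in 1.1.7 (Skype-like traffic is normal from workstations but suspicious from a server) can be shown together in a few dozen lines. The following is an added example written for this page, not code from the original document or from any product it names; the flow records, the asset roles, the two payload patterns and the UDP/3478 "Skype-like" port are all constructed for the illustration, and the baseline is learned from a clean window of flows rather than configured by hand.

```python
"""Miniature IDS/NBAD over constructed flow records (added example, not from the page)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str               # source host name
    role: str              # asset role of the host: "workstation" or "server"
    proto: str             # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""   # first bytes of the payload, if the sensor captured any


# Signature rules: name -> pattern matched against the captured payload.
# These patterns are constructed for the example; they are not real malware signatures.
SIGNATURES = {
    "example-marker-in-http": re.compile(rb"X-Example-Malware-Marker"),
    "example-beacon-format": re.compile(rb"^BEACON:[0-9a-f]{8}"),
}


def learn_baseline(history):
    """NBAD step 1: per role, record the (proto, dst_port) pairs seen during a clean window.

    A server that later opens a combination its role never used is a deviation from normal.
    """
    baseline = defaultdict(set)
    for f in history:
        baseline[f.role].add((f.proto, f.dst_port))
    return dict(baseline)


def inspect(flow, baseline):
    """Return (kind, detail) findings: 'signature' for a known pattern, 'anomaly' for a baseline deviation."""
    findings = []
    for name, pattern in SIGNATURES.items():
        if pattern.search(flow.payload):
            findings.append(("signature", name))
    if (flow.proto, flow.dst_port) not in baseline.get(flow.role, set()):
        findings.append(("anomaly", f"{flow.role} {flow.src} -> {flow.proto}/{flow.dst_port} not in baseline"))
    return findings


def run(history, live, mode="ids"):
    """IDS mode only reports; IPS mode additionally returns a 'block' verdict for flows with findings."""
    baseline = learn_baseline(history)
    results = []
    for f in live:
        findings = inspect(f, baseline)
        verdict = "block" if (findings and mode == "ips") else "allow"
        results.append((f.src, verdict, findings))
    return results


def demo(mode="ips"):
    """Constructed learning window and live flows: UDP/3478 (STUN, used by voice/video clients)
    is normal from workstations, but the baseline never saw a server use it."""
    history = [
        Flow("ws-01", "workstation", "tcp", 443),
        Flow("ws-02", "workstation", "udp", 3478),
        Flow("ws-03", "workstation", "tcp", 80),
        Flow("srv-web", "server", "tcp", 443),       # servers only fetch updates over HTTPS
    ]
    live = [
        Flow("ws-02", "workstation", "udp", 3478),                                   # normal
        Flow("srv-db", "server", "udp", 3478),                                       # anomaly
        Flow("ws-01", "workstation", "tcp", 80, b"GET / HTTP/1.1\r\nX-Example-Malware-Marker: 1"),  # signature
        Flow("srv-web", "server", "tcp", 443, b"BEACON:deadbeef"),                   # signature
    ]
    return run(history, live, mode=mode)


if __name__ == "__main__":
    for src, verdict, findings in demo():
        print(src, verdict, findings)
```

The anomaly branch is deliberately role-based rather than host-based: a baseline keyed on the individual host would need a learning window per machine, while a baseline per role captures the text's point that the same traffic means different things from a user desktop and from a server.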
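Section 1.2.2 describes the host IDS as an integrity monitor that watches configuration changes, log re-writes and file deletes and alerts or blocks as per policy. The following added example (written for this page, not code from the original document) shows the core of that mechanism as file integrity monitoring: a digest baseline of a directory tree, a comparison that classifies every change, and a small policy table deciding between alert and block. The directory layout, file contents and policy prefixes are constructed for the illustration, and the paths assume a POSIX separator.

```python
"""Host-IDS style file integrity monitoring on a constructed directory (added example, not from the page)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Classify every difference between two snapshots as added, modified or deleted."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


# Policy: (path prefix, change kind, action). Constructed for the example; a real HIDS
# would also distinguish a normal log append from a rewrite (both change the digest here).
POLICY = [
    ("etc/", "modified", "block"),      # run-time configuration changes are not expected on a server
    ("etc/", "deleted", "block"),
    ("var/log/", "modified", "alert"),  # a rewritten log is suspicious but may be rotation
    ("var/log/", "deleted", "block"),
]


def decide(changes):
    """Apply POLICY to a change report; returns (path, kind, action) triples, 'alert' by default."""
    decisions = []
    for kind in ("added", "modified", "deleted"):
        for path in changes[kind]:
            action = "alert"
            for prefix, pkind, paction in POLICY:
                if kind == pkind and path.startswith(prefix):
                    action = paction
                    break
            decisions.append((path, kind, action))
    return decisions


def demo():
    """Build a small server-like tree, baseline it, apply unapproved changes, and return the decisions."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("etc/app.conf", b"listen=443\n")
        write("etc/users.allow", b"alice\n")
        write("var/log/app.log", b"started\n")
        write("var/www/index.html", b"<html></html>")
        baseline = snapshot(root)

        write("etc/app.conf", b"listen=443\ndebug=true\n")   # configuration change
        os.remove(os.path.join(root, "etc/users.allow"))      # access list deleted
        write("var/log/app.log", b"")                         # log truncated / rewritten
        write("var/www/new.html", b"<html>new</html>")        # unexpected new file in web root
        return decide(compare(baseline, snapshot(root)))


if __name__ == "__main__":
    for path, kind, action in demo():
        print(f"{action:5} {kind:8} {path}")
```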
Figure: DLP deployment. Enterprise network with DLP Agent and DLP Server; Block/Encrypt actions on traffic towards Supplier Networks, Partner Networks and Social Networks.

Data Leakage Prevention (DLP) solutions protect sensitive data and provide insight into the use of content within the enterprise. This includes three major aspects:

Monitoring database activity is a critical component of database security, especially as information that is more sensitive is consolidated into larger databases. Database Activity Monitoring involves the capturing and recording of all Structured Query Language (SQL) activity in real-time or near real-time. These tools can monitor database administrator activity across multiple database platforms and can generate alerts on policy violations. Database activity monitoring takes place at various levels by different tools. However, five features distinguish Database Activity Monitoring tools:

• Monitoring: Monitor and audit all database activity, like administrator activity and SELECT transactions. Tools can capture all SQL transactions: DML, DDL, DCL (and sometimes TCL) activity.
• Secure Storage: Storing monitoring and audit data securely outside the database.
• Correlation and Analysis: These tools aggregate and correlate activity from multiple heterogeneous Database Management Systems (DBMSs). Tools can work with multiple DBMSs (e.g., Oracle, SQL Server and DB2) and normalize transactions from different DBMSs, overcoming the differences among many SQL flavours.
• Segregation of Duties: Enforce separation of duties on database administrators. Auditing must include monitoring of DBA activity, and solutions should prevent manipulation or tampering of logs or any such recorded activity.
• Alert Mechanism: Generate alerts on policy violations. Not only do they record database activity, they also provide real-time monitoring and rule-based alerting. For example, a rule can be created to generate an alert whenever a DBA performs a SELECT query on a particular column, say credit card.

1.3.4 E-Mail Security: E-mail is a popular attack vector and hence individual and business accounts need to be protected. E-mail acts as a launchpad for attacks like spam, phishing, spreading malware, etc. A secure e-mail gateway that scans all e-mails and filters out the malicious ones is now common across all enterprises.

1.4 Identity and Access Control

Various tools should be used to enforce the application or resource usage policy via the mechanism of access to the applications. Identity and access management solutions with a central directory of identities are integrated with applications when requesting sensitive information and computing resources.

… applications and their underlying platform with a “need to know/access” policy defined by the business layer.

1.4.1 Directory Services

A directory is like a registry where all information about users, groups, computers, servers, printers, network shares, and more is stored. Each of these is considered an object and has attributes associated with it in the directory. Security policies can be built on top of this information. Based on these policies, directory services can carry out single sign-on to network resources; lock down desktop configurations and prevent access to specific operations such as software installation or registry editing; and set access control privileges on directory objects. Directory services are one of the first centralised (single point) controllers of all applications, users, databases, files, etc., in an enterprise network. However, due to platform dependency, today directory services control only a few sections of the enterprise IT resources.

1.4.2 Two Factor Authentication (2FA)

2FA is an extra security layer that authenticates the user with one more factor over and above the usual password. Usually the second factor is a dynamic OTP (One-time Password) communicated to the customers (external users) over a different device they own and on a different channel, like OTPs sent over mobile for Internet Banking. For internal users, biometrics is the norm used as the second factor to operate sensitive critical applications.

1.4.3 Privileged Identity Module (PIM)

The IT personnel who maintain servers, network components, and software are given the elevated permissions needed to manage and maintain the IT infrastructure. Called privileged identities, they are allowed unrestricted access to view and change data, alter configuration settings, and run programs. Business applications and computer services must also store and use privileged credentials to authenticate with databases, middleware, and other
Control on these administrative rights with Privileged Identity Management (PIM) tools is required. Through PIM, one can manage and monitor the actions of the privileged identities, enforce authentication policies including multi-factor authentication, and raise alerts in case of policy violations. PIM software auto-discovers and catalogues privileged accounts present on a wide range of systems and applications and then propagates password changes wherever the account is referenced, in order to prevent the account lockouts and service failures that can otherwise occur when manual processes deploy obsolete credentials.

1.4.4 Single Sign-on (SSO)

SSO allows a user to log in once with a single ID to access all applications and platforms. The user is authorised to access, and further prompts are eliminated when they switch applications during a particular session. Single sign-off allows logging out from all the systems with a single log-out. However, logging off a particular application does not log them out of all the applications they were accessing.

SSO is always treated as a convenience from the user's angle; however, the main advantage of SSO is that when an employee leaves an organisation, it is easy to disable his/her access to all resources in one go by removing his ID, thereby protecting all resources s/he was given access to.

Operating a security program requires the necessary tools to support change control and to track assets based on an asset classification framework. An effective security operations program is underpinned by IT Service Management.

1.5.1 Service Asset Configuration and Management (SACM)

According to ITIL, SACM is the process responsible for ensuring that the assets required to deliver services are properly controlled, and that accurate and reliable information about those assets is available when and where it is needed. This information includes details of how the assets have been configured and the relationships between assets. The ITIL standard gives complete details about Service Asset Configuration and Management.

The ITSM (IT Service Management) tool to deploy ITIL best practices comes in as a central ITSM tool with various modules. The heart of this tool is a CMDB (Configuration Management Database), which holds the detailed information of all the assets, their inter-linkage, configurations, etc. This becomes an ideal source of any information about IT assets. All the other ITSM modules take the asset information from this central tool to correlate the information and provide meaningful intelligence. Modules like Service Desk, Change Management, Asset Management, Problem Management, Knowledge Management, CMDB, Vulnerability Management, Fault, Performance, Availability and Incident Management should be integrated to take in data from one module, perform the function and pass on to the next module for automated escalations and management. Annexure 1.1 provides the maturity model for Asset Configuration and Management.

It has become very common for vendors of hardware, software, network devices, security solutions, etc., to keep releasing patches to close vulnerabilities. Not patching the systems leaves the enterprise at greater risk. Manual patching takes too long and leaves no audit trail of the whole exercise. Modern enterprises are automating the process of vulnerability and patch management through centralised tools.
Table: vulnerability management maturity roadmap (columns run from least to most mature, left to right; the source groups them into the stages Business Ignorance, Awareness & Early Maturity, and Business Risk & Context).

| Aspect | 1 | 2 | 3 | 4 | 5 | 6 |
| --- | --- | --- | --- | --- | --- | --- |
| Approach | No Vulnerability Scanning | Vulnerability Assessment Solution in Place | Driven by Regulatory Framework | Risk-focused | Attacker and threat focused | Threat and risk aligned with business goals |
| Scanning | Manual Vulnerability Assessments | Ad-hoc Vulnerability Scanning | Scheduled Vulnerability Scanning | Scan data prioritized through analytics | Multiple threat-vectors scanned and prioritized | All threat-vectors scanned and prioritized |
| Patching | Haphazard Patching | Rudimentary Patching | Scan to Patch Lifecycle | Patching data-driven by priority | Patching based on risk to critical assets | Continuous patching |
| Processes | No Process Exists | Basic Processes | Emerging Processes | Measurable Processes | Efficient, metrics-based processes | Unified business and IT Processes |
| Metrics | No Metrics | Basic Metrics | Little Measurability, Busy Metrics | Emerging Metrics and Trends | Threat-driven metrics and trends | Measurement integrated to enterprise risk mgmt. |

Source: https://www.rsaconference.com/blogs/growing-up-a-roadmap-to-vulnerability-management-maturity
1.5.3 Security Incident and Event Management (SIEM)

SIEM is a tool that collects logs and events from various security infrastructure, systems and applications and stores them centrally. It also helps in normalizing the logs/events of different types from different nodes to a standard pattern. The collection and storing are done in a compressed form to save network and storage resources. Once collected, these logs/events are analysed and correlated, and meaningful intelligence is provided on a central console with various customizable dashboards for faster reaction and identification of the root cause of the incident. More details on SIEM are available in the upcoming chapters.

1.5.4 Security Operations Center

Security Operations Center is a generic term describing a platform set up for the purpose of providing detection and timely reactive services to security incidents.

An ISOC solution is an integrated deployment of advanced cyber security products/services, expert human resources, and industry best practices and processes. ISOC implementation and operationalization plays a crucial role in achieving the objective of providing in-depth centralized visibility into the organization's IT infrastructure to monitor, detect, prevent and mitigate security incidents.

Organisations need to focus more on rapid detection and response mechanisms, apart from technologies that prevent intrusions. Quick detection and remediation is possible only by automating the security operations. Such automation frees up analysts from mundane tasks and allows them to concentrate on higher priority risks affecting the most critical assets and data. ISOC automation capability is going to be a major distinguishing factor in assessing an ISOC product/technology.

An advanced implementation of an Information Security Operations Center (ISOC) may have the following additional components. Upon implementation of a basic version of ISOC, organisations may build these functionalities into their ISOC.
• User and Entity Behaviour Analytics: Attackers tend to compromise legitimate user accounts to access the target system. However, different users exhibit different patterns of activity. Analysis of user behaviour data helps to create a baseline of normal user behaviour and report suspicious, anomalous behaviour. This makes it possible to differentiate a legitimate user from an intruder. Machine learning based techniques have successfully demonstrated detection of this kind of compromise. Recently, user behaviour analytics has transformed into user and entity behaviour analytics for effective detection of various frauds including insider threat. Signature-less, behaviour-based analytics is a new approach for detecting insider and targeted cyber threats.

• Digital Forensic Capabilities: Though this capability is mentioned as one of the basic functions of ISOC, very few organisations plan and implement it. As a future expansion, ISOC may develop forensic capabilities for identifying, preserving, recovering, analyzing, and presenting digital evidence to establish a digital crime. This capability of the ISOC team will lead to a quick response to any adverse situation.

• Big Data Analytics: Storing and querying large amounts of data collected by ISOC also requires database technologies capable of handling such huge volumes and supporting future scaling up. Relational databases to store and query data might not scale well and could pose a problem for organisations as information requirements continue to grow. Big Data platforms can store and process large amounts of data and would be the way forward for a futuristic ISOC, which requires contextual retrieval of large amounts of data. This should also be compatible with the traditional log management and SIEM tools.

The future of ISOC lies in analysing data across all systems, instead of just glancing at logs, flows and packets. The future is the accuracy and speed of detection for security threats that can exceed the ability of attackers to hide in the noise.

• Cyber Threat Hunting: Cyber threat hunting, according to Wikipedia, is “the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.” This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), and SIEM systems, which typically involve an investigation after there has been a warning of a potential threat or an incident has occurred.

Cyber hunting platforms, which work in real-time and are network-based, are available now. They empower the cyber hunter to identify zero-day threats by quickly deploying constant analytics at large scale. They use dynamic, on-the-wire analysis. Being on the network allows the organisation to be proactive. They believe that packets do not lie. The malware author's “tricks” for obfuscation cannot divert or mislead these platforms.

• Deception Networks: Unlike a honeypot (which is just a set of devices set up to appear like a real network to induce an adversary to attack), a deception network is all or part of the actual enterprise that is instrumented and protected such that the adversary is allowed to engage and the engagement is captured forensically but does no harm. The benefit is that the adversary does not know that s/he is being tracked and manipulated. They use “Deceptions Everywhere Technology” to neutralize targeted attacks and advanced persistent threats by creating a deceptive layer across the entire network. This provides an endless source of false information, disrupting and detecting advanced attacks with
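The User and Entity Behaviour Analytics bullet above describes learning a baseline of normal behaviour per user and reporting deviations from it. The following added example (written for this page, not code from the original document or any product) implements the non-ML core of that idea: per-user baselines of login hours, source hosts and outbound volume are learned from clean history, each live event is scored by how many independent deviations it shows, and an account with no history at all is always flagged. The login records, user names and the three-deviation threshold are constructed for the illustration.

```python
"""Per-user behavioural baseline and anomaly scoring on constructed login records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev


def build_baselines(history):
    """Learn, per user, the usual login hours, source hosts and outbound volume from clean history."""
    per_user = defaultdict(list)
    for e in history:
        per_user[e["user"]].append(e)
    baselines = {}
    for user, evs in per_user.items():
        hours = [e["hour"] for e in evs]
        volume = [e["mb_out"] for e in evs]
        baselines[user] = {
            "hosts": {e["host"] for e in evs},
            "hour_min": min(hours),
            "hour_max": max(hours),
            "mb_mean": mean(volume),
            "mb_std": max(pstdev(volume), 1.0),   # floor avoids division by zero for very regular users
        }
    return baselines


def score_event(e, baselines):
    """Return (score, reasons): score counts independent deviations from the user's own baseline.
    An account with no baseline cannot be compared to anything and scores infinity."""
    b = baselines.get(e["user"])
    if b is None:
        return float("inf"), ["no baseline for user"]
    reasons = []
    z = (e["mb_out"] - b["mb_mean"]) / b["mb_std"]
    if z > 3:
        reasons.append(f"outbound volume z-score {z:.1f}")
    if not b["hour_min"] <= e["hour"] <= b["hour_max"]:
        reasons.append(f"login at hour {e['hour']} outside {b['hour_min']}-{b['hour_max']}")
    if e["host"] not in b["hosts"]:
        reasons.append(f"new source host {e['host']}")
    return len(reasons), reasons


def detect(history, live, threshold=2):
    """Flag live events whose score reaches threshold; a single deviation on its own is tolerated."""
    baselines = build_baselines(history)
    flagged = []
    for e in live:
        score, reasons = score_event(e, baselines)
        if score >= threshold:
            flagged.append((e["user"], score, reasons))
    return flagged


def demo():
    history = [  # constructed: normal activity for two users with very different habits
        {"user": "asha", "hour": 9, "host": "ws-asha", "mb_out": 10},
        {"user": "asha", "hour": 10, "host": "ws-asha", "mb_out": 20},
        {"user": "asha", "hour": 14, "host": "ws-asha", "mb_out": 30},
        {"user": "asha", "hour": 17, "host": "ws-asha", "mb_out": 40},
        {"user": "asha", "hour": 18, "host": "ws-asha", "mb_out": 25},
        {"user": "ravi", "hour": 22, "host": "ws-ravi", "mb_out": 5},   # night-shift operator
        {"user": "ravi", "hour": 23, "host": "ws-ravi", "mb_out": 5},
        {"user": "ravi", "hour": 23, "host": "ws-ravi", "mb_out": 5},
    ]
    live = [
        {"user": "asha", "hour": 10, "host": "ws-asha", "mb_out": 35},   # normal
        {"user": "asha", "hour": 3, "host": "ws-temp", "mb_out": 900},   # off-hours, new host, large volume
        {"user": "ravi", "hour": 23, "host": "ws-ravi", "mb_out": 60},   # one deviation only: tolerated
        {"user": "ghost", "hour": 12, "host": "ws-asha", "mb_out": 1},   # account with no history
    ]
    return detect(history, live)


if __name__ == "__main__":
    for user, score, reasons in demo():
        print(user, score, reasons)
```

Note that ravi's 23:00 login is normal for ravi and would be off-hours for asha; that is the point of a per-entity baseline rather than a global rule.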
Conclusion

This chapter glanced through the existing important security solutions that are essential in the present environment for any enterprise. The solutions explained here are not exhaustive but indicative only. Enterprises need to put in place SOPs (Standard Operating Procedures) for all these security solutions.

The following challenges remain despite rolling out the majority of the security solutions:

• Security data overload: too many devices, too much data
• Lack of event correlation across multi-vendor services (IDS, firewalls, anti-virus and hosts)
• Excessive false positives
• No timely and targeted reporting
• Minimizing risk against key assets
• Incident response mechanism.

References

• https://www.rsaconference.com/writable/presentations/file_upload/sec-w04_final.pdf
• https://securosis.com/assets/library/reports/DLP-Whitepaper.pdf
• https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/technology/lu_dlp-data-lost-prevention-solution_02102014.pdf
• https://securosis.com/assets/library/reports/DAM-Whitepaper-final.pdf
• http://iasaglobal.org/itabok/capability-descriptions/access-and-identity-management/
• http://www.oregon.gov/DAS/EISPD/ITIP/docs/ArchCh6_AssetMgt_v1_0.doc pp. 3-5 (March 2004)
• Author cited by source: Patricia Adams of Gartner (Sep 10, 2003) in article “Management Update: IT Asset Management Stages Form the Stairway to Success”
• Is logging dead in the future of security threat detection? by Alex Taverner, December 2016, https://www.cio-asia.com/print-article/105558/
• Next-generation security monitoring and analytics by Peter Stephenson, December 14, 2016, https://www.scmagazine.com/next-generation-security-monitoring-and-analytics/article/577705/
• Next-Generation Security Operations – Preview by Nigel Willson, https://nigesecurityguy.wordpress.com/2016/09/26/next-generation-security-operations-preview/
• “Cyber threat hunting: How this vulnerability detection strategy gives analysts an edge - TechRepublic”. TechRepublic. 2016-06-07
The gap analysis done and the detailed study conducted on the cost of the various models of implementation would assist an organisation in deciding the budget to be allocated (Capex-intensive in-house model or perpetual licensing model vs. Opex-intensive outsourced model or consumption license model vs. hybrid model). An organisation can also explore newer technologies like virtualization and cloud-based services wherever possible, which could bring down the total expenditure requirement. Annex 2.4 provides a template for the ISOC budget.

2.7.7 Formulate ISOC Strategy

Selecting the optimal ISOC strategy depends on the business and IT requirements, threat landscape, regulatory requirements and financial constraints. The ISOC strategy should be arrived at based on roles and responsibilities, the various stakeholders, the model of operation (own, outsourced), the processes and resources required, and priorities with respect to operation. A roadmap may be developed accordingly.

2.7.8 Identify the ISOC Technologies

The ISOC is a combination of technologies put together with seamless integration, in order to achieve faster incident detection and response.

• Security information and event management (SIEM) tools are the core technical components of ISOC. SIEM technology supports threat detection and security incident response through real-time collection and historical
• It also supports compliance reporting and incident investigation through analysis of historical data from these sources. The main capabilities include event and log collection and management, data aggregation, normalization, correlation, analysis, reporting, alerting and dashboard facilities.
• Network monitoring tools provide insight into the state of the network within an organisation. Often referred to as Network Analysis and Visibility (NAV)/NBAD, these tools monitor critical network characteristics for a possible presence of threat in real time and alert/trigger the response mechanism.
• Situational awareness is an important component in ISOC, which aims to achieve a thorough understanding of attack vectors and the knowledge of which processes/systems/people have access to which valuable information within an organisation. In order to counter emerging threats, self-learning, predictive analysis and risk-based decision systems are also being implemented as part of situational awareness.

2.7.9 Understand the ISOC Tool Architecture

The ISOC tool comprises Log Analyser, Network Analyser, Malware Analysers and Forensic Analysers, with the incident response mechanism taking input from all these analysers. For carrying out the process of security analysis, auditing, and compliance, data from various sources like event logs, network packets, network flows, etc., and in different formats, needs to be collected.

Figure: ISOC tool architecture (labels surviving from the diagram: Incident Response, Forensic Data).
… case of multiple locations connected over a wide-area network (WAN). Collection of network flows, which gives contextual information about network connections, is much more feasible than capturing full packets.

The system's overall performance is dependent on capturing, maintaining, and exporting network flow information. Working through a capacity-planning exercise and consulting with the network vendor on the impact of enabling the feature is the best practice. Similar to syslog, one can implement a centralized, distributed, or semi-centralized model for collecting network flows.

2.7.9.3 Telemetry Data – Packet Capture

There are cases in which one needs to go beyond collecting logs and network flows. Security point solutions like Intrusion Detection Systems (IDS), Deep Packet Inspection (DPI), Forensic Analysis, etc., need network traffic containing the actual data (payload) to be captured and forwarded. One may consider the following two techniques to capture network packets, in the case of Ethernet:

Port Mirroring: Network switches can be configured to mirror traffic seen on ports or VLANs to other local or remote ports. The network throughput of the source and destination ports needs to be considered while doing port mirroring.

Network Taps: Connecting network taps (out-of-band devices) is another approach to monitor and capture packets from point-to-point links. Connecting taps to all network lines may not be feasible. Taps can be connected to the most important locations in the network, such as Internet gateways and data centers. In larger, complex organizations, network taps may be implemented for packet capture to reduce the overhead on the business network.

2.7.9.4 Parsing and Normalization

Data that has been collected must first be parsed and normalized for further analysis. Raw input data is processed and meaningful data is extracted from the raw logs through the process of parsing. With normalization, similar extracted events from multiple sources are uniformly stored or consumed by subsequent processing steps.

2.7.9.5 Security Analysis

Security analysis involves researching collected data in order to uncover potential threats. This could vary from performing basic incident mapping to advanced mathematical modelling, to discover known or unknown threats and to understand threat patterns.

Security event correlation is offered by many SIEM solutions as one of their core components. This involves identifying relationships between disparate events from various sources and collating and analysing these, to detect and report threats.

The correlation engine of a SIEM has rules, which require regular updates. The default rules can be fine-tuned and custom rules created, based on the organizational environment, business requirements and the use cases identified. Out-of-the-box rules could include alerting on excessive failed login attempts, malware detection, unauthorised outbound connections, DoS attacks, etc.

2.7.9.6 Data Enrichment

Adding additional context to the data collected is known as data enrichment. Data enrichment helps in making more informed decisions, thus improving the accuracy of threat-detection processes and tools. Following are a few examples of data enrichment:

• Geo information, mapping IP addresses to geographical locations
• WHOIS information, providing additional contextual information on IP addresses
• Reputation information on IP addresses, domain names, file hash values, e-mail senders, etc.
• Domain age information.
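Sections 2.7.9.4 to 2.7.9.6 describe parsing, normalization, correlation and enrichment as separate stages, and the Database Activity Monitoring feature list in section 1.3 gives one concrete correlation rule (alert when a DBA performs a SELECT on a credit card column). The following added example, written for this page and not taken from the original document or any SIEM product, runs all of those stages over ten constructed log lines in three formats: an sshd failure, a firewall connection record and a database audit record. The line formats, the geo and reputation tables, the DBA user list, the 60-second/3-failure threshold and the sensitive column name are all assumptions made for the illustration.

```python
"""Parse -> normalize -> enrich -> correlate over constructed log lines (added example, not from the page)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# One parser per constructed source format; each maps a raw line onto the common event schema.
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
DB_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) db=\S+ stmt="(?P<sql>[^"]+)"')


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse(line):
    """Parsing + normalization: extract fields and emit one dict with shared keys (ts, host, category, ...)."""
    if m := SSH_RE.match(line):
        return {"ts": _ts(m["ts"]), "host": m["host"], "category": "auth_failure",
                "user": m["user"], "src_ip": m["src"]}
    if m := FW_RE.match(line):
        return {"ts": _ts(m["ts"]), "host": m["host"], "category": "net_conn", "action": m["action"],
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"])}
    if m := DB_RE.match(line):
        return {"ts": _ts(m["ts"]), "host": m["host"], "category": "db_query",
                "user": m["user"], "sql": m["sql"]}
    return None   # unknown format: a real pipeline counts these so parser gaps become visible


# Constructed enrichment tables standing in for a geo-IP database and a reputation feed.
GEO = {"203.0.113.9": "XX", "10.0.0.5": "internal"}
REPUTATION = {"198.51.100.7": "known-bad"}


def enrich(e):
    """Enrichment: attach context looked up from the normalized IP fields."""
    if "src_ip" in e:
        e["src_geo"] = GEO.get(e["src_ip"], "unknown")
    if "dst_ip" in e:
        e["dst_reputation"] = REPUTATION.get(e["dst_ip"], "none")
    return e


DBA_USERS = {"dba_ravi"}                                                # constructed
SENSITIVE_SELECT = re.compile(r"^\s*SELECT\b.*\bcard_number\b", re.I)  # the DAM rule from section 1.3


def correlate(events, window_s=60, threshold=3):
    """Three rules over the normalized, enriched stream: a sliding-window count, a reputation join
    and a content rule. Events are processed in timestamp order regardless of arrival order."""
    alerts = []
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures inside the window
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["category"] == "auth_failure":
            q = failures[e["src_ip"]]
            q.append(e["ts"])
            while (e["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) == threshold:   # fire once when the threshold is crossed, not on every later failure
                alerts.append(("brute-force", e["src_ip"], e["host"], e["src_geo"]))
        elif e["category"] == "net_conn" and e["action"] == "allow" and e["dst_reputation"] == "known-bad":
            alerts.append(("outbound-to-bad-reputation", e["src_ip"], e["dst_ip"], e["host"]))
        elif e["category"] == "db_query" and e["user"] in DBA_USERS and SENSITIVE_SELECT.search(e["sql"]):
            alerts.append(("dba-select-sensitive-column", e["user"], e["host"], e["sql"]))
    return alerts


def pipeline(lines):
    events = [enrich(e) for e in map(parse, lines) if e]
    return events, correlate(events)


SAMPLE = [   # constructed log lines
    "2024-03-03T10:00:01Z web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 5050 ssh2",
    "2024-03-03T10:00:09Z web01 sshd[1202]: Failed password for root from 203.0.113.9 port 5051 ssh2",
    "2024-03-03T10:00:15Z web01 sshd[1203]: Failed password for invalid user test from 203.0.113.9 port 5052 ssh2",
    "2024-03-03T10:00:20Z web01 sshd[1204]: Failed password for root from 203.0.113.9 port 5053 ssh2",
    "2024-03-03T10:03:00Z web01 sshd[1205]: Failed password for alice from 10.0.0.5 port 6000 ssh2",
    "2024-03-03T10:00:05Z fw01 action=allow src=10.0.0.5 dst=198.51.100.7 dport=443 proto=tcp",
    "2024-03-03T10:00:06Z fw01 action=allow src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp",
    '2024-03-03T10:00:07Z db01 user=dba_ravi db=cards stmt="SELECT card_number FROM customers WHERE id=5"',
    '2024-03-03T10:00:08Z db01 user=app_svc db=cards stmt="SELECT name FROM customers WHERE id=5"',
    "this line is in no known format",
]

if __name__ == "__main__":
    for alert in pipeline(SAMPLE)[1]:
        print(alert)
```

The brute-force rule keys its window on the enriched `src_ip` field, not on any source-specific name, which is what normalization buys: the same rule would fire on failures reported by a VPN gateway or a web application once their parsers emit the `auth_failure` category.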
… products). Collectors collect events from Syslog UDP, Syslog TCP, JDBC, Log File protocol, etc. Event Processors filter the events based on parsers and some rule sets. Event Analysers perform analysis on the events filtered by the event processors and provide a dashboard to the ISOC users. ISOC deployment models basically vary on how these three elements are best placed.

2.7.12.1 Centralised

In a centralised model, all three components are placed at a central location. This deployment model is very simple and suits very small organisations, wherein the number of systems and events is very low. For larger organisations, this model would not be suitable, as shipping the event data to the central location without filtering may exhaust the bandwidth on WAN links.

2.7.12.2 Distributed Processor and Central Analyser

In this model, the collectors and processors could be distributed. Each processor filters the events collected by a group of collectors and then hands them to the analyser. This model suits larger organisations, wherein only the processed data is handed over to the central analyser, reducing the bandwidth requirement over the WAN considerably.

2.7.13 Understand the ISOC Licensing Models

ISOC components are basically licensed depending on the number of EPS (events per second) generated and the number of data collectors and data processors deployed. During the data collection phase, the EPS estimation exercise needs to be done, which would help in deciding the actual deployment model, which in turn decides the licensing model. The specific products purchased should support scalability and also upgradation, based on the changing environment.

2.7.14 Understand Processes

Identify the core responsibilities and processes in an ISOC. There would be various day-to-day security tasks like patch management, server hardening, anti-virus signature updates, fixing vulnerabilities, monitoring availability, etc., which need to be handled by IT Operations. Other monitoring tasks such as detecting a DoS attack, remote code execution attacks, SQL injection, unauthorised login attempts, etc., should be handled by the ISOC.

It is important to identify the core responsibilities of the SOC and of the IT operations center. Based on the identified responsibilities for each, come to an agreement on how responsibilities are to be divided between the two.

2.7.15 Understand the level and depth of automation

The ISOC's job is to monitor and help the respective teams remediate threats across the entire IT infrastructure as quickly as possible. To achieve this, it is necessary to integrate and automate the functions and processes of the ISOC. The more the automation, the faster the detection and mitigation capabilities, with minimal human resources. However, automating monitoring and remediation could be a costly process. Identify the core tasks and processes which need to be automated.

2.7.16 ISOC Operating Models

Most organisations face the dilemma of whether to outsource the ISOC or have it built in-house. Organizations have varied business models, risk profiles, technology implemented, and compliance and regulatory requirements to satisfy, with which the ISOC must align. Based on these factors, the ISOC deployment methodology may be arrived at. The common ISOC operating models are:

2.7.16.1 In-house Captive ISOC

A captive or in-house ISOC is generally deployed by organisations who want to avoid outsourcing of the ISOC, due to various reasons like risks of critical security data loss, misuse of security logs and analysis, policy and regulatory requirements, etc. The organisation can leverage its own dedicated resources who
understand the environment and enable efficient correlations among different working groups. This also allows for customization as per the organization's needs. The challenges include high Capex investment, the requirement of in-house skilled resources over the long term, time to realize ROI, and time and effort to set up the infrastructure.

One method to implement an in-house captive ISOC is the Build, Operate and Transfer (BOT) model. Organisations adopt this model with a vision to fully own and operate the ISOC at a later period, while wanting to leverage the expertise of a service provider in setting it up and in attaining a faster maturity level, thus mitigating risks in the start-up stage. BOT, as a hybrid model, combines elements of the captive centre and outsourcing.

During the Build phase, the service provider sets up the infrastructure and provides the resources required for the activity. In the Operate phase, the provider manages the ISOC, providing security services and also the personnel required for the same. During the Transfer phase, the provider initiates activities like trainings, knowledge transfers, etc., to the in-house team.

2.7.16.2 Outsourced or MSSP Model

Organisations going for managed security operations can leverage the service provider's already existing infrastructure and skilled resource pool. Immediate benefits of ISOC implementation are visible to the management. In addition, service providers, due to their various engagements with other organisations, can bring in the knowledge base, learnings, and best practices with respect to security incident and event handling and threat intelligence. The ability to scale up would be faster when compared to a captive ISOC. Risks include loss/misuse of critical security data, sharing the organisation's vulnerability details with a third party, misuse of data after the end of the contract, etc. It is necessary to choose trusted partners based on their reputation, reference customers, level of security and experience of staff. Stringent contracts, NDA and SLA need to be in place with the service providers to address the risks involved.

2.7.16.3 Hybrid ISOC

This model is a hybrid of the in-house and outsourced methods, wherein the organisation can leverage the best of both worlds. The security logs may be maintained in-house and the analytics, specialized services and threat intelligence may be provided by the service providers. This provides organisations flexibility to develop expertise in specific areas, flexible deputation of the organisation's resources, utilization of the expertise and infrastructure of the service provider for advanced analytics, scaling up in times of need, and also meeting stringent regulatory requirements regarding security logs. Risks include loss/misuse of security data, which would need to be addressed by choosing trusted partners and having in place NDA, contracts and SLA with the service provider.

While choosing the model, organisations also have to keep in mind the regulatory recommendations.

2.7.17 Manpower Requirements

The workforce the ISOC requires can be divided into five categories:

Leadership Roles: The responsibility of the official would be to lead the ISOC team to achieve the mission of the ISOC.

Analyst Roles: Responsibilities include security event monitoring, incident report investigation, incident handling, threat intelligence, vulnerability intelligence and reporting.

Engineering Roles: Engineers with specific in-depth knowledge about the tools and technology on top of which the ISOC is built are required for expanding the ISOC functions and to handle and resolve any ISOC-specific issues.

Operations Roles: While ISOC engineers focus on
attribute the logs from each asset. Start with basic ISOC functions like log analysis and vulnerability analysis. The capabilities to be built are then chosen based on the functions selected.

3.2.2 Phase-wise Integration Based on Core Functions

It is suggested to go in for a phase-wise implementation as indicated below, along with ticket management, incident response and risk management:

S Phase 1
w Log Analysis – SIEM
w Vulnerability Analysis
S Phase 2
w DAM – Database Activity Monitoring
w NBAD – Network Behaviour Anomaly Detection
S Phase 3
w Malware Analysis – Advanced Persistent Threat Protection

3.2.4 Phase-wise Integration Based on Geographical Coverage

Organisations' critical assets may be spread across a wide geographical area. Apart from the DC and DR, certain business offices may also be critical. Integrate the assets of the DC, DR, central offices, regional offices, branches, etc. in a phase-wise approach.

3.3 ISOC Deployment

[Figure: SIEM Deployment Phases. Discovery, then Pilot and Controlled Deployment, then Deploy and Mature, then Mature.]

3.3.1 Discovery Phase – Laying the Groundwork

S Review the organisational security posture and the initial business case for a SIEM. Then prioritise the goals of the SIEM implementation from the most critical to the optional, taking into account the tasks that must be performed in order to support the effort.
S The information developed from this phase is used to determine the final steps of the controlled deployment and maturity phases.

3.3.3 Controlled Deployment Phase – Capacity Building

The primary goal of this phase is to develop a deployment workflow that enables the organisation to build capacity as full deployment approaches. This phase also serves as the initial production test run and completes the operational processes and procedures necessary to manage a full deployment.

3.3.4 Maturity Phase – Continuing to Evolve

Significant work must be performed in order to mature the organisation's security posture and implement the finer points of deployment. This phase never ends, since the SIEM must continually evolve.

3.4 Asset Inventory

There should be a centralised asset inventory of the entire IT infrastructure and applications, consisting of the targeted systems, devices, applications and networks. The next step is the integration of log sources with the ISOC for situational awareness and in-depth visibility of the organisational IT setup. Classification of the assets on the basis of criticality is a must and will be linked to the severity of incidents and their response and mitigation measures. An indicative asset collection template is in Annex 3-A.

Once the targeted systems are identified and inventoried, the next step is to collect the events through logs. Event generation should be set up to generate as much raw information as possible. This information can be sent in real time to collectors and/or stored locally for future collection.

Identify and place the log collectors in appropriate locations like the DMZ, internal network, critical server segments, etc. The deployment and number of sensors/collectors for perimeter and internal components will depend upon the network architecture and the types of cyber security solutions deployed by the organisation. The sensors/collectors in turn forward the gathered logs to the central processor/correlation engine for further processing and storage. The log analysis and correlation engine then applies the use cases to the data it receives to provide the alerting and reporting actions required of the SIEM.

3.6.1 Integration of Log Sources

The integration of log sources with the collector/sensor of the SIEM may be carried out on the basis of the filtering and logging level, as per the suggestions given in Annex 2.

S Initial Implementation: It is good practice to start with UAT or test systems, observe the performance and then start with the less critical log sources. The process of integrating log sources is mostly non-disruptive, except for a few systems where an agent has to be installed for detailed log capture.
3.9 Reporting

The ISOC should be capable of generating customised reports at regular intervals for the purposes of meeting compliance requirements, informing top management, audit requirements and incident management. In general, the ISOC may provide reports on the following:

S Security Event and Trend Statistics
S Firewall Traffic and Utilisation Statistics
S Vulnerability Management
S Audit Compliance
S Workload Prioritisation
S Suspicious Host Detection
S IP Intelligence (Security Analytics)
S Compliance

3.10 Developing Dashboards

Enterprise dashboards are the first points of contact in the area of security information management. They give top management a bird's-eye view of the security posture. Reporting of incidents and threats is commonly projected via the dashboard format. Dashboards act as front ends to ISOC tools by providing collaboration, workflow, publishing, reporting and tracking capabilities. The dashboard has to be customised to meet the requirements of each set of stakeholders, such as executives, CISOs, the operations team, etc. Below is an example dashboard:
Security Metrics (example dashboard, 2005)

Metric                                       Jan    Feb    Mar    Apr    May    Jun    Jul    Aug    Sep    Oct    Nov    Dec    YTD*
Privacy
  Reported Incidents                          10     26     15     31     19     19     16     21     12     24     21     23    237
  Resolved Incidents                          12     22      9     20     22     16     21     20     21     14      7     10    194
Threat Management
  Forensic Investigations – Active            48     63     62     56     68     58     65     48     46     37     31     32     32
  Forensic Investigations – New               26     26     26     25     17     22     18     20      9     17     20     22    248
  Forensic Investigations – Closed            11     27     32     13     27     15     35     22     18     23     19     27    269
  Intelligence – Cyber Threat Incidents      281     85    172     83     79     53     45    183     44     34     40     82   1181
  Intrusion Detection Security Tickets      2316    361    503    243    388    429    701    158    131    116    144     54   5544
Assessments
  Third Party Site Assessments Completed       1      3      7     11      3      2      0      0      8      1      -      -     36
Awareness & Education
  Percent Complete of the Tutorial 2005-2006: 64.47%, 78.25%, 80.58% (YTD 80.58%)
Issues Tracking
  Audit – Past Due Issues                     11     19     11     10      7      5      5      6      4      4      -      -      -
  Audit – Closed Issues                        9     10     17      5     10     12      3     10     14      1      2      9    102
Risk Acceptances (Jan to Aug reported)
  Risk Acceptances – Active                   18     18     22     23     21     22     23     23
  Risk Acceptances – Expired                   7      7      3      3      2      4      4      4
  Risk Acceptances – Closed                    7      8     10     11     15     15     15     15
Conclusion

This chapter covered in detail the implementation and integration phases of the ISOC, use case development and dashboards.
[Figure: ISOC organisation chart (source: HP). Governance and stakeholders: CMD, Board, ED, Business, Compliance, Legal, Internal Audit, Head - Integrated Risk Management (HIRM), IT, Physical Security, Communications, Chief Information Security Officer (CISO). Operations: SOC Manager; Tier 1 Alert Analyst; Tier 2 Incident Responder; SME/Hunter (Network); Frontlines.]

treating security events) and response procedures.

4.3.2 Processes
The ISOC manager must carry out a regular review of all incident records for their resolution within the parameters of the defined severity levels. Incident records that exceeded the standard resolution times need to be reviewed to validate whether they were handled appropriately. Based on the reviews and audits, the ISOC processes and procedures should be updated.

The service levels must be reviewed at least once a month. An example response time and resolution time SLA is defined below. All the numbers are indicative and should be aligned with the individual organisation's security policy and incident response plan.

Severity   Response Time   Resolution Time   SLA
High       20 mins         24 hours          98%
Medium     60 mins         48 hours          98%
Low        180 mins        96 hours          98%

Response time is the time within which a security event, once detected, is investigated and reported to the concerned domains along with a recommendation for the incident that occurred. Resolution time is the time within which the recommendation is applied and the incident is taken to closure.

When the SLA for High severity incidents is set at 98%, the ISOC is bound to respond to those events within 20 minutes and resolve the incidents within 24 hours, 98% of the time.

4.3.3.6 Incident Management Process

As per Symantec, "an incident is a set of one or more security events or conditions that requires action and closure in order to maintain an acceptable risk profile. In the haystack of events, organisations must find the 'needles' that are the security incidents. Events are isolated and disconnected, but incidents add the context that enables security administrators to gain understanding and take action".

Incident management requires technicians to understand:

S Scope: The number of systems affected
S Impact: The degree to which each system is affected in terms of confidentiality, integrity and availability
S Business Criticality: The importance of the incident based on the business value of the impacted systems relative to other systems
S Priority: The urgency of the required response relative to other incidents

The SANS Institute has articulated a thorough framework for incident handling that lends consistency to an often muddled process. Between identification and closure, according to SANS, the following types of activities should occur:

S Containment: Limiting the scope and magnitude of the incident
S Eradication: Eliminating the source of the problem or avenue of entry
S Recovery: Returning affected systems to their fully operational state
S Follow-up: Documenting the root cause and impact of the incident, and implementing measures to avoid recurrence

4.3.3.6.1 Case Management

An analyst performs multiple searches to understand the nature, intent and scope of a suspicious activity as part of the investigation process. Unless these searches and the resultant data are organised properly, they become difficult to interpret and may lead to an incorrect conclusion, resulting in an incident slipping through.

Cases need to be created within the ISOC platform, which can act as a central repository of evidence tied to ongoing investigations. They can include any existing forensic data within the ISOC, as well as external evidence such as screen captures from third-party
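The SLA table in 4.3.2 above becomes useful only when it is checked against real incident records. The following is an added example, not code from the original document: it takes incident records with detection, report and closure timestamps (a constructed sample), applies the indicative High/Medium/Low thresholds from the table, and produces both the per-severity compliance figures against the 98% target and the list of breached incidents that the ISOC manager's monthly review needs. Open incidents count as unresolved only once their resolution window has expired.

```python
"""Added example: checking response and resolution SLAs per severity.

Illustrative code added to the page, not part of the original document.
Assumptions: incident records are dicts with ISO-8601 timestamps for
detection, reporting (with recommendation) and closure; the thresholds are
the indicative values of the SLA table in 4.3.2; the incidents below are
constructed sample data.
"""
from datetime import datetime, timedelta

# (response limit, resolution limit, target share met) per severity, from the table
SLA = {
    "High":   (timedelta(minutes=20),  timedelta(hours=24), 0.98),
    "Medium": (timedelta(minutes=60),  timedelta(hours=48), 0.98),
    "Low":    (timedelta(minutes=180), timedelta(hours=96), 0.98),
}


def _ts(value):
    return datetime.fromisoformat(value)


def evaluate_incident(inc, now):
    """Return (response_met, resolution_met) for one incident.

    Response time runs from detection to the report with recommendation;
    resolution time runs from detection to closure. An incident that is still
    open is counted as unresolved only once its resolution window has expired.
    """
    resp_limit, res_limit, _ = SLA[inc["severity"]]
    detected = _ts(inc["detected"])
    response_met = _ts(inc["reported"]) - detected <= resp_limit
    end = _ts(inc["closed"]) if inc.get("closed") else now
    resolution_met = end - detected <= res_limit
    return response_met, resolution_met


def breaches(incidents, now):
    """List (incident id, 'response' | 'resolution') for every missed SLA,
    in the order the records were supplied: the review list for incidents
    that exceeded the standard times."""
    out = []
    for inc in incidents:
        response_met, resolution_met = evaluate_incident(inc, now)
        if not response_met:
            out.append((inc["id"], "response"))
        if not resolution_met:
            out.append((inc["id"], "resolution"))
    return out


def sla_report(incidents, now):
    """Per severity: share of incidents meeting each SLA and whether the
    target (98% in the table) is met."""
    report = {}
    for sev, (_, _, target) in SLA.items():
        group = [i for i in incidents if i["severity"] == sev]
        if not group:
            continue
        results = [evaluate_incident(i, now) for i in group]
        resp_rate = sum(r for r, _ in results) / len(results)
        res_rate = sum(r for _, r in results) / len(results)
        report[sev] = {
            "count": len(group),
            "response_rate": round(resp_rate, 4),
            "resolution_rate": round(res_rate, 4),
            "response_ok": resp_rate >= target,
            "resolution_ok": res_rate >= target,
        }
    return report


# Constructed sample incidents (not real data)
NOW = datetime.fromisoformat("2024-03-06T00:00:00")
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "severity": "High", "detected": "2024-03-01T09:00:00",
     "reported": "2024-03-01T09:15:00", "closed": "2024-03-01T20:00:00"},
    {"id": "INC-002", "severity": "High", "detected": "2024-03-01T10:00:00",
     "reported": "2024-03-01T10:30:00", "closed": "2024-03-02T09:00:00"},
    {"id": "INC-003", "severity": "Medium", "detected": "2024-03-01T08:00:00",
     "reported": "2024-03-01T08:45:00", "closed": "2024-03-03T07:00:00"},
    {"id": "INC-004", "severity": "Low", "detected": "2024-03-01T07:00:00",
     "reported": "2024-03-01T09:30:00"},          # still open
]

if __name__ == "__main__":
    for sev, row in sla_report(SAMPLE_INCIDENTS, NOW).items():
        print(sev, row)
    print(breaches(SAMPLE_INCIDENTS, NOW))
```

With the sample data, INC-002 misses the 20-minute response window and the open INC-004 has outlived its 96-hour resolution window, so the High response rate drops to 50% and both records land on the review list; the two High incidents still resolve within 24 hours.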
Annex 1

ITIL Maturity Model

The Process Maturity Model for IT Asset Management proposed by Patricia Adams of Gartner (2003) is perhaps the most popularly cited model across ITAM literature. It has five levels of maturity: chaotic, reactive, proactive, service-oriented and value creation.

Step 1. Chaotic (uncontrolled environment; 30% of enterprises)
Attributes:
S No processes, dedicated people or tools
S No assigned accountability or accounting for changes
S Unpredictable services, support and costs
S Purchasing is ad hoc
S Unused hardware and software are not controlled
S Success depends on quality of people, not processes
S Sub-optimisation of efforts occurs
Goals:
S "Just want to know what we own, where it is, and who is using it"
S One-time activity rather than systematic process

Step 2. Reactive (limited accountability; 45% of enterprises)
Attributes:
S Focus is on asset counting
S Employs physical inventory and some auto-discovery, recorded on spreadsheets or in a database
S Accountability lies with the IS organisation but there is ineffective change accounting
S Hardware and software viewed separately, not as a single complex asset
Goals:
S Perform annual physical inventory and periodic spot audits
S Report on asset counts, but cannot produce solid detail data to identify and resolve problems

Step 3. Proactive (life cycle focus; 20% of enterprises)
Attributes:
S There is an IT Asset Program and manager with dedicated staff that reports to the IS and finance organisations
S ITAM with auto-discovery tools is integrated with the service desk
S Use of cross-functional teams for major asset management projects
S Life cycle management process goes from requisition, to deployment, to retirement
S Inventory system linked to financial and contractual data
Goals:
S "Clearly defined processes with accountability that detail the practical application of people, processes and tools that support the ITAM Program"
S Effective change and configuration management processes
S ITAM projects use repeatable processes that are well defined, adhered to, reviewed, and re-engineered when necessary
S ITAM operations manual with asset taxonomy produced and maintained

Step 4. Service Oriented (service level management; 5% of enterprises)
Attributes:
S Metrics are available to measure program value
S Services are delivered according to SLA-based plans
S TCO processes in place
S Automated requisition is integrated with purchasing and ERP systems
S Just-in-time inventory practices used
Goals:
S Create SLAs for asset management and use them as a basis for planning
S Conduct periodic reviews of service delivery quality
S Institute an enterprise technology refresh plan for replacement and retirement of equipment

Step 5. Value Creation (cost recovery; under 1% of enterprises)
Attributes:
S There is a cost recovery process
S Repository, auto-discovery and asset-usage tools all in place
S Seamless integration with strategic systems like HR, accounting, ERP, purchasing, network and systems management, IT service desk, problem and change management tools, and business continuity process
S Decision support and analytic tools available for mining asset information
Goals:
S Continuous process improvement with improving metrics
S ITAM data used for problem prevention
S ITAM is a core business process and business enabler
S Measurement of efficiency (employee productivity) and effectiveness (customer satisfaction) of business processes across all IT assets in the enterprise
Annex 2

2.1 Logging Levels

Log Collection

In general, syslog is the mechanism used for logging events. Microsoft Windows platforms need an agent to forward events in syslog format. The minimum parameters that need to be configured are:

S Logging Destinations: The collector or relay IP addresses or hostnames. How many destinations the syslog messages from an originator need to be forwarded to depends on the implementation.
S Protocol and Port: By default UDP and port 514 are used. Changing to another port and protocol is implementation specific.
S Logging Severity Level: A value ranging from 0 to 7, as shown in the table below:

Logging Severity Levels

Level   Severity
0       Emergency: System is unusable
1       Alert: Action must be taken immediately
2       Critical: Critical conditions
3       Error: Error conditions
4       Warning: Warning conditions
5       Notice: Normal but significant condition
6       Informational: Informational messages
7       Debug: Debug-level messages

Logging Recommendations

Enabling logging carries a cost in performance and functionality. Implement time synchronisation so that events can be placed on a timeline. Enable local logging to act as a backup repository when the centralised logging solution fails. Before enabling logging, consider the following:

S Log events that are of business, technical or compliance value
S Configure clients and servers for NTP
S Time stamp log messages and include the time zone in each message
S Configure the client with the minimum number of log collectors. Use syslog relays to replicate and forward the same message to multiple destinations. The destinations could be monitoring platforms such as security, problem management, and system and network health monitoring
S Baseline and monitor the CPU, memory and network usage overhead introduced by the syslog service
S Have a limited local logging facility, in file or memory, so that logs are not completely lost if the syslog collector is unavailable, such as in the case of network failure
S On a regular basis, test that logging is functioning properly
S Protect the syslog implementation by providing confidentiality, integrity and authenticity
S Set the log rotation and retention policies properly
S Protect the files where logs are stored:
w Restrict access to the system by assigning proper file access permissions and enabling file encryption
w Grant read access to log files only to authorised users and processes
w Grant write access to log files only to the syslog service or any such collection service
w Apply standard system hardening procedures to the operating systems that host the logging server
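The severity level a client is configured with is encoded in the syslog priority value, so a collector that wants to verify what it actually receives has to decode it. The block below is an added example, not code from the original document: it decodes the PRI field of BSD-style (RFC 3164) syslog lines into facility and severity using the 0 to 7 severity scale of the table above, and applies a minimum logging level the way a client configured with that level would, while counting lines that carry no valid PRI. The facility names follow the RFC 3164 numbering and the sample lines are constructed, not captured from real devices.

```python
"""Added example: decoding syslog priority and enforcing a minimum level.

Illustrative code added to the page, not from the original document.
Assumptions: BSD-style syslog lines (RFC 3164) that begin with "<PRI>", where
PRI = facility * 8 + severity and severity uses the 0..7 scale of the table
in Annex 2; facility names follow the RFC 3164 numbering; the sample lines
are constructed, not captured from real devices.
"""
import re

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
                  "alert", "clock"] + [f"local{i}" for i in range(8)]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.+)$", re.DOTALL)


def decode_pri(pri):
    """Split PRI into (facility, severity). Valid PRI is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_line(line):
    """Return a dict (facility, facility_name, severity, severity_name, body)
    or None when the line has no valid PRI header."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    try:
        facility, severity = decode_pri(int(m.group(1)))
    except ValueError:
        return None
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES[facility],
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "body": m.group(2),
    }


def filter_by_level(lines, min_level):
    """Keep messages at least as severe as min_level (lower number = more
    severe), as a client configured with that minimum logging level would
    forward them; malformed lines are dropped but counted."""
    kept, dropped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            dropped += 1
        elif rec["severity"] <= min_level:
            kept.append(rec)
    return kept, dropped


# Constructed sample lines (comments show facility*8 + severity)
SAMPLE = [
    "<34>Oct 11 22:14:15 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5",    # auth.critical 4*8+2
    "<13>Oct 11 22:14:16 app01 myapp: user login ok",                                 # user.notice   1*8+5
    "<38>Oct 11 22:14:17 srv01 sshd[411]: Accepted publickey for ops from 10.0.0.9",  # auth.info     4*8+6
    "<191>Oct 11 22:14:18 dev01 tracer: verbose trace",                               # local7.debug  23*8+7
    "Oct 11 22:14:19 host without a PRI header",
    "<999>bogus priority",
]

if __name__ == "__main__":
    kept, dropped = filter_by_level(SAMPLE, 4)   # Warning and more severe
    for rec in kept:
        print(rec["facility_name"], rec["severity_name"], rec["body"])
    print("dropped:", dropped)
```

Running it at level 4 (Warning) forwards only the critical firewall drop; at level 6 (Informational) the notice and the sshd line pass too, while the debug trace and the two malformed lines are never forwarded. The dropped count is worth alerting on, since malformed lines at a collector usually mean a misconfigured or tampered originator.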
S From the production environment, determine the peak number of security events (PEx) created by each device that requires logging, using Formula 1. For identical devices with identical hardware, configurations, load, traffic, etc., use this formula to avoid having to determine PE for every device:

  Formula 1: PEx × (number of identical devices)

S Arrive at a grand total by summing up all PE numbers for the environment.

The Peak EPS is arrived at once these computations are complete. Consult SMEs and the system engineers provided by the vendor in order to establish a realistic Peak EPS that the SIEM system must be able to handle.

Use this list along with peers' experience and other references as resources to set benchmarks for the infrastructure. Sample templates are provided below.

Qty   Type                               Description                                                       Avg EPS   Total Peak EPS   Average Peak EPS
750   Desktops & Laptops (Windows XP)    At 5 locations                                                    included at domain servers
7     Cisco Catalyst Switches            One at each location, one in DMZ and one in the Trusted network   5.09      51.88            26.35
7     Cisco Gateway/Routers              One at each location                                              0.6       380.5            154.2
5     Windows 2003 Domain Servers        One at each location                                              40        404.38           121.75
3     Windows 2003 Application Servers   In high availability cluster at Data Center                       1.38      460.14           230.07
2     Windows DNS Servers                At Data Center - failover                                         0.72      110.8            110.8
3     Cisco PIX Firewalls                Between the Data Center and the other four sites, in front of     39        1734             1178
                                         the trusted network, between the trusted network and the DMZ
1     Cisco VPN Concentrator             Located at Data Center facing the Internet                        0.83      69.45            69.45
1     Squid Proxy                        Located at Data Center                                            14.58     269.03           269.03
      Totals                                                                                               149.79    15598.9          8118.8
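Formula 1 and the summation step above are easy to get wrong in a spreadsheet once the inventory grows, so here is the computation as an added example (not code from the original document). It applies PE × number of identical devices to a small constructed inventory, sums the averages and peaks for the environment, and goes a step further than the annex by turning the average EPS into a storage estimate; the 500 bytes per event, the retention period and the 1.5× headroom on peak are assumptions for illustration, not figures from the annex, and should be replaced with measured values from the SMEs and vendor engineers the text refers to.

```python
"""Added example: totalling log-source EPS for SIEM sizing.

Illustrative code added to the page, not from the original document. It
applies Formula 1 of Annex 2 (PE of one device x number of identical devices,
summed over all source types) to a constructed inventory, and adds a storage
estimate under an assumed average event size, which the annex does not give.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogSource:
    qty: int          # number of identical devices
    kind: str
    avg_eps: float    # average EPS of one device
    peak_eps: float   # peak EPS of one device (PE)


def source_totals(src):
    """Formula 1: [PEx * (# of identical devices)], for average and peak."""
    return src.qty * src.avg_eps, src.qty * src.peak_eps


def environment_totals(sources):
    """Grand total (avg EPS, peak EPS) over the environment."""
    avg = peak = 0.0
    for src in sources:
        a, p = source_totals(src)
        avg += a
        peak += p
    return round(avg, 2), round(peak, 2)


def daily_storage_gb(avg_eps, bytes_per_event=500):
    """Raw log volume per day at an assumed average event size (assumption,
    not from the annex): avg EPS * 86400 s * bytes per event."""
    return round(avg_eps * 86400 * bytes_per_event / 1e9, 2)


def retention_storage_gb(avg_eps, days, bytes_per_event=500):
    """Storage for a retention period, before compression or index overhead."""
    return round(avg_eps * 86400 * bytes_per_event * days / 1e9, 2)


def capacity_target(peak_eps, headroom=1.5):
    """Collector/licence capacity to plan for: peak EPS with headroom, the
    'realistic peak' to confirm with SMEs and the vendor's engineers."""
    return round(peak_eps * headroom, 2)


# Constructed inventory (illustrative numbers, not measured values)
INVENTORY = [
    LogSource(7, "Switch", 0.7, 7.5),
    LogSource(7, "Router", 0.1, 55.0),
    LogSource(5, "Domain controller", 8.0, 80.0),
    LogSource(3, "Firewall", 13.0, 580.0),
    LogSource(1, "Web proxy", 14.5, 270.0),
]

if __name__ == "__main__":
    avg, peak = environment_totals(INVENTORY)
    print(f"avg EPS {avg}, peak EPS {peak}")
    print(f"{daily_storage_gb(avg)} GB/day, {retention_storage_gb(avg, 90)} GB for 90 days")
    print(f"plan collector capacity for {capacity_target(peak)} EPS")
```

Note the spread between the two totals in the constructed inventory: about 99 EPS on average against roughly 2,850 EPS at peak, almost all of it from the firewalls. Storage is driven by the average, but collector and licence capacity must be sized for the peak, which is why the annex asks for PE per device type rather than a single environment-wide average.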
Feature / Benchmark Settings        Explanation                                                          Avg.   Avg. Peak   Peak
System Logs Collected               Relevant and critical logs are collected. Should be able to
                                    handle the peak threshold.
Network Devices                     Source, destination, calls, connections, access, traffic and
  § Firewalls                       other security-related log data can be collected and
  § VPNs/SSL                        normalised at the specified rate.
  § IAM, Switches
  § Routers
  § Web Process
Custom Apps                         Security-related data from custom/legacy applications and
  § Legacy apps                     systems are collected as needed.
  § Mainframe
  § Midrange
Indicative SOC budget template (cost items):

Threat Intelligence Feeds
SIEM Solution
NBAD
Vulnerability Scanning
PIM (Network)
Forensic Software
Secure Cabinets/Locks
Log Storage and backup
Office, Furniture, etc.
Miscellaneous
Professional Consulting/design/setup
Total Annual Cost
(The list is indicative. Other S/W and H/W costs to be added as per requirement.)

References

S Benchmarking Security Information Event Management (SIEM) by J. Michael Butler, SANS Reading Room: https://www.sans.org/reading-room/whitepapers/analyst/benchmarking-security-information-event-management-siem-34755
S Building a Successful Security Operations Center, Part 3: SOC Budget Calculator by Rafeeq Rehman: http://rafeeqrehman.com/2017/02/05/soc_budget_calculator/
Annex 3

3-A: Log Collection Format

Columns: S. No. | Application (AV, ADS/LDAP, DHCP, Mail, Custom applications, etc.) | Operating System / IOS | Version | Hostname | IP Address | Log Collection Method | No. of devices | Owner | Location | Remarks

5   Proxy Servers
7   AS 400/iSeries
8   Mainframe/LPARs
10  Firewalls – Internal
11  Firewalls – External
12  VPN devices
13  Network IDS/IPS
14  Host IDS/IPS
16  Antivirus Servers
17  Endpoint DLP
18  Network DLP
19  Database Servers
20  Applications
26  Do you want to capture netflows? If so, please answer a and b below.
27  a. How many total end user workstations/laptops are on the network?
28  b. How many total servers are on the network?
Sample dashboard configuration

Columns: Dashboard | Dashboard Name | Value to Graph | Chart Type | Top (display) | Time Series Data | Capture Time Range

Default
  IDS/IPS-All: Top Alarm Signatures (Event Count)      | Event Count (Sum)   | Pie Chart | 10      | Yes | 24 hours
  Top Systems Attacked (IDS/IDP/IPS) (Event Count)     | Event Count (Sum)   | Table     | 10      | Yes | 24 hours
Threat & Security Monitoring
  Most Recent Offenses                                 | Default             | Default   | Default | No  | 1 minute
  Most Severe Offenses                                 | Default             | Default   | Default | No  | 1 minute
  Firewall Deny by DST IP (Event Count)                | Event Count (Sum)   | Bar Chart | 5       | Yes | 24 hours
  Firewall Deny by DST Port (Event Count)              | Event Count (Sum)   | Table     | 5       | Yes | 24 hours
Network Overview
  Top Talkers (Total Bytes)                            | Total Bytes (Sum)   | Bar Chart | 5       | Yes | 24 hours
  Top Log Sources (Event Count)                        | Event Count (Sum)   | Table     | 5       | Yes | 24 hours
  Firewall Deny by Source IP (Event Count)             | Event Count (Sum)   | Bar Chart | 5       | Yes | 24 hours
Application Overview
  Outbound Traffic by Country/Region (Total Bytes)     | Total Bytes (Sum)   | Bar Chart | 10      | Yes | 24 hours
  Top Applications Outbound to the Internet (Total Bytes) | Total Bytes (Sum) | Bar Chart | 10      | Yes | 24 hours
  Total Applications (Total Bytes)                     | Total Bytes (Sum)   | Bar Chart | 10      | Yes | 24 hours
Vulnerability Management and Intelligence
  Security News                                        | Default             | Default   | 5       | No  | 1 minute
  Security Advisories                                  | Default             | Default   | 5       | No  | 1 minute
  Internet Threat Information Center                   | Default             | Default   | Default | No  | 1 minute
  Scans In Progress                                    | Default             | Default   | 5       | No  | 1 minute
  New Vulnerabilities in the last 7 days / Network     | Vulnerability Count | Bar Chart | 10      | No  | 1 minute
3-D: Sample Attack Scenarios

Brute force attack on an administrative interface (SSH, application interface)

This scenario is straightforward: multiple connection attempts, either to an exposed SSH server or to an exposed web administration page. The attack scenario includes two variants, one resulting in a successful connection after some requests and another with no success.

Vulnerability Exploitation of a Critical Server

S Authentication bypass of an SQL server: Attempt to bypass the authentication procedure of an SQL server by exploiting known vulnerabilities.
S Abuse of a misconfigured DNS server (open resolver): Exploitation of a DNS server which openly permits recursive queries (from any host, not restricted to its own network) in order to conduct a reflected attack.
S Abuse of a misconfigured SMTP server (open relay): Exploitation of an SMTP server which permits everyone (from any host, not restricted to its own network) to send e-mails to any destination in order to contribute to a spam campaign.
S Application level attack on a web server (SQL injection): Exploitation of an application-level vulnerability on a web page allowing the attacker to dump the database.

Virus/Trojan Infection in the Internal Network

Malware infection through an e-mail attachment, spreading itself throughout the internal network.

Covert Channels of Communication

This kind of attack involves the use of a side channel in order to circumvent monitoring and bypass controls. As an example, an attack involving the abuse of a DNS server by an internal user in order to establish a DNS tunnel and circumvent data traffic policies regarding data exfiltration was used.

Detection of Advanced Persistent Threat

Advanced persistent threat (APT) includes a variety of attacks and techniques sharing a common factor, the
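The brute-force scenario at the top of 3-D is the one most often used to validate a new SIEM use case, because both of its variants are visible in a single log source. The block below is an added example, not code from the original document: it runs a sliding-window failure count per source IP over OpenSSH-style auth log lines (constructed here, not captured from a real host), raises a "bruteforce" alert once an IP reaches the threshold within the window, and escalates to "success_after_bruteforce" if the same IP later authenticates, which separates the attack-in-progress variant from the likely-compromise variant. The threshold, window and year used for the BSD timestamps are illustrative tuning values, not figures from the annex.

```python
"""Added example: detecting the brute-force scenario of Annex 3-D in SSH logs.

Illustrative code added to the page, not from the original document.
Assumptions: OpenSSH-style auth log lines ("Failed password for ... from
<ip>", "Accepted ... for ... from <ip>") with BSD timestamps; the threshold
and window are illustrative tuning values; the sample log is constructed.
It reports both variants of the scenario: failures only (attack in progress)
and a successful login after the failures (likely compromise).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

_SSHD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_auth_line(line, year=2024):
    """Return {'ts', 'ok', 'user', 'ip'} for an sshd auth result, else None.
    BSD timestamps carry no year, so one is supplied (assumption)."""
    m = _SSHD.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window failure count per source IP.

    Emits ('bruteforce', ip, None, ts) once an IP reaches `threshold`
    failures within `window_s` seconds, and ('success_after_bruteforce',
    ip, user, ts) if that IP later authenticates successfully."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["ok"]:
            if ip in flagged:
                alerts.append(("success_after_bruteforce", ip, ev["user"], ts))
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:   # drop stale failures
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append(("bruteforce", ip, None, ts))
    return alerts


# Constructed sample log (not captured from a real host)
SAMPLE_LOG = [
    "Mar 13 10:00:01 bastion sshd[2111]: Failed password for invalid user admin from 203.0.113.10 port 51000 ssh2",
    "Mar 13 10:00:03 bastion sshd[2112]: Failed password for root from 203.0.113.10 port 51001 ssh2",
    "Mar 13 10:00:05 bastion sshd[2113]: Failed password for root from 203.0.113.10 port 51002 ssh2",
    "Mar 13 10:00:07 bastion sshd[2114]: Failed password for invalid user test from 203.0.113.10 port 51003 ssh2",
    "Mar 13 10:00:09 bastion sshd[2115]: Failed password for root from 203.0.113.10 port 51004 ssh2",
    "Mar 13 10:00:12 bastion sshd[2116]: Accepted password for root from 203.0.113.10 port 51005 ssh2",
    "Mar 13 10:05:00 bastion sshd[2120]: Failed password for ops from 198.51.100.7 port 40000 ssh2",
    "Mar 13 10:05:04 bastion sshd[2121]: Failed password for ops from 198.51.100.7 port 40001 ssh2",
    "Mar 13 10:05:08 bastion sshd[2122]: Failed password for ops from 198.51.100.7 port 40002 ssh2",
    "Mar 13 10:05:12 bastion sshd[2123]: Failed password for ops from 198.51.100.7 port 40003 ssh2",
    "Mar 13 10:05:16 bastion sshd[2124]: Failed password for ops from 198.51.100.7 port 40004 ssh2",
    "Mar 13 11:30:00 bastion sshd[2200]: Failed password for alice from 192.0.2.5 port 43210 ssh2",
    "Mar 13 11:30:20 bastion sshd[2201]: Accepted publickey for alice from 192.0.2.5 port 43211 ssh2",
    "Mar 13 11:31:00 bastion sshd[2202]: pam_unix(sshd:session): session opened for user alice",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample log, 203.0.113.10 triggers the brute-force alert on its fifth failure and then the compromise alert when root logs in three seconds later; 198.51.100.7 triggers only the brute-force alert (the no-success variant); alice's single typo followed by a key login never reaches the threshold. Shrinking the window to 10 seconds keeps the first attacker but drops the slower second one, which is the usual tuning trade-off between catching low-and-slow attempts and staying below the noise of a busy bastion.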
Glossary

1 AIX A Unix-flavour operating system sold by IBM
2 APT Advanced Persistent Threats
3 BCP Business Continuity Planning
4 BOT Build, Operate and Transfer Model
5 CISO Chief Information Security Officer
6 CMDB Configuration Management Database
7 CMMI Capability Maturity Model® Integration
8 CnC Command-and-Control
9 CSOC Cyber Security Operations Center
10 CTI Cyber Threat Intelligence
11 CybOX Cyber Observable Expression
12 DAM Database Activity Monitoring
13 DB Database
14 DBA Database Administrator
15 DBMS Database Management Systems
16 DC Data Center
17 DCL Data Control Language
18 DDL Data Definition Language
19 DDOS Distributed Denial of Service
20 DHCP Dynamic Host Configuration Protocol
21 DLP Data Leakage Prevention
22 DML Data Manipulation Language
23 DMZ Demilitarized Zone
24 DNS Domain Name System
25 DOS Denial of Service
26 DPI Deep Packet Inspection
27 DR Disaster Recovery
Members
Shri Murtaza Bhatia, Practice Head (Data Centre & Security), Dimension Data