Log Analysis Techniques Using Clustering in Network Forensics


(IJCSIS) International Journal of Computer Science and Information Security, Vol. 10, No. 7, July 2012

Imam Riadi (1), Jazi Eko Istiyanto (2), Ahmad Ashari (2), Subanar (3)
(1) Department of Information System, Faculty of Mathematics and Natural Science, Ahmad Dahlan University, Yogyakarta, Indonesia
(2) Department of Computer Science and Electronics, (3) Department of Mathematics, Faculty of Mathematics and Natural Sciences, Gadjah Mada University, Yogyakarta, Indonesia
[email protected], {jazi,ashari}@ugm.ac.id, [email protected]

Abstract — Internet crime is increasing. Alongside the many crimes committed using information technology, and the Internet in particular, some crimes are carried out as attacks on a particular agency or institution. Finding and identifying the type of attack is a long process that requires time, human resources and the use of information technology, and it needs the support of both hardware and software. Attacks on an Internet-connected network are generally recorded in a log file with a specific data format. Clustering is one method that can be used to facilitate the identification process. After the log file records have been grouped with the K-means clustering technique into three categories of attack, the forensic process continues so that the source and target of the attacks present on the network can be identified. It is concluded that the proposed framework can help the investigator in the trial process.

Keywords: analysis, network, forensic, clustering, attack

I. INTRODUCTION

With the rapid development of the Internet, countless individual and business transactions are now conducted electronically. Communities use the Internet for many purposes, including communication, email, file transfer and sharing, searching for information and online gaming. The Internet offers users access to information provided by various organizations. Its growth also makes it possible to commit digital crimes through communication channels that cannot be predicted in advance; at the same time, the Internet provides many sources of digital crime scene evidence. Internet crime is now increasing [1]; for example, employees accessing websites that promote pornography or illegal activities pose a problem for some organizations. Pornography has become a huge business and has caused many problems for organizations. It is not only easily available on the Internet, but perpetrators also frequently spread it using advances in Internet technology to attack computers with unsolicited email and unwanted pop-up ads. Some forms of pornography are not only illegal but also a serious problem for digital investigators. However, posting child pornography on the Internet can help lead investigators to the victim. Likewise, threatening letters, fraud and intellectual property theft are crimes that leave a digital footprint [2].

Cyber crime, crime that uses information technology as its instrument or target, has led to the emergence of network forensics in response to the rise in such cases. Improving the quality of tools and techniques for network forensic analysis is needed to deal with increasingly sophisticated cyber criminals. Digital forensics, in essence, answers the questions when, what, who, where, how and why in relation to a digital crime [3]. In an investigation of a computer system, for example: when refers to the time at which the observed activity occurred, what to the activity that was carried out, who to the person responsible, where to the place where the evidence is found, how to the way the activity was conducted, and why to the reason the crime was committed.

Criminal acts in the field of information technology are regulated in Indonesia by Law No. 11 of 2008 on Information and Electronic Transactions (ITE), which sets out the elements of the criminal acts, or the acts that are prohibited, in the field of ITE in Articles 27 to 36. Currently the Indonesian government and House of Representatives are processing the Information Technology Crime Bill, which is included in the list of 247 bills in the 2010-2014 National Legislation Program (Prolegnas) [4].

As a consequence of the many crimes committed using information technology, and the Internet in particular, some crimes are carried out as attacks on a particular agency or institution. Finding and identifying the type of attack is a long process that requires time, human resources and the use of information technology, and it needs the support of both hardware and software. Attacks on an Internet-connected network are generally recorded in a log file with a specific data format. To simplify log analysis, a scientific method is needed that helps group diverse raw data. Clustering is one of the methods that can be used to facilitate the identification process.
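The clustering step that the abstract and the introduction describe, as an added example that is not the paper's own code: it parses connection-log records in a constructed line format (the paper does not give its log format), aggregates them per source/destination pair into three features (distinct destination ports, total packets, total bytes), scales each feature to [0, 1], runs K-means with k=3 in pure Python, and reports the sources and targets that fall into each cluster. The line format, the IP addresses, the feature choice and the farthest-first seeding are all assumptions made for this example; the paper does not say which features it clusters on or how it seeds K-means.

```python
"""Added example: K-means triage of connection-log records (not the paper's code).
The line format, addresses and features below are assumptions for this example;
the paper does not give its log format or the features it clusters on."""
import math
import re
from collections import defaultdict

# Constructed sample log: two port scanners, two SSH brute-forcers, two HTTP
# flooders, plus one malformed line. Format: <ts> src= dst= dport= pkts= bytes=
SAMPLE_LOG = """
2012-07-01T10:00:01 src=10.0.0.5 dst=192.168.1.10 dport=21 pkts=1 bytes=60
2012-07-01T10:00:01 src=10.0.0.5 dst=192.168.1.10 dport=22 pkts=1 bytes=60
2012-07-01T10:00:01 src=10.0.0.5 dst=192.168.1.10 dport=23 pkts=1 bytes=60
2012-07-01T10:00:02 src=10.0.0.5 dst=192.168.1.10 dport=80 pkts=1 bytes=60
2012-07-01T10:00:02 src=10.0.0.5 dst=192.168.1.10 dport=443 pkts=1 bytes=60
2012-07-01T10:00:05 src=10.0.0.9 dst=192.168.1.10 dport=22 pkts=300 bytes=30000
2012-07-01T10:00:07 src=10.0.0.7 dst=192.168.1.11 dport=21 pkts=1 bytes=60
2012-07-01T10:00:07 src=10.0.0.7 dst=192.168.1.11 dport=22 pkts=1 bytes=60
2012-07-01T10:00:08 src=10.0.0.7 dst=192.168.1.11 dport=25 pkts=1 bytes=60
2012-07-01T10:00:08 src=10.0.0.7 dst=192.168.1.11 dport=3389 pkts=1 bytes=60
2012-07-01T10:00:09 src=10.0.0.20 dst=192.168.1.12 dport=80 pkts=25000 bytes=25000000
2012-07-01T10:00:10 src=10.0.0.9 dst=192.168.1.10 dport=22 pkts=300 bytes=30000
2012-07-01T10:00:11 src=10.0.0.12 dst=192.168.1.10 dport=22 pkts=240 bytes=24000
2012-07-01T10:00:12 src=10.0.0.21 dst=192.168.1.12 dport=80 pkts=20000 bytes=20000000
2012-07-01T10:00:13 src=10.0.0.20 dst=192.168.1.12 dport=80 pkts=25000 bytes=25000000
2012-07-01T10:00:14 src=10.0.0.12 dst=192.168.1.10 dport=22 pkts=240 bytes=24000
2012-07-01T10:00:15 src=10.0.0.21 dst=192.168.1.12 dport=80 pkts=20000 bytes=20000000
garbage line that does not match the format and must be skipped, not guessed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                     r"dport=(?P<dport>\d+) pkts=(?P<pkts>\d+) bytes=(?P<bytes>\d+)$")

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            records.append({"src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
                            "pkts": int(d["pkts"]), "bytes": int(d["bytes"])})
    return records

def aggregate(records):
    """One feature vector per (src, dst) pair: distinct dst ports, total pkts, total bytes."""
    ports, pkts, byts = defaultdict(set), defaultdict(int), defaultdict(int)
    for r in records:
        key = (r["src"], r["dst"])
        ports[key].add(r["dport"])
        pkts[key] += r["pkts"]
        byts[key] += r["bytes"]
    keys = list(ports)  # insertion (time) order is kept
    return keys, [[len(ports[k]), pkts[k], byts[k]] for k in keys]

def min_max_scale(vectors):
    """Scale every feature to [0, 1]; otherwise byte counts dominate the distance."""
    cols = list(zip(*vectors))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [[(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(v, lo, hi)]
            for v in vectors]

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k=3, max_iter=100):
    """Lloyd's K-means with deterministic farthest-first seeding; returns (labels, centroids)."""
    if len(points) < k:
        raise ValueError("need at least k points")
    centroids = [list(points[0])]
    while len(centroids) < k:  # next seed = the point farthest from its nearest seed
        centroids.append(list(max(points, key=lambda p: min(_dist(p, c) for c in centroids))))
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: _dist(p, centroids[j])) for p in points]
        if new_labels == labels:
            break  # assignments did not change: converged
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:  # an empty cluster keeps its previous centroid
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels, centroids

def cluster_log(text, k=3):
    """Parse -> aggregate -> scale -> K-means -> {cluster id: [source/target records]}."""
    keys, feats = aggregate(parse_log(text))
    if not keys:
        return {}
    labels, _ = kmeans(min_max_scale(feats), k)
    clusters = defaultdict(list)
    for (src, dst), (nports, npkts, nbytes), lab in zip(keys, feats, labels):
        clusters[lab].append({"src": src, "dst": dst, "distinct_ports": nports,
                              "pkts": npkts, "bytes": nbytes})
    return dict(clusters)

if __name__ == "__main__":
    for cid, members in sorted(cluster_log(SAMPLE_LOG).items()):
        print(f"cluster {cid}:")
        for m in members:
            print(f"  {m['src']} -> {m['dst']}  ports={m['distinct_ports']} pkts={m['pkts']} bytes={m['bytes']}")
```

Run as a script it prints the three clusters with the source and target addresses in each, which is what the forensic step that follows works from. Two caveats matter in practice: K-means only finds k groups of similar records and does not label them as attack types, so an investigator still has to read each cluster; and the grouping depends on the feature choice, the scaling and the seeding, so the same log clustered on raw byte counts or with random seeds can come out differently.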
II. CURRENT STUDIES ON NETWORK FORENSICS

A. Forensics in Computer Security

The rapid development of information technology, especially in the field of computer networks, has had a positive impact by making human activity easier, faster and cheaper. Behind all these conveniences, however, the development of such infrastructure services has also had a negative impact in cyberspace, among others: theft of data from websites, information theft, financial fraud on the Internet, carding, hacking, cracking, phishing, viruses, cybersquatting and cyber porn. Information technology services, and specifically the Internet, can be used to perform illegal activities that harm others, such as cyber gambling, cyber terrorism, cyber fraud, cyber porn, cyber smuggling, cyber narcotism, cyber attacks on critical infrastructure, cyber blackmail, cyber threats, cyber aspersion and phishing.

The number of computer crime and computer-related crime cases handled by the Central Forensic Laboratory of the Police Headquarters is around 50, with about 150 units of electronic evidence in total over the period shown in Table 1 [5].

Table 1. The number of computer crime and computer-related crime cases

Year         Number of cases
2006         3
2007         3
2008         7
2009         15
2010 (May)   27

The forensic process was introduced a long time ago. Studies related to the forensic process include [5]:

a) Francis Galton (1822-1911): research on fingerprints
b) Leone Lattes (1887-1954): research on blood groups (A, B, AB and O)
c) Calvin Goddard (1891-1955): research on guns and bullets (ballistics)
d) Albert Osborn (1858-1946): research on document examination
e) Hans Gross (1847-1915): research on the scientific application of criminal investigation
f) FBI (1932): research using a forensic laboratory

The forensic process requires a few tools that can

Table 2. Forensic Computer Tools

No  Software                    Information
1   E-Detective                 http://www.edecision4u.com/
2   Burst                       http://www.burstmedia.com/release/advertisers/geo_faq.htm
3   Chkrootkit                  http://www.chkrootkit.org
4   Cryptcat                    http://farm9.org/Cryptcat/
5   Enterasys Dragon            http://www.enterasys.com/products/advanced-security-apps/index.aspx
6   MaxMind                     http://www.maxmind.com
7   netcat                      http://netcat.sourceforge.net/
8   NetDetector                 http://www.niksun.com/product.php?id=4
9   NetIntercept                http://www.sandstorm.net/products/netintercept
10  NetVCR                      http://www.niksun.com/product.php?id=3
11  NIKSUN Function Appliance   http://www.niksun.com/product.php?id=11
12  NetOmni                     http://www.niksun.com/product.php?id=1
13  Network Miner               http://sourceforge.net/projects/networkminer/
14  rkhunter                    http://rkhunter.sourceforge.net/
15  Ngrep                       http://ngrep.sourceforge.net/
16  nslookup                    http://en.wikipedia.org/wiki/Nslookup
17  Sguil                       http://sguil.sourceforge.net/
18  Snort                       http://www.snort.org/
19  ssldump                     http://ssldump.sourceforge.net/
20  tcpdump                     http://www.tcpdump.org
21  tcpxtract                   http://tcpxtract.sourceforge.net/
22  tcpflow                     http://www.circlemud.org/~jelson/software/tcpflow/
23  truewitness                 http://www.nature-soft.com/forensic.html
24  OmniPeek                    http://www.wildpackets.com/solutions/network_forensics
25  Whois                       http://www.arin.net/registration/agreements/bulkwhois
26  Wireshark                   http://www.wireshark.org/
27  Kismet                      http://www.kismetwireless.net/
28  Xplico                      http://www.xplico.org/

CERT defines forensics as the process of collecting, analyzing and presenting evidence scientifically in court. Computer forensics is the science of analyzing and presenting data that have been processed electronically and stored on computer media [1]. Digital forensics is the use of scientific methods for the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources, in order to facilitate the reconstruction of the crime scene [6]. Indonesia has a state law that can be used to help confirm that a crime committed using information technology services may be subject to Article 5 of Law No. 11/2008 on Information and Electronic