Building a SOC

For run Security Operation Center in your company you must create process, write procedures, hire a staff , etc. All these steps well described in thousand documents.

But what about technical components of SOC?

1. Video wall

Sure thing you need it for security events visibility. It could be LCD, Plasma or just a projector.

Usually you have more than 5 different security management programs (1-2 SIEMs, IDS management, system logs, etc) , so, you need method to show all these on display. You can't tile one display with all these windows - lack of resolution for huge amount of information.

I recommend to use very simple vb script ,created by friend of mine Roma Lazaruk, to switch between programs.

//JScript

var WshShell = WScript.CreateObject("WScript.Shell");

KL = true;

while (KL) {

WshShell.AppActivate(388);

WScript.Sleep(90000);

WshShell.AppActivate("2752");

WScript.Sleep(90000);

WshShell.AppActivate("3612");

WScript.Sleep(90000);

if (WshShell.AppActivate("notepad")) {

WriteWord();

KL = false;

}

}

It gives you possibility to see and read all security information on video wall and adjust visibility interval between programs. This script use PID numbers (for switching between different process with the same name like browser windows ) for program activation and you must run notepad.exe to kill the script.

2. Knowledge base.

Sharing knowledge between teem players save your time, increase team productivity and secure you from personnel turnover problem.

Sure thing the best engine for knowledge base is Wiki. More over you can create really secure knowledge base based on mutual ssl authentication with certificates on smart card and wiki single sign on (SSO) by user cn. For your convenience Andrey Dugin write a wonderful article about this in previous post!

Securing mediawiki

It is described here how to configure mediawiki for:
- use https with mutual authentication;
- use single sign on by client certificates.

At first, enable mod_ssl on apache:

a2enmod ssl

Then add to apache configuration file httpd.conf next strings:
SSLEngine on

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

SSLCACertificateFile /etc/apache2/ssl/ca.crt

SSLCARevocationFile /etc/apache2/ssl/crl.pem

SSLVerifyClient require
SSLVerifyDepth 1

< Location />
SSLRequire (%{SSL_CLIENT_S_DN_OU} eq "infosec" )
< /Location>

Then disable http-server on apache:

a2dissite default

and edit ports.conf:

#NameVirtualHost *:80 - comment or delete
#Listen 80 - comment or delete


After this restart apache:

apache2ctl graceful

To configure SSL authentication on mediawiki using certificate CN as username you need to add these strings in your apache config:

< Directory "/var/lib/mediawiki/">
Options None
AllowOverride None
Order allow,deny
Allow from all
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN} =~ m/.*serialNumber=$/
< /Directory>

Then you need to use SSLAuthPlugin.php from guide: http://www.mediawiki.org/wiki/Extension:SSL_authentication depends on your version of mediawiki and add in LocalSettings.php these strings:

#Load SSLAuthPlugin
require_once('extensions/SSLAuthPlugin.php');

#Feel free to use extra PHP code to munge the variables if you'd like
#Additionally if you wish to only map some of the name data, set this to true
#and either blank ssl_RN and ssl_email or comment them out entirely.
$ssl_map_info = false;

#Ssssh.... quiet down errors
#$olderror = error_reporting(E_ALL ^ E_NOTICE);

#Map Real Name from certificate
#Can be DN but is it right?
$ssl_RN = $_SERVER['SSL_CLIENT_S_DN_CN'];

#MW username is required to map to something
#You should beware of possible namespace collisions, it is best to chose
#something that will not violate MW's usual restrictions on characters

#Just using Firstname + Lastname (CN) from Certificate 'will' make collisions... but what to use?
#UN could be md5-hash of DN, but its ugly to use...

$ssl_UN = $_SERVER['SSL_CLIENT_S_DN_CN'];

#Map e-mail to something close?
#Will throw warnings if E-Mail is not set in certificate.
#If so, comment out the next three lines and set $ssl_email empty.
if ($_SERVER['SSL_CLIENT_S_DN_Email'] != )
$ssl_email = $_SERVER['SSL_CLIENT_S_DN_Email'];
else
$ssl_email = ;

#Turn error reporting back on
#error_reporting($olderror);

#Activate SSL Plugin
SSLAuthSetup();