-
Created by
Randy Marchany, last updated on Nov 25, 2008
2 minute read
Synopsis
The CSOC provides a real-time view of the VT network's security status. It monitors and helps to manage all aspects of enterprise security by prioritizing event information sent to it from campus systems and sensors. The CSOC determines the risk level, which assets are affected, discovers and prioritizes events. It recommends solutions to the local administrators and can provide support to those resources if needed. It collects metrics at the local and network level to compile reports. The CSOC uses hardware and software to reduce the large amounts of security information to manageable levels. The CSOC is built and managed by the ITSO.
CSOC Components
The CSOC components include:
- Vulnerability scanners
- Self service vulnerability scanners - http://ids.cirt.vt.edu (replaced SafetyNet)
- Automatic vulnerability scanner from candi4.cirt.vt.edu
- The ITSO uses a combination of freeware and commercial security assessment tools.
- IPS
- Remedy tickets generated by ITSO whenever the IPS detects suspicious outbound attacks originating from VT hosts. ITSO analysts review the data to verify the threat is valid. If so, the trouble ticket is submitted.
- Snort BASE
- Snort Base summarizes IDS data collected from various Snort sensors around campus
- Dshield
- The Dshield system collects firewall logs from campus hosts and makes the data available for reports.
- Security Review data
- Security review information is stored in ITSO databases for review and correlation.
- Hawk-I Asset and Risk management database
- Hawk-I tool provides a way to classify risk and criticality factors for IT assets.
- Security History Tool
- The tool is designed to give the ITSO a "security history" of a VT host. Examples of the information collected by this tool:
- Host contact information, location, MAC Address, portal location, switch address (collected from RDWEB)
- VPN, Wireless access - when was the last time this host accessed the net via VPN or Wireless?
- Security review history - was this machine ever part of an ITSO security review?
- Vulnerability Scanner history - what were the results of the last vulnerability scan done on this host?
- Dshield history - did this host ever appear in our Dshield database?
- IPS history - did this host ever appear in our IPS logs?
- Snort history - did this host ever appear in our Snort databases?
- Syslog history - did this host ever appear in a central syslog database?
- The tool is designed to give the ITSO a "security history" of a VT host. Examples of the information collected by this tool:
- CSOC Main Console
- The main console displays the individual www components on the ITSO flat screen monitors. It provides a single view for ITSO analysts.
- See the Attachment page for architecture, screen shot examples.
CSOC Status
The CSOC is 60% operational as of 11/18/2008. It is located in the IT Security Lab in Torgersen Hall.