Next Generation Security Operation Center for NCHC

Download Report

Transcript Next Generation Security Operation Center for NCHC

Security Operation Center for
NCHC
Professor Ce-Kuen Shieh
General Director, National Center for High-performance
Computing
National Cheng Kung University
Outline
•
•
•
•
•
•
Brief Introduction to NCHC
Purpose of Security Operation Center
Architecture of SOC
Features of NCHC SOC
Main Achievements
Summary
2
NARLabs Organization
Board of Directors
President
Consultation Committee
Vice President
Taiwan Typhoon & Flood Research Institute
National Center for High-performance
Computing
National Center for Research on Earthquake
Engineering
National Chip Implementation Center
Taiwan Ocean Research Institute
National Laboratory Animal Center
National Nano Device Laboratories
企 業 行 財 稽
Instrument Technology
政 務Center
核
劃 務 Research
考 推 管 會 室
廣 理 計
核Organization
National Space
室 室 室 室
Science & Technology Policy Research and
Information Center
資
訊
管
理
室
NCHC Milestones
2008
Taichung Office
Opened
2005
2003
Tainan Office
Opened
Became
Incorporated
1993
Hsinchu Headquarters
Opened
1991
Officially Founded
4
Categories of NCHC’s Tasks
• Service
– Computing
– Storage
– Networking
• Research & Development
–
–
–
–
Modeling & Simulation
Big Data Applications
Open Source Software Development
Software Defined Network
5
HPC, Storage and Network Services
• Open to academic, research, and Industrial users
• Supporting 700+ research projects per year
ALPS, 2011: Rmax 177 TFLOPS, 442.00 MFLOPS/W
Formosa series built by ourselves
NCHC Total Computing Capacity
Storage Capacity
TaiWan Advanced Research and
Education Network (TWAREN)
• 20Gbps backbone (Toward 100 G)
• 5Gbps international connection
Rmax(TF)
• Three-site, 3-tier backup
• Total capacity 5.4 PB
400
289.4 308.9 308.9
300
200
100
0
31.7
31.7
46.9
2008 2009 2010 2011 2012 2013
Year
6
Self-built Cluster Computers
2012
Formosa 5
2011
2005
2003
Formosa 1
• The first PC
Cluster for
online
service
Formosa 2
• The first 64-bit •
PC Cluster for •
online service
• 64-bit Dual- •
Core CPU and
InfiniBand
2010
Formosa 3
Cloud Cluster
Virtualization and
Green Computing
Cloud IaaS Service
Formosa 4
• Cloud Cluster
• GPU accelerator
• Cloud Cluster
• Big memory
• Hybrid-Computing
Platform
2011 TOP500 #232
2011 TOP500 #234
2011 Green500 #62
2011 Green500 #37
2003 TOP500 #135
7
Backbone Network Service
TWAREN
TaiWan Advanced &
REsearch Network
• TWAREN
– Domestic backbone : 20Gbps
• 12 regional networks
• 95 universities & research institutes
• 500K users
– International connection : 5Gbps
• w/35 int’l research networks
– Network usability : 99.99%
– Shared with TANET (managed by MOE)
• 4000 schools, 4M users
TWAREN Domestic Backbone
TWAREN跨國連網圖
TWAREN International
Connection
•100Gbps backbone is coming by the end of this year
8
Cyber Threats to Taiwan
• Taiwan is at the frontline in an emerging global
battle for cyberspace
– No.4 of Most Botnet Activity in 2013
– No.5 of Top Attack Traffic Originating Countries in
Top Attack Traffic Originating Countries
2013
Country
Q4'13 Traffic %
Q3'13 %
4
Source from: Symantec 2014 Internet Security Threat Report, Volume 19
5
China
43%
35%
US
19%
11%
Canada
10%
0.40%
Indonesia
5.70%
20%
Taiwan
3.40%
5.20%
Netherlands
2.70%
0.50%
Russia
1.50%
2.60%
Brazil
1.10%
2.10%
Romania
0.90%
1.70%
Germany
0.80%
0.90%
Other
12%
17%
Source from: AKAMEAI’s state of the Internet, Q4 2013 report
9
Purpose of SOC
• Security Operation Center (SOC) is to ensure
information security of internet users by
–
–
–
–
–
Security device management
Vulnerability management
Network threat detection
Security event management
Incident response
10
Architecture of SOC
Procedure
Device
Management
Level 2
Security
Analysts
Threat and
Vulnerability
Management
Software
Engineers
Incident
Response
Incident
Handlers
People
Level 1
Security Operators
Software
Security Information and Event Management
(SIEM)
Hardware
Security and Network Devices
11
Features of NCHC SOC
• Hybrid Intrusion Detection System
• Security Intelligence Dashboard and
Visualization of Information Security
• Sharing intelligences with Information Sharing
and Analysis Center (A-ISAC)
• Joint Defense among TANet partners
12
Hybrid Intrusion Detection System
Detecting Known network attacks
by signatures and patterns.
DDoS
Network Intrusion
Detection System
Hackers
SIEM
Network Worms
Phishing
emails
Distributed
Honeynet
System
Event Correlation and
incident identification
Collecting Unknown network threats and
malware samples for further analysis.
13
Hybrid Intrusion Detection System
• Network Intrusion Detection System
– Enterprise and Open-source solutions
– APT Mail Detector
– Secure Web Gateway
• Distributed Honeynet System
– Low-interaction honeypots
– Simulating vulnerable systems for network threats
– Collecting malware samples and suspicious exploit
traffic for further research
– Analyzing Malware behavior for potential threats
14
Distributed Honeynet System
• Using 6000+ IP address
for sensor deployment
and data collection
• Cooperating with 11
National Universities
• Collecting 1,500,000+
malware samples
• Providing network
threat list for TANet
partners weekly
• Establishing Malware
Database
15
Cyber Intelligence Dashboard
• A web-based system for monitoring, managing,
reporting and notifying of events for IP enabled devices
• A Self-developed system based on open source
software to
provides cost-efficient network management services
16
Features of NCHC SOC
-Security Visualization
17
Information Sharing and Analysis
NCHC SOC shares
intelligence with other
partners through Information
Sharing and Analysis
Centers .
Taiwan
Academic
Network
G-ISAC
GSN Incidents
A-ISAC
Hinet Incidents
GSN Incidents
HiNet Incidents
NCHC SOC
Government
Service
Network
NCC-ISAC
ISPs
18
Incident Reported by NCHC SOC
Incidents from TANet users
Over 6,000 Incidents reported
by NCHC SOC in one month.
Incidents from Taiwan ISPs
NCHC SOC detected more
than 10,000 Incidents of
network attacks in one
month
19
Joint Defense of TANet partners
• 24/7 operation for ensuring
the efficiency of incident
handling.
• NCHC cooperates with 7
regional network centers
of Taiwan Academic
Network for network
monitoring and threat
detection.
• Providing digital forensics,
malware analysis and other
technical supports
20
Main Achievements
• Ensuring Information Security
– Protecting 4,000+ schools and
5 Million users
Telecom
ISAC
MSSP/SOC
EC-Cert
• Reporting real-time Incidents(Avg.)
G-ISAC
Academic
ISAC
GOV Agencies
– Taiwan: 12,000+ tickets/month
– International: 2,500+ tickets/month
TWNIC
TWCERT/CC
NTU
ASOC
NCHC
ASOC
• Malware Collection
– Malware Samples: 1.5 Million(since
CERT
ISAC
CSIRT
Forensics
SPAM Mails
Analysis
Incident
Management
TWAREN
Netflow
Malware
Analysis
Search Engine
2009)
• Big Data(Avg.)
– Honeypot: 60GB/day
– Malware: 1200+ sample/day
Netflow
Analysis
Malicious list
TWMAN
Analysis
Honeynet
Analysis
Campus
Netflow
21
Summary
• To adapt with the changing network threats,
Hybrid Intrusion Detection Systems is essential
for bettering security protection and provide
efficient security services.
• Distributed Honeynet System not only collects
network threat samples, but also brings values to
information security researches.
• Strengthening International technological
exchange and academic-industry cooperation to
extend the scope of our Joint Defense Alliance
are the our future job.
22
Q&A
23