Security Operation Center for NCHC
Professor Ce-Kuen Shieh
General Director, National Center for High-performance Computing
National Cheng Kung University

Outline
• Brief Introduction to NCHC
• Purpose of Security Operation Center
• Architecture of SOC
• Features of NCHC SOC
• Main Achievements
• Summary

NARLabs Organization
[Organization chart]
• Board of Directors
• President (advised by a Consultation Committee) and Vice President
• Research centers: Taiwan Typhoon & Flood Research Institute; National Center for High-performance Computing; National Center for Research on Earthquake Engineering; National Chip Implementation Center; Taiwan Ocean Research Institute; National Laboratory Animal Center; National Nano Device Laboratories; Instrument Technology Research Center; National Space Organization; Science & Technology Policy Research and Information Center
• Administrative offices: Planning and Promotion Office; Business Management Office; Administration Office; Finance Office; Accounting Office; Audit Office; Information Management Office

NCHC Milestones
• 1991: Officially founded
• 1993: Hsinchu headquarters opened
• 2003: Became incorporated
• 2005: Tainan office opened
• 2008: Taichung office opened

Categories of NCHC's Tasks
• Service
– Computing
– Storage
– Networking
• Research & Development
– Modeling & Simulation
– Big Data Applications
– Open Source Software Development
– Software Defined Network

HPC, Storage and Network Services
• Open to academic, research, and industrial users
• Supporting 700+ research projects per year
• ALPS (2011): Rmax 177 TFLOPS, 442.00 MFLOPS/W; the Formosa series is built by NCHC itself
• NCHC total computing capacity [chart: Rmax in TF by year: 2008 31.7; 2009 31.7; 2010 46.9; 2011 289.4; 2012 308.9; 2013 308.9]
• Storage capacity
– Three-site, 3-tier backup
– Total capacity 5.4 PB
• TaiWan Advanced Research and Education Network (TWAREN)
– 20 Gbps backbone (toward 100 G)
– 5 Gbps international connection

Self-built Cluster Computers
• 2003 Formosa 1
– The first PC cluster for online service
– 2003 TOP500 #135
• 2005 Formosa 2
– The first 64-bit PC cluster for online service
– 64-bit dual-core CPU and InfiniBand
• 2010 Formosa 3
– Cloud cluster
– Virtualization and green computing
– Cloud IaaS service
• 2011 Formosa 4
– Cloud cluster
– GPU accelerator
• 2012 Formosa 5
– Cloud cluster
– Big memory
– Hybrid-computing platform
• Rankings of the two newest clusters: 2011 TOP500 #232 and #234; 2011 Green500 #62 and #37

Backbone Network Service: TWAREN (TaiWan Advanced Research and Education Network)
• TWAREN
– Domestic backbone: 20 Gbps
• 12 regional networks
• 95 universities & research institutes
• 500K users
– International connection: 5 Gbps
• With 35 international research networks
– Network usability: 99.99%
– Shared with TANet (managed by MOE)
• 4,000 schools, 4M users
• A 100 Gbps backbone is coming by the end of this year
[Figures: TWAREN domestic backbone; TWAREN international connection map]

Cyber Threats to Taiwan
• Taiwan is at the frontline of an emerging global battle for cyberspace
– No. 4 for most botnet activity in 2013 (source: Symantec 2014 Internet Security Threat Report, Volume 19)
– No. 5 among top attack traffic originating countries in 2013 (source: Akamai State of the Internet, Q4 2013 report)

Top Attack Traffic Originating Countries, 2013
Country        Q4'13 Traffic %   Q3'13 %
China          43%               35%
US             19%               11%
Canada         10%               0.40%
Indonesia      5.70%             20%
Taiwan         3.40%             5.20%
Netherlands    2.70%             0.50%
Russia         1.50%             2.60%
Brazil         1.10%             2.10%
Romania        0.90%             1.70%
Germany        0.80%             0.90%
Other          12%               17%

Purpose of SOC
• A Security Operation Center (SOC) ensures the information security of internet users by
– Security device management
– Vulnerability management
– Network threat detection
– Security event management
– Incident response

Architecture of SOC
• People
– Level 1: security operators
– Level 2: security analysts
– Software engineers
– Incident handlers
• Procedure
– Device management
– Threat and vulnerability management
– Incident response
• Software
– Security Information and Event Management (SIEM)
• Hardware
– Security and network devices

Features of NCHC SOC
• Hybrid Intrusion Detection System
• Security Intelligence Dashboard and Visualization of Information Security
• Sharing intelligence with the Information Sharing and Analysis Center (A-ISAC)
• Joint Defense among TANet partners

Hybrid Intrusion Detection System
[Diagram: threats (DDoS, hackers, network worms, phishing emails) are observed by two detection layers whose events feed the SIEM]
• Network Intrusion Detection System: detecting known network attacks by signatures and patterns
• Distributed Honeynet System: collecting unknown network threats and malware samples for further analysis
• SIEM: event correlation and incident identification across both sources

Hybrid Intrusion Detection System (continued)
• Network Intrusion Detection System
– Enterprise and open-source solutions
– APT Mail Detector
– Secure Web Gateway
• Distributed Honeynet System
– Low-interaction honeypots
– Simulating vulnerable systems to observe network threats
– Collecting malware samples and suspicious exploit traffic for further research
– Analyzing malware behavior for potential threats

Distributed Honeynet System
• Using 6,000+ IP addresses for sensor deployment and data collection
• Cooperating with 11 national universities
• Collecting 1,500,000+ malware samples
• Providing a network threat list to TANet partners weekly
• Establishing a malware database

Cyber Intelligence Dashboard
• A web-based system for monitoring, managing, reporting and notifying of events for IP-enabled devices
• A self-developed system based on open source software that provides cost-efficient network management services

Features of NCHC SOC: Security Visualization
[Figure: security visualization screenshots]

Information Sharing and Analysis
NCHC SOC shares intelligence with other partners through Information Sharing and Analysis Centers.
[Diagram]
• A-ISAC (Taiwan Academic Network)
• G-ISAC (Government Service Network): GSN incidents exchanged in both directions
• NCC-ISAC (ISPs): HiNet incidents exchanged in both directions

Incidents Reported by NCHC SOC
• Incidents from TANet users: over 6,000 incidents reported by NCHC SOC in one month
• Incidents from Taiwan ISPs: NCHC SOC detected more than 10,000 incidents of network attacks in one month

Joint Defense of TANet Partners
• 24/7 operation for ensuring the efficiency of incident handling
• NCHC cooperates with 7 regional network centers of the Taiwan Academic Network for network monitoring and threat detection
• Providing digital forensics, malware analysis and other technical support

Main Achievements
• Ensuring information security
– Protecting 4,000+ schools and 5 million users
• Reporting real-time incidents (avg.)
– Taiwan: 12,000+ tickets/month
– International: 2,500+ tickets/month
• Malware collection
– Malware samples: 1.5 million (since 2009)
• Big data (avg.)
– Honeypot: 60 GB/day
– Malware: 1,200+ samples/day
[Diagram: NCHC ASOC partner ecosystem]
– Partners: Telecom ISAC, MSSP/SOC, EC-Cert, G-ISAC, Academic ISAC, government agencies, TWNIC, TWCERT/CC, NTU ASOC, CERTs, ISACs, CSIRTs
– Capabilities: forensics, spam mail analysis, incident management, TWAREN Netflow, malware analysis, search engine, Netflow analysis, malicious list, TWMAN analysis, Honeynet analysis, campus Netflow

Summary
• To adapt to changing network threats, a Hybrid Intrusion Detection System is essential for better security protection and efficient security services.
• The Distributed Honeynet System not only collects network threat samples, but also brings value to information security research.
• Strengthening international technological exchange and academic-industry cooperation to extend the scope of our Joint Defense Alliance is our future job.

Q&A
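The Hybrid Intrusion Detection System slides describe two feeds, NIDS signature alerts for known attacks and honeynet sensor events for unknown threats and dropped malware samples, correlated by a SIEM into incidents and then shared as a weekly threat list with partners. The following is an added example of that correlation step written for this page; it is not code or data from the presentation or from NCHC. The log formats, sensor names (hp-site01 and so on), documentation-range IP addresses, signature names and the sample hash are all constructed, and the severity rules are one illustrative policy, not NCHC's.

```python
"""Toy SIEM-style correlation of NIDS signature alerts with distributed
honeynet sensor events, in the spirit of the Hybrid Intrusion Detection
System slides. Added example: log formats, sensor names, addresses and
hashes are constructed; none of this is NCHC's code or data."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed NIDS alert feed (known attacks matched by signature).
# Addresses are RFC 5737 documentation ranges; signature names are placeholders.
NIDS_ALERTS = """\
2013-12-01T10:00:05 src=203.0.113.7 dst=192.0.2.10 dport=445 sig=SMB-KNOWN-EXPLOIT-SIGNATURE
2013-12-01T10:02:11 src=203.0.113.7 dst=192.0.2.11 dport=445 sig=SMB-KNOWN-EXPLOIT-SIGNATURE
2013-12-01T10:30:40 src=198.51.100.23 dst=192.0.2.20 dport=25 sig=PHISHING-MAIL-ATTACHMENT-PATTERN
"""

# Constructed honeynet feed from low-interaction sensors; sha256 is "-" when
# the connection dropped no file. The hash below is a placeholder, not a real sample.
FAKE_SAMPLE_HASH = "0123456789abcdef" * 4
HONEYNET_EVENTS = f"""\
2013-12-01T10:05:00 sensor=hp-site01 src=203.0.113.7 dport=445 sha256=-
2013-12-01T10:06:30 sensor=hp-site02 src=203.0.113.7 dport=445 sha256={FAKE_SAMPLE_HASH}
2013-12-01T11:15:00 sensor=hp-site03 src=203.0.113.250 dport=22 sha256=-
2013-12-01T11:16:00 sensor=hp-site04 src=203.0.113.250 dport=22 sha256=-
2013-12-01T11:17:00 sensor=hp-site05 src=203.0.113.250 dport=22 sha256=-
"""


@dataclass
class Incident:
    """One correlated incident per attacking source address."""
    src: str
    first_seen: datetime
    last_seen: datetime
    signatures: set = field(default_factory=set)  # known attacks seen by the NIDS
    sensors: set = field(default_factory=set)     # honeypot sensors the source touched
    samples: set = field(default_factory=set)     # sha256 of files dropped on honeypots

    @property
    def severity(self) -> str:
        # Illustrative policy: a source that dropped a sample, or that both
        # detectors saw, gets a ticket immediately.
        if self.samples or (self.signatures and self.sensors):
            return "high"
        # One source reaching several sensors looks like scanning or a worm.
        if len(self.sensors) >= 3:
            return "medium"
        return "low"


def parse_kv(line: str) -> dict:
    """Parse '<iso-timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def correlate(nids_text: str, honeynet_text: str) -> dict:
    """Merge both feeds into incidents keyed by source address."""
    incidents: dict = {}

    def incident_for(rec: dict) -> Incident:
        inc = incidents.get(rec["src"])
        if inc is None:
            inc = incidents[rec["src"]] = Incident(rec["src"], rec["ts"], rec["ts"])
        inc.first_seen = min(inc.first_seen, rec["ts"])
        inc.last_seen = max(inc.last_seen, rec["ts"])
        return inc

    for line in nids_text.splitlines():
        rec = parse_kv(line)
        incident_for(rec).signatures.add(rec["sig"])
    for line in honeynet_text.splitlines():
        rec = parse_kv(line)
        inc = incident_for(rec)
        inc.sensors.add(rec["sensor"])
        if rec["sha256"] != "-":
            inc.samples.add(rec["sha256"])
    return incidents


def threat_list(incidents: dict, min_severity: str = "medium") -> list:
    """Rows (severity, src, signatures, sensor count, sample count) for partners,
    highest severity first; 'low' rows stay with the analysts unless requested."""
    rank = {"low": 0, "medium": 1, "high": 2}
    rows = [
        (inc.severity, inc.src, sorted(inc.signatures), len(inc.sensors), len(inc.samples))
        for inc in incidents.values()
        if rank[inc.severity] >= rank[min_severity]
    ]
    return sorted(rows, key=lambda r: (-rank[r[0]], r[1]))


if __name__ == "__main__":
    for row in threat_list(correlate(NIDS_ALERTS, HONEYNET_EVENTS)):
        print(row)
```

Run stand-alone, the script prints two rows: the source seen by both the NIDS and two honeypots (and which dropped a file) as high, and the source that touched three sensors without a signature match as medium; the phishing-only source stays low and is left out of the shared list. The value of the hybrid design is visible in the first row: neither feed on its own would have put that source at the top.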