All content following this page was uploaded by Stef Schinagl on 07 April 2017.
Stef Schinagl BBA QSA CISA (Noordbeek, stef@noordbeek.com), Keith Schoon BSc QSA CISA (Noordbeek, keith@noordbeek.com), prof. Ronald Paans Ph.D (Noordbeek and VU University Amsterdam, Ronald.Paans@noordbeek.com)

[Figure 1: the business interests to be protected by a SOC. Only the labels survived extraction: Development Process; Supplier Management; IT Service Delivery; D-T-A-P; Service Development & Maintenance; Web Applications; Applications; Arch, Reqs, FD, TD, Build, Test, Accep; DATA; Infrastructure; Internet; DMZ; Outer World; Network Operating Centre; Network (WAN and LANs); Functional & Technical Support; Connections; IDS & IPS; Partners; Office Automation & Mobile; Data centres; Application.]

The model was presented to the Dutch security community, who recognized and accepted it as a model for designing new SOCs or further improving existing SOCs.

2. Background literature

Businesses are embracing cloud solutions, user mobility, expanding social collaboration, and creating and sharing extraordinary volumes of data [15] [7]. The combination of business and IT transformation, compliance and governance demands, and the onslaught of security threats continues to make the job of safeguarding data assets a serious challenge for organizations of all types [Trust 2013].

2.1. Cyber-attacks

Today’s reality is ‘no matter what business you are in, no matter where in the world you are, if you have got data, your business is at constant risk’. From the outside in, to the inside out, threats are increasing as quickly as you can implement measures against them [15]. In a similar way, EY states that ‘in today’s world of intense use of technology and not enough security awareness on the part of users, cyber-attacks are no longer a matter of if but when’. We live in an age where information security prevention is no longer optional [2]. Attacks are any kind of malicious activity that attempts to collect, disrupt, deny, degrade or destroy information system resources or the information itself. This translates to 137.4 million attacks annually, 2.6 million weekly and 0.37 million daily [6].

The primary data type targeted by attackers in 2012 was cardholder data. Criminals also sought personally identifiable information, which has some monetary value, but not as much as cardholder data. Therefore, the primary targets of cyber criminals in 2012 were Retail (45%), Food & Beverage (24%) and Hospitality (9%). Surprisingly, Financial Services came fourth (7%), followed by the Non-profit sector (3%) [15].

Cyber-attacks and intrusions are nearly impossible to avoid, given the openness of today’s networks and the growing sophistication of advanced threats [14]. In response, the practice of cybersecurity should focus on ensuring that intrusion and compromise do not result in business damage or loss [13]. Preparing for known attacks is hard enough. But how do organizations build controls for the security risks they do not even know about yet [2]? Some guidance can be found in the publications of the US National Institute for Standards and Technology (NIST).
2.2. Definition of a SOC and its mission

A Security Operations Centre (SOC) functions as a team of skilled people operating with defined processes and supported by integrated security intelligence technologies. The SOC specifically focuses on cyber threat monitoring, forensic investigation, and incident management and reporting [6], under the umbrella of an overall security operations environment and clear executive support. Without such an umbrella, a SOC is ineffective, and its value is not realized. A bottom-up or grassroots approach to security has a minimal chance of survival and an even smaller chance of success [2].

The business interests to be protected by a SOC are depicted in Figure 1. The user organizations and their relations, such as customers and partners, are essential. They exchange electronic messages and transactions, each representing a particular value. This exchange of information between organizations and their relations can be roughly divided into - more or less - privacy sensitive, confidential, or finance related. The exchange of value between organizations and people is depicted in green at the top of Figure 1. The capability to exchange and process data is provided by IT, with its (web) applications and data storage. From a security perspective, functionality and data are the principal objects to protect. One has to ensure the confidentiality, integrity and availability of IT service delivery.

The applications are acquired via ‘make or buy’: via Service Development and Maintenance for ‘make’ and Supplier Management for ‘buy’. An increasing number of organizations have adopted methods for Secure Service Development, with sophisticated risk and vulnerability analysis methods, explicit security requirements, involvement of SOC staff for penetration tests and code reviews during the development stages, and security acceptance criteria [9].

A major part of a SOC’s attention is focused on the technical infrastructure, with the networks, external connections, office automation, mobile solutions and the servers running the applications and processing the data. The SOC performs continuous monitoring, vulnerability scans, compliance scans, log data collection, etc.

2.3. Detection and Tooling

The primary function of a SOC is continuous monitoring: to become rapidly aware of attacks by malware, DDoS, viruses, hackers, and so on, and to pay attention to malicious activities by people such as employees, subcontractors, guests and outsiders. For this, the SOC analysts need to recognize attack patterns, the inherent and specific weaknesses of their own IT infrastructure and information systems, and the habits and behavior of the regular users.

Organizations must assign highly competent security resources towards rapid threat detection and remediation [13]. A well-functioning SOC can form the heart of effective detection. It can enable information security functions to respond faster, work more collaboratively and share knowledge more effectively [2]. With the understanding that attacks can never be completely prevented, companies should advance their detection capabilities so they can respond appropriately.

Organizations sometimes invest in ‘fancy’ tooling. The tools are not the Silver Bullet that will protect them from cyber threats outside or already inside the security perimeter [2]. The competences and experience of the staff of the SOC are much more important. Since highly qualified analysts are scarce, this is where organizations struggle the most.

Attacks have grown significantly in complexity, rendering the majority of ‘Off the Shelf’ detection solutions ineffective [15]. Be aware that some 48% of the tooling belongs to this category. In addition, due to advanced subterfuge techniques, malware often goes unnoticed by system administrators despite being clearly visible to experienced investigators. We have to rely on the human factor, i.e. the analysts, to outsmart the sophisticated attackers.

Security event visualization is still rare in most organizations today. Many security professionals conduct manual log reviews or perform ‘spreadsheet’ analyses, and for some, implementation of basic Security Information and Event Manager (SIEM) technology is as far as they go. However, the ultimate goal should be to develop an environment in which security events are discovered by security professionals within the organization. Data aggregation or correlation as seen in a SIEM is assumed to be beneficial to real-time security event visualization and notification [15].

2.4. People, awareness and competences

A fundamental component of continuous monitoring is the analysis of the collected data, carried out by the analysts working in the SOC [12]. This is a value-added activity, since highly qualified analysts with acknowledged competences are in charge of both preparation and management of complex security investigations. At the core of a successful SOC is a firm foundation for operational excellence driven by well-designed and executed processes, stable governance, capable individuals and a constant drive for continuous improvement to stay ahead of cyber adversaries [2]. SOCs need collaborative, cross-disciplinary teams with
highly specialized skill sets to combat advanced cyber threats. However, the security community faces a serious shortage of such skills and qualified personnel [13].

Moreover, employees leave the door open to further attacks. Whether it is due to lack of education or policy enforcement, employees happen to pick weak passwords, click on phishing links and share company information on social and public platforms [15].

A complicating factor for establishing cybersecurity is outsourcing. Many third-party vendors do not allow customer organizations to perform logging and monitoring, although their engineers sometimes leave the door open for attacks, as they do not necessarily keep the client’s security interest in mind [15].

3. Research and measurement method

For the research method, ‘Case Study Research, Design and Methods’ of Robert K. Yin [17] was used. Yin describes six stages, which we tailored as follows:

Stage 1, the ‘Plan’ phase, has the character of an inventory. We collected literature, visited some SOCs and defined the research question and subquestions. The central question is: ‘What is an effective framework for designing and implementing a SOC to increase the robustness of e-businesses and their customers against cyber-attacks and IT abuse?’ The three subquestions are:
♦ ‘Does literature provide guidance for designing an effective SOC?’
♦ ‘Which standard functions can be identified when analyzing the design and operations of existing SOCs?’
♦ ‘How can a SOC provide effective security services to multiple user organizations and IT organizations?’

Then, we drafted an initial model for a framework, based on input from experts and our expectation of what the common functions should be. This model is used during the interviews and workshops to confirm or reject certain parts of the SOC’s functionality.

Stage 2, the ‘Design’ phase, is used to draft a measurement method to assess the effectiveness of a SOC’s operations, supported by visual spider diagrams and questionnaires. We made a list of organizations, to visit their SOCs and interview their security staff.

During stage 3, the ‘Prepare’ phase, we performed a pilot at an organization with a SOC that had already been operating for several years. In close cooperation with the analysts of this SOC and via workshops, we improved the assessment method and the questionnaires, to make them suitable for assessing a multitude of different SOC implementations.

Stage 4, the ‘Collect’ phase, consists of the site visits, observations, interviews and workshops, resulting in a research database. We discussed the functional building blocks, the existing problems and the current and future objectives with one or more analysts of each SOC and our colleagues.

Stage 5, the ‘Analyze’ phase, is used to finalize the draft theoretical propositions using the quantitative and qualitative evidence collected.

During stage 6, the ‘Share’ phase, we wrote our report and organized a number of workshops with representatives of the SOCs visited, adapting the draft model until consensus was found. We then presented our research outcome and model to several committees of the security community, who confirmed the model.

4. Observations and analyses

Because each SOC is as unique as the organization it belongs to, it is critical to understand the factors that influence their result. A SOC can include all internal operations, processes, technologies and staff, rely heavily on external provider-managed services, or can be a hybrid of out-tasked and internal capabilities. To determine the right balance for an organization, one has to consider cost, skills availability, single point versus multiple global locations, and the importance of around-the-clock coverage and support [6].

4.1. Assessment method

For the assessment method, some of these factors have been combined, and other aspects such as competences and experience have been added. The questionnaire is divided into four groups, i.e. sharing knowledge, secure service development, continuous monitoring and damage control. The rating per axis is: 1 = unsatisfactory, 2 = concerned, 3 = suboptimal, 4 = satisfactory, 5 = desired level. The rating is relative to the organization’s level, i.e. its objective per axis. The visual representation is shown in Figure 2.

[Figure 2: spider diagram of the score axes, scale 0 to 5. Axis labels recovered from the figure: Security Governance, Security Policy, Threats and Risks, Incident Management, Cyber Intelligence, External Information, Consultant’s Experience, Security Requirements, Testing, Risk Acceptance, Pentests, Code reviews, Analyst’s Experience, Damage Controller’s Experience, Operational Security, Security Awareness, Tooling; group labels: Intelligence, Secure Service Development, Sharing, Monitoring.]
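The scoring rule in section 4.1 (four questionnaire groups, ratings 1 to 5, each rating judged against the organization’s own objective per axis) can be carried through on a sample assessment. The following is an added example, not code from the paper or its authors: the group names, the 1 to 5 scale and the axis names come from the page; the assignment of axes to groups and the sample ratings and objectives are assumptions constructed for illustration.

```python
"""Worked example (added here, not from the paper): scoring one SOC
assessment in the style of section 4.1. From the page: the four groups, the
1-5 rating scale and the axis names in Figure 2. Assumed for illustration:
which axis belongs to which group, and the sample ratings and objectives."""
from dataclasses import dataclass
from statistics import mean

# Rating scale from section 4.1.
SCALE = {1: "unsatisfactory", 2: "concerned", 3: "suboptimal",
         4: "satisfactory", 5: "desired level"}

# Axis-to-group mapping: the group names are the paper's; the assignment of
# axes to groups is an assumption made for this example.
GROUPS = {
    "sharing knowledge": ["Cyber Intelligence", "External Information",
                          "Security Awareness"],
    "secure service development": ["Security Requirements", "Testing",
                                   "Risk Acceptance", "Pentests",
                                   "Code reviews"],
    "continuous monitoring": ["Monitoring", "Operational Security", "Tooling"],
    "damage control": ["Incident Management", "Threats and Risks"],
}
ALL_AXES = {axis for axes in GROUPS.values() for axis in axes}


@dataclass(frozen=True)
class AxisResult:
    axis: str
    rating: int      # where the SOC stands today, 1..5
    objective: int   # the organization's own target for this axis, 1..5

    @property
    def gap(self) -> int:
        # Positive gap = below the organization's objective. Section 4.1 rates
        # relative to the organization's level, not against an absolute 5.
        return self.objective - self.rating


def _check(scores: dict, what: str) -> None:
    """Reject unknown axes, out-of-range values and incomplete questionnaires."""
    for axis, value in scores.items():
        if axis not in ALL_AXES:
            raise ValueError(f"unknown axis in {what}: {axis!r}")
        if value not in SCALE:
            raise ValueError(f"{what} for {axis!r} must be 1..5, got {value!r}")
    missing = ALL_AXES - scores.keys()
    if missing:
        raise ValueError(f"{what} missing axes: {sorted(missing)}")


def assess(ratings: dict, objectives: dict) -> dict:
    """Return {group: [AxisResult, ...]} after validating both inputs."""
    _check(ratings, "rating")
    _check(objectives, "objective")
    return {group: [AxisResult(a, ratings[a], objectives[a]) for a in axes]
            for group, axes in GROUPS.items()}


def group_scores(results: dict) -> dict:
    """Mean rating per group: one value per quadrant of the spider diagram."""
    return {group: mean(r.rating for r in rows)
            for group, rows in results.items()}


def priorities(results: dict) -> list:
    """Axes below their objective, largest gap first (ties alphabetical)."""
    below = [r for rows in results.values() for r in rows if r.gap > 0]
    return sorted(below, key=lambda r: (-r.gap, r.axis))


# Constructed sample input for one fictional SOC (not a SOC from the study).
SAMPLE_RATINGS = {
    "Cyber Intelligence": 2, "External Information": 3, "Security Awareness": 3,
    "Security Requirements": 4, "Testing": 3, "Risk Acceptance": 4,
    "Pentests": 5, "Code reviews": 2,
    "Monitoring": 4, "Operational Security": 4, "Tooling": 3,
    "Incident Management": 4, "Threats and Risks": 3,
}
SAMPLE_OBJECTIVES = {axis: 4 for axis in ALL_AXES}
SAMPLE_OBJECTIVES.update({"Pentests": 5, "Code reviews": 4, "Monitoring": 5})

if __name__ == "__main__":
    res = assess(SAMPLE_RATINGS, SAMPLE_OBJECTIVES)
    for group, score in group_scores(res).items():
        print(f"{group:28s} {score:.2f}")
    for r in priorities(res):
        print(f"gap {r.gap}: {r.axis} ({SCALE[r.rating]}, objective {r.objective})")
```

Re-running `assess` on a later questionnaire and comparing `priorities` between the two runs is the periodic progress check described at the start of section 4.2; the per-group means are the values one would plot on the four quadrants of the spider diagram.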
For each SOC visited, a spider diagram was drafted and discussed with the SOC analysts until it was a reasonable interpretation of the effectiveness of the SOC’s operational activities. Using this assessment method periodically, one may monitor the progress of improvement activities.

4.2. Assessment results

Each SOC has a unique design and implementation. Since no generally accepted framework exists, each SOC was formed through organic growth. The security processes are tailored by one or some experts according to the funds and staffing available, on a best-effort basis, based on their personal skills and competences. Using opportunities, they created something which is, in their opinion, the right solution for the challenges of their organization.

All of the SOCs were part of or related to the IT department. There are some typical implementation forms, e.g.:
♦ Integral SOC: This type of SOC is a center of expertise involved in both secure service development and infrastructure support and operations. We could only find and visit one instance of such an integral SOC during our research. The advantage of an integral approach is that the same analysts and consultants are involved in making new services secure during the acquire phase, while later being involved in compliance scanning and continuous monitoring. This is optimal sharing of knowledge;
♦ Technology driven SOC: The majority of SOCs is focused on infrastructure support and operations. They are located between functional support, and network and system administrators. This is an effective positioning, since they know what happens in the operational environment and interact directly with the engineers. However, their impact on preventive actions such as making new services secure is limited;
♦ Partly outsourced SOC: One SOC consisted of technical security officers, analysts and penetration testers. Because of the infrastructure, scanning and continuous monitoring had been outsourced to the hosting provider. It turns out that knowledge sharing and cooperation had a low rating, since human interaction was very limited in this outsourcing relationship;

[Figure: framework diagram, of which only the labels survived extraction: Governance & Control; CENTRAL CERT; CISO; Mission of Organization; Security Goals; Generic analysis of intelligence; Governance objectives; IB Beleid (information security policy); CIO; Security organization; MONITORING function; Observation; Logs; SOC Filter; Infrastructure; Log collection and selection; SIEM; Security Incident Process; PENTEST function; SOC; 4 to 5 Alerts or Events per day.]
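The monitoring chain in the figure above (log collection, a filter, a SIEM, and a handful of alerts or events per day) is the “data aggregation or correlation” that section 2.3 attributes to a SIEM. The following added example, which is not code from the paper, its authors or any SIEM product, shows the two steps on constructed input: a filter that keeps only authentication events from sshd-style log lines, and a correlation that aggregates them per source address across hosts and raises only two alerts from seven events. Host names, addresses, log lines, the failure threshold and the time window are all constructed assumptions.

```python
"""Worked example (added here, not from the paper): the filter and correlation
steps of the monitoring chain sketched in the figure, applied to constructed
log lines. The two rules are generic illustrations, not a product's rule set."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style lines from two hosts, as delivered by log collection.
# Timestamps are ISO 8601 so the parser stays small.
SAMPLE_LOG = """\
2013-05-02T08:00:01 web01 sshd[4711]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2
2013-05-02T08:00:03 web01 sshd[4711]: Failed password for root from 203.0.113.9 port 51002 ssh2
2013-05-02T08:00:05 db01 sshd[2201]: Failed password for root from 203.0.113.9 port 51003 ssh2
2013-05-02T08:00:06 db01 sshd[2201]: Failed password for root from 203.0.113.9 port 51004 ssh2
2013-05-02T08:00:09 db01 sshd[2205]: Accepted password for root from 203.0.113.9 port 51005 ssh2
2013-05-02T08:30:00 web01 sshd[4800]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2013-05-02T09:15:00 web01 sshd[4801]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
2013-05-02T10:00:00 web01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<src>\S+) port")


def parse(text: str) -> list:
    """Filter step: keep only authentication events, normalised to dicts.
    Lines that are not auth events (the cron line) are dropped here."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = AUTH_RE.match(m["msg"])
        if not a:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "user": a["user"], "src": a["src"],
                       "ok": a["result"] == "Accepted"})
    return events


def correlate(events: list, threshold: int = 4,
              window: timedelta = timedelta(minutes=5)) -> list:
    """Aggregation step: group events per source address across all hosts,
    then apply two rules. Threshold and window are constructed defaults."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        failures = [e for e in evs if not e["ok"]]
        # Rule 1: at least `threshold` failures from one source within
        # `window`, counted across hosts (a single host would see fewer).
        for i, first in enumerate(failures):
            run = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            if len(run) >= threshold:
                alerts.append({"rule": "auth-failure-burst", "src": src,
                               "count": len(run),
                               "hosts": sorted({e["host"] for e in run})})
                break
        # Rule 2: a success from the same source shortly after a failure.
        for e in evs:
            if e["ok"] and any(not f["ok"] and
                               timedelta(0) <= e["ts"] - f["ts"] <= window
                               for f in evs):
                alerts.append({"rule": "success-after-failures", "src": src,
                               "host": e["host"], "user": e["user"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

The single failed login for `alice` followed by a key-based success 45 minutes later produces no alert, which is the point of the window: correlation reduces a stream of events to the few items an analyst should actually look at, in line with the “4 to 5 alerts or events per day” the figure shows leaving the SIEM.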
offer. So, the manager of the SOC must always expect to lose one or two of the most experienced penetration testers, and has to employ one or two juniors who need time to be educated and trained. If the manager wants a core team of four mid-level or senior penetration testers continuously, he or she must employ a group of seven.

5.1. Anchoring the SOC

Each of the SOC’s functions has inseparable relationships with functions within the user and IT organizations. In Figure 4, these relationships are shown.

The Intelligence function of the SOC maintains a close relationship with the user organization, since it has to focus on protecting against threats specific for this business, and the customer and user community. This task can only be performed with sufficient knowledge of the user organization, being aware of all relevant changes, and with close contact with the CISO, Information Security Officer (ISO), security staff, information managers, project leaders, architects, etc. Hence, there must be at least one analyst within the Intelligence function, acting as liaison for the user organization.

Three functions of the SOC, i.e. Intelligence, Baseline Security and Monitoring, need a close relationship with the engineers and staff of Functional and Technical Support within the IT organization. They must be aware of the changes affecting security, security incidents, release management, patch management, etc., and must give instructions about the hardening process, high priority and security patches, settings for security related parameters, logging and collecting logging information, etc. Moreover, they need to be authorized to access many sensitive parts of the network and systems to perform their investigations. At the very least, the SOC needs a liaison within the IT organization, in Figure 5 indicated as a specialized Security engineer. This engineer is the primary entry point for the SOC.

5.2. Providing security to multiple user and IT organizations

The third sub-question for this research is: ‘How can a SOC provide adequate security services to multiple user organizations and IT organizations?’ The reason for asking this question is that skilled analysts are scarcely available, tooling for each SOC is expensive, and tailoring and maintaining the tooling turns out to be an awkward and time-consuming process. Hence the search for ways to let the SOC of one organization provide security services to another organization, which is beneficial for large companies with multiple divisions or a government with many governmental agencies. Exploiting the inseparable relationships, as explained above, Figure 5 shows an answer to this question.

In the case of supporting multiple organizations, the SOC has to implement dedicated communication lines at the business side. Within the Intelligence function of the SOC, there should be a dedicated liaison for each user organization, knowing the business and intimately interacting with the relevant actors within the business. The user organization performs the Business Impact Analyses (BIAs), Risk Analyses (RAs) and Privacy Impact Assessments (PIAs). So information about the requirements for confidentiality, integrity and availability is provided to the SOC, which can focus on the threats and vulnerabilities relevant to the particular business.

At the IT side, there is also a liaison required per IT organization. This liaison should be a person located between the support staff and engineers of this IT organization. This person is the local Security engineer, who is aware of all security related changes, security incidents, configurations, settings, and so on, within the IT organization. He or she gives such information to the SOC and passes guidance and instructions from the SOC to the support staff and engineers.

By appointing liaisons at the business and the IT side, the SOC will be able to ensure the inseparable relationships, vital to efficiently delivering the security services required.

6. Evaluation

Assuming this model is adopted by a country to protect e-government services for multiple agencies, a number of practical issues have to be solved. If, for example, the SOC operates for more than one Ministry, the individual ministerial responsibility is an issue. In the case of a severe incident, which minister has to submit to parliament – the minister responsible for the SOC or the minister who suffered the cyber-attack? Another point of discussion is funding, which is mainly an issue if a SOC is used to protect a chain crossing a number of agencies and private parties. There are a number of leads for further research in this area.

7. Conclusions

The primary recommendation is not to re-invent the wheel multiple times. It makes no sense to create tens of SOCs, knowing that there is only a very limited number of very skilled analysts available, and many SOCs struggle with implementing and tailoring (expensive) tooling in a meaningful way. Such problems can be solved by an increase of scale, e.g., by creating one SOC for an important chain. For a country, this may be one SOC for the large financial streams and e-governance, such as taxes, subsidies and pensions, one SOC for law enforcement, courts and penitentiary institutes, one SOC for the vital infrastructure, etc. Since the framework is focused on a SOC operating for multiple user and IT organizations, it allows for such a form of concentration.

8. Acknowledgment

We appreciate the close cooperation with many organizations and authorities. They have provided many insider details about the operational processes and have participated in the completion of this framework for a SOC. In addition, we want to thank the staff of VU University Amsterdam for their support in writing a graduate thesis about this subject.

9. References

[1] Bashar Matarneh, H., “World Financial Crisis and Cybercrime”, 2011.
[2] EY, “Security Operations Centres against Cybercrime, Top 10 Considerations for Success”, 2013.
[3] FOX IT, “Black Tulip, Report of the Investigation into the DigiNotar Certificate Authority Breach”, 2012.
[4] Hoepman, J.-H., Jacobs, B., Vullers, P., “Privacy and Security Issues in e-Ticketing - Optimisation of Smart Card-based Attribute-proving”, in V. Cortier, M. Ryan and V. Shmatikov (eds), Proceedings Workshop on Foundations of Security and Privacy, FCS-PrivMod 2010, Edinburgh, UK, 2010.
[5] HP Enterprise Security Business Whitepaper, “Building Successful Security Operations Centre”, 2011.
[6] IBM, “Strategy Considerations for Building a Security Operations Centre”, 2013.
[7] General of the Army Marc Watin-Augouard, Gendarmerie Nationale France, “Prospective Analysis on Trends in Cybercrime from 2011 to 2020”, 2011.
[8] McAfee White Paper, “Creating and Maintaining a SOC, the Details behind Successful Security Operations Centres”, 2011.
[9] Microsoft, “Simplified Implementation of the Microsoft Security Development Lifecycle”, 2010.
[10] National Cyber Security Centre (NCSC) Netherlands, “Cyber Security Assessment Netherlands”, 2013.
[11] Nohl, K., “Mifare security”, 24th Chaos Communication Congress, 2007.
[12] Reply Communication Valley, “Security Operation Centre”, 2011.
[13] RSA Technical Brief, “Building an Intelligence-driven Security Operations Centre”, 2013.
[14] Security & Defence Agenda (SDA), Belgium, “Cybersecurity: The Vexed Question of Global Rules”, 2012.
[15] Trustwave, “2013 Global Security Report”, 2013.
[16] US Intelligence Community, National Intelligence, “Information Sharing Strategy”, 2008.
[17] Yin, R.K., “Case Study Research Design and Methods”, 2009.