A design model for a Security Operations Centre (SOC)

10 July 2015

Owning a SOC is an important status symbol for many organizations. Although the concept of a ‘SOC’ can be considered a hype, only a few of them are actually effective in counteracting cybercrime and IT abuse. A literature review reveals that there is no standard framework available and no clear scope or vision on SOCs. In most of the papers, specific implementations are described, although often with a commercial purpose. Our research is focused on identifying and defining the generic building blocks for a SOC and to draft a design framework. In addition, a measurement method has been developed to assess the effectiveness of the protection provided by a SOC.

Society is continuously under attack from hackers, criminals and other malicious actors. For example, an attack on the Dutch SSL certificate provider Diginotar succeeded in June 2011. The attackers collected the private keys and issued rogue certificates that were later abused in a large-scale attack in August of 2011. [FOXI12] This attack damaged many government agencies, forcing them into expensive replacement of all SSL certificates.

Businesses are embracing cloud solutions, user mobility, expanding social collaboration, and creating and sharing extraordinary volumes of data.[ZIMM14] [TRUS13] [WATI11] The combination of business and IT transformation, compliance and governance demands, and the onslaught of security threats continues to make the job of safeguarding data assets a serious challenge for organizations of all types. [TRUS13]

Citizens and organizations are rapidly becoming more vulnerable to cyber-attacks because of increasing dependency on vulnerable techniques. An example is the Dutch chip for e-ticketing for national public transportation, the OV-chipkaart, which was successfully hacked several times between 2007 and 2011, allowing travelers to manipulate their accounts and to travel for free. [NOHL07] [HOEP10] Other examples are the online Dutch payment system IDEAL for bank transactions and the citizens’ identity verification DigiD; both attacked via DDoS. The increasing number of attacks and vulnerabilities is also observed by the Dutch National Cyber Security Centre. [NCSC13] [TRUS13] [WATI11] Society’s increasing dependence on IT results in more severe consequences when IT fails to function.

This awkward situation was made worse by the financial crisis as budgets were cut and unemployment rose, having adverse effects on cybercrimes in many ways. Firstly, private and public organizations spend less modernizing IT and improving information security. Secondly, a crisis makes it easier for criminal groups to recruit skilled employees since the group of unemployed and perhaps vengeful and unhappy people is growing. [WATI11] In addition, citizens feel some uncertainty, which is abused by cybercriminals via finance related attacks. [BASH11]

In response, many organizations are trying to protect their business processes by implementing additional measures for information security. One of these measures is setting up a Security Operations Centre (SOC), assuming this would be the solution to counteract cyber attacks and abuse. These organizations are faced with a real challenge, i.e. the absence of an explicit model and guidance on how to establish a SOC. Each organization has to re-invent the wheel, leading to a diversity of implementation forms, and high costs.

Research: A framework for a SOC

Noordbeek collaborated with VU University Amsterdam to investigate common practices for private and public SOCs and to develop a framework for the design and implementation of an effective SOC. This research focused on modelling the structure of a SOC with the goal to assist large companies and governmental agencies in establishing SOCs which can offer effective cyber security to multiple organizations.

For designing our research approach, we used Yin [YIN09]. In this context, we visited a number of SOCs, mapped their activities, measured the effectiveness of their performance, analyzed their problems and developed a generic model based on their common aspects. This model contains five basic elementary functions, called the building blocks of a SOC. This structure was verified in collaboration with the stakeholders from the participating SOCs and was validated by them.

The central question is: What is an effective framework for designing and implementing a SOC to increase the robustness of e-businesses and their customers against cyber-attacks and IT abuse? The three subquestions are:

Does literature provide guidance for designing an effective SOC?

Which standard functions can be identified when analyzing the design and operations of existing SOCs?

How can a SOC provide effective security services to multiple user organizations and IT organizations?

The model was presented to the Dutch government security community, who recognized and accepted it as a model for designing new SOCs or further improving existing SOCs.

Observations and analyses

Because each SOC is as unique as the organization it belongs to, it is critical to understand the factors that influence their result. A SOC can include all internal operations, processes, technologies and staff, rely heavily on external provider-managed services, or can be a hybrid of out-tasked and internal capabilities. To determine the right balance for an organization, one has to consider cost, skills availability, single point versus multiple global locations, and the importance of around-the-clock coverage and support. [IBM13]

The first sub-question for this research is: Does literature provide guidance for designing an effective SOC? Research shows that literature on SOCs is accessible, yet it offers few attempts at establishing an unambiguous framework. The scarce attempts at a design model are very diverse and are more or less based on organizational needs. A number of papers from leading security suppliers describe specific implementations and are written with a commercial intention. [RSA13] [HPEN11] [IBM13] [MCAF11] An organization that has to build its own SOC has little benefit from these papers, since they contain no general guidance. Hence, we added some papers about our research. [SCHI14] [SCHI15]

Assessment method

For the assessment method, some of the factors influencing the result have been combined, and other relevant aspects such as competences and experience have been added. The questionnaire is divided into four groups of factors, i.e. sharing knowledge, secure service development, continuous monitoring and damage control. The rating per axis is: 1 = unsatisfactory, 2 = concerned, 3 = suboptimal, 4 = satisfactory, 5 = desired level. The rating is relative to the organization’s level, i.e. its objective per axis. The visual representation is shown in figure 1 and described in more detail elsewhere. [SCHI14]

For each SOC visited, a spider diagram was drafted and discussed with the SOC analysts until it was a reasonable interpretation of the effectiveness of the SOC’s operational activities. Using this assessment method periodically, one may monitor the progress of improvement activities.

Assessment results

Each SOC turns out to have a unique design and implementation. Since no generally accepted framework exists, each SOC was formed through organic growth. The security processes are tailored by one or more experts according to the funds and staffing available, on a best effort basis, based on their personal skills and competences. Using opportunities, they created something which is, in their opinion, the right solution for the challenges of their organization.


All of the SOCs were part of or related to the IT department. There are some typical implementation forms, e.g.:

Integral SOC

This type of SOC is a center of expertise involved in both secure service development and infrastructure support and operations. We could only find and visit one instance of such an integral SOC during our research. The advantage of an integral approach is that the same analysts and consultants are involved in making new services secure during the acquire phase while later being involved in compliance scanning and continuous monitoring. This is optimal sharing of knowledge.

Technology driven SOC

The majority of SOCs is focused on infrastructure support and operations. They are located between functional support, and network and system administrators. This is an effective positioning, since these experts know what happens in the operational environment and interact directly with the other engineers. However, the SOC’s impact on preventive actions such as making new services secure is limited.

Partly outsourced SOC

One SOC consisted only of technical security officers, analysts and penetration testers. Because of the infrastructure, scanning and continuous monitoring had been outsourced to the hosting provider. It turns out that knowledge sharing and cooperation had a low rating since human interaction was very limited in this outsourcing relationship.

Specialized SOC

Some SOCs are highly specialized, due to a particular organization’s mission to protect a country and its vital infrastructures. They have experts, e.g. for protecting and guarding Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) computers, and use classified sources for information about threats.

The effectiveness of each SOC is based mainly on executive commitment. [EY13] Without such commitment, competent resources and sufficient budgets, a SOC can provide ‘security in name only’.

The framework

A SOC needs an umbrella, consisting of an information security organization with a Chief Information Security Officer (CISO), reporting to the Chief Information Officer (CIO), and acting within the mission and security goals of the organization.

Moreover, there should be a process for secure service development to ensure that only secure solutions are handed over from the acquire phase to the production environment. In figure 2, this is depicted as the ‘Security by Design’ function. This is often combined with methods and processes for Business Impact Analysis (BIA), Risk Analysis (RA) and Privacy Impact Assessment (PIA). These analysis methods provide information about the requirements for confidentiality, integrity and availability.


The research results indicate a clustering of the SOC’s activities in five areas, which turn out to be their elementary building blocks. This answers the second sub-question: Which standard functions can be identified when analyzing the design and operations of existing SOCs? These are:

Intelligence function

The kernel of the SOC is the Intelligence function, which shares similarities with a Computer Emergency Response Team (CERT). The competent and skilled analysts are located here, exchanging information with internal and external parties [ZIMM14][MCCO08], analyzing threat patterns and monitoring results, defining rules for event filtering and giving instructions to operational staff and security staff.

Baseline Security function

The SOC analysts for Baseline Security supervise the operational processes for hardening servers, operating systems and network components, and perform vulnerability and compliance scans to verify adherence to hardening guidelines. Moreover, they scan for known vulnerabilities and verify the maintenance levels based on actual guidance on high priority and security patches. This function also supervises the settings and operational effectiveness of the endpoint protection (e.g. antivirus), firewalls, Intrusion Detection and Protection System (IDS/IPS), Public Key Infrastructure (PKI) etc.

Monitoring function

The SOC Monitoring function observes the data traffic and attempts to identify anomalies. The large volumes of logging data and signals are stored and filtered using dynamic rule sets to find a needle in a haystack. One of their major challenges is to tailor the Security Information and Event Manager (SIEM) in such a way that only the relevant alerts or events are identified.

Penetration Test function

Penetration tests are used both as an integral part of secure service development and within the operational environment. A penetration test can determine how a system reacts to an attack, whether or not a system’s defenses can be breached, which defenses were defeated and what information can be acquired from the system.

Forensic function

The SOC’s analysts are skilled in finding details in the data traffic and logging infrastructure data. When forensic investigations are performed by the Office of Integrity or law enforcement agencies, these analysts assist in collecting electronic evidence and ensuring the chain of custody of such evidence.

For each function, the objectives and activities can be outlined and translated into requirements for competences, experience and number of staff. Here we use rules of thumb, based on observations in existing SOCs.

For instance, experience teaches that seven penetration testers are required for the penetration test function. The calculation is as follows: as soon as a penetration tester has sufficient experience, chances are he or she is offered a job by a specialized security firm with a higher salary than the organization is allowed to offer. So, the manager of the SOC must always expect to lose one or two of the most experienced penetration testers, and has to employ one or two juniors who need time to be educated and trained. If the manager wants a core team of four mid-level or senior penetration testers continuously, he or she must employ a group of seven.

Anchoring the SOC

Each of the SOC’s functions has inseparable relationships with functions within the user and IT organizations. These relationships are shown in figure 3.

The Intelligence function of the SOC maintains a close relationship with the user organizations, since it has to focus on protecting against threats specific for this business, and the customer and user community. This task can only be performed with sufficient knowledge of a specific user organization, being aware of all relevant changes, and in close contact with the CISO, Information Security Officer (ISO), security staff, information managers, project leaders, architects, etc. Hence, there must be at least one analyst within the Intelligence function, acting as liaison for each specific user organization.


Three functions of the SOC, i.e. Intelligence, Baseline Security and Monitoring, need a close relationship with the engineers and staff of Functional and Technical Support within the IT organization. They must be aware of the changes affecting security, security incidents, release management, patch management, etc. and must give instructions about the hardening process, high priority and security patches, settings for security related parameters, logging and collecting logging information, etc. Moreover, they need to be authorized to access many sensitive parts of the network and systems to perform their investigations. At the very least, the SOC needs a liaison within the IT organization, in figure 3 indicated as a Security Engineer. This specialized engineer is the primary entry point for the SOC.

Providing security to multiple user and IT organizations

The third sub-question for this research is: How can a SOC provide effective security services to multiple user organizations and IT organizations? The reasons for asking this question are that skilled analysts are scarce, tooling for each SOC is expensive, and tailoring and maintaining the tooling turns out to be an awkward and time-consuming process. Hence, we searched for ways to let a SOC of one organization provide security services to another organization, which is beneficial for large companies with multiple divisions or a government with many governmental agencies. Building on the inseparable relationships explained above, figure 3 shows an answer to this question.

In the case of supporting multiple organizations, the SOC has to implement dedicated communication lines at the business side. Within the Intelligence function of the SOC, there should be a dedicated liaison for each user organization, who knows the business and can closely interact with the relevant actors within the business. The user organization performs the Business Impact Analyses (BIAs), Risk Analyses (RAs) and Privacy Impact Assessments (PIAs). Information about the requirements for confidentiality, integrity and availability is thus provided to the SOC, which can focus on the threats and vulnerabilities relevant to the particular business.

At the IT side, there is also a liaison required per IT organization. This liaison should be a person located between the support staff and engineers of this IT organization. This person is the local Security engineer, who is aware of all security related changes, security incidents, configurations, settings, and so on, within the IT organization. He or she gives such information to the SOC and passes guidance and instructions from the SOC to the support staff and engineers.

By appointing liaisons at the business and the IT side, the SOC will be able to ensure the inseparable relationships, vital to efficiently delivering the security services required.


Assuming our model is adopted by a country to protect e-government services for multiple agencies, a number of practical issues have to be solved. If, for example, the SOC operates for more than one ministry, the individual ministerial responsibility is an issue. In the case of a severe incident, which minister has to report the incident to parliament – the minister responsible for the SOC or the minister who suffered the cyber attack? Another point of discussion is funding, which is mainly an issue if a SOC is used to protect a chain crossing a number of agencies and private parties.


The primary recommendation is not to re-invent the wheel multiple times. It makes no sense to create tens of SOCs, knowing that there are only a very limited number of very skilled analysts available, and many SOCs struggle with implementing and tailoring (expensive) tooling in a meaningful way. Such problems can be solved by an increase of scale, e.g. by creating one SOC for an important chain. For a country, this may be one SOC for the large financial streams and e-governance, such as taxes, subsidies and pensions, one SOC for law enforcement, courts and penitentiary institutes, one SOC for the vital infrastructure etc. Since our framework is focused on a SOC operating for multiple user and IT organizations, it allows for such a form of concentration.


We appreciate the close cooperation with many organizations and authorities. They have provided many insider details about the operational processes and have participated in the completion of this framework for a SOC. We do encourage further research on this topic as there are still practical issues to be solved. In addition, we want to thank the staff of VU University Amsterdam for their support in writing a graduate thesis about this subject.


[BASH11] Bashar Matarneh, H., World Financial Crisis and Cybercrime, 2011.

[EY13] EY, Security Operations Centres against Cybercrime, Top 10 Considerations for Success, 2013.

[FOXI12] FOX IT, Black Tulip, Report of the Investigation into the DigiNotar Certificate Authority Breach, 2012.

[HOEP10] Hoepman, J.-H., Jacobs, B., Vullers, P., Privacy and Security Issues in e-Ticketing – Optimisation of Smart Card-based Attribute-proving, in V. Cortier, M. Ryan and V. Shmatikov (eds.), Proceedings Workshop on Foundations of Security and Privacy, FCS-PrivMod 2010, Edinburgh, UK, 2010.

[HPEN11] HP Enterprise Security Business Whitepaper, Building Successful Security operations Centre, 2011.

[IBM13] IBM, Strategy Considerations for Building a Security operations Centre, 2013.

[MCAF11] McAfee White Paper, Creating and Maintaining a SOC, the Details behind Successful Security Operations Centres, 2011.

[MCCO08] McConnell, J. M., US Intelligence Community, National Intelligence, Information Sharing Strategy, 2008.

[NCSC13] National Cyber Security Centre (NCSC) Netherlands, Cyber Security Assessment Netherlands, 2013.

[NOHL07] Nohl, K., Mifare security, 24th Chaos Communication Congress, 2007.

[RSA13] RSA Technical Brief, Building an Intelligence-driven Security Operations Centre 2013.

[SCHI14] Schinagl, S., Schoon, K.C., Security Operations Center (SOC): Modelleren en meten van effectiviteit, Vrije Universiteit Amsterdam, www.vurore.nl, 2014.

[SCHI15] Schinagl, S., Schoon, K.C., Paans, R., A Framework for Designing a Security Operations Centre (SOC), Hawaii International Conference on System Sciences (HICSS) Institute of Electrical and Electronics Engineers (IEEE), 2015.

[TRUS13] Trustwave, 2013 Global Security Report, 2013.

[WATI11] Watin-Augouard, M., General of the Army Gendarmerie Nationale France, Prospective Analysis on Trends in Cybercrime from 2011 to 2020, 2011.

[YIN09] Yin, R.K., Case Study Research Design and

[ZIMM14] Zimmerman, C., Ten Strategies of a World-Class Cybersecurity Operations Center, Mitre Corporation, 2014.

S. Schinagl BSc EMITA QSA CISA, Prof. dr. ir R. Paans RE and K.C. Schoon BSc EMITA QSA CISA

Stef Schinagl is an IT Auditor at Noordbeek specialized in Security Operation Centres (SOC) and Role Based Access Control (RBAC). Stef is researching ‘Information Assurance’ at the VU University Amsterdam, i.e. providing reasonable assurance that information is efficiently protected against threats from the cyber world. In this role, he provides various lectures and trainings. Ronald Paans is director of Noordbeek IT Audit and head of the Postgraduate study IT Audit, Compliance & Advisory (ITACA) at VU University Amsterdam. Ronald worked as Staff Manager within IBM EMEA for 10 years and as partner at KPMG IT Audit for 12 years. Keith Schoon is a general IT Auditor at Noordbeek, specialized in audits based upon internationally accepted standards, such as PCI DSS 3.0 and ISO 27001, and the Dutch governmental standard ‘Baseline Informatiebeveiliging Rijksdienst (BIR)’. He is also involved in risk management and acts as coordinator for the ITACA study at VU University.