Conference Paper
A Framework for Designing a Security Operations Centre (SOC)
Stef Schinagl BBA QSA CISA, Noordbeek, stef@noordbeek.com
Keith Schoon BSc QSA CISA, Noordbeek, keith@noordbeek.com
prof. Ronald Paans Ph.D, Noordbeek and VU University Amsterdam, Ronald.Paans@noordbeek.com
Abstract
Owning a SOC is an important status symbol for many organizations. Although the concept of a ‘SOC’ can be considered hype, only a few of them are actually effective in counteracting cybercrime and IT abuse. A literature review reveals that there is no standard framework available and no clear scope or vision on SOCs. In most of the papers, specific implementations are described, often with a commercial purpose. Our research focused on identifying and defining the generic building blocks of a SOC, in order to draft a design framework. In addition, a measurement method has been developed to assess the effectiveness of the protection provided by a SOC.
1. Introduction
Society is continuously under attack from hackers, criminals and other malicious actors. For example, an attack on the Dutch SSL certificate provider DigiNotar succeeded in June 2011. The attackers collected the private keys and issued rogue certificates that were later abused in a large scale attack in August 2011 [3]. This attack damaged many government agencies, forcing them into the expensive replacement of all SSL certificates.
Citizens and organizations are rapidly becoming more vulnerable to cyber-attacks because of their increasing dependency on vulnerable techniques. An example is the chip for e-ticketing in national public transportation, the OV-chipkaart, which was successfully hacked several times between 2007 and 2011, allowing travelers to manipulate their accounts and to travel for free [11] [4]. Other examples are the online Dutch payment system IDEAL for bank transactions and the citizens’ identity verification service DigiD; both were attacked via DDoS. The increasing number of attacks is also observed by the Dutch National Cyber Security Centre [10] [15] [7]. Society’s increasing dependence on IT results in more severe consequences when IT fails to function.
This awkward situation was made worse by the financial crisis: as budgets were cut and unemployment rose, cybercrime was fuelled in several ways. Firstly, private and public organizations spend less on modernizing IT and improving information security. Secondly, a crisis makes it easier for criminal groups to recruit skilled employees, since the group of unemployed and perhaps vengeful and unhappy people is growing [7]. In addition, citizens feel an uncertainty that is abused by cybercriminals via finance-related attacks [1].
In response, many organizations are trying to protect their business processes by implementing additional measures for information security. One of these measures is setting up a Security Operations Centre (SOC), assuming this would be the solution to counteract cyber-attacks and abuse. These organizations are faced with a real challenge: the absence of an explicit model and guidance on how to establish a SOC. Each organization has to re-invent the wheel, leading to a diversity of implementation forms and high costs.
A number of papers from leading security suppliers [13] [5] [6] [8] describe specific implementations and are written with a commercial intention. An organization that has to build its own SOC has little benefit from these papers, since they contain no general guidance.
1.1. Research: A framework for a SOC
Noordbeek collaborated with VU University Amsterdam to investigate common practices for private and public SOCs and to develop a framework for the design and implementation of an effective SOC. This research focused on modelling the structure of a SOC, with the goal of assisting large companies and governmental agencies in establishing SOCs which can offer effective cyber security to multiple organizations.
For designing our research approach, we used Yin [17]. In this context, we visited a number of SOCs, mapped their activities, measured the effectiveness of their performance, analyzed their problems and developed a generic model based on their common aspects. This model contains five basic elementary functions, called the building blocks of a SOC. This structure was verified in collaboration with the stakeholders from the participating SOCs and was validated by them.
The model was presented to the Dutch security community, who recognized and accepted it as a model for designing new SOCs or further improving existing SOCs.
2. Background literature
Businesses are embracing cloud solutions, user mobility, expanding social collaboration, and creating and sharing extraordinary volumes of data [15] [7]. The combination of business and IT transformation, compliance and governance demands, and the onslaught of security threats continues to make the job of safeguarding data assets a serious challenge for organizations of all types [Trust 2013].
2.1. Cyber-attacks
Today’s reality is ‘no matter what business you are in, no matter where in the world you are, if you have got data, your business is at constant risk’. From the outside in to the inside out, threats are increasing as quickly as you can implement measures against them [15]. In a similar way, EY states that ‘in today’s world of intense use of technology and not enough security awareness on the part of users, cyber-attacks are no longer a matter of if but when’. We live in an age where information security prevention is no longer optional [2]. Attacks are any kind of malicious activity that attempts to collect, disrupt, deny, degrade or destroy information system resources or the information itself. This translates to 137.4 million attacks annually, 2.6 million weekly and 0.37 million daily [6].
The primary data type targeted by attackers in 2012 was cardholder data. Criminals also sought personally identifiable information, which has some monetary value, but not as much as cardholder data. Therefore, the primary targets of cyber criminals in 2012 were Retail (45%), Food & Beverage (24%) and Hospitality (9%). Surprisingly, Financial Services came fourth (7%), followed by the Non-profit sector (3%) [15].
Cyber-attacks and intrusions are nearly impossible to avoid, given the openness of today’s networks and the growing sophistication of advanced threats [14]. In response, the practice of cybersecurity should focus on ensuring that intrusion and compromise do not result in business damage or loss [13]. Preparing for known attacks is hard enough. But how do organizations build controls for the security risks they do not even know about yet [2]? Some guidance can be found in the publications of the US National Institute of Standards and Technology (NIST).
Figure 1. IT Services and their context. [Figure: at the top, the user organization (users, business processes, customers and partners) exchanging value of a financial, privacy or confidentiality nature; Service Development & Maintenance (requirements, architecture, functional and technical design, build, test, acceptance; D-T-A-P) and Supplier Management as the development process; IT Service Delivery with (web) applications and data, Functional & Technical Support and a Network Operating Centre with IDS & IPS; the network (WAN and LANs), outer-world connections (Internet, partners), office automation and mobile, data centres, DMZ, antivirus and storage; and the infrastructure layers application, middleware, access control, operating system, hardware and data.]
2.2. Definition of a SOC and its mission
A Security Operations Centre (SOC) functions as a team of skilled people operating with defined processes and supported by integrated security intelligence technologies. The SOC specifically focuses on cyber threat monitoring, forensic investigation, and incident management and reporting [6], under the umbrella of an overall security operations environment and clear executive support. Without such an umbrella, a SOC is ineffective, and its value will not be realized. A bottom-up or grassroots approach to security has a minimal chance of survival and an even smaller chance of success [2].
The business interests to be protected by a SOC are depicted in Figure 1. The user organizations and their relations, such as customers and partners, are essential. They exchange electronic messages and transactions, each representing a particular value. This exchange of information between organizations and their relations can be roughly divided into - more or less - privacy sensitive, confidential, or finance related. The exchange of value between organizations and people is depicted in green at the top of Figure 1. The capability to exchange and process data is provided by IT, with its (web) applications and data storage. From a security perspective, functionality and data are the principal objects to protect. One has to ensure the confidentiality, integrity and availability of IT service delivery.
The applications are acquired via ‘make or buy’: via Service Development and Maintenance for ‘make’ and Supplier Management for ‘buy’. An increasing number of organizations have adopted methods for Secure Service Development, with sophisticated risk and vulnerability analysis methods, explicit security requirements, involvement of SOC staff in penetration tests and code reviews during the development stages, and security acceptance criteria [9].
A major part of a SOC’s attention is focused on the technical infrastructure, with the networks, external connections, office automation, mobile solutions and the servers running the applications and processing the data. The SOC performs continuous monitoring, vulnerability scans, compliance scans, log data collection, etc.
2.3. Detection and Tooling
The primary function of a SOC is continuous monitoring, to become rapidly aware of attacks by malware, DDoS, viruses, hackers, and so on, and to pay attention to malicious activities by people such as employees, subcontractors, guests and outsiders. For this, the SOC analysts need to recognize attack patterns, the inherent and specific weaknesses of their own IT infrastructure and information systems, and the habits and behavior of the regular users.
Organizations must assign highly competent security resources towards rapid threat detection and remediation [13]. A well-functioning SOC can form the heart of effective detection. It can enable information security functions to respond faster, work more collaboratively and share knowledge more effectively [2]. With the understanding that attacks can never be completely prevented, companies should advance their detection capabilities so they can respond appropriately.
Organizations sometimes invest in ‘fancy’ tooling. The tools are not the Silver Bullet that will protect them from cyber threats outside or already inside the security perimeter [2]. The competences and experience of the staff of the SOC are much more important. Since highly qualified analysts are scarce, this is where organizations struggle the most.
Attacks have grown significantly in complexity, rendering the majority of ‘Off the Shelf’ detection solutions ineffective [15]. Be aware that some 48% of the tooling belongs to this category. In addition, due to advanced subterfuge techniques, malware often goes unnoticed by system administrators despite being clearly visible to experienced investigators. We have to rely on the human factor, i.e. the analysts, to outsmart the sophisticated attackers.
Security event visualization is still rare in most organizations today. Many security professionals conduct manual log reviews or perform ‘spreadsheet’ analyses, and for some, implementation of basic Security Information and Event Manager (SIEM) technology is as far as they go. However, the ultimate goal should be to develop an environment in which security events are discovered by security professionals within the organization. Data aggregation or correlation as seen in a SIEM is assumed to be beneficial to real-time security event visualization and notification [15].
2.4. People, awareness and competences
A fundamental component of continuous monitoring is the analysis of the collected data, carried out by the analysts working in the SOC [12]. This is a value-added activity, since highly qualified analysts with acknowledged competences are in charge of both the preparation and the management of complex security investigations. At the core of a successful SOC is a firm foundation for operational excellence, driven by well-designed and executed processes, stable governance, capable individuals and a constant drive for continuous improvement to stay ahead of cyber adversaries [2]. SOCs need collaborative, cross-disciplinary teams with highly specialized skill sets to combat advanced cyber threats. However, the security community faces a serious shortage of such skills and qualified personnel [13].
Moreover, employees leave the door open to further attacks. Whether it is due to lack of education or policy enforcement, employees happen to pick weak passwords, click on phishing links and share company information on social and public platforms [15].
A complicating factor for establishing cybersecurity is outsourcing. Many third-party vendors do not allow customer organizations to perform logging and monitoring, although their engineers sometimes leave the door open for attacks, as they do not necessarily keep the client’s security interest in mind [15].
3. Research and measurement method
For the research method, ‘Case Study Research, Design and Methods’ of Robert K. Yin [17] was used. Yin describes six stages, which we tailored as follows:
Stage 1, the ‘Plan’ phase, has the character of an inventory. We collected literature, visited some SOCs and defined the research question and subquestions. The central question is: ‘What is an effective framework for designing and implementing a SOC to increase the robustness of e-businesses and their customers against cyber-attacks and IT abuse?’ The three subquestions are:
Does literature provide guidance for designing an effective SOC?
Which standard functions can be identified when analyzing the design and operations of existing SOCs?
How can a SOC provide effective security services to multiple user organizations and IT organizations?
Then, we drafted an initial model for a framework, based on input from experts and our expectation of what the common functions should be. This model was used during the interviews and workshops to confirm or reject certain parts of the SOC’s functionality.
Stage 2, the ‘Design’ phase, is used to draft a measurement method to assess the effectiveness of a SOC’s operations, supported by visual spider diagrams and questionnaires. We made a list of organizations, to visit their SOCs and interview their security staff.
During stage 3, the ‘Prepare’ phase, we performed a pilot at an organization with a SOC that had already been operating for several years. In close cooperation with the analysts of this SOC and via workshops, we improved the assessment method and the questionnaires, to make them suitable for assessing a multitude of different SOC implementations.
Stage 4, the ‘Collect’ phase, consists of the site visits, observations, interviews and workshops, resulting in a research database. We discussed the functional building blocks, the existing problems and the current and future objectives with one or more analysts of each SOC and our colleagues.
Stage 5, the ‘Analyze’ phase, is used to finalize the draft theoretical propositions using the quantitative and qualitative evidence collected.
During stage 6, the ‘Share’ phase, we wrote our report and organized a number of workshops with representatives of the SOCs visited, adapting the draft model until consensus was found. We then presented our research outcome and model to several committees of the security community, who confirmed the model.
4. Observations and analyses
Because each SOC is as unique as the organization it belongs to, it is critical to understand the factors that influence its results. A SOC can include all internal operations, processes, technologies and staff, rely heavily on external provider-managed services, or be a hybrid of out-tasked and internal capabilities. To determine the right balance for an organization, one has to consider cost, skills availability, a single location versus multiple global locations, and the importance of around-the-clock coverage and support [6].
4.1. Assessment method
For the assessment method, some of these factors have been combined, and other aspects such as competences and experience have been added. The questionnaire is divided into four groups, i.e. sharing knowledge, secure service development, continuous monitoring and damage control. The rating per axis is: 1 = unsatisfactory, 2 = concerned, 3 = suboptimal, 4 = satisfactory, 5 = desired level. The rating is relative to the organization’s level, i.e. its objective per axis. The visual representation is shown in Figure 2.
For each SOC visited, a spider diagram was drafted and discussed with the SOC analysts until it was a reasonable interpretation of the effectiveness of the SOC’s operational activities. Using this assessment method periodically, one may monitor the progress of improvement activities.
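The scoring behind the spider diagram can be made explicit, so that two periodic assessments are comparable and the group with the largest gap to the organization’s own objective stands out. The following Python script is an added example and is not code from the paper or from Noordbeek; the axis names are those of Figure 2, but their assignment to the four groups is an assumption based on the order in which they appear around the diagram, and the ratings and targets are constructed for illustration.

```python
"""Scoring helper for the spider-diagram assessment of a SOC (added example).

Each axis of the questionnaire is rated 1..5 relative to the organization's own
objective for that axis; the axis names follow Figure 2.
"""
from statistics import mean

# Rating scale per axis, as defined in section 4.1
RATING_LABELS = {1: "unsatisfactory", 2: "concerned", 3: "suboptimal",
                 4: "satisfactory", 5: "desired level"}

# Axes from Figure 2. Their assignment to the four groups is an assumption
# based on the order in which the axes appear around the diagram.
GROUPS = {
    "Secure Service Development": [
        "Consultant's Experience", "Security Requirements", "Testing",
        "Risk Acceptance", "Pentests", "Code reviews"],
    "Continuous Monitoring": [
        "Analyst's Experience", "Monitoring", "Operational Security", "Tooling",
        "Compliance Scans", "Vulnerability Scans", "SIEM"],
    "Business Damage Control": [
        "Forensic Investigations", "Intervention on Technique", "Intervention on Users",
        "Response Plans", "Security Awareness", "Damage Controller's Experience"],
    "Intelligence": [
        "External Information Sharing", "Cyber Intelligence", "Incident Management",
        "Threats and Risks", "Security Policy", "Security Governance"],
}
ALL_AXES = [axis for axes in GROUPS.values() for axis in axes]


def validate(table, name):
    """Every axis must be present and rated on the 1..5 scale."""
    for axis in ALL_AXES:
        if table.get(axis) not in RATING_LABELS:
            raise ValueError(f"{name} for '{axis}' must be 1..5, got {table.get(axis)!r}")


def assess(ratings, targets):
    """Per group: mean rating, mean gap to the organization's objective, and the
    axes rated 'concerned' or worse (the ones an improvement plan starts with)."""
    validate(ratings, "rating")
    validate(targets, "target")
    report = {}
    for group, axes in GROUPS.items():
        report[group] = {
            "mean_rating": round(mean(ratings[a] for a in axes), 2),
            "mean_gap": round(mean(targets[a] - ratings[a] for a in axes), 2),
            "concerned": [a for a in axes if ratings[a] <= 2],
        }
    return report


def weakest_group(report):
    """Group with the largest mean gap to its objective."""
    return max(report, key=lambda g: report[g]["mean_gap"])


def progress(previous, current):
    """Per-axis change between two periodic assessments (positive = improvement)."""
    return {axis: current[axis] - previous[axis] for axis in ALL_AXES}


def _table(per_group):
    """Build an {axis: value} table from value lists ordered as in GROUPS."""
    table = {}
    for group, values in per_group.items():
        table.update(zip(GROUPS[group], values))
    return table


# Constructed sample: a technology-driven SOC, strong in monitoring and weak in
# secure service development. Targets are the organization's own objectives.
SAMPLE_RATINGS = _table({
    "Secure Service Development": [3, 2, 3, 2, 3, 1],
    "Continuous Monitoring": [4, 4, 4, 3, 4, 5, 3],
    "Business Damage Control": [3, 4, 2, 3, 2, 3],
    "Intelligence": [2, 3, 4, 3, 4, 3],
})
SAMPLE_TARGETS = dict.fromkeys(ALL_AXES, 5)
SAMPLE_TARGETS.update({"Code reviews": 4, "Cyber Intelligence": 4})
# Constructed follow-up assessment after improvement work on development security
FOLLOW_UP_RATINGS = dict(SAMPLE_RATINGS, **{"Security Requirements": 4, "Code reviews": 3})

if __name__ == "__main__":
    report = assess(SAMPLE_RATINGS, SAMPLE_TARGETS)
    for group, row in report.items():
        print(f"{group:28} mean {row['mean_rating']:.2f}  gap {row['mean_gap']:.2f}"
              f"  concerned: {row['concerned']}")
    print("weakest group:", weakest_group(report))
    improved = {a: d for a, d in progress(SAMPLE_RATINGS, FOLLOW_UP_RATINGS).items() if d}
    print("improved axes:", improved)
```

The gap is measured against the organization’s own target per axis rather than against 5, which is what makes the diagram meaningful for a specialized SOC that deliberately does not aim for the desired level on every axis; the "concerned" list is the natural input for the improvement activities the periodic assessment is meant to track.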
4.2. Assessment results
Each SOC has a unique design and implementation. Since no generally accepted framework exists, each SOC was formed through organic growth. The security processes are tailored by one or a few experts according to the funds and staffing available, on a best-effort basis, based on their personal skills and competences. Using opportunities, they created something which is, in their opinion, the right solution for the challenges of their organization.
All of the SOCs were part of or related to the IT department. There are some typical implementation forms, e.g.:
Integral SOC:
This type of SOC is a center of expertise involved in both secure service development and infrastructure support and operations. We could only find and visit one instance of such an integral SOC during our research. The advantage of an integral approach is that the same analysts and consultants are involved in making new services secure during the acquire phase, while later being involved in compliance scanning and continuous monitoring. This is optimal sharing of knowledge;
Technology driven SOC:
The majority of SOCs are focused on infrastructure support and operations. They are located between functional support and the network and system administrators. This is an effective positioning, since they know what happens in the operational environment and interact directly with the engineers. However, their impact on preventive actions such as making new services secure is limited;
Partly outsourced SOC:
One SOC consisted of technical security officers, analysts and penetration testers. Because of the infrastructure, scanning and continuous monitoring had been outsourced to the hosting provider. It turns out that knowledge sharing and cooperation had a low rating, since human interaction was very limited in this outsourcing relationship;
Figure 2. Integral SOC. [Spider diagram with a 0 to 5 scale on the axes Consultant's Experience, Security Requirements, Testing, Risk Acceptance, Pentests, Code reviews, Analyst's Experience, Monitoring, Operational Security, Tooling, Compliance Scans, Vulnerability Scans, SIEM, Forensic Investigations, Intervention on Technique, Intervention on Users, Response Plans, Security Awareness, Damage Controller's Experience, External Information Sharing, Cyber Intelligence, Incident Management, Threats and Risks, Security Policy and Security Governance; score axes grouped as Intelligence, Business Damage Control, Continuous Monitoring and Secure Service Development. Rating: 5 = Desired Level, 4 = Satisfactory, 3 = Suboptimal, 2 = Concerned, 1 = Unsatisfactory.]
Specialized SOC:
Some SOCs are highly specialized, due to a particular organization’s mission to protect a country and its vital infrastructures. They have experts, e.g., for protecting and guarding Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) computers, and use classified sources for information about threats.
The effectiveness of each SOC is based mainly on executive commitment [2]. Without such commitment, competent resources and sufficient budgets, a SOC can provide ‘security in name only’.
5. The framework
A SOC needs an umbrella, consisting of an information security organization with a Chief Information Security Officer (CISO), reporting to the Chief Information Officer (CIO), and acting within the mission and security goals of the organization.
Moreover, there should be a process for secure service development to ensure that only secure solutions are handed over from the acquire phase to the production environment. In Figure 3, this is depicted as the ‘Security by Design’ function. This is often combined with methods and processes for Business Impact Analysis (BIA), Risk Analysis (RA) and Privacy Impact Assessment (PIA). These analysis methods provide information about the requirements for confidentiality, integrity and availability.
The research results indicate a clustering of the SOC’s activities in five areas, which turn out to be its elementary building blocks. These are:
Intelligence function:
The kernel of the SOC is the Intelligence function, which shares similarities with a Computer Emergency Response Team (CERT). The competent and skilled analysts are located here, exchanging information with internal and external parties [16], analyzing threat patterns and monitoring results, defining rules for event filtering and giving instructions to operational staff and security staff;
Figure 3. The components of a SOC / Typology. [Figure: governance and control at the top (mission of the organization, security goals, governance objectives, CIO, security organization, CISO, information security policy); a Security by Design function (BIA, RA, PIA, security requirements, risk acceptance, SSD dashboard, code review, pentests, a pool of pentesters); and the SOC with its five functions: Monitoring (observation, log collection and selection, SIEM; events of more than 100 G per day reduced by filter rules to 4 to 5 alerts or events per day), Baseline Security (compliance scans, vulnerability scans, hardening, patching), Intelligence (‘CERT’: specific analysis of intelligence, analysis of security incidents, fed by a central CERT’s generic analysis of intelligence on internet threats, customer-specific threats, botnets and data traffic), Pentest (attack patterns) and Forensic (log analyses, investigations). Supporting elements: education, training, tooling, subcontracting, the security incident process and the infrastructure.]
Baseline Security function:
The SOC analysts for Baseline Security supervise the operational processes for hardening servers, operating systems and network components, and perform vulnerability and compliance scans to verify adherence to hardening guidelines. Moreover, they scan for known vulnerabilities and verify the maintenance levels based on actual guidance on high priority and security patches. This function also supervises the settings and operational effectiveness of the endpoint protection (e.g. antivirus), firewalls, Intrusion Detection and Protection Systems (IDS/IPS), Public Key Infrastructure (PKI), etc.;
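A compliance scan of the kind the Baseline Security function performs compares settings collected from each host against the hardening guideline and the required patch level, and reports every deviation. The script below is an added example and not code from the paper or from Noordbeek; the baseline values, the host names and the collected settings are constructed for illustration and do not represent any real hardening guideline.

```python
"""Compliance scan of collected host settings against a hardening baseline (added example).

Models the Baseline Security function's check that hardening guidelines and patch
levels are adhered to. The baseline and the host data are constructed for illustration.
"""

# Constructed hardening baseline: required values per area and the year-month of the
# latest security patch set that every host must have applied.
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no",
             "X11Forwarding": "no", "Protocol": "2"},
    "sysctl": {"net.ipv4.ip_forward": "0", "kernel.randomize_va_space": "2"},
    "services_disabled": {"telnet", "rsh"},
    "min_patch_level": "2013-04",
}


def parse_kv(text):
    """Parse 'Key value' (sshd_config style) or 'key = value' (sysctl style) lines,
    ignoring comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sep = "=" if "=" in line else " "
        key, _, value = line.partition(sep)
        settings[key.strip()] = value.strip()
    return settings


def check_host(collected, baseline):
    """Return the list of deviations (area, item, actual, required) for one host."""
    deviations = []
    for area in ("sshd", "sysctl"):
        actual = parse_kv(collected[area])
        for key, required in baseline[area].items():
            value = actual.get(key)
            if value is None:
                deviations.append((area, key, "missing", required))
            elif value.lower() != required.lower():
                deviations.append((area, key, value, required))
    # A service on the 'must be disabled' list that is running is a deviation
    for svc in sorted(baseline["services_disabled"] & collected["services"]):
        deviations.append(("services", svc, "enabled", "disabled"))
    # YYYY-MM strings compare correctly as text
    if collected["patch_level"] < baseline["min_patch_level"]:
        deviations.append(("patching", "patch_level",
                           collected["patch_level"], baseline["min_patch_level"]))
    return deviations


def scan(hosts, baseline):
    """Run the check over every host; returns {host: [deviations]}."""
    return {name: check_host(cfg, baseline) for name, cfg in hosts.items()}


def compliant_hosts(results):
    """Names of hosts without any deviation."""
    return sorted(name for name, devs in results.items() if not devs)


# Constructed scan input: settings as collected from three hosts
SAMPLE_HOSTS = {
    "web01": {
        "sshd": "PermitRootLogin no\nPasswordAuthentication no\nX11Forwarding no\nProtocol 2\n",
        "sysctl": "net.ipv4.ip_forward = 0\nkernel.randomize_va_space = 2\n",
        "services": {"sshd", "httpd"},
        "patch_level": "2013-04",
    },
    "db02": {
        "sshd": "# legacy settings\nPermitRootLogin yes\nPasswordAuthentication no\n"
                "X11Forwarding no\nProtocol 2\n",
        "sysctl": "net.ipv4.ip_forward = 0\nkernel.randomize_va_space = 2\n",
        "services": {"sshd", "telnet", "postgres"},
        "patch_level": "2013-02",
    },
    "app03": {
        "sshd": "PermitRootLogin no\nX11Forwarding no\nProtocol 2\n",
        "sysctl": "net.ipv4.ip_forward = 1\nkernel.randomize_va_space = 2\n",
        "services": {"sshd"},
        "patch_level": "2013-04",
    },
}

if __name__ == "__main__":
    results = scan(SAMPLE_HOSTS, BASELINE)
    for host, devs in results.items():
        print(host, "compliant" if not devs else f"{len(devs)} deviation(s)")
        for area, item, actual, required in devs:
            print(f"  {area}/{item}: found {actual!r}, required {required!r}")
```

A missing setting is reported as a deviation rather than silently passing, because a host that omits a directive falls back to its software default, which is exactly the case a hardening guideline is written to exclude.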
Monitoring function:
The SOC Monitoring function observes the data traffic and attempts to identify anomalies. The large volumes of logging data and signals are stored and filtered using dynamic rule sets to find a needle in a haystack. One of its major challenges is to tailor the Security Information and Event Manager (SIEM) in such a way that only the relevant alerts or events are identified;
Penetration Test function:
Penetration tests are used both as an integral part of secure service development and within the operational environment. A penetration test can determine how a system reacts to an attack, whether or not a system’s defenses can be breached, which defenses were defeated and what information can be acquired from the system;
Forensic function:
The SOC’s analysts are skilled in finding details in the data traffic and the logging infrastructure data. When forensic investigations are performed by the Office of Integrity or law enforcement agencies, these analysts assist in collecting electronic evidence and ensuring the chain of custody of such evidence.
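The Monitoring function’s reduction of a large event stream to a few relevant alerts rests on two kinds of rules: suppression of expected noise (for instance the Baseline Security function’s own scanner) and correlation of the remaining events over a time window. The Python script below is an added example, not code from the paper or from any SIEM product; the log format, host names, addresses, thresholds and the scanner address are constructed for illustration.

```python
"""Filtering a stream of log events into a handful of alerts (added example).

Illustrates the Monitoring function's task: stored events are reduced by rule sets so
that only relevant alerts surface. Log format, hosts, addresses and rules are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp host event source user"
SAMPLE_LOG = """\
2013-05-01T07:30:00 web01 ssh_login_failed 10.0.9.9 root
2013-05-01T07:30:01 web01 ssh_login_failed 10.0.9.9 root
2013-05-01T07:30:02 web01 ssh_login_failed 10.0.9.9 root
2013-05-01T07:30:03 web01 ssh_login_failed 10.0.9.9 root
2013-05-01T07:30:04 web01 ssh_login_failed 10.0.9.9 root
2013-05-01T07:30:05 web01 ssh_login_failed 10.0.9.9 root
2013-05-01T08:00:01 web01 ssh_login_failed 203.0.113.7 admin
2013-05-01T08:00:40 web01 ssh_login_failed 203.0.113.7 admin
2013-05-01T08:01:15 web01 ssh_login_failed 203.0.113.7 admin
2013-05-01T08:02:02 web01 ssh_login_failed 203.0.113.7 admin
2013-05-01T08:03:30 web01 ssh_login_failed 203.0.113.7 admin
2013-05-01T08:05:10 web01 ssh_login_success 203.0.113.7 admin
2013-05-01T09:10:00 web01 ssh_login_failed 10.0.5.20 bob
2013-05-01T09:10:20 web01 ssh_login_failed 10.0.5.20 bob
2013-05-01T09:10:45 web01 ssh_login_success 10.0.5.20 bob
2013-05-01T10:00:00 vpn01 ssh_login_failed 198.51.100.4 root
2013-05-01T10:25:00 vpn01 ssh_login_failed 198.51.100.4 root
2013-05-01T10:50:00 vpn01 ssh_login_failed 198.51.100.4 root
2013-05-01T11:15:00 vpn01 ssh_login_failed 198.51.100.4 root
2013-05-01T11:40:00 vpn01 ssh_login_failed 198.51.100.4 root
"""

# Constructed suppression rule: the SOC's own vulnerability scanner produces expected
# authentication noise and is removed before correlation
KNOWN_SCANNERS = {"10.0.9.9"}


def parse(line):
    ts, host, event, src, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event,
            "src": src, "user": user}


def load_events(text):
    return [parse(line) for line in text.splitlines() if line.strip()]


def suppress_known_sources(events, sources):
    return [e for e in events if e["src"] not in sources]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one source produces >= threshold failed logins against one host
    within the window; severity is raised if a successful login from the same
    source follows within the window after the last failure of the burst."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["host"])].append(e)
    alerts = []
    for (src, host), evs in by_pair.items():
        failures = [e for e in evs if e["event"] == "ssh_login_failed"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last = burst[-1]["ts"]
            succeeded = any(e["event"] == "ssh_login_success"
                            and last <= e["ts"] <= last + window for e in evs)
            alerts.append({"rule": "brute_force", "src": src, "host": host,
                           "failures": len(burst), "first_seen": first["ts"].isoformat(),
                           "severity": "high" if succeeded else "medium"})
            break  # one alert per source/host pair
    return alerts


def run_pipeline(text):
    """Returns (events collected, events kept after suppression, alerts raised)."""
    events = load_events(text)
    kept = suppress_known_sources(events, KNOWN_SCANNERS)
    return len(events), len(kept), detect_brute_force(kept)


if __name__ == "__main__":
    total, kept, alerts = run_pipeline(SAMPLE_LOG)
    print(f"{total} events collected, {kept} kept after suppression, {len(alerts)} alert(s)")
    for alert in alerts:
        print(alert)
```

Without the suppression rule the scanner’s six failures would raise a second alert, which is the tailoring problem the text describes: the rule set, not the collection volume, determines whether analysts see four or five relevant events per day or hundreds of expected ones. The slow attempts against vpn01 fall outside the window and are kept as events for the Forensic function without becoming an alert.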
For each function, the objectives and activities can be outlined and translated into requirements for competences, experience and number of staff. Here we use rules of thumb, based on observations in existing SOCs.
For instance, experience teaches that seven penetration testers are required for the penetration test function. The calculation is as follows: as soon as a penetration tester has sufficient experience, chances are he or she is offered a job by a specialized security firm with a higher salary than the organization is allowed to offer. So, the manager of the SOC must always expect to lose one or two of the most experienced penetration testers, and has to employ one or two juniors who need time to be educated and trained. If the manager wants a core team of four mid-level or senior penetration testers continuously, he or she must employ a group of seven.
Figure 4. Indivisible relationships: Anchoring a SOC. [Figure: the five SOC functions (Monitoring: observation, log collection and selection, SIEM; Baseline Security: compliance scans, vulnerability scans; Intelligence: specific analysis of intelligence, analysis of security incidents; Pentest; Forensic: log analyses, investigations) placed between the user organization (users, business processes, customers and partners, value; CISO, ISO, Security by Design, Damage Control) and IT Service Delivery (web applications, data, Functional and Technical Support, NOC, IDS & IPS, network with WAN and LANs, outer-world connections to the Internet and partners, office automation and mobile, data centres, infrastructure, storage, DMZ, AV) with a Security engineer as liaison. Interaction with the ISO, Security by Design and Damage Control concerns the business interests to be protected, the threat profile for the business, BIA and CIA, major changes and security incidents. Interaction with Functional and Technical Support concerns installation and configurations, hardening and deviations, patches, logs and security incidents. Within the SOC, the Intelligence function interacts with all functions; logs and attack patterns flow between the SOC and the infrastructure.]
Figure 5. Centralized SOC with local liaisons. [Figure: a Shared Service SOC with the five functions (the Intelligence function performs specific analysis of intelligence per user organization) serving user organizations 1 to N (each with data, (web) applications, value, CISO, ISO, Security by Design and Damage Control) and infrastructures A to Z (each with a NOC, Functional and Technical Support and a Security engineer). Liaison within the user organization: the Information Security Officer (ISO) on behalf of the CISO, Security by Design (architects and consultants) and Business Damage Control (security staff), anchoring the relation with the user organization and the business processes. Liaison within Functional and Technical Support: the Security engineer, anchoring the relation with Support and the infrastructure. Logs and attack patterns flow between the SOC and the infrastructures.]
5.1. Anchoring the SOC
Each of the SOC’s functions has inseparable relationships with functions within the user and IT organizations. In Figure 4, these relationships are shown.
The Intelligence function of the SOC maintains a close relationship with the user organization, since it has to focus on protecting against threats specific to this business and its customer and user community. This task can only be performed with sufficient knowledge of the user organization, being aware of all relevant changes, and with close contact with the CISO, Information Security Officer (ISO), security staff, information managers, project leaders, architects, etc. Hence, there must be at least one analyst within the Intelligence function acting as liaison for the user organization.
Three functions of the SOC, i.e. Intelligence, Baseline Security and Monitoring, need a close relationship with the engineers and staff of Functional and Technical Support within the IT organization. They must be aware of the changes affecting security, security incidents, release management, patch management, etc., and must give instructions about the hardening process, high priority and security patches, settings for security related parameters, logging and collecting logging information, etc. Moreover, they need to be authorized to access many sensitive parts of the network and systems to perform their investigations. At the very least, the SOC needs a liaison within the IT organization, in Figure 5 indicated as a specialized Security engineer. This engineer is the primary entry point for the SOC.
5.2. Providing security to multiple user and IT organizations
The third sub-question for this research is: ‘How can a SOC provide adequate security services to multiple user organizations and IT organizations?’ The reason for asking this question is that skilled analysts are scarcely available, tooling for each SOC is expensive, and tailoring and maintaining the tooling turns out to be an awkward and time-consuming process. Hence the search for ways to let the SOC of one organization provide security services to another organization, which is beneficial for large companies with multiple divisions or a government with many governmental agencies. Exploiting the inseparable relationships explained above, Figure 5 shows an answer to this question.
In the case of supporting multiple organizations, the SOC has to implement dedicated communication lines at the business side. Within the Intelligence function of the SOC, there should be a dedicated liaison for each user organization, knowing the business and intimately interacting with the relevant actors within the business. The user organization performs the Business Impact Analyses (BIAs), Risk Analyses (RAs) and Privacy Impact Assessments (PIAs). So information about the requirements for confidentiality, integrity and availability is provided to the SOC, which can focus on the threats and vulnerabilities relevant to the particular business.
At the IT side, a liaison is also required per IT organization. This liaison should be a person located between the support staff and engineers of this IT organization. This person is the local Security engineer, who is aware of all security related changes, security incidents, configurations, settings, and so on, within the IT organization. He or she gives such information to the SOC and passes guidance and instructions from the SOC to the support staff and engineers.
By appointing liaisons at the business and the IT side, the SOC will be able to ensure the inseparable relationships vital to efficiently delivering the security services required.
6. Evaluation
Assuming this model is adopted by a country to protect e-government services for multiple agencies, a number of practical issues have to be solved. If, for example, the SOC operates for more than one Ministry, the individual ministerial responsibility is an issue. In the case of a severe incident, which minister has to report to parliament: the minister responsible for the SOC or the minister who suffered the cyber-attack? Another point of discussion is funding, which is mainly an issue if a SOC is used to protect a chain crossing a number of agencies and private parties. There are a number of leads for further research in this area.
7. Conclusions
The primary recommendation is not to re-invent the
wheel multiple times. It makes no sense to create tens
of SOCs, knowing that there is only a very limited
number of very skilled analysts available, and many
SOCs struggle with implementing and tailoring (ex-
pensive) tooling in a meaningful way. Such problems
can be solved by an increase of scale, e.g., by creating
one SOC for an important chain. For a country, this
may be one SOC for the large financial streams and e-
governance, such as taxes, subsidies and pensions, one
SOC for law enforcement, courts and penitentiary in-
stitutes, one SOC for the vital infrastructure, etc. Since
the framework is focused on a SOC operating for mul-
tiple user and IT organizations, it allows for such a
form of concentration.
8. Acknowledgment
We appreciate the close cooperation with many or-
ganizations and authorities. They have provided many
insider details about the operational processes and have
participated in the completion of this framework for a
SOC. In addition, we want to thank the staff of VU
University Amsterdam for their support in writing a
graduate thesis about this subject.