Cyber Security Operations Centers (CSOC)

Cyber Security Operations Centers (CSOC) are the physical or virtual facilities where an organization's information systems, such as servers, network devices, end-user computers, websites, applications and databases, are monitored, assessed and protected. CSOCs typically bring together a wide range of roles, in particular security analysts and engineers as well as the managers who oversee security operations, organized to detect, analyse, intervene in, report on, and protect against cyber security incidents.

Tasks of the Corporate CSOCs:

  • To continuously analyse threats, and to prevent cyber security incidents by means of network and client vulnerability scans,
  • To monitor, detect and analyse potential threats based on real-time and historic data,
  • To intervene in security incidents by coordinating resources and taking appropriate counter-actions,
  • To report the current state, incidents, and trends in relation to cyber security, and to create situational awareness,
  • To manage the network security and analysis products.

CSOCs are in general composed of service units that provide service at different levels in order to prioritize the incoming calls.

For a CSOC to provide these capabilities, it has to understand the environmental factors specific to the client it serves, and the client’s security stance. This is referred to as Situational Awareness. Situational Awareness can be gained by means of the following components:

  1. Information: sensor data, cyber intelligence, manufacturers’ product activities, threats, etc.
  2. Analysis: processing the information.
  3. Visualization: conveying the information visually.

The security analyst observes the client on a continuous basis, relates the information gained from these observations to past experience and historical knowledge, makes a decision based on the resulting synthesis, and implements that decision. This process repeats cyclically and develops over time, so Situational Awareness progresses and becomes more efficient. The three work areas that contribute to this progress in Situational Awareness are as follows:


  • Inventory details of the information technologies such as servers, network devices, mobile devices etc.
  • Physical and logical network topologies,
  • Security requirements for assets, network and applications, and their architecture,
  • State of the IT assets (normal states, and changes in such states: configuration, port, service, protocol, etc.),
  • Vulnerabilities of the devices and applications, and the measures to mitigate such vulnerabilities,


  • Sector in which the client is operating,
  • Physical facilities where the operations are carried out,
  • Other related parties such as people, governmental organizations, organizations etc.
  • IT assets’ dependencies with the business processes,
  • Roles of the system managers, management, and user groups such as staff providing access to the sensitive data etc.


  • Intruders’ abilities, motivations, attack potentials, effects on the business processes, and actions to be taken by them,
  • Assessment of the activities of certain intruders.

The primary task of a CSOC is to find and intervene in security incidents. The ideal goal is to detect and respond to security incidents early, before they can do damage. Due to the complicated nature of the attacks, CSOCs are required to deal with the entire lifetime of cyber-attacks.



CSOCs often use Security Information and Event Management (SIEM) systems to aggregate and correlate the raw data generated by the products running on the corporate IT infrastructure, such as network and security devices. A SIEM collects the logs generated by all products and lets security analysts examine them through one single window.

CSOC Activities

Monitoring Security Threats 

Preventing security incidents requires advanced strategies as well as advanced products.

  • Which data should be monitored?
  • Which security incidents should be monitored, and how should the events that may turn into an incident be defined?
  • What are the laws and regulations to be followed in relation to monitoring the data?
  • Are the monitored systems so critical that they should be included in the plans for business continuity and disaster recovery?
  • Should the incidents be monitored in real-time?
  • How can the data flow be made more efficient?
  • What kind of reporting do we need?
  • What kind of SIEM capabilities are required?
  • How many personnel do we need, and which level of knowledge and qualifications should such personnel have?
  • How should we train new staff?
  • What kind of a process should we operate in case of a security incident?
  • How should we be informed of the most recent threats and vulnerabilities?
  • How should we keep our security monitoring infrastructure updated?

The key sources that feed the SIEM tools and make their utilization states possible are the system logs, equipment logs, and application logs. The appropriate logs should be activated so that the SIEM can build the utilization states needed to detect an incident.

Security Incident Management

Detecting security threats is the first priority, but defining how to intervene in such threats and how to reduce the risk involved is just as important. In order to manage security incidents, it is essential to be capable of prioritizing the incidents, defining the warning processes, managing the calls, and defining the service levels; developing appropriate metrics is also important for monitoring performance.

Organizations that already implement an Incident Intervention Process may need to make some additions to their processes to be capable of intervening in security incidents:

  • Integration of SIEM outputs,
  • Creating the role and responsibilities matrix containing the security intervention activities,
  • Assignment process for security incidents,
  • Provision of training to the personnel on security threats, vulnerabilities, and interventions.

Red Team Practices, carried out on an annual basis, would be useful for increasing the CSOC personnel’s capabilities of detecting security incidents and intervening in them.

Personnel Recruitment, Training and Management

Just as a CSOC without a SIEM is meaningless, a SIEM that is not managed by skilled analysts is an unnecessary investment. Therefore, it is essential to recruit appropriately qualified staff for the CSOC to monitor and, when necessary, intervene in security incidents.

The CSOC team in general consists of CISSP- or GIAC-certified engineers, analysts and a CSOC manager. The roles recommended for the team, based on the Cyber Security Workforce studies conducted by Barikat, are given below:

  • CSOC Director
  • Security Operations Engineer
  • Security Analyst
  • Security Architect
  • Security Superintendent
  • Incident Intervention Specialist
  • Leakage Test Specialist
  • Business Continuity Manager
  • Forensic Information Expert
  • Malware Specialist

Process Development, Management and Optimization

Defined processes are needed to manage a corporate CSOC efficiently. These processes are assets that should be implemented in an organized, effective, and consistent manner, and that guide staff on how and by whom the work is to be performed. Some of the processes needed for the implementation of CSOC activities are presented below.

  • Monitoring Process
  • Notification process (e-mail etc.)
  • Work assignment process
  • Incident detection and analysis process
  • Incident logging processes
  • Compatibility monitoring process
  • Report generation process
  • Process of creating a monitoring screen
  • Incident examination processes (malware etc.)
  • Threats evaluation process

Developing Threat Strategy

It is necessary to closely monitor security intelligence services in order to follow the constantly developing security threats and to take action against them. To be informed of any event that affects the corporation's assets or poses a general threat, threat intelligence services can be used by way of subscription. It is also important to act swiftly in assigning the required resources in response to the intelligence received.


The biggest enemy of CSOCs is the Advanced Persistent Threat (APT). Organizations that employ many policies and procedures, such as change management, may find it difficult to act rapidly while intrusion techniques and tools are being developed at such a speed. Therefore, the key features for using the triangle of human, process and technology in the most effective way should be determined and integrated into the CSOC processes, so that rapid action can be taken.

Planning the CSOC as an Outsourced Service

As establishing a CSOC takes a long time for any agency or organization, organizations may prefer not to install it on their own. Installing a CSOC requires long-term actions and practical experience, such as recruitment of qualified personnel, investment in monitoring equipment, creation of appropriate processes for intervening in incidents, etc. Therefore, organizations may wish to avail themselves of Managed Security Services Provider (MSSP) solutions that are already installed and commissioned.

Some advantages of outsourcing CSOC as MSSP are as follows:

  • To avoid a process that would constantly require investment,
  • Direct access to the skilled and experienced personnel,
  • Additional threat intelligence feeds,
  • An infrastructure that can be scaled and expanded in capacity.

Utilization State Development

Some Utilization States should be defined to make sure that the CSOC is efficient. Here the term “Utilization State” means the incidents which the CSOC is required to monitor and/or intervene in. One of the best ways of developing a utilization state is to look at the incidents from the intruder’s point of view.
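
The utilization state idea above, together with the earlier point that system, equipment and application logs must be activated to feed it, shown as an added example (not part of the original article). The log formats, source names, threshold and time window are constructed assumptions; the rule alerts when a login succeeds after repeated failures from the same address across several log sources.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines: system (sshd), equipment (fw) and application (app) logs.
RAW = [
    ("sshd", "2024-05-01T10:00:01 sshd Failed password for admin from 203.0.113.7"),
    ("sshd", "2024-05-01T10:00:05 sshd Failed password for admin from 203.0.113.7"),
    ("fw",   "2024-05-01T10:00:09 fw DENY src=203.0.113.7 dst=10.0.0.5 dport=3389"),
    ("app",  "2024-05-01T10:00:20 app login_failed user=admin ip=203.0.113.7"),
    ("app",  "2024-05-01T10:01:10 app login_ok user=admin ip=203.0.113.7"),
    ("sshd", "2024-05-01T10:02:00 sshd Failed password for bob from 198.51.100.4"),
    ("app",  "2024-05-01T10:03:00 app login_ok user=bob ip=198.51.100.4"),
]

# Each source has its own format; all are mapped to (time, source, ip, outcome).
# Assumption: a firewall DENY counts as a failed attempt by that source address.
FAIL = {"sshd": re.compile(r"Failed password for \S+ from (\S+)"),
        "fw": re.compile(r"DENY src=(\S+)")}
APP = re.compile(r"login_(failed|ok) user=\S+ ip=(\S+)")

def normalize(source, line):
    ts = datetime.fromisoformat(line.split()[0])
    if source == "app":
        m = APP.search(line)
        return (ts, source, m.group(2), "fail" if m.group(1) == "failed" else "ok") if m else None
    m = FAIL[source].search(line)
    return (ts, source, m.group(1), "fail") if m else None

def detect(raw, enabled=("sshd", "fw", "app"), threshold=3, window=timedelta(minutes=5)):
    """Utilization state: a login succeeds after >= threshold failures in the window."""
    events = sorted(e for s, l in raw if s in enabled and (e := normalize(s, l)))
    failures, alerts = {}, []
    for ts, source, ip, outcome in events:
        recent = [(t, s) for t, s in failures.get(ip, []) if ts - t <= window]
        if outcome == "fail":
            failures[ip] = recent + [(ts, source)]
        elif len(recent) >= threshold:
            alerts.append({"ip": ip, "time": ts.isoformat(), "failures": len(recent),
                           "sources": sorted({s for _, s in recent})})
            failures[ip] = []
    return alerts

if __name__ == "__main__":
    print(detect(RAW))                    # all three log sources enabled
    print(detect(RAW, enabled=("app",)))  # only application logs collected
```

With only the application log enabled, the same activity produces no alert, because the failures recorded by the other two sources never reach the correlation.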

CSOC Strategies

Some important strategies to install and operate a functional and efficient CSOC are as follows: 

1. Gather the security team under a single roof.
2. Set a balance between the scope and agility.
3. Give the CSOC the authorization it needs to do its business.
4. Do not skip the important issues.
5. Quality workforce. 
6. Increase the value in technology procurements.
7. Properly process the collected data.
8. Adhere to the CSOC tasks.
9. Take note of the threat intelligence.
10. Build a good incident intervention process.

Considering the fact that cyber-attacks will never stop and can affect a lot of organizations, the best thing for the organizations is to attempt to protect themselves on a continuous basis. And the creation of a good incident intervention process via a practical CSOC should come at the very beginning of such activities. In order that a functional CSOC can maintain itself, the Human, Process, and Technology should operate in harmony. Upon definition of the required components such as utilization states, metrics, processes etc. that are necessary for CSOC to carry out its duty, an appropriate SIEM should be integrated into the infrastructure for central monitoring and logging. In this manner, the components necessary for a successful incident intervention capability should be combined. 

It shouldn’t be forgotten that the main question we have to answer is not “I wonder if our information can be captured?”, but “When can our information be captured?” Corporate CSOCs should put detective controls into use to identify potential attacks before the vulnerabilities are discovered in the outer world.