Developing a Mature Security Operations Center
Introduction

Cybersecurity in the federal government is at a crossroads. Each month, there are more than 1.8 billion attacks on federal agency networks, and that number is on the rise.[1] From corporate espionage to attacks by foreign governments and cyber criminals, the threat environment is greater than ever. At the same time, federal systems are becoming more embedded in the mission, making any downtime or disruption a critical event.

For every agency, the first line of defense is its Security Operations Center (SOC). Today, many government SOCs focus on reactive security: responding to incidents as they occur, diagnosing attacks and plugging leaks. This vital function must persist, but it represents only one of the three stages of a modern SOC's maturity. This white paper addresses each of these stages, discussing the latest best practices in the operation of SOCs, from incident response to predictive and intelligence capabilities. Additionally, the paper underscores the growing importance of SOCs in the enterprise, showcasing their emerging role as a clearinghouse for all security-related information.

[1] Erika Lovley, "Cyber attacks explode in Congress," Politico, March 5, 2013.

KCG Experience

- Over 12 years of corporate experience executing cyber security programs
- Executed over 600 security assessments across Federal agencies and commercial companies
- Recognized experts and frequent thought leaders speaking at conferences such as OWASP AppSec USA 2011, ISC2 Security Congress, DHS Software Assurance Forum, and many more
- Responsible for implementing a major DHS component's first Computer Security Incident Response Team and Focused Operations capability, including establishment of the reporting procedures with DHS US-CERT, reverse engineering, and malware analysis support
- Trusted advisor to CISOs throughout the commercial sector and federal agencies in implementing and maturing cyber programs
- One of only 9 companies to receive initial Third Party Assessment Organization (3PAO) designation for providing security assessment services to private sector cloud providers

Incident Response and Recovery

In just one recent two-year span, the Pentagon's Cyber Crime Center reported more than 100 instances of hackers actively infiltrating networks at government agencies and military contractors.[2] Agencies can no longer assume that their networks are secure. A formalized plan for detecting, responding to and recovering from cyber incidents is paramount in today's threat environment. That is why incident response and recovery has become the foundation of every SOC's security playbook. To respond effectively to security incidents, agencies must dedicate significant time to planning and resource allocation.

Because cyber incidents tend to follow the same lifecycle pattern, SOCs should take a lifecycle approach to building their incident response processes, as depicted in Figure 1. The distinct phases of the lifecycle build upon one another. For example, in the planning stage, the SOC should develop a common vocabulary that will enable all stakeholders to categorize an attack appropriately. Mapping categories to responses will speed the next steps down the line, such as containment and remediation.

Figure 1: SOC Lifecycle Approach to Incident Response

Communication plays a key role in the incident lifecycle. SOCs are central to coordinating information during an incident, from providing stakeholder outreach to securing law enforcement cooperation. Common factors to consider include:

- What are our plans for failover to backup systems?
- How do we ensure continued operations during incident recovery?
- How do we collect and store information during an event for later use in developing post-incident lessons learned?

In addition to restoring any service disruptions, recovery operations should also focus on determining what changes need to be made to prevent future attacks. This may include establishing more restrictive settings in network infrastructure appliances, more detailed logging on compromised systems, or improved detection capabilities. Agencies should prepare for repeated attacks on the same system, or similar attacks launched against adjacent systems in the same or similar networks.

Once established, agencies should exercise incident response and recovery practices through real-world events and simulated attacks at least semi-annually. One leader in this area is the DoD, which since 2011 has included cyber attacks in its war games and military exercises.

[2] Defense Science Board Task Force Report: Resilient Military Systems and the Advanced Cyber Threat, January 2013.

Cyber Intelligence and Predictive Capabilities

Federal networks face threats from foreign intelligence agencies, criminal organizations, hackers and cyber activists. With so many attack vectors, a reactive posture is no longer adequate. Instead, SOCs must transition to a proactive risk management approach. By integrating continuous monitoring into their security toolkit and using cyber intelligence capabilities, SOCs can stay ahead of threats and address incidents before they become breaches.

To do this, SOCs must be able to connect the dots, aggregating threat intelligence, vulnerability data and risk correlation information to build a holistic picture of the cyber environment. Agencies should leverage information from both classified and unclassified sources to pinpoint threat indicators. These might include attacks directed at different parts of their own agency, or against another federal department or economic sector.

For example, both Apple and Facebook recently had their networks compromised by a sophisticated attack that directed employees to an infected developer website.[3] Proactive SOCs would consider this attack vector and review policies to prevent a similar incident within their network. These might include adding infected websites to the agency's blacklist, reducing administrative privileges, and communicating details of the threat to agency leadership. SOCs might also send a memo to potentially vulnerable stakeholders and employees, asking for greater vigilance and reiterating best practices to prevent a breach.

[3] Nicole Perlroth, "Apple Computers Hit by Sophisticated Cyber Attack," The New York Times, Feb. 19, 2013.
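The "connect the dots" step above, aggregating vulnerability data, threat indicators and asset risk into one prioritized view, is easier to see with a small worked example. The code below is an added illustration, not from the white paper or from KCG: it joins three constructed feeds (scanner findings, a set of CVEs reported as actively exploited, and an asset inventory with mission criticality) and produces the ranked list a SOC dashboard would display. The CVE identifiers are placeholders and the scoring weights are assumptions chosen for the illustration.

```python
"""Correlate vulnerability findings with threat intelligence and asset risk.

Added example (not the white paper's or KCG's code). All feeds below are
constructed sample data; CVE ids are placeholders; weights are assumptions.
"""
from dataclasses import dataclass, field

# Constructed vulnerability scan output: one row per (asset, CVE).
VULN_SCAN = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "web-01", "cve": "CVE-0000-0002", "cvss": 5.0},
    {"asset": "db-01", "cve": "CVE-0000-0003", "cvss": 8.0},
    {"asset": "kiosk-07", "cve": "CVE-0000-0001", "cvss": 9.8},
]

# Constructed threat intelligence: CVEs seen in active campaigns
# (the paper's "classified and unclassified sources" would feed this set).
ACTIVE_EXPLOITATION = {"CVE-0000-0001"}

# Constructed asset inventory: mission criticality 1 (low) .. 3 (high).
ASSETS = {
    "web-01": {"criticality": 3, "internet_facing": True},
    "db-01": {"criticality": 3, "internet_facing": False},
    "kiosk-07": {"criticality": 1, "internet_facing": False},
}


@dataclass
class Finding:
    asset: str
    cve: str
    score: float
    reasons: list = field(default_factory=list)


def score_finding(vuln, intel, assets):
    """Risk = CVSS x criticality, boosted when the CVE is actively exploited
    (assumed weight 2x) and when the asset is internet facing (assumed 1.5x)."""
    asset = assets.get(vuln["asset"], {"criticality": 1, "internet_facing": False})
    score = vuln["cvss"] * asset["criticality"]
    reasons = []
    if vuln["cve"] in intel:
        score *= 2
        reasons.append("actively exploited")
    if asset["internet_facing"]:
        score *= 1.5
        reasons.append("internet facing")
    return Finding(vuln["asset"], vuln["cve"], round(score, 1), reasons)


def prioritize(vulns, intel, assets):
    """Score every finding and return them highest risk first."""
    findings = [score_finding(v, intel, assets) for v in vulns]
    return sorted(findings, key=lambda f: f.score, reverse=True)


def dashboard_rows(findings, top=5):
    """Render the top findings as plain-text dashboard lines."""
    rows = []
    for f in findings[:top]:
        why = ", ".join(f.reasons) if f.reasons else "baseline"
        rows.append(f"{f.asset:10} {f.cve:14} {f.score:6.1f}  {why}")
    return rows


if __name__ == "__main__":
    for row in dashboard_rows(prioritize(VULN_SCAN, ACTIVE_EXPLOITATION, ASSETS)):
        print(row)
```

The point the ranking makes is that the same CVE on the kiosk and on the internet-facing web server lands at opposite ends of the list: CVSS alone would rank them equally, while the correlation with threat intelligence and asset criticality is what turns raw scan data into something a decision-maker can act on.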
SOCs as the Operational Security Clearinghouse

Figure 2: SOC as a Security Clearinghouse

As SOCs mature, they must become each agency's security clearinghouse, the place decision-makers turn to as the authoritative source for all security data. The model is not unprecedented in cybersecurity. Since 2005, the National Institute of Standards and Technology has maintained the National Vulnerability Database (NVD), serving as the authoritative source for publicly known vulnerabilities. In effect, SOCs need to serve the same function as the NVD within their own agency.

In this model, SOCs gather security intelligence and feed it back to the rest of the enterprise through a security dashboard. The use of dashboards increases accessibility and improves the decision-making process, particularly in times of crisis. Moreover, as the owner of all security-related data, SOCs are positioned to draw on the full spectrum of cyber information in assessing and predicting future events. This continuous feedback loop enriches defensive strategies and strengthens an agency's cyber readiness.

Conclusion

U.S. intelligence leaders now designate cyber attack as the number one threat facing the country, ahead of the risks posed by terrorism and rogue nations. Defending against this persistent but amorphous threat will not be easy. As adversaries employ increasingly sophisticated tactics, agencies across the government will need to adapt their processes and internal procedures. SOCs remain one of the most potent weapons in this fight, but their role must evolve. Agencies should expand the scope of their SOC's mission from reactive security to proactive intelligence. Agencies should also elevate SOCs to serve as the central clearinghouse for security information. By establishing sound processes at every level and arming decision-makers with the information they need, agencies will be better equipped to meet the next cyber challenge.
KCG Overview

Headquartered in Northern Virginia, Knowledge Consulting Group (KCG) is an award-winning information assurance services firm with expertise in providing cybersecurity services support. KCG's role is often that of an independent trusted advisor to our client base. Organizations within the Department of Homeland Security (DHS), the Department of Justice (DOJ), the Department of Defense (DoD), the Intelligence Community (IC) and the commercial sector utilize KCG as an independent advisor providing cybersecurity support services. Our experience includes Security Operations, Incident Management, Focused Operations, Compliance, Risk Assessment, Independent Verification and Validation, Security Testing and Evaluation, Penetration Testing and Security Governance support services.

KCG is composed of over 250 professionally certified IT security engineers. Approximately 95 percent of KCG's engineers hold cybersecurity professional certifications in areas including but not limited to CISSP, CISM, CISA, CGEIT, SANS GIAC Certified Incident Handler, GIAC Certified Penetration Tester, Certified Ethical Hacker, EnCase Certified Examiner and ArcSight Certified Security Analyst. Over 94 percent of KCG's security engineers hold active clearances, and 80% are cleared at the Top Secret level or higher. Our Project Management infrastructure includes recruiting, finance, contract management, human resources and security processing. Our experience includes over 2,500 deliverables developed on time and within budget that met or exceeded all client expectations. Our success is a direct result of our proactive approach to service delivery and project management.

Cybersecurity as a Core Capability

KCG is focused purely on cybersecurity as its core capability. With cybersecurity contracts at over 20 agencies and commercial customers, KCG has proven expert capabilities in successfully delivering information security solutions across the full spectrum of cybersecurity, including compliance, operations, governance and risk management. Leveraging 12 years of corporate experience, KCG developed a Chief Information Security Officer (CISO) Framework that provides a formalized approach to developing and evolving security programs in today's changing threat and regulatory environment. KCG takes advantage of our experience and methodologies to meet service demands, as well as to contribute innovation and best practices.

The diagram represents our CISO Framework and the core capabilities and service offerings we bring to bear to secure and protect your enterprise. KCG's capability of delivering high levels of information security support is validated by our notable accomplishments, which include the following:

- One of the nine initial FedRAMP-accredited Third Party Assessment Organizations (3PAOs) for accrediting cloud service providers (CSPs) under the GSA FedRAMP program;
- Implementing a NIST-based Risk Management program for the world's largest security company;
- Implementing continuous monitoring services throughout the federal government in line with evolving legislative and regulatory requirements;
- Serving as a trusted advisor providing management consulting expertise in cybersecurity to CISOs throughout the federal government and commercial sector; and
- Serving as a trusted team partner for major SOCs including JSOC, FBI ESOC and ICE SOC, and as independent oversight authority for TSA SOC.

KCG also maintains a direct approach to Focused Operations and Penetration Testing/Analysis. KCG's Cyber Attack & Penetration (CAPD) Division delivers specialized expertise in high-end security assessments, penetration testing, application security and forensics. This division harnesses the collective capabilities across KCG in supporting both federal agencies and Fortune 500 companies such as General Electric, Lockheed-Martin, Booz Allen Hamilton and many more. KCG's CAPD solutions professionals are renowned experts with pedigrees from boutique companies such as @stake (authors of L0phtcrack), Neohapsis and Symantec. KCG was recently selected as the premier provider of penetration testing services supporting the Rapid7 and Metasploit team's professional services to its customers. In addition, KCG has formed partnerships with top-tier application security providers such as Veracode, providing static and dynamic source code and binary analysis.

Contact

For more information about developing a mature SOC, and how KCG can help your organization, contact:

Paul Nguyen, CISSP, CISA, CGEIT
Vice President, Cyber Solutions
pnguyen@knowledgecg.com
Tel 703-467-2000 x108
Fax 703-547-0322

KCG maintains a resolute commitment to the success of each of our clients. We accomplish that through the use of disciplined project management methodologies, highly skilled professional resources, proven assessment methodologies, and transparent visibility into the status of the work being done. With our core capability in the delivery of exceptional security services, our clients benefit from ISO certification linked to our assessment methodologies, highly skilled resources that have executed over 600 assessments, and our relationship-based customer support model.