
Source: encodegroup.com/...Whitepaper_ServiceTower_DIGITAL.pdf (page 1)

Whitepaper

Security Operations Center (SOC): The New MSS Service Tower

Introduction: The SOC

In the context of today’s Cyber Threat Landscape, the importance of a SOC that can Detect, Respond and Contain Cyber breaches early in the Cyber Kill Chain cannot be overstated. This capability needs to keep pace with evolving Advanced Persistent Threat (APT) based Cyber attacks. Conventional network and endpoint signature-based SIEM monitoring alone is not enough to address APT threats in the current Cyber Threat Landscape. Today’s (or next generation) SOC should at a minimum be an intelligence-driven facility incorporating network and endpoint Data Analytics to detect signatureless Cyber Kill Chain behavior. Combined with a forensics capability, the next generation SOC is a business-critical component in any Cyber Defence capability.

Managed Security Services (MSS) delivered SOC

This paper introduces a Service Tower based MSS SOC delivery. It describes what an MSS delivered SOC Service Tower would look like in order to deliver efficient and effective breach Detect, Respond and Contain capability, particularly in a multi-vendor delivered IT estate. Multi-vendor also means an increased attack surface.

An MSS delivered SOC needs to operate seamlessly across all IT towers to address the increased Cyber attack surface. This is a challenge for the SOC since the business is a moving target, i.e. there are continual changes and growth in People, Process, Organisation, Location, Data, Applications and Technology.

The importance and capabilities of the SOC have now evolved to the point where it arguably should exist as a distinct logical and contractual entity, i.e. a Service Tower. The specialised technology and skills needed to operate an in-house Next Generation SOC are a big and expensive step for an end-user.

SIAM: Integrating multiple service towers

Service Integration and Management (SIAM) is an ITIL-aligned approach to engaging and managing multiple vendors (or towers) providing an end-to-end IT service (see Figure 1). SIAM is accountable and responsible for integrating operational delivery into a single coordinated end-to-end IT service for an end-user client.

This is achieved by partitioning an IT Estate into discrete functional ‘towers’ (Applications, End-User Compute (EUC), Networks and Cloud/Hosting) collectively representing an end-to-end IT environment. SIAM manages, orchestrates and governs cross-tower integration.

encodegroup.com ©2001-2015 Encode. All rights reserved. Confidential, do not distribute

The Service Tower model is becoming a de facto procurement approach for the UK public sector and is increasingly used for procuring on-premise or managed solutions in the private sector. Many IT System Integrators apply the Service Tower model internally when pricing outsource deals, using Tower-aligned delivery teams.

Service Towers

Each Service Tower delivers an orchestrated functional IT service aligned to a set of Service Level Agreements (SLAs), supported by Operational Level Agreements (OLAs) with other supporting and dependent Towers.

Service Tower Roles & Responsibilities

SIAM is effectively a Service Tower itself, accountable to the end client. The other Towers are accountable to SIAM.

Having clearly defined roles and responsibilities between towers, underpinned by an SLA structure, is challenging due to the inherent complexity of different vendor cultures, technologies, practices and approaches.

The Service Tower model’s success is dependent on coordinated collaboration between Tower vendors. Figure 1 illustrates key baseline roles and responsibilities as a starting point for a more granular set of roles and responsibilities.

Service Tower Model Complexity: Increased Cyber Attack Surface

There is inherent increased complexity in implementing and operating a Service Tower based IT solution with multiple vendors; each Tower represents a discrete set of People, Processes and Technologies driving a range of security controls largely focussed on perimeter defence.

Each service tower thus represents a discrete attack surface, collectively representing a far larger attack surface than would be the case if one vendor delivered a single homogeneous solution.

This increased attack surface adds complexity to applying consistent and joined-up breach Detection, Response and Containment capabilities across all towers.

The SOC must therefore address this complexity to deliver an effective and efficient early warning capability; otherwise it simply reverts to a basic log management and monitoring function issuing alerts that cannot be adequately correlated across towers, ending up as noise, uncertainty and elevated risk.

Figure 1 Generic Service Tower Model

Cyber Threat Landscape

In today’s Cyber Threat Landscape, the most potent threat is the Advanced Persistent Threat (APT). An APT is characterised by a highly motivated Threat Source and/or Threat Actor(s) strategically targeting a business, constructing TTPs to bypass perimeter and network security and covertly exploiting network and endpoint trust relationships. APT based attackers will plan and mercilessly execute an effective Kill Chain, gliding past the perimeter as if it did not exist; APT attackers focus on Trust Relationship discovery and exploitation.

An APT actor conducts reconnaissance, building detailed corporate, digital and technology footprints to identify the best Attack and Exploit Vectors for establishing a foothold and then pivoting onto other endpoints. Business assets are compromised by the ensuing breach, which often persists undetected for several months. The SOC must be capable of detecting early breach activity and containing it.

Elevated Cyber Attack Risk Level

The increased attack surface inherent in the Service Tower model, combined with the clear and present APT threat, represents an elevated risk level to the business/end customer.

A larger attack surface exposes multiple breach points. Detecting breaches involves piecing together anomalous activity across towers and correlating that information to assess whether, collectively, the activity represents any phase of the Cyber Kill Chain.

Applying effective early breach detection across multiple service towers with a moving IT environment baseline is a major challenge for a SOC. Generating actionable alerts early in the Cyber Kill Chain is key to mitigating damage to the business.

Next Generation SOC

In order to adequately address the increased attack surface of the Service Tower model in the context of today’s Cyber Threat Landscape, a SOC capability should at minimum deliver the following features:

• Single view of operations across all Service Towers
• IT Environment Baseline Change Monitoring
• Cyber Threat Assessment Modelling across all towers
• Intelligence-driven rule violation assessment
• Signatureless breach behavior detection
• Cross-Tower incident/event response orchestration

The above attributes are not facets of a conventional (or traditional) SOC. Detecting signatureless behavior patterns in the context of the Cyber Kill Chain across towers requires a large team working 24x7. This team must be dedicated to analysing, against a baseline, millions of network flows, endpoint behavior and Internet communication logs for any phase of the Cyber Kill Chain.

Alternatively, a Big Data Analytics (BDA) solution might be a smarter choice. BDA effectively needs to spot statistical ‘dots’ outside the baseline, join them up and correlate them with other sets of joined-up dots to identify breach activity or Indicators of Compromise (IoC), i.e. signatureless breach detection.
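As an added illustration (not code from the whitepaper or from Encode), the following Python sketch shows the two ideas above in their simplest form: joining per-tower observations for one host into a Cyber Kill Chain view, and flagging a host whose outbound traffic falls outside its own statistical baseline. The event schema, tower names, phase labels and all sample values are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Cyber Kill Chain phases in order, so a host's observations can be read as a chain.
KILL_CHAIN = ["recon", "weaponise", "delivery", "exploit", "install", "c2", "actions"]

# Constructed sample events, already normalised from three towers into one schema.
EVENTS = [
    {"tower": "EUC",     "host": "ws-17", "phase": "delivery", "detail": "macro document opened"},
    {"tower": "Network", "host": "ws-17", "phase": "c2",       "detail": "periodic beacon to rare domain"},
    {"tower": "Hosting", "host": "ws-17", "phase": "actions",  "detail": "new session on admin share"},
    {"tower": "Network", "host": "ws-42", "phase": "c2",       "detail": "periodic beacon to rare domain"},
]
# Constructed baseline: recent daily outbound MB per host, and today's figure.
BASELINE = {"ws-17": [210, 190, 230, 205, 220, 198, 215], "ws-42": [400, 380, 420, 410]}
TODAY = {"ws-17": 900, "ws-42": 415}


def baseline_outliers(baseline, today, z=3.0):
    """Hosts whose value today sits more than z standard deviations above their own history."""
    flagged = {}
    for host, history in baseline.items():
        mu, sd = mean(history), pstdev(history)
        if sd == 0 or host not in today:
            continue
        score = (today[host] - mu) / sd
        if score > z:
            flagged[host] = round(score, 1)
    return flagged


def correlate(events, outliers, min_towers=2):
    """Join per-tower events by host; alert only when a host is seen by at least min_towers
    towers, or when a single-tower event coincides with a baseline outlier. A single-tower,
    in-baseline observation stays unalerted: that is the uncorrelated 'noise' case."""
    by_host = defaultdict(lambda: {"towers": set(), "phases": set()})
    for ev in events:
        by_host[ev["host"]]["towers"].add(ev["tower"])
        by_host[ev["host"]]["phases"].add(ev["phase"])
    alerts = {}
    for host, seen in by_host.items():
        if len(seen["towers"]) >= min_towers or host in outliers:
            alerts[host] = {
                "towers": sorted(seen["towers"]),
                "chain": [p for p in KILL_CHAIN if p in seen["phases"]],
                "baseline_z": outliers.get(host),
            }
    return alerts


if __name__ == "__main__":
    print(correlate(EVENTS, baseline_outliers(BASELINE, TODAY)))
```

With the sample data, ws-17 is raised as a three-tower chain (delivery, c2, actions) backed by a traffic outlier, while the lone Network event for ws-42 produces no alert.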

The capabilities described above represent Next Generation features combining SIEM, Cyber Security Intelligence and BDA into a seamless integrated SOC platform delivering effective Detection, Response and Containment across multiple vendor environments.

In order to be properly harnessed and calibrated to deliver cross-Tower Detect, Respond and Contain functionality, these capabilities can be logically and contractually delivered as a Service Tower, shown in Figure 2 below.

SOC Tower Functional Architecture

As with the other Towers, the SOC Tower will have a set of operational roles and responsibilities, indicated in Figure 2. However, the SOC operates across all towers to deliver timely, consistent, correlated and effective breach Detect, Respond and Contain capability. Figure 3 illustrates the SOC functioning across all towers (including SIAM), collecting device and endpoint logs.

The SOC Tower in principle should be accountable to SIAM, but in practice can be accountable to the end-client. The gap between principle and practice will be, as always, a matter of compliance and SLAs coupled to operational Roles and Responsibilities.

Conclusion

The next generation of SOC capability is a critical component of any end-to-end IT environment. It is a particularly important function to support a Service Tower based delivery model, which inherently possesses an extra-large Cyber Attack Surface.

The SOC’s ability to consistently Detect, Respond and Contain breaches early, across all towers, is far too important to implement as discrete instances within each service tower under the local control of tower vendors.

The SOC needs to exist as a discrete, contractually and logically ‘independent’ entity directly and homogeneously operating across all Towers. This is critical to address Cyber attacks in any or all parts of the IT environment where multiple Service Towers are involved. The SOC is the new Service Tower.

Figure 2 Service Tower Model including SOC Service Tower

Figure 3 SOC Tower Operational and Functional view