Security Operations Centre (SOC)

Security Operations Center:

A Security operations center (SOC) is that facility or multiple facilities of an organization or an organization’s service provider having qualified people using string set of technology solution and a strong set of process. The operation conducted by a SOC is of continuous monitoring, analyzing and responding to security posture and the threat to an organization.

The Three tenant of a Security Operating Center are People, Process and System. The harmonic synchronization of the three provides the organization with Visibility, Analysis, and Action.

- People: Includes trained people with certification, knowledge and vendor specific experience and skills.

- Process: Includes preparation, analysis, recovery, identification, containment, learning and knowledge retentions & transfer.

- System: Includes the End Point Protection, Perimeter Security, Data Center Security, Forensics and Incident Detection Management.

This allows for Data Aggregation, Data Analysis and 360 degree real time dashboard for the organization to detect, prevent and respond to any threat at the same time to do Forensics.

https://youtu.be/uj8PuaXyygU

The SOC operation typically can be broken up into Monitoring, Analyzing and Responding to Insider threat and that too of outsider threat.

-    The insider threat would typically be from employees or value chain partner like supplier and buyers. And organization would want the SOC to monitor Identity & Access Manager (IAM), Privileged Access Manager (PAM), Active Directory, Data Leakage Prevention(DLP), Compliance tools, etc.

-    The Outsider Threat is monitoring of Network Security – Firewall, Network IPS, Network Security Appliance for Email, The Web, etc., End Point Security, Data Center Security, NAC, Network Access Control.

A typical SOC would have some form of SIEM – Security Incident Event Monitoring and a Log collector to collect log from various security tools at various sites and some for security intelligence.

However, the security landscape has changed SIEM alone is no more as effective since the security and digital landscape has evolved. The threat landscape now also includes Social Engineering, Mobile devices & BYOD – Bring your own device has new challenges and threat thrown at the organization for application and content security. IoT – Internet of things present new form of security challenges, Industrial Security & Physical Security are as important as IT- Information technology security. And cloud migration brings new form of security integration challenges at least in short term. There is a lot happening outside the organization echo system in their industry and deep dark web which can affect the organization, its IT & Industrial asset, intellectual property and bring down their operation.

An organization should look at the tool and solution that address these new challenges to security in their Security Operating Center. All this requires to look into various facets of security, and this would involve data monitoring inside and outside of organization which is structured and unstructured at the same time would be in high volumes, varsity, and velocity hence organization or their service provider would need Artificial Intelligence (AI) to help them.

Future looking SOC would not just monitor IT, but also OT  (Operational Technology /Industrial) asset should have various advance treat analytics solution embedded along with threat intelligence, Integrated real-time dash board along with Forensic capabilities to allows access to the SOC provider customer in case organization use a third party SOC. Most importantly the SOC should be global and be having redundancy. It is imminent that Artificial intelligence is plugged to the SOC and the organization ties up with the external academics research center to get updates on research being carried out in the Security landscape.

Operating System Security

Security is a negative goal, and an attacker can break the system by many ways like permissions, disk locks, reuse memory, backup, steal disk, attackers grades.txt. The goals of Policy goals of an organization are Information Security and Liveness, which are as follows:

Information security goals include: Privacy- Limit who can read the data & Integrity: limit who can write the data.

Liveness Goals are: Availability- which is to ensure services are operational.

Operating system Security (OS Security) is the process of ensuring OS integrity, confidentiality, and availability. OS security refers to specific steps used to protect the OS from threat, viruses, malware or remote hacker intrusions.

Risk model of assumption: Threat modeling is a process by which potential risk can be identified, enumerated and prioritized from a possible attackers point of view. An adversary can be inside the organization or can be outside the organization. The adversary can be a hardware vendor, software vendor, administrator, employee or competitor, enemy state etc someone outside the network.

The threat model in this case are:

-   Adversary control some computers or network.

-   Adversary controls some software on computers.

-   The adversary is privy to some information such as password or keys.

-   Social engineering attacks.

- Adversary trying to hack or attack the network or system from outside.

Guard model of Security:

Typically in a client-server architecture, we would have some resource (data) on a server which would be accessed by the client. In guard model, the server would consult a guard for all access control decision. Hence this model follows complete mediation as the only way to access the resources which are via the guard.

The design of the guard model is on two basic principles which are Authentication and Authorisation, and this simplifies security.

The model works on following principles.

1.   Complete mediation: All resources are accessed only via the guard.

2.   Policy and Mechanism: High level concise and clear policy and well lined up security mechanism.

3.   The interaction between layers and components.

4.   Taking into cognizance social engineering and phishing attacks.

The challenges with model are:

1.   Complete mediation is challenging: Backdoor access also needs to checked.

2.   Software bugs in mediation.

3.   The disparity between Policy and Mechanism.

4.   Difficulty in enforcing policy and getting the desired outcome.

The Guard model does not provide full prove solution to all security challenges, another option we have is the separation of privilege. We can split the system into modules and give each module the least privilege to do its job.

1.   Use multiple physical machines. Separate machines for database and websites.

2.   Use of virtual machine to split.

3.   Application to be split in components.

Challenges in the Privilege separation

1.   The need for modules to share.

2.   Performance.

3.   The configuration of privileges.

4.   Reduce trusted software.

Trust computing base (TCB)

TCB is the set of hardware, firmware or software components, which are critical to its security systems. The bugs or vulnerability might affect the security property of the entire system. The principle is that all software that must be trusted to achieve security. The another theory is that less software would lead to fewer bugs and this would eventually lead to fewer exploits.

Challenges in TCB:

1.   Undermining of privilege separation.

2.   New and undiscovered class of bugs.

3.   Many bugs.

We also face security challenges due to Program, Compilers, and codes. We would need to take measures like disabling certain optimization, use bugs finding tools, look out for undefined behavior.

Cyber Security.

With the rise of acceptability and usage of Information Technology most of our data now resides in digital world and Information security is very critical aspect for today’s companies, institution, government and public sector. The companies’ data are vulnerable from external malicious attacks, through internal triggered data leakage and via information passed by emails or social network. As the concept of Bring your own devices to work place further catches up it is bringing new challenges for CXO’s at the work place. For Government as well the challenges are monitoring and securing their own Infrastructure at the same time with the evolution of social media, VOIP, Mobile etc which has many advantages but also possess potential treat and data monitoring is another aspect of Security surfacing. In future war would not be fought on battle field but in cyber world and cyber security is the most critical aspect, if a country targets top 10 Companies of a country and penetrate their IT infrastructure they can possibly bring down the economy, similarly different Government departments like Income tax, CBEC, EPFO, Defense etc are again very critical and cyber security has to be upmost priority. We recently had a case where Sony pictures in US was hacked by a Government of a country and Just last week Russian banks found out that their IT network for penetrated and around 2 billon per annum was transferred that exposed the Information Security vulnerability of these organizations. Information security not just requires right products like, HIPS, DLP, End Point protection, Control Compliance Suit, Encryption, MDM, Asset Management, and Patch Management etc but requires regular Audit and Monitoring. As we step in future we would have to manage legacy infrastructure with latest new and evolving technology and trends, Cloud commuting is inevitable and Organization would need to be ready to secure their Infrastructure from all possible threats.