The current size of cyber threats is huge. Nowadays, enterprises must assume their systems have already been penetrated; or otherwise, that they will be the next victims of an attack. Therefore, it is imperative that penetrations are quickly detected, that a quick reaction is enacted, and that the security infrastructure is optimised for the purpose. This is why you need a Cyber Defence Center instead of a Security Operational Center. Are you wondering where is the difference, and why you need one? So read on!
Every day the news are filled with targeted hacker attacks and data thefts, on a growing scale. If we look at the developments of cyber-attacks, we see a clear trend: attackers are usually not alone, and Internet criminality is increasingly in the hands of professional criminal organisations. Duties are efficiently separated: development of malware, sending e-mails, targeted search for vulnerabilities and exploits, implementation of exploit-kits. Stateside groups of hackers are also very active, and instead of limiting themselves to attacking other state-run groups, they go happily after private enterprises. All the above is done by employing almost unlimited resources.
Cyber security does not consist only of (ICT) security walls
Enterprises must grow more professional in their treatment of cyber security, and not just build higher security walls around their ICT infrastructure. There is a clear trend towards developing more intensive surveillance of security systems and incident detection, as suggested for instance by the NIST Cyber Security Framework. This is the way to go: we need a new approach to security, with detection at the foreground and response to the attacks as a relevant component of the IT process. When the preventive measures are appropriately implemented, they can be better oriented to the targets and continually improved.
Our experience shows, unfortunately, that in many enterprises there is much room for improvement in this direction. This is also reflected in the lately published international study “EY’s 19th Global Information Security ‒ Survey 2016-17”:
- Almost half of the interviewees have no facility, or barely informal facilities, for the recognition of vulnerabilities; and no Security Operation Center (SOC) for the ongoing monitoring of potential cyber-attacks.
- 64% of interviewees have no cyber threat intelligence programme, providing information on the current threat situation.
- 87% of participants have pointed out that the implemented cyber security controls do not fully cover the requirements of the enterprise. In particular, the domain of threat recognition appears to be lacking.
Security Operation Center is on everyone’s lips
All the above are tasks that a Security Operation Center can take upon itself. This means that a SOC can be the one decisive development in the direction of cyber security, for the treatment of the ever more complex and refined attacks. However, barely one enterprise out of two operates a SOC – and it is debated whether it is a real SOC or not. But what is it that makes a SOC? The primary focus lies in the centralised monitoring of IT resources and data, the search of signs of possible attacks, and the steering of reactions against cyber threats. A SOC can be seen as a command deck, and actually many SOCs do indeed look like one. In this way, the concentration of so much security competence can fend away any cyber-attack – hopefully…
The biggest mistake: Security Operation is too often IT Operation
In many instances, however, the SOC must take care of operational tasks, which leaves little time for the detection of attacks, or the analysis and reaction to incidents. If your command deck must also answer help desk questions, the chances of a successful cyber-attack are much higher: good for the attacker but bad for you!
What should a good SOC look like then? This is what our experts suggest:
- The focus should lie primarily in the identification of risks, the detection of security incidents and the reaction thereto.
- Duties should be managed automatically whenever it is possible and it makes sense; this applies in particular to the reaction to attacks and the collection and correlation of data. This is also a solution to the eternal problem of lack of workforce.
- Nevertheless, a SOC will always run processes that require human action. It is important that the enterprise run an appropriate staff planning process.
- Enterprises, who cannot hire security staff, should lie out a hybrid personnel planning or similar strategies, which blend the use of internal resources together with the outsourcing of specific functions to external specialists running their own cyber defence center.
SOC 2.0 – the Cyber Defence Center
Of course, even in the SOC of the future we shall still need IT experts, along with tools for the detection of attacks and penetrations; but still more important are cyber threat and intelligence analysts and security experts. In a Cyber Defence Center (CDC) there must be a clear separation of duties, and at the same time an effective team interaction, between the so-called “Blue Team” (cyber security and cyber defence experts) and “Red Team” (cyber threat analysts and penetration testers). In this way, all threads converge into the detection, analysis and contention of cyber-attacks. This poses a requirement for experienced staff with a comprehensive know-how, along with security tools, and not least for a protected operations room with room enough for both teams.
Cyber defence is a demanding work. Due to the lack of specialised workforce, enterprises find it increasingly difficult to procure competent staff in the IT sector. And since attacks can happen around the clock, of course the Cyber Defence Center too must work around the clock, which means yet more specialised staff. Nor do self-learning systems and artificial intelligence solutions offer more than a limited support to security analysts, in the field of breach detection. Such systems must be developed anyway, because they can be expected to bring improvements that will make a CDC more efficient; but a full automation shall never happen. In the future we should still expect to see the need of security experts; this increases the demand for well-trained, external specialists, who can offer their professional skills in the form of a “SOC as a Service”.
InfoGuard's new Cyber Defence Center
At the end of May 2017 InfoGuard opens a new Cyber Defence Center, occupying all of 250 square meters in office space, manned by experienced security staff and analysts. The offering will include Security Information & Event Management (SIEM), Vulnerability Management, Breach Detection, Cyber Threat Intelligence, Incident Response and Forensics. The services are based on leading detection technologies, including artificial intelligence and machine learning. The new CDC is founded on a multi-step concept, in which security systems are monitored 24h/365d all-round. InfoGuard is also compliant with the Swiss Data Protection Act, and the guidelines for the Swiss financial market.
Preparation works for the opening of the new CDC are in full swing! We offer you a backstage view: go to our Cyber Defence Ticker and find current pictures of the building site!