Leaf Mound AG, a fictitious company used here as an example, has been working successfully with its management team for years and is probably already familiar to regular InfoGuard blog readers. In the following, Leaf Mound AG will be referred to as “Leaf Mound” for short.
Leaf Mound’s core business is the production of mobile prefabricated leaf mounds and hedgehog houses for the modern hedgehog. Optimum hibernation support is provided by the GPS-driven site selection (dry and shady). The leaf mounds also provide protection from the hedgehog’s few predators such as badgers.
A year ago, the management team decided to team up with InfoGuard’s Security Operations Centre (SOC). The driving forces behind this decision were Ms. Wagglenose (IT architect) together with Mr. Brushwood (CISO). The project was ultimately approved by Ms. Spiny (CEO). Since then, the Leaf Mound servers and clients have been monitored around the clock and no relevant security incidents have occurred this year.
Whenever Mr. Brushwood raised IT security issues, the response was usually along the lines of: “Now we have the SOC, we can do without this measure,” or “The SOC is already costing us enough.” This situation was not satisfactory for the CISO.
At Leaf Mound, IT security tasks are referred to as “IT security discipline”, so this article uses that term exclusively. An IT security discipline describes and defines Leaf Mound’s IT from a security perspective.
The CISO wanted to show that the IT security disciplines and the SOC are interdependent. He therefore believed that both components should be considered as a unit to be operated and developed together. If this fact is overlooked, Leaf Mound could be at risk. The IT architect and the CISO wanted to make this clear. As usual, the CISO and the IT architect sat down together. This time the plan was to come up with a coherent line of argument for the next meeting of the manager-hedgehogs.
The two met for a brainstorming session in the “Happy Hibernation” meeting room to sift through and organise the IT security disciplines.
The result was the following slide with Leaf Mound’s IT security disciplines:
Figure 1: IT security disciplines represent the IT landscape
Mr. Brushwood was pleased that they had identified a whole range of IT security disciplines. These represent the entirety of Leaf Mound’s IT landscape.
Nevertheless, he still looked a little quizzical. “What’s next for our story? How can we explain this to the CEO in an understandable way?” “Let’s see tomorrow,” said Ms. Wagglenose. “I’m going to hedgehog fitness now.” And she was gone.
The next day, Ms. Wagglenose added explanations to the IT security disciplines (see Table 1) and also indicated whether an IT security discipline provides input to the SOC or whether the SOC generates output for the IT security discipline.
Mr. Brushwood was delighted with the result. “There are many relationships between the IT security disciplines and the SOC – and they run on both sides,” he mused. This can be easily explained and discussed...
IT Security Discipline | Explanation | Input to SOC | Output from SOC
--- | --- | --- | ---
Monitoring and Reaction | The SOC’s core task is the ongoing monitoring of Leaf Mound to detect security incidents. Leaf Mound’s IT provides the necessary event and log data to the SOC. | x | x
Software Bill of Materials, SBOM | Leaf Mound equips leaf mounds and hedgehog houses with GPS, weather sensors and an operating hours counter. Because the products are delivered to EU countries, EU legislation for exports to the EU must be complied with [1]. | |
Vendor Risk Management | Leaf Mound is connected to its suppliers via B2B systems. This exposes it to possible supply chain attacks. | x | x
Access Protection | Leaf Mound’s assets must be protected from unauthorised access. | x | x
Disaster Recovery | The company’s IT is hybrid, i.e. it is operated both on-prem and in the cloud. In both cases, data needs to be backed up in line with requirements. Backups should be stored offline and off site to protect against outages and ransomware attacks, for example. | x | x
Standards | The production of hedgehog houses is strictly regulated. | x | x
Patching | Because a hedgehog’s coat only protects as well as its weakest spine, the IT components used by Leaf Mound must be up to date. | | x
Architecture | To ensure that Leaf Mound’s IT can adapt quickly to new or changing requirements, the IT architecture must be modular and agile and provide a component architecture that meets requirements. | x | x
Cloud and Multi Cloud | It should be possible to integrate additional providers, giving Leaf Mound the best of all options. | x | x
Quantum Cryptography | In future, cryptographic algorithms must be able to withstand the high computing power of quantum computers. This requires existing algorithms to be replaced. | x | x
Asset Management | In order to assess the consequences of an attack, the affected assets must be known and the value of an attacked asset defined. This input is essential for the SOC to assess a recognised attack. | x | x
Assessments and Tests | In order to fulfil compliance requirements and to have an internal view of IT, internal and external audits are carried out periodically to determine the status of Leaf Mound’s IT. | x | x
Penetration Tests | Penetration tests are attempted attacks carried out under real conditions in order to test the effectiveness of Leaf Mound’s security system. | x | x
Resilience | Leaf Mound strengthens its resilience to attacks through periodic table-top and disaster recovery exercises. | x | x
Governance | Leaf Mound’s governance also includes the IT production resources. | x | x
Reporting | Metrics and reports help in terms of “Plan, Do, Check, Act” to apply the lever in the right place. | x | x
Table 1: IT security disciplines and SOC
[1] Draft REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020
Ms. Wagglenose pointed out that the IT landscape at Leaf Mound is constantly changing. This affects the IT security disciplines because, as mentioned, they map the IT landscape. Mr. Brushwood suggested presenting the dynamics of the IT security disciplines in a table. No sooner said than done:
IT Security Discipline | Description of the dynamics | Classification
--- | --- | ---
Monitoring and Reaction | Attacks can occur at any time. For this reason, monitoring and readiness to respond must be maintained at all times. | very high
Software Bill of Materials, SBOM | Normally, Leaf Mound uses components in its products that are sourced via long-term supply contracts. This is why there are few changes to the structure and functions of the externally sourced components. | low
Vendor Risk Management | The suppliers’ B2B systems are subject to the security measures defined by the suppliers. The vulnerability of suppliers’ B2B systems can improve or deteriorate at any time. | low - medium
Access Protection | Due to its successful business activities, people joining, leaving and transferring have caused many changes at Leaf Mound. New functions are being integrated into applications and authorised accordingly. All of this causes changes to the authorisations granted. | medium
Disaster Recovery | The disaster recovery plans must take into account both existing and newly added functions. | medium
Standards | No changes to the regulations or the applicable legal requirements are expected at the present time. | low
Patching | Many vulnerabilities in the components can be patched with a high cadence. In Leaf Mound’s case, the SOC provides the input for components with vulnerabilities. | very high
Architecture | The IT architecture has a medium to long-term focus. The aim is to offer an expandable component architecture without having to significantly redesign the foundation. | low
Cloud and Multi Cloud | If Leaf Mound’s business wants a new functionality that is only provided by service or cloud provider X, this leads to a multi-cloud architecture. | low - medium
Quantum Cryptography | It is to be expected that the existing cryptographic algorithms will have to be replaced by quantum computer-resistant algorithms (PQC) in the foreseeable future. | medium
Asset Management | Due to the dynamic development of Leaf Mound’s business, there are frequent changes (new additions and replacements) and configuration changes to the assets. This has an impact on disaster recovery, monitoring, patching etc. | very high
Assessments and Tests | Compliance checks are carried out on a regular basis. | medium
Penetration Tests | Changes to Leaf Mound’s system landscape and the introduction of new functionality require periodic penetration tests to test protection against attacks. | low - medium
Resilience | The findings from the disaster recovery exercises and attack patterns from the SOC are incorporated into the design of Leaf Mound’s IT. | medium
Governance | The governance requirements are long-term in nature and are changed as little as possible. | low
Reporting | Requirements for reports and metrics help to manage Leaf Mound’s business and are frequently optimised. | high
Table 2: Dynamics of IT security disciplines
Ms. Wagglenose was looking for an illustration to cast light on the following process:
Because this is a “never-ending story”, the IT architect presented the situation as a circle. She looked at the illustration with satisfaction. It shows that IT security disciplines and SOC are two manifestations of the same thing: Maintaining IT security at Leaf Mound.
Figure 2: Backcoupling between the IT landscape and the SOC
What happens if the backcoupling between the IT security disciplines and the SOC is not implemented or is incomplete? And how does this affect the IT landscape mapped by the disciplines?
Ms. Wagglenose wanted to underline the facts with a few examples from the meeting of the manager-hedgehogs.
Leaf Mound has acquired a new application for monitoring the production of leaf mounds. Each leaf mound is issued with a quality certificate confirming compliance with industry standards.
Once the application has been introduced, the SOC recognises the new server through the scans, but only has incomplete information about the new application. The following list shows the information from the IT security disciplines that the SOC needs to fulfil its tasks:
Information | Reason | Measures taken by the SOC
--- | --- | ---
The importance of the application for Leaf Mound | If the availability requirement of an application is known, monitoring can be intensified and a prompt response can be made in the event of an incident. | Protection in accordance with the defined availability requirements.
Type of connections to peripheral systems originating from the application | The new application has a graphical web interface and communicates with a database. These systems could be lateral targets in the event of an attack on the new application and should be protected accordingly. | Protection of the identified horizontal and lateral attack paths.
Protection requirements of the processed data | Depending on the need for protection, measures such as anonymisation or pseudonymisation are implemented to keep the risk of a data leak as low as possible. | Monitoring by the SOC is intensified for sensitive data.
Operating location of the application | Depending on the operating location, an application is more or less exposed to attacks and requires appropriate protection. | Protection in line with the exposure of an application or application component.
Table 3: Example of protection requirements derived from the IT security disciplines and to be provided by the SOC
If this information is not known to the SOC, the basic protection provided for Leaf Mound’s IT systems and components is applied. However, this protection is not sufficient for critical systems.
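The fallback described above can be made concrete as a small enrichment step in the SOC's own tooling: the four pieces of information from Table 3 are scored into a monitoring level, and an asset for which any of them is missing receives only the basic level, however critical it really is. This is an added example, not InfoGuard's or Leaf Mound's code; the attribute names, the scores and the thresholds are assumptions chosen for illustration.

```python
"""Derive a monitoring level for a newly discovered server from the four
pieces of information in Table 3.  Added example: not InfoGuard's or
Leaf Mound's code.  Attribute names, scores and thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AssetRecord:
    hostname: str
    importance: Optional[str] = None       # availability requirement: low | medium | critical
    data_protection: Optional[str] = None  # need for protection of processed data: public | internal | sensitive
    location: Optional[str] = None         # operating location / exposure: internal | cloud | dmz
    connections: List[str] = field(default_factory=list)  # peripheral systems (lateral targets)


# Constructed weights: a higher score means the SOC should watch more closely.
SCORES = {
    "importance": {"low": 0, "medium": 1, "critical": 3},
    "data_protection": {"public": 0, "internal": 1, "sensitive": 2},
    "location": {"internal": 0, "cloud": 1, "dmz": 2},
}


def missing_information(asset: AssetRecord) -> List[str]:
    """Attributes the IT security disciplines have not yet handed over for this asset."""
    return [name for name in SCORES if getattr(asset, name) is None]


def monitoring_level(asset: AssetRecord) -> Tuple[str, List[str]]:
    """Return (level, missing).  With incomplete information only the basic
    protection applies, regardless of how critical the asset really is."""
    missing = missing_information(asset)
    if missing:
        return "basic", missing
    score = 0
    for name, table in SCORES.items():
        value = getattr(asset, name)
        if value not in table:
            raise ValueError(f"{name}={value!r} is not a known classification")
        score += table[value]
    # Each peripheral system widens the lateral attack path (capped at 2 points).
    score += min(len(asset.connections), 2)
    if score >= 6:
        return "intensive", []
    if score >= 3:
        return "enhanced", []
    return "standard", []


def lateral_targets(asset: AssetRecord) -> List[str]:
    """Peripheral systems that must be protected alongside the application itself."""
    return list(asset.connections)


if __name__ == "__main__":
    # Constructed records for the production monitoring application from the text.
    scanned_only = AssetRecord(hostname="prodmon-01")  # what the SOC sees from its scans alone
    documented = AssetRecord(hostname="prodmon-01", importance="critical",
                             data_protection="sensitive", location="dmz",
                             connections=["prodmon-web", "prodmon-db"])
    print(monitoring_level(scanned_only))  # ('basic', ['importance', 'data_protection', 'location'])
    print(monitoring_level(documented))    # ('intensive', [])
    print(lateral_targets(documented))     # ['prodmon-web', 'prodmon-db']
```

The list of missing attributes returned alongside "basic" is the useful part for the feedback loop: it tells the SOC exactly which discipline (asset management for importance, data classification for protection needs, architecture for location and connections) still owes information for this asset.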
The SOC discovers that Mr. Ball’s (product manager) laptop has not been updated for six months. The following information flows from the SOC to the company:
Information from the SOC | Reason | Operational tasks
--- | --- | ---
The Windows OS patch level is outdated. | Updating the configuration management database. | Maintaining the current configuration management database and the current patching levels.
Certificates have expired | Automatic import of new certificates or notifying Mr. Ball that he must have them renewed by the Help Desk. | Ensure identity, secure remote access and valid signatures.
Missing virus scans | Automatic update of virus scanner and virus definitions or input to Mr. Ball that he should bring his laptop to the help desk to fix the virus scanner. | Ensure that the virus protection is functional and up-to-date on all systems.
Table 4: Example of information from the SOC to the IT security disciplines
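The three findings in Table 4 are exactly what a hygiene check over endpoint telemetry produces, and grouping them by the task that has to act on them is the SOC-to-disciplines feedback in practice. The following is an added example, not InfoGuard's or Leaf Mound's code; the record layout, the age thresholds, the task names and the laptop records are constructed assumptions.

```python
"""Derive the Table 4 findings (outdated OS patch level, expired certificates,
missing virus scans) from an endpoint record and route each to the
operational task that has to act on it.  Added example, not InfoGuard's or
Leaf Mound's code; record layout, thresholds and task names are assumptions."""
from datetime import date, timedelta
from typing import Dict, List

PATCH_MAX_AGE_DAYS = 30  # assumed policy: OS patch level no older than 30 days
AV_DEF_MAX_AGE_DAYS = 7  # assumed policy: virus definitions no older than 7 days


def endpoint_findings(record: Dict, today: date) -> List[Dict[str, str]]:
    """Check one endpoint record and return the SOC findings with their tasks."""
    findings: List[Dict[str, str]] = []

    patch_age = (today - record["last_os_patch"]).days
    if patch_age > PATCH_MAX_AGE_DAYS:
        findings.append({
            "finding": "OS patch level outdated",
            "detail": f"last patch {patch_age} days ago",
            "task": "Patching: update the device and the CMDB patch level",
        })

    for cert in record["certificates"]:
        if cert["not_after"] < today:
            findings.append({
                "finding": "certificate expired",
                "detail": f"{cert['subject']} expired on {cert['not_after'].isoformat()}",
                "task": "Access Protection: auto-import renewed certificate or renew via Help Desk",
            })

    av_date = record.get("av_definitions")
    if av_date is None:
        # Scanner has never reported a definition date: treat as not functional.
        findings.append({
            "finding": "virus scans missing",
            "detail": "scanner reports no definition date",
            "task": "Virus protection: repair scanner via Help Desk",
        })
    elif (today - av_date).days > AV_DEF_MAX_AGE_DAYS:
        findings.append({
            "finding": "virus definitions stale",
            "detail": f"definitions {(today - av_date).days} days old",
            "task": "Virus protection: push definition update",
        })
    return findings


def findings_by_task(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group findings so each operational task receives only its own work items."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f["task"], []).append(f["finding"])
    return grouped


# Constructed records: one modelled on Mr. Ball's laptop (no updates for six months),
# one healthy device for comparison.  Hostnames and subjects are placeholders.
TODAY = date(2024, 6, 1)
BALL_LAPTOP = {
    "hostname": "lm-ball-laptop",
    "last_os_patch": TODAY - timedelta(days=183),
    "certificates": [{"subject": "CN=ball@leafmound.example", "not_after": date(2024, 4, 30)}],
    "av_definitions": None,
}
HEALTHY_LAPTOP = {
    "hostname": "lm-wagglenose-laptop",
    "last_os_patch": TODAY - timedelta(days=5),
    "certificates": [{"subject": "CN=wagglenose@leafmound.example", "not_after": date(2025, 4, 30)}],
    "av_definitions": TODAY - timedelta(days=1),
}

if __name__ == "__main__":
    for task, items in findings_by_task(endpoint_findings(BALL_LAPTOP, TODAY)).items():
        print(task, "->", items)
```

Running the check against the healthy record returns an empty list, which is the point of the thresholds: the SOC reports only deviations, and each deviation lands with the task named in Table 4 rather than in a general inbox.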
The SOC also discovered that Mr. Ball tried to dial into Leaf Mound remotely from an unusual location in the middle of the night. Here too, information flows from the SOC to operations and the CISO:
Information from the SOC | Reason | Operational and CISO tasks
--- | --- | ---
Monitoring and evaluation of user behaviour | Suggestions for the definition of “conditional access policies”, used to detect and automatically block suspicious behaviour patterns. | Establish “conditional access policies” and define corresponding “story books” (playbooks) that can be used to react automatically to incidents where possible.
Table 5: Example of information from the SOC to the IT security disciplines
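A conditional access policy of the kind Table 5 proposes combines two signals the SOC already has: the location of a sign-in compared with the user's baseline, and the time of day. The following added example, which is not InfoGuard's or Leaf Mound's code, applies such a rule to constructed sign-in log lines; the log format, the working-hours window, the action names and the country code "ZZ" (a user-assigned placeholder) are assumptions.

```python
"""Flag the sign-in pattern from Table 5 (remote access at an unusual hour from
an unusual location) over constructed sign-in log lines.  Added example, not
InfoGuard's or Leaf Mound's code; log format, working-hours window and action
names are assumptions made for illustration."""
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Assumed log format: "<UTC timestamp> user=<id> country=<ISO code> result=success|failure"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)
WORKING_HOURS = (6, 22)  # assumed: 06:00 to 22:00 UTC counts as usual


def parse_line(line: str) -> Dict:
    """Parse one sign-in line into a dict; reject anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised sign-in line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "country": m["country"], "result": m["result"]}


def build_baseline(history: Iterable[str]) -> Dict[str, Set[str]]:
    """Countries from which each user has previously signed in successfully."""
    baseline: Dict[str, Set[str]] = {}
    for line in history:
        ev = parse_line(line)
        if ev["result"] == "success":
            baseline.setdefault(ev["user"], set()).add(ev["country"])
    return baseline


def evaluate(event: Dict, baseline: Dict[str, Set[str]]) -> Dict:
    """Apply the conditional-access rule to one sign-in and return the decision."""
    reasons: List[str] = []
    if event["country"] not in baseline.get(event["user"], set()):
        reasons.append("location not in user's baseline")
    if not (WORKING_HOURS[0] <= event["ts"].hour < WORKING_HOURS[1]):
        reasons.append("outside working hours")
    if len(reasons) == 2:
        action = "block and notify SOC"             # both signals together: the Table 5 pattern
    elif reasons:
        action = "require additional verification"  # one signal alone: assumed step-up
    else:
        action = "allow"
    return {"user": event["user"], "ts": event["ts"].isoformat(), "action": action, "reasons": reasons}


def detect(history: Iterable[str], new_lines: Iterable[str]) -> List[Dict]:
    """Decisions for every new sign-in that is not simply allowed."""
    baseline = build_baseline(history)
    decisions = (evaluate(parse_line(line), baseline) for line in new_lines)
    return [d for d in decisions if d["action"] != "allow"]


# Constructed sample: Mr. Ball's normal daytime sign-ins from Switzerland, then a
# night-time attempt from a country he has never used.
HISTORY = [
    "2024-05-27T08:02:11Z user=ball country=CH result=success",
    "2024-05-28T07:55:40Z user=ball country=CH result=success",
    "2024-05-29T17:31:05Z user=ball country=CH result=success",
]
NEW = [
    "2024-05-30T09:12:00Z user=ball country=CH result=success",
    "2024-05-31T02:47:13Z user=ball country=ZZ result=success",
]

if __name__ == "__main__":
    for decision in detect(HISTORY, NEW):
        print(decision)
```

The baseline is built only from earlier successful sign-ins, so a new, never-seen location cannot whitelist itself; in production the baseline would come from the identity provider's history rather than a fixed list, and the "block" action would be the automated reaction the Table 5 playbook describes.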
If there is no feedback from the SOC to the IT security disciplines or to operations, the findings from the SOC will be in vain.
In the scenarios described, the SOC and the IT landscape represented by the IT security disciplines drift apart. The longer this condition lasts, the larger the blind spots become. The illustration below shows that there are gaps on the left and right:
Figure 3: Incomplete coverage of IT landscape and SOC
These gaps are highly dangerous – no exaggeration. Every hacker will welcome this so they can go about their malicious activities undisturbed.
The CISO now had all the information he needed to create a presentation tailored to the management meeting. In the final slide, he summarised the findings of his observations:
For this reason, Leaf Mound should continue to invest in the IT security disciplines and the SOC and ensure the reciprocal flow of information. In this way, Leaf Mound can ensure that the funds invested generate the optimum benefit.