bringing intelligence to security with the CyberSOC

Enterprise security can sometimes seem like an endless game of whack-a-mole between the security industry and cybercriminals. As soon as one hole gets plugged up the hackers find a new way in. Enterprises have found out that on its own, a technology-led approach to security is no longer enough. To protect themselves, they need to adopt an intelligence-led approach provided by a new organization called the CyberSOC (security operations center).

The CyberSOC helps defend enterprises against the trend of modern malware to operate by stealth. Security company Sophos says that advanced persistent threats (APT) developed by cybercriminals specifically target businesses and even individuals in an attempt to steal data. These stealth attacks are well planned and often stay in place leaking confidential information long after the initial objective has been achieved.

costly attacks

Look at the data breach US retailer Target suffered in November and December 2013, which saw the credit card details of almost 40 million customers compromised. “Given the timing, the height of the holiday shopping season, the attackers chose a time period where they could inflict the maximum damage and gain access to a wealth of financial information,” Gidi Cohen, CEO of Skybox Security told eSecurity Planet.

However, even targeted attacks will typically use known vulnerabilities: the Verizon data breaches report, which studied 621 data breaches in 2012 said that in 78% of cases the initial intrusion is rated as low difficulty, while 66% of breaches took months or more to discover.

The problem in preventing, or even detecting, attacks is that enterprise infrastructure is too complex and produces too much data. Justin Croker, VP EMEA at Skybox, told the Cyber Security Summit in London that he worked with one organization that had over 1 million events per second coming through its SOC.

And the more security devices, the more likely that making one simple change to the configuration, such as to a firewall, could have an unintended consequence somewhere else in the infrastructure.

managing risk

To cope with this complexity, the chief security officer (CSO) needs to focus on risk and understand the strengths and weakness of the enterprise infrastructure. It helps to adopt what is known in the military as “situational awareness”. This involves understanding your environment, predicting where security problems could occur and understanding the impact they could have on the business.

The CyberSOC helps in this process by managing risk across the business via a cycle of monitor, assess, advise and remediate. It draws on human skills, including security events analysts, to provide services such as incident handling, alert warning, risk analysis and business impact assessment.

It complements, rather than replaces the work of the SOC, which manages security from a ‘technology standpoint’. Typically, the SOC is staffed by security product specialists and offers services such as release management, configuration management and signature updates.

focus on business value

“You need to analyze the risks to your business and work out what type of threats are likely. Different types of businesses have different requirements and risks,” says Sebastien Roncin, Security Product Manager, Orange Business.  “For example, a manufacturer’s priority is to ensure that its intellectual property is not stolen, while an ecommerce company will be more concerned with the uptime of its customer-facing site.”

This helps focus security efforts on protecting what is valuable to the business. “Remember that ensuring security is a business issue, not an IT project,” adds Sebastien Roncin.  “Don’t only focus on how the attack will happen, focus also on the resource that you are protecting. The CyberSOC can identify activity that could signal a problem, such as a large number of requests from one IP address, or port scanning. A combination of several suspicious activities can signal a potential problem that will need action.”

At its core, the CyberSOC provides an overall view of security by bringing together forensic security, security event analysis and risk analysis. This provides a security view of the past, present and future to help keep all attacks at bay. Together with the SOC, the two agencies are well-armed to fend off the ever-evolving cyber-security threats that target enterprises.

To find out more about how to implement CyberSOC-related services, speak to our security experts at securityservices@orange.com