Security Operations Center Research Articles

Security monitoring strategies for your OT infrastructure

Cyber security threats are an ever-increasing risk to industrial control systems (ICS). Therefore, by considering the impact of cyberattacks as part of improvements in operational technology (OT) infrastructure resiliency serves the ultimate goal of minimising production downtime. In order to achieve this, organisations should consider flexible and innovative security monitoring strategies as well as a security operations centre (SOC). Having security monitoring mechanisms and a SOC function benefits the OT infrastructure in multiple ways, including incident response management, threat and vulnerability management, asset inventory and management, network flow monitoring, security logs monitoring and correlation, as well as the core function of defence against cyberattacks. This paper demonstrates the best practices for security monitoring and protection used by different industry sectors and explains security monitoring tools and their special features, as well as how these monitoring tools are integrated within the SOC. The paper then illustrates the baseline design for building a SOC for OT infrastructure and what needs to be considered when implementing an OT SOC, including data onboarding from OT infrastructure, SOC use cases development, and other SOC functionalities such as vulnerability and risk management, malware detection and other features. The paper aims to benefit the OT security community by providing a general guidance, future vision and required information to build a functional security strategy for critical national infrastructure (CNI) by considering the security life cycle starting from monitoring, through detection, to response and reporting.

Data presentation in security operations centres: exploring the potential for sonification to enhance existing practice

AbstractSecurity practitioners working in Security Operations Centres (SOCs) are responsible for detecting and mitigating malicious computer network activity. This work requires both automated tools that detect and prevent attacks, and data presentation tools that can present pertinent network security monitoring information to practitioners in an efficient and comprehensible manner. In recent years, advances have been made in the development of visual approaches to data presentation, with some uptake of advanced security visualization tools in SOCs. Sonification in which data are represented as sound, is said to have potential as an approach that could work alongside existing visual data presentation approaches to address some of the unique challenges faced by SOCs. For example, sonification has been shown to enable peripheral monitoring of processes, which could aid practitioners multitasking in busy SOCs. The perspectives of security practitioners on incorporating sonification into their actual working environments have not yet been examined, however. The aim of this article, therefore, is to address this gap by exploring attitudes to using sonification in SOCs and by identifying the data presentation approaches currently used. We report on the results of a study consisting of an online survey (N = 20) and interviews (N = 21) with security practitioners working in a range of different SOCs. Our contributions are (i) a refined appreciation of the contexts in which sonification could aid in SOC working practice, (ii) an understanding of the areas in which sonification may not be beneficial or may even be problematic, (iii) an analysis of the critical requirements for the design of sonification systems and their integration into the SOC setting and (iv) evidence of the visual data presentation techniques currently used and identification of how sonification might work alongside and address challenges to using them. Our findings clarify insights into the potential benefits and challenges of introducing sonification to support work in this vital security monitoring environment. Participants saw potential value in using sonification systems to aid in anomaly detection tasks in SOCs (such as retrospective hunting), as well as in situations in which peripheral monitoring is desirable: while multitasking with multiple work tasks, or while outside of the SOC.

Security Operations Center: A Framework for Automated Triage, Containment and Escalation

There have been a lot of research exertions and studies to improve the safety of critical infrastructures using the Security Operations Center (SOC). As part of efforts, the purpose of this research is to propose a framework to automate the SOC’s performance of triage, containment and escalation. The research leveraged on qualitative desk review to collect data for analysis, deduced strengths and weaknesses for the current SOC implementations and used that as a basis for proposing the framework. In view of the constant evolution of SOC operations and capabilities coupled with the huge volumes of data collected for analysis, an efficient framework for SOC operations is proposed. The qualitative analysis is used to deduce strengths and weaknesses for the current SOC implementations as a premise for proposing the framework. It consists of eight interactive stages that further leverage on a proposed algorithm for baselining, remediation and escalation. The result of this research is a proposed framework that serves as a unique contribution to enhancing the SOC’s ability to automatically perform triage, containment and escalation. Supplementary to similar and earlier work reviewed, the framework is proposed as the way forward to automatically enable SOC setups with the capacity to efficiently perform triage of security threats, vulnerabilities and incidents, effectively contain identified breaches and appropriately escalate for prompt and accurate solutions.

Security Operation System

The number of cyber attacks and cyber crimes grows every year. This is why there constantly appear new products, technologies and tools for protection against cyber threats. Security Operation Center (SOC) is one of the most up-to-date and reliable cybersecurity tools of enterprise level. There are already several SOCs in Ukraine in government and law enforcement bodies and there is strong interest to their implemen-tation shown by organizations and enterprises of practically every industry of national economy. SOC al-lows monitoring, detection and quick response to incidents which is necessary to reduce damage and fi-nancial losses caused by such incidents. Implementation of SOC requires significant expenses which can be afforded only by some organizations and enterprises. This is why creation of similar but more affordable tool is very urgent. The paper describes Security Operation System (SOS) designed for effective protection against cyber threats and cyber attacks, which collects, normalizes, correlates and analyses events in or-ganization’s IT infrastructure. Main advantage of this system is ability to receive information on events from different sources and their correlation which is important as today attacks can only be discovered on the basis of combination of events in the IT infrastructure. Another advantage of SOS is ability to add new correlation rules into analytical module which can be based on the unique experience of system exploita-tion, analysis of new attacks against organization’s IT infrastructure or borrowing such correlation rules from other organizations.

Security Operations Center: A Systematic Study and Open Challenges

Since the introduction of Security Operations Centers (SOCs) around 15 years ago, their importance has grown significantly, especially over the last five years. This is mainly due to the paramount necessity to prevent major cyber incidents and the resulting adoption of centralized security operations in businesses. Despite their popularity, existing academic work on the topic lacks a generally accepted view and focuses mainly on fragments rather than looking at it holistically. These shortcomings impede further innovation. In this paper, a comprehensive literature survey is conducted to collate different views. The discovered literature is then used to determine the current state-of-the-art of SOCs and derive primary building blocks. Current challenges within a SOC are identified and summarized. A notable shortcoming of academic research is its focus on the human and technological aspects of a SOC while neglecting the connection of these two areas by specific processes (especially by non-technical processes). However, this area is essential for leveraging the full potential of a SOC in the future.

From logs to Stories: Human-Centred Data Mining for Cyber Threat Intelligence

An average medium-sized organisation logs approx. 10 to 500 mln events per day on the system. Only less than 5% of threat alerts are being investigated by the specialised staff, leaving the security hole open for potential attacks. Insufficient information in alert message produced in machine-friendly rather than human-friendly format causes cognitive overload on currently limited cybersecurity resources. In this paper, the model that generates the report in natural language by means of applying novel storytelling techniques from security logs is proposed. The solution caters for different levels of reader expertise and preference by providing adjustable templates, filled from both local and global knowledge base. The validation is performed on case study from Security Operations Centre (SOC) at educational institution. The report generated proves superior to existing approach in terms of comprehension (increased cognition) and completeness (enriched context). The evaluation demonstrates power of storytelling in potential threats interpretation in cybersecurity context.

Capturing Tacit Knowledge in Security Operation Centers

The use of tacit knowledge has previously been shown to help expedite problem-solving procedures in the setting of medical emergency responses, as individuals can use past experiences in present and future challenges. However, there is a lack of understanding in its application in IT and socio-technical management. This paper examines the thought processes observed in Security Operational Centre (SOC) analysts facing threat events to lay the groundwork for tacit knowledge management in SOCs. Based on Sternberg's fieldwork in tacit knowledge, we conducted semi-structured interviews with ten analysts to explore the key artefacts and individual traits that aid their approach to communication, and to examine the thought processes under hypothetical incident handling scenarios. The results highlight a unanimous pursuit of Root Cause Analysis (RCA) upon the outbreak of an incident and stages of decision-making when escalating to third party support providers. Using Business Process Modelling and Notation (BPMN), we show the procedural elements of tacit knowledge from several scenarios. The results also suggest that simulation environments and physical proximity with analysts and vendors can facilitate the transfer of tacit knowledge more effectively in SOCs.

A Concept for Establishing a Security Operations and Training Centre at the Bulgarian Naval Academy

A Concept for Establishing a Security Operations and Training Centre at the Bulgarian Naval Academy

SOTER: A Playbook for Cybersecurity Incident Management

SOTER, <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">1</sup> a cybersecurity incident management playbook, is developed to provide a comprehensive model to manage cybersecurity incidents, particularly for the cybersecurity operations center. The proposed playbook is adaptive, cross-sectorial, and process driven. Each key components of the incident management playbook are outlined and discussed. Furthermore, a lexicon based on equivalence mapping is developed and used to map existing cybersecurity incident vocabulary and taxonomy into a common and consistent lexicon to aid understanding among incident management stakeholder communities—national, government, and private sectors. A versatile workbook model has been explored, which proves to be adaptable to serve a wide range of cases for successfully managing government and private sector security operations center. Cybersecurity incident sharing partnership, formalism for metric and measurements of cybersecurity incident parameters, and cybersecurity incident classification and prioritization schemes are presented, and finally, cybersecurity incident “plays” and playbook templates are discussed.

Challenges and performance metrics for security operations center analysts: a systematic review

ABSTRACT The increasing use of Security Operations Centers (SOCs) by organisations as a part of their cyber security strategy has led to several studies aiming to understand and improve SOC operations. However, to the best of our knowledge, there is no systematic literature review on the challenges faced by SOC analysts or on metrics for measuring analysts performance. To this end, we conducted a Systematic Literature Review (SLR) in accordance with the guidelines for undertaking SLR and analyzed papers published on SOCs between 2008 and 2018. We provide a comprehensive overview of the challenges faced by SOC analysts and of the metrics suggested in the literature for measuring analysts performance. In addition, we present a mapping between the challenges and existing performance metrics showing how the effectiveness of an analyst in addressing a particular challenge could be measured. We also discuss the drawbacks of the existing metrics and suggest directions for improvement. Our findings will enable SOC analysts and managers, as well as the academic community to gain a better understanding of the challenges impeding the performance of SOC analysts, and how analysts performance could be measured and improved.

Challenges towards Building an effective Cyber Security Operations Centre

The increasing dependency of modern society on IT systems and infrastructures for essential services (e.g. internet banking, vehicular network, health-IT, etc.) coupled with the growing number of cyber incidents and security vulnerabilities have made Cyber Security Operations Centre (CSOC) undoubtedly vital. As such security operations monitoring is now an integral part of most business operations. SOCs (used interchangeably as CSOCs) are responsible for continuously and protectively monitoring business services, IT systems and infrastructures to identify vulnerabilities, detect cyber-attacks, security breaches, policy violations, and to respond to cyber incidents swiftly. They must also ensure that security events and alerts are triaged and analysed, while coordinating and managing cyber incidents to resolution. Because SOCs are vital, it is also necessary that SOCs are effective. But unfortunately, the effectiveness of SOCs are a widespread concern and a focus of boundless debate. In this paper, we identify and discuss some of the pertinent challenges to building an effective SOC. We investigate some of the factors contributing to the inefficiencies in SOCs and explain some of the challenges they face. Further, we provide and prioritise recommendations to addressing the identified issues.

POSITIONING CYBERSECURITY IN THE C-SUITE: HOW TO BUILD A JOINT SECURITY OPERATIONS CENTER

ABSTRACTThis paper argues that the creation of a Joint Security Operations Center (JSOC) must be coordinated, implemented, and administered by a single dedicated entity, one that operates at the highest level of organizational authority to ensure proper coordination and enforcement. Currently, not one sector in the U.S.’s national infrastructure have yet to come up with an effective strategy or a coherent scheme to protect itself from a concerted cyberattack. Therefore, it is critically important that we begin to get our act together in cyberspace. Electronic, personnel, and physical security are separate operations in most companies. So, in essence, the separation of functions has created three wobbly one-legged stools instead of one solid three-legged stool. Thus, we need a single unified point to create and manage a complete, rational, organization-wide cybersecurity control system. In essence, a complete cybersecurity response requires expertise in electronic, behavioral, and physical security operations and the key to success lies in the proper placement. The obligation for creating and sustaining this strategic function lies with corporate leadership, not the people down the organizational ladder in IT. The converged approach is essential because monitoring and enforcement is cross functional and comprehensive.

Intrusion Detection Over Encrypted Network Data

Abstract Effective protection against cyber-attacks requires constant monitoring and analysis of system data in an IT infrastructure, such as log files and network packets, which may contain private and sensitive information. Security operation centers (SOC), which are established to detect, analyze and respond to cyber-security incidents, often utilize detection models either for known types of attacks or for anomaly and applies them to the system data for detection. SOC are also motivated to keep their models private to capitalize on the models that are their propriety expertise, and to protect their detection strategies against adversarial machine learning. In this paper, we develop a protocol for privately evaluating detection models on the system data, in which privacy of both the system data and detection models is protected and information leakage is either prevented altogether or quantifiably decreased. Our main approach is to provide an end-to-end encryption for the system data and detection models utilizing lattice-based cryptography that allows homomorphic operations over ciphertext. We employ recent data sets in our experiments which demonstrate that the proposed privacy-preserving intrusion detection system is feasible in terms of execution times and bandwidth requirements and reliable in terms of accuracy.

Improving Information Security Performance: The Role of Management Support and Security Operation Center

The implementation of Information Technology (IT) in any aspects of business has change the landscape of business. Specifically, IT has made significant and major changes in banking industry, especially on the way people do business with bank. Beside as business enabler, IT now become a major tool for bank to win the competition. With the strategic role of IT in banking industry, there is a risk from security point of view. The new sophisticated and advanced kind of attack drive to higher impact for banks. Beside direct loss caused by successful attack, there is also loss caused by image damage and sanction from regulatory. With many initiatives can be done to improve Information Security condition, banking need to prioritize the initiative that has most significant impact. Management support on information security is cited by many literatures as basic requirement for improving Information Security condition. Security Operation Center also proposed as initiatives to enhance the capability of detection and response to attack. This research tries to empirically find out the impact of Management Support to information security performance and the role of Security Operation Center on mediating both variables. Data are gathered from banks in Indonesia using survey methodology through questionnaire answered by qualified respondents. The sample design used is a probability sample with disproportionate stratified random sampling and analyzed using Structural Equation Modeling - Partial Least Square. This paper shows that management support has significant impact on improving Information Security condition in banking industry. It also concludes that SOC has complimentary mediation of relationship between management support and information security performance. Practically, result of this research can be foundation for company that wants to focus on factors that significantly impact security performance, while theoretically confirmed previous studies on the role of management support.

The enhanced security control model for critical infrastructures with the blocking prioritization process to cyber threats in power system

There have been a lot of efforts and studies to improve the safety of critical infrastructures. As one of efforts, there have been numerous constructions of security operation center (SOC) to protect against cyber-attacks. Unfortunately, it is too difficult to protect from cyber-attacks, because there are too many security events to analyse and respond. Reducing security events are very essential to improve the efficiency of incidents response. In this paper, we studied four years cyber threats against a Korean electric power organization by analysing IPS and FW raw data. As a result of this analysis, we found that 95% of all cyber-attacks were from foreign nations. If an IT system is not related with foreign business, we should think about blocking unnecessary foreign IP ranges. So, we propose the Enhanced Security Control (ESC) model with Blocking Prioritization (BP) process for critical infrastructures to improve daily incidents response activities. This ESC model has a BP process with six factors to consider when deciding which IT systems to be blocked from foreign IP ranges: foreign relation, real login, blocking complexity, stop tolerance, outer relation and stop impact. By considering these six factors, the ESC model can make it possible to prioritize Blocking Impact Degree (BID) of IT systems and help making decision to block from unnecessary foreign IP ranges. This ESC model will reduce security events and make a better condition for concentration on the remaining unblocked and crucial IT systems.

A method for software trusted update on network security equipment

Network security equipment plays an important role in preventing network security attacks. However, with the change of network environment and the upgrade of network attack means, the protection ability of the security software on the existing network security equipment will gradually decrease with time. For some large organizations or enterprises, their information security operations centers lack attention to software version control and software update processes for network security equipment, resulting in some security crises in the software update process. In this paper, we propose a method for software trusted update on network security equipment. This method can provide trusted identify authentication, secure data transmission and effective software version control. It enables the network security operations centers to more safely manage software update process on network security equipment. This method uses the functions of Trusted Cryptography Module to provide trusted execution environment. In this paper, we had introduced the process design, the prototype design and theoretical analysis to explain the feasibility and safety of this method.

A Two-Step Approach to Optimal Selection of Alerts for Investigation in a CSOC

A Cyber Security Operations Center (CSOC) is responsible for investigating all the alerts generated from the intrusion detection systems to identify suspicious activities in a timely manner. There exists a critical gap between the time needed (demand) and the time available (limited analyst resource) for alert investigation at a CSOC. Hence, alert prioritization is important, for which CSOCs employ ad-hoc filtering methods to prune and triage the alerts that are presented to the analysts for investigation. One of the major drawbacks of the ad-hoc methods is that they do not comprehensively take into consideration the organization-specific factors such as mission and asset criticality, CSOC resource availability, demand variations, and the desired CSOC performance metrics. Hence, an ad-hoc triaging (or prioritization) method is insufficient, and an intelligent method for optimal selection of alerts that considers the above-mentioned organization-specific factors must be developed, which is described as a two-step process in this paper. First, a composite risk score of each alert is determined using a quantitative value function hierarchy process, which takes into account several organization-specific factors. Second, an optimization model selects a list of alerts for investigation that optimizes the CSOC performance metrics for a given demand subject to its resource constraints. Experimental results show that the alerts that pertain to mission criticalities are handled in a timelier manner as compared to current practices at the CSOCs. The average persistence time of an alert in the CSOC system is also shown to significantly reduce with this new approach, which is a paradigm shift in providing a stronger cyber-defense system by protecting the critical constituents of an organization.

Cyber Security Skill Set Analysis for Common Curricula Development

The field of cyber security is getting diversified day by day, with new specialist responsibilities and roles at different levels of competence being required by the industry. The competencies can be mapped with required skills set in multiple cyber security certification programs. However, different certification programs use different curricula and terminology, which makes the offerings overlap in some aspect and be distinct in others. This makes it hard for new institutes and cyber ranges to decide upon their training offerings. The aim of this study is to identify commonalities in skill set requirement for multiple cyber security roles like penetration tester, security operation center analysts, digital forensic and incident responders and information security managers. The identified commonalities will be used for development of a standard common curricula to set skill set requirement for the achievement of specific competence levels in a specific cyber security field.

Security Operations Center - Prerequisite and Requirements

Security Operations Center - Prerequisite and Requirements

Monitoring and Improving Managed Security Services inside a Security Operation Center

Nowadays, small to medium sized companies, which usually cannot afford hiring dedicated security experts, are interested in benefiting from Managed Security Services (MSS) provided by third party Security Operation Centers (SOC) to tackle network-wide threats. Accordingly, the performance of the SOC is becoming more and more important to the service providers in order to optimize their resources and compete in the global market. Security specialists in a SOC, called analysts, have an important role to analyze suspicious machine-generated alerts to see whether they are real attacks. How to monitor and improve the performance of analysts inside a SOC is a critical issue that most service providers need to address. In this paper, by observing workflows of a real-world SOC, a tool consisting of three different modules is designed for monitoring analysts' activities, analysis performance measurement, and performing simulation scenarios. The tool empowers managers to evaluate the SOC's performance which helps them to conform to Service-Level Agreement (SLA) regarding required response time to security incidents, and see the need for improvement. Moreover, the designed tool is strengthened by a background service module to provide feedback about anomalies or informative issues for security analysts in the SOC. Three case studies have been conducted based on real data collected from the operational SOC, and simulation results have demonstrated the effectiveness of the different modules of the designed tool in improving the SOC performance.