From personnel files and student grades to accounts receivable data and cutting-edge research, the US based Virginia Tech University maintains enormous amounts of sensitive information. So it is no wonder that its networks are probed hundreds of thousands of times every day.
Adequately protecting such a complex campus network infrastructure, made up of more 30,000 computing and communication systems across 125 buildings, requires a host of layered defenses, says Randy Marchany, the university's information security officer, who leads a team of four full-time security analysts in addition to several graduate students.
Marchany and his group have been collecting security-related information from various sources – such as operating system logs, intrusion detection and prevention systems, firewalls and vulnerability scanners – for a number of years. But with such vast amounts of security data being regularly generated and stored on separate, distributed servers, it became difficult to see the big picture, he says.
So, about two years ago, the team embarked on a project to build a cyber security operations centre (SOC) to collect, correlate and analyse the data and leverage it to more quickly respond to threats.
Countless organisations have built SOCs for similar reasons. These centres serve to pull together threat and log data from sources, and centralize security monitoring, analysis and response functions within a single unit. In addition, these centers usually provide around-the-clock monitoring and risk management to detect and protect against attacks.
These days, the most state-of-the-art SOCs look like something right out of the movies, says Chris Triolo, vice president of enterprise solutions at HP ArcSight, which offers SOC consulting services.
Picture a hardened facility, he says, where an overhead grid of large, flat-screen displays depict real-time attack traffic. Rows of security analysts, each sitting behind multiple computer monitors, watch for trends and anomalies. Other, less elaborate SOCs, meanwhile, may be housed inside a small 10-by-10 room and staff just two employees.
While each SOC is unique, its main functions often include security event generation, collection, storage, analysis and reaction, according to “Security Operation Center Concepts and Implementation,” a paper written by French computer and network security expert Renaud Bidou, which the Virginia Tech team used as a blueprint.
Virginia Tech's IT security department did not have a large budget with which to work – about $10,000. Any commercial solution for an environment of their size would have cost roughly 10 times that amount, says Marchany.
As an alternative, members of the team used various free, open-source network security tools to combine threat and log data across the campus.
Now, within the IT security office and lab, a SOC console depicts real-time inbound and outbound attacks and provides the information necessary to assess and respond to threats. As part of the initiative, the team also created a centralized portal that allows system administrators across the university to access the threat information applicable to their department.
“My philosophy is that all security is local, and the more information that we can provide to the administrators closest to the problem, the quicker they are able to fix it and address any potential issue,” Marchany says.
While SOCs are prevalent today, the concept actually traces back to the internet's beginnings, says Sam Curry, chief technology officer for global marketing at security firm RSA. During the 1990s, the defense industry created so-called Electronic Warfare Operations Centers to address threats, such as radio-signal jamming. These centres later evolved to manage the threats introduced by newly deployed networks. Hence, the first modern SOCs were born.
By the late 90s, large, cutting-edge organisations caught wind of the concept and began developing their own SOCs. The model gained widespread support among enterprise IT teams in the early 2000s, driven by an increase in online risks and information regulations.
Countering the most advanced threats – such as those using zero-day malware to perpetrate stealthy and often undetectable attacks against a target with the goal of siphoning off valuable information – will likely require organisations to evolve their SOCs in the future, according to experts at RSA, which introduced the concept of an “intelligent” SOC in a paper released in February. (RSA itself was the victim of an advanced persistent threat attack.) As part of this transition, organisations may need to develop new models for mapping risks, attack vectors and threats, the paper said.
The intelligent SOCs of the future may rely on what are now just experimental technologies and theoretical approaches, such as self-learning solutions that continuously monitor an environment to quickly spot anomalies in behaviour, researchers say. The most advanced centres may even go a step further, leveraging theoretical, risk-based decision systems to detect unusual conditions and take action on their own to investigate and ultimately mitigate the threat.
While security practitioners wait for these advanced technologies to be developed, there are some key principles of intelligent SOCs that can be adopted today and don't require the purchase of costly equipment, only a change in focus and behavior.
It is impossible to respond to every threat, so understanding which organisational assets are most valuable and where they reside is important, RSA's Curry says. By adopting an information-centric approach to risk planning, security teams can selectively mitigate attacks, focusing on protecting what is most important, instead of trying to patch each vulnerability and respond to every attack.
“I sit through presentations from companies and they say, ‘We have 3400 machines that feed into the SOC,' and I say, ‘So? How much information are you protecting and how many critical systems do you have?'” Curry says.
Security pros should also begin dedicating some time to attack-modeling activities to determine potential threat vectors and examine defensive steps to quickly isolate them. By modeling potential attacks, practitioners can be ready with a plan.
Outsourcing the work to managed security services providers is another option, Triolo of HP ArcSight says.
The alternative: Managed services
Due to the typically high cost and the level of security expertise needed to create and run a SOC, many organisations choose to simply outsource their security monitoring and response functions, instead of building out such capabilities in-house. Managed security services providers (MSSPs), most of which typically maintain their own high-tech SOCs, can offer the benefit of 24/7 protection, in-depth information security expertise and the ability to spot attack patterns across multiple customers, says Chris Triolo, vice president of enterprise solutions at HP ArcSight. These services also can be especially helpful for companies without a dedicated IT security staff.
MSSPs do not, however, have the deep knowledge of a customers' policies, procedures or IT environment that a dedicated IT security staff would. Also, when outsourcing monitoring and response functions, an organisation's security-related data must be transmitted to and stored by their service provider.
For some organisations, outsourcing is not an option due to the confidentiality of their operations and the drawbacks of the managed service model.