Monday, September 24, 2012

Differences between Corporate and MSSP Security Operations Centers

There are two types of Security Operations Center: the one run by an MSSP (Managed Security Service Provider) and the corporate one.

The two are often confused because both provide security services, but they are very different.

Primary scope
Corporate: it exists to satisfy compliance regulations and internal corporate needs.
MSSP: it exists to provide services to customers and to increase revenue.

How are they seen by the company?
Corporate: it's seen as a cost. The company will usually try to spend as little on it as possible.
MSSP: it's seen as a structure that makes money. The company invests in it, and HAS to invest in it.

Services
Corporate: it provides services that usually need strong interaction with other business units; typical examples are incident handling / forensic analysis and "abuse" services.
MSSP: it usually provides services that are completely remotely managed. The MSSP will also very often answer RFPs (Requests For Proposal) and similar, something the corporate SOC obviously never does.

People
Corporate: it's usually made up of fewer people, but they are usually full-time, permanent employees, because of the sensitive data they have to handle.
MSSP: headcount changes with the market; most of the people will be temporary employees or freelance consultants.

Stress
Corporate: in security there is always a higher level of stress than in other IT departments, but not having to deal with customers lowers it in the corporate SOC.
MSSP: high levels of stress. Managing the security of many customers such as banks, financial institutions and other critical ones, under SLAs, can be really stressful.

Knowledge sharing
Corporate: the corporate SOC only gains from sharing strategies with other companies (a good example of cooperation between telcos and SOCs is ETIS).
MSSP: strategies, new offers, customers and knowledge, for obvious reasons, must not be shared.

Visits
Corporate: not usually visited by anyone except people from other BUs (business units) of the same company and sometimes vendors.
MSSP: frequently visited by customers and vendors. Customer visits are organized by KAMs (Key Account Managers), while vendors come very often to try to sell their solutions as a service for the market.

Friday, September 14, 2012

Facilities of a Security Operations Center

One important element of a SOC is the workplace and, more generally, the facilities. Let's look at them.

Open Space
The ideal workplace for a SOC is an open space: there should be no walls between analysts. They need to analyze events together and discuss without barriers.

Restricted access
Access to the open space should be controlled, and only authorized people should be allowed into the room. Pay attention to the raised floor and the false ceiling: it should not be possible to crawl through them to bypass the access control.

The desk
One phone (with headset) and two computers: one connected to the internet, the other connected to the SOC management network. The desks should be arranged in a half moon, so that every analyst can clearly see the video wall.

Videowall
Every SOC has a video wall. I would suggest building it from LCD panels rather than lamp-based projectors: lamps are cheaper up front but have huge maintenance costs.

The network
The SOC management network should be segregated from the rest of the company network by a firewall (and IPS). Only the SOC analysts' management workstations should be able to reach the managed devices, and the only traffic allowed in from the company network should be the logs the managed devices send to the collector.
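As an added example (not a ruleset from the original post or from the author's SOC), here is what that firewall can look like as an nftables ruleset on a Linux box that forwards between the two networks. The same requirement appears again under "Facilities" in the startup-project post below, and this example covers both. Interface names, addresses, the log collector at 10.10.0.10 and the list of managed devices are all assumptions; the inline IPS mentioned above would sit on the same choke point but is not configured here.

```nft
# Added example, not from the original post. Assumptions: corp0 faces the
# company network (10.0.0.0/16), mgmt0 faces the SOC management network
# (10.10.0.0/24), the log collector / SIEM is 10.10.0.10 and the managed
# security devices live in the company network at the addresses in the set.
# This box is a dedicated SOC firewall, so the whole ruleset is replaced.
flush ruleset

table inet soc_mgmt {
    # Security devices the SOC administers (constructed example addresses)
    set managed_devices {
        type ipv4_addr
        elements = { 10.0.1.1, 10.0.1.2, 10.0.2.10 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that were allowed below, in both directions
        ct state established,related accept
        ct state invalid drop

        # Analysts' management workstations may administer managed devices
        # over SSH and HTTPS, and nothing else in the company network
        iifname "mgmt0" oifname "corp0" ip saddr 10.10.0.0/24 ip daddr @managed_devices tcp dport { 22, 443 } ct state new accept

        # Managed devices may only push logs to the collector: syslog on
        # UDP 514 and syslog over TLS on TCP 6514. No other company host
        # may initiate anything into the management network.
        iifname "corp0" oifname "mgmt0" ip saddr @managed_devices ip daddr 10.10.0.10 udp dport 514 accept
        iifname "corp0" oifname "mgmt0" ip saddr @managed_devices ip daddr 10.10.0.10 tcp dport 6514 ct state new accept

        # The management network has no path to the internet: analysts use
        # the separate internet-connected desk PC for that
        iifname "mgmt0" oifname != "corp0" log prefix "soc_mgmt egress: " drop

        # Everything else is logged, then dropped by the chain policy
        log prefix "soc_mgmt drop: " drop
    }
}
```

Check the syntax with `nft -c -f soc_mgmt.nft` before loading it with `nft -f soc_mgmt.nft`. The two logged drop rules are what the SOC itself should watch: any hit from the company network toward the management network that is not log traffic is either a misconfiguration or someone probing the SOC.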

An example of what a SOC should look like is here.

Friday, September 7, 2012

The Security Services a SOC should provide

This is a list of the basic services a SOC should provide.
Keep in mind that when we talk about SOCs there are two categories: the corporate one and the MSSP one.

Security Device Management
This is the primary and most basic service of a SOC, and it's where a SOC usually starts from.
SDM is the management of security devices such as firewalls, Intrusion Detection / Intrusion Prevention Systems (IDS/IPS), proxies, web application firewalls, etc.
The types of managed devices should change depending on what the market requests.

Distributed Denial of Service Mitigation
This service is the mitigation of Distributed Denial of Service attacks. It's usually provided to customers such as banks, governments and any customer whose profits depend heavily on its internet services.

Event & Log Management / Collection
This service is more about compliance than security: it is the collection, storage and archiving of logs.

Incident handling
The management of security incidents (breaches, malware, misuse, etc.). It can include the complete handling of the incident (usual in a corporate SOC) or just the notification.

Security professional services
Among the professional services that could be provided: vulnerability assessment, penetration testing, web application assessment, source code review, etc.

Abuse desk
Management of the "abuse@" mailbox. The abuse mailbox receives any warning or report of abuse originating from the IP ranges assigned to a customer/provider, so the first job of the desk is to work out which customer holds the reported IP and open the ticket with them.
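The routing step described above, as an added example that is not code from the original post: reports are matched against the table of IP ranges assigned to each customer with a longest-prefix match, and reports about addresses outside every assigned range (or with an unparsable address) go to a catch-all queue instead of being dropped. The customer names, ranges and sample reports are constructed; a real desk would read the ranges from its IPAM or RIR database and the reports from the mailbox.

```python
"""Route abuse reports to the customer that holds the reported IP.

Added example, not from the original post. Assumptions: the SOC keeps a
table of IP ranges per customer; each report carries a source IP, a
timestamp string, a category and a reporter address (as ARF-style reports
do); reports outside all assigned ranges go to a catch-all queue.
"""
import ipaddress
from dataclasses import dataclass

# Constructed allocation table: customer -> assigned ranges.
ASSIGNMENTS = {
    "bank-a": ["203.0.113.0/24"],
    "retail-b": ["198.51.100.0/25", "2001:db8:10::/48"],
    "retail-b-dmz": ["198.51.100.64/26"],   # more specific than retail-b
}


@dataclass(frozen=True)
class AbuseReport:
    source_ip: str
    reported_at: str     # ISO 8601, as written by the reporter
    category: str        # e.g. "spam", "scan", "malware"
    reporter: str


# Constructed sample reports, including one outside our space and one
# with a malformed address.
SAMPLE_REPORTS = [
    AbuseReport("198.51.100.70", "2012-09-07T08:12:00Z", "scan", "noc@example.net"),
    AbuseReport("198.51.100.5", "2012-09-07T08:15:00Z", "spam", "postmaster@example.org"),
    AbuseReport("2001:db8:10::5", "2012-09-07T09:01:00Z", "malware", "csirt@example.com"),
    AbuseReport("192.0.2.1", "2012-09-07T09:30:00Z", "scan", "noc@example.net"),
    AbuseReport("not-an-ip", "2012-09-07T09:31:00Z", "spam", "someone@example.org"),
]


def build_index(assignments):
    """Return (network, customer) pairs sorted most-specific first."""
    index = []
    for customer, ranges in assignments.items():
        for cidr in ranges:
            index.append((ipaddress.ip_network(cidr, strict=True), customer))
    index.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return index


INDEX = build_index(ASSIGNMENTS)


def find_customer(ip_text, index):
    """Longest-prefix match; None if the IP is malformed or not assigned."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    for net, customer in index:
        if ip.version == net.version and ip in net:
            return customer
    return None


def route_report(report, index):
    """Return (queue, ticket summary) for one report."""
    customer = find_customer(report.source_ip, index)
    summary = f"{report.category} from {report.source_ip} reported by {report.reporter} at {report.reported_at}"
    if customer is None:
        # Not our IP space (or garbage): keep it for a human, no customer ticket.
        return "abuse-unassigned", summary + " (not in any assigned range)"
    return f"abuse-{customer}", summary


def triage(reports, index):
    """Group a batch of reports by destination queue."""
    queues = {}
    for report in reports:
        queue, summary = route_report(report, index)
        queues.setdefault(queue, []).append(summary)
    return queues


if __name__ == "__main__":
    for queue, summaries in triage(SAMPLE_REPORTS, INDEX).items():
        print(queue)
        for line in summaries:
            print("  ", line)
```

Sorting the index by prefix length is what makes the DMZ sub-range win over the customer's wider block; without it the report for 198.51.100.70 would be ticketed against the wrong queue.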

Early Warning
This service acts as an early warning for new vulnerabilities and emerging threats: new advisories are matched against the devices the SOC manages, and the affected customers are warned before the fix is rolled out.
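As an added example, not code from the original post, here is the matching step for an early-warning service: each new advisory is compared against the SDM inventory (vendor, product and firmware version of every managed device) and a warning list is produced per customer. The vendors, products, versions and advisory identifiers are constructed and are not real products or CVEs; a real service would take the inventory from the SOC's management tool and the advisories from the vendor or CERT feeds.

```python
"""Early warning: match advisories against the managed-device inventory.

Added example, not from the original post. Assumptions: the SDM inventory
records vendor, product and version per managed device; each advisory names
vendor, product and the first fixed version (anything older is affected).
All names, versions and advisory identifiers below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    customer: str
    hostname: str
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed identifier, not a real CVE
    vendor: str
    product: str
    fixed_in: str         # versions lower than this are affected
    severity: str


# Constructed inventory: what the SOC manages for two customers.
INVENTORY = [
    Device("bank-a", "fw-bank-a-1", "ExampleVendor", "EdgeFW", "5.2.3"),
    Device("bank-a", "ips-bank-a-1", "ExampleVendor", "NetIPS", "2.0.1"),
    Device("retail-b", "fw-retail-b-1", "ExampleVendor", "EdgeFW", "5.4.0"),
    Device("retail-b", "proxy-retail-b", "OtherVendor", "WebProxy", "9.1"),
]

# Constructed advisories as they might arrive from a vendor feed.
ADVISORIES = [
    Advisory("ADV-2012-001", "ExampleVendor", "EdgeFW", "5.3.0", "high"),
    Advisory("ADV-2012-002", "OtherVendor", "WebProxy", "9.10", "medium"),
]


def version_key(version):
    """Turn '5.2.10' into ((5,''),(2,''),(10,'')) so versions compare numerically,
    not as strings ('9.10' is newer than '9.1'). A non-numeric suffix such as
    '5.2.10b' sorts after the plain release."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append((int(digits) if digits else 0, piece[len(digits):]))
    return tuple(parts)


def is_affected(device, advisory):
    """A device is affected if product matches and it runs an older version."""
    return (device.vendor.lower() == advisory.vendor.lower()
            and device.product.lower() == advisory.product.lower()
            and version_key(device.version) < version_key(advisory.fixed_in))


def early_warnings(inventory, advisories):
    """Return {customer: [(advisory_id, severity, hostname, version), ...]}."""
    warnings = {}
    for adv in advisories:
        for dev in inventory:
            if is_affected(dev, adv):
                warnings.setdefault(dev.customer, []).append(
                    (adv.advisory_id, adv.severity, dev.hostname, dev.version))
    return warnings


if __name__ == "__main__":
    for customer, items in early_warnings(INVENTORY, ADVISORIES).items():
        print(customer)
        for advisory_id, severity, hostname, version in items:
            print(f"  {advisory_id} [{severity}] {hostname} running {version}")
```

The version comparison is the part that goes wrong most often in home-grown early-warning scripts: compared as strings, "9.1" is greater than "9.10" and the proxy above would silently never be flagged.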

I suggest you read the following Wikipedia pages:

Managed Security Services
Security Operation Center (English)
Security Operation Center (more detailed but in Italian; actually I was the author of the first version of that page)

Friday, August 31, 2012

Useful certifications for SOC people


In my opinion, the most important certifications for a SOC analyst are the vendor-specific ones.
But of course there are other certifications that could be useful in a SOC environment. This is a short list (prices included where available).

Technical certifications

This first group of certifications is more useful for analysts and technical people.

CEH (Certified Ethical Hacker). Course + exam: $2,895.
GCIH (GIAC Certified Incident Handler). Course + exam: $3,500.
OSCP (Offensive Security Certified Professional). Course + exam: $4,000.
ISECOM OPST (OSSTMM Professional Security Tester). I could not find any info regarding the price.
ISECOM OPSA (OSSTMM Professional Security Analyst). I could not find any info regarding the price.

Less-technical (but still useful!) certifications

This second group of certifications is more useful for analyst coordinators or SOC managers.

CISM (Certified Information Security Manager). Exam cost: €500. Course cost: ~€800 (in Italy).
CISSP (Certified Information Systems Security Professional). Exam cost: ~€500.
ISO 27001 Lead Auditor. Exam + course cost: ~€1,800.
PMP (Project Management Professional). Exam cost: €340 for PMI members ($129 needed to become a PMI member) or €465 for non-members. Course cost: ~€3,000.
ITIL v3 Foundation. Exam cost: ~€150.
CISA (Certified Information Systems Auditor). Exam cost: €500. Course cost: ~€800.

Friday, August 24, 2012

Start up project of a Security Operations Center for a MSSP

In this first post I will describe the typical startup project of a Security Operations Center (SOC) for a Managed Security Service Provider (MSSP).
It could probably also be useful for the startup of any market-oriented technical structure.
Please feel free to send me suggestions to improve it.


Start up project of a Security Operations Center for a Managed Security Service Provider


Phase 1 - Predesign



  • Certifications useful for the design
Some certifications can be very useful during the design phase: they will save you a lot of time and money and help you avoid the most common mistakes. Some examples: ITIL, ISO 27001, PMP, etc.
In general, never forget that "we are following a well-known best practice" is the best answer to the question "why are you doing it this way?".

  • Security services market analysis
You are market driven. Never forget this. You have to implement the services the market requires. You are not a scientist or a researcher; you are working for the market. A good example of market analysis (easy to find on the web) is the Gartner Magic Quadrant.

  • Interview people involved into the market
To better understand the state of Managed Security Services in your country, try to interview as many people involved in the market as you can: read specific LinkedIn groups, phone friends, talk to the well-known market players.

  • Build up the design team
Build up the design team. The members should come from both inside and outside the organization. If you have the chance, involve marketing, pre-sales and NOC people. Marketing and pre-sales will help you push sales, while NOC people can help you solve known issues and navigate the organization's bureaucracy. The more (but not too many) people you involve in the design, the more they will push the project inside the organization and to the market.

  • Visit other Security Operations Centers
If possible, visit other SOCs and try to understand how they work (or how they should work).


  • Study competitors
Try to understand which services they manage and which they do not, and why; their gaps, deficiencies and possible improvements; their prices and their offering models.


  • Budget
Understand how many resources you will have, what kind of technologies you will be able to implement (a SIEM, for example, is very expensive) and whether you will be able to acquire the know-how.

  • Timing
The organization will give you a goal in terms of timing. In the best case you will be able to negotiate it; in the worst case it will be fixed. Will you have enough time to start up the SOC and implement the services?


Phase 2 - Design


  • Decide the services to implement
Decide which services to implement based on the market analysis, budget, timing, etc.

  • Design services
Finally, design how the services should work.

  • Technologies choice
You will need to choose which technologies you will manage and sell.
A good methodology: market analysis, a vendor short list, PoC (Proof of Concept), evaluation, choice.

  • Define KPI/KPO
For the governance of a SOC it's very important to define Key Performance Indicators and Key Performance Objectives.

  • Facilities
From the facilities point of view, you will need a room with restricted access, computers and phones (with headset) for your analysts, and a video wall (actually it's not really useful, but it's what customers really want to see). Last but not least, the SOC network should be segregated from the rest of the company network by a firewall (and IPS).

  • Sharing people between services
Try to figure out what savings you can make by sharing people between SOC services or with other structures (for example the NOC).


  • Plan a marketing strategy
Contact the marketing department (one member of your design team should be from marketing) and plan a marketing strategy.


Phase 3 - Implementation


  • Write down processes and procedures
Definitely involve the technical people in writing the technical procedures (if possible, let them write them; you will have to review them, of course), while processes should be written by people who already know the organization's internal processes and bureaucracy.

  • Acquire the know-how
To acquire the know-how you can hire people (consultants or employees) or take courses/certifications.

  • Implement the technologies
Implement the technologies you chose in the design phase.

  • Create a security culture in sales people
Make sales people aware of the new services: organize meetings, prepare easy-to-digest slide decks.

  • Implement a lab environment
You will need a test environment for new configurations, new technologies, PoCs, etc.

  • Start the marketing strategy
Start the marketing strategy.

  • Apply KPI/KPO
KPIs and KPOs should be applied to your everyday work.


Phase 4 - Improvement


  • Evaluate useful SOC certifications
Some certifications are required by RFPs (Requests For Proposal); for example, ISO 27001 certification is often required.

  • Evaluate useful SOC team certifications
Some will be required by RFPs, others will be useful during troubleshooting.
A short list of useful certifications, as an example: GIAC, CISM, Security+, vendor-specific ones, CCNA, CISSP, ITIL, etc.

  • Keep yourself and your team updated on security news
Read every day the most important sources of IT security / hacking news: Dark Reading, Twitter, LinkedIn groups and status updates, etc.

  • Let the market be aware of you
Organize meetings, take part in conferences, use LinkedIn, Twitter, a blog and any other instrument to make other people understand you are an important and aware player.

  • Let the management be aware of you
Never forget you are part of a bigger organization. Your management should always be aware of what you are doing and of your results. Organize periodic presentations.

  • Scouting of new security services required by the market
It's very important never to stop speaking with customers, reading market analyses, etc., to understand where the market is going and to anticipate customers' needs.

  • Periodical upgrade of technologies
At least every year you should check whether the technologies you are selling (UTM, proxy, IPS, etc.) and the ones you are using (management, ticketing, etc.) are still state of the art. If not, upgrade them.

  • KPI/KPO monitoring
Key Performance Indicators and Key Performance Objectives will be the thermometer of your work. If you choose the right KPIs/KPOs they will help you understand whether you are working well or not, whether you can do better, and whether you are working too much or could work more.

Monday, August 20, 2012

New work...and new blog!


As some of you may know, I have a new job.

Currently I am employed as a manager for an MSSP and telco, and I'm busy building up and running a SOC (Security Operations Center).

This is my 3rd experience in a SOC startup, and the reason for this blog is to try to write down some notes, so as not to forget the most important things and maybe help some of you.