Monday, September 24, 2012

Differences between Corporate and MSSP Security Operations Centers

There are two types of Security Operations Centers (SOCs): the one of an MSSP (Managed Security Service Provider) and the corporate one.

The two are often confused because both provide security services, but they are very different.

Primary scope
Corporate: it exists because of compliance regulations and because of other internal needs of the company.
MSSP: it exists to provide services to customers and to increase revenue.

How are they seen by the company?
Corporate: it's seen as a cost. Usually the company will try to save as much money on it as possible.
MSSP: it's seen as a structure that makes money. The company invests in it and HAS to invest in it.

Services
Corporate: it provides services that usually need strong interaction with other business units. For example, it usually provides incident handling / forensic analysis and "abuse" services.
MSSP: it usually provides services that are completely remotely managed. The MSSP will also very often answer RFPs (requests for proposal) and similar, something that the corporate one obviously never does.

People
Corporate: it's usually formed by fewer people, but they are usually full-time, permanent employees. This is because of the sensitive data they will have to manage.
MSSP: the number of people will change with the market; most of them will be temporary employees or freelancers / consultants.

Stress
Corporate: in security there is always a higher level of stress compared to other IT departments, but the fact that you don't have to deal with customers lowers the level in the corporate one.
MSSP: high levels of stress. Managing the security of many customers such as banks, financial institutions and other critical ones, with SLAs and so on, can be really stressful.

Knowledge sharing
Corporate: the corporate SOC will only gain benefits from sharing strategies with other companies (a good example of cooperation between telcos and SOCs is ETIS).
MSSP: strategies, new offers, customers and knowledge, for obvious reasons, must not be shared.

Visits
Corporate: not usually visited by anyone except people from other BUs (business units) of the same company and sometimes vendors.
MSSP: frequently visited by customers and vendors. Customer visits will be organized by KAMs (Key Account Managers), while vendors will come very often to try to sell their solutions as a service for the market.

Friday, September 14, 2012

Facilities of a Security Operations Center

One important element of a SOC is the workplace and, in general, the facilities. Let's look at them.

Open Space
The ideal workplace for a SOC is an open space. There should be no walls between analysts: they need to analyze the events all together and discuss without boundaries.

Restricted access
Access to the open space should be protected, and only authorized people should be allowed to enter the room. Pay attention to the raised floor and the false ceiling: it should not be possible to easily exploit them to bypass the access restrictions.

The desk
One phone (with headset) and 2 computers: one connected to the internet, the other connected to the SOC management network. The desks should be positioned in a "half moon", since every analyst should be able to clearly see the videowall.

Videowall
Every SOC has a videowall. I would suggest composing it of LCD panels rather than lamp-based projection displays. Lamps are cheaper at the beginning but have huge maintenance costs.

The network
The SOC management network should be segregated from the rest of the company network by a firewall (and an IPS).

An example of how a SOC should look is here.

Friday, September 7, 2012

The Security Services a SOC should provide

This is a list of the basic services a SOC should provide.
Keep in mind that when we talk about SOCs there are two categories: the corporate one and the MSSP one.

Security Device Management
This is the primary and most basic service of a SOC, and it's where a SOC usually starts from.
SDM is the management of security devices such as firewalls, Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS), proxies, web application firewalls, etc.
The types of managed devices should change depending on what the market requests.

Distributed Denial of Service Mitigation
This service is the mitigation of Distributed Denial of Service (DDoS) attacks. It's usually provided to customers like banks, governments and any customer that derives large profits from its internet services.

Event & Log Management / Collection
This service is more about compliance than security: it's the collection, storage and archiving of logs.

Incident handling
The management of security incidents (security breaches, malware, misuse, etc.). It could include the complete management of the incident (usually in the corporate SOC) or just the warning.

Security professional services
Among the professional services that could be provided: vulnerability assessment, penetration tests, web application assessment, source code review, etc.

Abuse desk
Management of the "abuse@" mailbox. The abuse mailbox is used to receive any warning or report of abuse originating from the IP range assigned to a customer/provider.

Early Warning
This service works as a warning about new vulnerabilities and emerging threats.

I suggest you read the following pages on Wikipedia:

Managed Security Services
Security Operation Center (English)
Security Operation Center (more detailed but in Italian; actually I was the author of the first version of this page)