Friday, September 14, 2012

Facilities of a Security Operations Center

One important element of a SOC is the workplace and, more generally, the facilities. Let's look at them.

Open Space
The ideal workplace for a SOC is an open space. There should be no walls between analysts: they need to analyze events together and discuss them without barriers.

Restricted access
Access to the open space should be controlled, and only authorized people should be allowed to enter the room. Pay attention to the raised floor and the false ceiling: it should not be possible to crawl through them to bypass the access controls.

The desk
One phone (with a headset) and two computers: one connected to the internet, the other connected to the SOC management network. The desks should be arranged in a half moon, so that every analyst has a clear view of the videowall.

Videowall
Every SOC has a videowall. I would suggest building it from LCD panels rather than lamp-based projection displays. Lamps are cheaper up front but have huge maintenance costs.

The network
The SOC management network should be segregated from the rest of the company network by a firewall (and an IPS). Traffic from the corporate network into the SOC management network should be denied by default, with explicit exceptions only for what the SOC needs to receive, such as log feeds to its collectors.
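As an added example (not from the original post), this is the kind of rule set that segregation implies, written for nftables. The address ranges, the log collector and the jump host are assumptions chosen for illustration. The weak ruleset is kept only for contrast: it puts a firewall between the two networks but accepts everything, which is no segregation at all. The hardened one makes the forward hook default-deny, lets return traffic through statefully, allows the corporate side to reach only the services the SOC deliberately exposes, and logs everything else aimed at the SOC network so that probing from inside becomes a SIEM event.

```shell
#!/bin/sh
# Added example: nftables forward policy for a firewall sitting between the
# corporate network and the SOC management network. All addresses below are
# assumed values for illustration, not taken from the original post.
SOC_MGMT_NET="10.50.0.0/24"      # SOC management network (SIEM, consoles)
CORP_NET="10.0.0.0/16"           # rest of the company network
LOG_COLLECTOR="10.50.0.20"       # syslog/SIEM collector inside the SOC
JUMP_HOST="10.50.0.10"           # only SOC host reachable for remote admin

# Weak version: a firewall is in place, but the forward chain accepts
# everything between the two networks. Shown only for contrast.
weak_ruleset() {
cat <<EOF
table inet soc {
  chain forward {
    type filter hook forward priority 0; policy accept;
  }
}
EOF
}

# Hardened version: default drop, stateful return traffic, corporate -> SOC
# limited to log shipping and SSH to the jump host, SOC -> corporate allowed
# so analysts can reach the assets they monitor, and every other attempt
# into the SOC network logged before being dropped.
soc_ruleset() {
cat <<EOF
table inet soc {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    ip saddr $CORP_NET ip daddr $LOG_COLLECTOR udp dport 514 accept
    ip saddr $CORP_NET ip daddr $LOG_COLLECTOR tcp dport 6514 accept
    ip saddr $CORP_NET ip daddr $JUMP_HOST tcp dport 22 accept
    ip saddr $SOC_MGMT_NET ip daddr $CORP_NET accept
    ip daddr $SOC_MGMT_NET log prefix "soc-mgmt-denied: " drop
  }
}
EOF
}

# Syntax-check the hardened ruleset with nft when it is installed
# (nft -c parses the file without loading it). Returns 0 when nft is
# absent, so the script can still generate the file for deployment elsewhere.
check_ruleset() {
  tmp=$(mktemp) || return 1
  soc_ruleset > "$tmp"
  rc=0
  if command -v nft >/dev/null 2>&1; then
    if ! nft -c -f "$tmp"; then rc=1; fi
  fi
  rm -f "$tmp"
  return "$rc"
}

# Review metric: how many rules accept traffic from the corporate network
# into the SOC network. The hardened ruleset should show only the explicit
# exceptions; the weak one shows none because it never names the networks.
count_corp_to_soc_accepts() {
  "$1" | grep -c "ip saddr $CORP_NET .* accept" || :
}

if [ "${1:-}" = "--print" ]; then
  soc_ruleset
fi
```

Run it with `--print` to emit the hardened ruleset, or source it and call `check_ruleset` before loading the file with `nft -f`. Only the forward chain is shown; the firewall's own input chain and the inline IPS are separate concerns. The log rule is the part analysts will actually use: a corporate host scanning the SOC management network shows up in the SIEM instead of disappearing into a silent drop.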

An example of what a SOC should look like is here.

7 comments:

  2. I suppose it should be a reasonable requirement to place computers in a higher position (i.e. behind or below the monitor) so that every plug is visible and clearly untampered. Is the two-computer setup for segregation purposes? I wonder how useful this kind of measure is going to be in the end in a SOC environment, and what the benefits are compared to a single-computer configuration with two NICs and two monitors. Also, while most SOC activities need teamwork in an open space, some of them are analytical and could need concentration and silence :-)
  3. Hi Franz, thank you for your suggestions!

    In my opinion, placing the computers in a higher position is absolutely reasonable as long as it respects the "clear desk" policy.

    As for the two-computer setup, I think it could be useful if you often browse the internet for analysis with one computer. The risk is, for example, being compromised by a trojan/keylogger or similar that could send out passwords, info, etc.

    Replies
    1. You are right, but besides the obvious security risk of a dual-NIC configuration, that will encourage massive use of USB devices to share documentation, scripts and files between the two computers. IMHO, strict segregation sometimes resolves a lot of problems but creates new needs to be fulfilled that could lead to even worse risks.
  4. In my opinion it would be more valuable to use zero/thin-clients rather than PCs.
    This is even more interesting when building from scratch because you usually don't have to cope with existing systems and the related migration to new infrastructure.
    Using thin clients allows big savings on maintenance fees, and you don't have to worry about hardware obsolescence.
    Moreover, you can easily share the thin clients between operators (usually they don't all work at the same time), reducing the number of desks needed, and also use another (or a spare) thin client as a backup in case of failure, restoring operations within seconds (!!) without needing to reinstall anything.

    You can even think of collapsing the phone and the thin/zero client into a single object on the desk.


    On another note, it's useful to have a place where analysts can share their data and the knowledge base. Typically you can use MS SharePoint (this way user profiling and provisioning is easier because it's tied to AD).
    Replies
    1. Thin clients are a good idea, but then someone has to manage them.
    2. There's the IT crowd for that... :-) as usual