Copyright © 2018, C2 Cyber Ltd C2 Cyber WP001 ver 1.0
15 August 2018
Security Operations Excellence

Cover figure: the eight segments of the Security Operations Excellence framework
• Mission & Desired Outcomes
• Capability Concept of Operations
• Phasing & Roadmap
• Target Operating Model & Organisational Design
• Processes & Skills
• Platform & External Services
• Operational Stability
• Continuous Improvement
“When everything is quiet, how do you know whether it is because you are safe, or if the team is looking in the wrong direction?”
Executive Summary

Security Operations Excellence: how to achieve efficiency, consistency and value in SecOps, making it the centre of cyber security and an enabler for digital transformation.

Cyber threats are here to stay. Business has transformed over the last few decades to benefit from digital technology, and the bad forces of the world that have always existed are simply responding with similar transformation. Bad people have not changed. They are still trying to achieve largely the same aims. They are just using a different set of tools to do it.

It is not sufficient to rely solely on preventing attacks, as the most determined hackers and malicious insiders will always be able to find a way around the defences. For this reason it is essential that an organisation also invests in capabilities to detect attacks, respond to them, and recover from the impact. This is where Security Operations fits in.

Security Operations (or SecOps) exists in an ambiguous world: it doesn’t know precisely what to look for, but recognises it must be vigilant nonetheless; when all is quiet, it doesn’t know whether this is because all is safe, or because it is looking in the wrong direction. By definition it is an operational challenge, which demands strong cohesion across the best of people, process and technology.

Because of this ambiguity, many organisations struggle to elevate SecOps from being a tactical function delivering limited value. This misses the opportunity to create a strategic capability that acts as an engine for responsive and aligned security. This has prompted C2 Cyber to develop Security Operations Excellence. It distils extensive experience both with in-house SOCs and outsourced Managed Security Services to create a comprehensive approach to SecOps. Security Operations Excellence enables organisations to achieve that strategic vision.

Security Operations Excellence is oriented around the desired outcome, and it is tailored according to the specific needs of the client. It doesn’t try to present a one-size-fits-all solution, because what is appropriate for a FTSE 100 global manufacturer is unlikely to be relevant to a mid-cap, regionally based services company.

This paper serves to introduce C2 Cyber Security Operations Excellence, and provides guidance on how to build the right foundations. Future papers will look at other elements of the model and the outcomes that they deliver.

C2 Cyber believes that cyber security should be understood by the business; have the consent and participation of the business; and support the business in achieving its objectives with security as an enabler. Security Operations is at the heart of this, and Security Operations Excellence provides a way of achieving it. It can deliver transformation and change, catalysing sound and informed decisions, and allowing the business to focus on executing its core strategy.
www.c2cyber.com WP001 Ver 1.0 15 Aug 2018
C2 Cyber SOE — Deliver efficiency, consistency and value in SecOps
C2 Cyber’s vision for Security Operations

No matter how strong an organisation’s defences are, they will never be able to stop all determined hackers or malicious insiders. This is why NIST [1] created a Cyber Security Framework (NIST CSF, https://www.nist.gov/cyberframework) that recognises that, in addition to Identify and Protect against threats, it is also necessary to Detect, Respond and Recover from attacks. This is the basis for Security Operations.

What can SecOps achieve?

Security Operations goes under many names and acronyms including SOC, CSIRT, CDC, CDOC, CDO and ASOC, to name a few. At C2 Cyber we prefer to use the simple term “Security Operations”, or SecOps for short. It is neither a point solution, nor a single stove-piped team. It is an outcome. It is the act of managing the security of information, systems and services while they are operational.

Figure 1 shows what SecOps can contribute across all aspects of the NIST CSF. Sadly, the actual result frequently fails to live up to this potential. This doesn’t just undermine security, but also forgoes most of the potential benefits that could be returned from what is usually a significant investment.

Figure 1: The outcomes that SecOps can deliver. The figure contrasts “the full potential” with “the common reality” across the five NIST CSF functions (Identify, Protect, Detect, Respond, Recover). Full potential: evidence strategy, inform on change; detect, prioritise, investigate, understand and plan; coordinate, measure, assess, and monitor for recurrence; assess and improve. Common reality: a technology-led focus on detection.

What is involved in delivering these outcomes?

We use the contextual model (figure 2) to describe what SecOps is trying to achieve, and the challenges involved. At its core it is about detecting security incidents, and then remediating them; this is the decision-action cycle of Predict-Detect-Decide-Act. Whilst simple in appearance, it requires a lot more to be effective.

Operations needs direction so that it can decide which incidents are critical to the business, and which can be left until resources become available. It needs to gain insight and learn from experience, improving the efficiency of its operations and building the body of knowledge. It also needs to provide this insight to the business, increasing the organisation’s understanding of changing risks and how to reduce them. The supporting tools need to remain continuously configured and aligned with the direction and knowledge.

Context is key

To be effective SecOps needs to understand and influence the business, threat and technology environments. The business environment will be shaped by strategy, objectives, activities, resources and priorities. The threat environment is determined by the motivations, methods, tactics and capabilities of the attackers. The technology environment defines the ground being defended; it is described by the characteristics of current and future systems, networks, assets and services that the business is employing, their vulnerabilities, and what they contribute to. These three contexts will all be subject to constant change and evolution.

“SecOps needs to understand context and be able to influence the environment”

Figure 2: SecOps Contextual Model (the SecOps cycle set within the Business, Threat and Technology environments).

[1] The National Institute of Science and Technology (NIST) is the agency of the US Department of Commerce that was established to promote innovation and industrial competitiveness. Its Cyber Security Framework is widely recognised as one of the standards used to manage cyber risk and security.
Scope can be broad, and demands cohesion

The SecOps capability framework (figure 3) that we use illustrates how broad the scope can be. Not all businesses will need all of the capabilities. Also, some may already exist elsewhere in the enterprise outside of the security function, and others may be outsourced to 3rd party service providers. But all should be considered, and some are essential. This requires a structured approach, conducted in a controlled and objective way, with investment justified by business need. This is why we have developed Security Operations Excellence, to help our clients achieve the best, regardless of the scale of their SecOps ambitions.

SecOps, like a medical operating theatre, requires a highly drilled team of capable people. Good technology is essential, but it should take a supporting role as opposed to a leading one. True success is achieved by the participants being expert in their own roles, and confident in the other systems, services and team members that they are depending on. This way they can concentrate more of their capacity on preventing harm impacting on their business, without having to work out who is meant to be doing what.
The Security Operations Excellence framework

Having seen at first hand the benefits of good implementations, as well as the challenges and mistakes that are frequently made, we have developed a unique framework for delivering and sustaining value in Security Operations. An illustration of it can be seen in Figure 4, with a brief description of each segment. Each is underpinned by proven approaches and processes.

It can be employed irrespective of whether capability will be built in-house, outsourced, or delivered as a hybrid of the two.

SOE is effective across all scales of ambition

It can be tailored to any type of SecOps business need. It is relevant for a medium-sized business implementing security monitoring for the first time, perhaps as a result of EU GDPR and other regulations, that wants to maximise the benefits returned. It is similarly suited to a global FTSE 25 looking to transform existing capabilities. It can also be applied effectively to a Managed Security Services Provider (MSSP) that wants to differentiate market offerings, maximise value to customers, and minimise delivery cost.

Our Security Operations Excellence (SOE) framework is built on extensive experience building, reviewing and optimising SecOps functions across a broad range of clients. Over the last ten years many different approaches have been taken; some have worked, and some have led to confusion, frustration and disappointment. This expertise is enhanced by the lessons of the past, running a Managed Security Services business for several years. The aim of Security Operations Excellence is to enable our clients to benefit from experience and good practice, and avoid the mistakes that others have made in the past.

Different clients will need to focus in different areas of the framework depending on their circumstances, maturity and aspirations. There are also interdependencies between different segments. When combined with other tools such as our capability framework, it brings structure and discipline, ensuring the outcome delivers value from the outset, and sustains it in operations.

The remainder of this document focuses on how the framework can be applied to get the foundations right, what it delivers, and how it can help to reduce risk and maximise benefits.

Security Operations offers significant value that can be delivered; we believe it is worth applying a bit of structure and rigour, and a good dose of pragmatism, to make sure this happens.

“Security Operations Excellence enables our clients to benefit from experience and good practice, and to avoid the mistakes that others have made in the past”

Figure 3: SecOps Capability Framework. The capabilities shown are: Content Engineering; Threat Intelligence; Post Incident Review; Alert Detection; Incident Management; Trend Analysis; Technology Environment Change; Technology Environment Configuration; Alert Triage; Incident Investigation; Forensics Investigation; Vulnerability Assessment; Penetration Testing & Red Teaming; Vulnerability Remediation; Malware Analysis; Business Context; Sentiment Analysis; Corporate Crisis Management; Attack Hunting; Incident Response; Platform Engineering & Support; Insider Vulnerability & Threat; Risk Management; Reporting; Future SecOps Plans & Change.

Figure 4: C2 Cyber’s Security Operations Excellence Framework. The figure shows the eight segments with a brief description of each. The descriptions recovered from the figure read as follows (the segment each belongs to is given where the wording makes it clear):
• Mission & Desired Outcomes: Articulate what we are trying to achieve. Agree the business outcomes and objectives. Define the scope at outset and medium term aspirations. Explore scenarios for evolution in the long term. Develop the business case for investment.
• Capability Concept of Operations: Identify capabilities required to achieve the mission and outcomes. Establish how capabilities work together, and what external functions they interact with. Select capability sourcing model (in-house, outsourced, co-sourced, hybrid). Define V1 scope.
• Phasing & Roadmap: Establish programme of work across people, process, technology, governance, infrastructure etc. Develop roadmap to evolve future versions over time. Identify capability milestones and method of validation.
• Target Operating Model & Organisational Design: Define operating model and how it interfaces with other parts of the security, IT and business enterprise. Develop organisational design. Establish resource model with parameters to predict scale. Define how outsourced services will be consumed.
• Processes & Skills: Define and implement core and contingent processes. Define roles and recruit. Establish training requirements and programmes. Evolve processes and skills with maturity and platform evolution. Establish career paths.
• Platform & External Services: Determine functional and non-functional requirements for enabling technology and procured services. Conduct vendor selection. Design and implement technical and service architectures. Manage evolution through life.
• Operational Stability: Identify and mitigate operational risks related to consistency and cohesion. Optimise ways of working and enabling technology.
• Continuous Improvement: Develop plan for knowledge capture, management and exploitation. Identify potential for tech enablement. Evolve capability scope and services. Track market developments and opportunities. Define benefits and identify additional contributing third parties.
• Measure operational effectiveness and efficiency. Identify waste and failure modes. Drive improvements.

Achieving Excellence when outsourcing Security Operations

Some readers may feel that Security Operations Excellence is not relevant to them because they are outsourcing their SecOps requirements to an MSSP. We hope that much of this belief will be dispelled elsewhere in this paper. For example, we highlight the continued need for retained functions to support the delivery, consumption and assurance of external services. It also needs to be recognised that at some stage contracts will end, MSSPs will be replaced, and services may be brought back in-house. This can be either very hard or relatively easy depending on some of the actions taken before contract award and during service delivery.

It is true that much of the work required to deliver an in-house SOC will not be necessary if much of the capability is outsourced to an MSSP. A significant proportion of the processes will be replaced by procured services. Headcount will be reduced, and with it the organisational design, recruitment burden, training requirement and operating model complexity. After all, this is one of the main reasons why many businesses opt to outsource.

However, the MSSP market is broad, with a wide variety of different offerings and a broad range of price points. An intelligent customer will have a clear understanding of their requirements at the outset and how they might evolve over time.

It is also important to consider how service performance will be measured and assessed. Most conventional managed services have a measurable input, a defined transformation, and a verifiable output. This is less well defined with managed security services, where the output is dependent on unknown people (the attackers) doing unpredictable things. As a customer you need to be confident that a quiet service means that you are safe, and not that the service provider is overlooking incidents.

All segments of the SOE framework are relevant to organisations that are outsourcing services to an MSSP.

Getting the foundations right

There are four questions that should be answered at the outset before delivering a new SecOps function or transforming an existing one.

Q1 : What are we trying to achieve?

Often the shortcomings in SecOps implementations start from the outset with a lack of defined objectives. This doesn’t just undermine the design and implementation. It also limits the effectiveness of service improvement during operations. The question “What are we trying to achieve?” may sound simplistic, but it must be answered at the outset. It isn’t a particularly onerous exercise, but will benefit if the discussion involves a broad set of stakeholders.

The question should cover the objectives, target outcomes and desired benefits that SecOps is attempting to deliver. This defines the mission for the organisation, and sets the overarching scope. It also sets the bar against which performance can be measured, and identifies how the capability and scope should be managed and evolved over time.

The answer should be technology and vendor agnostic, and independent of the sourcing model. It is concerned only with outcomes and benefits.
Q2 : What capabilities are required?

Having defined the objectives it is necessary to identify the capabilities required to achieve and sustain them. We use the capability framework in figure 3 to identify which are required for mission compliance.

The urgency and importance of capabilities should be prioritised, considering not just what is required initially, but also what might be needed in future years. A frequent mistake is to try to implement too much, too quickly, leading to over-stretch. Another is to ignore future requirements, creating the risk that early decisions will limit the options available in later years. The scope and priorities will inform the timelines and sequence of capability development and deployment in the roadmap.

Q3 : What is the sourcing strategy?

With the capability requirements specified it is now time to decide what will be built in-house and what will be outsourced.

Often this is viewed as a binary decision: a choice between building entirely in-house or alternatively outsourcing all responsibility to a Managed Security Services Provider (MSSP). Full in-house may be viable, but is frequently too expensive and complex for many businesses. The idea of 100% outsourced is less credible though. Even if a significant scope is outsourced, there will still be the requirement for functions to exist in-house. There are numerous responsibilities that the business must take on, to ensure the services are effective, can be consumed, and providers can be held to account. For example:
• The MSSP will need to be kept up to date on the configuration, vulnerabilities and changes in the technology environments being monitored;
• The MSSP will need to understand enough of the business context to be able to prioritise, triage and investigate incidents;
• The MSSP is unlikely to be the responder group for all elements of the technology environment, so incidents and responses will need to be handled and actions directed; and
• It may not be possible to share some contextual information with the MSSP, because of commercial sensitivities or regulatory constraints (e.g. privacy regulations), meaning that some of the investigation will need to be concluded in-house.

These are only a few examples, and there are others related to the additional value that a customer can gain from managed security services. This is why, even for those clients who wish to outsource to the maximum, we consider the requirements of both the procured services and the retained functions.

Q4 : What is the Concept of Operations?

The answers to the previous three questions are used to develop the detailed Concept of Operations (ConOps) for SecOps. This specifies the functions that need to be built and the services that will be procured. We can now start to decide what technology is needed to support the retained functions. It will also detail the interactions and dependencies between each of these components, as well as identifying external functions that are involved.

A sound and detailed Concept of Operations acts as a blueprint for the future SecOps organisation. It provides structure to the roadmap and programme plan that can then be executed. It also establishes confidence that the future capability will deliver the desired business outcomes and benefits.
Figure (page 7, uncaptioned): a worked illustration of the four questions, in four panels.
• “An illustrative SecOps mission” (the bullet points of the mission are not legible in the extraction).
• “Capability Scope” and “Sourcing Strategy”: each panel repeats the capability set of Figure 3, marking in the first which capabilities are in scope and in the second how each is to be sourced.
• “An illustrative and simplified Concept of Operations schematic” (titled “Illustrative and simplified ConOps for hybrid security operations function”; its title block reads: Copyright (c) C2 Cyber Ltd 2017, Author: Tom Burton, Date: 10 September 2017, Version: 0.01, Engagement Reference: 1927472, Client: Acme_Widgets). The schematic shows the SecOps functions (log collection, log retention, log forwarding, querying and visualisation, detect, triage, investigate at L1, escalate to L2+, allocate incidents to analyst, investigate, response planning, response coordination, case management, attack hunting, manage content, content planning, threat intelligence and threat fusion, external TI, analyse trends, horizon scanning, future plans, manage change, vulnerability treatment planning), the contextual information they draw on (CMDB, asset registers, vulnerability reports, corporate structure, forward forecast of change) and the external parties they interface with (log sources, email, ITSM, IT Ops, CIO, CISO).
About C2 Cyber Ltd

C2 Cyber Ltd exists to solve complex cyber and information security challenges, and has extensive experience managing risk across all three sectors in local and central government, healthcare, financial services, retail and not for profit/charity enterprises. Our approaches and methodologies blend a pragmatic mix of technical and human control measures to reduce vulnerability, limit risk, realise resilience and enable businesses to operate efficiently.

Using international standards and industry specific regulations C2 Cyber helps its customers to assess, identify and treat threats to their operations and business. We engage at an executive level with our customers and maintain that culture, leadership, behaviour and education are key factors for success. Even in today’s world of pervasive communications and the Internet of Things, technology is developed to deliver value to people. It is also attacked and targeted by people, and frequently the most challenging vulnerabilities are the people who interact with it.

Our human centric approach to cyber security starts by understanding what the business is trying to achieve, what part people play in realising those objectives, and what risks threaten the vision and aspirations. This enables us to help our clients to define and implement the right processes, prepare the people and organisation, and choose the most appropriate technology so that security becomes an enabler and differentiator, not an obstacle.

With services that generate value from strategy and governance, through to delivering capability into operations, C2 Cyber will work side by side with you as your security partner on the journey to see resilience realised.

For more information please contact: e: [email protected] t: +44 (0)20 7965 7596 w: www.c2cyber.com

The contents of this document should be considered to be general in nature and not to be relied upon as recommendations or professional advice for specific action without further advice related to the organisation in question.

Copyright © 2018, C2 Cyber Ltd, which is a business registered in England and Wales (No. 9885860).