Whitepaper
Security Operations Center (SOC): The New MSS Service Tower
Introduction: The SOC
In the context of today’s Cyber Threat Landscape, the importance of a SOC that can Detect, Respond and Contain
Cyber breaches early in the Cyber Kill Chain cannot be overstated. This capability needs to keep pace with
evolving Advanced Persistent Threat (APT) based Cyber attacks. Conventional signature-based SIEM monitoring of
network and endpoint logs alone is not enough to address APT threats in the current Cyber Threat Landscape.
Today’s (or next generation) SOC should at a minimum be an intelligence-driven facility incorporating network and
endpoint Data Analytics to detect signatureless Cyber Kill Chain behavior. Combined with a forensics capability, the
next generation SOC is a business-critical component of any Cyber Defence capability.
Managed Security Services (MSS) delivered SOC
This paper introduces Service Tower based MSS SOC delivery. It describes what an MSS delivered SOC Service
Tower would look like in order to deliver efficient and effective breach Detect, Respond and Contain capability,
particularly in a multi-vendor delivered IT estate. Multi-vendor delivery also means an increased attack surface.
An MSS delivered SOC needs to operate seamlessly across all IT towers to address that increased Cyber attack
surface. This is a challenge for the SOC because the business is a moving target, i.e. there are continual changes
and growth in People, Process, Organisation, Location, Data, Applications and Technology.
The importance and capabilities of the SOC have now evolved to the point where it arguably should exist as a
distinct logical and contractual entity, i.e. a Service Tower. The specialised technology and skills needed to operate
an in-house Next Generation SOC are a big and expensive step for an end-user.
SIAM-Integrating multiple service towers
Service Integration and Management (SIAM) is an ITIL-aligned approach to engaging and managing multiple vendors
(or towers) that together provide an end-to-end IT service (see Figure 1). SIAM is accountable and responsible for
integrating operational delivery into a single coordinated end-to-end IT service for an end-user client.
This is achieved by partitioning an IT Estate into discrete functional ‘towers’, namely Applications, End-User Compute
(EUC), Networks and Cloud/Hosting, which collectively represent an end-to-end IT environment. SIAM manages,
orchestrates and governs cross-tower integration.
encodegroup.com [email protected] ©2001-2015 Encode. All rights reserved. Confidential, do not distribute
The Service Tower model is becoming a de facto procurement approach for the UK public sector and is
increasingly used for procuring on-premise or managed solutions in the private sector. Many IT System
Integrators apply the Service Tower model internally when pricing outsource deals, using Tower-aligned
delivery teams.
Service Towers
Each Service Tower delivers an orchestrated functional IT service aligned to a set of Service Level Agreements
(SLA), supported by Operational Level Agreements (OLA) with the other supporting and dependent Towers.
Service Tower Roles & Responsibilities
SIAM is effectively a Service Tower itself, accountable to the end client. The other Towers are accountable to SIAM.
Having clearly defined roles and responsibilities between towers, underpinned by an SLA structure, is
challenging due to the inherent complexity of different vendor cultures, technologies, practices and
approaches.
The Service Tower model’s success depends on coordinated collaboration between Tower vendors.
Figure 1 illustrates key baseline roles and responsibilities as a starting point for a more granular set of roles
and responsibilities.
Service Tower Model Complexity: Increased Cyber Attack Surface
There is inherent increased complexity in implementing and operating a Service Tower based IT solution
with multiple vendors; each Tower represents a discrete set of People, Process and Technologies driving
a range of security controls largely focussed on perimeter defence.
Each service tower thus represents a discrete attack surface, and collectively they represent a far larger attack
surface than would be the case if one vendor delivered a single homogeneous solution.
This increased attack surface adds complexity when applying consistent and joined-up breach Detection,
Response and Containment capabilities across all towers.
The SOC must therefore address this complexity to deliver an effective and efficient early warning
capability. Otherwise it reverts to a basic log management and monitoring function issuing alerts that
cannot be adequately correlated across towers, ending up as noise, uncertainty and elevated risk.
Cyber Threat Landscape
In today’s Cyber Threat Landscape, the most potent threat is the Advanced Persistent Threat (APT). An
APT is characterised by a highly motivated Threat Source and/or Threat Actor(s) strategically targeting
a business, constructing TTPs to bypass perimeter and network security and covertly exploiting network
and endpoint trust relationships. APT attackers plan and execute an effective Kill Chain that passes the
perimeter as if it did not exist; their focus is on discovering and exploiting Trust Relationships.
Figure 1 Generic Service Tower Model
An APT actor conducts reconnaissance, building detailed corporate, digital and technology footprints
to identify the best Attack and Exploit Vectors for establishing a foothold and then pivoting onto other
endpoints. Business assets are compromised by the ensuing breach, which often persists undetected for
several months. The SOC must be capable of detecting early breach activity and containing it.
Elevated Cyber Attack Risk Level
The increased attack surface inherent in the Service Tower model, combined with the clear and present APT
threat, represents an elevated risk level to the business/end customer.
A larger attack surface exposes multiple breach points. Detecting breaches involves piecing together
anomalous activity across towers and correlating that information to assess whether, collectively, the
activity represents any phase of the Cyber Kill Chain.
Applying effective early breach detection across multiple service towers against a moving IT environment
baseline is a major challenge for a SOC. Generating actionable alerts early in the Cyber Kill Chain is
key to mitigating damage to the business.
Next Generation SOC
In order to adequately address the increased attack surface of the Service Tower model in context of
today’s Cyber Threat Landscape, a SOC capability should at minimum deliver the following features:
• Single view of operations across all Service Towers
• IT Environment Baseline Change Monitoring
• Cyber Threat Assessment Modelling across all towers
• Intelligence-driven rule violation assessment
• Signatureless breach behavior detection
• Cross-Tower incident/event response orchestration
The above attributes are not facets of a conventional (or traditional) SOC. Detecting signatureless
behavior patterns in the context of the Cyber Kill Chain across towers would otherwise require a large team
working 24x7, dedicated to analysing millions of network flows, endpoint behavior records and Internet
communication logs against a baseline for evidence of any phase of the Cyber Kill Chain.
Alternatively, a Big Data Analytics (BDA) solution might be a smarter choice.
BDA effectively needs to spot statistical ‘dots’ outside the baseline, join them up and correlate them with
other sets of joined-up dots to identify breach activity or Indicators of Compromise (IoC), i.e. signatureless
breach detection.
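The two ideas above, spotting per-host statistical ‘dots’ against a baseline and then joining them up across towers so that only cross-tower clusters are raised as Kill Chain activity, are shown in the following Python. It is example code added for this edit, not code from the paper or from Encode; the tower names, metric names, hosts, the mapping of metrics to Kill Chain phases, the 4-hour correlation window and every value in the history and observations are constructed assumptions.

```python
"""Added example, not from the paper: statistical baselining of per-host
metrics reported by three Service Towers, then cross-tower correlation of
the out-of-baseline 'dots' into Cyber Kill Chain phases. All names, the
phase mapping and all values are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed mapping from an out-of-baseline (tower, metric) pair to a Kill Chain phase.
PHASE_OF = {
    ("EUC", "new_executables"): "Installation",
    ("Network", "new_external_domains"): "Command and Control",
    ("Hosting", "outbound_mb_to_new_dst"): "Actions on Objectives",
}

# Constructed ten-day history per (tower, host, metric): the IT environment baseline.
HISTORY = {
    ("EUC", "ws-042", "new_executables"): [1, 2, 1, 2, 1, 2, 1, 2, 1, 2],
    ("Network", "ws-042", "new_external_domains"): [3, 5, 3, 5, 3, 5, 3, 5, 3, 5],
    ("Hosting", "ws-042", "outbound_mb_to_new_dst"): [0, 2, 0, 2, 0, 2, 0, 2, 0, 2],
    ("EUC", "ws-017", "new_executables"): [0, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    ("Network", "ws-017", "new_external_domains"): [4] * 10,
    ("Hosting", "ws-017", "outbound_mb_to_new_dst"): [1] * 10,
}

# Constructed observations for one day: (tower, timestamp, host, metric, value).
OBSERVATIONS = [
    ("EUC", "2015-06-01T09:12:00", "ws-042", "new_executables", 9),
    ("Network", "2015-06-01T09:40:00", "ws-042", "new_external_domains", 31),
    ("Hosting", "2015-06-01T11:05:00", "ws-042", "outbound_mb_to_new_dst", 640),
    ("EUC", "2015-06-01T10:00:00", "ws-017", "new_executables", 1),
    ("Network", "2015-06-01T14:30:00", "ws-017", "new_external_domains", 26),
    ("Hosting", "2015-06-01T15:00:00", "ws-017", "outbound_mb_to_new_dst", 1),
]


def build_baseline(history):
    """Mean and population standard deviation per (tower, host, metric)."""
    return {key: (mean(vals), pstdev(vals)) for key, vals in history.items()}


def z_score(value, mu, sigma):
    """Deviation above the baseline in standard deviations. A perfectly flat
    history has sigma 0, so any rise above its mean is treated as unbounded."""
    if sigma == 0:
        return float("inf") if value > mu else 0.0
    return (value - mu) / sigma


def find_dots(baseline, observations, threshold=3.0):
    """The statistical 'dots': observations more than `threshold` standard
    deviations above that host's own history for that metric in that tower."""
    dots = []
    for tower, ts, host, metric, value in observations:
        mu, sigma = baseline[(tower, host, metric)]
        z = z_score(value, mu, sigma)
        if z > threshold:
            dots.append({"tower": tower, "host": host, "metric": metric, "z": z,
                         "ts": datetime.fromisoformat(ts),
                         "phase": PHASE_OF[(tower, metric)]})
    return dots


def correlate(dots, window=timedelta(hours=4)):
    """Join a host's dots that fall within `window` of the first one. A cluster
    seen by two or more towers becomes an incident carrying the Kill Chain
    phases it covers in time order; a lone single-tower dot is returned as
    uncorrelated (the 'noise' a tower-local alert would be) rather than raised."""
    incidents, uncorrelated = [], []

    def flush(cluster):
        towers = {d["tower"] for d in cluster}
        if len(towers) >= 2:
            incidents.append({"host": cluster[0]["host"], "towers": sorted(towers),
                              "phases": [d["phase"] for d in cluster],
                              "first_seen": cluster[0]["ts"],
                              "last_seen": cluster[-1]["ts"]})
        else:
            uncorrelated.extend(cluster)

    by_host = defaultdict(list)
    for d in dots:
        by_host[d["host"]].append(d)
    for hdots in by_host.values():
        hdots.sort(key=lambda d: d["ts"])
        cluster = [hdots[0]]
        for d in hdots[1:]:
            if d["ts"] - cluster[0]["ts"] <= window:
                cluster.append(d)
            else:
                flush(cluster)
                cluster = [d]
        flush(cluster)
    return incidents, uncorrelated


def run(history=HISTORY, observations=OBSERVATIONS):
    """Baseline the history, spot the dots, correlate them across towers."""
    return correlate(find_dots(build_baseline(history), observations))


if __name__ == "__main__":
    found, lone = run()
    for inc in found:
        print(f"INCIDENT {inc['host']}: towers={inc['towers']} phases={inc['phases']}")
    for d in lone:
        print(f"uncorrelated dot: {d['host']} {d['tower']}/{d['metric']} z={d['z']:.1f}")
```

On the constructed data, ws-042 is out of baseline in all three towers within two hours and is raised as one incident spanning Installation, Command and Control and Actions on Objectives, while the single Network-tower dot on ws-017 is kept as uncorrelated rather than alerted. A real deployment would hold the baseline per tower and re-fit it as the estate changes, which is the baseline change monitoring the paper lists, and would use more robust statistics than a mean and standard deviation.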
The capabilities described above represent Next Generation features combining SIEM, Cyber Security
Intelligence and BDA into a seamless integrated SOC platform delivering effective Detection, Response
and Containment across multiple vendor environments.
In order to be properly harnessed and calibrated to deliver cross-Tower Detect, Respond and Contain
functionality, these capabilities can be logically and contractually delivered as a Service Tower, shown in
Figure 2 below.
SOC Tower Functional Architecture
As with the other Towers, the SOC Tower will have a set of operational roles and responsibilities, indicated in
Figure 2. However, the SOC operates across all towers to deliver timely, consistent, correlated and effective
breach Detect, Respond and Contain capability.
Figure 3 illustrates the SOC functioning across all towers (including SIAM), collecting device and endpoint logs.
The SOC Tower in principle should be accountable to SIAM but in practice can be accountable to the end-client.
The gap between principle and practice will be, as always, a matter of compliance and SLAs coupled to
operational Roles and Responsibilities.
Conclusion
The next generation of SOC capability is a critical component of any end-to-end IT environment.
It is a particularly important function in support of a Service Tower based delivery model, which inherently
possesses a much larger Cyber Attack Surface.
The SOC’s ability to consistently Detect, Respond and Contain breaches early, across all towers, is far
too important to implement as discrete instances within each service tower under the local control of
tower vendors.
The SOC needs to exist as a discrete, contractually and logically ‘independent’ entity directly and
homogeneously operating across all Towers. This is critical to addressing Cyber attacks in any or all parts of
an IT environment where multiple Service Towers are involved. The SOC is the new Service Tower.
Figure 2 Service Tower Model including SOC Service Tower
Figure 3 SOC Tower Operational and Functional view