In our era of exponential digital connectivity, any company’s operations, brand, reputation, and revenue pipelines are at risk. Cybercrime is rampant and everyone is a target. The results of a recent Accenture Cyber Investigations, Forensics & Response business study found that Global cyber intrusion activity jumped 125 percent in the first half of 2021. Cybersecurity Ventures estimates that in 2021 global losses from cybercrime damages are expected to reach $6 trillion. That equates to damage amounts of $16.4 billion a day, $684.9 million an hour, $11 million per minute, and $190,000 per second (Cybercrime Magazine, 2020).
These alarming trends make it imperative for companies to treat cybersecurity with focus, investment, people, and technologies. Such an initiative requires strategy and organization. The most optimal way to do this is to prioritize cybersecurity inside the organization with a cybersecurity operations hub or a more formalized internal or external Security Operations Cent (SOC).
A security strategy framework integrated under a Cybersecurity Hub or SOC operations to meet these growing cyber-threat challenges needs to be both comprehensive and adaptive. It involves people, processes, and technologies. Defined by the most basic elements in informed risk management, cybersecurity is composed of:
- Layered vigilance (intelligence, surveillance)
- Readiness (operational capabilities, visual command center, interdiction technologies)
- Resilience (coordinated response, mitigation, and recovery)
The specifics of a security approach may vary according to circumstances, but the mesh that connects the elements is situational awareness combined with systematic abilities for critical communications in cases of emergency. These guidelines are highlighted and promoted in the U.S. government’s National Institute of Standards and Technology (NIST) mantra for industry: “Identify, Protect, Detect, Respond, Recover.” NIST is also a “go-to” resource in exploring security frameworks and industry best practices for initiating a cybersecurity strategy for a Hub and SOC. Resources | NIST
Developing an understanding and creating an effective cybersecurity operational strategy really depends on a yin-and-yang formula – you need the technical people who understand the street-view challenges of industry from an engineering perspective, and you need the executives who run P & L to facilitate the operations and go-to-market efforts, to sign off on a clearly defined plan. The themes of the framework should include protecting data, corporate IP, and establishing governance.
A successful collaborative strategy requires stepping up assessing situational awareness, information sharing, and especially resilience. In C-Suite terms, what is the price tag for staying in business. In IT terms this may include operational components of encryption, biometrics, smarter analytics, and automated network security, informed risk management software, cyber certifications and training, network monitoring, and incorporating NextGen layered hardware/software technologies for the enterprise network, payload, and endpoint security. Also, access and identity management of connected devices need to be strengthened and enforced through new protocols and processes.
Also, it is imperative that any strategy and operational plans for SOCs and Cybersecurity Hubs include working mechanisms for operational incident response, gap analysis, resilience, and audits. Cybersecurity is integral to brand reputation, and no matter what breaches will happen and how quickly and effectively a company responds will be a consequence to the bottom line to shareholders.
Three Pillars of Cybersecurity Strategy
SOCs or a Cybersecurity Hub should be designed based on cybersecurity strategies and perceived requirements. As cybersecurity gaps abound, there has been a growing panic in both industry and government on how to protect the cyber landscape. In the past, three significant risk management themes have been put forward to help ameliorate the digital risk ecosystem including security by design, defense in depth, and zero trust. They are a triad, or three strong pillars of risk management needed for a successful cybersecurity strategy.
Security by Design is really the initiation point of a risk management process – especially if you are a software or hardware developer concerned with security. In an article in United States Cybersecurity Magazine, cybersecurity expert Jeff Spivey provided an excellent working definition: “Security by Design ensures that security risk governance and management are monitored, managed and maintained on a continuous basis. The value of this ‘holistic’ approach is that it ensures that new security risks are prioritized, ordered and addressed in a continual manner with continuous feedback and learning.” Security by Design | United States Cybersecurity Magazine (uscybersecurity.net)
Defense in Depth. A variety of strong definitions exist for defense in depth in the security community. A NIST publication defines the defense-in-depth concept as “an important security architecture principle that has significant application to industrial control systems (ICS), cloud services, storehouses of sensitive data, and many other areas. We claim that an ideal defense-in-depth posture is ‘deep,’ containing many layers of security, and ‘narrow,’ the number of node independent attack paths is minimized.” Measuring and Improving the Effectiveness of Defense-in-Depth Postures | NIST
The Northrup Grumman Infographic below provides a good visual of the concept of defense in depth.
Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network- based perimeters to focus on users, assets, and resources. A zero-trust architecture (ZTA) uses zero-trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focus on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource. This document contains an abstract definition of zero-trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture. Zero Trust Architecture | NIST
Zero trust is the newest of the pillars and has not received the investment or focus of the others. Both industry and government are prioritizing this approach. In government, the Department of Homeland Security is leading the civilian side of exploring and optimizing the zero-trust approach. On the defense and intelligence side of government, a zero-trust pilot is being undertaken as a joint effort with U.S. Cyber Command, the Defense Information Systems Agency, and the National Security Agency where they are lab testing various technologies. According to Neal Ziring, the technical director for NSA’s Cybersecurity Directorate, “The team has been able to demonstrate the effectiveness of zero trust at preventing, detecting, responding and recovering from cyberattacks.” DHS, NSA creating reusable pieces to zero trust foundation | Federal News Network
When Security by Design, Defense in Depth, and Zero Trust are combined, cybersecurity becomes stronger. Security by design monitors, manages, and maintains the security process. Defense in depth enables layers of redundant protective security measures to help deter data breaches. And zero trust focuses on protecting resources (assets, services, workflows, network accounts) through strict identity and access management enforced by authentication and proper authorization. These three pillars need to be guiding in designing and monitoring the changing operational requirements of SOCs.
Source: Combining Three Pillars Of Cybersecurity by Chuck Brooks Combining Three Pillars Of Cybersecurity (forbes.com)
To address the potential perils, working frameworks to prioritize security operations to remediate cyber-attacks should be guiding structures in operations in security operations center security planning. A Security Operations Center Security Operations Center (SOC) includes corporate systems, control systems, and physical security. It is designed to deliver continuous prevention, protection, detection, and mitigation of threats to systems. SOC teams also uncover vulnerabilities, respond to threats, and handle incidents that may be in progress on your networks or systems. Am industry or government SOC does not have to be a one-size- fits-all and can be refined by corporate size, industry requirements, and market verticals.
SOCs provide an operational risk management structure for organizations to organize, monitor and respond to cybersecurity threats. While models can differ, below is a glimpse of the basic elements usually found in operating an SOC:
Functional SOC Activities:
Operations Management: The core of a Security Operations Center (SOC) will have a Security Information and Event Management solution (SIEM). Other core components will include Web Application Firewalls (WAF) – Privilege Identity Management Solution (PIM), Anti-Advanced Persistent Threat Protection (Anti-APT), and Anti-Phishing and Anti-Malware software. SOCs perform log backups as per policy and legal requirements. A fundamental role for SOCs is to track and advise about new global security threats and vulnerabilities. This is done by continual scanning of critical websites for phishing, and malware threats and maintaining actional reports.
Training and Planning: SOC operators are regularly trained on the functionality of new products and tools, architecture, and the solution designs for SOCs. Operators are also key to planning and assisting in security awareness throughout organizations and companies.
Identifying Information Security Vulnerabilities: Security vulnerabilities can include application security testing and scanning, penetration testing, checking the vulnerability of servers and routers. SOC operators typically conduct secure code reviews and analyze. The correlation of logs from all the devices/solutions/applications under scope.
Risk Assessment and Resilience: Performing Risk Assessment Activity in line with legal or regulatory cybersecurity policies. Developing and implementing a minimum baseline cybersecurity and resilience framework. And the creation and implementation of Cyber Crisis Management Plan (CCMP).
Incident Management and Response: Common tasks in incident management include the reporting and logging of information security incidents using ticketing tools. Operators will track and monitor information security incidents and initiate an escalation of these incidents to appropriate teams if required. Incident management requires having a business continuity plan that features an adaptive incident response, management, and recovery framework to deal with adverse incidents/disruptions, contain attacks and restore services. Forensic activities of an SOC will include audits and forensics of records for evaluation and mitigation of incidents.
Orchestration and Continuous Improvement: SOC operations include the procurement of the necessary solutions, hardware, software, database, patch management, required for implementing cybersecurity solutions. Implementation of the solutions includes configuration, customization, and the scaling of hardware/software solutions as necessary.
SOC staff must ensure secure operational links along with the servers, software, database, storage solution, and networking and security equipment. Management should include the integration of SIEM with all devices, servers, and applications and regular configuration reviews. SOC operators must monitor alerts and events reported and record the incidents, classify, and recommend remedial action. These tasks can be facilitated by an integrated dashboard that can continually view the security risks/ incidents.
The infographic below highlights the mechanics of SOC operating models.
The mechanics and tools that are important by managing an SOC can be a key challenge for any organization as it requires the right mix of cybersecurity expertise, technologies, and the often-overlooked factor of a functional budget to address emerging threats and continual incident response issues. Not every company has the resources or in-house expertise to operate an SOC. SOCs can be outsourced as a service, which is a viable option for small- and medium-size companies. Another option is creating a company Cybersecurity Hub.
I recommended creating a Cybersecurity Hub (CH) as a course of action for companies in a recent FORBES article: Creating An Internal Cybersecurity Hub Inside Your Company (forbes.com)
The benefits of creating a CH could cut across a wide number of different areas. The CH itself should be composed of those who can help steer the company and should include the C-Suite management leadership, the boards, and especially the CISO, CIO, and CTOs. The CH would operate as an internal operational think tank geared toward planning the specifics of mitigating, and being more resilient to, cyber threats. A summary of the potential benefits include:
- Enhancing Industry Competitiveness: Creating a location for the collection of expertise and industry awareness to gather insights into risk management, technology, innovation, access to talent, and compliance trends within security environments.
- Internal Training and Developing In-House Expertise: Creating curricula for training leadership, employees, and partners in risk governance and development of appropriate cultural attitudes toward security.
- Partner Attraction: Identifying and engaging with other businesses to coordinate sales pipelines and explore new go-to-market opportunities.
- Research and Development: Performing horizon analysis on research and development planning, and assimilation of next-gen emerging technologies into company operations.
- Outreach and Marketing: Providing focused outreach, thought leadership, and media activities to raise awareness of company security capabilities in their products, services, and partner supply chains.
The internal company cyber hub does not have to be a one-size-fits-all and can be refined by corporate size, industry requirements, and market verticals. The members included in the CH could divide up tasks in accordance with their roles and expertise. While a Cybersecurity Hub is not a substitute for an SOC, it is a pragmatic alternative for companies and organizations.
Whether it be an SOC or a Cybersecurity Hub, there are common grounds to be considered for an action list for those wanting to bolster their cybersecurity posture.
Putting it all Together: A Suggested SOC and/or Cybersecurity Hub Strategy Action List
Initial Cyber Pursuits:
- Prioritize cybersecurity as a company imperative
- Create a risk management and vulnerability framework
- Obtain C-Suite leadership and employee engagement
- Create Incident Mitigation and Continuity Plan
Identify Digital Assets to be Protected
- Data (at rest and in motion)
- Network (firewalls, servers, routers, switches, WIFI)
- Devices (PC and mobile)
Identify Top Cyber Threats:
- Social engineering
- Insider threats
- DDOS Attacks
Recognize Evolving Challenges:
- IoT – exponential connectivity
- Vulnerable supply chains
- Transition to cloud, hybrid cloud and edge platforms
- Emerging tech landscape: artificial intelligence, machine intelligence, 5G, quantum computing
- Secure back-up protocols
- Cyber hygiene and strong passwords
- Access control
- Antivirus software
- Threat intelligence
- New security tools
- Quick-response teams
Frameworks, strategies and having an operational SOC or a Cybersecurity Hub are elements that should be prioritized in industry and government. The stakes are too high not to consider the consequences. The global cyber ecosystem is on the verge of unparalleled exponential connectivity and new risks and unforeseen issues will continue to evolve and expand. Being aware of the resources available and operational requirements for cybersecurity is a starting point.