Our recent ISACA Journal article discusses the requirements for a military-grade secure data center based on the Advanced National Security Infrastructure System (ANSIS) by the National Computing and Information Agency (NCIA) in South Korea and the International Telecommunications Union (ITU-T) X.805.
This blog discusses the role of security operations center (SOC) functions, namely monitoring, visualization and incident response, in supporting security dimensions and defense-in-depth layers for data centers. The dimensions and layers in ANSIS and ITU-T X.805 are largely preventive and detective controls. While the monitoring function aids in detection, it also collates information from various sources and provides the input for analysis, which can guide the incident response and recovery functions. Torsten George considers continuous monitoring and risk visualization to be 2 of the 4 key elements of cybersecurity.
SOCs fulfill all the functions encompassed in the prevent-detect-respond-recover model across people, processes and technology, as mentioned in the Convergence of Enterprise Security Organizations. As such, SOCs play a significant role in the defense of an organization’s critical assets, as well as in assisting with compliance issues. Such centers also allow organizations to respond to threats in a timely manner. This holds true especially when considering the know, prevent, detect, respond and recover Function Matrix Shell of the NIST Draft Framework Core.
It can be postulated that a computer security incident response team (CSIRT) serves as an extremely mature and capable subset of the SOC incident management function, or that a SOC can serve as a feed into a CSIRT. Both, however, provide monitoring, analysis and incident management functions, to name a few.
Considering the 8-layer defense model for data centers proposed in our Journal article, it needs to be understood that, as part of a holistic security approach, it is necessary to monitor critical assets in the data center, analyze threats, respond to threats and manage incidents. This is true not only for the critical assets within the data center, but also for the deployed technical controls, so as to ensure their proper functioning and to detect anomalies.
Using a taxonomy of continuous monitoring, analysis and incident management, we propose the following mapping of the 8 layers:
One has to tread carefully when monitoring for abuse of internal systems. Monitoring without informing employees could lead to claims that their privacy has been breached, although it could be argued that they are using resources paid for and owned by the company. The important point is that employees should be informed.
Legislation can be vague when it comes to monitoring traffic aimed at your firewalls, IPSs and web servers. Once again, these are your assets and, as such, they should be protected. There are regulations and acts covering, prescribing and supporting the monitoring of assets.
There is a move from current security information and event management (SIEM) and intrusion detection and prevention system (IDPS)-based monitoring to solutions incorporating advanced analytics and big data to enhance detective capability and reduce false positives. Visualization of data supports advanced analytics, making it easier for humans to see patterns and event timelines, prioritize response efforts, and possibly identify weak areas in the data center. These advanced SOC solutions may also include workflow management to aid investigation and effective response to, and recovery from, incidents. Advanced monitoring can further enhance nonrepudiation by recording the events and actions of users and systems, and it can protect data confidentiality and availability through correlation of events that indicate all areas of the data center that may have been affected by an incident.
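As an added illustration (not code from the article or its authors), the correlation step described above: events from the firewall, IPS and web server sources mentioned earlier are grouped by actor within a time window, and any group spanning more than one monitoring source is reported with its affected assets and an ordered timeline for triage. The field names, asset names and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three monitoring sources (firewall, IPS,
# web server). Field names, asset names and addresses are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2015-03-01T10:00:05", "source": "firewall",  "asset": "fw-edge-1", "actor": "203.0.113.7",  "action": "deny"},
    {"ts": "2015-03-01T10:00:09", "source": "ips",       "asset": "ips-dmz-1", "actor": "203.0.113.7",  "action": "alert:sqli"},
    {"ts": "2015-03-01T10:00:12", "source": "webserver", "asset": "www-1",     "actor": "203.0.113.7",  "action": "500"},
    {"ts": "2015-03-01T10:30:00", "source": "webserver", "asset": "www-2",     "actor": "198.51.100.4", "action": "200"},
    {"ts": "2015-03-01T11:15:00", "source": "ips",       "asset": "ips-dmz-1", "actor": "203.0.113.7",  "action": "alert:scan"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Cluster events per actor; a new cluster starts when the gap to the
    previous event exceeds `window`. Only clusters seen by at least
    `min_sources` distinct monitoring sources are reported as incidents,
    which filters single-source noise and shows the affected assets."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_actor[e["actor"]].append(e)
    incidents = []
    for actor, evs in by_actor.items():
        cluster = []
        for e in evs:
            if cluster and parse_ts(e["ts"]) - parse_ts(cluster[-1]["ts"]) > window:
                incidents.extend(_close(actor, cluster, min_sources))
                cluster = []
            cluster.append(e)
        incidents.extend(_close(actor, cluster, min_sources))
    return incidents

def _close(actor, cluster, min_sources):
    """Turn a finished cluster into an incident record, or nothing."""
    sources = {e["source"] for e in cluster}
    if len(sources) < min_sources:
        return []
    return [{
        "actor": actor,
        "sources": sorted(sources),
        "affected_assets": sorted({e["asset"] for e in cluster}),
        # Ordered timeline supports the visualization and prioritization
        # discussed in the text.
        "timeline": [(e["ts"], e["source"], e["action"]) for e in cluster],
    }]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc["actor"], inc["affected_assets"], inc["timeline"])
```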
Read Brett van Niekerk, Ph.D., and Pierre Jacobs’ recent ISACA Journal article:
“Toward a Secure Data Center Model,” ISACA Journal, volume 3, 2015.