My latest book “Cybersecurity Arm Wrestling: Winning the perpetual fight against crime by building a modern Security Operations Center (SOC)” is published and available on amazon.com worldwide.
This is a relatively short book with 11 chapters, three sections and about 130 pages (excluding front matter like table of contents). I will be looking forward to getting your feedback to make improvements for the next editions.
Please subscribe to this blog for updates and new posts
There is a lot going on with Cloud computing, containers, and microservices. The following is a summary of what information security professionals need to know about one very important idea: the service mesh.
What is it? A service mesh controls, monitors, and secures service-to-service (and container-to-container) communication.
What does it achieve? It moves (offloads) the security of communication from the service/application to the platform.
Where is it placed? It sits “next to” each service as a set of proxies and is usually part of a Kubernetes cluster.
How does it achieve its goals? A service mesh implements a control plane and a data plane. The control plane defines and enforces policies, whereas the data plane (the proxies) carries the communication among services.
Is a service mesh useful in every case? It is only beneficial when your application uses microservices. Also, if your application uses a service bus like Kafka, a service mesh will not buy you much.
What can a service mesh do? It can provide the necessary security, reliability, and observability functions. For example, it can implement transparent mutual TLS (mTLS) to secure communication between two services. It can also help identify latency and measure errors in inter-service communication (and much more). From a reliability perspective, a service mesh can perform actions like load balancing and retries when a communication fails.
Why Should InfoSec Professionals Care?
Confidentiality, observability, and reliability of container-to-container and service-to-service communication are of great interest to infosec teams in modern microservices architectures.
Why use a service mesh, especially in the Cloud? Since communication between two services hosted in the Cloud takes place over infrastructure controlled by the Cloud service provider (CSP), it is essential to ensure end-to-end encryption to protect the confidentiality of information flowing between the two services. With mTLS, a service mesh provides both authentication/authorization and confidentiality by encrypting all traffic.
Can we enforce policy and implement a zero trust architecture? Yes; with a service mesh, zero trust for containers and services can be realized.
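As an added example (not from the original post), here is what the transparent mTLS and zero trust policy enforcement described above look like when expressed as mesh configuration, assuming Istio as the service mesh and two hypothetical workloads, `orders` and `payments`. The first resource makes mTLS mandatory mesh-wide, so plaintext service-to-service traffic is rejected rather than silently accepted; the second allows the `payments` workload to be called only by the `orders` service identity, which the mesh derives from the client certificate it issued.

```yaml
# Mesh-wide PeerAuthentication: require mTLS for all proxy-to-proxy traffic.
# Istio's default mode is PERMISSIVE (accepts both plaintext and mTLS), which
# gives no confidentiality guarantee; STRICT is the setting that actually
# enforces encrypted and authenticated service-to-service communication.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace, so this applies to the whole mesh
spec:
  mtls:
    mode: STRICT
---
# Zero trust allow-list for the "payments" workload (hypothetical names):
# only pods running as the "orders" service account may call it, and only
# with GET or POST. Any caller not matching an ALLOW rule is denied.
# Identity comes from the workload certificate (SPIFFE-style principal),
# not from IP addresses or network location.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-orders
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/orders/sa/orders"]
    to:
    - operation:
        methods: ["GET", "POST"]
```

Principal-based rules only work when mTLS is actually in effect: a plaintext caller presents no certificate and therefore no principal, which is why the STRICT PeerAuthentication belongs alongside the AuthorizationPolicy rather than being left at the permissive default.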
Open Source Service Mesh Technologies
There are many technologies available, both open source and from CSPs. Two commonly used open source technologies are listed below:
The PDF version of my latest book “Cybersecurity Arm Wrestling – Winning the perpetual fight against crime by building a modern Security Operations Center (SOC)” is now available for download. You can share this link, print it, and use it for your personal purposes. However, you are not allowed to modify it or distribute it in any shape or form. Thank you!
You can still get a printed copy of the book from amazon.com if you choose to do so, using the following URL.
There are a few things that every architect should do but most forget. As you know, there is no shortage of technology architecture frameworks and standards. You may have come across TOGAF for enterprise architecture and SABSA (Sherwood Applied Business Security Architecture) for security architecture. Without going into the details of any of these, I just want to touch on a few things that every architect should keep in mind to ensure their own success as well as that of the people around them (engineers, developers, operations, etc.).
These are Business, Operations, Technology, and Service, or “BOTS”. When creating an architecture for security projects, everyone should focus on “BOTS”, which are the perspectives and “views” listed below:
Business View – First and foremost, ensure that the architecture meets business needs. You may have a perfect architecture, but it may hinder the business instead of enabling it.
Operational View – Don’t forget operations. Someone has to run the system on a day-to-day basis. Operations teams are one of the main stakeholders but are often forgotten. Consider how your architecture will make their lives easier rather than harder.
Technology View – I know this is already the main focus area of all architects. However, technology has many aspects that are sometimes ignored. These include cost, maintainability, complexity, maturity, etc. Remember that complexity is the enemy of security. Complex systems are not only difficult and expensive to maintain; many times they are also less secure than simple systems.
Service View – Whatever you are building, at some point “people” are going to use it, directly or indirectly. Consider the service you are providing and the usability of the overall system. Multi-factor authentication can be very cumbersome or nearly transparent for end users. You know which one would be more successful!
Business, Operations, Technology, and Service (BOTS) views are essential for the success of any information security project. In my last 20 years of experience, I have seen many projects either completely fail or not realize their potential just because the architects forgot about one or more of the BOTS views. Don’t do that!
The final draft of the “Cybersecurity Arm Wrestling – Winning the perpetual fight against crime by building a modern Security Operations Center (SOC)” book is complete and available for download and your comments. The book consists of ten chapters, as listed below:
SOC Business Case Development
Logs and other data sources
SOC Human Resources
SOC Technology Stack
SOC Implementation Planning
SOC Operations and Incident Response
SOC Staff Training and Skills Development
Threat Intelligence and Threat Hunting
Open Source Solutions for SOC
The final version will be published on paper, will be available for purchase through amazon.com, and may contain additional content (based on further reviews). The expected timeframe for the paper copy is April 2021.
Download the PDF Version
You can download the final draft version immediately from this URL. Please provide your comments, recommendations, and any suggestions before the final version is published as a paper copy.
I am extremely thankful to many individuals who provided their input and reviews to make this book better. They include but are not limited to the following:
Over the years of my professional work and research, I have found six ingredients absolutely necessary for the success of any SOC, big or small. When you combine these ingredients with continuous improvement activities, you get excellent business results. On the other hand, miss one of them and everything falls apart.
For more than a decade since I got involved in helping businesses build security programs and operations centers, it has been quite a learning process. To make this body of knowledge available to the information security community, about two and a half years ago I started writing a book about building a Security Operations Center (SOC). As part of my research for this book, I have interviewed a large number of SOC practitioners, talked to CISOs, read thousands of research papers and reports, explored commercial and open source products, and created tools for budgeting purposes.
So what are those six essential ingredients? Three of them are the usual people, process, and technology; the others go beyond that, as shown in the diagram below.
People (SOC staff) with different levels of expertise in diverse areas, including networking, operating systems, applications, operations management, scripting, Python, vulnerability management, incident handling, forensics, and others.
Defined processes for tasks under the scope of the SOC. While there are many SOC processes, effective incident detection and incident management is the key process for the success of every SOC. A SOC may also rely on other IT systems/processes like asset management, change management, patch management, etc.
Technology stack for collecting logs and other types of telemetry data, storing data, and processing/analyzing data. The main technologies used in a SOC include a Security Information and Event Management (SIEM) tool, log collection, network sensing, ticket/incident management, forensic tools, and vulnerability management tools.
SOC governance structure that enables SOC management and continuous improvement while ensuring the business objectives of the SOC are achieved.
Carefully selected data sources that provide high value in threat detection. People need to be careful and selective in determining the type and amount of data that is fed into the technology stack. More is not always better!
Threat intelligence is a must for the success of any modern SOC. It helps in proactive threat hunting and supports automation, enabling response to threats at machine speed.
While these ingredients are necessary to build a successful SOC, continuous improvement activities are absolutely necessary to keep the SOC effective and continuously delivering value. Continuous improvement requires that SOC managers look for opportunities for improvement in all of these areas, including training of SOC staff.
Also note that while building a SOC, you don’t necessarily need to have all of the SOC components in-house. You can make business decisions about what to keep in-house and where to get help from your security partners/vendors.
Draft of Chapter 7 of my book “Cybersecurity Arm Wrestling – Winning the perpetual fight against crime by building a modern Security Operations Center” is complete and available for download. This chapter is about the “Operate” part of the “Plan-Design-Build-Operate” strategy and covers areas such as:
Human Resource management
Incident Detection and Response
Managing SOC technology infrastructure
Build and Improve use cases
Dealing with stress and SOC burnout
SOC reporting and metrics
SOC and meeting compliance needs
SOC best practices and pitfalls
The chapter summary and recommendations include:
The importance of SOC governance can’t be emphasized enough. This is the most critical factor for long-term success.
Hiring the right kind of people, training them, managing their stress levels, and scheduling shifts are critical as well.
The most important process for a SOC is incident detection and response. Building and improving use cases, automation, and the use of SOAR technologies are part of it.
Applying ITIL processes to manage SOC infrastructure is quite important.
Meaningful metrics, automated reports, and dashboards help not only in meeting compliance needs but also in facilitating effective communication across broader IT teams as well as business leadership.
Last, but not least, maintain a risk register, plan for next year, and always be ready to respond to data breaches.
The chapter can be downloaded from the link below. However, please note that this is a draft and will be updated in the final version of the book.
Historically, Security Operations Centers (SOCs) have been a combination of people, processes, and technology designed to protect information systems and to detect and respond to incidents to minimize damage. Many times SOCs were built to meet fundamental needs for log collection and analysis, achieve compliance, and provide incident response. However, the traditional SOC has morphed into a modern SOC concept with a lot more focus on building capabilities for early detection of threats (both known and unknown), minimizing dwell time, and using automation to improve efficiency. The nature of the SOC has also morphed from a reactive organization to proactive hunting that identifies threats before they strike.
If you think about the traditional SOC, the focus areas were as follows:
Collecting logs from systems and applications.
Using Security Information and Event Management (SIEM) solutions for correlation.
Developing use cases to identify threats.
Integrating vulnerability scanning data for risk scoring.
Providing incident response through the SOC as well as extended IT teams (first responders).
Putting significant focus on achieving compliance while managing risk.
Capabilities of NextGen SOC
A modern NextGen SOC retains all of the capabilities of a traditional SOC. However, the focus has shifted from managing tools to building capabilities, and from a reactive approach to a proactive one. Modern SOC design also uses new sources of telemetry beyond traditional syslog collection and aims at discovering unknown threats. The following are some of the salient features and capabilities of a NextGen SOC.
Less focus on tools and more on capabilities, as more and more SOC tools are now available in the Cloud and as-a-Service.
Threat intelligence integration is now an essential component of SOC.
Using automation to shorten analysis and response time through Security Orchestration, Automation and Response (SOAR) tools.
Proactive threat hunting, not only in internal telemetry data but also going outside corporate boundaries and discovering threats through dark web research.
Finding unknown threats with help from machine learning techniques like anomaly detection and unsupervised learning.
Cloud telemetry integration and use of APIs.
Catering for the convergence of IT and OT (Operational Technology), including IoT.
User and Entity Behavior Analytics (UEBA) going beyond just log data and known threat detection.
Businesses that have adopted NextGen SOC concepts see improvements in threat detection, quicker incident response, and better satisfaction of their staff as well as their internal or external customers.
Does a NextGen SOC Cost More?
Not necessarily. Many times it is just a cost shift. Efficiency is achieved by reducing the mean time to resolve (MTTR) incidents through automation and proactive capabilities. Cloud-based tools (e.g. Cloud-based SIEM technologies) help with cost management as well as capacity planning. What security leaders need to do is build cost models and business cases that account for the total cost of ownership. The SOC is a continuous and unending journey, a perpetual Cybersecurity Arm Wrestling with threat actors. Infosec leaders must continuously evaluate where they stand right now and where they should be going to achieve their goals and provide value to the businesses they support.
Once SOC analysts declare an event a security incident, the CSIRT takes ownership of the incident, takes the necessary actions, and closes it. The objective of the CSIRT is to execute the workflow for responding to incidents once they are escalated by SOC analysts. The main reason for having a CSIRT is to keep SOC analysts primarily focused on threat monitoring instead of getting into response activities, which may take a long time and divert their attention from their primary goal of threat monitoring and detection. A typical high-level CSIRT workflow (corresponding to the NIST incident response process) is shown below; it also shows the collaboration between the SOC analysts and the CSIRT.
Note that the CSIRT will work with the SOC analysts in some phases of the incident response, whereas it takes the lead in containment, eradication, recovery, and post-incident activities. However, collaboration among all stakeholders is crucial during incident response, and you should not strive to draw hard lines about where one team's role starts and ends, as long as the responders are clear about who leads a given activity.
ENISA and other organizations have published good material about CSIRT establishment, training, and handbooks in case you need further help.
The current model of building a security operations center (SOC) is not sustainable. This is probably not news for many of my readers. Working with many businesses, small to large and regional to international, I have been thinking about this quite a lot lately. I have been publishing the CISO MindMap for over eight years to explain and highlight the complexity of the work that security professionals have to do. With the digital economy taking a foothold, the CISO’s work is just getting more complex as new technologies are adopted by businesses, strict privacy laws are enacted globally, and the attack surface is expanding every day. Networks are no longer confined to data centers or corporate offices, and older ideas of managing security operations are obsolete.
There is a need for major changes in the foundational thinking about how to run security operations. Most security conferences are too generic and focus on tactical and derivative work. There is a need for new, original, and thought-provoking ideas to change our practices for managing security operations and optimizing risk. Our industry needs this badly. For these reasons, I have started thinking about a 3-day conference in 2021 to focus exclusively on the SOC by gathering the best minds and exploring new ideas.
What Would the Conference Focus Areas Be?
Based on my initial exploration, the following are some of the major areas of focus for the conference. However, I believe these will evolve and change as I get more feedback from industry leaders.
Alternate models for the SOC of the future
SOC for IoT, OT, Autonomous Vehicles and other emerging industry needs
Implication of Cloud, Containers, Serverless Computing on SOC
Threat visualization, Threat Intelligence
Cooperative SOC for vertical markets
SOC Innovation and frameworks, Meaningful Metrics
SOC in the Cloud, SOC as a Service
SOC People: Stress management and well-being
Automation, Machine Learning for SOC technologies
Open source SOC
Incident Response, Digital Forensics
Planning and implementation, Business case development
Emerging SOC technologies
Global SOC challenges, privacy laws, data sharing across physical boundaries
Integrations, APIs, Ticketing Systems
Want to be Involved?
In the short term, I would like to create an advisory council for the conference. However, there are many other areas where help is needed. Please check and fill out this Google Form if you are interested in getting involved.
While upgrading SOC technologies, bringing in new tools, and continuously training SOC staff are all great things to do, they don’t solve the fundamental issue of the long-term sustainability of the SOC model itself. With expanding sources of data and ever-evolving new threats, we, as an industry, need to bring new thinking to question what we are doing today and what the best path forward is. The objective of this conference is to do exactly that: challenge the status quo and bring fresh and original thoughts to meet new challenges.
Subscribe to this Blog
Subscribe to my blog to keep updated about this and other thought-provoking discussions. You will get an email when a new post is published here.