Cyber security: what is a SOC?

06/10/17

The world of cyber security grows more complex every day, and more and more organizations are choosing either to use the services of a Security Operation Center (SOC) or to build one within their own organization.

But what is a Security Operation Center?

To clarify the concept, I rely on a document that I found very clear and that I invite you to read: "Classification of Security Operation Centers" by Pierre Jacobs, Alapan Arnab and Barry Irwin of the Department of Computer Science at Rhodes University in Grahamstown, South Africa.
What interests us here is the concept of a SOC, for which I quote the first paragraph of that document:

"The Security Operations Center (SOC) can be defined as a centralized security organization that assists companies in identifying, managing and remediating distributed security attacks [1]. Depending on the capabilities required by a SOC by the enterprise or client, SOC may also be responsible for the management of technical controls. The end goal of a SOC is to improve the security posture of an organization by detecting and responding to threats and attacks before they have an impact on the business."

From this definition it is immediately clear that a SOC is a centralized organizational structure whose purpose is to assist companies in identifying, managing and remedying distributed security attacks. A SOC may also be called upon to manage the technical security controls of the company that uses its services.
The SOC can be internal to the company and work solely in its support, or it can offer services to other companies as well. In either case, the ultimate purpose of a SOC is to improve the "security posture" of an organization by identifying and responding to risks and attacks before they can affect the organization's core business.
It would be more realistic to say that a SOC "tends to prevent the impact of cyber attacks on the organization's business, or to limit the damage."

The document contains an in-depth analysis of the functions and components of a SOC, but for now we are only interested in the concept above.
It should be said at once that the SOC is not an invention of our time, nor does it originate in the ICT world: the concept has long been used in the field of physical security, and the ICT world has simply adopted it.
Today we speak of fifth-generation SOCs, meaning structures equipped with predictive analysis capabilities in addition to monitoring and response.
It is worth highlighting right away the aspect that, in my opinion, matters most: a Security Operation Center is a complex organizational unit, generally centralized, responsible for identifying, managing and remedying IT security problems, and it is made up of processes, tools and people.

While processes and tools are easy to acquire and to replace when needed, the same does not apply to people, who must be adequately trained and thoroughly familiar with the organization they work for.

Generally, a SOC relies on one or more SIEM (Security Information and Event Management) tools to aggregate and correlate data and events coming from different systems: logs from firewalls, servers, authentication systems and so on are collected centrally, normalized into a common format and matched against correlation rules that turn isolated records into security alerts.
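As an added illustration of what a SIEM does with the data it aggregates (example code written for this page, not taken from the article or from any of the vendors it mentions), the following Python script normalizes constructed log lines from two sources, an sshd authentication log and a firewall log, into one event schema and applies two correlation rules: a single-source rule (drops on several distinct ports from one address) and a cross-source rule (repeated login failures followed by a success, enriched with the firewall data). Hostnames, addresses, the threshold of three and the five-minute window are assumptions chosen for the example.

```python
"""Toy SIEM-style aggregation and correlation.

Added example for this article, not code from the page or from any vendor it
names.  Two constructed log sources (an sshd auth log and a firewall log) are
normalized into one event schema and run through two correlation rules, so a
pattern that is invisible in either source alone becomes a single alert.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input.  syslog lines carry no year, so 2017 is assumed.
AUTH_LOG = """\
Oct  6 10:00:01 web01 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Oct  6 10:00:03 web01 sshd[2002]: Failed password for root from 203.0.113.7 port 50113 ssh2
Oct  6 10:00:05 web01 sshd[2003]: Failed password for root from 203.0.113.7 port 50114 ssh2
Oct  6 10:00:06 web01 sshd[2004]: Failed password for root from 203.0.113.7 port 50115 ssh2
Oct  6 10:00:09 web01 sshd[2005]: Accepted password for root from 203.0.113.7 port 50116 ssh2
Oct  6 10:30:00 web01 sshd[2100]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Oct  6 10:31:00 web01 sshd[2101]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""
FW_LOG = """\
Oct  6 09:59:50 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Oct  6 09:59:51 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Oct  6 09:59:52 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
SSH_RE = re.compile(r"(Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)")
FW_RE = re.compile(r"DROP .*SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def normalize(line, year=2017):
    """Map one raw syslog line to a common event dict; None if the line is unknown."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    host, prog, msg = m.group(2), m.group(3), m.group(4)
    if prog == "sshd" and (s := SSH_RE.search(msg)):
        outcome, user, src = s.groups()
        return {"ts": ts, "host": host, "src": src,
                "type": f"auth_{outcome.lower()}", "user": user}
    if prog == "kernel" and (f := FW_RE.search(msg)):
        src, _dst, _proto, dport = f.groups()
        return {"ts": ts, "host": host, "src": src, "type": "fw_drop", "dport": int(dport)}
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window correlation keyed on source IP (threshold/window are assumptions)."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        scan_reported = False
        for i, ev in enumerate(evs):
            # Earlier events from the same source that fall inside the window.
            recent = [e for e in evs[:i] if ev["ts"] - e["ts"] <= window]
            # Rule 1 (single source): drops on >= threshold distinct ports -> port scan.
            if ev["type"] == "fw_drop" and not scan_reported:
                ports = {e["dport"] for e in recent if e["type"] == "fw_drop"} | {ev["dport"]}
                if len(ports) >= threshold:
                    alerts.append({"rule": "port_scan", "src": src,
                                   "ports": sorted(ports), "ts": ev["ts"]})
                    scan_reported = True
            # Rule 2 (cross-source): >= threshold failed logins then a success from the
            # same IP; the firewall data tells the analyst whether a scan came first.
            if ev["type"] == "auth_accepted":
                fails = sum(1 for e in recent if e["type"] == "auth_failed")
                if fails >= threshold:
                    alerts.append({"rule": "bruteforce_success", "src": src,
                                   "host": ev["host"], "user": ev["user"],
                                   "failures": fails, "ts": ev["ts"],
                                   "preceded_by_scan": any(e["type"] == "fw_drop" for e in recent)})
    return alerts


def analyze(*raw_logs):
    """Aggregate several raw log texts, normalize them and return correlated alerts."""
    events = [ev for text in raw_logs for line in text.splitlines()
              if (ev := normalize(line)) is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in analyze(AUTH_LOG, FW_LOG):
        print(alert)
```

Run on the constructed input, the script raises one port-scan alert and one brute-force alert for 203.0.113.7, the latter flagged as preceded by the scan, while alice's single failed attempt followed by a key-based login produces nothing. Neither source alone would show that the address that probed the firewall went on to guess root's password; that joining of sources is the point of the aggregation step.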
So far we've talked about theory ...

In Italy there are several SOCs run by some of the largest ICT companies operating in the country, including those of Engineering, Italtel and Leonardo.

To better understand the usefulness of SOCs today, I put some questions to engineer Pesaresi of Engineering, to a team from Italtel and to a team from Leonardo.

Engineer Pesaresi, cyberspace has forcefully entered our lives through the daily news, and I imagine something similar is happening in organizations. How important is the cyber sector for Engineering? Why did your company feel the need to create a SOC?

Engineering: I am the business manager of the Defense and Space BU (Business Unit, editor's note) of Engineering. In the corporate vision, cyber security issues must be addressed through a multidisciplinary approach based on the unification and integration of legal, economic and technological skills, since it has now become evident that identifying effective answers to the challenges involved requires, in addition to the obvious ICT competences, a deep understanding of regulatory, domain and socio-economic impact assessments.
In these areas Engineering pays the utmost attention to cyber security, which it considers of primary importance for the protection of information stored and processed by computer systems and transmitted through networks, with the aim of ensuring the confidentiality, integrity and availability of information.
The Group's Cyber Security portfolio specializes in application security, perimeter security of IT infrastructure, security of information exchange between networks at different classification levels, and critical infrastructure security.

The Engineering Group operates through an integrated network of 4 Data Centers located in Pont-Saint-Martin, Turin, Milan and Vicenza, with a system of services and infrastructure that guarantees the best technological, quality and security standards to more than 330 customers, both national and international. In this context, in order to provide the necessary security framework for our customers' data and systems, the Pont-Saint-Martin Data Center is equipped with a state-of-the-art Security Operation Center.

Italtel too can count on a national SOC. This suggests that the cyber sector is very important, is that right?

Italtel: The digital transformation increases the surface exposed to cyber attacks, which are increasingly sophisticated. It is therefore important to provide quality solutions and services to ensure data protection, the resilience of critical infrastructures and the ability to counter advanced threats. Cyber Security is a fundamental pillar of our offering aimed at the Public Administration, companies and Service Providers, our historical area of strength. Established as a telecommunications company, Italtel has diversified its offering for several years and today is an Italian multinational in the Information & Communication Technology sector, addressing with its solutions various vertical sectors such as Public Administration, Healthcare, Defense, Finance, Energy, Industry 4.0 and Smart Cities, without neglecting Telecommunications. Italtel's SOC services were born as early as 2001 with the acquisition of SecurMatics, responding to the need to guarantee effective and continuous management of customers' security levels alongside professional network services and infrastructure management through our Network Operation Center (NOC) and Technical Assistance Center (TAC). Today the threat landscape is constantly changing, and it is therefore important to strengthen solutions and services, including managed ones, in a single line of offering aimed at public administrations, companies and service providers.

I visited Leonardo's SOC some time ago and was impressed ...

Leonardo: Leonardo guarantees the performance, continuity and information superiority of its customers' systems, as well as protecting their infrastructures and applications through targeted interventions. It also develops secure digital solutions, identifying, reducing and managing threats, vulnerabilities and risks. In this context, Leonardo is able to provide innovative solutions to counter cyber threats, increasingly pervasive and structured, which make the protection of the technological, information and intellectual assets of every organization, civil or military, an urgent need. Among the most significant achievements in the cyber security sector, Leonardo has provided NATO with a "turnkey" system for the development, implementation and support of the NATO Computer Incident Response Capability (NCIRC), which provides services to over 70,000 users in 29 countries. The ability to offer protection is also enhanced by sophisticated intelligence solutions, applicable to both open source data and heterogeneous sources, to support the needs of law enforcement and investigative agencies.

Is your SOC for internal use or for external customers? What services does your SOC provide? Which are the most requested?

Italtel: Our SOC is mainly aimed at the market, with services customized to the type of customer. Basically there are two macro groups of typical customers. Large companies, which have equipped themselves with adequate security governance and have already internalized their operational teams, but require from outside specific services or skills they are unable to cover, such as Threat Intelligence or Incident Response (IR). Medium-sized companies that, in addition to fully outsourced SOC services, also ask us to act as a partner / consultant able to carry out continuous assessments and gap analyses to raise their level of protection. Among other things, maintaining an operational SOC requires continuous investment in training and in technologies to support operations.

What is the situation at Engineering? Which are the most requested services?

Engineering: Our SOC provides services both for internal use and, above all, for our customers, who are distributed across all market areas, namely Finance, Telecommunications, Utilities, Industry and Services, as well as the Public Administration. We deliver services at various levels: high-level, governance-oriented consulting; evaluation services such as penetration testing, vulnerability assessment and ethical hacking; down to the services of a SOC proper, such as the Security Response Team, Security Infrastructure Management and DDoS protection solutions. In addition, we carry out specific projects for our customers to implement security solutions such as Identity Access Management, Strong Authentication and Mobile Device Security. Finally, we are implementing some Cyber Threat Intelligence solution projects, designed to anticipate potential cyber attacks.

Leonardo: Leonardo has created two SOCs, one in Italy and the other in the UK. The main one is in Chieti, a center of excellence in Cyber Security and Threat Intelligence, dedicated to protection from cyber threats in key reference areas (Critical Infrastructures, Large Enterprises, Public Administrations, Defense, Intelligence Agencies, National and International Institutions). The main reference assets are located at the Chieti site:
- the SOC (Security Operation Center), through which 24x7 detection and monitoring capability is guaranteed to all of Leonardo's national and international clients;
- the Computer Security Incident Response Team (CSIRT), which provides timely response to cyber attacks;
- Cyber Threat Intelligence (Open Source Intelligence based on proprietary middleware running on a High Performance Computing platform).
The Chieti Security Operations Center is today one of the most important Managed Security Service Providers (MSSPs) at the European level, in terms of the completeness of the portfolio of services delivered and of the number of clients and platforms monitored. Some significant numbers: over 50,000 logs received, aggregated and collected every second; more than 30,000 security events collected and correlated per second. The SOC manages an average of 50 security incidents a day, applying the main international reference best practices (e.g. NIST 800-xx, ENISA) to contain incidents and respond promptly to today's cyber security threats. Over 100 security experts work in Chieti, including Certified Ethical Hackers specializing in Vulnerability Assessment and Penetration Testing. Every year over 500 early warning bulletins are analyzed and sent to Customers. The site also holds several Managed Security Services certifications.

To keep a SOC operational, I imagine you have to focus on research and development. What percentage do you invest, and in which areas of cyberspace?

Engineering: Engineering believes in research and in the need to transform the potential of IT technology into growth opportunities for its customers through innovation, in continuous alignment with the evolution of technologies, processes and business models.
Engineering opened its first research lab in 1987 and today, in collaboration with companies, universities and research centers at national and international level, counts on:
- 250 researchers;
- 70 ongoing research projects;
- 6 development laboratories;
- about 30 million in annual investment in Research and Innovation.

Cybersecurity is one of the topics receiving the most research investment, especially in Europe, where Engineering is present with a lab called IS3Lab (Intelligence Systems and Social Software) that plays a leading role in major research projects funded under Horizon 2020.

Do you have collaborations with security organizations? What kind of relationship exists between your SOC and the national CERT?

Engineering: Engineering is also one of the founding members of ECSO (European Cyber Security Organisation), which brings together the main European IT security companies, and collaborates with the European institutions to establish a common strategy in cybersecurity.

Leonardo: Collaboration in this area is a critical success factor. We work with numerous international companies and technology providers to exchange information about new threats and vulnerabilities. Thanks to the capabilities recognized by the market, we are the strategic partner of many of the most important public and private organizations in Europe and beyond. This allows us to support such organizations in the design and implementation of their IT security systems, and with them we can exchange information as provided for by our contractual relations. Finally, we participate in working groups and institutional forums in Europe (e.g. ECSO) as well as in Italy and the UK.
An important partnership project has also been developed with NATO.
Leonardo and the NATO Communications and Information Agency (NCI Agency) have signed a collaboration agreement on cyber security for the purpose of sharing confidential information, to improve situational awareness and increase the protection of their respective networks and systems.
This collaboration initiative aims at sharing information on cyber threats and on the security practices to be adopted, and recognizes the importance of working with trusted industrial partners so that the Alliance can fully achieve its goals in protecting against cyber crime. Leonardo will cooperate with the NCI Agency to better understand threat patterns and the latest attack trends. This will make the application of preventive measures more effective and improve the company's capabilities in safeguarding information, thus reducing the scope for future intrusion attempts.

What is the market for IT security services like in Italy? Given the increased interest in cybersecurity, has the market grown recently?

Engineering: In Italy, the IT security market has been slow to take off, since our customers were less sensitive to this type of threat. Perhaps a major part is played by our country's technological gap: Italy is one of the least connected countries and hence intrinsically less exposed to cyber hazards. However, in recent months, perhaps due to the recent episodes of cyber attacks that have also compromised the reputation of many businesses, the issue, previously seen as a technical problem handled by CIOs / CSOs, has risen to the attention of company management, which has begun to become aware of the reputational consequences of falling victim to cyber attacks. As a result, the Italian market seems to be looking more carefully at the protection of data and business systems, and more and more customers are starting to face the problem, asking first for a risk analysis and then for the measures needed to secure their ICT infrastructures.

Leonardo: In the period 2013 - 2018 the world cyber security market grows at a compound annual growth rate (CAGR) of 10.4%, up to an expected value of €80B in 2018; the Italian market grows at a CAGR of 8.6%, to a value of approx. €2B in 2018. The Assinform 2017 report indicates growth of over 11% in the IT security market over the past year.
In the Italian context, the Government / Defense sector represents 20% of the market, while the Business cluster accounts for around 80% (of which the CNI - Critical National Infrastructure - sector accounts for more than half).

What kind of staff are employed in a SOC? What studies and specializations are required?

Engineering: Our SOCs employ IT engineers specializing in network and software security. Unfortunately, these profiles are hard to find on the market, because there are few study programs in Italy designed to train computer security engineers. To cope with this gap, we launched a series of cybersecurity specialization courses at our ICT School "Enrico Della Valle", aimed mainly at training internal staff but also open to organizations that wish to specialize their own employees.

Leonardo: We employ IT security experts and young technicians and engineers with theoretical knowledge of IT security standards and protocols and of the major security issues. We prefer personnel with a strong aptitude for resolving network and security issues, knowledge of the reference standards and best practices for the governance of ICT security and for the prevention and management of IT security incidents, and knowledge of the security issues involved in protecting networks and control and automation systems.

Why did your customers turn to you? Following cyber incidents, or to prevent problems?

Italtel: Italtel has traditionally been involved in the design and implementation of network infrastructure for global service providers, and in our experience the security element has always been a key factor in many respects. By virtue of this expertise, many customers have turned to us for Cyber Security because they had already been able to test our service quality in complex network management.

Engineering: As mentioned above, our company has been providing ICT services to public and private customers for decades through its Data Centers, and in this context it has always been a must to ensure the highest levels of logical and physical security. Many of these customers manage their own infrastructure and feel the need to improve its security levels. It was therefore almost natural that our customers, in light of our recognized capabilities, would ask us for advice on cybersecurity. More recently, however, our company has launched an initiative to promote its cybersecurity expertise across the whole market.

In your opinion, what is the most important role, if one exists, within a SOC? And if you were to address young people, inviting them to study one or more subjects, what would you suggest?

Engineering: I would say that no role is more important than the others. Cybersecurity is a multidisciplinary subject that requires versatile skills, ranging from governance to more technical matters involving the whole ICT infrastructure, from the lowest levels of the network to the highest levels of the applications.
So the only suggestion I would give a young computer engineer is to specialize in any subject related to cybersecurity, because he or she will surely find a company willing to hire them.

Italtel: If we had to identify one important figure, I would say that the SOC MANAGER is the fundamental role for the delivery of the service, able both to direct and stimulate the security analysts in the most delicate phases of managing an IT incident and to manage communications with the outside world appropriately.

Which tools are used in your SOC? Which SIEM do you use?

Engineering: Our SOC uses so-called "branded" products. However, there is a growing focus on open source, not only for economic reasons but also for "national security" needs. In fact, the trend is to seek control of the source code for this type of product as well.

From a regulatory point of view, the new "National Guidelines for Cyber Security and National Computer Security", the DPCM issued on 17 February 2017 and published in the Official Gazette, General Series no. 87 of 13 April 2017, seems to promise big changes. What do you think?

Italtel: The Gentiloni DPCM improves and optimizes the national decision-making chain in dealing with the cyber domain, the main ground of future conflicts. In addition, the cooperative and collaborative model between institutions and critical infrastructures is fundamental to address the threats that await us.

Leonardo: With the DPCM of 17/2/2017 and the forthcoming National Plan, the Department of Security Information (DIS) acquires the leading role in cyber security activities at the national level.
This role will be exercised through two structures, the first devoted to "operational" activities and the second to those of a strategic and evolutionary nature. On the operational side, a Cyber Security Unit (NSC) is set up to manage a 24-hour unit for alerting and responding to cyber crisis situations, receiving communications of violations or attempted violations from the security services, the police forces, the dedicated structures of the Ministry of Defense, and the Computer Emergency Response / Readiness Teams (CERTs).
The creation of laboratories for the national evaluation and certification of commercial ICT components destined for critical and strategic infrastructures, the development of national cryptography, and Research and Development on sovereign technologies are also planned.
Leonardo is able to provide expertise and services to support DIS's operations, specifically in the areas of Threat Intelligence and Open Source Intelligence, CERT, Cyber Range / Cyber Academy, infrastructure and application consolidation, and system "hardening".
Another interesting element is the Center for Research and Development in sovereign cyber security technologies, which is likely to be based on collaboration between the public and private sectors, creating an ecosystem in which institutions, industry and academia work together.

Engineering: Undoubtedly there was a need to give cybersecurity "governance" at the national level, and the Directive certainly goes in this direction, entrusting DIS with a central steering role. However, every effort must be made so that the approach does not treat the matter as "confidential", reserved for a few insiders, but deals with the issue with the utmost openness, involving all the players, public but above all private.

I think the overview given with the help of Italtel, Engineering and Leonardo is sufficient to illustrate the importance of SOCs and of the cybersecurity services they provide. All that remains is to thank everyone for their availability, and I hope this helps to bring a little clarity on the concept of SOC in the cyber world.
SOCs are clearly just one aspect of cyber security. Network Operation Centers (NOCs) and Infrastructure Operation Centers (IOCs), with their variants, complete the set of structures used in managing cyberspace, and I hope to have the opportunity to talk about them soon.

Alessandro Rugolo & Ciro Metaggiata

To learn more:
- http://ieeexplore.ieee.org/document/6641054/
- http://icsa.cs.up.ac.za/issa/2013/Proceedings/Full/58/58_Paper.pdf
- http://academic.research.microsoft.com/Publication/12790770/security-ope...
- https://www.slideshare.net/ahmadhagh/an-introduction-to-soc-security-ope...
- http://www.eng.it/
- http://www.leonardocompany.com/
- http://www.italtel.com/it/

(photo: Leonardo)