Designing The Next Generation Cyber Security Operations Center

Author

Elena Kvochko, Contributor

March 15, 2016

This post is written with Troels Oerting (@TroelsOerting), Group Chief Information Security and Trust Officer at Barclays, detailing the vision for the the next generation cyber security operations centers, and the need for a new approach to cyber protection, business enablement, and innovation in the industry.

The Sentient SOC to protect the ‘Internet of Me’

The threat to the users of the Internet, regardless if they are individual users or companies, is increasing in quantity and quality. The various drivers for this increase are many, but the the ease of being a cybercriminal, with an easy access to online tools and no need to travel to conduct this faceless crime, makes cybercrime almost risk-free and very profitable.

On the cyber protection side, I have noticed, that cyber security is treated mostly as a ‘tech’ problem, that can be solved by technical solutions and by balancing risks and controls. While it is already changing, this approach is still prevailing. This was also the impression I got while visiting RSA Cyber Security Conference in San Francisco. I, on the contrary, believe cyber security is a ‘business’ problem, which is amplified by the “human factor”. One would probably not hire a house-builder or a carpenter to protect the house. These experts would make sure that the basic foundations, such as walls, windows, doors and other access points are in place. But one would hire a professional to protect this house from from threats and intrusions. We have, for a long time, been focussing on the ‘bullet in the wound’, not the person holding the gun.

Cyber security is all about people, processes and technology. And in the modern Security Operations Centre it all becomes vital in order to be prepared to defend the digital assets belonging to the company, its customers, stakeholders, and staff.

At the centre of a global financial institution must be trust. Trust is a differentiator for the modern customer, and in a hyper connected world customers will need to know and demand, that their most sensitive personal information on i.e. identity, address, salary, mortgage, credit card spends, pension, travel, shopping habits are kept safe.

In the last year we have re-built our Global Information Security division in Barclays to be strategic, Intelligence-led, and future proof by implementing new capabilities and developing a new ’fusion cell’ concept being able to utilise big data, AI and machine learning. We are aiming to implement a truly strategic view for our function, have already build new and enhanced functions, including Cyber Intelligence, Insider Threat, Red Team, Hunters, Cyber Innovation, and Outreach, and, overall, are constantly adapting to meet the challenges of the present and the future.

That’s why the we are considering to establish a new SOC. The Sentient SOC.

I would like to share the vision of what operating a Sentient SOC will look like in the near future.

Advanced, adaptive and invisible analytics

At the heart of the Sentient SOC is the “Context Cloud”, as the change from Big Data is powered by the context and focus. Context, generated by analytical judgements, reference data and historical understanding is pushed into the stream enriching new data automatically. This will mean a Human-led, Machine-driven SOC with highly trained and skilled analysts at its heart. It will also be supported by the next generation technology and expanded insight. The SOC will mature and form the centre of the protection, increasingly focused on convergent analytics that will inform decision making at every level of the business. This includes providing recommendations and guidance to automated background analytics, which will create a feedback loop where priority judgement. Decision making can take place from their findings.

Analysis and response will require the ability to create inference based on machine learning, statistics and other ‘matching’ techniques. Machine generated inference will need to communicate the uncertainty around their validity to SOC staff and decision makers. Communicating uncertainty and the relative likelihood false positives will be key. Success will dependent on the 2020s SOC’s ability to harness autonomous agents that will have the ability to analyse automatically and in real-time large volumes of data. Driven by subject matter expertise and deep learning technology autonomous agents will provide ranking, promotion and pre-compute insight for the SOC of 2020.

Working at pace with the outside world, embracing change and the future

An intelligence-led approach to security will require building up of assets across the globe and specialising in different skills and techniques. Partnership will be the new unique selling proposition. Each hub will be interconnected, with shared infrastructure. Increasingly, the relationship to Government partners will change. No longer a one-way street, there will be a two-way connected exchange and collaboration on response. So too industry will recognise that by backfilling government response they can have a considerably higher impact. These hubs integrated with the geographically disparate centres of excellence will promote innovation and capability, ‘share by default’ alert to the external events and the changes in environment. This new cooperation philosophy must rest on existing or future legislation on data privacy and data protection, regulating what can be exchanged, by whom and how. This is part of trust which should also be at the centre of public and private partnership. The rules and regulations must be clear and monitored by independent governance bodies.

Agile and adaptive, anywhere, anytime

The Sentient SOC will no longer be responsible for traditional “detect” and “respond” but will live in the ‘Internet of me’, or “Internet of Everything” age. In the Internet of Everything age, the SOC will know its clients, network and employees, but will have to work at the pace of the world around “I”. The hyper connected workforce will require a connected SOC with technology deployed at pace. The Sentient SOC will not monitor, react and detect – it will deploy, predict and shape the environment around it. This will require bringing in wider skills sets from information security field to better inform the business. Removal and extension of the organisation’s perimeter will continue. The SOC will need to be able to manage security and response in a hybrid network topology, bringing in data from endpoints to inform the adaptive perimeter defences. Traditional technologies will need to integrate with emerging security management techniques for a cloud-based environment.

Sector support by a SOC of SOC’s, or a powerful shared secure platform

The Sentient SOC cannot work in isolation or in a silo amongst other silo’s. We need to improve cooperation between financial institutions and other companies holding big digital assets and we need to improve public-private-partnership. It is not enough to share outdated incomplete information with limited value. We need to share much more detailed information on how adversaries tried or succeeded in breaching us to help our colleagues either patch or change procedures. If one of the companies is hacked on Monday, a neighbour company will be hacked or DDoS’ed on Tuesday. And together we can prevent this, or make it more difficult. If we exchange detailed actionable information, we will be able to better protect our digital assets. The law enforcement will be able to make the right decisions to prioritize this type of crime, to prevent the damage and avoid ineffective use of time.

We believe an ideal solution would be to establish a regional SOC of SOC’s. The second best solution would be to develop a secure platform. This platform could be accessed by approved platform members, where they could upload indicators of compromise, malware, and other actionable information. The information would be searchable through advanced tools and utilisation of AI. It would provide advance alerts and flag selected dangerous new tools or modus. Such an entity should of course be supervised according to privacy and data protection

We need to cooperate, share by default and use new tools to enable us to resist the rapid development malware, other digital tools and techniques so we effectively can detect, prevent, and protect digital assets.

I am optimistic about the future of such initiatives. Absolute security does not exist in the physical world; neither does it exist in the virtual world. If we invest in next generation security and cooperate, we will, at least, be able to provide the same, and hopefully ‘acceptable’ level of security in both ‘worlds’.

It remains a fundamental human right to access public information, be able to use the Internet without being a victim, and having the right for privacy. And this is the strategy I am working to implement together with my colleagues in the Global Information Security Group.

This article was written by Elena Kvochko from Forbes and was legally licensed through the NewsCred publisher network.


Comment this article

Great ! Thanks for your subscription !

You will soon receive the first Content Loop Newsletter