
Cyber Intelligence Operations Center

CIOC DRAFT ….. by Bill Ross, 5 October 2013

Title: Replacing the SOC with a modernized Cyber Intelligence Operations Center (CIOC)

A paper by INFOSECFORCE
804-855-4988
[email protected]

Contents

Introduction
Purpose
The Cyber Threat Situation
The CIOC Corrective Action Plan
Description of our current SOC think
Big Data ….. what is it and what does it mean for security
  Security industry reflection on managing the BD challenge
  The IBM solution for Intelligence and Big Data
  Solution Overview
CIOC Operational description (draft)
Intelligence management cycle
FBI Intelligence Cycle
  Requirements
  Planning and Direction
  Collection
  Processing and Exploitation
  Analysis and Production
  Dissemination
Defense in Depth core function descriptions
  Predict attacks on an organization’s assets
  Prevent attacks on an organization’s assets
  Detect attacks on an organization’s assets
  Respond to attacks on an organization’s assets
A CIOC Control Framework
  SANS 20 Critical Controls
Summary
Future think Epilogue
Appendix 1 The overall summary of a SOC organization
Other interesting references

Figures and tables

Figure 1 Defines the Defense in Depth approach to enterprise security
Figure 2 SC Magazine’s report on the staggering number of data breaches in the US
Figure 3 The IBM Intelligence and Big Data reference model
Figure 4 RSA SIEM enVision reference model
Figure 5 Depicts the FBI Intelligence Management Cycle
Figure 6 Depicts the CWE overall vulnerability management framework (I love this image)
Table 1 Shows the integration of Controls, DID and Intelligence Management

Creating a Cyber Intelligence Operations Center (CIOC) and why it is needed to fight the undeclared Cyber War

Introduction

I am a retired Air Force Intelligence Officer. After the Air Force, I have had the good fortune to work at interesting jobs in the private sector in places like CSC at JP Morgan, HSBC, the Federal Reserve, Northrop Grumman, and AIG/UGC. I am highly concerned about the fractured approach in various organizations to the command and control processes and procedures needed to fight the global Cyber War as it relates to an organization’s vital information assets. I created this paper to suggest an organizational and process structure to dynamically manage the threat. If you manage a SOC or are in the business of building one, may I suggest you adopt the framework suggested below and change the name of the SOC to the CIOC. Here is my LinkedIn connection:

www.linkedin.com/pub/bill-ross/0/20b/a11

Purpose

We are fighting a global, undeclared cyber war. We are in a cyber warfare arms race between the offense and the defense, and in how we deal with cyber thugs. We are using old methods, tools and structures to fight the expanding cyber war. To modernize our approach to fighting this war, this paper will address replacing old-think SOCs with the modern Cyber Intelligence Operations Center (CIOC). The CIOC will serve as the convergence organizational structure that integrates the Department of Defense-type intelligence cycle, the organization’s defense in depth cyber battle management strategy, Big Data analytics and the organization’s control management framework. The CIOC is applicable to the private and public sectors. The CIOC is needed to:

- modernize strategy, tactics, and procedures in the security profession,
- integrate the new wave of security product intelligence and analytics inputs,
- create the new paradigm for Cyber War Fighting in the private and public sectors,
- create common frameworks for information sharing between private and public sectors,
- create an awareness of Cyber War Fighting strategy, doctrine, and tactics,
- defeat the cyber enemy through the CIOC command and control of an organization’s cyber defense in depth.

The Cyber Threat Situation

For many years I emphasized that we should not use fear, uncertainty and doubt (FUD) to achieve our organizational security objectives. My belief is that one should make a logical business case based on metrics, return on investment and expected results to acquire new staff and increase the security tool budget. I have shifted my paradigm a bit and have begun stressing the lack of cyber warfare mobilization and threat management, in the private sector in particular. Global organizations need to embrace and accept that there is an undeclared cyber war being waged against industry and government, and that we must define our private sector and government agencies’ strategy, doctrine, and tactics to fight the cyber war.

Figure 1 Defines the Defense in Depth approach to enterprise security (source: Matt Rosenquist, Intel). The figure relates the IT Strategy, the Information Security Strategy and the Defense in Depth Information Security Strategy, and defines four functions:

- Prediction: Proactive measures to identify attackers, their objectives and their methods prior to materialization of viable attacks. Enables and maximizes Prevention activities. (Predict the most likely attacks, targets, and methods.)
- Prevention: Securing the computing environment with current tools, patches, updates and best-known-methods in a timely manner. Represents the bulk of cost effective security capabilities and facilitates better Detection. (Prevents or deters attacks so no loss is experienced.)
- Detection: Visibility to key areas and activities. Effective monitoring to identify issues, breaches, and attacks. Drives immediate interdiction by Response capabilities. (Detect attacks not prevented to allow for rapid and thorough response.)
- Response: Efficient management of efforts to contain, repair, and recover as needed to return the environment to normal operations. Reduces losses by rapidly addressing issues and feeds intelligence into Prediction and Prevention areas. (Respond rapidly to security incidents to minimize losses and return to a normal state.)

Private and government sectors are, at times, being clobbered by an invisible enemy that seems to own numerous government and private networks and business applications. Information Security Teams across the globe are fighting the good fight and win and lose in this battle. Cyber war is almost the perfect terrorist structure: compartmentalized, multiple global cells dedicated to very similar goals and objectives, but with no or limited cross communication and planning. One reason they do not need this coordination is that there is a target-rich environment in which all cyber miscreants attack and achieve their goals of nation state espionage, SCADA terrorist attacks, identity theft, financial theft and so on.

Every year, thousands of articles and conferences across the globe address the tactics and procedures for meeting this challenge, and when one reads the literature and attends the meetings, one knows that the most fundamental and missing piece in orchestrating and defining a cyber security arsenal is a cohesive, risk-based methodology that defines and implements solutions to the sometimes chaotic response to threats. A primary solution to managing this cyber theater of war is to create a central organizational cyber command and control battle space management element, and that is the CIOC.

KPMG articulated the business case for greater threat awareness and the application of intelligence solutions in its excellent White Paper “Cyber threat intelligence and the lessons from law enforcement”:

“Cyber security breaches are rarely out of the media’s eye. As adversary sophistication increases, many organizations react when it is too late – the attack is underway. Few organizations have the capability to anticipate cyber threats and implement preventative strategies, despite prevention being more cost effective and customer focused.

This is not a new threat and hackers have been infiltrating sensitive government systems since the early 1990s. However, the focus on cyber security is increasing rapidly due to many high profile and highly disruptive/damaging security breaches threatening financial and physical damage across critical national and corporate infrastructures. It also appears the nature of the threat is changing. In our most recent survey, 67 percent of data loss resulted from external hacking, while the insider threat is surprisingly at an all time low.

The Information Security landscape is constantly evolving. Private and public sector organizations find it difficult to believe they could be a target for cyber attacks. This mindset needs to change – as the best offence is a good defense. At the same time, it is no longer viable to rely on defense. The determined adversary will get through eventually. As a result, organizations must know what is going on around them so that they can identify when an attack has taken place or when an attack is imminent. Intelligence and the insight that it brings is at the heart of next generation Information Security.” Source: KPMG

While KPMG does a great job defining threat intelligence, it did not discuss how to “pull it all together” in an organizational structure. The CIOC is the integration and command and control intelligence element to manage the threats and actions defined by KPMG.

I think Leon Panetta’s powerful observation on cyberwarfare punctuates the magnitude of today’s cyber threat. He equates the cyber war strategic threat to the similar problem we had with the nuclear threat of the past:

“Just as nuclear was the strategic warfare of the industrial era, cyberwarfare has become the strategic war of the information era,” says U.S. Secretary of Defense Leon Panetta. Cyberespionage and cybersabotage are already a reality. Outside the realm of states and their proxies, corporate spies are using increasingly advanced techniques to steal company secrets or customer data for profit. Hacktivists with political and anti-business agendas are also busy. The string of media revelations about security breaches this year suggests that the business world is just as vulnerable to attack as ever.”

Source: SYMANTEC 2013 threat report and Aviation Week & Space Technology, October 22, 2012, 82

I had considered inserting a detailed, comprehensive summary of the cyber threat. However, I could do no better job than Symantec did in its excellent 2013 threat report, seen at the link below.

Source: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf

Symantec summarized the threat landscape in the executive summary of its 2013 Threat Report:

“Threats to online security have grown and evolved considerably in 2012. From the threats of cyberespionage and industrial espionage to the widespread, chronic problems of malware and phishing, we have seen constant innovation from malware authors. We have also seen an expansion of traditional threats into new forums. In particular, social media and mobile devices have come under increasing attack in 2012, even as spam and phishing attacks via traditional routes have fallen. Online criminals are following users onto these new platforms.”

INFOSECFORCE’s perspective is that the threat is pervasive, highly intelligent, omnipotent, and sometimes incomprehensible in such areas as the success of the Advanced Persistent Threat (APT) and the advancement of SCADA attacks. The threat pervades almost every part of an organization’s processes, its applications, infrastructure, people, access control management, and almost every layer of the OSI stack.

One core graphic from SC Magazine’s excellent monthly threat report summarizes one of the most critical data management failures, the staggering number of data breaches since 2005.

Figure 2 SC Magazine’s report on the staggering number of data breaches in the US (source: SC Magazine, September 2013)

I recently spoke with a highly respected CISO who said to me, “Bill, I just cannot keep up, as there is just too much out there anymore to keep track of it all”. How do we deal with his concerns?

The CIOC Corrective Action Plan

To fight the Cyber War at the grassroots level, every major corporation should create a Cyber Intelligence Operations Center (CIOC) to replace the older model SOC. CIOCs will truly produce finished intelligence from the raw data our systems are collecting. Even when the data is correlated to a degree in the SIEM, a human still needs to derive the intelligence from the data reported as it relates to the organization’s integrated defense in depth program: prediction, prevention, detection, and response. Figure 1 depicts an integrated DID.

The situation is this:

Many security companies now say they can provide intelligence services and create intelligence information. Some can do so more than others. Likewise, they tout that they operate in the "Big Data" space, but they really do not yet, as we, as an industry, are still maturing our processes and doctrine to operate in this space. When I have discussed with vendors the process by which they turn data into intelligence, they do not really understand the art of building the intelligence process, tactics, techniques, procedures, and strategies for a CIOC-like intelligence function, or of developing the corporate intelligence requirements needed to fight the ongoing Cyber War. They are rapidly learning how to do so.

When creating a CIOC, a primary requirement should be that, at all costs, it is collocated physically or virtually with the network operations center (NOC). It never made sense to me when I would see separated SOCs and NOCs. The best model for responding to a threat and incident is to have shared resources and information to understand the possible initial indications and warnings (I&W) that an attack or compromise could happen, is happening, or has happened. Some organizations do co-locate the SOC and NOC in what is called an NSOC.

The short narration below, from a Wikipedia reference, defines the old-think approach to managing the cyber threat environment in a SOC. For more information on a SOC’s structure and organization, refer to Appendix 1.

Description of our current SOC think

SOC Objective

“A SOC is the people, processes and technologies involved in providing situational awareness through the detection, containment, and remediation of IT threats. A SOC manages incidents for the enterprise, ensuring they are properly identified, analyzed, communicated, actioned/defended, investigated and reported. The SOC also monitors applications to identify a possible cyber-attack or intrusion (event) and determine if it is a real, malicious threat (incident), and if it could have a business impact.”

NOTE: The above is a good summary of what a mature SOC should have done as our model deployed. The fundamental energy missing from the description is that we have moved past mere “situational” awareness: we are “now playing with live ammo”, and the cyber war threat situation requires a real time battle management function that is connected in real time to the variety of threats and the time-space warp in which they occur. There must be an organizational, dynamic intelligence process, using the core functions of the intelligence management cycle described below, that feeds the CIOC battle management requirements.

Given the magnitude of the global threat environment, the SOC must migrate to the CIOC model. The CIOC model is defined below, but we must first examine the impact of Big Data and Security Intelligence on our current operational state.

Big Data ….. what is it and what does it mean for security

While this paper will not address how to secure “Big Data” (BD) and data warehouses (a topic for another paper), we must reflect on the impact of BD in relation to cyber attacks and to intelligence collection and processing, and on the fact that BD is creating numerous new vectors from which a threat can explode and where risks, vulnerabilities and exposures can reside.

It seems the term “big data” is everywhere in business and technical writings. BD is the new target-rich environment that we need to protect. In the simplest reflection of what BD is, it is the aggregation and business use of far more data than we have ever had before, in far more places than it has ever been before. The exponential growth of BD means that security professionals have a far more complex problem in performing our primary mission of protecting the corporation’s assets. Likewise, given the magnitude of the data storage and use by numerous businesses within an organization, how do we now secure this data?

Firstly, I would create a new role called the Data Security Manager (DSM) and embed the DSM in the CIOC. The DSM would know all aspects of how the organization uses data and where it resides, define the data security strategy, and be familiar with all data usage tools, such as data analytics, Hadoop, Cognos, and the native database security functions of SQL and Oracle and the like.

Secondly, I would modernize my security architecture and organizational structure in the CIOC to manage the fluid and dynamic nature of our “Data World”.

Security industry reflection on managing the BD challenge

While this paper is not designed to endorse certain products and services, we do recognize the extensive work that our security colleagues have done in the areas of Cyber Intelligence and BD. We will quote some industry leaders in the paragraphs below.

NOTE: Our paper is designed to suggest how and where to manage the Cyber Threat in the CIOC. The point to take away from this section is how security professionals should think about the BD challenge as it relates to developing your Cyber Intelligence Collection Plan and your Defense in Depth Programs within your organization’s Control Objective Framework.

With that in mind, let’s look at some of the writings about BD from IBM and RSA/EMC.

The IBM solution for Intelligence and Big Data

“IBM Security Intelligence with Big Data provides exceptional threat and risk detection, combining deep security expertise with analytical insights on a massive scale. For forward-leaning organizations seeking advanced insight into security risks, the IBM solution – including IBM QRadar Security Intelligence Platform and IBM Big Data Platform – provides a comprehensive, integrated approach that combines real-time correlation for continuous insight, custom analytics across massive structured and unstructured data, and forensic capabilities for irrefutable evidence. The combination can help you address advanced persistent threats, fraud and insider threats.

The IBM solution is designed to answer questions you could never ask before, by widening the scope and scale of investigation. You can now analyze a greater variety of data – such as DNS transactions, emails, documents, social media data, full packet capture data and business process data – over years of activity. By analyzing structured, enriched security data alongside unstructured data from across the enterprise, the IBM solution helps find malicious activity hidden deep in the masses of an organization’s data.

IBM Security intelligence:

Security intelligence is the continuous real-time collection, normalization and analysis of data generated by users, applications and infrastructure. It integrates functions that have typically been segregated in first-generation security information and event management (SIEM) solutions, including log management, security event correlation and network activity monitoring. Data collection and analysis goes well beyond traditional SIEM, with support for not only logs and events, but also network flows, user identities and activity, asset profiles and configurations, system and application vulnerabilities, and external threat intelligence within the single warehouse.

Solution Overview

IBM Security Intelligence with Big Data combines the real-time security visibility of the IBM QRadar Security Intelligence Platform with the custom analytics of the IBM Big Data Platform. QRadar performs real-time correlation, anomaly detection and reporting for immediate threat detection, and also sends enriched security data to IBM big data products, such as IBM InfoSphere BigInsights.

IBM big data products analyze enriched security information from QRadar along with vast amounts of data from unstructured and semi-structured sources, accommodating both the variety and volume of data needed for advanced security and risk use cases. Information is subsequently fed back to QRadar, providing a facility for closed-loop, continuous learning.

The result is an integrated, intelligent solution that collects, monitors, analyzes, explores and reports on security and enterprise data in ways previously not possible. And the solution is designed so you can start with any product in the IBM solution and add complementary capabilities as your needs evolve.

Key capabilities include:

- Real-time correlation and anomaly detection of diverse security data
- High-speed querying of security intelligence data
- Flexible big data analytics across structured and unstructured data – including security data; email, document and social media content; full packet capture data; business process data; and other information
- Graphical front-end tool for visualizing and exploring big data
- Forensics for deep visibility”

Figure 3 The IBM Intelligence and Big Data reference model

Source: http://www-03.ibm.com/security/solution/intelligence-big-data/
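The SOC objective quoted earlier separates an event (a possible intrusion) from an incident (a confirmed, malicious threat), and the IBM text above describes security intelligence as normalizing many sources and then adding asset, vulnerability and threat-intelligence context that a first-generation SIEM does not hold. The Python below is an added example of that pipeline in miniature; it is not part of this paper and not IBM's, RSA's or any vendor's code. The three log formats, the asset table, the indicator feed, the field names and the scoring weights are all constructed for the example and are not any product's schema.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry from three sources (a netfilter-style firewall
# syslog line, JSON authentication records, a BIND-style DNS query log); not real captures.
RAW_LOGS = [
    "<134>Oct  5 09:00:01 fw01 kernel: ACCEPT SRC=203.0.113.7 DST=10.0.5.20 DPT=443",
    '{"ts":"2013-10-05T09:00:05Z","host":"10.0.5.20","user":"jdoe","outcome":"failure","src":"203.0.113.7"}',
    '{"ts":"2013-10-05T09:00:09Z","host":"10.0.5.20","user":"jdoe","outcome":"failure","src":"203.0.113.7"}',
    '{"ts":"2013-10-05T09:00:14Z","host":"10.0.5.20","user":"jdoe","outcome":"success","src":"203.0.113.7"}',
    "05-Oct-2013 09:01:00.000 client 10.0.5.20#5353: query: updates.example.net IN A",
    "<134>Oct  5 09:02:00 fw01 kernel: ACCEPT SRC=198.51.100.9 DST=10.0.7.3 DPT=80",
    '{"ts":"2013-10-05T09:02:03Z","host":"10.0.7.3","user":"asmith","outcome":"success","src":"198.51.100.9"}',
]
# Context a first-generation SIEM does not hold: asset profile with patch state
# and an external indicator feed (both constructed, hypothetical values).
ASSETS = {
    "10.0.5.20": {"name": "vpn-portal", "criticality": "high", "patch_overdue": True},
    "10.0.7.3": {"name": "intranet-wiki", "criticality": "low", "patch_overdue": False},
}
INDICATORS = {"203.0.113.7": "credential-stuffing source (constructed feed)"}
SYSLOG_YEAR = 2013  # syslog lines carry no year; assumed for the example

FW_RE = re.compile(r"^<\d+>(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (ACCEPT|DROP) "
                   r"SRC=(\S+) DST=(\S+) DPT=(\d+)")
DNS_RE = re.compile(r"^(\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ client (\S+)#\d+: query: (\S+) IN")


def normalize(line):
    """Map one raw line from any of the three sources onto a common schema."""
    m = FW_RE.match(line)
    if m:
        stamp = " ".join(m.group(1).split())  # collapse the "Oct  5" padding
        ts = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "type": "flow", "src": m.group(3), "dst": m.group(4),
                "action": m.group(2).lower(), "dport": int(m.group(5))}
    m = DNS_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
        return {"ts": ts, "type": "dns", "src": m.group(2), "dst": None, "query": m.group(3)}
    if line.startswith("{"):
        d = json.loads(line)
        ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "type": "auth", "src": d["src"], "dst": d["host"],
                "user": d["user"], "outcome": d["outcome"]}
    return None  # unknown format: keep raw for forensics, not correlated here


def correlate(events, window_seconds=60, fail_threshold=2):
    """Group events by source, apply a correlation rule, then enrich with
    context. Returns (incidents, events that stay mere events)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents, leftover = [], []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        auths = [e for e in evs if e["type"] == "auth"]
        hit = None
        # Rule: >= fail_threshold failures then a success, same user, inside the window.
        for i, e in enumerate(auths):
            if e["outcome"] != "success":
                continue
            fails = [a for a in auths[:i] if a["user"] == e["user"]
                     and a["outcome"] == "failure"
                     and (e["ts"] - a["ts"]).total_seconds() <= window_seconds]
            if len(fails) >= fail_threshold:
                hit = e
                reasons = [f"{len(fails)} failed logins then success for {e['user']} on {e['dst']}"]
                break
        if hit is None:
            leftover.extend(evs)  # an event, not (yet) an incident
            continue
        score, target = 3, hit["dst"]
        # Enrichment: the raw events only become intelligence with this context.
        if src in INDICATORS:
            reasons.append(f"source on indicator feed: {INDICATORS[src]}")
            score += 3
        asset = ASSETS.get(target, {})
        if asset.get("criticality") == "high":
            reasons.append(f"target {asset['name']} is high criticality")
            score += 2
        if asset.get("patch_overdue"):
            reasons.append(f"target {asset['name']} has overdue patches")
            score += 1
        # Follow-on activity from the target after the successful login.
        if any(e["type"] == "dns" and e["src"] == target and e["ts"] > hit["ts"] for e in events):
            reasons.append(f"{target} made DNS queries after the login")
            score += 1
        severity = "high" if score >= 8 else "medium" if score >= 5 else "low"
        incidents.append({"src": src, "target": target, "score": score,
                          "severity": severity, "reasons": reasons})
    return incidents, leftover


def triage(lines):
    """Normalize raw lines, drop the unparseable ones, and correlate the rest."""
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    return correlate(events)
```

Running `triage(RAW_LOGS)` promotes the 203.0.113.7 activity to one high-severity incident with five stated reasons (the rule match plus four pieces of context) and leaves the 198.51.100.9 login and the DNS query as unpromoted events. The point for the CIOC is the `reasons` list: the correlation rule alone is what a SIEM already does; the indicator feed, asset criticality, patch state and follow-on activity are the intelligence that an analyst (or the collection plan) has to supply and maintain.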

Please see an excellent security analytics and intelligence brief by Anand Ranganathan, IBM T.J. Watson Research Center, at this link:

http://www.slideshare.net/SwissHUG/big-data-for-cybersecurity

INFOSECFORCE Comment: Similar to KPMG, IBM does not suggest an organizational structure like a CIOC to manage all of its new product output.

EMC/RSA enVision and Art Coviello’s dead-on speech

This section reflects the RSA/EMC methodology for SIEMs in the era of security analytics, big data, and cyber intelligence requirements. IBM and RSA have similar and mature reflections on Security Intelligence. It seems IBM is tuned to the BD intelligence and analytics focus, while RSA/EMC is more tuned to the actual SIEM operations space. If I were a rich man, I would integrate the two solutions.

There are numerous other SIEMs out there, like the famous Splunk and one of my favorites, LogRhythm. However, I really like the deep and advanced thinking that Art Coviello, executive chairman of RSA, has given to the convergence of BD, Intelligence, and Analytics, and thus have included enVision as an example of what you can build your CIOC methodology around. Art’s vision is included at the end of this section, after the enVision product description.

“The RSA® enVision® platform provides a centralized log management service that enables organizations to simplify their compliance programs and optimize their security incident management. The RSA enVision solution facilitates the automated collection, analysis, alerting, auditing, reporting, and secure storage of all logs. Organizations can simplify compliance by using regulation-specific, out-of-the-box reports, alerts and correlation rules. Reports can be scheduled to be delivered at a specific time or run on an ad-hoc basis. Alerts can be delivered through the intuitive user interface, via SMS, or email. Administrators don’t have to be glued to the interface at all times. Auditors can even be granted read-only access to the enVision platform so that they can access the reports whenever they need them.

Security incident management is optimized by using the purpose-built incident management tool within the enVision platform. Incidents can be identified, tagged with evidence, and passed along through the organization’s ticketing system. The RSA enVision platform is also integrated with RSA Archer™ eGRC, enabling business context to be applied to each incident. Business context means relating incidents to larger business objectives.”

Source: http://www.emc.com/collateral/data-sheet/9245-h9037-3in1-ds.pdf

Figure 4 RSA SIEM enVision reference model

Source: http://virtualization.info/en/news/2010/10/hytrust-partners-with-rsa.html

“ The traditional cyber security model has become almost useless as a result of the massive

proliferation of smart phones, Web-based apps, social networks, and Internet-connected

machines. But just as the new world of BD provides cover for cyber attackers, big data is also

the only answer for devising a next-gen security system that can cope with emerging threats “,

RSA executive chairman Art Coviello said at a conference last week.

Speaking at the Third Annual International Cybersecurity Conference in Tel Aviv, Israel, Coviello

highlighted how today's approach to information security is losing effectiveness, and laid out

Page 15: Cyber Intelligence Operations Center

CIOC DRAFT ….. by Bill Ross, 5 October 2013

plans for a new "intelligence driven" approach that can spot the signal in the noise, and cope

with the rapid fire growth of technology.

"In the first two decades of the new millennia, we'll have gone from a cyber attack surface that

has just a few points of egress and ingress through a controlled firewall perimeter, to almost

infinity, when you think of the impact of mobility, web apps, big data, social media, and the

Internet of things," Coviello said in a video of the speech.

"Already in 2013, we're in a hyperconnected world that has facilitated access and productivity

for all of us, but with unintended consequence of doing the same for our adversaries," he said.

"And if all that weren't enough, it's getting easier and easier with the advent of social media for

our adversaries, to trick, spoof, and assume our digital personas."

Coviello recommends that organizations stop spending up to 80 percent of their security

budgets on building perimeter defenses that have steadily been losing effectiveness against

attacks from rouge states, "hactivists," and cyber criminals. Instead, organizations ought to

prepare for the transition to intelligence-driven systems that have big data at their hearts.

This new system, which Coviello also discussed at the RSA conference earlier this year, will be

characterized by the use of "dynamic and agile controls" on the perimeter and a central

management system "that has the ability to analyze vast streams of data from numerous

sources to produce actionable information."

The central security management system "must be able to gain full visibility into all data--

unstructured, structured, internal, and external. The underlying big data architectures will be

scalable enough such that all data will be analyzed, no matter how expansive or fast changing,"

he said.

"As a result, organizations will be able to build a mosaic of specific information about digital

assets, users, and infrastructures… and correlate abnormal behavior in people and in the flow

and use of data," Coviello said. "The management system must be well integrated with GRC

[governance, risk, and compliance] systems and specific tools, so that we can detect those

attacks early or even in advance, and then trigger automated defenses, such as blocking

network traffic, quarantining systems, and requiring additional identity verification."

The access controls will also be smart in the new big data-driven security world. "They will also have the capacity to be self learning," he said. "They will be able to inform or be informed by other controls. They'll be able to feed or receive intelligence from security management systems, and report to and receive instructions from GRC systems. Armed with a thorough understanding of risk at the outset, this big data oriented management and control environment completes a vision of intelligent driven security."

Such a big data-driven security system will be able to "find the hidden patterns, the unexpected

correlation, the surprising connections" between data points in the wild, he said. "It's about

analyzing vast and complex data sets at high speed, which in our case will allow us to spot the

fake signal of an attack. Because at some point, no matter how clever the attacker, they must

do something anomalous."

Today, the most a cyber attacker can expect to achieve is to disrupt an organization's activities,

such as through a denial of service attack. But thanks to the proliferation of big data and greater

sophistication and coordination on the part of attackers, destructive attacks executed solely

through the Internet will soon become the norm, Coviello said.

"Despite the hype, destructive attacks are still next to impossible to carry out solely through the

Internet without manual intervention," he said. "But as we transition to IPV6 and create the

Internet of things, IP enabling more and more elements of our physical infrastructure, attacks on

digital systems that result in physical destruction will become a reality--a chilling, sobering

thought."

There must be a sense of urgency among stakeholders to deal with the "ongoing expansion of

the attack surface and the escalation of the threat environment," he said. "The only way to reach

and maintain the appropriate level of understanding is through knowledge," he said. "From a

much higher level of collaboration between public, private, and vendor organizations, knowledge

will replace fear with confidence, knowledge will guide our actions."

Source: http://www.datanami.com/datanami/2013-07-03/big_data_at_the_heart_of_a_new_cyber_security_model.html

INFOSECFORCE comment: Similar to IBM and KPMG, RSA/EMC did not suggest a specific new type of organization to manage the new security intelligence demand, although Art did make references to the new “central security management system”. I propose that the new management system is the CIOC and that its strategy, tactics, and procedures meet his goal of a central security management system.


CIOC Operational description (draft)

The CIOC is the private or public sector dynamic cyber battle management operations center for managing an organization’s defense in depth and intelligence collection strategies to predict, prevent, detect, and respond to all forms of cyber security threats against an organization’s vital human, information, production, and infrastructure assets. These demands are detailed above. The CIOC operates within the organization’s defined control management framework. The 24 X 7 CIOC is led by the chief security operations officer (CSOO) and includes a highly skilled and trained cyber security staff. As much as possible, the CSOO should hire prior military personnel with cyber war fighting experience.

The CIOC is the center for managing the security of an organization’s data wherever sensitive data may reside: data centers, the cloud, big data storage, endpoints, customer sites, outsourced sites, BYOD, partner sites, etc. The CIOC processes large amounts of data from a variety of information sources that include but are not limited to the Security Information and Event Management (SIEM) tool. The CIOC will consume data from a host of other information sources, including major sources such as big data and business intelligence tools and ERP tools (PeopleSoft, SAP, etc.), and will turn that data into actionable intelligence.

Based on the organization’s intelligence collection plan, the CIOC will produce actionable intelligence that will not only influence the complete cyber security span of control but will also provide another form of business intelligence that the CEO can use for profit and loss decisions based on cyber risk-based analyses.

The CIOC should have real-time NOC information feeds to quickly correlate network anomalies with possible security events.

Intelligence management cycle

DoD and government agencies have historically used the intelligence collection cycle model to drive and frame their intelligence collection plans in peacetime and wartime. The private sector can and should use this simple but powerful framework to drive its security intelligence operations from the CIOC.

I have adopted the FBI’s intelligence cycle against which to model a possible private sector

intelligence collection plan.


FBI Intelligence Cycle

Figure 5 Depicts the FBI Intelligence Management Cycle

Source: http://www.fbi.gov/about-us/intelligence/intelligence-cycle

The CISO and the CSOO must use the Intelligence Cycle to manage their information collection process and intelligence collection cycle to support the below tenets of the organization’s Defense in Depth Strategy.

NOTE: The below definitions are extracted from the FBI Intelligence Cycle. I have modified the instructions to align the FBI Intelligence Cycle to the CIOC requirements. If you want to see the original FBI writings, please go to the above FBI web site.

“Requirements are identified information needs—what we must know to safeguard the organization. Intelligence requirements are established by the CISO according to guidance received from the CIO. Requirements are developed based on critical information required to protect the organization from national security and criminal threats. The security team and technical team managers participate in the formulation of organizational intelligence requirements.

Planning and Direction is management of the entire effort, from identifying the need for information to delivering an intelligence product to a consumer. It involves implementation plans to satisfy requirements levied on the organization, as well as identifying specific collection requirements based on the organization’s needs. Planning and direction is also responsive to the end of the cycle, because current and finished intelligence, which supports decision-making, generates new requirements. The director for the security operations and DSOO Branch leads intelligence planning.

Collection is the gathering of raw information based on requirements. Activities such as security product technical means, interviews, technical reconnaissance, human source operations, and liaison relationships result in the collection of intelligence.

Processing and Exploitation involves converting the vast amount of information collected into a form usable by analysts. This is done through a variety of methods including decryption, language translation, and data reduction. Processing includes the entering of raw data into databases where it can be exploited for use in the analysis process. The above IBM and RSA models support this area.

Analysis and Production is the conversion of raw information into intelligence at the CIOC. It includes integrating, evaluating, and analyzing available data, and preparing intelligence products. The information’s reliability, validity, and relevance are evaluated and weighed. The information is logically integrated, put in context, and used to produce intelligence. This includes both "raw" and finished intelligence. Raw intelligence is often referred to as "the dots"—individual pieces of information disseminated individually. Finished intelligence reports "connect the dots" by putting information in context and drawing conclusions about its implications.

Dissemination—the last step—is the distribution of raw or finished intelligence to the consumers whose needs initiated the intelligence requirements. The FBI disseminates information in three standard formats: Intelligence Information Reports (IIRs), FBI Intelligence Bulletins, and FBI Intelligence Assessments. FBI intelligence products are provided daily to the attorney general, the president, and to customers throughout the FBI and in other agencies. These FBI intelligence customers make decisions—operational, strategic, and policy—based on the information. These decisions may lead to the levying of more requirements, thus continuing the FBI intelligence cycle.”

INFOSECFORCE comment: I purposely left the “dissemination” section intact, as I recommend that, similar to the FBI approach, each organization create the intelligence reports that its customers need. Be creative and responsive to all your customers and to the need to protect the organization’s vital assets!!!

Defense in Depth core function descriptions

More specifically, as mentioned above, the CIOC is the cyber battle management function that manages the multiple attack vectors against an organization’s vital assets through the CIOC management of the organization’s DID posture. Specific actions and behaviors required for the defense in depth concept and its functional management include:

Predict attacks on an organization’s assets

Serious consideration of the results of the ongoing intelligence reports generated by the CIOC intelligence analysis and reporting team.

Analysis of internal vulnerabilities, risks, and exposures, and the likelihood that specific exposures can be realized against the organization due to unmitigated exposures.

Review SIEM and all other awareness dashboards that you might have at least twice a day.

Constant analysis of the types of attacks that happen every day against the organization that might provide indications and warnings (I&W) of site enumeration.

The introduction of new technologies that could cause a disruption of current processes and procedures. Cloud adoption could be considered a disruptive technology that could present new, unmitigated exposures.

High vigilance to Cyber Open Source Intelligence (COSI) information and intelligence sources, including information security magazines, blogs, and threat reports.

Get feedback from other teams like network engineering on possible indications and warnings you can integrate into your prediction strategy.

Membership in core information sharing organizations like FS-ISAC.

Membership in InfraGard and similar organizations.

Relationships with local law enforcement.
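The I&W item above asks for constant analysis of everyday attack traffic for signs of site enumeration. The following is an added example, not part of the paper or any vendor product: it reads constructed firewall deny log lines in an assumed "<time> DENY <src> <dst> <port>" format and flags a source that probes many ports on one host or one port across many hosts inside a short window, the two simplest enumeration signatures a CIOC analyst would want surfaced before anything further happens.

```python
"""Indications and warnings (I&W) of site enumeration from firewall deny logs.

Added example for the CIOC "Predict" tenet; it is not the paper's own tooling.
Assumed log format (constructed for this example, not a vendor format):
    <ISO-8601 time> DENY <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Return (time, src, dst, port) for a DENY line, or None if unparseable."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "DENY":
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[2], parts[3], int(parts[4])
    except ValueError:
        return None


def detect_enumeration(log_text, window=timedelta(minutes=5),
                       port_threshold=10, host_threshold=10):
    """Map each suspicious source to {(kind, target): count}.

    kind is "port_scan" (many distinct ports on one destination host) or
    "host_sweep" (one destination port across many hosts); count is the
    largest number of distinct ports/hosts seen inside any single window.
    The window and thresholds are assumptions to tune per environment.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, port = parsed
            by_src[src].append((ts, dst, port))

    findings = {}
    for src, events in by_src.items():
        events.sort()  # chronological; tuples sort on the timestamp first
        indicators = {}
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            ports_by_dst = defaultdict(set)
            dsts_by_port = defaultdict(set)
            for _, dst, port in events[start:end + 1]:
                ports_by_dst[dst].add(port)
                dsts_by_port[port].add(dst)
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold:
                    key = ("port_scan", dst)
                    indicators[key] = max(indicators.get(key, 0), len(ports))
            for port, dsts in dsts_by_port.items():
                if len(dsts) >= host_threshold:
                    key = ("host_sweep", port)
                    indicators[key] = max(indicators.get(key, 0), len(dsts))
        if indicators:
            findings[src] = indicators
    return findings


def constructed_log():
    """Build a constructed sample log: two noisy sources and one benign one."""
    base = datetime(2013, 10, 5, 2, 0, 0)
    lines = []
    # 203.0.113.7 probes 12 ports on one host within 12 seconds: a port scan
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        stamp = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{stamp} DENY 203.0.113.7 198.51.100.10 {port}")
    # 203.0.113.9 tries port 445 on 11 different hosts: a host sweep
    for i in range(11):
        stamp = (base + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{stamp} DENY 203.0.113.9 198.51.100.{20 + i} 445")
    # 192.0.2.5 is denied three times on 443 over three minutes: below threshold
    for i in range(3):
        stamp = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{stamp} DENY 192.0.2.5 198.51.100.10 443")
    lines.append("2013-10-05T02:05:00 ALLOW 192.0.2.5 198.51.100.10 443")
    lines.append("malformed line the parser must skip")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, indicators in detect_enumeration(constructed_log()).items():
        for (kind, target), count in sorted(indicators.items()):
            print(f"I&W {kind}: {src} -> {target} ({count} distinct)")
```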

Prevent attacks on an organization’s assets

Define and build a state-of-the-art security architecture that is aligned with the organization’s risk profile.

Build excellent security architecture documents.

Tune all tools such as firewalls, access control functions, and logging and alerting systems for maximum efficiency, and regularly test them.

Write processes and procedures for all major activities such as patch management, vulnerability management, intelligence development, incident response, etc.

Ensure that security is aggressively built into the enterprise architecture and requirements documents.

Base security management on IT governance such as ITIL.

Define security standards and policies.

Ensure the basic security blocking and tackling is done before implementing advanced tools and procedures.

Use change control for all things that could affect the IT environment.

Harden all platforms and applications against attack.

Select a control framework such as the SANS Top 20, FISMA, NIST 800-53, or the ISO 27000 series.

Implement a superb patch management process that sets the metric for current patch status at 95 per cent for all platforms, endpoints, databases, applications, network devices, etc.

Strictly limit administrative access and manage it with privilege management tools.

Monitor access in real time.

Implement robust data loss prevention (DLP) plans for data at rest and in transit.

Implement a robust secure software development program.

100 per cent compliance with government regulations and business compliance requirements like PCI.

Conduct regular internal scans and pen tests using any of the host of vulnerability assessment tools for platform and application exposures.

Implement an ongoing security training program, not one given only once a year.

Invest in training the security staff.

Build robust security metrics, briefed by the CIOC CSOO once a month to C-level executives and once a quarter to board-level executives.

Lead your staff and all organization personnel in data protection.
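The patch-status and security-metrics items above set a 95 per cent currency target that the CSOO briefs to executives. The following added example, not the paper's own tooling, rolls a constructed asset inventory up into per-class patch currency against that target; the inventory shape and the rule for "current" (no missing patch older than a 30-day grace period) are assumptions of this example.

```python
"""Patch-currency metric per asset class against a 95 per cent target.

Added example for the CIOC "Prevent" metrics; not the paper's own tooling.
Assumptions (this example's, not the paper's): each inventory row is
(hostname, asset_class, [age in days of each missing patch, ...]) and a host
is "current" when none of its missing patches is older than GRACE_DAYS.
"""
GRACE_DAYS = 30      # assumed grace period before a missing patch counts
TARGET_PCT = 95.0    # the paper's metric: 95 per cent current per class

# Constructed sample inventory, not real asset data
INVENTORY = [
    ("web01", "platform", []),
    ("web02", "platform", [3]),
    ("web03", "platform", [12, 2]),
    ("app01", "application", []),
    ("app02", "application", [41]),
    ("db01", "database", []),
    ("db02", "database", [45, 7]),
    ("fw01", "network device", []),
    ("sw01", "network device", []),
    ("pc01", "endpoint", [31]),   # one day past the grace period
]
# 19 fully patched endpoints, so the endpoint class lands exactly on 95.0%
INVENTORY += [(f"pc{i:02d}", "endpoint", []) for i in range(2, 21)]


def is_current(missing_patch_ages, grace_days=GRACE_DAYS):
    """A host is current when every missing patch is still inside the grace period."""
    return all(age <= grace_days for age in missing_patch_ages)


def patch_status(inventory, target_pct=TARGET_PCT, grace_days=GRACE_DAYS):
    """Return {asset_class: {"current", "total", "pct", "meets_target"}} plus "ALL"."""
    counts = {}
    for _host, asset_class, ages in inventory:
        row = counts.setdefault(asset_class, {"current": 0, "total": 0})
        row["total"] += 1
        if is_current(ages, grace_days):
            row["current"] += 1
    # overall figure across every class, computed before it is added
    overall_current = sum(r["current"] for r in counts.values())
    overall_total = sum(r["total"] for r in counts.values())
    counts["ALL"] = {"current": overall_current, "total": overall_total}
    for row in counts.values():
        pct = 100.0 * row["current"] / row["total"] if row["total"] else 0.0
        row["pct"] = round(pct, 1)
        row["meets_target"] = row["pct"] >= target_pct
    return counts


def classes_below_target(report):
    """Sorted asset classes (excluding the overall line) that miss the target."""
    return sorted(k for k, row in report.items()
                  if k != "ALL" and not row["meets_target"])


if __name__ == "__main__":
    report = patch_status(INVENTORY)
    for asset_class, row in report.items():
        flag = "OK " if row["meets_target"] else "LOW"
        print(f"{flag} {asset_class:15s} {row['current']:3d}/{row['total']:<3d} {row['pct']:5.1f}%")
    print("below target:", ", ".join(classes_below_target(report)) or "none")
```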

Detect attacks on an organization’s assets

Prevent incidents from happening in the first place.

Ensure a 24 X 7 detection capability is available.

Deploy the best state-of-the-art static and dynamic detection tools that your organization can fund.

Define real-time detection processes.

Ensure employees are aware of how to report suspicious endpoint, platform, and network intrusions.

Extend detection to all BYOD and external systems.

Manage threat detection in all cloud-based services.

Define SLAs for responding to threats.

Determine which security systems should be in your DR and BC planning.

Ensure you have managed out as many false positives and false negatives as possible.

Use the CWE tools (http://cwe.mitre.org/) whenever possible. CWE is tuned to application security, but it is an excellent, if complex, framework.

Figure 6 Depicts the CWE overall vulnerability management framework (I love this image)

Source: http://cwe.mitre.org/

Respond to attacks on an organization’s assets

Determine what the company’s appetite for incident response is. Is it willing to accept automated shutdown of business processes and network segments?

Determine if you want to hire a DDoS threat mitigation service like Prolexic.

Create and practice a detailed incident response process.

Define response thresholds based on the attack areas and their magnitude.

Ensure global partners and external business customers are aware of incident response processes.

Define an escalation process.

Conduct table top exercises to train the entire staff on incident response and cyber crisis management.

Contract with an external forensics investigator.

Ensure two incident management lines are established, one for executives and one for those doing the work to manage and terminate the incident.

Develop and train on the RACI chart for incident management. Platform security incidents could possibly be managed by the platform manager.

Train internal staff for forensics investigations and buy tools like EnCase.

Conduct prior planning with all technical and C-level staff.

Know the obligations and response procedures under laws concerning a data breach. Let legal and marketing work the customer notification obligations.

Ensure the incident response team is aware of all threat intelligence generated by the SOC.

Ensure systems are configured to respond to attacks: is your IPS set to deny attacks?

Oversee and be aware of all preventive measures that should prevent incidents from happening in the first place.

Ensure that you have proper incident close-out processes.

A CIOC Control Framework

Building a CIOC and making it an organizational cyber battle management function is as much an art form as building the CIOC function and team. One needs to develop an organic approach to how the intelligence, BD, and Defense in Depth methodologies integrate and complement each other. Implementing an overarching control framework that keeps the organization focused on maintaining a positive risk posture is the cement upon which to base measurement and success.

I developed the below table to show how the Intelligence Lifecycle and the core components of a defense in depth program could integrate with an organization’s control framework. In this case, I used the SANS Top 20 controls. The links are hot if you want to reach out to each SANS control.

This table reflects the obvious and subtle dynamics that will happen within the CIOC. This dynamic combination for a cyber command and control approach to protecting your vital assets expands the current definition and processes seen in a SOC.

Intelligence Cycle Framework    Predict    Prevent    Detect    Respond
Requirements    X
Planning and Direction    X
Collection    X
Processing and exploitation    X X
Analysis and production    X X X
Dissemination    X X X

SANS 20 Critical Controls
1: Inventory of Authorized and Unauthorized Devices    X X
2: Inventory of Authorized and Unauthorized Software    X X
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers    X X
4: Continuous Vulnerability Assessment and Remediation    X X X X
5: Malware Defenses    X X X X
6: Application Software Security    X
7: Wireless Device Control    X X X
8: Data Recovery Capability    X
9: Security Skills Assessment and Appropriate Training to Fill Gaps    X X X X
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches    X X
11: Limitation and Control of Network Ports, Protocols, and Services    X X X
12: Controlled Use of Administrative Privileges    X X X
13: Boundary Defense    X X X X
14: Maintenance, Monitoring, and Analysis of Audit Logs    X X X X
15: Controlled Access Based on the Need to Know    X X X
16: Account Monitoring and Control    X X X
17: Data Loss Prevention    X X X
18: Incident Response and Management    X X
19: Secure Network Engineering    X X X
20: Penetration Tests and Red Team Exercises    X X X X

Table 1 Shows the integration of Controls, DID and Intelligence Management

http://www.sans.org/critical-security-controls/guidelines.php

Summary

Colleagues


We are in an undeclared cyber war. The enemy is extremely talented, fluid, fast moving and highly compartmentalized. They can rapidly adapt and adjust to the defenses that we develop, such as the Tuesday patch release and the AV and malware definition update.

Unlike the old days of the SOC, when the battle was relatively static, the cyber battlefield of today is fluid and changes every day. We must show similar nimbleness to counter and, when possible, defeat the threat. The private and public sectors have begun to unite in the strategic war that Leon Panetta defined above. We must advance this partnership and collaterally build similar tools, tactics, and procedures that the public and private sectors mutually understand.

In our own right, we must now execute a convergence of a variety of complementary new processes, some of which might be somewhat disruptive, into a new cyber security and intelligence management framework.

Embracing the intelligence cycle, defining the defense in depth structure to protect our assets, creating common control frameworks, and building the CIOC to serve as the “new management system” with a common doctrine that aligns the public and private sectors is an essential solution for managing the time-space based cyber war that we will continuously wage as the war that never ends.

Thank you for reading my paper

Bill Ross, Greensboro, September 2013

Future think Epilogue

I have touted and implemented a host of intelligence solutions while in the military that in one form or another used the principles of the Army's Intelligence Preparation of the Battlefield (IPB) methodology. In a way, I have applied IPB to private industry threat management teams. ESRI's geospatial mapping supports IPB, as seen in the below link. My desire, over the years of being in private industry, has been that we should have IPB solutions for cyber security, and when I read about all of ESRI's capabilities and the ability to modify its amazing mapping capabilities, it hit me like a steam roller that if ESRI wants to get into the cyber warfare space, there is no doubt in my mind that ESRI can build the first ever Intelligence Preparation of the Cyber Battlefield (IPCB) tool that will finally merge military intelligence principles with the intelligence functions that security companies are now promoting for private industry, and for the government/military for that matter. Private industry knows it needs to become more war-like and DOD-like in its approach to using security data and transforming the raw data into an intelligence product. The ESRI IPCB would be the front end tool that will help them do this by managing security intelligence data, seeing where the vulnerabilities are on their "ESRI mapped networks", and efficiently using their multiple collection methods to plan their CIOC end-to-end cyber intelligence campaigns.


Appendix 1 The overall summary of a SOC organization

http://en.wikipedia.org/wiki/Information_security_operations_center


An information security operations center (or "SOC") is a location where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and defended.

Objective

A SOC is the people, processes and technologies involved in providing situational awareness through

the detection, containment, and remediation of IT threats. A SOC manages incidents for the

enterprise, ensuring they are properly identified, analyzed, communicated, actioned/defended,

investigated and reported. The SOC also monitors applications to identify a possible cyber-attack or

intrusion (event) and determine if it is a real, malicious threat (incident), and if it could have a business

impact.

Technology

SOCs typically are based around a security information and event management (SIEM) system which

aggregates and correlates data from security feeds such as network discovery and vulnerability

assessment systems; governance, risk and compliance (GRC) systems; web site assessment and

monitoring systems, application and database scanners; penetration testing tools; intrusion detection

systems (IDS); intrusion prevention system (IPS); log management systems; network behavior analysis

and denial of service monitoring; wireless intrusion prevention system; firewalls, enterprise antivirus and

unified threat management (UTM). The SIEM technology creates a "single pane of glass" for the security

analysts to monitor the enterprise.

People

SOC staff includes analysts, security engineers and SOC managers who are seasoned information and

communication systems professionals. They are usually trained in computer

engineering, cryptography, network engineering, or computer science and are credentialed (e.g. Certified


Information Systems Security Professional (CISSP) from (ISC)², GIAC from SANS, or Certified Information

Security Manager (CISM) from ISACA).

SOC staffing plans range from eight hours a day, five days a week (8x5) to twenty four hours a day, 7

days a week (24x7). Shifts should include at least 2 analysts and the responsibilities should be clearly

defined.

Organization

Large organizations and governments may operate more than one SOC to manage different groups

of information and communication technology or to provide redundancy in the event one site is

unavailable. SOC work can be outsourced, for instance by using a Managed security service. The term

SOC was traditionally used by governments and managed computer security providers, although a

growing number of large corporations and other organizations also have such centers.

The SOC and the network operations center (NOC) complement each other and work in tandem. The

NOC is usually responsible for monitoring and maintaining the overall network infrastructure—its primary

function is to ensure uninterrupted network service. The SOC is responsible for protecting networks, as

well as web sites, applications, databases, servers and data centers, and other technologies. Likewise,

the SOC and the physical security operations center coordinate and work together. The physical SOC is a

facility in large organizations where security staff monitor and control security officers/guards, alarms,

CCTV, physical access, lighting, vehicle barriers, etc.

In some cases the SOC, NOC or physical SOC may be housed in the same facility or organizationally

combined. Typically, larger organizations maintain a separate SOC to ensure focus and expertise. The

SOC then collaborates closely with network operations and physical security operations.

Facilities

SOCs usually are well protected with physical, electronic, computer, and personnel security. Centers are

often laid out with desks facing a video wall, which displays significant status, events and alarms; ongoing

incidents; a corner of the wall is sometimes used for showing a news or weather TV channel, as this can

keep the SOC staff aware of current events which may have an impact on information systems. The back

wall of the SOC is often transparent, with a room attached to this wall which is used by team members to

meet while able to watch events unfolding in the SOC. Individual desks are generally assigned to a

specific group of systems, technology or geographic area. A security engineer or security analyst may

have several computer monitors on their desk, with the extra monitors used for monitoring the systems

covered from that desk.

Process and Procedures

Processes and procedures within a SOC clearly spell out roles and responsibilities as well as monitoring procedures. These processes include business, technology, operational and analytical processes. They lay out what steps are to be taken in the event of an alert or breach including escalation procedures, reporting procedures, and breach response procedures.

http://en.wikipedia.org/wiki/Information_security_operations_center


http://blogs.esri.com/esri/arcgis/2012/08/29/the-military-aspects-of-terrain-template-is-available-for-download/

Other interesting references

http://catalog.ferris.edu/programs/538

http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/index.xhtml?loc=en_US

http://en.wikipedia.org/wiki/Intelligence_cycle_security

http://www.slideshare.net/DeloitteAnalytics/cyber-intelligence