Cyber Ops Must Evolve Towards Fusion Centres. Here is Why.
Since the advent of space exploration in the 1960s, every child understands that the success of the space mission is dependent not only on the astronauts, but also on the engineers in the mission operation center. All complex missions or operations are high risk and subject to failure. These failures are also hard to predict. Operations centers therefore play an important role in responding to failures in real-time to reduce their impact on the mission.
Operations centers in the information technology world keep IT and network operations up and running. Information security (InfoSec) and security operations centers (SOCs) play a similar role. As Rick Howard summarizes in his Cybersecurity First Principles, the goal of security operations is to “reduce the probability of material impact to my organization due to a cyber event.” In my last 15 years in the InfoSec domain, I have learned that most mature cybersecurity organizations are driven not by their architecture or engineering groups but by the cybersecurity operations group.
A quick history of security operations
SOCs emerged from Network Operations Centers (NOCs), which originally handled IT-security monitoring. Organizations would simultaneously create separate groups such as Computer Emergency Response Teams (CERTs) to focus on security incident response and forensics, or Cyber Defense Centers (CDCs) to focus on threat analysis and assessment. Whatever operational groups were created, all organizations had to recognize two realities.
First, SOCs can’t prepare for every conceivable threat, and therefore InfoSec leaders must limit the SOC’s focus to threats observed in the wild. Second, collaboration, expertise exchange, and ultimately your incident response time are hindered when different groups own the monitoring, incident response, analytics, and forensics responsibilities. So, what’s next?
[Figure: Evolution of Cyber Operations]
SOC value-add in the next decade of challenges
SOCs will face key challenges in the next decade. Their success depends on their adaptability to the following trends:
- Nearly every business is susceptible to cybercrime. As industries and business processes digitize, cyber-enabled crime and fraud become ubiquitous. For most industrialized nations, cybercrime has overtaken traditional crime. Cybercrime has a more attractive risk/reward profile. According to the Verizon Data Breach Report 2020, 86% of breaches were financially motivated. InfoSec leaders and SOCs therefore must expand their focus beyond IT and integrate with individual business departments.
- Integrating security in the production phase is too little, too late. Public cloud environments and DevOps have changed the way organizations run centralized functions like quality assurance and security operations. Security therefore must be built in as early as possible in the development lifecycle, embracing principles like Shift Left and Security by Design. Unfortunately, most SOCs still haven’t figured out how to talk to DevOps.
- Automation will revolutionize cybercrime and fraud: Cybercriminals are already leveraging automation to steal money from online banking customers through phishing, or by encrypting their hard drives and demanding money. What happens when cybercriminals use automation in targeted attacks against organizations? We are in big trouble if the 2016 NotPetya ransomware attack is any indication. Can a traditional SOC compete with a hacker’s ability to take over 60,000 devices in seven minutes?
The traditional, centralized SOC will struggle to deliver value in light of these trends. We need a new model. A cyber fusion center might be the solution.
The concept of a cyber fusion center
A cyber fusion center advances the SOC strategy. It encompasses the SOC as well as physical security, anti-fraud management, IT operations and other functions. The fusion center concept originated in the US law enforcement community following the September 11th terrorist attacks. Analysts from several agencies were brought together in numerous fusion centers to exchange information more effectively and efficiently.
Large US banks were the first adopters of this approach. InfoSec leaders learned that large-scale cyber heists like the 2016 Bangladesh Bank robbery could be avoided, or at least mitigated, by a more integrated exchange of information. Some banks responded by bringing liaison officers from transaction monitoring into their cyber operations units.
Fusion centers can provide value for any sized company in just about every industry. Let’s take a look at some examples.
- Finance: The finance industry learned the hard way that sharing information between multiple groups is key. ATM hacks from the internet, SWIFT transaction manipulation, and M&A insider espionage are just a few examples. Nowadays, a bank is a technology company, and it often has up to 10+ operational groups that have few interfaces with each other and no platform or mechanism to collaborate. Bringing together the SOC, transaction monitoring, anti-fraud and physical security groups could be a big benefit for the overall risk management and operations of the bank.
- Energy: Anybody who has read Marc Elsberg’s Blackout understands what is at stake when our power grid is impacted. Ukraine, for example, has experienced two cyber-enabled blackouts. SOCs and Operational Technology monitoring departments must integrate in this sector.
- Transportation: Nobody wants to ride in a hacked plane, car, train, or ship. Given the modern architectures of powertrain, navigation and other transportation systems, it’s obvious that the InfoSec, operations, and physical security departments must be deeply integrated.
Incorporate DevOps into a fusion center to turbo-boost your cybersecurity operations
Development Operations (DevOps) has replicated fusion center principles for some time, resulting in better collaboration, resilience and time to market. InfoSec leaders would therefore be well served to adopt this model. DevOps also offers a more proactive approach to both resilience and threat management by synthesizing threat intelligence and monitoring. DevOps-level questions like “is this blocked transaction related to last week’s bank breach?” could not only enhance a fusion center’s situational awareness, but also help design, or even automate, better playbooks for business teams.
[Figure: Cyber Fusion Center]
Most operational teams already share several capabilities and technologies, like detection hygiene or prevention controls, SLA and KPI management, and automation of response playbooks. Those shared services could standardize the way a SOC or fusion center is organized and dramatically increase the organization’s hygiene and resilience.
Unfortunately, a blueprint for a cyber fusion center doesn’t exist yet. You can start this transformation in small steps by deploying liaison analysts from other functions into your SOC, or go big and merge all operational functions together. In the end, it’s important to define your success criteria first and measure them on a frequent basis. Just as a space operations center measures the number of risks and failures before a rocket launch and throughout the entire mission, we have to measure our cyber resilience against the bad guys – whether it’s through a cyberattack or a cyber-enabled fraud, blackmail or a lure.