A Cisco® security operations center (SOC) can help you protect your network and your customers' networks and business traffic. Carefully balancing technology, processes, and people, a Cisco SOC equips you to continuously monitor networks for security incidents and then react quickly when such threats arise.
In fact, speed of response is a prime attraction of a Cisco SOC. Computer worms can spread throughout the Internet in minutes or even seconds, potentially knocking out your customers' networks or slowing traffic to a crawl. Consequently, every second counts in identifying these attacks and negating them before they can cause damage - tasks custom-made for a Cisco SOC. In effect, a Cisco SOC monitors network security health and responds instantly to critical problems and vulnerabilities.
This paper examines the need for SOCs, describing their roles and functions and highlighting their benefits. It then explains the steps to constructing your Cisco SOC architecture and presents the six phases of effective incident response. Finally, the paper discusses how to assemble a Cisco SOC team and lists the outputs expected from a Cisco SOC.
As a service provider, you need a security policy for your own network. Although many of the principles and techniques described herein will apply to such a policy, this paper describes how to set up a Cisco SOC to monitor and protect your customers' networks and traffic.
The Need for a Cisco SOC
When a business's network is hit with a virus, worm, or distributed denial-of-service (DDoS) attack, the costs can be severe. Lost revenue. Dissatisfied customers. Frustrated employees. A tarnished reputation. And yet, many businesses have insufficient security plans and procedures to deal with these incidents. Typically, these businesses also lack the expertise and tools to mitigate the effects of harmful security breaches. They invest their faith in the hope that these kinds of attacks happen only to others - a vulnerable belief founded more on wishful thinking than reality.
Nonetheless, these businesses want to avoid losing or contaminating their data, including their vital intellectual property. They want to protect critical assets. They want to maintain communication...keep important services operating...guard transactions from losses or delays...and serve their customers. A significant network security breach can threaten all these goals.
By implementing a Cisco SOC, however, you can thoroughly address your customers' security needs and establish the architectures and processes to protect their businesses. In short, working with your customers, you put into place the security plans, procedures, tools, and expertise that proper network vigilance demands today.
Common Cisco SOC Roles and Functions
To deliver this level of protection, your SOC needs to perform a host of different roles:
• In real time, manage and monitor virtual private networks, firewalls, intrusion detection and prevention systems, DDoS mitigation systems, anti-x solutions, patch updates, endpoint assets including servers, and other security products
• Immediately respond to potential security threats and quickly resolve security problems
• Offer real-time views of your customers' security postures
• Defend customers against emerging network attacks
• Protect company technology investments
In fulfilling these roles, your SOC needs to monitor your customers' networks for security risks. Known as "security monitoring for risk assessment," this function involves the following tasks:
• Gaining insight into network status by using such data-gathering techniques as Simple Network Management Protocol (SNMP) polling, traps, syslog messages, and NetFlow
• Using intelligent analysis and correlation techniques and tools to identify security incidents from collected data
• Closely monitoring emerging threats and handling these threats consistently across a multitenant network while enforcing each customer's security policy
• Employing a security information management system (SIMS), a sophisticated traffic-analysis system, to isolate anomalies potentially associated with security incidents
• Assigning security experts to analyze and help solve security incidents
• Continuously monitoring for security vulnerabilities and breaches; much like catching a fire in its earliest stage, spotting a security incident as soon as it starts can help you mitigate the threat before it causes damage
• Periodically scanning your network and those of your customers to help ensure that your security provisions comply with policies and service-level agreements (SLAs)
• Monitoring your network for alarms and controlling and testing network elements
• Remotely provisioning, configuring, and backing up files for service restoration
• Upgrading security devices with tested software that contains vulnerability fixes, maintenance updates, or new features
• Collecting usage data for billing
• Helping generate regulatory-compliance reports for auditors by using an extensive data-collection repository
Benefits of a Cisco SOC
The roles and functions performed by your Cisco SOC offer you numerous benefits:
Prepares You to Deal Effectively with Security Incidents
When you operate a Cisco SOC, you move from a reactionary posture to one of preparedness. Rather than scrambling to respond to a security breach, you will have a well-established process to follow, one that permits you to move fast and effectively to isolate, contain, and defuse the threat.
Moreover, you will be able to devote your security experts to developing network strategies rather than to chasing solutions every time a new threat emerges. You can also offer protection from cyber extortionists who threaten your customers' networks or Websites.
Reduces Risks to Your Customers
A Cisco SOC enables you to minimize security-related network downtime. By keeping pace with evolving global threats, you can better protect your customers' data traffic from loss or manipulation and better control your security services.
Improves Your Security Response
What happens when a customer's inbound e-mail traffic spikes? Is this spike abnormal but legitimate? Or does it portend a devastating networkwide attack? When you operate a Cisco SOC, you have an escalation path to follow in such instances - one that systematically analyzes the potential reasons for the traffic anomaly and appropriately elevates the incident. By moving quickly, you deal with security incidents in minutes - not hours or days - greatly lessening potential disruption to critical services and business processes.
Enhances Your Operational Efficiency
By defining security rules and policies, your SOC specialists will be able to quickly identify threats and apply remedies to sites at risk before network attacks hit them. In addition, by isolating legitimate security threats from the copious information coming into your SOC, you improve the "signal-to-noise ratio" that might otherwise hinder your ability to respond.
Moreover, when your SOC collaborates with your network operations center (NOC), you gain operational efficiencies impossible to achieve when these two entities function in silos. This collaboration allows your network and security experts to improve situational awareness, share tools, integrate security-response procedures, and operate cohesively.
Reduces Your Costs
Because a Cisco SOC relies largely on technologies, tools, and procedures for front-line security, you can employ your expensive IT security specialists cost-effectively without compromising the quality of your SOC deliverables. By allowing these experts to concentrate on legitimate threats, you optimize the use of their skills. In other words, a Cisco SOC equips you to rely on processes and technology to augment the work generally done by security experts. This capability helps you serve more customers without overextending your company.
Assists Customers to Comply with Regulations
Customers often need to comply with regulations and policies governing the use, protection, or privacy of information. Customers can use reports that your SOC generates to help adhere to these regulations and policies, including the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the data-security storage requirements associated with the payment card industry.
Questions to Ask Before Implementing a Cisco SOC
Perhaps your business has functioned sufficiently well to date without a SOC. Why invest in one now? The answer is simple: The speed at which turbo worms proliferate and the potential damage that Internetwide attacks can cause make SOCs a necessity today, not a luxury. In short, you cannot afford to be without one, not if you want to adequately protect your customers - and your business.
Before you set up a SOC, you need to ask the following kinds of questions:
• In the face of ever-changing threats, how can we protect our customers' vital business assets and operations?
• How do we guarantee privacy for our employees, partners, vendors, and customers?
• How do we define and implement security policies?
• How do we manage vast amounts of data coming from various security-monitoring technologies - technologies that generate new operational-support challenges in themselves?
• How do we maintain accountability and objective corporate governance?
To answer these questions, follow the steps in the next section.
Cisco SOC Architecture
This section examines how to build your Cisco SOC architecture and describes the six phases of incident response. By following the steps and incorporating the phases, you will develop essential procedures for identifying, solving, and mitigating security incidents.
Constructing Your Cisco SOC Architecture
Your Cisco SOC architecture dictates what security information you collect and how you analyze, process, and communicate this information. Do the following to establish the proper Cisco SOC architecture for your organization; the steps are represented by the arrows at the top of Figure 1.
Figure 1. Cisco SOC Architecture
1. Identify Which Business Assets to Monitor and Protect.
In some cases, your clients may know what routers, switches, servers, computers, databases, and other business assets they want to protect. In other cases, you may have to guide your clients.
After you decide which business assets to monitor, you and your clients need to answer two questions:
• What kind of security policy is required to protect these assets?
• What type of SLA is needed?
With the answers to these questions in hand, you can move on to the next step.
2. Decide What Security Data to Collect.
Adhering to security policies and SLAs requires collecting certain types of data from your clients. The more comprehensive the security monitoring, typically the more detailed the data. In other words, the type and volume of data you collect can vary significantly from one client to the next.
3. Determine What Data to Analyze and Correlate.
It is impractical to analyze every piece of traffic data that a customer generates. Even a small to medium-sized business can produce an overwhelming volume of data. You can simplify this process by analyzing and correlating just the data generated by SNMP polling, traps, syslog messages, and NetFlow. Analysis and correlation will flag potential security incidents immediately, and these functions are essential to delivering excellent service.
You can analyze and correlate data either in your Cisco SOC or on your customers' premises; most service providers choose the former option, but bandwidth restrictions may make the latter more attractive. In either case, let your customers know what data you use to generate information about security incidents. You can assure customers that none of their confidential information - the information used to conduct day-to-day business - goes to your SOC, giving management valuable peace of mind.
4. Analyze Appropriate Security Events.
After you analyze and correlate a customer's data traffic, you should isolate security incidents from legitimate data traffic and concentrate on the former. It is important to expose only those incidents that actually breach each customer's security policies. For example, you cannot realistically expect to examine every line associated with two million syslog messages generated by a customer's firewall. Isolating only those lines that represent potential security threats allows you to employ your scarce IT resources efficiently.
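Steps 3 and 4 in working form: an added example (not Cisco's code or tooling) that correlates firewall deny lines per customer and surfaces only the sources that breach that customer's own policy, so the same probe can be an incident for one tenant and noise for another. The syslog format, host-to-customer mapping, thresholds, and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified format (not a vendor's syslog format):
# "<timestamp> <firewall-host> DENY|PERMIT <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_SYSLOG = """\
2024-05-01T10:00:01Z fw-acme DENY tcp 203.0.113.5:40001 -> 10.1.0.7:22
2024-05-01T10:00:02Z fw-acme DENY tcp 203.0.113.5:40002 -> 10.1.0.7:23
2024-05-01T10:00:03Z fw-acme DENY tcp 203.0.113.5:40003 -> 10.1.0.7:445
2024-05-01T10:00:04Z fw-acme DENY tcp 203.0.113.5:40004 -> 10.1.0.7:3389
2024-05-01T10:00:05Z fw-acme DENY tcp 203.0.113.5:40005 -> 10.1.0.7:8080
2024-05-01T10:00:06Z fw-acme PERMIT tcp 198.51.100.9:51000 -> 10.1.0.7:443
2024-05-01T10:00:07Z fw-globex DENY udp 203.0.113.5:40006 -> 10.2.0.3:161
2024-05-01T10:00:08Z fw-globex DENY udp 203.0.113.5:40007 -> 10.2.0.3:162
2024-05-01T10:30:00Z fw-globex DENY tcp 198.51.100.9:51001 -> 10.2.0.3:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|PERMIT) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Which firewall belongs to which customer, and each customer's policy
# (step 1: policy and SLA agreed per customer). Assumed values.
CUSTOMER_OF_HOST = {"fw-acme": "acme", "fw-globex": "globex"}
POLICY = {
    # a source denied on more than `max_ports` distinct destination ports
    # within `window` is reported as a probe against this customer
    "acme":   {"max_ports": 4, "window": timedelta(minutes=5)},
    "globex": {"max_ports": 1, "window": timedelta(minutes=5)},
}

def parse(line):
    """Parse one line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None  # skip rather than crash the pipeline on bad input
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def correlate(text):
    """Return (customer, source, distinct ports) for each policy breach."""
    denies = defaultdict(list)  # (customer, src) -> [(ts, dport), ...]
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != "DENY":
            continue  # only denied connections feed the probe detector
        customer = CUSTOMER_OF_HOST.get(rec["host"])
        if customer is None:
            continue  # device not under any customer policy
        denies[(customer, rec["src"])].append((rec["ts"], rec["dport"]))
    incidents = []
    for (customer, src), events in denies.items():
        pol = POLICY[customer]
        events.sort()
        # sliding window anchored at each event; count distinct ports hit
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= pol["window"]}
            if len(ports) > pol["max_ports"]:
                incidents.append((customer, src, len(ports)))
                break  # one incident per (customer, source) pair
    return incidents
```

Of nine raw lines, only two incidents reach an analyst: the same source hitting two ports is below acme's threshold but breaches globex's stricter policy.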
5. Bring in Your Security Experts.
When your SOC isolates a potential security incident, your security experts take over. These people have the skills and experience to analyze a potential security breach and deal with it quickly and effectively.
6. Communicate with Your Customers.
The final step in creating your Cisco SOC architecture involves setting up the process to let your customers know about each security incident and to track its resolution. When a security incident arises, you should generate a trouble ticket and give your affected customers access to this ticket according to your SLAs or security policies. You may also want to provide comprehensive reports weekly, monthly, and yearly to further improve your customer relationships.
Six Phases of Incident Response
You have now established architecture for your Cisco SOC, but you still need to respond effectively and efficiently when a security threat is uncovered. Figure 2 illustrates the six phases of incident response, which are discussed next.
Figure 2. The Six Phases of Incident Response
1. Preparation
Sound preparation is essential to sound incident response. If you are well-prepared, you will know what to do and how to do it when a security incident strikes. Preparing well involves the following:
• Hiring experienced, certified people
• Developing and documenting a security plan
• Establishing SLAs with customers and peers
• Acquiring the needed tools
• Implementing security procedures
• Training SOC staff to use tools and procedures
• Regularly testing operations continuity
• Maintaining vendor-support contracts
• Evaluating and measuring for process improvement
Incorporating these activities allows your Cisco SOC to act swiftly and effectively when a network threat arises. Make sure that your staff knows its role and your procedures well - you do not want staff members implementing procedures for the first time during an actual security incident. In other words, by thoroughly planning for operational readiness and establishing a robust service-response baseline, you can avoid the mistakes and oversights that can severely limit your effectiveness during security crises.
2. Identification
You want to identify security incidents before they affect your customers' networks. You can gain this important capability by using analysis tools and telemetry data from NetFlow, SNMP polling, traps, and syslog messages.
3. Classification
After identifying an attack, you need to assess its threat and scope: Does it affect a single customer, multiple customers, or your entire infrastructure?
4. Traceback
An attack has a victim and a source. After classifying the threat, your specialists need to trace this threat to its point of ingress: peer, upstream server, downstream server, or compromised network device in the data center.
5. Reaction
Following classification and traceback, your Cisco SOC team applies tools and processes to mitigate the attack. Success requires visibility into the network and well-defined standard operating procedures. By adhering to these procedures, you can avoid making the problem worse.
6. Analysis
Your security team should analyze the root causes of each incident and record new insights in your security operations manual for reference during the next incident.
Security Operations Center Teams
You may have excellent security-response procedures, but they will do little good if your staff is insufficiently skilled or experienced to execute the procedures properly. Consequently, you need to assemble an expert Cisco SOC team and an incident response team.
Cisco SOC Team Skill Requirements
You want to staff your Cisco SOC with the hybrid talent of service provider backbone engineers and security engineers. In fact, your Cisco SOC team needs to know the following aspects of service provider networks:
• Core or backbone engineering
• Customer network connectivity into core or backbone
• Network management, including operations support systems (OSS)
• Hosting and content systems
• Community such as Network Service Provider - Security (NSP-SEC)
• Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and addressing design and security
• Computer Emergency Response Team (CERT)
Your Cisco SOC experts should also possess the knowledge of a typical enterprise security engineer. Employing such talent may require high salaries, but by relying on proper tools and procedures, you can optimize and scale their skills. In addition, you may want to offer to assign security experts to work full time on your customers' premises. This provision offers the highest security.
Creating an Incident Response Team
Your Cisco SOC team runs your center day to day, but when an attack strikes, you may need to activate a special incident response team. This special team is required if you operate your Cisco SOC separately from your NOC. If these two centers function as one, then your Cisco SOC team becomes your incident response team, with the addition of a few other nontechnical members noted in the following paragraphs. Either way, the size of your incident response team will typically vary according to the number and size of networks you monitor.
If you operate your Cisco SOC and NOC separately, your incident response team should comprise representatives from both your Cisco SOC and your NOC. Why? This combination allows you to determine quickly whether a problem originates with the network or a firewall or whether it represents a security incident. For instance, when a trouble ticket is raised, it might first go to the NOC. If the NOC determines that the network is fine, the ticket goes to the Cisco SOC. If the Cisco SOC determines that the firewall is functioning properly, the ticket is elevated to the incident response team. By including members from both the Cisco SOC and the NOC, this team has the perspective and expertise to tackle the problem holistically, applying tools, techniques, and processes to identify the incident, trace its source, and respond to it appropriately.
You should also enlist your chief information security officer (CISO), chief information officer (CIO), chief counsel, public affairs manager, and potentially others as members of your incident response team. Although your Corporate Intelligence Resource Committee (CIRC) member(s) and CISO will likely conduct the response, they will need help and expertise - as well as authority - from other organizations to succeed.
Team and Network Preparation Assessment
If both your teams and your network are prepared, you should be able to answer the following questions:
• Are these traffic patterns normal for our network?
• What is consuming all our bandwidth?
• Angry customers are calling - what happened?
• Why can't we reach that server, network, or autonomous system?
• Has another provider hijacked our routers?
• Should we buy more transit or peer directly?
• Should we change these Border Gateway Protocol (BGP) attributes or policies?
Communications Channel Contacts and Information
Your Cisco SOC must have procedures to communicate with staff, customers, and interconnecting service providers if you or your customers come under attack. In essence, you want to follow the six phases of incident response described earlier. Knowing precisely whom to contact can help you carry out these six phases faster and more effectively. Consequently, you should collect the following information and keep it up-to-date:
• All critical e-mail addresses, phone numbers, pager numbers, and Webpage URLs
• Contacts for all interconnecting service providers, both peers and upstream companies, as well as for vendors and customers
• Contacts for your vendors' product-security reaction teams and response-accountable parties
• Policies to define levels of support for customers, classification and traceback of attacks, and response methods (for example, will you drop the attacks on your infrastructure?)
• Procedures to answer questions and communicate
Cisco SOC Outputs
Your Cisco SOC should generate the following outputs, many of which come in the form of reports:
• Security monitoring for risk management
• Security posture risk analysis
• Secure role-based portal access
• Real-time monitoring and status of incidents and tickets
• Security policy reports
• Security incident reports
• Real-time assessment per incident as well as weekly and monthly reports
• Information required to prepare a compliance audit
• SLA reports
• Evidence of security policy compliance
• Trends of security incidents and events
Importance of Reporting
As these outputs suggest, reporting is critical to running a successful Cisco SOC. You will ultimately develop your own incident reporting standards, but to conform to best practices, your reports should address certain common elements such as incident response time and date, attack identification and classification, root cause, detection method, mitigation method, and risk analysis (that is, how can you avoid the problem in the future?).
Also, make sure that you do not release information that could negatively affect your Cisco SOC or leave you vulnerable to attacks or hackers. In other words, do your due diligence during the final reporting process. In addition, if your incident reports could become public (as with reports for state and local government clients), have a public affairs or legal representative evaluate the reports before you publish them.
Incident Report Contents
To improve the value of your incident reports, use UTC time (Greenwich standard) wherever possible for all routing and switching infrastructure, security controls, and critical servers. Standardizing on UTC will equip you to develop a common time-hack to consolidate and fuse sensor data easily. Minimizing time-conversion helps avoid inadvertently tampering with the evidence you collect.
Make sure your points-of-contact list identifies all the people who worked on the incident along with their roles. This information is invaluable when analyzing incidents or combating a similar incident. Finally, make your reports accessible through a security portal. This portal should provide a consistent view of your security posture throughout your network.
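An added example (not from this paper or Cisco) of why the UTC standardization above matters: sensor records that each carry their own local-time offset are normalized to UTC and fused into one timeline, and the report fields listed under "Importance of Reporting" are filled from that timeline. The sensor names, offsets, messages, and ticket id are constructed; ordering the same records by their local-time strings puts the mitigation before the detection.

```python
from datetime import datetime, timezone, timedelta

# Constructed records as each sensor emitted them: (sensor, local time,
# sensor's UTC offset in hours, message). The firewall logs in US Eastern
# daylight time (-4), the IDS already in UTC, the server in CEST (+2).
RAW_EVENTS = [
    ("ids-1",   "2024-05-01 10:00:05",  0, "alert: SSH brute force from 203.0.113.5"),
    ("fw-acme", "2024-05-01 06:00:01", -4, "DENY tcp 203.0.113.5 -> 10.1.0.7:22"),
    ("srv-7",   "2024-05-01 12:00:40",  2, "sshd: Accepted password for svc from 203.0.113.5"),
    ("fw-acme", "2024-05-01 06:05:00", -4, "SHUN 203.0.113.5 applied by SOC"),
]

def to_utc(local_str, offset_hours):
    """Attach the sensor's own offset, then convert to an aware UTC datetime."""
    tz = timezone(timedelta(hours=offset_hours))
    local = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)

def naive_local_order(raw):
    """What you get by sorting the local timestamps as written: wrong order."""
    return [sensor for sensor, t, _, _ in sorted(raw, key=lambda r: r[1])]

def fuse_timeline(raw):
    """Normalize every record to UTC and return (utc, sensor, msg) in true order."""
    return sorted((to_utc(t, off), sensor, msg) for sensor, t, off, msg in raw)

def build_report(raw, ticket, classification, root_cause, risk_analysis):
    """Fill the common incident-report elements from the fused UTC timeline."""
    timeline = fuse_timeline(raw)
    detected = timeline[0]                                   # first sensor to see it
    mitigated = next(e for e in timeline if e[2].startswith("SHUN"))
    return {
        "ticket": ticket,                                    # placeholder id
        "detection_time_utc": detected[0].isoformat(),
        "detection_method": detected[1],
        "response_time_utc": mitigated[0].isoformat(),
        "time_to_mitigate": str(mitigated[0] - detected[0]),
        "classification": classification,
        "root_cause": root_cause,
        "mitigation_method": mitigated[2],
        "risk_analysis": risk_analysis,
        "timeline": [(t.strftime("%Y-%m-%dT%H:%M:%SZ"), s, m) for t, s, m in timeline],
    }
```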
Conclusion
A Cisco security operations center can help you protect your customers' networks and data traffic from security threats. A Cisco SOC balances technology, processes, and people to generate a comprehensive security defense. By being well-prepared and following a systematic process for responding to security incidents, you can either avoid or mitigate the effects of potentially debilitating attacks on your customers' networks.
Please speak to your Cisco account representative about how you and your customers can benefit from a security operations center.