Guidance for Setting Up a Cloud Security Operations Center (cSOC)

Note: My original blog was published in ORACLE CLOUD INFRASTRUCTURE blog site on August 20th, 2018. I have republished it here with permission.

Official Disclaimer: The views and opinions expressed in this blog are those of the author and do not necessarily reflect the official policy or position of Oracle Corporation.

Establishing a security operations center (SOC) is one of the primary requirements for managing cybersecurity-related risks in the current information age. This post provides general DIY guidance for building a SOC primarily for Oracle Cloud, including both platform-as-a-service and infrastructure-as-a-service offerings. This general guidance is also applicable to hybrid cloud environments.

As more businesses are relying on interconnected technologies, like IoT sensors and cloud-based platforms, it’s becoming unmanageable to respond to cyberthreats and resulting incidents without having proper visibility across the cyberthreat landscape. So it’s an imperative for enterprise information security organizations to build (in-house or outsourced) a cloud-centric SOC (cSOC) to address the following broad types of cyberthreats, based on HarvardX's categorization:
  1. Unintentional external threats
  2. Malicious external threats
  3. Malicious internal threats
  4. Unintentional internal threats 

Internal actors
  • Unintentional threats: Regular usage of systems by internal employees may result in the discovery of bugs or exploits hitherto unknown. These findings are always leveraged by the internal security teams to remediate the issues.
  • Malicious threats: Internal agencies, such as employees, contractors or vendors with privileged access, intentionally target internal systems for information theft, financial gain and/or pure malevolence.
External actors
  • Unintentional threats: Regular usage of systems by external agencies may result in the discovery of bugs or exploits hitherto unknown. This may result in loss of reputation and loss of revenue.
  • Malicious threats: External agencies, such as individuals, cyber criminals or enemy nation states, intentionally target corporations for information theft, financial gain and wide-ranging disruption.

Outsourced or In-House

First, let’s tackle the issue of building a cSOC. The question is whether to outsource the SOC functionality to a managed security service provider (MSSP) or to keep it in-house. From experience and some research, the following are the disadvantages of outsourcing:
  • Not aligned with the enterprise's business vertical
  • Limited services and capabilities
  • Systems optimized for scaling across a large number of customers 
  • Lacks intimate knowledge because of the large number of customers
  • Lack of dedicated resources
  • Focused on maximizing profit
  • Provides standard security services, not customized ones
  • Lack of specialization
  • Short lifespan of outsourced threat intelligence
  • Minimal opportunities for correlation unless all data is sent to the MSSP
Following are the advantages of employing an MSSP:
  • Potential cost savings (building a cSOC is expensive)
  • Fully trained and qualified staff
  • Experience in handling stressful situations
  • Experience in addressing all types of security incidents effectively and efficiently
  • Keeps the organization current on emerging threats (threat Intelligence)
  • Wide industry experience
  • Helps an organization to focus on core business
  • 24x7x365 availability
  • Provides an SLA
  • Maintains and updates runbooks
  • Automates and maintains incident response playbooks

cSOC Components

To build a cSOC or to take the service from an MSSP, ensure that the following components are in place:
  • Command center
  • Environment security monitoring
  • Incident response
  • Threat intelligence
  • Forensics
  • Environment assessment and verifiability
The rest of this post briefly describes these components.

Command Center

The following diagram depicts the relationships between the command center and other internal or external agencies or services:
Oracle Management Cloud (OMC), with its custom dashboard capabilities, is a natural fit for the cSOC command center tooling for Oracle Cloud IaaS.
The following additional components of OMC are targeted at SOC use cases:

Environment Security Monitoring

Environment security monitoring should have the following components:
  • Oracle Cloud Access Security Broker services
  • Network logs (Oracle Cloud Infrastructure VCN flow logs)
  • Host logs
  • Application logs
  • Network IDS
  • Host IDS
  • Malware detection feeds
  • Security information and event management (SIEM)
  • IOC (indicator of compromise) matching tool
  • Honeypots (optional)
The following diagram depicts the relationships among these components.
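
To make two of these components concrete, here is an added example (my own illustration for this post, not part of the original diagram or any Oracle tool) of the IOC matching step run over VCN flow-log records. The record layout (srcaddr, dstaddr, dstport, action as JSON lines) and the IOC feed are constructed for the example and simplified; the real OCI VCN flow log schema has more fields, so check the OCI Logging documentation before wiring this to live data. The IOC feed mixes single IPs and CIDR ranges, because real threat feeds do, and the scanner treats a rejected flow from an IOC as a hit too, since a blocked probe still tells you who is knocking.

```python
"""IOC matching over VCN flow-log records (added example, not from the original post).

Assumptions (constructed for this example):
- Each flow-log record is one JSON object with the fields used below
  (srcaddr, dstaddr, dstport, action). The real OCI VCN flow log schema
  carries more fields; check the OCI Logging documentation for field names.
- The IOC list mixes single IPs and CIDR ranges, as a threat feed would.
"""
import ipaddress
import json
from collections import Counter

# Constructed IOC feed: (indicator, description). Not real threat data.
IOC_FEED = [
    ("198.51.100.23", "known C2 node (sample)"),
    ("203.0.113.0/24", "scanner range (sample)"),
]

# Constructed flow-log lines (JSON Lines). TEST-NET addresses only.
SAMPLE_FLOW_LOG = """\
{"srcaddr": "10.0.1.5", "dstaddr": "198.51.100.23", "dstport": 443, "action": "ACCEPT"}
{"srcaddr": "203.0.113.77", "dstaddr": "10.0.1.5", "dstport": 22, "action": "REJECT"}
{"srcaddr": "10.0.1.5", "dstaddr": "10.0.2.9", "dstport": 1521, "action": "ACCEPT"}
{"srcaddr": "203.0.113.78", "dstaddr": "10.0.1.6", "dstport": 3389, "action": "REJECT"}
not a json line
"""


def compile_iocs(feed):
    """Turn the feed into ip_network objects so that single IPs and CIDRs
    are matched the same way (a single IP becomes a /32 network)."""
    compiled = []
    for indicator, desc in feed:
        compiled.append((ipaddress.ip_network(indicator, strict=False), desc))
    return compiled


def match_record(record, iocs):
    """Return a list of (field, indicator, description) hits for one record."""
    hits = []
    for field in ("srcaddr", "dstaddr"):
        value = record.get(field)
        if not value:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # malformed address: skip the field, not the whole record
        for net, desc in iocs:
            if addr in net:
                hits.append((field, str(net), desc))
    return hits


def scan_flow_log(text, feed=IOC_FEED):
    """Scan JSON-lines flow-log text. Returns (alerts, per_ioc_counts, skipped).

    alerts: list of dicts suitable for forwarding to a SIEM.
    per_ioc_counts: Counter of hits per indicator (for a dashboard tile).
    skipped: number of lines that were not valid JSON.
    """
    iocs = compile_iocs(feed)
    alerts, counts, skipped = [], Counter(), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        for field, indicator, desc in match_record(record, iocs):
            counts[indicator] += 1
            alerts.append({
                "indicator": indicator,
                "matched_field": field,
                "description": desc,
                "dstport": record.get("dstport"),
                # A REJECT still matters: it shows the IOC is probing us.
                "action": record.get("action"),
            })
    return alerts, counts, skipped


if __name__ == "__main__":
    found, per_ioc, bad = scan_flow_log(SAMPLE_FLOW_LOG)
    for alert in found:
        print(alert)
    print("hits per indicator:", dict(per_ioc), "| unparseable lines:", bad)
```

The per-indicator counter is what feeds the command center dashboard; the alert list is what goes to the SIEM, where it can be correlated with host and application logs from the same time window. Counting unparseable lines separately is deliberate: a sudden jump in that number usually means the log format changed, not that the network went quiet.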

Incident Response

Incident response (IR) is the central part of the cSOC. The IR team interacts with the business units, steering committees, and management while responding to a security incident by eradicating issues so that the affected system can return to service.

Threat Intelligence

The threat intelligence component comprises the following functions and processes:
  • Internal information systems
  • Threat actors
  • Open-source resources (Oracle's approach)
  • Attribution information

Forensics

Cloud systems forensics can be carried out internally by the cSOC or can be further outsourced. For the purpose of this post, I am showing the relationship between the components within the cSOC.
The main forensics processes are as follows:
  • Host forensics
  • Reverse engineering
  • Network forensics
  • Communication with management and the command center
  • Maintaining the chain of custody
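
Of these, maintaining the chain of custody is the one that is easy to describe and easy to get wrong, so here is an added example (my own, not from the original post or any Oracle tool) of a minimal custody ledger for cloud evidence. Each entry records the evidence item's SHA-256, who handled it, what they did and when, and also hashes the previous entry, so that editing or dropping a record later is detectable. The handler names, timestamps and evidence bytes are constructed for the example.

```python
"""Chain-of-custody ledger for cloud evidence (added example, not from the
original post). Each entry records who handled which evidence item, when,
and the item's SHA-256; every entry also hashes the previous entry so that
altering or dropping a record later is detectable. Names and evidence
contents below are constructed for the example.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(entry: dict) -> bytes:
    """Stable serialisation so the hash does not depend on key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class CustodyLedger:
    def __init__(self):
        self.entries = []

    def record(self, evidence_id, evidence_bytes, action, handler, when=None):
        """Append an entry; returns it. Hashing the evidence at every step
        (not just acquisition) lets verify() pinpoint where it changed."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "evidence_id": evidence_id,
            "evidence_sha256": sha256_hex(evidence_bytes),
            "action": action,          # e.g. acquired, transferred, analysed
            "handler": handler,
            "timestamp": when,
            "prev_hash": prev_hash,
        }
        entry = dict(body, entry_hash=sha256_hex(canonical(body)))
        self.entries.append(entry)
        return entry

    def verify(self, current_evidence=None):
        """Walk the chain. Returns (ok, reason).

        current_evidence: optional {evidence_id: bytes} of the items as they
        exist now; each is checked against the hash recorded at acquisition.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False, f"entry {i}: broken link to previous entry"
            if sha256_hex(canonical(body)) != e["entry_hash"]:
                return False, f"entry {i}: entry contents altered"
            prev = e["entry_hash"]
        if current_evidence:
            for ev_id, data in current_evidence.items():
                first = next((e for e in self.entries if e["evidence_id"] == ev_id), None)
                if first and first["evidence_sha256"] != sha256_hex(data):
                    return False, f"evidence {ev_id}: content differs from acquisition hash"
        return True, "chain intact"


def demo():
    """Constructed walk-through: acquire, transfer, then simulate tampering."""
    image = b"constructed disk image bytes"   # stands in for a boot-volume snapshot
    ledger = CustodyLedger()
    ledger.record("vol-snap-001", image, "acquired", "analyst-a", "2018-08-20T10:00:00+00:00")
    ledger.record("vol-snap-001", image, "transferred", "analyst-b", "2018-08-20T11:30:00+00:00")
    ok_before, _ = ledger.verify({"vol-snap-001": image})
    ledger.entries[0]["handler"] = "someone-else"   # rewrite history
    ok_after, reason = ledger.verify()
    return ok_before, ok_after, reason


if __name__ == "__main__":
    print(demo())
```

In practice the ledger itself would live in write-once storage (an object storage bucket with retention rules, for instance) and the entry hashes would be countersigned or timestamped by a party outside the forensics team; the hash chain only proves that the ledger is self-consistent, not who wrote it.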

Environment Assessment and Verifiability

This component was the most neglected aspect of the traditional SOC. With the advent of cSOCs, it is the pattern that connects a cSOC to the agile DevSecOps practice: subcomponents such as penetration testing and vulnerability assessment can be integrated as an on-demand service with the organization's CI/CD pipeline.
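
What "integrated with the CI/CD pipeline" looks like in code is a gate: a stage that consumes the assessment findings and decides whether the build proceeds. Here is an added example (my own, not from the original post or any particular scanner or Oracle product) of such a gate. The report layout (a JSON document with a list of findings carrying id, severity, component and fixed_in) and the finding identifiers are constructed for the example; every real scanner has its own schema, so load_findings() is where you would adapt it. The gate also supports time-boxed risk acceptances so that a known, approved exception does not block every build until it is fixed.

```python
"""Vulnerability-assessment gate for a CI/CD stage (added example, not from
the original post).

Assumptions: the scanner produces a JSON findings report in the constructed
layout below (a list of objects with "id", "severity", "component",
"fixed_in"). Real scanners each have their own schema; adapt load_findings().
"""
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample report; identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "scanned": "app-image:build-1234",
    "findings": [
        {"id": "SAMPLE-0001", "severity": "HIGH", "component": "libexample 1.0", "fixed_in": "1.1"},
        {"id": "SAMPLE-0002", "severity": "medium", "component": "toolkit 2.3", "fixed_in": None},
        {"id": "SAMPLE-0003", "severity": "critical", "component": "parserlib 0.9", "fixed_in": "1.0"},
        {"id": "SAMPLE-0004", "severity": "low", "component": "helper 4.2", "fixed_in": "4.3"},
    ],
})


def load_findings(report_text):
    """Parse the report and normalise severity labels to lower case."""
    data = json.loads(report_text)
    findings = []
    for f in data.get("findings", []):
        sev = str(f.get("severity", "info")).lower()
        if sev not in SEVERITY_RANK:
            sev = "info"   # unknown label: do not silently rank it high or low
        findings.append({**f, "severity": sev})
    return findings


def evaluate_gate(findings, fail_at="high", accepted_risks=frozenset()):
    """Decide pass/fail for the pipeline stage.

    fail_at: lowest severity that blocks the build.
    accepted_risks: finding ids with a documented, time-boxed risk acceptance
    approved by the security team; these are reported but do not block.
    Returns (passed, blocking, waived) where blocking/waived are lists of ids.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        if f["id"] in accepted_risks:
            waived.append(f["id"])
        else:
            blocking.append(f["id"])
    return (len(blocking) == 0), blocking, waived


def summarize(findings):
    """Counts per severity, for the stage log and the cSOC dashboard."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    import sys
    found = load_findings(SAMPLE_REPORT)
    ok, blocking, waived = evaluate_gate(found, fail_at="high", accepted_risks={"SAMPLE-0001"})
    print("severity counts:", summarize(found))
    print("blocking:", blocking, "| waived:", waived)
    # A non-zero exit is what makes the CI stage fail; that is the whole gate.
    sys.exit(0 if ok else 1)
```

Two design points worth keeping when you adapt this: unknown severity labels fall back to "info" rather than being guessed, so a schema change surfaces as a drop in counts instead of a silent pass; and waived findings are still returned, so the cSOC dashboard keeps seeing accepted risks until they expire.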

I hope that this short, visuals-heavy post will help you to establish your cloud security operations center.
For more helpful information, see the following resources:
  • MGT517: Managing Security Operation: Detection, Response and Intelligence
  • PCI Compliance on Oracle Cloud Infrastructure blog post
  • Oracle Cloud Infrastructure Security white paper 
Disclaimer: All diagrams / visuals were created using PowerPoint and no shapes were harmed.
