
MITRE publication ‘11 Strategies for a World-Class SOC Centre’. Strategy #2 ‘Ensure the SOC has the authority it needs to fulfil its mission’

10.05.2023




Ruslan Rakhmetov, Security Vision


Although the SOC is usually a structural unit of the customer company whose information assets it protects, the hosts and networks are often maintained by another division of the company, with which the SOC will need to interact. As a consequence, the SOC's ability to perform preventive and reactive actions should rest either on documented authority or on authority inherited from the SOC's parent organisation. Strategy #2 describes how the SOC acquires the authority it needs to operate, as well as possible organisational support measures to ensure that the SOC's mission is achieved.


Written, documented authority, which gives the SOC the power to conduct business, consume resources, and make changes to the company's infrastructure and processes, is an important component in building and operating a SOC. The policies and authorities of the SOC should be consistent with those of the client company; the in-house legal department should be consulted to ensure compliance with this rule. The mission, functionality and authority of the SOC may be reflected in an internal regulatory document, the SOC Charter, which is key to the SOC's operation and can assist in liaising with customer representatives and when questions arise about the SOC's rights to perform certain activities. The SOC Charter can not only reflect the current functionality of the SOC, but also list what is expected of the SOC in the future - this will allow the SOC to develop successfully. The Charter should reflect what the SOC does and who is responsible for ensuring its activities, but should not describe in detail how the SOC fulfils its responsibilities (a detailed description should be given in other, more specific documents). The SOC Charter, signed by a senior company official, will allow the SOC to request the necessary resources and require co-operation from representatives of the customer company to successfully carry out the SOC's mission.


The SOC Charter should include provisions such as:


1. Designation of the SOC as the customer's single centre for cyber operations: cyber intrusion monitoring, cyber defence and cyber incident response;


2. The scope of the SOC's responsibility to protect organisations, departments, data, systems and users; it is desirable to formulate these provisions in an unambiguous, clearly interpretable manner, avoiding future ambiguities that may arise when the customer introduces new technologies or asset types;


3. Authorisation for the SOC to perform the following activities:

- Deployment, operation and support of host-based and network-based active and passive monitoring systems;

- Proactively and reactively scanning hosts and networks to map the network and identify assets, determine their security settings and vulnerability status, and install patches;

- Performing or enforcing active and passive cyber threat countermeasures, including but not limited to disabling or blocking network connections, hosts, accounts and networks;

- Responding to confirmed cyber incidents in direct liaison and co-operation with the necessary individuals and departments;

- Collection, storage and analysis of digital artefacts, including media, logs and network traffic, to support incident analysis (both on demand and on an ongoing basis), subject to applicable legal regulations and restrictions;


4. The expected level of cooperation from technical support, IS and IT departments (network and system administrators) in alerting, diagnosing, analysing and responding to problems, breakdowns, incidents and other tasks that may require the involvement of the resources of these departments and individuals;


5. The role of the SOC in designing, acquiring, building, integrating, operating and maintaining SOC monitoring systems, functions and operating environments;


6. The level of control the SOC has over the allocation of resources for tool development and support, personnel recruitment and retention, and operating costs related to SOC functions;


7. Responsibility of the SOC for other duties, such as building an awareness programme, awareness training and drills, and audit data collection.

Where a group of SOCs uses the Tier model to divide responsibilities between subordinate SOCs at different levels of the customer hierarchy, the parent SOC shall, in addition to the above, have the following authorities:

1. Possess the highest authority over subordinate SOCs;

2. Obtain access from all subordinate SOCs to cybersecurity related data such as aggregated metrics, summarised information, data views, incident specific data;

3. Coordinate the actions of subordinate SOCs in responding to incidents;

4. Manage improvements to the functionality and actions of subordinate SOCs to improve response quality;

5. Manage devices that aggregate relevant IS data from subordinate SOCs and sensors installed on hosts and networks, especially when subordinate SOCs lack the relevant competencies;

6. Act as the primary point of contact for providing situational awareness and sharing cybersecurity information, including providing guidance, tools, technologies, standards;

7. Offer internal IS standards and guidance, e.g., in terms of selecting practices and technologies for network and cybersecurity monitoring;

8. Facilitate the signing of licence and commercial agreements for monitoring technologies that will be useful to subordinate SOCs.


In addition to the internal regulatory documents that directly govern the operation of the SOC, the customer company should develop and implement IT/IS documents that will assist in the effective execution of the SOC's tasks. In conjunction with the IT and IS departments, the SOC should participate in the development or adjustment of the following documents:

1. User consent for monitoring, which explicitly authorises the SOC and IS auditors to monitor and store any information about activities on all customer systems and networks;

2. A policy on acceptable use of IT systems in the form of a set of rules including provisions for restricting the use of Internet and social media resources, rules for software installation and use, and rules for remote working;

3. Policies for processing personal data and confidential information, including instructions for managing and protecting various types of information processed on the customer's controlled networks;

4. A list of internal authorised ports and protocols that may be used within the customer's infrastructure and SOC operating environment;

5. A list of external authorised ports and protocols that may be used when crossing the company perimeter for access through the DMZ, to counterparties' IT infrastructure and open to/from the Internet;

6. Host naming standards, including requirements for naming devices to understand their type and role based on their DNS name;

7. Other IT system configuration and compliance policies, from password complexity requirements to secure device configuration standards;

8. Personal device policies and rules for remote work with corporate infrastructure, networks, applications, and data from employees' personal devices;

9. List of agreed OS, software, system images, standard baseline settings for devices of various types (servers, PCs, laptops, network equipment, PACs);

10. Rules for notifying the SOC of external infrastructure scans by contractors (to search for vulnerabilities, identify infrastructure components, etc.);

11. Audit policy describing the types of IS events that should be collected on certain types of systems, audit log retention periods, list of those responsible for processing, collecting and storing audit logs;

12. Roles and responsibilities on the counterparty side with respect to responding to cyber incidents;

13. Legally relevant documents regarding classification of information, personal data, storage of information, collection of evidence and its applicability in court, rules for employee explanations and internal audits (investigations) of identified cyber incidents.

In addition to the above documents, agreements and SLA metrics for external service providers should also be developed; for example, for cloud infrastructure service providers, it should be defined what information can be shared with the client company and how. These agreements should spell out the SOC's requirements for external providers, including provisions for retrieval and provision of stored information, notification of data breaches, recovery and transfer of digital artefacts, and monitoring and response to cyber incidents. Agreements and SLAs should be developed for both the services consumed and the services provided by the SOC; these documents should cover the following aspects:

1. Network availability and bandwidth requirements;

2. Planning for unavailability of consumed/provided services;

3. Network failure and incident notification procedures, time standards for recovery, escalation, reporting;

4. Cyber incident notification procedures, recovery procedures, time standards for escalation and reporting;

5. A clear division of responsibility for implementation, operation, maintenance of security features and measures to be applied to acquired services.

The location of the SOC in the organisational structure and hierarchy of the company is a key issue when allocating budget, assigning authority, and determining the focus of the SOC. The following factors that directly affect the success of the SOC should be considered:

1. Location of the SOC in the company hierarchy and the choice of SOC subordination: the SOC can report directly to the CIO/CISO, which is the best option; otherwise (a lower hierarchical position of the SOC) it is necessary to provide internal regulatory documents that will help the SOC realise the functions necessary for effective activity;

2. The authority of the organisation that is parent to the SOC;

3. The power and influence of the SOC's parent organisation's leaders: their attitude towards realising the SOC's mission and supporting the SOC's staff in carrying out their job responsibilities;

4. The funding lines and budget of the SOC parent organisation: the ability to allocate resources to acquire tools and technology for SOC activities and to recruit and retain SOC staff to carry out all the functions that are reflected in the SOC Charter;

5. A list of services and capabilities that the SOC will provide;

6. The chosen SOC organisational model: a Tier model with subsidiary SOCs and a parent SOC or a centralised SOC model.

To successfully fulfil the customer's cyber security mission, the SOC must have situational awareness of the state of the company's business processes, with pinpoint accuracy about specific incidents on specific systems and an understanding of how they will affect the company's business; the SOC must also have the authority and capability to make changes to information systems (both proactively and reactively, as a result of a cyber incident), for example by modifying domain group policies, reconfiguring network equipment, disconnecting systems from the co

Various senior executives in a company, such as the Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Technology Officer (CTO), as well as the CIO (Chief IT Officer), CISO (Chief IS Officer), or CSO (Chief Security Officer), can claim to manage SOC capabilities. During an incident response, a situation may arise in which different managers give different instructions and request information specifically for themselves, so it is crucial to establish the roles of the managers in advance and describe their interactions, responsibilities and decision-making authority; these provisions must be approved by the CEO. The authors of the publication emphasise that regardless of the location of the SOC in the organisational structure of the company, it should have full and comprehensive budgetary, logistical and engineering support for the effective performance of SOC functions. The publication gives the following options for SOC subordination, with a description of their pros and cons:


1. Subordination to the CIO or CISO

A SOC subordinate to the CIO or CISO is the most common case, especially in large companies. In the case of subordination to the CIO, attention should be paid to the inadmissibility of shifting the focus from cybersecurity to IT. In many cases, companies appoint deputy CIOs or CISOs who become the direct SOC managers. With other types of reporting lines, it is likely that the SOC will still depend to some extent on the decisions of the CIO or CISO.


2. Subordination to the COO

A SOC subordinate to the COO is usually quite high in the corporate hierarchy, which gives it advantages: understanding of business processes and involvement in the company's activities, sufficient budgeting and adequate authority. At the same time, such a subordination model has its disadvantages: only really important issues can be brought to the COO level, and the SOC must compete for the COO's time and attention.


3. Subordination to the CSO

When the SOC reports to the Chief Security Officer, on the one hand, there may be increased detection of cyber incidents related to human error and non-compliance with security policies; on the other hand, there may be a need to continuously maintain the IS focus and IS competencies, difficulties in working with the IT and IS departments, and a lack of rapport with the CSO, who is rarely deeply immersed in cybersecurity issues.


4. Merging with the NOC

Combining a SOC with a NOC (Network Operations Center, a network monitoring centre, usually under the IT department) can provide advantages both in terms of budget savings (by combining the two structures) and in terms of combining competencies (for example, network equipment equipped with network security functions can be administered both in the SOC and in the NOC).


It should be remembered that the main goal of the NOC is to ensure the availability of resources, while the goal of the SOC is to ensure their cyber security, so it is important not only to allocate areas of responsibility and duties between SOC and NOC members, but also to avoid mutual subordination between the SOC and NOC. In order for the two entities to work effectively and synergistically, easy-to-use collaboration tools should be used, and different options should be considered for jointly handling user requests, investigating incidents and managing related processes (e.g., asset inventory, vulnerability scanning, update deployment), with operational decisions made by a manager who is competent in both NOC and SOC matters. Regardless of whether the SOC and NOC are merged, it should be ensured that the SOC liaises with and is sponsored by the executive responsible for cybersecurity within the company.


5. Placement of the SOC within the business unit structure

The SOC may also be subordinate to a particular business unit. This will allow it to focus on the tasks and processes of that business unit, but will not provide the necessary authority and insight to protect the entire company. The variant with a target SOC within a structural business unit responsible for critical processes will work well in the case of a hierarchical Tier model, when such a target SOC is subordinate to a parent SOC, which operates on a company-wide level and reports to senior managers.
