A security operations center (SOC) may be established for an Enterprise (ESOC),
Question
A security operations center (SOC) may be established for an Enterprise (ESOC), a network (NSOC), a system (SSOC), or a business (BSOC).
The Security Operations Center is expected to be aware of all "security relevant changes" and to "advise management of any security relevant changes that need to be implemented;" and often, also for ensuring that "required changes that are approved by management" are implemented.
So, one of the "big functions" of the SOC is "change management."
So given that mission, managing change, what are some of the functions that you would expect of a security operations center (SOC)?
Hint: We are driving toward a definition of "known good state" -- so if you can "explain" the idea of a known good state, and how it relates to the SOC, that would be great.
Explanation / Answer
An information security operations center ("ISOC" or "SOC") is a facility where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and defended.
A SOC is related to the people, processes and technologies involved in providing situational awareness through the detection, containment, and remediation of IT threats. A SOC manages incidents for the enterprise, ensuring they are properly identified, analyzed, communicated, actioned/defended, investigated and reported. The SOC also monitors applications to identify a possible cyber-attack or intrusion (event) and determine if it is a real, malicious threat (incident), and if it could have a business impact.
Large organizations and governments may operate more than one SOC to manage different groups of information and communication technology or to provide redundancy in the event one site is unavailable. SOC work can be outsourced, for instance by using a managed security service. The term SOC was traditionally used by governments and managed computer security providers, although a growing number of large corporations and other organizations also have such centers.
The SOC and the network operations center (NOC) complement each other and work in tandem. The NOC is usually responsible for monitoring and maintaining the overall network infrastructure—its primary function is to ensure uninterrupted network service. The SOC is responsible for protecting networks, as well as web sites, applications, databases, servers and data centers, and other technologies. Likewise, the SOC and the physical security operations center coordinate and work together. The physical SOC is a facility in large organizations where security staff monitor and control security officers/guards, alarms, CCTV, physical access, lighting, vehicle barriers, etc.
Not every SOC has the same role. There are three different focus areas in which a SOC may be active, which can be combined in any combination:
In some cases the SOC, NOC or physical SOC may be housed in the same facility or organizationally combined, especially if the focus is on operational tasks. If the SOC originates from a CERT organisation, however, the focus is often much more on monitoring and control, in which case the SOC operates independently from the NOC to maintain separation of duties. Typically, larger organizations maintain a separate SOC to ensure focus and expertise. The SOC then collaborates closely with network operations and physical security operations.
When it comes to threat prevention and detection in the enterprise, 'known good' technologies can be critical, yet also introduce complexity. By using known-good technology as a part of its information security plan, an enterprise can reduce its efforts in maintaining blacklists and improve the overall security in its environment.
Using known-good technology is similar to taking a whitelisting approach -- where traditionally only authorized users or applications are enabled in an enterprise -- but it takes the concept to a much more expansive and detailed level. In a traditional whitelist approach, specific executables are allowed to run on a computer, but this does not prevent someone within an enterprise network from opening a malicious file for an attacker to get their initial access for an attack. Known-good technologies would prevent the attacker from being able to execute any sort of attack in the first place.
Allow me to explain with a few more examples. Input validation is a common method of accepting only known-good input for entering data into a system. This is used in Web application or database firewalls where potentially malicious SQL statements are filtered to allow only approved SQL statements to execute.
Another example would be examining a webpage, PDF or other document, identifying potentially malicious links and then stripping out the threat and reconstituting the file with only its "known good" parts before allowing it to be downloaded. The file could be examined to identify where user-entered data -- such as text in a document -- resides and then remove the contents that could potentially include malicious code. This is a feature offered by a number of Web proxy or content gateway products from vendors such as Symantec, Blue Coat or Websense. There is also an open source tool and framework, ExeFilter, that brings this feature to files and active content and can be incorporated into other tools or used to scan file shares, email or other content.
It is entirely possible that an attacker today could compromise a legitimate business partner that your enterprise knowingly trusts and then embed malicious code in a legitimate PDF being sent by that trusted partner. By leveraging a technology like ExeFilter that removes only the malicious content of a file, an enterprise can be sure that the legitimate communication from the business would not be disrupted while the threat is removed.
Finding known-good threat prevention and detection technologies requires an in-depth understanding and control over the environment where malicious content could potentially be hiding, and then knowing where and when it is necessary to delete the malicious content rather than outright blocking the attachment, traffic, user, links and so on. With firewalls -- where "deny all" and "only allow" policies are set as needed by the business -- there are significant reasons to allow connections from known-good secure networks with known secure protocols to support the policies. This could be complemented by a network access control system that allows only known-good and approved systems to use approved protocols and connect to the specifically allowed networks. While both technologies could be set up to block malicious networks, security teams would have to add each malicious network every time one is identified. The same goes for new known-good networks or protocols; as these are discovered and approved, they would also need to be added to the approved list.
Unfortunately, it might be quite difficult to extrapolate this method to all types of files or applications. To simplify the process, it may be beneficial for enterprises to focus on the most common file types or data that may be used to exploit its vulnerabilities. Additionally, defining known good in a way that would not cause a significant number of false positives that could negatively impact communications may also pose an enterprise challenge; it would require constant fine-tuning -- just like a whitelist or a blacklist -- to keep it operating effectively.
"Known good" is similar to both mandatory access control and using formal methods in software development: Mandatory access control is where access is granted to only a specific resource based on the classification of the data and the specific access granted. Formal methods, on the other hand, are used in software development to mathematically validate that software performs exactly the functions it was designed for. Both of these methods are very rigorous and resource-intensive ways to use known-good technology for improving security.
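The database-firewall style of input validation mentioned in the answer (only approved SQL statements are allowed to execute), as an added example that is not part of the original answer: each statement is reduced to its shape by dropping comments and replacing literals with a placeholder, and only shapes on an approved list pass. The APPROVED_SQL entries and the sample statements are constructed for the example.

```python
import re

# Constructed allowlist of approved statement shapes. A database firewall in
# allowlist mode would record these from the application during a learning
# phase; any statement whose shape is not listed is refused.
APPROVED_SQL = {
    "select id, name from users where id = ?",
    "update users set email = ? where id = ?",
}

# One pass over the statement: comments are removed, string and numeric
# literals are replaced by a placeholder, everything else is kept.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'"          # single-quoted string literal ('' is an escape)
    r"|--[^\n]*|/\*.*?\*/"     # line and block comments
    r"|\b\d+(?:\.\d+)?\b",     # integer or decimal literal
    re.S,
)

def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape so that only the structure is compared,
    not the values the application fills in at run time."""
    shape = _TOKEN.sub(lambda m: " " if m.group(0)[0] in "-/" else "?", sql)
    shape = re.sub(r"\s+", " ", shape).strip().rstrip(";").strip()
    return shape.lower()

def is_known_good(sql: str, approved=APPROVED_SQL) -> bool:
    """Allow a statement only if its shape is on the approved list."""
    return fingerprint(sql) in approved

def check(sql: str, approved=APPROVED_SQL) -> dict:
    """Decision plus the shape, in the form a SOC would want logged."""
    shape = fingerprint(sql)
    return {"decision": "allow" if shape in approved else "deny", "shape": shape}
```

A statement with an extra clause appended produces a different shape and is denied without anyone having to list that clause first, which is the maintenance advantage over a blacklist that the answer describes.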
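The question's "known good state" and the SOC's duty to notice every security-relevant change and track which ones management has approved, as an added example that is not part of the original question or answer: a recorded baseline of file hashes is the known-good state, every difference from it is a finding, approved findings are promoted into the next baseline and unapproved ones stay flagged. The file paths, contents, and ticket id are constructed for the example.

```python
import hashlib

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()  # compares a file to its known-good copy

# Constructed known-good state: hashes recorded when the host was last verified.
BASELINE = {
    "/etc/ssh/sshd_config": digest(b"PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/sudoers": digest(b"root ALL=(ALL) ALL\n"),
    "/etc/hosts.allow": digest(b"sshd: 10.0.0.0/8\n"),
}

# Constructed current state of the same host, as an inventory collector would report it.
CURRENT = {
    "/etc/ssh/sshd_config": digest(b"PermitRootLogin yes\nPasswordAuthentication no\n"),
    "/etc/sudoers": digest(b"root ALL=(ALL) ALL\n"),
    "/etc/hosts.allow": digest(b"sshd: 10.0.0.0/8 192.168.5.0/24\n"),
    "/etc/cron.d/backup": digest(b"0 2 * * * root /opt/backup.sh\n"),
}

# Changes management has approved, keyed by path (ticket id is constructed).
APPROVED = {"/etc/hosts.allow": "CHG-0042"}

def diff_state(baseline, current, approved):
    """Every difference from the known-good state is a security-relevant
    change; each is classified as approved (expected) or unapproved (alert)."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue  # unchanged: still in the known-good state
        status = "approved" if path in approved else "unapproved"
        findings.append((path, kind, status))
    return findings

def promote(baseline, current, findings):
    """Next known-good state: approved changes are accepted into the baseline;
    unapproved ones keep the old value so they stay flagged until resolved."""
    new_baseline = dict(baseline)
    for path, kind, status in findings:
        if status == "approved" and kind == "removed":
            new_baseline.pop(path)
        elif status == "approved":
            new_baseline[path] = current[path]
    return new_baseline
```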