Big Data in the Cybersecurity Operations Center
Thomas M. Mitchell

Abstract: Today's Cyber Security Operations Center (CSOC) should include everything needed to mount a competent defense in the rapidly changing cyber-landscape. The CSOC will consist of a vast array of sophisticated detection and prevention technologies, extensive and dynamic cyber-intelligence reporting, and capable forensic abilities. The link that creates the next-generation CSOC is the use of Big Data technologies. Organizations can leverage their data with these technologies when they are properly implemented; this will be detailed in another article. The organizations that implement this properly will have 20/20 vision into their respective network enclaves. The aggregation of historical data with the input of present-day data has the potential to produce predictive analysis. This can create automation for some functions within the CSOC, and the ability to predict the deficiencies within the network enclave.

Keywords: big data, cyber, CSOC, internet of things, network, security, SOC

Executive Summary
The premise of this article lays the foundation for the Cyber Security Operations Center (CSOC) and, within the standards of a meticulous process, enables the efficient buildup and management of the next-generation CSOCs, also known as Security Operations Centers (SOCs), with advanced analytics as the cornerstone of technology.

The Mission of CSOC
Today's CSOC should include everything needed to mount a competent defense in the rapidly changing cyber-landscape. The CSOC will consist of a vast array of sophisticated detection and prevention technologies, extensive and dynamic cyber-intelligence reporting, capable forensic abilities, and access to a rapidly expanding workforce of talented IT professionals.

About the Author
Thomas Michael Mitchell has over 25 years of experience in information technology and security in enterprise environments. He is an accomplished author, speaker, entrepreneur, part-time chef, and sommelier. Tom holds a master's degree in Information Assurance and Security (MSIAS) along with the following certifications: CISSP #63456, CEH, HBSS, DoD 8570 IAT and IAM Level III, ITIL, CNSA, CNDA, and Cleared Professional. Tom has also been responsible for the advanced design, architecture, and operational and situational awareness advances within a number of Fortune 500 organizations' Cyber Security Operations Centres (CSOCs). He is at the forefront of cyber thought leadership in adapting to the ever-changing cyber-landscape and the new challenges faced today: simplifying existing processes and workflows for on-boarding of sources to reduce the overall cost of service without compromising organizational security posture. Tom understands and practices the development of system requirements, designing solutions, developing demo systems, and the design and development of the implementation of a cybersecurity Big Data next-generation analytics CSOC. He has 10 years' hands-on experience with various security information and event management (SIEM) tools: McAfee SIEM, ArcSight, QRadar, BlackStratus, Accelops, LogRhythm, and Splunk.
thomas-mitchell-2b0459/
Mitchell, Thomas, CSOC with Advanced Analytics;

© Business Expert Press 978-1-94858-080-9 (2018) Expert Insights


The Task of Incident/Event Management
The core function within a CSOC is to take action on events from hundreds or even thousands of different systems within the organizational enclave. Essentially, the CSOC is the correlation point for every event logged within the organization. For each of these events, the CSOC must decide how it will be managed and then respond accordingly. Also, a detailed step-by-step process needs to be documented for each level in the SOC so that the analyst knows precisely what information is required, whom to contact, and how to deliver the known information quickly and accurately.
The CSOC management of events must include a list of instructions, that is, a playbook and Standard Operating Procedures (SOPs), that apply on a 24×7, 365-day operational basis. An event is an element that comes into the CSOC and is monitored, while an incident is an event where action must be taken.
As a part of event management, the SOC provides telephone and e-mail assistance to its customers that covers some of the following areas:
Malware outbreak
Phishing attacks
Social engineering calls
Access to the organization's security portal
Data leak/loss incidents
Customer account lockout
Customer inquiries

There must also be additional escalation procedures in place. The SOC must have clearly defined procedures for the escalation tier that address, at a minimum:
Resources to assist with resolution of incidents
Review of open incident records
Status updates
No response from the customer (again, customer is defined as part of the SOC services and in many cases may be the end user or system administrator)
Adding notes to the incident record for further escalations as required
Incident record closure
High-priority/high-severity handling
Lack of resolution

Realities of CSOC Security Challenges
To keep the adversary out, the CSOC must use advanced technology and keep pushing the technological envelope, as the adversary will continue to be one step ahead of the most diligent CSOC team. The defenders must be ever vigilant in their pursuit of remaining secure. Consider that while the adversary must discover only one way in, the defenders must defend all access points, limit and assess damage, and find and remove adversary points of presence in enterprise systems.
CSOCs must be set up and operate with a focus on people, process, and technology. The CSOC must be vigilant and identify every aspect of responding to cybersecurity attacks: people, technology, and process issues. In hardening defenses, one must also be able to enable, detect, and respond to cyber-attacks, and this takes precedence over battling politics and personnel issues. The integration of advanced analytics tools such as Splunk Enterprise Security, Sqrrl, and Elasticsearch has changed the traditional CSOC "sit and wait" paradigm into a proactive one of hunting for the adversary.

Use Cases: What Advanced Analytics Can Add to the CSOC Mission
Achieving the balance of proactive, dynamic, and forensic cybersecurity encompasses the following use case actions.

Use Case Examples
Advanced analytics comes in two flavors. One is the automated analyst and the other is the human analyst; both perform similar functions, and both can dive into the aggregated data for analysis of such use case functions as incident monitoring, malware
detection, data breach detection, advanced persistent threat detection, insider threat detection, threat intel analysis, and incident response. The automated CSOC will then execute its mission efficiently when given the authority to do its job through efficient organizational placement and appropriate and transparent policies and procedures for cyber-situational awareness.
The advanced analytics-driven CSOC will take massive amounts of data and bring them together into dashboard graphs and data-driven behavioral diagrams designed around the use cases. The use cases will allow for cybersecurity investigations. The vast amounts of data will provide the context for a comprehensive view of the network that will enable the defenders to be successful.
To be next generation, the CSOC should be aware of existing and new technologies. This proactive vigilance will enable CSOCs to become technologically sophisticated. The consumer of advanced analytics, along with threat intelligence, creates a CSOC that will become advanced by using these technologies to grow the automated CSOC of the future. The future is now.

Primary Components of a CSOC with Advanced Analytics
The mission of the SOC—situational awareness of the managed enclave.
Determine the processes, procedures, and technology—identify and document the critical templates, methods, and processes required to support the CSOC.
Understand the cyber-enclave's environment to determine the "use cases" and the type of data that is received by the CSOC.
Identify the interaction with the CSOC.
Staff the CSOC—define the operational hours and the necessary personnel per shift.
Manage the events with advanced analytics—categorize, assign, and prioritize activities received by the CSOC.
Leverage the appropriate framework, that is, CSF, NIST 800-53, and ITIL—understand the core framework to regulate the components to run an efficient CSOC.

Upon the definition of the service functions, there will be a runbook, playbook, or SOPs. This series of documentation must be developed and consistently updated to ensure that the appropriate information is accurate. These documents are considered "living" documents and need to be updated as events happen or there is any major update to the network topology. This documentation will guide the daily processes and procedures for the SOC staff. Each tier within the CSOC is assigned a series of responsibilities based on each tier's position description. The advent of utilizing advanced analytics within the CSOC will drive efficiencies and automation of processes and procedures. The automation will initially take place in the Tier 1 responses to the initial receipt of incidents. The goal of analytics within the confines of the CSOC is to establish the actual fingerprint of the network. Once this baseline or footprint is established, anomalies will be able to be detected. Tier 1 incidents will auto-generate a ticket and automatically be escalated or closed based on the historical data and the information from threat intelligence feeds.
The programming of the analytics engine will lead to the automation and escalation of true incidents, while false positives will be handled automatically. There will need to be human interaction initially to ensure the accuracy of ticket closure.

Traditional Structure of a CSOC: Roles and Responsibilities
The following individuals are responsible for maintaining and managing system events and incidents for the enterprise or organization:
■■ Tier 1 CSOC engineer can resolve the incident record; he/she:
Defines the incident in specific terms and also gathers additional facts necessary for troubleshooting and resolving the issue(s).
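The Tier 1 automation described above (fingerprint the enclave from historical data, detect anomalies against that baseline, then auto-escalate or auto-close tickets using past ticket outcomes and threat-intelligence feeds), together with the event-versus-incident distinction from the incident/event management section, as an added example in Python. This is the editor's illustration, not code from the article or from any product it names; the host names, the seven-day history, the closed-ticket record and the threat-intel feed are all constructed, the feed uses TEST-NET documentation addresses rather than real indicators, and the 3-sigma threshold and three-false-positive streak are illustrative assumptions.

```python
"""Added example: a Tier 1 auto-triage engine in the shape the article describes.
Baseline the enclave from history, score today's events, enrich with threat intel,
then escalate, auto-close, or leave the event as merely monitored.
All data below is constructed for illustration."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed seven-day history: (host, day, failed_logins, bytes_out_mb)
HISTORY = [("ws-101", d, fl, mb) for d, fl, mb in
           [(1, 2, 40), (2, 3, 45), (3, 1, 38), (4, 2, 42), (5, 3, 41), (6, 2, 39), (7, 1, 44)]]
HISTORY += [("db-7", d, fl, mb) for d, fl, mb in
            [(1, 0, 900), (2, 1, 950), (3, 0, 880), (4, 0, 920), (5, 1, 910), (6, 0, 905), (7, 0, 930)]]

# Constructed threat-intel feed: indicator -> context (TEST-NET addresses, not real IOCs)
THREAT_INTEL = {"198.51.100.23": "known C2 server", "203.0.113.9": "phishing kit host"}

# Constructed record of how earlier tickets on the same (host, metric) were closed
CLOSED_TICKETS = {("ws-101", "failed_logins"): ["false positive"] * 3}

Z_THRESHOLD = 3.0            # assumed: sigmas above baseline before an event becomes an incident
FP_STREAK_TO_AUTOCLOSE = 3   # assumed: consecutive false positives before the engine may close alone


@dataclass
class Baseline:
    mu: float
    sigma: float


@dataclass
class Event:
    host: str
    metric: str
    value: float
    dst_ip: Optional[str] = None


@dataclass
class Ticket:
    host: str
    severity: str   # low | medium | high
    action: str     # escalate | auto-close | close-pending-review
    reason: str


def build_baseline(history) -> Dict[Tuple[str, str], Baseline]:
    """Fingerprint the enclave: per-host, per-metric mean and stdev over the history window."""
    samples: Dict[Tuple[str, str], List[float]] = {}
    for host, _day, failed, mb in history:
        samples.setdefault((host, "failed_logins"), []).append(float(failed))
        samples.setdefault((host, "bytes_out_mb"), []).append(float(mb))
    return {k: Baseline(mean(v), pstdev(v)) for k, v in samples.items()}


def zscore(value: float, b: Baseline) -> float:
    """Deviation from the fingerprint in sigmas; a flat baseline treats any change as extreme."""
    if b.sigma == 0.0:
        return 0.0 if value == b.mu else float("inf")
    return (value - b.mu) / b.sigma


def triage(ev: Event, baselines, ti=THREAT_INTEL, closed=CLOSED_TICKETS,
           human_review: bool = True) -> Optional[Ticket]:
    """Return a Ticket when the event needs action (an incident); None when it is only monitored.
    human_review=True models the article's initial period: automatic closures are held for an
    analyst to confirm before the engine is trusted to close on its own."""
    # 1. A threat-intel hit is an incident regardless of how normal the volume looks.
    if ev.dst_ip in ti:
        return Ticket(ev.host, "high", "escalate", f"dst {ev.dst_ip} in TI feed: {ti[ev.dst_ip]}")
    # 2. No fingerprint yet (new host or metric): nothing to compare against, so a human looks.
    b = baselines.get((ev.host, ev.metric))
    if b is None:
        return Ticket(ev.host, "medium", "escalate", "no baseline for host/metric")
    # 3. Inside the fingerprint: an event to monitor, not an incident.
    z = zscore(ev.value, b)
    if z < Z_THRESHOLD:
        return None
    # 4. Anomalous, but history says this exact signal keeps closing as a false positive.
    recent = closed.get((ev.host, ev.metric), [])[-FP_STREAK_TO_AUTOCLOSE:]
    if len(recent) == FP_STREAK_TO_AUTOCLOSE and all(o == "false positive" for o in recent):
        action = "close-pending-review" if human_review else "auto-close"
        return Ticket(ev.host, "low", action,
                      f"z={z:.1f} but last {FP_STREAK_TO_AUTOCLOSE} tickets were false positives")
    # 5. Genuine deviation from the baseline: escalate, severity scaled by distance from normal.
    severity = "high" if z >= 2 * Z_THRESHOLD else "medium"
    return Ticket(ev.host, severity, "escalate", f"z={z:.1f} vs mu={b.mu:.1f} sigma={b.sigma:.2f}")


def triage_shift(events: List[Event], baselines, **kw) -> Dict[str, int]:
    """Run a batch through triage and count outcomes; 'monitored' events never became incidents."""
    counts: Dict[str, int] = {"monitored": 0}
    for ev in events:
        t = triage(ev, baselines, **kw)
        key = "monitored" if t is None else t.action
        counts[key] = counts.get(key, 0) + 1
    return counts


BASELINES = build_baseline(HISTORY)

if __name__ == "__main__":
    todays_events = [
        Event("ws-101", "failed_logins", 40),                         # noisy signal, repeatedly FP
        Event("db-7", "bytes_out_mb", 4000, dst_ip="198.51.100.23"),  # threat-intel hit
        Event("db-7", "bytes_out_mb", 1100),                          # ~9 sigma outbound spike
        Event("ws-101", "bytes_out_mb", 43),                          # within baseline
        Event("new-host", "failed_logins", 5),                        # no fingerprint yet
    ]
    for ev in todays_events:
        print(ev.host, ev.metric, ev.value, "->", triage(ev, BASELINES))
    print(triage_shift(todays_events, BASELINES))
```

The ordering of the checks is the point: an indicator match is escalated even when volumes look normal, an unknown host is never silently closed, and the false-positive streak only ever lowers a ticket to "pending review" until `human_review` is switched off, which is the hand-off the article describes. Mean and standard deviation are deliberately the simplest fingerprint; a production engine would use robust statistics and time-of-day seasonality, and the `sigma == 0` branch shows the edge case a flat baseline on a freshly on-boarded host produces.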
