Dr Alapan Arnab: Building SA's SOC framework

By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 29 May 2014

About Security Summit

The ITWeb Security Summit is Southern Africa's premier information security event. It is on at the Sandton Convention Centre until 29 May. Join the conversation on Twitter #itwebsec.

Building security operations centres (SOCs) in SA is no easy task, as there is no comprehensive view on what is needed - and not needed - in an SOC, a technical unit with a role that has changed drastically within organisations over the years.

To address this challenge, Dr Alapan Arnab, adjunct lecturer at Rhodes University and lead security consultant at Barclays Africa, and Pierre Jacobs, a security architect at the Council for Scientific and Industrial Research, have put together what they believe to be a workable framework at the Eastern Cape-based university.

"There are different interpretations and expectations of what an SOC does and there is a difference in what is being sold and what is being bought," says Arnab.

Jacobs explains that an SOC is essentially an organisation that monitors and manages all aspects of enterprise security in real time, from a single centralised location. Citing Kelley and Moritz (2006), he says: "[An SOC] discovers and prioritises events, determines risk level and which assets are affected, and recommends and can execute the appropriate remediation solution. It delivers detailed reports at local and network levels, meeting both real-time and management and audit requirements."

With the SOC framework built, Arnab and Jacobs say - "for the first time ever" - SA has a mechanism that facilitates the construction of an SOC by providing a means of measuring its requirements and needs, and enabling improvements where necessary.

Jacobs says the framework will soon be published and available for public access. The measurement tool, he says, is based on three concepts: functionality, effectiveness and maturity.

"In SA, we have at least four managed SOC providers and many organisations have started building their own internally, but you need to be able to compare them in functionality, effectiveness and maturity."

Jacobs says an SOC is about risk mitigation, with reporting being a major aspect. According to HP, SOCs have evolved in five phases: from monitoring and managing technical controls, to those driven by malware, cyber crime, advanced persistent threat and cyberwar.

"In terms of the future, we think the framework we have put together provides a practical and comprehensive model on building and evaluating SOC services. A proper audited evaluation service could lead to the establishment of an SOC index with the right push and will."

Arnab says the SOC framework combines a number of components, encompassing technology, people and processes in a single framework.

Bonnie Tubbs reporting from ITWeb Security Summit 2014.