Ever heard the term CSOC and wondered what sort of cyber goodness goes on in one? Read on and wonder no more: my beginner's guide to the CSOC, with a breakdown of the CSOC-as-a-Service vendors in the market, has you covered.

What Is A CSOC?

CSOC is the acronym for a Cyber Security Operations Center, but somewhat confusingly a CSOC team can also be described as a Computer Security Incident Response Team (CSIRT), a Computer Incident Response Center (CIRC), a Security Operations Center (SOC), or a Computer Emergency Response Team (CERT).

For the purposes of this analysis, let's stick to CSOC.

A CSOC is in the business of defending against unauthorized activity on strategic networks and this includes monitoring, detection, analysis, as well as response and restoration activities. A CSOC is a team primarily composed of network security analysts organized to detect, analyze, respond to, report on, and prevent network security incidents on a 24/7/365 basis.

There are different kinds of CSOC which are defined by their organizational and operational model rather than their core sets of capabilities.

Virtual CSOC

The name says it all really. These kinds of operations often have no dedicated facility, have team members who work on a periodic basis, and are reactive in their approach to cyber threats, which is what really sets them apart from the other kinds of SOC. I argue that a reactive virtual SOC capability is not sustainable over the long term given the current threat landscape, and not many will argue with that sentiment.

Distributed CSOC

These kinds of operations usually have a couple of staffers on site 24/7 to manage ongoing operations and tend to lean on freelancers, security service providers and members of other departments to force multiply their capabilities with specialist knowledge as and when necessary.

The distributed model can offer significant cost savings against dedicated CSOC models, and it also allows you to keep critical security functions in house. However, you sacrifice agility, responsiveness and team cohesiveness with this model, and this can impact upon a team’s effectiveness.

Dedicated CSOC

The best kind of CSOC, with a dedicated facility, infrastructure and team who operate as a self-contained unit, delivering continuous security operations on a persistent 24/7/365 basis. Dedicated SOCs are typically operated by large organizations, multi-national corporations and nation states, and if you are a hacker on their turf, they will probably be your worst nightmare.

Command CSOC

A command CSOC is a dedicated facility, infrastructure and team who operate as a command and coordination unit for a number of other regionally based CSOCs. Command CSOCs work with third party CSOC teams to coordinate incident response on a national or international level. They also collaborate with other CSOCs around training, education, knowledge sharing and joint projects. Command CSOCs are operated by defense contractors, large governments and military intelligence units.

What Does A CSOC Do?

Your average CSOC performs a specific set of functions by leveraging technologies, best practices and processes that may not be specific to the individual CSOC, but which are used to deliver a specific set of services that inevitably involve many different meta domains and disciplines.

Typically, a CSOC will deliver functions like security monitoring, auditing & training, incident response, threat & vulnerability management, as well as device management & security compliance.

They deliver services like malware, forensic, vulnerability and threat intelligence analysis, and they deal with penetration testing, countermeasure implementation and security audits. A healthy CSOC will also engage in activities like attack path modelling, security intelligence collection and analysis of risk analytics.

Talents and skillsets vary wildly between different CSOCs. Ultimately, the effectiveness of a CSOC is underpinned by the quality of its team and not the quantity of its people.

Where Do CSOCs Operate & Who Operates Them?

Because of the nature of the CSOC’s core role, the natural environment for a healthy CSOC operation is one where constant awareness of threat is the norm. CSOC environments exist quite naturally around large multinational corporations and state actor defense departments, but this is not typical across the global threat space.

It is still quite common to see smaller nation states lacking a CSOC capability, just as it is to see large organizations operating within the defense, finance and utilities sectors lacking a dedicated CSOC capability.

The stance most commonly adopted by those who do not possess a CSOC ability is to reactively mitigate and insure against cyber threats rather than to proactively manage or respond to threats and risks. The problem with this is that a reactive mitigation stance is simply not effective over the long term in any kind of defensive scenario.

Risks must be proactively managed in order to secure strategic assets and positions must be constantly reevaluated according to the terrain. Actors lacking in CSOC capability and who are engaged in reactive mitigation find themselves at a constant disadvantage in the current threat environment.

Who Provides CSOC-as-a-Service?

Gartner estimates that approximately 15% of large organizations have established a CSOC, driven primarily by the increased risk of incidents and breaches and an increase in managed security services adoption. Regulatory requirements, consolidation of security functions and centralization of information security programs are also driving factors.

These driving factors lead Gartner to believe that by 2019, approximately 50% of security operations work will be conducted out of a CSOC via service providers, or via nationally, regionally and vertically aligned shared security services.

There are currently thousands of virtual CSOC operations internationally, hundreds of medium sized distributed and dedicated CSOC operations operating on a global level and tens of large CSOCs that we could categorize collectively as Command CSOCs, operated by defense contractors, governments and military intelligence units.

Whilst many of the smaller CSOC operations do provide their services to third parties, there are very few large CSOCs who provide all of the essential CSOC functions and who offer a full range of CSOC specialty services. The key providers are:

Raytheon - A major U.S. defense contractor with core manufacturing concentrations in weapons and military and commercial electronics, a turnover of $25 billion and 63,000 employees worldwide. Raytheon offer a ‘cyber protection system’ to organizations globally and a wide range of services, including a cybersecurity academy.

BAE Systems - A British multinational defense, security, and aerospace company with headquarters in London and operations globally. It is the third largest defense company based on revenues of £17.79 billion and has 82,000 employees worldwide. BAE Systems provide ‘Advanced and National CSOC Operations’ to nation states, governmental agencies and law enforcement agencies.

Thales Group - A French multinational company that provides services for the aerospace, defense, transportation and security industries, with revenues of €14.9 billion and 64,000 employees worldwide. Thales provide ‘managed security services’ to large organizations globally that include CSOC services with a focus on cyber defense.

Secureworks Inc. – A US-based subsidiary of Dell that provides information security services to approximately 4,400 customers across 61 countries, ranging from Fortune 100 companies to mid-sized businesses in a variety of industries. They provide ‘managed security solutions’ with a focus on cyber defense.

Deloitte – A multinational professional services firm with operational headquarters in New York City, USA. Deloitte is one of the "big four" accounting firms, with $38.8 billion USD in revenues, more than 263,900 employees and the largest number of clients amongst FTSE 250 companies. They operate a network of CSOC divisions globally and provide ‘cyber risk services’ to boost security, vigilance and resilience.

What these five have in common is that they adopt almost the same approach to their CSOC operations, whilst terming what they do in different ways, and adhere to internationally approved best practices in process, operations and security.

What Are The Characteristics Of An Effective CSOC?

They Have Authority - A CSOC without authority spends more time fighting political battles than it does on having an effective operational impact. It needs explicit authority from executive leadership and written policies that give it permission to exist and procure resources, with strong internal policies to allow it to be effective.

They Focus on Quality - People are the most important element of cybersecurity, and determining the right number of operators to hire can be difficult. A focus on the quality of the operator is essential, and specific policies, compensation schemes and employee support mechanisms need to be in place to ensure that you can retain your quality assets, proactively mitigating against the high employee churn rates that are typical of the cybersecurity industry.

They Exercise Data Discretion – There is a balance to be struck when collecting data that can help you identify important red flags. Collect too little data and you are running blind, but collect too much and the red flags are lost amongst the noise. It is important to gather just the right amount of data from just the right places, and a pragmatic, operationally driven approach can help prioritize resources.

They Do Some Things Brilliantly – A good CSOC needs to work out which of its many responsibilities are a priority and focus on doing the essentials effectively. It can sometimes be difficult to determine which responsibilities to assume and to what level, but over time and as a CSOC matures, it can build upon its failures and successes and take on new roles in its journey towards operational excellence.

They Maximize Technology Value – A newly established CSOC needs to work out the relevancy of its technology purchases in relation to its constituency, longevity and operator feedback, with resources being dedicated to the continuous improvement of tools and their integration into a coherent architecture and workflow.

They Are A Sophisticated Consumer – A newly established CSOC must constantly adapt its techniques, tactics, and procedures in order to respond to a changing threat environment. This proactive approach involves the consumption of cyber threat intelligence, driven by observations and analysis and led by a cyber threat analysis cell that focuses on specific advanced persistent threats.

They Protect Their Mission – A solid CSOC operation needs to be able to function even when its constituent assets have been compromised, and the very best ones operate in an out-of-band fashion that isolates passive monitoring systems, analytics, and sensitive data storage from the rest of the enterprise. They must also achieve near zero packet loss at designated monitoring points of presence and prevent the adversary from detecting their monitoring capabilities, whilst providing a degree of transparency and reporting to their customers in order to maintain trust and maximize impact.

Image by Andrew Davies