Secursat: the guidelines for the design of a Security Operation center

The approach to follow in the design of a SOC conceived as a hub of technological governance


A Security Operations Center (SOC) can be the heart of security management and can be conceived and designed as a place for collecting data and information useful for the protection of the business, as well as for company management, to guide choices and decisions. An increase in the monitored perimeter does not always bring a corresponding increase in the resources available to manage it, so the technology must be chosen with an eye to the future and to possible changes in the scenario. Alessio Cino, security project & design account within the Secursat Business Development team, shares the approach to be followed in the design of a SOC conceived as a technological governance hub.

The structure, the shell, the protection systems, the integration and management platform(s), resources and workstations: these are broadly the choices that companies face when designing a Security Operation Center (SOC), or, as defined by the UNI CEI EN 50518:2020 standard, an Alarm Receiving Center (ARC). In detail, the reference legislation regulates and guides companies in the choice of infrastructural and technical characteristics, alarm systems and power supply, as well as in the operating methods through which alarms and signals must be managed, in order to create a place that is suitable, and certifiable, for the management and monitoring of safety and security systems.

According to Secursat, the need to comply with these guidelines must be guided by an integrated approach whose objectives are not only security but management in general, in order to follow the path of digitalization and innovation in process management already widespread in organizations. The response to the pandemic has, in fact, made even more evident the need to accelerate the adoption of lean and effective process management methods, and of systems capable of collecting data and timely information to overcome uncertainty and stabilize the business through a "smarter" company and, in our case, also through "smarter" security.


Intelligent security according to Secursat, in this phase, implies more than the adoption of new technologies, the revamping of systems in the field or the search for new products: it implies a radical change of direction in the management of security processes, rethinking the Security Operation Center as the key place in systems management. The SOC must therefore be designed to be agile, resilient and capable of continually changing: not a rigid structure based on control, but a place for the dynamic management of security and safety events and of technical and operational reports.

The objective is therefore to design an "ARC" that can be certified in accordance with the legislation, where necessary, leaving behind the traditional concept of generic alarm management by security guards, and instead designing a strategic SOC where, through technical, security and analysis skills, it is possible to monitor and manage, on the one hand, technological and operational reports and activities related to the IT infrastructure (network, systems and applications) and, on the other hand, security and safety events and information, to guarantee the protection of sites, assets and company people or customers.

According to this approach, the SOC becomes not only the place to monitor events and situations in real time, but also a data and information collection center useful for anticipating risk evolution scenarios, studying systems automation models, and providing answers to optimize resources and improve the effectiveness of activities. Adopting a different security management model through the SOC can help small and large organizations to mitigate risks, automate routine activities through human + machine models, and also reduce the costs traditionally associated with extra activities, reviewing the role of security in the business organization.

First phase. To implement this model, according to our approach, used both in the design of our certified Security Operation Centers and in projects to support the design of SOCs or the choice of platforms by our customers, it is first necessary to start from an analysis of capacity. Our team starts from the analysis of the data relating to the reports of the systems present in the field, classifying them and studying their behavior, and also analyzes and understands the type of sites to be connected, to get out of the misconception that a greater number of sites and links must necessarily lead to increased investment in resources. Thanks to a mix of analysis skills, traditional systems techniques and IT, the Secursat team therefore helps to understand the best technological choices and defines the road-map to remodel the characteristics of the integration platforms. The goal is to allow advanced monitoring of systems and reports with a direct impact on the reduction of costs associated with extra activities, as well as to standardize the event management model, classifying events by type, so as to have data to provide to management for monitoring KPIs and processes.

Second phase. Another, no less important aspect concerns the SOC's ability to guarantee business continuity in the management of activities, as well as backup and disaster recovery, all activities that proved to be strategic especially during the pandemic, when the SOC, in our case, became the place from which to continue ensuring the operational continuity of our customers remotely. Our team, in parallel with the infrastructural and platform choices, contributes to rethinking the network infrastructure and connection models, based on cloud-based solutions and looking at international security standards, and also includes evaluations relating to the protection of the servers and hardware equipment necessary to ensure the proper functioning of the SOC and the security of the information processed.

Third phase. Lastly, when thinking about the creation of a SOC, it is necessary to analyze the necessary resources and skills, and to define procedures and rules of behavior for people as well as systems, in order to guarantee on the one hand compliance with company procedures and on the other hand the discretion of operators. Following the path traced in the design of a SOC, according to Secursat, thinking about resources in an innovative way means abandoning traditional top-down decision-making processes and forming teams with a mix of technical and technological skills, relating to the most widespread security and safety systems on the market, to monitor events but also manage operational reports, together with security and analysis skills for the use of platforms useful for monitoring international scenarios, such as company travelers or customers. The SOC should therefore be staffed by empowered teams with clear objectives and rules in the management of systems, guided and supported by data and technology, according to an end-to-end logic, for greater and better speed of response and management. In this sense, the Secursat team helps to define the methods of implementation of the systems management, travel security, localization platforms, etc., and the methods of their use by the operators. The goal is to ensure that event management in turn guarantees rapid responses, providing for the training of resources, identifying new talents and skills capable of responding to the needs of event management, and supporting them in the start-up of the project.


In conclusion, the guidelines briefly outlined define a model where investments in technology, and in the methods of its application, guarantee a real reduction in fixed costs and extra activities, favoring the quality of human resources over quantity. According to this approach, the SOC becomes a place to monitor risks related to business continuity, manage sudden changes in needs, make real-time decisions by predicting and mitigating security risks, and provide useful data and information to the entire organization, thanks to a set of technologies and skills that guarantee a good reaction to crises today and that will also be useful in the near future for a real resilience capacity on the part of security.

A design that follows the needs and regulations currently in place, while at the same time trying to foresee a definitive breaking point where the dividing line between physical and virtual security will be completely intangible, laying the foundations for the future evolution of our "traditional" monitoring centers into a Network Operation Center (NOC) or Global Security Control Room (GSCR) capable of overcoming territorial boundaries, synchronizing physical-security needs with IT ones and adopting machine-learning logics.