Securing the Security Operations Centre (SOC)
According to National Cyber Security Centre (NCSC) guidance, a secure SOC protects itself:
A SOC exists to help manage your risks more effectively, which means the SOC itself must be protected adequately. A SOC must have mechanisms, processes and procedures to ensure that it can protect itself against threats comparable to those being faced by its customers. This includes protecting the service itself, and also the data within it.
The compromise of a security operations infrastructure could have a disabling effect on an organisation’s cyber defences. Where the value to an adversary is high, such as in multi-tenancy operations centres, the level of sophistication and stealth that adversaries employ may be correspondingly high.
With many SOC environments based in large part on browser-based access to platforms and tools, the opportunity exists to adopt a simplified and locked-down endpoint and network architecture. Such an architecture can provide a high degree of assurance in the ongoing integrity of the monitoring environment, enforce separation of duty between doers and viewers, and remove the possibility of event data leaving a defined customer boundary.
A ‘Zero Trust’ network architecture can provide a compelling and robust approach to ensuring ongoing confidence in both analyst authenticity and platform integrity. The Zero Trust network model places trust only in authenticated users, using devices that can demonstrate they are healthy, and provides granular access control to the specific services each user needs. The concept is most easily applied to greenfield IT environments or enclaves where security is at a premium, such as SOC environments.
Zero Trust networks can be readily built using open standards, such as the Trusted Platform Group remote attestation protocol for end user device integrity, and standard authentication protocols for both device and user identity and service access control (e.g. SAML).
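As an added illustration (not Becrypt's or Paradox's code) of how the three Zero Trust checks above combine into a single access decision, the policy engine below requires a fresh, genuine attestation quote whose measurements match the enrolled golden image, an authenticated user with a known role, and a role that is permitted to reach the requested service. Device names, PCR values and roles are constructed, and an HMAC over the quote stands in for the TPM signature so the example runs offline.

```python
import hashlib
import hmac

# Constructed stand-in for each enrolled device's attestation key. A real TPM
# quote is signed by a key certified at enrolment; HMAC keeps this runnable offline.
DEVICE_KEYS = {"soc-ws-01": b"enrolled-key-ws-01", "soc-ws-02": b"enrolled-key-ws-02"}

# Golden PCR measurements recorded at enrolment for the locked-down SOC image (constructed).
GOLDEN_PCRS = {0: "a1" * 32, 7: "b2" * 32}

# Granular access: which SOC services each role may reach (separation of duty).
ROLE_SERVICES = {
    "viewer": {"dashboard:read"},
    "doer": {"dashboard:read", "rules:write"},
}

def quote_digest(pcrs, nonce):
    """Bind the verifier's nonce to the reported PCR values so a quote cannot be replayed."""
    h = hashlib.sha256(nonce)
    for idx in sorted(pcrs):
        h.update(f"{idx}:{pcrs[idx]}".encode())
    return h.digest()

def sign_quote(device_id, pcrs, nonce):
    """Device side: produce the (stand-in) signature over the quote digest."""
    return hmac.new(DEVICE_KEYS[device_id], quote_digest(pcrs, nonce), "sha256").digest()

def device_is_healthy(device_id, pcrs, nonce, signature, expected_nonce):
    """Verifier side: known device, fresh nonce, genuine signature, measurements match golden."""
    if device_id not in DEVICE_KEYS or nonce != expected_nonce:
        return False
    if not hmac.compare_digest(signature, sign_quote(device_id, pcrs, nonce)):
        return False
    return all(pcrs.get(i) == v for i, v in GOLDEN_PCRS.items())

def authorise(user, role, device_id, quote, expected_nonce, service):
    """Zero Trust decision: authenticated user + healthy device + role permits the service."""
    if not user or role not in ROLE_SERVICES:
        return "deny: unauthenticated user or unknown role"
    if not device_is_healthy(device_id, quote["pcrs"], quote["nonce"], quote["sig"], expected_nonce):
        return "deny: device attestation failed"
    if service not in ROLE_SERVICES[role]:
        return "deny: role not permitted for service"
    return "allow"

if __name__ == "__main__":
    nonce = b"fresh-nonce-1"
    quote = {"pcrs": dict(GOLDEN_PCRS), "nonce": nonce, "sig": sign_quote("soc-ws-01", GOLDEN_PCRS, nonce)}
    print(authorise("alice", "viewer", "soc-ws-01", quote, nonce, "rules:write"))
```

A device whose boot measurements drift from the golden image, or that replays an old quote under a new nonce, is denied before any role check is reached, which is the property that lets the platform "watch the watchers".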
Employing such standards within its Paradox end user device product platform has allowed Becrypt to provide high assurance endpoints into government and private sector environments that need a high degree of protection. The architecture employed ensures that devices remain in a known healthy state, and a security-focused operating system provides high-value, low-volume security event information, giving high confidence to those who need to watch the watchers.
For practical advice on securing the SOC or to find out more about Paradox please get in touch.