Gavin Coulthard, Manager Systems Engineering of Australia/New Zealand, Palo Alto Networks, said, “Many government organisations are shifting their cyber security approach by moving away from a collection of point solutions, ad-hoc entities, and processes towards a more deliberate structure. This structure is known as a dedicated Security Operations Centre (SOC) to manage and monitor a unified security architecture.”
Palo Alto Networks advises a four-step framework that forms the foundation of a new or revitalised SOC:
- Identify an executable mission. Creating a SOC should be approached the same way the organisation approaches every new project. This should include whom the SOC manager will report to and where it will be located organisationally.
- Identify the services offered. Fewer services delivered well is better than many services offered poorly. Basic core SOC services include cyber security outreach and education, cyber security incident management, and IT vulnerability management.
- Document the mission and services. Once the SOC's baseline mission and services are established, it is important to document its future growth and objectives. Two documents can assist with this: the blueprint, an operational document which describes the SOC architecture, and the roadmap, which maps the SOC's future growth and goals.
- Acquire the necessary people, processes, technology and intelligence. Once the foundational steps are completed, the organisation can acquire and develop the appropriate people, processes, technology, and intelligence to align with the mission and the services.
Gavin Coulthard said: “The sheer magnitude of government IT systems that most SOCs protect drives the need for an intelligence-centric approach. The most basic aspect of this approach is a comprehensive understanding of the specific government IT environment used to deliver services to the government agency or agencies. Likewise, an understanding of the government’s enterprise network topology, including all connections (internet, mission partners, cloud providers and vendor specifics), is needed for an understanding of attack vectors.
“In its infancy the SOC will most likely be reactive. Ultimately, though, the SOC must engage in threat identification and understanding to develop a proactive cybersecurity approach.
“Building a SOC may seem onerous but the payoff, with improved visibility, intelligence, and protection for the government in challenging times, will be well worth it.”