Cyber Ops Must Evolve Toward Fusion Centers. Here Is Why.
Since the space missions of the 1960s, every child has understood that a mission's success depends not only on the astronauts but also on the engineers in the mission operations center.
Every complex mission or operation carries high risk and is subject to failure, and those failures are hard to predict. Operations centers therefore play an essential role: they respond to failures in real time and limit their impact on the mission.
Operations centers in the information technology world keep IT and network operations up and running. Information security (InfoSec) and security operations centers (SOCs) play a similar role. As Rick Howard summarizes in his Cybersecurity First Principles, the goal of security operations is to “reduce the probability of material impact to my organization due to a cyber event.”
In my last 15 years in the InfoSec domain, I have learned that most mature cybersecurity organizations are driven not by their architecture or engineering groups but by their cybersecurity operations group.
A Quick History of Security Operations
SOCs emerged from Network Operations Centers (NOCs), which originally handled IT security monitoring alongside network operations. At the same time, organizations created separate groups such as Computer Emergency Response Teams (CERTs), focused on security incident response and forensics, or Cyber Defense Centers (CDCs), focused on threat analysis and assessment. Whatever operational groups were created, every organization had to face two realities.
First, a SOC cannot prepare for every conceivable threat, so InfoSec leaders must limit the SOC's focus to threats actually observed in the wild. Second, when different groups own monitoring, incident response, analytics, and forensics, collaboration and the exchange of expertise suffer, and ultimately so does incident response time. So, what's next?
(Figure: Evolution of Cyber Operations)
SOC Value-add in the Next Decade of Challenges
SOCs will face key challenges in the next decade. Their success depends on their adaptability to the following trends:
- Nearly every business is susceptible to cybercrime. As industries and business processes digitize, cyber-enabled crime and fraud become ubiquitous. In many industrialized nations, cybercrime has overtaken traditional crime, because it offers the criminal a far more attractive risk/reward profile.
According to the Verizon Data Breach Investigations Report 2020, 86% of breaches were financially motivated. InfoSec leaders and SOCs therefore must expand their focus beyond IT and integrate with the individual business departments where that money is at risk.
- Integrating security in the production phase is too little, too late. Public cloud environments and DevOps have changed the way organizations run centralized functions like quality assurance and security operations.
Security therefore must be built-in as early as possible in the development life cycle, embracing principles like Shift Left and Security by Design. Unfortunately, most SOCs still haven’t figured out how to talk to DevOps.
- Automation will revolutionize cybercrime and fraud. Cybercriminals already use automation to steal money from online banking customers at scale, whether through phishing or by encrypting victims' disks and demanding payment.
What happens when cybercriminals apply the same automation to targeted attacks against organizations? If the 2017 NotPetya outbreak, destructive malware disguised as ransomware, is any indication, we are in big trouble. Can a traditional SOC, with humans triaging alerts, compete with an attacker's ability to take over tens of thousands of devices in minutes?
The traditional, centralized SOC will struggle to deliver value in light of these trends. We need a new model. A cyber fusion center might be the solution.
The Concept of a Cyber Fusion Center
A cyber fusion center advances the SOC strategy. It encompasses the SOC but also physical security, anti-fraud management, IT operations, and other functions. The fusion center concept originated in the U.S. law enforcement community after the September 11 terrorist attacks: analysts from several agencies were co-located in numerous fusion centers so they could exchange information more effectively and efficiently.
Large U.S. banks were the first adopters of this approach. InfoSec leaders learned that large-scale cyber heists like the 2016 Bangladesh Bank robbery, carried out through fraudulent SWIFT payment messages, could have been avoided or at least mitigated by a more integrated exchange of information. Some banks responded by embedding liaison officers from transaction monitoring in their cyber operations units.
Fusion centers can provide value for any sized company in just about every industry. Let’s take a look at some examples.
- Finance: The finance industry learned the hard way that sharing information between multiple groups is key. Internet-facing ATM compromises, SWIFT transaction manipulation, and insider espionage around M&A deals are just a few examples.
Nowadays, a bank is a technology company, and it often has 10 or more operational groups with few interfaces between them and no shared platform or mechanism for collaboration. Bringing the SOC, transaction monitoring, anti-fraud, and physical security groups together could be a big benefit for the bank's overall risk management and operations.
- Energy: Anybody who has read Marc Elsberg's Blackout understands what is at stake when the power grid is impacted. Ukraine, for example, experienced two cyber-enabled blackouts, in December 2015 and December 2016. In this sector, SOCs and operational technology (OT) monitoring teams must be integrated.
- Transportation: Nobody wants to ride in a hacked plane, car, train, or ship. Given the networked architectures of modern powertrain, navigation, and other transportation systems, the InfoSec, operations, and physical security departments must be deeply integrated.
Incorporate DevOps Into a Fusion Center to Turboboost Your Cybersecurity Operations
DevOps, the merger of development and operations, has applied fusion center principles for some time, with better collaboration, resilience, and time to market as the result. InfoSec leaders would therefore be well served to adopt this model. DevOps also offers a more proactive approach to both resilience and threat management by combining threat intelligence with monitoring, so that intelligence drives what is watched and how alerts are handled.
Cross-team, data-driven questions such as "is this blocked transaction related to last week's bank breach?" not only enhance a fusion center's situational awareness but also help design, or even automate, better playbooks for business teams.
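The question above is answerable only if fraud-monitoring data and SOC indicators can be joined. The following script is an added example, not code from the original article or from any bank: it takes blocked-transaction records from a (hypothetical) transaction-monitoring system and the indicators a (hypothetical) SOC collected during last week's phishing investigation, and emits one enriched alert per transaction that can be tied to the campaign. All field names are assumptions, and the IP addresses, device fingerprints, and records are constructed sample data using documentation address ranges.

```python
"""Fusion-center correlation: link blocked transactions (fraud team) to SOC indicators.

Added example with constructed data. Field names such as src_ip, device_id and
first_seen are assumptions, not a real product's schema.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed SOC indicators from a hypothetical phishing campaign investigated last week.
# Addresses are from RFC 5737 documentation ranges, not real infrastructure.
SOC_INDICATORS = {
    "ips": {"203.0.113.7", "203.0.113.9"},   # login sources seen in the phishing kit logs
    "cidrs": {"198.51.100.0/25"},            # hosting range used by the campaign
    "device_ids": {"dev-4f2a"},              # browser/device fingerprint reused by the attacker
    "first_seen": datetime(2020, 6, 1),      # campaign start; earlier hits must not be attributed
}

# Constructed blocked-transaction records as a fraud-monitoring system might export them.
BLOCKED_TRANSACTIONS = [
    {"txn_id": "T1001", "ts": "2020-06-03T10:15:00", "src_ip": "203.0.113.7",
     "device_id": "dev-9999", "amount": 4800.00, "account": "ACC-1"},
    {"txn_id": "T1002", "ts": "2020-06-04T11:00:00", "src_ip": "192.0.2.44",
     "device_id": "dev-4f2a", "amount": 120.00, "account": "ACC-2"},
    {"txn_id": "T1003", "ts": "2020-06-04T12:30:00", "src_ip": "198.51.100.20",
     "device_id": "dev-1111", "amount": 9500.00, "account": "ACC-3"},
    # Predates the campaign: same IP, but attributing it would be a false link.
    {"txn_id": "T1004", "ts": "2020-05-20T09:00:00", "src_ip": "203.0.113.9",
     "device_id": "dev-2222", "amount": 50.00, "account": "ACC-4"},
    {"txn_id": "T1005", "ts": "2020-06-05T08:00:00", "src_ip": "192.0.2.99",
     "device_id": "dev-3333", "amount": 75.00, "account": "ACC-5"},
]


def match_reasons(txn, indicators):
    """Return the reasons a transaction matches the SOC indicators ([] if none).

    The time check comes first so an indicator observed in week N is never used
    to explain a transaction from week N-2.
    """
    if datetime.fromisoformat(txn["ts"]) < indicators["first_seen"]:
        return []
    reasons = []
    ip = txn["src_ip"]
    if ip in indicators["ips"]:
        reasons.append(f"src_ip {ip} is a campaign IOC")
    addr = ip_address(ip)
    for cidr in indicators["cidrs"]:
        if addr in ip_network(cidr):
            reasons.append(f"src_ip {ip} is inside campaign range {cidr}")
    if txn["device_id"] in indicators["device_ids"]:
        reasons.append(f"device {txn['device_id']} was seen in the campaign")
    return reasons


def correlate(transactions, indicators):
    """Return one enriched alert per blocked transaction linked to the campaign."""
    alerts = []
    for txn in transactions:
        reasons = match_reasons(txn, indicators)
        if reasons:
            alerts.append({
                "txn_id": txn["txn_id"],
                "account": txn["account"],
                "amount": txn["amount"],
                "reasons": reasons,
                # Hypothetical joint playbook; the point is that both teams act on one alert.
                "playbook": "fraud: contact customer and block device; soc: block IOC at perimeter",
            })
    return alerts


def affected_accounts(alerts):
    """Accounts the fraud team must review, deduplicated and sorted."""
    return sorted({a["account"] for a in alerts})


if __name__ == "__main__":
    for alert in correlate(BLOCKED_TRANSACTIONS, SOC_INDICATORS):
        print(alert)
```

Of the five blocked transactions, three are linked to the campaign (by exact IP, by device fingerprint, and by hosting range); the pre-campaign hit on a matching IP is deliberately excluded, because a timeline check is what separates a defensible link from a coincidence when the alert is handed to business teams.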
(Figure: Cyber Fusion Center)
Most operational teams already share several capabilities and technologies, such as detection hygiene and prevention controls, SLA and KPI management, and automation of response playbooks. Turning these into shared services could standardize the way a SOC or fusion center is organized and dramatically increase the organization's hygiene and resilience.
Unfortunately, a blueprint for a cyber fusion center doesn't exist yet. You can start the transformation in small steps, by embedding liaison analysts from other functions in your SOC, or go big and merge all operational functions into one unit.
In the end, it's important to define your success criteria first and measure them frequently. Just as a space operations center tracks risks and failures before a rocket launch and throughout the mission, we have to measure our cyber resilience against the adversary, whether the threat is a cyberattack or cyber-enabled fraud, blackmail, or a social-engineering lure.