Cybersecurity

A Guide to CSOC

Hacks

Have you ever heard the term CSOC and wondered what kind of cyber goodness happens inside it? Keep reading this article, and you won't have to wonder anymore because it will be covered in the beginner's guide to CSOC that I have created for you.

Jul 10, 2023

CSOC stands for Cyber Security Operation Center, but it can be a bit confusing because CSOC teams can also be referred to as Computer Security Incident Response Teams (CSIRT), Computer Incident Response Centers (CIRC), Security Operations Centers (SOC), or Computer Emergency Response Teams (CERT). For the purpose of this article, we will stick to the term CSOC.

CSOC works in defense to combat unauthorized activities occurring in strategic networks. Its activities include monitoring, detection, analysis, response, and restoration. CSOC is a team of network security analysts organized to detect, analyze, respond to, report, and prevent network security incidents 24/7, 365 days a year. There are various types of CSOCs categorized based on their organizational and operational models, so let's delve deeper and take a closer look at the different types of CSOCs.

Virtual CSOC: As the name suggests, this type of operation often lacks dedicated facilities, and team members work periodically using a reactive approach to cyber threats. I believe that the reactive capabilities of virtual CSOCs cannot be sustained in the long term considering the current threat landscape, and many would agree with this opinion.

Distributed CSOC: These operations usually have several staff members located at different sites working 24/7 to manage ongoing operations. They often rely on freelancers, security service providers, and members of other departments to enhance their capabilities with specialized knowledge when needed. The distributed CSOC model can offer significant cost savings compared to dedicated CSOC models, allowing you to maintain essential security functions internally. However, it sacrifices agility, response speed, and team cohesion, which can impact effectiveness.

Dedicated CSOC: This is the best type of CSOC with dedicated facilities, infrastructure, and a team that operates as an independent unit, providing continuous security operations 24/7, 365 days a year. Dedicated CSOCs are typically used by large organizations, multinational companies, and nation-states. If you are a hacker operating in their jurisdiction, they might be your worst nightmare.

Command CSOC: Command CSOC is a specialized facility, infrastructure, and team dedicated to operating as a command and coordination unit for several regional-based CSOCs. Command CSOC works with third-party CSOC teams to coordinate incident response at a national or international level. They also collaborate with other CSOCs in terms of training, education, knowledge sharing, and joint projects. Command CSOCs are operated by defense contractors, large government entities, and military intelligence units.

What Does CSOC Do?

Typically, CSOCs perform a range of specific functions using the best technologies, practices, and processes. These functions may not be specific to individual CSOCs but are used to provide a set of specific services that involve various meta-domains and meta-disciplines. CSOCs usually provide functions such as security monitoring and auditing, incident response, threat and vulnerability management, security surveillance, auditing and training, as well as device management and security compliance. They offer services such as malware analysis, forensics, vulnerability and security intelligence, penetration testing, and security implementation and auditing. The skill sets and expertise of CSOC team members vary, and ultimately, the effectiveness of a CSOC relies on the quality of its team rather than the quantity of its members.

Where Does CSOC Operate, and Who Operates It?

Due to the core role of CSOCs, a natural environment for their operations is where constant awareness of threats has become the norm. CSOC environments are commonly found within large multinational corporations and national defense departments. However, the same cannot be said for the entire global threat space. Smaller nation-states often lack sufficient CSOC capabilities, and even large organizations in defense, finance, and utility sectors may not have dedicated CSOC capabilities. Those without sufficient CSOC capabilities often adopt a reactive mitigation and damage control approach to cyber threats, lacking proactive management and response. The problem is that reactive mitigation is not effective in the long run for various defensive scenarios. Risks must be managed proactively to secure strategic assets, and positions must be constantly reevaluated according to circumstances. Entities without sufficient CSOC capabilities that rely on reactive mitigation find themselves at a constant disadvantage in the current threat environment.

Who Provides CSOC Services?

Gartner estimates that around 15% of large organizations have established CSOCs, driven primarily by increased incident and breach risks, as well as regulatory requirements, security function consolidation, and information security program centralization. These driving factors lead Gartner to believe that by 2019, around 50% of security operations work will be performed by CSOCs through service providers or through nationally, regionally, and vertically shared security services. Currently, there are thousands of virtual CSOC operations internationally, hundreds of distributed CSOCs, and medium-sized dedicated CSOCs operating globally. There are also dozens of large CSOCs collectively categorized as command CSOCs operated by defense contractors, governments, and military intelligence units. While many smaller CSOC operations provide services to third parties, there are few large CSOCs that offer comprehensive CSOC functions and various specialized CSOC services. Some key providers include:

ITSEC Group: A Singapore-based cybersecurity provider, ITSEC is the second-largest information security company in the Asia-Pacific region. They serve clients in the financial services, banking, insurance, and natural resources industries. ITSEC holds full accreditation and certifications such as ISO 9001 for Quality Management and ISO 27001 for Information Security Management. They are also a registered penetration tester in CREST, a global accreditation body for penetration testing services, incident response, threat intelligence, and security operations center (SOC) services for their clients and partners.

Raytheon: A major U.S. defense contractor with a core focus on the production of electronic weaponry, military, and commercial equipment. Raytheon offers "cyber protection systems" globally and provides various other services, including cybersecurity academies.

BAE Systems: A British multinational company in the defense, security, and aerospace sectors. BAE Systems operates globally with its headquarters in London. It is the third-largest defense company with revenues of £17.79 billion and 82,000 employees worldwide. BAE Systems provides "Advanced and National Level CSOC Operations" to nation-states, government institutions, and law enforcement agencies.

Thales Group: A French multinational company that provides services to the aerospace, defense, transportation, and security industries. Thales has revenues of €14.9 billion and 64,000 employees worldwide. They offer "managed security services" globally, including CSOC services with a focus on cyber defense.

Deloitte: A multinational professional services company with operational headquarters in New York City, Deloitte is one of the "Big Four" accounting firms with revenues of over US$38.8 billion, more than 263,900 employees, and the largest client base among the FTSE 250 companies. They operate a global CSOC network and provide "cyber risk services" to enhance security, awareness, and resilience.

These five organizations have similarities in their approach to operating their CSOCs, although they may use different terms to describe the types of work they do. They follow internationally agreed-upon best practices for processes, operations, and security.

What Are the Characteristics of an Effective CSOC?

They have authority: CSOCs without authority spend more time dealing with political conflicts than producing effective operational impacts. They need a clear statement of authority from executive leadership, written policies granting permission for their existence and resource usage, and strong internal policies to function effectively as a CSOC.

They focus on quality: People are the most critical element of cybersecurity, and determining the right number of operators to employ can be challenging. What matters most is the quality of the operators, so specific policies, compensation schemes, and support mechanisms should be established to attract and retain high-quality staff and to mitigate the effects of the employee turnover common in the cybersecurity industry.

They exercise data discretion: There is a balance to strike when collecting data that can help identify red flags. Collecting too little data may hinder visibility, while collecting too much can bury red flags in noise. It's important to collect the right amount and from the right sources, and a pragmatic operational approach can help prioritize resources.

They work smart: A good CSOC needs to determine its priorities and focus on important tasks effectively. It can be difficult to determine which responsibilities to take on and to what extent, but as CSOCs mature, they learn from failures and successes, adapting to new roles on the journey to operational excellence.

They maximize technology value: Newly established CSOCs should make sure their technology purchases stay relevant: aligned with the needs of their constituents, built for longevity, and informed by operator feedback. Dedicated resources should be allocated to sustainable tool improvements and to integrating those tools into a coherent architecture and workflow.

They are savvy consumers: Newly established CSOCs must continuously adapt their techniques, tactics, and procedures to respond to the ever-changing threat environment. This proactive approach involves using cyber threat intelligence driven by focused observation and analysis of specific, sophisticated, and persistent threats.

They protect their mission: A solid CSOC operation must be able to function even when constituent assets are under attack. The best CSOCs operate in an out-of-band mode that isolates passive monitoring, analytics, and sensitive data storage from the entire organization. They should achieve near-zero packet loss at designated monitoring points of presence (PoPs) and avoid detection of their monitoring capabilities by adversaries while providing transparency and reporting to their customers to maintain trust and maximize impact.

If you need to utilize CSOC services, feel free to come and discuss with our team. We operate advanced CSOC facilities from our command center in Jakarta, Indonesia, managed 24/7 by highly experienced cybersecurity professionals overseeing cybersecurity for some of the world's largest organizations.
