Copyright © 2018, C2 Cyber Ltd C2 Cyber WP001 ver 1.0

15 August 2018

Mission & Desired

Outcomes

Capability Concept of Operations

Phasing & Roadmap

Target Operating Model &

Organisational Design

Processes & Skills

Platform & External Services

Operational Stability

Continuous Improvement

Security Operations Excellence

C2C2

“When everything is quiet, how do you know whether it is because you are safe, or if the team is looking in the wrong direction?”

Security Operations Excellence How to achieve efficiency, consistency and value in SecOps, making it the centre of cyber security and an enabler for digital transformation.

Cyber threats are here to stay. Business has transformed over the last few decades to benefit from digital technology, and the bad forces of the world that have always existed are simply re-sponding with similar transformation. Bad people have not changed. They are still trying to achieve largely the same aims. They are just using a different set of tools to do it.

It is not sufficient to rely solely on preventing attacks, and the most determined hackers and ma-licious insiders will always be able to find a way around the defences. For this reason it is essential that an organisation also invests in capabilities to detect attacks, respond to them, and recover from the impact. This is where Security Operations fits in.

Security Operations (or SecOps) exists in an ambiguous world; it doesn’t know precisely what to look for, but recognises it must be vigilant nonetheless; when all is quiet, it doesn’t known whether this is because all is safe, or if it is looking in the wrong direction. By definition is an operational challenge, which demands strong cohesion across the best of people, process and technology.

Because of this ambiguity, many organisations struggle to elevate SecOps from being a tactical function delivering limited value. This misses the opportunity to create a strategic capability that acts as an engine for responsive and aligned security. This has prompted C2 Cyber to develop Se-curity Operations Excellence. It distils extensive experience both with in-house SOCs and out-sourced Managed Security Services to create a comprehensive approach to SecOps. Security Op-erations Excellence enables organisations to achieve that strategic vision.

Security Operations Excellence is oriented around the desired outcome, and it is tailored ac-cording to the specific needs of the client. It doesn’t try to present a one-size-fits-all solution, be-cause what is appropriate for a FTSE 100 global manufacturer is unlikely to be relevant to a mid-cap regionally based services company.

This paper serves to introduce C2 Cyber Security Operations Excellence, and provides guidance on how to build the right foundations. Future papers will look at other elements of the model and the outcomes that they deliver.

C2 Cyber believes that Cyber Security should be understood by the business; have the consent and participation of the business; and support the business in achieving its objectives with security as an enabler. Security Operations is at the heart of this, and Security Operations Excellence provides a way of achieving it. It can deliver transformation and change, catalysing sound and informed de-cisions, and allowing the business to focus on executing its core strategy.

Executive Summary

www.c2cyber.com WP001 Ver 1.0 15 Aug 2018

C2 Cyber SOE — Deliver efficiency, consistency and value in SecOps

3

No matter how strong an organisation’s defences are, they will never be able to stop all determined hackers or malicious insiders. This is why NIST1 created a Cyber Security Framework (NIST CSF https://www.nist.gov/cyberframework) that recognises that in addition to Identify and Protect against threats it is also necessary to Detect, Respond and Recover from attacks. This is the basis for Security Operations.

What can SecOps achieve?

Security Operations goes under many names and ac-ronyms including SOC, CSIRT, CDC, CDOC, CDO, and ASOC to name a few. At C2 Cyber we prefer to use the simple term “Security Operations”, or SecOps for short. It is neither a point solution, nor a single stove-piped team. It is an outcome. It is the act of manag-ing the security of information, systems and services while they are operational.

Figure 1 shows what SecOps can contribute across all aspects of the NIST CSF. Sadly, the actual result fre-quently fails to live up to this potential. This doesn’t just undermine security, but also forgoes most of the potential benefits that could be returned from what is usually a significant investment.

What is involved in delivering these outcomes?

We use the contextual model (figure 2) to describe what SecOps is trying to achieve, and the challenges involved. At its core it is about detecting security inci-dents, and then remediating them; this is the decision-action cycle of Predict-Detect-Decide-Act. Whilst

simple in appearance, it requires a lot more to be effective.

Operations need direction so that it can decide which incidents are critical to the business, and which can be left until resources become available. It needs to gain insight and learn from experience, improving the effi-ciency of its operations, and building the body of knowledge. It also needs to provide this insight to the business, increasing the organisation’s understanding of changing risks and how to reduce them. The sup-porting tools need to remain continuously configured and aligned with the direction and knowledge.

Context is key

To be effective SecOps needs to understand and in-fluence the business, threat and technology environ-ments. The business environment will be shaped by strategy, objectives, activities, resources and priori-ties. The threat environment is determined by the

C2 Cyber’s vision for Security Operations

S ecOps needs to understand

context and be able to influence

the environment

Figure 2 : SecOps Contextual Model

Business

Technology

C2

Identify Protect Detect Respond Recover

Technology led focus on detect ion

Detect , priorit ise, invest igate,

understand and plan

Coordinate, measure, assess, and

monitor for recurrenceAssess and improve

Evidence st rategy, inform

on change

The full potent ial

The common reality

Figure 1 : The outcomes that SecOps can deliver

1 The National Institute of Science and Technology (NIST) is the agency of the US Department of Commerce that was established to promote innova-tion and industrial competitiveness. Its Cyber Security Framework is widely recognised as one of the standards used to manage cyber risk and security.

www.c2cyber.com WP001 Ver 1.0 15 Aug 2018

C2 Cyber SOE — Deliver efficiency, consistency and value in SecOps

4

motivations, methods, tactics and capabilities of the attackers. The technology environment defines the ground being defended; it is described by the charac-teristics of current and future systems, networks, as-sets and services that the business is employing, their vulnerabilities, and what they contribute to. These three contexts will all be subject to constant change and evolution.

Scope can be broad, and demands cohesion

The SecOps capability framework (figure 3) that we use illustrates how broad the scope can be. Not all businesses will need all of the capabilities. Also, some may already exist elsewhere in the enterprise outside of the security function, and others may be out-sourced to 3rd party service providers. But all should be considered, and some are essential. This requires a structured approach to be conducted in a controlled and objective way, with investment justified by busi-ness need. This is why we have developed Security Operations Excellence , to help our clients achieve the best, regardless of the scale of their SecOps ambi-tions.

SecOps, like a medical operating theatre, requires a highly drilled team of capable people. Good technol-ogy is essential but it should take a supporting role, as opposed to a leading one. True success is achieved by

the participants being expert in their own roles, and confident in the other systems, services, and team members that they are depending on. This way they can concentrate more of their capacity on preventing harm impacting on their business, without having to work out who is meant to be doing what.

Having seen at first hand the benefits of good imple-mentations, as well as the challenges and mistakes that are frequently made, we have developed a unique framework for delivering and sustaining value in Security Operations. An illustration of it can be seen in Figure 4, with a brief description of each seg-ment. Each is underpinned by proven approaches and processes.

It can be employed irrespective of whether capability will be built in-house, outsourced, or delivered as a hybrid of the two.

SOE is effective across all scales of ambition

It can be tailored to any type of SecOps business need. It is relevant for a medium-sized business im-

plementing security monitoring for the first time, per-haps as a result of EU GDPR and other regulations, and wants to maximise the benefits returned. It is similarly suited to a global FTSE 25 looking to trans-form existing capabilities. It can also be applied effec-tively to a Managed Security Services Provider (MSSP) that wants to differentiate market offerings, maximise value to customers, and minimise delivery cost.

Our Security Operations Excellence (SOE) framework is built on extensive experience building, reviewing and optimising SecOps functions across a broad range of clients. Over the last ten years many differ-ent approaches have been taken, some have worked, and some have led to confusion, frustration and dis-appointment. This expertise is enhanced by the les-

The Security Operations Excellence framework

S ecurity Operations Excellence enables our clients to benefit from experience and

good practice, and to avoid the mistakes that others have made in the past

Content

Engineering

Threat

Intelligence

Post Incident

Review

Alert

Detect ion

Incident

Management

Trend

Analysis

Technology

Environment

Change

Technology

Environment

Conf igurat ion

Alert TriageIncident

Invest igat ion

Forensics

Invest igat ion

Vulnerability

Assessment

Penetrat ion

Test ing & Red

Teaming

Vulnerability

Remediat ion

Malware

Analysis

Business

Context

Sent iment

Analysis

Corporate

Crisis

Management

Attack

Hunt ing

Incident

Response

Plat form

Engineering

& Support

Insider

Vulnerability

& Threat

Risk

Management

Report ing

Future

SecOps Plans

& Change

C2

Figure 3 : SecOps Capability Framework

www.c2cyber.com WP001 Ver 1.0 15 Aug 2018

C2 Cyber SOE — Deliver efficiency, consistency and value in SecOps

5

Devel

op

pla

n f

or

kno

wle

dge c

aptu

re,

man

agem

en

t an

d

exp

loit

atio

n.

Id

enti

fy p

ote

nti

al f

or

tech

en

able

men

t.

Evo

lve

cap

abili

ty s

cop

e a

nd

serv

ices.

T

rack

mar

ket

devel

op

men

ts a

nd

o

pp

ort

un

itie

s.

Def

ine b

enef

its

and

iden

tify

ad

dit

ion

al

con

trib

uti

ng t

hir

d p

arti

es.

Art

icu

late

wh

at w

e a

re t

ryin

g t

o a

chie

ve.

A

gre

e t

he b

usi

ness

o

utc

om

es

and

ob

ject

ives

. D

efi

ne t

he s

cop

e a

t o

uts

et

and

m

ediu

m t

erm

asp

irat

ion

s.

Exp

lore

sce

nar

ios

for

evo

luti

on

in

th

e l

on

g t

erm

. D

evel

op

th

e b

usi

ness

cas

e f

or

inves

tmen

t.

Def

ine a

nd

imp

lem

ent

core

an

d c

on

tin

gen

t p

roce

sses

. D

efin

e

role

s an

d r

ecr

uit

. E

stab

lish

tra

inin

g r

eq

uir

em

en

ts a

nd

p

rogr

amm

es.

E

vo

lve

pro

cess

es

and

ski

lls w

ith

mat

uri

ty a

nd

p

latf

orm

evo

luti

on

. E

stab

lish

car

eer

path

s.

Def

ine o

pera

tin

g m

od

el a

nd

ho

w it

in

terf

aces

wit

h o

ther

part

s o

f th

e s

ecu

rity

, IT

an

d b

usi

ness

en

terp

rise

. D

evel

op

o

rgan

isat

ion

al d

esig

n.

Est

ablis

h r

eso

urc

e m

od

el w

ith

p

aram

ete

rs t

o p

red

ict

scal

e.

Defi

ne h

ow

ou

tso

urc

ed

serv

ices

will

be

con

sum

ed?

Meas

ure

op

era

tio

nal

eff

ect

iven

ess

an

d

eff

icie

ncy

. I

den

tify

was

te a

nd

fai

lure

m

od

es.

Dri

ve i

mp

rove

men

ts.

Id

enti

fy a

nd

m

itig

ate o

pera

tio

nal

ris

ks r

ela

ted

to

co

nsi

sten

cy a

nd

co

hes

ion

. O

pti

mis

e w

ays

of

wo

rkin

g a

nd

en

ablin

g t

ech

no

logy.

Dete

rmin

e f

un

ctio

nal

an

d n

on

-fu

nct

ion

al

req

uir

emen

ts f

or

enab

ling

tech

no

logy

an

d

pro

cure

d s

erv

ices.

C

on

du

ct v

end

or

sele

ctio

n.

Desi

gn a

nd

im

ple

men

t te

chn

ical

an

d s

ervi

ce a

rch

itec

ture

s.

Man

age

evo

luti

on

th

rou

gh

lif

e.

Iden

tify

cap

ab

iliti

es

req

uir

ed

to

ach

ieve t

he

mis

sio

n a

nd

ou

tco

mes.

E

stab

lish

ho

w

cap

ab

iliti

es

wo

rk t

ogeth

er,

an

d w

hat

ext

ern

al

fun

ctio

ns

they i

nte

ract

wit

h.

Sele

ct c

ap

ab

ility

so

urc

ing m

od

el

(in-h

ou

se,

ou

tso

urc

ed

, co

-so

urc

ed,

hyb

rid

).

Defi

ne V

1 s

cop

e.

Est

ab

lish

pro

gra

mm

e o

f w

ork

acr

oss

peo

ple

, p

roce

ss,

tech

no

logy,

go

vern

an

ce,

infr

ast

ruct

ure

etc

. D

evelo

p

road

map

to

evo

lve

futu

re v

ers

ion

s o

ver

ti

me.

Id

en

tify

cap

ab

ility

mile

sto

nes

an

d

meth

od

of

val

idati

on

..

Se

curi

ty

Op

era

tio

ns

Ex

cell

en

ce

C2

Mis

sio

n &

D

esi

red

O

utc

om

es

Cap

ab

ility

C

on

cep

t o

f O

pe

rati

on

s

Ph

asi

ng

&

Ro

ad

map

Targ

et

Op

era

tin

g M

od

el &

O

rgan

isati

on

al

De

sign

Pro

cess

es

&

Ski

lls

Pla

tfo

rm &

E

xte

rnal

Se

rvic

es

Op

era

tio

nal

Sta

bili

ty

Co

nti

nu

ou

s Im

pro

ve

men

t

Fig

ure

4 :

C2

Cy

be

r’s

Se

curi

ty O

pe

rati

on

s E

xce

lle

nce

Fra

me

wo

rk

www.c2cyber.com WP001 Ver 1.0 15 Aug 2018

C2 Cyber SOE — Deliver efficiency, consistency and value in SecOps

6

Q1 : What are we trying to achieve?

Often the shortcomings in SecOps implementations start from the outset with a lack of defined objectives. This doesn’t just undermine the design and imple-mentation. It also limits the effectiveness of service improvement during operations. The question “What are we trying to achieve?” may sound simplistic, but it

must be answered at the outset. It isn’t a particularly onerous exercise, but will benefit if the discussion in-volves a broad set of stakeholders.

The question should cover the objectives, target out-comes and desired benefits that SecOps is attempt-ing to deliver. This defines the mission for the organi-sation, and sets the overarching scope. It also sets the bar against which performance can be measured,

yGetting the foundations right There are four questions that should be answered at the outset before delivering a new SecOps function or transforming an existing one

sons of the past, running a Managed Security Services business for several years. The aim of Security Opera-tions Excellence is to enable our clients to benefit from experience and good practice, and avoid the mistakes that others have made in the past.

Different clients will need to focus in different areas of the framework depending on their circumstances, maturity and aspirations. There are also interdepend-encies between different segments. When combined with other tools such as our capability framework, it brings structure and discipline, ensuring the outcome

delivers value from the outset, and sustains it in oper-ations.

The remainder of this document focuses on how the framework can be applied to get the foundations right, what it delivers, and how it can help to reduce risk and maximise benefits.

Security Operations offers significant value that can be delivered; we believe it is worth applying a bit of structure and rigour, and a good dose of pragmatism, to make sure this happens.

Achieving Excellence when outsourcing Security Operations

Some readers may feel that Security Operations Excellence is not relevant to them because they are out-sourcing their SecOps requirements to an MSSP. We hope that much of this belief will be dispelled else-where in this paper. For example, we highlight the continued need for retained functions to support the delivery, consumption and assurance of external services. It also needs to be recognised recognising that at some stage contracts will end, MSSPs will be replaced, and services may be brought back in-house. This can be either very hard or relatively easy depending on some of the actions taken before contract award and during service delivery.

It is true that much of the work required to deliver an in-house SOC will not be necessary if much of the ca-pability is outsourced to an MSSP. A significant proportion of the processes will be replaced by procured services. Headcount will be reduced, and with it the organisational design, recruitment burden, training requirement and operating model complexity. After all, this is one of the main reasons why many busi-nesses opt to outsource.

However, the MSSP market is broad, with a wide variety of different offerings and a broad range of price points. An intelligent customer will have a clear understanding of their requirements at the outset and how they might evolve over time.

It is also important to consider how service performance will be measured and assessed. Most conventional managed services have a measurable input, a defined transformation, and a verifiable output. This is less well defined with managed security services, where the output is dependent on unknown people (the at-tackers) doing unpredictable things. As a customer you need to be confident that a quiet service means that you are safe, and not that the service provider is overlooking incidents.

All segments of the SOE framework are relevant to organisations that are outsourcing services to an MSSP.

www.c2cyber.com WP001 Ver 1.0 15 Aug 2018

C2 Cyber SOE — Deliver efficiency, consistency and value in SecOps

7

and identifies how the capability and scope should be managed and evolved over time.

The answer should be technology and vendor agnos-tic, and independent of the sourcing model. It is con-cerned only with outcomes and benefits.

Q2 : What capabilities are required?

Having defined the objectives it is necessary to identify the capabilities required to achieve and sustain them. We use the capa-bility framework in figure 3 to identify which are required for mission compliance.

The urgency and importance of capabilities should be prioritised, consid-ering not just what is required initially, but also what might be needed in future years. A frequent mistake is to try to implement too much, too quickly, leading to over-stretch. Another is to ignore future require-ments, creat-ing the risk that early deci-sions will limit the options available in later years. The scope and priorities will inform the timelines and sequence of capability development and deployment in the roadmap.

Q3 : What is the sourcing strategy?

With the capability requirements specified it is now time to decide what will be built in-house and what will be outsourced.

Often this is viewed as a binary decision; a choice be-tween building entirely in-house or alternatively out-sourcing all responsibility to a Managed Security Ser-vices Provider (MSSP). Full in-house may be viable, but is frequently too expensive and complex for many businesses. The idea of 100% outsourced is less credi-ble though. Even if a significant scope is outsourced, there will still be the requirement for functions to ex-ist in-house. There are numerous responsibilities that the business must take on, to ensure the services are effective, can be consumed, and providers can be held to account. For example:

• The MSSP will need to be kept up to date on the

configuration, vulnerabilities and changes in the technology environments being monitored;

• The MSSP will need to understand enough of the business context to be able to prioritise, triage and investigate incidents;

• The MSSP is unlikely to be the responder group for all ele-ments of the technology envi-ronment, so incidents and re-sponses will need to be handled and actions directed; and

• It may not be possible to share some contextual infor-mation with the MSSP, because of commercial sensitivities or regulatory constraints (e.g. pri-vacy regulations) meaning that some of the investigation will

need to be concluded in-house.

These are only a few examples, and there are oth-ers related to the additional value that a customer can gain from managed security services. This is why, even for those clients who wish to outsource to the maximum, we consider the

requirements of both the procured services and the retained functions.

Q4 : What is the Concept of Operations?

The answers to the previous three questions are used to develop the detailed Concept of Operations (ConOps) for SecOps. This specifies the functions that need to be built and the services that will be pro-cured. We can now start to decide what technology is needed to support the retained functions. It will also detail the interactions and dependencies between each of these components, as well as identifying ex-ternal functions that are involved.

A sound and detailed Concept of Operations acts as a blueprint for the future SecOps organisation. It pro-vides structure to the roadmap and programme plan that can then be executed. It also establishes confi-dence that the future capability will deliver the de-sired business outcomes and benefits.

Content

Engineering

Threat

Intelligence

Post Incident

Review

Alert Detect ionIncident

ManagementTrend Analysis

Technology

Environment

Change

Technology

Environment

Conf igurat ion

Alert TriageIncident

Invest igat ion

Forensics

Invest igat ion

Vulnerability

Assessment

Penetrat ion

Test ing & Red

Teaming

Vulnerability

Remediat ion

Malware

Analysis

Business

Context

Sent iment

Analysis

Corporate

Crisis

Management

At tack Hunt ingIncident

Response

Plat form

Engineering &

Support

Insider

Vulnerability &

Threat

Risk

Management

Report ing

Future SecOps

Plans & Change

C2

Capability Scope

Content

Engineering

Threat

Intelligence

Post Incident

Review

Alert Detect ionIncident

ManagementTrend Analysis

Technology

Environment

Change

Technology

Environment

Conf igurat ion

Alert TriageIncident

Invest igat ion

Forensics

Invest igat ion

Vulnerability

Assessment

Penetrat ion

Test ing & Red

Teaming

Vulnerability

Remediat ion

Malware

Analysis

Business

Context

Sent iment

Analysis

Corporate

Crisis

Management

At tack Hunt ingIncident

Response

Plat form

Engineering &

Support

Insider

Vulnerability &

Threat

Risk

Management

Report ing

Future SecOps

Plans & Change

C2

Sourcing Strategy

Attack hunting

Allocate incidents to

analystInvestigate

Response Planning

Response Coord

Detect

Triage

Investigate L1

Escalate L2+

Response Planning

Manage Content

Threat IntelAnalyse Trends

Future Plans

Horizon Scanning

Manage Change

Log Collection

Log Retention

Querying Visualisation

Manage Content

Log srcs

Copyright (c) C2 Cyber Ltd 2017Author: Tom BurtonDate: 10 September 2017Version: 0.01

Engagement Reference: 1927472Client: Acme_Widgets

Illustrative and simplified ConOps for hybrid security operations function

Email ITSMIT Ops

Log Forwarding

Ext TI

CIOCISO

Contextual Information

CMDB

Vulnerability Reports

Corporate Structure

Forward Forecast of Change

Asset Registers

Analyse Trends

Threat Fusion

Content Planning

Vuln Treatment Planning

Case Management

Threat Intelligence

C2 C2 CYBER LTDRESILIENCE REALISED

An illustrative and simplified Concept of Operations schematic

An illust ra tive SecOps mission

•

•

•

The contents of this document should be considered to be of a general in nature and not to be relied upon as recommendations or professional advice for specific action without further advice related to the organisation in question.

Copyright © 2018, C2 Cyber Ltd, which is a business registered in England and Wales (No. 9885860).

For more information please contact: e: info@c2cyber.com t: +44 (0)20 7965 7596 w: www.c2cyber.com

C2 Cyber Ltd exists to solve complex cyber and information security challenges, and has extensive experience managing risk across all three sectors in local and central government, healthcare, financial services, retail and not for profit/charity enterprises. Our approaches and methodologies blend a pragmatic mix of technical and human control measures to reduce vulnerability, limit risk, realise resilience and enable businesses to operate efficiently.

Using international standards and industry specific regulations C2 Cyber helps its customers to assess, identify and treat threats to their operations and business. We engage at an executive level with our customers and maintain that culture, leadership, behaviour and education are key factors for success. Even in today’s world of pervasive communications and the Internet of Things, technology is developed to deliver value to people. It is also attacked and targeted by people, and frequently the most challenging vulnerabilities are the people who interact with it.

Our human centric approach to cyber security starts by understanding what the business is trying to achieve, what part people play in realising those objectives, and what risks threaten the vision and aspirations. This enables us to help our clients to define and implement the right processes, prepare the people and organisation, and choose the most appropriate technology so that security becomes an enabler and differentiator; not an obstacle.

With services that generate value from strategy and governance, through to delivering capability into operations, C2 Cyber will work side by side with you as your security partner on the journey to see resilience realised.

About C2 Cyber Ltd

C2 CYBER LTDRESILIENCE REALISED

C2