Release #2: A basic CDC Model
For our discussions I will define a reference model with functions, responsibilities and an organizational background. The external requirements are based on the EU and German legislation and the requirements for the finance sector. (1)
BTW, the well-known eBook by Carson Zimmerman, "Ten Strategies of a World-Class Cybersecurity Operations Center", is a good read for practitioners. You should read it too.
CDC Reference Model
Our CDC reference model does not include the responsibility for the administration of security technologies, like firewalls, intrusion detection systems, SIEM, AV scanners and such.
The detailed organizational setup depends on the size of the organisation: the bigger the organisation, the fewer technical and administrative responsibilities the CDC should have, and the more interdependence exists within the organisation. If the CDC is located outside the IT department (maybe in the staff department of the CISO), then it is very unlikely that the CDC team will have the responsibility to run the IT; instead it depends on cooperation with the IT department. This cooperation works as long as the relationship between the CISO and the CIO is healthy, and it works even better if the CISO comes with his own budget.
Typical functions of our CDC model are
- detect potential security violations
- receive security alerts (source: SIEM, telephone hotline, tickets, etc.)
- analysis and containment of security incidents (incident response)
- run the vulnerability management program or at least know about the critical and serious vulnerabilities in the IT infrastructure to have a better understanding of the company's threat landscape
- in addition to the internal threat landscape, Threat Intelligence analysts should constantly evaluate the external threat landscape (which cyber crime campaign is currently running that targets banking, what tools are used, et cetera)
- reporting comes in various flavours:
  - TTPs (tactics, techniques and procedures of adversaries) for the Level-1 and Level-2 Security Analysts and the technical departments
  - the threat landscape for the technical departments, analysts, and management, to know and understand the context and better estimate their operational risk
  - KPI fulfillment for management and maybe the customers (SLA fulfillment)
  - customer reports if your CDC provides security-as-a-service
  - new and unhandled risks to risk owners and/or the enterprise risk management department
- to always keep up with the increasing technical demand (new attack techniques, more systems and log data, etc) the CDC will always be involved in projects for continuous improvement
Let's go further down in our diagram: the next layer is the best practices, which we will dive deeper into in this blog, but a bit later.
Policy Pyramid or House of Policies
Then comes the layer of the organisational measures: corporate policies (like information security policies and guidelines) and written rules for the daily life of analysts and other technical staff. They are normally ordered in a pyramid based on abstraction. The upper two layers (like the top of a pyramid) are strategic and organisational policies; the lower layers describe the operational work defined at each functional entity (department or team). The operational fulfillment of these written rules is what interests most auditors (internal auditors, who are the third line of defense, as well as external auditors). Of course, the policies from the top and middle layers of the pyramid will also be tested to be complete, coherent, and up-to-date.
Undefined Terms
Now let's come to the terminology used within the blog, focusing on terms that are ambiguous and not already defined in an RFC or by another industry norm.
- CERT: A Computer Emergency Response Team, first used by Carnegie Mellon University. There is/was a US patent on this acronym, therefore the acronym CSIRT should better be used.
- CSIRT: Computer Security Incident Response Team. Both terms focus on the response task, which is just one part of cyber defense.
- IRT: An Incident Response Team takes care of natural disasters. ISO 27035 mentions an IRT which it uses as a synonym for CERT/CSIRT, a bad decision in my opinion.
- SOC: A Security Operations Center centralizes security functions and also contains the detection functionality by correlating and analyzing log information. It could also include the function of running IT security solutions and monitoring surveillance cameras.
- CDC: A Cyber Defense Center does active defense of the IT infrastructure and puts its weight on the defense not the operation functionality.
For variations of organizational setups, have a look at the above-mentioned MITRE eBook.
From Security Event to Security Incident
It is not uncommon for documentation to mix up "security event" and "security incident". A uniform definition is important when it comes to Service Level Agreements (SLAs), escalation and notification processes, as well as for communications with external entities (like auditors for an ISO 27001 certification, or government officials).
Personally I like the definition of the ISO 27000 standard.
- Security event: "... is identified occurrence of a system, service or network state indicating a possible breach of information security or failure of controls, or a previously unknown situation that may be relevant". At the simplest level it could be a log entry of a system service like SSH for a failed log-in attempt.
- Security incident: "... is a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security". Multiple log entries of failed log-in attempts for many users, indicating a "brute force" or "password spraying" attack, would be an example.
If a security incident goes out of control and its impact reaches a defined threshold, it becomes a crisis. In the diagram above, the word "certainty" on the lower arrow is meant as "level of certainty that a bad thing happened" and not as "knowing how to handle it"; especially in a crisis, the way to contain damage might become very individual and less standardized.
Check out HBR 2020/11 to read about when to use heuristics and when to use standard routines.
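To make the event-versus-incident distinction concrete, here is an added example (not from the post) that treats every failed SSH log-in as a security event and escalates a source address to an incident only when enough events pile up in one window; the log lines, the window size and the thresholds are constructed for the example, and the "brute force" versus "password spraying" split follows the distinct-user count.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (not from any real system): a four-user spray from one
# address, one stray failure followed by a success, and four failures for root from another address.
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[1201]: Failed password for alice from 203.0.113.7 port 51000 ssh2
Mar 10 08:00:02 bastion sshd[1202]: Failed password for bob from 203.0.113.7 port 51001 ssh2
Mar 10 08:00:03 bastion sshd[1203]: Failed password for carol from 203.0.113.7 port 51002 ssh2
Mar 10 08:00:04 bastion sshd[1204]: Failed password for dave from 203.0.113.7 port 51003 ssh2
Mar 10 08:09:30 bastion sshd[1290]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Mar 10 08:09:31 bastion sshd[1291]: Accepted password for alice from 198.51.100.5 port 40000 ssh2
Mar 10 08:15:00 bastion sshd[1300]: Failed password for root from 192.0.2.9 port 22222 ssh2
Mar 10 08:15:01 bastion sshd[1301]: Failed password for root from 192.0.2.9 port 22223 ssh2
Mar 10 08:15:02 bastion sshd[1302]: Failed password for root from 192.0.2.9 port 22224 ssh2
Mar 10 08:15:03 bastion sshd[1303]: Failed password for root from 192.0.2.9 port 22225 ssh2
"""

# One "Failed password" line is one security event; the syslog timestamp carries no year (assumed 2020).
EVENT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
WINDOW_SECONDS = 300    # per-source evaluation window (assumed tuning values, not from the post)
MIN_FAILURES = 4        # failures inside the window before a source becomes an incident
MIN_USERS_SPRAY = 3     # distinct users inside the window => password spraying, else brute force

def parse_events(log_text, year=2020):
    """Return every failed log-in as a security event tuple (timestamp, user, source)."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def classify(events):
    """Escalate a source to an incident when enough events fall inside one window."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    incidents = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            users = [u for t, u in hits[i:] if (t - start).total_seconds() <= WINDOW_SECONDS]
            if len(users) < MIN_FAILURES:
                continue  # still isolated events, nothing to escalate yet
            kind = "password spraying" if len(set(users)) >= MIN_USERS_SPRAY else "brute force"
            incidents.append({"source": src, "kind": kind, "failures": len(users), "users": sorted(set(users))})
            break  # report one incident per source; a real pipeline would keep sliding the window
    return incidents
```

The stray failure from 198.51.100.5 stays a plain event, while the other two sources cross the threshold and come out as incidents of different kinds.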
Best,
Thomas
(1) BSI (German Federal Office for Information Security) Sektorstudien (sector studies, unfortunately in German only): https://www.kritis.bund.de/SubSites/Kritis/DE/Publikationen/Sektorstudien/Sektorstudien_node.html