Creating a Virtual SOC

This is an analysis of the Logrhythm(R) SIEM Product, its implementation, and potential cost savings focused on a DOD IT Environment

---

This article is neither an endorsement or promotion of the product discussed; it is used to offer a framework for a Virtual-Security Operations Center (V-SOC) creation

---

In compliance with the former Department of Defense (DOD) Defense Information Assurance Certification and Accreditation Process (DIACAP) requirements, and the new requirement of the Risk Management Framework (RMF).  RMF was mandated by the DOD Instruction (DODI) 8510.01 as well as the policy for the rest of the federal government that requires the implementation of an automated audit logging system and more specifically Continuous Monitoring (ConMon); audit logging capabilities are established controls under the RMF.  ConMon is the cornerstone component that would eventually eliminate the past DIACAP requirement that every three years that the process be re-done in total; the estimated cost savings of this transition could be as much as $250,000 every three years. 

Continuous Monitoring: What Good Looks Like

Specifically, leveraging of the Logrhythm Security Information and Event Management (SIEM) suite to collect and analyze log outputs requires a subsequent phase of human oversight and action with expanded use of technology to provide for response to potential cyber-threats.  The typical approach for human oversight is the establishing of the classic fixed-site Security Operations Center (SOC). These SOCs have personnel providing 24 hours a day/7 days a week coverage of a company’s or agency’s Information Technology (IT) environments. Such a solution continues to be costly for many parts of the federal government. 

The intent is to leverage Logrhythm’s add-on capabilities to create a virtual SOC with current government and contract personnel, and to provide a rapid response capability without requiring any further dollars to maintain such an initiative.  Agencies may leverage, for example, the SIEM’s Simple Mail Transfer Protocol (SMTP) server within the governments’ architectures.  It will provide email and text alerts to technical and non-technical personnel after-hour responses.

Introduction

Logrhythm is a commercial product that was well-rated by the a Gartner evaluation of SIEM solutions. (See Figure 1 below).  Its strengths include the ease and capability to integrate within the current IT environments.  This solution provides for network event monitoring and alerts of potential security compromises of managed servers.   The implementation of an enterprise grade SIEM solution is necessary to meet growing cybersecurity requirements for auditing of logs and incident response. This solution would also allow agencies to manage and close existing unresolved Plans of Action and Milestones (POAM) specific to automated security audit control requirements.

Figure 1. Gartner Evaluation of Commercially Available SIEM solutions (Kavanagh, Nicolett, & Rochford, 2014)

Logrhythm provides the overall capability of establishing a virtual SOC.  In the current era of reduced budgets and funding, especially for DOD, a 24-7 fixed-site is both difficult and costly.  With the growing cyber-threat, the establishment of a SOC is necessary since it provides “…increased security and rapid response to events throughout the network,” (McAfee® Foundstone® Professional Services, 2013, p.3). This solution leverages extended capabilities of the SIEM solution to meet this architectural shift to a virtual configuration.

The example solution affords extensive reporting capabilities to include pre-defined, compliance, and customized reports.  It will provide reports electronically to key leadership and technical staff via electronic mail and textual SMS messaging.

[It] can be configured to send alerts and reports directly to individuals, groups, shared directories, helpdesks or any combination, allowing for the effective dissemination of information across a distributed workforce (Logrhythm, 2015).

It is ideal for providing critical net-centric principles of architectural Situational Awareness (SA) of IT environments and supports the development of an automated virtual SOC configuration; this configuration will provide critical network SA.

The technology uses client software on deployed servers.  Figure 2 provides a basic implementation design example for a distributed architecture.  The system collects and stores auditable events within several Log Managers (LM).  The LMs forward the audit logs to the Event Manager (EM) that conducts the analysis of the logs and subsequently provides alerts to security professionals.  The EM utilizes a proprietary Artificial Intelligence (AI) module to conduct pattern and heuristic analysis to determine threats.  It logs all performed analysis and archives all activities to the local Archive Storage array.

 Based upon alert parameters, anomalies are forwarded to the SMTP Server in the form of alerts.  The SMTP server provides the external communications via email and text messages.

Figure 2. Logrhythm Basic Architecture Diagram

Applicable Policies

The policy impacting the necessity for the creation of a virtual SOC within the DOD, for example, is DODI 8510.01, “Risk Management Framework (RMF) for DoD Information Technology (IT).”  DODI 8510.01 implements the RMF approach for Assessment and Authorization (A&A) of systems within approved architectures.  This will include the results and corrections based upon security scans using standard DOD-approved security tools such as Fortify® and Web Inspect®, for example.   It will reside within this architecture as a sub-component and is subject to all cybersecurity processes and code reviews. These reviews will assure the security posture of on networks that attache to the federal infrastructures. 

Efficiencies

Establishing a virtual vice physical SOC provides several notable efficiencies.  The White Paper, “Creating and Maintaining a SOC,” suggests “…at least seven staff members,” (McAfee® Foundstone® Professional Services, 2013, p.7); the suggested number of on-call personnel recommended in this solution is four.  The expertise required would include a shift leader, a security analyst—who would be able to determine that an actual threat exists, a security engineer—that would be able to affect a change either coordinating with the Computer Network Defense Service Provider (CNDSP) or shutting down services until further investigation could be conducted, and a forensic investigator—who could ascertain the amount and level of damage to servers and the network. Suggested cost savings for a reduction of three personnel would be over $540,000.  (This estimate is based on current Washington, DC, labor rates for IT professionals of approximately $180,000 per year for each Full Time Equivalent (FTE) contract employee.)

Further, the transition from DIACAP to RMF will result in major cost-savings.  The elimination of the requirement for Independent Validation and Verification teams every three years would, for example, result in a $100,000 to $200,000 savings every three years based upon the size and complexity of the respective system. For example, the savings across the four defined DOD-medical systems and infrastructures maintained by the Defense Health Agency (DHA)—formerly Tricare Management Agency–could be $133,000 to $266,000 annually.  These estimates do not include the direct and indirect labor costs of 3 to 4 government and contract personnel focused on the preparation of accreditation documents for a period of four to six months prior to the actual inspection—estimated savings would be over $360,000 per every three years per system.

“Best Practice” Should be a Process NOT a Catch-phrase

Security and Reliability

The security of the Logrhythm solution will require close adherence to DODs’ standards and policies.  Handheld-devices and smart phones will be Federal Information Processing Standards (FIPS) 140 compliant and assure Data in Motion (DIM) is secured at the highest level appropriate.  Data at Rest (DAR), especially on the handheld devices, will be encrypted on the respective device and will allow for remote erasure as required. 

The reliability of the virtual SOC solution will depend heavily on the communications maintained by the government.  The expectation, while not absolute, will afford continuous access to audit logs and data analytics critical to the virtual SOC team. 

Response Times

Response times during normal duty hours would be a matter of minutes to respond to any alert.  With a full complement of security professionals, engineers, and analysts on-site, actions to determine the level of threat would take several minutes.  With the combination of both human cybersecurity experts and the SIEM automated tool suite, threats can be detected and addressed in several minutes. 

In terms of a virtual SOC solution, response times may take 1-2 hours in most instances assuming a full assault on federal network. In minor alert situations, agencies could respond within 30 minutes to include blocking unauthorized services or disconnecting compromised servers from the network.  Addressing the full range of responses for more intrusive attacks will require more time and coordination across the SOC security team.  An example of a response may include support to an overseas military contingency operation where services require continued data access while an intrusion is ongoing.  Access would be maintained, and the threat mitigated as much as possible until the military operation has ceased under such a scenario.

Net-Centric Strategy

The deployment of a virtual SOC aligns with the requirements of DOD net-centricity. By leveraging a SIEM solution ensures that all security data and audit logs are “visible, accessible, and understandable,” (McGibbon, 2015, Slide 2).  This implementation would abide by the principles outlined in DOD’s net-centric requirements.

A net-centric information environment is further defined by how it supports the user and who can access “…the best information available,” (McGibbon, 2015, Slide 6).  This solution provides alerts and analyzed events.  The issue is not just providing distributed intelligence to virtual SOC members, but processed and actionable information regarding the security posture of the network.  Through its ability to analyze and alert security personnel, it would be a significant improvement to assure a more secure operational environment.
           

Advantages and Disadvantages

The advantages of leveraging of the Logrhythm SIEM tool provide increased flexibility.  The architecture proposed is highly extensible and expertise can be added or reduced based upon such factors as contract cost reductions or declared threat levels.  For example, elevation from DOD Threat Condition ‘Alpha’ to ‘Bravo’ would require and allow for the addition of on-call experts to address heightened threats.

Also, using secure mobile communication devices, security personnel will have access to the extended analytical capabilities in real-time.  As with any net-centric capability, the provided analysis will enhance the team’s ability to make more informed decisions vice having to rely on speculation from a “typical” static reporting tool; these older tools had no AI to assist cyber-professionals in making more rapid and thoughtful decisions without major operational impact to the mission.

The most serious disadvantage to this solution would be Internet and voice communications interruptions in service. There is no guarantee that a cyber-attack would bypass the security communications capabilities to avoid alerting SOC personnel.  There is a need for back-up communications and Internet access because such a generalized vulnerability would eliminate the effectiveness of a virtual and a fixed SOC element alike.  Back-up communications will be vital in mitigating this weakness.

Additionally, an article in Nextgov.com highlighted findings from Booz Allen Hamilton which:

“…called attention to the most pressing challenges the government faces in hiring cyber talent: the arcane federal hiring process, a rigid pay scale not keeping pace with the private sector and the lack of a government-wide “master strategy” for boosting the cyber workforce,” (Moore, 2015).

One of the most serious disadvantages throughout the government is the shortage of cyber-professionals who can adequately meet all the varied IT skill sets required.  This issue will not be resolved quickly as the threats and their sophistication of attack grows.  There is a vital need to reduce the rigidity of both the hiring activities and limits on pay that will continue to stifle the government’s long-term ability to hire qualified IT personnel.

Recommendations and Conclusions

The recommendation is to implement this solution in conjunction with an overall deployment plan.  This approach allows for immediate integration of this solution within existing technical infrastructures and minimizes changes or updates to required security A&A efforts.  The solution allows for a rapid and coherent capability deployed within the architectures and provides capabilities to meet a growing cyber-threat.

Logrhythm provides additional “Defense in Depth,” and further abides by the tenets of net-centric capabilities and requirements from DOD.  It is a viable solution that maximizes the benefits of its deployment and immediately leverages SIEM functionality in a rapid and supportable fashion.  The ability to deploy such a capability provides a modern capability which combines the human expertise with the full-range of analytical and reporting capabilities. This solution provides the needed rapid-response requires with “minimal” costs.  Finally, it provides superior security to critical public and private sectors’ data.

---

Bibliography

Kavanagh, K. M., Nicolett, M., & Rochford, O. (2014, June 25). Magic Quadrant for Security Information and Event Management. Retrieved from Gartner: http://www.gartner.com/technology/reprints.do?id=1-1W8AO4W&ct=140627&st=sb&mkt_tok=3RkMMJWWfF9wsRolsqrJcO%2FhmjTEU5z17u8lWa%2B0gYkz2EFye%2BLIHETpodcMTcVkNb%2FYDBceEJhqyQJxPr3FKdANz8JpRhnqAA%3D%3D

Logrhythm. (2015). Professional Services Overview. Retrieved from Logrhythm: https://www.logrhythm.com/services/professional-services.aspx#LiveAccordionContent3158146-la

Logrhythm. (2015). Reporting. Retrieved from Logrhythm: https://www.logrhythm.com/siem-2.0/features-components/reporting.aspx

McAfee® Foundstone® Professional Services. (2013). McAfee. Retrieved from White Paper: Creating and Maintaining a SOC: http://www.mcafee.com/us/resources/white-papers/foundstone/wp-creating-maintaining-soc.pdf

McGibbon, M. D. (2015, May). Net-Centric Operations (Class Slides). Fort McNair, DC: National Defense University.

Moore, J. (2015, April 14). In Fierce Battle for Cyber Talent, Even NSA Struggles to Keep Elites on Staff. Retrieved from Nextgov: http://www.nextgov.com/cybersecurity/2015/04/fierce-battle-cyber-talent-even-nsa-struggles-keep-elites-staff/110158/

---