MITRE Author Zimmerman Answers 10 Questions on 10 Cyber StrategiesOctober 2014
Topics: Cybersecurity, Computer Security, Information Security Operations, Information Security Risk Management, Homeland Security, Network Security, Strategic Planning
A new book published by MITRE provides organizations of all sizes and in all sectors with the tools they need to more effectively defend their IT systems against cyber attacks. Ten Strategies of a World-Class Cybersecurity Operations Center is now available as a free PDF.
Written by MITRE principal cybersecurity engineer Carson Zimmerman, the book focuses on the cybersecurity operations center, known as CSOC, or simply SOC. A SOC typically serves as the nucleus for an organization's computer network defense capabilities. It's where cybersecurity incidents are detected, analyzed, responded to, reported on, and at times prevented. A SOC performs many other activities as well, such as gathering and producing cyber threat intelligence.
However, most CSOCs focus on technology, without adequately addressing people and process issues. Because this can get in the way of successful network defense, the book proposes a more balanced approach.
Zimmerman recently talked about why these 10 strategies are so important now and how they fit into MITRE's overall cybersecurity approach.
MITRE: What made you decide to write Ten Strategies of a World-Class Cybersecurity Operations Center?
Carson Zimmerman: I've supported SOCs for our MITRE sponsors for more than 10 years. My colleagues and I are frequently asked questions such as: "How many analysts do I need?" and "What type of data should I collect?" We joked that we should record our answers so we could refer people to a specific track on a DVD. But we came to realize there wasn’t much recently written on recent SOC best practices. Sharing the knowledge we've accumulated seemed like a great way to help sponsors and the cybersecurity community at large.
What are the key objectives of the book?
CZ: The main one is to translate the lessons we've learned to help other organizations improve their cybersecurity capabilities. But we also wanted to address the fact that there is no commonly agreed upon perspective on these issues. We wanted to put a flag in the ground in an effort to gain greater consensus across the cybersecurity community. We want to help SOCs spend less time on the basics and more time on advanced operations.
Why is MITRE publishing it now?
CZ: Cybersecurity is a huge issue today. Even though SOCs have been around for a while, many of them struggle. SOCs must constantly adapt their techniques, tactics, and procedures to keep up with the changing enterprise they defend, and perhaps more important, the changing nature of the threat. If you're standing still, you’re actually falling behind. This is a major theme in the book, and one of the top reasons why we’re publishing it—to help SOCs not only maintain parity with their environment and threats, but to make forward progress.
How significant is this to MITRE's overall cybersecurity strategy?
CZ: A key part of MITRE's message about cybersecurity is that organizations should practice active threat-based defense. This means investing resources—funding, time, and staff—in sensing, collecting, and analyzing data. That allows you to focus on preventing unwanted access using the best available intelligence on the threats facing your organization. Unfortunately, mindless compliance with security frameworks or checklists of best practices can eat up precious IT budgets without significantly improving your defensive posture. The crucial work of monitoring, analyzing, and making sense of threat behavior comes together in the SOC.
What's the current landscape like for SOCs? Do most entities have this function now?
CZ: The larger the organization, the more likely they'll have a SOC. I can’t imagine any Fortune 500 or large government agency not having one. The issue is that SOCs continue to struggle for resources and external support. Many smaller organizations must also allocate resources to this function—but how? Additionally, many large organizations have SOCs with overly broad mandates. How do they redirect resources toward the actual mission to do that? The answers don't always come easy, and we want to work on that.
How did you compile the information?
CZ: It's the result of a lot of hands-on, boots-on-the-ground work with SOCs, coupled with a keen sense of the strategic perspectives of cybersecurity. Through our work with sponsors, we have been in a position to touch every aspect of SOC operations—from data analytics to budget allocations. Most important, we have long-standing relationships with several SOCs. Their common struggles and successes become clearer as you look at their different experiences. This puts MITRE in a relatively unique position to publish on this topic.
How did you decide on 10 recommendations?
CZ: The goal was to look at how things are commonly done and package these commonalities into useful examples that folks could latch onto. These common themes became the 10 strategies. In general terms, they cut across several areas, including people, process, and technology. There are lots of wonderful materials out there particularly interesting to those working in the SOC. Some focus on technology, and others focus on people and processes. This book brings all three elements together.
Are there specific types of entities for whom these 10 strategies are appropriate?
CZ: We're mainly aiming at medium-to-large government agencies, companies, and educational institutions—ones big enough to justify their own SOCs, but not so big they need to cover an entire national government or country. However, these strategies could work for any size and any sector. They're just as valid for an entity that wants to set up its first SOC as for one that wants to update an existing one.
Who would benefit most from applying these 10 strategies?
CZ: First would be the folks running the SOC—managers and their direct reports. Others would be anyone setting up a SOC, and then anyone who interacts with a SOC from elsewhere in IT or cybersecurity. That might include the office of the chief information officer or chief information security officer, or IT operations.
What's the best way to use this book?
CZ: We’ve tried to give people hands-on examples and generalities so they can find elements of their particular situation in these scenarios and identify the best suggestions from what we’re proposing to address their needs. How they do that is up to them. People who work in cyber operations have also used the book to show their bosses the types of resources and support that a SOC needs to operate effectively.
Carson Zimmerman is a principal cybersecurity engineer with The MITRE Corporation. He has 10 years of experience working with various CSOCs to better defend against the adversary. He has held roles in the CSOC ranging from tier 1 analyst to cyber architect.
—by Twig Mowatt