MITRE's Cyber Security Operations Center Helps Sponsors Keep Networks Secure

January 2010
Topics: Network Security, Information Security Risk Management, Information Security Technologies
To counter advanced cyber threats from malicious code, viruses, and hackers, MITRE created a Cyber Security Operations Center (CSOC).

With more than 7,400 computer users spread across dozens of offices around the world, and two million e-mail messages processed each day, MITRE's information technology infrastructure is complex and continually evolving. Also evolving are the best practices and state-of-the-art technologies that keep our network safe from malicious code, viruses, and hackers.

To investigate and enhance cyber defenses for our company and for our sponsors, MITRE has launched a corporate initiative, the Cyber Security Operations Center (CSOC). In addition to providing support for MITRE's operational environment, the CSOC is exploring innovative solutions to counter increasingly sophisticated forms of cyber attack, also known as the Advanced Cyber Threat (ACT).

The CSOC provides a testing environment for security tools and processes developed through MITRE's advanced research projects, along with testing of next-generation government and industry-developed cybersecurity capabilities. As MITRE analysts hone their expertise in the best tools and techniques to safeguard against cyber threats from outside and within company firewalls, we share these insights with our government sponsors to help them combat similar challenges.

The CSOC is a vehicle for improving MITRE's cybersecurity preparedness as well as a place where innovative techniques for countering the advanced cyber threat can be demonstrated to our sponsors. During demonstrations to government sponsors, academic researchers, MITRE staff, and research partners in for-profit companies, our cybersecurity analysts collaborate on potential solutions to common challenges. Drawing on the operational expertise of MITRE's Information Security group, the CSOC analysts develop innovative methods and tools to combat the ACT.

Scaling a Mountain of Malicious Junk Mail

The threats the CSOC is designed to counter include the potential for exploitation by malicious insiders with access to sensitive networks and data, cyber vandalism originating outside corporate firewalls, and potential network damage from malicious code in junk e-mail. Currently, MITRE receives approximately two million e-mail messages per day, 90 percent of which are spam that is rejected by MITRE's spam filter.

Since the CSOC (one of whose two facilities is located in MITRE's McLean, Va., offices) opened its doors in January 2009, it has been the site of more than 60 demonstrations of advanced cybersecurity technologies. Demonstrations usually span the CSOC's two facilities through a dedicated videoconferencing link. The facilities include several analyst workstations, large-screen plasma displays, and electronic whiteboards. Through the use of MITRE-developed tools and outside technologies, the CSOC analysts have been able to identify and analyze real incidents of intrusions on our network, and to understand the techniques used by our adversaries.

Sponsors Learn from MITRE's Experience

In addition to detecting and analyzing suspicious activity by adversaries, the CSOC provides its sponsors insight into the MITRE architecture and the threats that the company faces daily. This provides context for sponsors who are looking for scalable security solutions for their own environments.

The CSOC operates in MITRE's production environment using real data, which underlines the importance of the mission. Enabling sponsors to examine real-world cybersecurity data allows them to extrapolate best practices and experiences that can be applied to their own network environments—even when those networks are many times the size of the MITRE environment.

For example, the CSOC hosts discussions among sponsors and academics working on cybersecurity issues about how certain security solutions can scale to government environments, which might have a million users compared to MITRE's 7,400. These discussions, while usually focused on immediate issues facing the government, often turn to ways that security solutions and procedures will have to evolve as threats change over time.

The CSOC is also closely involved in next-generation cybersecurity issues such as the more subtle threat from malicious attachments or links in e-mail. These increasingly common e-mail "spear-phishing" attacks appear to the user to contain trusted information, in some cases even appearing as a specific document the user has previously accessed. These attacks are highly sophisticated and socially engineered to induce the recipient to open the infected file or follow the malicious link.
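As an added illustration of the kind of message triage the paragraph above describes (this is example code written for this page, not a MITRE or CSOC tool), the script below parses a single RFC 5322 message and reports the indicators an analyst would look for in a spear-phishing lure: a sender domain that resembles the organization's own, a display name that claims a different address than the one actually used, a Reply-To that diverts responses elsewhere, a link whose visible text names a trusted host while the href points somewhere else, and an executable or double-extension attachment. The sample message, every domain name in it, the extension list and the heuristics themselves are constructed for illustration; `org_domain` is a parameter the caller supplies.

```python
"""Static triage of a suspected spear-phishing message.

Added example, not MITRE's CSOC tooling. The sample message, the domain
names and the indicator heuristics are all constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Attachment extensions that run code when opened (hypothetical short list).
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".jar", ".bat", ".ps1")

ANCHOR_RE = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://|www\.)([a-z0-9.-]+)', re.I)
ADDR_IN_TEXT_RE = re.compile(r'[\w.+-]+@([\w.-]+)')
TAG_RE = re.compile(r'<[^>]+>')


def host_of(url):
    """Lower-cased host of a URL ('' if it cannot be parsed)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def domain_of(addr):
    """Domain part of an e-mail address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_indicators(msg, org_domain):
    """Sender-identity checks: lookalike domain, name/address mismatch, Reply-To diversion."""
    out = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    org_label = org_domain.split(".")[0]
    if from_dom and from_dom != org_domain and org_label in from_dom:
        out.append(f"sender domain {from_dom} resembles {org_domain}")
    claimed = ADDR_IN_TEXT_RE.search(name)
    if claimed and claimed.group(1).lower() != from_dom:
        out.append(f"display name claims {claimed.group(1).lower()} but address is {from_dom}")
    reply_dom = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        out.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    return out


def link_indicators(html):
    """Anchors whose visible text names one host while the href points to another."""
    out = []
    for href, inner in ANCHOR_RE.findall(html):
        shown = HOST_IN_TEXT_RE.search(TAG_RE.sub("", inner))
        if not shown:
            continue
        shown_host, real_host = shown.group(1).lower(), host_of(href)
        if real_host != shown_host and not real_host.endswith("." + shown_host):
            out.append(f"link text shows {shown_host} but points to {real_host}")
    return out


def attachment_indicators(msg):
    """Executable or double-extension attachments (e.g. report.xlsx.exe)."""
    out = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXT):
            out.append(f"executable attachment {name}")
        elif name.count(".") > 1:
            out.append(f"double extension attachment {name}")
    return out


def triage(raw_message, org_domain):
    """Return the list of indicator strings found in one raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = header_indicators(msg, org_domain)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        findings += link_indicators(body.get_content())
    findings += attachment_indicators(msg)
    return findings


# Constructed sample: a reply-style lure that names a file the target already knows.
SAMPLE = """\
From: "alice.smith@mitre.org" <alice.smith@mitre-secure.example>
Reply-To: inbox@mailer.example
To: bob.jones@mitre.org
Subject: Re: Q4 budget spreadsheet
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/html; charset="us-ascii"

<html><body><p>Bob, the updated copy is at
<a href="http://mitre-secure.example/dl/q4">https://share.mitre.org/q4-budget</a>.</p></body></html>
--sep
Content-Type: application/octet-stream; name="Q4_budget.xlsx.exe"
Content-Disposition: attachment; filename="Q4_budget.xlsx.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--sep--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE, "mitre.org"):
        print("-", finding)
```

Each check is deliberately independent, so a message that trips none of them is reported as clean rather than scored; in practice these indicators feed an analyst's decision, they do not replace it, and a lure that reuses a genuinely compromised internal mailbox will pass the header checks entirely.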

A Problem That Must Be Solved

It is difficult to overstate the importance of finding solutions to the threat posed by these sophisticated adversaries. In some cases, the mission of a government agency can be at stake. What makes this type of attack so hard to counter is that a company or government agency cannot simply cut off e-mail and access to the Web; it cannot operate without them. The ability to communicate and operate securely in the presence of the adversary is a critical capability that MITRE and its sponsors must achieve in order to execute their missions.

Looking forward, the CSOC will be able to provide even more valuable intelligence to MITRE sponsors as more information is gathered on emerging threats.

—by Maria S. Lee
