Cybersecurity starts in the Security Operations Center

This post first appeared on Federal News Network. Read the original article.

To understand how cybersecurity works at a federal agency, you might start by looking at the organization’s Security Operations Center (SOC). The SOC is made up of a group of cybersecurity experts who continuously monitor systems and technologies in an effort to prevent security threats or respond to them with immediate action. While cybersecurity is the big picture, the SOC is a window into those efforts. SOCs are responsible for keeping safe the data that government services depend on to stay in business. Over the last several years, there has been an increase in new procedures aimed at protecting the SOCs.

“There’s a lot of federal guidance that addresses what is needed to protect Security Operations Centers. And we actually had a report issued December 2023 that looks at federal agencies’ information and response procedures. And in that, we’re highlighting that there’s a set of guidance from various entities,” Jennifer Franks, director of Information, Technology and Cybersecurity at the Government Accountability Office, said on Federal Monthly Insights – Security Operations Centers. “So there was the cybersecurity executive order that really does enhance how government agencies need to secure their cloud-based infrastructures, as well as their agency on-premises networks.”

The management of SOCs can also be a bit complicated: who is in charge, and what happens in the case of a security incident. The experts behind the Security Operations Centers in the federal government vary by agency and technology, and include both federal employees and contractors.

“The chief information officers are usually the leaders of security operations centers, who then directly report to the chief information officers. Some agencies, the CIOs are directly responsible for the SOC. It depends on how the agency is structured,” Franks said. “So when an incident or vulnerability occurs, when something needs to be patched, all of the data owners, the system owners, the business owners, were alerted immediately.”

Franks doesn’t manage the GAO security operations center, but she manages some of the networks that reside in the data operations center. “I do a magnitude of things for the agency…I do manage some of the information systems within our network. When that latest vulnerability did impact us last week, I was able to be at the table immediately for what needed to be done with alerting all of the responsible parties.”

Franks admits that protecting critical business services in the federal government requires a menagerie of skills and efforts, including securing cloud-based infrastructures, managing zero trust operations, security event logging and incident response efforts.

“This gets complicated when we think about some of the automated processing that would help us be a little bit more timely, incentivize our investigative services,” Franks said. “A lot of the SOCs, they are running short on the skillsets that are needed to withstand their own individualized SOCs across the many agencies. So being able to provide information sharing services across the various agencies, it will help with some of the visibility that is needed as well as some of the investigative services.”

And some solutions come with their own challenges. Sharing incident and vulnerability reports between agencies that use the same productivity tools and services would be one way to decrease the time it takes to address a vulnerability or breach, but different agencies carry and manage different risks.

“The Department of Defense honestly has its own network and its own set of criteria, because the way it manages, more national security, intel related data and the classification of their data is so much more sensitive than perhaps the Department of Education,” Franks told the Federal Drive with Tom Temin. “There are times where those entities may or may not want to share information, related data about vulnerabilities that are impacting their environments, but we’re looking at ways that we can do that in the near future, so that yes, we’re not sharing sensitive related information, but at least enough vulnerability related data that would help those entities as well as others with similar related vulnerabilities that would just help us remediate vulnerabilities a little faster.”

As with the federal government at large, SOCs have to find the right people, and those people need the right training. SOC staff are a mix of federal employees and contractors, and they all bring necessary knowledge.

“If an agency has more sensitive data that the contractor may not be used to managing, we need to let that contractor service know the intricacies and the sensitivities about how we need to manage the data,” Franks said. “We need fresh thinking, fresh insights. They might have also seen or even helped to implement security controls and infrastructures in other environments that can then help another agency to upskill their environment.”

Rule number one of the SOC is understanding that the job of protecting data is continuous.

“It’s no one person’s fault. If it’s connected to the network, it’s not an if, it’s a when,” Franks said. “A cyber incident, a breach, could inevitably happen. So providing those security control assessments, those risk management frameworks and just having that assessment where you identify all of the likelihoods of events and being ready to respond should an event occur, then you have a plan in place.”
