Security Operations Centers (SOCs) are IT units within organizations such as Air Traffic Control or Airport Units that focus on cybersecurity issues. The IT security team at these centers monitors, identifies and analyzes network infrastructure for cyberthreats. Their job is to conduct risk assessments, mitigate risks by taking proactive measures and respond to threats. This team must also communicate with the broader organization's personnel about the steps needed to maintain network safety.
How SOCs Handle Incident Management
SOCs work to reduce and block cyberthreats that can disrupt infrastructure, networks, applications and data. The design must include the proper cybersecurity tools for mitigating cyberthreats and the team must be trained to follow a predetermined plan of action for responding to threats and attacks. While the SOC team focuses on data protection, other IT personnel outside the SOC department work on maintenance and efficiency issues.
Logging activities associated with cyberthreats is an important ongoing function for SOC personnel. These IT specialists must document and analyze any type of suspicious incident that appears on their monitoring systems. The SOC's primary function is data collection from a variety of internal and external sources that monitor relevant activity for the organization. Whenever a monitoring system detects intruders in the firm's ecosystem, it sends alerts to cybersecurity team officials.
Each SOC has its own set of cybersecurity strategies based on the organization's technology and how departments interact with each other. Team members are trained to handle specific types of cyberthreats and follow a well-structured disaster backup and recovery plan if switching to backup servers becomes necessary.
SOC and Productivity
Different SOCs perform at different capability levels depending on their history, personnel and maturity level. The center must first deploy technology with tools that monitor real-time network activity. Then it needs to establish "near-real-time threat detection" capabilities so it can conduct threat hunting and incident response. SOCs that are well developed with the right tools can then help optimize productivity.
Incident Management Processes
An intrusion detection system (IDS) helps the SOC team locate suspicious activity on a network. Once a cyberthreat appears in the system, the next step is to determine the severity of the threat. In extreme cases it's necessary to implement immediate responses using intrusion prevention systems (IPSs) or intrusion detection and response systems (IDRs). Intrusion prevention and control systems (IPCs) provide other helpful tools. Machine learning software can analyze logs to help speed up the analysis of the best approach to mitigating threats.
Once a threat is analyzed, the team must work on containing it. The first step is to close off the entry point that allowed the threat to sneak into the system. If a website has suffered an SQL attack, it needs to be taken offline or given some form of protection so that its users are not harmed by the site. In some cases it's necessary to activate a Web Application Firewall (WAF) to block the threat.
When a threat moves from one system to another, it becomes much more complex and requires a more elaborate fix. Complete eradication of the threat is the goal, but this process can take time depending on the available tools and talent, so it's necessary to operate on a backup system until the main system is fixed. Additional time will be needed for testing to ensure the main system is safe.
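As an added example (not code from the original article), the following Python script walks constructed IDS alerts through the workflow described above: parse the alerts, score severity, flag threats that have already moved between monitored hosts, and list the containment steps (close the entry point, WAF for an SQL attack, fall back to backup systems when the threat has spread). The key=value alert format, host names and signature names are assumptions invented for this example.

```python
import re

# Constructed sample alerts in a hypothetical key=value IDS format (not any real product's output).
SAMPLE_ALERTS = """\
2024-03-01T10:02:11 sig=sqli src=203.0.113.7 dst=web01 sev=high
2024-03-01T10:03:40 sig=portscan src=203.0.113.7 dst=web01 sev=low
2024-03-01T10:05:02 sig=lateral_smb src=web01 dst=db01 sev=high
2024-03-01T10:06:15 sig=bruteforce src=198.51.100.9 dst=vpn01 sev=medium
this line is malformed and must be skipped
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+) sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sev=(?P<sev>\S+)$")
SEV_SCORE = {"low": 1, "medium": 2, "high": 3}


def parse_alerts(text):
    """Parse alert lines; malformed lines are skipped rather than crashing the pipeline."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]


def triage(text):
    """Build one incident record per targeted host: highest severity seen, whether the
    threat has moved between monitored systems, and the containment steps to take."""
    alerts = parse_alerts(text)
    monitored = {a["dst"] for a in alerts}  # hosts we have seen as targets
    incidents = {}
    for a in alerts:
        inc = incidents.setdefault(a["dst"], {"severity": 0, "spread": False, "actions": []})
        inc["severity"] = max(inc["severity"], SEV_SCORE.get(a["sev"], 0))
        steps = []
        if a["src"] in monitored:
            # The source is one of our own hosts: the threat has spread, so the fix is more elaborate
            inc["spread"] = True
            steps.append(f"isolate {a['dst']} and run on backup until eradicated")
        else:
            steps.append(f"close entry point: block {a['src']}")  # first containment step
        if a["sig"] == "sqli":
            steps.append("enable WAF rule or take the web app offline")
        inc["actions"] += [s for s in steps if s not in inc["actions"]]
    return incidents


def escalation_order(incidents):
    """Hosts to handle first: threats that have spread, then by severity."""
    return sorted(incidents, key=lambda h: (incidents[h]["spread"], incidents[h]["severity"]), reverse=True)
```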
The quality of an SOC's staffing and tools plays a large role in how efficient the unit is at detecting, analyzing and responding to cyberthreats. Ultimately, the better the SOC's threat detection system and tool selection, the faster the team can respond to incidents.