Security Operations Center Design

Oct. 27, 2008
Examining the key design elements in a successful SOC implementation

Over the past decade information technology has radically improved the operational capabilities of a Security Operation Center (SOC). Both what can be done and how it can be done have been changed dramatically by computer, network and communications technologies. Thus many security executives and managers are considering upgrading their SOCs. The purpose of this article is to capture the key elements that must be considered in SOC design, and to share information about what leading security practitioners are doing in that regard.

The Role of SOC Technology

Prior to the advent of electronic security systems, SOC monitoring and response was heavily dependent on human resources and human capabilities, which also limited the accuracy and effectiveness of monitoring efforts. Over the past two decades, the adoption of information technology into facility security systems, and their ability to be connected to SOCs via corporate networks, has significantly changed that picture. This means two important things:

* First, the total cost of ownership for an old-style SOC (that does not take advantage of current technology) is much higher than for a current-technology SOC — even though its contribution to security effectiveness is lower. Without a properly deployed, current-technology SOC, it is likely that your organization is spending more money than it needs to and is getting less security than it should.

* Second, achieving the lower security operations costs and higher security effectiveness that a current-day SOC can provide is not just a matter of SOC design alone. The strategic and tactical roles of global, regional and local SOCs, and the design of security operations at all levels cannot be done by selecting technology in isolation. Designs must use security technology and information technology to address current and expected future security risks. They must also take into account the organization's business culture.

In a recent half-hour interview available online at Microsoft's TechNet Radio website ( http://channel9.msdn.com/Showpost.aspx?postid=360166 ), Johnny Walker, senior program manager for Microsoft Global Security, explains that the role of the technology design and concept of operations for a SOC is to provide situational awareness that enables precision response and supports forensic investigations. Precision response is both a security factor and a cost factor. “Physical security strategy begins with a comprehensive risk and an investment model,” Walker says during the broadcast. “We kind of bucket it in four zones: technology, monitoring, communication and administration. First is the technology investment that is really built on your risk drivers. Next, you have to have an effective, sustainable and predictable monitoring model that goes on the total cost of ownership.

“Once you have heard an alarm and you understand the alarm, you have to be able to communicate it quickly to a response mechanism — whether that's your proprietary forces or a public safety response mechanism — it still has to work,” Walker continued. “So you have to invest in that third tier (communications). And then finally you have to have this administrative module that says, ‘Do I have the right design, is it working?’ So you have this process improvement piece going on so you can evolve the lifecycle of the system and know its readiness.”

Design Considerations

Once the homework has been done relating to risk assessment and business alignment, key aspects of the design can be considered, including:

•  location (primary and alternate);

•  range of functions (security, safety, and building services);

•  scope of monitoring (local, regional or global);

•  size (for personnel and equipment);

•  current and future technology;

•  lifespan;

•  stakeholders;

•  SOC team; and

•  security operations transition.

A key and often overlooked consideration is that the reliability of the SOC itself is a critical business continuity and disaster recovery issue. Thus, redundancy is a key design element — from strategic issues like establishing an alternate or fallback SOC location, to technical issues such as ensuring network equipment and communications redundancy.

Location

Although selecting a secure and safe site would seem obvious, few SOC design phases include an initial vulnerability assessment and a final vulnerability review after build-out. Many vulnerabilities can disable SOC operations. Not all risks can be fully eliminated, but contingencies and fall-back modes can be established to prevent loss of critical functionality. The space should be easily accessible from the entrance facilities, but located within at least one other security boundary layer.

Today's SOCs are critical data centers that contain computer server and network equipment, so the recommendations commonly provided for a data center apply to a SOC as well. The selected space must be able to be built out according to facility use requirements (monitoring station, observer and meeting requirements), technology requirements (including provisions for primary and backup power, lighting and HVAC systems), and cabling system and network design requirements.

Range of Functions

Basic SOC operations include monitoring and dispatch functions for security, safety, building services and maintenance, and can even include primary or backup Network Operations Center (NOC) monitoring. However, the response to a significant event can also include planning and management of business continuity and disaster recovery operations. Is there adjoining space for a management team to assemble and view updated incident status information? One room over from the Security and Facilities Operations Center (SFOC) at the San Jose headquarters of Cisco Systems Inc. is the Emergency Operations Center (EOC), which is activated when strategic management decisions need to be made. Cisco's SFOC maintains situational awareness, provides human intervention for security operations, and generates the data for the EOC's electronic dashboard. Cisco's theater crisis management teams (Americas International, Asia, and EMEA) and corporate crisis management teams rely on the EOC to stay updated on key situational elements. Some enterprises, such as key international airports, must accommodate traveling dignitaries and press, and support them with telephone lines and internet connections.

Scope of Monitoring

The scope of SOC monitoring impacts its design and technology use.

The larger the scope of monitoring, the more important it is to set standards for the signals and data that will be received by the SOC from individual facilities. (That also means the related devices and systems must be installed at the monitored facilities.) Leading companies establish written security standards to establish uniform SOC situational awareness for each type or category of facility. These standards should be based on risk assessment results and the risk tolerance level of the organization for each type of facility.

Some global companies use a “follow the sun” approach to monitoring, whereby global monitoring is performed in rotation by two or three SOCs during their facility's normal business operations hours. When an enterprise has multiple SOCs, their strategic use can optimize the staffing requirements if the right monitoring system technology is deployed. For example, on occurrence of a major incident, monitoring of all non-incident related signals can be routed to another SOC, allowing the primary SOC's personnel to concentrate on the incident without distraction and without requiring a higher level of personnel.

Network-based technologies also allow global companies to use their multiple SOCs as fail-over operations centers for one another. Should one SOC become disabled or non-operational, its monitoring, communications, and command and control functions can be forwarded to the “fail-over” SOC.
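The routing strategy described in this section (follow-the-sun rotation, steering non-incident signals away from a SOC that is working a major incident, and fail-over when a SOC is disabled), as an added Python sketch that is not from the article or from any vendor's monitoring product; the SOC names, fixed UTC offsets, shift hours and the sample date are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass
class Soc:
    name: str
    utc_offset: int                      # fixed offset in hours (constructed simplification; no DST handling)
    shift: Tuple[int, int] = (8, 18)     # local business hours during which this SOC takes the global watch
    available: bool = True               # False once the SOC is disabled or non-operational
    incident_site: Optional[str] = None  # set while the SOC is concentrating on a major incident at one site

    def on_shift(self, now_utc: datetime) -> bool:
        local_hour = (now_utc + timedelta(hours=self.utc_offset)).hour
        return self.shift[0] <= local_hour < self.shift[1]

def route_signal(site: str, socs: List[Soc], now_utc: datetime) -> str:
    """Name the SOC that should receive a signal coming from `site` at this moment."""
    live = [s for s in socs if s.available]
    if not live:
        raise RuntimeError("no operational SOC; escalate through an out-of-band contingency")
    # 1. A SOC working a major incident keeps that site's signals regardless of the shift plan.
    for s in live:
        if s.incident_site == site:
            return s.name
    # 2. All other signals are steered away from SOCs in incident mode so their operators stay focused.
    eligible = [s for s in live if s.incident_site is None] or live
    # 3. Follow the sun: the eligible SOC whose local business hours cover this moment takes the watch.
    on_shift = [s for s in eligible if s.on_shift(now_utc)]
    # 4. Fail-over: with nobody on shift (disabled SOC, coverage gap), the first eligible SOC covers.
    return (on_shift or eligible)[0].name

def at_utc(hour: int) -> datetime:
    """Constructed sample instant on the article's date, 27 Oct 2008, at the given UTC hour."""
    return datetime(2008, 10, 27, hour, tzinfo=timezone.utc)

def sample_fleet(disabled: Tuple[str, ...] = (), incident: Optional[Tuple[str, str]] = None) -> List[Soc]:
    """Three constructed SOCs (offsets approximate for late October 2008) with optional overrides."""
    fleet = [Soc("San Jose", -7), Soc("Amsterdam", +1), Soc("Singapore", +8)]
    for s in fleet:
        s.available = s.name not in disabled
        if incident and s.name == incident[0]:
            s.incident_site = incident[1]
    return fleet

if __name__ == "__main__":
    print(route_signal("Paris", sample_fleet(), at_utc(10)))                                  # Amsterdam
    print(route_signal("Paris", sample_fleet(incident=("Amsterdam", "Dublin")), at_utc(8)))   # Singapore
    print(route_signal("Dublin", sample_fleet(incident=("Amsterdam", "Dublin")), at_utc(8)))  # Amsterdam
    print(route_signal("Paris", sample_fleet(disabled=("Amsterdam",)), at_utc(10)))           # San Jose
```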

Size

All of the items in the Design Considerations list above are factors in the size of the SOC. Strategic SOC design accounts for current SOC functions while anticipating space needs for future (or envisioned) consolidated or collaborative services that SOC personnel may perform. Several technology developments, including server virtualization, digital video, data and management aggregation services, and VoIP networked communication systems, have greatly reduced the floor, working and console space needed for SOC functions. Conversely, large display screens and video walls that may not have existed previously are an increasingly popular way to enhance communication between operations center personnel.

Current and Future Technology

The increasing pace of technology development and the increasing value of new security technology mean that SOC design must consider both current and future technology. IT standards-based technologies provide future-proofing in three senses: First, the computing and communications infrastructure will continue to be compatible with future technology development; second, the communications infrastructure is independently scalable and upgradeable; and third, interoperability between components and systems continues to grow, which increases the value of the existing technology investment.

Lifespan

Common standards-based infrastructures among systems mean that security systems design can focus more on security applications and less on technology details. This is also a focus on the security ROI elements—where a security manager's attention should be. The nature of SOC upgrades has changed from complete “forklift” redesigns to designs that can evolve as both technology and security application needs evolve. The approach of previous decades, redesigning a SOC every 5 to 10 years, is being replaced by ongoing SOC technology lifecycle planning. Security executives and managers can learn a lot from their IT departments about how this beneficially impacts budget planning and management approvals. The lifespan of a current-technology SOC will be determined by the organization's strategic and tactical security planning (such as consolidation or regionalization) according to business needs, rather than by technology changes.

SOC Team

James Connor, CEO of security consulting firm N2N Secure and former senior manager of Global Security Systems for Symantec Corp., points out that human capital development for SOC functions is highly important, but is often overlooked. “The SOC team is a critical part of the security operations ecosystem,” Connor says. “The correct perspective starts with the team and goes from there. The technology simply provides the tools that the SOC needs to get the job done. That's why the design effort should include metrics to measure how the job is getting done, and to provide insight into the upgraded operations.

“When redesigning a SOC, the security manager must re-evaluate the SOC's mission statement,” Connor continues. “What is the mandate? What security policies and procedures are appropriate for the business today? The last thing that you want is to have a SOC upgrade amount to nothing more than ‘putting a new paint job’ on an existing SOC.”

[Sidebar]

Some Sources for Data Center Standards

• 7x24 Exchange ( www.7x24exchange.org ) – leading knowledge exchange for those who design, build, use and maintain mission-critical enterprise information infrastructures
• AFCOM – Association For Computers Operations Management ( www.afcom.com ) – provides education and resources for data center managers
• ASIS International ( www.asisonline.org ) – source for security guidelines, educational materials and workshops
• ASHRAE – American Society of Heating, Refrigerating and Air-Conditioning Engineers ( www.ashrae.org )
    • Book: Thermal Guidelines for Data Processing Environments – defines Class 1 and Class 2 Environments applicable to monitoring centers
• EIA-310-D – Cabinets, Racks, Panels, and Associated Equipment
• OSHA – Occupational Safety and Health Administration ( www.osha.gov )
    • Operator workstation considerations: www.osha.gov/SLTC/etools/computerworkstations/positions.html
• 2008 National Electrical Code (NFPA 70)
    • Article 645 – Information Technology Equipment
• NFPA 75 – Standard for the Protection of Electronic Computer/Data Processing Equipment, 2003 Edition
• NFPA 76 – Standard for the Fire Protection of Telecommunications Facilities, 2005 Edition (telecommunications is data, voice, and video)
• ANSI/TIA/EIA-942 Data Center Standard (downloadable)
• White Paper: Tier Classifications Define Site Infrastructure Performance, downloadable from: www.uptimeinstitute.org/cgi-bin/admin2/admin.pl?admin=view_whitepapers
• UL – Underwriters Laboratories ( www.nfpa.org ) – standards for power and cable system design
• Online calculator for determining the capacity of air conditioner required

Many of the sources above were presented in the October 2007 ASIS Workshop, CCTV-Analog to Digital: Applications and Advances in Surveillance, in a presentation by Ed Bacco (Sr. Manager World-Wide, Physical Security Services, Systems and Design, Amazon.com) and Steve Surfaro (Group Manager Strategic Technical Liaison, Panasonic System Solutions Company).

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 20 years. He is founder and publisher of “The Security Minute” 60-second newsletter ( www.TheSecurityMinute.com ).

Deon Chatterton is a program manager in Cisco's Global Risk Technologies department. His specific areas of focus include security technology strategy development, process and procedure standards development, security systems enterprise architecture management, and business process manager for joint security and IT convergence projects.