Across one entire wall of the room are dozens of camera feeds. Operators in the room are on their phones, either receiving or relaying information about security – physical and cyber-related events. Welcome to Exelon’s Security Operations Center (ESOC), with three entities: the ESOC, the Incident Command Center (ICC) and the Cyber Security Operations Center (CSOC). Together, the SOCs are a united physical and cyber security management organization tasked with mitigating and responding to physical and cyber security incidents. The group also is responsible for assisting other Exelon groups to ensure compliance with regulations such as NERC CIP, Sarbanes-Oxley, the Chemical Facilities Anti-Terrorism Standards, Pipeline Security and the Maritime Transportation Safety Act.
Ed Goetz, VP and CSO of Exelon, had a vision for all of the SOCs when Constellation Energy Group merged with Exelon Corporation in 2012. The merger created the leading competitive energy provider in the country.
“When we merged, we learned that each legacy company had their own security operations center. It quickly became clear that separate SOCs were not effective and efficient, so we consolidated the two centers into one and located it in Baltimore. We are pleased with the consolidation process and the result. We came in under budget and one month ahead of schedule. We had to have one location where we could monitor threats and respond to an incident when necessary,” Goetz explains.
For physical security, the ESOC is where the action begins, so to speak. Calls go into the ESOC, and the decision is made to dispatch Physical Security Specialists, stand up the ICC or refer the matter to the CSOC, based on the nature of the event. For example, during last year’s Boston Marathon bombing, the ICC was very active as Exelon has an office in Boston that is two blocks away from the bombing site with line of sight to the finish line. “Some of our employees were in the marathon, some were spectators and others were in the office. We stood up the Incident Command Center, locked down that office and addressed the immediate needs of the employees in the building,” Goetz says. “We located employees that were on the marathon route as spectators, we found a contingent of employees who had traveled from other parts of the country to watch the marathon and we reached out to ensure their safety and provide assistance. We did this in a matter of hours, with the ICC working in conjunction with the ESOC.”
The ESOC monitors 10,000 alarm points and cameras throughout the U.S. It receives 8,000 calls a month from employees, contractors and law enforcement agencies. It is a clearing house for incident reporting, but also to field requests for information. The operators in the ESOC have “playbooks,” Goetz says, that they follow based on the type of event they are responding to. In some cases, they are asked to use their own judgment. In other cases, they are pushing the request up the chain for a decision. “That would usually entail calling a security specialist, depending upon where they are located, advising them of the situation and getting their advice,” Goetz says. “We give them latitude on fast-breaking incidents. Exelon has three utilities, and we also own generation plants that encompass hydro, wind, solar, gas, nuclear and coal, so if there’s an incident at any of those locations, the operators have the latitude to interact with first responders. We don’t want a lag time with calling 911, then calling a security specialist and waiting. So we ask them to utilize their best judgment, stay on the line, keep the cameras trained and try to assist the first responders as best they can.”
While the merger of Constellation and Exelon and the disparate monitoring systems in place gave Goetz some room in selling the new ESOC to management, he still used a risk equation to communicate the threats to the enterprise and possible effects on business units. “Our risk equation is examining the threat, the vulnerability and the impact to the company, and that equals the risk. We are able to articulate clearly threats to the company, but it still has to be a strong and persuasive argument. We spent $3.5 million to upgrade the Baltimore site, the ICC and build the CSOC. Chris Crane, our CEO, and Sonny Garg, the CIO, clearly understand the current threat environment facing the electricity sector. They, along with the Exelon Executive Committee and the Board of Directors are very supportive of providing the resources for us to be able to mitigate those threats. But I still had to communicate it well.”
On the cyber side, the Exelon CSOC is responsible for monitoring cyber threats and risk to the enterprise network. “We know that one of the top threats to the U.S. electric sector is a potential cyber attack,” Goetz says. “We took all groups involved in preventing, detecting and responding to a cyber event and put them under one umbrella in the CSOC. We have a team that works on firewalls, monitoring the perimeter of the network for malware or attempted intrusions – that’s one group. If there’s an intrusion, another group is in place to detect it, and yet another group works to respond and remediate incidents. We also have a forensics group that has the capability to look at malware, analyze it and take the appropriate mitigation steps against it. These events happen at machine speed, and we need to respond almost as quickly. If we didn’t have the forensics capability in-house, we would have to send the malware out to a third party, wait for it be analyzed and send a report back to us. That can take several days. All of those groups are in one location, within the CSOC, with a director in charge, which allows for a seamless handoff from group to group. We are one of the few organizations that have an in-house cyber forensics capability.”
Goetz adds, “We don’t want to be followers; we want to be leaders in addressing the threats to Exelon and the electric sector. What happens to the electric grid affects every other sector down the line. We take our responsibilities very seriously, not only to our customers and shareholders but also to the country at large. Exelon’s commitment to protect the electric grid is demonstrated in the capabilities that we have built into our ESOC.”
SOCs, GSOCs, SFOCs and More
Clearly, SOCs can provide a real-time view into an enterprise’s security status, making a proactive approach to security a reality via automated alerts, detailed reports and remediation. They can monitor and manage all aspects of enterprise security in real time, discover and prioritize events, determine the risk level and which assets are affected, and recommend and/or execute the appropriate remediation. While terrorism gains much attention and is one issue closely watched by SOCs, weather is increasingly taking a higher position on global risk charts, according to the World Economic Forum’s Global Risks 2014 report, by Marsh & McLennan Companies, Swiss Re, Zurich Insurance Group, the Oxford Martin School (University of Oxford), the National University of Singapore, and the Wharton Risk Management and Decision Processes Center (University of Pennsylvania).
Taking a 10-year outlook, the report assesses 31 risks that are global in nature and have the potential to cause significant negative impact across entire countries and industries if they take place. The risks are grouped under five classifications – economic, environmental, geopolitical, societal and technological – and measured in terms of their likelihood and potential impact.
According to the report, after income disparity, extreme weather is the global risk next most likely to cause systemic shock on a global scale. This is followed by unemployment and underemployment, climate change and cyberattacks.
Fiscal crises feature as the global risk that experts believe has the potential to have the biggest impact on systems and countries over the course of the next 10 years. This economic risk is followed by two environmental risks – climate change and water crises – then unemployment and underemployment, and then critical information infrastructure breakdown, a technological risk, the report says.
“Each risk considered in this report holds the potential for failure on a global scale; however, it is their interconnected nature that makes their negative implications so pronounced as together they can have an augmented effect,” says Jennifer Blanke, Chief Economist at the World Economic Forum.
In particular, the report considers reduced employment opportunity and the rising cost of education as having a potentially large impact on political and social stability as well as economic development.
In addition, the deepening reliance on the Internet to carry out essential tasks and the massive expansion of devices that are connected to it, make the risk of systemic failure – on a scale capable of breaking systems or even societies – greater than ever this year, according to the report. Recent revelations on government surveillance have reduced the international community’s willingness to work together to build governance models to address this weakness. The effect could be a balkanization of the Internet, or so-called “cybergeddon,” where hackers enjoy overwhelming superiority, and massive disruption is commonplace.
According to the report, the four key threats that could each impact global stability in the next five to 10 years include:
- Emerging market uncertainties, whereby the world’s major emerging markets become unstable as a result of social, political or economic pressure;
- Commercial and political frictions between countries, where trade and investment become increasingly used as a proxy for geopolitical power, with increased flashpoints as a result;
- Proliferation of low-level conflicts, caused by technological change and reluctance of major powers to intervene, which could easily spill over into full-scale warfare; and
- Slow progress on global challenges, where persisting deadlock in global governance institutions leads to failure to adequately address environmental and developmental challenges that are truly global in nature.
“A more fractured geopolitical environment threatens to impede progress in industries which are critical to global development, such as financial services, healthcare and energy,” notes John Drzik, president of Global Risk and Specialties at Marsh. “The world needs more coordinated governance to prevent slow-burning, systemic risks from developing into full-blown crises.”
At Cisco, the GSOCs are called SFOCs – Security Facilities Operations Centers. Michael Maloof, CPP, is the Sr. Manager, responsible for global incident management & investigations for Cisco’s Global Safety, Security & Business Resiliency team. Cisco has five global SFOCs. Each SFOC is situated next to an Emergency Operations Center.
The centers, which are staffed at all times, are in place for a variety of reasons, for situational monitoring, for receiving intelligence from sources (news, intelligence feed service) that could impact Cisco in some manner. If something happens, policies and procedures are activated.
“They truly are the first step for us,” Maloof says. “For example, they are watching weather-related issues such as a winter storm, or protests in a city that could impact us at an organization level in terms of supply chain and employees. Our incident management team was activated in Thailand due to the protests in Bangkok. If the protest is in close approximation to a Cisco office, we are looking at protecting our employees, impact on our supply chain, shareholder value and more. We also publish the information on an internal Web page, so Cisco is very transparent about incident management. An employee traveling to Bangkok would have multiple sources to know about possible threats,” he says.
Microsoft Corporation has three GSOCs – one at the corporate headquarters in Redmond, Wash., that covers North America and South America, one in London (Reading) that covers Europe, the Middle East and Africa and a third in India that handles the Asia Pacific region. “Everything is tied into the GSOCs,” explains Mike Howard, CSO at Microsoft. “We built the technology so that if one goes down, another one could easily assume all of the load sharing and can access cameras, lock down doors, dispatch security officers and more. Each GSOC is staffed with between eight and 10 operators who are indigenous to the area. They are there to manage the intake for calls into our system, including security issues and alerts. After that, we leverage our Regional Security Managers and others within Global Security. If it’s a crisis management issue, regional managers drive the crisis management process. A lot of it is process driven with protocols.” The GSOCs can monitor videos and alarms, fire and life safety systems, 911 calls and dispatch, emergency alert requests and geo-spatial mapping.
Howard and his team built the business case to get a GSOC in 2003. The GSOCs were built from 2005 to 2008. “First, you need a strategic imperative before you seek the technology for your GSOC,” he advises. “Too many people get wrapped around the technology first. Our old control center could not scale to the growth of Microsoft. We first did a zero-based study with our Life Safety Control Center (LSCC) and found 60 different technologies that didn’t scale or interoperate. Based on that study we recommended the GSOC concept. We knew that Microsoft was growing. Then it was a matter of going up the chain of command to demonstrate the limitations of the old LSCC. It moved up to the CEO’s office and quickly received approval. But we had to build the business case first.”
For others looking to build their own GSOC Howard recommends a gap analysis. “Is there a clear need for the GSOC? Can you get the job done using existing software? Also, make sure that you are strategically aligned with the business. In our case, we were expanding our footprint and knew what we had could not cover a growing Microsoft. Do that gap analysis and capabilities and marry that with the strategic imperative. What is the risk to the company if you don’t build one?”
The GSOCs have also added ROI to the business, Howard explains, through a Showcase program. “It continues to be a key tool in promoting our GSOC to the C-Suite,” he says. “Fundamental to our GSOC strategy was to use commercial off-the-shelf (COTS) technology; staying away from custom-coded software that didn’t scale or interoperate. We built the core of our GSOC on the Microsoft platform and our Office Suite COTS such as SharePoint, InfoPath and OneNote. These are tools that most enterprises currently use, but not for security. We began by bringing in public and private groups to benchmark at our GSOC in Redmond, presenting our GSOC story from where we were then to what we are now, demonstrating our technology and failover capabilities. Many customers were amazed at what could be done with technology they already had. Soon after, we became a presentation offering through the Microsoft Executive Briefing Center, where Microsoft Account representatives would send visiting companies and government personnel to our GSOC demo to see the full extent of how Microsoft Office can be used. For this effort, we received ‘soft dollar’ credits of sales – which we recorded and tracked through Microsoft Dynamics CRM. I was able to show a tangible ROI in dollars to my boss as well as the Microsoft C-Suite resulting from the opening of GSOCs to Microsoft, as well as delivering best-in-class life safety analytics. Our program has now matured to a global model, where we demo the GSOC at one of our physical locations or remotely all over the world. We are at the point that we are now generating hard dollar revenue through showcasing partner technology that we use every day in the GSOC, which continues to add and show value for my organization.”
eBay, which has 35,000 employees and contractors in 40 countries, has 15 GSOCs that are named Central Security Control. The GSOC in San Jose, Calif., which is eBay’s corporate headquarters, is more strategic in nature. “Right now we are worried about the situation in the Ukraine and the dry weather in Australia,” says George Booth, Senior Manager Global Security Operations for eBay.
“People have a mixed set of perceptions about what we really do as a company, and that translates into how we train in our security program. In general, our mantra is that what we do is about people, not objects, and the primary thrust of our being is not to prevent property theft. If we do a good job with access control, then a lot of other problems take care of themselves.”
Booth says that regular meetings with the eBay security operations team and the GSOC team help to identify what’s currently on “the radar” in terms of security and risk management issues. “We have on our radar a listing of 50 items. The top group of items is most pressing, the next group is items we are thinking about and the bottom third are long-term issues, such as the 2015 Summer Olympics. We are looking at the upcoming tornado season right now, and the potential impacts it may have on our business units.
“As security we are always in a defensive mode,” Booth adds. “We have never figured out to get ahead of things. We need to be anticipatory based on our history. We recently conducted a study where we found that we spent money patrolling the inside of buildings, and the result of that was nothing. So we are increasingly testing against our own data, versus benchmarking data.”
At Western Union, the GSOC is an integral part of the Western Union Global Security team, says Kendall Kern, Director, Global Safety and Security. “The GSOC maintains constant monitoring of critical infrastructure such as points of sale, data centers and points of ingress/egress in real time to detect and respond to any security concerns in the quickest possible timeframe,” he explains. “This is accomplished utilizing CCTV, access control alarm systems, communication and coordination of physical patrol techniques. The GSOC also assists Western Union with our request management process for ID badges. On a daily basis they are handling requests for new ID badges, clearance level changes, terminations, etc. Other duties include real-time monitoring of access at global locations, responding to alarms, both physical and access control related. GSOC staff responds to 911 calls, and assist emergency personnel while on property, either in person or by CCTV. The GSOC also has the ability to retrieve video from a number of locations upon request by internal security departments assisting Law Enforcement on a number of issues.”
The GSOC is the voice behind the Crisis Help Line, which is available to all Western Union employees on a 24/7 basis, Kern explains. When a call comes in, it is sent to the appropriate, pre-determined personnel. The GSOC has an established crisis process and monitors all outgoing, emergent 911 calls to provide quicker response, as well as to aid responders and limit their unnecessary exposure to high-risk concerns.
Having implemented a GSOC has helped support security’s business goals and operations, Kern notes. “The GSOC allows the security team to have a 24/7 monitoring operation that is there in the event of an emergency (no matter how small or big it may be). They are trained to handle incidents across the globe. The key to installing any technology is to have someone behind the wheel that can use it effectively and efficiently, which our GSOC has been proven to do. All of this supports our goal of protecting Western Union from any harm.”
What Don’t GSOCs Do?
One size does not fit all with a GSOC, of course. Factors such as enterprise size, security budget and risk needs analysis all come into play. For example, the operators at Cisco’s SFOCs don’t make operational-based decisions for security management, says Maloof. “They receive the information, they package it up and they send it to a manager who makes the decision, who then disseminates it to the security management team. The operators are contract employees working with a defined set of policies and procedures. They have to understand their swim lanes, such as you would find with a 911 operator,” he says.
They do have extensive training, though, which assists Cisco’s emergency response team of about 3,500 members worldwide, comprised of Cisco employees and volunteers. That team receives medical calls through an SFOC, and if an operator can’t answer or is busy, the call goes to the local police dispatch. In one instance, thanks to a quick response and training, a team from an SFOC dispatched medical personnel and fire and ambulance personnel to a scene. Local EMS responders credited the entire process with saving the man’s life.
At eBay, Booth says, “We put our experience and our better paid officers in the field. The duty of the staff in the GSOC is to support the field officers. They are deciding very little, and it’s designed that way. It’s not because they can’t do it, though. In our GSOC we function as the company’s internal CNN, so to speak, and we can provide analysis and background on everything going in the world, including potential labor strikes. We are advising eBay’s business units. We were ahead of Hurricane Sandy by 10 days.”
In Philadelphia, Comcast’s security operations center is seven years old and recently underwent some expansion, as Comcast Corp. adds facilities that need security monitoring. The current Comcast headquarters is only a few years old, so the build included a 24/7 center that monitors card access, video for each office floor, passage and service elevators and stairwells, alarms, panic alarms for executives and environmental alarms such as heat, cold and water. The expansion includes adding other corporate and critical buildings under the SOC, including an office in Washington D.C., an office in Delaware and a corporate airplane hangar. Monitoring of all of those locations has been tied back into the main Comcast SOC.
A shift manager at the SOC is “empowered and encouraged with a full operations manual with steps to make decisions,” says Mark Farrell, CSO at Comcast. “If they receive a critical situation, they reference the manual to assess and coordinate the response.”
Moving into a new building helped Farrell make the business case for the SOC, he says. “I started out small, a room with two people monitoring a building based on the square footage of the building, the value was easily shown. Now because of company growth, I have expanded the room, kept the same staff with a new way of delivering the electronics system and set up a video wall with intelligent cameras – I am monitoring additional facilities without adding staff. I am using technology to do a lot more with less manpower.”
Cisco anticipates upgrading the technology in its SFOCs. “We want an interactive-based environment, one that is touchscreen-centric,” Maloof says. “We are testing the tools now. Eventually it will customize a screen, so rather than sending an email to share data, you can move your fingers and a motion will send that program, window or image onto someone else’s desktop.”
Maloof adds, “We are working with more fusion-based centers, and we are trying to predict and be one step ahead. We know that flooding will happen a certain time each year, and we are prepared for that. The days of people saying that security no longer adds ROI doesn’t exist. We are adding shareholder value through a proactive incident and crisis management program and allowing our business to continue operations. We want to warn our business in advance, like suggesting to moving a sales meeting to mitigate risk, and that’s where the ROI comes into play.”
On Farrell’s wish list is more analytics. “In our new building, which is in the design process, instead of just watching video we will be watching anomalies, like a guy pulling on a door and creating an alarm. We will want the analytics to do the work,” he says.
Keys to a Successful Security Operations Center
- Have trained and motivated personnel. “You can have the best equipment, but if you don’t have people who are trained properly and motivated, that equipment won’t be effective,” says Ed Goetz, VP and CSO of Exelon Corp. “To address that, a lot of our operators are former first responders.”
- Have a good PSIM and integration module. “Inevitably you will have disparate systems, and it all has to be seamless to the operator,” Goetz says.
- Have well-maintained equipment in the field and within the SOC. “If you have 10,000 alarm points, it’s impossible for your SOC operators to manually check and see if the cameras or alarms are working,” Goetz says. “We incorporated that into the buildout. There is a system in place that sends alerts that allows the operators to focus their attention on actual events.”
- “Ask yourself ‘Why are you doing this? What does it look like? Do you want to stop the bad guys or catch them?’ It’s a completely different strategy,” says George Booth, Senior Manager, Global Security Operations for eBay.
- “Ask yourself ‘If a guy breaks a window and steals computers, what is the impact? What would the view from the Board be? What is the impact on the business?’ How many resources will you commit to preclude any additional instances?” says Booth.
Financing the GSOC
Money doesn’t grow on trees, and obviously, many enterprises may not be able to afford a GSOC or SOC. An enterprise could always completely outsource SOC operations, and in so doing could save considerable up-front expense. But outsiders do not know a company’s operations, critical servers and applications as well as internal staff members do. Also if an enterprise completely outsources monitoring, and if something happens to the service provider – for example, if it goes bankrupt – it can leave an organization empty-handed when it comes to operational monitoring.
Mike Howard, CSO of Microsoft says that “A CSO’s resource constraint may prohibit the build-out of their own SOC, if so they can contract SOC services with a security provider that specializes in remote SOC management. The CSO must ensure these providers have the necessary infrastructure, technology and operational experience to manage:
a. security dispatching,
b. emergency response,
c. employee/traveler tracking,
d. site identification, and
e. mass communication/alerting and incident monitoring.
“Even with remote SOC services, some integration is required with on premise security to effectively manage overall security efforts,” Howard notes. “When I arrived at Microsoft, we had 15 stand-alone SOCs globally. There was no interoperability, and they contained many technologies that were incompatible. We reduced our total SOCs to three global SOCs and leveraged technology to reduce operational labor. Though Microsoft has more than doubled in size since I started, our initial and strategic investment in the right technology has kept our headcount constant and budget neutral, despite growth.”
According to Booth of eBay, GSOCs come in two basic configurations. And they have an almost endless number of names. A Tactical, Dispatch GSOC is a solid professionally designed room that can run as high as $1 million, he says. Strategic, Global GSOCs, he says, can cost anywhere between $5 million to $7 million. Booth suggests that “If you can’t afford the big GSOC then two things are going on: you either haven’t made the case or you don’t need one. That’s why, I think, that outsourced solutions, good ones, are hard to find. And if you find a good one, the costs will make you really wonder if it makes sense.”
Maloof of Cisco notes that “When a security organization decides to pursue an SFOC, there are many factors to consider: costs, adequate space, headcount (proprietary or contract), equipment purchase and training, to name a few. When one looks at equipment, the scope runs the full gamut from desks and chairs to software and monitoring equipment. These are not just one time expenses, but in the case of software, licenses and upgrades must be factored.”
Second, redundancy must be considered as well. If the SFOC experiences an outage or must be evacuated, what failover options are available? One must be sure backup staffing is readily available and properly trained, Maloof notes.
“Based on these hurdles or others, many security departments opt to outsource their SFOCs,” he says. “Many of the larger physical security integrators or alarm monitoring providers have the ability to perform SFOC duties for a company. The SFOC can be built within the ‘inner walls’ of the company and the equipment leased, staffed, and operated by a third party. More common, in my opinion, is using the physical services of the dedicated SFOCs in place by these companies. Your employees call the security emergency phone number, and the call is answered by a dedicated team of SFOC personnel trained to the specifications required by your company. These outsourced SFOCs can deliver intelligence emails, monitor alarms, provide notifications and more based on a mutually agreed set of operating procedures. There are some initial cost-saving advantages as well as redundancy incorporated into the design, ensuring the SFOC will always be operational.”
Global Security Operations Centers in Transition
By Brent Conran, CSO at McAfee, Inc.
Global Security Operations Centers (GSOCs) are a fundamental part of any major company’s security approach: they allow monitoring and response to potential risks to the company, its employees and its customers. The GSOC is the nerve center of security operations, providing 24/7 threat monitoring and analysis. To do this, the GSOC has to monitor a range of systems from physical security to critical equipment and systems. One of the most important functions of the SOC is to monitor for, detect and respond to global threats. This implies a follow-the-sun model, in which the SOCs across the globe can both respond to local threats, and share information with other SOCs to ensure timely, adequate response to emerging situations.
GSOCs currently rely heavily on SIEM systems to collect log data globally, normalize it and mine it to see what attacks were being perpetrated. That’s a necessary step in threat mitigation. SIEM provides a body of knowledge so that, if you miss the attack, you can go back and find out the details. And it’s there for continuous monitoring: eyeballs on the screen.
However, we are seeing a couple of trends that indicate GSOCs are in transition. First, we are seeing convergence of the physical and the cyber worlds. Whereas in the past cameras provided information to local security officers, today’s IP-based cameras and IP-based access control systems can provide information to both physical and cyber security experts in a coordinated, consolidated fashion, piped into the SOC. Now, for example, we can find out that someone badged into a facility on the East Coast, but logged in from the West Coast. Both items in isolation appear fine, but when taken together the convergence shows a real risk.
Another important change taking place in SOCs relates to the way we will staff them in the future, as a result of our increasing propensity to standardize on a security platform/infrastructure. Many organizations have put in place an integrated SIEM, Intrusion Detection Systems, Firewalls, Web Gateways and other technologies to isolate and investigate potentially harmful payloads. By coordinating and adding intelligence to the way these systems operate in concert, we can effectively stop the vast majority of threats hitting our organization, freeing up the real security experts to track down and actively seek out the difficult, advanced threats. Now, instead of dedicating SOC engineers to evaluating the data from a SIEM, only to find out too late that something harmful has made its way into our network, they can rely on their integrated intelligent standardized systems to find and deal with 99 percent of the threats. The result is that we can repurpose our SOC staff to now start actively hunting for the remaining one percent of malware – the really tricky, insidious threats.
Here’s an example: let’s suppose you normally see half a meg of Internet traffic, in the morning, at noon, and in the afternoon. This goes on for months. Suddenly, a machine wakes up in the middle of the night and sends out 80GB of traffic. Now this might be completely legitimate – but someone needs to ask the question. This is precisely the type of situation that requires a seasoned SOC security engineer to really investigate.
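The two correlations described above (a badge-in on one coast followed by a login from the other, and a machine that suddenly sends far more than its usual volume at night) are easy to express as detection logic once physical and network events land in the same SOC. The block below is an added illustration, not McAfee’s or the article’s own code; the site-to-region map, the two-hour badge window and the 100x volume ratio are assumptions, and every event is constructed sample data.

```python
"""Added example: two converged-SOC detections over constructed events.
1. badge_login_mismatches(): a user badges into a site in one region but
   logs in from another region within a short window.
2. traffic_anomalies(): a host's hourly outbound bytes jump far above its
   own recent baseline (the 'half a meg all day, 80 GB at 3 a.m.' case).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Assumed mapping from physical site to the network region it sits in.
SITE_REGION = {"east-coast-hq": "east-coast", "west-coast-campus": "west-coast"}

# Constructed badge (physical access) events: (user, site, timestamp)
BADGE_EVENTS = [
    ("alice", "east-coast-hq", "2014-03-10T08:02:00"),
    ("bob", "east-coast-hq", "2014-03-10T08:15:00"),
]

# Constructed login events: (user, source_region, timestamp)
LOGIN_EVENTS = [
    ("alice", "west-coast", "2014-03-10T08:40:00"),  # badged East, logged in West
    ("bob", "east-coast", "2014-03-10T08:20:00"),    # consistent with badge
    ("carol", "west-coast", "2014-03-10T09:00:00"),  # no badge event: nothing to correlate
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def badge_login_mismatches(badges, logins, window=timedelta(hours=2)):
    """Return (user, site, login_region) for each login whose source region
    differs from the region of a badge-in by the same user within `window`.
    Either event alone looks benign; only the pair is suspicious."""
    badges_by_user = defaultdict(list)
    for user, site, ts in badges:
        badges_by_user[user].append((parse(ts), site))
    findings = []
    for user, region, ts in logins:
        t = parse(ts)
        for badge_time, site in badges_by_user.get(user, []):
            if abs(t - badge_time) <= window and SITE_REGION.get(site) != region:
                findings.append((user, site, region))
    return findings


def traffic_anomalies(samples, baseline_hours=72, factor=100.0):
    """Flag (host, timestamp, bytes, ratio) where an hourly outbound volume is
    at least `factor` times the host's mean over the preceding
    `baseline_hours` samples. A ratio is used instead of standard deviation
    because a flat baseline has near-zero deviation and would flag everything."""
    by_host = defaultdict(list)
    for host, ts, byte_count in samples:
        by_host[host].append((parse(ts), byte_count))
    findings = []
    for host, rows in by_host.items():
        rows.sort()
        for i in range(baseline_hours, len(rows)):
            baseline = mean(b for _, b in rows[i - baseline_hours:i])
            t, byte_count = rows[i]
            if baseline > 0 and byte_count / baseline >= factor:
                findings.append((host, t.isoformat(), byte_count, round(byte_count / baseline)))
    return findings


def constructed_traffic():
    """Constructed hourly outbound bytes for one host: 500 KB every hour for
    four days, except one 80 GB burst at 03:00 on the fourth night."""
    start = datetime(2014, 3, 1)
    rows = []
    for h in range(96):
        t = start + timedelta(hours=h)
        byte_count = 80 * 10**9 if h == 75 else 500_000  # h=75 is 2014-03-04T03:00
        rows.append(("ws-17", t.isoformat(), byte_count))
    return rows


if __name__ == "__main__":
    for finding in badge_login_mismatches(BADGE_EVENTS, LOGIN_EVENTS):
        print("badge/login mismatch:", finding)
    for finding in traffic_anomalies(constructed_traffic()):
        print("outbound volume anomaly:", finding)
```

Both detectors only raise the question; as the text says, a seasoned SOC engineer still has to decide whether the 80 GB burst or the cross-coast login was legitimate.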
What does this mean for the GSOC? It may mean a fundamental change to the way the GSOC is staffed, the types of skill sets that are needed, and the procedures and approaches that are used to protect the organization and its employees and customers: letting the systems do the heavy lifting. In a nutshell – working smarter, not harder.