Creating the GSOC: 4 Leading Examples of Successful Security Operations Centers
The Global Security Operations Center is not new, but its value is becoming widely recognized as a necessity to support business goals and operations.
GSOC, SOC, VSOC, JSOC, NOC, INSOC... The possibilities are endless when it comes to a center, building, or facility that mitigates and responds to enterprise security issues, either within the U.S. or on a global level.
GSOCs are not cheap: building one requires a proper needs analysis to ensure that you don’t invest in something that won’t add value to your enterprise. What’s right for you?
What follows is a showcase of how Symantec, Microsoft, McKesson Corp. and The Huntington National Bank are utilizing their GSOC investments to mitigate risk for the enterprise. All of their situations are unique and interesting: one is incorporating a true partnership with cyber, another is in the middle of building a GSOC, another has consolidated three GSOCs into two, and more. Here are their stories.
A JSOC Initiative
One approach to a GSOC comes from Symantec, whose leaders recently embarked on a Joint Security Operations Command (JSOC) journey that resulted in surprising benefits to the management of insider threat, employee morale and retention, and increased service availability, capability and competence.
Joel Fulton, Deputy Chief Security Officer for Symantec, is on the cybersecurity side of the enterprise. His colleague, John Eversole, Senior Director for Physical Security and Safety, is on the physical side of security. Keeping those two teams apart is natural and normal as an industry standard. But Fulton and Eversole don’t see it that way. Fulton says, “Bringing those two roles together has opened our eyes to things that we both expected and some benefits we didn’t anticipate.”
In a very concerted effort to not just “work together” but to sincerely share issues, data, threat mitigation efforts and more, Fulton and Eversole have created a JSOC at Symantec that employs analysts, reporting to one manager, to examine threats and incidents from both the physical and cybersecurity sides. “So if a guy is caught stealing a laptop or caught violating a cyber policy, that incident immediately is cross correlated by the physical security team to check his ID on the physical side and see if this person is a greater risk to the company,” Fulton explains.
In the JSOC, Fulton and Eversole are also tying in feeds from other business units such as HR, Legal and Investigations to get a whole picture of that employee. The multi-layered approach has several benefits: first, of course, is that threats are mitigated more effectively. Second, according to Eversole, SOC operators are being empowered to “see it all” versus just cycling the issue to another individual. “They can really make a broad impact on enterprise security,” Eversole says.
Fulton adds, “By bringing the physical data in and putting it with the cyber data, now we can create stories and build the math to ascertain whether the story is truly right or just a hypothesis. We can ask ‘Do people that badge in before 5:00 a.m. tend to correlate with attempts to log in to manager accounts that fail after three attempts?’ We can ask all of those questions within a broader realm of input. It’s a different approach for a GSOC; I truly feel that this is where the future of the industry is heading. Because if we can train our physical security staff to look at threats from a cyber perspective, companies that don’t currently have cyber capabilities because they’re too small to have their own SOC will now have the ability to at least have a Tier 1 triage application using existing staff.”
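The kind of question Fulton describes, whether early badge-ins line up with bursts of failed logins to manager accounts, is a join between a physical access log and an authentication log. The following is an added example of that correlation, not code from Symantec's JSOC: it parses two constructed sample logs (the formats, users, buildings and account names are invented for illustration), finds runs of three or more failed logins to the same account, ties each run back to the badge-in that preceded it, and compares the rate of such runs after early badge-ins against the rate after normal-hours badge-ins, which is the "story versus hypothesis" check the quote asks for.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample logs (hypothetical formats and identities; not Symantec data).
# badge log: <timestamp> <building> <user> <action>
BADGE_EVENTS = [
    "2016-03-14T04:41:00 bldg-2 u1042 badge-in",
    "2016-03-14T08:55:00 bldg-2 u2201 badge-in",
    "2016-03-15T04:50:00 bldg-2 u1042 badge-in",
    "2016-03-15T09:10:00 bldg-1 u3310 badge-in",
]
# auth log: <timestamp> <user> login <target-account> <OK|FAIL>
AUTH_EVENTS = [
    "2016-03-14T05:02:00 u1042 login mgr-finance FAIL",
    "2016-03-14T05:03:00 u1042 login mgr-finance FAIL",
    "2016-03-14T05:04:00 u1042 login mgr-finance FAIL",
    "2016-03-14T09:00:00 u2201 login u2201 OK",
    "2016-03-15T05:05:00 u1042 login mgr-finance FAIL",
    "2016-03-15T09:12:00 u3310 login mgr-sales FAIL",
    "2016-03-15T09:13:00 u3310 login mgr-sales FAIL",
]

EARLY_CUTOFF = time(5, 0)                 # "badge in before 5:00 a.m."
FAIL_THRESHOLD = 3                        # "fail after three attempts"
BURST_SPAN = timedelta(minutes=15)        # failures this close together form one burst
CORRELATION_WINDOW = timedelta(hours=2)   # how long after a badge-in a burst is attributed to it


def parse_badge(line):
    ts, building, user, action = line.split()
    return datetime.fromisoformat(ts), building, user, action


def parse_auth(line):
    ts, user, _, target, result = line.split()
    return datetime.fromisoformat(ts), user, target, result


def find_failure_bursts(auth_lines, threshold=FAIL_THRESHOLD, span=BURST_SPAN):
    """Return {user: [(burst_start, target_account), ...]} for every run of at
    least `threshold` failed logins to the same account within `span`."""
    failures = defaultdict(list)
    for line in auth_lines:
        ts, user, target, result = parse_auth(line)
        if result == "FAIL":
            failures[(user, target)].append(ts)
    bursts = defaultdict(list)
    for (user, target), times in failures.items():
        times.sort()
        i = 0
        while i < len(times):
            j = i
            # extend the run while the next failure is within `span` of the run start
            while j + 1 < len(times) and times[j + 1] - times[i] <= span:
                j += 1
            if j - i + 1 >= threshold:
                bursts[user].append((times[i], target))
            i = j + 1
    return bursts


def correlate(badge_lines, auth_lines):
    """Join badge-ins to later failure bursts by the same user.

    Returns (hits, rates): `hits` lists each badge-in followed by a burst, and
    `rates` gives the fraction of early vs. normal-hours badge-ins that were
    followed by one, so the hypothesis can be compared against the baseline."""
    bursts = find_failure_bursts(auth_lines)
    hits = []
    counts = {"early": [0, 0], "normal": [0, 0]}  # [badge-ins, badge-ins followed by a burst]
    for line in badge_lines:
        ts, building, user, action = parse_badge(line)
        if action != "badge-in":
            continue
        bucket = "early" if ts.time() < EARLY_CUTOFF else "normal"
        counts[bucket][0] += 1
        followed = [(start, target) for start, target in bursts.get(user, [])
                    if ts <= start <= ts + CORRELATION_WINDOW]
        if followed:
            counts[bucket][1] += 1
            for start, target in followed:
                hits.append({"user": user, "building": building, "badge_in": ts,
                             "burst_start": start, "target": target})
    rates = {b: (n_burst / n if n else 0.0) for b, (n, n_burst) in counts.items()}
    return hits, rates


if __name__ == "__main__":
    found, rates = correlate(BADGE_EVENTS, AUTH_EVENTS)
    for hit in found:
        print(f"{hit['user']} badged into {hit['building']} at {hit['badge_in']}, "
              f"then {FAIL_THRESHOLD}+ failed logins to {hit['target']} from {hit['burst_start']}")
    print("rate of failure bursts after early badge-ins:", rates["early"])
    print("rate of failure bursts after normal badge-ins:", rates["normal"])
```

On the sample data only u1042's first early badge-in is followed by a qualifying burst (u3310's two failures fall below the threshold), so the early-hours rate is 0.5 against a normal-hours baseline of 0.0. With real volumes the two rates are what tell an analyst whether the pattern is a real signal or just a hypothesis.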
Eversole and Fulton have been working on this initiative for about two years and have already seen the benefits. “First, our average SOC operations cost has dropped,” Fulton explains. “Second, on the cyber side, in the industry, most SOC analysts have a commodity job. But this effort allows those analysts to grow beyond their current capability because the contiguous tasks have been assigned to somebody else. We have better morale from the team, along with the ability to add more service hours for the SOC because we now have staffing around-the-clock to be able to handle those volumes.”
Adds Eversole: “For a cyber analyst, if he’s bogged down doing Level 1 triage are you getting your money’s worth out of that employee? No, because they’re doing Tier 1 work that someone else can and should handle.”
Eversole notes that level of training and empowering of a SOC analyst can trickle down to your guard force. “You increase their understanding of what a cyber attack could look like from an external [physical] perspective and what they can find while on their regular patrols, to include rogue wireless hot-spots within your buildings.”
Overall, both Eversole and Fulton are very excited about how the plan is playing out. Eversole says, “Most times, physical security falls under facilities, and cyber falls somewhere else in the company, so when people discuss true collaboration, someone might lose a little bit of their empire. Joel and I went about this without any thought of that. We just wanted to do what’s best for the enterprise.”
Microsoft’s GSOC to VSOC Evolution
Microsoft began its journey into Global Security Operations Centers (GSOCs) more than 10 years ago, and it began with a standalone control center in Redmond, WA, says Brian Tuskan, Senior Director for Global Security Technology, Services and Investigations. The standalone centers eventually grew to 15 operations centers around the world, mini security offices at the company’s largest sites, Tuskan says. The problem with those, Tuskan says, is they employed many products from many vendors. “There are great solutions out there, but if there’s no strategy and it’s just a hodgepodge of non-integrated technology, does it really help your operation?” Eventually, the centers were condensed and integrated into three GSOCs (US, UK and India).
Under the direction of CSO Mike Howard, Tuskan, with an outside firm, completed a study of the three Microsoft GSOCs. “We found that even though our model for GSOCs was considered the ‘gold standard,’ over the years, we noticed that the GSOC started absorbing more and more ancillary duties that weren’t life safety or mission critical. And eventually, we’re doing a lot of work that we probably shouldn’t have been doing. And that led to the discovery that we don’t need three GSOCs; we only need two.”
From there, the global security team partnered with Microsoft Consulting Services (MCS) and Johnson Controls (JCI) to develop the VSOC (Virtual Security Operations Center). The new strategic approach involved moving away from GSOCs and evolving to an intelligence-driven, operationally led fusion center VSOC. The new VSOC model has decision makers either physically within the fusion center or virtually leveraging the Microsoft Azure cloud.
“With the VSOC fusion center philosophy, you don’t need a traditional security operations center (SOC). A VSOC can be situated anywhere because of cloud solutions and any alarms, or other service calls can be pushed off to third-party security services,” Tuskan says.
Microsoft closed its GSOC in the UK on July 1, 2015, and converted the Redmond GSOC to the VSOC fusion center. The GSOC in India is now operating as a security communication center for Tier 1 calls for service and as a backup SOC. The Redmond VSOC fusion center now has high-speed security professionals with decision-making authority managing the operations. The VSOC’s focus is only on mission critical, life-safety events, and Tuskan says they can quickly assess and address threats without layers of reporting/approval protocols that previously slowed down security’s response.
Another positive outcome of the evolution of the VSOC is cost savings via cloud computing using a Microsoft solution. “One of the biggest challenges for physical security technology devices is identifying if it’s working or not, right?” Tuskan asks. “For years the only time we found something was broken was when something didn’t work. That’s a really old school way of thinking. I know there exist today camera monitoring solutions that can tell you the health of your cameras; however, we wanted to know the health of all of our IP-enabled devices, but that type of technology didn’t exist. We decided to build a monitoring solution based off of Microsoft System Center Operations Manager (SCOM). SCOM monitored the health of data center servers, and we added our security IP devices with a cool dashboard.”
The dashboard allows engineers and operators to monitor more than 20,000 devices with a heat map for the highest priority areas that need service. “Instead of waiting for a camera, duress alarm or other IP edge device to fail, we know about it in advance and can take a proactive approach to maintenance,” Tuskan says. “We’re saving millions of dollars because we’re able to intelligently understand our physical security technology infrastructure system, in a single view. So instead of replacing a device every five years because the manufacturer told us we need to do that, we can monitor if and when to replace the device based on the data collected in SCOM.”
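The shift Tuskan describes, from learning a device is broken when it fails to knowing its health ahead of time and ranking the areas that need service, comes down to two steps: classify each device from how recently it reported, then roll the results up by site and priority. The block below is an added illustration of that logic in plain Python, not Microsoft's SCOM solution or dashboard; the device inventory, heartbeat log format, priority scheme and thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory (hypothetical; not Microsoft's device data).
# device id -> (site, device type, priority: 1 = life-safety area, 3 = low)
DEVICES = {
    "cam-redmond-lobby-01": ("redmond", "camera", 1),
    "duress-redmond-cash-02": ("redmond", "duress-alarm", 1),
    "cam-redmond-garage-07": ("redmond", "camera", 3),
    "reader-india-dock-03": ("india", "badge-reader", 2),
    "cam-india-lobby-01": ("india", "camera", 1),
}

# Constructed heartbeat log: <timestamp> <device id> <status>
HEARTBEATS = [
    "2016-07-01T12:00:00 cam-redmond-lobby-01 ok",
    "2016-07-01T12:05:00 cam-redmond-lobby-01 ok",
    "2016-07-01T11:30:00 duress-redmond-cash-02 ok",   # last report is 36 minutes old
    "2016-07-01T12:04:00 cam-redmond-garage-07 ok",
    "2016-07-01T11:52:00 reader-india-dock-03 ok",     # last report is 14 minutes old
    # cam-india-lobby-01 has never reported
]

NOW = datetime.fromisoformat("2016-07-01T12:06:00")   # evaluation time, fixed for the example
HEARTBEAT_INTERVAL = timedelta(minutes=5)              # assumed reporting interval
DEGRADED_AFTER = HEARTBEAT_INTERVAL                     # one missed report
DOWN_AFTER = 3 * HEARTBEAT_INTERVAL                     # three missed reports


def parse_heartbeat(line):
    ts, device, status = line.split()
    return datetime.fromisoformat(ts), device, status


def classify(last_seen, now=NOW):
    """Map the age of a device's last heartbeat to healthy / degraded / down."""
    if last_seen is None:
        return "down"
    age = now - last_seen
    if age <= DEGRADED_AFTER:
        return "healthy"
    if age <= DOWN_AFTER:
        return "degraded"
    return "down"


def device_status(heartbeat_lines, devices=DEVICES, now=NOW):
    """Return {device id: status} for every inventoried device, using the most
    recent heartbeat; devices that never reported are classified as down."""
    last_seen = {}
    for line in heartbeat_lines:
        ts, device, status = parse_heartbeat(line)
        if device in devices and status == "ok":
            last_seen[device] = max(ts, last_seen.get(device, ts))
    return {device: classify(last_seen.get(device), now) for device in devices}


SEVERITY = {"healthy": 0, "degraded": 1, "down": 2}


def site_heat(statuses, devices=DEVICES):
    """Rank sites by service urgency: each unhealthy device contributes
    (4 - priority) * severity, so a down life-safety device weighs most."""
    score = defaultdict(int)
    for device, status in statuses.items():
        site, _, priority = devices[device]
        score[site] += (4 - priority) * SEVERITY[status]
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


def service_queue(statuses, devices=DEVICES):
    """Devices needing attention, most urgent first (priority, then severity)."""
    needing = [(devices[d][2], -SEVERITY[s], d, s) for d, s in statuses.items() if s != "healthy"]
    return [(d, s) for _, _, d, s in sorted(needing)]


if __name__ == "__main__":
    statuses = device_status(HEARTBEATS)
    for site, score in site_heat(statuses):
        print(f"site {site}: urgency score {score}")
    for device, status in service_queue(statuses):
        print(f"  {device}: {status}")
```

On the constructed data the India site ranks first because a life-safety camera has never reported and a badge reader has gone quiet, even though Redmond also has a down duress alarm. The point is the same one Tuskan makes: the maintenance decision is driven by observed health data rather than by a fixed replacement schedule.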
Huntington National Bank’s GSOC Build
Dan Bissmeyer, SVP and CSO at The Huntington National Bank, is in the middle of building a GSOC that will include physical and cybersecurity. He’s using his knowledge from a past role at Raytheon to build the business case, display benchmark data and not repeat any past mistakes.
“An industry colleague of mine has a fantastic GSOC. So I was familiar with how they had done it, the benefits, and I was able to articulate that to my board and explain our gaps. And I could point to cases where insider threat investigations, for instance, were being tracked on the physical side, but we struggled with communication to IT security because there was a physical and a process gap between the two business units.”
When it’s complete, the GSOC will include analysts for threat intelligence, fraud, and a fusion center capability – a complete view and all angles of threats, Bissmeyer says.
“As a financial institution, we have an obligation to have controls in place to detect fraud and threats against the bank. And they get very specific [in terms of regulations] for once a potential threat is identified and how it’s documented, tracked and mitigated, all the way up to the reporting back to the federal government. So having an all-sides view of a threat, we can more quickly and accurately track what the threat is doing, what it touched, and what level of damage there might potentially be.”
Through this GSOC needs and analysis process, Bissmeyer says that he’s learned that business unit relationships have to be strong. “I’ve seen that where IT security has their turf and battle lines have been drawn between physical security and IT security. And if that’s the case at your company, you’re set up to fail. So you’ve got to get that right before you have any chance of getting to a GSOC. First, make sure that that collaboration is strong. And second, make sure that you have shared vision between the business units. And start having those conversations about how you can share resources. How can you co-locate? How can you get some of your systems communicating with each other?”
McKesson’s CSOC to GSOC
McKesson is a global health care company that distributes pharmaceuticals and provides health information technology, medical supplies, and care management tools worldwide. Founded in 1833 and employing nearly 80,000 people in 2016, McKesson is the oldest and largest health care company in North America.
In 2008, McKesson’s Corporate Security & Safety Department established a small Corporate Security Operations Center – or CSOC – to monitor the company’s North American distribution centers. Originally designed to accommodate a single watch officer, the CSOC featured one multi-monitor workstation, a server and a wall-mounted screen for monitoring security video and alarm systems. It was the size of a small closet.
By 2014, the company had expanded its operations globally. And under the leadership of Ed Shubert, CPA, Senior Director, Global Security Operations Center, Investigations & Crisis Management Program, the CSOC team began evolving its operations. Originally monitoring just 10 distribution centers, the team was soon overseeing more than 35.
Shubert proposed a plan to transform McKesson’s CSOC into a GSOC. He envisioned a worker-friendly, technology-rich environment complete with a watch floor, conference room and collaboration space.
“After our large acquisition in Europe, employees started traveling more often and globally, and with that comes a large duty of care,” Shubert explains.
In early 2016, Shubert received approval on his GSOC proposal and was given full command of the design and execution of the project.
The new GSOC was finished in late fall 2016. The 2,200-square-foot facility features a large watch floor, a high-tech conference room, offices and a collaboration space. It also includes a high-tech video wall system from CineMassive.
The GSOC allows Shubert and his team to expand its Global Risk Management programs, including the Travel Safe program, which supports and protects the thousands of McKesson employees traveling and working around the world. For example, whenever an employee books a business trip, the GSOC sends them an in-depth report alerting them to specific risks in the area where they will be traveling. The team also monitors employee safety in real-time through an integrated risk-management platform displayed on the video wall. If an event occurs in an area where employees are traveling, the platform displays an alert with a summary of the issue and the number of employees in the affected area. Through the platform’s integrated smartphone app, the GSOC team can then contact potentially-affected employees to confirm their safety, provide updates and coordinate emergency assistance. Employees can also contact the GSOC directly for emergency assistance.
“I went from a closet to a much larger space that is designed to meet our security needs,” Shubert says. “It’s now a physical and virtual center, and we are utilizing some good security technology to collect, assess and deliver data. We have a saying in our GSOC: ‘We have your back.’”