How to bring a virtual GSOC to life

At the beginning of the COVID-19 pandemic, Brett Wentworth learned the value of enabling remote access for security operations. As Senior Director of Global Security for Lumen Technologies, Wentworth oversees 170 employees at eight global security operations centers, supporting 4,000 managed security customers. “We transitioned to full remote at the start of the pandemic in March of 2020, and we haven’t really looked back since,” he says.

“When you think about a global security operations center [GSOC], normally you think about a room with people looking at screens and swivel-chairing to help each other with issues. Now we have had people all working from home for the better part of two years, and I’m happy to say that that transition was seamless,” Wentworth adds.

Like Wentworth, many security professionals and teams have learned that, given the nature of a GSOC’s work, virtual access not only has benefits — it also makes sense. Traditionally, the GSOC is thought of as a physical space, but recent events have helped security professionals to see the value in remote security teams. With the right tools and some thoughtful planning, it’s possible to deploy a “virtual” GSOC, delivering security effectively from anywhere at any time.

“In 2019, we opened the doors to the GSOC as a completely physical team,” says Robert Gummer, the National Football League (NFL)’s Director of Intelligence Operations. “Then, in March 2020, everyone was sent home,” he says.

Fortunately, before the pandemic, Gummer had already designed the GSOC and security operations to function remotely. Even as the situation on the ground became more perilous, the team was able to deliver. “In May and June 2020, when all the civil unrest broke out across the United States, we had our entire team supporting that effort from home,” Gummer says. “They were giving situational awareness to our clubs and our stadium partners across the country, all from their homes.”

*Click the image for greater detail

Why Remote?

Gummer says that the idea behind remote access for security operations is continuity regardless of circumstances.

“Bottom line, you don’t know when your facility could be shut down. If you cannot operate outside of that facility, then you are non-mission capable; you can’t support the mission or bring value,” Gummer says. “For us, that means the entire team requires some level of remote access to operate in the same capacity as they would in the physical space.”

Remote access makes his team more responsive. “An issue can happen at any time. You get a call late at night, and you need to be able to respond in real time. You can’t do that if you’re transiting 30 minutes to an hour into an office environment,” he says. “You have to be able to access your tools and capabilities from wherever you’re operating.”

Tools and Strategies

So, how can organizations ensure that their GSOC is equipped to handle remote operations? Experts say it takes a combination of technology investments and thoughtful strategic planning — and communication is key to making it all work, particularly as analysts need to share and discuss information constantly.

Analysts, operators and other stakeholders need ready access not just to each other, but also to the data feeds that are the heart of the GSOC value proposition. Therefore, in planning for a virtual GSOC, security leaders need to think about how security staff and others will access that information.

Wentworth, for example, enables direct access to all the GSOC’s operational elements for those working remotely. “We connect to our tools via two-factor authentication and remote access VPN. From there, we are able to fire up all of the standard tools that somebody would have within the SOC environment, tools such as a security information and event management [SIEM] system to look at alarms for any security events,” he says.

“People can also access the ticketing system, which is very important for any operational team that’s customer-supporting,” Gummer says. “The ability to VPN into the network and have virtual access to all those tools has really helped us.”

In terms of strategy, developing a virtual GSOC requires some added consideration beyond what goes into building a physical operation.

“Building a SOC with remote work in mind has to start with a cost and benefits analysis,” says John Dummett, Senior Project Manager at security consultancy Guidepost Solutions. Security leaders should ask themselves if there is a benefit to having remote employees. If the answer is yes, “then there is a decided business case for remote or mobile capability, and the practical considerations should be reviewed,” he says.

Once security organizations have made a business case for remote operations, “the baseline consideration becomes, ‘How can we duplicate the platform centralization monitoring capabilities and communications capabilities seen in a traditional SOC into a virtual environment, and how can we manage a remote staff enacting those functions?’” Dummett says.

To connect those dots, organizations must then drill down further by considering the platforms already in use for intelligence and security operations. It’s important to understand what resources will be needed to support remote access to any platform, as this will offer insight into how to organize virtual access cost effectively.

“For example, live viewing of many video surveillance streams is both computing-hardware intensive and bandwidth intensive,” Dummett says. “Enabling these functions to operate optimally requires hardware that is capable of decoding high-resolution streams effectively and quickly, as well as distributing those in a low bandwidth manner.”

By comparison, monitoring functions that are primarily alarm-related are not as resource-intensive and require less technology to support virtualization, according to Dummett.

Aside from ensuring operational platforms can be accessed remotely, security leaders need to think about the actual tools that bring remote connectivity to life.

“Perhaps the most important is a robust KVM — keyboard, video and mouse — over IP solution to transport all GSOC control, video and audio content across a wide area network securely, reliably and with limited latency,” Dummett says.

At cybersecurity consultancy ABS Group, the Head of Industrial Cybersecurity Services Development Dennis Hackney points to other key hardware needs, such as laptops, mobile devices, virtual private network (VPN) routers, monitors, printers and other technologies necessary for analysts and security staff to perform their core functions.

For security reasons, he says, all equipment should be company-owned. “I do not recommend employing a bring your own device policy. All remote working devices should be company provided and controlled,” he says.

And then, with all of the data coming into a SOC, data storage and management is a prime consideration for any organization considering remote accessibility. At the NFL, for example, Gummer leverages the robust computer and storage capabilities of the cloud to ensure data is readily available. “Our video analytics and camera systems are up in AWS [Amazon’s cloud service],” he says.

Of course, in any GSOC, remote or on-premise, consolidated viewing of data is critical for efficiency and intelligence — particularly if GSOC operators view and act on data from remote locations. In Gummer’s case, this means that team members can use their individual logins, protected by two-factor authentication, to connect to a range of GSOC capabilities in an easy-to-access format. To that end, Gummer has implemented a “virtual command center” solution that allows team members to collate the data they receive.

“It’s a dashboard that reports all our data holdings, subsequently increasing the value of each platform,” he says. “That means that when an incident happens, not only is it populated in our incident management system, but you can also see it on the map. All of our alerts, even our emergency notification system — we have one place to see where everything’s transpiring.”

Staying Connected

Some security professionals hesitate about the operational impact of transferring a GSOC to a remote environment. Security monitoring is a team sport, and for those used to being in physical proximity, the idea of working from disparate sites may be worrisome.

Security leaders who have made the transition say that a thoughtful approach to communications can help alleviate those concerns. “Without good communication, things fall apart,” Wentworth says. “We have been using Microsoft Teams to help facilitate this large, geographically diverse set of people working in different states, on different continents. You need something that incorporates a group chat feature, instant messaging, phone integration, document sharing, all of those things combined into one platform.”

Wentworth says that the operations team checks in frequently via team meetings, instant messages and one-on-one audio or video calls. These are all critical tools in a remote environment to validate that the front lines are consistent in their approach, he says.

In addition to communications tools, scheduling is also a critical component of a remote GSOC scenario. Wentworth overlaps shift handoffs to ensure people are coordinating with one another. “Right now, we’re running six 10-hour shifts to maintain 24/7 coverage, which allows for two hours of overlap between the shifts. That gives you the time you need to say: This was the major event that happened, we need you to carry it forward. That happens three times a day, every day,” he says.

Gummer says that just as important as emphasizing communication among staff is emphasizing communication and collaboration between the GSOC and its third-party vendors.

“We meet almost weekly with most of our vendors, talking through requirements, talking with them about our expectations and issues that we’re identifying,” Gummer says. “Having partners who are open to collaboration with others is critical.”

And, when all is said and done, an emphasis on training, leveraging mentorships and side-by-side work opportunities (even virtual) are important to ensure those working from outside the physical GSOC are prepared to fulfill their roles. In other words, a heavy focus on the human element is the ultimate key to success.

“The biggest thing underneath it all is to have trust in your staff and have good communication strategies,” Gummer says. “If you don’t have those two things in place, everything else falls apart. That’s true when they’re in a physical space, and it’s true in the virtual space as well.”

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.

Special Report

How to bring a virtual GSOC to life