Photo gallery: Inside a working Security Operations Center

CSO recently took a tour of a SOC operated by eSentire, which has spent the last few years growing their operations to secure hundreds of data centers globally. They use the familiar process of automation, detection, and mitigation, but focus on the human element more than anything, as their SOC operators work to assess and mitigate threats directly rather than rely on a script.

eSentire SOC
Credit: Steve Ragan
Managed security isn't for everyone

Sometimes company culture or regulatory requirements keep the idea of an MSSP (Managed Security Services Provider) off the table. There's also the false assumption that an MSSP has something to do with device management, which is far from the truth.

It isn't easy either. SOC (security operations center) operatives work hard to manage known and existing threats while keeping up with emerging risks and issues, all while attempting to stay aligned with the customer's needs and risk tolerance level.

Credit: Steve Ragan
Security software development

Here you see development and QA, collectively called engineering by eSentire. They produce the software that runs on the sensor at client locations, as well as the software used by the SOC operators. Currently there are more than 300 sensors in the field, which are used to detect incoming attacks.

Credit: Steve Ragan
COTS hardware

The sensor is nothing overly advanced. It's COTS (Commercial off-the-Shelf) hardware that is customized to spec by eSentire before being deployed. The sensors serve as the eyes and ears of the SOC (security operations center), monitoring customer networks and their traffic for threats on a 24-hour basis. At the same time, the sensors are also used as an interdiction measure, allowing the SOC operators to track and mitigate threats in as close to real time as possible, with few exceptions.

"The sensor acts as our boots on the ground. We see it as an extension of our human presence at a given customer's location," said Mike Neudoerffer, VP of engineering and operations.

Credit: Steve Ragan
The systems team

The systems team configures the sensor to work with the customer's unique environment. Once that is done, the sensor itself is usually racked and stacked by the customer, as it comes pre-configured. In the event something else is needed, the systems team can help.

But with hundreds of sites globally, the systems team also deals with deployment and maintenance issues. A majority of the time in systems is spent keeping the lights on, both at the customer's site and at the eSentire SOC.

Credit: Steve Ragan
Global threat assessment

Once the sensor is at the client location, the SOC can use the data and traffic analysis that comes from each of the global locations to assess a given threat, or the scope of a set of risks. Mostly the problems are things that are expected: spam, generic malware, and the like. But there are times when serious threats are flagged and reported.

When this happens, the SOC operators can use the tools developed by engineering, along with a set of workflows and company policies, to address and mitigate the problem.

Credit: Steve Ragan
Tracking down attacks

When CSO was visiting the SOC earlier this month, the operators were tracking down a spam campaign that attempted to run wild across a customer's network. However, because the sensors picked up on a common anomaly and the malicious payload itself was already known, the SOC operators were able to mitigate the threat and keep it from spreading, without impacting the customer's productivity and network performance.

Most automated security services tend to kill the threat, and everything connected to it. Only a human, watching and learning, can tell the difference between a full stop event and one that can be controlled.