Olivier Caleff on why CSIRT/SOC is valuable for a CISO


Olivier Caleff is a CISO (Cyber-Resilience & Crisis Director) at ERIUM, and an active member of CISO associations such as CESIN in France and ECSO in Europe. He has been working in cyber for 30 years, with a clear focus on security watch and incident management. As such, he is a member of the Board of Directors at FIRST, and a SIM3 auditor and trainer. He is very familiar with both the CISO and the CSIRT/SOC perspectives. We asked Olivier to consider the pros and cons of CSIRT/SOC for a CISO, and here are his thoughts and insights.

Below Olivier expands on the 3 topics:

  • How important is situational awareness for CISO?
  • What practices/alternatives are used to achieve it?
  • What are the pros and cons of SOC for CISO?

1. How important is situational awareness for CISO?

It is critical for CISOs to get a global understanding and, if required, to ask for additional details before taking decisions. Reporting from Security Operations (SecOps) teams, a SOC, or a CSIRT must be well defined, to the benefit of the CISO. There are at least 3 elements at stake:

  1. An understanding of the situation by the CISO, as perception of the environment is not enough. In turn the CISO will be able to fully play his governance role, providing guidance and directions to the SOC or the CSIRT;
  2. Actionable data, as defined in a 2015 ENISA document, as the CISO needs relevant, timely, accurate, complete, and ingestible pieces of information, even though it takes time for the fog of war to lift;
  3. The CISO must anticipate and project the next steps based on facts, but also more strategically. Here human, business and legal aspects and priorities will come on top. As the situation evolves, taking decisions (and logging them together with their context, which will be useful for the final lessons-learnt phase) is expected, along with reporting to the top level of the organisation.

2. What 4 practices/alternatives are used to achieve it?


2.1 Preparation is key here

Everything must be defined in advance. It starts with the type, quality, and frequency of data delivery, then the procedures and the various communication channels: one for standard in-band communications, and at least one out-of-band channel, or more if additional security requirements must be enforced, e.g., in terms of confidentiality.


2.2 There are 2 other valuable inputs for CISOs

  • Vulnerability management data coming from a VOC (Vulnerability Operations Center), with the help of metrics such as CVSS (Common Vulnerability Scoring System) and EPSS (Exploit Prediction Scoring System).
  • Raw data is not enough: correlation with an up-to-date inventory or CMDB makes it possible to define priorities and the actions to be taken, allocating resources to assets according to their importance from a cyber security standpoint.
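One way to put that correlation into practice, as an added example (not code from the article or from any tool it mentions): a small Python script joins VOC findings that carry CVSS and EPSS values with a CMDB extract, ranks them by business importance, and flags assets missing from the inventory. The asset records, findings, weights and scoring formula are all constructed for illustration.

```python
# Constructed CMDB extract: hypothetical assets with business criticality and exposure.
CMDB = {
    "web-01": {"criticality": "high", "internet_facing": True},
    "db-01": {"criticality": "high", "internet_facing": False},
    "lab-07": {"criticality": "low", "internet_facing": False},
}

# Constructed VOC findings: placeholder vulnerability ids, CVSS base score (0-10)
# and EPSS probability (0-1). "ghost-99" is deliberately absent from the CMDB.
FINDINGS = [
    {"asset": "web-01", "vuln": "VULN-A", "cvss": 7.5, "epss": 0.60},
    {"asset": "db-01", "vuln": "VULN-B", "cvss": 9.8, "epss": 0.02},
    {"asset": "lab-07", "vuln": "VULN-C", "cvss": 9.8, "epss": 0.90},
    {"asset": "ghost-99", "vuln": "VULN-D", "cvss": 5.0, "epss": 0.10},
]

# Illustrative weights chosen for this example, not an industry standard.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}
EXPOSURE_MULTIPLIER = 1.5  # applied to internet-facing assets


def priority_score(finding, asset):
    """Severity (CVSS) x likelihood (EPSS) x business weight x exposure."""
    weight = CRITICALITY_WEIGHT[asset["criticality"]]
    exposure = EXPOSURE_MULTIPLIER if asset["internet_facing"] else 1.0
    return (finding["cvss"] / 10.0) * finding["epss"] * weight * exposure


def prioritise(findings, cmdb):
    """Return (ranked findings, assets unknown to the CMDB).

    Unknown assets are an inventory gap: they cannot be prioritised and
    should be reported to the CISO as a blind spot rather than dropped.
    """
    ranked, unknown = [], []
    for f in findings:
        asset = cmdb.get(f["asset"])
        if asset is None:
            unknown.append(f["asset"])
            continue
        ranked.append((priority_score(f, asset), f["vuln"], f["asset"]))
    ranked.sort(reverse=True)
    return ranked, unknown


if __name__ == "__main__":
    ranked, unknown = prioritise(FINDINGS, CMDB)
    for score, vuln, asset in ranked:
        print(f"{score:.3f}  {vuln} on {asset}")
    print("not in CMDB:", unknown)
```

Note how the two CVSS 9.8 findings no longer top the list: the crown-jewel database has a near-zero EPSS, and the lab host has a low business weight, so the internet-facing web server with a moderate CVSS but high EPSS ranks first.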

2.3 Threat intelligence

This will help aggregate elements of context and provide a better understanding. Sharing Indicators of Compromise (IOCs), Indicators of Attack (IOAs) and Indicators of Behaviour (IOBs) is good, but it is necessary to go further and share Tactics, Techniques, and Procedures (TTPs). This will help all those who receive them, and allow for better preparation. In many trusted cyber security communities, the more you share, the more you learn and receive. Sharing is caring.

2.4 Efficiency

You cannot simply rely on an organisation, processes, procedures and tools that were set up some time ago. As threats evolve, you must adapt too. So first, you need to assess how mature and aligned your cybersecurity organisation is.

There are at least 2 categories of metrics that should be known:

  1. The real coverage of the NOC, SOC, CSIRT, and SecOps teams;
  2. The level of efficiency or performance of the security solutions and security processes set in place.

The former can be known through an objective assessment of the known IT and OT perimeters, which gives a realistic picture of the organisation's knowledge of, and ability to manage, the assets within its perimeter.
The latter can be achieved with technologies such as BAS (Breach and Attack Simulation), which simulates attacks against the live environment. This makes it possible to assess whether the detection and reaction security tools have been well tuned, and whether the teams behave as expected: detecting and qualifying events into incidents, following the procedures to escalate to the CISO, and acting. This is key, and it will help detect blind spots in your SOC and CSIRT activities. And this is why BAS and Red Teaming are different.

At least 2 reports published in 2023 (based on the results of hundreds of BAS campaigns) are eye-opening on how organisations fare against MITRE ATT&CK Tactics. They provide valuable insight into where the pain points are and help CISOs, SOCs, and CSIRTs improve their technical and organisational coverage.

3. There are different names for security teams - how they differ and what is important for a CISO?

What’s in a name? The question relates to the SOC, but in some organisations SecOps sit within a group whose name may vary a lot: SOC, OpsTeam, CyberTeam, or even… CSIRT. What’s important is that all required activities are addressed and that all stakeholders work with cooperation in mind. They can even be split between internal and external teams.

  • First and foremost, the CISO must be vigilant that the sharing of relevant data between the stakeholders (NOC(s), SOC(s), VOC(s), CSIRT…) is well set up and efficient. It is his/her responsibility to ensure that all activities are covered.
  • Second, the ‘SOC Capability Maturity Model’ (SOC-CMM) and the widely recognised Security Incident Management Maturity Model (SIM3) are the best ways to assess the maturity of each group and to link it to the expected activities. FIRST working groups (SIGs) have already published ‘Services Frameworks’ for CSIRTs and PSIRTs that are de facto standards in the incident management communities. In October 2023, they released a new draft titled ‘Incident Management Team Types’, which helps clarify the needs and requirements for CSIRT roles and enables quick(er) and more consistent writing of role descriptions. In addition, it provides a clear overview of the specific competencies that matter for the functions and tasks related to each service provided.

Whether these entities should be internal or subcontracted really depends on the context, the level of expertise of the cybersecurity teams, the level of maturity, and the width of the perimeter coverage, to name just a few criteria.

Incident Management Team Types

  • Type 1: SOC (Security Operations Center)
  • Type 2: CSIRT (Cybersecurity Incident Response Team)
  • Type 3: PSIRT (Product Security Incident Response Team)
  • Type 4: ISAC (Information Sharing and Analysis Center)

Conclusion

No CISO can afford to skip SecOps, unless the organisation’s governance is to rely on fate being a good provider, betting that attacks will not strike. That said, assessing the maturity and efficiency of the SecOps teams, and investing real effort in sharing and reporting, must be part of the project.
I definitely believe that not having a SecOps team (whatever name you give it) is like being short-sighted, without glasses… So SecOps should be seen as… the apple of the CISO’s eye!
