Government agencies under attack: How a SOC can protect against cyber threats


Traditionally, large companies have been the main targets of hackers, as they promise potentially high ransoms. It goes without saying, however, that precisely those companies with a lot of capital are strengthening their IT security structures in response to this threat. But what does this mean for cyber criminals? They are looking for new victims whose defence systems are easier to crack, with organically grown IT infrastructures and with municipal or state funds behind them.

In recent times, this has led to frequent attacks on the IT of government facilities, in which too little money is still invested and which, due to outdated structures, has become confusing for operators. The effects of cyber attacks are particularly devastating for government organizations. In many cases, not only does this cause purely economic damage to the agency itself, but citizens are also victims of data protection abuses. In the worst case – such as attacks on health care facilities – medical care and other important services can even fail. Recently, the Klinikum Fürth was the victim of a hacker attack. In December 2019, the IT of the facility was paralyzed by the malware attack, which meant that the admission of patients had to be temporarily halted.

The malware Emotet in particular has repeatedly infected the networks of public authorities over the past year. In September 2019, for example, the virus paralysed the entire IT system of the administration of Neustadt am Rübenberge in Lower Saxony. Those of the city’s 44,000 inhabitants who needed a new license plate number, for example, were out of luck – Neustadt’s car registration office remained closed. The computers in the town hall and the citizens’ office were also shut down by Emotet. Other examples were the city of Frankfurt at the end of the year and, most recently, the city of Alsfeld. The vulnerability in the Citrix software is causing further implications, as is the support process for Windows 7.

Holistic IT security through SOCs

In order to avoid such failures in government agencies, the IT infrastructures must be specifically secured. The German Federal Employment Agency (BA), among others, has shown what an important step towards more reliable security can look like. In 2015, it was one of the first German authorities to receive the IT security certification ISO 27001 based on the IT basic protection of the Federal Office for Information Security (BSI). The BA is now continuing its efforts to strengthen cyber security by expanding its own Security Operations Center (SOC). But what exactly is an SOC and why is it so essential for network security?

In a world of increasingly complex cyber attacks, it is of course not enough to rely on simple security concepts like firewalls. It is essential to protect your network with a comprehensive line of defense. In order to achieve this, more and more IT security specialists are turning away from one-dimensional security strategies and are instead relying on the holistic approach of an SOC. Within the IT of an organization, the SOC functions, as the name suggests, as the central point for the operational processes of IT security. The tasks of the SOC can be divided into several areas and also vary depending on the size of the company.

Together with other organizational tasks, such as patch management, one of the main tasks of the SOC is to bundle and evaluate all security-relevant events delivered by internal solutions such as SIEM, firewalls, endpoint protection, intrusion detection systems and others. The latest “ingredient” in a SOC is Threat Intelligence. Following the model of intelligence services, which have been practicing this approach for decades, SOC teams try to obtain information that is as detailed as possible about the attacker and the type of attack, as well as so-called IoCs (Indicators of Compromise, e.g. harmful IP addresses). With this information, attacks can be detected at an early stage and, in the best case, fended off in advance. This new approach enables SOCs to switch from a reactive to a proactive position. Threat intelligence platforms help to absorb the enormous amounts of data and to separate essential from insignificant information. This saves valuable time, which enables the teams to make quick decisions in the heat of the moment.
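The bundling and IoC matching described above can be sketched as follows. This is an added example, not code from ThreatQuotient or any product named in the article; the event schema, host names, scores and indicators are all constructed (documentation-range IP addresses and a placeholder hash).

```python
import ipaddress
from collections import defaultdict

# Constructed threat-intelligence feed: indicator -> (type, score 0-10).
IOCS = {
    "203.0.113.0/28": ("network", 8),
    "198.51.100.77": ("network", 5),
    "a" * 64: ("sha256", 9),  # placeholder hash, not a real sample
}
NETWORKS = [(ipaddress.ip_network(k), s) for k, (t, s) in IOCS.items() if t == "network"]
HASHES = {k: s for k, (t, s) in IOCS.items() if t == "sha256"}

# Constructed events from three sensors, already normalized to one schema.
EVENTS = [
    {"source": "firewall", "host": "pc-017", "dst_ip": "203.0.113.5"},
    {"source": "endpoint", "host": "pc-017", "sha256": "A" * 64},
    {"source": "ids", "host": "pc-042", "dst_ip": "198.51.100.77"},
    {"source": "firewall", "host": "pc-099", "dst_ip": "192.0.2.10"},
    {"source": "firewall", "host": "pc-017", "dst_ip": "not-an-ip"},
]

def ioc_score(event):
    """Return the highest IoC score the event matches, or 0 for no match."""
    score = HASHES.get(event.get("sha256", "").lower(), 0)
    try:
        ip = ipaddress.ip_address(event.get("dst_ip", ""))
    except ValueError:
        return score  # missing or malformed address: only the hash can match
    return max([score] + [s for net, s in NETWORKS if ip in net])

def prioritize(events):
    """Bundle matches per host; hosts flagged by several sensors rank first."""
    hits = defaultdict(lambda: {"score": 0, "sources": set()})
    for ev in events:
        s = ioc_score(ev)
        if s:  # events without an IoC match are the "insignificant" bulk
            hits[ev["host"]]["score"] = max(hits[ev["host"]]["score"], s)
            hits[ev["host"]]["sources"].add(ev["source"])
    ranked = sorted(hits.items(),
                    key=lambda kv: (len(kv[1]["sources"]), kv[1]["score"]),
                    reverse=True)
    return [(host, h["score"], sorted(h["sources"])) for host, h in ranked]

if __name__ == "__main__":
    for host, score, sources in prioritize(EVENTS):
        print(f"{host}: score {score}, seen by {', '.join(sources)}")
```

The host that two independent sensors flagged is listed first, which is the point of evaluating events centrally rather than per tool.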

Of course, an SOC involves much more than just tools – the security centre stands or falls with the qualified IT security specialists who operate it and ensure that all relevant processes run smoothly. The actual strength of the SOC lies precisely in the cooperation between man and machine. The automated programs take over the computationally intensive task of scanning all devices and networks, while the IT staff concentrates on reacting to system alerts and specifically searching for security gaps. But the cooperation of the teams within a SOC is also extremely important. Many incidents can only be analyzed and processed with the help of several specialists. Security Operations Platforms guarantee a seamless integration of the individual processes and possibilities to distribute information quickly and automatically.

Specifically, specialised teams work closely together to address the various tasks involved in combating cyber threats. The Incident Response Team reacts to acute threats such as attacks by hackers, while so-called Threat Hunters detect threats and vulnerabilities in the network. These Threat Hunters are a rather new but promising introduction to IT security, as shown by last year’s SANS Institute Threat Hunting study commissioned by ThreatQuotient. For example, 61 percent of the companies surveyed in the study stated that their general IT security status had improved by at least 11 percent as a result of Threat Hunting.

Depending on the size and needs of the organization, the SOC can be operated either by the in-house IT security department or by external providers. Whichever of these options is chosen, it is always worthwhile for a company to use the services of a SOC. The centralized approach enables security professionals to quickly and efficiently monitor and manage devices, apply patches, detect threats and respond to attacks across departments. Ultimately, they can focus on the really important security incidents and gain time in the fight against cybercriminals.


As the number and complexity of cyberattacks increases every day, it is essential to ensure that your IT security is prepared to deal with the threats from the network. This applies more than ever to public authorities today, as they are usually less well protected than companies in the business world and consequently are increasingly the target of devastating attacks by cybercriminals. Up to now, only very few IT security departments of state authorities have a dedicated SOC. The establishment of such a security center ensures a holistic approach to security that generates synergy effects by bundling IT security tasks and supports and facilitates the work of IT experts.



About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.