Faced with increasingly insistent and advanced threats, Security Operations Centers (SOCs) must be able to detect security incidents as quickly as possible in order to be able to react ever more effectively.
However, they are also facing increasingly stringent measures under new regulations such as the General Data Protection Regulation (GDPR), which covers all personal data, or the various new regulations on the protection of critical national infrastructures. France is in the vanguard of this activity with its Military Programming Act which applies to the organizations classed as “most critical” in terms of the country’s functioning.
But how can you put in place increasingly sophisticated detection systems, while, at the same time, complying with an ever-stricter regulatory framework?
SOCs ARE BEING STANDARDIZED AT THE EUROPEAN LEVEL—AND GLOBALLY
In the mid-2000s, the implementation of the first SOCs consisted, for the most part, of deploying log collectors based on geographical hubs and the setting up of a central alert management system. However, recent regulatory changes may require modifications to architecture. In France, in particular, within the context of the Military Programming Act, the requirement to set up a “system of log correlation and analysis” (i.e. a SOC equipped by a SIEM system) has been accompanied by a strict regulatory framework, which is set out in its PDIS (Security Incident Detection Service Providers) Requirements Reference Document.
In terms of standardization, this addresses three points in particular:
- First, the framework for surveillance: there is now an obligation to detect certain types of common attacks and implement controls, following recommendations made through audits carried out by qualified bodies, in accordance with the PASSI (Cybersecurity Audit Service Providers) Reference Document. Companies must also put in place a permanent surveillance unit to notify ANSSI (the French national agency for information system security) in the event of an IS being critically compromised.
- The second area addresses the securing of the SOC’s assets: new security measures described in the PDIS Requirements Reference Document demand, in particular, more robust measures for SOC operators and administrators (two-factor authentication, limitations on internet access, etc.). These security measures will be verified by ANSSI through audits, or retrospectively, following the compromise of an IS being notified to it.
Finally—the architecture—where there’s a requirement for greater complexity: partitioning into trust zones and an enlargement to the perimeter of the monitored network are introduced (going beyond the traditional scope of equipment under security surveillance: business servers and handheld devices must also now be monitored). Information related to security incidents (events, analysis reports, and their associated notifications) must also now be retained for as long as the service is provided.
STRONG SECURITY AND CAREFUL HANDLING OF PERSONAL DATA: INCOMPATIBLE GOALS?
To carry out retrospective analyses and, in particular, to determine the origin of cyber-attacks, a good deal of personal and critical data must be collected, stored, and exploited. However, this data is covered by the GDPR, which tends to limit its collection and use.
Google’s recent fine by the AGPD (Spain’s personal data protection authority) highlights the types of issue that a SOC may encounter regarding the processing of personal data:
- Google’s obligations in the processing of personal data and the user’s right to be forgotten were the prime causes of Google’s penalty. In fact, the GDPR intends to offer European citizens the option to access, modify, or delete their data wherever it is stored (including in the cloud). This means that, in practice, companies must know exactly what data is being collected by their SOC, so that they can inform their customers, employees, etc. accordingly—and offer them the option of having it removed at any time. Having said that, the GDPR seems to indicate that preservation of some data is acceptable, where this is necessary for the protection of companies. The details of exactly how this provision will operate are expected to be worked out over the next few years.
- An obligation of transparency with respect to the exploitation of data is the second issue that the AGPD’s action raises. Yet, for PDISs, the obligation to monitor a wide range of equipment gives rise to the collection of a large and varied amount of data. The content of logs will therefore have to be addressed to ensure that only the data needed for security-monitoring activity is collected.
- Finally, the GDPR imposes a requirement to justify the preservation of the data. Yet, PDIS requirements are for data to be kept for at least six months, in order to have the ability to carry out long-term or retrospective analysis; this creates regulatory uncertainty: how far can a company go in ensuring the protection of its IS?
Looking beyond the example of Spain, it’s instructive to compare the different legislative approaches to the notification of incidents. Those dedicated to the protection of personal data target rapid notification in order to limit the impacts on people’s lives; while legislation concerning the protection of critical infrastructure requires limited and highly confidential notifications in order to allow sufficient time for incidents to be correctly managed, without revealing to an attacker the fact that they have been discovered. In the end, the GDPR took into account this type of scenario, but that’s not to say that other texts won’t result in contradictory obligations.
A STRICT—BUT BENEFICIAL—REGULATORY FRAMEWORK
The tightening of the regulatory framework for SOCs, whether direct (via PDIS requirements) or indirect (through the GDPR), will result in a transformation of the IS ecosystem. New types of profiles could thus be integrated into teams, such as the Data Privacy Officer (DPO), which the SOC could consider as a key player in maintaining its long-term compliance.
In addition, these regulations will raise maturity levels among the players who have to comply with them, as well as among those who draw inspiration from them. Already, there are numerous moves toward compliance involving SOC architecture, as well as its processes and governance.
In complying with the regulations, tools also count—and that means looking at innovations such as data-based surveillance (with Data Leakage Prevention [DLP] tools), which can help ensure compliance with respect to the protection of sensitive data.
TOWARD MORE REALISTIC REGULATIONS…
The value of the requirements for many organizations, both as standards and objectives to be met, cannot be disputed.
While the bar may seem high, and regulatory inconsistencies remain, one thing is for sure: the next round of regulatory updates will provide a solid framework for the design and improvement of SOC.