Security Operations Centres (SOCs) and Computer Security Incident Response Teams (CSIRTs) or Computer Emergency Response Teams (CERTs) can play a pivotal role in the monitoring of, and response to, threats, attacks and vulnerabilities in organisations, including governments. While the focus of a SOC is on the monitoring of technical security controls and critical assets and on the response to attacks and threats, a CSIRT's main focus is on response and incident management. One postulation is that a CSIRT or CERT is a highly specialised sub-capability of a SOC, whereas another is that a SOC serves as an input mechanism into CSIRTs and CERTs. In this paper, the differences between SOCs, CERTs and CSIRTs are established, and the synergies between them are defined. This leads to an integrated services model for the establishment of an initial SOC and CSIRT capability in developing countries. Developing countries face unique challenges where cybersecurity is concerned: Information and Communication Technology (ICT) infrastructure is often a challenge, as are funding for ICT and the availability of skills. Political instability could also influence the cybersecurity posture of developing countries by leaving them open to malicious state-sponsored attacks. This SOC and CSIRT capability is made viable through the savings in cost and resources that result from identifying overlapping services, as well as through the application of the proposed model. This emergent combined SOC and CSIRT capability is called the Embryonic Cyberdefense Monitoring and Incident Response Center (E-CMIRC). The purpose of this paper is to identify a high-level integrated services model for the E-CMIRC in order to reduce the cost and resources that serve as a barrier to entry in developing countries.
A scalable operational framework is identified, and the Information Technology Infrastructure Library (ITIL) is proposed for managing effectiveness and efficiency and for ensuring that all aspects of service delivery are considered.
Reference:
Jacobs, P., Von Solms, S. and Grobler, M. 2015. E-CMIRC - towards a model for the integration of services between SOCs and CSIRTs. In: 15th European Conference on Cyber Warfare and Security (ECCWS-2016), July 2016, Munich, Germany, pp. 350-360. http://hdl.handle.net/10204/8894
15th European Conference on Cyber Warfare and Security (ECCWS-2016), July 2016, Munich, Germany.