Big Data in the Cybersecurity
Operations Center
Thomas Michael Mitchell has over
25+ years of strong experience in
information technology and security
enterprise environments. He is
an accomplished author, speaker,
entrepreneur, part-time chef, and
sommelier. Tom holds a master’s degree
in Information Assurance and Security
(MSIAS) along with the following
certifications: CISSP #63456, CEH, HBSS,
DoD 8570 IAT and IAM Level III, ITIL,
CNSA, CNDA, and Cleared Professional.
Tom has also been responsible for
the advanced design, architecture,
and operational and situational
awareness advances within a number
of Fortune 500 organizational Cyber
Security Operations Centre (CSOC). He
is at the forefront of Cyber Thought
Leadership in response to adapt to the
ever-changing cyber-landscape, and
new challenges faced today: simplify
existing processes and workflows of on-
boarding of sources to reduce overall
costs of service without compromising
organizational security posture.
Tom understands and practices the
development of system requirements,
designing solutions, developing demo
systems, and design and development
of the implementation of cybersecurity
Big-data next-generation analytics
CSOC. He has a 10 years’ hands-on
experience with various security
information and event management
(SIEM) tools: McAfee SIEM, ArcSight,
QRadar, BlackStratus, Accelops,
LogRhythm, Splunk.
https://www.linkedin.com/in/
thomas-mitchell-2b0459/
Mitchell, Thomas, CSOC with Advanced
Analytics; https://eforensicsmag.com/
download/big-data-cybersecurity/
© Business Expert Press 978-1-94858-080-9 (2018)
www.businessexpertpress.com
Thomas M. Mitchell
Abstract: Today’s Cyber Security Operations Center
CSOC should include everything needed to mount a com-
petent defense in the rapidly changing cyber-landscape.
The CSOC will consist of a vast array of sophisticated
detection and prevention technologies, extensive and
dynamic cyber-intelligence reporting, capable ­forensic
abilities. The link to create the next generation CSOC
is the use of Big Data technologies. The organizations
that leverage their data with these technologies when
properly implemented. This will be detailed in another
article.
The organizations that implements this properly will
have the capability to have 20/20 vision into their respec-
tive network enclaves. The aggregation of historical data,
with the addition and the input of present day data has
the possibility to produce predictive analysis.
This can create automation for some functions with the
CSOC, and the ability to predict the deficiencies within
the network enclave.
Keywords: big data, cyber, CSOC, internet of things,
network, security, SOC
Executive Summary
The premise of this article lays the foundation for the
­Cyber Security Operations Center (CSOC) and within the
standards of a meticulous process enables the efficient
buildup and management of the next-generation CSOCs,
also known as a Security Operation Center (SOC), with
advanced analytics as the cornerstone of technology.
The Mission of CSOC
Today’s CSOC should include everything needed to mount a
competent defense in the rapidly changing c­ yber-landscape.
The CSOC will consist of a vast a­ rray of sophisticated detec-
tion and prevention technologies, ­extensive and dynamic
cyber-intelligence reporting, ­capable forensic abilities, and
access to a rapidly expanding workforce of talented IT
professionals.
Expert Insights
1
 Big Data in the Cybersecurity Operations Center
The Task of Incident/Event
Management
The core function within a CSOC is to take ­action
on events from hundreds or even thousands
of different systems within the ­organizational
enclave. Essentially the CSOC is the correlation
point for every event logged within the orga-
nization. For each of these events, the CSOC
must ­decide how they will be managed and
then responded to accordingly. Also, a detailed
step-by-step process needs to be documented
for each level in the SOC for the analyst to
know precisely what information is required,
whom to contact, and how to deliver the known
information quickly and accurately.
The CSOC management of events must
include a list of instructions, that is, play-
book and Standard Operating Procedures
(SOPs), that will apply to the 24×7, 365-day
operational basis. An event is an element
that comes into the CSOC and is moni-
tored, while an incident is an event where
action must be taken.
As a part of event management, the SOC
provides telephone and e-mail assistance
to its customers that cover some of the fol-
lowing areas:
Malware outbreak
Phishing attacks
Social engineering calls
Access to the organization’s security portal
Data leak/loss incidents
Customer account lockout
Customer inquiries
There must also be additional escalation
procedures in place. The SOC must have
clearly defined procedures for the escala-
tion tier that address, at a minimum:
Resources to assist with resolution of
incidents
Review of open incident records
Status updates
No response from the customer (again
customer is defined as part of the SOC
services and in many cases may be the
end user or system administrator)
2 © Business Expert Press 978-1-94858-080-9 (2018)
www.businessexpertpress.com
Adding notes to the incident record for
further escalations as required
Incident record closure
High-priority/high-severity handling
Lack of resolution
Realities of CSOC Security
Challenges
To keep the adversary out, the CSOC must
use advanced technology and keep p ­ ushing
the technological envelope as the ­adversary
will continue to be one step ahead of the
most diligent CSOC team. The ­ defenders
must be ever vigilant in their pursuit of
remaining ­
­ secure. Consider that while the
adversary must discover only one way in, the
­defenders must defend all access points, limit
and ­ assess damage, and find and remove
­adversary points of presence in ­enterprise
systems.
CSOCs must be set up and operate
with a focus on people, process, and tech-
nology. The CSOC must be vigilant and
identify ­ every aspect of responding to
­cybersecurity attacks: people, technology,
and ­process ­issues. In hardening defenses
one must also be able to enable, detect,
and ­respond to c­ yber-attacks, taking prece-
dence over ­battling politics and personnel
issues. The integration of advanced analyt-
ics tools such as Splunk Enterprise Secu-
rity, SQRRL, ­Elastic search has changed the
traditional CSOC “sit and wait” for a para-
digm to b ­ ecome proactive in hunting for the
adversary.
Use Cases: What Advanced Analytics
Can Add to the CSOC Mission
Achieving the balance of proactive, dynamic,
and forensic cybersecurity ­encompasses the
following use case actions.
Use Case Examples
Advanced analytics comes in two flavors.
One is the automated analyst and the other is
the human analyst who will perform similar
functions, where they both can dive into the
aggregated data for analysis of such use case
functions as incident monitoring, malware
Expert Insights
 Big Data in the Cybersecurity Operations Center
detection, data breach detection, advanced
persistent threat ­ detection, ­insider threat
detection, threat ­intel analysis, and incident
response. The automated CSOC will then
execute its mission efficiently when given
the authority to do its job through efficient
organizational placement and appropriate
and transparent policies and procedures for
cyber-situational awareness.
The advanced analytics-driven CSCO will
take massive amounts of data and bring
them together into dashboard graphs as
data-driven behavioral diagrams ­designed
by the use cases. The use cases will allow
for cybersecurity investigations. The vast
amounts of data will provide the context for
a comprehensive view of the network that
will enable the defenders to be successful.
To be the next generation, CSOC should be
aware of the existing and new technologies.
This proactive vigilance will ­enable the CSOCs
to become technologically ­sophisticated. The
consumer of advanced analytics along with
threat intelligence creates a CSOC that will
become advanced by using these technologies
to grow the a­ utomated CSOC of the future.
The future is now.
Primary Components of a CSOC
with Advanced Analytics
The mission of the SOC—situational aware-
ness of the managed enclave.
Determine the processes, procedures,
technology—Identify and document critical
templates, methods, and processes r­ equired
to support the CSOC.
Understand the cyber-enclave’s environ-
ment to determine the “use cases” and the
type of data that is received by the CSOC.
Identify the interaction with the CSOC.
Staff the CSOC—define the operational
hours and the necessary personnel per shift.
Manage the events with advanced
­analytics—categorize, assign, and prioritize
activities received by the CSOC.
Leverage the appropriate framework,
that is, CSF, NIST 800-53, and ITIL—under-
stand the core framework to regulate the
components to run an efficient CSOC.
© Business Expert Press 978-1-94858-080-9 (2018)
www.businessexpertpress.com
Upon the definition of the service func-
tions, there will be a runbook, playbook, or
SOPs. This series of documentation must
be developed and consistently updated to
ensure that the appropriate information
is accurate. These documents are con-
sidered “living” documents and need to
be updated as events happen or there is
any major u ­ pdate to the network topol-
ogy. This documentation will guide the
daily processes and ­ procedures for the
SOC staff. Each tier within the CSOC is
assigned a series of responsibilities based
on each ­tier’s ­position’s description at the
tier level. The ­advent of utilizing advanced
analytics within the CSOC will drive effi-
ciencies and automation of processes and
procedures. The a­ utomation will initially
take place in the Tier 1 responses to initial
receipt of incidents. The goal of analytics
within the confines of the CSOC is for the
actual fingerprint of the network. Once
this baseline or footprint is established,
then anomalies will be able to be detected.
The Tier 1 incidents will auto-generate a
ticket and automatically be escalated or
closed based on the historical data and
the information from threat intelligence
feeds.
The programming of the analytics e ­ ngine
will lead to the automation and ­escalation
of true incidents through false positives
that will be handled automatically. There
will need to be human interaction to ensure
the accuracy of the ticket closure initially.
Traditional Structure of a CSOC
Roles and Responsibilities
The following individuals are responsi-
ble for maintaining and managing system
events on incidents for the enterprise or
organization:
■■ Tier 1 CSOC engineer can resolve the
­incident record, he/she:
Defines the incident in specific terms
and also gathers additional facts neces-
sary for troubleshooting and resolving
the issue(s).
Expert Insights
3