V-SOC

Virtual Security Operations Center

Automating the functions of a traditional Security Operations Center

Customer Challenges

Maintaining a secure enterprise IT infrastructure is one of the most important and complex challenges facing federal agencies today.  With the proliferation of Internet-based attacks, viruses, worms, botnets and other emerging threats, an agency’s enterprise security architecture becomes more complicated as various layers of defense are implemented.  Often, a “defense in depth” approach is used, utilizing best-of-breed vendors and various technologies to counteract the threats.  Typically the alerts and logs from these various security devices are directed to a centralized Security Operations Center (SOC).

SOC engineers sift through voluminous data and determine whether ongoing network activity constitutes an actual security incident or event, and take action accordingly.  It can be difficult to achieve a high degree of accuracy in identifying threats to protect the network without incurring unnecessary denial of service.  Collecting and processing the information from various security devices is another challenge. Security engineers need a system that integrates all the security devices to form a unified approach towards enterprise security management.

Comtech’s Solution

Comtech worked with one of our Government customers to develop the V-SOC system by collecting data from various security devices, normalizing and correlating the data, and performing an analysis based on various factors to determine whether a security event is actionable or not.  Optionally, the V-SOC system can be configured to take automated action based on prescribed policies and/or a set of rules defined by the system owner. The V-SOC is a platform-agnostic, customizable, and highly scalable system.

The V-SOC system provides enterprise security, situational awareness, and operates in real time to identify and quarantine emerging network threats. The functionality and architecture can be integrated into any agency’s network security architecture within a short period of time.

System Description

The V-SOC is made up of four major subsystems: 1) Log Collector, 2) Log Database, 3) Log Analysis, and 4) Web Interface. By keeping these subsystems logically separate, the scalability of the system is limited only by the amount of hardware the customer is willing to allocate to each subsystem. All four subsystems can run on a single platform for small enterprises or can be distributed across multiple platforms for very large networks.

The figure on the right shows how the V-SOC system works and where it fits in the overall enterprise security architecture. Comtech’s V-SOC solution is scalable and can work with any vendor’s security solution.  If the device can send a log, V-SOC can be made to work with it.

In addition, its centralized management/distributed support paradigm makes the system ideally suited for delegating remediation efforts to the regional LAN administrators/support personnel who are most likely to be in contact with the end-user or source of the event.

In this sample diagram, a user has triggered one or more alerts, generated by one or more of the security devices in the network.  The resulting logs are then forwarded from the security devices to the V-SOC Log Collector.

The Log Collector normalizes the data from various sources by extracting the common attributes of each log (e.g., Source IP address, Destination IP address, port numbers) as well as the application layer data contained in the log (e.g., those generated by intrusion detection/prevention systems and other application-aware security appliances) and enters them into the Log Database.

VSOC Data Flow Diagram


Log Analysis Engine

The Log Analysis Engine uses a highly tunable algorithm to determine what constitutes normal and abnormal network activity. When countermeasures are required, the Analysis Engine issues a command to the router(s) to block the IP address.

To prevent unnecessary denial of service, the V-SOC has built-in safeguards to prevent a massive automated “block all” situation, which could theoretically occur during a rare case of multiple false alerts.  Conversely, when there is a known security threat outbreak (e.g., Code Red, Sasser, Nimda), these safeguards are disabled and the V-SOC will block all events until the outbreak is contained. 

The Log Database is not only a report repository; it is an integral part of the system that keeps track of the location of devices (i.e., which router to block), the system’s users, the owners of specific IP address ranges, and other data necessary to provide a comprehensive view of the security posture of the enterprise. The Log Database also provides powerful search and analysis capabilities to augment forensic analysis.

Network and system administrators along with security engineers interact with and control the V-SOC system via the front-end Web Interface.  The front-end has access controls to manage user permissions, giving the administrator total control of who can access any feature or view of the system.  The interface system is flexible and fully customizable; granular access to specific functions of the Web Interface can be applied.

The Log Analysis Engine constantly keeps an open channel with the Log Database and correlates every log into an “event”.  Loosely defined, an event is a source IP address that the system is tracking to determine whether or not it breaks security policy.  If it does, the system will take the prescribed action (block, alert, etc.) based on the defined set of rules.  So, in contrast to a firewall which takes action based on layer-3/4 characteristics, or an Intrusion Detection System which takes action based on layer-5/6/7 application data and signatures, the V-SOC system combines all of these and takes action.
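The pipeline described above (Log Collector normalization into common attributes, correlation of logs into per-source-IP "events", a rule check, and the safeguard that caps automated blocking unless an outbreak has been declared) is illustrated below with a small Python model. This is an added example, not Comtech's V-SOC code; the two log formats, the policy rule, the block cap, and the sample log lines are all constructed assumptions.

```python
"""Toy V-SOC style pipeline (illustrative, not Comtech's implementation).

Stages modelled:
  normalize  - Log Collector: map vendor-specific lines to common attributes
  correlate  - Log Analysis: group records into an event per source IP
  breaks_policy - constructed rule deciding whether an event is actionable
  Blocker    - issues block/alert decisions with a cap on automated blocks
               that is lifted only in outbreak mode (the "block all" case)
"""
import re
from dataclasses import dataclass, field

# Constructed sample logs in two hypothetical device formats plus one
# unknown line; the real V-SOC supports arbitrary vendor formats.
SAMPLE_LOGS = [
    "FW  src=203.0.113.5 dst=192.0.2.10 spt=44512 dpt=22 action=deny",
    "IDS 203.0.113.5:44513 -> 192.0.2.10:22 sig=SSH-BRUTE",
    "FW  src=203.0.113.6 dst=192.0.2.10 spt=40001 dpt=445 action=deny",
    "FW  src=203.0.113.6 dst=192.0.2.11 spt=40002 dpt=445 action=deny",
    "FW  src=203.0.113.6 dst=192.0.2.12 spt=40003 dpt=445 action=deny",
    "IDS 203.0.113.7:51000 -> 192.0.2.20:80 sig=WEB-SHELL-UPLOAD",
    "FW  src=198.51.100.7 dst=192.0.2.10 spt=50001 dpt=80 action=allow",
    "FW  src=198.51.100.8 dst=192.0.2.10 spt=50002 dpt=23 action=deny",
    "FW  src=198.51.100.8 dst=192.0.2.10 spt=50003 dpt=23 action=deny",
    "CUSTOM this line is in a format the collector does not yet know",
]

# Assumed vendor formats (constructed for this example).
FW_RE = re.compile(r"^FW\s+src=([\d.]+) dst=([\d.]+) spt=(\d+) dpt=(\d+) action=(\w+)$")
IDS_RE = re.compile(r"^IDS\s+([\d.]+):(\d+) -> ([\d.]+):(\d+) sig=(\S+)$")


def normalize(line):
    """Log Collector step: return the common attribute dict, or None if unknown."""
    m = FW_RE.match(line)
    if m:
        src, dst, spt, dpt, action = m.groups()
        return {"device": "firewall", "src": src, "dst": dst, "spt": int(spt),
                "dpt": int(dpt), "app": None, "suspicious": action == "deny"}
    m = IDS_RE.match(line)
    if m:
        src, spt, dst, dpt, sig = m.groups()
        return {"device": "ids", "src": src, "dst": dst, "spt": int(spt),
                "dpt": int(dpt), "app": sig, "suspicious": True}
    return None  # unparsed: a real collector would quarantine it for review


@dataclass
class Event:
    """An event is a source IP the system is tracking (per the text)."""
    src: str
    hits: int = 0                                  # suspicious records seen
    targets: set = field(default_factory=set)      # distinct destination hosts
    signatures: set = field(default_factory=set)   # application-layer findings


def correlate(records):
    """Fold normalized records into one Event per source IP."""
    events = {}
    for r in records:
        ev = events.setdefault(r["src"], Event(r["src"]))
        if r["suspicious"]:
            ev.hits += 1
            ev.targets.add(r["dst"])
        if r["app"]:
            ev.signatures.add(r["app"])
    return events


def breaks_policy(ev, threshold=3):
    """Constructed rule: any IDS signature, or >= threshold denies across >1 host."""
    return bool(ev.signatures) or (ev.hits >= threshold and len(ev.targets) > 1)


class Blocker:
    """Decides block vs. alert; caps automated blocks unless outbreak mode is on."""

    def __init__(self, max_auto_blocks=2, outbreak=False):
        self.max_auto_blocks = max_auto_blocks   # assumed safeguard threshold
        self.outbreak = outbreak                 # declared outbreak lifts the cap
        self.blocked, self.held = [], []

    def decide(self, ev):
        if not breaks_policy(ev):
            return "ignore"
        if self.outbreak or len(self.blocked) < self.max_auto_blocks:
            self.blocked.append(ev.src)          # would issue the router command
            return "block"
        self.held.append(ev.src)                 # safeguard tripped: human review
        return "alert"


def run(lines, outbreak=False):
    """End-to-end: normalize, correlate, decide. Returns (decisions, blocker)."""
    records = [r for r in map(normalize, lines) if r is not None]
    blocker = Blocker(outbreak=outbreak)
    decisions = {src: blocker.decide(ev) for src, ev in sorted(correlate(records).items())}
    return decisions, blocker


if __name__ == "__main__":
    for mode in (False, True):
        decisions, blocker = run(SAMPLE_LOGS, outbreak=mode)
        print("outbreak" if mode else "normal", decisions, "held:", blocker.held)
```

In normal mode the third offending source is downgraded from an automatic block to an alert once the cap is reached, which is the behaviour the safeguard paragraph describes; with `outbreak=True` every policy-breaking source is blocked. Unparsed lines are dropped rather than silently mis-attributed, so a new vendor format shows up as a collector gap instead of a missing event.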

Technical Support and Maintenance Services

Comtech offers engineering and support services to our customers during the entire lifecycle of the V-SOC solution. Because of its open architecture, implementing the V-SOC requires configuration and integration into the overall network security architecture to fully interoperate with all of the various brands and models of networking and security devices.

The customer can choose onsite technical support and maintenance personnel or remote maintenance for software updates and fixes, as well as telephone support and troubleshooting.  Comtech also offers a Client Customization Program to provide R&D/Engineering support to develop solutions for emerging client-specific requirements.  

Benefits

The most valuable feature of Comtech’s V-SOC solution is the ability to completely tailor the system to the client’s network security requirements. The V-SOC system reduces the number of staff required to manage, analyze, and respond to security incidents within an agency’s IT Infrastructure.  

In some cases, the need for dedicated SOC staff is eliminated, resulting in appreciable cost savings.  Additionally, accuracy and response time are improved significantly when network security enforcement is performed by the automated system, rather than by manual intervention.

Summary

Comtech’s V-SOC was developed to provide a centralized system that integrates the various vendors’ security devices to achieve a unified approach towards enterprise security management.  Many years of collective expertise have gone into its development and refinement.  The V-SOC can be deployed in any agency’s network in a short amount of time to better protect their systems and information.