The security operations center (SOC) at the Oak Ridge National Laboratory thought it knew the online patterns and actions of most of its scientists and employees.
Then the pandemic hit and everything was thrown into a tizzy.
Kevin Kerr, chief information security officer at the Energy Department’s Oak Ridge National Laboratory, said the SOC adjusted in the short term, but it needs to be more nimble and agile as the future of computing continues to change.
“We had to rebaseline everything. Our people were logging in from all over the country. What was surprising more so [people didn’t work] 8 to 5 anymore. People had the flexibility to do things during the day so we saw people logging in at 4 in the morning that you never saw pre-COVID or working at 12 o’clock at night. So our behavior-based analysis was gone,” Kerr said on Ask the CIO. “We had to rebaseline the entire footprint, our signatures and the way we looked at things. It was a major impact. It was a total recalibration of our threat and risk environment.”
Understanding employee habits and reestablishing that baseline became more important as Oak Ridge National Lab played a larger role in coronavirus research. Oak Ridge is one of several agencies and academic institutions contributing high performance computing capacity to that research through the HPC COVID Consortium. This has made Energy, other agencies and private sector partners targets of cyber attacks by nation states.
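The rebaselining problem Kerr describes can be shown with a small login-hour detector. This is an added example with constructed sample events, not Oak Ridge’s tooling or data: a static per-user baseline learned from pre-pandemic logins flags every off-hours remote login indefinitely, while a rolling baseline alerts on the first change in a user’s pattern and then absorbs the new normal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (ISO timestamp, user); not real data.
EVENTS = [
    ("2020-02-03T08:15:00", "alice"), ("2020-02-04T09:02:00", "alice"),
    ("2020-02-05T08:40:00", "alice"), ("2020-02-06T16:55:00", "alice"),
    ("2020-02-03T07:58:00", "bob"),   ("2020-02-04T12:10:00", "bob"),
    ("2020-02-05T17:01:00", "bob"),   ("2020-02-06T08:30:00", "bob"),
    # After the shift to remote work, the same people log in at unusual hours.
    ("2020-04-01T04:05:00", "alice"), ("2020-04-02T04:12:00", "alice"),
    ("2020-04-03T23:50:00", "bob"),   ("2020-04-06T04:20:00", "alice"),
    ("2020-04-07T00:10:00", "bob"),   ("2020-04-08T04:00:00", "alice"),
]

def build_baseline(events, start, end, pad_hours=1):
    """Per-user set of 'normal' login hours observed in [start, end),
    widened by pad_hours on each side so a 7:58 login does not alert at 7:30."""
    hours = defaultdict(set)
    for ts, user in events:
        t = datetime.fromisoformat(ts)
        if start <= t < end:
            for d in range(-pad_hours, pad_hours + 1):
                hours[user].add((t.hour + d) % 24)
    return hours

def static_alerts(events, base_start, base_end, start, end):
    """Score events in [start, end) against a baseline frozen on [base_start, base_end).
    Once work patterns change, every new login outside the old hours alerts forever."""
    base = build_baseline(events, datetime.fromisoformat(base_start),
                          datetime.fromisoformat(base_end))
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [(ts, u) for ts, u in events
            if lo <= datetime.fromisoformat(ts) < hi
            and datetime.fromisoformat(ts).hour not in base.get(u, set())]

def rolling_alerts(events, start, end, lookback_days=60):
    """Rebaseline continuously: each event is scored against the user's logins in the
    preceding lookback_days only, so a sustained new pattern stops alerting after
    its first occurrence (a slow, deliberate drift would also be absorbed)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    alerts = []
    for ts, user in events:
        t = datetime.fromisoformat(ts)
        if lo <= t < hi:
            base = build_baseline(events, t - timedelta(days=lookback_days), t)
            if t.hour not in base.get(user, set()):
                alerts.append((ts, user))
    return alerts
```

On the constructed data the frozen February baseline raises six alerts for April, one per login, while the rolling baseline raises two: the first 4 a.m. login for alice and the first near-midnight login for bob.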
Kerr said Oak Ridge has a unique environment even in normal times, and the pandemic made it more complex.
He said the SOC has to be attuned to what is and isn’t normal, especially with regard to data exchanges with public and private sector partners.
“We collect a lot of data and we started collecting a lot more than we normally do. We had to find specific needles in a pile of needles. I think we came out pretty well ahead of the game on that,” Kerr said. “One of the things we’ve seen is the boundaryless environment with more and more use of the cloud. Our researchers need some of the latest and greatest stuff in order to collaborate across the world. We’ve seen some vectors coming through various cloud aspects and some of our third parties are getting attacked.”
He said the big change Oak Ridge has seen over the last few years is the rise of phishing emails instead of the bigger, flashier types of cyber attacks.
This is why Oak Ridge built automation and two-factor authentication into its SOC and overall cyber approach several years ago, and why it is now considering managed threat detection and response capabilities.
SOCs on high alert
Bill Rucker, the president of Trustwave Government Solutions, said agency security operations centers have been on an evolutionary path for the last several years.
He said they have moved from monitoring logs and security devices to hunting for malicious insiders and ever-changing threat vectors.
“Agencies have new environments. Multiple clouds and hybrid cloud environments, and they have acquired numerous security tools that don’t always integrate well. This leaves agencies with pockets of data,” Rucker said. “SOCs are on high alert all the time because of the frequency and targeted threats.”
Knowing the ever-important role security operations centers are playing in securing agency networks, the Office of Management and Budget asked for a plan to modernize and consolidate these organizations in September.
OMB found in its 2018 Cyber Risk Determination Report that agency SOCs were uncoordinated and, in many cases, stovepiped, so they weren’t sharing data. OMB and the Homeland Security Department are setting up a SOC-as-a-service offering through the Quality Service Management Office (QSMO).
Rucker said the need to modernize SOCs is driving change across the public and private sectors.
“The battlefield is the users and end points and it’s all changed. The resilience our user community has to have is unprecedented because they have to be right every single time,” Rucker said. “It makes it much tougher for users not to be compromised. This is one of the reasons why we see what was managed security services evolving into managed threat detection and response because people can’t do this on their own. They need help based on the sheer volume and sophistication of what is taking place.”
Automation tools used by threat hunters
Rucker said managed threat detection and response services take threat information from internal and external sources, along with network data, and put it in a single place to manage, analyze and mitigate vulnerabilities in real time.
Add to that the automation tools threat hunters use to proactively address real and potential problems, he said.
“This will bring a new level of maturity to the SOC,” Rucker said. “There are organizations that don’t have the budget, the talent or the resources to run 24/7 at the highest fidelity that they do 8 a.m. to 5 p.m. With managed threat detection and response services you get that extra lift.”
Kerr said Oak Ridge started looking at these managed services given the stress on resources and the constantly changing threats the organization faces.
“Managed threat detection can connect and tie other data in from a different perspective so we look at that as an advantage,” Kerr said. “We play chess in two dimensions but bringing in a managed threat detection and response team actually brings in the threat and allows you to play chess in multiple dimensions. Not just from left, right or north or south, but also from time. They can see things on the other side of the globe before things happen and I look at that as one of the things that is key.”