CONNECT meets with Tony Barber, Head of the GÉANT Operations Centre (GOC), to talk about the recently launched GÉANT Security Operations Centre (SOC), the requirements and the process that led to the set-up of this necessary resource for the GÉANT network and community, along with the benefits it will bring.
Tony, what is the main function of the GÉANT SOC?
The mission of the SOC is to safeguard the GÉANT operational assets by maintaining maximum possible vigilance at and within the network perimeter and acting to mitigate threats that may compromise the organisation and its members’ assets. The SOC is an operational resource dedicated to network security; it achieves this by managing security services in the operational environment, providing security support, maintaining operational security awareness to protect the GÉANT backbone network and the NREN uplinks, and providing expert security support for NRENs. The SOC team will be at the front of the GÉANT CERT (Computer Emergency Response Team) function, liaising with other CERTs and CSIRTs as required.
What were the main drivers and rationale that led to the creation of the SOC?
World events and the rise of cyber threats to global critical infrastructure, combined with the increasing awareness and growing number of security-related incidents involving GÉANT assets, have led us in this direction. We have also been guided by the EC demand for enhanced cybersecurity threat mitigation and protection. This makes sense given that the Commission has recently invested hugely in the GÉANT network as a long-term asset. The GÉANT board and executive team fully support this initiative. In addition, with the increasing complexity of the network, product set and the breadth of the security toolset we have adopted, it makes increasing sense to deploy specialist skills rather than rely on traditional network engineers to double up as security specialists. The proven NOC plus SOC model has already been deployed by many partners around the globe and within the wider membership base. These are some of the key factors determining our decision.
What are the main responsibilities of the SOC, how does it operate?
We are very driven by process and are working towards greater certification. This involves documenting our roles and responsibilities, which now include the GÉANT corporate security strategy and roadmap, where the SOC role is well defined along with other GÉANT security teams that form a comprehensive security layer around the business we undertake. The SOC focusses on network and connectivity services; it provides operational support and management for those services and undertakes network security incident mitigation and management. As well as being reactive, we aim to be proactive in our approach to security, building on threat intelligence analysis to ensure the network and services are not at risk of current and future vulnerabilities. An example of this is evaluating all of our vendor security bulletins and staying current with global threat vectors such as DNS denial of service attacks. Our SOC will also provide guidance and advice to designers of emerging security products, and it maintains the company certifications such as Trusted Introducer and FIRST membership. We work closely with internal security teams to form a comprehensive security ‘blanket’ approach for GÉANT. The SOC delivers its service by working closely alongside the GÉANT NOC team. New tools are being deployed and processes have been developed that mean our work is repeatable. For example, a daily task verifies BGP routing validity, another one checks on daily globally reported issues from forums we participate in, and we regularly undertake perimeter penetration tests on our own systems. The SOC provides a variety of alerting and detection services, such as our DDoS cleansing and mitigation service and anomaly detection service.
What are the main challenges that GÉANT is facing in the management and set up of this resource?
No project or initiative is without challenges, but those we face are not insurmountable. Here is just a selection of those we identified. The prominence of a new hybrid workforce and the technical debt caused by the pandemic (general expenditure gravitating towards cloud infrastructure to the detriment of the physical infrastructure) have created new challenges for R&E in the last two years. The employment market for IT specialists is very challenging across Europe, meaning it is hard to find quality candidates and then retain them. In addition, the crossover to new security tools means new skills need to be learned, along with the strengths and limitations of those tools. Interaction and co-operation with other GÉANT security teams needs to be well defined and collaborative for all of the teams to be successful. From a coverage perspective, unfortunately 24×7 cover (from SOC staff) is not yet possible with such a small team, but it is something we are working towards. And of course we will always have the challenge of absorbing the high volume of threat intelligence data and of developing and evolving future complex services.
What is your view of the SOC of the future?
My view of the GÉANT SOC of the future is a 24×7 service based on building blocks of knowledgeable committed people, up to date and relevant technology and good processes. At some time in the future, there may be the possibility to offer outsourced SOC services to smaller NRENs who do not have the resources to provide their own.
For more information about Network Operations at GÉANT, visit https://network.geant.org/network_operations/