SOC Staffing Is A Golden Opportunity


In 2012 I visited the Security Intelligence Center of Lockheed Martin. My goal was to understand how, the previous year, Lockheed had been able to identify a breach in progress. We had learned of it from news stories reporting that Lockheed had shut off remote access for all 80,000 employees. Anyone who needed to get on the corporate network was told to go to an office.

Remote VPN sessions were authenticated with RSA SecurID tokens. The shutdown came only weeks after RSA itself had been penetrated and its file of secret seeds for those tokens had been exfiltrated. SecurID tokens are ubiquitous in the corporate world. The little devices display a six- or eight-digit code that changes every 30 or 60 seconds. Because the token and the authentication server share a secret seed, the server computes the same code from the seed and the current time; the user types that code, prefixed by a personal PIN, as a one-time passcode. Only someone in possession of a registered token, and the PIN that goes with it, can log in.

The breach, attributed to China, affected all 60,000 RSA customers, including defense contractor Lockheed Martin. Researchers had tried for years to extract the secret seeds from these tokens: they would take them apart and etch the silicon, or put them in a microwave oven, hoping to get the poor little things to cough up their secrets. Occasionally a researcher would report success, but invariably the device was destroyed in the process. Much has been written about third-party and supply-chain risk; the theft of the RSA seed file is the most impactful of all such breaches, because an attacker holding a token's seed can compute its codes without ever touching the device. RSA had to replace many of the millions of devices in its customers' hands. So how in the world did Lockheed Martin detect an attempt by Chinese hackers to log in remotely with full privileges via an authenticated session? I'll tell you.
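To make the preceding two paragraphs concrete, here is an added example (not RSA's or Lockheed's code) of how a shared-seed token and its authentication server arrive at the same code, and why a copy of the seed file is so damaging. SecurID's algorithm is proprietary, so the example uses RFC 6238 TOTP with HMAC-SHA1 as a stand-in; the property that matters is the same, namely that the code is a pure function of the secret seed and the time. The token serial, seed and PIN are constructed for the example, and the PIN-plus-tokencode passcode shape follows SecurID's convention.

```python
"""Shared-seed one-time codes, and what a stolen seed file buys an attacker.

Added example, not RSA's or Lockheed's code. RFC 6238 TOTP (HMAC-SHA1) stands
in for the proprietary SecurID algorithm; both derive the displayed code from
(secret seed, current time).
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # hardware tokens typically rotate the code once a minute
DIGITS = 6          # SecurID displays six (some models eight) digits


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code shown on the token at unix_time (RFC 6238 with HMAC-SHA1)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthServer:
    """Verifies passcodes against the seed file, the very record RSA lost."""

    def __init__(self, seed_file: dict[str, bytes], pins: dict[str, str]):
        self.seed_file = seed_file   # token serial -> secret seed
        self.pins = pins             # token serial -> user's PIN (passcode = PIN + tokencode)

    def verify(self, serial: str, passcode: str, now: int, window: int = 1) -> bool:
        seed = self.seed_file.get(serial)
        pin = self.pins.get(serial)
        if seed is None or pin is None:
            return False
        # Accept +/- `window` steps of clock drift between token and server.
        for drift in range(-window, window + 1):
            expected = pin + totp(seed, now + drift * STEP_SECONDS)
            if hmac.compare_digest(expected, passcode):
                return True
        return False


# Constructed seed file and PIN table for one hypothetical token (not real data).
CONSTRUCTED_SEED_FILE = {"000123456789": b"constructed-seed-not-a-real-token-seed"}
CONSTRUCTED_PINS = {"000123456789": "4821"}


def stolen_seed_demo(now: int = 1_700_000_000) -> dict:
    """Show what an attacker holding a copy of the seed file can and cannot do."""
    server = AuthServer(CONSTRUCTED_SEED_FILE, CONSTRUCTED_PINS)
    serial = "000123456789"
    # The attacker's copy of the seed file yields the same tokencode as the real token.
    attacker_copy = dict(CONSTRUCTED_SEED_FILE)
    tokencode = totp(attacker_copy[serial], now)
    return {
        "tokencode": tokencode,
        "attacker_with_pin": server.verify(serial, "4821" + tokencode, now),
        "attacker_guessing_pin": server.verify(serial, "0000" + tokencode, now),
        "stale_code": server.verify(serial, "4821" + tokencode, now + 5 * STEP_SECONDS),
    }


if __name__ == "__main__":
    for name, value in stolen_seed_demo().items():
        print(f"{name}: {value}")
```

The point the demo makes is the one the article turns on: with the seed file, the attacker's tokencode is indistinguishable from the real token's, so the only thing still standing between them and an authenticated VPN session is the user's PIN (and the serial-to-user mapping), which is exactly why the follow-on attacks had to target the people holding the tokens rather than the tokens themselves.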

Lockheed had built a SOC to track the continuous hacking attempts against its systems. Don't forget that Lockheed probably has more experience being targeted than just about any commercial operation. Lockheed operated Sandia National Laboratories, which is where Shawn Carpenter worked when he discovered what came to be called Titan Rain, the systematic Chinese cyber-espionage campaign dating back to at least 2003. Lockheed is one of the largest components of the so-called Defense Industrial Base (DIB), which we learned was massively breached in 2007-8, when terabytes of design data for two dozen advanced weapons systems were stolen, including for the F-35 Joint Strike Fighter.

By 2010 Lockheed's SOC (which they called a SIC) had grown to 80 people. There were malware analysts who captured and reverse engineered the malicious code samples directed their way; they maintained a data store of thousands of samples that were unique to Lockheed. They also captured network traffic and monitored endpoints. Lockheed described to me how they recruited puzzle solvers to staff their SOC. They did not look for people with cybersecurity experience; they looked for smart people in their IT department who had the ability to put together disparate data from endpoints, malware analysis, and network traffic and build a story. They used the Cyber Kill Chain, the seven-phase intrusion model that Lockheed's own analysts had published, as a framework for reporting the activity of the hacking teams they identified.
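The "build a story" step above is a correlation problem: events from the mail gateway, the endpoint agent, the malware sandbox and the network sensors each carry a fragment, and the analyst pivots on what they share (host, user, file hash, remote address) until they line up into one intrusion. The following is an added example of that workflow, written for this article and not Lockheed's tooling; the events are constructed, the addresses are RFC 5737 documentation ranges, and the rules that assign a kill-chain phase to each event, including the byte threshold that separates beaconing from bulk exfiltration, are this example's own assumptions.

```python
"""Stitching endpoint, malware-analysis and network events into one
kill-chain story.

Added example with constructed events; not Lockheed's tooling. The phase
rules and the EXFIL_BYTES threshold are assumptions made for illustration.
"""
from collections import defaultdict

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
EXFIL_BYTES = 100_000_000   # assumed threshold: above this, an upload is bulk data theft

SHA = "7d5c2e0b" + "0" * 56   # constructed hash of the mailed attachment

# Constructed events from four sources on one day; ws-2207 is unrelated noise.
EVENTS = [
    {"ts": "2011-03-14T08:02:10Z", "source": "email_gw", "host": "ws-1042", "user": "jdoe",
     "sha256": SHA, "subject": "Q2 supplier schedule"},
    {"ts": "2011-03-14T08:05:41Z", "source": "endpoint", "host": "ws-1042",
     "parent": "EXCEL.EXE", "child": "updater.exe", "sha256": SHA},
    {"ts": "2011-03-14T08:06:03Z", "source": "endpoint", "host": "ws-1042",
     "parent": "updater.exe", "child": "svchost.exe"},
    {"ts": "2011-03-14T08:06:30Z", "source": "netflow", "host": "ws-1042",
     "dst": "203.0.113.7", "dport": 443, "bytes_out": 4_100},
    {"ts": "2011-03-14T08:07:00Z", "source": "netflow", "host": "ws-2207",
     "dst": "198.51.100.20", "dport": 443, "bytes_out": 90_000},
    {"ts": "2011-03-14T09:10:00Z", "source": "sandbox", "sha256": SHA,
     "verdict": "malicious", "c2": "203.0.113.7"},
    {"ts": "2011-03-14T22:40:12Z", "source": "netflow", "host": "ws-1042",
     "dst": "203.0.113.7", "dport": 443, "bytes_out": 812_000_000},
]


def pivot_keys(ev):
    """Attributes two events may share: host, user, file hash, remote IP."""
    keys = {(f, ev[f]) for f in ("host", "user", "sha256") if f in ev}
    keys |= {("ip", ev[f]) for f in ("dst", "c2") if f in ev}
    return keys


def cluster(events):
    """Union-find over shared pivot keys; each cluster is one candidate intrusion."""
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, ev in enumerate(events):
        for key in pivot_keys(ev):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[find(i)].append(ev)
    return list(groups.values())


def phase_of(ev, c2_ips):
    """Assumed mapping from an event, in the context of known C2 addresses, to a phase."""
    src = ev["source"]
    if src == "email_gw":
        return "Delivery"
    if src == "sandbox":
        return "Weaponization"          # the analyst's reconstruction of how the payload was built
    if src == "endpoint":
        return "Exploitation" if ev["parent"] in OFFICE_APPS else "Installation"
    if src == "netflow" and ev["dst"] in c2_ips:
        return "Actions on Objectives" if ev["bytes_out"] >= EXFIL_BYTES else "Command and Control"
    return None                         # carries no kill-chain meaning on its own


def describe(ev):
    src = ev["source"]
    if src == "email_gw":
        return f"{ev['user']} received '{ev['subject']}' with attachment {ev['sha256'][:8]}"
    if src == "endpoint":
        return f"{ev['parent']} spawned {ev['child']}"
    if src == "sandbox":
        return f"attachment {ev['sha256'][:8]} verdict {ev['verdict']}, C2 {ev['c2']}"
    return f"{ev['bytes_out']:,} bytes to {ev['dst']}:{ev['dport']}"


def build_stories(events):
    """One kill-chain story per cluster that contains a malicious sandbox verdict."""
    stories = []
    for group in cluster(events):
        c2_ips = {e["c2"] for e in group if e["source"] == "sandbox" and e["verdict"] == "malicious"}
        if not c2_ips:
            continue
        rows = [(phase_of(e, c2_ips), e["ts"], describe(e)) for e in group]
        rows = sorted((r for r in rows if r[0]), key=lambda r: (KILL_CHAIN.index(r[0]), r[1]))
        phases = [r[0] for r in rows]
        stories.append({
            "hosts": sorted({e["host"] for e in group if "host" in e}),
            "phases": phases,
            "earliest_phase": KILL_CHAIN[min(KILL_CHAIN.index(p) for p in phases)],
            "timeline": rows,
        })
    return stories


if __name__ == "__main__":
    for story in build_stories(EVENTS):
        print(story["hosts"], "earliest phase:", story["earliest_phase"])
        for phase, ts, text in story["timeline"]:
            print(f"  {ts}  {phase:<22} {text}")
```

Two design choices carry the lesson. Clustering on shared attributes rather than on a single log source is what lets the sandbox verdict, which has no host of its own, attach to the workstation through the file hash and to the network sessions through the C2 address. And reporting the timeline in kill-chain order, with the earliest phase called out, is what turns a pile of alerts into the kind of story the article describes, and tells the defender where in the chain they could have broken the intrusion sooner.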

When I saw Lockheed's capabilities I had one of those moments when the future becomes clear. Every highly targeted enterprise would need to build the same capability: members of the DIB, government agencies, and large financial institutions. The next tier, those that just see run-of-the-mill attacks (ransomware, DDoS, etc.), would acquire a new range of security analytics tools to give them similar capabilities. And finally, small organizations that could not build and staff a SOC would outsource to a new generation of managed security service providers. This service has become known as MDR, managed detection and response. eSentire in Ontario was one of the very first to provide MDR services.

There is also a broad spectrum of service providers that will provide “SOC as a Service,” a dedicated team in their facility to provide these MDR capabilities. Of 113 Managed Security Services Providers I identified while researching Security Yearbook 2020, seven identified themselves as SOC as a Service providers.

NRI Secure Technologies in Japan; Expel, Binary Defense, Perch, and Clearnetwork in the US; the Cyberfort Group in the UK; and Cyberhat in Israel.

Another service is provided by firms that will build and staff a SOC for you. They can maintain it as an outsourced service or eventually transition the operation and its people to the client. But where are they going to find the staff?

Ryan Craig, author of A New U: Faster + Cheaper Alternative to College, is a successful investor in companies that source and place people with technical skill sets. He is on the prowl for such a company in the SOC-augmentation and SOC-creation business. Working with him this year we have discovered that the cyber skills gap is a many-to-many problem. The shortfall in experienced, trained people is dispersed across every organization. Other than US Cyber Command, perhaps, there are no large concentrations of demand. And there are no concentrated sources of people to fill these roles.

Thousands of colleges have cyber programs. They often have classes on ethical hacking that prepare students for the CEH certification. But employers demand experience. Where is a student going to get that experience? Craig believes they will get it through a new channel provided by SOC staffing companies. This new breed of staffing organization will be an intermediary between colleges and employers. It will hire smart puzzle solvers out of school and put them to work as Level 1 SOC analysts, where they will be exposed to the everyday workflow of poring over data, responding to alerts, and escalating to Level 2 and 3. In the meantime they will be subjected to intensive classroom training to get the skills and certifications they need. In as little as a year they will be experienced, certified cyber workers. The firm that trained them can then place them with customers that are transitioning to managing their own SOC.

Lockheed Martin had to build an advanced SOC because they were on the front lines. No one had ever had to respond to such a sophisticated barrage. Every organization needs the same capability to some degree. This opens up tremendous opportunities for graduates and the intermediaries that can hire them, train them, and place them.
