Creating the Security Operations Center of the Future

March 16, 2020

The Carahsoft Team

The cybersecurity threat landscape is ever changing. Adversaries are becoming even more cunning and opportunistic, continually probing and taking advantage of the latest technologies to exploit weaknesses in our nation’s defense systems. Yesterday’s computer worms have evolved into today’s ransomware, deepfakes, and other malicious attacks that use legacy systems and a growing number of endpoints to gain a foothold into data-rich networks.

This calls for a Security Operations Center (SOC) that can stand up to the challenge of rapidly evolving threat vectors. Today’s SOCs must be able to protect hybrid IT infrastructures by monitoring complex and growing multi-tenant and multi-site enterprise networks and cloud-based environments. Beyond providing greater threat awareness, validation, and rapid response and remediation, SOCs need to be able to collect, curate, and analyze information and arm security teams with actionable intelligence that gives them greater insight into the what, when, how, and why surrounding potential cyberattacks.

The next-generation SOC

Ardalyst’s Medici Moons project is a next-generation SOC design that addresses these needs so that organizations can be better prepared for today’s—and tomorrow’s—cybersecurity risks. Named after the Galilean moons that surround Jupiter, Medici Moons reflects the innovative spirit that the great astronomer showed when he developed a high-powered telescope to view these previously unknown objects. But, instead of looking into actual space, we’re able to see things that are happening in cyberspace that could adversely impact a data center. Ardalyst is a cyber defense company headquartered in Annapolis, Maryland. The name “Ardalyst” comes from the words “ardent” and “catalyst,” meaning a passion to be an agent of change. The Medici Moons design is indicative of the company’s desire to share that passion for progressive change with you.

Medici Moons includes a distributed, operational-level cybersecurity operations center (CSOC) that manages and receives data from a tactical-level CSOC. The latter is comprised of an active, low-side enclave that provides initial collection and automated responses, as well as a secondary, high-side enclave that provides out-of-band collection activities.

Medici Moons integrates unclassified and classified capabilities across both physical and software-defined architectures. The design allows for threats to be rapidly and automatically mitigated across physical, virtualized, and cloud-based infrastructures, and provides actionable intelligence that lets teams anticipate, withstand, recover and evolve from attacks.

Indeed, the design is based on the theory that it’s just as important to understand a problem as it is to solve that problem. Therefore, Medici Moons focuses on four core aspects of cybersecurity:

  • Collection. Data can be collected either from a physical or virtual Terminal Access Point (vTAP), but it’s important to know what data is being collected and whether or not it’s the right data. Medici Moons helps organizations prioritize data collection to ensure they’re getting the most important and relevant information.
  • Curation. Once data is collected, Medici Moons then curates the information even further to ensure its integrity.
  • Analysis. Data is then analyzed and processed. Patterns are recognized, intelligence is cultivated, and, finally…
  • Visualization. The collected, curated, and analyzed information is processed and presented to decision makers in a way that allows them to understand the problem and make on-the-spot decisions to address the situation. This is enormously helpful, particularly in distributed environments; security teams can instantly understand, for example, if an attack is impacting a single area or poses a wider threat across their organizations.
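To make the four stages concrete, here is an added illustration of the collection, curation, analysis, and visualization flow over a handful of constructed records. It is example code written for this article, not Ardalyst's Medici Moons software; the record layout (JSON lines tagged with a site name, as a collector fed by a TAP or vTAP might forward them), the required field list, and the failure threshold are all assumptions. The last stage answers the question the list ends on: whether a source is hitting a single site or the organization as a whole.

```python
import hashlib
import json
from collections import Counter

# Constructed sample records from three sites (addresses are documentation
# ranges; nothing here is real traffic). One line is unparsable, one is a
# duplicate forward of an earlier line, and one is missing a required field.
RAW_LINES = [
    '{"ts": 1, "site": "hq", "src": "203.0.113.7", "dst": "10.0.0.5", "event": "auth_fail"}',
    '{"ts": 2, "site": "hq", "src": "203.0.113.7", "dst": "10.0.0.5", "event": "auth_fail"}',
    '{"ts": 2, "site": "hq", "src": "203.0.113.7", "dst": "10.0.0.5", "event": "auth_fail"}',
    '{"ts": 3, "site": "hq", "src": "203.0.113.7", "dst": "10.0.0.5", "event": "auth_fail"}',
    '{"ts": 4, "site": "hq", "src": "203.0.113.7", "dst": "10.0.0.5", "event": "auth_fail"}',
    '{"ts": 5, "site": "branch", "src": "203.0.113.7", "dst": "10.1.0.9", "event": "auth_fail"}',
    '{"ts": 6, "site": "branch", "src": "203.0.113.7", "dst": "10.1.0.9", "event": "auth_fail"}',
    '{"ts": 7, "site": "branch", "src": "203.0.113.7", "dst": "10.1.0.9", "event": "auth_fail"}',
    '{"ts": 8, "site": "branch", "src": "198.51.100.4", "dst": "10.1.0.9", "event": "auth_ok"}',
    '{"ts": 9, "site": "ship", "src": "192.0.2.1", "dst": "10.2.0.3", "event": "auth_fail"}',
    'not json at all',
    '{"ts": 10, "site": "ship", "src": "192.0.2.1", "event": "auth_fail"}',
]

REQUIRED_FIELDS = ("ts", "site", "src", "dst", "event")  # assumed schema
FAIL_THRESHOLD = 3  # assumed: flag a source after this many failures at one site


def collect(lines):
    """Stage 1, collection: parse raw lines into records, counting what cannot be parsed."""
    records, unparsable = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            unparsable += 1
            continue
        if isinstance(rec, dict):
            records.append(rec)
        else:
            unparsable += 1
    return records, unparsable


def curate(records):
    """Stage 2, curation: keep only complete records, drop duplicate forwards,
    and attach a content hash so downstream consumers can verify integrity."""
    curated, rejected, duplicates, seen = [], 0, 0, set()
    for rec in records:
        if any(field not in rec for field in REQUIRED_FIELDS):
            rejected += 1
            continue
        canonical = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256(canonical.encode()).hexdigest()
        if digest in seen:
            duplicates += 1
            continue
        seen.add(digest)
        curated.append({**rec, "sha256": digest})
    return curated, rejected, duplicates


def analyze(records, threshold=FAIL_THRESHOLD):
    """Stage 3, analysis: count authentication failures per (site, source) and
    surface every pair that reaches the threshold."""
    failures = Counter((r["site"], r["src"]) for r in records if r["event"] == "auth_fail")
    return [
        {"site": site, "src": src, "failures": n}
        for (site, src), n in sorted(failures.items())
        if n >= threshold
    ]


def visualize(findings):
    """Stage 4, visualization: roll findings up per source so a decision maker sees
    at once whether a source is hitting one site or several across the organization."""
    by_src = {}
    for f in findings:
        entry = by_src.setdefault(f["src"], {"sites": [], "total_failures": 0})
        entry["sites"].append(f["site"])
        entry["total_failures"] += f["failures"]
    for entry in by_src.values():
        entry["sites"].sort()
        entry["scope"] = "organization-wide" if len(entry["sites"]) > 1 else "localized"
    return by_src


def run_pipeline(lines=RAW_LINES):
    """Run all four stages and return the stage statistics, findings, and summary."""
    records, unparsable = collect(lines)
    curated, rejected, duplicates = curate(records)
    findings = analyze(curated)
    return {
        "stats": {"collected": len(records), "unparsable": unparsable,
                  "rejected": rejected, "duplicates": duplicates, "curated": len(curated)},
        "findings": findings,
        "summary": visualize(findings),
    }


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2))
```

On the constructed input the same source crosses the threshold at both the hq and branch sites, so the summary labels it organization-wide, while the single failure seen from the ship site never becomes a finding. The curation counters (one unparsable line, one incomplete record, one duplicate) are the kind of figures a SOC wants beside every finding, because they say how much of the collected data the analysis actually rested on.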

Data Collection from Gigamon, Threat Intelligence from FireEye

Gigamon is providing the data collection aspect of the system. Through Gigamon, Ardalyst is able to collect data from either a cloud, VM, or network and move that data into a higher level of trust, such as an enclave with higher security protocols. With its data collection capabilities and network visibility fabric, Gigamon essentially allows us to put the “S” in the next generation “SOC”.

FireEye brings world-class threat intelligence to the Medici Moons design. Their best-in-business sensors combine adversary, victim, and machine intelligence to paint a complete picture of the type of threat posed to a system. This is also aided by the fact that FireEye’s validation capabilities with Verodin can derive the TTPs and malware from current threat intelligence, actively access live systems, and assess an organization’s ability to detect and respond to such capabilities repeatedly. Combining FireEye’s threat intelligence with Gigamon’s visibility and data collection prowess provides Medici Moons with a degree of fidelity that is unparalleled in today’s cybersecurity landscape.

Medici Moons, today and tomorrow

Medici Moons is a scalable, flexible, and agile compendium of multiple SOCs, advanced sensors, and numerous potential technical innovations. These factors make the design ideal for particularly vulnerable networks including those that are highly distributed or comprised of aging computer systems.

The U.S. Navy, for instance, includes a multitude of shipboard systems that are supported and enabled by older technologies. In fact, according to CIO Aaron Weiss, the Navy’s information infrastructure is 10–15 years behind industry standards. Today, Medici Moons can equip the Navy and other Department of Defense agencies with innovative and agile detection-in-depth capabilities. This will allow them not only to sense, validate, and respond to threats, but also to understand those threats better so that they can prepare for and anticipate the next threat.

Make no mistake—there will always be a “next threat,” which is why having a highly adaptable cybersecurity design is so important.

We invite you to:

Follow us on Twitter and LinkedIn to see when the next SoTF Technical Exchange Meeting (TEM) is happening. Help us bring the right stakeholders to the discussion.

Be part of the proof of concept by testing Gigamon, FireEye, and other components that can fit into your organization and deliver value today.

Watch Ardalyst's on-demand webinar to learn more about Project Medici Moons and how they integrated FireEye and Gigamon technology into their innovative new defense design.