|
GROUP SPECIFICATION
Information Security Indicators (ISI);
Guidelines for building and operating a secured
Security Operations Center (SOC)
Disclaimer
The present document has been produced and approved by the Information Security Indicators (ISI) ETSI Industry Specification
Group (ISG) and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.
---------------------- Page: 1 ----------------------
2 ETSI GS ISI 007 V1.1.1 (2018-12)
Reference
DGS/ISI-007
Keywords
cyber defence, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
If you find errors in the present document, please send your comment to one of the following services:
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© ETSI 2018.
All rights reserved.
TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.
TM TM
3GPP and LTE are trademarks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and
of the oneM2M Partners.
GSM and the GSM logo are trademarks registered and owned by the GSM Association.
ETSI
---------------------- Page: 2 ----------------------
3 ETSI GS ISI 007 V1.1.1 (2018-12)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 6
Introduction . 6
1 Scope . 8
2 References . 8
2.1 Normative references . 8
2.2 Informative references . 9
3 Definition of terms, symbols and abbreviations . 10
3.1 Terms . 10
3.2 Symbols . 11
3.3 Abbreviations . 11
4 General Description of the Security Incident Detection Service provided by the SOC . 11
4.1 Activities of the security incident detection service . 11
4.2 Architecture of the detection service information system . 12
4.3 Scope of application of the present document's requirements . 13
5 Requirements to be met by the service provider operating the Security Operations Center (SOC). 13
5.1 General requirements . 13
5.2 Activities of the security incident detection service . 14
5.2.1 Incident management . 14
5.2.2 Event management . 17
5.2.3 Reporting management . 19
5.3 Information protection . 20
5.3.1 Information systems security policy . 20
5.3.2 Levels of sensitivity or classification . 20
5.3.3 Territoriality of the service . 20
5.3.4 Security review . 20
5.3.5 Physical security . 21
5.3.6 Service continuity . 21
5.3.7 Service detection service (SOC of SOC) . 21
5.3.8 Partitioning of the service information system . 22
5.3.9 Administration and operation of the service . 23
5.3.10 Interconnections with the service information system . 23
5.3.11 Update zone . 24
5.3.12 Reporting zone . 24
5.3.13 Commissioning entity exchange zone. 25
5.3.14 Collection enclave within the commissioning entity's information system . 25
5.3.15 External access . 27
5.3.16 Remote access . 27
5.4 Organization of the service provider operating the SOC and Governance . 28
5.4.1 Code of ethics and recruitment . 28
5.4.2 Organization and management of competencies. 29
5.4.3 Operational and strategic committees . 30
5.4.3.1 Operational committee . 30
5.4.3.2 Strategic committee . 30
5.5 Quality and level of Service . 31
5.5.1 Quality of service . 31
5.5.2 Reversibility . 33
5.5.3 Service agreement . 34
5.5.3.1 Terms of delivery of the service . 34
5.5.3.2 Organization of the service . 34
5.5.3.3 Responsibilities . 35
5.5.3.4 Confidentiality and information protection . 35
ETSI
---------------------- Page: 3 ----------------------
4 ETSI GS ISI 007 V1.1.1 (2018-12)
5.5.3.5 Reversibility . 36
5.5.3.6 Laws and regulations. 36
5.5.3.7 Subcontracting . 37
5.5.3.8 Service level . 37
Annex A (informative): Tasks and skills of the service provider's SOC's employees . 38
A.1 Analyst operator . 38
A.1.1 Tasks . 38
A.1.2 Skills . 38
A.2 Infrastructure administrator . 38
A.2.1 Tasks . 38
A.2.2 Skills . 38
A.3 Architecture expert . 38
A.3.1 Tasks . 38
A.3.2 Skills . 39
A.4 Collection and log analysis expert . 39
A.4.1 Tasks . 39
A.4.2 Skills . 39
A.5 Detection expert . 39
A.5.1 Tasks . 39
A.5.2 Skills . 39
A.6 Access rights manager . 40
A.6.1 Tasks . 40
A.6.2 Skills . 40
Annex B (informative): Recommendations for Commissioning Entities . 41
B.0 Introduction . 41
B.1 Before the start of the service . 41
B.2 During the provision of the service . 42
Annex C (informative): Definition of the basic level of implementation . 43
Annex D (informative): Authors & contributors . 45
History . 46
ETSI
---------------------- Page: 4 ----------------------
5 ETSI GS ISI 007 V1.1.1 (2018-12)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
Foreword
This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Information Security
Indicators (ISI).
The present document is included in a series of 9 ISI 00x specifications. These 9 specifications are the following (see
figure 1 summarizing the various concepts involved in event detection and interactions between all parts):
• ETSI GS ISI 001-1 [1] addressing (together with its associated guide ETSI GS ISI 001-2 [2]) information
security indicators, meant to measure application and efficacy of preventative measures.
• ETSI GS ISI 002 [3] addressing the underlying event classification model and the associated taxonomy.
• ETSI GS ISI 003 [i.1] addressing the key issue of assessing an organization's maturity level regarding overall
event detection (technology/process/ people) in order to weigh event detection results.
• ETSI GS ISI 004 [i.2] addressing demonstration through examples how to produce indicators and how to
detect the related events with various means and methods (with a classification of the main categories of use
cases/symptoms).
• ETSI GS ISI 005 [i.3] addressing ways to produce security events and to test the efficacy of existing detection
means within organization (for major types of events), which is a more detailed and a more case by case
approach than ETSI GS ISI 003 one [i.1] and which can therefore complement it.
• ETSI GS ISI 006 [i.4] addressing another engineering part of the series, complementing ETSI GS ISI 004 [i.2]
and focusing on the design of a cybersecurity language to model threat intelligence information and enable
detection tools interoperability.
• ETSI GS ISI 007 (the present document) addressing comprehensive guidelines to build and operate a
secured SOC, especially regarding the architectural aspects, in a context where SOCs are often real
control towers within organizations.
• ETSI GS ISI 008 [i.5] addressing and explaining how to make SIEM a whole approach which is truly
integrated within an overall organization-wide and not only IT-oriented cyber defence.
Figure 1 summarizes the various concepts involved in event detection and the interactions between the specifications.
ETSI
---------------------- Page: 5 ----------------------
6 ETSI GS ISI 007 V1.1.1 (2018-12)
GS ISG ISI Series Summary Definition
Event
reaction
measures
Fake events
(Simulation)
Security Event
Real Detected
prevention
detection
events events
measures
measures
Residual risk
(event model-
centric vision)
Figure 1: Positioning the 9 GS ISI against the 3 main security measures
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
The growing interconnection of networks and the requirements of dematerialization leave information systems
vulnerable to cyber-attacks. The points of interconnection with external networks and, in particular, with the Internet,
are all access points an external attacker can attempt to exploit to enter and remain inside an information system in
order to steal, alter or destroy its information assets. And addressing often very dangerous internal threats is also
necessary.
Furthermore, new regulations and laws make it more and more mandatory to detect and report to authorities security
incidents. This is in particular the case with the Network and Information Security (NIS) Directive [i.10], for which
the present document can be a strong basis for the implementation of Articles 14 and 16. For this purpose, it addresses a
secured way to use cyber threat intelligence to detect security incidents, which is an important issue to be dealt with in
the NIS Directive.
The use of security incident detection systems contributes to the protection of information systems from the threats of
cyber-attacks. Human, technical and organizational resources can be concentrated within a cyber security operations
center (CyberSOC or SOC), generally dedicated to the detection of and response to security incidents. Depending on the
challenges, needs and resources of the commissioning entity, this center can be internal, outsourced dedicated or even
shared. In this latter case, the pooling of resources can have positive effects, such as the sharing of information on
threats and detection rules.
When the provision of the detection service is compliant with the state-of-the-art, and is precisely adapted to the needs
of the commissioning entity, it helps to prevent severe security incidents (by detecting vulnerabilities or non-
conformities - see ETSI GS ISI 001-1 [1] or ETSI GS ISI 002 [3]) or, when such incidents occur, to limit their
consequences by making it possible to take rapid remediation actions that can be carried out by the commissioning
entity's security incident response teams (located either in a CERT or in the SOC itself).
ETSI
---------------------- Page: 6 ----------------------
7 ETSI GS ISI 007 V1.1.1 (2018-12)
However, the concentration and pooling of detection capabilities make the cyber security operations center a prime
target for attackers. Therefore, special attention should be paid to protecting its information system.
The purpose of the present document is to provide guidelines to build and operate a secured SOC, through a list of
functional, organizational and technical requirements. Furthermore, it covers security incident detection up to incident
reporting to the commissioning entity without entering the incident response field.
It can also be used, in the interest of adopting best practices, independently of any regulatory framework.
ETSI
---------------------- Page: 7 ----------------------
8 ETSI GS ISI 007 V1.1.1 (2018-12)
1 Scope
The present document covers the 2 types of security incident detection services: internal and external.
The requirements can be implemented at 2 different levels: basic level (partial compliance), advanced level (full
compliance).
The present document is structured as follows (after clauses 2 and 3 respectively dedicated to references and terms,
symbols and abbreviations):
• Clause 4 describes the activities to which the present document relates.
• Clause 5 presents the requirements applicable to service providers (either internal or external) operating a
SOC.
NOTE: These requirements, labelled with lowercase letters (a, b, c, etc.), stem from requirements of a similar
reference framework published by ANSSI [i.12], so that their labelling is aligned with them, meaning that
not present letters correspond to discarded or not relevant requirements.
• Annex A presents the tasks and skills expected from the service provider's employees.
• Annex B presents the recommendations for the commissioning entities when contracting with security
incident detection providers.
• Annex C defines the basic and partial level of implementation of the requirements.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
https://docbox.etsi.org/Reference/.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
[1] ETSI GS ISI 001-1: "Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of
operational indicators for organizations to use to benchmark their security posture".
[2] ETSI GS ISI 001-2: "Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to
select operational indicators based on the full set given in part 1".
[3] ETSI GS ISI 002: "Information Security Indicators (ISI); Event Model A security event
classification model and taxonomy".
[4] ISO/IEC 27002:2013: "Information technology - Security techniques - Code of Practice for
information security controls".
ETSI
---------------------- Page: 8 ----------------------
9 ETSI GS ISI 007 V1.1.1 (2018-12)
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI GS ISI 003: "Information Security Indicators (ISI); Key Performance Security Indicators
(KPSI) to evaluate the maturity of security event detection".
[i.2] ETSI GS ISI 004: "Information Security Indicators (ISI); Guidelines for event detection
implementation".
[i.3] ETSI GS ISI 005: "Information Security Indicators (ISI); Guidelines for security event detection
testing and assessment of detection effectiveness".
[i.4] ETSI GS ISI 006: "Information Security Indicators (ISI); An ISI-compliant Measurement and
Event Management Architecture for Cyber Security and Safety
[i.5] ETSI GS ISI 008: "Information Security Indicators (ISI); Description of an Overall Organization-
wide Security Information and Event Management (SIEM) Approach".
[i.6] ISO 27035-1:2016: "Information technology - Security techniques - Information security incident
management -- Part 1: Principles of incident management".
[i.7] ISO 27035-2:2016: "Information technology - Security techniques - Information security incident
management -- Part 2: Guidelines to plan and prepare for incident response".
[i.8] ANSSI: "Guide d'hygiène informatique".
NOTE: Available at https://www.ssi.gouv.fr/entreprise/guide/guide-dhygiene-informatique/ for an up-to-date
version.
[i.9] The Center for Internet Cybersecurity: "Critical Security Controls for Effective Cyber Defense
Version 7".
NOTE: Available at https://www.cisecurity.org/critical-controls.cfm.
[i.10] Directive (EU) 2016/1148 of The European Parliament and of The Council of 6 July 2016
concerning measures for a high common level of security of network and information systems
across the Union.
NOTE: Available at https://eur-lex.europa.eu/eli/dir/2016/1148/oj.
[i.11] ISO 27000: "Information technology -- Security techniques -- Information security management
systems -- Overview and vocabulary".
[i.12] ANSSI (The French Networks and Information Security Agency): "Security incident detection
service providers - Requirements reference document".
NOTE: Available at https://www.ssi.gouv.fr/uploads/2014/12/pdis_referentiel_v1.0_en.pdf.
ETSI
---------------------- Page: 9 ----------------------
10 ETSI GS ISI 007 V1.1.1 (2018-12)
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the terms given in ETSI GS ISI 001-2 [2] and the following apply:
NOTE: They are primarily taken from the ISO 27000 [i.11] and ISO 27035 [i.6] and [i.7] standards.
administrator: member of the detection service with privileged rights enabling them to ensure the smooth running of
the detection service devices
collection source: equipment within the information system that generates events related to the security of the
information
collector: device enabling the centralization of security events originating from various collection sources
EXAMPLE: Syslog server, SIEM solution collector.
NOTE: In the context of this service, local collectors are collectors installed in the commissioning entity's
information system, and central collectors are collectors used for centralizing events and located in the
service provider's information system
...