COI Report – Part VII Page 325 of 425

Were they breached? Yes. Were they technically compromised? Yes. But did anyone know about them? No, because there was no impact. The impact was contained.

944. IHiS’ current security detection capability rests largely on its outsourced managed security service (“MSS”) provider. A MSS provider is an IT service provider that provides an organisation with cybersecurity monitoring and management of various security systems, which may include antivirus and anti-malware, intrusion detection systems, intrusion prevention systems, firewalls etc. Alerts raised would be communicated to IHiS’ security team, who would then have to evaluate the alerts for significance (e.g. signs of attack) before acting upon them. Thus, while the MSS provider is responsible for receiving alerts, ultimately, assessments of the seriousness of the alerts and consequent remedial actions are squarely within the remit of IHiS’ security staff.

41.5.2 Overview of an Advanced Security Operations Centre

945. The better way of integrating both alerts and responses is to have an ASOC. An ASOC would consolidate the people, processes, and technologies necessary to monitor and respond to potential security incidents in a single place, facilitating detection, containment, and remediation of IT threats. An ASOC should be designed to monitor applications and network activity for unusual signs, then analyse those signs to determine whether an attack is in progress. If it is determined that an attack is taking place, the ASOC (also called a Cyber Defence Centre (“CDC”), where it incorporates incident response functions) can then coordinate investigations, reporting, and remediation efforts.

946. In Gen. Alexander’s expert opinion, an ASOC is an especially important organisational measure to be put in place, to support the CISO.

Vivek observed that an ASOC would be a better option than having outsourced MSS, because MSS providers are often limited to superficial reporting of alerts, as they do not have full access to an organisation’s systems. In contrast, an ASOC would have full access. This is key to responding effectively to an attack. As Vivek said