073
ENTERPRISE SECURITY BLUEPRINT
APPENDIX A
Design Pattern
Security Operations Center (SOC)
Event logging is a key control requirement for all enforcement points. Logged events should be collected into centralized repositories that support event storage and analysis. To reduce network bandwidth requirements, multi-site networks often store logs locally at each site and consolidate them centrally on a schedule. A unified event management infrastructure that incorporates both host and network events supports deep analysis of multi-vector attacks, since an attack that shows up only as a network alert or only as a host anomaly can be corroborated from the other source.
Automated and manual event response mechanisms require an integrated central management capability that can adjust security controls in real time to block attacks and contain compromised hosts. Controls are also updated in the production environment to adapt to changes in the network, hosts, applications, data and threat environment (e.g., high-risk applications, attack sources, known malware and application vulnerabilities).
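The following is an added example (not code from the Enterprise Security Blueprint) showing what the unified event management and automated response above look like in practice: a central store holding both network (IPS) and host (endpoint) events, a correlation rule that treats an IPS exploit alert as confirmed only when the targeted host shows a suspicious process within a short window, and a containment action pushed to the enforcement points. The log line format, field names, the five-minute window, the internal address ranges and the `EnforcementPoints` API are all constructed for the example.

```python
"""Added example, not from the Enterprise Security Blueprint: correlate
network (IPS) and host (endpoint) events from a unified store and drive an
automated containment action. Log lines, field names and the enforcement
API are constructed for the example."""
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed unified event stream: "<ts> <source> <kind> key=value ..."
EVENTS = [
    "2024-03-01T10:00:05Z net ips_alert src=203.0.113.5 dst=10.1.0.20 sig=SMB-exploit-attempt",
    "2024-03-01T10:00:09Z host process host=10.1.0.20 parent=services.exe child=powershell.exe",
    "2024-03-01T10:00:30Z host auth_failure host=10.1.0.31 user=svc_backup",
    "2024-03-01T10:02:11Z net ips_alert src=10.1.0.20 dst=10.1.0.31 sig=SMB-exploit-attempt",
    "2024-03-01T10:40:00Z host process host=10.1.0.31 parent=explorer.exe child=powershell.exe",
]

WINDOW = timedelta(minutes=5)        # host corroboration must follow the alert within this window (assumed)
SUSPICIOUS_CHILD = {"powershell.exe", "cmd.exe", "rundll32.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(line: str) -> dict:
    """Split one constructed event line into timestamp, source, kind and key=value fields."""
    ts, source, kind, rest = line.split(" ", 3)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
             "source": source, "kind": kind}
    event.update(kv.split("=", 1) for kv in rest.split())
    return event


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class EnforcementPoints:
    """Stand-in for the central management capability that pushes control
    changes to firewalls and switches (constructed; it only records actions)."""
    def __init__(self) -> None:
        self.actions: List[Tuple[str, str]] = []

    def quarantine_host(self, ip: str) -> None:
        if ("quarantine_host", ip) not in self.actions:
            self.actions.append(("quarantine_host", ip))

    def block_source(self, ip: str) -> None:
        if ("block_source", ip) not in self.actions:
            self.actions.append(("block_source", ip))


def find_compromised(lines: List[str]) -> Dict[str, str]:
    """Map victim host -> attacking source for every IPS alert that is
    corroborated by a suspicious process on the victim within WINDOW."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = [e for e in events if e["source"] == "net" and e["kind"] == "ips_alert"]
    suspicious = [e for e in events if e["source"] == "host" and e["kind"] == "process"
                  and e.get("child") in SUSPICIOUS_CHILD]
    compromised: Dict[str, str] = {}
    for a in alerts:
        for h in suspicious:
            if h["host"] == a["dst"] and a["ts"] <= h["ts"] <= a["ts"] + WINDOW:
                compromised.setdefault(a["dst"], a["src"])
    return compromised


def respond(lines: List[str], ep: EnforcementPoints) -> Dict[str, str]:
    """Contain every corroborated victim; block external attackers at the
    perimeter and quarantine internal ones (lateral movement)."""
    compromised = find_compromised(lines)
    for victim, attacker in compromised.items():
        ep.quarantine_host(victim)
        if is_internal(attacker):
            ep.quarantine_host(attacker)
        else:
            ep.block_source(attacker)
    return compromised


if __name__ == "__main__":
    ep = EnforcementPoints()
    print(respond(EVENTS, ep))
    print(ep.actions)
```

In the constructed stream only 10.1.0.20 is contained: the alert against it is followed four seconds later by a `powershell.exe` spawn. The later alert against 10.1.0.31 is not acted on, because the only suspicious process on that host appears 38 minutes later, outside the window; a human analyst would still want to review it, which is why the pattern keeps manual response alongside the automated path.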
As with network management applications, logging and security management servers should be protected within dedicated network segments to prevent attacks on the security infrastructure. Trusted channels should be used to prevent tampering with critical security data transiting the network (e.g., policies distributed to managed enforcement points and log records collected from them). Trusted channels should also be used to block attempts to spoof security management hosts.
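The following is an added example (not code from the Enterprise Security Blueprint) that ties together the local-store-then-consolidate pattern from the first paragraph and the trusted-channel requirement above. A site-local log store flushes sequence-numbered batches to the central collector, and the collector checks origin, integrity and freshness before storing anything, so a batch that was tampered with in transit, sent by a host that is not a registered forwarder, or replayed is rejected. The per-forwarder HMAC-SHA256 key is used here as a stand-in for the client credential that a mutually authenticated TLS channel would carry; the hosts, keys and log records are constructed for the example.

```python
"""Added example, not from the Enterprise Security Blueprint: local log
storage at a site that ships sequence-numbered batches to the central
collector, which rejects batches that were tampered with, spoofed, or
replayed. The per-forwarder HMAC key stands in for the client credential a
mutually authenticated TLS channel would carry; hosts, keys and log lines
are constructed."""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed per-forwarder secrets; a deployment would use client
# certificates on the trusted channel rather than shared keys.
FORWARDER_KEYS: Dict[str, bytes] = {
    "site-a-fw01": b"constructed-key-site-a-fw01",
    "site-b-ids01": b"constructed-key-site-b-ids01",
}


def _mac(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the batch body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class LocalLogStore:
    """Buffers events at a site and flushes them as authenticated batches."""
    def __init__(self, host: str, key: bytes) -> None:
        self.host, self.key = host, key
        self.buffer: List[dict] = []
        self.seq = 0

    def append(self, event: dict) -> None:
        self.buffer.append(event)

    def flush(self) -> dict:
        self.seq += 1
        body = {"host": self.host, "seq": self.seq, "events": self.buffer}
        self.buffer = []
        return {"body": body, "mac": _mac(self.key, body)}


class CentralCollector:
    """Central repository: verifies origin, integrity and freshness before storing."""
    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys
        self.last_seq: Dict[str, int] = {}
        self.events: List[dict] = []
        self.rejected: List[Tuple[str, str]] = []

    def ingest(self, batch: dict) -> bool:
        body = batch.get("body", {})
        host = str(body.get("host"))
        key = self.keys.get(host)
        if key is None:                                   # not a registered forwarder
            self.rejected.append((host, "unknown forwarder"))
            return False
        if not hmac.compare_digest(str(batch.get("mac", "")), _mac(key, body)):
            self.rejected.append((host, "bad mac"))       # tampered in transit or forged
            return False
        seq = int(body.get("seq", 0))
        if seq <= self.last_seq.get(host, 0):             # an already-accepted batch re-sent
            self.rejected.append((host, "replayed batch"))
            return False
        self.last_seq[host] = seq
        self.events.extend(dict(e, host=host) for e in body.get("events", []))
        return True


def demo() -> Tuple[List[bool], int, List[str]]:
    """Ship one good batch, then a tampered copy, a spoofed batch and a replay."""
    fw = LocalLogStore("site-a-fw01", FORWARDER_KEYS["site-a-fw01"])
    fw.append({"ts": "2024-03-01T10:00:05Z", "msg": "deny tcp 203.0.113.5 -> 10.1.0.20:445"})
    collector = CentralCollector(FORWARDER_KEYS)
    good = fw.flush()
    results = [collector.ingest(good)]
    tampered = json.loads(json.dumps(good))              # deep copy, then alter the record
    tampered["body"]["events"][0]["msg"] = "permit tcp 203.0.113.5 -> 10.1.0.20:445"
    results.append(collector.ingest(tampered))
    spoofed = {"body": {"host": "rogue-forwarder", "seq": 1, "events": []}, "mac": "00"}
    results.append(collector.ingest(spoofed))
    results.append(collector.ingest(good))               # replay of the accepted batch
    return results, len(collector.events), [reason for _, reason in collector.rejected]


if __name__ == "__main__":
    print(demo())
```

The sequence number is what turns a plain integrity check into a channel property: without it an attacker who captured a valid batch could re-inject it later to bury fresh evidence under stale records. In a real deployment the same three checks (who sent it, was it modified, is it fresh) come from mutual TLS with per-host certificates plus a monotonic counter or timestamp in the transport.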
Protections
The following protections are typical for the SOC design pattern:
Inbound Access Control
- Firewall tightly restricts interactions into and out of the SOC, preventing unauthorized access to management servers and services and allowing only authenticated control protocols.
- IPS enforces protocol compliance checks on authorized interactions.
Inbound Threat Prevention
- Prevents route injection and unauthorized access to network infrastructure services.
- IPS blocks exploitation of known vulnerabilities in management applications.
Data Protection
- VPN provides trusted channels for out-of-band management of network elements.