Are 'pop-up' SOCs the answer to protect major events? [Q&A]
Increasingly, high-profile one-off events like sports tournaments and elections are becoming targets for hackers.
Protecting them is tough: even when the hosts have a sound security infrastructure for day-to-day operations, they often lack the resources to lock down a large-scale, high-profile event, which requires additional physical and cybersecurity measures to guard against disruption, revenue loss or other irreversible damage.
The answer may lie in the idea of a 'pop-up' security operations center (SOC) which can be deployed quickly to deal with times of abnormal traffic and network distress at large events. We spoke to Dave Gold, VP of solutions architecture at ProtectWise, to find out more.
BN: What sort of things can pop-up SOCs be used for?
DG: Pop-up SOCs are used for high-profile events, often temporary, where there’s a need to deploy security and protect the event. Things like international football leagues, major league baseball, other professional sports leagues, trade shows and conferences, anywhere that you need to spin up a security operations team very quickly. There's also a need in things like the military where assets and troops move around, as well as political events and campaigns. All of these things need technology that can be spun up and deployed quickly and that can provide visibility into the entire environment.
BN: What are the major threats to these types of events?
DG: The threats can be all over the place. Denial of service is a big one, to be able to be disruptive and make a name for yourself -- we saw that with the opening ceremony of the Olympic Games. They are not that different from attacks on normal commercial networks, so credential theft, attacks on point of sale systems, and so on. There's also valuable data in these environments.
BN: Are elections and other events seen as an easier target?
DG: Yes, there's a perception too that these things are not very secure because they are temporary. Higher profile event targets can be seen as easier because they don’t have all of the technology that an established company has in its everyday networks.
BN: Is a pop-up SOC a supplement to existing security tools?
DG: Typically events will have a standard security operations team, but they will be looking for additional resources from vendors, partners, law enforcement and so on to help augment their staff. Ideally they want all of the tools they would have on a permanent network, so firewalls, security analytics, all the things that you would normally want to see. The challenge is that there may only be a couple of days to stand these up and the technology requires a lot of configuration, a lot of appliances to be shipped on site, cabled and configured. A cloud-delivered solution or a solution that is software-virtualized is therefore preferable.
At ProtectWise we can send our sensor on site and deploy it in minutes because the work is done in the cloud. We can get complete packet level visibility to everything that is going across the network, identify threats and respond in a very quick way. Delivering the solution from the cloud also means it can be accessed remotely so you remove much of the challenge of physically getting people to the events.
The SOC can of course also deploy on top of whatever basic level of technology is already there at the venue and will supply the data that you need to understand what is happening and see if there is an attack or if something unusual is going on.
BN: How fast can a pop-up SOC be deployed and what technology drives that?
DG: We basically record the whole network and create a forensic memory that can be analyzed for threats. A sensor can be deployed on a network in a couple of minutes. The software is packaged and can be deployed on commodity hardware but it's also virtualized so that you can eliminate the delay of shipping an appliance.
We also don’t charge per sensor so customers can put them anywhere they need. For big stadiums for example it can be used to protect electrical and HVAC systems, point-of-sale systems, anything which is vulnerable to attackers. You can spin these sensors up throughout the entire network very quickly. It also eliminates the need to have months' worth of data to establish a baseline. We can deploy and start detecting very quickly and obviously the longer it’s on the network the easier anomalies are to spot.
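The answer above makes two detection claims that are easy to illustrate: a sensor can start alerting without months of historical data, and the longer it watches the network the easier anomalies are to spot. The following is an added example, not ProtectWise's code and not part of the interview: a minimal per-host rolling baseline (Welford running mean and variance) over constructed per-interval packet counts, which refuses to alert until a small number of baseline samples exist and then flags a surge by z-score. The host names, interval counts and thresholds are all assumed for illustration.

```python
"""Rolling-baseline anomaly detection over per-interval traffic counts.

Added example for illustration only; hostnames, packet counts and
thresholds are constructed, not taken from any real sensor.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MIN_BASELINE_SAMPLES = 5   # intervals a host must be observed before alerting
Z_THRESHOLD = 3.0          # standard deviations above the mean that count as a surge


@dataclass
class HostBaseline:
    """Welford's online mean/variance so the baseline never stores raw samples."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0   # running sum of squared deviations from the mean

    def std(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)


def score(baseline: HostBaseline, x: float) -> Optional[float]:
    """z-score of x against the host baseline, or None if the baseline is too immature."""
    if baseline.n < MIN_BASELINE_SAMPLES:
        return None
    sd = baseline.std()
    if sd == 0.0:
        # Perfectly constant history: any deviation at all is anomalous.
        return math.inf if x != baseline.mean else 0.0
    return (x - baseline.mean) / sd


Record = Tuple[int, str, int]          # (interval, host, packets seen)
Alert = Tuple[int, str, float]         # (interval, host, z-score)


def process(records: List[Record]) -> List[Alert]:
    """Feed records in time order; return surge alerts per host."""
    baselines: Dict[str, HostBaseline] = {}
    alerts: List[Alert] = []
    for interval, host, packets in records:
        b = baselines.setdefault(host, HostBaseline())
        z = score(b, packets)
        if z is not None and z > Z_THRESHOLD:
            alerts.append((interval, host, z))
            continue   # keep the surge out of the baseline so it cannot mask a repeat
        b.update(packets)
    return alerts


# Constructed sample: a point-of-sale terminal with eight quiet intervals then a
# surge, and a kiosk that surges in its second interval, before any baseline exists.
SAMPLE_RECORDS: List[Record] = [
    (1, "pos-17", 118), (2, "pos-17", 122), (3, "pos-17", 125), (4, "pos-17", 119),
    (5, "pos-17", 121), (6, "pos-17", 120), (7, "pos-17", 123), (8, "pos-17", 117),
    (9, "pos-17", 4000),   # ~1400 standard deviations above the learned mean
    (10, "pos-17", 121),
    (1, "kiosk-2", 110), (2, "kiosk-2", 3900),   # absorbed: no baseline yet
]

if __name__ == "__main__":
    for interval, host, z in process(SAMPLE_RECORDS):
        print(f"interval {interval}: {host} surge, z={z:.0f}")
```

Run as a script it reports only the pos-17 surge at interval 9. The kiosk surge is silently folded into that host's baseline because only two samples exist, which is the trade-off behind "the longer it's on the network the easier anomalies are to spot": a sensor stood up two days before an event can alert on hosts it has watched for a few intervals, but anything that is already abnormal when the sensor arrives becomes part of the baseline unless an analyst reviews the early data.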
BN: So it's as easy as just plugging something into the network?
DG: We wanted to build this to be as simple to deploy as possible. Sometimes organizations use our technology on their main networks. A pop-up allows them to just deploy another sensor and use some of their existing capacity so staging an event won't cost them anything more. If you are running exhibitions for example you can have the sensor on a commodity Linux box and just take it around to different venues without too much effort.