Annex D: Security Operations

Overview

The GC ESA Description Document Annex D - Security Operations (OPS) incorporates the Security Policy Compliance Monitoring (PCM) ESA focus area (ESFA) components that are described in the GC ESA Description Document Main Body. The main goal of the OPS ESFA is to describe security and system functions that provide the security capabilities that ensure GC IT/IS services supporting the GC's mission and business objectives are available, confidential, and that the integrity of the information is preserved. In the past, these security capabilities were focused on defensive measures aligned with the Defence in Depth approach to security operations.

However, the increase in attacks via a stealthy, persistent, and sophisticated adversary, who may have already compromised system components and established a foothold within an organization's systems (i.e. advanced persistent threats), requires the system to be able to continue operations in spite of an attack. Therefore, there is a need to move to a security operations implementation that exhibits cyber resiliency. The goals of cyber resiliency are to continue essential mission/business functions during an attack, restore those functions as soon as possible after the attack, and to adapt to minimize adverse impacts from future attacks.

The GC enterprise operates in a world of ever-present risk to its mission and business objectives. The GC Framework for the Management of Risk identifies principles to effectively manage risk within the GC via a "systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, making decision on, and communicating risk issues." As stated in the GC Guide to Integrated Risk Management, risk management "cannot be practiced effectively in silos", but must be integrated into the organization in a "continuous, proactive, and systematic process." Security Operations supports this GC Integrated Risk Management approach by providing capabilities to assess, respond to, and monitor risk within the GC Enterprise.

Components

The image on the below depicts the components used to define the security operations ESFA. The OPS components are intended to represent the superset of functionality required by a wide range of security operations centres. For a table describing the OPS components with the security operations ESFA, please refer to the GC ESA Description Document Annex D - Security Operations (OPS) document.

Also, please read the GC ESA Description Document Annex D - Security Operations (OPS) document for more information about the architectural needs that need to be considered and implemented to develop an architecture for secure applications.

Context

The image on the below shows the contextual view of the OPS ESFA with respect to other ESFAs, direct GC actors, and the external security information feeds required to perform security operations. All ESFAs interface with security operations as OPS components are required to monitor and asses the security state of the GC enterprise. The black hat actor or unknown/compromised devices are positioned to illustrate potential intrusion vectors into the GC enterprise. For a full list and description of GC enterprise actors, please read the GC ESA Description Document Main Body. External interfaces for security operations include threat intelligence and information sharing capabilities across GC security operations and with external partners.

For more information about the interface characteristics between the OPS ESFA and other ESFAs, and security considerations when interfacing with these ESFAs, please read the GC ESA Description Document Annex D - Security Operations (OPS) document.

Perspectives

This section provides contextual information on security operations that supports the target architectural views and information concerning security operations capabilities that provide rational for the security architecture transitions.

The following subsections, which can be expanded by clicking on 'Expand' on the far right, provide contextual information that should be considered for improving security operations.

For more information, please read the GC ESA Description Document Annex D - Security Operations (OPS) document.

Security Operations (OPS) Target Security Architecture

Two target architecture viewpoints are presented for security operations. The first viewpoint focuses on GC-wide security operations providing shared situational awareness and the sharing of security information and knowledge resources between security operations. Communications between security operation centres are secured by the methods documented in the GC ESA ConOps Annex D: Secure Enterprise Systems Administration document. The second viewpoint represents a single security operations centre and focuses on the functions and interactions of the OPS components.

GC-Wide Security Operations

The image below depicts the GC-wide hierarchy of security operations. Each security operations centre has access to the complete set of OPS component functions and security information is shared across all GC security operations. Situational awareness exists at the mission/business level and extends across all security operations creating a GC-wide shared situational awareness capability. Security information sharing includes situational status reports, CDM state data, threat intelligence (alerts, reports, bulletins, and best practices), cloud security monitoring, vulnerability intelligence, and GC policy guidance information.

Centralized CDM repositories allow security operation centres to share security state information across GC security operation centres. This provides the GC with the ability to contextually analyze GC security operations states. For example, CDM data can be used to identify assets that have a critical vulnerability. Analysis of this data identifies where and how many of the assets exist, the security settings of the assets, and then directs that these assets are secured.

Security Operations Instance

The image below depicts an instance of a security operation centre. Each security operation centre has access to all OPS component functions whether they are presented as lightweight interfaces or as complete applications. OPS component interfaces are digital and automated to provide adaptable security workflow automation capabilities. Security operations have access and control of local security data and share relevant security information by reporting CDM state data, threat intelligence, and policy and audit compliance to centralized GC repositories.

For more information about the target security architecture for security operations and the transition strategy to achieve it, please read the ESADD Annex D: Security Operations (OPS) document.

ESADD Annex D: Security Operations (OPS) Pattern Diagrams

For the Pattern Diagrams for Security Operations (OPS) from the GC ESA Description Document Annex D - Security Operations (OPS) document, please visit the ESA Pattern Diagram Repository.

List of ESADD Annex D Pattern Diagrams

• Pattern PN-OPS-001 Asset Discovery

• Pattern PN-OPS-002 Client Endpoint Configuration Checking
• Pattern PN-OPS-003 Backup and Restore
• Pattern PN-OPS-004 Anomaly Detection and Resolution
• Pattern PN-OPS-005 Vulnerability Identification and Mitigation
• Pattern PN-OPS-006 Cyber Security Event

References

• GC ESADD Annex D: Security Operations (OPS)
• GC ESA Description Document Main Body
• GC Framework for the Management of Risk
• GC Guide to Integrated Risk Management
• GC ESA ConOps Annex D: Secure Enterprise Systems Administration