Our case study concerns a medium-size newspaper publishing house with about 3000 IT end-users distributed over two main and a few subsidiary sites, some of them also working mobile or from home offices. The technical facilities of the organization range from in-house print production[2], digital content management, and administrative and office applications to a state-of-the-art digital online publishing system, and thus form a rather complex, heterogeneous technical landscape. We believe that this status quo is rather typical for many medium-sized organizations at this time. Four major zones can be identified:
The first zone, the internal IT systems, spans all technical and application layers from production machinery to content production, administrative, and other business software; it is managed and maintained in a common network spanning several physical locations.

The second zone is Google Workspace (GWS), which has been rolled out company-wide as the universal tool for day-to-day office work and communication. On the infrastructure and technical layers, GWS is increasingly used for user identity management and for the management of end-user devices.

The third zone comprises special cloud applications and services at different levels. Parts of operational business, for example in marketing, have been outsourced to special cloud services. As an important infrastructure component, a cloud service for Identity & Access Management (IAM) provides seamless and secure user logon and authentication across the different sources of identities and credentials used within the organization (e.g., Google and Active Directory). In addition, some special cloud-based IT security tools are used, e.g., for endpoint security monitoring.

Finally, the fourth zone is Amazon Web Services (AWS), which as a versatile cloud resource forms the foundation of the company's Digital Publishing Platform (DPP). This complex core system of digital production consists of a number of connected components, loosely coupled in a service-oriented architecture [29], partly developed in-house and partly contributed and operated by external partners. The AWS infrastructure itself is managed by a specialized firm. The change of work organization described in Sec. 1.2 has been realized most fully in the development of the DPP, exemplified by the in-house implementation of the online sales and subscriber management system, a core techno-economic asset of the DPP. Here, the organization's own application logic for operational business has been developed and integrated into cloud-native applications, employing modern methods such as serverless computing [31] without having to operate the underlying infrastructure.
The four zones may be further broken down into functional groups while roughly following the layer model of information technology (although function groups often contain technical elements across several layers). There are many other possibilities to structure the IT landscape, e.g., technical-architectural (network segments and zones), or security-related such as access control groups and hierarchies. The functional grouping chosen here serves as a basis for planning the SIEM processes and the SOC organization and is driven by two boundary conditions of the overarching security strategy: functions are to be grouped and classified i) with respect to their criticality for business continuity, and ii) so as to enable group-wise reporting on security posture and security events for compliance purposes. These external conditions must be compatible with the conditions for a well-functioning SOC: iii) the function groups allow for coherent security operations regarding the core SIEM processes, i.e., they allow the application of common security controls and, for instance, of common technical expert knowledge to mitigate security events (we check this condition later in this section). With these conditions in mind, we identify twelve function groups.
1. Print production machines are special elements at the network edge: control data goes in, telemetry data goes out, and they are connected to the network almost exclusively via dedicated control servers. Exposure units, stamping and bending machines, and the actual printing machines are connected via various interfaces, e.g., an SCSI interface attached to a dedicated computer via a SCSI-USB converter. Printing presses often also have Ethernet interfaces and can speak TCP/IP, which makes them reachable from the production network independently of the control-server path. Configuration and maintenance are carried out via the control servers or physically on site.
2. Print production systems form the IT environment of the print production machinery and thus the network perimeter of group 1 above. The group contains highly specialized applications such as integrated workflow control as well as prepress, exposure, and quality control software. In addition, there are infrastructure components such as font servers (type servers) and (Windows) file servers for data exchange with external providers.
3. The telephony group combines the various Voice-over-IP (VoIP) infrastructures and applications throughout the company, among them infrastructure elements such as a number of SIP servers (telephony system software, PBX) and session border controllers from different manufacturers. A unified communications solution (telephone switchboard) is used at the application infrastructure level. Call center solutions form the application layer of this group. The group is a vertically integrated stack through all layers from hardware to application and is largely isolated from other components. Relations to other functions exist at the infrastructure and application levels (e.g., with directory services and CRM systems). This structure makes the group a candidate for outsourcing and/or virtualization.
4. Technical infrastructure comprises basic network infrastructure functions at the TCP/IP and higher protocol levels. These include routers, switches, and DHCP and DNS servers. The established logical network structures, subnets, and associated network security areas (demilitarized zones, DMZ) are also located here. This function group cannot be fully outsourced. Finally, it also includes the platforms on which higher-level services and applications run, i.e., the (few) physical servers and the large number of self-managed virtual machines (VMs).
5. A remote desktop service provides device- and location-independent virtual Windows and Linux desktop environments for devices outside the internal network, which obtain access to internal resources only via this secured service. Remote desktop agents on end devices provide a secure environment for the execution of applications delivered by the service. The remote desktop service infrastructure is heterogeneous, consisting of internal servers and cloud services of the provider[3].
6. End devices permanently installed in the company network are managed with automated scans, monitoring, and software distribution solutions. Mobile clients, i.e., laptops, tablets, and other devices with various operating systems, are assigned to unique owners and managed via the device management functions of GWS. Access to internal resources from these clients is secured via remote desktop or VPN.
7. To set up ad hoc test environments, personnel of some organizational units (OEs) are entitled to set up and administer virtual machines on certain servers. Being used for tests of third-party software and for in-house development, test systems may interact with internal systems or with non-productive replicas thereof. During test and development in the field of print production, test systems occasionally have to communicate with printing machines in the final stage. Outsourcing test environments to a cloud-based test farm is currently being considered for security and cost-efficiency reasons.
8. IT Security, as an OE, governs a variety of security and security management tools, ranging from multi-factor authentication solutions and user credential management, through multi-platform endpoint security monitoring, virus scanners, patch management and software distribution, to passive and active baseline security functions such as firewalls and VPNs. Elements of this group are access-restricted to authorized personnel of the OE and isolated within the organization's intranet.
9. Data security is implemented on two levels: while a backup solution regularly secures large amounts of business-relevant data, another solution for continuous data protection (CDP) also secures machine images for disaster recovery[4]. The two complementary systems are architecturally similar: target data sources are connected via proxy servers, while management of the sources and storage load balancing are performed by orchestration servers. Short-term in-house storage is complemented by long-term repositories (LTRs), which mostly reside off-shore.
10. The application infrastructure contains classic common functions such as the mail server (MS Exchange), directory services (Active Directory, AD), print servers, Windows domain controllers, database servers, and specialties such as local license management servers for Windows (e.g., Office) software. The internal AD is complemented by cloud-based, federated IAM [34, 19] for cross-service access. FTP servers are maintained at various locations, e.g., for forwarding print data to production. Although normally considered an element of the higher application layer, we include GWS in this group, since its functions are commonly used throughout all OEs and it is managed similarly to the aforementioned infrastructures.
11. The purpose of static data management is the secure long-term storage of important documents from the operative business (incoming and outgoing invoices, personnel files, and contracts) for compliance. A data management solution for these documents also enables workflows for deadline-based processing. Another solution provides digitization of paper documents. Both are linked to each other and to higher-level business applications, in particular SAP. Further special solutions are employed for secure long-term archiving of documents and email communication.
12. Operative applications denote the IT functions for value creation proper on the one hand and for daily administration on the other. For the former, a special application for digital asset management (DAM) is the central element, enabling cross-media management and processing of content and serving newspaper editors and journalists as the environment in which content is originally created. The in-house part of the DAM is used for management, storage, and rights control, while another part hosted in the AWS cloud is tightly integrated with the DPP mentioned above and serves both as its content repository and as a frontend for content creators. Data is held redundantly in, and replicated regularly between, the two parts. The DAM and DPP are accompanied by auxiliary functions, some in-house and some outsourced, for advertisement management, digital marketing and campaigning, and logistics planning for printed media distribution. The heart of the administration functions is an SAP system with many subfunctions including financial accounting, cash register system, material planning, wages and salaries, controlling, and business intelligence. Organizationally, SAP is, as per common practice, operated and administered by a separate in-house team. SAP connects to external parties via dedicated DMZ routers. Apart from SAP, a separate application is used for human resources management.
The empirical part of the case study concludes with an evaluation of the function groups from the perspective of security operations. In particular, we want to understand how relevant a function group is for the SOC, in terms of resources needed and effect exerted, and which particular methods, i.e., security controls [35], are best applied to each group. For the latter, we identify seven security controls that are tasks of the SOC within the functions of SIEM and baseline security. They are (with mnemonic tokens; the first four belong to the SIEM function, the last three to baseline security):
- S.Com: Communication Monitoring relies on intercepting data communications between network nodes and examining them for anomalies. Many levels apply, from coarse logging of data volumes and network loads to examining individual IP packets with Deep Packet Inspection (DPI).
- S.Acc: Access Monitoring observes the triggering of functions on a node by requests from another node or a user. This necessitates inspection of communication protocols (e.g., DNS, LDAP, SMTP, SNMP, HTTP, SOAP, REST, and application-specific protocols) at all layers. Target systems mostly carry logs that are data sources for SIM. IAM systems also provide granular logs. Checking the plausibility of access attempts and detecting anomalies among them is a core element of intrusion detection (see below).
- S.App: Application Monitoring yields information about security-related events in business applications. Extensive logging of application processes plays the main role here. Occasionally, applications also have their own security modules, which, e.g., "scan" the application's configuration or databases. For SIM, the supplied logs (in proprietary formats) must be accessed individually, which can be cumbersome.
- S.ID: Intrusion Detection is a meta-method that combines data from the three aforementioned methods with additional data obtained from endpoints (endpoint security) in order to detect breaches of system security by attackers. It is a sub-process of SIEM that is often carried out by dedicated intrusion detection systems (IDS).
- B.Ept: Endpoint Security comprises a variety of tasks such as setting up (restricting) user access rights, configuring the system and software with regard to security features (e.g., virus scanners), and monitoring the clients during operation. Special products for remote monitoring and management of endpoints install agent programs on the endpoints. Such agents can often trigger alerts or provide logs for SIEM purposes.
- B.Vuln: Vulnerability Management refers to the detection and elimination of security deficiencies, i.e., entry points for attackers, through updates or reconfiguration. Information about vulnerabilities mostly comes from external (general/public [37] or manufacturer-specific) sources that have to be monitored constantly. Vulnerabilities are security-relevant events, and their management is part of SIEM.
- B.Peri: Perimeter Security essentially consists of two parts. The static part restricts the communication between nodes in the network, for example by setting up separate segments or by allowing only protected (VPN) connections. The dynamic part secures perimeters by detecting and filtering unauthorized communication, e.g., by firewalls. Both parts provide relevant information (network access and firewall logs) for SIM.
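To make the interplay of S.Com, S.Acc, S.App and S.ID concrete, the following Python sketch is an added example and not code from the case study or its SOC. It parses three constructed log snippets (firewall, domain controller, application), applies the S.Acc plausibility check described above (a burst of failed logons followed by a success for the same account and source), enriches the hit with perimeter (S.Com, the firewall logs B.Peri feeds into SIM) and application (S.App) events in the same time window, and ranks the resulting S.ID finding by the SO relevance of the function groups touched, as listed in Table 1. The key=value log formats, host names, addresses, thresholds, the sensitive application events and the host-to-group mapping are all assumptions made for illustration.

```python
"""Added example: a minimal S.ID-style correlation over S.Com, S.Acc and S.App data.
Not code from the case study. Log formats, hosts, addresses, thresholds and the
host-to-function-group mapping are assumptions made for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the case study), one key=value format per source.
FIREWALL_LOG = """\
2024-05-03T08:00:12Z fw01 action=deny src=203.0.113.7 dst=10.20.0.15 dport=3389
2024-05-03T08:01:45Z fw01 action=allow src=203.0.113.7 dst=10.20.0.15 dport=443
2024-05-03T08:15:01Z fw01 action=allow src=10.10.5.22 dst=10.20.0.15 dport=443
"""
AUTH_LOG = """\
2024-05-03T08:00:30Z dc01 result=FAIL user=j.doe src=203.0.113.7 proto=LDAP
2024-05-03T08:00:41Z dc01 result=FAIL user=j.doe src=203.0.113.7 proto=LDAP
2024-05-03T08:00:52Z dc01 result=FAIL user=j.doe src=203.0.113.7 proto=LDAP
2024-05-03T08:01:03Z dc01 result=FAIL user=j.doe src=203.0.113.7 proto=LDAP
2024-05-03T08:01:30Z dc01 result=OK user=j.doe src=203.0.113.7 proto=LDAP
2024-05-03T08:14:50Z dc01 result=OK user=a.lee src=10.10.5.22 proto=LDAP
"""
APP_LOG = """\
2024-05-03T08:02:10Z dam-int user=j.doe event=export_bulk count=4200
2024-05-03T08:15:20Z dam-int user=a.lee event=view count=1
"""

# Assumed mapping of hosts to function groups, with the SO relevance taken from Table 1.
HOST_GROUP = {
    "10.20.0.15": ("Application Infrastructure", "High"),
    "dam-int": ("Operative Applications", "High"),
}
RELEVANCE_RANK = {"High": 3, "Medium": 2, "Low": 1}
SENSITIVE_APP_EVENTS = {"export_bulk"}  # assumed S.App events worth correlating

KV = re.compile(r"(\w+)=(\S+)")


def parse(text, source):
    """Normalise one log source into dicts with ts/host/source plus its key=value fields."""
    events = []
    for line in text.splitlines():
        ts, host, rest = line.split(" ", 2)
        ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
              "host": host, "source": source}
        ev.update(KV.findall(rest))
        events.append(ev)
    return events


def correlate(fw_text, auth_text, app_text, fail_threshold=3, window=timedelta(minutes=5)):
    """S.ID meta-method: an S.Acc anomaly (failed-logon burst followed by a success) is
    enriched with S.Com (perimeter) and S.App (application) events from the same window
    and ranked by the SO relevance of the function groups involved."""
    fw, auth, app = parse(fw_text, "S.Com"), parse(auth_text, "S.Acc"), parse(app_text, "S.App")
    fails = defaultdict(list)
    findings = []
    for ev in auth:
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            fails[key].append(ev["ts"])
            continue
        recent = [t for t in fails[key] if ev["ts"] - t <= window]
        if len(recent) < fail_threshold:
            continue  # a plain successful logon is plausible: no finding

        def near(t):  # perimeter events shortly before or after the suspicious success
            return abs((t - ev["ts"]).total_seconds()) <= window.total_seconds()

        perimeter = [f for f in fw if f["src"] == ev["src"] and near(f["ts"])]
        allowed = [f for f in perimeter if f["action"] == "allow"]
        actions = [a for a in app if a["user"] == ev["user"]
                   and a["event"] in SENSITIVE_APP_EVENTS
                   and 0 <= (a["ts"] - ev["ts"]).total_seconds() <= window.total_seconds()]
        hosts = {f["dst"] for f in allowed} | {a["host"] for a in actions}
        groups = {HOST_GROUP[h] for h in hosts if h in HOST_GROUP}
        findings.append({
            "user": ev["user"], "src": ev["src"], "failed_logons": len(recent),
            "perimeter_denied": len(perimeter) - len(allowed),
            "perimeter_allowed": len(allowed), "app_events": len(actions),
            "groups": sorted(g for g, _ in groups),
            "relevance": max((RELEVANCE_RANK[r] for _, r in groups), default=0),
            # S.Acc alone is "medium"; corroboration by S.Com and S.App raises it to "high"
            "severity": "high" if allowed and actions else "medium",
        })
        fails[key].clear()  # do not report the same burst twice
    findings.sort(key=lambda f: (f["relevance"], f["severity"] == "high"), reverse=True)
    return findings


if __name__ == "__main__":
    for finding in correlate(FIREWALL_LOG, AUTH_LOG, APP_LOG):
        print(finding)
```

Run as a script, the block reports one finding for j.doe (four failures, one admitted perimeter connection, one bulk export) and none for a.lee, whose single successful logon is plausible. The point of the sketch is the structure rather than the thresholds: each of the three monitoring controls contributes evidence in its own format, and only the S.ID layer, which also knows the function-group mapping, turns them into a ranked finding.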
With these definitions, three questions were put to an internal expert committee[5]:
- What is the primary security control which must be applied to a function group?
- What are the (at most two) secondary controls which should[6] be applied to a group?
- What is a group's relevance to security operations, ranked as low, medium, or high?
The last question calls for some elaboration. The committee was asked here for a synthetic opinion (a euphemism for "gut feel") on the effort incurred by security operations for a function group. Three subsidiary valuation criteria were provided: i) criticality of the function according to the common confidentiality-integrity-availability scheme, ii) applicability and effectiveness of the seven security controls, and iii) expected workload in terms of attack frequency times mitigation effort. For each of the questions, the committee was asked to provide a rationale for its answer, a requirement which serves as guidance toward a rational group consensus. The result of the survey is shown in Table 1. The abstract category (Cat.) column is introduced in the following section.
Table 1
Expert survey on applicable security controls, and relevance to security operations.
Cat. | Function Group | Prim. Ctrl. | Sec. Ctrl. | SO Relevance |
A | Production machines | B.Peri | B.Vuln | Medium |
E | Print production | S.ID | B.Vuln | High |
A | Telephony | B.Peri | S.ID | Medium |
B | Technical Infrastructure | B.Ept | B.Vuln, S.ID | High |
D | Remote Desktop Service | S.Acc | B.Vuln, S.ID | Medium |
B | End Devices | B.Ept | B.Vuln, S.ID | High |
C | Test Environments | B.Peri | S.Acc, S.Com | Low |
C | IT Security | B.Peri | S.Acc | High |
C | Data Security | S.Com | S.App, B.Vuln | High |
D | Application Infrastructure | S.Acc | B.Vuln, S.ID | High |
D | Static Data Management | S.Acc | S.App, B.Vuln | Low |
E | Operative Applications | B.Vuln | S.ID | High |
[2] Which is strategically not fully outsourced due to the regional locality of some news outlets in the company’s portfolio.
[3] The service provider is Citrix. For an architecture overview, see [32].
[4] The backup solution is Veeam; CDP is implemented with Zerto. For a (albeit biased, marketing-oriented) comparison, see [33].
[5] Consisting of members from the IT security, IT proper, and, if applicable, the specialty department responsible for use and/or management of a function group. Proportionality was disregarded since the group was asked to respond with rational consensus.
[6] The terms must and should are used here in accordance with the IETF definitions of normative language [36] which was familiar to most participants, or otherwise introduced to them.