CCN-CERT, Cybersecurity Solutions

FAQ SOC-AGE

I. Scope

The Cybersecurity Operations Centre of the General State Administration and its Public Sector Bodies (SOC-AGE) is a shared managed security service that aims to protect the General State Administration and its related or dependent public bodies by providing them with a single, global infrastructure. This includes the necessary equipment as well as its configuration, implementation, maintenance, operation and monitoring, together with the centralised management of cybersecurity incidents for all the bodies and organisations of the General State Administration that are assigned the service.

Its purpose is to provide horizontal cybersecurity services that increase the capacity to monitor and detect threats in the day-to-day operation of the Administration's information and communications systems, as well as to improve its capability to respond to any attack.

It represents the evolution of the current security model towards an integral model that favours interdepartmental coordination, allowing each entity to establish its own security policies and facilitating the exchange of information. The services offered are:

  • Operation, monitoring and updating of perimeter defence devices.
  • Detection, coordinated response, investigation of cyberattacks and cyber threats and resolution of security incidents.
  • Early Warning Service (SAT) for security alerts on Internet connections, common inter-administrative networks and, upon request, corporate networks of the entities.
  • Vulnerability analysis of applications and services.
  • Digital identity anti-abuse services.

This approach seeks to strengthen the core services of a SOC with other complementary services that provide added value. In addition, depending on the demand from the entities and the evolution of the cyber threat landscape over time, the service will evolve progressively so that the level of security offered improves continuously.

The scope of the Cybersecurity Operations Centre is the National Government and its public agencies.

The Cybersecurity Operations Centre aims to protect the perimeter security of the General State Administration and its public bodies against external threats by providing horizontal cybersecurity services.

It is conceived as a global and unique infrastructure complementary to the shared Telecommunications service.

In the medium term, it will be able to manage certain internal security elements, i.e. security devices that protect internal services and segment the entities' network, such as internal firewalls; and it will operate other security elements that the entities may have in their internal network, such as intrusion detection or prevention systems (excluding specialized LAN security devices).

Once the service is established, the possibility of end-point management is not ruled out in future phases.

Compliance with a significant subset of the security measures set out in Annex II of the National Security Scheme can be facilitated by the use of the security services provided in the Cybersecurity Operations Centre catalogue.

These are mainly measures relating to the protection of communications, the protection of services (Internet browsing, secure mail, remote access, etc.), intrusion detection, management of security incidents and the continuity of services among others.

II. Adhesion

Membership of the Cybersecurity Operations Centre should be through an expression of interest.

This would use the existing template already used in the CCN-CERT Early Warning Service (SAT), based on a signed letter or document of commitment.

Initially, it would begin with an initial group of volunteer entities expressing an interest in joining the service.

Perimeter security is applied in blocks.

The internal security part is optional, but if chosen it would be applied incrementally.

Yes, it is necessary to be attached to lot 3 of the centralised communications tendering, that is the centralised access to the Internet of the National Government.

In fact, the Internet access service must be provided by Lot 3 of the General State Administration's consolidated telecommunications services contract Phase 1 (file 05/14) and its future developments.

First of all, the services will be provided from a multi-customer perspective.

Each Entity may define its own security policies, which shall be implemented and managed by specialised staff of the Cybersecurity Operations Centre of the General State Administration and its Public Sector Bodies. However, there shall be a basic security policy for the services, defined by the National Security Service, which shall establish common minimum security requirements.

There will be a catalogue of standardised services that will allow economies of scale. As new services are incorporated into the catalogue, they will be made available to user entities.

These services will be implemented progressively, gradually expanding the scope of the services offered, in accordance with its development plan.

Requests for new information or services will be taken into consideration. The catalogue will be constantly updated, although in principle it will be necessary to concentrate on the most specific functionalities.

The aim will be to offer services adapted to the specific needs of the different Entities that join the service.

Due to its centralized nature, the Cybersecurity Operations Center will facilitate the implementation of the most appropriate tools and/or technologies at all times, as well as the adoption of the appropriate measures for an efficient defense.

Yes. The Cybersecurity Operations Center will have pre-production environments.

The pre-production environment will continue to belong to the entity. The Cybersecurity Operations Centre will be able to monitor connections to pre-production environments exposed on the Internet.

If you have your data center in hosting you can also have the service of the Cybersecurity Operations Centre, provided that the Entity is assigned to Lot 3, and the Internet output corresponding to that Entity from the hosting is provided through the centralized infrastructure Lot 3 provides.

1Q/2Q 2018: Pre-implementation phase

  • Selection of pilot entities.

2Q/3Q 2018: Service implementation

  • Modifications in the communications architecture (lot 3).
  • Acquisition and implementation of SOC-AGE security devices.
  • Detailed design of the service management model.
  • Detailed design of the migration procedure of the pilot entities.

4Q 2018: Pilot Projects

  • Pilot projects begin with selected entities.

2019 and subsequent years: Extension and consolidation of the service

  • Progressive incorporation of entities attached to lot 3 of communications.
  • Evolution and expansion of the security services offered.

III. Communication

A contact point or email address will be provided for information or membership application requests (Mail SOC-AGE).

Dialogue takes place through the point of contact or this email address (Mail SOC-AGE).

During the implementation phase of the service, the specific communication channels for the Security Officers and the technical personnel of the entities will be defined.

IV. Responsibility

Responsibility for the Cybersecurity Operations Centre rests with the General Secretariat for Digital Administration (SGAD), in the exercise of the powers conferred by Article 14.2.a) of Royal Decree 769/2017, of 28 July, which establishes the basic organisational structure of the Ministry of Finance and Civil Service*. The SGAD will exercise the strategic direction of the Cybersecurity Operations Centre through the Division of Cybersecurity Planning and Coordination.

The operation of the Cybersecurity Operations Centre service will be carried out by CCN-CERT, in accordance with the powers conferred by Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration.

The following functions correspond to the General Secretariat of Digital Administration:

  • Definition of the strategic framework of action, which will include among other actions: definition of the service (parameters, associated processes, etc.), the framework of relations with user entities, communication and information channels, etc. for the initial service and for its subsequent evolution and expansion.
  • Technical management of the implementation project, service evolution projects and entity integration projects. Design of an annual action plan that will include activities to be carried out and the associated resources.
  • Follow-up and management of the service, including coordination with the Security Officers of the entities and other actors involved, and the management of the incorporation of new entities to the service.
  • Technical coordination of integration projects with the technical infrastructures of third parties, those of the entities that subscribe to the service as well as the shared and transversal infrastructures offered by the SGAD to the rest of the National Government.
  • Coordination of the response to security incidents among the different agents affected, and the subsequent support to entities that have suffered an incident. This function must be able to be carried out on an uninterrupted basis in order to coordinate immediate responses to incidents detected.
  • Dissemination of information and promotion of the service.

The National Cryptological Centre (CCN) attached to the National Intelligence Centre, in coordination with the General Secretariat of Digital Administration and within the framework of the defined action strategy, is responsible for the operations and intelligence functions of Cybersecurity, which will include the following:

  • Implementation of the technical infrastructure and security services.
  • Definition of Cybersecurity operation procedures.
  • Operation of Cybersecurity, including operation, monitoring and updating of perimeter defense devices.
  • Detection, coordinated response and support for the resolution of security incidents.
  • Support the investigation of cyber-attacks and cyber threats.
  • Vulnerability analysis of applications and services.
  • Digital identity anti-abuse services.

* and amending Royal Decree 424/2016, of 11 November 2016, establishing the basic organisational structure of ministerial departments.

The Cybersecurity Operations Centre will implement the service's planned actions, which include detection, coordinated response to and investigation of cyber-attacks and cyberthreats as well as the resolution of security incidents.

Therefore, the SOC-AGE will have the capability to detect security incidents that affect the entities. This does not exempt an entity from its responsibility to report security incidents that affect it and that it detects itself.

Cybersecurity Operations Centre staff may be responsible for managing an Entity's security incidents at the various escalation levels.

There will be an escalation matrix, and each entity will decide which types of actions within the management of an incident are delegated and which are not. This will be reflected in the service delivery agreement.

In emergency situations, such as serious security attacks affecting the Entities attached to the service, the SOC may carry out urgent mitigation actions, which will be communicated as quickly as possible to the Entity Security Officers for their information.

Service level agreements (SLAs) will be defined to ensure the quality of the services offered.

The existence of service indicators to be shared with user entities is foreseen.

SLAs will be defined in order to guarantee an agile service covering the needs of the Entities, considering the different levels of danger and prioritization of action that each incident may have.

Agile communication channels will be established for very urgent situations.

The service provided by the SOC-AGE shall be certified as compliant with the ENS.

Automated vulnerability analysis tools will be available for different operating systems. They will enumerate ports, services, etc., attempt to exploit the vulnerabilities found, and produce a report that will be sent to the Entities.

However, support for the correction of vulnerabilities detected in applications is not contemplated.

Each entity decides on the permissions to access the data.

In any case, there will be confidentiality agreements to be signed by staff with access to Entity data.

SOC will provide evidence and collaboration for investigations whenever there is a court order.

Event logs relating to an Entity in the custody of the Cybersecurity Operations Centre are the property of the Entity.

The Entities will also be given the possibility of carrying out forensic analysis, upon justification of the request, in those cases that will require judicial action.

The purchase of storage media to be delivered to the court or to any of the parties involved in the proceedings, as well as their custody by a third party, shall be at the expense of the Entity.

V. Budget and contracting

Centralised services are not charged to the Entity's budget.

If certain aspects of internal security are taken on, such as the acquisition of equipment not among that supported by the Cybersecurity Operations Centre, this expense would be the responsibility of the entity (the model being "you acquire it, we operate it").

In addition, better service can be offered by enabling greater interoperability between different security elements.

VI. Other issues

As part of the perimeter security services offered by the Cybersecurity Operations Centre, e-mail arriving from the Internet will be analysed transparently for the entities. If the entity joins the General State Administration's Unified Electronic Mail Service, which provides full management of the mail service, a deeper level of analysis can be carried out.

The proposed architecture is multitenant in all its elements including in mail protection systems, so that, if necessary, different configurations could be applied for each entity, as long as they respect the minimum-security policies defined for the service.

SSL/TLS decryption will be carried out in order to protect the Internet-facing services provided by the entities affiliated with the programme. Exceptions will be made for outbound connections to financial or health sites and other categories. At the moment, we are working on how these exceptions will be handled for SSL/TLS traffic.

The certificates of the affiliated entities will be held in the HSMs of the General State Administration's Cybersecurity Operations Centre, which will also provide a certificate to the affiliated entities so that SSL/TLS traffic can be inspected and malware and malicious traffic carried over SSL/TLS can be intercepted.

The security devices will perform most of the traffic processing needed to apply the configured protections.

Logically, Cybersecurity Operations Centre personnel will also need access to this traffic in order to resolve problems or optimise configurations, just as the security technicians of the Entities, whom Cybersecurity Operations Centre staff replace, have access to it today.

Of course, all Cybersecurity Operations Centre staff are required to maintain absolute confidentiality and will have signed agreements to that effect. Administrators will use individually identifiable accounts, and as a general rule audit-trail mechanisms will be enabled for access to security appliance logs.

The element of the architecture that decrypts SSL/TLS access to the applications the Entities request to protect must hold the certificates (and the corresponding private keys) of all the applications it protects. These will be stored with the necessary guarantees. For the decryption of the Entities' outbound browsing traffic, it will most likely be necessary to distribute a trusted root certificate to all the Entity's client devices. In any case, this will be discussed with each entity prior to its migration. Exceptions may be made to exclude from analysis the categories each Entity considers most sensitive, such as health, access to financial data, etc.

Backup (contingency) sites will have twin or mirrored security systems, provided that their Internet access is through Lot 3.

The aim is for the project to be as generic as possible while still being able to meet the specifications of each participating entity. Current work is focused on gathering information on the traffic and technologies of as many entities as possible.

The idea is that the Centre can evolve to continue to offer what is considered the best protection available in the market.

It is certainly one of the most difficult elements to configure to prevent it from affecting Entity applications. For this reason, the collaboration of the personnel of the participating Entities, including application managers, is important.

Communication between teams both in the first implementation and when applications evolve will be fluid. Incident management tools will allow this fluid communication.

It is an outbound DNS service that gives entities a source of information for detecting cyber attacks and Command and Control contacts made by malicious code. The DNS service will act as a proxy towards external DNS, without providing a name publishing service on the Internet.

This does not refer to the external (authoritative) DNS, understood as the servers hosting the domains published on the Internet, since that is managed from Lot 3 of the centralised communications contract.

What this service offers is a new, additional DNS platform that will act as a proxy for the DNS requests made during user browsing.

In this way, additional protections can be enabled to prevent connections with known Command and Control servers and also provide a source of information for detecting attacks and malicious code in the Entities for further processing.
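The two functions of the proxy described above (blocking resolution of known Command and Control domains and feeding the query log into detection) can be sketched in a few lines. The following is an added example, not code from the SOC-AGE platform or from CCN-CERT: the log line format, the blocklist entries, the sinkhole address and the upstream resolver are all constructed for the illustration. It matches a query name against the blocklist by whole labels (so `cdn.evil-c2.example` is caught but `notevil-c2.example` is not), sinkholes hits instead of forwarding them, and runs the same matcher over proxy log lines to raise per-client alerts.

```python
"""Blocklist-based DNS proxy decision and C2-contact detection over proxy logs.

Added example: formats, names and addresses below are constructed, not SOC-AGE values.
"""
from collections import Counter

# Constructed blocklist of known Command and Control domains (hypothetical names).
C2_BLOCKLIST = {"evil-c2.example", "beacon.bad.example"}

# Assumed sinkhole address returned for blocked names; not a real SOC-AGE value.
SINKHOLE_IP = "10.255.255.1"


def normalise(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def blocked_match(qname: str, blocklist=C2_BLOCKLIST):
    """Return the blocklist entry covering qname (exact or parent domain), else None.

    Matching is done label by label, so 'notevil-c2.example' does not match
    'evil-c2.example' the way a naive endswith() check would.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve(qname: str, forward, blocklist=C2_BLOCKLIST):
    """Proxy decision: sinkhole blocked names, otherwise hand off to the upstream resolver.

    `forward` is a callable standing in for the upstream DNS lookup (assumed interface).
    """
    hit = blocked_match(qname, blocklist)
    if hit:
        return ("sinkhole", SINKHOLE_IP)
    return ("forward", forward(qname))


def parse_log_line(line: str) -> dict:
    """Constructed proxy log format: '<ISO timestamp> <client ip> <qname> <qtype>'."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def detect_c2_contacts(lines, blocklist=C2_BLOCKLIST):
    """Run the matcher over proxy log lines; return (alerts, queries-per-client)."""
    alerts = []
    per_client = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_log_line(line)
        hit = blocked_match(rec["qname"], blocklist)
        if hit:
            alerts.append({**rec, "matched": hit})
            per_client[rec["client"]] += 1
    return alerts, per_client


# Constructed sample log: three hits (subdomain, exact, mixed case) and one near-miss.
SAMPLE_LOG = """\
2018-10-02T09:00:01Z 10.1.2.3 portal.entity.example. A
2018-10-02T09:00:05Z 10.1.2.3 cdn.evil-c2.example. A
2018-10-02T09:00:06Z 10.1.2.7 beacon.bad.example. TXT
2018-10-02T09:00:09Z 10.1.2.3 EVIL-C2.EXAMPLE A
2018-10-02T09:00:12Z 10.1.2.9 notevil-c2.example. A
"""

if __name__ == "__main__":
    alerts, per_client = detect_c2_contacts(SAMPLE_LOG.splitlines())
    for a in alerts:
        print(f"{a['ts']} client={a['client']} qname={a['qname']} matched={a['matched']}")
    print("queries per client:", dict(per_client))
    print(resolve("beacon.bad.example", lambda q: "192.0.2.10"))
```

A real deployment would load the blocklist from a threat-intelligence feed and answer over the wire (for example as a response-policy zone on the proxy resolver); the label-wise matching and the separation between the blocking decision and the detection pass are the parts worth keeping.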

No, the equipment is located in the perimeter protection zone of the National Government's centralised Internet access.